Powered by Accton ES3528 ES3528-WDM Layer 2 Metro Access Switch Management Guide www.edge-core.
Management Guide ES3528 Fast Ethernet Switch Layer 2 Ethernet Metro Access Switch with 24 Fast Ethernet Ports (RJ-45), 2 Gigabit Combination Ports (RJ-45/SFP), 2 Gigabit Extender Module Slots (RJ-45/SFP), 1 Fast Ethernet Management Port (RJ-45) ES3528-WDM Fast Ethernet Switch Layer 2 WDM Metro Access Switch with 24 100BASE-BX Single-Fiber Ports (SC), 2 Gigabit Combination Ports (RJ-45/SFP), 2 Gigabit Extender Module Slots (RJ-45/SFP), 1 Fast Ethernet Management Port (RJ-45)
ES3528 ES3528-WDM F1.0.1.
Contents Section I: Getting Started Chapter 1: Introduction Key Features Description of Software Features System Defaults 1-1 1-1 1-2 1-6 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers Configuring Access for SNMP V
Contents Manual Configuration Using DHCP/BOOTP Managing Firmware Downloading System Software from a Server Saving or Restoring Configuration Settings Downloading Configuration Settings from a Server Console Port Settings Telnet Settings Configuring Event Logging System Log Configuration Remote Log Configuration Displaying Log Messages Sending Simple Mail Transfer Protocol Alerts Resetting the System Setting the System Clock Configuring SNTP Setting the Time Zone 4-9 4-10 4-11 4-12 4-14 4-15 4-16 4-18 4-20
Contents Chapter 7: Client Security Configuring Port Security 7-1 7-1 Chapter 8: Access Control Lists Configuring Access Control Lists Setting the ACL Name and Type Configuring a Standard ACL Configuring an Extended ACL Configuring a MAC ACL Configuring ACL Masks Specifying the Mask Type Configuring an IP ACL Mask Configuring a MAC ACL Mask Binding a Port to an Access Control List 8-1 8-1 8-2 8-3 8-4 8-7 8-9 8-9 8-10 8-12 8-13 Chapter 9: Port Configuration Displaying Connection Status Configuring Interf
Contents Displaying Basic VLAN Information Displaying Current VLANs Creating VLANs Adding Static Members to VLANs (VLAN Index) Adding Static Members to VLANs (Port Index) Configuring VLAN Behavior for Interfaces Configuring IEEE 802.
Contents Assigning Static Multicast Groups to Interfaces Chapter 16: Domain Name Service Configuring General DNS Service Parameters Configuring Static DNS Host to Address Entries Displaying the DNS Cache 15-15 16-1 16-1 16-3 16-5 Section III: Command Line Interface Chapter 17: Overview of Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Sho
Contents show system show users show version System Mode Commands system mode show system mode System MTU Commands jumbo frame system mtu show system mtu File Management Commands copy delete dir whichboot boot system Line Commands line login password timeout login response exec-timeout password-thresh silent-time databits parity speed stopbits disconnect show line Event Logging Commands logging on logging history logging host logging facility logging trap clear log show logging show log SMTP Alert Commands
Contents show logging sendmail Time Commands sntp client sntp server sntp poll show sntp clock timezone calendar set show calendar 19-37 19-37 19-38 19-39 19-39 19-40 19-40 19-41 19-42 Chapter 20: SNMP Commands snmp-server show snmp snmp-server community snmp-server contact snmp-server location snmp-server host snmp-server enable traps snmp-server engine-id show snmp engine-id snmp-server view show snmp view snmp-server group show snmp group snmp-server user show snmp user 20-1 20-2 20-2 20-3 20-4 20-4 2
Contents Web Server Commands ip http port ip http server ip http secure-server ip http secure-port Telnet Server Commands ip telnet server Secure Shell Commands ip ssh server ip ssh timeout ip ssh authentication-retries ip ssh server-key size delete public-key ip ssh crypto host-key generate ip ssh crypto zeroize ip ssh save host-key show ip ssh show ssh show public-key 802.
Contents ip dhcp snooping vlan ip dhcp snooping binding ip dhcp snooping verify mac-address ip dhcp snooping database flash ip dhcp snooping trust show ip dhcp snooping show ip dhcp snooping binding 22-9 22-10 22-11 22-12 22-12 22-13 22-13 Chapter 23: Access Control List Commands IP ACLs access-list ip permit, deny (Standard ACL) permit, deny (Extended ACL) show ip access-list access-list ip mask-precedence mask (IP ACL) show access-list ip mask-precedence ip access-group show ip access-group MAC ACLs acc
Contents show interfaces switchport 24-11 Chapter 25: Link Aggregation Commands channel-group lacp lacp system-priority lacp admin-key (Ethernet Interface) lacp admin-key (Port Channel) lacp port-priority show lacp 25-1 25-2 25-2 25-4 25-4 25-5 25-6 25-7 Chapter 26: Mirror Port Commands port monitor show port monitor 26-1 26-1 26-2 Chapter 27: Rate Limit Commands rate-limit rate-limit cos show rate-limit cos 27-1 27-1 27-2 27-3 Chapter 28: Address Table Commands mac-address-table static clear mac-ad
Contents spanning-tree link-type spanning-tree mst cost spanning-tree mst port-priority spanning-tree protocol-migration show spanning-tree show spanning-tree mst configuration Chapter 30: VLAN Commands GVRP and Bridge Extension Commands bridge-ext gvrp show bridge-ext switchport gvrp show gvrp configuration garp timer show garp timer Editing VLAN Groups vlan database vlan Configuring VLAN Interfaces interface vlan switchport mode switchport acceptable-frame-types switchport ingress-filtering switchport nat
Contents queue bandwidth queue cos-map show queue bandwidth show queue cos-map vlan priority show vlan based priority Priority Commands (Layer 3 and 4) map ip port (Global Configuration) map ip port (Interface Configuration) map ip precedence (Global Configuration) map ip precedence (Interface Configuration) map ip dscp (Global Configuration) map ip dscp (Interface Configuration) show map ip port show map ip precedence show map ip dscp Chapter 32: Quality of Service Commands class-map match policy-map class
Contents show ip igmp snooping mrouter Multicast VLAN Registration Commands mvr (Global Configuration) mvr (Interface Configuration) show mvr 33-11 33-11 33-12 33-13 33-14 Chapter 34: Domain Name Service Commands ip host clear host ip domain-name ip domain-list ip name-server ip domain-lookup show hosts show dns show dns cache clear dns cache 34-1 34-1 34-2 34-3 34-3 34-4 34-5 34-6 34-7 34-7 34-8 Chapter 35: IP Interface Commands Basic IP Configuration ip address ip default-gateway ip dhcp restart show
Section I: Getting Started This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
1 Introduction Table 1-1 Key Features (Continued) Feature Description Virtual LANs Up to 255 using IEEE 802.
Description of Software Features
Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can be used to improve performance by blocking unnecessary network traffic, or to implement security controls by restricting access to specific network resources or protocols.
Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC), which prevents corrupted frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the switch provides 32 MB for frame buffering. This buffer can queue packets awaiting transmission on congested networks.
Description of Software Features 1 Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can be used to provide independent priorities for delay-sensitive data and best-effort data. This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.
1 Introduction System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 4-15). The following table lists some of the basic system defaults.
Table 1-2 System Defaults (Continued)
Function: Parameter – Default
SNMP: SNMP Agent – Enabled; Community Strings – “public” (read only), “private” (read/write); Traps – authentication traps enabled, link-up-down events enabled; SNMP V3 – View: defaultview; Group: public (read only), private (read/write)
Port Configuration: Admin Status – Enabled; Auto-negotiation – Enabled; Flow Control – Disabled; Input and output limits – Disabled; Input limit per port per CoS value – Disabled
Port Trunking
Table 1-2 System Defaults (Continued)
Traffic Prioritization: Ingress Port Priority – 0; Queue Mode – WRR (Weighted Round Robin), queues 0 1 2 3 4 5 6 7 with weights 1 2 4 6 8 10 12 14; IP Precedence Priority – Disabled; IP DSCP Priority – Disabled; IP Port Priority – Disabled; VLAN-based Priority – Disabled
Management: VLAN – Any VLAN configured with an IP address; IP Address – 0.0.0.0; Subnet Mask – 255.0.0.0; Default Gateway – 0.0.0.
Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: An IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-4.
• Configure up to 12 static or LACP trunks
• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics
Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. Attach a VT100-compatible terminal, or a PC running a terminal emulation program, to the switch.
Basic Configuration 2 Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. An IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4. Note: This switch supports four concurrent Telnet/SSH sessions.
Setting Passwords
Note: If this is the first time you have logged into the CLI, define new passwords for both default user names using the “username” command, record them and keep them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive. Because that limit is short, use the full 8 characters with mixed case and digits, and restrict which networks can reach the console, Telnet/SSH and web interfaces. To prevent unauthorized access to the switch, set the passwords as follows:
1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Network mask for this network
• Default gateway for the network
To assign an IP address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2.
5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press Enter.
6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press Enter.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.
The default strings are:
• public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. Note that SNMP v1 and v2c authenticate each request by the community string alone and carry it in cleartext, so a changed string keeps out only casual access; for management across untrusted segments, use SNMPv3 users with authentication (see “Configuring Access for SNMP Version 3 Clients”). To configure a community string, complete the following steps:
1.
2 Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB.
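The SNMPv3 users created here are bound to the switch's engine ID: USM (RFC 3414) turns a user's passphrase into a key and then localizes it with the engine ID, so the same passphrase yields a different key on every agent, and a user defined before the engine ID is changed (see the “snmp-server engine-id” command) no longer authenticates. The following Python is an added example that is not part of the guide; it implements the RFC 3414 password-to-key and key-localization steps and checks them against the RFC's published test vectors. The engine ID values are the ones from the RFC, not from any real switch.

```python
"""Added example (not from the ES3528 guide): derive an SNMPv3 USM user's
localized authentication key from a passphrase and the agent's engine ID,
following RFC 3414 appendix A.2 (password to key) and A.3 (localization).
On the switch the engine ID is what "show snmp engine-id" prints.
"""
import hashlib

_ONE_MEGABYTE = 1_048_576


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: digest of the passphrase repeated (and truncated) to exactly 1 MB."""
    if not password:
        raise ValueError("empty passphrase")
    h = hashlib.new(algo)
    reps, rem = divmod(_ONE_MEGABYTE, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the key that is actually used with this agent."""
    h = hashlib.new(algo)
    h.update(ku + engine_id + ku)
    return h.digest()


def usm_auth_key(password: str, engine_id_hex: str, algo: str = "md5") -> bytes:
    """Localized key for one user on one engine (HMAC-MD5-96 or HMAC-SHA-96)."""
    if algo not in ("md5", "sha1"):
        raise ValueError("RFC 3414 USM defines only MD5 and SHA-1 authentication")
    engine_id = bytes.fromhex(engine_id_hex.replace(":", "").replace(" ", ""))
    return localize_key(password_to_key(password.encode(), algo), engine_id, algo)


if __name__ == "__main__":
    # RFC 3414 A.3 vector: passphrase "maplesyrup", engineID 00..00 02.
    rfc_engine = "000000000000000000000002"
    print("MD5  Kul:", usm_auth_key("maplesyrup", rfc_engine, "md5").hex())
    print("SHA1 Kul:", usm_auth_key("maplesyrup", rfc_engine, "sha1").hex())
    # Same passphrase, another (made-up) engine ID: a different key, which is
    # why users must be re-created after the switch's engine ID changes.
    print("other engine:", usm_auth_key("maplesyrup", "800007e580a1b2c3d4", "md5").hex())
```

The 1 MB expansion is the only work factor the scheme has; it does not salt per user, so two users with the same passphrase on the same switch share a key, and the guide's advice to give each SNMPv3 user its own passphrase follows from that.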
2 Managing System Files Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 32 Mbytes of flash memory for system files. In the system flash memory, one file of each type must be set as the start-up file.
Section II: Switch Management This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser, and a brief example for the Command Line Interface. Configuring the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 Basic Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 Simple Network Management Protocol . . . . . . . . . . . . . . . . . . . . . . .
Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
3 Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password “admin” is used for the administrator. Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Navigating the Web Browser Interface 3 Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons. Table 3-1 Web Page Configuration Buttons Button Action Apply Sets specified values to the system. Revert Cancels specified values and restores current values prior to pressing “Apply.
3 Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Navigating the Web Browser Interface 3 Table 3-2 Switch Main Menu (Continued) Menu Description SNMPv3 Engine ID Page 5-7 Sets the SNMP v3 engine ID 5-7 Remote Engine ID Sets the SNMP v3 engine ID on a remote device 5-8 Users Configures SNMP v3 users 5-9 Remote Users Configures SNMP v3 users on a remote device Groups Configures SNMP v3 groups 5-13 Views Configures SNMP v3 views 5-16 Security 5-11 6-1 User Accounts Configures user names, passwords, and access levels 6-1 Authenticat
3 Configuring the Switch Table 3-2 Switch Main Menu (Continued) Menu Description LACP Configuration Page 9-8 Allows ports to dynamically join trunks 9-8 Aggregation Port Configures parameters for link aggregation group members 9-10 Port Counters Information Displays statistics for LACP protocol messages 9-13 Port Internal Information Displays settings and operational state for the local side 9-14 Port Neighbors Information Displays settings and operational state for the remote side 9-16 P
Navigating the Web Browser Interface 3 Table 3-2 Switch Main Menu (Continued) Menu Trunk Configuration Description Configures trunk settings for a specified MST instance VLAN Page 11-20 12-1 802.
3 Configuring the Switch Table 3-2 Switch Main Menu (Continued) Menu Description QoS Page 14-1 DiffServ Configure QoS classification criteria and service policies 14-1 Class Map Creates a class map for a type of traffic 14-2 Policy Map Creates a policy map for multiple interfaces 14-5 Service Policy Applies a policy map defined to an ingress port 14-8 IGMP Snooping 15-2 IGMP Configuration Enables multicast filtering; configures parameters for multicast query 15-3 Multicast Router Port
Chapter 4: Basic Management Tasks
This chapter describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system.
Displaying System Information
You can easily identify the system by displaying the device name, location and contact information.
Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for switch’s network management subsystem.
• Location – Specifies the system location.
4 Basic Management Tasks Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 4-1 System Information CLI – Specify the hostname, location and contact information.
POST Result:
DUMMY Test 1 ................. PASS
UART Loopback Test ........... PASS
DRAM Test .................... PASS
Timer Test ................... PASS
I2C Bus Initialization ....... PASS
Switch Int Loopback Test ..... PASS
Console#
* ES3528-WDM System Description: 24 port WDM Metro Access Switch
† ES3528-WDM System OID String: 1.3.6.1.4.1.259.8.2.
Configuring the Switch for Normal Operation or Tunneling Mode
4 Basic Management Tasks Configuring the Maximum Frame Size The maximum transfer unit (or frame size) for traffic crossing the switch should be set to minimize unnecessary fragmentation and maximize the transfer of large sequential data streams. Command Usage • Fast Ethernet ports are only affected by the System MTU setting. • Gigabit Ethernet ports are only affected by the Jumbo frame size setting.
CLI – This example sets the MTU for Fast Ethernet ports to 1528 bytes.
Console(config)#system mtu 1528
Console(config)#exit
Console#show system mtu
System MTU size is 1528 Bytes
System Jumbo MTU size is 1518 Bytes
Console#
Configuring Support for Jumbo Frames
The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes for Gigabit Ethernet.
Displaying Switch Hardware/Software Versions
Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
Field Attributes
Main Board
• Serial Number – The serial number of the switch.
• Hardware Version – Hardware version of the main board.
• EPLD Version – Version number of EEPROM Programmable Logic Device.
• Number of Ports – Number of built-in ports.
CLI – Use the following command to display version information.
Console#show version
Unit 1
 Serial Number: 0000E8900000
 Hardware Version: R01
 EPLD Version: 0.01
 Number of Ports: 29
Agent (Master)
 Unit ID: 1
 Loader Version: 1.0.0.1
 Boot ROM Version: 1.0.0.7
 Operation Code Version: 1.0.1.
Displaying Bridge Extension Capabilities
4 Basic Management Tasks Web – Click System, Bridge Extension. Figure 4-6 Displaying Bridge Extension Configuration CLI – Enter the following command.
Setting the Switch’s IP Address
Command Attributes
• Management VLAN – ID of the configured VLAN (1-4093). By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
• IP Address Mode – Specifies whether IP functionality is enabled via manual configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot Protocol (BOOTP).
CLI – Specify the management interface, IP address and default gateway.
Console#config
Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.253 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.254
Console(config)#
Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration.
Managing Firmware
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI. Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface.
4 Basic Management Tasks Downloading System Software from a Server When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file. Web – Click System, File Management, Copy Operation.
To delete a file select System, File Management, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted. Figure 4-11 Deleting Files CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select the operation code (not configuration) file type, then enter the source and destination file names.
4 Basic Management Tasks Saving or Restoring Configuration Settings You can upload/download configuration settings to/from a TFTP server, or copy files to and from switch units in a stack. The configuration file can be later downloaded to restore the switch’s settings. Command Attributes • File Transfer Method – The configuration copy operation includes these options: - file to file – Copies a file within the switch directory, assigning it a new name.
Saving or Restoring Configuration Settings 4 Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch. Web – Click System, File Management, Copy Operation.
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console Port Settings 4 • Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None. (Default: None) • Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port.
4 Basic Management Tasks CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
4 Telnet Settings • Password2 – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password) • Login2 – Enables password checking at login. You can select authentication by a single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts.
Configuring Event Logging
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and to display a list of recent event messages.
System Log Configuration
The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Configuring Event Logging 4 Web – Click System, Logs, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 4-16 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
4 Basic Management Tasks Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 4-17 Remote Logs CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap. Console(config)#logging host 10.1.0.
Displaying Log Messages
Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Web – Click System, Logs, Logs. Figure 4-18 Displaying Logs
CLI – This example shows the event messages stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification.
4 Basic Management Tasks • SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list. • Email Destination Address List – Specifies the email recipients of alert messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list.
4 Resetting the System CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail command to display the current SMTP configuration. Console(config)#logging sendmail host 192.168.1.
4 Basic Management Tasks Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock using the CLI. (See “calendar set” on page 19-41.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings. Console(config)#sntp client Console(config)#sntp poll 16 Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 Console(config)#exit Console#show sntp Current time: Jan 6 14:56:05 2004 Poll interval: 60 Current mode: unicast SNTP status : Enabled SNTP server 10.1.0.19 137.82.140.80 128.250.36.2 Current server: 128.250.36.
Chapter 5: Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Table 5-1 SNMPv3 Security Models and Levels
Model | Level | Group | Read View | Write View | Notify View | Security
v1 | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v1 | noAuthNoPriv | private (read/write) | defaultview | defaultview | none | Community string only
v1 | noAuthNoPriv | user defined | user defined | user defined | user defined | Community string only
v2c | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v2c noAu
Setting Community Access Strings You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should remove or replace the default public and private strings: a community string travels in cleartext and is the only credential SNMP v1 and v2c have, and the default private string grants write access. Command Attributes • SNMP Community Capability – The switch supports up to five community strings. • Current – Displays a list of the community strings currently configured.
Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.
Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive) • Trap UDP Port – Specifies the UDP port number used by the trap manager. • Trap Version – Indicates if the user is running SNMP v1, v2c, or v3. (Default: v1) • Trap Security Level – When trap version 3 is selected, you must specify one of the following security levels.
Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, SNMP trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.
Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, do so before configuring other SNMP parameters. 2. Specify read and write access views for the switch MIB tree. 3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy). 4.
Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. SNMP passwords are localized using the engine ID of the authoritative agent, so the same password yields a different key on every engine; without the correct remote engine ID the switch derives the wrong key and the remote user cannot authenticate the informs.
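The localization step described above, as an added example that is not code from the ES3528 manual or its vendor: the RFC 3414 password-to-key and key-localization computation that turns one SNMPv3 password into an engine-specific key. The vectors asserted below are the ones published in RFC 3414 Appendix A.3; the second engine ID is a hypothetical one built on Accton's enterprise number with a made-up MAC address.

```python
"""RFC 3414 USM key derivation: Ku = H(password stretched to 1 MiB),
Kul = H(Ku || engineID || Ku). Added example, not vendor code."""
import hashlib

ONE_MIB = 1_048_576


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: hash the password repeated and truncated to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul: bind Ku to one authoritative engine. Engine IDs are 5-32 octets (RFC 3411)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5-32 octets")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, hash_name: str = "md5") -> str:
    """Convenience wrapper returning the localized key as hex."""
    ku = password_to_key(password.encode(), hash_name)
    return localize_key(ku, bytes.fromhex(engine_id_hex), hash_name).hex()


# Engine IDs: the RFC 3414 test engine, and a hypothetical RFC 3411-format ID
# (0x80 | enterprise 259 = Accton, format 3 = MAC address, made-up MAC).
RFC_ENGINE = "000000000000000000000002"
OTHER_ENGINE = "8000010303" + "0012cf000001"


def demo() -> dict:
    """Same password, two engines: the keys differ, which is why the remote
    engine ID must be configured before informs to that user can succeed."""
    return {
        "md5_rfc": localized_key("maplesyrup", RFC_ENGINE, "md5"),
        "sha1_rfc": localized_key("maplesyrup", RFC_ENGINE, "sha1"),
        "md5_other": localized_key("maplesyrup", OTHER_ENGINE, "md5"),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name}: {key}")
```

The 1 MiB stretch is the only work factor the scheme has; it is a fixed cost, not a tunable one, so short SNMPv3 passwords remain cheap to brute-force offline once an attacker captures a single authenticated PDU and knows the engine ID (which is sent in the clear). Note that `hashlib.new("md5")` raises on Python builds running in FIPS mode.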
Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, or notify view. Command Attributes • User Name – The name of user connecting to the SNMP agent. (Range: 1-32 characters) • Group Name – The name of the SNMP group to which the user is assigned.
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.
Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read and a write view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. Figure 5-7 Configuring Remote SNMPv3 Users CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views. Command Attributes • Group Name – The name of the SNMP group. (Range: 1-32 characters) • Model – The group security model; SNMP v1, v2c or v3.
Table 5-2 Supported Notification Messages (Continued)
Object Label | Object ID | Description
linkUp* | 1.3.6.1.6.3.1.1.5.4 | A linkUp trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state). This other state is indicated by the included value of ifOperStatus.
authenticationFailure* | 1.3.6.1.6.3.
Table 5-2 Supported Notification Messages (Continued)
Object Label | Object ID | Description
swThermalFallingNotification | 1.3.6.1.4.1.259.8.2.2.2.1.0.59 | This trap is sent when the temperature falls below the switchThermalActionFallingThreshold.
swModuleInsertionNotification | 1.3.6.1.4.1.259.8.2.2.2.1.0.60 | This trap is sent when a module is inserted.
swModuleRemovalNotification | 1.3.6.1.4.1.259.8.2.2.2.1.0.61 | This trap is sent when a module is removed.
CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views. Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview Console(config)#exit Console#show snmp group . . .
Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list. For a specific view, click on View OID Subtrees to display the current configuration, or click on Edit OID Subtrees to make changes to the view settings.
CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)#exit Console#show snmp view View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.* View Type: included Storage Type: nonvolatile Row Status: active View Name: readaccess Subtree OID: 1.3.6.1.
Chapter 6: User Authentication You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options: • User Accounts – Manually configure management access rights for users.
Web – Click Security, User Accounts. To configure a new user account, enter the user name, access level, and password, then click Add. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply. Figure 6-1 User Accounts CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password.
the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch. RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. RADIUS also protects only the password attribute of its requests, whereas TACACS+ encrypts the entire packet body with the shared key, so TACACS+ exposes less when authentication traffic crosses segments you do not fully trust.
- Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) - Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5) • TACACS Settings - Server IP Address – Address of the TACACS+ server. (Default: 10.11.12.
Console#show radius-server Remote RADIUS server configuration: Global settings: Communication key with RADIUS server: ***** Server port number: 181 Retransmit times: 5 Request timeout: 10 Server 1: Server IP address: 192.168.1.25 Communication key with RADIUS server: ***** Server port number: 181 Retransmit times: 5 Request timeout: 10 Console#config Console(config)#authentication login tacacs Console(config)#tacacs-server host 10.20.30.
• The following web browsers and operating systems currently support HTTPS:
Table 6-1 HTTPS System Support
Web Browser | Operating System
Internet Explorer 5.0 or later | Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP
Netscape Navigator 6.2 or later | Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP, Solaris 2.6
• To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” on page 6-6.
When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to replace the default (unrecognized) certificate with an authorized one. TFTP has no authentication or encryption, so the private key is exposed in transit; stage it on the server only for the duration of the copy and perform the transfer over the management network. Console#copy tftp https-certificate TFTP server ip address: Source certificate file name: Source private file name: Private password: Note: The switch must be reset for th
To use the SSH server, complete these steps: 1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
stored on the switch can access it. The following exchanges take place during this process: Authenticating SSH v1.5 Clients a. The client sends its RSA public key to the switch. b. The switch compares the client's public key to those stored in memory. c. If a match is found, the switch generates a random 256-bit string as a challenge, encrypts this string with the client’s public key, and sends it to the client. d.
Note: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. • Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e., volatile memory) to flash memory. Otherwise, the host key pair is stored to RAM by default. Note that you must select this item prior to generating the host-key pair. • Generate – This button is used to generate the host key pair.
CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note that you must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server. Figure 6-5 SSH Server Settings CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.
Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.
• The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) • The RADIUS server and client also have to support the same EAP method for carrying authentication messages (EAP-MD5, EAP-TLS or EAP-TTLS). Native support for these methods is provided in Windows XP, and in Windows 2000 with Service Pack 4. EAP-MD5 provides only a one-way challenge-response and no server authentication or key material, so prefer TLS or TTLS wherever the clients support them.
Configuring 802.1X Global Settings The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web – Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply. Figure 6-7 802.
• Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2) • Quiet Period – Sets the time that a switch port waits after the Max Request count has been exceeded before attempting to acquire a new client. (Range: 1-65535 seconds; Default: 60 seconds) • Re-authentication Period – Sets the time period after which a connected client must be re-authenticated.
CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 21-29.
Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port.
Table 6-2 802.1X Statistics
Parameter | Description
Rx EAPOL Start | The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff | The number of EAPOL Logoff frames that have been received by this Authenticator.
Rx EAPOL Invalid | The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized.
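What those three counters actually count, as an added example that is not code from the ES3528 manual or its vendor: a decoder for the EAPOL header an authenticator port sees, and a tally of Rx EAPOL Start, Logoff and Invalid over a set of frames constructed inline (the supplicant MAC and identity are made up).

```python
"""EAPOL (IEEE 802.1X) frame decoding and per-port counters. Added example."""
import struct
from typing import Optional

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC address
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_NAMES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
                    3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
HEADER_LEN = 14 + 4                              # Ethernet II header + EAPOL header


def build_eapol(src_mac: bytes, pkt_type: int, body: bytes = b"", version: int = 1) -> bytes:
    """Ethernet frame carrying one EAPOL PDU: version, packet type, body length, body."""
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, version, pkt_type, len(body))
    return PAE_GROUP_ADDR + src_mac + hdr + body


def parse_eapol(frame: bytes) -> Optional[dict]:
    """Decode the EAPOL header; None means the frame is not EAPOL at all."""
    if len(frame) < HEADER_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    version, pkt_type, length = struct.unpack("!BBH", frame[14:18])
    return {
        "src": frame[6:12].hex(":"),
        "version": version,
        "type": pkt_type,
        "name": EAPOL_TYPE_NAMES.get(pkt_type, "unknown"),
        "truncated": length > len(frame) - HEADER_LEN,   # body length overruns frame
        "body": frame[18:18 + length],
    }


def count_eapol(frames) -> dict:
    """Counters in the spirit of Table 6-2: Start, Logoff, Invalid and a total."""
    counters = {"rx_eapol_start": 0, "rx_eapol_logoff": 0,
                "rx_eapol_invalid": 0, "rx_eapol_total": 0}
    for frame in frames:
        pdu = parse_eapol(frame)
        if pdu is None:
            continue                        # not EAPOL; not an 802.1X counter
        counters["rx_eapol_total"] += 1
        if pdu["type"] == 1:
            counters["rx_eapol_start"] += 1
        elif pdu["type"] == 2:
            counters["rx_eapol_logoff"] += 1
        elif pdu["type"] not in EAPOL_TYPE_NAMES:
            counters["rx_eapol_invalid"] += 1   # frame type not recognised
    return counters


# Constructed sample traffic (hypothetical MAC and identity): a Start, an
# EAP-Response/Identity (code 2, id 1, length 10, type 1), a Logoff, a frame
# with an undefined EAPOL type, and an ARP frame that is not EAPOL.
SUPPLICANT = bytes.fromhex("001122334455")
EAP_RESPONSE_IDENTITY = bytes([2, 1, 0, 10, 1]) + b"alice"
SAMPLE_FRAMES = [
    build_eapol(SUPPLICANT, 1),
    build_eapol(SUPPLICANT, 0, EAP_RESPONSE_IDENTITY),
    build_eapol(SUPPLICANT, 2),
    build_eapol(SUPPLICANT, 9),
    PAE_GROUP_ADDR + SUPPLICANT + struct.pack("!H", 0x0806) + bytes(28),
]

if __name__ == "__main__":
    for name, value in count_eapol(SAMPLE_FRAMES).items():
        print(f"{name}: {value}")
```

Worth watching: EAPOL-Logoff carries no integrity protection, so any host on the same segment can forge one with an authenticated supplicant's source address and force the port back to unauthorized. A rising Rx EAPOL Logoff count on a port whose client has not actually left is a detection signal, not just a statistic.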
Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 6-9 802.1X Port Statistics CLI – This example displays the dot1x statistics for port 4.
Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage • The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry. Figure 6-10 IP Filter CLI – This example restricts management access for Telnet clients. Console(config)#management telnet-client 192.168.1.19 Console(config)#management telnet-client 192.168.1.25 192.168.1.
Chapter 7: Client Security This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options of providing client security are supported by this switch.
MAC addresses already in the address table will be retained and will not age out. Any other device that attempts to use the port will be prevented from accessing the switch. Command Usage • A secure port has the following restrictions: - It cannot be used as a member of a static or dynamic trunk. - It should not be connected to a network interconnection device. • The default maximum number of MAC addresses allowed on a secure port is zero.
Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 7-1 Port Security CLI – This example selects the target port, sets the port security action to send a trap and disable the port, specifies a maximum address count, and then enables port security for the port.
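The secure-port rules above (retained addresses that never age out, a maximum address count defaulting to zero, and a trap and/or shutdown action on an unknown address) as an added example that is not code from the ES3528 manual or its vendor: a small state machine you can drive with constructed frames to see exactly what is forwarded and what is reported. The action names and MAC addresses are assumptions for illustration.

```python
"""Port-security decision logic for one switch port. Added example."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    max_mac_count: int = 0          # manual: default maximum on a secure port is zero
    action: str = "none"            # "none", "trap", "shutdown" or "trap-and-shutdown" (assumed names)
    secure: bool = False            # port security enabled on this port
    learned: set = field(default_factory=set)
    shut_down: bool = False
    events: list = field(default_factory=list)   # (event, mac) pairs the operator would see

    def enable(self, max_mac_count: int = 0, action: str = "none") -> None:
        """Turn security on; addresses already learned are retained and stop ageing."""
        self.max_mac_count, self.action, self.secure = max_mac_count, action, True

    def receive(self, src_mac: str) -> bool:
        """Ingress decision for a frame with this source MAC; True means forwarded."""
        if self.shut_down:
            return False                           # port disabled by an earlier violation
        if not self.secure:
            self.learned.add(src_mac)              # ordinary dynamic learning
            return True
        if src_mac in self.learned:
            return True                            # retained address
        if len(self.learned) < self.max_mac_count:
            self.learned.add(src_mac)              # still room under the configured limit
            return True
        # Violation: unknown source address on a secure port that is full.
        if "trap" in self.action:
            self.events.append(("trap", src_mac))
        if "shutdown" in self.action:
            self.shut_down = True
            self.events.append(("shutdown", src_mac))
        return False


def demo() -> dict:
    """One station learned before security is enabled with max 0 and
    trap-and-shutdown; then an unknown station shows up."""
    port = SecurePort()
    port.receive("00:11:22:33:44:55")
    port.enable(max_mac_count=0, action="trap-and-shutdown")
    return {
        "known": port.receive("00:11:22:33:44:55"),
        "intruder": port.receive("66:77:88:99:aa:bb"),
        "known_after": port.receive("00:11:22:33:44:55"),
        "events": list(port.events),
    }


if __name__ == "__main__":
    print(demo())
```

The check is on the source MAC only: a host that spoofs a retained address is forwarded like the original. Port security limits who can plug into a port; it does not authenticate them, which is why the manual pairs it with 802.1X for ports whose clients can run a supplicant.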
Chapter 8: Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
• Each ACL can have up to 32 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20. • You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule. • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs.
Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list. Figure 8-1 Selecting ACL Type CLI – This example creates a standard IP ACL named bill.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add. Figure 8-2 ACL Configuration - Standard IPv4 CLI – This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask. Console(config-std-acl)#permit host 10.1.
• Source/Destination Port – Source/destination port number for the specified protocol type. (Range: 0-65535) • Source/Destination Port Bit Mask – Decimal number representing the port bits to match. (Range: 0-65535) • Control Code – Decimal number (representing a bit string) that specifies the flag bits in byte 14 of the TCP header, i.e., the six low-order flag bits at offset 13: FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32. (Range: 0-63) • Control Code Bit Mask – Decimal number representing the code bits to match.
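The matching arithmetic behind the address, port and control-code bitmasks in a standard or extended IP ACL, as an added example that is not code from the ES3528 manual or its vendor. A bitmask selects which bits are compared, so `(packet & mask) == (rule & mask)`; the rule set below reuses the manual's 10.1.1.21 host and 168.92.16.x–168.92.31.x range and adds a rule that admits TCP connection attempts to port 80 only when SYN is set and ACK is clear. One assumption is labelled: the manual does not say what happens to a packet that matches no rule, so that default is a parameter.

```python
"""First-match ACL evaluation with bitmask semantics. Added example."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

# Six-bit TCP control code (flags byte at offset 13 of the TCP header).
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

Masked = Tuple[int, int]          # (value, bitmask): only masked bits are compared
ANY: Masked = (0, 0)              # bitmask 0 matches every value


def ip(s: str) -> int:
    return int(IPv4Address(s))


def host(s: str) -> Masked:
    return (ip(s), 0xFFFFFFFF)


def subnet(addr: str, mask: str) -> Masked:
    """Address range given as base address plus subnet-style bitmask."""
    return (ip(addr), ip(mask))


def masked_eq(value: int, spec: Masked) -> bool:
    want, mask = spec
    return (value & mask) == (want & mask)


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: Masked = ANY
    dst: Masked = ANY
    protocol: Optional[int] = None  # IP protocol number; None = any
    sport: Masked = ANY             # (port, port-bitmask)
    dport: Masked = ANY
    control_code: Masked = ANY      # (code, code-bitmask); TCP only


@dataclass(frozen=True)
class Packet:
    src: int
    dst: int
    protocol: int
    sport: int = 0
    dport: int = 0
    control_code: int = 0


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (data offset 5) with the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def tcp_control_code(tcp_header: bytes) -> int:
    """The value the ACL compares: low six bits of the flags byte at offset 13."""
    return tcp_header[13] & 0x3F


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.control_code != ANY and pkt.protocol != 6:
        return False                # control code is meaningful only for TCP
    return (masked_eq(pkt.src, rule.src) and masked_eq(pkt.dst, rule.dst)
            and masked_eq(pkt.sport, rule.sport) and masked_eq(pkt.dport, rule.dport)
            and masked_eq(pkt.control_code, rule.control_code))


def evaluate(acl, pkt: Packet, default: str = "permit") -> str:
    """First matching rule wins. 'default' is an assumption: the manual does not
    state the implicit action for a packet that matches no rule."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed rule set. Code 2 with bitmask 18 means SYN set and ACK clear,
# i.e. only the first packet of an inbound connection to port 80 is admitted.
EXAMPLE_ACL = [
    Rule("permit", src=host("10.1.1.21")),
    Rule("permit", src=subnet("168.92.16.0", "255.255.240.0")),
    Rule("permit", protocol=6, dport=(80, 0xFFFF), control_code=(SYN, SYN | ACK)),
    Rule("deny"),
]


def demo() -> dict:
    web = ip("10.0.0.80")
    syn = Packet(ip("192.0.2.9"), web, 6, 40000, 80, tcp_control_code(build_tcp_header(40000, 80, SYN)))
    synack = Packet(ip("192.0.2.9"), web, 6, 40000, 80, tcp_control_code(build_tcp_header(40000, 80, SYN | ACK)))
    return {
        "range_hit": evaluate(EXAMPLE_ACL, Packet(ip("168.92.31.7"), web, 17)),
        "range_miss": evaluate(EXAMPLE_ACL, Packet(ip("168.92.32.1"), web, 17)),
        "syn": evaluate(EXAMPLE_ACL, syn),
        "synack": evaluate(EXAMPLE_ACL, synack),
    }


if __name__ == "__main__":
    print(demo())
```

The SYN-only rule is the classic "established" trick on a stateless filter: it lets inside hosts answer but keeps outside hosts from opening connections. It relies on flags alone, so a packet crafted with SYN set and ACK clear still matches; treat it as a cheap first line, not as a stateful firewall.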
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add. Figure 8-3 ACL Configuration - Extended IPv4 CLI – This example adds three rules: 1.
Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any) • Source/Destination MAC Address – Source or destination MAC address.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.
Configuring ACL Masks You must specify masks that control the order in which ACL rules are checked. ACL rules matching the first entry in the mask are checked first. Rules matching subsequent entries in the mask are then checked in the specified order. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egress ACL.
CLI – This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of precedence to look for a match in the ACL entries. The first entry matching a mask is applied to the inbound packet. Console(config)#access-list ip mask-precedence in Console(config-ip-mask-acl)#mask host any Console(config-ip-mask-acl)#mask 255.255.255.
Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types. Or use a bitmask to search for specific protocol port(s) or TCP control code(s). Then click Add.
Configuring a MAC ACL Mask This mask defines the fields to check in the packet header. Command Usage You must configure a mask for an ACL rule before you can bind it to a port. Command Attributes • Source/Destination Address Type – Use “Any” to match any address, “Host” to specify the host address for a single node, or “MAC” to specify a range of addresses. (Options: Any, Host, MAC; Default: Any) • Source/Destination Bit Mask – Address of rule must match this bitmask.
CLI – This example shows how to create an ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress traffic, select the required ACL from the drop-down list, then click Apply. Figure 8-8 ACL Port Binding CLI – This example assigns an IP and MAC ingress ACL to port 1, and an IP ingress ACL to port 2.
Chapter 9: Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name – Interface label. • Type – Indicates port type. (100BASE-TX, 100BASE-BX, 1000BASE-T, or SFP) • Admin Status – Shows if the interface is enabled or disabled. • Oper Status – Indicates if the link is Up or Down.
Field Attributes (CLI) Basic information: • Port type – Indicates port type. (100BASE-TX, 100BASE-BX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 4-8.) Configuration: • Name – Interface label. • Port admin – Shows if the interface is enabled or disabled (i.e., up or down). • Speed-duplex – Shows the current speed and duplex mode.
CLI – This example shows the connection status for Port 5.
- 100full - Supports 100 Mbps full-duplex operation - 1000full - Supports 1 Gbps full-duplex operation - Sym (Gigabit only) - Check this item to transmit and receive pause frames, or clear it to auto-negotiate the sender and receiver for asymmetric pause frames. (The current switch chip only supports symmetric pause frames.
Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply. Figure 9-2 Port - Port Configuration CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/13 Console(config-if)#description RD SW#13 Console(config-if)#shutdown . . . Console(config-if)#no shutdown Console(config-if)#no negotiation Console(config-if)#speed-duplex 100half . . .
Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to 12 trunks. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
Statically Configuring a Trunk Command Usage • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
CLI – This example creates trunk 1 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch to form a trunk.
Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-28) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply. Figure 9-4 LACP Trunk Configuration CLI – The following example enables LACP for ports 1 to 6.
Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. • However, if the “port channel” Admin Key is set (page 4-142), then the port Admin Key must be set to the same value for a port to be allowed to join a channel group.
Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
CLI – The following example configures LACP parameters for ports 1-10. Ports 1-8 are used as active members of the LAG, ports 9 and 10 are set to backup mode. Console(config)#interface ethernet 1/1 Console(config-if)#lacp actor system-priority 3 Console(config-if)#lacp actor admin-key 120 Console(config-if)#lacp actor port-priority 128 Console(config-if)#exit . . .
Displaying LACP Port Counters You can display statistics for LACP protocol messages.
Table 9-1 LACP Port Counters
Parameter | Description
LACPDUs Sent | Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received | Number of valid LACPDUs received by this channel group.
Marker Sent | Number of valid Marker PDUs transmitted from this channel group.
Marker Received | Number of valid Marker PDUs received by this channel group.
Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation.
Table 9-2 LACP Internal Configuration Information
Field | Description
Oper Key | Current operational value of the key for the aggregation port.
Admin Key | Current administrative value of the key for the aggregation port.
LACPDUs Interval | Number of seconds before invalidating received LACPDU information.
Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 9-7 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation.
Table 9-3 LACP Neighbor Configuration Information
Field | Description
Partner Admin System ID | LAG partner’s system ID assigned by the user.
Partner Oper System ID | LAG partner’s system ID assigned by the LACP protocol.
Partner Admin Port Number | Current administrative value of the port number for the protocol Partner.
CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
• Threshold – Broadcast rate above which the port starts dropping broadcast traffic, in packets per second. (Options: 500-262143 packets per second; Default: 500 pps) • Trunk – Shows if port is a trunk member. Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold, and click Apply. Figure 9-9 Port Broadcast Control CLI – Specify any interface, and then enter the threshold.
Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner. (Figure: source port(s) mirrored to a single target port.) Command Usage • Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
9 Port Configuration Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
Showing Port Statistics 9 CLI - This example sets the rate limit for input and output traffic passing through port 1 to 60 Mbps. Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 60 Console(config-if)#rate-limit output 60 Console(config-if)# 24-1 27-1 Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
9 Port Configuration Table 9-4 Port Statistics (Continued) Parameter Description Transmit Multicast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent.
Showing Port Statistics 9 Table 9-4 Port Statistics (Continued) Parameter Description RMON Statistics Drop Events The total number of events in which packets were dropped due to lack of resources. Jabbers The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error. Received Bytes Total number of bytes of data received on the network.
9 Port Configuration Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
Showing Port Statistics 9 CLI – This example shows statistics for port 12.
9 9-26 Port Configuration
Chapter 10: Address Table Settings
Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
Setting Static Addresses
A static address can be assigned to a specific interface on this switch.
CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#
Displaying the Address Table
The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch.
Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query.
Figure 10-2 Dynamic Addresses
CLI – This example also displays the address table entries for port 1.
Changing the Aging Time
You can set the aging time for entries in the dynamic address table.
Command Attributes
• Aging Status – Enables/disables the aging function.
• Aging Time – The time after which a learned entry is discarded. (Range: 10-1000000 seconds; Default: 300 seconds)
Web – Click Address Table, Address Aging. Specify the new aging time, and click Apply.
Figure 10-3 Address Aging
CLI – This example sets the aging time to 400 seconds.
Chapter 11: Spanning Tree Algorithm The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups. Using multiple spanning trees can provide multiple forwarding paths and enable load balancing.
Displaying Global Settings
You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen.
Field Attributes
• Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network.
• Instance – Instance identifier of this spanning tree. (This is always 0 for the CIST.)
• VLANs configuration – VLANs assigned to the CIST.
• Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
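The root election rule above (lowest numeric priority wins, lowest MAC breaks ties) as an added example, not code from the manual or the switch; it reads bridge IDs in the priority.instance.MAC notation the show spanning-tree output prints, enforces the documented priority range and step, and includes a check an operator can run to notice when the elected root is not the bridge they intended.

```python
"""Root bridge election as described in the manual: the bridge with the
highest priority (lowest numeric value) wins, and equal priorities are
broken by the lowest MAC address. Bridge IDs use the priority.instance.MAC
notation of the switch's show output (e.g. 32768.0.0000E8AAAA00)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

PRIORITY_STEP = 4096      # configurable priorities are multiples of 4096
PRIORITY_MAX = 61440      # documented range 0-61440

_BRIDGE_ID_RE = re.compile(r"^(\d+)\.(\d+)\.([0-9A-Fa-f]{12})$")


@dataclass(frozen=True)
class BridgeId:
    priority: int
    instance: int
    mac: int              # 48-bit MAC address as an integer

    @property
    def election_key(self) -> tuple[int, int]:
        # Lower tuple wins: numeric priority first, MAC as the tie-breaker.
        return (self.priority, self.mac)

    def __str__(self) -> str:
        return f"{self.priority}.{self.instance}.{self.mac:012X}"


def parse_bridge_id(text: str) -> BridgeId:
    """Parse 'priority.instance.MAC' and validate the priority against the
    documented range and step, so a value such as 32769 is rejected."""
    m = _BRIDGE_ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed bridge ID: {text!r}")
    priority, instance, mac_hex = int(m.group(1)), int(m.group(2)), m.group(3)
    if priority % PRIORITY_STEP or not 0 <= priority <= PRIORITY_MAX:
        raise ValueError(
            f"priority {priority} is not a multiple of {PRIORITY_STEP} in 0-{PRIORITY_MAX}")
    return BridgeId(priority, instance, int(mac_hex, 16))


def elect_root(bridges: Iterable[BridgeId]) -> BridgeId:
    """Return the bridge the STA election rule picks as root."""
    candidates = list(bridges)
    if not candidates:
        raise ValueError("no bridges to elect from")
    return min(candidates, key=lambda b: b.election_key)


def designated_root_from_show(show_output: str) -> Optional[BridgeId]:
    """Pull the 'Designated root:' value out of show spanning-tree text."""
    m = re.search(r"Designated root:\s*(\S+)", show_output)
    return parse_bridge_id(m.group(1)) if m else None


def root_change_alert(expected: BridgeId, observed: BridgeId) -> Optional[str]:
    """Operator's check: the root should be the bridge that was chosen.
    Any other bridge winning (it only needs a lower priority, or a lower MAC
    at equal priority) bends every path towards it, so report it."""
    if observed == expected:
        return None
    if observed.election_key < expected.election_key:
        reason = "better election key"
    else:
        reason = "expected root not participating"
    return f"root changed from {expected} to {observed} ({reason})"


if __name__ == "__main__":
    # Constructed sample: two default-priority bridges using MACs from the
    # manual's show output, plus one bridge deliberately set to priority 4096.
    ids = [parse_bridge_id(s) for s in
           ("32768.0.0000E8AAAA00", "32768.0.0030F1D473A0", "4096.0.00E0299434DE")]
    print("root:", elect_root(ids))
    print(root_change_alert(ids[2], elect_root(ids[:2])))
```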
CLI – This command displays global STA settings, followed by settings for each port.
Console#show spanning-tree
Spanning-tree information
--------------------------------------------------------------
Spanning tree mode: MSTP
Spanning tree enable/disable: enable
Instance: 0
Vlans configuration: 1-4093
Priority: 32768
Bridge Hello Time (sec.): 2
Bridge Max Age (sec.): 20
Bridge Forward Delay (sec.): 15
Root Hello Time (sec.): 2
Root Max Age (sec.): 20
Root Forward Delay (sec.
Configuring Global Settings
Global settings apply to the entire switch.
Command Usage
• Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
address will then become the root device. (Note that lower numeric values indicate higher priority.)
• Default: 32768
• Range: 0-61440, in steps of 4096
• Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440
Root Device Configuration
• Hello Time – Interval (in seconds) at which the root device transmits a configuration message.
• Default: 2
• Minimum: 1
• Maximum: The lower of 10 or [(Max.
Configuration Settings for MSTP
• Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. (Default: 65)
• Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table. In other words, this key is a mapping of all VLANs to the CIST.
• Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0)
• Region Name – The name for this MSTI.
Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
• Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree.
• Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port.
• Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface.
These additional parameters are only displayed for the CLI:
• Admin status – Shows if this interface is enabled.
• External path cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.)
• Internal path cost – The path cost for the MST.
CLI – This example shows the STA attributes for port 5.
Console#show spanning-tree ethernet 1/5
Eth 1/ 5 information
--------------------------------------------------------------
Admin status: enabled
Role: disable
State: discarding
External admin path cost: 10000
Internal admin cost: 10000
External oper path cost: 10000
Internal oper path cost: 10000
Priority: 128
Designated cost: 10000
Designated port: 128.1
Designated root: 32768.0.0000E8AAAA00
Designated bridge: 32768.
The following interface attributes can be configured:
• Spanning Tree – Enables/disables STA on this interface. (Default: Enabled)
• Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
• Admin Link Type – The link type attached to this interface.
- Point-to-Point – A connection to exactly one other bridge.
- Shared – A connection to two or more bridges.
- Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the default setting.
Configuring Multiple Spanning Trees
MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance. By default all VLANs are assigned to the Internal Spanning Tree (MST Instance 0) that connects all bridges and LANs within the MST region.
Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
Figure 11-5 MSTP VLAN Configuration
CLI – This displays STA settings for instance 1, followed by settings for each port.
--------------------------------------------------------------
Eth 1/ 7 information
--------------------------------------------------------------
Admin status: enabled
Role: master
State: forwarding
External admin path cost: 10000
Internal admin path cost: 10000
External oper path cost: 10000
Internal oper path cost: 10000
Priority: 128
Designated cost: 0
Designated port: 128.1
Designated root: 32768.1.0030F1D473A0
Designated bridge: 32768.1.
Displaying Interface Settings for MSTP
The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
Field Attributes
• MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0)
The other attributes are described under “Displaying Interface Settings,” page 11-10.
Web – Click Spanning Tree, MSTP, Port Information or Trunk Information.
--------------------------------------------------------------
Eth 1/ 1 information
--------------------------------------------------------------
Admin status: enabled
Role: root
State: forwarding
External admin path cost: 10000
Internal admin path cost: 10000
External oper path cost: 10000
Internal oper path cost: 10000
Priority: 128
Designated cost: 0
Designated port: 128.4
Designated root: 32768.0.0000E8AAAA00
Designated bridge: 32768.0.
Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
• Default: 128
• Range: 0-240, in steps of 16
• Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
Chapter 12: VLAN Configuration IEEE 802.1Q VLANs In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks. This also provides a more secure and cleaner network environment. An IEEE 802.
Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing them on to any end-node host that does not support VLAN tagging.
[Figure: tagged frames pass between VLAN-aware (VA) devices; untagged frames are delivered to VLAN-unaware (VU) hosts]
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways.
these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.
Enabling or Disabling GVRP (Global Setting)
GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network. GVRP must be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. (Default: Disabled)
Web – Click VLAN, 802.
CLI – Enter the following command.
Command Attributes (CLI)
• VLAN – ID of configured VLAN (1-4093, no leading zeroes).
• Type – Shows how this VLAN was added to the switch.
- Dynamic: Automatically learned via GVRP.
- Static: Added as a static entry.
• Name – Name of the VLAN (1 to 32 characters).
• Status – Shows if this VLAN is enabled or disabled.
- Active: VLAN is operational.
- Suspend: VLAN is suspended; i.e., does not pass packets.
• Ports / Channel groups – Shows the VLAN interface members.
Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.
Figure 12-4 VLAN Static List - Creating VLANs
CLI – This example creates a new VLAN.
Console(config)#vlan database
Console(config-vlan)#vlan 2 name R&D media ethernet state active
Console(config-vlan)#end
Console#show vlan
VLAN ID: Type: Name: Status: Ports/Port Channels:
. . .
Command Attributes
• VLAN – ID of configured VLAN (1-4093).
• Name – Name of the VLAN (1 to 32 characters).
• Status – Enables or disables the specified VLAN.
- Enable: VLAN is operational.
- Disable: VLAN is suspended; i.e., does not pass packets.
• Port – Port identifier.
• Trunk – Trunk identifier.
• Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk:
- Tagged: Interface is a member of the VLAN.
CLI – The following example adds tagged and untagged ports to VLAN 2.
Configuring VLAN Behavior for Interfaces
You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.
Command Usage
• GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60)
• GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group.
CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing. However, the SPVLAN tag is not added when it is sent out the tunnel port on the edge switch into the customer’s network. The packet is sent as a normal IEEE 802.
5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.
Layer 2 Flow for Packets Coming into an Uplink Port
An uplink port receives one of the following packets:
• Untagged
• One tag (CVLAN or SPVLAN)
• Double tag (CVLAN + SPVLAN)
The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory.
Configuration Limitations for QinQ
• The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out. Another reason is that it would cause non-customer packets to be forwarded into the SPVLAN.
Adding an Interface to a QinQ Tunnel
Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Use the VLAN Port Configuration or VLAN Trunk Configuration screen to set the ingress port on the edge switch to dot1Q tunnel mode. Also set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
CLI – This example sets port 2 to tunnel mode, indicates that the TPID used for 802.1Q tagged frames will be 9100 hexadecimal, and enables address monitor mode to pass traffic between the management VLANs and the tunnel port.
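The tag handling described in the QinQ sections above (the three packet kinds an uplink port can receive, the outer SPVLAN tag pushed at the tunnel port and stripped on an untagged SPVLAN member, and the configurable TPID) as an added example in Python, not code from the manual or the switch. The frames, MAC addresses and VLAN IDs are constructed for the demonstration; the TPID values 0x8100 and 0x9100 are the ones the text mentions.

```python
"""802.1Q / QinQ frame handling as the manual describes it for a tunnel
port: an outer service-provider tag (SPVLAN) is pushed in front of the
customer frame and stripped again when the frame leaves an untagged member
of the SPVLAN. The TPID recognised on the tunnel port is configurable."""
from __future__ import annotations

import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100
TPID_9100 = 0x9100            # nonstandard TPID used in the manual's CLI example
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Tag:
    tpid: int
    pcp: int                  # 3-bit priority code point
    dei: int                  # drop eligible indicator
    vid: int                  # 12-bit VLAN ID


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    tags: tuple[Tag, ...]     # outermost tag first
    ethertype: int
    payload: bytes


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def _tci(tag: Tag) -> int:
    return (tag.pcp << 13) | (tag.dei << 12) | (tag.vid & 0x0FFF)


def build_frame(dst: bytes, src: bytes, tags: tuple[Tag, ...],
                ethertype: int, payload: bytes) -> bytes:
    out = bytearray(dst + src)
    for tag in tags:
        out += struct.pack("!HH", tag.tpid, _tci(tag))
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def parse_frame(raw: bytes, tpids: tuple[int, ...] = (TPID_8021Q,)) -> Frame:
    """Peel every leading tag whose TPID is in `tpids`. A tag carrying a TPID
    that is not configured is not recognised as a tag at all and shows up as
    the ethertype, which is why the tunnel port TPID must match the client."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    off, tags = 12, []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", raw, off)
        if etype in tpids and len(raw) >= off + 4:
            (tci,) = struct.unpack_from("!H", raw, off + 2)
            tags.append(Tag(etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
            off += 4
            continue
        break
    return Frame(raw[:6], raw[6:12], tuple(tags), etype, raw[off + 2:])


def classify(frame: Frame) -> str:
    """The three cases the manual lists for an uplink port."""
    return {0: "untagged", 1: "one tag", 2: "double tag"}.get(len(frame.tags), "over-tagged")


def push_outer_tag(raw: bytes, spvlan: int, tpid: int = TPID_8021Q, pcp: int = 0) -> bytes:
    """Tunnel-port ingress: add the SPVLAN tag ahead of whatever the customer
    frame already carries; the customer's own tag is left untouched."""
    outer = struct.pack("!HH", tpid, _tci(Tag(tpid, pcp, 0, spvlan)))
    return raw[:12] + outer + raw[12:]


def pop_outer_tag(raw: bytes, tpids: tuple[int, ...] = (TPID_8021Q,)) -> bytes:
    """Egress on an untagged member of the SPVLAN: strip only the outermost tag."""
    (etype,) = struct.unpack_from("!H", raw, 12)
    if etype not in tpids:
        return raw                # nothing recognised to strip
    return raw[:12] + raw[16:]


if __name__ == "__main__":
    # Constructed customer frame: one CVLAN tag (VID 100) carrying an IPv4 payload.
    customer = build_frame(mac("00-e0-29-94-34-de"), mac("00-00-e8-aa-aa-00"),
                           (Tag(TPID_8021Q, 0, 0, 100),), ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    tunnelled = push_outer_tag(customer, spvlan=3, tpid=TPID_9100)
    print(classify(parse_frame(tunnelled, (TPID_8021Q, TPID_9100))))   # double tag
    print(classify(parse_frame(tunnelled)))                             # untagged: 0x9100 not configured
```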
Configuring Uplink and Downlink Ports
Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
Web – Click VLAN, Private VLAN, Link Status. Mark the ports that will serve as uplinks and downlinks for the private VLAN, then click Apply.
Command Usage
To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use (page 6). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
2. Create a protocol group for each of the protocols you want to assign to a VLAN using the Protocol VLAN Configuration page.
3.
Mapping Protocols to VLANs
Map a protocol group to a VLAN for each interface that will participate in the group.
Command Usage
• When creating a protocol-based VLAN, only assign interfaces using this configuration screen. If you assign interfaces using any of the other VLAN menus such as the VLAN Static Table (page 7) or VLAN Static Membership by Port menu (page 9), these interfaces will admit traffic of any protocol type into the associated VLAN.
CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 3.
Chapter 13: Class of Service Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.
Figure 13-1 Default Port Priority
CLI – This example assigns a default priority of 5 to port 3.
Mapping CoS Values to Egress Queues
This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.
Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply.
Figure 13-2 Traffic Classes
CLI – The following example shows how to change the CoS assignments to a one-to-one mapping.
Selecting the Queue Mode
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue.
Setting the Service Weight for Traffic Classes
This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3, the traffic classes are mapped to one of the eight egress queues provided for each port. You can assign a weight to each of these queues (and thereby to the corresponding traffic priorities).
CLI – The following example shows how to assign WRR weights to each of the priority queues.
Console(config)#queue bandwidth 1 3 5 7 9 11 13 15
Console(config)#exit
Console#show queue bandwidth
Information of Eth 1/1
Queue ID Weight
-------- ------
0        1
1        3
2        5
3        7
4        9
5        11
6        13
7        15
Information of Eth 1/2
Queue ID Weight
. . .
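The two queue modes described above (strict priority versus WRR with the weights from the queue bandwidth example) as an added simulation, not code from the manual or the switch. It serves a constructed backlog in both modes so the difference is visible: under strict mode the low queues get no service at all while the high queue stays busy, under WRR each queue receives its weight's share per round.

```python
"""Egress scheduling as the manual describes it: strict priority always
drains the highest non-empty queue first; WRR visits every queue in turn and
serves up to its weight per round. Weights are the manual's example
(queue bandwidth 1 3 5 7 9 11 13 15)."""
from __future__ import annotations

from typing import Sequence

PAGE_WEIGHTS = (1, 3, 5, 7, 9, 11, 13, 15)


def service_share(weights: Sequence[int]) -> list[float]:
    """Fraction of service time each queue gets under WRR when all are busy."""
    total = sum(weights)
    return [w / total for w in weights]


def strict_schedule(backlog: Sequence[int], slots: int) -> tuple[list[int], list[int]]:
    """Serve `slots` packets, always from the highest non-empty queue.
    Returns (packets served per queue, sequence of queue ids served)."""
    remaining, served, order = list(backlog), [0] * len(backlog), []
    for _ in range(slots):
        q = next((i for i in range(len(remaining) - 1, -1, -1) if remaining[i]), None)
        if q is None:
            break                     # everything drained
        remaining[q] -= 1
        served[q] += 1
        order.append(q)
    return served, order


def wrr_schedule(backlog: Sequence[int], weights: Sequence[int],
                 slots: int) -> tuple[list[int], list[int]]:
    """Serve `slots` packets round-robin, at most `weight` packets per queue
    per round, skipping queues that are empty. Returns (served per queue, order)."""
    if len(backlog) != len(weights):
        raise ValueError("one weight per queue")
    remaining, served, order = list(backlog), [0] * len(backlog), []
    while len(order) < slots and any(remaining):
        for q, weight in enumerate(weights):
            for _ in range(weight):
                if len(order) >= slots or not remaining[q]:
                    break
                remaining[q] -= 1
                served[q] += 1
                order.append(q)
    return served, order


def starved_queues(backlog: Sequence[int], served: Sequence[int]) -> list[int]:
    """Queues that had traffic waiting but never received a slot."""
    return [q for q, (b, s) in enumerate(zip(backlog, served)) if b and not s]


if __name__ == "__main__":
    backlog = [50] * 8                # constructed: every queue saturated
    s_served, _ = strict_schedule(backlog, 64)
    w_served, _ = wrr_schedule(backlog, PAGE_WEIGHTS, 64)
    print("strict:", s_served, "starved:", starved_queues(backlog, s_served))
    print("wrr   :", w_served, "starved:", starved_queues(backlog, w_served))
```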
Web – Click Priority, IP Precedence/DSCP Priority Status. Select Disabled, IP Precedence or IP DSCP from the scroll-down menu, then click Apply.
Figure 13-5 IP Precedence/DSCP Priority Status
CLI – The following example enables IP Precedence service on the switch.
Web – Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in the Class of Service Value field, and then click Apply.
Figure 13-6 IP Precedence Priority
CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
Mapping DSCP Priority
The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces the ToS bits, but it retains backward compatibility with the three precedence bits so that non-DSCP compliant, ToS-enabled devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP default values are defined in the following table.
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
Web – Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Apply.
Figure 13-9 IP Port Priority
CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic (on port 1) to CoS value 0, and then displays the IP Port Priority settings.
Chapter 14: Quality of Service The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence, DSCP values, or VLAN lists.
6. Use the “Service Policy” to assign a policy map to a specific interface.
Configuring a Class Map
A class map is used for matching packets to a specified class.
Command Usage
• To configure a Class Map, follow these steps:
- Open the Class Map page, and click Add Class.
- When the Class Configuration page opens, fill in the “Class Name” field, and click Add.
Match Class Settings
• Class Name – List of class maps.
• ACL List – Name of an access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters)
• IP DSCP – A DSCP value. (Range: 0-63)
• IP Precedence – An IP Precedence value. (Range: 0-7)
• VLAN – A VLAN. (Range: 1-4093)
• Add – Adds specified criteria to the class. Up to 16 items are permitted per class.
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
Figure 14-1 Configuring Class Maps
CLI – This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
Creating QoS Policies
This function creates a policy map that can be attached to multiple interfaces.
Command Usage
• To configure a Policy Map, follow these steps:
- Create a Class Map as described on page 14-2.
- Open the Policy Map page, and click Add Policy.
- When the Policy Configuration page opens, fill in the “Policy Name” field, and click Add.
- When the Policy Rule Settings page opens, select a class name from the scroll-down list (Class Name field).
Policy Rule Settings - Class Settings
• Class Name – Name of class map.
• Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 14-2).
• Meter – The maximum throughput and burst rate.
- Rate (kbps) – Rate in kilobits per second.
- Burst (byte) – Burst in bytes.
Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes.
CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
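An added example, not the manual's or the switch's code, of the two places this guide applies a rate: the interface rate limit from "Configuring Rate Limits" (non-conforming packets dropped) and the policy-map meter above (rate in kbps, burst in bytes, violating packets re-marked to DSCP 0). It assumes a single-rate token bucket as the metering model and the DSCP/precedence bit layout from "Mapping DSCP Priority"; the packet timings and sizes are constructed.

```python
"""Token-bucket policing for the manual's two rate controls: the per-interface
rate limit (excess dropped) and the policy-map meter (rate in kbps, burst in
bytes; the manual's example re-marks violating packets to DSCP 0). A single-rate
token bucket is assumed as the model; it is not the switch's own implementation."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class TokenBucket:
    rate_kbps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)       # bucket starts full

    @property
    def bytes_per_second(self) -> float:
        return self.rate_kbps * 1000 / 8

    def conforms(self, size: int, now: float) -> bool:
        """Refill for the elapsed time, then spend tokens if enough are present."""
        if now < self.last_t:
            raise ValueError("timestamps must be non-decreasing")
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last_t) * self.bytes_per_second)
        self.last_t = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


@dataclass(frozen=True)
class Packet:
    t: float          # arrival time in seconds
    size: int         # bytes on the wire
    tos: int          # IPv4 ToS / DS byte


def dscp_of(tos: int) -> int:
    return tos >> 2               # DSCP occupies the upper six bits


def precedence_of(tos: int) -> int:
    return tos >> 5               # the three legacy precedence bits sit inside the DSCP


def with_dscp(tos: int, dscp: int) -> int:
    return ((dscp & 0x3F) << 2) | (tos & 0x03)   # keep the two low (ECN) bits


def rate_limit(packets: Iterable[Packet], rate_mbps: int, burst_bytes: int) -> list[Packet]:
    """Interface rate limit: forward conforming packets, drop the rest."""
    bucket = TokenBucket(rate_mbps * 1000, burst_bytes)
    return [p for p in packets if bucket.conforms(p.size, p.t)]


def police_remark(packets: Iterable[Packet], rate_kbps: int, burst_bytes: int,
                  violate_dscp: int = 0) -> list[Packet]:
    """Policy-map meter: forward everything, but rewrite the DSCP of packets
    that exceed the meter (DSCP 0 in the manual's example)."""
    bucket = TokenBucket(rate_kbps, burst_bytes)
    out = []
    for p in packets:
        tos = p.tos if bucket.conforms(p.size, p.t) else with_dscp(p.tos, violate_dscp)
        out.append(Packet(p.t, p.size, tos))
    return out


if __name__ == "__main__":
    # Constructed burst: three 1000-byte packets at t=0 marked DSCP 3, one more 10 ms later.
    pkts = [Packet(0.0, 1000, 3 << 2) for _ in range(3)] + [Packet(0.01, 1000, 3 << 2)]
    print([dscp_of(p.tos) for p in police_remark(pkts, 1000, 1522)])   # [3, 0, 0, 3]
```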
Chapter 15: Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/ router.
15 Multicast Filtering Layer 2 IGMP (Snooping and Query) IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and IGMP Query (page 15-3) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.
Layer 2 IGMP (Snooping and Query) 15 Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 15-8). Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
15 Multicast Filtering • IGMP Query Timeout — The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired. (Range: 300-500 seconds, Default: 300) • IGMP Version — Sets the protocol version for compatibility with other devices on the network. (Range: 1-3; Default: 3) Notes: 1. All systems on the subnet must support the same version. 2.
Layer 2 IGMP (Snooping and Query) 15 Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
15 Multicast Filtering Specifying Static Interfaces for a Multicast Router Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/ switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
Layer 2 IGMP (Snooping and Query) 15 Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast service. Command Attribute • VLAN ID – Selects the VLAN for which to display port members. • Multicast IP Address – The IP address for a specific multicast service. • Multicast Group Port List – Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service.
15 Multicast Filtering Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 15-3. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
Multicast VLAN Registration 15 Multicast VLAN Registration Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
Configuring Global MVR Settings
The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN.
CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
Console(config)#ip igmp snooping
Console(config)#mvr
Console(config)#mvr group 228.1.23.1 10
Console(config)#
Displaying MVR Interface Status
You can display information about the interfaces attached to the MVR VLAN.
Field Attributes
• Type – Shows the MVR port type.
• Oper Status – Shows the link status.
• MVR Status – Shows the MVR status.
Configuring MVR Interface Status
Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
Command Usage
• One or more interfaces may be configured as MVR source ports.
• MVR receiver ports cannot be members of a trunk.
Web – Click MVR, Port Configuration or Trunk Configuration.
Figure 15-8 MVR Port Configuration
CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port.
Displaying Port Members of Multicast Groups
You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration.
Field Attributes
• Group IP – Multicast groups assigned to the MVR VLAN.
• Group Port List – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN.
Web – Click MVR, Group IP Information.
Assigning Static Multicast Groups to Interfaces
For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces.
Command Usage
• Any multicast groups that use the MVR VLAN must be statically assigned to it under the MVR Configuration menu (see “Configuring Global MVR Settings” on page 15-10).
• The IP address range from 224.0.0.0 to 239.255.255.
Chapter 16: Domain Name Service
The Domain Name System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.
Figure 16-1 DNS General Configuration
CLI – This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.
Console(config)#ip domain-name sample.com
Console(config)#ip domain-list sample.
Configuring Static DNS Host to Address Entries
You can manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Command Usage
• Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
• Servers or other network devices may support one or more connections via multiple IP addresses.
Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.
Figure 16-2 DNS Static Host Table
CLI – This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#ip host rd6 10.1.0.55
Console#show hosts
Hostname rd5
Inet address 10.1.0.55 192.168.1.55
Alias 1.
Displaying the DNS Cache
You can display entries in the DNS cache that have been learned via the designated name servers.
Field Attributes
• No – The entry number for each resource record.
• Flag – The flag is always “4”, indicating a cache entry (learned, not configured) and therefore unreliable.
• Type – This field includes CNAME, which specifies the canonical or primary name for the owner, and ALIAS, which specifies multiple domain names which are mapped to the same IP address as an existing entry.
CLI – This example displays all the resource records learned from the designated name servers.
Console#show dns cache
NO  FLAG  TYPE   IP              TTL    DOMAIN
0   4     CNAME  207.46.134.222  51     www.
1   4     CNAME  207.46.134.190  51
2   4     CNAME  207.46.134.155  51
3   4     CNAME  207.46.249.222  51
4   4     CNAME  207.46.249.27   51
5   4     ALIAS  POINTER TO:4    51
6   4     CNAME  207.46.68.27    71964
7   4     ALIAS  POINTER TO:6    71964
8   4     CNAME  65.54.131.192   605
9   4     ALIAS  POINTER TO:8    605
10  4     CNAME  165.193.72.190  87
Console#
Section III: Command Line Interface
This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
Overview of Command Line Interface 17-1
General Commands 18-1
System Management Commands 19-1
SNMP Commands
Chapter 17: Overview of Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).
Using the Command Line Interface
Accessing the CLI
When accessing the management interface for the switch over a direct connection to the switch’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
Note: The IP address for this switch is obtained via DHCP by default. To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet. For example,
Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.254 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
The command “show interfaces ?” will display the following information:
Console#show interfaces ?
  counters        Information of interfaces counters
  protocol-vlan   Protocol-vlan information
  status          Information of interfaces status
  switchport      Information of interfaces switchport
Console#
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.)
Understanding Command Modes
The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.
Username: guest
Password: [guest login password]
CLI session with the Layer 2 Ethernet Metro Access Switch is opened.
To end the CLI session, enter [Exit].
Console>enable
Password: [privileged level password]
Console#
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted; use copy running-config startup-config to store them in non-volatile memory.
To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
Command Groups
The system commands can be broken down into the functional groups shown below.
The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
NE (Normal Exec)
GC (Global Configuration)
IC (Interface Configuration)
LC (Line Configuration)
MST (Multiple Spanning Tree)
PE (Privileged Exec)
PM (Policy Map Configuration)
VC (VLAN Database Configuration)
Chapter 18: General Commands These commands are used to control the command access mode, configuration mode, and other basic functions.
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands
disable (18-2)
enable password (21-3)
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics.
Example
Console#configure
Console(config)#
Related Commands
end (18-4)
show history
This command shows the contents of the command history buffer.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
reload
This command restarts the system.
Note: When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
This command resets the entire system.
Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
Example
This example shows how to return to the Privileged Exec mode from the Interface Configuration mode:
Console(config-if)#end
Console#
exit
This command returns to the previous configuration mode or exits the configuration program.
Example
This example shows how to quit a CLI session:
Console#quit
Press ENTER to start session
User Access Verification
Username:
Chapter 19: System Management Commands These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Example
Console(config)#hostname RD#1
Console(config)#
System Status Commands
This section describes commands used to display system information.
• IP address
• Layer 4 precedence settings
• Spanning tree settings
• Any configured settings for the console port and Telnet
Example
Console#show startup-config
building startup-config, please wait.....
!00
!01_00-12-cf-21-dc-e0_01
! phymap 00-12-cf-21-dc-e0
! SNTP server 0.0.0.0 0.0.0.0 0.0.0.
show running-config
This command displays the configuration information currently in use.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes.
Example
Console#show running-config
building running-config, please wait.....
!00
!01_00-12-cf-21-dc-e0_01
! phymap 00-12-cf-21-dc-e0
! SNTP server 0.0.0.0 0.0.0.0 0.0.0.
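The two commands above are what you compare to find out whether the running configuration has been saved, and they are also the natural place to review the settings described elsewhere in this guide. The following Python script is an added example, not code from this manual or from Edge-core: it takes configuration text written in the command syntax this guide uses (the constructed samples embedded in it are not the switch's actual dump format, which begins with the "!00" header lines shown above), lists the differences between running and startup configurations, and flags the weak settings a reviewer would look for: the factory-default community strings, a read-write community, notification hosts that are not SNMPv3, plain-text (type 0) line passwords, a console line with no silent-time, and the absence of remote logging, SNTP, or any SNMPv3 user. The "version 3" keyword on snmp-server host is an assumption about the syntax, which this guide does not show in full.

```python
"""Audit switch configuration text in the command syntax of this guide (added example)."""
from typing import Dict, List, Set, Tuple

# Factory-default community strings named in the SNMP chapter of this guide.
DEFAULT_COMMUNITIES: Set[str] = {"public", "private"}

# Constructed sample: a weak running configuration (not a real switch dump).
WEAK_RUNNING = """\
hostname RD#1
!
snmp-server
snmp-server community public ro
snmp-server community alpha rw
snmp-server host 192.168.1.19 alpha
!
line console
 login local
 password 0 secret
 silent-time 0
"""
# Constructed: the startup-config this running-config diverged from.
WEAK_STARTUP = WEAK_RUNNING.replace("snmp-server community alpha rw\n", "")

# Constructed: the same switch after hardening ("version 3 priv" is an assumed host syntax).
HARDENED_RUNNING = """\
hostname RD#1
!
snmp-server
snmp-server community mon-ro ro
snmp-server user nms-user nms-group v3 auth sha Auth-Passw0rd priv des56 Priv-Passw0rd
snmp-server host 192.168.1.19 nms-user version 3 priv
logging host 192.168.1.20
sntp client
sntp server 192.168.1.10
!
line console
 login local
 password 7 1b2c3d4e
 silent-time 300
"""


def normalize(config: str) -> List[str]:
    """Command lines of a configuration, without '!' comment lines, blanks or indentation."""
    return [l.strip() for l in config.splitlines() if l.strip() and not l.strip().startswith("!")]


def unsaved_changes(running: str, startup: str) -> Tuple[List[str], List[str]]:
    """Commands only in running-config (lost on reboot) and only in startup-config (return on reboot)."""
    run, start = set(normalize(running)), set(normalize(startup))
    return sorted(run - start), sorted(start - run)


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (rule, offending line) pairs for the weak settings described in this guide."""
    findings: List[Tuple[str, str]] = []
    has_snmp = has_v3_user = has_syslog = has_sntp = False
    block = None                               # current "line console" / "line vty" block
    block_has_silent: Dict[str, bool] = {}
    for line in normalize(config):
        words = line.split()
        if words[0] == "line":
            block = line
            block_has_silent[block] = False
        elif line == "snmp-server" or line.startswith("snmp-server community "):
            has_snmp = True
            if words[1:2] == ["community"]:
                name, access = words[2], (words[3] if len(words) > 3 else "ro")
                if name in DEFAULT_COMMUNITIES:
                    findings.append(("default-community", line))
                if access == "rw":
                    findings.append(("rw-community", line))
        elif line.startswith("snmp-server host ") and "version 3" not in line:
            findings.append(("v1v2c-notifications", line))   # v1 is the default per the guide
        elif line.startswith("snmp-server user ") and " v3" in line:
            has_v3_user = True
        elif line.startswith("logging host "):
            has_syslog = True
        elif line == "sntp client":
            has_sntp = True
        elif block is not None and words[0] == "password" and words[1:2] == ["0"]:
            findings.append(("plaintext-password", f"{block}: {line}"))
        elif block is not None and words[0] == "silent-time" and len(words) > 1 and int(words[1]) > 0:
            block_has_silent[block] = True
    for blk, ok in block_has_silent.items():
        if not ok:                             # default is no lockout after failed logins
            findings.append(("no-silent-time", blk))
    if has_snmp and not has_v3_user:
        findings.append(("no-snmpv3-user", "snmp-server"))
    if not has_syslog:
        findings.append(("no-remote-syslog", "logging host"))
    if not has_sntp:
        findings.append(("no-sntp", "sntp client"))
    return findings
```

Run audit_config on a pasted configuration and unsaved_changes on the running and startup copies; a finding of "no-silent-time" for the console block, for example, points at the silent-time command in the Line Commands section of this chapter.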
show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
• For a description of the items shown by this command, refer to “Displaying System Information” on page 4-1.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.
Example
Console#show system
System Description: 24 port Ethernet Metro Access Switch*
System OID String: 1.3.6.1.4.1.
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Example
Console#show version
Unit 1
 Serial Number:          0000E8900000
 Hardware Version:       R01
 EPLD Version:           0.01
 Number of Ports:        29
Agent (Master)
 Unit ID:                1
 Loader Version:         1.0.0.1
 Boot ROM Version:       1.0.0.7
 Operation Code Version: 1.0.1.7
Console#
System Mode Commands
This section describes commands used to configure the switch to operate in normal mode or QinQ mode.
Example
Console(config)#system mode qinq
Console(config)#
Related Commands
show system mode (19-9)
show system mode
This command displays the switch system mode.
Command Mode
Privileged Exec
Command Usage
The system mode displays as QinQ or Normal mode.
jumbo frame
This command enables support for extended frame sizes on Fast Ethernet and Gigabit Ethernet ports. Use the no form to disable it.
Syntax
[no] jumbo frame
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames on Gigabit Ethernet ports of up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.
system mtu
This command sets the maximum transfer unit for traffic crossing the switch. Use the no form to restore the default settings.
Syntax
system mtu {FE-size | jumbo GE-size}
no system mtu
• FE-size - Specifies the MTU size for Fast Ethernet ports. (Range: 1500-1546 bytes)
• GE-size - Specifies the jumbo frame size (MTU) for Gigabit Ethernet ports.
Example
Console#show system mtu
System MTU size is 1500 bytes
System Jumbo MTU size is 1500 bytes
Console#
File Management Commands
Managing Firmware
Firmware can be uploaded and downloaded to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
copy
This command copies (uploads or downloads) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the TFTP server and the quality of the network connection. Note that TFTP provides neither authentication nor encryption: a configuration file in transit (which can contain community strings and passwords) and a downloaded code image can both be read or substituted by anyone on the path, so confine transfers to a trusted management network and confirm the loaded image with show version afterwards.
• The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
• For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate” on page 6-6. For information on configuring the switch to use HTTPS for a secure connection, see “ip http secure-server” on page 21-12.
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
This example shows how to copy a secure-site certificate from a TFTP server.
Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Config.cfg” cannot be deleted.
Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Console#delete test2.cfg
Console#
Related Commands
dir (19-16)
delete public-key (21-20)
dir
This command displays a list of files in flash memory.
Example
The following example shows how to display all file information:
Console#dir
File name                   File type       Startup  Size (byte)
--------------------------- --------------- -------  -----------
Unit1:
D1.0.0.7.bix                Boot-Rom Image  Y        1159752
V1.0.1.7.bix                Operation Code  Y        3542608
Factory_Default_Config.cfg  Config File     N        526
startup1.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• If the file contains an error, it cannot be set as the default file.
Line Commands
You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
Example
To enter console line mode, enter the following command:
Console(config)#line console
Console(config-line)#
Related Commands
show line (19-27)
show users (19-7)
login
This command enables password checking at login.
Example
Console(config-line)#login local
Console(config-line)#
Related Commands
username (21-2)
password (19-21)
password
This command specifies the password for a line. Use the no form to remove the password.
Syntax
password {0 | 7} password
no password
• {0 | 7} - 0 means plain password, 7 means encrypted password
• password - Character string that specifies the line password.
timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.
Command Usage
• If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
• This command applies to both the local console and Telnet connections.
• The timeout for Telnet cannot be disabled.
• Using the command without specifying a timeout restores the default setting.
silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
Syntax
silent-time [seconds]
no silent-time
seconds - The number of seconds to disable console response. (Range: 0-65535; 0: no silent-time)
Default Setting
The default value is no silent-time. Because the default imposes no delay after the threshold is exceeded, set a non-zero silent time if you want repeated password guessing against the console to be slowed down.
Example
To specify 7 data bits, enter this command:
Console(config-line)#databits 7
Console(config-line)#
Related Commands
parity (19-25)
parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
Default Setting
auto
Command Mode
Line Configuration
Command Usage
Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. If you select the “auto” option, the switch will automatically detect the baud rate configured on the attached terminal, and adjust the speed accordingly.
Command Mode
Privileged Exec
Command Usage
Specifying session identifier “0” will disconnect the console connection. Specifying any other identifier for an active session will disconnect an SSH or Telnet connection.
Example
Console#disconnect 1
Console#
Related Commands
show ssh (21-22)
show users (19-7)
show line
This command displays the terminal line’s parameters.
Syntax
show line [console | vty]
• console - Console terminal line.
Event Logging Commands
This section describes commands used to configure event logging on the switch.
logging history
This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
Syntax
logging history {flash | ram} level
no logging history {flash | ram}
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
• level - One of the levels listed below.
logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
Syntax
[no] logging host host_ip_address
host_ip_address - The IP address of a syslog server.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• Use this command more than once to build up a list of host IP addresses.
• The maximum number of host IP addresses allowed is five.
• Syslog messages are sent neither authenticated nor encrypted, so the servers should be reachable only over the management network; keeping the flash history enabled as well provides a local record if the remote copy is lost or tampered with.
logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Syntax
logging trap [level]
no logging trap
level - One of the syslog severity levels listed in the table on page 19-29. Messages sent include the selected level up through level 0.
Related Commands
show log (19-33)
show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax
show logging {flash | ram | sendmail | trap}
• flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
• ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
The following example displays settings for the trap function.
Console#show logging trap
Syslog logging: Enable
REMOTELOG status: disable
REMOTELOG facility type: local use 7
REMOTELOG level type: Debugging messages
REMOTELOG server IP address: 1.2.3.4
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.
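Both logging history and logging trap select messages by severity in the same way: the chosen level and every more severe level down to 0 are kept or forwarded, everything above is dropped. The following Python code is an added example, not part of this manual: it parses event entries in the format that show log displays (the `[n] hh:mm:ss yyyy-mm-dd "message" level: …` lines) and applies that selection rule, so you can check offline which of a set of entries a given level would have delivered to a syslog server. The sample log is constructed for the example; its two link-up entries copy the manual's own show log output, the other two messages and all module/function/event numbers are invented.

```python
"""Parse show-log entries and apply the severity selection of logging history / logging trap (added example)."""
import re
from typing import Dict, List

# Standard syslog severities, 0 (most severe) to 7 (debugging), the scale the guide's level table uses.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample in the show-log format. Entries [1] and [0] copy the manual's example;
# [3] and [2] are invented for illustration.
SAMPLE_LOG = """\
[3] 00:07:02 2001-01-01 "SNMP authentication failure from 192.0.2.7."
   level: 3, module: 5, function: 1, and event no.: 2
[2] 00:05:10 2001-01-01 "Unit 1, Port 3 link-down notification."
   level: 4, module: 5, function: 1, and event no.: 1
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.: 1
"""

# The message and its "level: ..." line may be split across lines, hence \s+ between the parts.
ENTRY_RE = re.compile(
    r'\[(?P<index>\d+)\]\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<date>\d{4}-\d\d-\d\d)\s+'
    r'"(?P<message>[^"]*)"\s+level:\s*(?P<level>\d+),\s*module:\s*(?P<module>\d+),'
    r'\s*function:\s*(?P<function>\d+),\s*and event no\.:\s*(?P<event>\d+)')


def parse_log(text: str) -> List[Dict[str, object]]:
    """Turn show-log text into a list of dicts with numeric fields and a severity name."""
    entries: List[Dict[str, object]] = []
    for m in ENTRY_RE.finditer(text):
        d: Dict[str, object] = m.groupdict()
        for key in ("index", "level", "module", "function", "event"):
            d[key] = int(d[key])
        d["severity"] = SEVERITY.get(int(d["level"]), "unknown")
        entries.append(d)
    return entries


def select_for_level(entries: List[Dict[str, object]], configured_level: int) -> List[Dict[str, object]]:
    """Entries kept by 'logging history ... level' or sent by 'logging trap level':
    the configured level and every more severe level down to 0."""
    return [e for e in entries if int(e["level"]) <= configured_level]


def count_by_severity(entries: List[Dict[str, object]]) -> Dict[str, int]:
    """Histogram of severity names, useful for a quick glance at what a level setting would drop."""
    counts: Dict[str, int] = {}
    for e in entries:
        name = str(e["severity"])
        counts[name] = counts.get(name, 0) + 1
    return counts
```

With the sample above, a trap level of 4 forwards only the authentication failure and the link-down entry; the informational link-up entries stay in local memory only if the history level is 6 or higher.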
Example
The following example shows the event messages stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.: 1
Console#
SMTP Alert Commands
These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
• To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
• To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again.
Default Setting
None
Command Mode
Global Configuration
Command Usage
You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
Example
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#
logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
Command Mode
Global Configuration
Example
Console(config)#logging sendmail
Console(config)#
show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
-----------------------------------------------
192.168.1.19
SMTP minimum severity level: 7
SMTP destination email addresses
-----------------------------------------------
ted@this-company.
sntp client
This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests.
Syntax
[no] sntp client
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The time acquired from time servers is used to record accurate dates and times for log events.
sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list.
Syntax
sntp server [ip1 [ip2 [ip3]]]
ip - IP address of a time server (NTP or SNTP). (Range: 1 - 3 addresses)
Default Setting
None
Command Mode
Global Configuration
Command Usage
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode.
Example
Console(config)#sntp poll 60
Console#
Related Commands
sntp client (19-38)
show sntp
This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).
Command Usage
This command sets the local time zone relative to Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
show calendar
This command displays the system clock.
Chapter 20: SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
snmp-server
This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.
Syntax
[no] snmp-server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#snmp-server
Console(config)#
show snmp
This command can be used to check the status of SNMP communications.
Example
Console#show snmp
SNMP Agent: enabled
SNMP traps:
 Authentication: enable
 Link-up-down: enable
SNMP communities:
 1. private, and the privilege is read-write
 2.
• private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
Command Mode
Global Configuration
Command Usage
A community string is the only credential for SNMP version 1 and 2c access and is carried in clear text in every request, so replace the factory defaults (public and private), and grant rw only to stations that actually need to modify the switch.
Example
Console(config)#snmp-server community alpha rw
Console(config)#
snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.
Command Mode
Global Configuration
Example
Console(config)#snmp-server location WC-19
Console(config)#
Related Commands
snmp-server contact (20-4)
snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
• SNMP Version: 1
• UDP Port: 162
Command Mode
Global Configuration
Command Usage
• If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
• The snmp-server host command is used in conjunction with the snmp-server enable traps command.
supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications.
• If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. If you use the V3 “auth” or “priv” options, the user name must first be defined with the snmp-server user command.
conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 20-11).
Example
Console(config)#snmp-server enable traps link-up-down
Console(config)#
Related Commands
snmp-server host (20-5)
snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
• A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 20-14).
Example
Console(config)#snmp-server engine-id local 12345
Console(config)#snmp-server engineID remote 54321 192.168.1.
snmp-server view
This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
Syntax
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
• view-name - Name of an SNMP view. (Range: 1-64 characters)
• oid-tree - Object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. (Refer to the examples.)
• included - Defines an included view.
show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: permanent
Row Status: active

View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active
Console#
Table 20-3 show snmp view - display description
Field Description
View Name Name of an SNMP view.
Subtree OID A branch in the MIB tree.
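A view such as the ones above is applied object by object when a request arrives: every included or excluded subtree that matches the requested OID is found, and the most specific one decides. The following Python code is an added example, not the switch's implementation: it models that decision following the rule of RFC 3415 (the SNMP View-based Access Control Model) that the matching entry with the longest subtree wins, and uses `*` to mark a masked sub-identifier as this guide's wildcard. The subtrees in the sample view are standard MIB-2 object identifiers chosen for illustration; the view itself and its purpose (hide the ARP cache, expose the interface table for one interface only) are mine.

```python
"""Decide whether an OID is visible through an SNMP view of included/excluded subtrees (added example)."""
from typing import List, Optional, Tuple


class ViewEntry:
    """One subtree of a view. A '*' in a position masks that sub-identifier (wildcard)."""

    def __init__(self, subtree: str, included: bool):
        self.subtree = subtree.strip(".").split(".")
        self.included = included

    def matches(self, oid: List[str]) -> bool:
        # The OID must be at least as long as the subtree and agree in every unmasked position.
        if len(oid) < len(self.subtree):
            return False
        return all(s == "*" or s == o for s, o in zip(self.subtree, oid))

    def specificity(self) -> Tuple[int, Tuple]:
        # RFC 3415 picks the longest matching subtree; on equal length the lexicographically
        # greater one, which here ranks a literal sub-identifier above a wildcard.
        return (len(self.subtree),
                tuple((0, 0) if s == "*" else (1, int(s)) for s in self.subtree))


def best_match(entries: List[ViewEntry], oid: List[str]) -> Optional[ViewEntry]:
    """The entry that decides access for this OID, or None if no subtree matches."""
    candidates = [e for e in entries if e.matches(oid)]
    return max(candidates, key=ViewEntry.specificity) if candidates else None


def is_in_view(entries: List[ViewEntry], oid_str: str) -> bool:
    """True if the most specific matching entry is an included one; no match means not visible."""
    entry = best_match(entries, oid_str.strip(".").split("."))
    return entry is not None and entry.included


# Constructed view for illustration: all of MIB-2, but hide the ARP cache table
# (ipNetToMediaTable) and expose the interface table only for ifIndex 1.
RESTRICTED_VIEW = [
    ViewEntry("1.3.6.1.2.1", included=True),            # mib-2
    ViewEntry("1.3.6.1.2.1.4.22", included=False),      # ipNetToMediaTable
    ViewEntry("1.3.6.1.2.1.2.2", included=False),       # ifTable
    ViewEntry("1.3.6.1.2.1.2.2.1.*.1", included=True),  # ifEntry.<any column>.1
]
```

Note what the model makes visible: defaultview in the output above has subtree OID 1 and is included, so a group using it as its write view can set any writable object in the whole MIB; a narrower included subtree with targeted exclusions, as in the sample, is the shape of a least-privilege view.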
Default Setting
• Default groups: public (read only), private (read/write)
• readview - Every object belonging to the Internet OID space (1.3.6.1).
• writeview - Nothing is defined.
• notifyview - Nothing is defined.
Command Mode
Global Configuration
Command Usage
• A group sets the access policy for the assigned users.
• When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#
Table 20-4 show snmp group - display description
snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
Syntax
snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]}
no snmp-server user username {v1 | v2c | v3 | remote}
• username - Name of user connecting to the SNMP agent.
need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.
Example
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
Console(config)#
show snmp user
This command shows information on SNMP users.
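To make the relationship between the snmp-server view, snmp-server group and snmp-server user commands concrete, the following Python is a small model of how an agent decides whether a user may read, write or receive notifications for a given OID. It is an added example and not Edge-Core code: the view names readview/writeview/notifyview, the group r&d and the user steve follow the manual, while the wildcard character `*` standing for one OID sub-identifier and the rule that the longest matching subtree decides (as in the standard VACM model of RFC 3415) are assumptions.

```python
"""Toy model of SNMP view, group and user resolution.

Added example, not code from the switch. Assumptions: '*' masks one
OID sub-identifier (the manual only says wild cards may mask part of the
OID string), and when several subtrees of a view match an OID the longest
one decides, as in the standard VACM model (RFC 3415).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class View:
    """An SNMP view: ordered (oid_tree, included) entries."""
    name: str
    entries: List[Tuple[List[str], bool]] = field(default_factory=list)

    def add(self, oid_tree: str, included: bool) -> None:
        self.entries.append((oid_tree.split("."), included))

    def allows(self, oid: str) -> bool:
        """True if the most specific matching subtree is an included one.
        An OID that matches no subtree is outside the view."""
        parts = oid.split(".")
        best: Optional[Tuple[int, bool]] = None
        for tree, included in self.entries:
            if len(tree) > len(parts):
                continue
            if all(t == "*" or t == p for t, p in zip(tree, parts)):
                if best is None or len(tree) > best[0]:
                    best = (len(tree), included)
        return best is not None and best[1]


@dataclass
class Group:
    """Access policy: which view applies to reads, writes and notifications."""
    name: str
    readview: Optional[str] = None
    writeview: Optional[str] = None
    notifyview: Optional[str] = None


class Agent:
    def __init__(self) -> None:
        self.views: Dict[str, View] = {}
        self.groups: Dict[str, Group] = {}
        self.users: Dict[str, str] = {}  # username -> group name

    # The three methods mirror the three configuration commands.
    def snmp_server_view(self, name: str, oid_tree: str, included: bool) -> None:
        self.views.setdefault(name, View(name)).add(oid_tree, included)

    def snmp_server_group(self, name, readview=None, writeview=None, notifyview=None) -> None:
        self.groups[name] = Group(name, readview, writeview, notifyview)

    def snmp_server_user(self, username: str, groupname: str) -> None:
        self.users[username] = groupname

    def may(self, username: str, operation: str, oid: str) -> bool:
        """operation is 'read', 'write' or 'notify'. Unknown users, unknown
        groups and unassigned views all deny, which is the safe default."""
        group = self.groups.get(self.users.get(username, ""))
        if group is None:
            return False
        viewname = {"read": group.readview, "write": group.writeview,
                    "notify": group.notifyview}[operation]
        view = self.views.get(viewname) if viewname else None
        return view is not None and view.allows(oid)


def demo_agent() -> Agent:
    """Constructed configuration: group r&d reads mib-2 except the ip
    group and any '<group>.2' object; no write view is defined, which is
    the manual's default."""
    agent = Agent()
    agent.snmp_server_view("mib-2", "1.3.6.1.2.1", included=True)
    agent.snmp_server_view("mib-2", "1.3.6.1.2.1.4", included=False)
    agent.snmp_server_view("mib-2", "1.3.6.1.2.1.*.2", included=False)  # wildcard entry
    agent.snmp_server_group("r&d", readview="mib-2")
    agent.snmp_server_user("steve", "r&d")
    return agent
```

Note how the excluded entries win over the broader included one only because they are longer; a view built this way fails closed for anything outside 1.3.6.1.2.1, and a user whose group has no write view cannot set anything at all.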
Chapter 21: User Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
username
This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
Syntax
username name {access-level level | nopassword | password {0 | 7} password}
no username name
• name - The name of the user. (Maximum length: 8 characters, case sensitive.
enable password
After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
Syntax
enable password [level level] {0 | 7} password
no enable password [level level]
• level level - Level 15 for Privileged Exec. (Levels 0-14 are not used.
Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Example
Console(config)#authentication login radius
Console(config)#
Related Commands
username - for setting the local user names and passwords (21-2)
authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 18-1). Use the no form to restore the default.
RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Example
Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green
Console(config)#
radius-server port
This command sets the RADIUS server network port. Use the no form to restore the default.
Syntax
radius-server port port_number
no radius-server port
port_number - RADIUS server UDP port used for authentication messages.
radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
radius-server retransmit number_of_retries
no radius-server retransmit
number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Example
Console#show radius-server
Remote RADIUS server configuration:
Global settings:
Communication key with RADIUS server: *****
Server port number: 1812
Retransmit times: 2
Request timeout: 5
Server 1:
Server IP address: 192.168.1.
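The key parameter in the radius-server host example above is the RADIUS shared secret. The following Python is an added example (not the switch's own code) of the two things that secret does on the wire according to RFC 2865: it hides the User-Password attribute in an Access-Request, and it lets the client verify the server's reply through the Response Authenticator. The secret green follows the manual's example; the user name, password and the fixed request authenticator used for the check are constructed here.

```python
"""RADIUS shared-secret mechanics (RFC 2865), as an added illustration.

Not the switch's own code. The secret 'green' follows the manual's
example; user name, password and the fixed request authenticator are
constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
USER_NAME = 1
USER_PASSWORD = 2
REPLY_MESSAGE = 18


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous cipher block), seeded with the request
    authenticator. This only hides the password from casual observers;
    anyone holding the secret can reverse it, so the secret must be long,
    random and carried over a trusted path."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1-128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (what the server does). Trailing NUL
    padding is removed, so passwords must not end in a NUL byte."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type | Length | Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, password, authenticator=None):
    """Code(1) | Identifier | Length | Request Authenticator(16) | attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(secret, authenticator, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(secret, code, request, attrs=b""):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    digest = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + digest + attrs


def verify_response(secret, request, response) -> bool:
    """Client side: accept a reply only if its authenticator was computed
    with our secret over our own request authenticator. Without the
    secret a forged Access-Accept fails this check."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The comparison in verify_response is constant-time, and the identifier check ties the reply to the outstanding request; both are cheap and both are things a home-grown client tends to forget.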
Command Mode
Global Configuration
Example
Console(config)#tacacs-server host 192.168.1.25
Console(config)#
tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
Syntax
tacacs-server port port_number
no tacacs-server port
port_number - TACACS+ server TCP port used for authentication messages.
show tacacs-server
This command displays the current settings for the TACACS+ server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show tacacs-server
Remote TACACS server configuration:
Server IP address: 10.11.12.13
Communication key with TACACS server: *****
Server port number: 49
Console#
Web Server Commands
This section describes commands used to configure web browser management access to the switch.
Example
Console(config)#ip http port 769
Console(config)#
Related Commands
ip http server (21-12)
ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
• When you start HTTPS, the connection is established in this way:
- The client authenticates the server using the server’s digital certificate.
- The client and server negotiate a set of security protocols to use for the connection.
- The client and server generate session keys for encrypting and decrypting data.
• The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x and Netscape Navigator 6.
• If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number
Example
Console(config)#ip http secure-port 1000
Console(config)#
Related Commands
ip http secure-server (21-12)
Telnet Server Commands
This section describes commands used to configure Telnet management access to the switch.
Secure Shell Commands
This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
Note: The switch supports both SSH Version 1.5 and 2.0 clients.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
stored on the switch can access it. The following exchanges take place during this process:
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client.
d.
Example
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#
Related Commands
ip ssh crypto host-key generate (21-20)
show ssh (21-22)
ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.
Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation.
ip ssh authentication-retries
This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.
Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count – The number of authentication attempts permitted after which the interface is reset.
delete public-key
This command deletes the specified user’s public key.
Syntax
delete public-key username [dsa | rsa]
• username – Name of an SSH user. (Range: 1-8 characters)
• dsa – DSA public key type.
• rsa – RSA public key type.
Default Setting
Deletes both the DSA and RSA key.
Command Mode
Privileged Exec
Example
Console#delete public-key admin dsa
Console#
ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Related Commands
ip ssh crypto zeroize (21-21)
ip ssh save host-key (21-21)
ip ssh crypto zeroize
This command clears the host key from memory (i.e. RAM).
Syntax
ip ssh crypto zeroize [dsa | rsa]
• dsa – DSA key type.
• rsa – RSA key type.
Default Setting
Clears both the DSA and RSA key.
Command Mode
Privileged Exec
Command Usage
• This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
Example
Console#ip ssh save host-key dsa
Console#
Related Commands
ip ssh crypto host-key generate (21-20)
show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.
Command Mode
Privileged Exec
Example
Console#show ip ssh
SSH Enabled - version 2.0
Negotiation timeout: 120 secs; Authentication retries: 3
Server key size: 768 bits
Console#
show ssh
This command displays the current SSH server connections.
Table 21-11 show ssh - display description (Continued)
Field        Description
Encryption   The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES. Options for SSHv2.
Example
Console#show public-key host
Host:
RSA:
1024 65537 13236940658254764031382795526536375927835525327972629521130241
0719421061655759424590939236096954050362775257556251003866130989393834523
1033280214988866192159556859887989191950588394018138744046890877916030583
7768185490002831341625008348718449522087429212255691665655296328163516964
0408315547660664151657116381
DSA:
ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc
YV44sXZ2JXhamLK6P8bvuiyacW
dot1x system-auth-control
This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
Syntax
[no] dot1x system-auth-control
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dot1x system-auth-control
Console(config)#
dot1x default
This command sets all configurable dot1x global and port settings to their default values.
dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
• auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
• force-authorized – Configures the port to grant access to all clients, either dot1x-aware or otherwise.
Command Usage
• The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command (page 4-105).
• In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
Command Usage
• The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
• The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command. The default is 3600 seconds.
Default
3600 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#
dot1x timeout tx-period
This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.
Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds.
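The port-control, operation-mode and re-authentication rules spelled out in the preceding command descriptions combine into a single port authorization state. The following Python is an added model of that state (not Edge-Core code) driven by the outcome of the RADIUS exchange. It simplifies on purpose: EAP traffic is reduced to success/failure/logoff events, max-count in multi-host mode is taken to be the number of distinct MACs admitted through an authorized port, and single-host mode admits only the MAC that passed authentication; these readings are assumptions.

```python
"""Simplified model of dot1x port-control, operation-mode and
re-authentication behaviour.

Added example, not the switch's code. Assumptions: the RADIUS exchange is
reduced to success/failure events; in multi-host mode max_count is the
number of distinct MACs admitted through an authorized port; single-host
mode admits only the MAC that passed authentication.
"""
from typing import Optional, Set


class Dot1xPort:
    def __init__(self, port_control: str = "auto",
                 operation_mode: str = "single-host",
                 max_count: int = 5, reauth_period: int = 3600) -> None:
        assert port_control in ("auto", "force-authorized", "force-unauthorized")
        assert operation_mode in ("single-host", "multi-host")
        self.port_control = port_control
        self.operation_mode = operation_mode
        self.max_count = max_count
        self.reauth_period = reauth_period
        self.authorized = False              # port authorization state
        self.auth_mac: Optional[str] = None  # supplicant that passed
        self.hosts: Set[str] = set()         # MACs admitted (multi-host)
        self.last_auth: Optional[int] = None

    # --- events from the authentication process -------------------------
    def eap_success(self, mac: str, now: int = 0) -> None:
        """The supplicant passed RADIUS authentication."""
        if self.port_control != "auto":
            return                           # forced states ignore EAP results
        self.authorized = True
        self.auth_mac = mac
        self.hosts = {mac}
        self.last_auth = now

    def eap_failure(self, mac: str) -> None:
        """Authentication or re-authentication failed, or EAPOL-Logoff was
        received: the port becomes unauthorized for every attached host."""
        if self.port_control != "auto":
            return
        if self.operation_mode == "single-host" and mac != self.auth_mac:
            return                           # an unrelated MAC cannot deauthorize the port
        self.authorized = False
        self.auth_mac = None
        self.hosts.clear()

    eapol_logoff = eap_failure

    def reauth_due(self, now: int) -> bool:
        """True once reauth_period seconds have passed since the last success."""
        return (self.port_control == "auto" and self.authorized
                and self.last_auth is not None
                and now - self.last_auth >= self.reauth_period)

    # --- data-plane decision --------------------------------------------
    def allows(self, mac: str) -> bool:
        """May a frame from this source MAC enter the network?"""
        if self.port_control == "force-authorized":
            return True
        if self.port_control == "force-unauthorized" or not self.authorized:
            return False
        if self.operation_mode == "single-host":
            return mac == self.auth_mac
        if mac in self.hosts:
            return True
        if len(self.hosts) < self.max_count:
            self.hosts.add(mac)              # ride on the authenticated host
            return True
        return False                         # over max-count: denied
```

The multi-host branch is where the security trade-off sits: one authenticated supplicant opens the port for every other device behind it, and one logoff closes it for all of them, exactly as the command usage above warns.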
Command Usage
This command displays the following information:
• Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch.
• 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items:
- Status – Administrative state for port access control.
- Operation Mode – Allows single or multiple hosts (page 21-26).
• Backend State Machine
- State – Current state (including request, response, success, fail, timeout, idle, initialize).
- Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
- Identifier(Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
• Reauthentication State Machine
- State – Current state (including initialize, reauthenticate).
Example
Console#show dot1x
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name  Status    Operation Mode  Mode             Authorized
1/1        disabled  Single-Host     ForceAuthorized  n/a
1/2        disabled  Single-Host     ForceAuthorized  n/a
. . .
1/47       disabled  Single-Host     ForceAuthorized  yes
1/48       enabled   Single-Host     Auto             yes
802.1X Port Details
802.1X is enabled on port 1/1
. . .
802.
Management IP Filter Commands
This section describes commands used to configure IP management access to the switch.
Example
This example restricts management access to the indicated addresses.
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
Console#
show management
This command displays the client IP addresses that are allowed management access to the switch through various protocols.
Chapter 22: Client Security Commands
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options for providing client security are supported by this switch.
port security
This command enables or configures port security. Use the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses.
Example
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
Related Commands
shutdown (24-6)
mac-address-table static (28-1)
IP Source Guard Commands
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynami
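The port security command above has two tunables, the maximum number of allowed addresses and the response to a violation. The following Python is an added model (not the switch's code) of how those two interact on a port: addresses are learned up to the limit, and the first frame from an address beyond it is the violation. The action names none, trap and shutdown are assumptions built from the example and the show output in this manual (trap, None, and the related shutdown command); the assumption that over-limit frames are dropped whatever the action is likewise labelled in the code.

```python
"""Model of the port security feature: a port learns up to a fixed
number of source MAC addresses and treats any further address as a
violation handled by the configured action.

Added example, not the switch's code. Assumptions: the actions are
'none', 'trap' and 'shutdown' (the manual's example uses trap and its
show output displays None); frames from addresses over the limit are
dropped whatever the action.
"""
from typing import List, Set


class SecuredPort:
    def __init__(self, max_mac_count: int = 1, action: str = "none") -> None:
        assert action in ("none", "trap", "shutdown")
        self.max_mac_count = max_mac_count
        self.action = action
        self.learned: Set[str] = set()   # secured source addresses
        self.shutdown = False
        self.traps: List[str] = []       # trap messages "sent" to the SNMP manager

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        src_mac = src_mac.lower()
        if self.shutdown:
            return "drop"                # port stays disabled until an admin re-enables it
        if src_mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_mac_count:
            self.learned.add(src_mac)    # learn a new address while under the limit
            return "forward"
        # Security violation: an address beyond the allowed count.
        if self.action == "trap":
            self.traps.append(f"port security violation on port: {src_mac}")
        elif self.action == "shutdown":
            self.shutdown = True
        return "drop"                    # assumption: over-limit frames are dropped

    def no_shutdown(self) -> None:
        """Administrative re-enable (the `no shutdown` interface command)."""
        self.shutdown = False
```

The shutdown action is the stronger response but it also takes the legitimate, already-learned hosts off the network until someone intervenes, which is why the trap action is the usual first choice on access ports.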
Command Mode
Interface Configuration (Ethernet)
Command Usage
• Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
• Setting source guard mode to “sip” or “sip-mac” enables this function on the selected port.
Example
This example enables IP source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#
Related Commands
ip source-guard binding (22-5)
ip dhcp snooping (22-7)
ip dhcp snooping vlan (22-9)
ip source-guard binding
This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
- If there is an entry with same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one.
- If there is an entry with same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
Example
This example configures a static source-guard binding on port 5.
DHCP Snooping Commands
DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
• When enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping, and static entries configured in the DHCP snooping table.
• Table entries are only learned for untrusted interfaces. Each entry includes a MAC address, IP address, lease time, entry type (Dynamic-DHCP-Binding, Static-DHCP-Binding), VLAN identifier, and port identifier.
Example
This example enables DHCP snooping globally for the switch.
Console(config)#ip dhcp snooping
Console(config)#
Related Commands
ip dhcp snooping vlan (22-9)
ip dhcp snooping trust (22-12)
ip dhcp snooping binding (22-10)
ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Related Commands
ip dhcp snooping (22-7)
ip dhcp snooping trust (22-12)
ip dhcp snooping binding (22-10)
ip dhcp snooping binding
This command adds a static address to the DHCP snooping binding table. Use the no form to remove an entry from the binding table.
Syntax
ip dhcp binding mac-address vlan vlan-id ip-address interface ethernet unit/port lease-time
no ip dhcp binding mac-address vlan vlan-id
• mac-address - A valid unicast MAC address.
- If there is a binding with same VLAN ID and MAC address, and the entry type is static IP source guard binding, static DHCP snooping binding, or dynamic DHCP snooping binding, the new entry will replace the old one.
• When the lease time for a dynamic or static DHCP binding entry expires, it is removed from the binding table.
Example
This example configures a static DHCP binding entry on port 5, and sets the lease time to make it a permanent entry.
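The ip source-guard binding and ip dhcp snooping binding commands above both write into one binding table, each with its own replacement rules, and the source-guard sip / sip-mac modes described earlier read from it. The following Python is an added model of that table and of the two filters that consult it; it is not Edge-Core code. Three points are assumptions rather than statements from the manual: a dynamically learned entry never overwrites a static one (the manual gives only the reverse), a lease_time of None stands for the permanent entry the DHCP binding example mentions, and DHCP server messages are accepted only on trusted ports, the usual meaning of the trust setting.

```python
"""Model of the shared binding table used by IP Source Guard and DHCP
snooping, with the replacement rules the two binding commands describe.

Added example, not the switch's code. Assumptions: a dynamically learned
DHCP entry never replaces a static one; lease_time None means a
permanent entry; DHCP server messages (OFFER/ACK/NAK) are accepted only
on trusted ports.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

STATIC_ISG = "Static-IP-Source-Guard-Binding"
STATIC_DHCP = "Static-DHCP-Binding"
DYNAMIC_DHCP = "Dynamic-DHCP-Binding"


@dataclass
class Binding:
    mac: str
    vlan: int
    ip: str
    port: str
    entry_type: str
    lease_time: Optional[int]   # seconds remaining; None = permanent


class BindingTable:
    def __init__(self) -> None:
        self.entries: Dict[Tuple[int, str], Binding] = {}

    @staticmethod
    def _key(vlan: int, mac: str) -> Tuple[int, str]:
        return vlan, mac.lower()

    def ip_source_guard_binding(self, mac, vlan, ip, port) -> None:
        """Static source-guard entry: replaces an existing static source
        guard or dynamic DHCP entry with the same VLAN and MAC."""
        self.entries[self._key(vlan, mac)] = Binding(mac.lower(), vlan, ip, port, STATIC_ISG, None)

    def ip_dhcp_snooping_binding(self, mac, vlan, ip, port, lease_time) -> None:
        """Static DHCP entry: replaces any existing entry with the same key."""
        self.entries[self._key(vlan, mac)] = Binding(mac.lower(), vlan, ip, port, STATIC_DHCP, lease_time)

    def learn(self, mac, vlan, ip, port, lease_time, port_trusted) -> bool:
        """Dynamic entry from a snooped DHCP ACK. Learned only on untrusted
        interfaces and (assumption) never over a static entry."""
        key = self._key(vlan, mac)
        if port_trusted:
            return False
        if key in self.entries and self.entries[key].entry_type != DYNAMIC_DHCP:
            return False
        self.entries[key] = Binding(mac.lower(), vlan, ip, port, DYNAMIC_DHCP, lease_time)
        return True

    def tick(self, seconds: int) -> None:
        """Age the leases; an entry whose lease expires is removed."""
        for key, b in list(self.entries.items()):
            if b.lease_time is not None:
                b.lease_time -= seconds
                if b.lease_time <= 0:
                    del self.entries[key]


def source_guard_permits(table, port, mode, vlan, src_ip, src_mac) -> bool:
    """mode is 'disabled', 'sip' (check source IP) or 'sip-mac' (check
    source IP and MAC). A packet passes only if a binding on this port
    and VLAN vouches for its source."""
    if mode == "disabled":
        return True
    for b in table.entries.values():
        if b.port != port or b.vlan != vlan or b.ip != src_ip:
            continue
        if mode == "sip-mac" and b.mac != src_mac.lower():
            continue
        return True
    return False


def dhcp_snooping_permits(port_trusted: bool, from_server: bool) -> bool:
    """Rogue-server protection: server-side DHCP messages are dropped on
    untrusted ports; client messages pass so that bindings can be learned."""
    return port_trusted or not from_server
```

The sip-mac mode is the one that stops a host from borrowing a neighbour's address while keeping its own MAC; plain sip only checks that the IP address belongs on this port.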
ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.
Command Mode
Global Configuration
Command Usage
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
Example
This example sets port 5 to untrusted.
Console(config)#interface ethernet 1/5
Console(config-if)#no ip dhcp snooping trust
Console(config-if)#
Related Commands
ip dhcp snooping (22-7)
ip dhcp snooping vlan (22-9)
ip dhcp snooping binding (22-10)
show ip dhcp snooping
This command shows the DHCP snooping configuration settings.
Chapter 23: Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port. This section describes the Access Control List commands.
access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl_name
• standard – Specifies an ACL that filters packets based on the source IP address.
• extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
• acl_name – Name of the ACL.
Default Setting
None
Command Mode
Standard IP ACL
Command Usage
• New rules are appended to the end of the list.
• Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
• precedence – IP precedence level. (Range: 0-7)
• tos – Type of Service level. (Range: 0-15)
• dscp – DSCP priority level. (Range: 0-63)
• sport – Protocol source port number. (Range: 0-65535)
• dport – Protocol destination port number. (Range: 0-65535)
• port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
• control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header.
Example
This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#
This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP).
access-list ip mask-precedence
This command changes to the IP Mask mode used to configure access control masks. Use the no form to delete the mask table.
Syntax
[no] access-list ip mask-precedence {in | out}
• in – Ingress mask for ingress ACLs.
• out – Egress mask for egress ACLs.
Default Setting
Default system mask: Filter inbound packets according to specified IP ACLs.
• destination-bitmask – Destination address of rule must match this bitmask.
• precedence – Check the IP precedence field.
• tos – Check the TOS field.
• dscp – Check the DSCP field.
• source-port – Check the protocol source port field.
• destination-port – Check the protocol destination port field.
• port-bitmask – Protocol port of rule must match this bitmask. (Range: 0-65535)
• control-flag – Check the field for control flags.
• flag-bitmask – Control flags of rule must match this bitmask.
This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255” rule has the higher precedence according to the “mask host any” entry.
Console(config)#access-list ip standard A2
Console(config-std-acl)#permit 10.1.1.0 255.255.255.0
Console(config-std-acl)#deny 10.1.1.1 255.255.255.
This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the Layer 4 source port is 23.
Console(config)#access-list ip extended A3
Console(config-ext-acl)#deny host 171.69.198.5 any
Console(config-ext-acl)#deny 171.69.198.0 255.255.255.0 any source-port 23
Console(config-ext-acl)#end
Console#show access-list
IP extended access-list A3:
deny host 171.69.198.5 any
deny 171.69.198.0 255.255.255.
This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
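The three preceding examples rest on two mechanisms: address bitmasks (1 bits match, 0 bits are ignored, compared after ANDing both the rule address and the packet address) and mask entries that reorder the rules ahead of their entry order. The following Python is an added toy evaluator for both, not code from the switch; it reproduces the A2 case (the deny host rule winning over an earlier permit because of a "mask host any" entry) and the SYN-bit case. Its assumptions are stated in the docstring: implicit deny when nothing matches, control-flag matching as (packet_flags & flag_bitmask) == (control_flags & flag_bitmask) with the standard TCP bit positions, and unmasked rules checked last in entry order.

```python
"""Toy evaluator for IP ACL rules and mask precedence.

Added example, not code from the switch. Assumptions: a packet matching
no rule is dropped (implicit deny); a control-flag rule matches when
(packet_flags & flag_bitmask) == (control_flags & flag_bitmask), with the
flag bits in their standard TCP positions (FIN=1, SYN=2, RST=4, PSH=8,
ACK=16, URG=32); rules that fit no mask entry are checked last, in the
order they were entered.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "0.0.0.0")


def addr_spec(text: str) -> Tuple[str, str]:
    """'any' | 'host A.B.C.D' | 'A.B.C.D BITMASK' -> (address, bitmask)."""
    parts = text.split()
    if parts == ["any"]:
        return ANY
    if parts[0] == "host":
        return parts[1], "255.255.255.255"
    return parts[0], parts[1]


def masked_match(packet_addr: str, spec: Tuple[str, str]) -> bool:
    """The bitmask is ANDed with the rule address and compared with the
    packet address masked the same way: 1 bits match, 0 bits are ignored."""
    rule_addr, bitmask = spec
    mask = int(ipaddress.IPv4Address(bitmask))
    return ((int(ipaddress.IPv4Address(packet_addr)) & mask)
            == (int(ipaddress.IPv4Address(rule_addr)) & mask))


@dataclass
class Rule:
    action: str                           # "permit" or "deny"
    src: str = "any"
    dst: str = "any"
    protocol: Optional[str] = None        # "tcp", "udp", ...
    dport: Optional[int] = None
    control_flags: Optional[int] = None   # required TCP flag bit values
    flag_bitmask: Optional[int] = None    # which flag bits to examine

    def matches(self, pkt: Dict) -> bool:
        if not masked_match(pkt["src"], addr_spec(self.src)):
            return False
        if not masked_match(pkt["dst"], addr_spec(self.dst)):
            return False
        if self.protocol and pkt.get("protocol") != self.protocol:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.control_flags is not None:
            if pkt.get("protocol") != "tcp":
                return False
            if (pkt.get("flags", 0) & self.flag_bitmask) != (self.control_flags & self.flag_bitmask):
                return False
        return True


def rule_fits_mask(rule: Rule, mask: Dict) -> bool:
    """A mask entry is a template over rule fields; `mask host any` is
    {'src_bitmask': '255.255.255.255', 'dst_any': True}."""
    if "src_bitmask" in mask and addr_spec(rule.src)[1] != mask["src_bitmask"]:
        return False
    if mask.get("dst_any") and addr_spec(rule.dst) != ANY:
        return False
    if "protocol" in mask and rule.protocol != mask["protocol"]:
        return False
    if mask.get("control_flag") and rule.control_flags is None:
        return False
    return True


class Acl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Rule] = []       # in entry order
        self.masks: List[Dict] = []       # in precedence order

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)           # new rules go to the end

    def add_mask(self, **template) -> None:
        self.masks.append(template)

    def ordered_rules(self) -> List[Rule]:
        """Masks override entry order: a rule fitting an earlier mask is
        checked first; unmasked rules keep their entry order at the end."""
        def key(item):
            index, rule = item
            for mi, mask in enumerate(self.masks):
                if rule_fits_mask(rule, mask):
                    return (mi, index)
            return (len(self.masks), index)
        return [r for _, r in sorted(enumerate(self.rules), key=key)]

    def evaluate(self, pkt: Dict) -> str:
        for rule in self.ordered_rules():
            if rule.matches(pkt):
                return rule.action
        return "deny"                     # implicit deny (assumption)
```

The practical lesson is the one the manual states: once a mask is bound, `show access-list` order and first-match order follow the mask, so a rule set has to be read together with its mask before you can say what it drops.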
Related Commands
mask (IP ACL) (23-6)
ip access-group
This command binds a port to an IP ACL. Use the no form to remove the port.
Syntax
[no] ip access-group acl_name in
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.
MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.
Example
Console(config)#access-list mac jerry
Console(config-mac-acl)#
Related Commands
permit, deny (23-13)
mac access-group (23-18)
show mac access-list (23-14)
permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
• address-bitmask – Bitmask for MAC address (in hexadecimal format).
• vid – VLAN ID. (Range: 1-4093)
• vid-bitmask – VLAN bitmask. (Range: 1-4093)
• protocol – A specific Ethernet protocol number. (Range: 600-fff hex.)
• protocol-bitmask – Protocol bitmask. (Range: 600-fff hex.)
Default Setting
None
Command Mode
MAC ACL
Command Usage
• New rules are added to the end of the list.
• The ethertype option can only be used to filter Ethernet II formatted packets.
Related Commands
permit, deny (23-13)
mac access-group (23-18)
access-list mac mask-precedence
This command changes to MAC Mask mode used to configure access control masks. Use the no form to delete the mask table.
Syntax
[no] access-list mac mask-precedence {in | out}
• in – Ingress mask for ingress ACLs.
• out – Egress mask for egress ACLs.
Default Setting
Default system mask: Filter inbound packets according to specified MAC ACLs.
• host – The address must be for a single node.
• source-bitmask – Source address of rule must match this bitmask.
• destination-bitmask – Destination address of rule must match this bitmask.
• vid – Check the VLAN ID field.
• vid-bitmask – VLAN ID of rule must match this bitmask.
• ethertype – Check the Ethernet type field.
• ethertype-bitmask – Ethernet type of rule must match this bitmask.
This example creates an Egress MAC ACL.
Console(config)#access-list mac M5
Console(config-mac-acl)#deny tagged-802.3 host 00-11-11-11-11-11 any
Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 ethertype 0806
Console(config-mac-acl)#end
Console#show access-list
MAC access-list M5:
deny tagged-802.
mac access-group
This command binds a port to a MAC ACL. Use the no form to remove the port.
Syntax
mac access-group acl_name in
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.
ACL Information
This section describes commands used to display ACL information.
Table 23-4 ACL Information Commands
Command            Function                                  Mode  Page
show access-list   Show all IP ACLs and associated rules     PE    23-19
show access-group  Shows the IP ACLs assigned to each port   PE    23-19
show access-list
This command shows all IP ACLs and associated rules.
Command Mode
Privileged Exec
Command Usage
Once the ACL is bound to an interface (i.e.
Chapter 24: Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
Command Mode
Global Configuration
Example
To specify port 4, enter the following command:
Console(config)#interface ethernet 1/4
Console(config-if)#
description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or a description to help you remember what is att
ached to this interface.
Default Setting
• Auto-negotiation is enabled by default.
• When auto-negotiation is disabled, the default speed-duplex setting is:
- Fast Ethernet ports – 100full (100 Mbps full-duplex)
- Gigabit Ethernet ports – 1000full (1 Gbps full-duplex)
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
Command Usage
• When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
• If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
Example
The following example configures port 11 to use auto-negotiation.
Command Usage
When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
Example
The following example configures Ethernet port 5 capabilities to 100half and 100full.
Example
The following example enables flow control on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#flowcontrol
Console(config-if)#no negotiation
Console(config-if)#
Related Commands
negotiation (24-3)
capabilities (flowcontrol, symmetric) (24-4)
media-type
This command forces the port type selected for combination ports 27-28. Use the no form to restore the default mode.
switchport packet-rate 24 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved. You may also want to disable a port for security reasons. Example The following example disables port 5.
24 Interface Commands switchport block This command prevents flooding of unknown unicast or multicast packets to an interface. Use the no form to restore the default setting. Syntax [no] switchport block {unicast | multicast} • unicast - Specifies unknown unicast packets. • multicast - Specifies unknown multicast packets. Command Mode Interface Configuration (Ethernet, Port Channel) Default Setting Unknown unicast and multicast packets are not blocked.
show interfaces status 24 Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset. Example The following example clears statistics on port 5.
24 Interface Commands Example
Console#show interfaces status ethernet 1/5
Information of Eth 1/5
 Basic information:
  Port type: 1000T
  Mac address: 00-30-F1-D4-73-A5
 Configuration:
  Name:
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 10half, 10full, 100half, 100full, 1000full
  Broadcast storm: Enabled
  Broadcast storm limit: 500 packets/second
  Flow control: Disabled
  LACP: Disabled
  Port security: Disabled
  Max MAC count: 0
  Port security action: None
  Media type: None
 Current status:
  Link status: Up
  Port operati
show interfaces switchport 24 Example
Console#show interfaces counters ethernet 1/7
Ethernet 1/7
 Iftable stats:
  Octets input: 30658, Octets output: 196550
  Unicast input: 6, Unicast output: 5
  Discard input: 0, Discard output: 0
  Error input: 0, Error output: 0
  Unknown protos input: 0, QLen output: 0
 Extended iftable stats:
  Multi-cast input: 0, Multi-cast output: 3064
  Broadcast input: 262, Broadcast output: 1
 Ether-like stats:
  Alignment errors: 0, FCS errors: 0
  Single Collision frames: 0, Multiple collision
24 Interface Commands Example This example shows the configuration setting for port 4.
Chapter 25: Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
25 Link Aggregation Commands Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP system priority. • Ports must have the same port admin key (Ethernet Interface). • If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
lacp 25 Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation. • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. • If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
25 Link Aggregation Commands lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority • actor - The local side of an aggregate link. • partner - The remote side of an aggregate link. • priority - This priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
lacp admin-key (Port Channel) 25 Default Setting 0 Command Mode Interface Configuration (Ethernet) Command Usage • Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured). • If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
25 Link Aggregation Commands • If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin key - Ethernet Interface) used by the interfaces that joined the group. Note that when the LAG is no longer used, the port channel admin key is reset to 0.
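The membership rules above (matching system priority, matching port admin key, matching port channel key when one is set, the null channel key taking the value of the first joining port's key, and the key resetting to 0 when the LAG empties), together with the full-duplex requirement from the lacp command, as an added Python model. This is an illustration written for this page, not the switch's own code; the port names and key values are constructed.

```python
"""Model of the LAG membership checks this guide describes for LACP.

Added example; not part of the switch firmware or the manual."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LacpPort:
    name: str                       # constructed label, e.g. "Eth 1/2"
    system_priority: int = 32768    # lacp actor system-priority (32768 in the page's output)
    admin_key: int = 0              # lacp admin-key (Ethernet Interface)
    full_duplex: bool = True        # LACP ports must be full duplex (forced or negotiated)


@dataclass
class PortChannel:
    channel_id: int
    admin_key: int = 0              # lacp admin-key (Port Channel); 0 is the null value
    members: List[LacpPort] = field(default_factory=list)

    def rejection_reason(self, port: LacpPort) -> Optional[str]:
        """Return why `port` may not join this channel, or None if it may."""
        if not port.full_duplex:
            return f"{port.name}: LACP requires full duplex"
        # (3) the port channel key must match, but only if one is configured
        if self.admin_key != 0 and port.admin_key != self.admin_key:
            return (f"{port.name}: port admin key {port.admin_key} "
                    f"!= channel admin key {self.admin_key}")
        for member in self.members:
            # (1) LACP system priority must match existing members
            if member.system_priority != port.system_priority:
                return f"{port.name}: system priority differs from {member.name}"
            # (2) LACP port admin key must match existing members
            if member.admin_key != port.admin_key:
                return f"{port.name}: port admin key differs from {member.name}"
        return None

    def join(self, port: LacpPort) -> bool:
        """Add `port` if the rules allow it; True on success."""
        if self.rejection_reason(port) is not None:
            return False
        if not self.members and self.admin_key == 0:
            # Channel formed with the null key: it adopts the port admin key
            # used by the interfaces that join the group.
            self.admin_key = port.admin_key
        self.members.append(port)
        return True

    def leave(self, port: LacpPort) -> None:
        """Remove `port`; when the LAG is no longer used, reset the key to 0."""
        self.members.remove(port)
        if not self.members:
            self.admin_key = 0


def form_channel(channel_id: int, ports: List[LacpPort]) -> PortChannel:
    """Try to aggregate `ports` into one channel, skipping any that fail the checks."""
    channel = PortChannel(channel_id)
    for port in ports:
        channel.join(port)
    return channel


if __name__ == "__main__":
    # Constructed sample: two matching ports, one with a different key,
    # one with a different system priority, one half-duplex.
    candidates = [
        LacpPort("Eth 1/1", admin_key=3),
        LacpPort("Eth 1/2", admin_key=3),
        LacpPort("Eth 1/3", admin_key=4),
        LacpPort("Eth 1/4", system_priority=100, admin_key=3),
        LacpPort("Eth 1/5", admin_key=3, full_duplex=False),
    ]
    ch = form_channel(1, candidates)
    print("channel key:", ch.admin_key, "members:", [p.name for p in ch.members])
    for p in candidates:
        reason = ch.rejection_reason(p)
        if reason and p not in ch.members:
            print("rejected:", reason)
```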
show lacp 25 show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sys-id}
• port-channel - Local identifier for a link aggregation group. (Range: 1-32)
• counters - Statistics for LACP protocol messages.
• internal - Configuration settings and operational state for local side.
• neighbors - Configuration settings and operational state for remote side.
• sys-id - Summary of system priority and MAC address for all channel groups.
25 Link Aggregation Commands
Console#show lacp 1 internal
Port channel: 1
------------------------------------------------------------------------
Oper Key: 3
Admin Key: 0
Eth 1/ 2
------------------------------------------------------------------------
LACPDUs Internal: 30 sec
LACP System Priority: 32768
LACP Port Priority: 32768
Admin Key: 3
Oper Key: 3
Admin State: defaulted, aggregation, long timeout, LACP-activity
Oper State: distributing, collecting, synchronization, aggregation, long timeout, LACP-ac
show lacp 25
Console#show lacp 1 neighbors
Port channel 1 neighbors
------------------------------------------------------------------------
Eth 1/1
------------------------------------------------------------------------
Partner Admin System ID: 32768, 00-00-00-00-00-00
Partner Oper System ID: 32768, 00-01-F4-78-AE-C0
Partner Admin Port Number: 2
Partner Oper Port Number: 2
Port Admin Priority: 32768
Port Oper Priority: 32768
Admin Key: 0
Oper Key: 3
Admin State: defaulted, distributing, collecting, synchr
25 Link Aggregation Commands
Console#show lacp sysid
Port Channel  System Priority  System MAC Address
------------------------------------------------------------------------
           1            32768  00-30-F1-8F-2C-A7
           2            32768  00-30-F1-8F-2C-A7
           3            32768  00-30-F1-8F-2C-A7
           4            32768  00-30-F1-8F-2C-A7
           5            32768  00-30-F1-8F-2C-A7
           6            32768  00-30-F1-8F-2C-A7
           7            32768  00-30-F1-D4-73-A0
           8            32768  00-30-F1-D4-73-A0
           9            32768  00-30-F1-D4-73-A0
          10            32768  00-30-F1-D4-73-A0
          11            32768  00-30-F1-D4-73-A0
          12            32768  00-30-F1-D4-73-A0
. . .
Chapter 26: Mirror Port Commands This section describes how to mirror traffic from a source port to a target port.
Table 26-1 Mirror Port Commands
Command | Function | Mode | Page
port monitor | Configures a mirror session | IC | 26-1
show port monitor | Shows the configuration for a mirror port | PE | 26-2
port monitor This command configures a mirror session. Use the no form to clear a mirror session.
26 Mirror Port Commands Example The following example configures the switch to mirror all packets from port 6 to 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 both Console(config-if)# show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) • unit - Stack unit. (Range: 1) • port - Port number. (Range: 1-28) Default Setting Shows all sessions.
Chapter 27: Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. The maximum data rate may also be set for specific Class of Service (CoS) priorities for traffic transmitted out of an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
27 Rate Limit Commands Related Command show interfaces switchport (24-11) rate-limit cos This command defines the output rate limit for an interface based on specified CoS priorities. Use the no form to restore the default status of disabled. Syntax rate-limit cos cos_value rate no rate-limit cos • cos_value – A number from 0 to 7, where 7 is the highest priority. • rate – Maximum value in Mbps.
show rate-limit cos 27 Example This example sets the maximum output rate for CoS traffic of priority level 0 to 50 Mbps on Port 1. Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit cos 0 50 Console(config-if)# show rate-limit cos This command displays the output rate limit for CoS priorities. Command Mode Privileged Exec Command Usage If no rate limit is set, this command displays a value of “0” for the corresponding interface.
Chapter 28: Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
28 Address Table Commands Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: • Static addresses will not be removed from the address table when a given interface link is down. • Static addresses are bound to the assigned interface and will not be moved.
show mac-address-table 28 show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] • mac-address - MAC address. • mask - Bits to match in the address. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
28 Address Table Commands mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax mac-address-table aging-time seconds no mac-address-table aging-time seconds - Aging time. (Range: 10-1000000 seconds; 0 to disable aging) Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information.
Chapter 29: Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
29 Spanning Tree Commands Table 29-1 Spanning Tree Commands (Continued)
Command | Function | Mode | Page
show spanning-tree | Shows spanning tree configuration for the common spanning tree (i.e., overall bridge), a selected interface, or an instance within the multiple spanning tree | PE | 29-18
show spanning-tree mst configuration | Shows the multiple spanning tree configuration | PE | 29-20
spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.
spanning-tree mode 29 Default Setting rstp Command Mode Global Configuration Command Usage • Spanning Tree Protocol: uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.
29 Spanning Tree Commands spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
spanning-tree max-age 29 Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (29-4) spanning-tree max-age (29-5) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
29 Spanning Tree Commands spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge.
spanning-tree transmission-limit 29 Command Usage The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 29-12) takes precedence over port priority (page 29-13).
29 Spanning Tree Commands Related Commands mst vlan (29-8) mst priority (29-9) name (29-9) revision (29-10) max-hops (29-11) mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs. Syntax [no] mst instance_id vlan vlan-range • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) • vlan-range - Range of VLANs.
mst priority 29 mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance_id priority priority no mst instance_id priority • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) • priority - Priority of the spanning tree instance.
29 Spanning Tree Commands Command Usage The MST region name and revision number (page 29-10) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
max-hops 29 max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting 20 Command Mode MST Configuration Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed.
29 Spanning Tree Commands spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method) Table 29-2 Recommended STA Path Cost Range Port Type IEEE 802.1D-1998 IEEE 802.
spanning-tree port-priority 29 Command Usage • This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. • Path cost takes precedence over port priority. • When the spanning-tree pathcost method (page 29-6) is set to short, the maximum value for path cost is 65,535.
29 Spanning Tree Commands spanning-tree edge-port This command specifies an interface as an edge port. Use the no form to restore the default. Syntax [no] spanning-tree edge-port Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.
spanning-tree link-type 29 Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding. • Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time.
29 Spanning Tree Commands • RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree link-type point-to-point spanning-tree mst cost This command configures the path cost on a spanning tree instance in the Multiple Spanning Tree. Use the no form to restore the default.
spanning-tree mst port-priority 29 Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree mst 1 cost 50 Console(config-if)# Related Commands spanning-tree mst port-priority (29-17) spanning-tree mst port-priority This command configures the interface priority on a spanning tree instance in the Multiple Spanning Tree. Use the no form to restore the default.
29 Spanning Tree Commands spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
show spanning-tree 29 Command Mode Privileged Exec Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. • Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
29 Spanning Tree Commands
--------------------------------------------------------------
Eth 1/ 1 information
--------------------------------------------------------------
Admin status: enable
Role: root
State: forwarding
External admin path cost: 10000
Internal admin cost: 10000
External oper path cost: 10000
Internal oper path cost: 10000
Priority: 128
Designated cost: 200000
Designated port: 128.24
Designated root: 32768.0.0000ABCD0000
Designated bridge: 32768.0.
Chapter 30: VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
30 VLAN Commands bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting Disabled Command Mode Global Configuration Command Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch.
GVRP and Bridge Extension Commands 30 switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - Stack unit.
30 VLAN Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} • {join | leave | leaveall} - Which timer to set. • timer_value - Value of timer.
GVRP and Bridge Extension Commands 30 show garp timer This command shows the GARP timers for the selected interface. Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-32) Default Setting Shows all GARP timers.
30 VLAN Commands Editing VLAN Groups
Table 30-3 Commands for Editing VLAN Groups
Command | Function | Mode | Page
vlan database | Enters VLAN database mode to add, change, and delete VLANs | GC | 30-6
vlan | Configures a VLAN, including VID, name and state | VC | 30-7
vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately.
Editing VLAN Groups 30 vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] • vlan-id - ID of configured VLAN. (Range: 1-4093, no leading zeroes) • name - Keyword to be followed by the VLAN name. - vlan-name - ASCII string from 1 to 32 characters. • media ethernet - Ethernet media type. • state - Keyword to be followed by the VLAN state.
30 VLAN Commands Configuring VLAN Interfaces
Table 30-4 Commands for Configuring VLAN Interfaces
Command | Function | Mode | Page
interface vlan | Enters interface configuration mode for a specified VLAN | IC |
switchport mode | Configures VLAN membership mode for an interface | IC | 30-9
switchport acceptable-frame-types | Configures frame types to be accepted by an interface | IC | 30-9
switchport ingress-filtering | Enables ingress filtering on an interface | IC | 30-10
switchport native vlan | Configures the PVID
Configuring VLAN Interfaces 30 switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {hybrid | trunk | dot1q-tunnel} no switchport mode • hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames. • trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN.
30 VLAN Commands Command Usage When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. Example The following example shows how to restrict the traffic received on port 1 to tagged frames: Console(config)#interface ethernet 1/1 Console(config-if)#switchport acceptable-frame-types tagged Console(config-if)# Related Commands switchport mode (30-9) switchport ingress-filtering This command enables ingress filtering for an interface.
Configuring VLAN Interfaces 30 switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port.
30 VLAN Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • A port, or a trunk with switchport mode set to hybrid, must be assigned to at least one VLAN as untagged. • If a trunk has switchport mode set to trunk (i.e., 1Q Trunk), then you can only assign an interface to VLAN groups as a tagged member. • Frames are always tagged within the switch.
Displaying VLAN Information 30 Command Usage • This command prevents a VLAN from being automatically added to the specified interface via GVRP. • If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of forbidden VLANs for that same interface.
30 VLAN Commands Example The following example shows how to display information for VLAN 1:
Console#show vlan id 1
VLAN ID: 1
Type: Static
Name: DefaultVlan
Status: Active
Ports/Port Channels:
Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S)
Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S)
Console#
Configuring Private VLANs Private VLAN
Configuring Private VLANs 30 • Entering the pvlan command without any parameters enables the private VLAN. Entering no pvlan disables the private VLAN. Example This example enables the private VLAN, and then sets port 12 as the uplink and ports 5-8 as the downlinks. Console(config)#pvlan Console(config)#pvlan up-link ethernet 1/12 down-link ethernet 1/5-8 Console(config)# show pvlan This command displays the configured private VLAN.
30 VLAN Commands Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
Configuring Protocol-based VLANs 30 protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol] no protocol-vlan protocol-group group-id • group-id - Group identifier of this protocol group. (Range: 1-2147483647) • frame - Frame type used by this protocol.
30 VLAN Commands Command Usage • When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as vlan on page 30-7), these interfaces will admit traffic of any protocol type into the associated VLAN. • When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner: - If the frame is tagged, it will be processed according to the standard rules applied to tagged frames.
Configuring Protocol-based VLANs 30 show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-32) Default Setting The mapping for all interfaces is displayed.
30 VLAN Commands Configuring IEEE 802.1Q Tunneling QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
Configuring IEEE 802.1Q Tunneling 30 switchport mode dot1q-tunnel This command configures an interface as a QinQ tunnel port. Use the no form to restore the default setting. Syntax switchport mode dot1q-tunnel no switchport mode dot1q-tunnel – Sets the port as an 802.1Q tunnel port. Default Setting All ports are in hybrid mode. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage Use the switchport mode command to set the switch to QinQ mode before entering this command.
30 VLAN Commands Related Commands switchport mode dot1q-tunnel (page 30-21) switchport dot1q-ethertype This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting. Syntax switchport dot1q-ethertype tpid no switchport dot1q-ethertype tpid – Sets the ethertype value for 802.1Q encapsulation. This identifier is used to select a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
Chapter 31: Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
31 Class of Service Commands queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr} no queue mode • strict - Services the egress queues in sequential order, transmitting all traffic in the higher priority queues before servicing lower priority queues.
Priority Commands (Layer 2) 31 Example Console#sh queue mode Wrr status: Enabled Console# switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value. Syntax switchport priority default default-priority-id no switchport priority default default-priority-id - The priority number for untagged ingress traffic. The priority is a number from 0 to 7. Seven is the highest priority.
31 Class of Service Commands Related Commands show interfaces switchport (24-11) queue bandwidth This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues. Use the no form to restore the default weights. Syntax queue bandwidth weight1...weight4 no queue bandwidth weight1...weight4 - The ratio of weights for queues 0 - 7 determines the weights used by the WRR scheduler.
Priority Commands (Layer 2) 31 Default Setting This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
31 Class of Service Commands Example
Console#show queue bandwidth
Information of Eth 1/1
 Queue ID Weight
 -------- ------
        0      1
        1      2
        2      4
        3      6
        4      8
        5     10
        6     12
        7     14
. . .
show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
Priority Commands (Layer 2) 31 Default Setting The original priority value in the VLAN tag of a tagged packet, or a VLAN priority tag inserted by another device for an untagged packet. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command can be used to set a high priority for a VLAN carrying mostly low-latency traffic such as Voice over IP (VoIP), or to set a low priority for a VLAN carrying normal data traffic not sensitive to latency.
31 Class of Service Commands Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch.
Priority Commands (Layer 3 and 4) 31 map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting. Syntax map ip port port-number cos cos-value no map ip port port-number • port-number - 16-bit TCP/UDP port number.
31 Class of Service Commands Example The following example shows how to enable IP precedence mapping globally: Console(config)#map ip precedence Console(config)# map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. Syntax map ip precedence ip-precedence-value cos cos-value no map ip precedence • precedence-value - 3-bit precedence value.
Priority Commands (Layer 3 and 4) 31 map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping. Syntax [no] map ip dscp Default Setting Disabled Command Mode Global Configuration Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • IP Precedence and IP DSCP cannot both be enabled.
Default Setting
The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0.
Default Setting
None
Command Mode
Privileged Exec
Example
The following shows that HTTP traffic has been mapped to CoS value 0:
Console#show map ip port
TCP port mapping status: disabled
 Port      Port no. COS
 --------- -------- ---
 Eth 1/ 5        80   0
Console#
Related Commands
map ip port (Global Configuration) (31-8)
map ip port (Interface Configuration) (31-9)

show map ip precedence
This command shows the IP precedence priority map.
Example
Console#show map ip precedence ethernet 1/5
Precedence mapping status: disabled
 Port      Precedence COS
 --------- ---------- ---
 Eth 1/ 5           0   0
 Eth 1/ 5           1   1
 Eth 1/ 5           2   2
 Eth 1/ 5           3   3
 Eth 1/ 5           4   4
 Eth 1/ 5           5   5
 Eth 1/ 5           6   6
 Eth 1/ 5           7   7
Console#
Related Commands
map ip precedence (Global Configuration) (31-9)
map ip precedence (Interface Configuration) (31-10)

show map ip dscp
This command shows the IP DSCP priority map.
Example
Console#show map ip dscp ethernet 1/1
DSCP mapping status: disabled
 Port      DSCP COS
 --------- ---- ---
 Eth 1/ 1     0   0
 Eth 1/ 1     1   0
 Eth 1/ 1     2   0
 Eth 1/ 1     3   0
. . .
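The following is an added example, not code from the manual or from the switch firmware: a small Python model of the ingress CoS resolution order stated in the Command Usage text above (IP Port mapping first, then IP Precedence or IP DSCP, which cannot both be enabled, and finally the default switchport priority), including the rule that unmapped DSCP values go to CoS 0. All tables, port numbers and packets are constructed for illustration; the class and function names are this example's own.

```python
"""Model of the ES3528 ingress CoS resolution order (illustration code,
not switch firmware). Every table and packet below is constructed."""
from dataclasses import dataclass, field
from typing import Dict

# Default IP Precedence map as shown by "show map ip precedence": identity 0..7.
DEFAULT_PRECEDENCE_MAP: Dict[int, int] = {p: p for p in range(8)}


@dataclass
class PortCos:
    """Per-interface tables (map ip port / precedence / dscp, Interface Configuration)."""
    default_priority: int = 0                                   # switchport priority
    ip_port_map: Dict[int, int] = field(default_factory=dict)   # TCP/UDP port -> CoS
    precedence_map: Dict[int, int] = field(
        default_factory=lambda: dict(DEFAULT_PRECEDENCE_MAP))   # precedence -> CoS
    dscp_map: Dict[int, int] = field(default_factory=dict)      # DSCP -> CoS (unset -> 0)


@dataclass
class GlobalCos:
    """Global enables (map ip port / precedence / dscp, Global Configuration)."""
    ip_port: bool = False
    precedence: bool = False
    dscp: bool = False

    def enable(self, which: str) -> None:
        """Enable one mapping; precedence and dscp are mutually exclusive."""
        if which not in ("ip_port", "precedence", "dscp"):
            raise ValueError(f"unknown mapping {which!r}")
        if (which == "precedence" and self.dscp) or (which == "dscp" and self.precedence):
            raise ValueError("IP Precedence and IP DSCP cannot both be enabled")
        setattr(self, which, True)


def check_cos(value: int) -> int:
    """CoS values are 0-7 on this switch."""
    if not 0 <= value <= 7:
        raise ValueError(f"CoS value {value} out of range 0-7")
    return value


def resolve_cos(g: GlobalCos, port: PortCos, l4_port: int, tos_byte: int) -> int:
    """Return the CoS an IP packet is queued with on ingress.

    tos_byte is the IP ToS/DS byte: IP precedence is its top 3 bits,
    DSCP its top 6 bits.
    """
    if g.ip_port and l4_port in port.ip_port_map:          # 1. IP port mapping
        return check_cos(port.ip_port_map[l4_port])
    if g.precedence:                                       # 2a. IP precedence
        return check_cos(port.precedence_map.get(tos_byte >> 5, 0))
    if g.dscp:                                             # 2b. IP DSCP
        return check_cos(port.dscp_map.get(tos_byte >> 2, 0))   # unmapped DSCP -> 0
    return check_cos(port.default_priority)                # 3. switchport priority


if __name__ == "__main__":
    # Constructed scenario: port maps HTTP (80) to CoS 0 as in the manual's
    # "show map ip port" example, DSCP 46 to CoS 5, default priority 3.
    g = GlobalCos()
    g.enable("ip_port")
    g.enable("dscp")
    p = PortCos(default_priority=3, ip_port_map={80: 0}, dscp_map={46: 5})
    print(resolve_cos(g, p, 80, 0xB8))   # IP port mapping wins over DSCP 46
    print(resolve_cos(g, p, 443, 0xB8))  # DSCP 46 -> CoS 5
    print(resolve_cos(g, p, 443, 0x00))  # DSCP 0 has no mapping -> CoS 0
```

The model makes the "show map" tables above concrete: with DSCP mapping enabled, an IP packet never falls through to the switchport priority, because every DSCP value not in the table resolves to CoS 0.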
Chapter 32: Quality of Service Commands
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Notes:
1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.
2. You should create a Class Map (page 32-2) before creating a Policy Map (page 32-4). Otherwise, you will not be able to specify a Class Map with the class command (page 32-5) after entering Policy-Map Configuration mode.

class-map
This command creates a class map used for matching packets to the specified class, and enters Class Map configuration mode.
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
Syntax
[no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan}
• acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-32 characters)
• dscp - A DSCP value. (Range: 0-63)
• ip-precedence - An IP Precedence value. (Range: 0-7)
• vlan - A VLAN.
This example creates a class map called “rd_class#3” and sets it to match packets marked for VLAN 1:
Console(config)#class-map rd_class#3 match-any
Console(config-cmap)#match vlan 1
Console(config-cmap)#exit
Console(config)#access-list mac mask-precedence in
Console(config-ip-mask-acl)#mask any any vid 1
Console(config-ip-mask-acl)#

policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode.
class
This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map and return to Policy Map configuration mode.
Syntax
[no] class class-map-name
class-map-name - Name of the class map. (Range: 1-16 characters)
Default Setting
None
Command Mode
Policy Map Configuration
Command Usage
• Use the policy-map command to specify a policy map and enter Policy Map configuration mode.
set
This command marks matching IP traffic by setting a CoS, DSCP, or IP Precedence value in each packet that matches the class (as specified by the match command on page 32-3). Use the no form to remove the traffic classification.
Syntax
[no] set {cos new-cos | ip dscp new-dscp | ip precedence new-precedence}
• new-cos - New Class of Service (CoS) value. (Range: 0-7)
• new-dscp - New Differentiated Service Code Point (DSCP) value. (Range: 0-63)
• new-precedence - New IP Precedence value.
Command Usage
• You can configure up to 63 policers (i.e., class maps) for Fast Ethernet and Gigabit Ethernet ingress ports.
• Policing is based on a token bucket, where the bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the burst-byte field, and the average rate at which tokens are removed from the bucket is specified by the rate-bps option.
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.
Syntax
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-32 characters)
Default Setting
Displays all class maps.
Example
Console#show policy-map
Policy Map rd_policy
 class rd_class
  set ip dscp 3
Console#show policy-map rd_policy class rd_class
Policy Map rd_policy
 class rd_class
  set ip dscp 3
Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.
Syntax
show policy-map interface interface input
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number.
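As an added example (not the switch's own implementation and not code from the manual), the Python model below reproduces the class-map / policy-map semantics this chapter describes: match criteria of the four types accepted by the match command, the 16-rule limit per class map, the set actions, and the rd_class / rd_policy example shown above. Only the match-any form used in the manual's example is modelled, and classes are tried in the order they were added to the policy map; that ordering is an assumption. Packets and ACLs are constructed, with an ACL represented as a name mapped to a predicate; all names are this example's own.

```python
"""Model of class-map / policy-map classification (illustration code, not
switch firmware). Packets, ACLs and names below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_RULES_PER_CLASS = 16          # "up to 16 rules per Class Map"
MATCH_TYPES = ("access-list", "ip dscp", "ip precedence", "vlan")
RANGES = {"ip dscp": (0, 63), "ip precedence": (0, 7), "vlan": (1, 4093), "cos": (0, 7)}


def check_range(kind: str, value: int) -> int:
    lo, hi = RANGES[kind]
    if not lo <= value <= hi:
        raise ValueError(f"{kind} value {value} out of range {lo}-{hi}")
    return value


@dataclass
class Packet:
    src_ip: str
    vlan: int
    dscp: int = 0        # DS field, 0-63; IP precedence is its top 3 bits
    cos: int = 0         # 802.1p priority

    @property
    def precedence(self) -> int:
        return self.dscp >> 3


ACLs = Dict[str, Callable[[Packet], bool]]   # constructed stand-in for named ACLs


@dataclass
class ClassMap:
    """class-map NAME match-any: the packet matches if any rule matches."""
    name: str
    rules: List[Tuple[str, object]] = field(default_factory=list)

    def match(self, kind: str, value) -> "ClassMap":
        if kind not in MATCH_TYPES:
            raise ValueError(f"unknown match type {kind!r}")
        if len(self.rules) >= MAX_RULES_PER_CLASS:
            raise ValueError(f"{self.name}: at most {MAX_RULES_PER_CLASS} rules per class map")
        if kind in RANGES:
            check_range(kind, value)
        self.rules.append((kind, value))
        return self

    def matches(self, pkt: Packet, acls: ACLs) -> bool:
        for kind, value in self.rules:
            if kind == "vlan" and pkt.vlan == value:
                return True
            if kind == "ip dscp" and pkt.dscp == value:
                return True
            if kind == "ip precedence" and pkt.precedence == value:
                return True
            if kind == "access-list" and acls[value](pkt):
                return True
        return False


@dataclass
class PolicyClass:
    """One class inside a policy map together with its set actions."""
    class_map: ClassMap
    cos: Optional[int] = None
    dscp: Optional[int] = None
    precedence: Optional[int] = None


@dataclass
class PolicyMap:
    name: str
    classes: List[PolicyClass] = field(default_factory=list)

    def add_class(self, cmap: ClassMap, cos=None, dscp=None, precedence=None) -> "PolicyMap":
        if cos is not None:
            check_range("cos", cos)
        if dscp is not None:
            check_range("ip dscp", dscp)
        if precedence is not None:
            check_range("ip precedence", precedence)
        self.classes.append(PolicyClass(cmap, cos, dscp, precedence))
        return self

    def apply(self, pkt: Packet, acls: ACLs) -> Optional[str]:
        """service-policy input: rewrite pkt in place, return the matching class name."""
        for pc in self.classes:          # first matching class wins (assumption)
            if pc.class_map.matches(pkt, acls):
                if pc.cos is not None:
                    pkt.cos = pc.cos
                if pc.dscp is not None:
                    pkt.dscp = pc.dscp
                if pc.precedence is not None:   # replace the top 3 bits only
                    pkt.dscp = (pc.precedence << 3) | (pkt.dscp & 0x7)
                return pc.class_map.name
        return None


def build_manual_example() -> Tuple[PolicyMap, ACLs]:
    """The manual's rd_class / rd_policy example: match VLAN 1, set ip dscp 3."""
    rd_class = ClassMap("rd_class").match("vlan", 1)
    policy = PolicyMap("rd_policy").add_class(rd_class, dscp=3)
    # Constructed ACL: a source-address predicate standing in for an IP ACL.
    acls: ACLs = {"mgmt-hosts": lambda p: p.src_ip.startswith("10.1.0.")}
    return policy, acls
```

Running `build_manual_example()` and applying the policy to a packet tagged for VLAN 1 rewrites its DSCP to 3 and reports `rd_class`; a packet on another VLAN is returned untouched, which is what `show policy-map` above describes for that policy.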
Chapter 33: Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
ip igmp snooping
This command enables IGMP snooping on this switch. Use the no form to disable it.
Syntax
[no] ip igmp snooping
Default Setting
Enabled
Command Mode
Global Configuration
Example
The following example enables IGMP snooping.
Console(config)#ip igmp snooping
Console(config)#

ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.
ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.
Syntax
ip igmp snooping version {1 | 2 | 3}
no ip igmp snooping version
• 1 - IGMP Version 1
• 2 - IGMP Version 2
• 3 - IGMP Version 3
Default Setting
IGMP Version 2
Command Mode
Global Configuration
Command Usage
• All systems on the subnet must support the same version.
Command Usage
• This command setting is only effective if IGMP snooping is enabled.
• Any port can be designated as a multicast router port through dynamic or static configuration, including ports on Layer 2 or 3 switches. If there is more than one multicast router on a LAN segment performing IP multicasting, one of these devices is elected “querier” and assumes the role of querying the local segment for group members.
Command Mode
Interface Configuration (VLAN)
Command Usage
• If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period. Note that the timeout period is determined by the ip igmp snooping query-max-response-time (see page 33-8).
show mac-address-table multicast
This command shows known multicast addresses.
Syntax
show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping]
• vlan-id - VLAN ID (1 to 4093)
• user - Display only the user-configured multicast entries.
• igmp-snooping - Display only entries learned through IGMP snooping.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Member types displayed include IGMP or USER, depending on selected options.
ip igmp snooping querier
This command enables the switch as an IGMP querier. Use the no form to disable it.
Syntax
[no] ip igmp snooping querier
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
• IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version, page 33-3).
• If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
Example
The following shows how to configure the query count to 10:
Console(config)#ip igmp snooping query-count 10
Console(config)#
Related Commands
ip igmp snooping query-max-response-time (33-8)

ip igmp snooping query-interval
This command configures the query interval. Use the no form to restore the default.
Syntax
ip igmp snooping query-interval seconds
no ip igmp snooping query-interval
seconds - The frequency at which the switch sends IGMP host-query messages.
• This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries defined by the ip igmp snooping query-count, but a client has not responded, a countdown timer is started using an initial value set by this command. If the countdown finishes, and the client still has not responded, then that client is considered to have left the multicast group.
Static Multicast Routing Commands
This section describes commands used to configure static multicast routing on the switch.
Table 33-4 Static Multicast Routing Commands
Command                        Function                      Mode  Page
ip igmp snooping vlan mrouter  Adds a multicast router port  GC    33-10
show ip igmp snooping mrouter  Shows multicast router ports  PE    33-11

ip igmp snooping vlan mrouter
This command statically configures a multicast router port. Use the no form to remove the configuration.
show ip igmp snooping mrouter
This command displays information on statically configured and dynamically learned multicast router ports.
Syntax
show ip igmp snooping mrouter [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4093)
Default Setting
Displays multicast router ports for all configured VLANs.
Command Mode
Privileged Exec
Command Usage
Multicast router port types displayed include Static.
mvr (Global Configuration)
This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR. Use the no form with the group keyword to remove a specific address or range of addresses.
mvr (Interface Configuration)
This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword. Use the no form to restore the default settings.
response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
• Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
• Immediate leave does not apply to multicast groups which have been statically assigned to a port.
Command Usage
Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN. Or use the members keyword to display information about multicast groups assigned to the MVR VLAN.
The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN:
Console#show mvr members
 MVR Group IP     Status
 ---------------- --------
 225.0.0.1        ACTIVE
 225.0.0.2        INACTIVE
 225.0.0.3        INACTIVE
 225.0.0.4        INACTIVE
 225.0.0.5        INACTIVE
 225.0.0.6        INACTIVE
 225.0.0.7        INACTIVE
 225.0.0.8        INACTIVE
 225.0.0.9        INACTIVE
 225.0.0.
Chapter 34: Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Command Usage
Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.
Example
This example maps two addresses to a host name.
Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#end
Console#show hosts
Hostname
 rd5
Inet address
 10.1.0.
ip domain-name
This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.
Syntax
ip domain-name name
no ip domain-name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
Command Usage
• Domain names are added to the end of the list one at a time.
• When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
• If there is no domain list, the domain name specified with the ip domain-name command is used. If there is a domain list, the default domain name is not used.
Example
This example adds two domain-name servers to the list and then displays the list.
Console(config)#ip domain-server 192.168.1.55 10.1.0.55
Console(config)#end
Console#show dns
Domain Lookup Status:
 DNS disabled
Default Domain Name:
 .sample.com
Domain Name List:
 .sample.com.jp
 .sample.com.uk
Name Server List:
 192.168.1.55
 10.1.0.55
Console#
Related Commands
ip domain-name (34-3)
ip domain-lookup (34-5)

ip domain-lookup
This command enables DNS host name-to-address translation.
Example
This example enables DNS and then displays the configuration.
Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status:
 DNS enabled
Default Domain Name:
 .sample.com
Domain Name List:
 .sample.com.jp
 .sample.com.uk
Name Server List:
 192.168.1.55
 10.1.0.55
Related Commands
ip domain-name (34-3)
ip name-server (34-4)

show hosts
This command displays the static host name-to-address mapping table.
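The following is an added example, not the switch's own code: a Python model of the name-resolution behaviour this chapter describes, covering the static host table with several addresses per name (ip host), the default domain (ip domain-name), the domain list that is tried in order and overrides the default domain, and the rule that the service does nothing until a name server is configured and domain lookup is enabled. Name-server answers are a constructed stand-in table so the code runs offline; consulting the static table before the name servers is an assumption, and all names and addresses are taken from the manual's examples or constructed.

```python
"""Model of the switch's DNS client behaviour (illustration code, not the
switch's implementation). The name-server answers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Answers = Dict[str, List[str]]   # fqdn -> addresses a name server would return


@dataclass
class DnsConfig:
    domain_lookup: bool = False                              # ip domain-lookup
    name_servers: List[str] = field(default_factory=list)    # ip name-server
    default_domain: Optional[str] = None                     # ip domain-name
    domain_list: List[str] = field(default_factory=list)     # ip domain-list, in order
    static_hosts: Dict[str, List[str]] = field(default_factory=dict)  # ip host NAME addr...

    def set_domain_name(self, name: str) -> None:
        """ip domain-name: the initial dot must not be included."""
        if name.startswith("."):
            raise ValueError("do not include the initial dot")
        self.default_domain = name

    def add_domain_list(self, name: str) -> None:
        """Domain names are added to the end of the list one at a time."""
        self.domain_list.append(name.lstrip("."))


def candidate_names(cfg: DnsConfig, host: str) -> List[str]:
    """Names tried, in order, for a host name supplied by a client."""
    if "." in host:                  # dotted notation: treated as complete
        return [host]
    if cfg.domain_list:              # a domain list disables the default domain
        return [f"{host}.{d}" for d in cfg.domain_list]
    if cfg.default_domain:
        return [f"{host}.{cfg.default_domain}"]
    return [host]


def resolve(cfg: DnsConfig, host: str, answers: Answers) -> List[str]:
    """Return the addresses for host, or [] if nothing resolves."""
    if host in cfg.static_hosts:     # static table first (assumption)
        return list(cfg.static_hosts[host])
    if not (cfg.domain_lookup and cfg.name_servers):
        return []                    # not enabled until both are configured
    for fqdn in candidate_names(cfg, host):
        if fqdn in answers:          # stand-in for asking the name servers
            return list(answers[fqdn])
    return []


def first_reachable(addresses: List[str], reachable: Dict[str, bool]) -> Optional[str]:
    """Try each address in succession, as a client given several addresses would."""
    for addr in addresses:
        if reachable.get(addr, False):
            return addr
    return None


if __name__ == "__main__":
    cfg = DnsConfig(domain_lookup=True, name_servers=["192.168.1.55", "10.1.0.55"])
    cfg.set_domain_name("sample.com")
    cfg.add_domain_list("sample.com.jp")
    cfg.add_domain_list("sample.com.uk")
    cfg.static_hosts["rd5"] = ["192.168.1.55", "10.1.0.55"]
    answers: Answers = {"web.sample.com.uk": ["10.1.0.80"]}     # constructed
    print(candidate_names(cfg, "web"))       # list used, default domain skipped
    print(resolve(cfg, "web", answers))      # second candidate answers
    print(resolve(cfg, "rd5", answers))      # static entry, both addresses
```

With the domain list present, `web` is tried as `web.sample.com.jp` and then `web.sample.com.uk`, and `web.sample.com` is never tried, which is the rule stated under Command Usage above.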
show dns
This command displays the configuration of the DNS service.
Command Mode
Privileged Exec
Example
Console#show dns
Domain Lookup Status:
 DNS enabled
Default Domain Name:
 sample.com
Domain Name List:
 sample.com.jp
 sample.com.uk
Name Server List:
 192.168.1.55
 10.1.0.55
Console#

show dns cache
This command displays entries in the DNS cache.
clear dns cache
This command clears all entries in the DNS cache.
Chapter 35: IP Interface Commands
An IP address may be used for management access to the switch over your network. An IP address is obtained via DHCP by default for VLAN 1. You can manually configure a specific IP address, or direct the switch to obtain an address from a BOOTP or DHCP server when it is powered on. You may also need to establish a default gateway between this device and management stations that exist on another network segment.
Command Usage
• You must assign an IP address to this device to gain management access over the network or to connect the switch to existing IP subnets. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the configuration program.
Command Usage
• A gateway must be defined if the management station is located in a different IP segment.
• A default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
Example
The following example defines a default gateway for this device:
Console(config)#ip default-gateway 10.1.1.
show ip interface
This command displays the settings of an IP interface.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show ip interface
Console#
Related Commands
show ip redirects (35-4)

show ip redirects
This command shows the IP default gateway configured for this device.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show ip redirects
ip default gateway 10.1.0.
Example
This example displays all entries in the ARP cache.
Console#show arp
IP Address      MAC Address        Type     Interface
--------------- ----------------- -------- ---------
192.168.0.1     00-0f-3d-12-40-e1 dynamic  1
192.168.0.110   00-10-b5-62-03-74 dynamic  1
192.168.0.162   00-12-cf-0c-9a-a0 other    1
Total entry : 3
Console#

ping
This command sends ICMP echo request packets to another node on the network.
Example
Console#ping 10.1.0.9
Type ESC to abort.
PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 0 ms
Ping statistics for 10.1.0.
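As an added example (not part of the manual and not switch software), the Python below parses the show arp table layout shown earlier in this chapter and compares two captures of it, so that an IP address whose MAC binding has changed, or a MAC that now answers for several addresses, is reported rather than overlooked when the cache is reviewed. The sample output is constructed from the manual's table format; the second capture, with one binding altered, is likewise constructed, and all function names are this example's own.

```python
"""Parser for the "show arp" table and a snapshot comparison (illustration
code written for this guide; sample captures are constructed)."""
import re
from typing import Dict, List, NamedTuple

# Constructed from the table layout printed by "show arp" in this chapter.
SAMPLE_SHOW_ARP = """\
Console#show arp
IP Address      MAC Address        Type     Interface
--------------- ----------------- -------- ---------
192.168.0.1     00-0f-3d-12-40-e1 dynamic  1
192.168.0.110   00-10-b5-62-03-74 dynamic  1
192.168.0.162   00-12-cf-0c-9a-a0 other    1
Total entry : 3
Console#
"""


class ArpEntry(NamedTuple):
    ip: str
    mac: str
    kind: str        # dynamic / static / other, as printed by the switch
    interface: str


_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"           # IP address
    r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+"  # MAC in the switch's aa-bb-cc form
    r"(\S+)\s+(\S+)\s*$")                         # type, interface
_TOTAL = re.compile(r"^\s*Total entry\s*:\s*(\d+)")


def parse_show_arp(text: str) -> List[ArpEntry]:
    """Return the table rows; fail if the row count disagrees with 'Total entry'."""
    entries: List[ArpEntry] = []
    total = None
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries.append(ArpEntry(m.group(1), m.group(2).lower(), m.group(3), m.group(4)))
            continue
        t = _TOTAL.match(line)
        if t:
            total = int(t.group(1))
    if total is not None and total != len(entries):
        raise ValueError(f"parsed {len(entries)} rows but the switch reported {total}")
    return entries


def diff_bindings(old: List[ArpEntry], new: List[ArpEntry]) -> Dict[str, List[str]]:
    """IPs added, removed, or whose MAC changed between two captures."""
    o = {e.ip: e.mac for e in old}
    n = {e.ip: e.mac for e in new}
    return {
        "added": sorted(set(n) - set(o)),
        "removed": sorted(set(o) - set(n)),
        "changed": sorted(ip for ip in set(o) & set(n) if o[ip] != n[ip]),
    }


def macs_with_multiple_ips(entries: List[ArpEntry]) -> Dict[str, List[str]]:
    """MAC addresses that appear under more than one IP address in one capture."""
    by_mac: Dict[str, List[str]] = {}
    for e in entries:
        by_mac.setdefault(e.mac, []).append(e.ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    before = parse_show_arp(SAMPLE_SHOW_ARP)
    # Constructed second capture: the gateway's binding now shows another MAC.
    later = parse_show_arp(SAMPLE_SHOW_ARP.replace("00-0f-3d-12-40-e1", "00-12-cf-0c-9a-a0"))
    print(diff_bindings(before, later))
    print(macs_with_multiple_ips(later))
```

A capture taken during commissioning can be kept as the baseline; the comparison then shows exactly which bindings moved, which is more useful during troubleshooting than reading the whole table again.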
Section IV: Appendices
This section provides additional information on the following topics.
Software Specifications A-1
Troubleshooting . . .
Appendix A: Software Specifications Software Features Authentication Local, RADIUS, TACACS+, Port (802.
Quality of Service
DiffServ supports class maps, policy maps, and service policies
Multicast Filtering
IGMP Snooping
Additional Features
BOOTP client
SNTP (Simple Network Time Protocol)
SNMP (Simple Network Management Protocol)
RMON (Remote Monitoring, groups 1,2,3,9)
SMTP Email Alerts
Management Features
In-Band Management
Telnet, web-based HTTP or HTTPS, SNMP manager, or Secure Shell
Out-of-Band Management
RS-232 DB-9 console port
Software Loading
TFTP in-band or XModem out-of
Management Information Bases
IPv4 IGMP (RFC 3228)
RADIUS+ (RFC 2618)
RMON (RFC 2819 groups 1,2,3,9)
SNMP (RFC 1157)
SNMPv2c (RFC 2571)
SNMPv3 (RFC DRAFT 3414, 3410, 2273, 3411, 3415)
SNTP (RFC 2030)
SSH (Version 2.
UDP MIB (RFC 2013)
Appendix B: Troubleshooting
Problems Accessing the Management Interface
Table B-1 Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
• Be sure the switch is powered up.
• Check network cabling between the management station and the switch.
• Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Designate the SNMP host that is to receive the error messages.
4. Repeat the sequence of commands or other actions that lead up to the error.
5.
Glossary
Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
Boot Protocol (BOOTP)
BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
Extensible Authentication Protocol over LAN (EAPOL)
EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch. A user name and password are requested by the switch, and then passed to an authentication server (e.g., RADIUS) for verification. EAPOL is implemented as part of the IEEE 802.1X Port Authentication standard.
IEEE 802.1X
Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication.
IEEE 802.3ac
Defines frame extensions for VLAN tagging.
IEEE 802.3x
Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links.
IGMP Snooping
Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
Link Aggregation
See Port Trunk.
Link Aggregation Control Protocol (LACP)
Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.
Management Information Base (MIB)
An acronym for Management Information Base. It is a set of database objects that contains information about a specific device.
MD5 Message-Digest Algorithm
An algorithm that is used to create digital signatures.
Port Authentication
See IEEE 802.1X.
Port Mirroring
A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.
Port Trunk
Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
Simple Network Management Protocol (SNMP)
The application protocol in the Internet suite of protocols which offers network management services.
Simple Network Time Protocol (SNTP)
SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers.
Spanning Tree Algorithm (STA)
A technology that checks your network for any loops.
Virtual LAN (VLAN)
A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.
XModem
A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
Index Numerics D 802.1Q tunnel 12-12, 30-20 description 12-12 interface configuration 12-16, 30-21–30-22 mode selection 12-16 TPID 12-11, 12-16, 30-22 802.
F J firmware displaying version 4-6, 19-7 upgrading 4-12, 19-13 jumbo frame 19-10 G GARP VLAN Registration Protocol See GVRP gateway, default 4-9, 35-2 GVRP global setting 12-4, 30-2 interface configuration 12-10, 30-3 H hardware version, displaying 4-6, 19-7 HTTPS 6-5, 21-12 secure server 6-5, 21-12 I IEEE 802.1D 11-1, 29-2 IEEE 802.1s 29-2 IEEE 802.1w 11-1, 29-2 IEEE 802.
setting multicast groups 15-10, 33-12 specifying a VLAN 15-10, 33-12 using immediate leave 15-12, 33-13 P password, line 19-21 passwords 2-4 administrator setting 6-1, 21-2 path cost 11-3, 11-12 method 11-7, 29-6 STA 11-3, 11-12, 29-6 port authentication 6-13, 21-24 port priority configuring 13-1, 31-1, 32-1 default ingress 13-1, 31-3 STA 11-12, 29-13 port security, configuring 7-1, 22-1 port, statistics 9-21, 24-10 ports autonegotiation 9-3, 24-3 broadcast storm threshold 9-17, 24-7 capabilities 9-3
STP Also see STA switch settings, saving or restoring 19-12 switchport dot1q-ethertype 30-22 switchport mode dot1q-tunnel 30-21 system clock, setting 4-26, 19-37 system mode, normal or QinQ 4-3, 19-8 system mtu 4-4, 19-11 system software, downloading from server 4-12, 19-13 T TACACS+, logon authentication 6-2, 21-9 time, setting 4-26, 19-37 TPID 12-11, 12-16, 30-22 traffic class weights 13-6, 31-4 trap manager 2-7, 5-4, 20-5 troubleshooting B-1 trunk configuration 9-6, 25-1 LACP 9-8, 25-1, 25-2 stati
ES3528 ES3528-WDM E122006/ST-R01 149100033100A