24PORT GIGABIT L2 INTELLIGENT SWITCH SF-2420GX
Management Guide for the 24PORT GIGABIT L2 INTELLIGENT SWITCH: a Layer 2 switch with 20 10/100/1000BASE-T (RJ-45) ports, 4 Gigabit combination ports (RJ-45/SFP), and 2 10-Gigabit extender module slots. Management Guide Version 1.
September, 2006
Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Stack Operations Selecting the Stack Master Selecting the Backup Unit Recovering from Stack Failure or Topology Change Broken Link for Line and Wrap-around Topologies Resilient IP Interface for Management Access Resilient Configuration Renumbering the Stack Ensuring Consistent Code is Used Across
Contents Displaying Switch Hardware/Software Versions Displaying Bridge Extension Capabilities Setting the Switch’s IP Address (IP Version 4) Manual Configuration Using DHCP/BOOTP Setting the Switch’s IP Address (IP Version 6) Configuring an IPv6 Address Configuring an IPv6 General Network Prefix Configuring the Neighbor Detection Protocol and Static Entries Configuring Support for Jumbo Frames Managing Firmware Downloading System Software from a Server Saving or Restoring Configuration Settings Downloading
Contents Configuring Port Security Configuring 802.1X Port Authentication Displaying 802.1X Global Settings Configuring 802.1X Global Settings Configuring Port Settings for 802.1X Displaying 802.
Contents Displaying Basic VLAN Information Displaying Current VLANs Creating VLANs Adding Static Members to VLANs (VLAN Index) Adding Static Members to VLANs (Port Index) Configuring VLAN Behavior for Interfaces Configuring Private VLANs Enabling Private VLANs Configuring Uplink and Downlink Ports Configuring Protocol-Based VLANs Configuring Protocol Groups Mapping Protocols to VLANs Class of Service Configuration Layer 2 Queue Settings Setting the Default Priority for Interfaces Mapping CoS Values to Egres
Contents Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands Configuration Commands Command Line Processing Command Groups General Commands enable disable configure show history reload prompt end exit quit System Management Commands Device Designation Commands hostname switch renumber
Contents line login password timeout login response exec-timeout password-thresh silent-time databits parity speed stopbits disconnect show line Event Logging Commands logging on logging history logging host logging facility logging trap clear log show logging show log SMTP Alert Commands logging sendmail host logging sendmail level logging sendmail source-email logging sendmail destination-email logging sendmail show logging sendmail Time Commands sntp client sntp server sntp poll show sntp clock timezone
Contents snmp-server engine-id show snmp engine-id snmp-server view show snmp view snmp-server group show snmp group snmp-server user show snmp user User Authentication Commands User Account Commands username enable password Authentication Sequence authentication login authentication enable RADIUS Client radius-server host radius-server port radius-server key radius-server retransmit radius-server timeout show radius-server TACACS+ Client tacacs-server host tacacs-server port tacacs-server key show tacacs-s
Contents show public-key Port Security Commands port security 802.
Contents speed-duplex negotiation capabilities media-type shutdown switchport broadcast packet-rate clear counters show interfaces status show interfaces counters show interfaces switchport Link Aggregation Commands channel-group lacp lacp system-priority lacp admin-key (Ethernet Interface) lacp admin-key (Port Channel) lacp port-priority show lacp Mirror Port Commands port monitor show port monitor Rate Limit Commands rate-limit Address Table Commands mac-address-table static clear mac-address-table dynami
Contents spanning-tree cost spanning-tree port-priority spanning-tree edge-port spanning-tree portfast spanning-tree link-type spanning-tree mst cost spanning-tree mst port-priority spanning-tree protocol-migration show spanning-tree show spanning-tree mst configuration VLAN Commands GVRP and Bridge Extension Commands bridge-ext gvrp show bridge-ext switchport gvrp show gvrp configuration garp timer show garp timer Editing VLAN Groups vlan database vlan Configuring VLAN Interfaces interface vlan switchport
Contents show queue mode show queue bandwidth show queue cos-map Priority Commands (Layer 3 and 4). This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch.
Contents ip domain-name ip domain-list ip name-server ip domain-lookup show hosts show dns show dns cache clear dns cache IP Interface Commands ip address ip default-gateway ip dhcp restart show ip interface show ip redirects ping ipv6 enable ipv6 general-prefix show ipv6 general-prefix ipv6 address ipv6 address autoconfig ipv6 address eui-64 ipv6 address link-local show ipv6 interface ipv6 default-gateway show ipv6 default-gateway ipv6 mtu show ipv6 mtu show ipv6 traffic clear ipv6 traffic ping ipv6 ipv6 n
Contents Using System Logs Glossary Index
Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Table 1-1 Key Features (Continued)
Traffic Prioritization – Default port priority, traffic class map, queue scheduling, IP Precedence or Differentiated Services Code Point (DSCP), and TCP/UDP port
Quality of Service – Supports Differentiated Services (DiffServ)
Multicast Filtering – Supports IGMP snooping and query
Description of Software Features
The switch provides a wide range of advanced performance-enhancing features.
enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard. Rate Limiting – This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
the chosen path should fail for any reason, an alternate path will be activated to maintain the connection. Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to about 3 to 5 seconds, compared to 30 seconds or more for the older IEEE 802.1D STP standard.
or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration.
Table 1-2 System Defaults (Continued)
Web Management – HTTP Server: Enabled; HTTP Port Number: 80; HTTP Secure Server: Enabled; HTTP Secure Port Number: 443
SNMP – SNMP Agent: Enabled; Community Strings: “public” (read only), “private” (read/write); Traps: authentication traps enabled, link-up-down events enabled; SNMP V3 View: defaultview; Group: public (read only), private (read/write)
Port Configuration – Admin Status: Enabled; Auto-negotiation: Enabled; Flow
Table 1-2 System Defaults (Continued)
Traffic Prioritization – Ingress Port Priority: 0; Queue Mode: WRR (Weighted Round Robin), queues 0 1 2 3 4 5 6 7 with weights 1 2 4 6 8 10 12 14; IP Precedence Priority: Disabled; IP DSCP Priority: Disabled; IP Port Priority: Disabled
IP Settings – Management VLAN: any VLAN configured with an IP address; IP Address: 0.0.0.0; Subnet Mask: 255.0.0.0; Default Gateway: 0.0.0.
Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: An IPv4 address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-7.
• Configure up to 26 static or LACP trunks
• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics
• Configure any stack unit through the same IP address
Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch.
Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. An IPv4 address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-7. Notes: 1.
• When the stack is initially powered on, the Master unit is designated as unit 1 for a ring topology. For a line topology, the stack is simply numbered from top to bottom, with the first unit in the stack designated as unit 1. This unit identification number appears on the Stack Unit ID LED on the front panel of the switch. It can also be selected on the front panel graphic of the web interface, or from the CLI.
operations. However, note that the IP address will be the same for any common VLANs (with active port connections) that appear in both of the new stack segments. To resolve the conflicting IP addresses, you should manually replace the failed link or unit as soon as possible. If you are using a wrap-around stack topology, a single point of failure in the stack will not cause the stack to fail. It would take two or more points of failure to break the stack apart.
• All user-initiated commands to configure the non-functioning units are dropped. The master unit, however, will be able to communicate the following information to the non-functioning units:
- Image downloads
- Stack topology information
- System configuration information already stored on the master
In Special Stacking mode, the master unit displays warning messages whenever you log into the system through the CLI that inform you that an image download is required.
Setting Passwords
Note: If this is your first time logging into the CLI, define new passwords for both default user names using the “username” command, record them, and keep them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:
1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
Assigning an IPv4 Address
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Network mask for this network
• Default gateway for the network
To assign an IPv4 address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2.
To configure an IPv6 link local address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address, similar to that shown in the example, followed by the “link-local” command parameter. Then press Enter.
To generate an IPv6 global unicast address for the switch using a general network prefix, complete the following steps:
1. From the Global Configuration mode prompt, type “ipv6 general-prefix prefix-name ipv6-prefix/prefix-length,” where “prefix-name” is a label identifying the network segment, “ipv6-prefix” specifies the high-order bits of the network address, and “prefix-length” indicates the actual number of bits used in the network prefix. Press Enter.
2.
Dynamic Configuration
Obtaining an IPv4 Address
If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until a BOOTP or DHCP reply has been received. You therefore need to use the “ip dhcp restart” command to start broadcasting service requests. Requests will be sent periodically in an effort to obtain IP configuration information. (BOOTP and DHCP values can include the IP address, subnet mask, and default gateway.
Obtaining an IPv6 Address
Link Local Address — There are several ways to dynamically configure IPv6 addresses. The simplest method is to automatically generate a “link local” address (identified by an address prefix of FE80). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet. To generate an IPv6 link local address for the switch, complete the following steps:
1.
2. From the interface prompt, type “ipv6 address autoconfig” and press Enter.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address autoconfig
Console(config-if)#end
Console#show ipv6 interface
Vlan 1 is up
IPv6 is enable.
The default strings are:
• public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps:
1.
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of the MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB.
• Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test).
Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 32 Mbytes of flash memory for system files. In the system flash memory, one file of each type must be set as the start-up file.
To save the current configuration settings, enter the following command:
1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press Enter.
2. Enter the name of the start-up file. Press Enter.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password “admin” is used for the administrator.
Home Page
When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Table 3-1 Web Page Configuration Buttons
Apply – Sets specified values to the system.
Revert – Cancels specified values and restores current values prior to pressing “Apply.
Main Menu
Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 3-2 Switch Main Menu (Continued)
SNMP
Configuration – Configures community strings and related trap functions
Agent Status – Enables or disables SNMP
SNMPv3
Engine ID – Sets the SNMP v3 engine ID
Remote Engine ID – Sets the SNMP v3 engine ID on a remote device
Users – Configures SNMP v3 users
Remote Users – Configures SNMP v3 users on a remote device
Groups – Configures SNMP v3 groups
Table 3-2 Switch Main Menu (Continued)
Trunk Configuration – Configures trunk connection settings
Trunk Membership – Specifies ports to group into static trunks
Configuration – Allows ports to dynamically join trunks
Aggregation Port – Configures parameters for link aggregation group members
Port Counters Information – Displays statistics for LACP protocol messages
Port Internal Information – Displays settings and operational sta
Table 3-2 Switch Main Menu (Continued)
Trunk Information – Displays trunk settings for a specified MST instance
Port Configuration – Configures port settings for a specified MST instance
Trunk Configuration – Configures trunk settings for a specified MST instance
VLAN
802.
Table 3-2 Switch Main Menu (Continued)
IP Port Priority Status – Globally enables or disables IP Port Priority
IP Port Priority – Sets TCP/UDP port priority, defining the socket number and associated class-of-service value
QoS – Configure QoS classification criteria and service policies
Class Map – Creates a class map for a type of traffic
Policy Map – Creates a policy map for multiple interfaces
Service Policy – Applies a poli
Basic Configuration
Displaying System Information
You can easily identify the system by displaying the device name, location and contact information.
Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for the switch’s network management subsystem.
• Location – Specifies the system location.
• Contact – Administrator responsible for the system.
• System Up Time – Length of time the management agent has been up.
Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.
CLI – Specify the hostname, location and contact information.
Console(config)#hostname R&D 5
Console(config)#snmp-server location WC 9
Console(config)#snmp-server contact Ted
Console(config)#exit
Console#show system
System Description: 24PORT GIGABIT L2 INTELLIGENT SWITCH
System OID String: 1.3.6.1.4.1.4537.80
System Information
System Up Time: 0 days, 1 hours, 28 minutes, and 0.
• Role – Shows that this switch is operating as Master or Slave.
These additional parameters are displayed for the CLI.
• Unit ID – Unit number in stack.
• Redundant Power Status – Displays the status of the redundant power supply.
Web – Click System, Switch Information.
Figure 3-4 Switch Information
CLI – Use the following command to display version information.
Displaying Bridge Extension Capabilities
The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
Field Attributes
• Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
CLI – Enter the following command.
• MAC Address – The physical layer address for this switch.
Manual Configuration
Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply.
Figure 3-6 IPv4 Interface Configuration - Manual
CLI – Specify the management interface, IP address and default gateway.
Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the stack to be dynamically configured by these services.
Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the stack will also broadcast a request for IP configuration settings on each power reset.
CLI – Enter the following command to restart DHCP service.
Console#ip dhcp restart
Console#
Setting the Switch’s IP Address (IP Version 6)
This section describes how to configure an IPv6 interface for management access over the network. This switch supports both IPv4 and IPv6, and can be managed through either of these address types. For information on configuring the switch with an IPv4 address, see “Setting the Switch’s IP Address (IP Version 4)” on page 3-14.
- Or you can include a general prefix for the network portion of the address (as described under “Configuring an IPv6 General Network Prefix” on page 3-22). When using this method, remember that the prefix length specified on the IPv6 Configuration page must include both the length of the general prefix and any contiguous bits (from the left of the specified address) that are added to the general prefix to form the extended network portion of the address.
• Manual Configuration – Manually configures an IPv6 address.
• IPv6 Address – An IPv6 address can be configured in any of these ways:
- A link-local address can be manually configured by specifying the entire address in the IPv6 Address field, and selecting the Address Type “Link Local.” The network prefix length is fixed at 64 bits and cannot be changed.
• EUI-64 (Extended Unique Identifier) – Configures an IPv6 address for an interface using an EUI-64 interface ID in the low-order 64 bits.
- When using EUI-64 format for the low-order 64 bits in the host portion of the address, the value entered in the IPv6 Address field includes the network portion of the address, and the value in the Prefix Length field indicates how many contiguous bits (from the left) of the address comprise the prefix (i.e.
A node is also required to compute and join the associated solicited-node multicast addresses for every unicast and anycast address it is assigned. IPv6 addresses that differ only in the high-order bits, e.g. due to multiple high-order prefixes associated with different aggregations, will map to the same solicited-node address, thereby reducing the number of multicast addresses a node must join.
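The following Python is an added example, not the switch's own code, that works through the two address derivations described above: the EUI-64 interface ID the switch builds from a MAC address, and the solicited-node multicast group a node must join for each unicast address. The MAC address is constructed; the /64 prefix is assumed to be the manual's general prefix 2009:DB9:2229::/48 extended by the subnet 7279 used in its CLI example. The function names are my own.

```python
"""EUI-64 interface IDs and solicited-node multicast groups.

Added example (not from the switch manual). The MAC address and prefix
used in the usage section are constructed for illustration.
"""
import ipaddress
from typing import Iterable, Set


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 Appendix A): split the 48-bit MAC in the
    middle, insert FF:FE, and invert the universal/local bit (0x02 in the
    first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("need a 48-bit MAC address")
    modified = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(modified, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Place the EUI-64 interface ID in the low-order 64 bits of a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """The FE80::/64 link-local address the manual describes as the
    simplest auto-generated address."""
    return eui64_address("fe80::/64", mac)


def solicited_node(addr) -> ipaddress.IPv6Address:
    """RFC 4291 section 2.7.1: FF02::1:FFXX:XXXX, where XX:XXXX are the
    low-order 24 bits of the unicast or anycast address."""
    a = ipaddress.IPv6Address(addr)
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(a) & 0xFFFFFF))


def groups_to_join(addrs: Iterable[str]) -> Set[ipaddress.IPv6Address]:
    """Solicited-node groups an interface must join for its addresses.
    Addresses that share their low 24 bits (e.g. the link-local and a
    global address built from the same MAC) collapse into one group."""
    return {solicited_node(a) for a in addrs}


if __name__ == "__main__":
    mac = "00-11-22-33-44-55"                      # constructed sample MAC
    ll = link_local(mac)
    glob = eui64_address("2009:DB9:2229:7279::/64", mac)   # assumed prefix
    print("link-local:", ll)
    print("global    :", glob)
    print("groups    :", groups_to_join([str(ll), str(glob)]))
```

Running the block shows both addresses mapping to a single solicited-node group, which is the point the paragraph above makes about addresses that differ only in their high-order bits. Note that an EUI-64 address embeds the MAC, so anyone who sees the address learns the hardware identity of the management interface; manually assigned or autoconfigured addresses avoid that leak.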
CLI – This example configures an IPv6 gateway, specifies the management interface, configures a global unicast address, and then sets the MTU.
Console#config
Console(config)#ipv6 default-gateway 2009:DB9:2229::240
Console(config)#interface vlan 1
Console(config-if)#ipv6 address rd 7279::79/64
Console(config-if)#ipv6 mtu 1280
Console(config-if)#end
Console#show ipv6 default-gateway
ipv6 default gateway: 2009:DB9:2229::240
Console#show ipv6 interface
Vlan 1 is up
IPv6 is enable.
Web – Click System, IPv6 Configuration, IPv6 General Prefix. Click Add to open the editing fields for a prefix entry. Enter a name for the general prefix, the value for the general prefix, and the prefix length. Then click Add to enable the entry.
Figure 3-9 IPv6 General Prefix Configuration
CLI – This example creates a general network prefix of 2009:DB9:2229::/48.
- Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface.
- Duplicate address detection is stopped on any interface that has been suspended (see “Creating VLANs” on page 3-148). While an interface is suspended, all unicast IPv6 addresses assigned to that interface are placed in a “pending” state.
- PROBE - A reachability confirmation is actively sought by resending neighbor solicitation messages every RetransTimer interval until confirmation of reachability is received.
- ???? - Unknown state.
The following states are used for static entries:
- INCMP (Incomplete) - The interface for this entry is down.
- REACH (Reachable) - The interface for this entry is up.
Reachability detection is not applied to static entries in the IPv6 neighbor discovery cache.
Web – Click System, IPv6 Configuration, IPv6 ND Neighbor. To configure the Neighbor Detection protocol settings, select a VLAN interface, set the number of attempts allowed for duplicate address detection, set the interval for neighbor solicitation messages, and click Apply. To configure static neighbor entries, click Add, fill in the IPv6 address, VLAN interface and hardware address. Then click Add.
operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size. And for half-duplex connections, all devices in the collision domain would need to support jumbo frames.
Command Attributes
Jumbo Packet Status – Configures support for jumbo frames. (Default: Disabled)
Web – Click System, Jumbo Frames. Enable or disable support for jumbo frames, and click Apply.
Downloading System Software from a Server
When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file.
Web – Click System, File Management, Copy Operation.
To delete a file, select System, File Management, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted.
Figure 3-14 Deleting Files
CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select the operation code file type (not “config”, which is the configuration file type), then enter the source and destination file names.
Saving or Restoring Configuration Settings
You can upload/download configuration settings to/from a TFTP server, or copy files to and from switch units in a stack. The configuration file can be later downloaded to restore the switch’s settings.
Command Attributes
• File Transfer Method – The configuration copy operation includes these options:
- file to file – Copies a file within the switch directory, assigning it a new name.
Downloading Configuration Settings from a Server
You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.
Web – Click System, File Management, Copy Operation.
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud, Auto; Default: Auto) • Stop Bits – Sets the number of stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit) • Password – Specifies a password for the line connection.
CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
• Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password) • Login – Enables password checking at login. You can select authentication by a single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts.
Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and sent to a remote System Log (syslog) server, and to display a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Web – Click System, Logs, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-19 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 3-20 Remote Logs CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap level.
Console(config)#logging host 10.1.0.
Displaying Log Messages Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory. Web – Click System, Log, Logs. Figure 3-21 Displaying Logs CLI – This example shows the event messages stored in RAM. The 2001-01-01 date shows that the system clock has not been set; configure SNTP (described later in this chapter) so that log entries can be correlated with those of other devices.
Console#show log ram
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification.
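The three settings above (the RAM level, the flash level, and the trap level for remote hosts) are all thresholds on the eight syslog severities, and the facility chosen for remote logging is packed with the severity into the <PRI> header of each message. The following is an added Python example, not code from the manual or the switch vendor, that encodes and decodes PRI values, runs a few constructed log lines through such a policy, and shows which store each message reaches and how the bounded RAM buffer discards the oldest entries. The default level values and the local7 facility are assumptions for the example; check the show logging output of your own unit.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Syslog severity levels 0-7 (RFC 3164); the switch's RAM/flash/remote "level" settings are thresholds on these.
SEVERITY_NAMES = ["emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"]
FACILITY_LOCAL7 = 23  # assumed facility for the remote "logging facility" setting

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, as carried in the <PRI> header sent to the remote syslog host."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def parse_syslog(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (facility, severity, message), or None for a line without a valid PRI header."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return facility, severity, m.group(2)


@dataclass
class LogPolicy:
    """Mirrors the switch settings: global status, RAM level, flash level, and the remote (trap) level."""
    enabled: bool = True
    ram_level: int = 7      # assumed default: everything is kept in RAM
    flash_level: int = 3    # assumed default: error and worse survive a reset
    trap_level: int = 6     # assumed: highest level forwarded to syslog hosts
    ram_capacity: int = 2048
    flash_capacity: int = 4096

    def destinations(self, severity: int) -> List[str]:
        """A message reaches each store whose threshold is at or above its severity number (lower = more severe)."""
        if not self.enabled:
            return []
        thresholds = (("ram", self.ram_level), ("flash", self.flash_level), ("remote", self.trap_level))
        return [name for name, level in thresholds if severity <= level]


def route_messages(lines, policy: LogPolicy) -> Dict[str, List[str]]:
    """Run syslog lines through the policy and return which messages land where."""
    stores: Dict[str, List[str]] = {"ram": [], "flash": [], "remote": [], "invalid": []}
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            stores["invalid"].append(line)
            continue
        _, severity, message = parsed
        for dest in policy.destinations(severity):
            stores[dest].append(message)
    # RAM and flash are bounded: once full, the oldest entries are dropped
    stores["ram"] = stores["ram"][-policy.ram_capacity:]
    stores["flash"] = stores["flash"][-policy.flash_capacity:]
    return stores


# Constructed sample lines in "<PRI>timestamp message" form (not captured from a real device)
SAMPLE_LINES = [
    "<%d>Jan 1 00:01:30 VLAN 1 link-up notification." % encode_pri(FACILITY_LOCAL7, 6),
    "<%d>Jan 1 00:02:10 Unit 1, Port 5 link-down notification." % encode_pri(FACILITY_LOCAL7, 5),
    "<%d>Jan 1 00:02:15 Fan failure detected." % encode_pri(FACILITY_LOCAL7, 2),
    "Jan 1 00:03:00 line without a PRI header",
]

if __name__ == "__main__":
    for store, messages in route_messages(SAMPLE_LINES, LogPolicy()).items():
        print(store, messages)
```

Raising the flash level above 3 keeps more history across a reset but fills the 4096-entry store faster; the remote host is the only destination that is not bounded by the switch, so send everything you may later need for an investigation there.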
• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list. • Email Destination Address List – Specifies the email recipients of alert messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list.
CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail command to display the current SMTP configuration.
Console(config)#logging sendmail host 192.168.1.
CLI – This example renumbers all units in the stack.
Console#switch all renumber
Console#
Resetting the System Web – Click System, Reset. Click the Reset button to restart the switch. When prompted, confirm that you want to reset the switch. Figure 3-24 Resetting the System CLI – Use the reload command to restart the switch.
Console#reload
System will be restarted, continue ?
Note: When restarting the system, it will always run the Power-On Self-Test.
Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply. Figure 3-25 SNTP Configuration CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings.
Console(config)#sntp client
Console(config)#sntp poll 16
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.
Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to UTC, and click Apply. Figure 3-26 Clock Time Zone CLI – This example shows how to set the time zone for the system clock.
Console(config)#clock timezone Dhaka hours 6 minute 0 after-UTC
Console#
Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network.
Simple Network Management Protocol 3 The SNMPv3 security structure consists of security models, with each model having its own security levels. There are three security models defined: SNMPv1, SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a security model and specified security levels. Each group also has defined security access to a set of MIB objects for reading and writing, which are known as “views.
Enabling the SNMP Agent Enables SNMP service for all management clients (i.e., versions 1, 2c, and 3). Command Attributes SNMP Agent Status – Enables SNMP on the switch. Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled checkbox, and click Apply. Figure 3-27 Enabling the SNMP Agent CLI – The following example enables SNMP on the switch.
Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Community strings are the only credential for SNMPv1/v2c and are sent in cleartext, so replace the defaults, grant read/write strings only where a manager needs them, and limit which stations may reach the agent with the IP filter described under “Filtering IP Addresses for Management Access”. Figure 3-28 Configuring SNMP Community Strings CLI – The following example adds the string “spiderman” with read/write access.
To send an inform to a SNMPv2c host, complete these steps: 1. Enable the SNMP agent (page 3-46). 2. Enable trap informs as described in the following pages. 3. Create a view with the required notification messages (page 3-59). 4. Create a group that includes the required notify view (page 3-55). To send an inform to a SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 3-46). 2. Enable trap informs as described in the following pages. 3.
• Enable Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken. (Default: Enabled) Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, SNMP trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add.
Setting a Local Engine ID An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets. A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID.
The engine ID can be specified by entering 1 to 26 hexadecimal characters. If fewer than 26 characters are specified, trailing zeroes are added to the value. For example, the value “1234” is equivalent to “1234” followed by 22 zeroes. Web – Click SNMP, SNMPv3, Remote Engine ID. Enter an ID of up to 26 hexadecimal characters and then click Save. Figure 3-31 Setting an Engine ID CLI – This example specifies a remote SNMPv3 engine ID.
• Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. (A 56-bit DES key can be recovered by brute force with modest resources today; it deters casual observation of management traffic rather than a determined attacker.) • Privacy Password – A minimum of eight plain text characters is required. • Actions – Enables the user to be assigned to another SNMPv3 group. Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list.
CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
• Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. • Privacy Password – A minimum of eight plain text characters is required. Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
Console(config)#exit
Console#show snmp user
No user exist.
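The engine ID padding described under “Setting a Local Engine ID” and the way the engine ID is “used in combination with user passwords to generate the security keys” are the RFC 3414 password-to-key and key-localization steps; the auth md5 and priv des56 passwords in the CLI example above go through exactly this transformation. The following is an added Python example, not code from the manual or the vendor, that pads an engine ID the way the switch does and derives the localized keys; it is checked against the RFC 3414 appendix test vector (password “maplesyrup”, engine ID 00…02). The “sha1” spelling and the at-least-eight-characters check mirror the page’s options and are assumptions about this switch’s exact behaviour.

```python
import hashlib

ENGINE_ID_HEX_LEN = 26   # the switch accepts 1-26 hex characters and right-pads with zeros


def normalize_engine_id(hex_id: str) -> bytes:
    """Pad a user-entered engine ID as the switch does ("1234" -> "1234" + 22 zeros) and return raw bytes."""
    hex_id = hex_id.strip().lower()
    if not 1 <= len(hex_id) <= ENGINE_ID_HEX_LEN or any(c not in "0123456789abcdef" for c in hex_id):
        raise ValueError("engine ID must be 1-26 hexadecimal characters")
    return bytes.fromhex(hex_id.ljust(ENGINE_ID_HEX_LEN, "0"))


def password_to_key(password: str, engine_id: bytes, algo: str = "md5"):
    """RFC 3414 A.2: derive Ku from the password, then localize it to one engine as Kul."""
    if algo not in ("md5", "sha1"):
        raise ValueError("this switch offers MD5 or SHA for authentication")
    if len(password) < 8:
        raise ValueError("the switch requires at least eight characters")
    pw = password.encode()
    # Step 1: hash the password repeated out to 1,048,576 octets (deliberately slow to brute-force)
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(algo, stream).digest()
    # Step 2: bind the key to this engine; the same password yields a different Kul on every switch,
    # so a key captured or extracted from one device does not work against another
    kul = hashlib.new(algo, ku + engine_id + ku).digest()
    return ku, kul


def des_key_and_preiv(priv_kul: bytes):
    """RFC 3414 8.1.1.1: for 'priv des56' the first 8 octets of the localized privacy key are the DES key
    and the last 8 octets the pre-IV. Only 56 bits of the key are used by DES."""
    if len(priv_kul) < 16:
        raise ValueError("the localized privacy key must be at least 16 octets")
    return priv_kul[:8], priv_kul[8:16]


if __name__ == "__main__":
    engine = normalize_engine_id("1234")                 # the page's padding example
    print("engine ID:", engine.hex())
    ku, kul = password_to_key("greenpeace", engine, "md5")  # the auth password from the CLI example
    print("Ku :", ku.hex())
    print("Kul:", kul.hex())
    _, priv_kul = password_to_key("einstien", engine, "md5")  # the priv password from the CLI example
    key, preiv = des_key_and_preiv(priv_kul)
    print("DES key:", key.hex(), "pre-IV:", preiv.hex())
```

Because the localized key depends on the engine ID, a manager that targets a remote engine (the remote user created above) must be told that engine’s ID before it can compute the key that the remote agent expects; a mismatch shows up as authentication failures rather than a clear error.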
Table 3-5 Supported Notification Messages
Object Label        Object ID              Description
newRoot             1.3.6.1.2.1.17.0.1     The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange      1.3.6.1.2.1.17.0.
Table 3-5 Supported Notification Messages (Continued)
Object Label              Object ID                        Description
swPowerStatusChangeTrap   1.3.6.1.4.1.4537.80.2.1.0.1     This trap is sent when the power state changes.
swFanFailureTrap          1.3.6.1.4.1.4537.80.2.1.0.17    This trap is sent when the fan fails.
swFanRecoverTrap          1.3.6.1.4.1.4537.80.2.1.0.18    This trap is sent when the fan failure has recovered.
swIpFilterRejectTrap      1.3.6.1.4.1.4537.80.2.1.0.
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read, write, and notify views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree. Command Attributes • View Name – The name of the SNMP view. (Range: 1-64 characters) • View OID Subtrees – Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view.
CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#exit
Console#show snmp view
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
View Type: included
Storage Type: nonvolatile
Row Status: active

View Name: readaccess
Subtree OID: 1.3.6.1.
User Authentication 3 Command Attributes • Account List – Displays the current list of user accounts and associated access levels. (Defaults: admin, and guest) • New Account – Displays configuration settings for a new account. - User Name – The name of the user. (Maximum length: 8 characters; maximum number of users: 16) - Access Level – Specifies the user level. (Options: Normal and Privileged) - Password – Specifies the user password.
Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
• RADIUS Settings - Global – Provides globally applicable RADIUS settings. - Server Index – Specifies one of five RADIUS servers that may be configured. The switch attempts authentication using the listed sequence of servers. The process ends when a server either approves or denies access to a user. - Server IP Address – Address of authentication server. (Default: 10.1.0.1) - Server Port Number – Network (UDP) port of authentication server used for authentication messages.
Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. The shared key is all that protects the exchange with the server, so use a long random key, give each switch its own, and never keep a key that appears in documentation. Figure 3-37 Authentication Server Settings CLI – Specify all the required parameters to enable logon authentication.
Console#config
Console(config)#authentication login tacacs
Console(config)#tacacs-server host 10.20.30.40
Console(config)#tacacs-server port 200
Console(config)#tacacs-server key green
Console(config)#exit
Console#show tacacs-server
Server IP address: 10.20.30.
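The RADIUS settings above (server address, UDP port, shared key) are worth understanding at the packet level, because the key is the only thing that hides the user’s password on the wire and the only thing that lets the switch tell a genuine Access-Accept from a forged one. The following is an added Python example, not code from the manual or the vendor, that builds an Access-Request the way RFC 2865 specifies (User-Password hidden with MD5 of the shared key and the Request Authenticator), reverses the hiding as the server would, and verifies the Response Authenticator on a reply. The user name, password, NAS address and the key “green” are constructed values for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each block with MD5(secret || previous block)."""
    if not password or len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 1-128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server does; anyone holding the shared key can do the same from a capture."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user: str, password: str, secret: bytes, nas_ip: str,
                         ident: int, request_auth: Optional[bytes] = None) -> bytes:
    # The Request Authenticator must be unpredictable: it is the only per-packet input to the password hiding
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(attrs), request_auth) + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    packet = HEADER.pack(code, ident, HEADER.size + len(attrs), request_auth) + attrs
    return hashlib.md5(packet + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + len(attrs), auth) + attrs


def parse_header(packet: bytes) -> Tuple[int, int, int, bytes]:
    return HEADER.unpack(packet[:HEADER.size])


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check a switch must make before honouring an Access-Accept: a reply forged without the key fails."""
    if len(response) < HEADER.size:
        return False
    code, ident, length, auth = parse_header(response)
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[HEADER.size:], request_auth, secret)
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    secret = b"green"                       # constructed; never use a key this short in practice
    request = build_access_request("mark", "secretpw", secret, "10.1.0.1", 7)
    print("Access-Request:", request.hex())
    _, ident, _, request_auth = parse_header(request)
    accept = build_response(ACCESS_ACCEPT, ident, request_auth, secret)
    print("reply genuine:", verify_response(accept, request_auth, secret))
    print("reply with wrong key accepted:", verify_response(accept, request_auth, b"wrong"))
```

Two practical consequences follow from the code: a short or guessable key lets anyone who captures the UDP exchange recover every password that logs in through it, and a switch that does not check the Response Authenticator (or that shares its key with many other devices) can be handed a forged Access-Accept by anyone who can spoof the server’s address.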
Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-38 HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number.
Configuring the Secure Shell The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks. The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkeley remote access tools.
be configured locally on the switch via the User Accounts page as described on page 3-60.) The clients are subsequently authenticated using these keys.
Authenticating SSH v2 Clients a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable. b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process. Otherwise, it rejects the request. c. The client sends a signature generated using the private key to the switch. d.
Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-39 SSH Host-Key Settings CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. (The version 1 protocol has well-known weaknesses; use version 2.0 clients wherever possible.)
CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection. A 512-bit server key is too short to resist factoring with modern resources; choose the largest size the server-key size command accepts.
Console(config)#ip ssh server
Console(config)#ip ssh timeout 100
Console(config)#ip ssh authentication-retries 5
Console(config)#ip ssh server-key size 512
Console(config)#end
Console#show ip ssh
SSH Enabled - version 2.
Command Attributes • Port – Port number. • Name – Descriptive text (page 4-121). • Action – Indicates the action to be taken when a port security violation is detected: - None: No action should be taken. (This is the default.) - Trap: Send an SNMP trap message. - Shutdown: Disable the port. - Trap and Shutdown: Send an SNMP trap message and disable the port. • Security Status – Enables or disables port security on the port.
Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.
• The RADIUS server and client also have to support the same EAP authentication type – MD5. (Some clients have native support in Windows; otherwise the dot1x client must support it.) Displaying 802.1X Global Settings The 802.1X protocol provides port authentication. Command Attributes 802.1X System Authentication Control – The global setting for 802.1X. Web – Click Security, 802.1X, Information. Figure 3-42 802.
Configuring 802.1X Global Settings The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web – Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply. Figure 3-43 802.1X Global Configuration CLI – This example enables 802.
• Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default: 2) • Quiet Period – Sets the time that a switch port waits after the Max Request count has been exceeded before attempting to acquire a new client. (Range: 1-65535 seconds; Default: 60 seconds) • Re-authentication Period – Sets the time period after which a connected client must be re-authenticated.
CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-99.
Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port.
Table 3-7 802.1X Statistics
Parameter          Description
Rx EAPOL Start     The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff    The number of EAPOL Logoff frames that have been received by this Authenticator.
Rx EAPOL Invalid   The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized.
Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-45 802.1X Port Statistics CLI – This example displays the dot1x statistics for port 4.
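The EAP-MD5 requirement noted earlier and the Table 3-7 counters both come down to the EAPOL frames the authenticator port receives. The following is an added Python example, not code from the manual or the vendor, that builds EAPOL frames, classifies a constructed sequence of them into the counters the table reports (Start, Logoff, Invalid, plus the Resp/Id, Resp/Oth and LenError counters that IEEE 802.1X authenticators normally keep), and computes and verifies an EAP-MD5 challenge response. The client MAC, password and challenge are constructed values.

```python
import hashlib
import hmac
import struct
from collections import Counter
from typing import Iterable

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # EAPOL destination; bridges do not forward it
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY, EAPOL_ASF = 0, 1, 2, 3, 4
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eapol_frame(src_mac: bytes, pkt_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPOL header (version 1, packet type, body length) + body."""
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, pkt_type, len(body)) + body


def eap_packet(code: int, ident: int, eap_type: int = None, data: bytes = b"") -> bytes:
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def md5_challenge_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748 5.4, same as CHAP): MD5(Identifier || password || challenge).
    It authenticates only the client, derives no keys, and is open to offline guessing from a capture."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def md5_response_packet(ident: int, password: bytes, challenge: bytes, name: bytes) -> bytes:
    value = md5_challenge_response(ident, password, challenge)
    return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([len(value)]) + value + name)


def verify_md5_response(eap: bytes, password: bytes, challenge: bytes) -> bool:
    """Authenticator/RADIUS side: recompute the digest for the Response's Identifier, compare in constant time."""
    if len(eap) < 6 or eap[0] != EAP_RESPONSE or eap[4] != EAP_TYPE_MD5:
        return False
    size = eap[5]
    return hmac.compare_digest(eap[6:6 + size], md5_challenge_response(eap[1], password, challenge))


def count_frames(frames: Iterable[bytes]) -> Counter:
    """Classify received frames the way the authenticator statistics are reported."""
    c: Counter = Counter()
    for f in frames:
        if len(f) < 18 or struct.unpack("!H", f[12:14])[0] != EAPOL_ETHERTYPE:
            continue                                   # not EAPOL; the port PAE never sees it
        _, _version, ptype, length = struct.unpack("!HBBH", f[12:18])
        body = f[18:18 + length]
        if ptype == EAPOL_START:
            c["Rx EAPOL Start"] += 1
        elif ptype == EAPOL_LOGOFF:
            c["Rx EAPOL Logoff"] += 1
        elif ptype == EAPOL_EAP:
            if len(body) < 4 or struct.unpack("!H", body[2:4])[0] > len(body):
                c["Rx EAP LenError"] += 1              # EAP length claims more than the frame carries
            elif body[0] == EAP_RESPONSE and len(body) >= 5 and body[4] == EAP_TYPE_IDENTITY:
                c["Rx EAP Resp/Id"] += 1
            elif body[0] == EAP_RESPONSE:
                c["Rx EAP Resp/Oth"] += 1
        elif ptype in (EAPOL_KEY, EAPOL_ASF):
            pass                                       # recognised types not reported by these counters
        else:
            c["Rx EAPOL Invalid"] += 1                 # unknown EAPOL packet type
    return c


CLIENT_MAC = bytes.fromhex("001122334455")     # constructed
CHALLENGE = bytes(range(16))                   # constructed; a real authenticator uses random bytes
PASSWORD = b"dot1x-secret"                     # constructed
SAMPLE_FRAMES = [
    eapol_frame(CLIENT_MAC, EAPOL_START),
    eapol_frame(CLIENT_MAC, EAPOL_EAP, eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"mark")),
    eapol_frame(CLIENT_MAC, EAPOL_EAP, md5_response_packet(2, PASSWORD, CHALLENGE, b"mark")),
    eapol_frame(CLIENT_MAC, EAPOL_EAP, eap_packet(EAP_RESPONSE, 3, EAP_TYPE_MD5, b"x" * 5)[:-2]),  # truncated
    eapol_frame(CLIENT_MAC, 9),                # unknown EAPOL type
    eapol_frame(CLIENT_MAC, EAPOL_LOGOFF),
    b"\xff" * 6 + CLIENT_MAC + b"\x08\x00" + b"\x00" * 20,   # ordinary IPv4 frame, not EAPOL
]

if __name__ == "__main__":
    for name, value in sorted(count_frames(SAMPLE_FRAMES).items()):
        print(f"{name:<18} {value}")
```

A rising Rx EAPOL Invalid or LenError count on a port is worth a look: legitimate supplicants do not send malformed EAPOL, so it usually means a misbehaving client or someone probing the authenticator.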
Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage • The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses, so add the station you are managing from before any other entry or the first entry will cut off your own session.
Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry. Figure 3-46 IP Filter CLI – This example restricts management access for Telnet clients.
Console(config)#management telnet-client 192.168.1.19
Console(config)#management telnet-client 192.168.1.25 192.168.1.
Access Control Lists 3 Access Control Lists Access Control Lists (ACLs) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, next header type, or flow label), or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.
- IPv6 Extended: IPv6 ACL mode that filters packets based on the destination IP address, as well as the type of the next header and the flow label (i.e., a request for special handling by IPv6 routers). - MAC: MAC ACL mode that filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060). Web – Click Security, ACL, Configuration.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add. Figure 3-48 ACL Configuration - Standard IPv4 CLI – This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.
Console(config-std-acl)#permit host 10.1.
• Source/Destination Port Bit Mask – Decimal number representing the port bits to match. (Range: 0-65535) • Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header, i.e., the six flags FIN (1), SYN (2), RST (4), PSH (8), ACK (16) and URG (32). (Range: 0-63) • Control Code Bit Mask – Decimal number representing the code bits to match. The control bitmask is a decimal number (for an equivalent binary bit mask) that is applied to the control code.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add. Figure 3-49 ACL Configuration - Extended IPv4 CLI – This example adds three rules: 1.
Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any) • Source/Destination MAC Address – Source or destination MAC address.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.
• Source Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IPv6-prefix). If you select “Host,” enter a specific address. If you select “IPv6-prefix,” enter a subnet address and the prefix length. Then click Add.
• Destination Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). • Next Header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255) Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any or IPv6-prefix). If you select “IPv6-prefix,” enter a subnet address and prefix length. Set any other required criteria, such as next header, DSCP, or flow label. Then click Add. Figure 3-52 ACL Configuration - Extended IPv6 CLI – This example adds three rules: 1. Accepts any incoming packets for the destination 2009:DB9:2229::79/48. 2.
Binding a Port to an Access Control List After configuring the Access Control Lists (ACLs), you should bind them to the ports that need to filter traffic. You can only bind a port to one ACL for each basic type – IPv4 ingress, MAC ingress, and IPv6 ingress. Command Usage • This switch supports ACLs for ingress filtering only. Command Attributes
• Port – Fixed port, SFP module, or XFP module. (Range: 1-26)
• IP – Specifies the IPv4 ACL to bind to a port.
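Every ACL type described above (Standard and Extended IPv4, Extended IPv6, and MAC) matches on the same idea: a value, a bitmask that selects which bits are compared, and first-match evaluation of the rules in the order they were added. The following is an added Python example, not code from the manual or the vendor, that implements that matching for all four types, including the TCP control-code mask, and evaluates the page’s own 10.1.1.21 / 168.92.16.0 255.255.240.0 and 2009:DB9:2229::79/48 rules against constructed packets. The implicit deny for packets that match no rule is an assumption about how a bound ACL behaves; confirm it on your own unit before relying on it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Match = Optional[Tuple[int, int]]   # (value, bitmask): only bits set in the mask are compared; None = "Any"

# TCP flag bits as they appear in the control-code byte; the switch's 0-63 range covers exactly these six
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def addr(text: str) -> int:
    """Packet-side helper: an IPv4 or IPv6 address as an integer."""
    return int(ipaddress.ip_address(text))


def ip_host(text: str) -> Match:
    """'Host' address type: every bit of the address must match."""
    a = ipaddress.ip_address(text)
    return int(a), (1 << a.max_prefixlen) - 1


def ip_range(text: str, bitmask: str) -> Match:
    """'IP' address type: base address plus a dotted bitmask (168.92.16.0 255.255.240.0 covers 168.92.16-31.x)."""
    return int(ipaddress.IPv4Address(text)), int(ipaddress.IPv4Address(bitmask))


def ipv6_prefix(text: str, prefix_len: int) -> Match:
    """'IPv6-prefix' address type: the leading prefix_len bits form the mask."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be 0-128")
    return int(ipaddress.IPv6Address(text)), ((1 << prefix_len) - 1) << (128 - prefix_len)


def mac(text: str, bitmask: str = "FF-FF-FF-FF-FF-FF") -> Match:
    """'Host' (default mask) or 'MAC' address type with a hexadecimal bitmask, e.g. 11-22-33-44-55-66."""
    as_int = lambda s: int(s.replace("-", "").replace(":", ""), 16)
    return as_int(text), as_int(bitmask)


def tcp_flags(code: int, bitmask: int) -> Match:
    """Control code and bit mask, both 0-63; the mask says which flag bits are examined."""
    if not 0 <= code <= 63 or not 0 <= bitmask <= 63:
        raise ValueError("control code and mask are six-bit values (0-63)")
    return code, bitmask


def masked_eq(value: int, m: Match) -> bool:
    return m is None or (value & m[1]) == (m[0] & m[1])


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: Match = None
    dst: Match = None
    proto: Optional[int] = None      # IPv4 protocol number or IPv6 next header
    sport: Match = None              # (port, port bit mask)
    dport: Match = None
    flags: Match = None              # TCP control code and mask
    ethertype: Optional[int] = None  # MAC ACL frame type


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto is not None and pkt.get("proto") != rule.proto:
        return False
    if rule.ethertype is not None and pkt.get("ethertype") != rule.ethertype:
        return False
    return all(masked_eq(pkt.get(field, 0), getattr(rule, field))
               for field in ("src", "dst", "sport", "dport", "flags"))


def evaluate(acl, pkt: dict) -> str:
    """Rules are tried in the order they were added; the first match decides.
    Assumption: a bound ACL ends in an implicit deny, so an unmatched packet is dropped."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# The page's Standard IPv4 example: one host rule and one bitmask range
STANDARD_ACL = [Rule("permit", src=ip_host("10.1.1.21")),
                Rule("permit", src=ip_range("168.92.16.0", "255.255.240.0"))]
# Extended IPv4: drop new Telnet connections (SYN set, ACK clear) and permit everything else
TELNET_ACL = [Rule("deny", proto=6, dport=(23, 0xFFFF),
                   flags=tcp_flags(TCP_FLAGS["SYN"], TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])),
              Rule("permit")]
# Extended IPv6: the page's destination prefix 2009:DB9:2229::79/48
IPV6_ACL = [Rule("permit", dst=ipv6_prefix("2009:DB9:2229::79", 48))]
# MAC ACL: one vendor prefix, IPv4 frames only (constructed addresses)
MAC_ACL = [Rule("permit", src=mac("00-11-22-00-00-00", "FF-FF-FF-00-00-00"), ethertype=0x0800)]

if __name__ == "__main__":
    print(evaluate(STANDARD_ACL, {"src": addr("168.92.31.5")}), evaluate(STANDARD_ACL, {"src": addr("168.92.32.1")}))
    print(evaluate(TELNET_ACL, {"proto": 6, "dport": 23, "flags": TCP_FLAGS["SYN"]}))
```

Because only the bits set in the mask are compared, a rule whose mask is 0 matches every address, so a typo in the bitmask field silently widens a permit; test a new list against packets that should be dropped, not only against those that should pass, before binding it to a port.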
Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web)
• Name – Interface label.
• Type – Indicates the port type. (1000BASE-T, SFP, or 10G)
• Admin Status – Shows if the interface is enabled or disabled.
• Oper Status – Indicates if the link is Up or Down.
Port Configuration 3 Field Attributes (CLI) Basic information:
• Port type – Indicates the port type. (1000BASE-T, SFP, or 10G)
• MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address (IP Version 4)” on page 3-14.)
Configuration:
• Name – Interface label.
• Port admin – Shows if the interface is enabled or disabled (i.e., up or down).
• Speed-duplex – Shows the current speed and duplex mode.
CLI – This example shows the connection status for Port 5.
Configuring Interface Connections You can use the Port Configuration or Trunk Configuration page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed and duplex mode, and flow control. Command Attributes • Name – Allows you to label an interface. (Range: 1-64 characters) • Admin – Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g.
• Trunk – Indicates if a port is a member of a trunk. To create trunks and select port members, see “Creating Trunk Groups” on page 3-99. Note: Auto-negotiation must be disabled before you can configure or force the interface to use the Speed/Duplex Mode or Flow Control options. Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply.
Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices (i.e., single switch or a stack). You can create up to 26 trunks. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
Statically Configuring a Trunk Command Usage • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
CLI – This example creates trunk 1 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch to form a trunk.
Command Attributes • Member List (Current) – Shows configured trunks (Unit, Port). • New – Includes entry fields for creating new trunks. - Unit – Stack unit. (Range: 1-8) - Port – Port identifier. (Range: 1-25/49) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. • However, if the “port channel” Admin Key is set (page 4-142), then the port Admin Key must be set to the same value for a port to be allowed to join a channel group.
Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
CLI – The following example configures LACP parameters for ports 1-10. Ports 1-8 are used as active members of the LAG, ports 9 and 10 are set to backup mode.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp actor system-priority 3
Console(config-if)#lacp actor admin-key 120
Console(config-if)#lacp actor port-priority 128
Console(config-if)#exit
. . .
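The selection rules stated under “Dynamically Creating a Port Channel” (same System Priority, same Admin Key) together with the Port Priority decide which of the ten ports in the CLI example carry traffic and which wait in backup. The following is an added Python example, not code from the manual or the vendor, that applies those rules to a constructed set of ports mirroring that example (ports 1-8 at priority 128, ports 9-10 at a higher value, plus a port with a different admin key) and shows how lowering a backup port’s priority value displaces an active member. The eight-port-per-channel limit is an assumption for the example; the page does not state it.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LacpPort:
    unit: int
    port: int
    system_priority: int   # lacp actor system-priority
    admin_key: int         # lacp actor admin-key
    port_priority: int     # lacp actor port-priority; a lower value is preferred


AggKey = Tuple[int, int]   # (system priority, admin key): ports must agree on both to share a channel


def select_aggregators(ports: List[LacpPort], max_active: int = 8) -> Dict[AggKey, Tuple[List[int], List[int]]]:
    """Group ports by (system priority, admin key), rank each group by port priority (ties broken by
    unit and port number), and split it into ports that carry traffic and ports held in standby.
    max_active = 8 is an assumed per-channel limit; standby ports take over when an active link fails."""
    groups: Dict[AggKey, List[LacpPort]] = {}
    for p in ports:
        groups.setdefault((p.system_priority, p.admin_key), []).append(p)
    selection: Dict[AggKey, Tuple[List[int], List[int]]] = {}
    for key, members in groups.items():
        ranked = sorted(members, key=lambda p: (p.port_priority, p.unit, p.port))
        selection[key] = ([p.port for p in ranked[:max_active]], [p.port for p in ranked[max_active:]])
    return selection


def why_excluded(candidate: LacpPort, channel: AggKey) -> str:
    """Explain, in the terms the page uses, why a port cannot join a given channel (empty string if it can)."""
    reasons = []
    if candidate.system_priority != channel[0]:
        reasons.append("LACP System Priority differs")
    if candidate.admin_key != channel[1]:
        reasons.append("LACP port Admin Key differs")
    return "; ".join(reasons)


# Constructed to mirror the page's CLI example: ports 1-8 active (priority 128), ports 9-10 in backup
# (priority 512), plus port 11 with a different admin key to show that it cannot join the same channel
EXAMPLE_PORTS = ([LacpPort(1, n, 3, 120, 128) for n in range(1, 9)]
                 + [LacpPort(1, n, 3, 120, 512) for n in (9, 10)]
                 + [LacpPort(1, 11, 3, 121, 128)])

if __name__ == "__main__":
    for key, (active, standby) in select_aggregators(EXAMPLE_PORTS).items():
        print(f"channel {key}: active {active} standby {standby}")
    print(why_excluded(EXAMPLE_PORTS[-1], (3, 120)))
```

When the partner switch enforces a different per-channel limit or its own port priorities, the two ends may disagree about which links are active; compare the local and neighbor information pages described next when a LAG carries traffic on fewer links than expected.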
3 Configuring the Switch Displaying LACP Port Counters You can display statistics for LACP protocol messages. Table 3-8 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Received Number of valid LACPDUs received by this channel group. Marker Sent Number of valid Marker PDUs transmitted from this channel group. Marker Received Number of valid Marker PDUs received by this channel group.
Port Configuration 3 Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of an link aggregation. Table 3-9 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port. LACPDUs Internal Number of seconds before invalidating received LACPDU information.
3 Configuring the Switch Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-60 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Port Configuration 3 Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of an link aggregation. Table 3-10 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user. Partner Oper System ID LAG partner’s system ID assigned by the LACP protocol. Partner Admin Port Number Current administrative value of the port number for the protocol Partner.
CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold, and click Apply.
Figure 3-62 Port Broadcast Control
CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2.
Configuring Port Mirroring
You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
(Figure: traffic from the source port(s) is mirrored to a single target port)
Command Usage
• Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port. Note that default mirroring under the CLI is for both received and transmitted packets.
Console(config)#interface ethernet 1/10
Console(config-if)#port monitor ethernet 1/13
Console(config-if)#
Configuring Rate Limits
This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface.
Web - Click Port, Rate Limit, Input/Output Port/Trunk Configuration. Set the Input Rate Limit Status or Output Rate Limit Status, then set the rate limit for the individual interfaces, and click Apply.
Figure 3-64 Rate Limit Configuration
CLI - This example sets the rate limit for input and output traffic passing through port 1 to 600 Mbps.
Table 3-11 Port Statistics
Interface Statistics
• Received Octets – The total number of octets received on the interface, including framing characters.
• Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
• Received Multicast Packets – The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast address at this sub-layer.
• Excessive Collisions – A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode.
• Single Collision Frames – The number of successfully transmitted frames for which transmission is inhibited by exactly one collision.
• Fragments – The total number of frames received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either an FCS or alignment error.
• 64 Bytes Frames – The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
CLI – This example shows statistics for port 12.
Address Table Settings
Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address.
Figure 3-66 Static Addresses
CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query.
Figure 3-67 Dynamic Addresses
CLI – This example also displays the address table entries for port 1.
Changing the Aging Time
You can set the aging time for entries in the dynamic address table.
Command Attributes
• Aging Status – Enables/disables the aging function.
• Aging Time – The time after which a learned entry is discarded. (Range: 10-1000000 seconds; Default: 300 seconds)
Web – Click Address Table, Address Aging. Specify the new aging time, and click Apply.
Figure 3-68 Address Aging
CLI – This example sets the aging time to 400 seconds.
Spanning Tree Algorithm Configuration
(Figure: spanning tree showing the Designated Root, Designated Bridge, Designated Port and Root Port)
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see “Configuring Multiple Spanning Trees” on page 3-136). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
• Designated Root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
• Transmission limit – The minimum interval between the transmission of consecutive RSTP/MSTP BPDUs.
• Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
Web – Click Spanning Tree, STA, Information.
Figure 3-69 STA Information
CLI – This command displays global STA settings, followed by settings for each port.
Transmission limit: 3
Path Cost Method: long
--------------------------------------------------------------
Eth 1/ 1 information
--------------------------------------------------------------
Admin status: enabled
Role: disable
State: discarding
External admin path cost: 10000
Internal admin cost: 10000
External oper path cost: 10000
Internal oper path cost: 10000
Priority: 128
Designated cost: 300000
Designated port: 128.1
Designated root: 32768.
• Multiple Spanning Tree Protocol
- To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
- A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
- Be careful when switching between spanning tree modes.
• Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
• Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port.
• Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface. This parameter is determined by manual configuration or by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-134.
• Internal path cost – The path cost for the MST. See the preceding item.
• Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm is detecting network loops.
CLI – This example shows the STA attributes for port 5.
Console#show spanning-tree ethernet 1/5
Eth 1/ 5 information
-------------------------------------------------------------
Admin status: enabled
Role: disable
State: discarding
External admin path cost: 10000
Internal admin cost: 10000
External oper path cost: 10000
Internal oper path cost: 10000
Priority: 128
Designated cost: 10000
Designated port: 128.1
Designated root: 32768.0.0000E8AAAA00
Designated bridge: 32768.0.
The following interface attributes can be configured:
• Spanning Tree – Enables/disables STA on this interface. (Default: Enabled)
• Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
• Migration – If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the Protocol Migration button to manually re-check the appropriate BPDU format (RSTP or STP-compatible) to send on the selected interfaces. (Default: Disabled)
Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration.
To use multiple spanning trees:
1. Set the spanning tree type to MSTP (STA Configuration, page 3-127).
2. Enter the spanning tree priority for the selected MST instance (MSTP VLAN Configuration).
3. Add the VLANs that will share this MSTI (MSTP VLAN Configuration).
Note: All VLANs are automatically added to the IST (Instance 0). To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings.
Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
Figure 3-73 MSTP VLAN Configuration
CLI – This displays STA settings for instance 1, followed by settings for each port.
--------------------------------------------------------------
Eth 1/ 7 information
--------------------------------------------------------------
Admin status: enabled
Role: master
State: forwarding
External admin path cost: 10000
Internal admin path cost: 10000
External oper path cost: 10000
Internal oper path cost: 10000
Priority: 128
Designated cost: 0
Designated port: 128.1
Designated root: 32768.1.0030F1D473A0
Designated bridge: 32768.1.
Displaying Interface Settings for MSTP
The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
Field Attributes
• MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0)
The other attributes are described under “Displaying Interface Settings,” page 3-131.
Web – Click Spanning Tree, MSTP, Port Information or Trunk Information.
--------------------------------------------------------------
Eth 1/ 1 information
--------------------------------------------------------------
Admin status: enabled
Role: root
State: forwarding
External admin path cost: 10000
Internal admin path cost: 10000
External oper path cost: 10000
Internal oper path cost: 10000
Priority: 128
Designated cost: 0
Designated port: 128.4
Designated root: 32768.0.0000E8AAAA00
Designated bridge: 32768.0.
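The Designated root, Designated bridge, Designated cost and Designated port fields in the displays above are the outcome of one comparison rule: bridges are ordered by priority and then by MAC address, and the BPDUs heard on a segment are ordered by (root ID, root path cost, sender bridge ID, sender port ID). The following Python is an added illustration, not code from this guide or from the switch firmware. It assumes the bridge ID format the switch prints, priority.instance.MAC, where the middle field is the MST instance, and uses constructed bridge IDs; it shows why a bridge that announces a lower priority than every other bridge becomes the root, which is the reason operators pin the intended root with a deliberately low priority.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    """Bridge identifier as this switch prints it: priority.instance.MAC
    (e.g. "32768.0.0000E8AAAA00"). Treating the middle field as the MST
    instance (system ID extension) is an assumption drawn from the output format."""
    priority: int
    instance: int
    mac: str

    @classmethod
    def parse(cls, text):
        prio, inst, mac = text.split(".")
        mac = mac.upper()
        if len(mac) != 12 or any(c not in "0123456789ABCDEF" for c in mac):
            raise ValueError(f"malformed bridge id: {text!r}")
        return cls(int(prio), int(inst), mac)

    def key(self):
        # Numerically lower priority wins; equal priorities are broken by the lower MAC.
        return (self.priority, int(self.mac, 16))


def elect_root(bridge_ids):
    """Return the BridgeId that every bridge in the tree will accept as the root."""
    return min((BridgeId.parse(b) for b in bridge_ids), key=BridgeId.key)


def port_id_key(port_id):
    # "128.4" -> (128, 4): lower port priority wins, then the lower port number.
    prio, num = port_id.split(".")
    return (int(prio), int(num))


def best_bpdu(bpdus):
    """Pick the superior BPDU among those heard on one LAN segment.

    Each entry is (root_id, root_path_cost, sender_bridge_id, sender_port_id);
    the sender of the winner becomes the designated bridge for that segment.
    """
    return min(
        bpdus,
        key=lambda b: (BridgeId.parse(b[0]).key(), b[1],
                       BridgeId.parse(b[2]).key(), port_id_key(b[3])),
    )


if __name__ == "__main__":
    # Constructed sample: two bridges at the default priority 32768 and one that
    # was deliberately lowered to 4096 so that it is pinned as the root.
    candidates = ["32768.0.0000E8AAAA00", "32768.0.0030F1D473A0", "4096.0.00E0FF000001"]
    print("root:", elect_root(candidates))
    # Two BPDUs heard on one segment: the one with root path cost 0 wins.
    segment = [
        ("32768.0.0000E8AAAA00", 10000, "32768.0.0030F1D473A0", "128.1"),
        ("32768.0.0000E8AAAA00", 0, "32768.0.0000E8AAAA00", "128.4"),
    ]
    print("designated:", best_bpdu(segment))
```

The second sample reproduces the situation in the instance 0 display above: the BPDU with Designated cost 0 sent from port 128.4 of the root itself beats any BPDU that carries a non-zero root path cost, so that sender is the designated bridge for the segment.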
• Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Note that when the Path Cost Method is set to short (page 3-63), the maximum path cost is 65,535.
VLAN Configuration
IEEE 802.1Q VLANs
In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks. This also provides a more secure and cleaner network environment. An IEEE 802.
Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing them on to any end-node host that does not support VLAN tagging.
(Figure: tagged frames pass between VLAN-aware (VA) devices; untagged frames are delivered to a VLAN-unaware (VU) host)
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways.
these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.
Enabling or Disabling GVRP (Global Setting)
GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network. GVRP must be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. (Default: Disabled)
Web – Click VLAN, 802.
CLI – Enter the following command.
Command Attributes (CLI)
• VLAN – ID of configured VLAN (1-4093, no leading zeroes).
• Type – Shows how this VLAN was added to the switch.
- Dynamic: Automatically learned via GVRP.
- Static: Added as a static entry.
• Name – Name of the VLAN (1 to 32 characters).
• Status – Shows if this VLAN is enabled or disabled.
- Active: VLAN is operational.
- Suspend: VLAN is suspended; i.e., does not pass packets.
• Ports / Channel groups – Shows the VLAN interface members.
Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.
Figure 3-79 VLAN Static List - Creating VLANs
CLI – This example creates a new VLAN.
Console(config)#vlan database
Console(config-vlan)#vlan 2 name R&D media ethernet state active
Console(config-vlan)#end
Console#show vlan
VLAN ID: Type: Name: Status: Ports/Port Channels:
. . .
Command Attributes
• VLAN – ID of configured VLAN (1-4093).
• Name – Name of the VLAN (1 to 32 characters).
• Status – Enables or disables the specified VLAN.
- Enable: VLAN is operational.
- Disable: VLAN is suspended; i.e., does not pass packets.
• Port – Port identifier.
• Trunk – Trunk identifier.
• Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk:
- Tagged: Interface is a member of the VLAN.
CLI – The following example adds tagged and untagged ports to VLAN 2.
Configuring VLAN Behavior for Interfaces
You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, GVRP status, and GARP timers.
Command Usage
• GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60)
• GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group.
CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
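The PVID and acceptable-frame-type settings above decide what happens to each frame at ingress: an untagged frame is classified into the PVID, a tagged frame into the VID in its tag, and a port set to accept only tagged frames discards untagged (and priority-tagged) frames before any membership check. The following Python is an added illustration of that classification, not code from this guide or the switch. It parses constructed Ethernet frames and applies a constructed port profile (PVID 3, tagged-only, member of VLANs 2 and 3); the ingress-filtering step that drops frames for VLANs the port is not a member of is a common 802.1Q behaviour and is included as an assumption rather than as something this page states for this switch.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def classify_frame(frame, pvid):
    """Classify one ingress frame as (vid, pcp, tagged).

    Untagged frames and priority-tagged frames (tag present, VID 0) are
    assigned the port's PVID, as an 802.1Q bridge does.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return pvid, 0, False
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    pcp = tci >> 13          # 3-bit priority code point
    vid = tci & 0x0FFF       # 12-bit VLAN identifier
    if vid == 0:             # priority-tagged: keep the priority, VLAN comes from PVID
        return pvid, pcp, False
    return vid, pcp, True


def ingress_decision(frame, port):
    """Apply the port's acceptable-frame-type rule and (assumed) ingress filtering.

    port is a dict: {"pvid": int, "accept": "all" | "tagged", "members": set of VIDs}.
    Returns (action, reason, vid, pcp).
    """
    vid, pcp, tagged = classify_frame(frame, port["pvid"])
    if port["accept"] == "tagged" and not tagged:
        return "drop", "untagged frame on a tagged-only port", vid, pcp
    if vid not in port["members"]:
        return "drop", f"port is not a member of VLAN {vid}", vid, pcp
    return "forward", "ok", vid, pcp


def build_frame(dst_mac, src_mac, vid=None, pcp=0, payload=b"\x00" * 46):
    """Constructed test frame: optional 802.1Q tag, then an IPv4 EtherType and payload."""
    header = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", 0x0800) + payload


# Constructed port profile matching the CLI example: PVID 3, tagged frames only.
PORT3 = {"pvid": 3, "accept": "tagged", "members": {2, 3}}

if __name__ == "__main__":
    for f in (build_frame("ffffffffffff", "0000e8aaaa00", vid=2, pcp=3),
              build_frame("ffffffffffff", "0000e8aaaa00"),
              build_frame("ffffffffffff", "0000e8aaaa00", vid=5)):
        print(ingress_decision(f, PORT3))
```

Running the block shows the three outcomes a tagged-only port produces: a tagged frame for a member VLAN is forwarded with its PCP preserved, an untagged frame is dropped before classification matters, and a tagged frame for a non-member VLAN is dropped by the membership check.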
Configuring Uplink and Downlink Ports
Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
Web – Click VLAN, Private VLAN, Link Status. Mark the ports that will serve as uplinks and downlinks for the private VLAN, then click Apply.
Command Usage
To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use (page 3-148). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
2. Create a protocol group for each of the protocols you want to assign to a VLAN using the Protocol VLAN Configuration page.
3.
Mapping Protocols to VLANs
Map a protocol group to a VLAN for each interface that will participate in the group.
Command Usage
• When creating a protocol-based VLAN, only assign interfaces using this configuration screen. If you assign interfaces using any of the other VLAN menus such as the VLAN Static Table (page 3-149) or VLAN Static Membership by Port menu (page 3-151), these interfaces will admit traffic of any protocol type into the associated VLAN.
CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 3.
Console(config)#interface ethernet 1/1
Console(config-if)#protocol-vlan protocol-group 1 vlan 3
Console(config-if)#
Class of Service Configuration
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion.
Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.
Figure 3-87 Default Port Priority
CLI – This example assigns a default priority of 5 to port 3.
Mapping CoS Values to Egress Queues
This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.
Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply.
Figure 3-88 Traffic Classes
CLI – The following example shows how to change the CoS assignments to a one-to-one mapping.
Selecting the Queue Mode
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue.
Web – Click Priority, Queue Scheduling. Select the interface, highlight a traffic class (i.e., output queue), enter a weight, then click Apply.
Figure 3-90 Queue Scheduling
CLI – The following example shows how to assign WRR weights to each of the priority queues.
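The difference between the two queue modes is easiest to see on a backlog: under strict priority a lower queue sends nothing while a higher queue has traffic, so a flood into the top queue starves everything below it, whereas WRR guarantees each queue a share proportional to its weight. The following Python models both schedulers over the switch's eight queues; it is an added illustration, not code from this guide or the switch, and the packet backlog and the weights it uses are constructed (the guide leaves the weight values to the operator).

```python
from collections import deque

NUM_QUEUES = 8   # eight egress queues per port; queue 7 is the highest priority


def strict_priority(queues):
    """Drain queues strictly: a queue is served only when every higher queue is empty."""
    queues = [deque(q) for q in queues]
    order = []
    while any(queues):
        for q in range(NUM_QUEUES - 1, -1, -1):
            if queues[q]:
                order.append(queues[q].popleft())
                break
    return order


def weighted_round_robin(queues, weights):
    """Drain queues by WRR: in each round, queue q may send up to weights[q] packets."""
    if len(weights) != NUM_QUEUES or any(w < 1 for w in weights):
        raise ValueError("one positive weight per queue is required")
    queues = [deque(q) for q in queues]
    order = []
    while any(queues):
        for q in range(NUM_QUEUES - 1, -1, -1):
            for _ in range(weights[q]):
                if not queues[q]:
                    break
                order.append(queues[q].popleft())
    return order


def service_share(weights):
    """Fraction of service time each queue gets when every queue is backlogged."""
    total = sum(weights)
    return [w / total for w in weights]


def make_queues(**backlog):
    """Constructed backlog: make_queues(q7=["a", "b"], q0=["x"]) -> list of 8 packet lists."""
    queues = [[] for _ in range(NUM_QUEUES)]
    for name, packets in backlog.items():
        queues[int(name[1:])] = list(packets)
    return queues


# Constructed weights: queue 7 gets three slots per round, every other queue one.
WEIGHTS = [1, 1, 1, 1, 1, 1, 1, 3]

if __name__ == "__main__":
    sample = make_queues(q7=["h1", "h2", "h3", "h4", "h5", "h6"],
                         q0=["l1", "l2", "l3", "l4", "l5", "l6"])
    print("strict:", strict_priority(sample))
    print("wrr   :", weighted_round_robin(sample, WEIGHTS))
    print("share of queue 7 under WRR:", service_share(WEIGHTS)[7])
```

With the constructed backlog, strict priority emits all six high-priority packets before the first low-priority one, while WRR interleaves one low-priority packet after every three high-priority ones, so queue 0 keeps moving even while queue 7 is busy.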
Layer 3/4 Priority Settings
Mapping Layer 3/4 Priorities to CoS Values
This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP port.
Mapping IP Precedence
The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth).
CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply.
Figure 3-93 IP DSCP Priority
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
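Both mappings read the same ToS octet of the IPv4 header: IP Precedence is its top three bits and DSCP its top six, so a single packet has both values and the global setting decides which table is consulted. The following Python is an added illustration, not code from this guide or the switch: it builds a minimal IPv4 header, extracts both fields, and applies the default one-to-one Precedence-to-CoS table plus the two per-port overrides from the CLI examples above (Precedence 1 to CoS 0, DSCP 0 to CoS 1). The default DSCP-to-CoS table is not reproduced in this section, so the block substitutes a constructed table (CoS taken from the DSCP class-selector bits) that is labelled as an assumption.

```python
import ipaddress
import struct


def build_ipv4_header(tos, src="10.1.0.1", dst="10.1.0.2", protocol=6):
    """Constructed minimal IPv4 header (20 bytes, checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, protocol, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def tos_byte(header):
    """Return the Type of Service octet after checking this is an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1]


def ip_precedence(tos):
    return tos >> 5          # the three most-significant bits of the ToS octet


def dscp(tos):
    return tos >> 2          # the six most-significant bits (DiffServ code point)


# Default one-to-one IP Precedence -> CoS mapping, as the text above states.
DEFAULT_PRECEDENCE_TO_COS = {p: p for p in range(8)}

# Constructed DSCP -> CoS table (class-selector bits only). It stands in for the
# switch's own default table, which this section does not reproduce: an assumption.
ASSUMED_DSCP_TO_COS = {d: d >> 3 for d in range(64)}


def cos_for_packet(header, mode, overrides=None):
    """Return the CoS value assigned to an ingress IPv4 packet.

    mode is "precedence" or "dscp" (the switch enables one mapping globally);
    overrides is a per-port {precedence_or_dscp_value: cos} dict layered on the defaults.
    """
    tos = tos_byte(header)
    if mode == "precedence":
        table = {**DEFAULT_PRECEDENCE_TO_COS, **(overrides or {})}
        return table[ip_precedence(tos)]
    if mode == "dscp":
        table = {**ASSUMED_DSCP_TO_COS, **(overrides or {})}
        return table[dscp(tos)]
    raise ValueError(f"unknown mapping mode {mode!r}")


if __name__ == "__main__":
    pkt = build_ipv4_header(tos=0x20)                        # precedence 1, DSCP 8
    print(cos_for_packet(pkt, "precedence"))                 # default table: 1
    print(cos_for_packet(pkt, "precedence", {1: 0}))         # port 1 override from the example: 0
    print(cos_for_packet(build_ipv4_header(tos=0), "dscp", {0: 1}))   # DSCP 0 -> CoS 1
```

A ToS octet of 0xB8 (DSCP 46, the usual voice marking) illustrates why the two modes can disagree: its precedence is 5, and any per-port override applies only to the field the active mode looks at.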
Mapping IP Port Priority
You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110.
Command Attributes
• IP Port Priority Status – Enables or disables the IP port priority.
• IP Port Priority Table – Shows the IP port to CoS map.
• IP Port Number (TCP/UDP) – Set a new IP port number.
CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic (on port 1) to CoS value 0, and then displays the IP Port Priority settings.
Console(config)#map ip port
Console(config)#interface ethernet 1/1
Console(config-if)#map ip port 80 cos 0
Console(config-if)#end
Console#show map ip port ethernet 1/5
TCP port mapping status: disabled
Port Port no.
Configuring Quality of Service Parameters
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the “Class Map” to designate a class name for a specific category of traffic.
2. Edit the rules for each class to specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
3. Use the “Policy Map” to designate a policy name for a specific manner in which ingress traffic will be handled.
4.
Class Configuration
• Class Name – Name of the class map. (Range: 1-16 characters)
• Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
• Description – A brief description of a class map. (Range: 1-64 characters)
• Add – Adds the specified class.
• Back – Returns to the previous page without making any changes.
Match Class Settings
• Class Name – List of class maps.
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
Figure 3-96 Configuring Class Maps
CLI - This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
Creating QoS Policies
This function creates a policy map that can be attached to multiple interfaces.
Command Usage
• To configure a Policy Map, follow these steps:
- Create a Class Map as described on page 3-170.
- Open the Policy Map page, and click Add Policy.
- When the Policy Configuration page opens, fill in the “Policy Name” field, and click Add.
- When the Policy Rule Settings page opens, select a class name from the scroll-down list (Class Name field).
• Back – Returns to the previous page without making any changes.
Policy Rule Settings - Class Settings
• Class Name – Name of class map.
• Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-170).
• Meter – The maximum throughput and burst rate.
- Rate (kbps) – Rate in kilobits per second.
- Burst (byte) – Burst in bytes.
Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes.
CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
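The meter in a policy map, the rate limit on a port and broadcast storm control are all variations of one mechanism, a token bucket: tokens accrue at the configured rate up to the burst size, each packet spends tokens equal to its size, and a packet that finds too few tokens is the "violating" packet that the policy re-marks (here to DSCP 0) or that storm control drops. The following Python is an added illustration, not code from this guide or the switch: it meters a constructed burst of four 1500-byte packets at 1000 kbps with a 1522-byte bucket, re-marking exceeders instead of dropping them, and reuses the same bucket in packet units for a 600 packets-per-second broadcast threshold. The bucket depth of one second's worth of packets for storm control is a constructed assumption; the guide does not state how the switch sizes it.

```python
class TokenBucket:
    """Single-rate token bucket: tokens accrue at `rate` per second up to `burst`."""

    def __init__(self, rate, burst):
        if rate <= 0 or burst <= 0:
            raise ValueError("rate and burst must be positive")
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)   # starts full so the first burst passes
        self.last = 0.0

    def offer(self, size, now):
        """Return True (conform) and spend tokens, or False (exceed) without spending."""
        if now < self.last:
            raise ValueError("timestamps must not go backwards")
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(packets, rate_kbps, burst_bytes, violate_dscp=0):
    """Meter (t_seconds, size_bytes, dscp) packets; exceeders are re-marked, not dropped.

    The meter counts bytes, so the kbps rate is converted to bytes per second.
    """
    bucket = TokenBucket(rate_kbps * 1000 / 8, burst_bytes)
    result = []
    for t, size, pkt_dscp in packets:
        if bucket.offer(size, t):
            result.append((t, size, pkt_dscp, "conform"))
        else:
            result.append((t, size, violate_dscp, "exceed"))
    return result


def storm_control(arrival_times, pps):
    """Broadcast storm control modelled as a packet-unit bucket.

    Constructed assumption: the bucket holds one second's worth of packets.
    Returns one True/False admit decision per arrival.
    """
    bucket = TokenBucket(pps, pps)
    return [bucket.offer(1, t) for t in arrival_times]


# Constructed sample: four 1500-byte EF-marked packets arriving within 20 ms.
SAMPLE = [(0.0, 1500, 46), (0.0, 1500, 46), (0.01, 1500, 46), (0.02, 1500, 46)]

if __name__ == "__main__":
    for row in police(SAMPLE, rate_kbps=1000, burst_bytes=1522):
        print(row)
    admitted = storm_control([0.0] * 1000, pps=600)
    print(sum(admitted), "of", len(admitted), "broadcast packets admitted")
```

At 1000 kbps the bucket refills by 1250 bytes every 10 ms, so after the first packet empties it the second and third packets exceed and leave with DSCP 0, and only the fourth, arriving 20 ms later, finds a full bucket again; a bucket depth close to one maximum-size frame, as in the example, is what makes the meter this strict.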
Multicast Filtering
Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-183).
Configuring IGMP Snooping and Query Parameters
You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
Notes:
1. All systems on the subnet must support the same version.
2. Some attributes are only enabled for IGMPv2, including IGMP Report Delay and IGMP Query Timeout.
Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.)
Figure 3-99 IGMP Configuration
CLI – This example modifies the settings for multicast filtering, and then displays the current status.
Displaying Interfaces Attached to a Multicast Router
Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
Specifying Static Interfaces for a Multicast Router
Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
Displaying Port Members of Multicast Services
You can display the port members associated with a specified VLAN and multicast service.
Command Attributes
• VLAN ID – Selects the VLAN for which to display port members.
• Multicast IP Address – The IP address for a specific multicast service.
• Multicast Group Port List – Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service.
Assigning Ports to Multicast Services
Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 3-178. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
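The pages above describe three sources for the switch's multicast forwarding state: membership learned from IGMP reports, router ports learned from queries or configured statically, and static group members assigned per VLAN. The following Python model, an added illustration that is not code from this guide or the switch, keeps that state in one table and answers the forwarding question for a multicast data frame: registered groups reach their member ports plus the router ports, static members survive an IGMP leave, and the treatment of an unregistered group (flooded to the whole VLAN here) is a constructed assumption since this section does not state the switch's default. The VLAN, port numbers and group addresses are constructed.

```python
import ipaddress
from collections import defaultdict


class IgmpSnoopingTable:
    """Per-VLAN multicast forwarding state learned from IGMP, plus static entries."""

    def __init__(self, vlan_ports):
        # vlan_ports: {vlan_id: iterable of port numbers} (constructed topology)
        self.vlan_ports = {v: set(p) for v, p in vlan_ports.items()}
        self.members = defaultdict(set)       # (vlan, group) -> member ports
        self.router_ports = defaultdict(set)  # vlan -> ports facing a querier/router
        self.static = set()                   # (vlan, group, port) pinned by configuration

    @staticmethod
    def check_group(group):
        if not ipaddress.IPv4Address(group).is_multicast:
            raise ValueError(f"{group} is not a multicast group address")

    def report(self, vlan, group, port):
        """IGMP membership report seen on `port`: add it to the group's port list."""
        self.check_group(group)
        self.members[(vlan, group)].add(port)

    def leave(self, vlan, group, port):
        """IGMP leave (immediate-leave behaviour); static members are never removed."""
        if (vlan, group, port) not in self.static:
            self.members[(vlan, group)].discard(port)

    def query_seen(self, vlan, port):
        """A general query arrived on `port`: treat it as a dynamically learned router port."""
        self.router_ports[vlan].add(port)

    def add_static_member(self, vlan, group, port):
        """Statically assign a multicast service to a port in the VLAN."""
        self.check_group(group)
        self.static.add((vlan, group, port))
        self.members[(vlan, group)].add(port)

    def add_static_router_port(self, vlan, port):
        self.router_ports[vlan].add(port)

    def egress_ports(self, vlan, group, ingress_port):
        """Ports that receive a multicast data frame for `group` arriving on `ingress_port`.

        Registered groups go to members plus router ports; an unregistered group is
        flooded to the whole VLAN (constructed assumption about the default).
        """
        members = self.members.get((vlan, group), set())
        if members:
            out = members | self.router_ports[vlan]
        else:
            out = set(self.vlan_ports[vlan])
        return out - {ingress_port}


def sample_snooping_table():
    """Constructed sample: VLAN 1 on ports 1-5, querier behind port 5, hosts on 2 and 3."""
    t = IgmpSnoopingTable({1: range(1, 6)})
    t.query_seen(1, 5)
    t.report(1, "224.1.1.1", 2)
    t.report(1, "224.1.1.1", 3)
    t.add_static_member(1, "239.0.0.10", 4)
    return t


if __name__ == "__main__":
    t = sample_snooping_table()
    print(sorted(t.egress_ports(1, "224.1.1.1", ingress_port=5)))   # [2, 3]
    print(sorted(t.egress_ports(1, "224.9.9.9", ingress_port=5)))   # flooded: [1, 2, 3, 4]
```

A report arriving from a host port also explains the second query in the block's main section: traffic for 224.1.1.1 entering on port 2 goes to the other member (port 3) and to the router port (port 5), but never back out the port it came in on.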
Configuring Domain Name Service
The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.
Figure 3-104 DNS General Configuration
CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.
Console(config)#ip domain-name sample.
Configuring Static DNS Host to Address Entries
You can manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Command Usage
• Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
• Servers or other network devices may support one or more connections via multiple IP addresses.
Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.
Figure 3-105 DNS Static Host Table
CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#ip host rd6 10.1.0.55
Console#show hosts
Hostname rd5
Inet address 10.1.0.55 192.168.1.55
Alias 1.
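Two rules from the DNS pages above are easy to get wrong in practice: a configured domain list replaces the default domain name rather than extending it, and a static host entry whose addresses overlap another entry's is reported as an alias (rd6 for rd5 in the CLI example). The following Python is an added illustration of those rules, not code from this guide or the switch; the host names and addresses are constructed, and treating an unqualified name as "try as typed, then with each search suffix in order" is an assumption about the search order.

```python
class StaticDnsTable:
    """Static host table with domain-name completion.

    If a domain list is configured it is searched in order and the default domain
    name is ignored; otherwise only the default domain name is appended.
    """

    def __init__(self, default_domain=None, domain_list=()):
        self.default_domain = default_domain
        self.domain_list = tuple(domain_list)
        self.hosts = {}   # host name (bare or qualified) -> list of addresses

    def add_host(self, name, *addresses):
        if not addresses:
            raise ValueError("a host entry needs at least one address")
        self.hosts[name.lower().rstrip(".")] = list(addresses)

    def search_suffixes(self):
        """Suffixes appended to unqualified names; the domain list shadows the default."""
        if self.domain_list:
            return self.domain_list
        return (self.default_domain,) if self.default_domain else ()

    def candidates(self, name):
        """Names tried, in order: the name as typed, then with each search suffix (assumed order)."""
        name = name.lower().rstrip(".")
        return [name] + [f"{name}.{d}" for d in self.search_suffixes()]

    def lookup(self, name):
        """Return (matched_name, addresses) for the first candidate with a static entry, else None."""
        for cand in self.candidates(name):
            if cand in self.hosts:
                return cand, self.hosts[cand]
        return None

    def aliases(self, name):
        """Other host names that share at least one address with `name` (rd6 for rd5 above)."""
        found = self.lookup(name)
        if found is None:
            return []
        canonical, addrs = found
        return sorted(h for h, a in self.hosts.items()
                      if h != canonical and set(a) & set(addrs))


def sample_dns_table():
    """Constructed example: a domain list that shadows the default domain name."""
    t = StaticDnsTable(default_domain="corp.example.com",
                       domain_list=("eng.example.com", "example.com"))
    t.add_host("rd5", "192.168.1.55", "10.1.0.55")
    t.add_host("rd6", "10.1.0.55")
    t.add_host("www.example.com", "198.51.100.10")
    t.add_host("intranet.corp.example.com", "192.0.2.20")
    return t


if __name__ == "__main__":
    t = sample_dns_table()
    print(t.lookup("www"))         # found through the domain list
    print(t.lookup("intranet"))    # None: the default domain is not searched when a list is set
    print(t.aliases("rd5"))        # ['rd6']
```

The lookup for "intranet" fails only because a domain list is configured; the same table with the domain list removed resolves it through the default domain name, which is the behaviour the note in the CLI example warns about.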
Displaying the DNS Cache
You can display entries in the DNS cache that have been learned via the designated name servers.
Field Attributes
• No – The entry number for each resource record.
• Flag – The flag is always “4” indicating a cache entry and therefore unreliable.
• Type – This field includes CNAME which specifies the canonical or primary name for the owner, and ALIAS which specifies multiple domain names which are mapped to the same IP address as an existing entry.
CLI - This example displays all the resource records learned from the designated name servers.
Console#show dns cache
NO  FLAG  TYPE   IP              TTL    DOMAIN
0   4     CNAME  207.46.134.222  51     www.
1   4     CNAME  207.46.134.190  51
2   4     CNAME  207.46.134.155  51
3   4     CNAME  207.46.249.222  51
4   4     CNAME  207.46.249.27   51
5   4     ALIAS  POINTER TO:4    51
6   4     CNAME  207.46.68.27    71964
7   4     ALIAS  POINTER TO:6    71964
8   4     CNAME  65.54.131.192   605
9   4     ALIAS  POINTER TO:8    605
10  4     CNAME  165.193.72.190  87
Console#
Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Note: You can only access the console interface through the Master unit in the stack. Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
4 Command Line Interface
For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.0) and a host portion (1).
Note: The IP address for this switch is obtained via DHCP by default.
To access the stack through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet. For example,
Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.254 255.255.255.
Entering Commands 4 Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, DHCP, Interface, Line, Router, VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
Understanding Command Modes
The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.
Username: guest
Password: [guest login password]
CLI session with the 24PORT GIGABIT L2 INTELLIGENT SWITCH is opened.
To end the CLI session, enter [Exit].
Console>enable
Password: [privileged level password]
Console#
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted.
To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
Command Groups
The system commands can be broken down into the functional groups shown below.
The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
GC (Global Configuration)
IC (Interface Configuration)
LC (Line Configuration)
MST (Multiple Spanning Tree)
NE (Normal Exec)
PE (Privileged Exec)
PM (Policy Map Configuration)
VC (VLAN Database Configuration)
General Commands
Table 4-5 General Commands
Command / Function / Mode / Page
enable / Activates privileged mode / NE / 4-11
disable
Command Usage
• “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-70.)
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
General Commands 4
Command Mode
Privileged Exec
Example
Console#configure
Console(config)#
Related Commands
end (4-14)
show history
This command shows the contents of the command history buffer.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
reload
This command restarts the system.
Note: When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
This command resets the entire system.
Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
Example
This example shows how to return to the Privileged Exec mode from the Interface Configuration mode:
Console(config-if)#end
Console#
exit
This command returns to the previous configuration mode or exits the configuration program.
Example
This example shows how to quit a CLI session:
Console#quit
Press ENTER to start session
User Access Verification
Username:
System Management Commands
These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
System Management Commands 4
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#hostname RD#1
Console(config)#
switch renumber
This command resets the switch unit identification numbers in the stack.
System Status Commands
This section describes commands used to display system information.
Example
Console#show startup-config
building startup-config, please wait.....
show running-config
This command displays the configuration information currently in use.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes.
Example
Console#show running-config
building running-config, please wait.....
show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
• For a description of the items shown by this command, refer to “Displaying System Information” on page 3-9.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.
Example
Console#show system
System Description: 24PORT GIGABIT L2 INTELLIGENT SWITCH
System OID String: 1.3.6.1.4.1.4537.
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Example
Console#show version
Unit1
Serial Number: 0000E8900000
Hardware Version: R01
EPLD Version: 1.02
Number of Ports: 26
Main Power Status: Up
Redundant Power Status: Not present
Agent (master)
Unit ID: 1
Loader Version: 1.0.0.3
Boot ROM Version: 1.0.0.7
Operation Code Version: 1.0.0.42
Console#
Frame Size Commands
This section describes commands used to configure the Ethernet frame size on the switch.
• The current setting for jumbo frames can be displayed with the show system command (page 4-22).
Example
Console(config)#jumbo frame
Console(config)#
Related Commands
show ipv6 mtu (4-238)
File Management Commands
Managing Firmware
Firmware can be uploaded and downloaded to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation.
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the TFTP server and the quality of the network connection.
• Use the copy file unit command to copy a local file to another switch in the stack. Use the copy unit file command to copy a file from another switch in the stack.
• The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
• For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate” on page 3-66.
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
This example shows how to copy a secure-site certificate from a TFTP server.
Command Mode
Privileged Exec
Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Config.cfg” cannot be deleted.
• A colon (:) is required after the specified unit number.
Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Console#delete test2.cfg
Console#
Related Commands
dir (4-29)
delete public-key (4-87)
dir
This command displays a list of files in flash memory.
• File information is shown below:
Table 4-11 File Directory Information
Column Heading / Description
file name / The name of the file.
file type / File types: Boot-Rom, Operation Code, and Config file.
startup / Shows if this file is used when the system is started.
size / The length of the file in bytes.
boot system
This command specifies the file or image used to start up the system.
Syntax
boot system [unit:] {boot-rom| config | opcode}: filename
The type of file or image to set as a default includes:
• boot-rom* - Boot ROM.
• config* - Configuration file.
• opcode* - Run-time operation code.
• filename - Name of configuration file or code image.
• unit* - Stack unit. (Range: 1-8)
* The colon (:) is required.
Table 4-12 Line Commands (Continued)
Command / Function / Mode / Page
exec-timeout / Sets the interval that the command interpreter waits until user input is detected / LC / 4-35
password-thresh / Sets the password intrusion threshold, which limits the number of failed logon attempts / LC / 4-36
silent-time* / Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command / LC / 4-36
data
Related Commands
show line (4-40)
show users (4-23)
login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.
Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.
password
This command specifies the password for a line. Use the no form to remove the password.
Syntax
password {0 | 7} password
no password
• {0 | 7} - 0 means plain password, 7 means encrypted password
• password - Character string that specifies the line password. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive)
Default Setting
No password is specified.
Default Setting
• CLI: Disabled (0 seconds)
• Telnet: 300 seconds
Command Mode
Line Configuration
Command Usage
• If a login attempt is not detected within the timeout interval, the connection is terminated for the session.
• This command applies to both the local console and Telnet connections.
• The timeout for Telnet cannot be disabled.
• Using the command without specifying a timeout restores the default setting.
Example
To set the timeout to two minutes, enter this command:
Console(config-line)#exec-timeout 120
Console(config-line)#
password-thresh
This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
Syntax
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)
Default Setting
The default value is three attempts.
Default Setting
The default value is no silent-time.
Command Mode
Line Configuration (console only)
Example
To set the silent time to 60 seconds, enter this command:
Console(config-line)#silent-time 60
Console(config-line)#
Related Commands
password-thresh (4-36)
databits
This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.
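The interaction between password-thresh and silent-time is easiest to see as a small state machine. The following Python model is an added example, not code from the switch or this guide: it assumes the failed-attempt counter resets after a successful login and after a lockout, models the console line only (silent-time is console only), and treats a threshold of 0 as "no threshold" as the command description states.

```python
from dataclasses import dataclass


@dataclass
class ConsoleLoginGuard:
    """Model of the console password-thresh / silent-time behaviour (added example).

    threshold   - password-thresh value; 0 means no threshold (never locks)
    silent_time - silent-time value in seconds; 0 means no silent period
    Assumption (not stated by the guide): the failure counter resets on a
    successful login and after a lockout has been triggered.
    """
    threshold: int = 3       # password-thresh default: three attempts
    silent_time: int = 0     # silent-time default: none
    failures: int = 0
    silent_until: float = 0.0

    def attempt(self, password_ok: bool, now: float) -> str:
        """Record one login attempt at time `now` (seconds) and return the outcome:
        'accepted', 'rejected', 'locked' (threshold just reached, console now silent)
        or 'silent' (attempt ignored because the silent period is still running)."""
        if now < self.silent_until:
            return "silent"
        if password_ok:
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.threshold and self.failures >= self.threshold:
            self.failures = 0
            if self.silent_time > 0:
                self.silent_until = now + self.silent_time
                return "locked"
        return "rejected"


if __name__ == "__main__":
    guard = ConsoleLoginGuard(threshold=3, silent_time=60)
    for t, ok in [(0, False), (1, False), (2, False), (30, True), (62, True)]:
        print(t, guard.attempt(ok, t))
```

Walking through the example in `__main__`: three bad passwords reach the threshold at t=2 and start a 60-second silent period, a correct password at t=30 is still ignored, and only the attempt at t=62 is accepted. The important operational point the model makes visible is that silent-time throttles guessing against the console, whereas password-thresh alone (the default, with no silent-time) only rejects and keeps counting.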
parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
Syntax
parity {none | even | odd}
no parity
• none - No parity
• even - Even parity
• odd - Odd parity
Default Setting
No parity
Command Mode
Line Configuration
Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Command Usage
Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. If you select the “auto” option, the switch will automatically detect the baud rate configured on the attached terminal, and adjust the speed accordingly.
Command Usage
Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
Example
Console#disconnect 1
Console#
Related Commands
show ssh (4-90)
show users (4-23)
show line
This command displays the terminal line’s parameters.
Syntax
show line [console | vty]
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).
Event Logging Commands
This section describes commands used to configure event logging on the switch.
logging history
This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
Syntax
logging history {flash | ram} level
no logging history {flash | ram}
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
• level - One of the levels listed below.
logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
Syntax
[no] logging host host_ip_address
host_ip_address - The IP address of a syslog server.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• Use this command more than once to build up a list of host IP addresses.
• The maximum number of host IP addresses allowed is five.
logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Syntax
logging trap [level]
no logging trap
level - One of the syslog severity levels listed in the table on page 4-42. Messages sent include the selected level up through level 0.
Related Commands
show log (4-46)
show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax
show logging {flash | ram | sendmail | trap}
• flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
• ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
The following example displays settings for the trap function.
Console#show logging trap
Syslog logging: Enable
REMOTELOG status: disable
REMOTELOG facility type: local use 7
REMOTELOG level type: Debugging messages
REMOTELOG server IP address: 1.2.3.4
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.
Example
The following example shows the event message stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
Console#
SMTP Alert Commands
These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
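When the switch's event log is collected for monitoring, the show log ram entry format above is what has to be parsed, and the logging trap rule ("the selected level up through level 0") is what decides which of those entries a remote syslog server would ever see. The following Python is an added example, not code from the switch or this guide: it parses entries in the format shown, and filters them the way a logging trap level would. The sample text is constructed; the third entry (index 2, level 3) is invented for the example to show a more severe message, and is not from the guide.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of "show log ram" output, newest entry first. The two
# link-up entries follow the guide's example; the link-down entry is made up
# for this example to exercise severity filtering.
SAMPLE_SHOW_LOG_RAM = """\
[2] 00:05:12 2001-01-01 "Unit 1, Port 3 link-down notification." level: 3, module: 5, function: 1, and event no.: 2
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
"""

# One entry: [index] HH:MM:SS YYYY-MM-DD "message" level: n, module: n, function: n, and event no.: n
# \s+ between fields also tolerates the terminal wrapping an entry across lines.
ENTRY_RE = re.compile(
    r'\[(?P<idx>\d+)\]\s+'
    r'(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<date>\d{4}-\d{2}-\d{2})\s+'
    r'"(?P<msg>[^"]*)"\s+'
    r'level:\s*(?P<level>\d+),\s*module:\s*(?P<module>\d+),\s*'
    r'function:\s*(?P<function>\d+),\s*and event no\.:\s*(?P<event>\d+)'
)


@dataclass
class LogEvent:
    index: int
    time: str
    date: str
    message: str
    level: int      # syslog severity: 0 is most severe, 7 (debugging) least
    module: int
    function: int
    event_no: int


def parse_show_log(text: str) -> List[LogEvent]:
    """Parse every entry of a captured 'show log ram' / 'show log flash' listing."""
    return [
        LogEvent(int(m["idx"]), m["time"], m["date"], m["msg"], int(m["level"]),
                 int(m["module"]), int(m["function"]), int(m["event"]))
        for m in ENTRY_RE.finditer(text)
    ]


def forwarded_by_trap_level(events: List[LogEvent], trap_level: int) -> List[LogEvent]:
    """Apply the 'logging trap <level>' rule: a message is sent when its severity
    number is at or below the configured level (the selected level through level 0)."""
    return [e for e in events if e.level <= trap_level]


def count_by_level(events: List[LogEvent]) -> dict:
    """Histogram of severities, useful as a first sanity check on a collected log."""
    counts: dict = {}
    for e in events:
        counts[e.level] = counts.get(e.level, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_show_log(SAMPLE_SHOW_LOG_RAM)
    print(count_by_level(events))
    for e in forwarded_by_trap_level(events, 3):
        print(e.index, e.date, e.time, e.level, e.message)
```

With logging trap 3 only the constructed level-3 entry would reach the remote server; with logging trap 7 (debugging) all three would. A practitioner choosing a trap level should check it against the levels the events they actually want to see are logged at, since the two link-up notifications shown by the guide are level 6 and would be dropped by any trap level below 6.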
• To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again. If it still fails, the system will repeat the process at a periodic interval. (A trap will be triggered if the switch cannot successfully open a connection.)
Example
Console(config)#logging sendmail host 192.168.1.
Command Mode
Global Configuration
Command Usage
You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
Example
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#
logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
Example
Console(config)#logging sendmail
Console(config)#
show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
----------------------------------------------
192.168.1.19
SMTP minimum severity level: 7
SMTP destination email addresses
----------------------------------------------
ted@this-company.com
SMTP source email address: bill@this-company.
sntp client
This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers command. Use the no form to disable SNTP client requests.
Syntax
[no] sntp client
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The time acquired from time servers is used to record accurate dates and times for log events.
Default Setting
None
Command Mode
Global Configuration
Command Usage
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.
show sntp
This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).
Related Commands
show sntp (4-53)
calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
Syntax
calendar set hour min sec {day month year | month day year}
• hour - Hour in 24-hour format. (Range: 0 - 23)
• min - Minute. (Range: 0 - 59)
• sec - Second. (Range: 0 - 59)
• day - Day of month.
SNMP Commands 4 SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Example
Console(config)#snmp-server
Console(config)#
show snmp
This command can be used to check the status of SNMP communications.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
snmp-server community
This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string.
Syntax
snmp-server community string [ro|rw]
no snmp-server community string
• string - Community string that acts like a password and permits access to the SNMP protocol. (Maximum length: 32 characters, case sensitive; Maximum number of strings: 5)
• ro - Specifies read-only access.
Related Commands
snmp-server location (4-58)
snmp-server location
This command sets the system location string. Use the no form to remove the location string.
Syntax
snmp-server location text
no snmp-server location
text - String that describes the system location.
to using the snmp-server host command. (Maximum length: 32 characters)
• version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
- auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” on page 3-44 for further information about these authentication and encryption options.
• port - Host UDP port to use.
To send an inform to an SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 4-55).
2. Allow the switch to send SNMP traps; i.e., notifications (page 4-60).
3. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.
4. Create a view with the required notification messages (page 4-63).
5. Create a group that includes the required notify view (page 4-64).
6.
SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, both authentication and link-up-down notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled.
• The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications.
• A remote engine ID is required when using SNMPv3 informs. (See snmp-server host on page 4-58.) The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent.
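The "localized using the engine ID" step is the RFC 3414 key derivation, and seeing it computed explains why the remote engine ID is mandatory for informs: the key the switch must use is a function of the authoritative (here, remote) engine's ID, not just of the password. The following Python is an added example, not code from the switch or this guide. It implements the RFC 3414 password-to-key expansion (appendix A.2) and key localization (section 2.6), and assumes that the CLI keyword sha selects SHA-1 as in RFC 3414's HMAC-SHA-96; the password and engine ID used for the check are the RFC 3414 appendix A.3 test vectors, not values from this guide.

```python
import hashlib

# Map the switch CLI keywords (md5 | sha) to hashlib names.
# Assumption: "sha" means SHA-1, the algorithm of RFC 3414's usmHMACSHAAuthProtocol.
ALGOS = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: str, algo: str) -> bytes:
    """RFC 3414 A.2.1 / A.2.2: hash the password repeated out to 1,048,576 bytes.

    The result Ku is engine-independent; it is never sent or stored as such."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    total = 1_048_576
    stream = (pw * (total // len(pw) + 1))[:total]
    return hashlib.new(ALGOS[algo], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).

    For traps the authoritative engine is the switch itself; for informs it is
    the remote host, which is why 'snmp-server user ... remote' needs its engine ID."""
    return hashlib.new(ALGOS[algo], ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algo: str) -> str:
    """Convenience wrapper: password + engine ID (hex string) -> localized key as hex."""
    ku = password_to_key(password, algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()


if __name__ == "__main__":
    # RFC 3414 appendix A.3 test vector: password "maplesyrup",
    # snmpEngineID 00 00 00 00 00 00 00 00 00 00 00 02.
    engine = "000000000000000000000002"
    for algo in ("md5", "sha"):
        print(algo, localized_key_hex("maplesyrup", engine, algo))
    # The same password localized for a different engine gives an unrelated key,
    # which is the point of localization: a key captured from one agent is useless
    # against another even when the same password was configured on both.
    print("other engine", localized_key_hex("maplesyrup", "80001f8880e9bd0f6f4c1ad44f", "sha"))
```

The computed values for the RFC test vector are the ones printed in RFC 3414 appendix A.3 (MD5 localized key 526f5eed9fcce26f8964c2930787d82b, SHA-1 localized key 6695febc9288e36282235fc7151f128497b38f3f), which is a convenient way to confirm an SNMPv3 tool or collector derives keys the same way this switch does. The second engine ID in the demonstration is a constructed value, not one taken from the guide.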
snmp-server view
This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
Syntax
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
• view-name - Name of an SNMP view. (Range: 1-64 characters)
• oid-tree - Object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. (Refer to the examples.)
• included - Defines an included view.
show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: permanent
Row Status: active
View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active
Console#
Table 4-21 show snmp view - display description
Field / Description
View Name / Name of an SNMP view.
Subtree OID / A branch in the MIB tree.
Default Setting
• Default groups: public (read only), private (read/write)
• readview - Every object belonging to the Internet OID space (1.3.6.1).
• writeview - Nothing is defined.
• notifyview - Nothing is defined.
Command Mode
Global Configuration
Command Usage
• A group sets the access policy for the assigned users.
• When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#
Table 4-22 show snmp group - display descri
• ip-address - The Internet address of the remote device.
• v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
• encrypted - Accepts the password as encrypted input.
• auth - Uses SNMPv3 with authentication.
• md5 | sha - Uses MD5 or SHA authentication.
• auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (A minimum of eight characters is required.
show snmp user
This command shows information on SNMP users.
User Authentication Commands 4 User Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.
• access-level level - Specifies the user level. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
• nopassword - No password is required for this user to log in.
• {0 | 7} - 0 means plain password, 7 means encrypted password.
• password password - The authentication password for the user. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive)
Default Setting
• The default access level is Normal Exec.
Default Setting
• The default is level 15.
• The default password is “super”
Command Mode
Global Configuration
Command Usage
• You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command (page 4-11).
• The encrypted password is required for compatibility with legacy password settings (i.e.
Default Setting
Local
Command Mode
Global Configuration
Command Usage
• RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
• RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair.
Command Usage
• RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
• RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair.
radius-server host
This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values.
Syntax
[no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port] [timeout timeout] [retransmit retransmit] [key key]
• index - Allows you to specify up to five servers. These servers are queried in sequence until a server responds or the retransmit period expires.
Command Mode
Global Configuration
Example
Console(config)#radius-server port 181
Console(config)#
radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.
Syntax
radius-server key key_string
no radius-server key
key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
Syntax
radius-server timeout number_of_seconds
no radius-server timeout
number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Command Mode
Global Configuration
Example
Console(config)#tacacs-server port 181
Console(config)#
tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.
Syntax
tacacs-server key key_string
no tacacs-server key
key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string.
Web Server Commands
This section describes commands used to configure web browser management access to the switch.
Example
Console(config)#ip http server
Console(config)#
Related Commands
ip http port (4-79)
ip http secure-server
This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
User Authentication Commands 4 Example Console(config)#ip http secure-server Console(config)# Related Commands ip http secure-port (4-81) copy tftp https-certificate (4-26) ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number – The UDP port used for HTTPS.
ip telnet server
This command allows this device to be monitored or configured from Telnet. It also specifies the TCP port number used by the Telnet interface. Use the no form without the “port” keyword to disable this function. Use the no form with the “port” keyword to use the default port.
Syntax
ip telnet server [port port-number]
no telnet server [port]
• port - The TCP port number used by the Telnet interface.
• port-number - The TCP port to be used by the browser interface.
Table 4-33 Secure Shell Commands (Continued)
Command               Function                                                            Mode  Page
ip ssh save host-key  Saves the host key from RAM to flash memory                         PE
disconnect            Terminates a line connection                                        PE    4-39
show ip ssh           Displays the status of the SSH server and the configured values     PE    4-89
                      for authentication timeout and retries
show ssh              Displays the status of current SSH sessions                         PE    4-90
show public-key       Shows the public key for the specified user or for the host         PE    4-91

69631781366277414168985132049117204830339254324101637997592371449011938
00609025394840848271781943722884025331159521348610229029789827213532671
31629432532818915045306393916643 steve@192.168.1.19
4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.
5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
6.
Note: The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.

ip ssh server
This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.
Syntax
[no] ip ssh server
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The SSH server supports up to four client sessions.

Command Mode
Global Configuration
Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.

ip ssh server-key size
This command sets the SSH server key size. Use the no form to restore the default setting.
Syntax
ip ssh server-key size key-size
no ip ssh server-key size
key-size – The size of the server key. (Range: 512-896 bits)
Default Setting
768 bits
Command Mode
Global Configuration
Command Usage
• The server key is a private key that is never shared outside the switch.
• The host key is shared with the SSH client, and is fixed at 1024 bits.

ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Syntax
ip ssh crypto host-key generate [dsa | rsa]
• dsa – DSA (Version 2) key type.
• rsa – RSA (Version 1) key type.
Default Setting
Generates both the DSA and RSA key pairs.
Command Mode
Privileged Exec
Command Usage
• The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
• This command stores the host key pair in memory (i.e., RAM).
Command Usage
• This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
• The SSH server must be disabled before you can execute this command.
Example
Console#ip ssh crypto zeroize dsa
Console#
Related Commands
ip ssh crypto host-key generate (4-88)
ip ssh save host-key (4-89)
no ip ssh server (4-85)

ip ssh save host-key
This command saves the host key from RAM to flash memory.

Example
Console#show ip ssh
SSH Enabled - version 2.0
Negotiation timeout: 120 secs; Authentication retries: 3
Server key size: 768 bits
Console#

show ssh
This command displays the current SSH server connections.
Command Mode
Privileged Exec
Example
Console#show ssh
Connection Version State
0 2.

show public-key
This command shows the public key for the specified user or for the host.
Syntax
show public-key [user [username] | host]
username – Name of an SSH user. (Range: 1-8 characters)
Default Setting
Shows all public keys.
Command Mode
Privileged Exec
Command Usage
• If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
Port Security Commands
These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.

Command Usage
• If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
• First use the port security max-mac-count command to set the number of addresses, and then use the port security command to enable security on the port.

Table 4-36 802.
dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.

dot1x operation-mode
This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
Syntax
dot1x operation-mode {single-host | multi-host [max-count count]}
no dot1x operation-mode [multi-host max-count]
• single-host – Allows only a single host to connect to this port.
Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
Example
Console#dot1x re-authenticate
Console#

dot1x re-authentication
This command enables periodic re-authentication for a specified port.

Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout quiet-period 350
Console(config-if)#

dot1x timeout re-authperiod
This command sets the time period after which a connected client must be re-authenticated.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds.
show dot1x
This command shows general port authentication related settings on the switch or a specific interface.
Syntax
show dot1x [statistics] [interface interface]
• statistics - Displays dot1x status for each port.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1-8)
    - port - Port number. (Range: 1-26/50)
Command Mode
Privileged Exec
Command Usage
This command displays the following information:
• Global 802.1X Parameters – Shows whether or not 802.

- Max Count – The maximum number of hosts allowed to access this port (page 4-96).
- Port-control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 4-95).
- Supplicant – MAC address of authorized client.
- Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.

Example
Console#show dot1x
Global 802.1X Parameters
 system-auth-control: enable

802.1X Port Summary
Port Name  Status    Operation Mode  Mode             Authorized
1/1        disabled  Single-Host     ForceAuthorized  n/a
1/2        disabled  Single-Host     ForceAuthorized  n/a
. . .
1/25       disabled  Single-Host     ForceAuthorized  yes
1/26       enabled   Single-Host     Auto             yes

802.1X Port Details
802.1X is enabled on port 1/1
. . .
802.
IP Filter Commands
This section describes commands used to configure IP management access to the switch.
Table 4-37 IP Filter Commands
Command          Function                                                          Mode  Page
management       Configures IP addresses that are allowed management access        GC    4-102
show management  Displays the switch to be monitored or configured from a browser  PE    4-103

management
This command specifies the client IP addresses that are allowed management access to the switch through various protocols.

Example
This example restricts management access to the indicated addresses.
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
Console#

show management
This command displays the client IP addresses that are allowed management access to the switch through various protocols.
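The decision the management filter makes, as an added Python example that is not the switch's own code: it parses lines in the manual's management syntax (a single address, or an inclusive start/end range as in the example above) and reports whether a client may open a management session. The page only shows the all-client keyword; the per-protocol "<protocol>-client" forms and the "no entries means unrestricted" default are assumptions of this model, and the sample lines and session attempts are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the manual's example: one single address, one inclusive range.
MANAGEMENT_LINES = [
    "management all-client 192.168.1.19",
    "management all-client 192.168.1.25 192.168.1.30",
]

Entry = Tuple[str, str, Optional[str]]   # (mode, start address, end address or None)


def parse_management_lines(lines: List[str]) -> List[Entry]:
    """Parse 'management <mode> <start> [<end>]' lines into (mode, start, end) tuples."""
    entries: List[Entry] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "management":
            raise ValueError(f"not a management line: {line!r}")
        mode, start = parts[1], parts[2]
        end = parts[3] if len(parts) > 3 else None
        entries.append((mode, start, end))
    return entries


def client_allowed(entries: List[Entry], client_ip: str, protocol: str = "all") -> bool:
    """True if client_ip may open a management session over `protocol`.

    Assumptions (the manual shows only all-client): an entry applies when its mode is
    'all-client' or '<protocol>-client', and an empty list means access is unrestricted.
    """
    if not entries:
        return True
    ip = ipaddress.IPv4Address(client_ip)
    for mode, start, end in entries:
        if mode not in ("all-client", f"{protocol}-client"):
            continue
        lo = ipaddress.IPv4Address(start)
        hi = ipaddress.IPv4Address(end) if end else lo   # single address: range of one
        if lo <= ip <= hi:
            return True
    return False


def rejected_attempts(entries: List[Entry], attempts: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Given (client_ip, protocol) pairs, return those the filter would refuse."""
    return [(ip, proto) for ip, proto in attempts if not client_allowed(entries, ip, proto)]


MANAGEMENT_ENTRIES = parse_management_lines(MANAGEMENT_LINES)

if __name__ == "__main__":
    attempts = [("192.168.1.19", "telnet"), ("192.168.1.27", "http"), ("192.168.1.31", "snmp")]
    print(rejected_attempts(MANAGEMENT_ENTRIES, attempts))
```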
Access Control List Commands
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, next header type, or flow label), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.

Access Control List Commands 4
access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl_name
• standard – Specifies an ACL that filters packets based on the source IP address.
• extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
• acl_name – Name of the ACL.

Default Setting
None
Command Mode
Standard IPv4 ACL
Command Usage
• New rules are appended to the end of the list.
• Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.”
• host – Keyword followed by a specific IP address.
• precedence – IP precedence level. (Range: 0-7)
• tos – Type of Service level. (Range: 0-15)
• dscp – DSCP priority level. (Range: 0-63)
• sport – Protocol²¹ source port number. (Range: 0-65535)
• dport – Protocol²¹ destination port number. (Range: 0-65535)
• port-bitmask – Decimal number representing the port bits to match.

Example
This example accepts any incoming packet whose source address is within subnet 10.7.1.x: the rule matches when the masked rule address (10.7.1.0 & 255.255.255.0) equals the masked packet address (10.7.1.2 & 255.255.255.0), and the packet then passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#
This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP).

ip access-group
This command binds a port to an IPv4 ACL. Use the no form to remove the port.
Syntax
[no] ip access-group acl_name in
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.
IPv6 ACLs
The commands in this section configure ACLs based on IPv6 addresses, next header type, and flow label.

Example
Console(config)#access-list ipv6 standard david
Console(config-std-ipv6-acl)#
Related Commands
permit, deny (4-111)
ipv6 access-group (4-114)
show ipv6 access-list (4-113)

permit, deny (Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.

permit, deny (Extended IPv6 ACL)
This command adds a rule to an Extended IPv6 ACL. The rule sets a filter condition for packets with specific destination IP addresses, next header type, or flow label. Use the no form to remove a rule.
Syntax
[no] {permit | deny} {any | destination-ipv6-address[/prefix-length]} [next-header next-header] [dscp dscp] [flow-label flow-label]
• any – Keyword indicating any IPv6 destination address (an abbreviation for the IPv6 prefix ::/0).

e.g., in a hop-by-hop option. A flow is uniquely identified by the combination of a source address and a non-zero flow label. Packets that do not belong to a flow carry a flow label of zero.
• Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.
Example
Console#show ipv6 access-list standard
IPv6 standard access-list david:
 permit host 2009:DB9:2229::79
 permit 2009:DB9:2229:5::/64
Console#
Related Commands
permit, deny (4-111)
ipv6 access-group (4-114)

ipv6 access-group
This command binds a port to an IPv6 ACL. Use the no form to remove the port.
Syntax
[no] ipv6 access-group acl_name in
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.

Example
Console#show ip access-group
Interface ethernet 1/2
 IPv6 standard access-list david in
Console#
Related Commands
ipv6 access-group (4-114)

MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.

Example
Console(config)#access-list mac jerry
Console(config-mac-acl)#
Related Commands
permit, deny (4-116)
mac access-group (4-118)
show mac access-list (4-117)

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
• address-bitmask²² – Bitmask for MAC address (in hexadecimal format).
• vid – VLAN ID. (Range: 1-4093)
• vid-bitmask²² – VLAN bitmask. (Range: 1-4093)
• protocol – A specific Ethernet protocol number. (Range: 600-fff hex.)
• protocol-bitmask²² – Protocol bitmask. (Range: 600-fff hex.)
Default Setting
None
Command Mode
MAC ACL
Command Usage
• New rules are added to the end of the list.
• The ethertype option can only be used to filter Ethernet II formatted packets.

Related Commands
permit, deny (4-116)
mac access-group (4-118)

mac access-group
This command binds a port to a MAC ACL. Use the no form to remove the port.
Syntax
mac access-group acl_name in
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.
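How the three ACL families described above match differently, as an added Python example that is not code from the manual or the switch: IPv4 rules compare address/bitmask pairs with the "1 = match, 0 = ignore" semantics the IPv4 section gives, IPv6 rules use a prefix length (a bare address is the host form), and MAC rules use hexadecimal address, VID and ethertype bitmasks. First-match evaluation and the implicit deny after the last rule are assumptions of this model (the manual only says new rules are appended to the end of the list); the rule sets and packets are constructed from the examples on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def masked_match(value: int, rule_value: int, bitmask: int) -> bool:
    """Bitmask semantics from the manual: a 1 bit must match, a 0 bit is ignored.
    For the text's case, (10.7.1.2 & 255.255.255.0) == (10.7.1.0 & 255.255.255.0)."""
    return (value & bitmask) == (rule_value & bitmask)


def ip4(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def mac_int(mac: str) -> int:
    """Accepts the switch's 00-30-F1-D4-73-A5 form or the colon-separated form."""
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass
class Ipv4Rule:
    """permit | deny {any | host addr | addr bitmask} [destination ...] [protocol] [dport]."""
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"        # 'any' = 0.0.0.0 0.0.0.0; 'host' = mask 255.255.255.255
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: Optional[int] = None   # IP protocol number (6 = TCP); None = any (model assumption)
    dport: Optional[int] = None      # Layer 4 destination port; None = any

    def matches(self, pkt: dict) -> bool:
        return (pkt.get("family") == "ipv4"
                and masked_match(ip4(pkt["src"]), ip4(self.src), ip4(self.src_mask))
                and masked_match(ip4(pkt["dst"]), ip4(self.dst), ip4(self.dst_mask))
                and (self.protocol is None or pkt.get("protocol") == self.protocol)
                and (self.dport is None or pkt.get("dport") == self.dport))


@dataclass
class Ipv6Rule:
    """permit | deny {any | ipv6-address[/prefix-length]}: a prefix match, not a bitmask.
    'any' abbreviates ::/0, as the manual says; a bare address is a /128 (the host form)."""
    action: str
    prefix: str = "::/0"
    field: str = "src"               # standard ACLs filter on source, extended ones on destination

    def matches(self, pkt: dict) -> bool:
        if pkt.get("family") != "ipv6":
            return False
        network = ipaddress.IPv6Network(self.prefix, strict=False)
        return ipaddress.IPv6Address(pkt[self.field]) in network


@dataclass
class MacRule:
    """permit | deny {any | host addr | addr bitmask} [vid vid vid-bitmask]
    [ethertype protocol protocol-bitmask], with hexadecimal masks as in the manual."""
    action: str
    src: str = "00-00-00-00-00-00"
    src_mask: str = "00-00-00-00-00-00"   # all-zero mask = 'any'; FF-FF-FF-FF-FF-FF = 'host'
    vid: Optional[int] = None
    vid_mask: int = 0xFFF
    ethertype: Optional[int] = None
    ethertype_mask: int = 0xFFF           # the manual gives the mask range as 600-fff hex

    def matches(self, pkt: dict) -> bool:
        src = pkt.get("src_mac", "00-00-00-00-00-00")
        return (masked_match(mac_int(src), mac_int(self.src), mac_int(self.src_mask))
                and (self.vid is None or masked_match(pkt.get("vid", 0), self.vid, self.vid_mask))
                and (self.ethertype is None
                     or masked_match(pkt.get("ethertype", 0), self.ethertype, self.ethertype_mask)))


def evaluate(rules, pkt: dict) -> str:
    """Walk the list in order; the first matching rule decides, and a packet matching
    no rule is dropped. Both points are assumptions of this model."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed rule sets modelled on the examples on this page.
IPV4_ACL = [
    Ipv4Rule("permit", "10.7.1.1", "255.255.255.0"),                            # permit 10.7.1.1 255.255.255.0 any
    Ipv4Rule("permit", "192.168.1.0", "255.255.255.0", protocol=6, dport=80),   # class C source, TCP port 80
]
IPV6_ACL = [Ipv6Rule("permit", "2009:DB9:2229::79"), Ipv6Rule("permit", "2009:DB9:2229:5::/64")]
MAC_ACL = [MacRule("permit", "00-30-F1-00-00-00", "FF-FF-FF-00-00-00", ethertype=0x0800)]
```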
ACL Information
This section describes commands used to display ACL information.
Table 4-42 ACL Information Commands
Command            Function                                    Mode  Page
show access-list   Show all IPv4 ACLs and associated rules     PE    4-119
show access-group  Shows the IPv4 ACLs assigned to each port   PE    4-119

show access-list
This command shows all IPv4 ACLs and associated rules.
Command Mode
Privileged Exec
Example
Console#show access-list
IP standard access-list david:
 permit host 10.1.1.

Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.

Interface Commands 4
Command Mode
Global Configuration
Example
To specify port 4, enter the following command:
Console(config)#interface ethernet 1/4
Console(config-if)#

description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface.

Default Setting
• Auto-negotiation is enabled by default.
• If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
Example
The following example configures port 11 to use autonegotiation.
Console(config)#interface ethernet 1/11
Console(config-if)#negotiation
Console(config-if)#
Related Commands
capabilities (4-123)
speed-duplex (4-121)

capabilities
This command advertises the port capabilities of a given interface during autonegotiation.

Example
The following example configures Ethernet port 5 capabilities to 100half and 100full.
Console(config)#interface ethernet 1/5
Console(config-if)#capabilities 100half
Console(config-if)#capabilities 100full
Console(config-if)#
Related Commands
negotiation (4-122)
speed-duplex (4-121)
flowcontrol (4-124)

flowcontrol
This command enables flow control. Use the no form to disable flow control.

Related Commands
negotiation (4-122)
capabilities (flowcontrol, symmetric) (4-123)

media-type
This command forces the port type selected for combination ports 21-24/45-48. Use the no form to restore the default mode.
Syntax
media-type mode
no media-type
• mode
  - copper-forced - Always uses the built-in RJ-45 port.
  - sfp-forced - Always uses the SFP port (even if module not installed).
Example
The following example disables port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#shutdown
Console(config-if)#

switchport broadcast packet-rate
This command configures broadcast storm control. Use the no form to disable broadcast storm control.
Syntax
switchport broadcast packet-rate rate
no switchport broadcast
rate - Threshold level as a rate; i.e., packets per second.

Default Setting
None
Command Mode
Privileged Exec
Command Usage
Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
Example
The following example clears statistics on port 5.
Example
Console#show interfaces status ethernet 1/5
Information of Eth 1/5
 Basic information:
  Port type: 1000T
  Mac address: 00-30-F1-D4-73-A5
 Configuration:
  Name:
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 10half, 10full, 100half, 100full, 1000full
  Broadcast storm: Enabled
  Broadcast storm limit: 500 packets/second
  Flow control: Disabled
  LACP: Disabled
  Port security: Disabled
  Max MAC count: 0
  Port security action: None
  Media type: None
 Current status:
  Link status: Up
  Port oper

Example
Console#show interfaces counters ethernet 1/7
Ethernet 1/7
 Iftable stats:
  Octets input: 30658, Octets output: 196550
  Unicast input: 6, Unicast output: 5
  Discard input: 0, Discard output: 0
  Error input: 0, Error output: 0
  Unknown protos input: 0, QLen output: 0
 Extended iftable stats:
  Multi-cast input: 0, Multi-cast output: 3064
  Broadcast input: 262, Broadcast output: 1
 Ether-like stats:
  Alignment errors: 0, FCS errors: 0
  Single Collision frames: 0, Multiple collision frames: 0

Example
This example shows the configuration setting for port 4.
Link Aggregation Commands 4
Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.

Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria:
• Ports must have the same LACP system priority.
• Ports must have the same port admin key (Ethernet Interface).
• If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.

lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Syntax
[no] lacp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
• The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
• A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
 Current status:
  Created by: Lacp
  Link status: Up
  Operation speed-duplex: 1000full
  Flow control type: None
  Member Ports: Eth1/10, Eth1/11, Eth1/12,
Console#

lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.

lacp admin-key (Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} admin-key key
[no] lacp {actor | partner} admin-key
• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.
• key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG).

Default Setting
0
Command Mode
Interface Configuration (Port Channel)
Command Usage
• Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
• If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor port-priority 128

show lacp
This command displays LACP information.
Syntax
show lacp [port-channel] {counters | internal | neighbors | sys-id}
• port-channel - Local identifier for a link aggregation group. (Range: 1-32)
• counters - Statistics for LACP protocol messages.
• internal - Configuration settings and operational state for local side.

Console#show lacp 1 internal
Port channel: 1
------------------------------------------------------------------------
Oper Key: 3
Admin Key: 0
Eth 1/ 2
------------------------------------------------------------------------
LACPDUs Internal: 30 sec
LACP System Priority: 32768
LACP Port Priority: 32768
Admin Key: 3
Oper Key: 3
Admin State: defaulted, aggregation, long timeout, LACP-activity
Oper State: distributing, collecting, synchronization, aggregation, long timeout, LACP-activi

Console#show lacp 1 neighbors
Port channel 1 neighbors
------------------------------------------------------------------------
Eth 1/1
------------------------------------------------------------------------
Partner Admin System ID: 32768, 00-00-00-00-00-00
Partner Oper System ID: 32768, 00-01-F4-78-AE-C0
Partner Admin Port Number: 2
Partner Oper Port Number: 2
Port Admin Priority: 32768
Port Oper Priority: 32768
Admin Key: 0
Oper Key: 3
Admin State: defaulted, distributing, col

Console#show lacp sysid
Port Channel  System Priority  System MAC Address
------------------------------------------------------------------------
 1            32768            00-30-F1-8F-2C-A7
 2            32768            00-30-F1-8F-2C-A7
 3            32768            00-30-F1-8F-2C-A7
 4            32768            00-30-F1-8F-2C-A7
 5            32768            00-30-F1-8F-2C-A7
 6            32768            00-30-F1-8F-2C-A7
 7            32768            00-30-F1-D4-73-A0
 8            32768            00-30-F1-D4-73-A0
 9            32768            00-30-F1-D4-73-A0
10            32768            00-30-F1-D4-73-A0
11            32768            00-30-F1-D4-73-A0
12            32768            00-30-F1-D4-73-A0
. . .
Mirror Port Commands 4
Mirror Port Commands
This section describes how to mirror traffic from a source port to a target port.
Table 4-50 Mirror Port Commands
Command            Function                                    Mode  Page
port monitor       Configures a mirror session                 IC    4-141
show port monitor  Shows the configuration for a mirror port   PE    4-142

port monitor
This command configures a mirror session. Use the no form to clear a mirror session.

Example
The following example configures the switch to mirror all packets from port 6 to 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 both
Console(config-if)#

show port monitor
This command displays mirror information.
Syntax
show port monitor [interface]
interface - ethernet unit/port (source port)
• unit - Stack unit. (Range: 1-8)
• port - Port number. (Range: 1-26)
Default Setting
Shows all sessions.

Rate Limit Commands 4
Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.

Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Address Table Commands 4
Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics:
• Static addresses will not be removed from the address table when a given interface link is down.
• Static addresses are bound to the assigned interface and will not be moved.

show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
• mac-address - MAC address.
• mask - Bits to match in the address.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1-8)
    - port - Port number.

mac-address-table aging-time
This command sets the aging time for entries in the address table. Use the no form to restore the default aging time.
Syntax
mac-address-table aging-time seconds
no mac-address-table aging-time
seconds - Aging time. (Range: 10-1000000 seconds; 0 to disable aging)
Default Setting
300 seconds
Command Mode
Global Configuration
Command Usage
The aging time is used to age out dynamically learned forwarding information.
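The address-table rules from the Port Security Commands section and from the static-address and aging-time descriptions above (learning stops once a secured port holds max-mac-count addresses and only sources already in the table for that port are accepted; static entries are bound to their interface, are never moved and survive link-down; dynamic entries age out after aging-time, with 0 disabling aging), modelled as an added Python example that is not the switch's own code. It is simplified to a single VLAN, which is an assumption, and the traffic it processes is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Entry:
    port: str
    static: bool
    last_seen: float   # seconds; unused for static entries


class MacAddressTable:
    """Bridge forwarding database with the manual's port-security and aging rules
    (single VLAN only, by assumption)."""

    def __init__(self, aging_time: int = 300):
        self.aging_time = aging_time        # manual default 300 s; 0 disables aging
        self.entries: Dict[str, Entry] = {}
        self.max_mac: Dict[str, int] = {}   # port -> max-mac-count; presence means port security is on

    def add_static(self, mac: str, port: str) -> None:
        """Static addresses are bound to their interface and are never aged or moved."""
        self.entries[mac.upper()] = Entry(port, True, 0.0)

    def enable_port_security(self, port: str, max_count: int) -> None:
        self.max_mac[port] = max_count

    def count_on_port(self, port: str) -> int:
        return sum(1 for e in self.entries.values() if e.port == port)

    def age_out(self, now: float) -> List[str]:
        """Drop dynamic entries idle longer than aging_time; return the addresses removed."""
        if self.aging_time == 0:
            return []
        expired = [m for m, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for m in expired:
            del self.entries[m]
        return expired

    def link_down(self, port: str) -> None:
        """Dynamic entries on a failed link are flushed; static ones stay, as the manual says."""
        for m in [m for m, e in self.entries.items() if e.port == port and not e.static]:
            del self.entries[m]

    def receive(self, mac: str, port: str, now: float) -> bool:
        """Process a frame's source address arriving on `port`. Returns True if the frame is
        accepted (address already known on this port, or learned now), False if dropped."""
        mac = mac.upper()
        self.age_out(now)
        entry = self.entries.get(mac)
        if entry is not None and entry.port == port:
            if not entry.static:
                entry.last_seen = now           # refresh the aging timer
            return True
        if entry is not None and entry.static:
            return False                        # static address seen on another port: never moved
        if port in self.max_mac and self.count_on_port(port) >= self.max_mac[port]:
            return False                        # secured port is full: unknown source is dropped
        self.entries[mac] = Entry(port, False, now)   # learn (or re-learn on a new port)
        return True


def run_scenario() -> List[bool]:
    """Constructed traffic on a secured port: two hosts fill the port, a third is refused
    until the first two age out, and a static address bound elsewhere is refused outright.
    Returns the accept/drop decision for each frame in order."""
    table = MacAddressTable(aging_time=300)
    table.enable_port_security("eth1/5", 2)
    table.add_static("00-30-F1-D4-73-A5", "eth1/1")
    frames = [  # (source MAC, ingress port, time in seconds); all constructed
        ("00-E0-4C-11-11-11", "eth1/5", 0),
        ("00-E0-4C-22-22-22", "eth1/5", 1),
        ("00-E0-4C-33-33-33", "eth1/5", 2),     # third source on a port limited to two: dropped
        ("00-30-F1-D4-73-A5", "eth1/5", 3),     # static address bound to eth1/1: dropped
        ("00-E0-4C-33-33-33", "eth1/5", 400),   # the first two have aged out: learned now
    ]
    return [table.receive(m, p, t) for m, p, t in frames]


if __name__ == "__main__":
    print(run_scenario())
```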
Spanning Tree Commands
This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.

4 Spanning Tree Commands
spanning-tree
This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.
Syntax
[no] spanning-tree
Default Setting
Spanning tree is enabled.
Command Mode
Global Configuration
Command Usage
The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.

members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.
• Rapid Spanning Tree Protocol
RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
- STP Mode – If the switch receives an 802.

Command Usage
This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state; otherwise, temporary data loops might result.
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)].
The maximum value is the lower of 40 or [2 x (forward-time - 1)].

Default Setting
32768
Command Mode
Global Configuration
Command Usage
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., the lowest numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
spanning-tree transmission-limit
This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default.
Syntax
spanning-tree transmission-limit count
no spanning-tree transmission-limit
count - The transmission limit in seconds. (Range: 1-10)
Default Setting
3
Command Mode
Global Configuration
Command Usage
This command limits the maximum transmission rate for BPDUs.

mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
Syntax
[no] mst instance_id vlan vlan-range
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094)
• vlan-range - Range of VLANs. (Range: 1-4093)
Default Setting
none
Command Mode
MST Configuration
Command Usage
• Use this command to group VLANs into spanning tree instances.

Default Setting
32768
Command Mode
MST Configuration
Command Usage
• MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
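Root selection and the max-age bounds stated above, as an added Python example that is not the manual's code. The bridge identifier is the priority followed by the MAC address, so a plain numeric comparison yields the rule the manual gives for both the STA root and the MSTI root: highest priority (lowest value) first, lowest MAC address as the tie-breaker. The max-age check applies the two bounds from the spanning-tree max-age entry. The MAC addresses are taken from the show lacp sysid output on this page; the bridge names, priorities other than the 32768 default, and the timer values are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def mac_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # 32768 is the manual's default
    mac: str

    def bridge_id(self) -> int:
        """802.1D bridge identifier: priority in the high 16 bits, MAC in the low 48.
        A numerically lower identifier wins, which is exactly the manual's rule."""
        return (self.priority << 48) | mac_int(self.mac)


def elect_root(bridges: Iterable[Bridge]) -> Bridge:
    """Return the bridge that becomes the STA (or, per instance, the MSTI) root."""
    return min(bridges, key=Bridge.bridge_id)


def max_age_bounds(hello_time: int, forward_time: int) -> Tuple[int, int]:
    """Allowed max-age range from the manual: the minimum is the higher of 6 or
    2 x (hello-time + 1); the maximum is the lower of 40 or 2 x (forward-time - 1)."""
    return max(6, 2 * (hello_time + 1)), min(40, 2 * (forward_time - 1))


def validate_timers(hello_time: int, forward_time: int, max_age: int) -> List[str]:
    """Return the problems found (empty when the three timers are mutually consistent)."""
    problems: List[str] = []
    lo, hi = max_age_bounds(hello_time, forward_time)
    if not 6 <= max_age <= 40:
        problems.append(f"max-age {max_age} outside the 6-40 range")
    if max_age < lo:
        problems.append(f"max-age {max_age} below minimum {lo} for hello-time {hello_time}")
    if max_age > hi:
        problems.append(f"max-age {max_age} above maximum {hi} for forward-time {forward_time}")
    return problems


# Constructed candidates: same default priority, MACs from the page's show lacp sysid output.
CANDIDATES = [
    Bridge("unit-A", 32768, "00-30-F1-D4-73-A0"),
    Bridge("unit-B", 32768, "00-30-F1-8F-2C-A7"),
]

if __name__ == "__main__":
    print(elect_root(CANDIDATES).name)
    print(validate_timers(2, 15, 20), validate_timers(2, 15, 30))
```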
Spanning Tree Commands 4 revision This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number number - Revision number of the spanning tree. (Range: 0-65535) Default Setting 0 Command Mode MST Configuration Command Usage The MST region name (page 4-156) and revision number are used to designate a unique MST region. A bridge (i.e.
specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped.

Example
Console(config-mstp)#max-hops 30
Console(config-mstp)#

spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
• Fast Ethernet - half duplex: 200,000; full duplex: 100,000; trunk: 50,000
• Gigabit Ethernet - full duplex: 10,000; trunk: 5,000
• 10 Gigabit Ethernet - full duplex: 1000; trunk: 500

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• This command is used by the Spanning Tree Algorithm to determine the best path between devices.
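The root election rules given under spanning-tree priority and mst priority (lowest numeric priority wins, ties broken by the lowest MAC address) and the default path costs listed above determine which bridge becomes root and which port each non-root bridge uses to reach it. The following Python is an added example written for this guide, not the switch's own code; the bridge IDs, MAC addresses and per-port designated costs are constructed, and the five-field port record used by select_root_port is a hypothetical layout chosen for the example.

```python
"""Root bridge election and root-port selection, as an added example of the rules
quoted in the spanning-tree priority, mst priority and spanning-tree cost entries.
Bridge IDs, MAC addresses and port costs below are constructed for illustration."""
from dataclasses import dataclass

# Default path costs listed under spanning-tree cost: (speed, link mode) -> cost.
DEFAULT_PATH_COST = {
    ("fast", "half"): 200_000, ("fast", "full"): 100_000, ("fast", "trunk"): 50_000,
    ("gigabit", "full"): 10_000, ("gigabit", "trunk"): 5_000,
    ("10gigabit", "full"): 1_000, ("10gigabit", "trunk"): 500,
}


@dataclass(frozen=True)
class BridgeId:
    priority: int  # bridge priority, default 32768
    mac: str       # e.g. "00-00-AB-CD-00-00"

    def sort_key(self):
        # Lower numeric priority wins; equal priorities fall back to the lowest MAC,
        # compared as a 48-bit number so the comparison matches the on-wire order.
        return (self.priority, int(self.mac.replace("-", "").replace(":", ""), 16))


def elect_root(bridges):
    """Return the bridge that becomes the STA (or MSTI) root."""
    return min(bridges, key=BridgeId.sort_key)


def path_cost(speed, mode):
    """Default port path cost for a link speed/mode, per the table above."""
    return DEFAULT_PATH_COST[(speed, mode)]


def root_path_cost(port):
    """Cost to the root through one port: the designated cost advertised by the
    upstream bridge plus this port's own path cost (hypothetical port record)."""
    speed, mode, designated_cost, _priority, _number = port
    return designated_cost + path_cost(speed, mode)


def select_root_port(candidates):
    """candidates: {port name: (speed, mode, designated_cost, port_priority, port_number)}.
    Lowest root path cost wins; ties go to the lower port priority, then port number."""
    def key(item):
        _name, port = item
        return (root_path_cost(port), port[3], port[4])
    return min(candidates.items(), key=key)[0]


if __name__ == "__main__":
    bridges = [BridgeId(32768, "00-00-AB-CD-00-01"),
               BridgeId(32768, "00-00-AB-CD-00-00"),
               BridgeId(61440, "00-00-00-00-00-01")]
    print("root:", elect_root(bridges))
    ports = {"Eth1/1": ("gigabit", "full", 190_000, 128, 1),
             "Eth1/2": ("fast", "full", 110_000, 128, 2)}
    print("root port:", select_root_port(ports))
```

The election is a plain minimum over (priority, MAC); lowering a bridge's priority is therefore the only deterministic way to pin the root, since MAC tie-breaking depends on whatever hardware happens to be attached.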
Related Commands
spanning-tree cost (4-158)

spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.

Syntax
[no] spanning-tree edge-port

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.

Command Usage
• This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding.
• Since end nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time.
• RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies.

Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree link-type point-to-point

spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.

Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree mst 1 cost 50
Console(config-if)#

Related Commands
spanning-tree mst port-priority (4-163)

spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.

Syntax
spanning-tree protocol-migration interface
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1-8)
- port - Port number.

Command Usage
• Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
• Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).

--------------------------------------------------------------
Eth 1/ 1 information
--------------------------------------------------------------
Admin status: enable
Role: root
State: forwarding
External admin path cost: 10000
Internal admin cost: 10000
External oper path cost: 10000
Internal oper path cost: 10000
Priority: 128
Designated cost: 200000
Designated port: 128.24
Designated root: 32768.0.0000ABCD0000
Designated bridge: 32768.0.
VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.

bridge-ext gvrp
This command enables GVRP globally for the switch. Use the no form to disable it.

Syntax
[no] bridge-ext gvrp

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch.

switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.

Syntax
[no] switchport gvrp

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#

show gvrp configuration
This command shows if GVRP is enabled.

Syntax
show gvrp configuration [interface]
interface
• ethernet unit/port
- unit - Stack unit.

garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers' default values.

Syntax
garp timer {join | leave | leaveall} timer_value
no garp timer {join | leave | leaveall}
• {join | leave | leaveall} - Which timer to set.
• timer_value - Value of timer.

show garp timer
This command shows the GARP timers for the selected interface.

Syntax
show garp timer [interface]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1-8)
- port - Port number. (Range: 1-26)
• port-channel channel-id (Range: 1-32)

Default Setting
Shows all GARP timers.

Command Usage
• Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
• Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN. The results of these commands are written to the running-configuration file, and you can display this file by entering the show running-config command.
Example
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.

Related Commands
shutdown (4-125)

switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.

Syntax
switchport mode {hybrid | trunk}
no switchport mode
• hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
• trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.

switchport native vlan
This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.

Syntax
switchport native vlan vlan-id
no switchport native vlan
vlan-id - Default VLAN ID for a port.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• A port, or a trunk with switchport mode set to hybrid, must be assigned to at least one VLAN as untagged.
• If a trunk has switchport mode set to trunk (i.e., 1Q Trunk), then you can only assign an interface to VLAN groups as a tagged member.
• Frames are always tagged within the switch.

Command Usage
• This command prevents a VLAN from being automatically added to the specified interface via GVRP.
• If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of forbidden VLANs for that same interface.
Example
The following example shows how to display information for VLAN 1:
Console#show vlan id 1
VLAN ID:              1
Type:                 Static
Name:                 DefaultVlan
Status:               Active
Ports/Port Channels:  Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
                      Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
                      Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
                      Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S)
                      Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S)
Console#

Configuring Private VLANs
Private VLANs

Example
This example enables the private VLAN, and then sets port 12 as the uplink and ports 5-8 as the downlinks.
Console(config)#pvlan
Console(config)#pvlan up-link ethernet 1/12 down-link ethernet 1/5-8
Console(config)#

show pvlan
This command displays the configured private VLAN.
Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.

• protocol - Protocol type. The only option for the llc_other frame type is ipx_raw. The options for all other frame types include: ip, ipv6, arp, rarp, and user-defined (0801-FFFF hexadecimal).

Default Setting
No protocol groups are configured.

- If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.

Example
The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
Console(config)#interface ethernet 1/1
Console(config-if)#protocol-vlan protocol-group 1 vlan 2
Console(config-if)#

show protocol-vlan protocol-group
This command shows the frame and protocol type associated with protocol groups.
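The classification rule above (an untagged frame whose protocol matches one of the port's protocol groups goes to that group's VLAN, otherwise to the port's default VLAN, while tagged frames keep their own VLAN) is shown below as an added Python example written for this guide, not the switch's own forwarding code. The frame-type name "ethernet" for Ethernet II frames is an assumption; "llc_other" and "ipx_raw" are the names used on this page. All frames and the group/port configuration are constructed.

```python
"""Protocol-based VLAN classification for untagged frames, added here as an example of
the behaviour described above (match a protocol group -> its VLAN; no match -> the
port's default VLAN; tagged frames keep their tag). Not the switch's own code.
Frame-type name "ethernet" (Ethernet II) is an assumption; "llc_other" and "ipx_raw"
are the names used on this page. Frames below are constructed."""
import struct

ETHERTYPE_BY_NAME = {"ip": 0x0800, "ipv6": 0x86DD, "arp": 0x0806, "rarp": 0x8035}


def protocol_key(frame_type, protocol):
    """Normalise one protocol-group entry to a comparable (frame_type, value) key."""
    if frame_type == "llc_other":
        if protocol != "ipx_raw":
            raise ValueError("the only protocol for llc_other is ipx_raw")
        return ("llc_other", "ipx_raw")
    if protocol in ETHERTYPE_BY_NAME:
        return ("ethernet", ETHERTYPE_BY_NAME[protocol])
    value = int(protocol, 16)                     # user-defined 0801-FFFF hexadecimal
    if not 0x0801 <= value <= 0xFFFF:
        raise ValueError("user-defined protocol must be 0801-FFFF hex")
    return ("ethernet", value)


def inspect_frame(frame):
    """Return ("tagged", vid) for 802.1Q frames, else the frame's protocol key."""
    if len(frame) < 16:
        raise ValueError("frame too short")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == 0x8100:                           # 802.1Q tag: VID is the low 12 bits of the TCI
        tci = struct.unpack("!H", frame[14:16])[0]
        return ("tagged", tci & 0x0FFF)
    if etype >= 0x0600:                           # Ethernet II type field
        return ("ethernet", etype)
    if frame[14:16] == b"\xff\xff":               # 802.3 length followed by the raw-IPX FFFF header
        return ("llc_other", "ipx_raw")
    return ("llc_other", frame[14:16].hex())      # other LLC DSAP/SSAP pairs; no group can match


def classify(frame, port, groups):
    """port:   {"pvid": vlan, "protocol_groups": {group_id: vlan}}   (protocol-vlan protocol-group <id> vlan <vlan>)
    groups: {group_id: set of protocol keys}                         (the group definitions)"""
    kind = inspect_frame(frame)
    if kind[0] == "tagged":
        return kind[1]
    for group_id, vlan in port["protocol_groups"].items():
        if kind in groups[group_id]:
            return vlan
    return port["pvid"]                           # untagged and no match: default VLAN


# Constructed sample configuration: group 1 = IP and ARP, group 2 = raw IPX;
# port 1 maps group 1 to VLAN 2 and group 2 to VLAN 3, with PVID 1.
GROUPS = {1: {protocol_key("ethernet", "ip"), protocol_key("ethernet", "arp")},
          2: {protocol_key("llc_other", "ipx_raw")}}
PORT1 = {"pvid": 1, "protocol_groups": {1: 2, 2: 3}}

# Constructed frames (destination, source, then type/length and a zero payload).
DST, SRC = b"\xff" * 6, bytes.fromhex("0012cf0b4600")
ARP_FRAME = DST + SRC + b"\x08\x06" + b"\x00" * 28
IPV6_FRAME = DST + SRC + b"\x86\xdd" + b"\x00" * 40
TAGGED_FRAME = DST + SRC + b"\x81\x00" + b"\x00\x05" + b"\x08\x00" + b"\x00" * 20
IPX_RAW_FRAME = DST + SRC + b"\x00\x40" + b"\xff\xff" + b"\x00" * 62

if __name__ == "__main__":
    for name, frame in [("arp", ARP_FRAME), ("ipv6", IPV6_FRAME),
                        ("tagged", TAGGED_FRAME), ("ipx_raw", IPX_RAW_FRAME)]:
        print(name, "->", classify(frame, PORT1, GROUPS))
```

Note that the fallback for unmatched untagged traffic is the PVID, so a port whose default VLAN is a sensitive one still admits every protocol not covered by a group; set the PVID deliberately when using protocol groups for segmentation.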
Command Mode
Privileged Exec

Example
This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2:
Console#show interfaces protocol-vlan protocol-group
 Port       ProtocolGroup ID   Vlan ID
 ---------- ------------------ ----------
 Eth 1/1    1                  vlan2
Console#

Class of Service Commands
The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to conge
queue mode
This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value.

Syntax
queue mode {strict | wrr}
no queue mode
• strict - Services the egress queues in sequential order, transmitting all traffic in the higher priority queues before servicing lower priority queues.

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.

Syntax
switchport priority default default-priority-id
no switchport priority default
default-priority-id - The priority number for untagged ingress traffic. The priority is a number from 0 to 7. Seven is the highest priority.

Default Setting
The priority is not set, and the default value for untagged frames received on the interface is zero.

queue bandwidth
This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues. Use the no form to restore the default weights.

Syntax
queue bandwidth weight1...weight4
no queue bandwidth
weight1...weight4 - The ratio of weights for queues 0 - 7 determines the weights used by the WRR scheduler. (Range: 1 - 15)

Default Setting
Weights 1, 2, 4, 6, 8, 10, 12, 14 are assigned to queues 0 - 7 respectively.

Default Setting
This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.

show queue bandwidth
This command displays the weighted round-robin (WRR) bandwidth allocation for the eight priority queues.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show queue bandwidth
Information of Eth 1/1
 Queue ID Weight
 -------- ------
        0      1
        1      2
        2      4
        3      6
        4      8
        5     10
        6     12
        7     14
 .
 .
 .

show queue cos-map
This command shows the class of service priority map.

Syntax
show queue cos-map [interface]
interface
• ethernet unit/port
- unit - Stack unit.

Priority Commands (Layer 3 and 4)
This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch.

map ip port (Interface Configuration)
This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting.

Syntax
map ip port port-number cos cos-value
no map ip port port-number
• port-number - 16-bit TCP/UDP port number.

Example
The following example shows how to enable IP precedence mapping globally:
Console(config)#map ip precedence
Console(config)#

map ip precedence (Interface Configuration)
This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table.

Syntax
map ip precedence ip-precedence-value cos cos-value
no map ip precedence
• precedence-value - 3-bit precedence value.
map ip dscp (Global Configuration)
This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping.

Syntax
[no] map ip dscp

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
• The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
• IP Precedence and IP DSCP cannot both be enabled.
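The precedence order just stated (an IP port mapping wins over an IP Precedence or DSCP mapping, which in turn wins over the default switchport priority), the identity default table for IP Precedence shown under show map ip precedence, and the rule that unspecified DSCP values map to CoS 0 can be pulled together into one classifier. The Python below is an added example for this guide and not the switch's own queuing logic; it parses a constructed IPv4/TCP packet to obtain the TOS byte and destination port. Using the 802.1p tag priority for tagged frames when no IP mapping applies is an assumption of this example (the page only states that the switchport default applies to untagged frames).

```python
"""CoS classification following the mapping precedence described above:
IP port  >  IP Precedence or IP DSCP  >  (tag priority if tagged, else switchport default).
Added example, not the switch's code; packets below are constructed."""
import struct

IP_PROTO_TCP, IP_PROTO_UDP = 6, 17


def parse_ipv4(packet):
    """Return (dscp, precedence, protocol, dst_port or None) from a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    tos = packet[1]                                   # DSCP is the top 6 bits, precedence the top 3
    proto = packet[9]
    dst_port = None
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP) and len(packet) >= ihl + 4:
        dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return tos >> 2, tos >> 5, proto, dst_port


class CosPolicy:
    """ip_port / ip_precedence / ip_dscp are None when that mapping is disabled,
    otherwise a dict of value -> CoS (an empty dict means "enabled, default table")."""

    def __init__(self, *, default_priority=0, ip_port=None, ip_precedence=None, ip_dscp=None):
        if ip_precedence is not None and ip_dscp is not None:
            raise ValueError("IP Precedence and IP DSCP cannot both be enabled")
        self.default_priority = default_priority
        self.ip_port, self.ip_precedence, self.ip_dscp = ip_port, ip_precedence, ip_dscp

    def classify(self, packet, tag_priority=None):
        dscp, precedence, _proto, dst_port = parse_ipv4(packet)
        if self.ip_port is not None and dst_port in self.ip_port:
            return self.ip_port[dst_port]                 # IP port mapping has the highest precedence
        if self.ip_precedence is not None:
            return self.ip_precedence.get(precedence, precedence)   # default table: value -> same CoS
        if self.ip_dscp is not None:
            return self.ip_dscp.get(dscp, 0)              # DSCP values not in the table map to CoS 0
        if tag_priority is not None:
            return tag_priority                           # assumption: 802.1p user priority of a tagged frame
        return self.default_priority                      # switchport priority default (untagged frames)


def build_ipv4(tos, proto, dst_port):
    """Constructed minimal IPv4 packet with a 4-byte transport header prefix (ports only)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, proto, 0,
                         bytes([10, 1, 0, 55]), bytes([192, 168, 1, 54]))
    return header + struct.pack("!HH", 40000, dst_port) + b"\x00" * 16


HTTP_EF = build_ipv4(0xB8, IP_PROTO_TCP, 80)   # DSCP 46 (EF), precedence 5, TCP port 80
DNS_AF11 = build_ipv4(0x28, IP_PROTO_UDP, 53)  # DSCP 10 (AF11), precedence 1, UDP port 53

if __name__ == "__main__":
    print(CosPolicy(ip_port={80: 0}, ip_dscp={46: 5}).classify(HTTP_EF))   # port map wins: 0
    print(CosPolicy(ip_dscp={46: 5}).classify(HTTP_EF))                    # DSCP map: 5
    print(CosPolicy(default_priority=3).classify(HTTP_EF))                 # nothing enabled: 3
```

A consequence worth checking on a live switch: once a port mapping such as HTTP to CoS 0 exists, a DSCP of EF on that traffic is ignored, which is the intended way to stop hosts from promoting their own traffic by marking it.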
Default Setting
The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0.

Default Setting
None

Command Mode
Privileged Exec

Example
The following shows that HTTP traffic has been mapped to CoS value 0:
Console#show map ip port
TCP port mapping status: disabled
 Port      Port no.  COS
 --------- --------  ---
 Eth 1/ 5        80    0
Console#

Related Commands
map ip port (Global Configuration) (4-190)
map ip port (Interface Configuration) (4-191)

show map ip precedence
This command shows the IP precedence priority map.

Example
Console#show map ip precedence ethernet 1/5
Precedence mapping status: disabled
 Port      Precedence  COS
 --------- ----------  ---
 Eth 1/ 5           0    0
 Eth 1/ 5           1    1
 Eth 1/ 5           2    2
 Eth 1/ 5           3    3
 Eth 1/ 5           4    4
 Eth 1/ 5           5    5
 Eth 1/ 5           6    6
 Eth 1/ 5           7    7
Console#

Related Commands
map ip precedence (Global Configuration) (4-191)
map ip precedence (Interface Configuration) (4-192)

show map ip dscp
This command shows the IP DSCP priority map.

Related Commands
map ip dscp (Global Configuration) (4-193)
map ip dscp (Interface Configuration) (4-193)

Quality of Service Commands
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs.
any traffic that exceeds the specified rate, or just reduce the DSCP service level for traffic exceeding the specified rate. Use the service-policy command to assign a policy map to a specific interface.

Notes:
1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.
2. You should create a Class Map (page 4-198) before creating a Policy Map (page 4-200).

match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.

Syntax
[no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan}
• acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters)
• dscp - A DSCP value. (Range: 0-63)
• ip-precedence - An IP Precedence value. (Range: 0-7)
• vlan - A VLAN.

policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode.

Syntax
[no] policy-map policy-map-name
policy-map-name - Name of the policy map.

Command Mode
Policy Map Configuration

Command Usage
• Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set and police commands to specify the match criteria, where the:
- set command classifies the service that an IP packet will receive.

Example
This example creates a policy called "rd_policy," uses the class command to specify the previously defined "rd_class," uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
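The police step in this example (average rate 100,000 Kbps, burst 1522 bytes, drop on violation) is a token-bucket decision: a packet conforms if the bucket, refilled at the average rate up to the burst size, holds enough bytes for it. The Python below is an added example written for this guide, not the switch's own policer; the packet timeline is constructed, and the "remark" action name (standing in for the section intro's "reduce the DSCP service level") is an assumption of the example.

```python
"""Token-bucket policer illustrating the police action in the rd_policy example:
average rate 100,000 Kbps, burst 1522 bytes, violating packets dropped (or, as the
section intro allows, re-marked to a lower DSCP). Added example, not the switch's
scheduler; the packet timeline below is constructed."""


class Policer:
    def __init__(self, rate_kbps, burst_bytes, exceed_action="drop", exceed_dscp=None):
        self.rate_kbps = rate_kbps
        self.burst = burst_bytes
        self.tokens = burst_bytes          # the bucket starts full
        self.last_us = 0
        self.exceed_action = exceed_action  # "drop" or "remark" (name assumed for this example)
        self.exceed_dscp = exceed_dscp

    def refill(self, now_us):
        # rate_kbps * 1000 bits/s over `elapsed` microseconds, divided by 8 bits per byte,
        # simplifies to elapsed * rate_kbps / 8000 bytes (integer arithmetic, no drift).
        elapsed = now_us - self.last_us
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_kbps // 8000)
        self.last_us = now_us

    def police(self, now_us, size_bytes):
        """Return "conform", "drop", or ("remark", dscp) for one packet."""
        self.refill(now_us)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        if self.exceed_action == "drop":
            return "drop"
        return ("remark", self.exceed_dscp)


def run(policer, packets):
    """packets: list of (arrival_us, size_bytes); returns the action taken for each."""
    return [policer.police(t, size) for t, size in packets]


# Constructed burst: two full-size packets back to back, then one at 200 us and one at 250 us.
PACKETS = [(0, 1500), (0, 1500), (200, 1500), (250, 1000)]

if __name__ == "__main__":
    print(run(Policer(100_000, 1522), PACKETS))   # ['conform', 'drop', 'conform', 'drop']
```

With a burst of only 1522 bytes the bucket holds a single maximum-size frame, so a second frame arriving in the same instant is dropped even though the average rate is far from exceeded; the burst parameter, not the rate, decides how bursty a conforming flow may be.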
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.

Syntax
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-16 characters)

Default Setting
Displays all class maps.

Example
Console#show policy-map
Policy Map rd_policy
  class rd_class
    set ip dscp 3
Console#show policy-map rd_policy class rd_class
Policy Map rd_policy
  class rd_class
    set ip dscp 3
Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.

Syntax
show policy-map interface interface input
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1-8)
- port - Port number.

IGMP Snooping Commands
This section describes commands used to configure IGMP snooping on the switch.

Command Mode
Global Configuration

Example
The following shows how to statically configure a multicast group on a port:
Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet 1/5
Console(config)#

ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.

Command Usage
See "Configuring IGMP Snooping and Query Parameters" on page 3-178 for a description of the displayed items.

IGMP Query Commands
This section describes commands used to configure Layer 2 IGMP query on the switch.
Default Setting
2 times

Command Mode
Global Configuration

Command Usage
The query count defines how long the querier waits for a response from a multicast client before taking action. If a querier has sent a number of queries defined by this command, but a client has not responded, a countdown timer is started using the time defined by ip igmp snooping query-max-response-time.

ip igmp snooping query-max-response-time
This command configures the query report delay. Use the no form to restore the default.

Syntax
ip igmp snooping query-max-response-time seconds
no ip igmp snooping query-max-response-time
seconds - The report delay advertised in IGMP queries. (Range: 5-25)

Default Setting
10 seconds

Command Mode
Global Configuration

Command Usage
• The switch must be using IGMPv2 for this command to take effect.

Command Mode
Global Configuration

Command Usage
The switch must use IGMPv2 for this command to take effect.

Command Usage
Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.

Domain Name Service Commands
These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation.
Command Usage
Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.

Example
This example maps two addresses to a host name.
Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#end
Console#show hosts
Hostname
 rd5
Inet address
 10.1.0.

Default Setting
None

Command Mode
Global Configuration

Example
Console(config)#ip domain-name sample.com
Console(config)#end
Console#show dns
Domain Lookup Status:
    DNS disabled
Default Domain Name:
    .sample.com
Domain Name List:
Name Server List:
Console#

Related Commands
ip domain-list (4-216)
ip name-server (4-217)
ip domain-lookup (4-218)

ip domain-list
This command defines a list of domain names that can be appended to incomplete host names (i.e.

Example
This example adds two domain names to the current list and then displays the list.
Console(config)#ip domain-list sample.com.jp
Console(config)#ip domain-list sample.com.uk
Console(config)#end
Console#show dns
Domain Lookup Status:
    DNS disabled
Default Domain Name:
    .sample.com
Domain Name List:
    .sample.com.jp
    .sample.com.

Example
This example adds two domain-name servers to the list and then displays the list.
Console(config)#ip domain-server 192.168.1.55 10.1.0.55
Console(config)#end
Console#show dns
Domain Lookup Status:
    DNS disabled
Default Domain Name:
    .sample.com
Domain Name List:
    .sample.com.jp
    .sample.com.uk
Name Server List:
    192.168.1.55
    10.1.0.

Related Commands
ip domain-name (4-215)
ip name-server (4-217)

show hosts
This command displays the static host name-to-address mapping table.

Command Mode
Privileged Exec

Example
Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
Console#show hosts
Hostname
 rd5
Inet address
 10.1.0.55 192.168.1.55
Alias
 1.rd6
Console#

show dns
This command displays the configuration of the DNS service.
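The static-resolution behaviour spread over the ip host, ip domain-name, ip domain-list and show hosts entries above (incomplete names completed with the default domain and then each domain-list entry, several addresses per host tried in succession, and a host shown as an alias when it maps to the same addresses as an earlier entry) is collected in the following Python model. It is an added example for this guide, not the switch's resolver; the rd5 entry and the domain names mirror this page's examples, while rd6 and the www host are constructed.

```python
"""Static host table, default domain and domain list lookup, as an added example of
the ip host / ip domain-name / ip domain-list / show hosts behaviour above.
Not the switch's resolver. Names and addresses are constructed (the rd5 entry and
the domain names mirror the examples on this page)."""


class StaticDns:
    def __init__(self):
        self.hosts = {}            # name -> list of addresses, in configured order
        self.default_domain = None
        self.domain_list = []

    def ip_host(self, name, *addresses):          # ip host <name> <addr> [<addr> ...]
        self.hosts.setdefault(name, []).extend(addresses)

    def ip_domain_name(self, domain):             # ip domain-name <domain>
        self.default_domain = domain

    def ip_domain_list(self, domain):             # ip domain-list <domain>
        self.domain_list.append(domain)

    def candidates(self, name):
        """Names tried for a lookup: an incomplete name (no dot) is tried as given,
        then completed with the default domain, then with each domain-list entry."""
        if "." in name:
            return [name]
        suffixes = ([self.default_domain] if self.default_domain else []) + self.domain_list
        return [name] + [f"{name}.{suffix}" for suffix in suffixes]

    def resolve(self, name):
        """Addresses of the first candidate present in the static table ([] if none)."""
        for candidate in self.candidates(name):
            if candidate in self.hosts:
                return list(self.hosts[candidate])
        return []

    def connect(self, name, reachable):
        """Try each address in succession until one answers (reachable: set of addresses)."""
        for address in self.resolve(name):
            if address in reachable:
                return address
        return None

    def aliases(self):
        """show hosts marks a name as an alias when it maps to the same addresses as an
        earlier entry; returns {alias name: name of the earlier entry}."""
        seen, result = {}, {}
        for name, addresses in self.hosts.items():
            key = tuple(sorted(addresses))
            if key in seen:
                result[name] = seen[key]
            else:
                seen[key] = name
        return result


def sample():
    """Constructed configuration following this page's examples."""
    dns = StaticDns()
    dns.ip_domain_name("sample.com")
    dns.ip_domain_list("sample.com.jp")
    dns.ip_domain_list("sample.com.uk")
    dns.ip_host("rd5", "192.168.1.55", "10.1.0.55")
    dns.ip_host("rd6", "192.168.1.55", "10.1.0.55")     # same addresses: shown as an alias of rd5
    dns.ip_host("www.sample.com.jp", "10.1.0.77")
    return dns


if __name__ == "__main__":
    dns = sample()
    print(dns.candidates("www"))          # search order for an incomplete name
    print(dns.resolve("www"))             # ['10.1.0.77']
    print(dns.connect("rd5", {"10.1.0.55"}))
    print(dns.aliases())                  # {'rd6': 'rd5'}
```

The search order matters operationally: an incomplete name is completed with the default domain before any domain-list entry, so a host that exists under both suffixes is always resolved under the default domain.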
show dns cache
This command displays entries in the DNS cache.

Command Mode
Privileged Exec

Example
Console#show dns cache
NO FLAG TYPE  IP            TTL DOMAIN
2  4    CNAME 66.218.71.84  298 www.yahoo.akadns.net
3  4    CNAME 66.218.71.83  298 www.yahoo.akadns.net
4  4    CNAME 66.218.71.81  298 www.yahoo.akadns.net
5  4    CNAME 66.218.71.80  298 www.yahoo.akadns.net
6  4    CNAME 66.218.71.89  298 www.yahoo.akadns.net
7  4    CNAME 66.218.71.86  298 www.yahoo.akadns.net
8  4    ALIAS POINTER TO:7  298 www.
Console#
IP Interface Commands
An IP address may be used for management access to the switch over your network. An IPv4 address for this switch is obtained via DHCP by default. You can manually configure a specific IPv4 address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. Both IP Version 4 and Version 6 addresses can be defined and used simultaneously to access the switch.
Table 4-74 Basic IP Configuration Commands (continued)
Command - Function - Mode - Page
show ipv6 mtu - Displays maximum transmission unit (MTU) information for IPv6 interfaces - NE, PE - 4-238
show ipv6 traffic - Displays statistics about IPv6 traffic - NE, PE - 4-239
clear ipv6 traffic - Resets IPv6 traffic counters - PE - 4-244
ping ipv6 - Sends ICMP echo request packets to an IPv6 node on the network - NE, PE - 4-245
Neighbor Discovery
ipv6 neighbor - Configures a static entry in the IPv6 neighbor dis
periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask.)
• You can start broadcasting BOOTP or DHCP requests by entering an ip dhcp restart command, or by rebooting the switch.

Notes:
1. Only one VLAN interface can be assigned an IP address (the default is VLAN 1). This defines the management VLAN, the only VLAN through which you can gain management access to the switch.

Example
The following example defines a default gateway for this device:
Console(config)#ip default-gateway 10.1.1.254
Console(config)#

Related Commands
show ip redirects (4-225)
ipv6 default-gateway (4-236)

ip dhcp restart
This command submits an IPv4 BOOTP or DHCP client request.

Example
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#

Related Commands
show ip redirects (4-225)
show ipv6 interface (4-234)

show ip redirects
This command shows the IPv4 default gateway configured for this device.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show ip redirects
ip default gateway 10.1.0.

Command Usage
• Use the ping command to see if another site on the network can be reached.
• The following are some results of the ping command:
- Normal response - The normal response occurs in one to ten seconds, depending on network traffic.
- Destination does not respond - If the host does not respond, a "timeout" appears in ten seconds.
- Destination unreachable - The gateway for this destination indicates that the destination is unreachable.

address to modified EUI-64 format (see page 4-231). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet.
• If a duplicate address is detected on the local segment, this interface will be disabled and a warning message displayed on the console.
• The no ipv6 enable command does not disable IPv6 for an interface that has been explicitly configured with an IPv6 address.

Default Setting
No general prefix is defined

Command Mode
Global Configuration

Command Usage
• Prefixes may contain zero-value fields or end in zeros.
• A general prefix holds a short prefix that indicates the high-order bits used in the network portion of the address. Longer, more specific, prefixes can be based on the general prefix to specify any number of subnets. When the general prefix is changed, all of the more specific prefixes based on this prefix will also change.

ipv6 address
This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.

Example
This example uses the general network prefix of 2009:DB9:2229::/48 used in an earlier example, and then specifies the subsequent prefix bits 0:0:0:7279::/64, and finally the host address portion of 79.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address rd 0:0:0:7279::79/64
Console(config-if)#end
Console#show ipv6 interface
Vlan 1 is up
IPv6 is enable.
• If a duplicate address is detected, a warning message is sent to the console.
• If the router advertisements have the "other stateful configuration" flag set, the switch will attempt to acquire other non-address configuration information (such as a default gateway).

Example
This example assigns two dynamic global unicast addresses of 2005::212:CFFF:FE0B:4600 and 3FFE:501:FFFF:100:212:CFFF:FE0B:4600 to the switch.

Default Setting
No IPv6 addresses are defined

Command Mode
Interface Configuration (VLAN)

Command Usage
• If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address and a link-local address for this interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch's MAC address in modified EUI-64 format.

Example
This example uses the general network prefix of 2001:0DB8:0:1::/64 used in an earlier example, and specifies that the EUI-64 interface identifier be used in the lower 64 bits of the address.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address 2001:0DB8:0:1::/64 eui-64
Console(config-if)#end
Console#show ipv6 interface
Vlan 1 is up
IPv6 is enable.

• You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface.
• If a duplicate address is detected, a warning message is sent to the console.

Example
This example assigns a link-local address of FE80::269:3EF9:FE19:6779 to VLAN 1. Note that the prefix FE80 is required for link-local addresses, and the first 16-bit group in the host address is padded with a zero in the form 0269.
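The address forms used in the ipv6 address entries above (a /64 prefix completed with a modified EUI-64 interface identifier, the FE80::/64 link-local address built the same way, a general prefix combined with more specific bits, and the solicited-node groups listed by show ipv6 interface) are computed below in Python. This is an added example for this guide, not the switch's code; the MAC 00-12-CF-0B-46-00 is recovered from the dynamic-address example on this page (its interface identifier 212:CFFF:FE0B:4600 is the modified EUI-64 of that MAC), and the other inputs are constructed.

```python
"""Modified EUI-64 interface identifiers, link-local and solicited-node addresses, and
general-prefix combination, as an added example of the address forms described in the
ipv6 address ... eui-64, ipv6 address link-local and show ipv6 interface entries.
Not the switch's code. MAC 00-12-CF-0B-46-00 is taken from the dynamic-address
example on this page; other inputs are constructed."""
import ipaddress


def modified_eui64(mac):
    """64-bit interface ID from a 48-bit MAC: flip the universal/local bit (0x02) of
    the first octet and insert FF-FE between the OUI and the device-specific part."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix, mac):
    """Combine a /64 prefix (e.g. "2001:0DB8:0:1::/64") with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(modified_eui64(mac), "big"))


def link_local(mac):
    """Link-local address: the FE80::/64 prefix plus the EUI-64 interface ID."""
    return eui64_address("FE80::/64", mac)


def with_general_prefix(general_prefix, specific):
    """ipv6 address <general-prefix-name> <bits>/<len>: OR the general prefix's network
    bits with the more specific prefix and host bits supplied on the command line."""
    general = ipaddress.IPv6Network(general_prefix, strict=False)
    spec = ipaddress.IPv6Interface(specific)
    combined = ipaddress.IPv6Address(int(general.network_address) | int(spec.ip))
    return ipaddress.IPv6Interface(f"{combined}/{spec.network.prefixlen}")


def solicited_node(address):
    """FF02::1:FFxx:xxxx group joined for neighbor discovery and DAD: the low 24 bits
    of the unicast address appended to FF02::1:FF00:0/104."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("FF02::1:FF00:0")) | low24)


if __name__ == "__main__":
    mac = "00-12-CF-0B-46-00"
    print(eui64_address("2005::/64", mac))                           # 2005::212:cfff:fe0b:4600
    print(link_local(mac))                                           # fe80::212:cfff:fe0b:4600
    print(with_general_prefix("2009:DB9:2229::/48", "0:0:0:7279::79/64"))
    print(solicited_node("2009:DB9:2229::79"))                       # ff02::1:ff00:79
```

Because the interface identifier is derived from the MAC, an EUI-64 management address reveals the hardware address to anyone on the path; the duplicate-address warnings mentioned above are also worth monitoring, since a DAD failure leaves the interface without the address it was configured for.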
Example
This example displays all the IPv6 addresses configured for the switch.
Console#show ipv6 interface
Vlan 1 is up
IPv6 is enable.
Link-local address:
    FE80::269:3EF9:FE19:6779/64
Global unicast address(es):
    2009:DB9:2229::79, subnet is 2009:DB9:2229:0::/64
Joined group address(es):
    FF01::1/16
    FF02::1/16
    FF02::1:FF00:79/104
    FF02::1:FF19:6779/104
MTU is 1500 bytes.
ND DAD is enabled, number of DAD attempts: 1.

This example displays a brief summary of IPv6 addresses configured on the switch.
Console#show ipv6 interface brief
Vlan 1 is up
IPv6 is enable.
    FF01::1
    2009:DB9:2229::79
    FE80::269:3EF9:FE19:6779
    FF02::1
    FF02::1:FF00:79
    FF02::1:FF19:6779
Console#

Related Commands
show ip interface (4-224)

ipv6 default-gateway
This command sets an IPv6 default gateway to use when the management station is located on a different network segment.

Related Commands
show ipv6 default-gateway (4-237)
ip default-gateway (4-223)

show ipv6 default-gateway
This command displays the current IPv6 default gateway.

Related Commands
show ipv6 mtu (4-238)
jumbo frame (4-24)

show ipv6 mtu
This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.

show ipv6 traffic
This command displays statistics about IPv6 traffic passing through this switch.

(continuation of the show ipv6 traffic display; only the counter names survived extraction)
    router solicit
    router advert
    redirects
    neighbor solicit
    neighbor advert
Ipv6 icmp output
    output
    sent
    output unreach routing
    unreach admin
    unreach neighbor
    unreach address
    unreach port
    parameter error
    parameter header
    parameter option
    hopcount expired
    Reassembly timeout
    too big
    echo request
    echo reply
    group query
    group report
    group reduce
    router solicit
    router advert
    redirects
    neighbor solicit
    neighbor advert
UDP Statistics:
    input
    checksum errors
    length errors
    no port
    dropped
    output
TCP S
IP Interface Commands 4 Table 4-77 show ipv6 traffic - display description Field Description hop count exceeded Number of packets discarded because its time-to-live (TTL) field was decremented to zero. unknown protocol The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.
Ipv6 mcast
mcast received - The number of multicast packets received by the interface.
mcast sent - The number of multicast packets transmitted by the interface.
ICMP Statistics
Ipv6 icmp input
input - The total number of ICMP messages received by the interface, which includes all those counted by ipv6IfIcmpInErrors.
router solicit - The number of ICMP Router Solicit messages received by the interface.
router advert - The number of ICMP Router Advertisement messages received by the interface.
redirects - The number of Redirect messages received.
neighbor solicit - The number of ICMP Neighbor Solicitation messages received by the interface.
UDP Statistics
input - The total number of UDP datagrams delivered to UDP users.
checksum errors - The total number of UDP packet checksum errors.
length errors - The total number of UDP header length errors.
no port - The total number of received UDP datagrams for which there was no application at the destination port.
ping ipv6
This command sends ICMP echo request packets to an IPv6 node on the network.

Syntax
ping ipv6 address {ipv6-address | host-name} [size datagram-size | repeat repeat-count | data hex-data-pattern | source source-address | timeout seconds | verbose]

• ipv6-address - The IPv6 address of the device to ping. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Example

Console# ping ipv6 2001:0DB8::3/64 repeat 5
Which outside interface [1]:1
Type ESC to abort.
Sending 5, [100]-byte ICMP Echos to 2009:DB9:2229::80, timeout is 2 seconds.
!!!!!
Success rate is 100 percent
round-trip min/max/avg = 10/30/14.000000 ms
Console#

Related Commands
ping (4-225)

ipv6 neighbor
This command configures a static entry in the IPv6 neighbor discovery cache. Use the no form to remove a static entry from the cache.
converted to a static entry. Static entries in the IPv6 neighbor discovery cache are not modified if subsequently detected by the neighbor discovery process.
• Disabling IPv6 on an interface with the no ipv6 enable command (see page 4-226) deletes all dynamically learned entries in the IPv6 neighbor discovery cache for that interface, but does not delete static entries.
performed on the interface’s link-local address, the other IPv6 addresses remain in a “tentative” state. If no duplicate link-local address is found, duplicate address detection is started for the remaining IPv6 addresses.
• If a duplicate address is detected, it is set to “duplicate” state, and a warning message is sent to the console. If a duplicate link-local address is detected, IPv6 processes are disabled on the interface.
Default Setting
1000 milliseconds is used for neighbor discovery operations

Command Mode
Interface Configuration (VLAN)

Command Usage
This command specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor. Every retransmission adds neighbor solicitation traffic to the link, so avoid using very short intervals for normal IPv6 operations.
show ipv6 neighbors
This command displays information in the IPv6 neighbor discovery cache.

Syntax
show ipv6 neighbors [vlan vlan-id | ipv6-address]

• vlan-id - VLAN ID (Range: 1-4093)
• ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Table 4-78 show ipv6 neighbors - display description

Field - Description
State - The following states are used for dynamic entries:
• INCMP (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
Appendix A: Software Specifications

Software Features
Authentication: Local, RADIUS, TACACS+, Port (802.1X), HTTPS, SSH, Port Security
Access Control Lists: 9 ACLs (32 MAC rules, 32 IP rules, 32 IPv6 rules)
DHCP Client
BOOTP Client
DNS Proxy
Port Configuration: 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex; 1000BASE-SX/LX/LH - 1000 Mbps at full duplex (SFP); 10GBASE-LR/SR - 10 Gbps at full duplex (Module)
Flow Control: Full Duplex: IEEE 802.
Quality of Service: DiffServ supports class maps, policy maps, and service policies
Multicast Filtering: IGMP Snooping
Additional Features: BOOTP client, CIDR (Classless Inter-Domain Routing), SNTP (Simple Network Time Protocol), SNMP (Simple Network Management Protocol), RMON (Remote Monitoring, groups 1,2,3,9), SMTP Email Alerts

Management Features
In-Band Management: Telnet, web-based HTTP or HTTPS, SNMP manager, or Secure Shell
Out-of-Band Management: RS-232 DB-9 console port
Software
Management Information Bases
IGMP (RFC 1112)
IGMPv2 (RFC 2236)
IPv4 IGMP (RFC 3228)
RADIUS+ (RFC 2618)
RMON (RFC 2819 groups 1,2,3,9)
SNMP (RFC 1157)
SNMPv2c (RFC 2571)
SNMPv3 (RFC DRAFT 3414, 3410, 2273, 3411, 3415)
SNTP (RFC 2030)
SSH (Version 2.
SNMP Community MIB (RFC 3584)
TACACS+ Authentication Client MIB
TCP MIB (RFC 2012)
Trap (RFC 1215)
UDP MIB (RFC 2013)
Appendix B: Troubleshooting

Problems Accessing the Management Interface

Table B-1 Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
• Be sure the switch is powered up.
• Check network cabling between the management station and the switch.
• Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Designate the SNMP host that is to receive the error messages.
4. Repeat the sequence of commands or other actions that lead up to the error.
5.
Glossary

Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

Boot Protocol (BOOTP)
BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device’s system files, and the name of the boot file.
Extended Universal Identifier (EUI)
An address format used by IPv6 to identify the host portion of the network address. The interface identifier in EUI-compatible addresses is based on the link-layer (MAC) address of an interface. Interface identifiers used in global unicast and other IPv6 address types are 64 bits long and may be constructed in the EUI-64 format.
IEEE 802.1Q
VLAN Tagging: defines Ethernet frame tags which carry VLAN information. It allows switches to assign end stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.

IEEE 802.1p
An IEEE standard for providing quality of service (QoS) in Ethernet networks. The standard uses packet tags that define up to eight traffic classes and allows switches to transmit packets based on the tagged priority value.

IEEE 802.
IP Multicast Filtering
A process whereby this switch can pass multicast traffic along to participating hosts.

IP Precedence
The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic.
Port Authentication
See IEEE 802.1X.

Port Mirroring
A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.

Port Trunk
Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
Secure Shell (SSH)
A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.

Simple Mail Transfer Protocol (SMTP)
A standard host-to-host mail transport protocol that operates over TCP, port 25.

Simple Network Management Protocol (SNMP)
The application protocol in the Internet suite of protocols which offers network management services.
User Datagram Protocol (UDP)
UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets: connectionless datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.