TigerStack III 10/100 24-Port Fast Ethernet Switch
• 24 auto-MDI/MDI-X 10BASE-T/100BASE-TX ports
• 10BASE-T/100BASE-TX ports support PoE capabilities*
• 2 Gigabit combo ports (RJ-45/SFP)
• 8.
TigerStack III 10/100 Management Guide
From SMC’s Tiger line of feature-rich workgroup LAN solutions
38 Tesla, Irvine, CA 92618
Phone: (949) 679-8000
June 2005
Pub.
Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC. SMC reserves the right to change specifications at any time without notice. Copyright © 2005 by SMC Networks, Inc. 38 Tesla Irvine, CA 92618 All rights reserved.
LIMITED WARRANTY Limited Warranty Statement: SMC Networks, Inc. (“SMC”) warrants its products to be free from defects in workmanship and materials, under normal use and service, for the applicable warranty term. All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion, repair or replace any product not operating as warranted with a similar or functionally equivalent product, during the applicable warranty term.
WARRANTIES EXCLUSIVE: IF AN SMC PRODUCT DOES NOT OPERATE AS WARRANTED ABOVE, CUSTOMER’S SOLE REMEDY SHALL BE REPAIR OR REPLACEMENT OF THE PRODUCT IN QUESTION, AT SMC’S OPTION. THE FOREGOING WARRANTIES AND REMEDIES ARE EXCLUSIVE AND ARE IN LIEU OF ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, EITHER IN FACT OR BY OPERATION OF LAW, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OR CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
CHAPTER 1 INTRODUCTION
These switches provide a broad range of features for Layer 2 switching. They include a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by these switches. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment. The 24 10/100 Mbps ports on the SMC6824MPE and SMC6826MPE also support the IEEE 802.
Table 1-1 Key Features
• DHCP Client – Supported
• Port Configuration – Speed, duplex mode and flow control
• Rate Limiting – Input and output rate limiting per port
• Port Mirroring – One or more ports mirrored to single analysis port
• Port Trunking – Supports port trunking using either static or dynamic trunking (LACP)
• Broadcast Storm Control – Supported
• Static Address – Up to 8K MAC addresses in the forwarding table
• IEEE 802.
DESCRIPTION OF SOFTWARE FEATURES
priority queueing ensures the minimum delay for moving real-time multimedia data across the network, while multicast filtering provides support for real-time network applications. Some of the management features are briefly described below.
Configuration Backup and Restore – You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings.
switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard.
Rate Limiting – This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 8K addresses.
Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port.
for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).
Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network.
priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.
Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration.
Table 1-2 System Defaults (Continued)
Authentication
• Privileged Exec Level – Username “admin”, Password “admin”
• Normal Exec Level – Username “guest”, Password “guest”
• Enable Privileged Exec from Normal Exec Level – Password “super”
• RADIUS Authentication – Disabled
• TACACS Authentication – Disabled
• 802.
Table 1-2 System Defaults (Continued)
• Power over Ethernet* – Status: Enabled (all ports)
• Rate Limiting – Input and output limits: Disabled
• Port Trunking – Static Trunks: None; LACP: Disabled
• Broadcast Storm Protection – Status: Enabled (all ports); Broadcast Limit Rate: 500 packets per second
• Spanning Tree Protocol – Status: Enabled, MSTP (Defaults: All values based on IEEE 802.
Table 1-2 System Defaults (Continued)
• IP Settings – Management VLAN: 1; IP Address: 0.0.0.0; Subnet Mask: 255.0.0.0; Default Gateway: 0.0.0.
CHAPTER 2 INITIAL CONFIGURATION
Connecting to the Switch
Configuration Options
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: The IP address for this switch is assigned via DHCP by default. To change this address, see “Setting an IP Address” on page 2-7.
The switch’s CLI configuration program, web interface, and SNMP agent allow you to perform the following management functions:
• Set user names and passwords
• Set an IP interface for the management VLAN
• Configure SNMP parameters
• Enable/disable any port
• Set the speed/duplex mode for any port
• Configure the bandwidth of any port by limiting input or output rates
• Power attached devices using IEEE 802.
Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch.
Note: When configuring a stack, connect to the console port on the Master unit.
Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch.
Notes:
1. When using HyperTerminal with Microsoft® Windows® 2000, make sure that you have Windows 2000 Service Pack 2 or later installed. Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal’s VT100 emulation. See www.microsoft.com for information on Windows 2000 service packs.
2. Refer to “Line Commands” on page 4-13 for a complete description of console configuration options.
3.
Note: The onboard program only provides access to basic configuration functions. To access the full range of SNMP management functions, you must use SNMP-based network management software.
Stack Operations
Up to eight switches can be stacked together as described in the Installation Guide. One unit in the stack acts as the Master for configuration tasks and firmware upgrade. All of the other units function in Slave mode.
Resilient IP Interface for Management Access
The stack functions as one integral system for management and configuration purposes. You can therefore manage the stack through any port configured as part of the VLAN used for management access. The Master unit does not even have to include an active port member in the management VLAN.
BASIC CONFIGURATION
4. The session is opened and the CLI displays the “Console#” prompt indicating you have access at the Privileged Exec level.
Setting Passwords
Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
Dynamic — The switch sends IP configuration requests to BOOTP or DHCP address allocation servers on the network.
Note: Only one VLAN interface can be assigned an IP address (the default is VLAN 1). This defines the management VLAN, the only VLAN through which you can gain management access to the switch. If you assign an IP address to any other VLAN, the new IP address overrides the original IP address and this becomes the new management VLAN.
4. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press Enter.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.
4. Type “ip dhcp restart” to begin broadcasting service requests. Press Enter.
5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press Enter.
6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press Enter.
entire MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see page 3-67).
Community Strings (for SNMP version 1 and 2c clients)
Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
Trap Receivers
You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command.
used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth mib-2 802.
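As an added example (not SMC’s code and not from this guide), the following Python script audits a saved running-config offline for the weak states the “Setting Passwords” and SNMP sections and Table 1-2 describe: factory default user and enable passwords, passwords shorter than the 8 characters the switch allows, v1/v2c community strings (whose absence is what disables v1/v2c access), SNMPv3 groups without authentication, and the dotted-quad rule for the management address. The exact line forms it parses (cleartext “password 0”, “v3 noauth/auth/priv”, “ip address dhcp”) and the sample config are assumptions modelled on the commands shown here.

```python
"""Offline audit of a saved TigerStack III style running-config.

Added example, not SMC's code. The line forms below are assumptions
modelled on the commands this guide shows:
    username <name> password 0 <cleartext>
    enable password [level <n>] 0 <cleartext>
    snmp-server community <string> [ro|rw]
    snmp-server group <name> v3 {auth|noauth|priv} <read-view> <write-view>
    interface vlan <id>  /  ip address {<addr> <mask> | dhcp | bootp}
"""
import re

# Factory defaults listed in Table 1-2 of the guide.
DEFAULT_USERS = {"admin": "admin", "guest": "guest"}
DEFAULT_ENABLE_PASSWORD = "super"
# The guide states passwords are up to 8 alphanumeric, case-sensitive characters.
MAX_PASSWORD_LEN = 8

_DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def is_valid_ipv4(addr):
    """Four decimal numbers 0-255 separated by periods: the only form the CLI accepts."""
    m = _DOTTED_QUAD.match(addr)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def check_password(owner, pw):
    """Findings for one cleartext password ('enable' means the enable password)."""
    out = []
    default = DEFAULT_ENABLE_PASSWORD if owner == "enable" else DEFAULT_USERS.get(owner)
    if pw == default:
        out.append(f"{owner}: factory default password still set")
    if len(pw) < MAX_PASSWORD_LEN:
        out.append(f"{owner}: password uses {len(pw)} of the {MAX_PASSWORD_LEN} characters allowed")
    return out


def audit_config(text):
    """Return a list of human-readable findings for the config text."""
    findings = []
    communities = []   # (string, access)
    v3_groups = []     # (group, security level)
    vlan_addrs = []    # (vlan id, address or dhcp/bootp)
    current_vlan = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "username" and len(t) >= 5 and t[2:4] == ["password", "0"]:
            findings += check_password(t[1], t[4])
        elif t[:2] == ["enable", "password"] and len(t) >= 4 and t[-2] == "0":
            findings += check_password("enable", t[-1])
        elif t[:2] == ["snmp-server", "community"] and len(t) >= 3:
            communities.append((t[2], t[3] if len(t) > 3 else "ro"))
        elif t[:2] == ["snmp-server", "group"] and len(t) >= 5 and t[3] == "v3":
            v3_groups.append((t[2], t[4]))
        elif t[:2] == ["interface", "vlan"] and len(t) == 3:
            current_vlan = t[2]
        elif t[0] in ("interface", "exit", "end"):
            current_vlan = None          # left the VLAN interface context
        elif t[:2] == ["ip", "address"] and len(t) >= 3 and current_vlan:
            vlan_addrs.append((current_vlan, t[2]))

    # With no community strings, v1/v2c access is disabled (guide, "Community
    # Strings"), so every string present is an enabled, unauthenticated path.
    for name, access in communities:
        findings.append(f"snmp: v1/v2c community '{name}' enables {access} access")
    for name, level in v3_groups:
        if level == "noauth":
            findings.append(f"snmp: v3 group '{name}' allows unauthenticated access")
    # Only one VLAN may hold the management address; a later one overrides it.
    if len(vlan_addrs) > 1:
        findings.append("ip: several VLAN interfaces carry an address; the last one becomes the management VLAN")
    for vlan, addr in vlan_addrs:
        if addr not in ("dhcp", "bootp") and not is_valid_ipv4(addr):
            findings.append(f"ip: '{addr}' on VLAN {vlan} is not a dotted-quad address")
    return findings


# Constructed sample config, not captured from a real switch.
SAMPLE_CONFIG = """\
hostname R&D 5
username admin password 0 admin
username guest password 0 Gu3stAcc
enable password level 15 0 super
snmp-server community public ro
snmp-server community private rw
snmp-server view mib-2 1.3.6.1.2.1 included
snmp-server group r&d v3 auth mib-2 mib-2
snmp-server group legacy v3 noauth mib-2 mib-2
interface vlan 1
 ip address 192.168.1.5 255.255.255.0
 exit
ip default-gateway 192.168.1.254
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```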
Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are:
• Configuration — This file stores system configuration information and is created when configuration settings are saved.
Configuring Power over Ethernet
The 24 10/100 Mbps ports on the SMC6824MPE and SMC6826MPE support the IEEE 802.3af Power-over-Ethernet (PoE) standard that enables DC power to be supplied to attached devices over the unused pairs of wires in the connecting Ethernet cable. Any 802.3af compliant device attached to a port can directly draw power from the switch over the Ethernet cable without requiring its own separate power source.
CHAPTER 3 CONFIGURING THE SWITCH
Using the Web Interface
This switch provides an embedded HTTP Web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).
Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
Notes:
1. You are allowed three attempts to enter the correct password; on the third failed attempt the current connection is terminated.
2. If you log into the web interface as guest (Normal Exec level), you can view the configuration settings or change the guest password. If you log in as “admin” (Privileged Exec level), you can change the settings on any page.
3.
Navigating the Web Browser Interface
To access the Web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”
Home Page
When your Web browser connects with the switch’s Web agent, the home page is displayed as shown below.
Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the Web page configuration buttons.
Table 3-1 Web Page Configuration Buttons
• Apply – Sets specified values to the system.
• Revert – Cancels specified values and restores current values prior to pressing “Apply” or “Apply Changes.
Panel Display
The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-117.
Main Menu
Using the onboard Web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 3-2 Switch Main Menu (Continued)
SNTP (page 3-43)
• Configuration – Configures SNTP client settings, including broadcast mode or a specified list of servers (3-43)
• Clock Time Zone – Sets the local time zone for the system clock (3-43)
SNMP (3-45)
• Configuration – Configures community strings and related trap functions (3-48)
• Agent Status – Allows SNMP to be enabled or disabled (3-50)
• SNMPv3 (3-53)
  • Engine ID – Sets the SNMP v3 engine ID on this switch (3-
Table 3-2 Switch Main Menu (Continued)
802.
Table 3-2 Switch Main Menu (Continued)
• Broadcast Control – Sets the broadcast storm threshold for each port (3-135)
• Mirror Port Configuration – Sets the source and target ports for mirroring (3-136)
Rate Limit (3-138)
• Input Port Configuration – Sets the input rate limit for each port (3-138)
• Input Trunk Configuration – Sets the input rate limit for each trunk (3-138)
• Output Port Configuration – Sets the output rate limit for each port (3-138)
• Output Tr
Table 3-2 Switch Main Menu (Continued)
• Configures individual trunk settings for STA (3-169)
• VLAN Configuration – Configures priority and VLANs for a spanning tree instance (3-172)
• Port Information – Displays port settings for a specified MST instance (3-175)
• Trunk Information – Displays trunk settings for a specified MST instance (3-175)
• Port Configuration – Configures port settings for a specified MST instance (3-177)
• Trunk Configuration – Configures trunk setting
Table 3-2 Switch Main Menu (Continued)
Private VLAN (page 3-194)
• Information – Shows private VLANs and associated ports (3-195)
• Configuration – Configures private VLANs (3-197)
• Association – Maps a secondary VLAN to a primary VLAN (3-198)
• Port Information – Shows VLAN port type, and associated primary or secondary VLANs (3-199)
• Port Configuration – Configures VLAN port type, and associated primary or secondary VLANs (3-200)
• Trunk Information – Shows VLAN trun
Table 3-2 Switch Main Menu (Continued)
• Copy Settings – Enables mapping IP Precedence and DSCP Priority settings to ports, or trunks.
Basic Configuration
Displaying System Information
You can easily identify the system by providing a descriptive name, location and contact information.
Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for switch’s network management subsystem. (SMC6824M: 1.3.6.1.4.1.202.20.28; SMC6824MPE: 1.3.6.1.4.1.202.20.41; SMC6826MPE: 1.3.6.1.4.1.202.20.53)
• Location – Specifies the system location.
Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that accesses the Command Line Interface via Telnet.
CLI – Specify the hostname, location and contact information.
Console(config)#hostname R&D 5
Console(config)#snmp-server location WC 9
Console(config)#snmp-server contact Geoff
Console(config)#end
Console#show system
System description: TigerStack III 10/100 6824M Managed 24+2 Stackable Switch; SW version: V2.4.2.13
System OID string: 1.3.6.1.4.1.202.20.28
System information
System Up time: 0 days, 0 hours, 6 minutes, and 26.
• Internal Power Status – Displays the status of the internal power supply.
Management Software
• Loader Version – Version number of loader code.
• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.
• Operation Code Version – Version number of runtime code.
• Role – Shows that this switch is operating as Master or Slave.
Web – Click System, Switch Information.
Figure 3-4 General Switch Information
CLI – Use the following command to display version information.
Console#show version
Unit 1
Serial number:
Service tag:
Hardware version: R0B
Module A type: Stacking Module
Module B type: not present
Number of ports: 25
Main power status: up
Redundant power status: not present
Agent (master)
Unit ID: 1
Loader version: 2.1.2.0
Boot ROM version: 2.1.2.10
Operation code version: 2.4.2.
Displaying Bridge Extension Capabilities
The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
Field Attributes
• Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Web – Click System, Bridge Extension.
Figure 3-5 Displaying Bridge Extension Configuration
CLI – Enter the following command.
You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything other than this format will not be accepted by the CLI program.
Command Attributes
• Management VLAN – ID of the configured VLAN (1-4093). This is the only VLAN through which you can gain management access to the switch.
Manual Configuration
Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static.” Enter the IP address, subnet mask and gateway, then click Apply.
Figure 3-6 IP Interface Configuration - Manual
CLI – Specify the management interface, IP address and default gateway.
Console#config
Console(config)#interface vlan 1
Console(config-if)#ip address 10.2.13.30 255.255.255.
Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.
Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.
BASIC CONFIGURATION Renewing DCHP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI. Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the Web interface.
• File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) • Source/Destination Unit – Stack unit. (Range: 1 - 8) Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch.
If you download to a new destination file, go to the File, Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System/Reset menu. Figure 3-9 Setting the Startup Code To delete a file, select System, File, Delete. Select the file name from the given list by checking the tick box and then click Apply. Note that the file currently designated as the startup code cannot be deleted.
CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names. When the file has finished downloading, set the new file to start up the system and then restart the switch. To start the new firmware, enter the “reload” command or reboot the system. Console#copy tftp file TFTP server ip address: 10.1.0.99 Choose file type: 1. config: 2. opcode 3.
- file to startup-config - Copies a file in the switch to the startup configuration.
- file to tftp - Copies a file from the switch to a TFTP server.
- running-config to file - Copies the running configuration to a file.
- running-config to startup-config - Copies the running config to the startup config.
- running-config to tftp - Copies the running configuration to a TFTP server.
- startup-config to file - Copies the startup configuration to a file on the switch.
Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch. Web – Click System, File, Copy.
If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file is automatically set as the start-up configuration file. To use the new settings, reboot the system via the System/Reset menu. You can also select any configuration file as the start-up configuration by using the System/File Management/Set Start-Up page.
This example shows how to download a PoE controller file from a TFTP server. Console#copy tftp file TFTP server IP address: 10.3.4.50 Choose file type: 1. config: 2. opcode 3. PD_Controller: <1-3>: 3 Source file name: 7012_007.s19 Destination file name: PoE-test Write to FLASH Programming. Write to FLASH finish. Success. Console# This example shows how to copy a PoE controller file from another unit in the stack.
• Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts) • Silent Time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded.
Web – Click System, Line, Console. Specify the console port connection parameters as required, then click Apply. Figure 3-13 Console Port Settings CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
Telnet Settings You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password. These parameters can be configured via the Web or CLI interface. Command Attributes • Telnet Status – Enables or disables Telnet access to the switch.
Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply. Figure 3-14 Configuring the Telnet Interface CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and it displays a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Command Attributes • System Log Status – Enables/disables the logging of debug or error messages to the logging process. • Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3).
Web – Click System, Log, System Logs. Specify the System Log Status, set the level of event messages to be logged to RAM and flash memory, and then click Apply. Figure 3-15 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
This attribute specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database. (Range: 16-23, Default: 23) • Logging Trap – Limits log messages that are sent to the remote syslog server for all levels up to the specified level.
CLI – Enter the syslog server host IP address, choose the facility type and set the minimum level of messages to be logged. Console(config)#logging host 192.168.1.7 Console(config)#logging facility 23 Console(config)#logging trap 4 Console(config)# Console#show logging trap Syslog logging: Enabled REMOTELOG status: Enabled REMOTELOG facility type: local use 7 REMOTELOG level type: Warning conditions REMOTELOG server IP address: 192.168.1.7 REMOTELOG server IP address: 0.0.0.
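As an added example (not part of the manual), the facility and trap-level settings above worked through in Python: RFC 3164 encodes the PRI field as facility*8 + severity, so “logging facility 23” with a Warning-level event yields &lt;188&gt;, and “logging trap 4” forwards only severities 0-4 to the remote host. The sample events and the timestamp format are constructed.

```python
"""Remote syslog forwarding as this switch configures it (constructed model).

Mirrors 'logging facility 23' (local use 7) and 'logging trap 4'
(Warning conditions): only events at severity 0..4 leave the switch, and
each carries an RFC 3164 PRI of facility * 8 + severity.
"""
from __future__ import annotations
from dataclasses import dataclass

# RFC 3164 severity names, index == numeric level (0 = most severe).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]


def facility_name(facility: int) -> str:
    """The switch offers facilities 16-23 only, i.e. 'local use 0'..'local use 7'."""
    if not 16 <= facility <= 23:
        raise ValueError(f"facility {facility} outside switch range 16-23")
    return f"local use {facility - 16}"


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    facility_name(facility)                     # range check
    if not 0 <= severity <= 7:
        raise ValueError(f"severity {severity} outside 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple[int, int]:
    """Split a received PRI back into (facility, severity) on the collector side."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside 0-191")
    return divmod(pri, 8)


@dataclass(frozen=True)
class Event:
    severity: int
    text: str


def forwarded_messages(events: list[Event], trap_level: int, facility: int,
                       hostname: str = "Console") -> list[str]:
    """Apply 'logging trap <level>': forward severities 0..trap_level only.

    Returns RFC 3164-style lines. The timestamp is a constructed placeholder;
    the switch's own on-the-wire format is not shown on this page.
    """
    out = []
    for ev in events:
        if ev.severity <= trap_level:
            pri = encode_pri(facility, ev.severity)
            out.append(f"<{pri}>Jan  1 00:01:30 {hostname} {ev.text}")
    return out


# Constructed sample events in the style of the page's 'show logging' output;
# the severities are this example's assumptions.
SAMPLE_EVENTS = [
    Event(6, "VLAN 1 link-up notification."),
    Event(6, "Unit 1, Port 1 link-up notification."),
    Event(4, "Unit 1, Port 1 link-down notification."),
    Event(3, "Unit 1, Port 5 security violation."),
]

if __name__ == "__main__":
    for line in forwarded_messages(SAMPLE_EVENTS, trap_level=4, facility=23):
        print(line)
```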
CLI – This example shows the event message stored in RAM. Console#show logging flash [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.
Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add. To delete an IP address, click the entry in the SMTP Server List and click Remove. Specify up to five email addresses to receive the alert messages, and click Apply.
CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail command to display the current SMTP configuration. Console(config)#logging sendmail host 192.168.1.
CLI – Use the reload command to reboot the system. Console#reload System will be restarted, continue ? y Note: When restarting the system, it always runs the Power-On Self-Test. Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
Web – Select SNTP, Configuration. Modify any of the required parameters and click Apply. Figure 3-20 SNTP Configuration CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.
SIMPLE NETWORK MANAGEMENT PROTOCOL • Hours (0-13) – The number of hours before UTC (0-12) or after UTC (0-13). • Minutes (0-59) – The number of minutes before/after UTC. • Direction – Configures the time zone to be before (east) or after (west) UTC. Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC, and click Apply. Figure 3-21 Setting the Time Zone CLI - This example shows how to set the time zone for the system clock.
Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network. The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3 clients. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports.
Table 3-4 SNMPv3 Security Models and Levels
Model | Level | Group | Read View | Write View | Notify View | Security
v1 | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v1 | noAuthNoPriv | private (read/write) | defaultview | defaultview | none | Community string only
v1 | noAuthNoPriv | user defined | user defined | user defined | (illegible) | Community string only
v2c | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v2c | noAuthNoPriv | private | defau
Enabling the SNMP Agent Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3). Command Attributes SNMP Agent Status – Enables SNMP on the switch. Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled checkbox, and click Apply. Figure 3-22 Enabling the SNMP Agent CLI – The following example enables SNMP on the switch.
• Access Mode – Specifies the access rights for the community string: - Read-Only – Authorized management stations are only able to retrieve MIB objects. - Read/Write – Authorized management stations are able to both retrieve and modify MIB objects. Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add.
Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as SMC EliteView). You can specify up to five management stations that will receive authentication failure messages and other notification messages from the switch.
3. Create a view with the required notification messages (page 3-67). 4. Create a group that includes the required notify view (page 3-61). 5. Specify a remote engine ID where the user resides (page 3-54). 6. Then configure a remote user (page 3-58). Command Attributes • Trap Manager Capability – This switch supports up to five trap managers. • Current – Displays a list of the trap managers currently configured.
- Retry times – The maximum number of times to resend an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 3) • Enable Authentication Traps – Issues a notification message to specified IP trap managers whenever authentication of an SNMP request fails. (Default: Enabled) • Enable Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken. (Default: Enabled) Web – Click SNMP, Configuration.
Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first before configuring other parameters. 2. Specify read and write access views for the switch MIB tree. 3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy). 4.
Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of up to 26 hexadecimal characters and then click Save. Figure 3-25 Setting an Engine ID CLI – This example sets an SNMPv3 engine ID.
Web – Click SNMP, SNMPv3, Remote Engine ID. Enter an ID of up to 26 hexadecimal characters and then click Save. Figure 3-26 Setting an Engine ID CLI – This example specifies a remote SNMPv3 engine ID. Console(config)#snmp-server engineID remote 54321 192.168.1.19 Console(config)#exit Console#show snmp engine-id Local SNMP engineID: 8000002a8000000000e8666672 Local SNMP engineBoots: 1 Remote SNMP engineID 80000000030004e2b316c54321 IP address 192. Console#
- AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model). • Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) • Authentication Password – A minimum of eight plain text characters is required. • Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available.
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.
CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user chris group r&d v3 auth md5 greenpeace priv des56 einstien Console(config)#exit Console#show snmp user EngineId: 80000034030001f488f5200000 User Name: chris Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active Console# Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name.
Command Attributes • User Name – The name of user connecting to the SNMP agent. (Range: 1-32 characters) • Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters) • Engine ID – The engine identifier for the SNMP agent on the remote device where the remote user resides. Note that the remote engine identifier must be specified before you configure a remote user. (See “Specifying a Remote Engine ID” on page 3-54.
Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien Console(config)#exit Console#show snmp user No user exist.
• Notify View – The configured view for notifications. (Range: 1-64 characters)
Table 3-5 Supported Notification Messages
Object Label | Object ID | Description
newRoot | 1.3.6.1.2.1.17.0.1 | The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange | 1.3.6.1.2.1.17.0.
Table 3-5 Supported Notification Messages (Continued)
Object Label | Object ID | Description
warmStart | 1.3.6.1.6.3.1.1.5.2 | A warmStart trap signifies that the SNMPv2 entity, acting in an agent role, is reinitializing itself such that its configuration is unaltered.
linkDown* | 1.3.6.1.6.3.1.1.5.
Table 3-5 Supported Notification Messages (Continued)
Object Label | Object ID | Description
authenticationFailure* | 1.3.6.1.6.3.1.1.5.5 | An authenticationFailure trap signifies that the SNMPv2 entity, acting in an agent role, has received a protocol message that is not properly authenticated. While all implementations of the SNMPv2 must be capable of generating this trap, the snmpEnableAuthenTraps object indicates whether this trap will be generated.
risingAlarm | 1.3.6.1.2.1.16.0.
Table 3-5 Supported Notification Messages (Continued)
Object Label | Object ID | Description
swIpFilterRejectTrap | 1.3.6.1.4.1.202.20.28.63.2.1.0.40, 1.3.6.1.4.1.202.20.41.63.2.1.0.40, 1.3.6.1.4.1.202.20.53.63.2.1.0.40 | This trap is sent when an incorrect IP address is rejected by the IP Filter.
swSmtpConnFailureTrap | 1.3.6.1.4.1.202.20.28.63.2.1.0.41, 1.3.6.1.4.1.202.20.41.63.2.1.0.41, 1.3.6.1.4.1.202.20.53.63.2.1.0. | This trap is triggered if the SMTP system cannot
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views.
Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list. For a specific view, click on View OID Subtrees to display the current configuration, or click on Edit OID Subtrees to make changes to the view settings. To delete a view, check the box next to the view name, then click Delete.
USER AUTHENTICATION CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)#exit Console#show snmp view View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.* View Type: included Storage Type: nonvolatile Row Status: active View Name: readaccess Subtree OID: 1.3.6.1.
Configuring User Accounts The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place. The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.
Web – Click Security, User Accounts. To configure a new user account, enter the user name, access level, and password, then click Add. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply. Figure 3-31 Configuring User Accounts CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password.
Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols. Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus [Figure: console, Web and Telnet clients; 1. Client attempts management access.]
• You can specify up to three authentication methods for any user to indicate the authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and (3) Local, the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted using the TACACS+ server, and finally the local user name and password is checked.
• TACACS Settings - Server IP Address – Address of the TACACS+ server. (Default: 10.11.12.13) - Server Port Number – Network (TCP) port of TACACS+ server used for authentication messages. (Range: 1-65535; Default: 49) - Secret Text String – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters) Note: The local switch user database has to be set up by manually entering user names and passwords using the CLI.
CLI – Specify all the required parameters to enable logon authentication. Console(config)#authentication login radius Console(config)#radius-server port 181 Console(config)#radius-server key green Console(config)#radius-server retransmit 5 Console(config)#radius-server timeout 10 Console(config)#radius-server 1 host 192.168.1.
• If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection. - The client and server generate session keys for encrypting and decrypting data.
Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-33 HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number. Console(config)#ip http secure-server Console(config)#ip http secure-port 441 Console(config)# Replacing the Default Secure-site Certificate When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to replace the default (unrecognized) certificate with an authorized one: Console#copy tftp https-certificate TFTP server ip address: Source certificate file name: Source private file name: Private password: Note: The switch must be reset for the new certif
Command Usage The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the Authentication Settings page (page 3-69).
only accepts public key files based on standard UNIX format as shown in the following example for an RSA Version 1 key: 1024 35 1341081685609893921040944920155425347631641921872958921143173880 05553616163105177594083868631109291232226828519254374603100937187721199 69631781366277414168985132049117204830339254324101637997592371449011938 00609025394840848271781943722884025331159521348610229029789827213532671 31629432532818915045306393916643 steve@192.168.1.19 4.
Notes: 1. To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client’s keys. 2. The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
• Generate – This button is used to generate the host key pair. Note that you must first generate the host key pair before you can enable the SSH server on the SSH Server Settings page. • Clear – This button clears the host key from both volatile memory (RAM) and non-volatile memory (Flash). Web – Click Security, SSH, Host-Key Settings.
CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
• SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits; Default: 768) - The server key is a private key that is never shared outside the switch. - The host key is shared with the SSH client, and is fixed at 1024 bits. Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note that you must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server.
Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
• If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (page 3-117). Command Attributes • Port – Port number. • Name – Descriptive text (page 3-114). • Action – Indicates the action to be taken when a port security violation is detected: - None: No action should be taken. (This is the default.) - Trap: Send an SNMP trap message. - Shutdown: Disable the port.
Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 3-36 Enabling Port Security CLI – This example enables port security for Port 5 with the intrusion action to send a trap and disable the port, and then sets the maximum addresses to learn on the port to 20.
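The port security behaviour described above (learn up to the maximum, then treat any further unknown source MAC as a violation and apply the configured action) as an added Python model; this is example code, not SMC firmware, and the enum names, the sample MAC addresses and the assumption that the offending frame is dropped are this example's own.

```python
"""Port security as described for this switch (constructed model).

A secured port learns source MACs up to its configured maximum and then
stops learning; a frame from an unknown MAC after that is a violation,
handled by the configured action (none, trap, shutdown). The page's CLI
example combines trap and shutdown, modelled here as TRAP_AND_SHUTDOWN.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    NONE = "none"
    TRAP = "trap"
    SHUTDOWN = "shutdown"
    TRAP_AND_SHUTDOWN = "trap-and-shutdown"


@dataclass
class SecuredPort:
    name: str
    max_addresses: int
    action: Action
    security_enabled: bool = True
    link_up: bool = True                       # False after a shutdown action
    learned: set[str] = field(default_factory=set)
    traps: list[str] = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if it is forwarded."""
        src_mac = src_mac.lower()
        if not self.link_up:
            return False                       # port was shut down
        if not self.security_enabled:
            self.learned.add(src_mac)          # ordinary, unlimited learning
            return True
        if src_mac in self.learned:
            return True
        if len(self.learned) < self.max_addresses:
            self.learned.add(src_mac)
            return True
        # Table full and MAC unknown: security violation. Assumption: the
        # frame is dropped; the page states only that learning stops and
        # the configured action is taken.
        self._violation(src_mac)
        return False

    def _violation(self, src_mac: str) -> None:
        if self.action in (Action.TRAP, Action.TRAP_AND_SHUTDOWN):
            self.traps.append(f"{self.name}: intrusion from {src_mac}")
        if self.action in (Action.SHUTDOWN, Action.TRAP_AND_SHUTDOWN):
            self.link_up = False

    def admin_re_enable(self) -> None:
        """Manual re-enable, the page's Port/Port Configuration step."""
        self.link_up = True


def constructed_macs(count: int) -> list[str]:
    """Constructed, locally administered MACs 02:00:00:00:00:01, 02, ..."""
    return [f"02:00:00:00:00:{i:02x}" for i in range(1, count + 1)]


def run_port5_scenario() -> dict:
    """Replays the page's CLI example: Port 5, trap and shutdown, max 20."""
    port = SecuredPort("Port 5", max_addresses=20, action=Action.TRAP_AND_SHUTDOWN)
    known = constructed_macs(20)
    learned_ok = all(port.ingress(m) for m in known)
    repeat_ok = port.ingress(known[0])                      # already learned
    intruder_forwarded = port.ingress("02:00:00:00:00:ff")  # 21st address
    forwarded_while_down = port.ingress(known[0])           # port now down
    port.admin_re_enable()
    return {
        "learned_ok": learned_ok,
        "repeat_ok": repeat_ok,
        "intruder_forwarded": intruder_forwarded,
        "trap_count": len(port.traps),
        "forwarded_while_down": forwarded_while_down,
        "forwarded_after_re_enable": port.ingress(known[0]),
        "learned_count": len(port.learned),
    }


if __name__ == "__main__":
    for key, value in run_port5_scenario().items():
        print(f"{key}: {value}")
```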
Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.
allows the client to access the network. Otherwise, network access is denied and the port remains blocked. The operation of 802.1X on the switch requires the following: • The switch must have an IP address assigned. • RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified. • 802.1X must be enabled globally for the switch. • Each switch port that will be used must be set to dot1x “Auto” mode.
CLI – This example shows the default global setting for 802.1X. Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized 1/1 disabled Single-Host ForceAuthorized n/a 1/2 disabled Single-Host ForceAuthorized n/a . . . 802.1X Port Details 802.1X is disabled on port 1/1 . . . 802.1X is disabled on port 26 Console# Configuring 802.1X Global Settings The 802.
Configuring Port Settings for 802.1X When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server. These parameters are described in this section. Command Attributes • Status – Indicates if authentication is enabled or disabled on the port.
• Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds) • TX Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds) • Authorized - Yes – Connected client is authorized. - No – Connected client is not authorized. - Blank – Displays nothing when dot1x is disabled on a port.
Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized 1/1 disabled Single-Host ForceAuthorized yes 1/2 enabled Single-Host Auto yes . . . 1/25 disabled Single-Host ForceAuthorized n/a 1/26 disabled Single-Host ForceAuthorized n/a 802.1X Port Details 802.1X is disabled on port 1/1 802.
Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port.
Table 3-7 802.1X Statistics
Parameter | Description
Rx EAPOL Start | The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff | The number of EAPOL Logoff frames that have been received by this Authenticator.
Rx EAPOL Invalid | The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized.
Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-40 Displaying 802.1X Statistics CLI – This example displays the 802.1X statistics for port 4.
Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage • The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry. Figure 3-41 Entering IP Addresses to be Filtered CLI – This example restricts management access for Telnet and SNMP clients. Console(config)#management telnet-client 192.168.1.19 Console(config)#management telnet-client 192.168.1.25 192.168.1.
Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
ACCESS CONTROL LISTS • When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail. • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail. The order in which active ACLs are checked is as follows: 1. 2. 3. 4. 5.
Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list.
Figure 3-42 Selecting ACL Type
CLI – This example creates a standard IP ACL named bill.
Console(config)#access-list ip standard bill
Console(config-std-acl)#
Configuring a Standard IP ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add.
Figure 3-43 Configuring Standard IP ACLs
CLI – This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.
Console(config-std-acl)#permit host 10.1.1.
• Source/Destination Subnet Mask – Subnet mask for source or destination address. (See the description for SubMask on page 3-100.)
• Service Type – Packet priority settings based on the following criteria:
- Precedence – IP precedence level. (Range: 0-7)
- TOS – Type of Service level. (Range: 0-15)
- DSCP – DSCP priority level. (Range: 0-63)
• Protocol – Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255).
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.
CLI – This example adds three rules:
1. Accept any incoming packets if the source address is in subnet 10.7.1.x. For example, the rule is matched when the masked rule address (10.7.1.0 & 255.255.255.0) equals the masked packet address (10.7.1.2 & 255.255.255.0), and the packet passes through.
2. Allow TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP).
3. Permit all TCP packets from class C addresses 192.168.1.
• Ethernet Type Bitmask – Protocol bitmask. (Range: 600-fff hex.)
• Packet Format – This attribute includes the following packet types:
- Any – Any Ethernet packet type.
- Untagged-eth2 – Untagged Ethernet II packets.
- Untagged-802.3 – Untagged Ethernet 802.3 packets.
- Tagged-eth2 – Tagged Ethernet II packets.
- Tagged-802.3 – Tagged Ethernet 802.3 packets.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.
Configuring ACL Masks
You must specify masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egress ACL. A mask must be bound exclusively to one of the basic ACL types (i.e.
Web – Click Security, ACL, Mask Configuration. Click Edit for one of the basic mask types to open the configuration page.
Figure 3-46 Choosing ACL Types
CLI – This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of precedence to look for a match in the ACL entries. The first entry matching a mask is applied to the inbound packet.
• Source/Destination Subnet Mask – Subnet mask for source or destination address. (See the description for SubMask on page 3-100.)
• Protocol Bitmask – Check the protocol field.
• Service Type Mask – Check the rule for the specified priority type. (Options: Precedence, TOS, DSCP; Default: TOS)
• Source/Destination Port Bitmask – Protocol port of rule must match this bitmask. (Range: 0-65535)
• Control Code Bitmask – Control flags of rule must match this bitmask.
CLI – This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255” rule has the higher precedence according to the “mask host any” entry.
Console(config)#access-list ip standard A2
Console(config-std-acl)#permit 10.1.1.0 255.255.255.0
Console(config-std-acl)#deny 10.1.1.1 255.255.255.
Web – Configure the mask to match the required rules in the MAC ingress or egress ACLs. Set the mask to check for any source or destination address, a host address, or an address range. Use a bitmask to search for specific VLAN ID(s) or Ethernet type(s). Or check for rules where a packet format was specified. Then click Add.
CLI – This example shows how to create an ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
• When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail.
• The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in the ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
Command Attributes
• Port – Fixed port or optional module/SFP port.
CLI – This example assigns an IP and MAC ingress ACL to port 1, and an IP ingress ACL to port 2.
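The three ACL behaviours described in this section (the masked-address match test, mask entries overriding rule entry order as in ACL A2, and the egress binding restrictions) as one added Python model of a standard source-address IP ACL; this is example code, not SMC firmware. The `Rule`/`MaskEntry` types, the way a `subnet` mask entry selects rules and the mask list used for A2 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not SMC code. Models a standard (source-address) IP ACL: the
# manual's match test, mask entries that override rule entry order, and the
# egress binding constraints. Type and function names are assumed.


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    address: str    # rule address, e.g. "10.1.1.0"
    mask: str       # subnet mask; 255.255.255.255 = host, 0.0.0.0 = any


@dataclass(frozen=True)
class MaskEntry:
    """One mask entry. 'host' and 'any' select rules of that kind; 'subnet'
    selects rules whose mask equals subnet_mask (assumed semantics)."""
    kind: str
    subnet_mask: Optional[str] = None


def _rule_kind(rule: Rule) -> str:
    if rule.mask == "255.255.255.255":
        return "host"
    if rule.mask == "0.0.0.0":
        return "any"
    return "subnet"


def matches_rule(rule: Rule, src: str) -> bool:
    """The manual's test: (rule address & mask) == (packet address & mask)."""
    m = int(ipaddress.IPv4Address(rule.mask))
    rule_net = int(ipaddress.IPv4Address(rule.address)) & m
    return rule_net == (int(ipaddress.IPv4Address(src)) & m)


def _selected_by(entry: MaskEntry, rule: Rule) -> bool:
    kind = _rule_kind(rule)
    if entry.kind == "subnet":
        return kind == "subnet" and rule.mask == entry.subnet_mask
    return kind == entry.kind


def evaluate(acl: List[Rule], masks: List[MaskEntry], src: str) -> str:
    """Walk the mask entries in order; the first rule that a mask entry selects
    and that matches the packet decides. Rule entry order plays no part."""
    for entry in masks:
        for rule in acl:
            if _selected_by(entry, rule) and matches_rule(rule, src):
                return rule.action
    return "no-match"


def evaluate_entry_order(acl: List[Rule], src: str) -> str:
    """First match in entry order, for contrast with the mask-driven result."""
    for rule in acl:
        if matches_rule(rule, src):
            return rule.action
    return "no-match"


def egress_bind_error(acl: List[Rule]) -> Optional[str]:
    """Binding as an egress filter fails unless every rule is a deny, and an
    explicit 'deny any' (the manual's 'deny any any') is not accepted."""
    for rule in acl:
        if rule.action != "deny":
            return f"egress ACL must contain only deny rules: {rule.action} {rule.address}"
        if _rule_kind(rule) == "any":
            return "explicit 'deny any' is not supported in an egress ACL"
    return None


# ACL A2 from the manual's example; the mask list is constructed here (the
# manual's own entry is "mask host any", i.e. host rules take precedence).
ACL_A2 = [Rule("permit", "10.1.1.0", "255.255.255.0"),
          Rule("deny", "10.1.1.1", "255.255.255.255")]
MASKS_A2 = [MaskEntry("host"), MaskEntry("subnet", "255.255.255.0")]

if __name__ == "__main__":
    for src in ("10.1.1.1", "10.1.1.2", "10.2.0.1"):
        print(src, "mask order:", evaluate(ACL_A2, MASKS_A2, src),
              "| entry order:", evaluate_entry_order(ACL_A2, src))
    print("egress bind of A2:", egress_bind_error(ACL_A2))
```

Source 10.1.1.1 is dropped under the mask order but would be permitted under plain entry order, which is exactly the precedence change the manual warns about.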
PORT CONFIGURATION
Web – Click Port, Port Information or Trunk Information.
Figure 3-50 Port - Port Information
Field Attributes (CLI)
Basic information:
• Port type – Indicates the port type. (100BASE-TX, 1000BASE-GBIC, 100BASE-FX-S, 100BASE-FX-M, 1000BASE-T, or SFP)
• MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the IP Address” on page 3-19.)
Configuration:
• Name – Interface label.
• Port admin – Shows if the interface is enabled or disabled (i.
- 100full - Supports 100 Mbps full-duplex operation
- 1000full - Supports 1000 Mbps full-duplex operation
- Sym - Transmits and receives pause frames for flow control
- FC - Supports flow control
• Broadcast storm – Shows if broadcast storm control is enabled or disabled.
• Broadcast storm limit – Shows the broadcast storm threshold. (500-262143 packets per second)
• Flow control – Shows if flow control is enabled or disabled.
• LACP – Shows if LACP is enabled or disabled.
CLI – This example shows the connection status for Port 13.
the capabilities to be advertised. When auto-negotiation is disabled, you can force the settings for speed, mode, and flow control. The following capabilities are supported.
Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply.
Figure 3-51 Configuring Port Attributes
CLI – Select the interface, and then enter the required settings.
Console(config)#interface ethernet 1/13
Console(config-if)#description RD SW#13
Console(config-if)#shutdown
.
Console(config-if)#no shutdown
Console(config-if)#no negotiation
Console(config-if)#speed-duplex 100half
Console(config-if)#flowcontrol
.
Creating Trunk Groups
You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices (i.e., single switch or a stack). You can create up to six trunks at a time. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
• When configuring static trunks on switches of different types, they must be compatible with the Cisco EtherChannel standard.
• The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
• Trunk ports must all be of the same media type (i.e., all 100BASE-T, 1000BASE-TX/SX/LX/LH, or all 100BASE-FX).
Web – Click Port, Trunk Membership. Enter a trunk ID of 1-6 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.
Figure 3-52 Static Trunk Configuration
CLI – This example creates trunk 1 with port 24 on units 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
Console#show interfaces status port-channel 1
Information of Trunk 1
 Basic information:
  Port type: 100TX
  Mac address: 00-30-F1-B3-16-C5
 Configuration:
  Name:
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 10half, 10full, 100half, 100full
  Flow control: Enabled
  Port security: Disabled
  Max MAC count: 0
 Current status:
  Created by: User
  Link status: Down
  Operation speed-duplex: 100full
  Flow control type: None
 Member Ports: Eth1/24, Eth2/24,
Console#
Enabling LACP on Selected Ports
Comm
Command Attributes
• Member List (Current) – Shows configured trunks (Unit, Port).
• New – Includes entry fields for creating new trunks.
- Unit – Stack unit. (Range: 1-8)
- Port – Port identifier. (Range: 1-26)
Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
Console#show interfaces status port-channel 1
Information of Trunk 1
 Basic information:
  Port type: 100TX
  Mac address: 00-04-E2-B3-16-D6
 Configuration:
  Name:
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 10half, 10full, 100half, 100full
  Flow control: Enabled
  Port security: Disabled
  Max MAC count: 0
 Current status:
  Created by: LACP
  Link status: Up
  Port operation status: Up
  Operation speed-duplex: 100full
  Flow control type: None
 Member Ports: Eth1/1, Eth1/2, Eth1/3, Eth1/4,
Console#
Command Attributes
Set Port Actor – This menu sets the local side of an aggregate link; i.e., the ports on this switch.
• Port – Port number. (Range: 1-26)
• System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations. (Range: 0-65535; Default: 32768)
- Ports must be configured with the same system priority to join the same LAG.
Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
CLI – The following example configures LACP parameters for ports 1-6. Ports 1-4 are used as active members of the LAG; ports 5 and 6 are set to backup mode.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp actor system-priority 3
Console(config-if)#lacp actor admin-key 120
Console(config-if)#lacp actor port-priority 128
Console(config-if)#exit
. . .
Displaying LACP Port Counters
You can display statistics for LACP protocol messages.
Table 3-8 LACP Port Counters
Field – Description
LACPDUs Sent – Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received – Number of valid LACPDUs received on this channel group.
Marker Sent – Number of valid Marker PDUs transmitted from this channel group.
Marker Received – Number of valid Marker PDUs received by this channel group.
CLI – The following example displays LACP counters for port channel 1.
Console#show lacp 1 counters
Channel group : 2
--------------------------------------------------------------
Eth 1/ 1
--------------------------------------------------------------
LACPDUs Sent: 307
LACPDUs Receive: 296
Marker Sent: 0
Marker Receive: 0
LACPDUs Unknown Pkts: 0
LACPDUs Illegal Pkts: 0
. . .
Table 3-9 LACP Internal Configuration Information (Continued)
Field – Description
Admin State, Oper State – Administrative or operational values of the actor’s state parameters:
• Expired – The actor’s receive machine is in the expired state;
• Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
• Distributing – If false, distribution of outgoing frames on this link is disabled; i.e.
Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.
Figure 3-56 Displaying LACP Port Information
CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Displaying LACP Settings and Status for the Remote Side
You can display configuration settings and the operational state for the remote side of a link aggregation.
Table 3-10 LACP Neighbor Configuration Information
Field – Description
Partner Admin System ID – LAG partner’s system ID assigned by the user.
Partner Oper System ID – LAG partner’s system ID assigned by the LACP protocol.
Partner Admin Port Number – Current administrative value of the port number for the protocol Partner.
Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information.
Figure 3-57 Displaying Remote LACP Port Information
CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Setting Broadcast Storm Thresholds
Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt. You can protect your network from broadcast storms by setting a threshold for broadcast traffic for all ports.
CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 60 packets per second for port 2.
Command Attributes
• Mirror Sessions – Displays a list of current mirror sessions.
• Source Unit – The unit whose port traffic will be monitored. (Range: 1-8)
• Source Port – The port whose traffic will be monitored. (Range: 1-26)
• Type – Allows you to select which traffic to mirror to the target port, Rx (receive), Tx (transmit), or Both. (Default: Rx)
• Target Unit – The unit whose port will "duplicate" or "mirror" the traffic on the source port.
Configuring Rate Limits
This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic coming out of the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
CLI - This example sets the rate limit for input and output traffic passing through port 1 to 60 Mbps.
Console(config)#interface ethernet 1/1
Console(config-if)#rate-limit input 60
Console(config-if)#rate-limit output 60
Console(config-if)#
Showing Port Statistics
You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Table 3-11 Port Statistics (Continued)
Parameter – Description
Received Discarded Packets – The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
Received Unknown Packets – The number of packets received via the interface which were discarded because of an unknown or unsupported protocol.
Etherlike Statistics
Alignment Errors – The number of alignment errors (missynchronized data packets).
Late Collisions – The number of times that a collision is detected later than 512 bit-times into the transmission of a packet.
FCS Errors – A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check.
Internal MAC Receive Errors – A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error.
RMON Statistics
Drop Events – The total number of events in which packets were dropped due to lack of resources.
64 Bytes Frames – The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
POWER OVER ETHERNET SETTINGS CLI – This example shows statistics for port 13.
the power required by a device exceeds the power budget of the port or the whole switch, power is not supplied. Ports can be set to one of three power priority levels, critical, high, or low. To control the power supply within the switch’s budget, ports set at critical or high priority have power enabled in preference to those ports set at low priority.
Web – Click PoE, Power Status.
Figure 3-62 Displaying the Global PoE Status
CLI – This example displays the current power status for the switch.
Web – Click PoE, Power Config. Specify the desired power budget for the switch. Click Apply.
Figure 3-63 Setting the Switch Power Budget
CLI – Use the power mainpower maximum allocation command to set the PoE power budget for the switch.
Console(config)#power mainpower maximum allocation 200
Console(config)#
Displaying Port Power Status
Use the Power Port Status page to display the current PoE power status for all ports.
Web – Click PoE, Power Port Status.
Figure 3-64 Displaying Port PoE Status
CLI – This example displays the PoE status and priority of port 1.
• If a device is connected to a critical or high-priority port and causes the switch to exceed its budget, port power is turned on, but the switch drops power to one or more lower-priority ports.
Note: Power is dropped from low-priority ports in sequence starting from port number 1.
Command Attributes
• Port – The port number on the switch.
• Admin Status – Enables PoE power on the port.
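The PoE budget rules above (per-port and switch-wide budgets, critical/high ports served before low ones, low ports dropped from port 1 upward) as an added Python simulation; this is example code, not SMC firmware. The `PoeSwitch` class, the milliwatt units for both budgets, and the handling of the case where preemption still cannot free enough power are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example, not SMC code: simulates the manual's PoE budget rules.
# Priority names, "critical/high preempt low" and "drop low ports starting
# from port 1" come from the text. Assumed: both budgets in milliwatts
# (like "power inline maximum allocation 8000" = 8 W), a critical port may
# also take high ports once low ones are gone, and a port that still does
# not fit after preemption is left unpowered with the victims restored.

RANK = {"critical": 0, "high": 1, "low": 2}   # lower rank = served first


@dataclass
class PoePort:
    number: int
    priority: str
    max_alloc_mw: int      # per-port budget (power inline maximum allocation)
    demand_mw: int = 0     # what the attached device draws; 0 = nothing attached
    powered: bool = False


class PoeSwitch:
    def __init__(self, budget_mw: int, ports: List[PoePort]) -> None:
        self.budget_mw = budget_mw                  # switch-wide budget
        self.ports: Dict[int, PoePort] = {p.number: p for p in ports}

    def used_mw(self) -> int:
        return sum(p.demand_mw for p in self.ports.values() if p.powered)

    def powered_ports(self) -> List[int]:
        return sorted(n for n, p in self.ports.items() if p.powered)

    def connect(self, number: int, demand_mw: int) -> bool:
        """Attach a device drawing demand_mw to a port; True if it gets power."""
        port = self.ports[number]
        port.demand_mw, port.powered = demand_mw, False
        if demand_mw > port.max_alloc_mw:
            return False                            # exceeds the port's budget
        if self.used_mw() + demand_mw <= self.budget_mw:
            port.powered = True
            return True
        if port.priority == "low":
            return False                            # low priority never preempts
        # Preempt powered ports of strictly lower priority: low ports first,
        # each level in ascending port number (the manual's "from port 1").
        victims = sorted(
            (p for p in self.ports.values()
             if p.powered and RANK[p.priority] > RANK[port.priority]),
            key=lambda p: (-RANK[p.priority], p.number))
        dropped = []
        for v in victims:
            v.powered = False
            dropped.append(v)
            if self.used_mw() + demand_mw <= self.budget_mw:
                port.powered = True
                return True
        for v in dropped:                           # still over budget: undo
            v.powered = True
        return False


if __name__ == "__main__":
    # Constructed scenario: 30 W switch budget, 15.4 W per port.
    sw = PoeSwitch(30000, [PoePort(1, "low", 15400), PoePort(2, "low", 15400),
                           PoePort(3, "high", 15400), PoePort(4, "critical", 15400)])
    for port, mw in ((1, 12000), (2, 12000), (3, 10000), (4, 15000)):
        print(f"port {port} +{mw} mW -> powered={sw.connect(port, mw)}",
              "now powered:", sw.powered_ports())
```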
ADDRESS TABLE SETTINGS
CLI – This example sets the PoE power budget for port 1 to 8 watts, the priority to high (2), and then enables the power.
Console(config)#interface ethernet 1/1
Console(config-if)#power inline maximum allocation 8000
Console(config-if)#power inline priority 2
Console(config-if)#power inline auto
Console(config-if)#
Address Table Settings
Switches store the addresses for all known devices.
Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address.
Figure 3-66 Mapping Ports to Static Addresses
CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
• VLAN – ID of configured VLAN (1-4093).
• Address Table Sort Key – You can sort the information displayed based on MAC address, VLAN or interface (port or trunk).
• Dynamic Address Counts – The number of addresses dynamically learned.
• Current Dynamic Address Table – Lists all the dynamic addresses.
Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e.
Changing the Aging Time
You can change the aging time for entries in the dynamic address table.
Command Attributes
• Aging Status – Enables or disables the aging time.
• Aging Time – The time after which a learned entry is discarded. (Range: 10-1000000 seconds; Default: 300 seconds)
Web – Click Address Table, Address Aging. Specify the new aging time, and click Apply.
Figure 3-68 Setting the Aging Time
CLI – This example sets the aging time to 300 seconds.
SPANNING TREE ALGORITHM CONFIGURATION The spanning tree algorithms supported by this switch include these versions: • STP – Spanning Tree Protocol (IEEE 802.1D) • RSTP – Rapid Spanning Tree Protocol (IEEE 802.1w) • MSTP – Multiple Spanning Tree Protocol (IEEE 802.1s) STA uses a distributed algorithm to select a bridging device (STA-compliant switch, bridge or router) that serves as the root of the spanning tree network.
start learning, predefining an alternate route that can be used when a node or port fails, and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs. When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members.
• Forward Delay – The maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
• Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
• Root Hello Time – Interval (in seconds) at which this device transmits a configuration message.
Web – Click Spanning Tree, STA Information.
Figure 3-69 Displaying the Spanning Tree Algorithm
CLI – This command displays global STA settings, followed by settings for each port.
--------------------------------------------------------------
Eth 1/ 1 information
--------------------------------------------------------------
Admin status: enabled
Role: disable
State: discarding
External path cost: 200000
Internal path cost: 200000
Priority: 128
Designated cost: 20000
Designated port : 128.1
Designated root: 32768.0.0000E8AAAA00
Designated bridge: 32768.0.
• Rapid Spanning Tree Protocol – RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
- STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
- RSTP Mode – If RSTP is using 802.
- RSTP: Rapid Spanning Tree (IEEE 802.1w) RSTP is the default.
- MSTP: Multiple Spanning Tree (IEEE 802.1s)
• Default Priority Format – Sets the default spanning tree priority format:
- 802.1D: Specifies IEEE 802.1D priority format in increments of 1.
- 802.1t: Specifies IEEE 802.1t format in increments of 4096.
• Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device.
• Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
Web – Click Spanning Tree, STA Configuration. Modify the required attributes, and click Apply.
CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
- If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
- All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding.
• Forward Transitions – The number of times this port has changed from the Learning state to the Forwarding state.
bridges, bridge ports, or LANs fail or are removed. The role is set to disabled (i.e., disabled port) if a port has no role within the spanning tree.
R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port
Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.
likely to be blocked if the Spanning Tree Algorithm is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.
• Designated root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
• Fast forwarding – This field is the same as Admin Edge port, and is only included for backward compatibility with earlier products.
CLI – This example shows general STA configuration and attributes for port 5.
Console#show spanning-tree ethernet 1/5
Eth 1/ 5 information
-------------------------------------------------------------
Admin status: enabled
Role: disable
State: discarding
External path cost: 200000
Internal path cost: 200000
Priority: 128
Designated cost: 200000
Designated port : 128.5
Designated root: 32768.0.0000E8AAAA00
Designated bridge: 32768.0.
- Learning - Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses.
- Forwarding - Port forwards packets, and continues learning addresses.
• Trunk – Indicates if a port is a member of a trunk.
The following interface attributes can be configured:
• Spanning Tree – Enables/disables STA on this interface.
• Admin Link Type – The link type attached to this interface.
- Point-to-Point – A connection to exactly one other bridge.
- Shared – A connection to two or more bridges.
- Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the default setting.
CLI – This example sets STA attributes for port 5.
Command Attributes
• MST Instance – Instance identifier of this spanning tree. (Default: 0)
• Priority – The priority of a spanning tree instance. (Range: 0-61440 in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440; Default: 32768)
• VLANs in MST Instance – VLANs assigned to this instance.
• MST ID – Instance identifier to configure.
CLI – This displays STA settings for instance 1, followed by settings for each port.
Console#show spanning-tree mst 1
Spanning-tree information
--------------------------------------------------------------
Spanning tree mode: MSTP
Spanning tree enabled/disabled: enabled
Instance: 1
VLANs configuration: 1
Priority: 32768
Bridge Hello Time (sec.): 2
Bridge Max Age (sec.): 20
Bridge Forward Delay (sec.): 15
Root Hello Time (sec.): 2
Root Max Age (sec.): 20
Root Forward Delay (sec.
CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI.
Console(config)#spanning-tree mst-configuration
Console(config-mst)#mst 1 priority 4096
Console(config-mst)#mst 1 vlan 1-5
Console(config-mst)#
Displaying Interface Settings for MSTP
The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST (page 3-156); the settings for other instances only apply to the local spanning tree.
Configuring Interface Settings for MSTP
You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages.
Field Attributes
The following attributes are read-only and cannot be changed:
• STA State – Displays current state of this port within the Spanning Tree. (See Displaying Interface Settings on page 3-165 for additional information.
when the Path Cost Method is set to short (page 3-63), the maximum path cost is 65,535. By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode.
VLAN CONFIGURATION

VLAN Configuration

IEEE 802.1Q VLANs

In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks. This also provides a more secure and cleaner network environment. An IEEE 802.

Assigning Ports to VLANs

Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports. Add a port as a tagged port if you want it to carry traffic for one or more VLANs, and any intermediate network devices or the host at the other end of the connection support VLANs.

Port Overlapping – Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch.

Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security.

should also determine security boundaries in the network and disable GVRP on ports to prevent advertisements being propagated, or forbid ports from joining restricted VLANs.

Note: If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices (as described in “Adding Static Members to VLANs (VLAN Index)” on page 3-188).

by the frame tag. However, when this switch receives an untagged frame from a VLAN-unaware device, it first decides where to forward the frame, and then inserts a VLAN tag reflecting the ingress port’s default VID.

Enabling or Disabling GVRP (Global Setting)

GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network.
Displaying Basic VLAN Information

The VLAN Basic Information page displays basic information on the VLAN type supported by the switch.

Field Attributes
• VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
• Maximum VLAN ID – Maximum VLAN ID recognized by this switch.
• Maximum Number of Supported VLANs – Maximum number of VLANs that can be configured on this switch.

Web – Click VLAN, 802.1Q VLAN, Basic Information.

Displaying Current VLANs

The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging.

Command Attributes (Web)
• VLAN ID – ID of configured VLAN (1-4093).
• Up Time at Creation – Time this VLAN was created (i.e., System Up Time).

Command Attributes (CLI)
• VLAN – ID of configured VLAN (1-4093, no leading zeroes).
• Type – Shows how this VLAN was added to the switch.
  - Dynamic: Automatically learned via GVRP.
  - Static: Added as a static entry.
• Name – Name of the VLAN (1 to 32 characters).
• Status – Shows if this VLAN is enabled or disabled.
  - Active: VLAN is operational.
  - Suspend: VLAN is suspended; i.e., does not pass packets.
• Ports / Channel groups – Shows the VLAN interface members.

• VLAN ID – ID of configured VLAN (1-4093, no leading zeroes).
• VLAN Name – Name of the VLAN (1 to 32 characters).
• Status (Web) – Enables or disables the specified VLAN.
  - Enable: VLAN is operational.
  - Disable: VLAN is suspended; i.e., does not pass packets.
• State (CLI) – Enables or disables the specified VLAN.
  - Active: VLAN is operational.
  - Suspend: VLAN is suspended; i.e., does not pass packets.
• Add – Adds a new VLAN group to the current list.
CLI – This example creates a new VLAN.

Command Attributes
• VLAN – ID of configured VLAN (1-4093).
• Name – Name of the VLAN (1 to 32 characters).
• Status – Enables or disables the specified VLAN.
  - Enable: VLAN is operational.
  - Disable: VLAN is suspended; i.e., does not pass packets.
• Port – Port identifier.
• Trunk – Trunk identifier.
• Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk:
  - Tagged: Interface is a member of the VLAN.

Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks. Click Apply.

Figure 3-80 VLAN Static Table - Adding Static Members

CLI – The following example adds tagged and untagged ports to VLAN 2.

• Non-Member – VLANs for which the selected interface is not a tagged member.

Web – Click VLAN, 802.1Q VLAN, Static Membership by Port. Select an interface from the scroll-down box (Port or Trunk). Click Query to display membership information for the interface. Select a VLAN ID, and then click Add to add the interface as a tagged member, or click Remove to remove the interface. After configuring VLAN membership for each interface, click Apply.
• GARP – Group Address Registration Protocol is used by GVRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GVRP registration/deregistration.

Command Attributes
• PVID – VLAN ID assigned to untagged frames received on the interface.

• GARP Join Timer – The interval between transmitting requests/queries to participate in a VLAN group. (Range: 20-1000 centiseconds; Default: 20)
• GARP Leave Timer – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group.

Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, then click Apply.

Figure 3-82 VLAN Port Configuration

CLI – This example sets port 1 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
VLAN, and with their designated promiscuous ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.) Each private VLAN consists of two components: a primary VLAN and one or more community VLANs. A primary VLAN allows traffic to pass between promiscuous ports, and between promiscuous ports and community ports subordinate to the primary VLAN.

• Primary VLAN – The primary VLAN with which the selected VLAN is associated. (Note that this displays as VLAN 0 if the selected VLAN is itself a primary VLAN.)
• Ports List – The list of ports (and assigned type) in the selected private VLAN.

Web – Click Private VLAN, Private VLAN Information. Select the desired port from the VLAN ID drop-down menu.

Configuring Private VLANs

The Private VLAN Configuration page is used to create/remove primary or community VLANs.

Command Attributes
• VLAN ID – ID of configured VLAN (1-4093).
• Type – There are two types of VLANs within a private VLAN:
  - Primary VLANs – Conveys traffic between promiscuous ports, and to community ports within secondary VLANs.
  - Community VLANs – Conveys traffic between community ports, and to their associated promiscuous ports.

Associating Community VLANs

Each community VLAN must be associated with a primary VLAN.

Command Attributes
• Primary VLAN ID – ID of primary VLAN (1-4093).
• Association – Community VLANs associated with the selected primary VLAN.
• Non-Association – Community VLANs not associated with the selected primary VLAN.

Web – Click Private VLAN, Private VLAN Association.

Displaying Private VLAN Interface Information

Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs.

Command Attributes
• Port/Trunk – The switch interface.
• PVLAN Port Type – Displays private VLAN port types.
  - Normal – The port is not configured in a private VLAN.

CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3.

promiscuous ports. If PVLAN Port Type is “Host,” then specify the associated secondary VLAN.

Web – Click Private VLAN, Private VLAN Port Configuration or Private VLAN Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. For promiscuous ports, set the associated primary VLAN. For host ports, set the associated secondary VLAN. After all the ports have been configured, click Apply.
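The private VLAN rules above (promiscuous ports reach everything in the primary VLAN; host ports reach only their own community and its promiscuous ports; normal ports are outside the private VLAN) can be checked for unintended paths before a configuration is applied. The following Python model is an added example, not code from the guide; it follows the Type definitions under Configuring Private VLANs, takes VLAN 5, VLAN 6 and ports 3, 4 and 5 from the CLI example, and adds a constructed second community (VLAN 7, port 6) and a constructed normal port (port 8).

```python
"""Private VLAN forwarding model.

Added example, not code from the SMC management guide. It models the
forwarding rules the guide states for primary and community VLANs so a
configuration can be checked for unintended paths before it is applied.
VLAN 5 (primary), VLAN 6 (community), port 3 (promiscuous) and ports 4 and 5
(host) come from the guide's CLI example; community VLAN 7 with host port 6
and normal port 8 are constructed additions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PvlanPort:
    port: int
    ptype: str                  # "promiscuous", "host" or "normal"
    vlan: Optional[int] = None  # primary VLAN for promiscuous ports, community VLAN for host ports


class PrivateVlan:
    """One primary VLAN, its community VLANs, and the ports mapped to them."""

    def __init__(self, primary: int, communities: List[int]) -> None:
        self.primary = primary
        self.communities = set(communities)
        self.ports: Dict[int, PvlanPort] = {}

    def add_port(self, port: int, ptype: str, vlan: Optional[int] = None) -> None:
        """Apply the guide's Private VLAN Port Configuration rules to one port."""
        if ptype == "promiscuous" and vlan != self.primary:
            raise ValueError(f"promiscuous port {port} must map to primary VLAN {self.primary}")
        if ptype == "host" and vlan not in self.communities:
            raise ValueError(f"host port {port} needs a community VLAN associated with VLAN {self.primary}")
        if ptype == "normal":
            vlan = None
        self.ports[port] = PvlanPort(port, ptype, vlan)

    def can_forward(self, src: int, dst: int) -> bool:
        """True if a frame entering src may leave on dst under the private VLAN rules."""
        a, b = self.ports.get(src), self.ports.get(dst)
        if a is None or b is None or src == dst:
            return False
        # A normal port is not in the private VLAN at all; ordinary VLAN rules apply to it.
        if "normal" in (a.ptype, b.ptype):
            return False
        # Primary VLAN: promiscuous <-> promiscuous and promiscuous <-> community host.
        if "promiscuous" in (a.ptype, b.ptype):
            return True
        # Community VLAN: two host ports talk only inside the same community.
        return a.vlan == b.vlan

    def blocked_pairs(self) -> List[Tuple[int, int]]:
        """Unordered port pairs that the private VLAN isolates from each other."""
        ports = sorted(self.ports)
        return [(s, d) for s in ports for d in ports if s < d and not self.can_forward(s, d)]


def guide_topology() -> PrivateVlan:
    """Guide example (primary 5, community 6, ports 3/4/5) plus constructed ports 6 and 8."""
    pv = PrivateVlan(primary=5, communities=[6, 7])
    pv.add_port(3, "promiscuous", 5)   # port 3 -> promiscuous, mapped to primary VLAN 5
    pv.add_port(4, "host", 6)          # ports 4 and 5 -> host, associated with VLAN 6
    pv.add_port(5, "host", 6)
    pv.add_port(6, "host", 7)          # constructed: host port in a second community VLAN
    pv.add_port(8, "normal")           # constructed: port outside the private VLAN
    return pv


if __name__ == "__main__":
    pv = guide_topology()
    for pair in ((4, 3), (4, 5), (4, 6), (8, 3)):
        print(pair, "forward" if pv.can_forward(*pair) else "blocked")
    print("isolated pairs:", pv.blocked_pairs())
```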
Class of Service Configuration

Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.

CLASS OF SERVICE CONFIGURATION

Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.

Figure 3-88 Configuring Class of Service per Port

CLI – This example assigns a default priority of 5 to port 3.

Mapping CoS Values to Egress Queues

This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on Weighted Round Robin (WRR). Up to 8 separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.

Web – Click Priority, Traffic Classes. Mark an interface and click Select to display the current mapping of CoS values to output queues. Assign priorities to the traffic classes (i.e., output queues) for the selected interface, then click Apply.

Selecting the Queue Mode

You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing, which assigns a relative weight to each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch gives each queue before moving on to the next queue.

Setting the Service Weight for Traffic Classes

This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3-204, the traffic classes are mapped to one of the four egress queues provided for each port. You can assign a weight to each of these queues (and thereby to the corresponding traffic priorities).
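The two queue modes above (strict priority versus WRR) behave very differently once the highest queue is saturated: strict priority starves the lower queues, while WRR still gives each queue its weighted share. The following Python simulation is an added example, not code from the guide; it uses the weight set 1, 4, 16, 64 from the guide's CLI example, and the backlogs are constructed.

```python
"""Queue-mode comparison for the four CoS egress queues.

Added example, not code from the SMC management guide: simulates the two
service disciplines the guide describes (strict priority and Weighted Round
Robin) so the effect of a weight set can be checked before it is applied.
The weights 1, 4, 16, 64 are the ones used in the guide's CLI example; the
backlogs are constructed for the example.
"""
from typing import Dict, List, Sequence


def wrr_schedule(weights: Sequence[int], backlog: Sequence[int], rounds: int) -> Dict[int, int]:
    """Weighted Round Robin: in each round, queue i may transmit up to weights[i] frames.

    backlog[i] is the number of frames initially waiting in queue i; an empty
    queue simply forfeits the rest of its share for that round.
    Returns the number of frames transmitted per queue.
    """
    remaining = list(backlog)
    sent = {q: 0 for q in range(len(weights))}
    for _ in range(rounds):
        for q, weight in enumerate(weights):
            n = min(weight, remaining[q])
            remaining[q] -= n
            sent[q] += n
    return sent


def strict_schedule(backlog: Sequence[int], slots: int) -> Dict[int, int]:
    """Strict priority: every transmit slot goes to the highest-numbered non-empty queue."""
    remaining = list(backlog)
    sent = {q: 0 for q in range(len(backlog))}
    for _ in range(slots):
        for q in range(len(backlog) - 1, -1, -1):   # queue 3 first, queue 0 last
            if remaining[q] > 0:
                remaining[q] -= 1
                sent[q] += 1
                break
    return sent


def service_share(weights: Sequence[int]) -> List[float]:
    """Fraction of the link each queue gets under WRR when every queue stays backlogged."""
    total = sum(weights)
    return [w / total for w in weights]


if __name__ == "__main__":
    weights = (1, 4, 16, 64)                 # queue bandwidth 1 4 16 64
    saturated = (1000, 1000, 1000, 1000)     # constructed: every queue always has frames
    print("WRR, one round:", wrr_schedule(weights, saturated, 1))
    print("WRR shares:", [f"{s:.1%}" for s in service_share(weights)])
    print("strict, 100 slots:", strict_schedule(saturated, 100))
```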
CLI – The following example shows how to assign WRR weights of 1, 4, 16 and 64 to the CoS priority queues 0, 1, 2 and 3.

Console(config)#queue bandwidth 1 4 16 64
Console(config)#exit
Console#show queue bandwidth
Queue ID Weight
-------- ------
       0      1
       1      4
       2     16
       3     64
Console#

Layer 3/4 Priority Settings

Mapping Layer 3/4 Priorities to CoS Values

This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.

• IP Precedence – Maps layer 3/4 priorities using IP Precedence.
• IP DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point Mapping.

Web – Click Priority, IP Precedence/DSCP Priority Status. Select Disabled, IP Precedence or IP DSCP from the scroll-down menu, then click Apply.

Figure 3-92 Setting IP Precedence/DSCP Priority Status

CLI – The following example enables IP Precedence service on the switch.

Command Attributes
• IP Precedence Priority Table – Shows the IP Precedence to CoS map.
• Class of Service Value – Maps a CoS value to the selected IP Precedence value. Note that “0” represents low priority and “7” represents high priority.

Note: IP Precedence settings apply to all interfaces.

Web – Click Priority, IP Precedence Priority. Select a port or trunk from the Interface field.

Console#show map ip precedence ethernet 1/5
Precedence mapping status: disabled
Port     Precedence COS
-------- ---------- ---
Eth 1/ 5          0   0
Eth 1/ 5          1   0
Eth 1/ 5          2   2
Eth 1/ 5          3   3
Eth 1/ 5          4   4
Eth 1/ 5          5   5
Eth 1/ 5          6   6
Eth 1/ 5          7   7
Console#

Mapping DSCP Priority

The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors.

Command Attributes
• DSCP Priority Table – Shows the DSCP Priority to CoS map.
• Class of Service Value – Maps a CoS value to the selected DSCP Priority value. Note that “0” represents low priority and “7” represents high priority.

Note: IP DSCP settings apply to all interfaces.

Web – Click Priority, IP DSCP Priority. Select a port or trunk from the Interface field. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply.

CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 5), and then displays the DSCP Priority settings.

Console(config)#map ip dscp
Console(config)#interface ethernet 1/5
Console(config-if)#map ip dscp 1 cos 0
Console(config-if)#end
Console#show map ip dscp ethernet 1/5
DSCP mapping status: disabled
Port     DSCP COS
-------- ---- ---
Eth 1/ 5    0   0
Eth 1/ 5    1   0
Eth 1/ 5    2   0
Eth 1/ 5    3   0
. . .
Web – Click Priority, IP Port Status. Set IP Port Priority Status to Enabled.

Figure 3-95 Globally Enabling the IP Port Priority Status

Web – Click Priority, IP Port Priority. Select a port or trunk from the Interface field. Enter the port number for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Apply.

Figure 3-96 Mapping Ports and Trunks to IP TCP/UDP Priority

CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic (on port 5) to CoS value 0, and then displays the IP Port Priority settings for that port.

Console(config)#map ip port
Console(config)#interface ethernet 1/5
Console(config-if)#map ip port 80 cos 0
Console(config-if)#end
Console#show map ip port ethernet 1/5
TCP port mapping status: disabled
Port     Port no.

Web – Click Priority, Copy Settings. Select the source priority settings to be copied, enter the source port or trunk number and choose the destination interface(s) to copy to, then click Copy Settings.

Figure 3-97 Mapping Priority Settings to Ports/Trunks

CLI – This feature is not supported through the CLI.

Mapping CoS Values to ACLs

Use the ACL CoS Mapping page to set the output queue for packets matching an ACL rule as shown in the following table.

Command Usage
You must configure an ACL mask before you can map CoS values to the rule.

Command Attributes
• Port – Port identifier.
• Name – Name of ACL.
• Type – Type of ACL (IP or MAC).
• CoS Priority – CoS value used for packets matching an IP ACL rule. (Range: 0-7)

Web – Click Priority, ACL CoS Priority. Select a port, select an ACL rule, specify a CoS priority, then click Add.

Changing Priorities Based on ACL Rules

You can change traffic priorities for frames matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) This switch can change the IEEE 802.1p priority, IP Precedence, or DSCP Priority of IP frames; or change the IEEE 802.1p priority of Layer 2 frames.

Command Usage
• You must configure an ACL mask before you can change priorities based on a rule.
• Traffic priorities may be included in the IEEE 802.

Web – Click Priority, ACL Marker. Select a port and an ACL rule. To specify a ToS priority, mark the Precedence/DSCP check box, select Precedence or DSCP from the scroll-down box, and enter a priority. To specify an 802.1p priority, mark the 802.1p Priority check box, and enter a priority. Then click Add.

Figure 3-99 Changing Priorities Based on ACL Rules

CLI – This example changes the DSCP priority for packets matching an IP ACL rule, and the 802.
Multicast Filtering

Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.

MULTICAST FILTERING

multicast host registration protocol that allows any host to inform its local router that it wants to receive transmissions addressed to a specific multicast group. A router, or multicast-enabled switch, can periodically ask its hosts if they want to receive multicast traffic. If there is more than one router/switch on the LAN performing IP multicasting, one of these devices is elected “querier” and assumes the role of querying the LAN for group members.

Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-228).

Configuring IGMP Snooping and Query Parameters

You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.

• IGMP Query Count – Sets the maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group. (Range: 2-10; Default: 2)
• IGMP Query Interval – Sets the frequency at which the switch sends IGMP host-query messages.

CLI – This example modifies the settings for multicast filtering, and then displays the current status.

Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers.

Figure 3-101 Mapping Multicast Switch Ports to VLANs

CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.

• Port or Trunk – Specifies the interface attached to a multicast router.

Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply.

• Multicast Group Port List – Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service.

Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service.

Assigning Ports to Multicast Services

Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 3-222. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
CONFIGURING DOMAIN NAME SERVICE

CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1.

Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet 1/12
Console(config)#exit
Console#show mac-address-table multicast vlan 1
VLAN M'cast IP addr. Member ports Type
---- --------------- ------------ ------
   1 224.0.0.12      Eth1/12      USER
   1 224.1.2.

through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
• When more than one name server is specified, the servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response.
• Note that if all name servers are deleted, DNS will automatically be disabled.

Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.

CLI – This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.

Console(config)#ip domain-name sample.com
Console(config)#ip domain-list sample.com.uk
Console(config)#ip domain-list sample.com.jp
Console(config)#ip name-server 192.168.1.55 10.1.0.55
Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status: DNS enabled
Default Domain Name: .sample.com
Domain Name List: .sample.com.

• Alias – Displays the host names that are mapped to the same address(es) as a previously configured entry.

Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.

CLI – This example maps two addresses to a host name, and then configures an alias host name for the same addresses.

Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#ip host rd6 10.1.0.55
Console(config)#end
Console#show host
Hostname     rd5
Inet address 10.1.0.55 192.168.1.55
Alias        1.rd6
Console#

Displaying the DNS Cache

You can display entries in the DNS cache that have been learned via the designated name servers.

Web – Select DNS, Cache.

Figure 3-107 Displaying the DNS Cache

CLI – This example displays all the resource records learned from the designated name servers.

Console#show dns cache
NO FLAG TYPE  IP
 0    4 CNAME 207.46.134.222
 1    4 CNAME 207.46.134.190
 2    4 CNAME 207.46.134.155
 3    4 CNAME 207.46.249.222
 4    4 CNAME 207.46.249.27
 5    4 ALIAS POINTER TO:4
 6    4 CNAME 207.46.68.27
 7    4 ALIAS POINTER TO:6
 8    4 CNAME 65.54.131.192
 9    4 ALIAS POINTER TO:8
10    4 CNAME 165.193.72.
Console#
CHAPTER 4 COMMAND LINE INTERFACE

This chapter describes how to use the Command Line Interface (CLI).

Using the Command Line Interface

Accessing the CLI

When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.

USING THE COMMAND LINE INTERFACE

After connecting to the system through the console port, the login screen displays:

User Access Verification
Username: admin
Password:
CLI session with the SMC6824M is opened.
To end the CLI session, enter [Exit].
Console#

Telnet Connection

Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address.

COMMAND LINE INTERFACE

After you configure the switch with an IP address, you can open a Telnet session by performing these steps.
1. From the remote host, enter the Telnet command and the IP address of the device you want to access.
2. At the prompt, enter the user name and system password. The CLI will display the “Vty-n#” prompt for the administrator to show that you are using privileged access mode (i.e., Privileged Exec), or “Vty-n>” for the guest to show that you are using normal access mode (i.e.

ENTERING COMMANDS

You can enter commands as follows:
• To enter a simple command, enter the command keyword.
• To enter multiple commands, enter each command in the required order. For example, to enable Privileged Exec command mode, and display the startup configuration, enter:
  Console>enable
  Console#show startup-config
• To enter commands that require parameters, enter the required parameters after the command keyword.

Database). You can also display a list of valid keywords for a specific command.

Partial Keyword Lookup

If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
mode. You can always enter a question mark “?” at the prompt to display a list of the commands available for the current mode. The command classes and associated modes are displayed in the following table:

Table 4-1 Command Modes
Class          Mode
Exec           Normal
               Privileged
Configuration  Global*
               Access Control List
               Interface
               Line
               VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode.

Username: guest
Password: [system login password]
CLI session with the SMC6824M is opened.
To end the CLI session, enter [Exit].
Console>enable
Password: [privileged level password if so configured]
Console#

Configuration Commands

Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted.

To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.

Command Line Processing

Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.

Command Groups

The system commands can be broken down into the functional groups shown below.

COMMAND GROUPS

Table 4-4 Command Group Index (Continued)
Command Group         Description                                                                                                  Page
Power over Ethernet*  Configures power output for connected devices                                                                4-90
Address Table         Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time   4-200
Spanning Tree         Configures Spanning Tree settings for the switch                                                             4-204
VLANs                 Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs   4-2

Line Commands

You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
LINE COMMANDS

line

This command identifies a specific line for configuration and for processing subsequent line configuration commands.

Syntax
line {console | vty}
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).

Default Setting
There is no default line.

Command Mode
Global Configuration

Command Usage
Telnet is considered a virtual terminal connection and will be shown as “Vty” in screen displays such as show users.

login

This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.

Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.

Related Commands
username (4-34)
password (4-16)

password

This command specifies the password for a line. Use the no form to remove the password.

Syntax
password {0 | 7} password
no password
• {0 | 7} - 0 means plain password, 7 means encrypted password
• password - Character string that specifies the line password. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive)

Default Setting
No password is specified.

Related Commands
login (4-15)
password-thresh (4-19)

timeout login response

This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.

Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the number of seconds.

exec-timeout

This command sets the interval that the system waits until user input is detected. Use the no form to restore the default.

Syntax
exec-timeout [seconds]
no exec-timeout
seconds - Integer that specifies the number of seconds.

password-thresh

This command sets the password intrusion threshold, which limits the number of failed logon attempts. Use the no form to remove the threshold value.

Syntax
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)

Default Setting
The default value is three attempts.

silent-time

This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.

Syntax
silent-time seconds
no silent-time
seconds - The number of seconds to disable console response. (Range: 0-65535; 0: no silent-time)

Default Setting
The default value is no silent-time.
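The password-thresh and silent-time settings work as a pair: the threshold counts failed attempts, and silent-time decides what happens once it is reached. The following Python model is an added example, not code from the guide, for replaying a login timeline against a candidate setting before it is configured; the ranges and defaults are the guide's, while the assumptions that the lockout begins as soon as the failed count reaches the threshold and that the session is simply dropped when no silent-time is set, together with the placeholder password and the attempt timeline, are constructed for the example.

```python
"""Console lockout model for password-thresh and silent-time.

Added example, not code from the SMC management guide. It replays a login
timeline against the two line settings so the effect of a threshold and
silent-time combination can be checked before it is configured. Ranges and
defaults are the guide's; the assumption that the lockout starts as soon as
the failed-attempt count reaches the threshold, and that the session is
simply dropped when no silent-time is set, is mine. The password and the
attempt timeline are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ConsoleLine:
    """One management line (console or vty) with its intrusion settings."""
    password_thresh: int = 3        # allowed failed attempts; guide default 3, 0 = no threshold
    silent_time: int = 0            # seconds the line stays inaccessible; guide default 0 (off)
    password: str = "PLACEHOLDER"   # placeholder credential for the model only
    failed: int = 0
    silent_until: Optional[float] = None
    events: List[str] = field(default_factory=list)

    def attempt(self, guess: str, now: float) -> str:
        """Process one login attempt at time `now` (seconds).

        Returns "ok", "fail", "silent" (line inside its silent-time window) or
        "disconnect" (threshold reached while no silent-time is configured).
        """
        if self.silent_until is not None:
            if now < self.silent_until:
                self.events.append(f"{now:.0f}s: ignored, silent for {self.silent_until - now:.0f}s more")
                return "silent"
            self.silent_until = None        # window expired, line answers again

        if guess == self.password:
            self.failed = 0
            self.events.append(f"{now:.0f}s: login ok")
            return "ok"

        self.failed += 1
        self.events.append(f"{now:.0f}s: bad password ({self.failed}/{self.password_thresh or 'unlimited'})")
        if self.password_thresh and self.failed >= self.password_thresh:
            self.failed = 0
            if self.silent_time > 0:
                self.silent_until = now + self.silent_time
                self.events.append(f"{now:.0f}s: threshold reached, silent until {self.silent_until:.0f}s")
                return "silent"
            self.events.append(f"{now:.0f}s: threshold reached, session disconnected")
            return "disconnect"
        return "fail"


def attempt_ceiling_per_hour(password_thresh: int, silent_time: int) -> Optional[int]:
    """Approximate upper bound on login attempts one line accepts per hour.

    None means unbounded: with the guide's defaults (threshold 3, no silent-time)
    the threshold only ends the current session; it does not delay the next one.
    """
    if password_thresh <= 0 or silent_time <= 0:
        return None
    return (3600 // silent_time) * password_thresh


if __name__ == "__main__":
    line = ConsoleLine(password_thresh=3, silent_time=60)
    # constructed timeline: three bad guesses, then the right password inside and after the window
    for t, guess in ((0, "wrong"), (1, "wrong"), (2, "wrong"), (10, "PLACEHOLDER"), (62, "PLACEHOLDER")):
        line.attempt(guess, t)
    print("\n".join(line.events))
    print("attempts/hour with thresh 3, silent-time 300:", attempt_ceiling_per_hour(3, 300))
```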
COMMAND LINE INTERFACE Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
LINE COMMANDS Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second.
COMMAND LINE INTERFACE stopbits This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting. Syntax stopbits {1 | 2} • 1 - One stop bit • 2 - Two stop bits Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# disconnect This command terminates an SSH, Telnet, or console connection.
LINE COMMANDS Example Console#disconnect 1 Console# Related Commands show ssh (4-53) show users (4-80) show line This command displays the terminal line’s parameters. Syntax show line [console | vty] • console - Console terminal line. • vty - Virtual terminal for remote console access.
General Commands

Table 4-6 General Commands
Command       Function                                     Mode     Page
enable        Activates privileged mode                    NE       4-25
disable       Returns to normal mode from privileged mode  PE       4-26
configure     Activates global configuration mode          PE       4-27
show history  Shows the command history buffer             NE, PE   4-27
reload        Restarts the system                          PE       4-28
end           Returns to Privileged Exec mode              any config.
GENERAL COMMANDS

Command Usage
• “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-36.)
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
configure
This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration. See “Understanding Command Modes” on page 4-6.
Example
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes
Example
This example shows how to reset the switch:
Console#reload
System will be restarted, continue ? y

end
This command returns to Privileged Exec mode.
Default Setting
None
Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:

quit
Use this command to exit the configuration program.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The quit and exit commands can both exit the configuration program.
System Management Commands
These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information.
SYSTEM MANAGEMENT COMMANDS

Device Designation Commands

Table 4-8 Device Designation Commands
Command               Function                                                   Mode     Page
prompt                Customizes the CLI prompt                                  GC       4-32
hostname              Specifies the host name for the switch                     GC       4-33
snmp-server contact   Sets the system contact string                             GC       4-154
snmp-server location  Sets the system location string                            GC       4-155
light unit            Displays the switch’s unit ID using its front-panel LEDs   NE, PE   4-33

prompt
This command customizes the CLI prompt.
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#hostname RD#1
Console(config)#

light unit
This command displays the stack unit ID using the switch’s front-panel LEDs.
User Access Commands
The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-13), user authentication via a remote authentication server (page 4-151), and host access authentication for specific ports (page 4-110).
Default Setting
• The default access level is Normal Exec.
• The factory defaults for the user names and passwords are:
Table 4-10 Default Login Settings
username   access-level   password
guest      0              guest
admin      15             admin
Command Mode
Global Configuration
Command Usage
The encrypted password is required for compatibility with legacy password settings (i.e.
enable password
After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. Use this command to control access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
Syntax
enable password [level level] {0 | 7} password
no enable password [level level]
• level level - Level 15 for Privileged Exec. (Levels 0-14 are not used.
Related Commands
enable (4-25)
authentication enable (4-99)

IP Filter Commands

Table 4-11 IP Filter Commands
Command          Function                                                           Mode   Page
management       Configures IP addresses that are allowed management access         GC     4-37
show management  Displays the switch to be monitored or configured from a browser   PE     4-38

management
This command specifies the client IP addresses that are allowed management access to the switch through various protocols.
Command Usage
• If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
• IP addresses can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
• When entering addresses for the same group (i.e.
Example
Console#show management all-client
Management Ip Filter
Http-Client:
  Start ip address    End ip address
----------------------------------------------
1. 192.168.1.19       192.168.1.19
2. 192.168.1.25       192.168.1.30
Snmp-Client:
  Start ip address    End ip address
----------------------------------------------
1. 192.168.1.19       192.168.1.19
2. 192.168.1.25       192.168.1.30
Telnet-Client:
  Start ip address    End ip address
----------------------------------------------
1. 192.168.1.19       192.168.1.19
2.
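The following Python reproduces the per-protocol filter decision from a display in the layout of show management all-client, including the five-sets-per-group limit and the log event a rejected connection produces. It is an added example, not the switch's or the guide's code; the sample display is constructed, and treating a group with no configured sets as unrestricted is an assumption this page does not state.

```python
"""Management IP filter check modelled on the `management` / `show management`
commands. Added example, not the switch's own code; SAMPLE_OUTPUT is
constructed in the layout of `show management all-client`."""
import ipaddress
import re
from collections import defaultdict

MAX_SETS_PER_GROUP = 5   # the guide: up to five address sets per protocol group

# Constructed sample, laid out like the `show management all-client` display.
SAMPLE_OUTPUT = """\
Management Ip Filter
Http-Client:
  Start ip address    End ip address
----------------------------------------------
1. 192.168.1.19       192.168.1.19
2. 192.168.1.25       192.168.1.30
Snmp-Client:
  Start ip address    End ip address
----------------------------------------------
1. 192.168.1.19       192.168.1.19
Telnet-Client:
  Start ip address    End ip address
----------------------------------------------
1. 192.168.1.25       192.168.1.30
"""

GROUP_RE = re.compile(r"^(\w+)-Client:$")
RANGE_RE = re.compile(r"^\d+\.\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_filter_table(text):
    """Parse the display into {group: [(start, end), ...]} of IPv4Address pairs.
    Group keys are lower-case protocol names ('http', 'snmp', 'telnet')."""
    groups = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1).lower()
            groups.setdefault(current, [])   # keep empty groups visible
            continue
        m = RANGE_RE.match(line)
        if m and current is not None:
            start = ipaddress.IPv4Address(m.group(1))
            end = ipaddress.IPv4Address(m.group(2))
            if end < start:
                raise ValueError(f"inverted range {start}-{end} in {current}")
            groups[current].append((start, end))
    for name, sets in groups.items():
        if len(sets) > MAX_SETS_PER_GROUP:
            raise ValueError(f"{name}: more than {MAX_SETS_PER_GROUP} address sets")
    return dict(groups)


def check_access(groups, protocol, client_ip):
    """Return (allowed, event) for a client connecting over `protocol`.

    Assumption (not stated on this page): a group with no configured sets
    applies no filter, so every client is accepted for that protocol.
    A rejected attempt yields the event text the switch would log and send
    as a trap; the wording here is constructed, not the switch's own."""
    sets = groups.get(protocol, [])
    ip = ipaddress.IPv4Address(client_ip)
    if not sets or any(start <= ip <= end for start, end in sets):
        return True, None
    event = f"management access denied: {protocol} client {ip} not in IP filter"
    return False, event
```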
ip http port
This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Syntax
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface.
Example
Console(config)#ip http server
Console(config)#
Related Commands
ip http port (4-40)

ip http secure-server
This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
• The following web browsers and operating systems currently support HTTPS:
Table 4-13 HTTPS System Support
Web Browser                       Operating System
Internet Explorer 5.0 or later    Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP
Netscape Navigator 6.2 or later   Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP, Solaris 2.6
• To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” on page 3-77.
Command Usage
• You cannot configure the HTTP and HTTPS servers to use the same port.
Default Setting
• Server: Enabled
• Server Port: 23
Command Mode
Global Configuration
Example
Console(config)#ip telnet server
Console(config)#ip telnet port 123
Console(config)#

Secure Shell Commands
The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments.
Table 4-15 Secure Shell Commands
Command                        Function                                                        Mode   Page
ip ssh server                  Enables the SSH server on the switch                            GC     4-47
ip ssh timeout                 Specifies the authentication timeout for the SSH server         GC     4-48
ip ssh authentication-retries  Specifies the number of retries allowed by a client             GC     4-49
ip ssh server-key size         Sets the SSH server key size                                    GC     4-50
copy tftp public-key           Copies the user’s public key from a TFTP server to the switch   PE     4-82
delete public-key              Deletes the
switch as described in the following section. Note that regardless of whether you use public key or password authentication, you still have to generate authentication keys on the switch and enable the SSH server.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
2.
5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
6. Configure Challenge-Response Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process:
a.
Command Usage
• The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
• The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
• You must generate DSA and RSA host keys before enabling the SSH server.
Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
ip ssh server-key size
This command sets the SSH server key size. Use the no form to restore the default setting.
Syntax
ip ssh server-key size key-size
no ip ssh server-key size
key-size – The size of the server key. (Range: 512-896 bits)
Default Setting
768 bits
Command Mode
Global Configuration
Command Usage
• The server key is a private key that is never shared outside the switch.
• The host key is shared with the SSH client, and is fixed at 1024 bits.
Example
Console#delete public-key admin dsa
Console#

ip ssh crypto host-key generate
Use this command to generate the host key pair (i.e., public and private).
Syntax
ip ssh crypto host-key generate [dsa | rsa]
• dsa – DSA (Version 2) key type.
• rsa – RSA (Version 1) key type.
Default Setting
Generates both the DSA and RSA key pairs.
Command Mode
Privileged Exec
Command Usage
• This command stores the host key pair in memory (i.e., RAM).
ip ssh crypto zeroize
This command clears the host key from memory (i.e. RAM).
Syntax
ip ssh crypto zeroize [dsa | rsa]
• dsa – DSA key type.
• rsa – RSA key type.
Default Setting
Clears both the DSA and RSA key.
Command Mode
Privileged Exec
Command Usage
• This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
• The SSH server must be disabled before you can execute this command.
Default Setting
Saves both the DSA and RSA key.
Command Mode
Privileged Exec
Example
Console#ip ssh save host-key dsa
Console#
Related Commands
ip ssh crypto host-key generate (4-51)

show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.
Command Mode
Privileged Exec
Example
Console#show ip ssh
SSH Enabled - version 1.
Table 4-16 show ssh - display description
Field       Description
Session     The session number. (Range: 0-3)
Version     The Secure Shell version number.
State       The authentication negotiation state. (Values: Negotiation-Started, Authentication-Started, Session-Started)
Username    The user name of the client.
Encryption  The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.
show public-key
This command shows the public key for the specified user or for the host.
Syntax
show public-key [user [username] | host]
username – Name of an SSH user. (Range: 1-8 characters)
Default Setting
Shows all public keys.
Command Mode
Privileged Exec
Command Usage
• If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
Example
Console#show public-key host
Host:
RSA:
1024 35 156849954018676692593339467750546173253136748908365472541502024559319 986854435836165199992332978176606583095861082591321289023376546801726 272571413428762941301196195566782595664104869574278881462065194174677 298486546861571773939016477935594230357741309802273708779454524083971 752646358058176716709574804776117
DSA:
ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzDDg0h2 HxcYV44sXZ2JXhamLK6P8bvuiyacWbUWa4PAtp1K
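The two layouts shown in this display, an SSH1 RSA line ("bits exponent modulus") and an SSH2 "ssh-dss" line with a base64 blob, can be checked for well-formedness before a key file is uploaded with copy tftp public-key, which also tells you which key type (RSA or DSA) to choose at the prompt. This is an added Python example, not the switch's or the guide's code; the keys it builds with make_ssh2_line are constructed test numbers with no cryptographic meaning, and all function names are hypothetical.

```python
"""Sanity-check a public key file in the two layouts `show public-key` displays.
Added example, not the switch's own code; make_ssh2_line builds constructed
test values only."""
import base64
import struct


def _put_string(data: bytes) -> bytes:
    # SSH wire format: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data


def _put_mpint(value: int) -> bytes:
    # SSH mpint: big-endian, with a leading 0x00 when the top bit is set
    return _put_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _get_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated field")
    return buf[off:off + n], off + n


def make_ssh2_line(key_type: str, *numbers: int) -> str:
    """Build an SSH2 public-key line from constructed integers (test data only)."""
    blob = _put_string(key_type.encode()) + b"".join(_put_mpint(n) for n in numbers)
    return f"{key_type} {base64.b64encode(blob).decode()}"


def parse_ssh2_public_key(line: str):
    """Return (key_type, modulus_bits) after checking the blob is well formed
    and that its embedded type string matches the text prefix."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    embedded, off = _get_string(blob, 0)
    if embedded != key_type.encode():
        raise ValueError(f"blob says {embedded!r}, prefix says {key_type!r}")
    fields = []
    while off < len(blob):
        raw, off = _get_string(blob, off)
        fields.append(int.from_bytes(raw, "big"))
    expected = {"ssh-rsa": 2, "ssh-dss": 4}   # rsa: e, n ; dss: p, q, g, y
    if key_type not in expected:
        raise ValueError(f"unsupported key type {key_type}")
    if len(fields) != expected[key_type]:
        raise ValueError(f"{key_type}: expected {expected[key_type]} fields, got {len(fields)}")
    modulus = fields[1] if key_type == "ssh-rsa" else fields[0]   # n, or DSA p
    return key_type, modulus.bit_length()


def parse_ssh1_public_key(line: str):
    """Return (bits, exponent, modulus) for 'bits exponent modulus [comment]',
    checking the declared bit count against the modulus."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected 'bits exponent modulus'")
    bits, exponent, modulus = (int(p) for p in parts[:3])
    if modulus.bit_length() != bits:
        raise ValueError(f"declared {bits} bits, modulus has {modulus.bit_length()}")
    return bits, exponent, modulus


def validate_key_line(line: str):
    """Return (upload_type, detail) where upload_type is the choice to give the
    copy tftp public-key prompt, or (None, reason) when the line is unusable.
    The guide pairs RSA with SSH version 1 and DSA with version 2, so an
    SSH2 'ssh-rsa' line is parsed but not mapped to an upload type."""
    try:
        if line.startswith("ssh-"):
            key_type, bits = parse_ssh2_public_key(line)
            if key_type != "ssh-dss":
                return None, f"{key_type} is not a layout this guide shows the switch accepting"
            return "DSA", f"{key_type} {bits}-bit"
        bits, _, _ = parse_ssh1_public_key(line)
        return "RSA", f"SSH1 RSA {bits}-bit"
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        return None, str(exc)
```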
logging on
This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process.
Syntax
[no] logging on
Default Setting
None
Command Mode
Global Configuration
Command Usage
The logging process controls error messages saved to switch memory. You can use the logging history command to control the type of error messages that are stored.
• ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
• level - One of the syslog severity levels listed in the following table. Messages sent include the selected level down to level 0.
Table 4-18 Logging Levels
Level  Severity Name   Description
7      debugging       Debugging messages
6      informational   Informational messages only
5      notifications   Normal but significant condition, such as cold start
4      warnings        Warning conditions (e.g.
logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
Syntax
[no] logging host host_ip_address
host_ip_address - The IP address of a syslog server.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• By using this command more than once you can build up a list of host IP addresses.
• The maximum number of host IP addresses allowed is five.
Command Usage
The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
clear log
Use this command to clear messages from the log buffer.
Syntax
clear log [flash | ram]
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Default Setting
None
Command Mode
Privileged Exec
Example
The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is “debugging” (i.e., default level 7 - 0).
Table 4-20 show logging trap - display description
Field                    Description
Syslog logging           Shows if system logging has been enabled via the logging on command.
REMOTELOG status         Shows if remote logging has been enabled via the logging trap command.
REMOTELOG facility type  The facility type for remote logging of syslog messages as specified in the logging facility command.
Example
The following example shows the event messages stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
Console#

SMTP Alert Commands
Configures SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.
• To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
Command Usage
The specified level indicates an event threshold. All events at this severity level or more severe (that is, from the specified level down to level 0) will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.)
Example
This example will send email alerts for system errors from level 3 through 0.
Console(config)#logging sendmail level 3
Console(config)#

logging sendmail source-email
This command sets the email address used for the “From” field in alert messages.
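The severity rule used by both the logging history levels (Table 4-18) and the logging sendmail level threshold above, applied to entries in the one-line layout of the show log ram display, as an added Python example that is not the switch's or the guide's code. The sample log is constructed; severity names for levels 2 to 0 are the standard RFC 3164 names, since the page's table is cut off after level 4.

```python
"""Parse `show log ram` entries and apply the switch's severity semantics:
selecting level N (logging history, logging sendmail level) covers levels N
down to 0. Added example, not the switch's own code; SAMPLE_LOG is
constructed in the one-line entry layout of the `show log ram` example."""
import re
from dataclasses import dataclass

# Severity names: 7-4 from Table 4-18, 3 ("errors") from the show logging
# example; 2-0 are the standard RFC 3164 names, as the page's table is cut off.
LEVEL_NAMES = {7: "debugging", 6: "informational", 5: "notifications",
               4: "warnings", 3: "errors", 2: "critical", 1: "alerts",
               0: "emergencies"}

# Constructed sample; the fan-failure line is invented to give a level-3 entry.
SAMPLE_LOG = """\
Console#show log ram
[3] 00:05:12 2001-01-01 "Unit 1, fan failure." level: 3, module: 5, function: 1, and event no.: 9
[2] 00:02:10 2001-01-01 "Unit 1, Port 3 link-down notification." level: 6, module: 5, function: 1, and event no.: 2
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
Console#
"""

ENTRY_RE = re.compile(
    r'^\[(?P<index>\d+)\]\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<date>\d{4}-\d\d-\d\d)\s+'
    r'"(?P<message>.*)"\s+level:\s*(?P<level>\d+),\s*module:\s*(?P<module>\d+),\s*'
    r'function:\s*(?P<function>\d+),\s*and event no\.:\s*(?P<event>\d+)$')


@dataclass(frozen=True)
class LogEntry:
    index: int
    time: str
    date: str
    message: str
    level: int
    module: int
    function: int
    event: int

    @property
    def severity(self) -> str:
        return LEVEL_NAMES[self.level]


def parse_log(text: str):
    """Return the entries in display order; prompt lines are skipped and any
    other unparsable line is an error rather than silently dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Console#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised log line: {line!r}")
        d = m.groupdict()
        entries.append(LogEntry(int(d["index"]), d["time"], d["date"], d["message"],
                                int(d["level"]), int(d["module"]),
                                int(d["function"]), int(d["event"])))
    return entries


def select_by_level(entries, level: int):
    """Entries a `logging history` / `logging sendmail level` setting of `level`
    would cover: numerically lower levels are more severe, so keep level <= N."""
    if not 0 <= level <= 7:
        raise ValueError("level must be 0-7")
    return [e for e in entries if e.level <= level]


def syslog_pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI value for a facility code (chosen with logging facility)
    and a severity; e.g. local7 (code 23) at errors (3) gives 187."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility 0-23, severity 0-7")
    return facility * 8 + severity
```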
logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
Syntax
[no] logging sendmail destination-email email-address
email-address - The recipient email address for alert messages. (Range: 1-41 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.
Example
Console(config)#logging sendmail
Console(config)#

show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
----------------------------------------------
192.168.1.19
SMTP minimum severity level: 7
SMTP destination email addresses
----------------------------------------------
ted@this-company.com
SMTP source email address: bill@this-company.
Table 4-22 Time Commands (Continued)
Command         Function                                             Mode     Page
clock timezone  Sets the time zone for the switch’s internal clock   GC       4-73
calendar set    Sets the system date and time                        PE       4-74
show calendar   Displays the current date and time setting           NE, PE   4-74

sntp client
This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers command. Use the no form to disable SNTP client requests.
Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current time: Dec 23 02:52:44 2002
Poll interval: 60
Current mode: unicast
SNTP status : Enabled
SNTP server 137.92.140.80 0.0.0.0 0.0.0.0
Current server: 137.92.140.
Command Usage
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.
Related Commands
sntp client (4-69)

show sntp
This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).
clock timezone
This command sets the time zone for the switch’s internal clock.
Syntax
clock timezone name hour hours minute minutes {before-utc | after-utc}
• name - Name of timezone, usually an acronym. (Default: UTC; Range: 1-29 characters)
• hours - Number of hours before UTC (0-12) or after UTC (0-13).
• minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
• before-utc - Sets the local time zone before (west) of UTC.
calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
Syntax
calendar set hour min sec {month day year | day month year}
• hour - Hour in 24-hour format. (Range: 0 - 23)
• min - Minute. (Range: 0 - 59)
• sec - Second.
Example
This example shows how to display the current system clock setting.
• This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.
Related Commands
show running-config (4-77)

show running-config
This command displays the configuration information currently in use.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes.
Example
Console#show running-config
!
IP address DHCP
!
phymap 00-04-e2-b3-16-c0 00-30-f1-b0-e9-80 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00
!
SNTP server 10.1.0.19 0.0.0.0 0.0.0.
show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
• For a description of the items shown by this command, refer to “Displaying System Information” on page 3-13.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.
Example
Console#show system
System description: TigerStack III 10/100 6824M Managed 24+2 Stackable Switch; SW version: V2.4.
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Command Mode
Normal Exec, Privileged Exec
Command Usage
See “Displaying Switch Hardware/Software Versions” on page 3-15 for detailed information on the items displayed by this command.
FLASH/FILE COMMANDS

copy
Use this command to move (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the TFTP server and the quality of the network connection.
Command Usage
• The system prompts for data required to complete the copy command.
• The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.
Example
The following example shows how to upload the configuration settings to a file on the TFTP server.
Console#copy file tftp
Choose file type:
 1. config: 2. opcode 3. PD_Controller: <1-3>: 2
Source file name: startup
TFTP server ip address: 10.1.0.99
Destination file name: startup.01
TFTP completed.
Success.
Console#
The following example shows how to copy the running configuration to a startup file.
This example shows how to copy a public key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.19
Choose public key type:
 1. RSA: 2. DSA: <1-2>: 1
Source file name: steve.pub
Username: steve
TFTP Download
Success.
Write to FLASH Programming.
Success.
delete
This command deletes a file or image.
Syntax
delete [unit:] filename
filename - Name of the configuration file or image name.
unit - Specifies the stack unit. (Range: 1-8)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Config.cfg” cannot be deleted.
• A colon (:) is required after the specified unit number.
Example
This example shows how to delete the test2.
dir
This command displays a list of files in flash memory.
Syntax
dir [unit:] {{boot-rom: | config: | opcode:} [filename]}
The type of file or image to display includes:
• boot-rom - Boot ROM (or diagnostic) image file
• config - Switch configuration file
• opcode - Run-time operation code image file.
• filename - Name of the file or image. If this file exists but contains errors, information on this file cannot be shown.
• unit - Stack unit.
Example
The following example shows how to display all file information:
Console#dir
  file name                      file type          startup  size (byte)
  ------------------------------ ------------------ -------  -----------
Unit1:
  D21210                         Boot-Rom image     Y        420408
  V24213                         Operation Code     Y        2454828
  Factory_Default_Config.
boot system
Use this command to specify the file or image used to start up the system.
Syntax
boot system [unit:] {boot-rom | config | opcode}: filename
The type of file or image to set as a default includes:
• boot-rom* - Boot ROM.
• config* - Configuration file.
• opcode* - Run-time operation code.
• filename - Name of the configuration file or image name.
• unit* - Specifies the stack unit. (Range: 1-8)
* The colon (:) is required.
POWER OVER ETHERNET COMMANDS

Power over Ethernet Commands
The commands in this group control the power that can be delivered to attached PoE devices through the switch ports on the SMC6824MPE and SMC6826MPE. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget.
power mainpower maximum allocation
This command defines a power budget for the switch (i.e., the power available to all switch ports). Use the no form to restore the default setting.
Syntax
power mainpower maximum allocation watts [unit unit]
• watts - The power budget for the switch. (Range: 37 - 375 watts)
• unit - Specifies the stack unit.
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The switch automatically detects attached PoE devices by periodically transmitting test voltages over the 10/100BASE-TX ports. When an 802.3af compatible device is plugged into one of these ports, the powered device reflects the test voltage back to the switch, which may then turn on the power to this device. When the power inline compatible command is used, this switch can detect 802.
power inline
This command instructs the switch to automatically detect if a PoE-compliant device is connected to the specified port, and turn power on or off accordingly. Use the no form to turn off power for a port.
Syntax
[no] power inline
Default Setting
Detection is enabled for PoE-compliant devices.
Command Mode
Interface Configuration
Command Usage
If a device is connected to a switch port and the switch detects that it requires more than the maximum power allocated to the port, no power is supplied to the device (i.e., port power remains off).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline maximum allocation 8000
Console(config-if)#

power inline priority
This command sets the power priority for specific ports.
• Power is dropped from low-priority ports in sequence starting from port number 1.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline priority 2
Console(config-if)#
Related Commands
power mainpower maximum allocation (4-91)

show power inline status
This command displays the current power status for all ports or for specific ports.
Syntax
show power inline status [interface]
interface
  ethernet
  - unit - Stack unit. (Range: 1-8)
  - port - Port number.
Table 4-27 show power inline status parameters
Parameter      Description
Admin          The power mode set on the port (see power inline on page 4-93)
Oper           The current operating power status (displays on or off)
Power (mWatt)  The maximum power allocated to this port (see power inline maximum allocation on page 4-93)
Power (used)   The current power consumption on the port in milliwatts
Priority       The port’s power priority setting (see power inline priority on page 4-94)

show power ma
Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.
AUTHENTICATION COMMANDS

authentication login
This command defines the login authentication method and precedence. Use the no form to restore the default.
Syntax
authentication login {[local] [radius] [tacacs]}
no authentication login
• local - Use local password.
• radius - Use RADIUS server password.
• tacacs - Use TACACS server password.
Default Setting
Local
Command Mode
Global Configuration
Command Usage
• RADIUS uses UDP while TACACS+ uses TCP.
Example
Console(config)#authentication login radius
Console(config)#
Related Commands
username - for setting the local user names and passwords (4-34)

authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-25). Use the no form to restore the default.
• You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication enable radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
radius-server host
This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values.
Syntax
[no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port] [timeout timeout] [retransmit retransmit] [key key]
• index - Allows you to specify up to five servers. These servers are queried in sequence until a server responds or the retransmit period expires.
radius-server port
This command sets the RADIUS server network port. Use the no form to restore the default.
Syntax
radius-server port port_number
no radius-server port
port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535)
Default Setting
1812
Command Mode
Global Configuration
Example
Console(config)#radius-server port 181
Console(config)#

radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.
Example
Console(config)#radius-server key green
Console(config)#

radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
radius-server retransmit number_of_retries
no radius-server retransmit
number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
AUTHENTICATION COMMANDS Command Mode Global Configuration Example Console(config)#radius-server timeout 10 Console(config)# show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS server configuration: Global settings: Communication key with RADIUS server: ***** Server port number: 181 Retransmit times: 5 Request timeout: 10 Server 1: Server IP address: 192.168.1.
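The method sequence described above (radius, then tacacs, then local), combined with the radius-server timeout and retransmit settings, as an added example that is not code from the SMC manual or its firmware. The server objects, the credential stores and the choice to count retransmit tries per server are assumptions of this example. It shows the point that matters for security: only an unreachable method falls through to the next one, so a rejected password is never retried against the local database, and how long an operator waits when every server is down.

```python
"""Added example, not code from the SMC manual or its firmware: a model of
the 'authentication enable radius tacacs local' sequence together with the
radius-server retransmit/timeout settings.  The server list, the
credential stores and the way tries are counted per server are
constructed for this example."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# A server's reply: None means no answer (timed out), True/False is its verdict.
Reply = Callable[[str, str], Optional[bool]]


class Unavailable(Exception):
    """No server of a method answered within its retransmit tries."""


@dataclass
class Server:
    name: str
    reply: Reply


@dataclass
class Method:
    name: str              # 'radius', 'tacacs' or 'local'
    servers: List[Server]  # queried in index order until one responds
    timeout: int = 5       # seconds the switch waits for each try
    retransmit: int = 2    # tries per server (assumption: counted per server)


def query(method: Method, user: str, password: str, log: List[str]) -> bool:
    """Walk the method's servers; the first one that answers decides."""
    for server in method.servers:
        for attempt in range(1, method.retransmit + 1):
            log.append(f"{method.name}:{server.name} try {attempt}")
            verdict = server.reply(user, password)
            if verdict is not None:
                return verdict
    raise Unavailable(method.name)


def authenticate(methods: List[Method], user: str, password: str) -> Tuple[bool, List[str]]:
    """Try each method in the configured order.  Only an unreachable method
    falls through to the next one: a reject is final, so a bad password is
    never retried against a later (and usually weaker) method."""
    log: List[str] = []
    for method in methods:
        try:
            return query(method, user, password, log), log
        except Unavailable:
            log.append(f"{method.name}: no response, falling back")
    return False, log


def worst_case_wait(methods: List[Method]) -> int:
    """Seconds an operator waits before the last method is consulted when
    every earlier server is down: servers * retransmit * timeout."""
    return sum(m.timeout * m.retransmit * len(m.servers) for m in methods[:-1])


def no_answer(user: str, password: str) -> Optional[bool]:
    return None                                  # constructed: server unreachable


TACACS_USERS = {"admin": "correct-horse"}        # constructed credential stores
LOCAL_USERS = {"admin": "hunter2"}


def tacacs_db(user: str, password: str) -> Optional[bool]:
    return TACACS_USERS.get(user) == password


def local_db(user: str, password: str) -> Optional[bool]:
    return LOCAL_USERS.get(user) == password


RADIUS_DOWN = Method("radius", [Server("radius-1", no_answer), Server("radius-2", no_answer)],
                     timeout=10, retransmit=5)
TACACS_UP = Method("tacacs", [Server("tacacs-1", tacacs_db)], timeout=5, retransmit=2)
TACACS_DOWN = Method("tacacs", [Server("tacacs-1", no_answer)], timeout=5, retransmit=2)
LOCAL = Method("local", [Server("local-db", local_db)], timeout=0, retransmit=1)

if __name__ == "__main__":
    ok, log = authenticate([RADIUS_DOWN, TACACS_UP, LOCAL], "admin", "hunter2")
    print(ok, log)   # False: TACACS+ rejected the local-only password, local was never tried
    print(worst_case_wait([RADIUS_DOWN, TACACS_DOWN, LOCAL]))  # seconds before local is consulted
```

With two RADIUS servers at timeout 10 and retransmit 5 plus one TACACS+ server at timeout 5 and retransmit 2, the local fallback is not reached for 110 seconds; keep that figure in mind when choosing the values in radius-server timeout and radius-server retransmit.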
COMMAND LINE INTERFACE TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
AUTHENTICATION COMMANDS tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port_number no tacacs-server port port_number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) Default Setting 49 Command Mode Global Configuration Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default.
Example
Console(config)#tacacs-server key green
Console(config)#
show tacacs-server
This command displays the current settings for the TACACS+ server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show tacacs-server
Remote TACACS server configuration:
Server IP address: 10.11.12.13
Communication key with radius server: green
Server port number: 49
Console#
Note that show tacacs-server prints the TACACS+ key in clear text (the output label reads “radius server” even though it is the TACACS+ key), whereas show radius-server masks the RADIUS key; treat console logs and saved output from this command as sensitive.
Port Security Commands
These commands can be used to enable port security on a port.
Table 4-33 Port Security Commands
port security  Configures a secure port  (Mode: IC, page 4-108)
mac-address-table static  Maps a static address to a port in a VLAN  (Mode: GC, page 4-201)
show mac-address-table  Displays entries in the bridge-forwarding database  (Mode: PE, page 4-202)
port security
This command enables or configures port security. Use the no form without any keywords to disable port security.
COMMAND LINE INTERFACE Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. • First use the port security max-mac-count command to set the number of addresses, and then use the port security command to enable security on the port.
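The behaviour described in the two bullets above, as an added example that is not code from the SMC manual: a port that forwards only frames whose source MAC is already in its static or dynamic table, learns new addresses only until the configured maximum is reached, and drops everything else. It also shows why the order of the two commands matters: with security enabled while the maximum is still at its default of 0 (the value shown by show interfaces status), nothing but static entries ever passes. The shutdown-on-violation option is a stand-in for this example and not a documented keyword; the frames are constructed.

```python
"""Added example, not code from the SMC manual: a model of a port with
port security enabled.  The violation action is a stand-in for this
example, not a documented option; the frames are constructed."""
from typing import Dict, Iterable, List


class SecurePort:
    def __init__(self, max_mac_count: int, static: Iterable[str] = (),
                 shutdown_on_violation: bool = False) -> None:
        # Manual: set port security max-mac-count first, then enable security.
        self.max_mac_count = max_mac_count
        self.static = {m.lower() for m in static}   # mac-address-table static entries
        self.dynamic: List[str] = []                # learned addresses, oldest first
        self.violations: Dict[str, int] = {}
        self.shutdown_on_violation = shutdown_on_violation
        self.admin_up = True

    def ingress(self, src_mac: str) -> str:
        """Return what the port does with a frame from src_mac."""
        src_mac = src_mac.lower()
        if not self.admin_up:
            return "drop:port-shutdown"
        if src_mac in self.static or src_mac in self.dynamic:
            return "forward"
        if len(self.dynamic) < self.max_mac_count:
            self.dynamic.append(src_mac)            # still learning
            return "learn"
        # Table is full: unknown source addresses are dropped, not learned.
        self.violations[src_mac] = self.violations.get(src_mac, 0) + 1
        if self.shutdown_on_violation:
            self.admin_up = False
        return "drop:violation"

    def learned(self) -> List[str]:
        return list(self.dynamic)


def demo() -> List[str]:
    """Two legitimate hosts, one static printer, then a third host plugged
    into the same port once the maximum of 2 has been reached."""
    port = SecurePort(max_mac_count=2, static={"00-e0-29-94-34-de"})
    frames = ["00-11-22-33-44-55", "00-11-22-33-44-66", "00-11-22-33-44-55",
              "00-e0-29-94-34-de", "de-ad-be-ef-00-01"]
    return [port.ingress(f) for f in frames]


if __name__ == "__main__":
    print(demo())   # learn, learn, forward, forward, drop:violation
    locked = SecurePort(max_mac_count=0)          # enabled before max-mac-count was set
    print(locked.ingress("00-11-22-33-44-55"))    # drop:violation: no learning at all
```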
AUTHENTICATION COMMANDS 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol). Table 4-34 802.1X Port Authentication Commands Command Function Mode Page dot1x system-auth-control Enables or disables 802.
COMMAND LINE INTERFACE dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default. Syntax [no] dot1x system-auth-control Default Setting Disabled Command Mode Global Configuration Example Console(config)#dot1x system-auth-control Console(config)# dot1x default This command sets all configurable dot1x global and port settings to their default values.
Default
2
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#dot1x max-req 2
Console(config-if)#
dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
• auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
COMMAND LINE INTERFACE dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count. Syntax dot1x operation-mode {single-host | multi-host [max-count count]} no dot1x operation-mode [multi-host max-count] • single-host – Allows only a single host to connect to this port.
AUTHENTICATION COMMANDS dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface ethernet unit/port - unit - The stack unit. (Range: 1-8) - port - Port number. (Range: 1-26) Command Mode Privileged Exec Example Console#dot1x re-authenticate Console# dot1x re-authentication This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication.
COMMAND LINE INTERFACE dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default. Syntax dot1x timeout quiet-period seconds no dot1x timeout quiet-period seconds - The number of seconds.
AUTHENTICATION COMMANDS Example Console(config)#interface ethernet 1/5 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of seconds.
COMMAND LINE INTERFACE Command Mode Privileged Exec Command Usage This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch. • 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items: - Status – Administrative state for port access control. - Operation Mode–Allows single or multiple hosts (page 4-113).
AUTHENTICATION COMMANDS - Supplicant– MAC address of authorized client. - Current Identifier– The integer (0-255) used by the Authenticator to identify the current authentication session. • Authenticator State Machine - State– Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized). - Reauth Count– Number of times connecting state is re-entered.
ACCESS CONTROL LIST COMMANDS soon as it matches a deny rule. If no rules match for a list of all permit rules, the packet is dropped; and if no rules match for a list of all deny rules, the packet is accepted. There are three filtering modes: • Standard IP ACL mode (STD-ACL) filters packets based on the source IP address. • Extended IP ACL mode (EXT-ACL) filters packets based on source or destination IP address, as well as protocol type and protocol port number.
• Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unknown packets.
The order in which active ACLs are checked is as follows:
1. User-defined rules in the Egress MAC ACL for egress ports.
2. User-defined rules in the Egress IP ACL for egress ports.
3. User-defined rules in the Ingress MAC ACL for ingress ports.
4. User-defined rules in the Ingress IP ACL for ingress ports.
5.
IP ACLs
Table 4-36 IP ACL Commands
access-list ip  Creates an IP ACL and enters configuration mode  (Mode: GC, page 4-123)
access-list ip extended fragment-auto-mask  Automatically creates extra masks to support fragmented ACL entries  (Mode: GC, page 4-123)
permit, deny  Filters packets matching a specified source IP address  (Mode: STD-ACL, page 4-124)
permit, deny  Filters packets meeting the specified criteria, including source and destination IP address, TCP/UDP port nu  (Mode: EXT-ACL)
COMMAND LINE INTERFACE access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name • standard – Specifies an ACL that filters packets based on the source IP address. • extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria. • acl_name – Name of the ACL.
ACCESS CONTROL LIST COMMANDS access-list ip extended fragment-auto-mask This command automatically creates extra masks to support fragmented ACL entries. Use the no form to disable this feature. Syntax [no] access-list ip extended fragment-auto-mask Default Setting Disabled Command Mode Global Configuration Command Usage If this feature is disabled, fragmented packets will not be matched by any ACL rule, and will be handled according to the default permit or deny rule.
Command Mode
Standard ACL
Command Usage
• New rules are appended to the end of the list.
• Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address and with the source address of each IP packet entering the port(s) to which this ACL has been assigned; the rule matches when the two masked values are equal.
[no] {permit | deny} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [precedence precedence] [tos tos] [dscp dscp] [source-port sport [bitmask]] [destination-port dport [port-bitmask]] [control-flag control-flags flag-bitmask]
• protocol-number – A specific protocol number. (Range: 0-255)
• source – Source IP address.
• destination – Destination IP address.
COMMAND LINE INTERFACE with the address for each IP packet entering the port(s) to which this ACL has been assigned. • You can specify both Precedence and ToS in the same rule. However, if DSCP is used, then neither Precedence nor ToS can be specified. • The control-code bitmask is a decimal number (representing an equivalent bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit “1” means to match a bit and “0” means to ignore a bit.
This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
Console(config-ext-acl)#
Note that the bitmask 2 compares only the SYN bit, so a SYN-ACK segment (control code 18) matches this rule as well; to match the opening SYN alone, compare the SYN and ACK bits together with control-flag 2 18.
Related Commands
access-list ip (4-123)
show ip access-list
This command displays the rules for configured IP ACLs.
Syntax
show ip access-list {standard | extended} [acl_name]
• standard – Specifies a standard IP ACL.
• extended – Specifies an extended IP ACL.
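The matching rules described in this section (address bitmasks ANDed with both addresses, the decimal control-flag bitmask, first-match evaluation, and the default action for an all-permit or all-deny list), as an added example that is not code from the SMC manual or its firmware. It uses the manual's own rules: the SYN rule above, and the standard ACL A2 that permits any and denies host 171.69.198.102. order_by_mask is a simplified stand-in for the switch's mask precedence (more specific masks checked first) and an assumption of this example, as is the default-deny outcome for a mixed list with no match, which the manual does not state; the packets are constructed.

```python
"""Added example, not code from the SMC manual or its firmware: a model of
how the switch evaluates a standard or extended IP ACL against a packet.
order_by_mask is a simplified stand-in for mask precedence; the packets and
rule lists are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# TCP control-code bits as the ACL control-flag value sees them
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
HOST = "255.255.255.255"      # mask behind a 'host' entry; 'any' is 0.0.0.0 0.0.0.0


def _masked(addr: str, bitmask: str) -> int:
    return int(IPv4Address(addr)) & int(IPv4Address(bitmask))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int = 6      # IP protocol number; 6 is TCP
    flags: int = 0      # TCP control code


@dataclass(frozen=True)
class Rule:
    action: str                     # 'permit' or 'deny'
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: Optional[int] = None  # None: standard ACL, protocol not checked
    flags: int = 0                  # control-flag value to compare
    flag_mask: int = 0              # decimal bitmask; 0 means flags not checked

    def matches(self, pkt: Packet) -> bool:
        # Mask is applied to the rule address and to the packet address alike.
        if _masked(self.src, self.src_mask) != _masked(pkt.src, self.src_mask):
            return False
        if _masked(self.dst, self.dst_mask) != _masked(pkt.dst, self.dst_mask):
            return False
        if self.protocol is not None and pkt.proto != self.protocol:
            return False
        # Only the bits set in flag_mask are compared; the rest are ignored.
        if self.flag_mask and (pkt.flags & self.flag_mask) != (self.flags & self.flag_mask):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First match wins.  With no match, an all-permit list drops the packet
    and an all-deny list accepts it (manual).  A mixed list with no match is
    assumed here to deny, which the manual does not state."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    actions = {r.action for r in rules}
    return "permit" if actions == {"deny"} else "deny"


def order_by_mask(rules: List[Rule]) -> List[Rule]:
    """Simplified model of mask precedence: once the ACL is bound to a port
    the rules are checked in mask order, not entry order.  Here rules with
    more 1 bits in their masks come first; the sort is stable."""
    def specificity(r: Rule) -> int:
        return bin(int(IPv4Address(r.src_mask))).count("1") + \
               bin(int(IPv4Address(r.dst_mask))).count("1")
    return sorted(rules, key=specificity, reverse=True)


# Constructed packets
SYN_FROM_LAN = Packet("192.168.1.77", "10.1.1.1", flags=SYN)
SYNACK_FROM_LAN = Packet("192.168.1.77", "10.1.1.1", flags=SYN | ACK)
SYN_FROM_ELSEWHERE = Packet("10.9.9.9", "10.1.1.1", flags=SYN)

# The manual's rule: permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
SYN_BIT_ONLY = [Rule("permit", "192.168.1.0", "255.255.255.0", protocol=6, flags=SYN, flag_mask=SYN)]
# The same rule with control-flag 2 18: ACK is compared too and must be clear
SYN_NOT_ACK = [Rule("permit", "192.168.1.0", "255.255.255.0", protocol=6, flags=SYN, flag_mask=SYN | ACK)]
# The manual's standard ACL A2, in the order it was entered
A2 = [Rule("permit"), Rule("deny", "171.69.198.102", HOST)]
BAD_HOST = Packet("171.69.198.102", "1.1.1.1")

if __name__ == "__main__":
    print(evaluate(SYN_BIT_ONLY, SYNACK_FROM_LAN))   # permit: mask 2 ignores the ACK bit
    print(evaluate(SYN_NOT_ACK, SYNACK_FROM_LAN))    # deny: no match in an all-permit list
    print(evaluate(A2, BAD_HOST))                    # permit: 'permit any' shadows the deny
    print(evaluate(order_by_mask(A2), BAD_HOST))     # deny: host mask is checked first
```

The last two lines are the reason the manual's show access-list output lists the deny host rule before permit any even though it was entered second: in entry order the deny would never be reached.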
COMMAND LINE INTERFACE access-list ip mask-precedence This command changes to the IP Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax [no] access-list ip mask-precedence {in | out} • in – Ingress mask for ingress ACLs. • out – Egress mask for egress ACLs. Default Setting Default system mask: Filter inbound packets according to specified IP ACLs. Command Mode Global Configuration Command Usage • A mask can only be used by all ingress ACLs or all egress ACLs.
mask (IP ACL)
This command defines a mask for IP ACLs. This mask defines the fields to check in the IP header. Use the no form to remove a mask.
Syntax
[no] mask [protocol] {any | host | source-bitmask} {any | host | destination-bitmask} [precedence] [tos] [dscp] [source-port [port-bitmask]] [destination-port [port-bitmask]] [control-flag [flag-bitmask]]
• protocol – Check the protocol field.
• any – Any address will be matched.
COMMAND LINE INTERFACE determined by the mask, and not the order in which the ACL rules were entered. • First create the required ACLs and ingress or egress masks before mapping an ACL to an interface. • If you enter dscp, you cannot enter tos or precedence. You can enter both tos and precedence without dscp. • Masks that include an entry for a Layer 4 protocol source port or destination port can only be applied to packets with a header length of exactly five bytes.
ACCESS CONTROL LIST COMMANDS This shows how to create a standard ACL with an ingress mask to deny access to the IP host 171.69.198.102, and permit access to any others. Console(config)#access-list ip standard A2 Console(config-std-acl)#permit any Console(config-std-acl)#deny host 171.69.198.102 Console(config-std-acl)#end Console#show access-list IP standard access-list A2: deny host 171.69.198.
COMMAND LINE INTERFACE This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
ACCESS CONTROL LIST COMMANDS Example Console#show access-list ip mask-precedence IP ingress mask ACL: mask host any mask 255.255.255.0 any Console# Related Commands mask (IP ACL) (4-130) ip access-group This command binds a port to an IP ACL. Use the no form to remove the port. Syntax [no] ip access-group acl_name {in | out} • acl_name – Name of the ACL. (Maximum length: 15 characters) • in – Indicates that this list applies to ingress packets. • out – Indicates that this list applies to egress packets.
COMMAND LINE INTERFACE Related Commands show ip access-list (4-128) show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/2 IP standard access-list david Console# Related Commands ip access-group (4-134) map access-list ip This command sets the output queue for packets matching an ACL rule.
ACCESS CONTROL LIST COMMANDS • A packet matching a rule within the specified ACL is mapped to one of the output queues as shown in the following table. For information on mapping the CoS values to output queues, see queue cos-map on page 4-257.
COMMAND LINE INTERFACE Related Commands map access-list ip (4-135) match access-list ip This command changes the IEEE 802.1p priority, IP Precedence, or DSCP Priority of a frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no form to remove the ACL marker. Syntax match access-list ip acl_name [set priority priority] {set tos tos_value | set dscp dscp_value} no match access-list ip acl_name • acl_name – Name of the ACL.
ACCESS CONTROL LIST COMMANDS IP frame header can include either the IP Precedence or DSCP priority type. • The precedence for priority mapping by this switch is IP Precedence or DSCP Priority, and then 802.1p priority. Example Console(config)#interface ethernet 1/12 Console(config-if)#match access-list ip bill set dscp 0 Console(config-if)# Related Commands show marking (4-138) show marking This command displays the current configuration for packet marking.
COMMAND LINE INTERFACE Table 4-38 MAC ACL Commands (Continued) Command Function Mode Page access-list mac mask-precedence Changes to the mode for configuring access control masks GC 4-143 mask Sets a precedence mask for the ACL rules MAC-Mask 4-144 show access-list mac Shows the ingress or egress rule masks mask-precedence for MAC ACLs PE 4-146 mac access-group Adds a port to a MAC ACL IC 4-146 show mac access-group Shows port assignments for MAC ACLs PE 4-147 map access-list mac Sets
ACCESS CONTROL LIST COMMANDS Command Usage • An egress ACL must contain all deny rules. • When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. • To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule. • An ACL can contain up to 32 rules.
COMMAND LINE INTERFACE [no] {permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype protocol [protocol-bitmask]] [no] {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [no] {permit | deny} untagged-802.
ACCESS CONTROL LIST COMMANDS • A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: - 0800 - IP - 0806 - ARP - 8137 - IPX Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.
access-list mac mask-precedence
This command changes to MAC Mask mode used to configure access control masks. Use the no form to delete the mask table.
Syntax
[no] access-list mac mask-precedence {in | out}
• in – Ingress mask for ingress ACLs.
• out – Egress mask for egress ACLs.
Default Setting
Default system mask: Filter inbound packets according to specified MAC ACLs.
ACCESS CONTROL LIST COMMANDS mask (MAC ACL) This command defines a mask for MAC ACLs. This mask defines the fields to check in the packet header. Use the no form to remove a mask. Syntax [no] mask [pktformat] {any | host | source-bitmask} {any | host | destination-bitmask} [vid [vid-bitmask]] [ethertype [ethertype-bitmask]] • pktformat – Check the packet format field. (If this keyword must be used in the mask, the packet format must be specified in ACL rule to match.) • any – Any address will be matched.
COMMAND LINE INTERFACE Example This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules have been changed by the mask.
ACCESS CONTROL LIST COMMANDS show access-list mac mask-precedence This command shows the ingress or egress rule masks for MAC ACLs. Syntax show access-list mac mask-precedence [in | out] • in – Ingress mask precedence for ingress ACLs. • out – Egress mask precedence for egress ACLs.
COMMAND LINE INTERFACE • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. • You must configure a mask for an ACL rule before you can bind it to a port. Example Console(config)#interface ethernet 1/2 Console(config-if)#mac access-group jerry in Console(config-if)# Related Commands show mac access-list (4-142) show mac access-group This command shows the ports assigned to MAC ACLs.
ACCESS CONTROL LIST COMMANDS Default Setting None Command Mode Interface Configuration (Ethernet) Command Usage • You must configure an ACL mask before you can map CoS values to the rule. • By default, a packet matching a rule within the specified ACL is mapped to one of the output queues as shown below.
COMMAND LINE INTERFACE Command Mode Privileged Exec Example Console#show map access-list mac Access-list to COS of Eth 1/5 Access-list M5 cos 0 Console# Related Commands map access-list mac (4-147) match access-list mac This command changes the IEEE 802.1p priority of a Layer 2 frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no form to remove the ACL marker.
ACCESS CONTROL LIST COMMANDS Related Commands show marking (4-138) ACL Information Table 4-40 ACL Information Command Function Mode Page show access-list Show all ACLs and associated rules PE 4-150 show access-group Shows the ACLs assigned to each port PE 4-151 show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks. Command Mode Privileged Exec Command Usage Once the ACL is bound to an interface (i.e.
show access-group
This command shows the port assignments of ACLs.
Command Mode
Privileged Exec
Example
Console#show access-group
Interface ethernet 1/2
IP standard access-list david
MAC access-list jerry
Console#
SNMP Commands
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.
SNMP COMMANDS Table 4-41 SNMP Commands (Continued) Command Function Mode Page snmp-server location Sets the system location string GC 4-155 snmp-server host Specifies the recipient of an SNMP notification operation GC 4-156 snmp-server enable traps Enables the device to send SNMP traps (i.e.
COMMAND LINE INTERFACE show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
snmp-server community
This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string.
Syntax
snmp-server community string [ro|rw]
no snmp-server community string
• string - Community string that acts like a password and permits access to the SNMP protocol. (Maximum length: 32 characters, case sensitive; Maximum number of strings: 5) SNMP v1 and v2c carry the community string in clear text in every request, so any host on the path can read it; remove the default strings with the no form and prefer SNMPv3 users with authentication and privacy for management access.
• ro - Specifies read-only access.
COMMAND LINE INTERFACE Default Setting None Command Mode Global Configuration Example Console(config)#snmp-server contact Paul Console(config)# Related Commands snmp-server location (4-155) snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location.
SNMP COMMANDS snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr • host-addr - Internet address of the host (the targeted recipient).
Default Setting
• Host Address: None
• Notification Type: Traps
• SNMP Version: 1
• UDP Port: 162
Command Mode
Global Configuration
Command Usage
• If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
SNMP COMMANDS 3. Specify the target host that will receive inform messages with the snmp-server host command as described in this section. 4. Create a view with the required notification messages (page 4-162). 5. Create a group that includes the required notify view (page 4-164). To send an inform to a SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 4-152). 2. Allow the switch to send SNMP traps; i.e., notifications (page 4-159). 3.
COMMAND LINE INTERFACE snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications. Syntax [no] snmp-server enable traps [authentication | link-up-down] • authentication - Keyword to issue authentication failure notifications. • link-up-down - Keyword to issue link-up or link-down notifications. Default Setting Issue authentication and link-up-down traps.
Example
Console(config)#snmp-server enable traps link-up-down
Console(config)#
Related Commands
snmp-server host (4-156)
snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
Syntax
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {address}}
• local - Specifies the SNMP engine on this switch.
• remote - Specifies an SNMP engine on a remote device.
the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.
• Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “1234” is equivalent to “1234” followed by 22 zeroes.
• A local engine ID is automatically generated that is unique to the switch.
SNMP COMMANDS Table 4-42 show snmp engine-id - display description Field Description Local SNMP engineID String identifying the local engine ID. Local SNMP engineBoots The number of times that the engine has (re-)initialized since the snmp EngineID was last configured. Remote SNMP engineID String identifying an engine ID on a remote device. IP address IP address of the device containing the corresponding remote SNMP engine.
COMMAND LINE INTERFACE Examples This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.
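How a view such as those defined above decides whether an OID is visible, as an added example that is not code from the SMC manual or its firmware. Each entry is a subtree marked included or excluded, a “*” component matches any value at that position as in the snmp-server view examples, and the longest matching subtree decides. The operator view built at the end is constructed for the example: it exposes the internet subtree but excludes the standard USM, VACM and community tables (1.3.6.1.6.3.15, .16 and .18), so that a read-only user cannot enumerate SNMP user names and community strings through SNMP itself, and it reuses the manual's wildcard shape to hide every ifEntry column for interface index 2. The VACM tie rule for subtrees of equal length is not modelled.

```python
"""Added example, not code from the SMC manual or its firmware: a model of
how an SNMPv3 view decides whether an OID is visible.  The operator view
is constructed for the example."""
from typing import List, Optional, Tuple

Pattern = List[Optional[int]]   # None stands for a wildcard component


def parse_oid(text: str) -> Pattern:
    return [None if part == "*" else int(part) for part in text.strip(".").split(".")]


class View:
    def __init__(self) -> None:
        self.entries: List[Tuple[Pattern, str]] = []

    def add(self, subtree: str, access: str) -> "View":
        if access not in ("included", "excluded"):
            raise ValueError(access)
        self.entries.append((parse_oid(subtree), access))
        return self

    @staticmethod
    def _covers(pattern: Pattern, oid: Pattern) -> bool:
        # A subtree covers an OID when the OID is at least as long and every
        # non-wildcard component agrees.
        return len(oid) >= len(pattern) and all(
            p is None or p == o for p, o in zip(pattern, oid))

    def allows(self, oid_text: str) -> bool:
        """Longest covering subtree wins; no covering subtree means not in view."""
        oid = parse_oid(oid_text)
        best: Optional[Tuple[Pattern, str]] = None
        for pattern, access in self.entries:
            if self._covers(pattern, oid) and (best is None or len(pattern) > len(best[0])):
                best = (pattern, access)
        return best is not None and best[1] == "included"


# Constructed read view for operators: the internet subtree minus the SNMP
# security tables, plus the manual's wildcard shape for ifEntry instance 2.
OPERATOR_VIEW = (
    View()
    .add("1.3.6.1", "included")
    .add("1.3.6.1.6.3.15", "excluded")          # SNMP-USER-BASED-SM-MIB (USM users)
    .add("1.3.6.1.6.3.16", "excluded")          # SNMP-VIEW-BASED-ACM-MIB (groups, views)
    .add("1.3.6.1.6.3.18", "excluded")          # SNMP-COMMUNITY-MIB (community strings)
    .add("1.3.6.1.2.1.2.2.1.*.2", "excluded")   # any ifEntry column, instance 2
)

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0",          # sysDescr.0: visible
                "1.3.6.1.6.3.18.1.1.1.2",     # community table: hidden
                "1.3.6.1.2.1.2.2.1.5.2",      # ifSpeed.2: hidden by the wildcard entry
                "1.3.6.1.2.1.2.2.1.5.3"):     # ifSpeed.3: visible
        print(oid, OPERATOR_VIEW.allows(oid))
```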
SNMP COMMANDS Table 4-43 show snmp view - display description (Continued) Field Description View Type Indicates if the view is included or excluded. Storage Type The storage type for this entry. Row Status The row status of this entry. snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
Command Usage
• A group sets the access policy for the assigned users.
• When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
• When privacy is selected, the DES 56-bit algorithm is used for data encryption. Both MD5 and 56-bit DES are considered weak by current standards, and this switch offers no stronger SNMPv3 algorithms, so prefer SHA for authentication and still confine SNMP access to a trusted management network.
• For additional information on the notification messages supported by this switch, see “Supported Notification Messages” on page 3-62.
Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#
The default groups shown here give the well-known community string “private” read-write access through defaultview under both v1 and v2c; remove or replace the default public and private community strings before connecting the switch to a network you do not fully trust.
Table 4-44 show snmp group - display description
snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read and Write View. Use the no form to remove a user from an SNMP group.
Syntax
snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]}
no snmp-server user username {v1 | v2c | v3 | remote}
• username - Name of user connecting to the SNMP agent.
SNMP COMMANDS ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 4-160) to specify the engine ID for the remote device where the user resides. Then use the snmp-server user command to specify the user and the IP address for the remote device where the user resides. The remote agent’s SNMP engine ID is used to compute authentication/privacy digests from the user’s password.
COMMAND LINE INTERFACE show snmp user This command shows information on SNMP users.
INTERFACE COMMANDS Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
interface
This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk.
Syntax
interface interface
no interface port-channel channel-id
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1-8)
- port - Port number.
INTERFACE COMMANDS Default Setting None Command Mode Interface Configuration (Ethernet, Port Channel) Example The following example adds a description to port 25 Console(config)#interface ethernet 1/25 Console(config-if)#description RD-SW#3 Console(config-if)# speed-duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled. Use the no form to restore the default.
COMMAND LINE INTERFACE • When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To set the speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface. Example The following example configures port 5 to 100 Mbps, half-duplex operation.
INTERFACE COMMANDS Example The following example configures port 11 to use autonegotiation Console(config)#interface ethernet 1/11 Console(config-if)#negotiation Console(config-if)# Related Commands negotiation (4-173) speed-duplex (4-172) capabilities This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
COMMAND LINE INTERFACE Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. Example The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.
INTERFACE COMMANDS • To force flow control on or off (with the flowcontrol or no flowcontrol command), use the no negotiation command to disable auto-negotiation on the selected interface. • When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command.
COMMAND LINE INTERFACE Example The following example disables port 5. Console(config)#interface ethernet 1/5 Console(config-if)#shutdown Console(config-if)# switchport broadcast packet-rate This command configures broadcast storm control. Use the no form to disable broadcast storm control. Syntax switchport broadcast packet-rate rate no switchport broadcast rate - Threshold level as a rate; i.e., packets per second.
INTERFACE COMMANDS clear counters This command clears statistics on an interface. Syntax clear counters interface interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-26) • port-channel channel-id (Range: 1-6) Default Setting None Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session.
COMMAND LINE INTERFACE show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-26) • port-channel channel-id (Range: 1-6) • vlan vlan-id (Range: 1-4093) Default Setting Shows the status for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
Example
Console#show interfaces status ethernet 1/5
Information of Eth 1/5
 Basic information:
  Port type: 100TX
  Mac address: 00-01-F4-78-AE-C1
 Configuration:
  Name:
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 10half, 10full, 100half, 100full
  Broadcast storm: Enabled
  Broadcast storm limit: 500 packets/second
  Flow control: Enabled
  LACP: Disabled
  Port security: Disabled
  Max MAC count: 0
  Port security action: None
 Current status:
  Link status: Up
  Port operation status: Up
  Operation speed-dup
Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics” on page 3-139.
show interfaces switchport
This command displays the administrative and operational status of the specified interfaces.

Syntax
show interfaces switchport [interface]

interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1-8)
  - port - Port number. (Range: 1-26)
• port-channel channel-id (Range: 1-6)

Default Setting
Shows all interfaces.

Command Mode
Normal Exec, Privileged Exec

Command Usage
If no interface is specified, information on all interfaces is displayed.
Table 4-47 show interfaces switchport - display description

Field                       Description
Broadcast threshold         Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 4-177).
LACP status                 Shows if Link Aggregation Control Protocol has been enabled or disabled (page 4-190).
Ingress/Egress rate limit   Shows if rate limiting is enabled, and the current rate limit (page 4-187).
Mirror Port Commands
This section describes how to mirror traffic from a source port to a target port.

Table 4-48 Mirror Port Commands
Command             Function                                    Mode   Page
port monitor        Configures a mirror session                 IC     4-184
show port monitor   Shows the configuration for a mirror port   PE     4-185

port monitor
This command configures a mirror session. Use the no form to clear a mirror session.
• The destination port is set by specifying an Ethernet interface.
• The mirror port and monitor port speeds should match, otherwise traffic may be dropped from the monitor port.
• You can create multiple mirror sessions, but all sessions must share the same destination port. However, you should avoid sending too much traffic to the destination port from multiple source ports.
Example
The following shows mirroring configured from port 6 to port 11:

Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6
Console(config-if)#end
Console#show port monitor
Port Mirroring
-------------------------------------
Destination port(listen port):Eth1/1
Source port(monitored port) :Eth1/6
Mode :RX/TX
Console#

Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic transmitted or received on an interfac
rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled.

Syntax
rate-limit {input | output} [rate]
no rate-limit {input | output}

• input – Input rate
• output – Output rate
• rate – Maximum value in Mbps.
Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
Guidelines for Creating Trunks

General Guidelines –
• Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop.
• A trunk can have up to eight ports.
• The ports at both ends of a connection must be configured as trunk ports.
• All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
channel-group
This command adds a port to a trunk. Use the no form to remove a port from a trunk.

Syntax
channel-group channel-id
no channel-group

channel-id - Trunk index (Range: 1-6)

Default Setting
The current port will be added to this trunk.

Command Mode
Interface Configuration (Port Channel)

Command Usage
• When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.
• Use no channel-group to remove a port group from a trunk.
Command Mode
Interface Configuration (Ethernet)

Command Usage
• The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
• A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
• If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
 Configuration:
  Name:
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 10half, 10full, 100half, 100full
  Flow control: Enabled
  Port security: Disabled
  Max MAC count: 0
 Current status:
  Created by: LACP
  Link status: Up
  Port operation status: Up
  Operation speed-duplex: 100full
  Flow control type: None
  Member Ports: Eth1/11, Eth1/12, Eth1/13,
Console#

lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
• Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
Example
Console(config)#interface port channel 1
Console(config-if)#lacp admin-key 3
Console(config-if)#

lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.

Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority

• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.
• priority - LACP port priority is used to select a backup link.
show lacp
This command displays LACP information.

Syntax
show lacp [port-channel] {counters | internal | neighbors | sys-id}

• port-channel - Local identifier for a link aggregation group. (Range: 1-6)
• counters - Statistics for LACP protocol messages.
• internal - Configuration settings and operational state for local side.
• neighbors - Configuration settings and operational state for remote side.
• sys-id - Summary of system priority and MAC address for all channel groups.
Table 4-51 show lacp counters - display description (Continued)

Field                  Description
Marker Received        Number of valid Marker PDUs received by this channel group.
LACPDUs Unknown Pkts   Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
Table 4-52 show lacp internal - display description (Continued)

Field                    Description
LACP Port Priority       LACP port priority assigned to this interface within the channel group.
Admin State, Oper State  Administrative or operational values of the actor’s state parameters:
                         • Expired – The actor’s receive machine is in the expired state;
                         • Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
Console#show lacp 1 neighbors
Channel group 1 neighbors
--------------------------------------------------------------------
Eth 1/1
--------------------------------------------------------------------
Partner Admin System ID : 32768, 00-00-00-00-00-00
Partner Oper System ID : 32768, 00-00-00-00-00-01
Partner Admin Port Number : 1
Partner Oper Port Number : 1
Port Admin Priority : 32768
Port Oper Priority : 32768
Admin Key : 0
Oper Key : 4
Admin State : defaulted, distributing, collecti
ADDRESS TABLE COMMANDS

Console#show lacp sysid
Channel group   System Priority   System MAC Address
--------------------------------------------------------------------
1               32768             00-30-F1-8F-2C-A7
2               32768             00-30-F1-8F-2C-A7
3               32768             00-30-F1-8F-2C-A7
4               32768             00-30-F1-8F-2C-A7
5               32768             00-30-F1-8F-2C-A7
6               32768             00-30-F1-8F-2C-A7
Console#

Table 4-54 show lacp sysid - display description

Field           Description
Channel group   A link aggregation group configured on this switch.
mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.

Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id

• mac-address - MAC address.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1-8)
    - port - Port number.
Example
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#

clear mac-address-table dynamic
This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries.
Default Setting
None

Command Mode
Privileged Exec

Command Usage
• The MAC Address Table contains the MAC addresses associated with each interface.
SPANNING TREE COMMANDS

Command Mode
Global Configuration

Command Usage
The aging time is used to age out dynamically learned forwarding information.

Example
Console(config)#mac-address-table aging-time 300
Console(config)#

show mac-address-table aging-time
This command shows the aging time for entries in the address table.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show mac-address-table aging-time
Aging time: 300 sec.
Table 4-56 Spanning Tree Commands (Continued)

Command                         Function                                           Mode   Page
spanning-tree hello-time        Configures the spanning tree bridge hello time     GC     4-209
spanning-tree max-age           Configures the spanning tree bridge maximum age    GC     4-210
spanning-tree default priority  Sets the spanning-tree priority to use increments specified by IEEE 802.1D (steps of 1) or 802.
Table 4-56 Spanning Tree Commands (Continued)

Command                          Function                                             Mode   Page
spanning-tree edge-port          Enables fast forwarding for edge ports               IC     4-221
spanning-tree portfast           Sets an interface to fast forwarding                 IC     4-222
spanning-tree link-type          Configures the link type for RSTP/MSTP               IC     4-223
spanning-tree mst cost           Configures the path cost of an instance in the MST   IC     4-224
spanning-tree mst port-priority  Configures the priority of an instance in the MST    IC     4-225
spanning-t
ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.

Example
This example shows how to enable the Spanning Tree Algorithm for the switch:

Console(config)#spanning-tree
Console(config)#

spanning-tree mode
Use this command to select the spanning tree mode for this switch. Use the no form to restore the default.
• Rapid Spanning Tree Protocol
  RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
  - STP Mode – If the switch receives an 802.1D BPDU after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  - RSTP Mode – If RSTP is using 802.
Default Setting
15 seconds

Command Mode
Global Configuration

Command Usage
This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
Example
Console(config)#spanning-tree hello-time 5
Console(config)#

spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree max-age seconds
no spanning-tree max-age

seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)]. The maximum value is the lower of 40 or [2 x (forward-time - 1)].
spanning-tree default priority
Use this command to configure the spanning-tree priority to use increments specified by IEEE 802.1D (steps of 1) or 802.1t (steps of 4096). Use the no form to restore the default setting to increments specified by IEEE 802.1t.

Syntax
spanning-tree default priority {802.1D-1998 | 802.1t-2001}
no spanning-tree default priority

• 802.1D-1998 - Specifies priority increments of 1 per IEEE 802.1D.
• 802.
Default Setting
32768

Command Mode
Global Configuration

Command Usage
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Command Usage
The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 4-212) takes precedence over port priority (page 4-221).
spanning-tree backup-root
This command adjusts the bridge priority in an attempt to take over as the new root bridge if it loses contact with the original root device. Use the no form to disable the command.

Syntax
[no] spanning-tree backup-root

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
This command will automatically lower the bridge priority of this device by 4096 if the switch loses contact with the current root bridge.
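The timer bounds, priority increments, root election and backup-root rules from the max-age, default priority, priority and backup-root commands above can be checked before a configuration is pushed. The following is an added example (not SMC's code) that encodes those rules as stated here; the 16-bit priority range and the floor of 0 for backup-root are assumptions of the example.

```python
"""Sanity checks for the STP settings described in this section.

Added example, not vendor code.  The rules are those stated in the command
descriptions: max-age bounds derived from hello-time and forward-time,
priority increments of 1 (802.1D-1998) or 4096 (802.1t-2001), root election
by lowest priority then lowest MAC, and backup-root lowering priority by 4096.
"""
from __future__ import annotations

# Priority increment per selection method (spanning-tree default priority).
PRIORITY_STEP = {"802.1D-1998": 1, "802.1t-2001": 4096}


def max_age_bounds(hello_time: int, forward_time: int) -> tuple[int, int]:
    """Valid max-age range: minimum is the higher of 6 or 2 x (hello-time + 1),
    maximum is the lower of 40 or 2 x (forward-time - 1)."""
    low = max(6, 2 * (hello_time + 1))
    high = min(40, 2 * (forward_time - 1))
    return low, high


def validate_timers(hello_time: int, max_age: int, forward_time: int) -> list[str]:
    """Return the list of problems found; an empty list means the three
    timers are mutually consistent."""
    problems: list[str] = []
    low, high = max_age_bounds(hello_time, forward_time)
    if low > high:
        problems.append(
            f"no valid max-age: hello-time {hello_time} and "
            f"forward-time {forward_time} conflict"
        )
    elif not low <= max_age <= high:
        problems.append(f"max-age {max_age} outside [{low}, {high}]")
    return problems


def valid_bridge_priority(priority: int, method: str = "802.1t-2001") -> bool:
    """Check that a bridge priority fits the 16-bit field (assumed range
    0-65535) and is a multiple of the increment the selected method allows."""
    step = PRIORITY_STEP[method]
    return 0 <= priority <= 65535 and priority % step == 0


def _mac_to_int(mac: str) -> int:
    """Numeric value of a MAC written as xx-xx-xx-xx-xx-xx or xx:xx:..."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def elect_root(bridges: dict[str, tuple[int, str]]) -> str:
    """Return the label of the bridge that becomes STA root.

    bridges maps a label to (priority, mac).  The lowest numeric priority
    wins; if priorities tie, the lowest MAC address wins."""
    return min(bridges, key=lambda name: (bridges[name][0], _mac_to_int(bridges[name][1])))


def backup_root_priority(priority: int) -> int:
    """Priority this switch adopts when spanning-tree backup-root triggers:
    the current value lowered by 4096 (floor of 0 is an assumption here)."""
    return max(0, priority - 4096)


if __name__ == "__main__":
    # Constructed sample: three bridges, two of them at the default priority.
    sample = {
        "sw-a": (32768, "00-00-00-00-00-02"),
        "sw-b": (32768, "00-00-00-00-00-01"),
        "sw-c": (36864, "00-00-00-00-00-00"),
    }
    print("root:", elect_root(sample))
    print("max-age bounds for hello 5 / forward 15:", max_age_bounds(5, 15))
    print("problems:", validate_timers(5, 10, 15))
```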
Related Commands
mst vlan (4-215)
mst priority (4-216)
name (4-217)
revision (4-218)
max-hops (4-218)

mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.

Syntax
[no] mst instance_id vlan vlan-range

• instance_id - Instance identifier of the spanning tree. (Range: 0-4094)
• vlan-range - Range of VLANs.
MSTI region as a single node, connecting all regions to the Common Spanning Tree.

Example
Console(config-mstp)#mst 1 vlan 2-5
Console(config-mstp)#

mst priority
This command configures the priority of a spanning tree instance. Use the no form to restore the default.

Syntax
mst instance_id priority priority
no mst instance_id priority

• instance_id - Instance identifier of the spanning tree. (Range: 0-4094)
• priority - Priority of a spanning tree instance.
Example
Console(config-mstp)#mst 1 priority 4096
Console(config-mstp)#

name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name.

Syntax
name name

name - Name of the spanning tree.

Default Setting
Switch’s MAC address

Command Mode
MST Configuration

Command Usage
The MST region name and revision number (page 4-218) are used to designate a unique MST region. A bridge (i.e.
revision
This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.

Syntax
revision number

number - Revision number of the spanning tree. (Range: 0-65535)

Default Setting
0

Command Mode
MST Configuration

Command Usage
The MST region name (page 4-217) and revision number are used to designate a unique MST region. A bridge (i.e.
Default Setting
20

Command Mode
MST Configuration

Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU.
spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default.

Syntax
spanning-tree cost cost
no spanning-tree cost

cost - The path cost for the port.
spanning-tree port-priority
Use this command to configure the priority for the specified interface. Use the no form to restore the default.

Syntax
spanning-tree port-priority priority
no spanning-tree port-priority

priority - The priority for a port. (Range: 0-240, in steps of 16)

Default Setting
128

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• This command defines the priority for the use of a port in the Spanning Tree Algorithm.
Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding.
• Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time.
Default Setting
auto

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• Specify a point-to-point link if the interface can only be connected to exactly one other bridge, or a shared link if it can be connected to two or more bridges.
• When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
Default Setting
• Ethernet – half duplex: 2,000,000; full duplex: 1,000,000; trunk: 500,000
• Fast Ethernet – half duplex: 200,000; full duplex: 100,000; trunk: 50,000
• Gigabit Ethernet – full duplex: 10,000; trunk: 5,000

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• Each spanning-tree instance is associated with a unique set of VLAN IDs.
• This command is used by the multiple spanning-tree algorithm to determine the best path between devices.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch are the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
• Where more than one interface is assigned the highest priority, the interface with lowest numeric identifier will be enabled.
Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
• Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
• Use the show spanning-tree mst instance_id command to display the spanning tree configuration for an instance within the Multiple Spanning Tree (MST).
• For a description of the items displayed under “Spanning-tree information,” see “Configuring Global Settings” on page 3-160.
--------------------------------------------------------------
Eth 1/ 1 information
--------------------------------------------------------------
Admin status: enabled
Role: disable
State: discarding
External path cost: 200000
Internal path cost: 200000
Priority: 128
Designated cost: 20000
Designated port : 128.1
Designated root: 32768.0.0000E8AAAA00
Designated bridge: 32768.0.
VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Command Mode
Global Configuration

Command Usage
• Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
• Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN. The results of these commands are written to the running-configuration file, and you can display this file by entering the show running-config command.
Command Mode
VLAN Database Configuration

Command Usage
• no vlan vlan-id deletes the VLAN.
• no vlan vlan-id name removes the VLAN name.
• no vlan vlan-id state returns the VLAN to the default state (i.e., active).
• You can configure up to 255 VLANs on the switch.

Example
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
Table 4-59 Configuring VLAN Interfaces (Continued)

Command                       Function                                             Mode   Page
switchport forbidden vlan     Configures forbidden VLANs for an interface          IC     4-239
switchport priority default   Sets a port priority for incoming untagged frames    IC     4-255

interface vlan
This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface.

Syntax
interface vlan vlan-id

vlan-id - ID of the configured VLAN.
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.

Syntax
switchport mode {trunk | hybrid}
no switchport mode

• trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.

Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types

• all - The port accepts all frames, tagged or untagged.
• tagged - The port only passes tagged frames.
switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.

Syntax
[no] switchport ingress-filtering

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• Ingress filtering only affects tagged frames.
switchport native vlan
This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.

Syntax
switchport native vlan vlan-id
no switchport native vlan

vlan-id - Default VLAN ID for a port.
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.

Syntax
switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan

• add vlan-list - List of VLAN identifiers to add.
• remove vlan-list - List of VLAN identifiers to remove.
• vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
• If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.

Example
The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:

Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
Console(config-if)#

switchport forbidden vlan
This command configures forbidden VLANs.
Example
The following example shows how to prevent port 1 from being added to VLAN 3:

Console(config)#interface ethernet 1/1
Console(config-if)#switchport forbidden vlan add 3
Console(config-if)#

Displaying VLAN Information

Table 4-60 Displaying VLAN Information
Command                       Function                                            Mode     Page
show vlan                     Shows VLAN information                              NE, PE   4-240
show interfaces status vlan   Displays status for the specified VLAN interface    NE, PE   4-179
show interfaces switchport    Displays the administrative and
Example
The following example shows how to display information for VLAN 1:

Console#show vlan id 1
Vlan ID:            1
Type:               Static
Name:               DefaultVlan
Status:             Active
Ports/Port channel: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
                    Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
                    Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
                    Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S)
                    Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/26(S)
Console#

Configuring Private VLAN
Table 4-61 Private VLAN Commands (Continued)

Command                   Function                          Mode     Page
Display Private VLAN Information
show vlan private-vlan    Shows private VLAN information    NE, PE   4-247

To configure private VLANs, follow these steps:
1. Use the private-vlan command to designate one or more community VLANs and the primary VLAN that will channel traffic outside the community groups.
2. Use the private-vlan association command to map the secondary (i.e., community) VLAN(s) to the primary VLAN.
3.
private-vlan
Use this command to create a primary or secondary (i.e., community) private VLAN. Use the no form to remove the specified private VLAN.

Syntax
private-vlan vlan-id {community | primary}
no private-vlan vlan-id

• vlan-id - ID of private VLAN. (Range: 1-4093, no leading zeroes).
• community – A VLAN in which traffic is restricted to port members.
private-vlan association
Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN.

Syntax
private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id}
no private-vlan primary-vlan-id association

• primary-vlan-id - ID of private VLAN. (Range: 1-4093, no leading zeroes).
• secondary-vlan-id - ID of private (i.e., community) VLAN.
switchport mode private-vlan
Use this command to set the private VLAN mode for an interface. Use the no form to restore the default setting.

Syntax
switchport mode private-vlan {host | promiscuous}
no switchport mode private-vlan

• host – This port type can communicate with all other host ports assigned to the same secondary VLAN. All communications outside of this VLAN must pass through a promiscuous port in the associated primary VLAN.
switchport private-vlan host-association
Use this command to associate an interface with a secondary VLAN. Use the no form to remove this association.

Syntax
switchport private-vlan host-association secondary-vlan-id
no switchport private-vlan host-association

• secondary-vlan-id – ID of secondary (i.e., community) VLAN. (Range: 1-4093, no leading zeroes).

Default Setting
None

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
All ports assigned to a secondary (i.e.
Default Setting
None

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
Promiscuous ports assigned to a primary VLAN can communicate with any other promiscuous ports in the same VLAN, and with the group members within any associated secondary VLANs.
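The host and promiscuous port rules above decide which ports of a private VLAN can exchange frames, and a quick way to audit an isolation design is to evaluate those rules over a `show vlan private-vlan` listing. The following is an added example (not SMC's code): it parses a constructed listing in that command's layout, assumes that ports on a primary row are promiscuous and ports on a community row are hosts, and reports what each port can reach.

```python
"""Private VLAN reachability model for the host/promiscuous rules above.

Added example, not vendor code.  The listing below is a constructed sample
in the layout of 'show vlan private-vlan'; the port modes are inferred from
the row type (primary row -> promiscuous ports, community row -> host
ports), which is an assumption of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PvlanPort:
    name: str   # interface name, e.g. "Eth1/3"
    mode: str   # "host" or "promiscuous"
    vlan: int   # secondary VLAN for a host port, primary VLAN for a promiscuous port


# One table row: primary id, optional secondary id, row type, interface list.
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)?\s*(primary|community)\s+(.*)$")
_IFACE = re.compile(r"Eth\d+/\s*\d+")


def parse_private_vlan_table(text: str) -> tuple[list[PvlanPort], dict[int, int]]:
    """Return (ports, associations) where associations maps each secondary
    VLAN to its primary VLAN, as shown by the Primary/Secondary columns."""
    ports: list[PvlanPort] = []
    assoc: dict[int, int] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # prompt, header and separator lines
        primary, secondary, kind, rest = m.groups()
        if kind == "community":
            assoc[int(secondary)] = int(primary)
            vlan, mode = int(secondary), "host"
        else:
            vlan, mode = int(primary), "promiscuous"
        for iface in _IFACE.findall(rest):
            ports.append(PvlanPort(iface.replace(" ", ""), mode, vlan))
    return ports, assoc


def can_communicate(a: PvlanPort, b: PvlanPort, assoc: dict[int, int]) -> bool:
    """Apply the forwarding rules from the switchport mode private-vlan and
    host-association/mapping descriptions:
    - host <-> host only within the same secondary (community) VLAN;
    - host <-> promiscuous only through the primary VLAN the host's
      secondary VLAN is associated with;
    - promiscuous <-> promiscuous only within the same primary VLAN."""
    if a.mode == b.mode:
        return a.vlan == b.vlan
    host, prom = (a, b) if a.mode == "host" else (b, a)
    return assoc.get(host.vlan) == prom.vlan


def reachable_from(port_name: str, ports: list[PvlanPort], assoc: dict[int, int]) -> set[str]:
    """Names of all other ports that port_name can exchange frames with."""
    by_name = {p.name: p for p in ports}
    src = by_name[port_name]
    return {p.name for p in ports if p.name != port_name and can_communicate(src, p, assoc)}


# Constructed sample listing: two primary VLANs (2 and 6), community VLANs
# 3 and 4 under primary 2, community VLAN 7 under primary 6.
SAMPLE_LISTING = """\
Console#sh vlan private-vlan
Primary  Secondary  Type       Interfaces
-------- ---------- ---------- -----------------
2                   primary    Eth1/ 2
2        3          community  Eth1/ 3 Eth1/10
2        4          community  Eth1/ 4
6                   primary    Eth1/ 6
6        7          community  Eth1/ 7
Console#
"""

if __name__ == "__main__":
    ports, assoc = parse_private_vlan_table(SAMPLE_LISTING)
    for p in ports:
        print(f"{p.name:8} {p.mode:12} vlan {p.vlan:<3} -> {sorted(reachable_from(p.name, ports, assoc))}")
```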
Example
Console#sh vlan private-vlan
Primary  Secondary  Type       Interfaces
-------- ---------- ---------- -----------------------------------
2                   primary    Eth1/ 2
2        3          community  Eth1/ 3
2        4          community  Eth1/ 4
2        5          community  Eth1/ 5
6                   primary    Eth1/ 6
6        7          community  Eth1/ 7
6        8          community  Eth1/ 8
6        9          community  Eth1/ 9
Console#

GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN
bridge-ext gvrp
This command enables GVRP globally for the switch. Use the no form to disable it.

Syntax
[no] bridge-ext gvrp

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch.
Example
Console#show bridge-ext
 Max support VLAN numbers: 255
 Max support VLAN ID: 4093
 Extended multicast filtering services: No
 Static entry individual port: Yes
 VLAN learning: IVL
 Configurable PVID tagging: Yes
 Local VLAN capable: No
 Traffic classes: Enabled
 Global GVRP status: Enabled
 GMRP: Disabled
Console#

switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.
Default Setting
Shows both global and interface-specific configuration.

Command Mode
Normal Exec, Privileged Exec

Example
Console#show gvrp configuration ethernet 1/7
Eth 1/ 7:
 Gvrp configuration: Disabled
Console#

garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers' default values.
unless you are experiencing difficulties with GMRP or GVRP registration/deregistration.
• Timer values are applied to GVRP for all the ports on all VLANs.
• Timer values must meet the following restrictions:
  - leave >= (2 x join)
  - leaveall > leave

Note: Set GVRP timers on all Layer 2 devices connected in the same network to the same values. Otherwise, GVRP may not operate successfully.
Example
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP timer status:
 Join timer: 20 centiseconds
 Leave timer: 60 centiseconds
 Leaveall timer: 1000 centiseconds
Console#

Related Commands
garp timer (4-251)

Priority Commands
The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port.
Priority Commands (Layer 2)

Table 4-64 Priority Commands (Layer 2)
Command                      Function                                                            Mode  Page
queue mode                   Sets the queue mode to strict priority or Weighted Round-Robin (WRR)  GC    4-254
queue bandwidth              Assigns round-robin weights to the priority queues                  GC    4-255
switchport priority default  Sets a port priority for incoming untagged frames                   IC    4-255
queue cos map                Assigns class-of-service values to the priority queues              IC    4-257
show queue mode              Shows the current queue mode                                        PE    4
COMMAND LINE INTERFACE Command Mode Global Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue.
PRIORITY COMMANDS Command Usage WRR controls bandwidth sharing at the egress port by defining scheduling weights. Example The following example shows how to assign WRR weights of 1, 3, 5 and 7 to the CoS priority queues 0, 1, 2 and 3: Console(config)#queue bandwidth 1 3 5 7 Console(config)# Related Commands show queue bandwidth (4-259) switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
COMMAND LINE INTERFACE the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. • This switch provides four priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command. Inbound frames that do not have VLAN tags are tagged with the input port’s default ingress user priority, and then placed in the appropriate priority queue at the output port.
Default Setting This switch supports Class of Service by using four priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.

Table 4-65 Default CoS Priority Levels
Queue  Priority
0      1,2
1      0,3
2      4,5
3      6
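The following is an added example, not part of the SMC manual, that models the queueing behaviour described in this section: a frame's CoS value is taken from its 802.1p tag (or from the port's switchport priority default when untagged), mapped to one of the four queues with the Table 4-65 defaults, and then the queues are drained either strictly or with the WRR weights 1, 3, 5, 7 from the queue bandwidth example. The sample frames and the traffic mix are constructed, and mapping user priority 7 to queue 3 (the table row is cut off after "6") is an assumption.

```python
"""Added example, not part of the SMC manual: how a frame lands in one of the
four CoS queues and how strict-priority versus Weighted Round-Robin (WRR)
scheduling drains those queues at an egress port. Sample frames, names and
the traffic mix are constructed for this example."""
from collections import deque

# CoS-to-queue map from Table 4-65. The row for queue 3 is cut off in the
# manual after "6"; mapping user priority 7 to queue 3 as well is an assumption
# (the IEEE 802.1p recommendation for four queues).
DEFAULT_COS_MAP = {1: 0, 2: 0, 0: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}

# WRR weights for queues 0..3, as in the "queue bandwidth 1 3 5 7" example.
DEFAULT_WRR_WEIGHTS = (1, 3, 5, 7)


def frame_cos(frame, port_default_priority=0):
    """CoS used for queueing: the 802.1p user priority of a tagged frame,
    otherwise the ingress port's default (switchport priority default)."""
    if frame.get("tagged"):
        return frame["user_priority"]
    return port_default_priority


def cos_to_queue(cos, cos_map=DEFAULT_COS_MAP):
    if cos not in cos_map:
        raise ValueError("CoS value must be 0-7")
    return cos_map[cos]


def classify(frames, port_default_priority=0):
    """Group frame ids by output queue, preserving arrival order."""
    queues = {q: [] for q in range(4)}
    for frame in frames:
        queue = cos_to_queue(frame_cos(frame, port_default_priority))
        queues[queue].append(frame["id"])
    return queues


def transmit_order(queues, mode="wrr", weights=DEFAULT_WRR_WEIGHTS):
    """Drain the queues and return the order in which frames leave the port.
    strict: the highest non-empty queue is always served first, so a busy
    queue 3 starves queue 0. wrr: each round serves at most weights[q] frames
    from every queue, so a low queue still gets its share."""
    pending = {q: deque(ids) for q, ids in queues.items()}
    order = []
    if mode == "strict":
        while any(pending.values()):
            top = max(q for q, d in pending.items() if d)
            order.append(pending[top].popleft())
    elif mode == "wrr":
        while any(pending.values()):
            for q in sorted(pending, reverse=True):
                for _ in range(weights[q]):
                    if not pending[q]:
                        break
                    order.append(pending[q].popleft())
    else:
        raise ValueError("mode must be 'strict' or 'wrr'")
    return order


# Constructed traffic: four frames destined for each queue. The q1 frames are
# untagged and pick up the port default priority 0, which Table 4-65 puts in queue 1.
SAMPLE_FRAMES = (
    [{"id": f"q3-{i}", "tagged": True, "user_priority": 6 + i % 2} for i in range(1, 5)]
    + [{"id": f"q2-{i}", "tagged": True, "user_priority": 4 + i % 2} for i in range(1, 5)]
    + [{"id": f"q1-{i}", "tagged": False} for i in range(1, 5)]
    + [{"id": f"q0-{i}", "tagged": True, "user_priority": 1 + i % 2} for i in range(1, 5)]
)

if __name__ == "__main__":
    queues = classify(SAMPLE_FRAMES, port_default_priority=0)
    for mode in ("strict", "wrr"):
        print(mode, transmit_order(queues, mode))
```

With the same backlog, strict mode sends every queue 3 frame before any queue 0 frame, while WRR gets the first queue 0 frame out in the first round (12th slot). That is the practical reason to keep WRR unless a queue genuinely must never wait: a host that can inject 802.1p priority 7 frames on a strict-priority port can starve everyone else on that egress port.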
COMMAND LINE INTERFACE show queue mode This command shows the current queue mode. Default Setting None Command Mode Privileged Exec Example Console#sh queue mode Wrr status: Enabled Console# show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the priority queues.
PRIORITY COMMANDS show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number.
Table 4-66 Priority Commands (Layer 3 and 4)
Command                  Function                                                                  Mode  Page
map access-list mac      Sets the CoS value and corresponding output queue for packets matching an ACL rule  IC  4-147
show map ip port         Shows the IP port map                                                     PE    4-266
show map ip precedence   Shows the IP precedence map                                               PE    4-267
show map ip dscp         Shows the IP DSCP map                                                     PE    4-268
show map access-list ip  Shows CoS value mapped to an access list for an interface                 PE    4-136
show map access-list     Shows CoS value m
PRIORITY COMMANDS map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting. Syntax map ip port port-number cos cos-value no map ip port port-number • port-number - 16-bit TCP/UDP port number.
COMMAND LINE INTERFACE Command Mode Global Configuration Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • IP Precedence and IP DSCP cannot both be enabled. Enabling one of these priority types will automatically disable the other type.
PRIORITY COMMANDS Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • IP Precedence values are mapped to default Class of Service values on a one-to-one basis according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues. • This command sets the IP Precedence for all interfaces.
COMMAND LINE INTERFACE Example The following example shows how to enable IP DSCP mapping globally: Console(config)#map ip dscp Console(config)# map ip dscp (Interface Configuration) This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table. Syntax map ip dscp dscp-value cos cos-value no map ip dscp • dscp-value - 8-bit DSCP value.
PRIORITY COMMANDS • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues. • This command sets the IP DSCP priority for all interfaces. Example The following example shows how to map IP DSCP value 1 to CoS value 0: Console(config)#interface ethernet 1/5 Console(config-if)#map ip dscp 1 cos 0 Console(config-if)# show map ip port This command shows the IP port priority map.
COMMAND LINE INTERFACE Related Commands map ip port (Global Configuration) (4-261) map ip port (Interface Configuration) (4-262) show map ip precedence This command shows the IP precedence priority map. Syntax show map ip precedence [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number.
show map ip dscp This command shows the IP DSCP priority map.
Syntax show map ip dscp [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1-8)
  - port - Port number. (Range: 1-26)
• port-channel channel-id (Range: 1-6)
Default Setting None
Command Mode Privileged Exec
Example
Console#show map ip dscp ethernet 1/1
 DSCP mapping status: disabled
 Port      DSCP COS
 --------- ---- ---
 Eth 1/ 1     0   0
 Eth 1/ 1     1   0
 Eth 1/ 1     2   0
 Eth 1/ 1     3   0
 . . .
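The following is an added example, not part of the SMC manual, that models the precedence order stated for the map ip port, map ip precedence and map ip dscp commands above: an IP port match is used first, then IP Precedence or IP DSCP (only one of which can be enabled, enabling one disables the other), and finally the port's default priority. The packets and map contents are constructed; treating a DSCP value that has no mapping as CoS 0 is an assumption.

```python
"""Added example, not part of the SMC manual: the order in which the Layer 3/4
priority maps are consulted for an IP packet. An IP port map wins over IP
Precedence or DSCP, which in turn win over the port's default priority, and only
one of Precedence or DSCP can be enabled at a time. The packets and map contents
are constructed; treating an unmapped DSCP value as CoS 0 is an assumption."""


class PriorityConfig:
    def __init__(self, port_default_priority=0):
        self.port_default_priority = port_default_priority   # switchport priority default
        self.ip_port_map = {}          # (proto, port) -> cos, from "map ip port <port> cos <cos>"
        self.mode = None               # None, "precedence" or "dscp"
        self.precedence_map = {p: p for p in range(8)}  # one-to-one default per the manual
        self.dscp_map = {}             # dscp -> cos, from "map ip dscp <dscp> cos <cos>"

    def enable(self, mode):
        """map ip precedence / map ip dscp: enabling one disables the other."""
        if mode not in ("precedence", "dscp"):
            raise ValueError("mode must be 'precedence' or 'dscp'")
        self.mode = mode

    def disable(self):
        """no map ip precedence / no map ip dscp."""
        self.mode = None

    def map_ip_port(self, port, cos, proto="tcp"):
        if not 0 <= port <= 65535:
            raise ValueError("port-number is a 16-bit TCP/UDP port")
        if not 0 <= cos <= 7:
            raise ValueError("cos-value must be 0-7")
        self.ip_port_map[(proto, port)] = cos

    def map_ip_dscp(self, dscp, cos):
        if not 0 <= dscp <= 63:
            raise ValueError("dscp-value must be 0-63")
        if not 0 <= cos <= 7:
            raise ValueError("cos-value must be 0-7")
        self.dscp_map[dscp] = cos


def resolve_cos(pkt, cfg):
    """Return (cos, rule) for a packet dict with proto, dport and the IP TOS byte.
    IP Precedence is the top three bits of TOS, DSCP the top six."""
    key = (pkt["proto"], pkt["dport"])
    if key in cfg.ip_port_map:
        return cfg.ip_port_map[key], "ip-port"
    tos = pkt.get("tos", 0)
    if cfg.mode == "precedence":
        return cfg.precedence_map[tos >> 5], "ip-precedence"
    if cfg.mode == "dscp":
        return cfg.dscp_map.get(tos >> 2, 0), "ip-dscp"   # unmapped DSCP -> 0 (assumption)
    return cfg.port_default_priority, "port-default"


def demo():
    """Walk one constructed packet through each stage of the precedence order."""
    cfg = PriorityConfig(port_default_priority=2)
    cfg.map_ip_port(22, 7)        # TCP/22 to CoS 7 regardless of what the sender put in TOS
    cfg.map_ip_dscp(46, 5)        # DSCP 46 -> CoS 5
    cfg.enable("precedence")
    ef = {"proto": "udp", "dport": 5060, "tos": 0xB8}   # TOS 0xB8: precedence 5, DSCP 46
    results = [resolve_cos({"proto": "tcp", "dport": 22, "tos": 0}, cfg),
               resolve_cos(ef, cfg)]
    cfg.enable("dscp")            # this also turns IP Precedence mapping off
    results.append(resolve_cos(ef, cfg))
    cfg.disable()
    results.append(resolve_cos(ef, cfg))
    return results


if __name__ == "__main__":
    for cos, rule in demo():
        print(f"CoS {cos} via {rule}")
```

Note what the order implies: the TOS byte is set by the sender, so once IP Precedence or DSCP mapping is enabled any host can claim a high CoS for its own traffic. The IP port map is the only one of the three rules keyed on something the switch operator chose rather than the sender.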
COMMAND LINE INTERFACE Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
MULTICAST FILTERING COMMANDS ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static This command adds a port to a multicast group. Use the no form to remove the port.
COMMAND LINE INTERFACE Example The following shows how to statically configure a multicast group on a port: Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet 1/5 Console(config)# ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default.
MULTICAST FILTERING COMMANDS show ip igmp snooping This command shows the IGMP snooping configuration. Default Setting None Command Mode Privileged Exec Command Usage See “Configuring IGMP Snooping and Query Parameters” on page 3-222 for a description of the displayed items.
COMMAND LINE INTERFACE Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER, depending on selected options. Example The following shows the multicast entries learned through IGMP snooping for VLAN 1: Console#show mac-address-table multicast vlan 1 igmp-snooping VLAN M'cast IP addr. Member ports Type ---- --------------- ------------ ------1 224.1.2.
MULTICAST FILTERING COMMANDS Default Setting Enabled Command Mode Global Configuration Command Usage If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic. Example Console(config)#ip igmp snooping querier Console(config)# ip igmp snooping query-count This command configures the query count. Use the no form to restore the default.
query-max-response-time. If the countdown finishes, and the client still has not responded, then that client is considered to have left the multicast group. Example The following shows how to configure the query count to 10: Console(config)#ip igmp snooping query-count 10 Console(config)# Related Commands ip igmp snooping query-max-response-time (4-276) ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default.
MULTICAST FILTERING COMMANDS ip igmp snooping query-max-response-time This command configures the snooping report delay. Use the no form of this command to restore the default. Syntax ip igmp snooping query-max-response-time seconds no ip igmp snooping query-max-response-time seconds - The report delay advertised in IGMP queries. (Range: 5-25) Default Setting 10 seconds Command Mode Global Configuration Command Usage • The switch must be using IGMPv2 for this command to take effect.
COMMAND LINE INTERFACE ip igmp snooping router-port-expire-time This command configures the query timeout. Use the no form to restore the default. Syntax ip igmp snooping router-port-expire-time seconds no ip igmp snooping router-port-expire-time seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
Static Multicast Routing Commands

Table 4-72 Static Multicast Routing Commands
Command                       Function                       Mode  Page
ip igmp snooping vlan mrouter Adds a multicast router port   GC    4-278
show ip igmp snooping mrouter Shows multicast router ports   PE    4-279

ip igmp snooping vlan mrouter This command statically configures a multicast router port. Use the no form to remove the configuration.
COMMAND LINE INTERFACE Example The following shows how to configure port 11 as a multicast router port within VLAN 1: Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11 Console(config)# show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4093) Default Setting Displays multicast router ports for all configured VLANs.
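The following is an added example, not part of the SMC manual, that models the IGMP snooping table this section configures: dynamically learned (IGMP) and static (USER) group members, router ports learned from queries or configured with ip igmp snooping vlan mrouter, and the expiry driven by query-interval, query-count, query-max-response-time and router-port-expire-time. The scenario, ports and group addresses are constructed. Three points are this example's own assumptions rather than statements about the switch: a silent host is dropped after query-count intervals plus one response window, a leave shortens the member's life to one response window, and a frame for a group with no members goes only to router ports.

```python
"""Added example, not part of the SMC manual: a small model of an IGMP snooping
table with the timers configured in this section. Scenario and addresses are
constructed; the timeout arithmetic, the leave handling and the forwarding of
unknown groups to router ports only are this example's assumptions."""


class IgmpSnoopingTable:
    def __init__(self, query_interval=125, query_count=2,
                 query_max_response_time=10, router_port_expire_time=300):
        if not 5 <= query_max_response_time <= 25:
            raise ValueError("query-max-response-time must be 5-25 seconds")
        self.query_interval = query_interval
        self.query_count = query_count
        self.query_max_response_time = query_max_response_time
        self.router_port_expire_time = router_port_expire_time
        # (vlan, group) -> {port: [type, expires_at]}; type "IGMP" (learned) or "USER" (static)
        self.members = {}
        # vlan -> {port: expires_at}; None marks a statically configured router port
        self.mrouters = {}

    def member_timeout(self):
        # A host that stays silent through query_count queries plus one response
        # window is treated as having left the group (assumed interpretation).
        return self.query_count * self.query_interval + self.query_max_response_time

    def add_static(self, vlan, group, port):
        """ip igmp snooping vlan <vlan> static <group> ethernet 1/<port>"""
        self.members.setdefault((vlan, group), {})[port] = ["USER", None]

    def add_static_mrouter(self, vlan, port):
        """ip igmp snooping vlan <vlan> mrouter ethernet 1/<port>"""
        self.mrouters.setdefault(vlan, {})[port] = None

    def on_report(self, vlan, group, port, now):
        entry = self.members.setdefault((vlan, group), {})
        if entry.get(port, [None])[0] != "USER":      # static entries are never aged
            entry[port] = ["IGMP", now + self.member_timeout()]

    def on_leave(self, vlan, group, port, now):
        entry = self.members.get((vlan, group), {})
        if port in entry and entry[port][0] == "IGMP":
            # Keep the port for one more response window; a fresh report re-arms it.
            entry[port][1] = now + self.query_max_response_time

    def on_query(self, vlan, port, now):
        """A query seen on a port marks it as a router port until it expires."""
        routers = self.mrouters.setdefault(vlan, {})
        if routers.get(port, 0) is not None:          # do not overwrite a static entry
            routers[port] = now + self.router_port_expire_time

    def expire(self, now):
        for key, entry in list(self.members.items()):
            for port, (kind, expires) in list(entry.items()):
                if kind == "IGMP" and expires <= now:
                    del entry[port]
            if not entry:
                del self.members[key]
        for routers in self.mrouters.values():
            for port, expires in list(routers.items()):
                if expires is not None and expires <= now:
                    del routers[port]

    def forward_ports(self, vlan, group, ingress_port, now):
        """Ports that receive a frame for group: members plus router ports, minus ingress."""
        self.expire(now)
        ports = set(self.members.get((vlan, group), {}))
        ports |= set(self.mrouters.get(vlan, {}))
        ports.discard(ingress_port)
        return sorted(ports)

    def show(self, vlan):
        """Rows like show mac-address-table multicast: (group, member ports, types)."""
        return [(group, sorted(entry), sorted({kind for kind, _ in entry.values()}))
                for (v, group), entry in sorted(self.members.items()) if v == vlan]


def run_scenario():
    """Constructed sequence: a querier on port 11, a host on port 5, a static member on port 7."""
    t = IgmpSnoopingTable()
    t.on_query(1, 11, now=0)                 # general query arrives on port 11
    t.on_report(1, "224.1.2.3", 5, now=1)    # host on port 5 joins 224.1.2.3
    t.add_static(1, "224.1.2.3", 7)          # static member, never aged out
    return t


if __name__ == "__main__":
    t = run_scenario()
    print(t.show(1))
    print(t.forward_ports(1, "224.1.2.3", ingress_port=11, now=2))
```

Setting the timers too short has a visible consequence here: a host whose report is delayed past member_timeout() is pruned and loses the stream until its next report, which is why the manual warns against tuning GARP-style timers without a reason. Conversely, if the upstream querier falls silent for longer than router-port-expire-time, the port toward it is dropped and group traffic from the static member on port 7 stops being forwarded upstream.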
IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. You may also need to establish a default gateway between this device and management stations or other devices that exist on another network segment.
COMMAND LINE INTERFACE Default Setting DHCP Command Mode Interface Configuration (VLAN) Command Usage • You must assign an IP address to this device to gain management access over the network. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the configuration program.
IP INTERFACE COMMANDS ip default-gateway This command establishes a static route between this switch and devices that exist on another network segment. Use the no form to remove the static route. Syntax ip default-gateway gateway no ip default-gateway gateway - IP address of the default gateway Default Setting No static route is established. Command Mode Global Configuration Command Usage A gateway must be defined if the management station is located in a different IP segment.
COMMAND LINE INTERFACE Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command. • DHCP requires the server to reassign the client’s last address if available. • If the BOOTP or DHCP server has been moved to a different domain, the network portion of the address provided to the client will be based on this new domain.
IP INTERFACE COMMANDS show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Console#show ip redirects ip default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-282) ping This command sends ICMP echo request packets to another node on the network. Syntax ping host [count count][size size] • host - IP address or IP alias of the host. • count - Number of packets to send.
COMMAND LINE INTERFACE • Following are some results of the ping command: - Normal response -The normal response occurs in one to ten seconds, depending on network traffic. - Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds. - Destination unreachable - The gateway for this destination indicates that the destination is unreachable. - Network or host unreachable - The gateway found no corresponding entry in the route table. • Press to stop pinging.
DNS Commands These commands are used to configure Domain Name System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
COMMAND LINE INTERFACE ip host This command creates a static entry in the DNS table that maps a host name to an IP address. Use the no form to remove an entry. Syntax [no] ip host name address1 [address2 … address8] • name - Name of the host. (Range: 1-255 characters) • address1 - Corresponding IP address. • address2 … address8 - Additional corresponding IP addresses.
clear host This command deletes entries from the DNS table. Syntax clear host {name | *} • name - Name of the host. (Range: 1-255 characters) • * - Removes all entries. Default Setting None Command Mode Privileged Exec Example This example clears all static entries from the DNS table.
Console#clear host *
Console#
ip domain-name This command defines the default domain name appended to incomplete host names (i.e.
COMMAND LINE INTERFACE Example Console(config)#ip domain-name sample.com Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: Name Server List: Console# Related Commands ip domain-list (4-289) ip name-server (4-290) ip domain-lookup (4-291) ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation).
DNS COMMANDS • If there is no domain list, the domain name specified with the ip domain-name command is used. If there is a domain list, the default domain name is not used. Example This example adds two domain names to the current list and then displays the list. Console(config)#ip domain-list sample.com.jp Console(config)#ip domain-list sample.com.uk Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.
Command Usage The listed name servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response. Example This example adds two domain-name servers to the list and then displays the list.
Console(config)#ip name-server 192.168.1.55 10.1.0.55
Console(config)#end
Console#show dns
 Domain Lookup Status: DNS disabled
 Default Domain Name: .sample.com
 Domain Name List: .sample.com.jp .sample.com.uk
 Name Server List: 192.168.1.
DNS COMMANDS Example This example enables DNS and then displays the configuration. Console(config)#ip domain-lookup Console(config)#end Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands ip domain-name (4-288) ip name-server (4-290) show hosts This command displays the static host name-to-address mapping table.
COMMAND LINE INTERFACE show dns This command displays the configuration of the DNS server. Command Mode Privileged Exec Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# show dns cache This command displays entries in the DNS cache. Command Mode Privileged Exec Example Console#show dns cache NO FLAG TYPE 0 4 CNAME pttch_pc.accton.com.
Table 4-75 Show DNS Output Description
Field  Description
NO     The entry number for each resource record.
FLAG   The flag is always "4", indicating a cache entry and therefore unreliable.
TYPE   CNAME specifies the canonical or primary name for the owner; ALIAS specifies additional domain names that are mapped to the same IP address as an existing entry.
IP     The IP address associated with this record.
TTL    The time to live reported by the name server.
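The following is an added example, not part of the SMC manual, that models the lookup rules the DNS commands in this section configure: the static host table (ip host / clear host), the default domain name (ip domain-name), the domain list (ip domain-list, which replaces the default domain name when present), the ordered name-server list (ip name-server) and the ip domain-lookup switch that, together with at least one name server, enables DNS. The host names, addresses and the fake name-server answers are constructed. Checking the static table before querying servers and sending a dotted name unchanged are assumptions about the switch's behaviour.

```python
"""Added example, not part of the SMC manual: a model of the lookup rules the DNS
commands configure (ip host, ip domain-name, ip domain-list, ip name-server,
ip domain-lookup). Names, addresses and the fake name-server answers are
constructed; checking the static host table first and sending dotted names
unchanged are assumptions about the switch's behaviour."""


class DnsConfig:
    def __init__(self):
        self.hosts = {}              # ip host <name> <addr1> ... <addr8>
        self.domain_name = None      # ip domain-name
        self.domain_list = []        # ip domain-list, in the order configured
        self.name_servers = []       # ip name-server, queried in this order
        self.domain_lookup = False   # ip domain-lookup

    def ip_host(self, name, *addresses):
        if not 1 <= len(name) <= 255:
            raise ValueError("host name must be 1-255 characters")
        if not 1 <= len(addresses) <= 8:
            raise ValueError("ip host takes 1 to 8 addresses")
        self.hosts[name] = list(addresses)

    def clear_host(self, name="*"):
        if name == "*":
            self.hosts.clear()
        else:
            self.hosts.pop(name, None)

    def ip_domain_name(self, domain):
        self.domain_name = domain

    def ip_domain_list(self, domain):
        if domain not in self.domain_list:
            self.domain_list.append(domain)

    def ip_name_server(self, *servers):
        for server in servers:
            if server not in self.name_servers:
                self.name_servers.append(server)

    def ip_domain_lookup(self, enabled=True):
        self.domain_lookup = enabled

    def enabled(self):
        """DNS is active only with at least one name server and domain-lookup on."""
        return self.domain_lookup and bool(self.name_servers)

    def candidates(self, name):
        """Fully qualified names to query, in order. A dotted name is sent as is.
        An incomplete name gets each domain-list entry appended; the default
        domain name is used only when the domain list is empty."""
        if "." in name:
            return [name]
        suffixes = self.domain_list or ([self.domain_name] if self.domain_name else [])
        return [f"{name}.{suffix}" for suffix in suffixes] or [name]


def resolve(name, cfg, query):
    """Return (addresses, source). query(server, fqdn) returns a list of
    addresses (an empty list means the server answered that the name does not
    exist) or None when the server did not respond at all."""
    if name in cfg.hosts:
        return list(cfg.hosts[name]), "static"
    if not cfg.enabled():
        return [], "dns disabled"
    for fqdn in cfg.candidates(name):
        for server in cfg.name_servers:
            answer = query(server, fqdn)
            if answer is None:
                continue              # no response: next server in the list
            if answer:
                return list(answer), server
            break                     # name does not exist there: next suffix
    return [], "not found"


# Constructed name-server behaviour: 192.168.1.55 knows two names, 10.1.0.55 never answers.
FAKE_ZONES = {"192.168.1.55": {"www.sample.com.uk": ["192.0.2.10"],
                               "mail.sample.com.jp": ["192.0.2.25"]}}


def fake_query(server, fqdn):
    if server == "10.1.0.55":
        return None
    return FAKE_ZONES.get(server, {}).get(fqdn, [])


def build_config():
    """The configuration the examples in this section build up, plus one static host."""
    cfg = DnsConfig()
    cfg.ip_host("rtr1", "10.1.0.254")
    cfg.ip_domain_name("sample.com")
    cfg.ip_domain_list("sample.com.jp")
    cfg.ip_domain_list("sample.com.uk")
    cfg.ip_name_server("192.168.1.55", "10.1.0.55")
    cfg.ip_domain_lookup()
    return cfg


if __name__ == "__main__":
    cfg = build_config()
    for host in ("rtr1", "www", "mail", "www.example.net"):
        print(host, resolve(host, cfg, fake_query))
```

The suffix handling is the part worth checking on a real switch before relying on short names: with the domain list above, "www" is looked up as www.sample.com.jp before www.sample.com.uk, and the first server that answers for either wins, so the order of ip domain-list entries decides which organisation's host a short name reaches.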
APPENDIX A SOFTWARE SPECIFICATIONS Software Features Authentication Local, RADIUS, TACACS, Port (802.
SOFTWARE SPECIFICATIONS Port Trunking Static trunks (Cisco EtherChannel compliant) Dynamic trunks (Link Aggregation Control Protocol) Spanning Tree Protocol Spanning Tree Protocol (STP, IEEE 802.1D) Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) VLAN Support Up to 255 groups; port-based, or tagged (802.
SOFTWARE SPECIFICATIONS SNMPv3 Management access via MIB database Trap management to specified hosts RMON Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event) Standards IEEE 802.1D Spanning Tree Protocol and traffic priorities IEEE 802.1p priority tags IEEE 802.1Q VLAN IEEE 802.1w Rapid Spanning Tree Protocol IEEE 802.1X Port Authentication IEEE 802.3-2002 Ethernet, Fast Ethernet, Gigabit Ethernet, Link Aggregation Control Protocol, Full-duplex flow control (ISO/IEC 8802-3) IEEE 802.
SOFTWARE SPECIFICATIONS Management Information Bases Bridge MIB (RFC 1493) Entity MIB (RFC 2737) Ether-like MIB (RFC 2665) Extended Bridge MIB (RFC 2674) Extensible SNMP Agents MIB (RFC 2742) Forwarding Table MIB (RFC 2096) IGMP MIB (RFC 2933) Interface Group MIB (RFC 2233) Interfaces Evolution MIB (RFC 2863) IP Multicasting related MIBs MIB II (RFC 1213) Port Access Entity MIB (IEEE 802.
APPENDIX B TROUBLESHOOTING Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Telnet, web browser, or SNMP software • Be sure the switch is powered up. • Check network cabling between the management station and the switch. • Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
TROUBLESHOOTING Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Secure Shell • If you cannot connect using SSH, you may have exceeded the maximum number of concurrent Telnet/SSH sessions permitted. Try connecting again at a later time. • Be sure the control parameters for the SSH server are properly configured on the switch, and that the SSH client software is properly configured on the management station.
USING SYSTEM LOGS Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Designate the SNMP host that is to receive the error messages. 4. Repeat the sequence of commands or other actions that lead up to the error. 5.
GLOSSARY Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Address Resolution Protocol (ARP) ARP converts between IP addresses and MAC (i.e., hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
GLOSSARY Dynamic Host Configuration Protocol (DHCP) Provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on the Bootstrap Protocol (BOOTP), adding the capability of automatic allocation of reusable network addresses and additional configuration options. Extensible Authentication Protocol over LAN (EAPOL) EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch.
GLOSSARY IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks. IEEE 802.1p An IEEE standard for providing quality of service (QoS) in Ethernet networks. The standard uses packet tags that define up to eight traffic classes and allows switches to transmit packets based on the tagged priority value. IEEE 802.
GLOSSARY IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork. Internet Control Message Protocol (ICMP) A network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices.
GLOSSARY Link Aggregation See Port Trunk. Link Aggregation Control Protocol (LACP) Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device. Management Information Base (MIB) A set of database objects that contains information about a specific device.
GLOSSARY Port Trunk Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links. Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports.
GLOSSARY Simple Network Time Protocol (SNTP) SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers. Spanning Tree Algorithm (STA) A technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems.
GLOSSARY Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same broadcast domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN. XModem A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
INDEX Numerics D 802.
INDEX H hardware version, displaying 3-15, 4-80 HTTPS, secure server 3-75, 4-41 I IEEE 802.1D 3-155, 4-207 IEEE 802.1s 3-155, 4-207 IEEE 802.1w 3-155, 4-207 IEEE 802.
INDEX power budgets port 3-147, 4-93 port priority 3-150, 4-94 Power over Ethernet configuring 2-15 priority, default port ingress 3-202, 4-256 priority, STA 3-167, 4-221 R RADIUS, logon authentication 3-72, 4-100 rate limits, setting 3-138, 4-186 remote logging 3-37, 4-60 RSTP 3-155, 4-207 global configuration 3-161, 4-207 S Secure Shell See SSH serial port, configuring 3-30, 4-13 SNMP community string 3-48, 4-154 enabling traps 3-50, 4-159 trap manager 3-50, 4-159 version 3 3-45, 3-53, 4-156, 4-160–4-16
INDEX W Web interface access requirements 3-1 configuration buttons 3-4 home page 3-3 menu list 3-6 panel display 3-5
FOR TECHNICAL SUPPORT, CALL: From U.S.A. and Canada (24 hours a day, 7 days a week) (800) SMC-4-YOU; (949) 679-8000; Fax: (949) 679-1481 From Europe (8:00 AM - 5:30 PM UK Time) 44 (0) 118 974 8700; Fax: 44 (0) 118 974 8701 INTERNET E-mail addresses: techsupport@smc.com european.techsupport@smc-europe.com support@smc-asia.com Driver updates: http://www.smc.com/index.cfm?action=tech_support_drivers_downloads World Wide Web: http://www.smc.com http://www.smc-europe.com http://www.smc-asia.