Instruction/maintenance manual of the product SMC8126PL2-F, SMC Networks
MANAGEMENT GUIDE TigerSwitch™ 10/100/1000 L2-Lite SMB PoE Gigabit Switch SMC8126PL2-F.
20 Mason, Irvine, CA 92618 Phone: (949) 679-8000 TigerSwitch 10/100/1000 Management Guide From SMC's Tiger line of feature-rich workgroup LAN solutions August 2009 Pub.
Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use.
v About This Guide Purpose This guide gives specific information on how to operate and use the management functions of the switch. Audience The guide is intended for use by network administrators who.
vii Contents Chapter 1: Introduction 1-1 Key Features 1-1 Description of Software Features 1-2 System Defaults 1-6 Chapter 2: Initial Configuration 2-1 Connecting to the Switch 2-1 Configuration Op.
Contents viii Saving or Restoring Configuration Settings 3-22 Downloading Configuration Settings from a Server 3-23 Console Port Settings 3-24 Telnet Settings 3-26 Configuring Event Logging 3-28 Sys.
Contents ix Generating the Host Key Pair 3-77 Configuring the SSH Server 3-79 Configuring 802.1X Port Authentication 3-80 Displaying 802.1X Global Settings 3-81 Configuring 802.1X Global Settings 3-82 Configuring Port Settings for 802.1X 3-83 Displaying 802.
Contents x Setting a Switch Power Budget 3-136 Displaying Port Power Status 3-136 Configuring Port PoE Power 3-137 Address Table Settings 3-139 Setting Static Addresses 3-139 Displaying the Address T.
Contents xi Quality of Service 3-200 Configuring Quality of Service Parameters 3-201 Configuring a Class Map 3-201 Creating QoS Policies 3-204 Attaching a Policy Map to Ingress Queues 3-207 Multicast.
Contents xii Partial Keyword Lookup 4-5 Negating the Effect of Commands 4-5 Using Command History 4-5 Understanding Command Modes 4-6 Exec Commands 4-6 Configuration Commands 4-7 Command Line Process.
Contents xiii speed 4-38 stopbits 4-38 disconnect 4-39 show line 4-39 Event Logging Commands 4-40 logging on 4-41 logging history 4-42 logging host 4-43 logging facility 4-43 logging trap 4-44 clear.
Contents xiv snmp-server engine-id 4-68 show snmp engine-id 4-69 snmp-server view 4-69 show snmp view 4-71 snmp-server group 4-71 show snmp group 4-73 snmp-server user 4-74 show snmp user 4-75 Auth.
Contents xv Web Server Commands 4-99 ip http port 4-99 ip http server 4-100 ip http secure-server 4-100 ip http secure-port 4-101 Telnet Server Commands 4-102 ip telnet server 4-102 Secure Shell Comm.
Contents xvi show network-access mac-address-table 4-130 DHCP Snooping Commands 4-131 ip dhcp snooping 4-132 ip dhcp snooping vlan 4-133 ip dhcp snooping trust 4-134 ip dhcp snooping verify mac-addr.
Contents xvii show interfaces switchport 4-165 Link Aggregation Commands 4-167 channel-group 4-168 lacp 4-169 lacp system-priority 4-170 lacp admin-key (Ethernet Interface) 4-171 lacp admin-key (Port.
Contents xviii mst priority 4-203 name 4-204 revision 4-205 max-hops 4-205 spanning-tree spanning-disabled 4-206 spanning-tree cost 4-206 spanning-tree port-priority 4-208 spanning-tree edge-port 4-2.
Contents xix Configuring Private VLANs 4-235 private-vlan 4-236 private vlan association 4-237 switchport mode private-vlan 4-238 switchport private-vlan host-association 4-238 switchport private-vla.
Contents xx IGMP Snooping Commands 4-266 ip igmp snooping 4-267 ip igmp snooping vlan static 4-267 ip igmp snooping version 4-268 ip igmp snooping leave-proxy 4-268 ip igmp snooping immediate-leave.
Contents xxi ip default-gateway 4-298 ip dhcp restart 4-299 show ip interface 4-299 show ip redirects 4-300 ping 4-300 Appendix A: Software Specifications A-1 Software Features A-1 Management Feature.
xxiii Tables Table 1-1 Key Features 1-1 Table 1-2 System Defaults 1-6 Table 3-1 Configuration Options 3-3 Table 3-2 Main Menu 3-4 Table 3-3 Logging Levels 3-28 Table 3-5 Supported Notification Messages 3-49 Table 3-6 HTTPS System Support 3-73 Table 3-7 802.
Tables xxiv Table 4-25 Authentication Commands 4-76 Table 4-24 show snmp user - display description 4-76 Table 4-26 User Access Commands 4-77 Table 4-27 Default Login Settings 4-77 Table 4-28 Authe.
Tables xxv Table 4-76 Priority Commands 4-244 Table 4-77 Priority Commands (Layer 2) 4-244 Table 4-78 Default CoS Values to Egress Queues 4-248 Table 4-79 Priority Commands (Layer 3 and 4) 4-25.
xxvii Figures Figure 3-1 Home Page 3-2 Figure 3-2 Panel Display 3-3 Figure 3-3 System Information 3-12 Figure 3-4 Switch Information 3-13 Figure 3-5 Bridge Extension Configuration 3-15 Figure 3-6.
Figures xxviii Figure 3-43 AAA Accounting Summary 3-69 Figure 3-44 AAA Authorization Settings 3-71 Figure 3-45 AAA Authorization Exec Settings 3-71 Figure 3-46 AAA Authorization Summary 3-72 Figure 3-47 HTTPS Settings 3-74 Figure 3-48 SSH Host-Key Settings 3-78 Figure 3-49 SSH Server Settings 3-79 Figure 3-50 802.
Figures xxix Figure 3-88 Setting the Address Aging Time 3-141 Figure 3-89 Displaying Spanning Tree Information 3-146 Figure 3-90 Configuring Spanning Tree 3-150 Figure 3-91 Displaying Spanning Tr.
Figures xxx Figure 3-133 MVR Port Configuration 3-229 Figure 3-134 MVR Group Member Configuration 3-230 Figure 3-135 DNS General Configuration 3-232 Figure 3-136 DNS Static Host Table 3-234 Figure 3.
1-1 Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
Introduction 1-2 Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Storm suppression prevents broadcast, multicast or unknown unicast traffic storms from engulfing the network.
Description of Software Features 1-3 Port Configuration – You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device.
Introduction 1-4 (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the switch provides 4 Mbits for frame buffering. This buffer can queue packets awaiting transmission on congested networks.
Description of Software Features 1-5 Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using four priority queues with strict or Weighted Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application.
Introduction 1-6 System Defaults The switch's system defaults are provided in the configuration file "Factory_Default_Config.cfg." To reset the switch defaults, this file should be set as the startup configuration file (page 3-22). The following table lists some of the basic system defaults.
System Defaults 1-7 SNMP SNMP Agent Enabled Community Strings "public" (read only), "private" (read/write) Traps Authentication traps: enabled Link-up-down events: enabled SNMP V3 View: d.
Introduction 1-8 IP Settings IP Address DHCP assigned Subnet Mask 255.255.255.0 Default Gateway 0.0.0.0 DHCP Client: Enabled DNS Client/Proxy service: Disabled BOOTP Disabled Multicast Filtering I.
2-1 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface.
Initial Configuration 2-2 • Configure up to 32 static or LACP trunks • Enable port mirroring • Set broadcast, multicast or unknown unicast storm control on any port • Display system info.
Basic Configuration 2-3 Remote Connections Prior to accessing the switch's onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol.
Initial Configuration 2-4 Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the "username" command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
Basic Configuration 2-5 Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: 1.
Initial Configuration 2-6 4. If network connections are normally slow, type "ip dhcp restart" to re-start broadcasting service requests. Press <Enter>. 5. Wait a few minutes, and then check the IP configuration settings by typing the "show ip interface" command.
Basic Configuration 2-7 The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
Initial Configuration 2-8 Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group.
Managing System Files 2-9 Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 16 Mbytes of flash memory for system files.
3-1 Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.
Configuring the Switch 3-2 Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is "admin.
Navigating the Web Browser Interface 3-3 Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Configuring the Switch 3-4 Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Navigating the Web Browser Interface 3-5 SNMPv3 3-43 Engine ID Sets the SNMPv3 engine ID on this switch 3-43 Remote Engine ID Sets the SNMPv3 engine ID for a remote device 3-44 Users Configures.
Configuring the Switch 3-6 802.1X Port authentication 3-80 Information Displays global configuration settings 3-82 Configuration Configures the global configuration setting 3-82 Port Configurati.
Navigating the Web Browser Interface 3-7 Power Config Configures the power budget for the switch 3-136 Power Port Status Displays the status of port power parameters 3-136 Power Port Config Configu.
Configuring the Switch 3-8 Trunk Configuration Specifies default trunk VID and VLAN attributes 3-176 Tunnel Port Configuration Adds ports to a QinQ tunnel 3-182 Tunnel Trunk Configuration Adds tru.
Navigating the Web Browser Interface 3-9 IGMP Immediate Leave Enables the immediate leave function 3-212 Multicast Router Port Information Displays the ports that are attached to a neighboring m.
Configuring the Switch 3-10 Binding Information Displays the DHCP Snooping binding information 3-106 IP Source Guard 3-107 Port Configuration Enables IP source guard and selects filter type per por.
Basic Configuration 3-11 Basic Configuration This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information.
Configuring the Switch 3-12 Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.
Basic Configuration 3-13 Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch.
Configuring the Switch 3-14 CLI – Use the following command to display version information. Console#show version 4-22 Unit 1 Serial Number: MWOR0AA134A0009 Hardware Version: R01 EPLD Version: 0.00 Number of Ports: 26 Main Power Status: Up Redundant Power Status: Not present Agent (Master) Unit ID: 1 Loader Version: 1.
Basic Configuration 3-15 Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
Configuring the Switch 3-16 CLI – Enter the following command. Setting the Switch's IP Address This section describes how to configure an IP interface for management access over the network. The IP address for the stack is obtained via DHCP by default.
Basic Configuration 3-17 Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to "Static," enter the IP address, subnet mask and gateway, then click Apply.
Configuring the Switch 3-18 Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP.
Basic Configuration 3-19 Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch.
Configuring the Switch 3-20 Managing Firmware Just specify the method of file transfer, along with the file type and file names as required. By saving run-time code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation.
Basic Configuration 3-21 Web – Click System, File Management, Copy Operation. Select "tftp to file" as the file transfer method, enter the IP address of the TFTP server, set the file type.
Configuring the Switch 3-22 CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select "opcode" as the file type, then enter the source and destination file names. When the file has finished downloading, set the new file to start up the system, and then restart the switch.
Basic Configuration 3-23 Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it.
Configuring the Switch 3-24 CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. To select another configuration file as the start-up configuration, use the boot system command and then restart the switch.
Basic Configuration 3-25 • Speed – Sets the terminal line's baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, 38400 baud; Default: 9600) • Stop Bits – Sets the number of the stop bits transmitted per byte.
Configuring the Switch 3-26 CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Telnet Settings You can access the onboard configuration program over the network using Telnet (i.
Basic Configuration 3-27 • Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt.
Configuring the Switch 3-28 Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.
Basic Configuration 3-29 Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-16 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
Configuring the Switch 3-30 • Host IP Address – Specifies a new server IP address to add to the Host IP List. Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add.
Basic Configuration 3-31 Displaying Log Messages The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Configuring the Switch 3-32 • SMTP Server – Specifies a new SMTP server address to add to the SMTP Server List. • Email Destination Address List – Specifies the email recipients of alert messages.
Basic Configuration 3-33 CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration.
Configuring the Switch 3-34 CLI – Use the reload command to restart the switch. When prompted, confirm that you want to reset the switch. When restarting the system, it will always run the Power-On Self-Test. Resetting the System Web – Click System, Reset.
Basic Configuration 3-35 Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
Configuring the Switch 3-36 Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply. Figure 3-22 SNTP Configuration CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.
Simple Network Management Protocol 3-37 Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC, and click Apply. Figure 3-23 Setting the System Clock CLI - This example shows how to set the time zone for the system clock.
Configuring the Switch 3-38 Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.
Simple Network Management Protocol 3-39 Enabling the SNMP Agent Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3). Command Attributes SNMP Agent Status – Enables SNMP on the switch. Web – Click SNMP, Agent Status. Figure 3-24 Enabling SNMP Agent Status CLI – The following example enables SNMP on the switch.
Configuring the Switch 3-40 Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Figure 3-25 Configuring SNMP Community Strings CLI – The following example adds the string "spiderman" with read/write access.
Simple Network Management Protocol 3-41 To send an inform to an SNMPv2c host, complete these steps: 1. Enable the SNMP agent (3-39). 2. Enable trap informs as described in the following pages. 3. Create a view with the required notification messages (3-52).
Configuring the Switch 3-42 • Enable Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process.
Simple Network Management Protocol 3-43 Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first before configuring other parameters.
Configuring the Switch 3-44 Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Simple Network Management Protocol 3-45 Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
Configuring the Switch 3-46 Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Simple Network Management Protocol 3-47 Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
Configuring the Switch 3-48 Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list.
Simple Network Management Protocol 3-49 Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Configuring the Switch 3-50 linkDown * 1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state).
Simple Network Management Protocol 3-51 Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list.
Configuring the Switch 3-52 Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view "defaultview" includes access to the entire MIB tree. Command Attributes • View Name – The name of the SNMP view.
Simple Network Management Protocol 3-53 CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.
Configuring the Switch 3-54 User Authentication You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods.
User Authentication 3-55 Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user's access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List.
Configuring the Switch 3-56 Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
User Authentication 3-57 Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only.
Configuring the Switch 3-58 Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.
User Authentication 3-59 CLI – Specify all the required parameters to enable logon authentication. Configuring Encryption Keys The Encryption Key feature provides a central location for the management of all RADIUS and TACACS+ server encryption keys.
Configuring the Switch 3-60 - Confirm Secret Text String – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match. - Change – Clicking this button adds or modifies the selected encryption key.
User Authentication 3-61 AAA Authorization and Accounting The Authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows: • Authentication — Identifies users that request access to the network.
Configuring the Switch 3-62 Configuring AAA RADIUS Group Settings The AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for accounting and authorization. Command Attributes • Group Name - Defines a name for the RADIUS server group.
User Authentication 3-63 Configuring AAA TACACS+ Group Settings The AAA TACACS+ Group Settings screen defines the configured TACACS+ servers to use for accounting and authorization. Command Attributes • Group Name - Defines a name for the TACACS+ server group.
Configuring the Switch 3-64 The group names "radius" and "tacacs+" specify all configured RADIUS and TACACS+ hosts (see "Configuring Local/Remote Logon Authentication" on page 3-56). Any other group name refers to a server group configured on the RADIUS or TACACS+ Group Settings pages.
User Authentication 3-65 AAA Accounting Update This feature sets the interval at which accounting updates are sent to accounting servers. Command Attributes Periodic Update - Specifies the interval at which the local accounting service updates information to the accounting server.
Configuring the Switch 3-66 AAA Accounting 802.1X Port Settings This feature applies the specified accounting method to an interface. Command Attributes • Port / Trunk - Specifies a port or trunk number. • Method Name - Specifies a user defined method name to apply to the interface.
User Authentication 3-67 AAA Accounting Exec Command Privileges This feature specifies a method name to apply to commands entered at specific CLI privilege levels. Command Attributes • Commands Privilege Level - The CLI privilege levels (0-15).
Configuring the Switch 3-68 AAA Accounting Exec Settings This feature specifies a method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user defined method name to apply to console and Telnet connections.
User Authentication 3-69 Web – Click Security, AAA, Summary. Figure 3-43 AAA Accounting Summary.
Configuring the Switch 3-70 CLI – Use the following command to display the currently applied accounting methods, and registered users. Authorization Settings AAA authorization is a feature that verifies a user has access to specific services.
User Authentication 3-71 Web – Click Security, AAA, Authorization, Settings. To configure a new authorization method, specify a method name and a group name, select the service, then click Add. Figure 3-44 AAA Authorization Settings CLI – Specify the authorization method required and the server group.
Configuring the Switch 3-72 CLI – Specify the authorization method to use for Console and Telnet interfaces. Authorization Summary The Authorization Summary displays the configured authorization methods and the interfaces to which they are applied.
User Authentication 3-73 Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch's web interface.
Configuring the Switch 3-74 Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-47 HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number.
User Authentication 3-75 Configuring the Secure Shell The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments.
Configuring the Switch 3-76 3. Import Client's Public Key to the Switch – Use the copy tftp public-key command (4-25) to copy a file containing the public key for all the SSH clients granted management access to the switch.
User Authentication 3-77 Authenticating SSH v2 Clients a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable. b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process.
Configuring the Switch 3-78 Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
User Authentication 3-79 Configuring the SSH Server The SSH server includes basic settings for authentication. Note: You must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch.
Configuring the Switch 3-80 3 CLI – This example enables SSH, set s the authentication parameters, and dis plays the current configuration. It shows that the administrator has made a connection via SHH, and then disables th is connection. Configuring 802.
User Authentication 3-81 3 TLS (T ransport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (T unneled T ransport Layer Security). The client responds to the appropriate method wi th its credentials, such as a p assword or certif icate.
Configuring the Switch 3-82 3 CLI – This example shows the default globa l setting for 802.1X. Configuring 802.1X Global Settin gs The 802.1X protocol provides port au thentication. The 802.1X protocol must be enabled global ly for the switch system b efore port settings are a ctive.
User Authentication 3-83 3 Configuring Port Setting s for 802.1X When 802.1X is enabled, yo u need to configur e the paramete rs for the authenticati on process that runs between the clien t and the switch (i.e., authenticator), as well as t he client identit y lookup process that runs between the switch and authenticat ion server .
Configuring the Switch 3-84 3 Web – Click Security , 80 2.1X, Port Configuration. Modify t he para meters required, and click Apply . Figure 3-52 802.
User Authentication 3-85 3 CLI – This example set s the 802.1X para meters on port 2. For a description of the additional fields displa yed in this example, see "sh ow dot1x" on p age 4-1 18.
Configuring the Switch 3-86 3 Displaying 802.1X Statistics This switch can display st atistics for dot1x protoc ol exchanges for any port. Web – Select Security , 80 2.1X, S tatist ics. Select the required port and then click Query . Click Refresh to update the stat istics.
User Authentication 3-87 3 CLI – This example displays the 802. 1X statisti cs for port 4. Filtering IP Addresses for Management Access Y ou create a list of up to 16 IP addresses or IP address groups t hat are allowed management access to the switch through the web interface, SNMP , or T elnet.
Configuring the Switch 3-88 3 Web – Click Security , IP Filter . Enter the IP addresses or range of addresses that are allowed management access to an interface, and cl ick Add Web IP Filt ering Entry to update the fil ter list. Figure 3-54 Creating an IP Filter List CLI – This example allows SNMP access for a specific cli ent.
General Securi ty Measures 3-89 3 General Security Measures This switch support s many methods of segregating traf fic for client s attached to each of the dat a ports, and for ensur ing that only authorize d clients gai n access to the network. Private VLANs and port-bas ed authentication using IEEE 802.
Configuring the Switch 3-90 3 Configuring Port Security Port security is a feature th at allows you to configure a switch port with one or more device MAC addresses that are authorized t o access the network through that port .
Access Control Li sts 3-91 3 Web – Click Sec urity , Port Securi ty . Set the action to t ake when an invalid address is detected on a port, mark the c heckbox in the S tatus col umn to enabl e security for a port, set the maximu m number of MAC addresses all owed on a port, and click Appl y .
Configuring the Switch 3-92 3 • When an ACL is bound to an interf ace as an egress filter, all entri es in the ACL must be deny rules. Otherwi se, the bind operation will f ail. • The switch does not su pport the explici t “deny any any” rule for t he egress IP ACL.
Access Control Li sts 3-93 3 Configuring a Standard IP ACL Command Attributes • Action – An ACL can contain any combination of permit or de ny rules.
Configuring the Switch 3-94 3 Configuring an Extended IP ACL Command Attributes • Action – An ACL can contain any combination of permit or de ny rules.
Access Control Li sts 3-95 3 Web – S pecify the action (i.e., Permit or Deny). S pecify the source and/ or destination addre sses. Select the address type (Any , Host, or IP). If you select “Host,” enter a specific addre ss. If you select “IP ,” enter a subnet address and the mask for an address range.
Configuring the Switch 3-96 3 Configuring a MAC ACL Use this page to configure ACLs based on hardware addresses, p acket format, and Ethernet type. Command Attributes • Action – An ACL can contain any combination of permit or de ny rules.
Access Control Li sts 3-97 3 Web – S pecify the action (i.e., Permit or Deny). S pecify the source and/ or destination addresses. Select t he address type (Any , Host, or MAC). If yo u select “Host,” enter a spe cific address (e.g., 1 1-22- 33-44-55-66).
Configuring the Switch 3-98 3 Binding a Port to an Acce ss Control List After configuring the Access Control List s (ACL), you can bind the ports that need to filter traf fic to the appropriate ACLs. Y ou can as sign one IP access list to any port. Command Usage • Each ACL can have up to 32 rules .
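The IP ACL model described on pages 3-92 to 3-98 (permit/deny rules, Any/Host/IP-with-mask address types, the 32-rule limit, and the two restrictions on egress filters), as an added Python model that is not code from the SMC manual or from the switch software. The Rule and IpAcl classes, the first-match evaluation with an implicit deny when no rule matches, the treatment of the mask as a subnet-style mask in which set bits must match, and every address used are assumptions made for illustration.

```python
"""
Added example, not from the SMC manual: an evaluator for the standard/extended
IP ACL model the manual describes (permit or deny rules; source/destination
given as Any, Host, or IP plus mask; first match wins) together with the egress
bind checks stated on page 3-92. Addresses and rules below are constructed.
Assumption: the mask is a subnet-style mask (set bits must match) and a packet
matching no rule is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

MAX_RULES = 32  # per-ACL limit given on page 3-98


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str = "any"     # "any", "host A.B.C.D", or "A.B.C.D mask M.M.M.M"
    dst: str = "any"


def _matches(spec: str, addr: str) -> bool:
    """Match one address against an Any / Host / IP-with-mask specification."""
    if spec == "any":
        return True
    parts = spec.split()
    ip = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return ip == int(ipaddress.IPv4Address(parts[1]))
    net = int(ipaddress.IPv4Address(parts[0]))
    mask = int(ipaddress.IPv4Address(parts[2]))   # "A.B.C.D mask M.M.M.M"
    return (ip & mask) == (net & mask)


class IpAcl:
    def __init__(self, name: str, rules: List[Rule]) -> None:
        if len(rules) > MAX_RULES:
            raise ValueError(f"ACL {name}: more than {MAX_RULES} rules")
        for r in rules:
            if r.action not in ("permit", "deny"):
                raise ValueError(f"ACL {name}: bad action {r.action!r}")
        self.name, self.rules = name, rules

    def evaluate(self, src: str, dst: str) -> str:
        """First matching rule decides; no match means deny (assumption)."""
        for r in self.rules:
            if _matches(r.src, src) and _matches(r.dst, dst):
                return r.action
        return "deny"


def can_bind_egress(acl: IpAcl) -> bool:
    """Page 3-92: an egress IP ACL may contain only deny rules and may not
    carry an explicit 'deny any any' entry, otherwise the bind fails."""
    for r in acl.rules:
        if r.action != "deny":
            return False
        if r.src == "any" and r.dst == "any":
            return False
    return True


# Constructed sample ACLs: a management filter that blocks one host but permits
# its subnet, and an egress filter made only of deny rules.
MGMT_ACL = IpAcl("mgmt", [
    Rule("deny", src="host 192.168.1.99"),
    Rule("permit", src="192.168.1.0 mask 255.255.255.0"),
])
EGRESS_ACL = IpAcl("block-guest", [Rule("deny", src="10.20.0.0 mask 255.255.0.0")])

if __name__ == "__main__":
    print(MGMT_ACL.evaluate("192.168.1.99", "192.168.1.1"))   # deny (host rule first)
    print(MGMT_ACL.evaluate("192.168.1.10", "192.168.1.1"))   # permit (subnet rule)
    print(MGMT_ACL.evaluate("10.0.0.5", "192.168.1.1"))       # deny (no match)
    print(can_bind_egress(MGMT_ACL), can_bind_egress(EGRESS_ACL))  # False True
```

Rule order matters: the host deny is placed before the subnet permit so that the more specific rule is reached first, which is the check to make when an ACL bound to an interface does not block what it was meant to.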
Access Control Lists 3-99 CLI – This example assigns an IP access list to port 1, and an IP access list to port 3. Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
Configuring the Switch 3-100 Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list. Figure 3-61 Creating an IP Filter List CLI – This example allows SNMP access for a specific client.
Access Control Lists 3-101 DHCP Snooping The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard).
Configuring the Switch 3-102 - If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN. - If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
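The two forwarding rules on page 3-102, as an added Python model that is not code from the SMC manual or from the switch software. The Port class, the four-port topology and the VLAN numbers are constructed; the page only states what happens to a server packet received on a trusted port, so dropping a server-side packet that arrives on an untrusted port is an assumption labelled in the code.

```python
"""
Added example, not from the SMC manual: a model of the DHCP snooping
forwarding rules stated on page 3-102. Ports and VLANs are constructed.
Assumption: a server-side DHCP packet arriving on an untrusted port is
dropped (the page only describes the trusted-port case).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Port:
    number: int
    vlan: int
    trusted: bool   # set on the DHCP Snooping Port Configuration page


class DhcpSnoopingForwarder:
    def __init__(self, ports: Iterable[Port]) -> None:
        self.ports: Dict[int, Port] = {p.number: p for p in ports}

    def forward_set(self, ingress: int, from_server: bool) -> Set[int]:
        """Ports a DHCP packet is forwarded to, assuming a client packet has
        already passed the snooping filter criteria."""
        src = self.ports[ingress]
        same_vlan = [p for p in self.ports.values()
                     if p.vlan == src.vlan and p.number != ingress]
        if from_server:
            if not src.trusted:
                return set()   # assumption: server packet on untrusted port is dropped
            # Server packet on a trusted port: flood to trusted and untrusted ports.
            return {p.number for p in same_vlan}
        # Client packet: only trusted ports in the same VLAN receive it.
        return {p.number for p in same_vlan if p.trusted}


# Constructed topology: two access ports and a server-facing uplink in VLAN 10,
# one trusted port in a different VLAN.
SWITCH = DhcpSnoopingForwarder([
    Port(1, vlan=10, trusted=False),
    Port(2, vlan=10, trusted=False),
    Port(3, vlan=10, trusted=True),
    Port(4, vlan=20, trusted=True),
])

if __name__ == "__main__":
    print(SWITCH.forward_set(1, from_server=False))   # {3}
    print(SWITCH.forward_set(3, from_server=True))    # {1, 2}
    print(SWITCH.forward_set(2, from_server=True))    # set()
```

The asymmetry is the point of the feature: a client request never reaches another untrusted port, so a DHCP server plugged into an access port cannot answer it.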
Access Control Lists 3-103 DHCP Snooping VLAN Configuration Use the DHCP Snooping VLAN Configuration page to enable or disable DHCP snooping on specific VLANs.
Configuring the Switch 3-104 Command Usage • DHCP Snooping (see 3-102) must be enabled for Option 82 information to be inserted into request packets.
Access Control Lists 3-105 CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace. DHCP Snooping Port Configuration Use the DHCP Snooping Port Configuration page to configure switch ports as trusted or untrusted.
Configuring the Switch 3-106 Web – Click DHCP Snooping, Port Configuration. Set any ports within the local network or firewall to trusted, and click Apply. Figure 3-65 DHCP Snooping Port Configuration CLI – This example shows how to enable the DHCP Snooping Trust Status for ports.
Access Control Lists 3-107 • IP Address Type – Indicates an IPv4 address type. • Lease Time (Seconds) – The time for which this IP address is leased to the client.
Configuring the Switch 3-108 Command Usage • Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
Access Control Lists 3-109 Web – Click IP Source Guard, Port Configuration. Set the required filtering type for each port and click Apply. Figure 3-67 IP Source Guard Port Configuration CLI – This example shows how to enable IP source guard on port 5 to check the source IP address for ingress packets against the binding table.
Configuring the Switch 3-110 - If there is an entry with the same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
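The IP Source Guard check from page 3-108 (SIP mode compares VLAN ID, source IP and port number against the binding table) and the static-over-dynamic replacement rule from page 3-110, as one added Python model that is not code from the SMC manual or from the switch software. The Binding and SourceGuard classes, the bindings, MAC and IP values are constructed; that SIP-MAC additionally compares the source MAC, and that an existing static entry is left in place, are assumptions the page does not state.

```python
"""
Added example, not from the SMC manual: a model of the IP Source Guard binding
table and ingress check described on pages 3-108 and 3-110. Dynamic entries
come from DHCP snooping, static ones from IP Source Guard configuration.
All bindings and packets are constructed. Assumptions: SIP-MAC also requires
the source MAC to match, and an existing static entry is kept.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Binding:
    vlan: int
    mac: str
    ip: str
    port: int
    kind: str   # "dynamic" (DHCP snooping) or "static" (IP Source Guard)


class SourceGuard:
    def __init__(self) -> None:
        self.table: List[Binding] = []
        self.mode: Dict[int, str] = {}   # port -> "disabled" | "sip" | "sip-mac"

    def learn_dynamic(self, vlan: int, mac: str, ip: str, port: int) -> None:
        """Entry registered by DHCP snooping when a lease is granted."""
        self.table.append(Binding(vlan, mac.lower(), ip, port, "dynamic"))

    def add_static(self, vlan: int, mac: str, ip: str, port: int) -> str:
        """Page 3-110: a static entry with the same VLAN ID and MAC as a dynamic
        DHCP snooping binding replaces it, and the type becomes static."""
        mac = mac.lower()
        for i, e in enumerate(self.table):
            if e.vlan == vlan and e.mac == mac:
                if e.kind == "dynamic":
                    self.table[i] = Binding(vlan, mac, ip, port, "static")
                    return "replaced"
                return "exists"   # assumption: existing static entry is kept
        self.table.append(Binding(vlan, mac, ip, port, "static"))
        return "added"

    def set_mode(self, port: int, mode: str) -> None:
        if mode not in ("disabled", "sip", "sip-mac"):
            raise ValueError(mode)
        self.mode[port] = mode

    def permits(self, port: int, vlan: int, src_ip: str, src_mac: str) -> bool:
        """Page 3-108: SIP checks VLAN ID, source IP and port number against
        every binding; SIP-MAC (assumed) also requires the MAC to match."""
        mode = self.mode.get(port, "disabled")
        if mode == "disabled":
            return True
        for e in self.table:
            if e.vlan == vlan and e.ip == src_ip and e.port == port:
                if mode == "sip" or e.mac == src_mac.lower():
                    return True
        return False


def demo() -> dict:
    """Constructed scenario: one DHCP lease on port 5, then a static override."""
    g = SourceGuard()
    g.set_mode(5, "sip-mac")
    g.learn_dynamic(vlan=1, mac="00-11-22-33-44-55", ip="192.168.1.50", port=5)
    r = {
        "lease_holder": g.permits(5, 1, "192.168.1.50", "00-11-22-33-44-55"),
        "wrong_ip": g.permits(5, 1, "192.168.1.99", "00-11-22-33-44-55"),
        "wrong_mac": g.permits(5, 1, "192.168.1.50", "aa-bb-cc-dd-ee-ff"),
        "unguarded_port": g.permits(6, 1, "192.168.1.99", "aa-bb-cc-dd-ee-ff"),
        "static_outcome": g.add_static(1, "00-11-22-33-44-55", "192.168.1.60", 5),
    }
    r["kind_after"] = g.table[0].kind
    r["old_ip_after"] = g.permits(5, 1, "192.168.1.50", "00-11-22-33-44-55")
    r["new_ip_after"] = g.permits(5, 1, "192.168.1.60", "00-11-22-33-44-55")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the static entry does not just add a second binding: it takes over the VLAN/MAC pair, so the address the client previously obtained by DHCP stops being accepted on that port once the administrator pins a different one.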
Access Control Lists 3-111 Displaying Information for Dynamic IP Source Guard Bindings Use the Dynamic Information page to display the source-guard binding table for a selected interface. Command Attributes • Query by – Select an interface to display the source-guard binding.
Configuring the Switch 3-112 Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
Port Configuration 3-113 Configuration: • Name – Interface label. • Port admin – Shows if the interface is enabled or disabled (i.e., up or down). • Speed-duplex – Shows the current speed and duplex mode. (Auto, or fixed choice) • Capabilities – Specifies the capabilities to be advertised for a port during auto-negotiation.
Configuring the Switch 3-114 CLI – This example shows the connection status for Port 5. Configuring Interface Connections You can use the Port Configuration or Trunk Configuration page to enab.
Port Configuration 3-115 problem has been resolved. You may also disable an interface for security reasons. • Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e., with auto-negotiation disabled) • Flow Control – Allows automatic or manual selection of flow control.
Configuring the Switch 3-116 CLI – Select the interface, and then enter the required settings. Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link.
Port Configuration 3-117 • The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings. • Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
Configuring the Switch 3-118 CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
Port Configuration 3-119 Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-26/50) Web – Click Port, LACP, Configuration.
Configuring the Switch 3-120 CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
Port Configuration 3-121 - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG.
Configuring the Switch 3-122 CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG.
Port Configuration 3-123 Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information. Figure 3-75 LACP - Port Counters Information CLI – The following example displays LACP counters.
Configuring the Switch 3-124 Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-9 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port.
Port Configuration 3-125 Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-76 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Configuring the Switch 3-126 Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Web – Click Port, LACP, Port Neighbors Information.
Port Configuration 3-127 CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
Configuring the Switch 3-128 Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-78 Port Broadcast Control Configuring Local Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis.
Port Configuration 3-129 Web – Click Port, Mirror Port Configuration. Specify the source port, the traffic type to be mirrored, and the monitor port, then click Add.
Configuring the Switch 3-130 Web – Click Port, Rate Limit, Input/Output Port/Trunk Configuration. Enable the Rate Limit Status for the required interfaces, then set the rate limit for the individual interfaces, and click Apply.
Port Configuration 3-131 Received Multicast Packets The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast address at this sub-layer.
Configuring the Switch 3-132 Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than one collision. Carrier Sense Errors The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame.
Port Configuration 3-133 Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
Configuring the Switch 3-134 Figure 3-81 Port Statistics CLI – This example shows statistics for port 13. Power Over Ethernet Settings The switch can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device.
Power Over Ethernet Settings 3-135 power, if necessary by dropping power to ports set for a lower priority. If power is dropped to some low-priority ports and later the power demands on the switch fall back within its budget, the dropped power is automatically restored.
Configuring the Switch 3-136 Setting a Switch Power Budget A maximum PoE power budget for the switch (power available to all switch ports) can be defined so that power can be centrally managed, preventing overload conditions at the power source.
Power Over Ethernet Settings 3-137 re-enabled when the overload condition is no longer detected on the port. (Default: Disabled) Web – Click PoE, Power Port Status. Figure 3-84 Displaying Port PoE Status CLI – This example displays the PoE status and priority of port 1.
Configuring the Switch 3-138 • If a device is connected to a critical or high-priority port and causes the switch to exceed its budget, port power is turned on, but the switch drops power to one or more lower-priority ports. Note: Power is dropped from low-priority ports in sequence starting from port number 1.
Address Table Settings 3-139 Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table.
Configuring the Switch 3-140 Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch.
Address Table Settings 3-141 CLI – This example also displays the address table entries for port 1. Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the function.
Configuring the Switch 3-142 Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
Spanning Tree Algorithm Configuration 3-143 MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members.
Configuring the Switch 3-144 Once you specify the VLANs to include in a Multiple Spanning Tree Instance (MSTI), the protocol will automatically build an MSTI tree to maintain connectivity among each of the VLANs.
Spanning Tree Algorithm Configuration 3-145 These additional parameters are only displayed for the CLI: • Spanning tree mode – Specifies the type of spanning tree used on this switch: - STP: Spanning Tree Protocol (IEEE 802.1D) - RSTP: Rapid Spanning Tree (IEEE 802.
Configuring the Switch 3-146 Web – Click Spanning Tree, STA, Information. Figure 3-89 Displaying Spanning Tree Information CLI – This command displays global STA settings, followed by settings for each port. Note: The current root port and current root cost display as zero when this device is not connected to the network.
Spanning Tree Algorithm Configuration 3-147 Configuring Global Settings for STA Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network.
Configuring the Switch 3-148 • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Spanning Tree Algorithm Configuration 3-149 • Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages.
Configuring the Switch 3-150 Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-90 Configuring Spanning Tree.
Spanning Tree Algorithm Configuration 3-151 CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters. Displaying Interface Settings for STA The STA Port Information and STA Trunk Information pages display the current status of ports and trunks in the Spanning Tree.
Configuring the Switch 3-152 • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port.
Spanning Tree Algorithm Configuration 3-153 These additional parameters are only displayed for the CLI: • Admin Status – Shows if this interface is enabled. • External Admin Path Cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices.
Configuring the Switch 3-154 CLI – This example shows the STA attributes for port 5. Configuring Interface Settings for STA You can configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port.
Spanning Tree Algorithm Configuration 3-155 The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled) • Priority – Defines the priority used for this port in the Spanning Tree Protocol.
Configuring the Switch 3-156 • Admin Link Type – The link type attached to this interface. - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
Spanning Tree Algorithm Configuration 3-157 Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-92 Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7.
Configuring the Switch 3-158 Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing t.
Spanning Tree Algorithm Configuration 3-159 Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
Configuring the Switch 3-160 CLI – This displays STA settings for instance 1, followed by settings for each port. Console#show spanning-tree mst 1 4-213 Spanning-tree information ------------.
Spanning Tree Algorithm Configuration 3-161 Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Command Attributes • MST Instance ID – Instance identifier to configure.
Configuring the Switch 3-162 CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST; the settings for other instances only apply to the local spanning tree.
Spanning Tree Algorithm Configuration 3-163 Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages.
Configuring the Switch 3-164 Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-95 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4.
VLAN Configuration 3-165 This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using exp.
Configuring the Switch 3-166 Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch.
VLAN Configuration 3-167 Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN.
Configuring the Switch 3-168 Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.
VLAN Configuration 3-169 Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging.
Configuring the Switch 3-170 • Name – Name of the VLAN (1 to 32 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational. - Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Channel groups – Shows the VLAN interface members.
VLAN Configuration 3-171 3 Web – Click VLAN, 80 2.1Q VLAN, S tatic List. T o create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activa te the VLAN, and then click Add.
Configuring the Switch 3-172 3 CLI – This example creates a new VLAN. Console(config)#vlan database 4-220 Console(config-vlan)#vlan 2 name R&D media ethernet state active 4-221 Console(config-vl.
VLAN Configuration 3-173 3 Adding Static Members to VLANs (VLAN Index) Use the VLAN S tatic T able to configure port members fo r the selected VLAN ind ex. Assign ports a s tagged i f they are connected to 802.1Q VLAN compliant devices, or untagged t hey are not connected to any VLAN-aware device s.
Configuring the Switch 3-174 3 Web – Click VLAN, 80 2.1Q VLAN, S tatic T able. Select a VLAN ID from the scroll-down list . Modify the VLAN name and status if re quired. Select the membership type by marking the ap propriate radio button in the list of ports or trunks.
VLAN Configuration 3-175 3 Adding Static Members to VLANs (Port Index) Use the VLAN S tatic Membership by Port menu to assign VLAN groups to the selected interfa ce as a tagged member . Command Attributes • Interface – Port or trunk identif ier. • Member – VLANs for which the select ed interface is a tag ged member.
Configuring the Switch 3-176 3 Configuring VLAN Behavior for Interfaces Y ou can configure VLAN behavior for speci fic interface s, including the d efault VLAN identifier (PVID), acce pted frame types, in gress filtering, GVRP status, and GARP timers.
VLAN Configuration 3-177 3 • GARP Leave Timer 13 – The inte rval a port wai ts before leav ing a VLAN group. This time shoul d be set to more tha n twice the join ti me. This ensures that afte r a Leave or LeaveAll message has be en issued, the appli cants can rejoin before the port actually leave s the group.
Configuring the Switch 3-178 3 Configuring IEEE 802.1Q Tunneling IEEE 802.1Q T unneling (QinQ) is designed for service providers carrying tra ffic fo r multiple custome rs across their netwo rks.
VLAN Configuration 3-179 3 customer’s network. The packet is sent as a normal IEEE 802.1Q-t agged frame, preserving the o riginal VLAN numb ers used in the customer’s network. Layer 2 Flow for Packets Coming into a T unnel Access Port A QinQ tunnel port may recei ve either tagge d or untagged p ackets.
Configuring the Switch 3-180 3 Layer 2 Flow for Packets Coming into a T unnel Uplink Port An uplink port receives one of th e following pa ckets: • Untagged • One tag (CVLAN or SPVLAN) • Double tag (CVLAN + SPVLAN) The ingress process does source and desti nation lookup s.
VLAN Configuration 3-181 3 • Static trunk port groups are compatible with QinQ tunn el ports as lon g as the QinQ configurati on is consistent with in a trunk port group.
Configuring the Switch 3-182 3 incoming frames conta ining that etherty pe are assigned to the VLAN contai ned in the tag followin g the ethertype fiel d, as they would be with a standard 802.1Q trunk . Frames arriving on the port contain ing any other ethertype are look ed upon as untagged fr ames, and assigne d to the nat ive VLAN of tha t port.
VLAN Configuration 3-183 3 the attached clie nt is using a nonstandard 2-byt e ethertype to identify 802 .1Q tagged frames (se e "Displaying Basi c VLAN Information" on page 3-168 ). Command Attributes Mode – Set the VLAN membership mode of the port .
Configuring the Switch 3-184 3 Configuring Private VLANs Private VLANs provide port-based securi ty and isolation between port s within the assigned VLAN. Dat a traffic on downlink port s can only be forwarded to, and from, uplink port s. (Note that private VLANs and normal VLANs can exist simul taneousl y within the same switch.
VLAN Configuration 3-185 3 Configuring Uplink and Downlink Ports Use the Private VLAN Link S tatus p age to set ports as do wnlink or uplink port s. Ports designated as downlink port s can not communicate wit h any other ports on t he switch except for the up link ports.
Configuring the Switch 3-186 3 Command Usage T o configure pro tocol-based VLANs, follow these steps: 1. First configure VLAN group s for the protocols you want to u se (3-170). Although not mandatory , we s uggest configuring a sepa rate VLAN for ea ch major protocol running on your network.
VLAN Configuration 3-187 3 CLI – This example creates protocol group 1 for Ethernet frames using the IP protocol, and group 2 for Ethernet frames using the ARP protocol. Mapping Protocols to VLAN s Use the Protocol VLAN Port Configurati on menu to map a Protocol VLAN Group to a VLAN.
Configuring the Switch 3-188 3 Web – Click VLAN, Proto col VLAN, Port Configurat ion. Figure 3-108 Protocol VLAN Port Conf iguration CLI – The following maps the traffic ent ering Port 1 which match es the protocol type specified in protocol grou p 2 to VLAN 2.
Class of Service Conf iguration 3-189 3 Class of Service Configuration Class of Service (CoS) al lows you to spe cify which dat a packets have greater precedence when traf fic is buffered in th e switch due to conges tion. This swit ch supports Co S with four priorit y queues for each port.
Configuring the Switch 3-190 3 Command Attributes • Default Priority 14 – The priority that is assigned to untagge d frames received on the specified int erface. (Range: 0-7; Defa ult: 0) • Number of Egress Traffic Classes – The number of queue buffe rs provided for each port.
Class of Service Conf iguration 3-191 3 Mapping CoS Values to Egress Que ues This switch processe s Class of Service (CoS) priority t agged traffic by u sing four priority queues for each port, wit h service schedules based on strict or W eighted Round Robin (WRR).
Configuring the Switch 3-192 3 Web – Cli ck Priority , T raffic Classes. Sele ct a port or trunk for t he current mapping of CoS values to out put queues to be display ed. Assign priorities to th e traf fic classes (i.e., output queues), then click Apply .
Class of Service Conf iguration 3-193 3 Selecting the Queue Mode Y ou can set the switch to service the queues based on a strict rul e that requires all traff ic in a high er priority queue to be processe d before lower priori ty queues a re serviced, or use W eighted Round-Robin (WRR) queuing that specifies a relat ive weight of eac h queue.
Configuring the Switch 3-194 3 Setting the Service Weig ht for Traffic Classes This switch uses the We ighted Round Robin (WRR) algorithm t o determine the frequency at which it servi ces each priority queue.
Class of Service Conf iguration 3-195 3 Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traf fic to meet application requi rements.
Configuring the Switch 3-196 3 Mapping IP Precedence The T ype of Service (T oS) octet in the IPv4 header includes th ree precedence bit s defining eight di ffer ent priority levels rangi ng from highest prio rity for network control packet s to lowest priority for routine traffi c.
Class of Service Conf iguration 3-197 3 CLI – The f ollowing exa mple globally enables IP Precedence service on the switch , maps IP Precedence value 1 to CoS value 0 (on port 1), an d then display s the IP Precedence settings.
Configuring the Switch 3-198 3 Command Attributes • DSCP Priority Table – Shows the DSCP Priority to CoS map. • Class of Service Value – Maps a CoS v alue to the selected DSCP Pri ority value. Note that “0” represents lo w priority and “7” represent hi gh priority.
Class of Service Conf iguration 3-199 3 Mapping IP Port Priority Y ou can also map network applications to Class of Se rvice values based on the I P port number (i.e., TCP/UDP port numbe r) in the frame header . Some of the more common TCP service port s include: HTTP: 80, FTP: 21, T elnet: 23 and POP3: 1 10.
Configuring the Switch 3-200 3 CLI * – The foll owing example gl obally enables IP Port Priority service on the switch, maps HTTP traf fic on port 5 to CoS value 0, and then di splays all the IP Port Pri ority settings for t hat port.
Quality of Service 3-201 3 Configuring Quality of Service Parameters T o create a service policy for a speci fic category or ingress traf fic, follow these steps: 1. Use the “Class Map” to designa te a class name for a specific category of traffic .
3-202 Class Configuration • Class Name – Name of the class map. (Range: 1-16 characters) • Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
3-203 Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-118 Configuring Class Maps. CLI – This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
3-204 Creating QoS Policies: This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on 3-201. - Open the Policy Map page, and click Add Policy.
3-205 Policy Rule Settings - Class Settings - • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on 3-201).
3-206 Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy.
3-207 CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
3-208 CLI – This example applies a service policy to an ingress interface. Multicast Filtering: Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client.
3-209 Layer 2 IGMP (Snooping and Query). IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query.
3-210 Configuring IGMP Snooping and Query Parameters: You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
3-211 • Act as IGMP Querier – When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic.
3-212 CLI – This example modifies the settings for multicast filtering, and then displays the current status. Enabling IGMP Immediate Leave: The switch can be configure.
3-213 Command Attributes • VLAN ID – ID of configured VLAN (1-4094). • Immediate Leave – Sets the status for immediate leave on the specified VLAN. (Default: Disabled) Web – Click IGMP Snooping, IGMP Immediate Leave.
3-214 Displaying Interfaces Attached to a Multicast Router: Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet.
3-215 Specifying Static Interfaces for a Multicast Router: Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier.
3-216 Displaying Port Members of Multicast Services: You can display the port members associated with a specified VLAN and multicast service. Command Attributes • VLAN ID – Selects the VLAN for which to display port members.
3-217 Assigning Ports to Multicast Services: Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in "Configuring IGMP Snooping and Query Parameters" on page 3-210.
3-218 CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1. IGMP Filtering and Throttling: In certain switch applications, the administrator may want to control the multicast services that are available to end users.
3-219 Web – Click IGMP Snooping, IGMP Filter Configuration. Create a profile number by entering the number in the text box and clicking Add.
3-220 • Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny) • New Multicast Address Range List – Specifies multicast groups to include in the profile. Specify a multicast group range by entering a start and end IP address.
3-221 CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join. The current profile configuration is then displayed.
3-222 Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply.
3-223 Multicast VLAN Registration: Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network.
3-224 Configuring Global MVR Settings: The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that.
3-225 Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply.
3-226 Displaying MVR Interface Status: You can display information about the interfaces attached to the MVR VLAN. Field Attributes • Type – Shows the MVR port type. • Oper Status – Shows the link status. • MVR Status – Shows the MVR status.
3-227 Displaying Port Members of Multicast Groups: You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN.
3-228 Configuring MVR Interface Status: Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
3-229 - Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.) • Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group.
3-230 Assigning Static Multicast Groups to Interfaces: For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces.
3-231 Configuring Domain Name Service: The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network.
3-232 Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.
3-233 Configuring Static DNS Host to Address Entries: You can manually configure static entries in the DNS table that are used to map domain names to IP addresses.
3-234 Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. Figure 3-136 DNS Static Host Table. CLI – This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
3-235 Displaying the DNS Cache: You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable.
3-236 Switch Clustering: Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
3-237 • Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 16.
3-238 Cluster Member Configuration: Adds Candidate switches to the cluster as Members. Command Attributes • Member ID – Specify a Member ID number for the selected Candidate switch.
3-239 Displaying Information on Cluster Members: Use the Cluster Member Information page to display information on current cluster Member switches. Command Attributes • Member ID – The ID number of the Member switch. • Role – Indicates the current status of the switch in the cluster.
3-240 Cluster Candidate Information: Use the Cluster Candidate Information page to display information about discovered switches in the network that are already cluster Members or are available to become cluster Members.
4-1 Chapter 4: Command Line Interface. This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface. Accessing the CLI: When accessing the management interface.
4-2 Telnet Connection: Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
4-3 Entering Commands: This section describes how to enter CLI commands. Keywords and Arguments: A CLI command is a series of keywords and arguments.
4-4 Showing Commands: If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database).
4-5 The command “show interfaces ?” will display the following information: Partial Keyword Lookup: If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.
4-6 Understanding Command Modes: The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions.
4-7 Configuration Commands: Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted.
4-8 To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
4-9 Command Line Processing: Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
4-10 Command Groups: The system commands can be broken down into the functional groups shown below. Table 4-4 Command Groups: Command Group, Description, Page. General: Basic co.
4-11 The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration), NE (Normal Exec), CM (Class Map Configuration), PE.
4-12 Command Mode: Normal Exec. Command Usage • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-78.
4-13 Example. Related Commands: end (4-14). show history: This command shows the contents of the command history buffer. Command Mode: Normal Exec, Privileged Exec. Command Usage: The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
4-14 Command Mode: Privileged Exec. Command Usage • This command resets the entire system. • When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.
4-15 exit: This command returns to the previous configuration mode or exits the configuration program. Command Mode: Any. Example: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session. quit: This command exits the configuration program.
4-16 System Management Commands: These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information. Device Designation Commands. hostname: This command specifies or modifies the host name for this device.
4-17 Example. System Status Commands: This section describes commands used to display system information. show startup-config: This command displays the configuration file stored in non-volatile memory that is used to start up the system.
4-18 Example. Related Commands: show running-config (4-18). show running-config: This command displays the configuration information currently in use. Default Setting: None. Command Mode: Privileged Exec. Console#show startup-config building startup-config, please wait.
4-19 Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory. • This command displays settings for key command modes.
4-20 Example. Related Commands: show startup-config (4-17). Console#show running-config building startup-config, please wait... .. !<stackingDB>00</stackingDB> !<stackingMac>01_00-13-f7-12-31-23_01</stackingMac> ! phymap 00-13-f7-12-31-23 ! SNTP server 0.
4-21 show system: This command displays system information. Command Mode: Normal Exec, Privileged Exec. Command Usage • For a description of the items shown by this command, refer to "Displaying System Information" on page 3-11.
4-22 Example. show version: This command displays hardware and software version information for the system. Command Mode: Normal Exec, Privileged Exec. Command Usage: See "Displaying Switch Hardware/Software Versions" on page 3-13 for detailed information on the items displayed by this command.
4-23 Frame Size Commands. jumbo frame: This command enables support for jumbo frames. Use the no form to disable it. Syntax: [no] jumbo frame. Default Setting: Disabled. Com.
4-24 File Management Commands. Managing Firmware: Firmware can be uploaded and downloaded to or from a TFTP server. By saving run-time code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation.
4-25 copy: This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
4-26 • The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
4-27 The following example shows how to download a configuration file: This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate: This example shows how to copy a public key used by SSH from a TFTP server.
4-28 delete: This command deletes a file or image. Syntax: delete filename. filename - Name of the configuration file or image name. Command Mode: Privileged Exec. Command Usage • If the file type is used for system startup, then this file cannot be deleted.
4-29 • File information is shown below: Example: The following example shows how to display all file information: whichboot: This command displays which files were booted when the system powered up. Command Mode: Privileged Exec. Example: This example shows the information displayed by the whichboot command.
4-30 boot system: This command specifies the image used to start up the system. Syntax: boot system {boot-rom | config | opcode}: filename. The type of file or image to set as a default includes: • boot-rom* - Boot ROM. • config* - Configuration file.
4-31 Line Commands: You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.
4-32 Command Usage: Telnet is considered a virtual terminal connection and will be shown as “Vty” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
4-33 Example. Related Commands: username (4-77), password (4-33). password: This command specifies the password for a line. Use the no form to remove the password.
4-34 timeout login response: This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default. Syntax: timeout login response [seconds]; no timeout login response. seconds - Integer that specifies the timeout interval.
4-35 Command Mode: Line Configuration. Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. • This command applies to both the local console and Telnet connections.
4-36 Related Commands: silent-time (4-36), timeout login response (4-13). silent-time: This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command.
4-37 Command Usage: The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
4-38 speed: This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax: speed bps; no speed. bps - Baud rate in bits per second.
4-39 Example: To specify 2 stop bits, enter this command: disconnect: This command terminates an SSH, Telnet, or console connection. Syntax: disconnect session-id. session-id – The session identifier for an SSH, Telnet or console connection.
4-40 Example: To show all lines, enter this command: Event Logging Commands. Console#show line Console Configuration: Password Threshold: 3 times Interactive Timeout: 600 sec.
4-41 logging on: This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process.
4-42 logging history: This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax: logging history {flash | ram} level; no logging history {flash | ram}. • flash - Event history stored in flash memory (i.
4-43 logging host: This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax: [no] logging host host_ip_address. host_ip_address - The IP address of a syslog server.
4-44 logging trap: This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.
4-45 Related Commands: show logging (4-45). show logging: This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
4-46 The following example displays settings for the trap function. Related Commands: show logging sendmail (4-50). show log: This command displays the system and event messages stored in memory. Syntax: show log {flash | ram} [login]. • flash - Event history stored in flash memory (i.
4-47 Example: The following example shows sample messages stored in RAM. SMTP Alert Commands: These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
4-48 Command Mode: Global Configuration. Command Usage • You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.
4-49 logging sendmail source-email: This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address. Syntax: [no] logging sendmail source-email email-address. email-address - The source email address used in alert messages.
4-50 logging sendmail: This command enables SMTP event handling. Use the no form to disable this function. Syntax: [no] logging sendmail. Default Setting: Enabled. Command Mode: Global Configuration. Example. show logging sendmail: This command displays the settings for the SMTP event handler.
4-51 Time Commands: The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
4-52 Example. Related Commands: sntp server (4-52), sntp poll (4-53), show sntp (4-53). sntp server: This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list.
System Management Commands 4-53 4 sntp poll This command sets th e interval between sending time request s when the switch is set to SN TP client mod e. Use the no form to restore to the defaul t. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests.
Command Line Interfa ce 4-54 4 clock timezone This command sets th e time zone for the switch’ s internal clock. Syntax clock timezone name hour hours mi nute minutes { before-utc | after-utc } • name - Name of timezone, usua lly an acronym. (Range: 1-29 charac ters) • hours - Number of hours before/after UTC.
System Management Commands 4-55 4 calendar set This command sets th e system clock. It may be used if there is no time server on your network, or i f you have no t configured the switch t o receive signals from a time server . Syntax calendar set hour min sec { da y month year | month day year } • hour - Hour in 24-hour format.
Command Line Interfa ce 4-56 4 Switch Cluster Commands Switch Clustering is a met hod of grouping switches tog ether to enable centrali zed management through a single unit . Switches that su pport clustering c an be grouped together regard less of physical lo cation or switch type, as lon g as they are connected to the same loc al network.
System Management Commands 4-57 4 Command Usage • To create a switch clust er, first be sure that clusteri ng is enabled on the switch (the default is enabl ed), then set the switch as a Cluster Co mmander. Set a Cluster IP Pool that does not conflict wit h any other IP sub nets in the network.
Command Line Interfa ce 4-58 4 cluster ip-pool This command sets th e cluster IP address pool. Use th e no form to re set to the default address. Syntax cluster ip-pool ip-addres s no cluster ip-poo l ip-address - The base IP address for IP addre sses assigned to cluster Members.
System Management Commands 4-59 4 Command Usage • The maximum number of clus ter Members is 16. • The maximum number of switch Can didates is 100 . Example rcommand This command provides access to a cluster Membe r CLI for configuration. Syntax rcommand id < member -id > member-id - The ID number of the Member switch.
Command Line Interfa ce 4-60 4 show cluster members This command shows the current switch clus ter members. Command Mode Privileged Exec Example show cluster candidates This command shows the discove red Candidate swi tches in the network.
SNMP Commands 4-61 4 SNMP Commands Controls access to thi s switch from management statio ns using the Simple Net work Management Protocol (SNMP), as well as the error types sent to trap managers.
Command Line Interfa ce 4-62 4 snmp-server This command enables the SNMPv3 engine and se rvices for all management cli ents (i.e., versions 1, 2c, 3). Use th e no form to disable the server .
SNMP Commands 4-63 4 Example snmp-server community This command defines the SNMP v1 and v2c community access string. Use th e no form to remove the specified commun ity string.
Command Line Interfa ce 4-64 4 Command Mode Global Configurat ion Example snmp-server contact This command set s the system contact string. Use the no form t o remove the system cont act inf ormation. Syntax snmp-server cont act string no snmp-server cont act string - S tring that desc ribes the system contact information.
SNMP Commands 4-65 4 Example Related Commands snmp-server contact (4-64) snmp-server host This command specifies the recipient of a Simple Ne twork Management Protocol notificati on operation.
Command Line Interfa ce 4-66 4 Command Usage • If you do not en ter an snmp-server host command, no notifi cations are sent. In order to conf igure the switch to sen d SNMP notification s, you must enter at least one snmp-s erver host command. In ord er to enable multipl e hosts, you must issue a separa te snmp-server host command fo r each host.
SNMP Commands 4-67 4 exist, and the switch wil l not authorize SNMP ac cess for the host. However, i f you specify a V3 host with the “noauth” op tion, an SNMP user account will be generated, and the swit ch will authorize SNMP acc ess for the host.
Command Line Interfa ce 4-68 4 Related Commands snmp-server host (4-65) snmp-server engine-id This command configures an iden tification stri ng for the SNMPv3 engine.
SNMP Commands 4-69 4 Related Commands snmp-server host (4-65) show snmp en gine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example This example shows the defaul t engine ID. snmp-server view This command adds an SNMP view which controls user access to the MIB.
Command Line Interfa ce 4-70 4 Command Usage • Views are used in the snmp-server group command to restrict user acc ess to specified porti ons of the MIB tree. • The predefined view “defau ltview” includes acc ess to the entire MIB tr ee. Examples This view includes MIB-2.
SNMP Commands 4-71 4 show snm p view This command shows information on t he SNMP views. Command Mode Privileged Exec Example snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP grou p.
Command Line Interfa ce 4-72 4 Default Setting • Default groups: publ ic 20 (read only), private 21 (read/writ e) • readview - Every object belonging to the Internet OID space (1.3.6.1). • writeview - Nothin g is defined. • notifyvie w - Nothing is defined.
SNMP Commands 4-73 4 show snmp group Four default group s are provided – SNMP v1 read-onl y access and read/ write access, and SNMPv2c read-only access and read/write access.
Command Line Interfa ce 4-74 4 snmp-server use r This command adds a user to an SNMP g r oup, restricti ng the user t o a specific SNMP Read, W rite, or Notify V iew .
SNMP Commands 4-75 Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
Command Line Interface 4-76 Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.
Authentication Commands 4-77 User Account and Privilege Level Commands The basic commands required for management access are listed in this section.
Command Line Interface 4-78 Command Mode Global Configuration Command Usage • Privilege level 0 provides access to a limited number of the commands which display the current status of the switch, as well as several database clear and reset functions.
Authentication Commands 4-79 Example Related Commands enable (4-11) authentication enable (4-82) privilege This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting.
Command Line Interface 4-80 Command Usage Due to system limitations in the current software, privilege commands (page 4-79) entered during the current switch session will not be stored properly in the running-config file (see show running-config on page 4-18).
Authentication Commands 4-81 authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[local] [radius] [tacacs]} no authentication login • local - Use local password.
Command Line Interface 4-82 authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-11). Use the no form to restore the default.
Authentication Commands 4-83 RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.
Command Line Interface 4-84 Example radius-server port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server port port-number no radius-server port port-number - RADIUS server UDP port used for authentication messages.
Authentication Commands 4-85 radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number-of-retries no radius-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Command Line Interface 4-86 Example TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network.
Authentication Commands 4-87 tacacs-server host This command specifies the TACACS+ server. Use the no form to restore the default. Syntax [no] tacacs-server index host host-ip-address [port port-number] [timeout timeout] [retransmit retransmit] [key key] • index - Specifies the index number of the server.
Command Line Interface 4-88 Example tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key-string no tacacs-server key key-string - Encryption key used to authenticate logon access for the client.
Authentication Commands 4-89 tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server.
Command Line Interface 4-90 AAA Commands The Authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
Authentication Commands 4-91 Example server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} • index - Specifies the server index.
Command Line Interface 4-92 aaa accounting dot1x This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service.
Authentication Commands 4-93 aaa accounting exec This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service.
Command Line Interface 4-94 aaa accounting commands This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service.
Authentication Commands 4-95 aaa accounting update This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval.
Command Line Interface 4-96 Example accounting exec This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line.
Authentication Commands 4-97 Command Mode Line Configuration Example aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service.
Command Line Interface 4-98 authorization exec This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line.
Authentication Commands 4-99 Command Mode Privileged Exec Example Web Server Commands This section describes commands used to configure web browser management access to the switch. ip http port This command specifies the TCP port number used by the web browser interface.
Command Line Interface 4-100 Example Related Commands ip http server (4-100) ip http server This command allows this device to be monitored or configured from a browser.
Authentication Commands 4-101 • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection.
Command Line Interface 4-102 Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • If you change the HTTPS port number, clients attempting to connect to the.
Authentication Commands 4-103 Secure Shell Commands This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
Command Line Interface 4-104 Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example: 10.
Authentication Commands 4-105 d) The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch. e) The switch compares the checksum sent from the client against that computed for the original string it sent.
Command Line Interface 4-106 Related Commands ip ssh crypto host-key generate (4-108) show ssh (4-110) ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation.
Authentication Commands 4-107 Command Mode Global Configuration Example Related Commands show ip ssh (4-109) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size – The size of the server key.
Command Line Interface 4-108 Example ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. • rsa – RSA (Version 1) key type.
Authentication Commands 4-109 Default Setting Clears both the DSA and RSA key. Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
Command Line Interface 4-110 Example show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 1.
Authentication Commands 4-111 show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username] | host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys.
Command Line Interface 4-112 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication.
Authentication Commands 4-113 dot1x default This command sets all configurable dot1x global and port settings to their default values. Command Mode Global Configuration Example dot1x max-req Thi.
Command Line Interface 4-114 Default force-authorized Command Mode Interface Configuration Example dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host.
Authentication Commands 4-115 dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
Command Line Interface 4-116 Related Commands dot1x timeout re-authperiod (4-116) dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client.
Authentication Commands 4-117 dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of seconds.
Command Line Interface 4-118 Example show dot1x This command shows general port authentication related settings on the switch or a specific interface. Syntax show dot1x [statistics] [interface interface] • statistics - Displays dot1x status for each port.
Authentication Commands 4-119 - max-req – Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (page 4-113). - Status – Authorization status (authorized or not).
Command Line Interface 4-120 Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized 1/1 disabled Single-Host ForceAuthorized n/a 1/2 enabled Single-Host auto yes.
Authentication Commands 4-121 Management IP Filter Commands This section describes commands used to configure IP management access to the switch. management This command specifies the client IP addresses that are allowed management access to the switch through various protocols.
Command Line Interface 4-122 Example This example restricts management access to the indicated addresses. show management This command displays the client IP addresses that are allowed management access to the switch through various protocols.
General Security Measures 4-123 General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.
Command Line Interface 4-124 Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
General Security Measures 4-125 Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
Command Line Interface 4-126 Network Access (MAC Address Authentication) Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port.
General Security Measures 4-127 Command Usage The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
Command Line Interface 4-128 indicates untagged VLAN and “t” tagged VLAN. The “Tunnel-Type” attribute should be set to “VLAN,” and the “Tunnel-Medium-Type” attribute set to “802.
General Security Measures 4-129 Example mac-authentication max-mac-count Use this command to set the maximum number of MAC addresses that can be authenticated on a port via 802.1X authentication or MAC authentication. Use the no form of this command to restore the default.
Command Line Interface 4-130 Example show network-access mac-address-table Use this command to display secure MAC address table entries. Syntax show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}] • static - Specifies static address entries.
General Security Measures 4-131 Example DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
Command Line Interface 4-132 ip dhcp snooping This command enables DHCP snooping globally. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping Default Setting Disabl.
General Security Measures 4-133 MAC address verification is enabled, then the packet will only be forwarded if the client’s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header. * If the DHCP packet is not a recognizable type, it is dropped.
Command Line Interface 4-134 packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command (page 4-134).
General Security Measures 4-135 • Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted. Example This example sets port 5 to untrusted.
Command Line Interface 4-136 ip dhcp snooping information option This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function.
General Security Measures 4-137 ip dhcp snooping information policy This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Syntax ip dhcp snooping information policy {drop | keep | replace} • drop - Drops the client’s request packet instead of relaying it.
Command Line Interface 4-138 show ip dhcp snooping This command shows the DHCP snooping configuration settings. Command Mode Privileged Exec Example show ip dhcp snooping binding This command shows the DHCP snooping binding table entries.
General Security Measures 4-139 IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping Commands" on page 4-131).
Command Line Interface 4-140 • When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table.
General Security Measures 4-141 ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
Command Line Interface 4-142 Related Commands ip source-guard (4-139) ip dhcp snooping (4-132) ip dhcp snooping vlan (4-133) show ip source-guard This command shows whether source guard is enabled or disabled on each interface.
Access Control List Commands 4-143 Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type).
Command Line Interface 4-144 access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name • standard – Specifies an ACL that filters packets based on the source IP address.
Access Control List Commands 4-145 permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} • any – Any source IP address.
Command Line Interface 4-146 permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, or source or destination protocol ports, or TCP control codes.
Access Control List Commands 4-147 Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.
Command Line Interface 4-148 Related Commands access-list ip (4-144) show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl-name] • standard – Specifies a standard IP ACL.
Access Control List Commands 4-149 Example Related Commands show ip access-list (4-148) show ip access-group This command shows the ports assigned to IP ACLs.
Command Line Interface 4-150 access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL.
Access Control List Commands 4-151 [no] {permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype protocol [protocol-bitmask]] [no] {permit | deny} tagged-802.
Command Line Interface 4-152 Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Related Commands access-list mac (4-150) show mac access-list This command displays the rules for configured MAC ACLs.
Access Control List Commands 4-153 Example Related Commands show mac access-list (4-152) show mac access-group This command shows the ports assigned to MAC ACLs.
Command Line Interface 4-154 ACL Information show access-list This command shows all ACLs and associated rules. Command Mode Privileged Exec Example show access-group This command shows the port assignments of ACLs.
Interface Commands 4-155 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. interface This command configures an interface type and enters interface configuration mode.
Command Line Interface 4-156 Command Mode Global Configuration Example To specify port 24, enter the following command: description This command adds a description to an interface.
Interface Commands 4-157 Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports.
Command Line Interface 4-158 Command Usage • When auto-negotiation is enabled, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
Interface Commands 4-159 Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
Command Line Interface 4-160 • Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.
Interface Commands 4-161 Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved.
Command Line Interface 4-162 Example The following shows how to configure broadcast storm control at 500 packets per second: clear counters This command clears statistics on an interface. Syntax clear counters interface interface • ethernet unit/port - unit - Stack unit.
Interface Commands 4-163 show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - Stack unit.
Command Line Interface 4-164 show interfaces counters This command displays interface statistics. Syntax show interfaces counters [interface] interface • ethernet unit/port - unit - Stack unit.
Interface Commands 4-165 show interfaces switchport This command displays the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface • ethernet unit/port - unit - Stack unit.
Command Line Interface 4-166 Private-VLAN Mode: NONE Private-VLAN host-association: NONE Private-VLAN Mapping: NONE 802.1Q-tunnel Status: Disable 802.
Link Aggregation Commands 4-167 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery.
Command Line Interface 4-168 Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP system priority. • Ports must have the same port admin key (Ethernet Interface).
Link Aggregation Commands 4-169 lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Command Line Interface 4-170 Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established.
Link Aggregation Commands 4-171 Command Mode Interface Configuration (Ethernet) Command Usage • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier.
Command Line Interface 4-172 • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only ap.
Link Aggregation Commands 4-173 lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link.
Command Line Interface 4-174 show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sysid} • port-channel - Local identifier for a link aggregation group. (Range: 1-32) • counters - Statistics for LACP protocol messages.
Link Aggregation Commands 4-175 Console#show lacp 1 internal Port channel : 1 ------------------------------------------------------------------------- Oper Key : 4 Admin Key : 0 Eth 1/1 ----------.
Command Line Interface 4-176 Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------.
Link Aggregation Commands 4-177 Console#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------------- 1 32768 00-12-CF-.
Command Line Interface 4-178 Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. port monitor This command configures a mirror session.
Mirror Port Commands 4-179 Example The following example configures the switch to mirror received packets from port 6 to 11: show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) • unit - Stack unit.
Command Line Interface 4-180 RSPAN Mirroring Commands Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port. Configuration Guidelines Take the following steps to configure an RSPAN session: 1.
RSPAN Mirroring Commands 4-181 has been configured, MAC address learning will still not be re-started on the RSPAN uplink ports. • IEEE 802.1X – RSPAN and 802.
Command Line Interface 4-182 • The source port and destination port cannot be configured on the same switch. Example The following example configures the switch to mirror received packets from ports 2 and 3: rspan destination Use this command to specify the destination port to monitor the mirrored traffic.
RSPAN Mirroring Commands 4-183 Example The following example configures port 4 to receive mirrored RSPAN traffic: rspan remote vlan Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports.
Command Line Interface 4-184 switchport allowed vlan command (page 4-226). Nor can GVRP dynamically add port members to an RSPAN VLAN. Also, note that the show vlan command (page 4-228) will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
Rate Limit Commands 4-185 Command Mode Privileged Exec Example Rate Limit Commands This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
Command Line Interface 4-186 Command Mode Interface Configuration (Ethernet, Port Channel) Example Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through the switch ports.
Power over Ethernet Commands 4-187 Default Setting 375 watts Command Mode Global Configuration Command Usage • Setting a maximum power budget for the switch enables power to be centrally managed, preventing overload conditions at the power source.
Command Line Interface 4-188 Example power inline This command instructs the switch to automatically detect if a PoE-compliant device is connected to the specified port, and turn power on or off accordingly. Use the no form to turn off power for a port.
Power over Ethernet Commands 4-189 power inline maximum allocation This command limits the power allocated to specific ports. Use the no form to restore the default setting. Syntax power inline maximum allocation [milliwatts] no power inline maximum allocation milliwatts - The maximum power budget for the port.
Command Line Interface 4-190 Command Usage • If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to control the supplied power. For example: - A device connected to a low-priority port that causes the switch to exceed its budget is not supplied power.
Power over Ethernet Commands 4-191 show power inline status This command displays the current power status for all ports or for specific ports. Syntax show power inline status [interface] interface ethernet • unit - Stack unit. (Range: 1) • port - Port number.
Command Line Interface 4-192 show power mainpower Use this command to display the current power status for the switch. Command Mode Privileged Exec Example Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Power over Ethernet Commands 4-193 mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id • mac-address - MAC address.
Command Line Interface 4-194 clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries.
Power over Ethernet Commands 4-195 means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” • The maximum number of address entries is 8191.
Command Line Interface 4-196 Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Spanning Tree Commands 4-197 spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.
Command Line Interface 4-198 Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. - This creates one spanning tree instance for the entire network.
Spanning Tree Commands 4-199 Default Setting 15 seconds Command Mode Global Configuration Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.
Command Line Interface 4-200 spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds.
Spanning Tree Commands 4-201 4 Default Setting 32768 Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device.
Command Line Interface 4-202 4 spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds.
Spanning Tree Commands 4-203 4 mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Using the no form without any VLAN parameters removes all VLANs. Syntax [no] mst instance_id vlan vlan-range • instance_id - Instance identifier of the spanning tree.
Command Line Interface 4-204 4 Default Setting 32768 Command Mode MST Configuration Command Usage • MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device.
Spanning Tree Commands 4-205 4 revision This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number number - Revision number of the spanning tree.
Command Line Interface 4-206 4 bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped. Example spanning-tree spanning-disabled This command disables the spanning tree algorithm for the specified interface.
Spanning Tree Commands 4-207 4 Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode.
Command Line Interface 4-208 4 spanning-tree port-priority This command configures the priority for the specified interface. Use the no form to restore the default. Syntax spanning-tree port-priority priority no spanning-tree port-priority priority - The priority for a port.
Spanning Tree Commands 4-209 4 devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during rec.
Command Line Interface 4-210 4 Related Commands spanning-tree edge-port (4-208) spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree.
Spanning Tree Commands 4-211 4 spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id cost cost no spanning-tree mst instance_id cost • instance_id - Instance identifier of the spanning tree.
Command Line Interface 4-212 4 spanning-tree mst port-priority This command configures the interface priority on a spanning instance in the Multiple Spanning Tree.
Spanning Tree Commands 4-213 4 Command Usage If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode.
Command Line Interface 4-214 4 Example Console#show spanning-tree Spanning-tree information ----------------------------------------------------------------- Spanning Tree Mode: MSTP Spanning Tree Enabled/Disabled: Enabled Instance: 0 VLANs Configuration: 1-4094 Priority: 32768 Bridge Hello Time (sec.
VLAN Commands 4-215 4 show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
Command Line Interface 4-216 4 GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
VLAN Commands 4-217 4 show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See "Displaying Basic VLAN Information" on page 3-168 and "Displaying Bridge Extension Capabilities" on page 3-15 for a description of the displayed items.
Command Line Interface 4-218 4 show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - Stack unit.
VLAN Commands 4-219 4 Command Usage • Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate.
Command Line Interface 4-220 4 Related Commands garp timer (4-218) Editing VLAN Groups vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting None Command Mode Global Configuration Command Usage • Use the VLAN database command mode to add, change, and delete VLANs.
VLAN Commands 4-221 4 vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan] no vlan vlan-id [name | state] • vlan-id - ID of configured VLAN.
Command Line Interface 4-222 4 Configuring VLAN Interfaces interface vlan This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface. Syntax interface vlan vlan-id vlan-id - ID of the configured VLAN.
VLAN Commands 4-223 4 switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {access | hybrid | trunk | private-vlan} no switchport mode • access - Specifies an access VLAN interface.
Command Line Interface 4-224 4 switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged.
VLAN Commands 4-225 4 • If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
Command Line Interface 4-226 4 switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add.
VLAN Commands 4-227 4 switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan • add vlan-list - List of VLAN identifiers to add.
Command Line Interface 4-228 4 Displaying VLAN Information show vlan This command shows VLAN information. Syntax show vlan [id vlan-id | name vlan-name | private-vlan private-vlan-type] • id - Keyword to be followed by the VLAN ID. vlan-id - ID of the configured VLAN.
VLAN Commands 4-229 4 Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs.
Command Line Interface 4-230 4 reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports. dot1q-tunnel system-tunnel-control This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode.
VLAN Commands 4-231 4 • When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag added to the outer tag.
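As an added example that is not part of the manual, the following Python models the QinQ tag handling just described: whatever tags the customer frame carries stay in place as inner tags, and the service provider's SPVLAN tag is pushed as the outer tag. It assumes an outer TPID of 0x88A8 (802.1ad) instead of reading the switch's configured tunnel ethertype, and the MAC addresses and payload are constructed.

```python
"""
Added example (not from the SMC manual): builds and parses 802.1Q tags to show
the QinQ rule where a tunnel uplink port keeps the customer tag(s) as inner
tag(s) and pushes the service provider VLAN (SPVLAN) tag as the outer tag.
The outer TPID is assumed to be 0x88A8 (802.1ad); the switch's configurable
tunnel ethertype is not read here.
"""
import struct

TPID_CUSTOMER = 0x8100       # 802.1Q customer tag
TPID_SERVICE = 0x88A8        # 802.1ad service tag (assumed outer TPID)
KNOWN_TPIDS = {TPID_CUSTOMER, TPID_SERVICE, 0x9100}
ETH_HDR_LEN = 12             # destination + source MAC


def build_tag(vid, pcp=0, dei=0, tpid=TPID_CUSTOMER):
    """Return a 4-byte VLAN tag: TPID followed by TCI (PCP:3, DEI:1, VID:12)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("invalid tag field")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)


def parse_frame(frame):
    """Split a frame into addresses, the stack of (tpid, pcp, dei, vid) tags
    (outermost first), the final EtherType and the payload."""
    if len(frame) < ETH_HDR_LEN + 2:
        raise ValueError("frame too short")
    off, tags = ETH_HDR_LEN, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
        if ethertype not in KNOWN_TPIDS:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def push_sp_tag(frame, spvlan, pcp=0, tpid=TPID_SERVICE):
    """Tunnel uplink ingress from a customer: the customer's tags (none, one
    or several) stay in place and the SPVLAN tag is inserted as the outer tag."""
    parse_frame(frame)                      # reject malformed input
    return frame[:ETH_HDR_LEN] + build_tag(spvlan, pcp, 0, tpid) + frame[ETH_HDR_LEN:]


def pop_outer_tag(frame):
    """Tunnel egress toward the customer: strip only the outer SP tag."""
    if not parse_frame(frame)["tags"]:
        raise ValueError("frame carries no VLAN tag")
    return frame[:ETH_HDR_LEN] + frame[ETH_HDR_LEN + 4:]


def demo():
    """Constructed sample: a customer frame on VLAN 100 tunnelled in SPVLAN 500."""
    dst = bytes.fromhex("010203040506")     # constructed addresses
    src = bytes.fromhex("0a0b0c0d0e0f")
    payload = b"\x45\x00" + b"\x00" * 18    # constructed IPv4-looking stub
    customer = dst + src + build_tag(100, pcp=5) + struct.pack("!H", 0x0800) + payload
    tunnelled = push_sp_tag(customer, spvlan=500, pcp=3)
    return customer, tunnelled


if __name__ == "__main__":
    c, t = demo()
    print([tag[3] for tag in parse_frame(t)["tags"]])   # [500, 100]
```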
Command Line Interface 4-232 4 Example Related Commands show interfaces switchport (4-165) show dot1q-tunnel This command displays information about QinQ tunnel ports.
VLAN Commands 4-233 4 Configuring Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
Command Line Interface 4-234 4 Example pvlan up-link/down-link This command configures uplink/downlink ports for traffic-segmentation client sessions. Use the no form to restore a port to normal operating mode. Syntax pvlan [up-link interface-list down-link interface-list] no pvlan • up-link - Specifies an uplink interface.
VLAN Commands 4-235 4 Example Configuring Private VLANs Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs – primary and community groups.
Command Line Interface 4-236 4 To configure primary/community associated groups, follow these steps: 1. Use the private-vlan command to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the community groups.
VLAN Commands 4-237 4 Example private vlan association Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN.
Command Line Interface 4-238 4 switchport mode private-vlan Use this command to set the private VLAN mode for an interface. Use the no form to restore the default setting. Syntax switchport mode private-vlan {host | promiscuous} no switchport mode private-vlan • host – This port type can subsequently be assigned to a community VLAN.
VLAN Commands 4-239 4 Command Usage All ports assigned to a secondary (i.e., community) VLAN can pass traffic between group members, but must communicate with resources outside of the group via promiscuous ports in the associated primary VLAN. Example switchport private-vlan mapping Use this command to map an interface to a primary VLAN.
Command Line Interface 4-240 4 Default Setting None Command Mode Privileged Executive Example Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
VLAN Commands 4-241 4 Ethernet traffic must not be mapped to another VLAN or you will lose administrative network connectivity to the switch. If lost in this manner, network access can be regained by removing the offending Protocol VLAN rule via the console.
Command Line Interface 4-242 4 Default Setting No protocol groups are mapped for any interface. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • When creating a protocol-based VLAN, only assign interfaces via this command.
VLAN Commands 4-243 4 Example This shows protocol group 1 configured for IP over Ethernet: show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces.
Command Line Interface 4-244 4 Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port.
Class of Service Commands 4-245 4 queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues.
Command Line Interface 4-246 4 Default Setting The priority is not set, and the default value for untagged frames received on the interface is zero. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
Class of Service Commands 4-247 4 Default Setting Weights 1, 2, 4, 8 are assigned to queues 0-3 respectively. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • WRR controls bandwidth sharing at the egress port by defining scheduling weights.
Command Line Interface 4-248 4 Default Setting This switch supports Class of Service by using four priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.
Class of Service Commands 4-249 4 show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority queues. Default Setting None Command Mode Privileged Exec Example show queue cos-map This command shows the class of service priority map.
Command Line Interface 4-250 4 Priority Commands (Layer 3 and 4) map ip port (Global Configuration) This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets).
Class of Service Commands 4-251 4 map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting. Syntax map ip port port-number cos cos-value no map ip port port-number • port-number - 16-bit TCP/UDP port number.
Command Line Interface 4-252 4 Example The following example shows how to enable IP precedence mapping globally: map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table.
Class of Service Commands 4-253 4 Default Setting Disabled Command Mode Global Configuration Command Usage The precedence for priority mapping is IP DSCP, and default switchport priority. Example The following example shows how to enable IP DSCP mapping globally: map ip dscp (Interface Configuration) This command sets IP DSCP priority (i.
Command Line Interface 4-254 4 Command Usage • The precedence for priority mapping is IP DSCP, and default switchport priority. • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.
Class of Service Commands 4-255 4 show map ip precedence This command shows the IP precedence priority map. Syntax show map ip precedence [interface] interface • ethernet unit/port - unit - Stack unit.
Command Line Interface 4-256 4 Command Mode Privileged Exec Example Related Commands map ip dscp (Global Configuration) (4-252) map ip dscp (Interface Configuration) (4-253) Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 0 0 Eth 1/ 1 1 0 Eth 1/ 1 2 0 Eth 1/ 1 3 0 .
Quality of Service Commands 4-257 4 Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs.
Command Line Interface 4-258 4 5. Use the set command to modify the QoS value for matching traffic class, and use the policer command to monitor the average flow and burst rate, and drop any traffic that exceeds the specified rate, or just reduce the DSCP service level for traffic exceeding the specified rate.
Quality of Service Commands 4-259 4 match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan} • acl-name - Name of the access control list.
Command Line Interface 4-260 4 rename This command redefines the name of a class map or policy map. Syntax rename map-name map-name - Name of the class map or policy map. (Range: 1-16 characters) Command Mode Class Map Configuration Policy Map Configuration Example description This command specifies the description of a class map or policy map.
Quality of Service Commands 4-261 4 policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode.
Command Line Interface 4-262 4 Command Mode Policy Map Configuration Command Usage • Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode.
Quality of Service Commands 4-263 4 incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets. police This command defines a policer for classified traffic.
Command Line Interface 4-264 4 service-policy This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface. Syntax [no] service-policy input policy-map-name • input - Apply to the input traffic.
Quality of Service Commands 4-265 4 Example show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations. Syntax show policy-map [policy-map-name [class class-map-name]] • policy-map-name - Name of the policy map.
Command Line Interface 4-266 4 Command Mode Privileged Exec Example Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service.
Multicast Filtering Commands 4-267 4 ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping.
Command Line Interface 4-268 4 ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default.
Multicast Filtering Commands 4-269 4 • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group.
Command Line Interface 4-270 4 Example The following shows how to enable immediate leave. show ip igmp snooping This command shows the IGMP snooping configuration.
Multicast Filtering Commands 4-271 4 Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER, depending on selected options.
Command Line Interface 4-272 4 Command Usage • IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version, page 4-268). • If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
Multicast Filtering Commands 4-273 4 ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages.
Command Line Interface 4-274 4 Example The following shows how to configure the maximum response time to 20 seconds: Related Commands ip igmp snooping version (4-268) ip igmp snooping router-port-expire-time This command configures the query timeout.
Multicast Filtering Commands 4-275 4 Static Multicast Routing Commands This section describes commands used to configure static multicast routing on the switch. ip igmp snooping vlan mrouter This command statically configures a multicast router port.
Command Line Interface 4-276 4 show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs.
Multicast Filtering Commands 4-277 4 IGMP Filtering and Throttling Commands In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
Command Line Interface 4-278 4 • The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic. Example ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode.
Multicast Filtering Commands 4-279 4 • When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range.
Command Line Interface 4-280 4 Command Mode Interface Configuration Command Usage • The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface. • Only one profile can be assigned to an interface.
Multicast Filtering Commands 4-281 4 Example ip igmp max-groups action This command sets the IGMP throttling action for an interface on the switch. Syntax ip igmp max-groups action {replace | deny} • replace - The new multicast group replaces an existing group.
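The following Python is an added example, not the switch's own code, modelling the decisions described on the preceding pages for an IGMP filter profile's permit/deny access mode and the max-groups throttling action on an interface. The profile range, group limit and join sequence are constructed, and replacing the oldest membership under the replace action is this model's assumption (the manual only says an existing group is replaced).

```python
"""
Added example (not the switch's own code): a model of the IGMP filtering and
throttling decisions described for the ip igmp profile access mode and the
ip igmp max-groups action command. Profile ranges and limits are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IgmpProfile:
    """An IGMP filter profile: an access mode plus one or more controlled ranges."""
    number: int
    access: str                          # "permit" or "deny"
    ranges: List[Tuple[str, str]]        # inclusive (start, end) group address ranges

    def __post_init__(self):
        if self.access not in ("permit", "deny"):
            raise ValueError("access mode must be permit or deny")
        self._ranges = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
                        for a, b in self.ranges]

    def in_controlled_range(self, group: str) -> bool:
        g = ipaddress.IPv4Address(group)
        return any(lo <= g <= hi for lo, hi in self._ranges)

    def allows(self, group: str) -> bool:
        """permit: process joins only for groups inside the controlled range.
        deny: process joins only for groups outside the controlled range."""
        inside = self.in_controlled_range(group)
        return inside if self.access == "permit" else not inside


@dataclass
class IgmpPort:
    """Per-interface state: at most one profile, an optional max-groups limit,
    and the throttling action taken once that limit is reached."""
    profile: Optional[IgmpProfile] = None
    max_groups: Optional[int] = None
    action: str = "deny"                 # "replace" or "deny"
    groups: List[str] = field(default_factory=list)   # joined groups, oldest first

    def join(self, group: str) -> str:
        """Apply filtering, then throttling, to one IGMP join report.
        Returns 'joined', 'filtered', 'throttled' or 'replaced <old-group>'."""
        if not ipaddress.IPv4Address(group).is_multicast:
            raise ValueError(f"{group} is not a multicast group address")
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"
        if group in self.groups:
            return "joined"               # refresh of an existing membership
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "replace":
                # The manual only says the new group replaces "an existing group";
                # replacing the oldest membership is this model's assumption.
                old = self.groups.pop(0)
                self.groups.append(group)
                return f"replaced {old}"
            return "throttled"
        self.groups.append(group)
        return "joined"

    def leave(self, group: str) -> bool:
        """Remove a membership; returns True if the port was a member."""
        if group in self.groups:
            self.groups.remove(group)
            return True
        return False


def run_demo() -> List[str]:
    """Constructed sample: a permit profile covering 239.1.1.1-239.1.1.10,
    a two-group limit, and the replace action."""
    profile = IgmpProfile(1, "permit", [("239.1.1.1", "239.1.1.10")])
    port = IgmpPort(profile=profile, max_groups=2, action="replace")
    joins = ["239.1.1.2", "239.2.0.1", "239.1.1.3", "239.1.1.4"]
    return [f"{g}: {port.join(g)}" for g in joins]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```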
Command Line Interface 4-282 4 Command Mode Privileged Exec Example show ip igmp profile This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number.
Multicast Filtering Commands 4-283 4 show ip igmp throttle interface This command displays the interface settings for IGMP throttling. Syntax show ip igmp throttle interface [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
Command Line Interface 4-284 4 Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network.
Multicast Filtering Commands 4-285 4 Command Mode Global Configuration Command Usage • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN.
Command Line Interface 4-286 4 mvr (Interface Configuration) This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword.
Multicast Filtering Commands 4-287 4 • Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message.
Command Line Interface 4-288 4 Default Setting Displays global configuration settings for MVR when no keywords are used. Command Mode Privileged Exec Command Usage Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN.
Multicast Filtering Commands 4-289 4 The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN: Status Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch.
Command Line Interface 4-290 4 Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation.
Domain Name Service Commands 4-291 4 Command Usage Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.
Command Line Interface 4-292 4 Default Setting None Command Mode Global Configuration Example Related Commands ip domain-list (4-292) ip name-server (4-293) ip domain-lookup (4-294) ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.
Domain Name Service Commands 4-293 4 Example This example adds two domain names to the current list and then displays the list. Related Commands ip domain-name (4-291) ip name-server This command specifies the address of one or more domain name servers to use for name-to-address resolution.
Command Line Interface 4-294 4 Example This example adds two domain-name servers to the list and then displays the list. Related Commands ip domain-name (4-291) ip domain-lookup (4-294) ip domain-lookup This command enables DNS host name-to-address translation.
Domain Name Service Commands 4-295 4 Related Commands ip domain-name (4-291) ip name-server (4-293) show hosts This command displays the static host name-to-address mapping table. Command Mode Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
Command Line Interface 4-296 4 show dns cache This command displays entries in the DNS cache. Command Mode Privileged Exec Example clear dns cache This command clears all entries in the DNS cache. Command Mode Privileged Exec Example Console#show dns cache NO FLAG TYPE DOMAIN TTL IP 0 4 Address www.
IP Interface Commands 4-297 4 IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
Command Line Interface 4-298 4 • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address.
IP Interface Commands 4-299 4 Related Commands show ip redirects (4-300) ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Comman.
Command Line Interface 4-300 4 Related Commands show ip redirects (4-300) show ip redirects This command shows the default gateway configured for this device.
IP Interface Commands 4-301 4 • Press <Esc> to stop pinging. Example Related Commands interface (4-155) Console#ping 10.1.0.9 Type ESC to abort.
A-1 Appendix A: Software Specifications Software Features Authentication and General Security Measures Local, RADIUS, TACACS, Port (802.1X, MAC Authentication), AAA, HTTPS, SSH, Port Security, .
Software Specifications A-2 A Multicast Filtering IGMP Snooping (Layer 2) Multicast VLAN Registration Quality of Service DiffServ supports class maps, policy maps, and service policies Additiona.
Management Information Bases A-3 A DHCP Client (RFC 2131) DHCP Options (RFC 2132) HTTPS IGMP (RFC 1112) IGMPv2 (RFC 2236) IGMPv3 (RFC 3376) - partial support RADIUS+ (RFC 2618) RMON (RFC 2819 groups 1,2,3,9) SNMP (RFC 1157) SNMPv2 (RFC 2571) SNMPv3 (RFC DRAFT 2273, 2576, 3410, 3411, 3414, 3415) SNTP (RFC 2030) SSH (Version 2.
Software Specifications A-4 A SNMP View Based ACM MIB (RFC 3415) TACACS+ Authentication Client MIB TCP MIB (RFC 2013) Trap (RFC 1215) UDP MIB (RFC 2013).
B-1 Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Telnet, web browser, or SNMP software • Be sure the switch is powered up. • Check network cabling between the management station and the switch.
Troubleshooting B-2 B Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1.
Glossary-1 Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.
Glossary Glossary-2 DHCP Snooping A technique used to enhance network security by snooping on DHCP server messages to track the physical location of hosts, ensure that hosts only use the IP addresses assigned to them, and ensure that only authorized DHCP servers are accessible.
Glossary-3 Glossary IEEE 802.1p An IEEE standard for providing quality of service (QoS) in Ethernet networks. The standard uses packet tags that define up to eight traffic classes and allows switches to transmit packets based on the tagged priority value.
Glossary Glossary-4 IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts. IP Precedence The Type of Service (ToS) octet in the IPv4 header.
Glossary-5 Glossary Multiple Spanning Tree Protocol (MSTP) MSTP can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group.
Glossary Glossary-6 Remote Monitoring (RMON) RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.
Glossary-7 Glossary Transmission Control Protocol/Internet Protocol (TCP/IP) Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol. Trivial File Transfer Protocol (TFTP) A TCP/IP protocol commonly used for software downloads.
Index-1 Numerics 802.1Q tunnel 3-178, 4-229 access 3-183, 4-230 configuration, guidelines 3-181 configuration, limitations 3-180 description 3-178 ethernet type 3-182, 4-231 interface configuration 3-182, 4-230–4-231 mode selection 3-183, 4-230 status, configuring 3-181, 4-230 TPID 3-182, 4-231 uplink 3-183, 4-230 802.
Index-2 Index D default gateway, configuration 3-16, 4-298 default priority, ingress port 3-189, 4-245 default settings, system 1-6 DHCP 3-18, 4-297 client 3-16, 4-297 dynamic configuration 2-5 DH.
Index-3 Index IGMP filter profiles, configuration 3-219, 4-277 filter, parameters 3-219, 4-277 filtering & throttling, creating profile 3-218, 4-278 filtering & throttling, enabling 3-21.
Index-4 Index MSTP 3-158, 4-197 configuring 3-158, 4-202–4-213 global settings, configuring 3-147, 3-158, 4-196, 4-203–4-205 global settings, displaying 3-144, 4-213 interface settings, co.
Index-5 Index problems, troubleshooting B-1 profiles, IGMP filter 3-219, 4-278 promiscuous ports 4-235 protocol migration 3-156, 4-212 protocol VLANs 3-185, 4-240 configuring 3-186, 4-241 interface.
Index-6 Index STA 3-142, 4-196 edge port 3-153, 3-156, 4-208 global settings, configuring 3-147, 4-197–4-202 global settings, displaying 3-144, 4-213 interface settings, configuring 3-154, 4-206.
Index-7 Index V VLANs 3-164, 3-185, 3-189, 4-215, 4-228 802.1Q tunnel mode 3-183, 4-230 adding static members 3-173, 3-175, 4-226 creating 3-170, 4-221 description 3-164, 3-189 displaying basic in.
149100000023A R01 SMC8126PL2-F