        TigerSwitch 10/100 Management Guide
         Contents
1. Forwarding Tagged/Untagged Frames

If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.

Ports can be assigned to multiple tagged or untagged VLANs. Each port on the switch is therefore capable of passing tagged or untagged frames. When forwarding a frame from this switch along a path that contains any VLAN-aware devices, the switch should include VLAN tags. When forwarding a frame from this switch along a path that does not contain any VLAN-aware devices (including the destination host), the switch must first strip off the VLAN tag before forwarding the frame. When the switch receives a tagged frame, it will pass this frame onto the VLAN(s) indicated by the frame tag. However, when this switch receives an untagged frame from a VLAN-unaware device, it first decides where to forward the frame, and then inserts a VLAN tag reflecting the ingress port's default VID.

VLAN CONFIGURATION

Enabling or Disabling GVRP (Global Setting)

GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN i
2. Menu | Description | Page
Port Configuration | Specifies default PVID and VLAN attributes | 3-153
Trunk Configuration | Specifies default trunk VID and VLAN attributes | 3-153
Private VLAN | | 3-156
Information | Displays Private VLAN feature information | 3-157
Configuration | This page is used to create/remove primary or community VLANs | 3-159
Association | Each community VLAN must be associated with a primary VLAN | 3-160
Port Information | Shows VLAN port type, and associated primary or secondary VLANs | 3-161
Port Configuration | Sets the private VLAN interface type, and associates the interfaces with a private VLAN | 3-162
Trunk Information | Shows VLAN port type, and associated primary or secondary VLANs | 3-161
Trunk Configuration | Sets the private VLAN interface type, and associates the interfaces with a private VLAN | 3-162
Priority | | 3-165
Default Port Priority | Sets the default priority for each port | 3-165
Default Trunk Priority | Sets the default priority for each trunk | 3-165
Traffic Classes | Maps IEEE 802.1p priority tags to output queues | 3-167
Traffic Classes Status | Enables/disables traffic class priorities (not implemented) | NA
Queue Mode | Sets queue mode to strict priority or Weighted Round Robin | 3-169

CONFIGURING THE SWITCH

Table 3-2 Main Menu (Continued)

Menu | Description | Page
Queue Scheduling | Configures Weighted Round Robin queueing | 3-170
IP Precedence 
3. [Figure 3-40: Displaying Port/Trunk Information]

Field Attributes (CLI)

Basic Information:
- Port type - Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP)
- MAC address - The physical layer address for this port. (To access this item on the web, see "Setting the Switch's IP Address" on page 3-17.)

Configuration:
- Name - Interface label.
- Port admin - Shows if the interface is enabled or disabled (i.e., up or down).
- Speed-duplex - Shows the current speed and duplex mode. (Auto, or fixed choice)

PORT CONFIGURATION

- Capabilities - Specifies the capabilities to be advertised for a port during auto-negotiation. (To access this item on the web, see "Conf
4. Command Attributes

- Port - Port identifier.
- Name - Name of ACL. (For information on configuring ACLs, see page 3-77.)
- Type - Type of ACL (IP or MAC).

CLASS OF SERVICE CONFIGURATION

- CoS Priority - CoS value used for packets matching an IP ACL rule. (Range: 0-7)
- ACL CoS Priority Mapping - Displays the configured information.

Web - Click Priority, ACL CoS Priority. Enable mapping for any port, select an ACL from the scroll-down list, then click Add.

[Figure 3-81: ACL CoS Priority]

CLI - This example assigns a CoS value of zero to packets matching rules within the specified ACL on port 24.

    Console(config)#interface ethernet 1/24              4-144
    Console(config-if)#map access-list ip bill cos 0     4-126
    Console(config-if)#

CONFIGURING THE SWITCH

Multicast Filtering

Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicas
5. Figure 3-57 STA Configuration

SPANNING TREE ALGORITHM CONFIGURATION

CLI - This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters.

    Console(config)#spanning-tree                          4-183
    Console(config)#spanning-tree mode rstp                4-184
    Console(config)#spanning-tree priority 45056           4-187
    Console(config)#spanning-tree hello-time 5             4-185
    Console(config)#spanning-tree max-age 38               4-186
    Console(config)#spanning-tree forward-time 20          4-185
    Console(config)#spanning-tree pathcost method long     4-188
    Console(config)#spanning-tree transmission-limit 4     4-188
    Console(config)#

Displaying Interface Settings

The STA Port Information and STA Trunk Information pages display the current status of ports and trunks in the Spanning Tree.

Field Attributes

- Spanning Tree - Shows if STA has been enabled on this interface.
- STA Status - Displays current state of this port within the Spanning Tree:
  - Discarding - Port receives STA configuration messages, but does not forward packets.
  - Learning - Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses.
  - Forwarding - Port forwards packets, and continues learning addresses.

The rules defining port status are:

- A port on a network segment with no other STA compliant bridgin
6. ip telnet port

This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.

Syntax

    ip telnet port port-number
    no ip telnet port

port-number - The TCP port to be used by the browser interface. (Range: 1-65535)

SYSTEM MANAGEMENT COMMANDS

Default Setting

23

Command Mode

Global Configuration

Example

    Console(config)#ip telnet port 123
    Console(config)#

Related Commands

ip telnet server (4-45)

ip telnet server

This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.

Syntax

    [no] ip telnet server

Default Setting

Enabled

Command Mode

Global Configuration

Example

    Console(config)#ip telnet server
    Console(config)#

Related Commands

ip telnet port (4-44)

COMMAND LINE INTERFACE

Secure Shell Commands

The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.

The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkeley remote access tools. SSH can also provide remote management access to this switch as a secure rep
7. Command | Function | Mode | Page
logging sendmail host | SMTP servers to receive alert messages | GC | 4-68
logging sendmail level | Severity threshold used to trigger alert messages | GC | 4-69
logging sendmail source-email | Email address used for "From" field of alert messages | GC | 4-70
logging sendmail destination-email | Email recipients of alert messages | GC | 4-70
logging sendmail | Enables SMTP event handling | GC | 4-71
show logging sendmail | Displays SMTP event handler settings | NE, PE | 4-71

logging sendmail host

This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.

Syntax

    [no] logging sendmail host ip_address

ip_address - IP address of an SMTP server that will be sent alert messages for event handling.

Default Setting

None

Command Mode

Global Configuration

Command Usage

- You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.

SYSTEM MANAGEMENT COMMANDS

- To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
- To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again. If it still fa
8. Figure 3-83 Multicast Router Port Information

CLI - This example shows that Port 11 has been statically configured as a port attached to a multicast router.

    Console#show ip igmp snooping mrouter vlan 1     4-248
     VLAN M'cast Router Port Type
        1 Eth 1/11 Static
    Console#

Specifying Static Interfaces for a Multicast Router

Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router. This can ensure that multicast traffic is passed to all the appropriate interfaces within the switch.

Command Attributes

- Interface - Activates the Port or Trunk scroll-down list.

CONFIGURING THE SWITCH

- VLAN ID - Selects the VLAN to propagate all multicast traffic coming from the attached multicast router.
- Port or Trunk - Specifies the interface attached to a multicast router.

Web - Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply.

Static Multicast Router Port Confi
9. Negating the Effect of Commands

For many configuration commands you can enter the prefix keyword "no" to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands.

Using Command History

The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key. Any command displayed in the history list can be executed again, or first modified and then executed.

Using the show history command displays a longer list of recently executed commands.

COMMAND LINE INTERFACE

Understanding Command Modes

The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode. You can always enter a question mark "?" at the prompt to display a list of the commands available for the current mode. The command classes and associated modes are displayed in the following table:

Table 4-1 Command Modes

Class | Mode
Exec | Normal, Privileged
Configuration | Globa
10. Ports assigned to a common port channel must meet the following criteria:

- Ports must have the same LACP System Priority.
- Ports must have the same LACP port Admin Key.
- However, if the "port channel" Admin Key is set (page 4-142), then the port Admin Key must be set to the same value for a port to be allowed to join a channel group.

PORT CONFIGURATION

Note: If the port channel admin key (lacp admin-key, page 4-170) is not set (through the CLI) when a channel group is formed (i.e., it has a null value of 0), this key is set to the same value as the port admin key used by the interfaces that joined the group (lacp admin-key, as described in this section and on page 4-169).

Command Attributes

Set Port Actor - This menu sets the local side of an aggregate link; i.e., the ports on this switch.

- Port - Port number. (Range: 1-26/52)
- System Priority - LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations. (Range: 0-65535; Default: 32768)
  - Ports must be configured with the same system priority to join the same LAG.
  - System priority is combined with the switch's MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
- Admin Key - The LACP administration key must be set to the same value for ports that belong to the same LAG. 
11. Related Commands

username (4-35)
password (4-17)

password

This command specifies the password for a line. Use the no form to remove the password.

Syntax

    password {0 | 7} password
    no password

- {0 | 7} - 0 means plain password, 7 means encrypted password.
- password - Character string that specifies the line password. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive)

Default Setting

No password is specified.

Command Mode

Line Configuration

Command Usage

- When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
- The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.

COMMAND LINE INTERFACE

Example

    Console(config-line)#password 0 secret
    Console(config-line)#

Related Commands

login (4-16)
password-thresh (4-20)

timeout login response

This command sets the interval that the system waits for a user to log int
12. [Figure 3-7: DHCP IP Configuration]

Note: If you lose your management connection, use a console connection and enter "show ip interface" to determine the new switch address.

CONFIGURING THE SWITCH

CLI - Specify the management interface, and set the IP address mode to DHCP or BOOTP, and then enter the "ip dhcp restart" command.

    Console#config
    Console(config)#interface vlan 1          4-144
    Console(config-if)#ip address dhcp        4-249
    Console(config-if)#end
    Console#ip dhcp restart                   4-251
    Console#show ip interface                 4-252
     IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
     and address mode: dhcp
    Console#

Renewing DHCP - DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.

Web - If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available.

CLI - Enter the following command to restart DHCP service.

    Console#ip dhcp restart                   4-251
    Console#

BASIC CONFIGU
13.       eese essen 3 92  Static Trunk Configuration    0 6 0 6    cece eee 3 95  LACP Trunk Configuration          0 00000    eee 3 97  LACP   Aggregation Port        6    cee eee eee 3 100  LACP   Port Counters Information                 3 102  LACP   Port Internal Information                  3 105  LACP   Port Neighbors Information               3 107  Port Broadcast Control          0c ee eee 3 109  Mirror Port Configuration      oooooooccccooom    3 111  Rate Limit Granularity Configuration               3 112  Output Rate Limit Port Configuration              3 114  Port Statistics  cu 4b euh e ac d ae e AS 3 119  Configuring a Static Address Table                 3 122  Configuring a Dynamic Address Table              3 123  Setting the Address Aging Time       oooommm      3 124  SEA TAO MATO jo c vais mo HO LO DRE 3 128  STA Configuration        sees 3 132  STA Port Information         0 0 0    cece eee eee 3 136  STA Port Configuration         lesse 3 140  Enabling GVRP  1035 p eg Joa 3 145  VLAN Basic Information              00 000 e eee 3 146  Displaying Current VLANs          essere 3 147  Configuring a VLAN Static List         ooooo o     3 149  Configuring a VLAN Static Table                  3 151  VLAN Static Membership by Port                  3 152  VLAN Port Configuration 1 2    00    cece eee eee 3 155  Private VLAN Information               0 00005 3 158  Private VLAN Configuration      oooooooccccoooo   3 159  Private VLAN Association         00 0000 ce
14. Console#show lacp 1 internal          4-172
    Port channel: 1
    Oper Key: 120
    Admin Key: 0
    Eth 1/1
     LACPDUs Internal: 30 sec
     LACP System Priority: 3
     LACP Port Priority: 128
     Admin Key: 120
     Oper Key: 120
     Admin State: defaulted, aggregation, long timeout, LACP-activity
     Oper State: distributing, collecting, synchronization, aggregation, long timeout, LACP-activity

CONFIGURING THE SWITCH

Displaying LACP Settings and Status for the Remote Side

You can display configuration settings and the operational state for the remote side of an link aggregation.

Table 3-8 LACP Neighbor Configuration Information

Field | Description
Partner Admin System ID | LAG partner's system ID assigned by the user.
Partner Oper System ID | LAG partner's system ID assigned by the LACP protocol.
Partner Admin Port Number | Current administrative value of the port number for the protocol Partner.
Partner Oper Port Number | Operational port number assigned to this aggregation port by the port's protocol partner.
Port Admin Priority | Current administrative value of the port priority for the protocol partner.
Port Oper Priority | Priority value assigned to this aggregation port by the partner.
Admin Key | Current administrative value of the Key for the protocol partner.
Oper Key | Current operational value of the Key for the protocol partner.
Admin State | Administrative values 
15. GLOSSARY

IGMP Query

On each subnetwork, one IGMP-capable device will act as the querier, that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.

Internet Group Management Protocol (IGMP)

A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the "querier" and assumes responsibility for keeping track of group membership.

In-Band Management

Management of the network from a station attached directly to the network.

IP Multicast Filtering

A process whereby this switch can pass multicast traffic along to participating hosts.

IP Precedence

The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The eight values are mapped one-to-one to the Class of Service categories by default, but may be configured differently to suit the requirements for specific network applications.

Layer 2

Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses
16. GLOSSARY

Link Aggregation

See Port Trunk.

Link Aggregation Control Protocol (LACP)

Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.

Management Information Base (MIB)

An acronym for Management Information Base. It is a set of database objects that contains information about a specific device.

MD5 Message Digest Algorithm

An algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.

Multicast Switching

A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group.

Network Time Protocol (NTP)

NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.

Out-of-Band Management

Management of the network from a station not attached to the network.

Port Authentication

See IEEE 802.1X.

Port Mirroring

A method whereby data on a target port is mirrored to a monitor port for troub
17.      iae d sedeo vero pu oven 4 64  show logging    ed Su a ue wed 4 64  show log cs etis ctu rte ud e ens 4 67   SMTP Alert Commands        ssessee ee 4 68  logging sendmail host      oooo oooooooooocccnccoo oo 4 68    vili    CONTENTS       logging sendmail level           0    cece eee eee 4 69  logging sendmail source email    6 6 0 0    0 00000 eee 4 70  logging sendmail destination email                00  4 70  logeiz sendmail 222255 a a a 4 71  show logging sendmail        0    6c cece ooo  4 71  Time Commands aii ius hU M dad e ce eee e 4 72  snip client   iss cte ensi ant Wat 4 73  S  tp Setvet    os ee a see n Das Je d a AUS e ND A 4 74  SUP  poll  aded TES edictis 4 75  show SAP a she i sk Ned ap epe esas s 4 75  ClOCkK TIMEZONE ici Ip APO es ied eae 4 76  Calendar set   s etr oue em Da ela ua Staats 4 77  show calendar  iii dui hada ta Wee NER ERA 4 78  System Status Commands           0    0c cee eee 4 78  show startup config possis ke eee eee ee eee 4 79  show running config   6 6    n 4 81  ShOW SyStetn  oscar ted Shc date es 4 83  SOW  USCIS fis rectors oT oM S UR d Met e d eo ees ed ay 4 84  sh  w version miii 4 84  Frame Size Commands            0    cee cece ee ee eens 4 85  jumbovtrame  2e to denne ovre leue etus 4 85  Flash File Commands            eeeeee RR 4 86  COD     idu concu uoa a A eo t ES  4 87  deletec oes DTE oS PTS Dia uen BEAT D eis Rats 4 90  Mi ap be ue Reps 4 91  whicbboOt 2 04 5 3T doi d dado ds 1d dssdo A d 4 92  DODESYSTE x LEID a APR 
18. [Figure 3-76: IP Precedence/DSCP Priority Status]

CLI - The following example enables IP Precedence service on the switch.

    Console(config)#map ip precedence          4-230
    Console(config)#

Mapping IP Precedence

The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth). Bits 6 and 7 are used for network control, and the other bits for various application types. ToS bits are defined in the following table.

CLASS OF SERVICE CONFIGURATION

Table 3-12 Mapping IP Precedence

Priority Level | Traffic Type
7 | Network Control
6 | Internetwork Control
5 | Critical
4 | Flash Override
3 | Flash
2 | Immediate
1 | Priority
0 | Routine

Command Attributes

- IP Precedence Priority Table - Shows the IP Precedence to CoS map.
- Class of Service Value - Maps a CoS value to the selected IP Precedence value. Note that "0" represents low priority and "7" represent high priority.

Web - Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in the Class of Service Val
19. Changing the Aging Time

You can set the aging time for entries in the dynamic address table.

Command Attributes

- Aging Status - Enables/disables the function.
- Aging Time - The time after which a learned entry is discarded. (Range: 10-30000 seconds; Default: 300 seconds)

Web - Click Address Table, Address Aging. Specify the new aging time, click Apply.

[Figure 3-55: Setting the Address Aging Time]

CLI - This example sets the aging time to 400 seconds.

    Console(config)#mac-address-table aging-time 400     4-180
    Console(config)#

Spanning Tree Algorithm Configuration

The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.

SPANNING TREE ALGORITHM CONFIGURATION

The spanning tree algorithms supported by this switch include these versions:

- STP - Spanning Tree Protocol (IEEE 802.1D)
- RSTP - Rapid Spanning Tree Protocol (IEEE 802.1w)

STA uses a distributed algorithm to select a bridging device (STA compliant switch, bridge or rou
20. Console#show mac-address-table aging-time
     Aging time: 100 sec.
    Console#

COMMAND LINE INTERFACE

Spanning Tree Commands

This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.

Table 4-50 Spanning Tree Commands

Command | Function | Mode | Page
spanning-tree | Enables the spanning tree protocol | GC | 4-183
spanning-tree mode | Configures STP or RSTP | GC | 4-184
spanning-tree forward-time | Configures the spanning tree bridge forward time | GC | 4-185
spanning-tree hello-time | Configures the spanning tree bridge hello time | GC | 4-185
spanning-tree max-age | Configures the spanning tree bridge maximum age | GC | 4-186
spanning-tree priority | Configures the spanning tree bridge priority | GC | 4-187
spanning-tree pathcost method | Configures the path cost method for RSTP | GC | 4-188
spanning-tree transmission-limit | Configures the transmission limit for RSTP | GC | 4-188
spanning-tree spanning-disabled | Disables spanning tree for an interface | IC | 4-189
spanning-tree cost | Configures the spanning tree path cost of an interface | IC | 4-190
spanning-tree port-priority | Configures the spanning tree priority of an interface | IC | 4-191
spanning-tree edge-port | Enables fast forwarding for edge ports | IC | 4-191
spanning-tree portfast | Sets an interface to fast forwarding | IC | 4-192
spanning tree C
21.     INDEX    R    RADIUS  logon authentication 4 97  rate limits  setting 3 112  4 159  remote logging 4 63  restarting the system 3 41  4 30  RSTP 3 124  4 184   global configuration 3 126  4 184    S    secure shell 3 57  4 46  Secure Shell configuration 3 57  4 50   4 51  serial port  configuring 4 14  Simple Network Management Protocol See  SNMP  SNMP 3 45  community string 3 45  4 137  enabling traps 3 46  4 141  filtering IP addresses 3 75  trap manager 3 46  4 139  software  displaying version 3 13  4 84  downloading 3 22  4 87  Spanning Tree Protocol See STA  specifications  software A 1  SSH  configuring 3 57  4 50  4 51  STA 3 124  4 182  edge port 3 136  3 139  4 191  global settings  configuring 3 129   4 183   4 188  global settings  displaying 3 126  4 195    Index 3    INDEX    interface settings 3 133  4 190   4 194   4 195  link type 3 136  3 139  4 193  path cost 3 127  3 135  4 190  path cost method 3 132  4 188  port priority 3 135  4 191  protocol migration 3 139  4 194  transmission limit 3 132  4 188  standards  IEEE A 3  startup files  creating 3 26  4 87  displaying 3 22  4 79  setting 3 22  4 93  static addresses  setting 3 121  4 178  statistics  port 3 114  4 153  STP 3 130  4 184  STP Aso see STA  system clock  setting 3 42  4 72  System Logs 3 33  system software  downloading from  server 3 22  4 87    T    TACACS   logon authentication 3 50   4 102  time  setting 3 42  4 72  traffic class weights 3 170  4 225  trap manager 2 10  3 46  4 139  tro
22. flowcontrol symmetric

- 1000full - Supports 1000 Mbps full-duplex operation
- 100full - Supports 100 Mbps full-duplex operation
- 100half - Supports 100 Mbps half-duplex operation
- 10full - Supports 10 Mbps full-duplex operation
- 10half - Supports 10 Mbps half-duplex operation
- flowcontrol - Supports flow control
- symmetric (Gigabit only) - When specified, the port transmits and receives pause frames; when not specified, the port will auto-negotiate to determine the sender and receiver for asymmetric pause frames. (The current switch ASIC only supports symmetric pause frames.)

Default Setting

- 100BASE-TX: 10half, 10full, 100half, 100full
- 1000BASE-T: 10half, 10full, 100half, 100full, 1000full
- SFP: 1000full

Command Mode

Interface Configuration (Ethernet, Port Channel)

COMMAND LINE INTERFACE

Command Usage

When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.

Example

The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.

    Console(config)#interface ethernet 1/5
    Console(config-if)#capabilities 100half
    Console(config-if)#capabilities 100full
    Console(config-if)#capabilities flowcontrol
    Console(config-if)#

Related Commands  
23. system-auth-control: enable

802.1X Port Summary

Port Name | Status | Operation Mode | Mode | Authorized
1/1 | disabled | Single-Host | ForceAuthorized | n/a
1/2 | enabled | Single-Host | auto | yes
1/26 | disabled | Single-Host | ForceAuthorized | n/a

802.1X Port Details
802.1X is disabled on port 1/1
802.1X is enabled on port 1/2
reauth-enabled: Enable
reauth-period: 1800
quiet-period: 30
tx-period: 40
supplicant-timeout: 30
server-timeout: 10
reauth-max: 2
max-req: 5
Status Authorized
Operation mode Single-Host
Max count 5
Port-control Auto
Supplicant 00-00-e8-49-5e-dc
Current Identifier 3

Authenticator State Machine
State Authenticated
Reauth Count 0

Backend State Machine
State Idle
Request Count 0
Identifier(Server) 2

Reauthentication State Machine
State Initialize

802.1X is disabled on port 1/26
Console#

Access Control List Commands

Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port.

Access Control Lists
An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by o
24. unit - Stack unit. (This is unit 1.)
port - Port number. (Range: 1-26/52)
rx - Mirror received packets.
tx - Mirror transmitted packets.

Default Setting
No mirror session is defined.

Command Mode
Interface Configuration (Ethernet, destination port)

Command Usage
- You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.
- The destination port is set by specifying an Ethernet interface.
- The mirror port and monitor port speeds should match, otherwise traffic may be dropped from the monitor port.
- You can only create a single mirror session.

Example
The following example configures the switch to mirror received packets from port 6 to 11.

Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 rx
Console(config-if)#

show port monitor
This command displays mirror information.

Syntax
show port monitor [interface]
interface - ethernet unit/port
unit - Stack unit. (This is unit 1.)
port - Port number. (Range: 1-26/52)

Default Setting
Shows all sessions.

Command Mode
Privileged Exec

Command Usage
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX).
25. wrr - Weighted Round Robin shares bandwidth at the egress ports by using scheduling weights 1, 2, 4, 6 for queues 0 - 3 respectively.

Default Setting
Weighted Round Robin

Command Mode
Global Configuration

Command Usage
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round Robin (WRR) queuing that specifies a relative weight of each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.

Example
The following example sets the queue mode to strict priority service mode.

Console(config)#queue mode strict
Console(config)#

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.

Syntax
switchport priority default default-priority-id
no switchport priority default
default-priority-id - The priority number for untagged ingress traffic. The priority is a number from 0 to 7. Seven is the highest priority.

Default Setting
The priority is not set, and the default value for untagged frames received on the interface is zero.

Command Mode
Interfac
26. CLI - This example adds two rules:

1. Accept any incoming packets if the source address is in subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
2. Allow TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP).
3. Permit all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to "SYN."

Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any destination-port 80
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
Console(config-std-acl)#

Configuring a MAC ACL

Command Attributes
- Action - An ACL can contain any combination of permit or deny rules.
- Source/Destination Address Type - Use "Any" to include all possible addresses, "Host" to indicate a specific MAC address, or "MAC" to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any)
- Source/Destination MAC Address - Source or destination MAC address.
- Source/Destination Bitmask - Hexadecimal mask for source or destination MAC address.
- VID - VLAN ID. (Range: 1-4094)
- Ethernet Type - This o
27. show access-group
This command shows the port assignments of ACLs.

Command Mode
Privileged Executive

Example

Console#show access-group
Interface ethernet 1/25
IP standard access-list david
MAC access-list jerry
Console#

SNMP Commands

Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.

Table 4-39 SNMP Commands

Command | Function | Mode | Page
snmp-server community | Sets up the community access string to permit access to SNMP commands | GC | 4-137
snmp-server contact | Sets the system contact string | GC | 4-138
snmp-server location | Sets the system location string | GC | 4-138
snmp-server host | Specifies the recipient of an SNMP notification operation | GC | 4-139
snmp-server enable traps | Enables the device to send SNMP traps (i.e., SNMP notifications) | GC | 4-141
show snmp | Displays the status of SNMP communications | NE, PE | 4-142

snmp-server community
This command defines the community access string for the Simple Network Management Protocol. Use the no form to remove the specified community string.

Syntax
snmp-server community string [ro | rw]
no snmp-server community string
string - Community string that acts like a password and permits access to the SNMP protocol. (Maximum length: 32 characters, case sens
28. Console(config-mac-acl)#

Binding a Port to an Access Control List

After configuring Access Control Lists (ACL), you should bind them to the ports that need to filter traffic. You can assign one IP access list to any port, but you can only assign one MAC access list to all the ports on the switch.

Command Usage
- You must configure a mask for an ACL rule before you can bind it to a port.
- This switch only supports ACLs for ingress filtering. You can only bind one IP ACL to any port, and one MAC ACL globally, for ingress filtering.

Command Attributes
- Port - Fixed port or SFP module. (Range: 1-26/52)
- IP - Specifies the IP Access List to enable for a port.
- MAC - Specifies the MAC Access List to enable globally.
- IN - ACL for ingress packets.
- ACL Name - Name of the ACL.

Web - Click Security, ACL, Port Binding. Mark the Enabled field for the port you want to bind to an ACL, select the required ACL from the drop-down list, then click Apply.

[Figure 3-39 Binding a Port to an ACL: ACL Port Binding screen with columns Port, IP (IN), MAC (IN)]

CLI - This example assigns an IP and MAC access list to port 1, and a
29. Designation switch

Command Group | Function | Page
User Access | Configures the basic user names and passwords for management access | 4-34
IP Filter | Configures IP addresses that are allowed management access | 4-37
Web Server | Enables management access via a web browser | 4-40
Telnet Server | Enables management access via Telnet | 4-44
Secure Shell | Provides secure replacement for Telnet | 4-46
Event Logging | Controls logging of error messages | 4-59
Time (System Clock) | Sets the system clock automatically via NTP/SNTP server or manually | 4-72

Table 4-7 System Management Commands (Continued)

Command Group | Function | Page
System Status | Displays system configuration, active managers, and version information | 4-78
Frame Size | Enables support for jumbo frames | 4-85

Device Designation Commands

Table 4-8 Device Designation Commands

Command | Function | Mode | Page
prompt | Customizes the prompt used in PE and NE mode | GC | 4-33
hostname | Specifies the host name for the switch | GC | 4-34
snmp-server contact | Sets the system contact string | GC | 4-138
snmp-server location | Sets the system location string | GC | 4-138

prompt
This command customizes the CLI prompt. Use the no form to restore the default prompt.

Syntax
prompt string
no prompt
string - Any alphanumeric string to use for the CLI prompt. (Maximum length: 255 characters)

Default Setting
Console

Command Mode
Global Configuration
30. count - Number of packets to send. (Range: 1-16, default: 5)

Default Setting
This command has no default for the host.

Command Mode
Normal Exec, Privileged Exec

Command Usage
- Use the ping command to see if another site on the network can be reached.
- Following are some results of the ping command:
  - Normal response - The normal response occurs in one to ten seconds, depending on network traffic.
  - Destination does not respond - If the host does not respond, a "timeout" appears in ten seconds.
  - Destination unreachable - The gateway for this destination indicates that the destination is unreachable.
  - Network or host unreachable - The gateway found no corresponding entry in the route table.
- Press <Esc> to stop pinging.

Example

Console#ping 10.1.0.9
Type ESC to abort.
PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
Ping statistics for 10.1.0.9:
5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
Approximate round trip times:
Minimum = 10 ms, Maximum = 20 ms, Average = 10 ms
Console#

Related Commands
interface (4-144)

APPENDIX A  SOFTWARE SPECIFICATIONS

Software Features

Authentication: Local, RADIUS, TACACS, Port (802.1X), HTTPS, SSH, Port Security

Access Control Lists: IP, MAC
31. mac-address-table aging-time | Sets the aging time of the address table | GC | 4-180
show mac-address-table aging-time | Shows the aging time for the address table | PE | 4-181

mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.

Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
- mac-address - MAC address.
- interface
  - ethernet unit/port
    unit - Stack unit. (This is unit 1.)
    port - Port number. (Range: 1-26/52)
  - port-channel channel-id (Range: 1-4)
- vlan-id - VLAN ID (Range: 1-4094)
- action
  - delete-on-reset - Assignment lasts until the switch is reset.
  - permanent - Assignment is permanent.

Default Setting
No static addresses are defined. The default mode is permanent.

Command Mode
Global Configuration

Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics:
- Static addresses will not be removed from the address table when a given interface link is down.
- Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the
32. port-channel channel-id (Range: 1-4)

Default Setting
Shows all interfaces.

Command Mode
Normal Exec, Privileged Exec

Command Usage
If no interface is specified, information on all interfaces is displayed.

Example
This example shows the configuration setting for port 24.

Console#show interfaces switchport ethernet 1/24
Broadcast threshold: Enabled, 600 octets/second
LACP status: Enabled
Ingress rate limit: disable, Level: 30
Egress rate limit: disable, Level: 30
VLAN membership mode: Hybrid
Ingress rule: Disabled
Acceptable frame type: All frames
Native VLAN: 1
Priority for untagged traffic: 0
GVRP status: Disabled
Allowed Vlan: 1(u)
Forbidden Vlan:
Private VLAN mode: NONE
Private VLAN host association: NONE
Private VLAN mapping: NONE
Console#

Table 4-41 Interfaces Switchport Statistics

Field: Description
Broadcast threshold: Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 4-150).
Lacp status: Shows if Link Aggregation Control Protocol has been enabled or disabled (page 4-165).
Ingress/Egress rate limit: Shows if rate limiting is enabled, and the current rate limit (page 4-160).
VLAN membership mode: Indicates membership mode as Trunk or Hybrid (page 4-201).
Ingress rule
Acceptable frame type
Shows if ingress filtering is enabled or disabled (page 4-2
33. show line (4-25)
show users (4-84)

login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.

Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.

Default Setting
login local

Command Mode
Line Configuration

Command Usage
- There are three authentication modes provided by the switch itself at login:
  - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
  - login local selects authentication via the user name and password specified by the username command (i.e., default setting). When using this method, the management interface starts in Normal Exec (NE) or Privileged Exec (PE) mode, depending on the user's privilege level (0 or 15 respectively).
  - no login selects no authentication. When using this method, the management interface starts in Normal Exec (NE) mode.
- This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers.

Example

Console(config-line)#login local
Console(config-line)#
34. CONTENTS

User Access Commands 4-34
  username 4-35
  enable password 4-36
IP Filter Commands 4-37
  management 4-38
  show management 4-39
Web Server Commands 4-40
  ip http port 4-41
  ip http server 4-41
  ip http secure-server 4-42
  ip http secure-port 4-43
Telnet Server Commands 4-44
  ip telnet port 4-44
  ip telnet server 4-45
Secure Shell Commands 4-46
  ip ssh server 4-49
  ip ssh timeout 4-50
  ip ssh authentication-retries 4-51
  ip ssh server-key size 4-51
  delete public-key 4-52
  ip ssh crypto host-key generate 4-53
  ip ssh crypto zeroize 4-54
  ip ssh save host-key 4-54
  show ip ssh 4-55
  show ssh 4-55
  show public-key 4-57
Event Logging Commands 4-59
  logging on 4-59
  logging history 4-60
  logging host 4-61
  logging facility 4-62
  logging trap 4-63
  clear logging
35. 10,000, trunk: 5,000

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
- This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
- Path cost takes precedence over port priority.
- When the spanning-tree pathcost method (page 4-188) is set to short, the maximum value for path cost is 65,535.

Example

Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree cost 5000
Console(config-if)#

spanning-tree port-priority
This command configures the priority for the specified interface. Use the no form to restore the default.

Syntax
spanning-tree port-priority priority
no spanning-tree port-priority
priority - The priority for a port. (Range: 0-240, in steps of 16)

Default Setting
128

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
- This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
- Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.

Example

Console(config)#i
36. 26   Main power status: up   not present

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.

Field Attributes
- Extended Multicast Filtering Services - This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
- Traffic Classes - This switch provides mapping of user priorities to multiple traffic classes. (Refer to "Class of Service Configuration" on page 3-165.)
- Static Entry Individual Port - This switch allows static filtering for unicast and multicast addresses. (Refer to "Setting Static Addresses" on page 3-121.)
- VLAN Learning - This switch uses Independent VLAN Learning (IVL), where each port maintains its own filtering database.
- Configurable PVID Tagging - This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to "VLAN Configuration" on page 3-140.)
- Local VLAN Capable - This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs.
- GMRP - GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast
37. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.

Table 4-29 RADIUS Client Commands

Command | Function | Mode | Page
radius-server host | Specifies the RADIUS server | GC | 4-99
radius-server port | Sets the RADIUS server network port | GC | 4-99
radius-server key | Sets the RADIUS encryption key | GC | 4-99
radius-server retransmit | Sets the number of retries | GC | 4-100
radius-server timeout | Sets the interval between sending authentication requests | GC | 4-100
show radius-server | Shows the current RADIUS settings | PE | 4-101

radius-server host
This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values.

Syntax
[no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port] [timeout timeout] [retransmit retransmit] [key key]
- index - Allows you to specify up to five servers. These servers are queried in sequence until a server responds or the retransmit period expires.
- host_ip_address - IP address of server.
- host_alias - Symbolic name of server. (Maximum length: 20 characters)
- port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535)
- timeout - Number of seconds the switch waits for a reply befo
38. Enter

2. Type "ip address ip-address netmask," where "ip-address" is the switch IP address and "netmask" is the network mask for the network. Press <Enter>.
3. Type "exit" to return to the global configuration mode prompt. Press <Enter>.
4. To set the IP address of the default gateway for the network to which the switch belongs, type "ip default-gateway gateway," where "gateway" is the IP address of the default gateway. Press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
Console(config)#

Dynamic Configuration

If you select the "bootp" or "dhcp" option, IP will be enabled but will not function until a BOOTP or DHCP reply has been received. You therefore need to use the "ip dhcp restart" command to start broadcasting service requests. Requests will be sent periodically in an effort to obtain IP configuration information. (BOOTP and DHCP values can include the IP address, subnet mask, and default gateway.)

If the "bootp" or "dhcp" option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on.

To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complet
39. GC | 4-38 management access
show management | Displays the switch to be monitored or configured from a browser | PE | 4-39

management
This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting.

Syntax
[no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address]
- all-client - Adds IP address(es) to the SNMP, web and Telnet groups.
- http-client - Adds IP address(es) to the web group.
- snmp-client - Adds IP address(es) to the SNMP group.
- telnet-client - Adds IP address(es) to the Telnet group.
- start-address - A single IP address, or the starting address of a range.
- end-address - The end address of a range.

Default Setting
All addresses

Command Mode
Global Configuration

Command Usage
- If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
- IP address can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
- When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address rang
40. GVRP configuration: Enabled
Console#

garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers' default values.

Syntax
garp timer {join | leave | leaveall} timer_value
no garp timer {join | leave | leaveall}
- {join | leave | leaveall} - Which timer to set.
- timer_value - Value of timer.
  Ranges:
  join: 20-1000 centiseconds
  leave: 60-3000 centiseconds
  leaveall: 500-18000 centiseconds

Default Setting
- join: 20 centiseconds
- leave: 60 centiseconds
- leaveall: 1000 centiseconds

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
- Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration/deregistration.
- Timer values are applied to GVRP for all the ports on all VLANs.
- Timer values must meet the following restrictions:
  - leave >= (2 x join)
  - leaveall > leave

Note: Set GVRP timers on all Layer 2 devices connected in the same network to the same values. Otherwise, GVRP may not operate successfully.

Example

Console(config)#interface ethernet 
41. Maximum Addresses: 0

Command Mode
Interface Configuration (Ethernet)

Command Usage
- If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
- First use the port security max-mac-count command to set the number of addresses, and then use the port security command to enable security on the port.
- Use the no port security max-mac-count command to disable port security and reset the maximum number of addresses to the default.
- You can also manually add secure addresses with the mac-address-table static command.
- A secure port has the following restrictions:
  - Cannot use port monitoring.
  - Cannot be a multi-VLAN port.
  - Cannot be connected to a network interconnection device.
  - Cannot be a trunk port.
- If a port is disabled due to a security violation, it must be manually re-enabled using the no shutdown command.

Example
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message.

Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap

Related Commands
shutdown (4-149)
mac-address-table static (4-178)
show mac-address-table (4-179)

802.1X Port Authentication

T
42. - Port/Trunk - The switch interface.
- PVLAN Port Type - Sets the private VLAN port types.
  - Normal - The port is not assigned to a private VLAN.
  - Host - The port is a community port or an isolated port. A community port can communicate with other ports in its own community VLAN and with designated promiscuous port(s). An isolated port can only communicate with the single designated promiscuous port in the isolated VLAN; it cannot communicate with any other host ports.
  - Promiscuous - A promiscuous port can communicate with all interfaces within a private VLAN.
- Primary VLAN - Conveys traffic between promiscuous ports, and between promiscuous ports and community ports within the associated secondary VLANs. If PVLAN type is "Promiscuous," then specify the associated primary VLAN.
- Community VLAN - A community VLAN conveys traffic between community ports, and from community ports to their designated promiscuous ports. Set PVLAN Port Type to "Host," and then specify the associated Community VLAN.
- Isolated VLAN - Conveys traffic only between the VLAN's isolated ports and the promiscuous port. Traffic between isolated ports within the VLAN is blocked. Set the PVLAN Port Type to "Host," then specify an isolated VLAN by marking the check box for an "Isolated VLAN," and selecting the required VLAN from the drop-down box.

Web - Click VLAN, Priva
43. associated secondary VLANs.
- Community VLAN - A community VLAN conveys traffic between community ports, and from community ports to their designated promiscuous ports.
- Isolated VLAN - Conveys traffic only between the VLAN's isolated ports and the promiscuous port. Traffic between isolated ports within the VLAN is blocked.
- Trunk - The trunk identifier. (Port Information only)

Web - Click VLAN, Private VLAN, Port Information or Trunk Information.

[Figure 3-70 Private VLAN Port Information: screen with columns Port, PVLAN Port Type, Primary VLAN, Community VLAN, Isolated VLAN, Trunk]

CLI - This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6. This means that traffic for port 4 and 5 can only pass through port 3.

Console#show vlan private-vlan
Primary | Secondary | Type | Interfaces
5 | | primary | Eth1/3
5 | 6 | community | Eth1/4 Eth1/5
Console#

Configuring Private VLAN Interfaces

Use the Private VLAN Port Configuration and Private VLAN Trunk Configuration menus to set the private VLAN interface type, and assign the interfaces to a private VLAN.

Command Attributes
44.   configuration 3 18   4 251  default priority  ingress port 3 165  4 224  default settings  system 1 7  DHCP 3 19  4 249  client 3 17  dynamic configuration 2 8  Differentiated Code Point Service See  DSCP  downloading software 3 22  4 87  DSCP  enabling 3 172  4 233  mapping priorities 3 174  3 178  4 233  dynamic addresses  displaying 3 122   4 179    E    edge port  STA 3 136  3 139  4 191  event logging 4 59    F    firmware  displaying version 3 13  4 84  upgrading 3 22  4 87    Index 1    INDEX    G    GARP VLAN Registration Protocol See  GVRP  gateway  default 3 18  4 251  GVRP  global setting 4 217  interface configuration 3 154  4 219  GVRP  global setting 3 145    H    hardware version  displaying 3 13  4 84  HTTPS 3 54  4 42  HTTPS  secure server 3 54  4 42    I    IEEE 802 1D 3 125  4 184  IEEE 802 1w 3 125  4 184  IEEE 802 1X 3 66  4 107  IGMP  groups  displaying 3 186  4 241  Layer 2 3 181  4 238  query 3 181  4 243  query  Layer 2 3 182  4 242  snooping 3 181  4 239  snooping  configuring 3 181  4 238  ingress filtering 3 153  4 203  IP address  BOOTP DHCP 3 19  4 249  4 251  setting 2 6  3 17  4 249  IP precedence  enabling 3 172  4 230  4 231  mapping priorities 3 172  4 232  isolated ports 3 156  4 208    J    jumbo frame 4 85    Index 2    L    LACP  local parameters 4 172  partner parameters 4 172  protocol message statistics 4 172  link type  STA 3 136  3 139  4 193  logging  syslog traps 4 63  to syslog servers 4 61  log in  web interface 3 3  logon aut
45. (i.e., around 1 to 3 seconds, compared to 30 seconds or more for STP) by reducing the number of state changes before active ports start learning, predefining an alternate route that can be used when a node or port fails, and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs.

Displaying Global Settings

You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen.

Field Attributes

• Spanning Tree State - Shows if the switch is enabled to participate in an STA-compliant network.
• Bridge ID - A unique identifier for this bridge, consisting of the bridge priority and MAC address (where the address is taken from the switch system).
• Max Age - The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (References to "ports" in this section mean "interfaces," which includes both ports and trunks.)
• Hello Time - Interval (in seconds) at which the ro
46. router.

    Console#show ip igmp snooping mrouter vlan 1
    VLAN   M'cast Router Ports   Type
    1      Eth 1/11              Static
    2      Eth 1/12              Static
    Console#

IP Interface Commands

An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. You may also need to establish a default gateway between this device and management stations or other devices that exist on another network segment.

Table 4-67 IP Interface Commands

Command               Function                                                                    Mode     Page
ip address            Sets the IP address for the current interface                               IC       4-249
ip default-gateway    Defines the default gateway through which this switch can reach other subnetworks   GC   4-251
ip dhcp restart       Submits a BOOTP or DHCP client request                                      PE       4-251
show ip interface     Displays the IP settings for this device                                    PE       4-252
show ip redirects     Displays the default gateway configured for this device                     PE       4-253
ping                  Sends ICMP echo request packets to another node on the network              NE, PE   4-253

ip address

This command sets the IP address for the currently selected VLAN interface. Use the no form to restore the default IP address.

Syntax

    ip address {ip-address netmask | bootp | dhcp}
    no ip address

ip addre
47. the switch can use SMTP (Simple Mail Transfer Protocol) to send email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.

Command Attributes

• Admin Status - Enables/disables the SMTP function. (Default: Enabled)
• Email Source Address - Sets the email address used for the "From" field in alert messages. You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
• Severity - Sets the syslog severity threshold level (see table on page 3-34) used to trigger alert messages. All events at this level or higher will be sent to the configured email recipients. For example, using Level 7 will report all events from level 7 to level 0. (Default: Level 7)
• SMTP Server List - Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list.
• Email Destination Address List - Specifies the email recipients of alert messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list.

Web - Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the
48. up to 88 lists

DHCP Client

Port Configuration
  100BASE-TX: 10/100 Mbps, half/full duplex
  1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex

Flow Control
  Full Duplex: IEEE 802.3-2002
  Half Duplex: Back pressure

Broadcast Storm Control
  Traffic throttled above a critical threshold

Port Mirroring
  One source port, one destination port

Rate Limits
  Input Limit
  Output limit
  Range (configured per port)

Port Trunking
  Static trunks (Cisco EtherChannel compliant)
  Dynamic trunks (Link Aggregation Control Protocol)

Spanning Tree Algorithm
  Spanning Tree Protocol (STP, IEEE 802.1D)
  Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w)

VLAN Support
  Up to 255 groups; port-based or tagged (802.1Q),
  GVRP for automatic VLAN learning, private VLANs

Class of Service
  Supports four levels of priority and Weighted Round Robin Queueing (which can be configured by VLAN tag or port),
  Layer 3/4 priority mapping: IP Port, IP Precedence, IP DSCP

Multicast Filtering
  IGMP Snooping (Layer 2)

Additional Features
  BOOTP client
  SNTP (Simple Network Time Protocol)
  SNMP (Simple Network Management Protocol)
  RMON (Remote Monitoring, groups 1, 2, 3, 9)
  SMTP Email Alerts

Management Features

In-Band Management
  Telnet, Web-based HTTP or HTTPS, SNMP manager, or Secure Shell

Out-of-Band Management
  RS-232 DB-9 console port

Software Loading
  TFTP in-band or XModem out-of-band

SNMP
  Managem
49. username - Name of an SSH user. (Range: 1-8 characters)

Default Setting
Shows all public keys.

Command Mode
Privileged Exec

Command Usage

• If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
• When an RSA key is displayed, the first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 35), and the last string is the encoded modulus. When a DSA key is displayed, the first field indicates that the encryption method used by SSH is based on the Digital Signature Standard (DSS), and the last string is the encoded modulus.

Example

    Console#show public-key host
    Host:
    RSA:
    1024 35
    1568499540186766925933394677505461732531367489083654725415020245593
    199868544358361651999923329781766065830958 610825 9132128902337654680
    1726272571413428762941301196195566782595664104869574278881462065194
    17467729848654686157177393901 64779355 9423035774130 98022737087794545
    24083971752646358058176716709574804776117
    DSA:
    ssh-dss AAAB3NzaClkc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV  yrDbKStIlnzD
    DgOh2HxcYV44sX22JXhamLK6P8bvuiyacWbUWa4PAtplKMSdqsKeh3hKoA3vRRSylN2
    XFfAKxl5fwFfvJlPdOkFgzLGMinvSNYOwiOXDKTBHOZAmUZpE85PWxDZMaCNBPjBrRA
    AAAFQChb4vsdfOGNIjwbvwrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZ
    vH p9cnrfwFTMUO1VFDly3IR2G395NLy50d7Z2DxfA9mCOfTyyEfbobM
50. will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0.

Table 3-13 Mapping DSCP Priority Values

IP DSCP Value             CoS Value
0                         0
8                         1
10, 12, 14, 16            2
18, 20, 22, 24            3
26, 28, 30, 32, 34, 36    4
38, 40, 42                5
48                        6
46, 56                    7

Command Attributes

• DSCP Priority Table - Shows the DSCP Priority to CoS map.
• Class of Service Value - Maps a CoS value to the selected DSCP Priority value. Note that "0" represents low priority and "7" represents high priority.

Note: IP DSCP settings apply to all interfaces.

Web - Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply.

[Figure 3-78: Mapping IP DSCP Priority Values]

CLI - The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.

    Console confi
51. 0 consists of a network portion (10.1.0) and a host portion (1).

Note: The IP address for this switch is obtained via DHCP by default.

To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet. For example:

    Console(config)#interface vlan 1
    Console(config-if)#ip address 10.1.0.254 255.255.255.0
    Console(config-if)#exit
    Console(config)#ip default-gateway 10.1.0.254

If your corporate network is connected to another network outside your office or to the Internet, you need to apply for a registered IP address. However, if you are attached to an isolated network, then you can use any IP address that matches the network segment to which you are attached.

After you configure the switch with an IP address, you can open a Telnet session by performing these steps:

1. From the remote host, enter the Telnet command and the IP address of the device you want to access.

2. At the prompt, enter the user name and system password. The CLI will display the "Vty-n#" prompt for the administrator to show that you are using privileged access mode (i.e., Privileged Exec), or "Vty-n>" for the guest to show that you are using normal access mode (i.e., Normal Exec), where n indicates the number of the current Telnet session.

3. Enter the necessary commands to complete your de
52. 1-4094, no leading zeroes)

• name - Keyword to be followed by the VLAN name.
  - vlan-name - ASCII string from 1 to 32 characters.
• media ethernet - Ethernet media type.
• state - Keyword to be followed by the VLAN state.
  - active - VLAN is operational.
  - suspend - VLAN is suspended. Suspended VLANs do not pass packets.

Default Setting
By default only VLAN 1 exists and is active.

Command Mode
VLAN Database Configuration

Command Usage

• no vlan vlan-id deletes the VLAN.
• no vlan vlan-id name removes the VLAN name.
• no vlan vlan-id state returns the VLAN to the default state (i.e., active).
• You can configure up to 255 VLANs on the switch.

Example

The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.

    Console(config)#vlan database
    Console(config-vlan)#vlan 105 name RD5 media ethernet
    Console(config-vlan)#

Related Commands
show vlan (4-207)

Configuring VLAN Interfaces

Table 4-53 Configuring VLAN Interfaces

Command                             Function                                                 Mode   Page
interface vlan                      Enters interface configuration mode for a specified VLAN   IC   4-200
switchport mode                     Configures VLAN membership mode for an interface         IC     4-201
switchport acceptable-frame-types   Configures frame types to be accepted by an interface    IC     4-202
switchport                          Enables ingress filtering on an interface                IC
53. 121). When the port has reached the maximum number of MAC addresses the selected port will stop learning. The MAC addresses already in the address table will be retained and will not age out. Any other device that attempts to use the port will be prevented from accessing the switch.

Command Usage

• A secure port has the following restrictions:
  - It cannot use port monitoring.
  - It cannot be a multi-VLAN port.
  - It cannot be used as a member of a static or dynamic trunk.
  - It should not be connected to a network interconnection device.
• The default maximum number of MAC addresses allowed on a secure port is zero. You must configure a maximum address count from 1 - 1024 for the port to allow access.
• If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (page 3-90).

Command Attributes

• Port - Port number.
• Name - Descriptive text (page 4-144).
• Action - Indicates the action to be taken when a port security violation is detected:
  - None: No action should be taken. (This is the default.)
  - Trap: Send an SNMP trap message.
  - Shutdown: Disable the port.
  - Trap and Shutdown: Send an SNMP trap message and disable the port.
• Security Status - Enables or disables port security on the port. (Default: Disabled)
• Max MAC Count - The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 1024, where 0
54. 3164. This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.

Example

    Console(config)#logging facility 19
    Console(config)#

logging trap

This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.

Syntax

    logging trap [level]
    no logging trap

level - One of the level arguments listed below. Messages sent include the selected level up through level 0. (Refer to the table on page 4-60.)

Default Setting

• Enabled
• Level 6 - 0

Command Mode
Global Configuration

Command Usage

• Using this command with a specified level enables remote logging and sets the minimum severity level to be saved.
• Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default.

Example

    Console(config)#logging trap 4
    Console(config)#

clear logging

This command clears messages from the log buffer.

Syntax

    clear logging [flash | ram]

• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed o
55. 35 1341081685609893921040944920155425347631641921872958921143173880
    055536161631051775940838686311092912322268285192543746031009371877211996963178
    136627741416898513204911720483033925432410163799759237144901193800609025394840
    848271781943722884025331159521348610229029789827213532671316294325328189150453
    06393916643 steve@192.168.1.19

4. Set the Optional Parameters - On the SSH Settings page, configure the optional parameters, including the authentication timeout, the number of retries, and the server key size.

5. Enable SSH Service - On the SSH Settings page, enable the SSH server on the switch.

6. Challenge-Response Authentication - When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access. The following exchanges take place during this process:

   a. The client sends its public key to the switch.
   b. The switch compares the client's public key to those stored in memory.
   c. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client.
   d. The client uses its private key to decrypt the bytes, and sends the decrypted bytes back to the switch.
   e. The switch compares the decrypted bytes to the original bytes it sent. If the two sets match, this means that the client's private key corresponds
56. Table rows continued:

Command                       Function                                             Mode   Page
ingress-filtering                                                                         4-203
switchport native vlan        Configures the PVID (native VLAN) of an interface    IC     4-204
switchport allowed vlan       Configures the VLANs associated with an interface    IC     4-205
switchport gvrp               Enables GVRP for an interface                        IC     4-219
switchport forbidden vlan     Configures forbidden VLANs for an interface          IC     4-206
switchport priority default   Sets a port priority for incoming untagged frames    IC     4-224

This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface.

Syntax

    interface vlan vlan-id

vlan-id - ID of the configured VLAN. (Range: 1-4094, no leading zeroes)

Default Setting
None

Command Mode
Global Configuration

Example

The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:

    Console(config)#interface vlan 1
    Console(config-if)#ip address 192.168.1.254 255.255.255.0
    Console(config-if)#

Related Commands
shutdown (4-149)

switchport mode

This command configures the VLAN membership mode for a port. Use the no form to restore the default.

Syntax

    switchport mode {trunk | hybrid | private-vlan}
    no switchport mode

• trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging
57. Configuration. Specify the source port/unit, the traffic type to be mirrored, and the monitor port/unit, then click Add.

[Figure 3-49: Mirror Port Configuration]

CLI - Use the interface command to select the monitor port, then use the port monitor command to specify the source port and traffic type.

    Console(config)#interface ethernet 1/10                 4-144
    Console(config-if)#port monitor ethernet 1/13 tx        4-157
    Console(config-if)#

Configuring Rate Limits

This function allows the network manager to control the maximum rate for traffic transmitted or received on a port. Rate limiting is configured on ports at the edge of a network to limit traffic coming into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.

Rate limiting can be applied to individual ports or trunks. When an interface is configured with this feature, the traffic rate will be monitored by the hardware to verify conformity. Non-conforming traffic is dropped, conforming traffic is forwarded without any changes.

Rate Limit Granularity

Rate limit granularity is an additional feature enabling the network manager greater control over traffic on the networ
58. Example

    Console(config)#prompt RD2
    RD2(config)#

hostname

This command specifies or modifies the host name for this device. Use the no form to restore the default host name.

Syntax

    hostname name
    no hostname

name - The name of this host. (Maximum length: 255 characters)

Default Setting
None

Command Mode
Global Configuration

Example

    Console(config)#hostname RD#1
    Console(config)#

User Access Commands

The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-14), user authentication via a remote authentication server (page 4-94), and host access authentication for specific ports (page 4-107).

Table 4-9 User Access Commands

Command           Function                                                       Mode   Page
username          Establishes a user name-based authentication system at login   GC     4-35
enable password   Sets a password to control access to the Privileged Exec level GC     4-36

username

This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.

Syntax

    username name {access-level level | nopassword | password {0 | 7} password}
    no usernam
59. Table 3-2 Main Menu (Continued)

Menu                                         Description                                                                                     Page
DSCP Priority Status                         Globally selects IP Precedence or DSCP Priority, or disables both                               3-172
IP Precedence Priority                       Sets IP Type of Service priority, mapping the precedence tag to a class of service value        3-172
IP DSCP Priority                             Sets IP Differentiated Services Code Point priority, mapping a DSCP tag to a class of service value   3-174
IP Port Priority Status                      Globally enables or disables IP Port Priority                                                   3-172
IP Port Priority                             Sets TCP/UDP port priority, defining the socket number and associated class of service value    3-176
ACL CoS Priority                             Sets the CoS value and corresponding output queue for packets matching an ACL rule              3-178
IGMP Snooping                                                                                                                                3-180
IGMP Configuration                           Enables multicast filtering; configures parameters for multicast query                          3-181
Multicast Router Port Information            Displays the ports that are attached to a neighboring multicast router for each VLAN ID         3-184
Static Multicast Router Port Configuration   Assigns ports that are attached to a neighboring multicast router                               3-185
IP Multicast Registration Table              Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID   3-186
IGMP Member Port Table                       Indicates multicast addresses associated with the selected VLAN                                 3-188

Basic Configuration

Displaying System Information

You can easily identify the system by displaying the device name, location and contact information.

Field Attributes

• System Name - Name as
60. Interface - If IGMP snooping cannot locate the IGMP querier, you can manually designate a known IGMP querier (i.e., a multicast router/switch) connected over the network to an interface on your switch (page 3-185). This interface will then join all the current multicast groups supported by the attached router/switch to ensure that multicast traffic is passed to all appropriate interfaces within the switch.

Static IGMP Host Interface - For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-188).

Configuring IGMP Snooping and Query Parameters

You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.

Command Usage

• IGMP Snooping - This switch can passively snoop on IGMP Query and Report packets transferred between IP multicast routers/switches and IP multicast host groups to identify the IP multicast group members. It simply monitors the IGMP packets passing through it, picks out the group registration information, and configures the multicast filters accordingly.
• IGMP Querier - A router, or multicast-enabled switch, can periodically ask their hos
61. None

Command Mode
Interface Configuration (Ethernet)

Command Usage

A packet matching a rule within the specified ACL is mapped to one of the output queues as shown in the following table. For information on mapping the CoS values to output queues, see queue cos-map on page 4-226.

Table 4-35 Egress Queue Priority Mapping

Queue      0      1      2      3
Priority   1, 2   0, 3   4, 5   6, 7

Example

    Console(config)#interface ethernet 1/25
    Console(config-if)#map access-list ip david cos 0
    Console(config-if)#

Related Commands
queue cos-map (4-226)
show map access-list ip (4-127)

show map access-list ip

This command shows the CoS value mapped to an IP ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.)

Syntax

    show map access-list ip [interface]

interface
• ethernet unit/port
  - unit - This is device 1.
  - port - Port number.

Command Mode
Privileged Exec

Example

    Console#show map access-list ip
    Eth 1/25
     access-list ip david cos 0
    Console#

Related Commands
map access-list ip (4-126)

MAC ACLs

Table 4-36 MAC ACLs

Command           Function                                                                                          Mode      Page
access-list mac   Creates a MAC ACL and enters configuration mode                                                   GC        4-128
permit, deny      Filters packets matching a specified source and destination address, packet format, and Ethernet type   MAC-ACL   4-130
show mac          Displ
62. PDUs transmitted from this channel group.

Field                  Description
Marker Received        Number of valid Marker PDUs received by this channel group.
LACPDUs Unknown Pkts   Number of frames received that either: (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
LACPDUs Illegal Pkts   Number of frames that carry the Slow Protocols Ethernet Type value, but contain a badly formed PDU or an illegal value of Protocol Subtype.

Web - Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information.

[Figure 3-45: LACP - Port Counters Information]

CLI - The following example displays LACP counters.

    Console#show lacp counters                 4-172
    Port channel : 1
    Eth 1/1
     LACPDUs Sent : 91
     LACPDUs Receive : 43
     Marker Sent : 0
     Marker Receive : 0
     LACPDUs Unknown Pkts : 0
     LACPDUs Illegal Pkts : 0

Displaying LACP Settings and Status for the Local Side

You can display configuration settings and the operational state for the local side of a link aggregation.

Table 3-7 LACP Internal Configuration Information

Field      Description
Oper Key   Current oper
63.  Parity: none
     Stopbits: 1

    VTY configuration:
     Password threshold: 3 times
     Interactive timeout: 600 sec
     Login timeout: 300 sec
    Console#

Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.

System Log Configuration

The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.

Severe error messages that are logged to flash memory are permanently stored in the switch to assist in troubleshooting network problems. Up to 4096 log entries can be stored in the flash memory, with the oldest entries being overwritten first when the available log memory (256 kilobytes) has been exceeded.

The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 6 to be logged to RAM.

Command Attributes

• System Log Status - Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled)
• Flash Level - Limits log messages saved to the switch's permanent flash memory for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to fl
64. Setting the Time Zone

SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth's prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.

Command Attributes

• Current Time - Displays the current time.
• Name - Assigns a name to the time zone. (Range: 1-29 characters)
• Hours (0-12) - The number of hours before/after UTC.
• Minutes (0-59) - The number of minutes before/after UTC.
• Direction - Configures the time zone to be before (east) or after (west) UTC.

Web - Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC, and click Apply.

[Figure 3-21: Setting the System Clock]

CLI - This example shows how to set the time zone for the system clock.

    Console(config)#clock timezone Dhaka hours 6 minute 0 after-UTC      4-76
    Console(config)#

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configur
65. TACACS authentication if selected, and click Apply.

[Figure 3-25: Authentication Settings]

CLI - Specify all the required parameters to enable logon authentication.

    Console(config)#authentication login radius            4-95
    Console(config)#radius-server port 181                 4-99
    Console(config)#radius-server key green                4-99
    Console(config)#radius-server retransmit 5             4-100
    Console(config)#radius-server timeout 10               4-100
    Console(config)#radius-server 1 host 192.168.1.25      4-98
    Console(config)#end
    Console#show radius-server                             4-101
    Remote RADIUS server configuration:
    Global settings:
     Communication key with RADIUS server:
     Server port number: 181
     Retransmit times: 5
     Request timeout: 10
    Server 1:
     Server IP address: 192.168.1.25
     Communication key with RADIUS server:
     Server port number: 1812
     Retransmit times: 2
     Request timeout: 5

    Console#configure
    Console(config)#authentication login tacacs            4-95
    Console(config)#tacacs-server host 10.20.30.40         4-102
    Console(config)#tacacs-server port 200
66. Table 1-1 Key Features

Feature                            Description
Configuration Backup and Restore   Backup to TFTP server
Authentication                     Console, Telnet, web - User name / password, RADIUS, TACACS
                                   Web - HTTPS; Telnet - SSH
                                   SNMP v1/2c - Community strings
                                   Port - IEEE 802.1X, MAC address filtering
Access Control Lists               Supports up to 88 IP or MAC ACLs
DHCP Client                        Supported
Port Configuration                 Speed, duplex mode and flow control
Rate Limiting                      Input and output rate limiting per port
Port Mirroring                     One port mirrored to a single analysis port
Port Trunking                      Supports up to 4 trunks using either static or dynamic trunking (LACP)
Broadcast Storm Control            Supported
Static Address                     Up to 8K MAC addresses in the forwarding table
IEEE 802.1D Bridge                 Supports dynamic data switching and addresses learning
Store-and-Forward Switching        Supported to ensure wire-speed switching while eliminating bad frames
Spanning Tree Algorithm            Supports standard STP and Rapid Spanning Tree Protocol (RSTP)
Virtual LANs                       Up to 255 using IEEE 802.1Q, port-based, or private VLANs
Traffic Prioritization             Default port priority, traffic class map, queue scheduling, IP Precedence or Differentiated Services Code Point (DSCP), and TCP/UDP Port
Multicast Filtering                Supports IGMP snooping and query

Description of Soft
67.  Timer 2 - The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60)

GARP LeaveAll Timer - The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group. (Range: 500-18000 centiseconds; Default: 1000)

12. Timer settings must follow this rule: 2 x (join timer) < leave timer < leaveAll timer

Mode - Indicates VLAN membership mode for an interface. (Default: Hybrid)
  - 1Q Trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging to the port's default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
  - Hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.

Trunk Member - Indicates if a port is a member of a trunk. To add a trunk to the selected VLAN, use the last table on the VLAN Static Table page.

Web - Click VLAN, 802.1Q VLAN, Port Configuration or VLAN Trunk 
68.  Use the no form to remove a rule.

Syntax

    [no] {permit | deny} {any | source bitmask | host source}

  - any - Any source IP address.
  - source - Source IP address.
  - bitmask - Decimal number representing the address bits to match.
  - host - Keyword followed by a specific IP address.

Default Setting
None

Command Mode
Standard ACL

ACCESS CONTROL LIST COMMANDS

Command Usage
  - New rules are appended to the end of the list.
  - Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate "match" and 0 bits to indicate "ignore." The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.

Example
This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x - 168.92.31.x using a bitmask.

    Console(config-std-acl)#permit host 10.1.1.21
    Console(config-std-acl)#permit 168.92.16.0 255.255.240.0
    Console(config-std-acl)#

Related Commands
access-list ip (4-119)

COMMAND LINE INTERFACE

permit, deny (Extended ACL)

This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP co
69.  a particular interface that exceed the maximum permitted frame size.

Deferred Transmissions - A count of frames for which the first transmission attempt on a particular interface is delayed because the medium was busy.
Internal MAC Receive Errors - A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error.

RMON Statistics

Drop Events - The total number of events in which packets were dropped due to lack of resources.
Jabbers - The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
Received Bytes - Total number of bytes of data received on the network. This statistic can be used as a reasonable indication of Ethernet utilization.
Collisions - The best estimate of the total number of collisions on this Ethernet segment.
Received Frames - The total number of frames (bad, broadcast and multicast) received.
Broadcast Frames - The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets.

Table 3-9 Port Statistics (Continued)

Multicast Frames - The total number of good frames received that were directed to this multicast address.
CRC/Alignment Errors - The number o
70.  access list, add the required rules and then bind the list to a specific port.

Configuring Access Control Lists

An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no rules match for a list of all permit rules, the packet is dropped; and if no rules match for a list of all deny rules, the packet is accepted.

Command Usage

The following restrictions apply to ACLs:
  - Each ACL can have up to 32 rules.
  - The maximum number of ACLs is 88.
  - However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.
  - This switch supports ACLs for ingress filtering only. However, you can only bind one IP ACL to any port and one MAC ACL globally for ingress filtering. In other words, only two ACLs can be bound to an interface - Ingress IP ACL and Ingress MAC ACL.

The order in which active ACLs are checked is as follows:
  1. User-defined rules in the Ingress MAC ACL for ingress ports.
  2. User-defined rules in the Ingress IP ACL for ingress ports.
  3. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports.
  4. Explicit default rule (permit any any) in the ingress MAC ACL for ingress 
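The source/bitmask matching of the standard ACL permit/deny command and the accept/drop evaluation described above, as an added Python example (not code from the manual or the switch firmware). It assumes the packet's source address is masked with the same bitmask before the comparison; what a mixed permit/deny list does when nothing matches is not stated in the text here, so the sketch reports that case as "unspecified".

```python
import ipaddress

FULL = 0xFFFFFFFF


def _ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_rule(line):
    """Parse '{permit|deny} {any | source bitmask | host source}'.

    Returns (action, address, bitmask) with address and bitmask as integers.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL rule: {line!r}")
    action, args = tokens[0], tokens[1:]
    if args == ["any"]:
        return action, 0, 0                  # all bits "ignore"
    if len(args) == 2 and args[0] == "host":
        return action, _ip(args[1]), FULL    # all bits "match"
    if len(args) == 2:
        return action, _ip(args[0]), _ip(args[1])
    raise ValueError(f"not a standard ACL rule: {line!r}")


def rule_matches(rule, src):
    """1 bits in the bitmask must match, 0 bits are ignored.

    Assumption: the packet address is ANDed with the bitmask as well.
    """
    _, address, bitmask = rule
    return (src & bitmask) == (address & bitmask)


def covered_range(line):
    """First and last address a rule covers, or None when the bitmask has
    non-contiguous 1 bits and so does not describe a single range."""
    _, address, bitmask = parse_rule(line)
    ignored = ~bitmask & FULL
    if ignored & (ignored + 1):              # ignored bits are not a low-order run
        return None
    first = address & bitmask
    last = first | ignored
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def evaluate(rule_lines, src_text):
    """First matching rule decides. With no match, an all-permit list drops
    the packet and an all-deny list accepts it, as the text states."""
    rules = [parse_rule(line) for line in rule_lines]
    src = _ip(src_text)
    for rule in rules:
        if rule_matches(rule, src):
            return rule[0]
    actions = {rule[0] for rule in rules}
    if actions == {"permit"}:
        return "deny"
    if actions == {"deny"}:
        return "permit"
    return "unspecified"                     # empty or mixed list: not stated


# The two rules from the manual's standard ACL example.
RULES = [
    "permit host 10.1.1.21",
    "permit 168.92.16.0 255.255.240.0",
]

if __name__ == "__main__":
    print(covered_range(RULES[1]))
    # Constructed sample source addresses.
    for sample in ("10.1.1.21", "10.1.1.22", "168.92.20.7", "168.92.32.1"):
        print(sample, evaluate(RULES, sample))
```

Running it over an ACL before binding it to a port shows which addresses just outside an intended range (here 168.92.32.1) fall through to the no-match behaviour.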
71.  address table.

ADDRESS TABLE COMMANDS

  - A static address cannot be learned on another port until the address is removed with the no form of this command.

Example

    Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
    Console(config)#

clear mac-address-table dynamic

This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries.

Default Setting
None

Command Mode
Privileged Exec

Example

    Console#clear mac-address-table dynamic
    Console#

show mac-address-table

This command shows classes of entries in the bridge-forwarding database.

Syntax

    show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]

  - mac-address - MAC address.
  - mask - Bits to match in the address.
  - interface
      - ethernet unit/port
          - unit - Stack unit. (This is unit 1.)
          - port - Port number. (Range: 1-26/52)
      - port-channel channel-id (Range: 1-4)
  - vlan-id - VLAN ID (Range: 1-4094)
  - sort - Sort by address, vlan or interface.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
  - The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
      - Learned - Dynamic address entri
72.  all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
The session used to execute this command is indicated by a "*" symbol next to the Line (i.e., session) index number.

Example

    Console#show users
     Username accounts:
      Username Privilege Public-Key
      admin    15        None
      guest    0         None
      steve    15        RSA

     Online users:
      Line       Username Idle time (h:m:s) Remote IP addr.
      0 console  admin    0:14:14
      1 VTY 0    admin    0:00:00           192.168.1.19
      2 SSH 1    steve    0:00:06           192.168.1.19

     Web online users:
      Line    Remote IP addr Username Idle time (h:m:s).
      1 HTTP  192.168.1.19   admin    0:00:00

    Console#

show version

This command displays hardware and software version information for the system.

Default Setting
None

SYSTEM MANAGEMENT COMMANDS

Command Mode
Normal Exec, Privileged Exec

Command Usage
See "Displaying Switch Hardware/Software Versions" on page 3-13 for detailed information on the items displayed by this command.

Example

    Console#show version
    Unit 1
     Serial number:          A419048860
     Service tag:
     Hardware version:       ROB
     Module A type:          1000BaseT
     Module B type:          1000BaseT
     Number of ports:        26
     Main power status:      up
     Redundant power status: not present
    Agent (master)
     Unit ID:                q
     Loader version:         2.2.1.4
     Boot ROM version:       242 149
     Operation code ve
73.  and maps class of service tags to hardware queues
Priority (Layer 3 and 4) | Maps TCP ports, IP precedence tags, or IP DSCP tags to class of service values | 4-229

Priority Commands (Layer 2)

Table 4-58 Priority Commands (Layer 2)

Command | Function | Mode | Page
queue mode | Sets the queue mode to strict priority or Weighted Round-Robin (WRR) | GC | 4-223
switchport priority default | Sets a port priority for incoming untagged frames | IC | 4-224
queue bandwidth | Assigns round-robin weights to the priority queues | GC | 4-225
queue cos-map | Assigns class-of-service values to the priority queues | IC | 4-226
show queue mode | Shows the current queue mode | PE | 4-227
show queue bandwidth | Shows round-robin weights assigned to the priority queues | PE | 4-227
show queue cos-map | Shows the class-of-service map | PE | 4-228
show interfaces switchport | Displays the administrative and operational status of an interface | PE | 4-155

PRIORITY COMMANDS

queue mode

This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value.

Syntax

    queue mode {strict | wrr}
    no queue mode

  - strict - Services the egress queues in sequential order, transmitting all traffic in the higher priority queues before servicing lower priority queues. 
74.  appended to the end of the prompt to indicate that the system is in privileged access mode.

Example

    Console>enable
    Password: [privileged level password]
    Console#

Related Commands
disable (4-28)
enable password (4-36)

disable

This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes" on page 4-8.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
The ">" character is appended to the end of the prompt to indicate that the system is in normal access mode.

Example

    Console#disable
    Console>

Related Commands
enable (4-27)

configure

This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration. See "Understanding Command Modes" on page 4-8.

Default Setting
None

Command Mode
Privileged Exec

GENERAL COMMANDS

Example

    Console#configure
    Console(config)#

Related Commands
end (4-30)

show history

This command shows the contents of the command histor
76.  command configures the query interval. Use the no form to restore the default.

Syntax

    ip igmp snooping query-interval seconds
    no ip igmp snooping query-interval

  - seconds - The frequency at which the switch sends IGMP host-query messages. (Range: 60-125)

Default Setting
125 seconds

Command Mode
Global Configuration

Example
The following shows how to configure the query interval to 100 seconds.

    Console(config)#ip igmp snooping query-interval 100
    Console(config)#

MULTICAST FILTERING COMMANDS

ip igmp snooping query-max-response-time

This command configures the query report delay. Use the no form to restore the default.

Syntax

    ip igmp snooping query-max-response-time seconds
    no ip igmp snooping query-max-response-time

  - seconds - The report delay advertised in IGMP queries. (Range: 5-25)

Default Setting
10 seconds

Command Mode
Global Configuration

Command Usage
  - The switch must be using IGMP v2 for this command to take effect.
  - This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries defined by the ip igmp snooping query-count, but a client has not responded, a countdown timer is started using an initial value set by this command. If the countdown finishes, and the client still has not responded, then that client is considered to have left the multicast group.

Example
The following shows how to configure the maximum
77.  creating new trunks.

Port - Port identifier. (Range: 1-26/52)

Web - Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.

[Figure 3-43 LACP Trunk Configuration: LACP Configuration page with the Member List (Current: Unit1 Port1 to Unit1 Port6; New: Port), and Add and Remove buttons]

CLI - The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.

    Console(config)#interface ethernet 1/1
    Console(config-if)#lacp
    Console(config-if)#exit
    Console(config)#interface ethernet 1/6
    Console(config-if)#lacp
    Console(config-if)#end
    Console#show interfaces status port-channel 1
    Information of Trunk 1
     Basic information:
      Port type: 100TX
      Mac address: 22-22-22-22-22-2d
     Configuration:
      Name:
      Port admin: Up
      Speed-duplex: Auto
      Capabilities: 10half, 10full, 100half, 100full
      Flow control status: Disabled
      Port security: Disabled
      Max MAC count: 0
     Current status:
      Created by: Lacp
      Link status: Up
      Port operation status: Up
      Operation speed-duplex: 100full
      Flow control type: None
      Member Ports: Eth1/1, Eth1/2, Eth1/3, Eth1/4, Eth1/5, Eth1/6,
    Console#

Configuring LACP Parameters

Dynamically Creating a Port Channel 
78.  device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.

Root Hello Time - Interval (in seconds) at which this device transmits a configuration message.

Root Maximum Age - The maximum time (in seconds) this device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. If the root port ages out STA information (provided in the last configuration message), a new root port is selected from among the device ports attached to the network. (References to "ports" in this section means "interfaces," which includes both ports and trunks.)

Root Forward Delay - The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.

Transmission limit - The minimum interval between the transmission of consecutive RSTP BPDUs.

Path Cost Method - The path cost 
80.  each of these queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue will be polled for service, and subsequently affects the response time for software applications assigned a specific priority value.

Command Attributes
  - WRR Setting Table - Displays a list of weights for each traffic class (i.e., queue).
  - Weight Value - Set a new weight for the selected traffic class. However, note that Queue 0 is fixed at a weight of 1, and cannot be configured. (Range: 1-31)

Web - Click Priority, Queue Scheduling. Highlight a traffic class (i.e., output queue), enter a weight, then click Apply.

[Figure 3-75 Configuring Queue Scheduling: WRR Setting Table listing Traffic Class 0 - weight 1, Traffic Class 1 - weight 1, Traffic Class 2 - weight 4, Traffic Class 3 - weight 16, with a Weight Value (1-31) field]

15. CLI shows Queue ID.

CLASS OF SERVICE CONFIGURATION

CLI - The following example shows how to assign WRR weights to each of the priority queues.

    Console(config)#queue bandwidth 6 9 12
    Console(config)#exit
    Console#show queue bandwidth
     Queue ID Weight

    Console#

Layer 3/4 Priority Settings

Mapping Layer 3/4 Priorities to CoS Values

This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using t
81.  ethernet unit/port
      - unit - This is device 1.
      - port - Port number. (Range: 1-26/52)

Command Mode
Privileged Exec

Example

    Console#show map access-list mac
    Access-list to COS of Eth 1/5
     Access-list jerry cos 0
    Console#

Related Commands
map access-list mac (4-133)

ACL Information

Table 4-38 ACL Information

Command | Function | Mode | Page
show access-list | Show all ACLs and associated rules | PE | 4-135
show access-group | Shows the ACLs assigned to each port | PE | 4-136

show access-list

This command shows all ACLs and associated rules, as well as all the user-defined masks.

Command Mode
Privileged Exec

Command Usage
Once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.

Example

    Console#show access-list
    IP standard access-list david:
     permit host 10.1.1.21
     permit 168.92.16.0 255.255.240.0
    IP extended access-list bob:
     permit 10.7.1.1 255.255.255.0 any
     permit 192.168.1.0 255.255.255.0 any destination-port 80 80
     permit 192.168.1.0 255.255.255.0 any protocol tcp control-code 2 2
    MAC access-list jerry:
     permit any host 00-30-29-94-34-de ethertype 800 800
    IP extended access-list A6:
     permit 10.7.1.0 255.255.255.0 any
     permit 192.168.1.0 255.255.255.0 any destination-port 80 80
     permit TCP 192.168.1.0 255.255.255.0 any control-flag 2 2
    Console#
82.  groups. This switch does not support GMRP; it uses the Internet Group Management Protocol (IGMP) to provide automatic multicast filtering.

Web - Click System, Bridge Extension Configuration.

[Figure 3-5 Bridge Extension Configuration: Bridge Capability fields - Extended Multicast Filtering Services: No; Traffic Classes: Enabled; Static Entry Individual Port: Yes; VLAN Learning: IVL; Configurable PVID Tagging: Yes; Local VLAN Capable: No; GMRP: Enable checkbox]

BASIC CONFIGURATION

CLI - Enter the following command.

    Console#show bridge-ext
     Max support VLAN numbers: 255
     Max support VLAN ID: 4094
     Extended multicast filtering services: No
     Static entry individual port: Yes
     VLAN learning: IVL
     Configurable PVID tagging: Yes
     Local VLAN capable: No
     Traffic classes: Enabled
     Global GVRP status: Disabled
     GMRP: Disabled
    Console#

Setting the Switch's IP Address

This section describes how to configure an IP interface for management access over the network. The IP address for this switch is obtained via DHCP by default. To manually configure an address, you need to change the switch's default settings (IP address 0.0.0.0 and netmask 255.0.0.0) to values that are compatible with your network. You may also need to establish a default gateway between the switch and management stations that exist on another network segment.

You can manually configure a specific IP address, or direct the device to o
83.  interfaces is displayed. For a description of the items displayed by this command, see "Displaying Connection Status" on page 3-87.

INTERFACE COMMANDS

Example

    Console#show interfaces status ethernet 1/5
    Information of Eth 1/5
     Basic information:
      Port type: 100TX
      Mac address: 00-30-F1-D3-26-05
     Configuration:
      Name:
      Port admin: Up
      Speed-duplex: Auto
      Capabilities: 10half, 10full, 100half, 100full
      Broadcast storm: Enabled
      Broadcast storm limit: 32000 octets/second
      Flow control: Disabled
      Lacp: Disabled
      Port security: Disabled
      Max MAC count: 0
      Port security action: None
     Current status:
      Link status: Up
      Port operation status: Up
      Operation speed-duplex: 100full
      Flow control type: None
    Console#show interfaces status vlan 1
    Information of VLAN 1
     MAC address: 00-00-AB-CD-00-00
    Console#

show interfaces counters

This command displays interface statistics.

Syntax

    show interfaces counters [interface]

  - interface
      - ethernet unit/port
          - unit - Stack unit. (This is unit 1.)
          - port - Port number. (Range: 1-26/52)
      - port-channel channel-id (Range: 1-4)

Default Setting
Shows the counters for all interfaces.

Command Mode
Normal Exec, Privileged Exec

Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Showing Port Statisti
84.  means disabled.

Trunk - Trunk number if port is a member (page 3-94 and 3-96).

Web - Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.

[Figure 3-29 Configuring Port Security: per-port table with the columns Port, Name, Action (None / Trap and Shutdown), Security Status (Enabled checkbox), Max MAC Count (0-1024), Trunk]

CLI - This example selects the target port, sets the port security action to send a trap and disable the port and sets the maximum MAC addresses allowed on the port, and then enables port security for the port.

    Console(config)#interface ethernet 1/5
    Console(config-if)#port security action trap-and-shutdown
    Console(config-if)#port security max-mac-count 20
    Console(config-if)#port security
    Console(config-if)#

Configuring 802.1X Port Authentication

Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensiti
85.  multicast

This command shows known multicast addresses.

Syntax

    show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping]

  - vlan-id - VLAN ID (1 to 4094)
  - user - Display only the user-configured multicast entries.
  - igmp-snooping - Display only entries learned through IGMP snooping.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
Member types displayed include IGMP or USER, depending on selected options.

Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1:

    Console#show mac-address-table multicast vlan 1 igmp-snooping
     VLAN M'cast IP addr. Member ports Type

    Console#

IGMP Query Commands (Layer 2)

Table 4-65 IGMP Query Commands (Layer 2)

Command | Function | Mode | Page
ip igmp snooping querier | Allows this device to act as the querier for IGMP snooping | GC | 4-243
ip igmp snooping query-count | Configures the query count | GC | 4-243
ip igmp snooping query-interval | Configures the query interval | GC | 4-244
ip igmp snooping query-max-response-time | Configures the report delay | GC | 4-245
ip igmp snooping router-port-expire-time | Configures the query timeout | GC | 4-246

ip igmp snooping querier

This command enables the switch as an IGMP querier. Use the no form to disable it.

Syntax

    [no] ip igmp snooping querier

Default Setting
Enab
86.  must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports. Add a port as a tagged port if you want it to carry traffic for one or more VLANs, and any intermediate network devices or the host at the other end of the connection supports VLANs. Then assign ports on the other VLAN-aware network devices along the path that will carry this traffic to the same VLAN(s), either manually or dynamically using GVRP. However, if you want a port on this switch to participate in one or more VLANs, but none of the intermediate network devices nor the host at the other end of the connection supports VLANs, then you should add this port to the VLAN as an untagged port.

Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing it on to any end-node host that does not support VLAN tagging.

[Figure: tagged frames passing between VLAN-aware devices, and tagged and untagged frames passing between VLAN-aware and VLAN-unaware devices. VA: VLAN Aware; VU: VLAN Unaware]

VLAN Classification - When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tag
87.  no form to remove the port.

Syntax

    [no] ip access-group acl_name in

  - acl_name - Name of the ACL. (Maximum length: 16 characters)
  - in - Indicates that this list applies to ingress packets.

Default Setting
None

Command Mode
Interface Configuration (Ethernet)

Command Usage
  - A port can only be bound to one ACL.
  - If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.
  - You must configure a mask for an ACL rule before you can bind it to a port.

Example

    Console(config)#int eth 1/25
    Console(config-if)#ip access-group david in
    Console(config-if)#

Related Commands
show ip access-list (4-124)

show ip access-group

This command shows the ports assigned to IP ACLs.

Command Mode
Privileged Exec

Example

    Console#show ip access-group
    Interface ethernet 1/25
     IP access-list david in
    Console#

Related Commands
ip access-group (4-125)

map access-list ip

This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. Use the no form to remove the CoS mapping.

Syntax

    [no] map access-list ip acl_name cos cos-value

  - acl_name - Name of the ACL. (Maximum length: 16 characters)
  - cos-value - CoS value. (Range: 0-7)

Default Setting
88.  of timezone, usually an acronym. (Range: 1-29 characters)
  - hours - Number of hours before/after UTC. (Range: 0-12 hours)
  - minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
  - before-utc - Sets the local time zone before (east) of UTC.
  - after-utc - Sets the local time zone after (west) of UTC.

Default Setting
None

Command Mode
Global Configuration

Command Usage
This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth's prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.

Example

    Console(config)#clock timezone Japan hours 8 minute 0 after-UTC
    Console(config)#

Related Commands
show sntp (4-75)

calendar set

This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.

Syntax

    calendar set hour min sec {day month year | month day year}

  - hour - Hour in 24-hour format. (Range: 0-23)
  - min - Minute. (Range: 0-59)
  - sec - Second. (Range: 0-59)
  - day - Day of month. (Range: 1-31)
  - month - january | february | march | april | may | june | july | august | september | october | november | december
  - year - Year (4-digit). (Range: 20
89.  only.
    tacacs - Use TACACS server password.

Default Setting: Local

Command Mode: Global Configuration

Command Usage
- RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
- RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.

AUTHENTICATION COMMANDS

- You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter "authentication enable radius tacacs local", the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.

Example
    Console(config)#authentication enable radius
    Console(config)#

Related Commands: enable password - sets the password for changing command modes (4-36)

RADIUS Client

Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network
90.  or weighted round robin, relative weight for each priority queue, also sets priority for TCP/UDP traffic types, IP precedence, and DSCP
Multicast Filtering | Configures IGMP multicast filtering, query parameters, and specifies ports attached to a multicast router | 4-238
IP Interface | Configures IP address for the switch | 4-249

The access mode shown in the following tables is indicated by these abbreviations:
NE (Normal Exec)
PE (Privileged Exec)
GC (Global Configuration)
ACL (Access Control List Configuration)
IC (Interface Configuration)
LC (Line Configuration)
VC (VLAN Database Configuration)

Line Commands

You can access the onboard configuration program by attaching a VT100 compatible device to the server's serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).

Table 4-5 Line Commands
Command | Function | Mode | Page
line | Identifies a specific line for configuration and starts the line configuration mode | GC | 4-15
login | Enables password checking at login | LC | 4-16
password | Specifies a password on a line | LC | 4-17
timeout login | Sets the interval that the system waits for a user response to log into the CLI | LC | 4-18
exec-timeout | Sets the interval that the command interpreter waits until user input is detected | LC | 4-19
password-thresh | Sets the password in
91.  Configuring Event Logging
System Log Configuration
Remote Log Configuration
Displaying Log Messages
Sending Simple Mail Transfer Protocol Alerts
Resetting the System
Setting the System Clock
Configuring SNTP
Setting the Time Zone
Simple Network Management Protocol
Setting Community Access Strings
Specifying Trap Managers and Trap Types
User Authentication
Configuring User Accounts
Configuring Local/Remote Logon Authentication
Configuring HTTPS
Replacing the Default Secure-site Certificate
Configuring the Secure Shell
Generating the Host Key Pair
Configuring the SSH Server
Configuring Port Security
Configuring 802.1X Port Authentication
Displaying 802.1X Global Settings
Configuring 802.1X Global Settings
Configuring Port Settings for 802.1X
Displaying 802.1X Statistics
Filtering Addresses for Management Access
Access Control
92.  point | shared
    no spanning-tree link-type
    auto - Automatically derived from the duplex mode setting.
    point-to-point - Point-to-point link.
    shared - Shared medium.

Default Setting: auto

Command Mode: Interface Configuration (Ethernet, Port Channel)

Command Usage
- Specify a point-to-point link if the interface can only be connected to exactly one other bridge, or a shared link if it can be connected to two or more bridges.
- When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
- RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden.

Example
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree link-type point-to-point

spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.

Syntax
    spanning-tree protocol-migration interface
    interface
      ethernet unit/port
        unit - This is device 1.
        port - Port number. (Range: 1-26/52)
      port-channel channel-id (Range: 1-4)

Command Mode: Privileged Exec

SPANNING TREE COMMANDS

Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatica
93.  port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.

Table 4-59 Default CoS Priority Levels
Queue    | 0    | 1    | 2    | 3
Priority | 1, 2 | 0, 3 | 4, 5 | 6, 7

Command Mode: Interface Configuration (Ethernet, Port Channel)

Command Usage
- CoS values assigned at the ingress port are also used at the egress port.
- This command sets the CoS priority for all interfaces.

PRIORITY COMMANDS

Example
The following example shows how to map CoS values 0, 1 and 2 to egress queue 0, value 3 to egress queue 1, values 4 and 5 to egress queue 2, and values 6 and 7 to egress queue 3.

    Console(config)#interface ethernet 1/1
    Console(config-if)#queue cos-map 0 0 1 2
    Console(config-if)#queue cos-map 1 3
    Console(config-if)#queue cos-map 2 4 5
    Console(config-if)#queue cos-map 3 6 7
    Console(config-if)#end
    Console#show queue cos-map ethernet 1/1
    Information of Eth 1/1
     CoS Value     : 0 1 2 3 4 5 6 7
     Priority Queue: 0 0 0 1 2 2 3 3
    Console#

Related Commands: show queue cos-map (4-228)

show queue mode
This command shows the current queue mode.

Default Setting: None

Command Mode: Privileged Exec

Example
    Console#show queue mode

    Queue mode: wrr
    Console#

show queue bandwidth
This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority qu
94.  port will drop any incoming frames with a source MAC address that is unknown or has been previously learned from another port. If a device with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message.

Table 4-31 Port Security Commands
Command | Function | Mode | Page
port security | Configures a secure port | IC | 4-105
mac-address-table static | Maps a static address to a port in a VLAN | GC | 4-178
show mac-address-table | Displays entries in the bridge-forwarding database | PE | 4-179

port security
This command enables or configures port security. Use the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses.

Syntax
    port security [action {shutdown | trap | trap-and-shutdown} | max-mac-count address-count]
    no port security [action | max-mac-count]
    action - Response to take when port security is violated.
      shutdown - Disable port only.
      trap - Issue SNMP trap message only.
      trap-and-shutdown - Issue SNMP trap message and disable port.
    max-mac-count
      address-count - The maximum number of MAC addresses that can be learned on a port. (Range: 0-1024)

Default Setting
- Status: Disabled
- Action: None
95.  query-interval 100                                              4-244
    Console(config)#ip igmp snooping router-port-expire-time 300    4-246
    Console(config)#ip igmp snooping version 2                      4-240
    Console(config)#exit
    Console#show ip igmp snooping                                   4-241
     Service status: Enabled
     Querier status: Enabled
     Query count: 10
     Query interval: 100 sec
     Query max response time: 20 sec
     Router port expire time: 300 sec
     IGMP snooping version: Version 2
    Console#

Displaying Interfaces Attached to a Multicast Router

Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.

You can use the Multicast Router Port Information page to display the ports on this switch attached to a neighboring multicast router/switch for each VLAN ID.

Command Attributes
- VLAN ID - ID of configured VLAN (1-4094).
- Multicast Router List - Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch.

MULTICAST FILTERING

Web - Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers.

[Screenshot: Multicast Router Port Information page, showing the VLAN ID selector and the Multicast Router List]
96.  response time to 20 seconds.

    Console(config)#ip igmp snooping query-max-response-time 20
    Console(config)#

Related Commands: ip igmp snooping version (4-240), ip igmp snooping query-max-response-time (4-245)

ip igmp snooping router-port-expire-time
This command configures the query timeout. Use the no form to restore the default.

Syntax
    ip igmp snooping router-port-expire-time seconds
    no ip igmp snooping router-port-expire-time
    seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired. (Range: 300-500)

Default Setting: 300 seconds

Command Mode: Global Configuration

Command Usage
The switch must use IGMPv2 for this command to take effect.

Example
The following shows how to configure the default timeout to 300 seconds.

    Console(config)#ip igmp snooping router-port-expire-time 300
    Console(config)#

Related Commands: ip igmp snooping version (4-240)

MULTICAST FILTERING COMMANDS

Static Multicast Routing Commands

Table 4-66 Static Multicast Routing Commands
Command | Function | Mode | Page
ip igmp snooping vlan mrouter | Adds a multicast router port | GC | 4-247
show ip igmp snooping mrouter | Shows multicast router ports | PE | 4-248

ip igmp snooping vlan mrouter
This command statically configures a multicast rout
97.  switch using the following options:
- User Accounts - Manually configure access rights on the switch for specified users.
- Authentication Settings - Use remote authentication to configure access rights.
- HTTPS Settings - Provide a secure web connection.
- SSH Settings - Provide a secure shell (for secure Telnet access).
- Port Security - Configure secure addresses for individual ports.
- 802.1X - Use IEEE 802.1X port authentication to control access to specific ports.
- IP Filter - Filters management access to the web, SNMP or Telnet interface.

Configuring User Accounts

The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place.

The default guest name is "guest" with the password "guest." The default administrator name is "admin" with the password "admin."

USER AUTHENTICATION

Command Attributes
- Account List - Displays the current list of user accounts and associated access levels. (Defaults: admin, and guest)
- New Account - Displays configuration settings for a new account.
  - User Name - The name of the user. (Maximum length: 8 characters; maximum number of users: 16)
  - Access Level - Specifies the user level. (Options: Normal and Privileged)
  - Password - Specifies th
98.  that is applied to the control code. Enter a decimal number, where the equivalent binary bit "1" means to match a bit and "0" means to ignore a bit. The following bits may be specified:
- 1 (fin) - Finish
- 2 (syn) - Synchronize
- 4 (rst) - Reset
- 8 (psh) - Push
- 16 (ack) - Acknowledgement
- 32 (urg) - Urgent pointer

CONFIGURING THE SWITCH

For example, use the code value and mask below to catch packets with the following flags set:
- SYN flag valid, use control-code 2, control bitmask 2
- Both SYN and ACK valid, use control-code 18, control bitmask 18
- SYN valid and ACK invalid, use control-code 2, control bitmask 18

Web - Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select "Host," enter a specific address. If you select "IP," enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.

[Screenshot: Extended ACL rule table for the ACL named "Tom"]

Figure 3-37 ACL Configuration - Extended IP
99.  timeout
Maximum number of reauthentication attempts.
Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (page 4-109).
Authorization status (authorized or not).
Shows if single or multiple hosts (clients) can connect to an 802.1X-authorized port.
The maximum number of hosts allowed to access this port (page 4-110).
Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 4-109).
MAC address of authorized client.
The integer (0-255) used by the Authenticator to identify the current authentication session.

Authenticator State Machine
- State - Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
- Reauth Count - Number of times connecting state is re-entered.

Backend State Machine
- State - Current state (including request, response, success, fail, timeout, idle, initialize).
- Request Count - Number of EAP Request packets sent to the Supplicant without receiving a response.
- Identifier(Server) - Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.

Reauthentication State Machine
- State - Current state (including initialize, reauthenticate).

Example
    Console#show dot1x
    Global 802.1X Parameters
100.  to another VLAN via GVRP.
- Private VLAN ports cannot be set to trunked mode. (See "switchport mode" on page 4-201.)

Example
    Console(config)#vlan database
    Console(config-vlan)#private-vlan 2 primary
    Console(config-vlan)#private-vlan 3 community
    Console(config)#

private-vlan association
Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN.

Syntax
    private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id}
    no private-vlan primary-vlan-id association
    primary-vlan-id - ID of primary VLAN. (Range: 1-4094, no leading zeroes)
    secondary-vlan-id - ID of secondary (i.e., community) VLAN. (Range: 1-4094, no leading zeroes)

Default Setting: None

Command Mode: VLAN Configuration

Command Usage
Secondary VLANs provide security for group members. The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN (e.g., servers configured with promiscuous ports) and to resources outside of the primary VLAN (via promiscuous ports).

Example
    Console(config-vlan)#private-vlan 2 association 3
    Console(config)#

VLAN COMMANDS

switchport mode private-vlan
Use this command to set the private VLAN mode for an interface. Use the no form to restore th
101.  to an authorized public key, and the client is authenticated.

Notes:
1. To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client's keys.
2. The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.

Generating the Host Key Pair

A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client's public key to the switch as described in the preceding section (Command Usage).

Field Attributes
- Public-Key of Host-Key - The public key for the host.
  - RSA (Version 1): The first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 65537), and the last string is the encoded modulus.
  - DSA (Version 2): The first field indicates that the encryption method used by SSH is based on the Digital Signature Standard (DSS). The last string is the encoded modulus.
- Host-Key Type - The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA (Version 1), DSA (Version 2), Both; Default: RSA)
  The SSH serve
102.  with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to four trunks. For example, a trunk consisting of two 1000 Mbps ports can support an aggregate bandwidth of 4 Gbps when operating at full duplex.

Table 4-44 Link Aggregation Commands
Command | Function | Mode | Page
Manual Configuration Commands
interface port-channel | Configures a trunk and enters interface configuration mode for the trunk | GC | 4-144
channel-group | Adds a port to a trunk | IC (Ethernet) | 4-165
Dynamic Configuration Command
lacp | Configures LACP for the current interface | IC (Ethernet) | 4-165
lacp system-priority | Configures a port's LACP system priority | IC (Ethernet) | 4-168
lacp admin-key | Configures a port's administration key | IC (Ethernet) | 4-169
lacp admin-key | Configures a port channel's administration key | IC (Port Channel) | 4-170
lacp port-priority | Configures a port's LACP port priority | IC (Ethernet) | 4-171
Trunk Status Display Command
show interfaces status port-channel | Shows trunk information | NE, PE | 4-152
show lacp | Shows LACP information | PE | 4-172

Guidelines for Creating Trunks

General Guidelines
- Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop.
- A trunk can have up to eight ports.
- The ports at both ends of a co
103.  unit/port
        unit - Stack unit. (This is unit 1.)
        port - Port number. (Range: 1-26/52)
      port-channel channel-id (Range: 1-4)

Default Setting: None

Command Mode: Privileged Exec

Example
    Console#show map ip dscp ethernet 1/1
    DSCP mapping status: enabled

     Port      DSCP COS
     Eth 1/ 1     0   0
     Eth 1/ 1     1   0
     Eth 1/ 1     2   0
     Eth 1/ 1     3   0

     Eth 1/ 1    63   0
    Console#

Related Commands: map ip dscp (Global Configuration) (4-233), map ip dscp (Interface Configuration) (4-233)

Multicast Filtering Commands

This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.

Table 4-63 Multicast Filtering Commands
Command Groups | Function | Page
IGMP Snooping | Configures multicast groups via IGMP snooping or static assignment, sets the IGMP version, displays current snooping and query settings, and displays the multicast service and group members | 4-238
IGMP Query | Configures IGMP query parameters for multicast filtering at Layer 2 | 4-242
Static Multicast Routing | Configures static multicast router ports | 4-247

IGMP Snooping Commands

Table 4-
104. 0
- Admin Link Type - The link type attached to this interface.
  - Point-to-Point - A connection to exactly one other bridge.
  - Shared - A connection to two or more bridges.
  - Auto - The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the default setting.)
- Admin Edge Port (Fast Forwarding) - You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying Edge Ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device. (Default: Disabled)
- Migration - If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the Protocol Migration button to manually re-check the appropriate BPDU format (RSTP or STP-compatible) to send on th
105. 00
    Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
    Console(config-mac-acl)#

Related Commands: access-list mac (4-128)

show mac access-list
This command displays the rules for configured MAC ACLs.

Syntax
    show mac access-list [acl_name]
    acl_name - Name of the ACL. (Maximum length: 16 characters)

Command Mode: Privileged Exec

Example
    Console#show mac access-list
    MAC access-list jerry:
      permit any host 00-e0-29-94-34-de ethertype 800 800
    Console#

Related Commands: permit, deny (4-130), mac access-group (4-132)

mac access-group
This command binds a port to a MAC ACL. Use the no form to remove the port.

Syntax
    mac access-group acl_name in
    acl_name - Name of the ACL. (Maximum length: 16 characters)
    in - Indicates that this list applies to ingress packets.

Default Setting: None

Command Mode: Interface Configuration (Ethernet)

Command Usage
- A port can only be bound to one ACL.
- If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.

Example
    Console(config)#interface ethernet 1/25
    Console(config-if)#mac access-group jerry in
    Console(config-if)#

Related Commands: show mac access-list (4-131)

show mac access-group
This command shows the ports assigned to MAC ACLs.

Command Mode: Privileged Exec

Example
    Consol
106. 0030F1D32600
     Fast forwarding: disabled
     Forward transitions: 0
     Admin edge port: disabled
     Oper edge port: disabled
     Admin Link type: auto
     Oper Link type: point-to-point
     Spanning Tree Status: enabled
    Console#

Configuring Interface Settings

You can configure RSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port. You may use a different priority or path cost for ports of the same media type to indicate the preferred path, link type to indicate a point-to-point connection or shared-media connection, and edge port to indicate if the attached device can support fast forwarding. (References to "ports" in this section means "interfaces," which includes both ports and trunks.)

Command Attributes
The following attributes are read-only and cannot be changed:
- STA State - Displays current state of this port within the Spanning Tree. (See Displaying Interface Settings on page 3-133 for additional information.)
  - Discarding - Port receives STA configuration messages, but does not forward packets.
  - Learning - Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses.
  - Forwarding - Port forwards packets, and continues learning addresses.
- Trunk - Indicates if a port is a me
107. 01-2100)

Default Setting: None

Command Mode: Privileged Exec

Example
This example shows how to set the system clock to 15:12:34, April 1st, 2004.

    Console#calendar set 15 12 34 1 April 2004
    Console#

show calendar
This command displays the system clock.

Default Setting: None

Command Mode: Normal Exec, Privileged Exec

Example
    Console#show calendar
     15:12:45 April 1 2004
    Console#

System Status Commands

Table 4-23 System Status Commands
Command | Function | Mode | Page
show startup-config | Displays the contents of the configuration file (stored in flash memory) that is used to start up the system | PE | 4-79
show running-config | Displays the configuration data currently in use | PE | 4-81
show system | Displays system information | NE, PE | 4-83
show users | Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet clients | NE, PE | 4-84
show version | Displays version information for the system | NE, PE | 4-84

show startup-config
This command displays the configuration file stored in non-volatile memory that is used to start up the system.

Default Setting: None

Command Mode: Privileged Exec

Command Usage
- Use this command in conjunction with the show running-config command to compare the information in running memory to the informat
108. 03
Shows if acceptable VLAN frames include all types or tagged frames only (page 4-202).
Native VLAN | Indicates the default Port VLAN ID (page 4-204).
Priority for untagged traffic | Indicates the default priority for untagged frames (page 4-222).
Gvrp status | Shows if GARP VLAN Registration Protocol is enabled or disabled (page 4-219).
Allowed Vlan | Shows the VLANs this interface has joined, where "(u)" indicates untagged and "(t)" indicates tagged (page 4-205).
Forbidden Vlan | Shows the VLANs this interface can not dynamically join via GVRP (page 4-206).
Private VLAN mode | Shows the private VLAN mode as host, promiscuous, or none (4-213).
Private VLAN host-association | Shows the secondary (or community) VLAN with which this port is associated (4-214).
Private VLAN mapping | Shows the primary VLAN mapping for a promiscuous port (4-215).

MIRROR PORT COMMANDS

Mirror Port Commands

This section describes how to mirror traffic from a source port to a target port.

Table 4-42 Mirror Port Commands
Command | Function | Mode | Page
port monitor | Configures a mirror session | IC | 4-157
show port monitor | Shows the configuration for a mirror port | PE | 4-158

port monitor
This command configures a mirror session. Use the no form to clear a mirror session.

Syntax
    port monitor interface [rx | tx]
    no port monitor interface
    interface - ethernet unit/port (source port
109.  SMTP Alert Commands
Time Commands
System Status Commands
Frame Size Commands
Flash/File Commands
File Directory Information
Authentication Commands
Authentication Sequence
RADIUS Client Commands
TACACS Commands
Port Security Commands
802.1X Port Authentication
Access Control Lists
IP ACLs
Egress Queue Priority Mapping
MAC ACLs
Egress Queue Priority Mapping
ACL Information
SNMP Commands
Interface Commands
Interfaces Switchport Statistics
Mirror Port Commands
Rate Limit Commands
Link Aggregation Commands
show lacp counters
110. 1/1
    Console(config-if)#garp timer join 100
    Console(config-if)#

Related Commands: show garp timer (4-221)

show garp timer
This command shows the GARP timers for the selected interface.

Syntax
    show garp timer [interface]
    interface
      ethernet unit/port
        unit - Stack unit. (This is unit 1.)
        port - Port number. (Range: 1-26/52)
      port-channel channel-id (Range: 1-4)

Default Setting: Shows all GARP timers.

Command Mode: Normal Exec, Privileged Exec

Example
    Console#show garp timer ethernet 1/1
    Eth 1/ 1 GARP timer status:
     Join timer: 100 centiseconds
     Leave timer: 60 centiseconds
     Leaveall timer: 1000 centiseconds
    Console#

Related Commands: garp timer (4-220)

Priority Commands

The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port's high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, the relative weight of each queue, and the mapping of frame priority tags to the switch's priority queues.

Table 4-57 Priority Commands
Command Groups | Function | Page
Priority (Layer 2) | Configures default priority for untagged frames, sets queue weights
111. 10.7.1.x. For example, if the rule is matched, i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.

Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#

This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP).

Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80
Console(config-ext-acl)#

This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to "SYN."

Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
Console(config-ext-acl)#

Related Commands
access-list ip (4-119)

show ip access-list

This command displays the rules for configured IP ACLs.

Syntax
show ip access-list {standard | extended} [acl_name]

standard - Specifies a standard IP ACL.
extended - Specifies an extended IP ACL.
acl_name - Name of the ACL. (Maximum length: 16 characters)

Command Mode
Privileged Exec

Example
Console#show ip access-list standard
IP standard access-list david:
 permit host 10.1.1.21
 permit 168.92.16.0 255.255.240.0
Console#

Related Commands
permit, deny (4-120)
ip access-group (4-125)

ip access-group

This command binds a port to an IP ACL. Use the
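The masked address comparison and the control-flag match used by the rules above, as an added example (not code from the guide or the switch firmware). It assumes rules are tried in list order with the first match deciding, models the second rule as TCP as the guide describes it, and assumes the two control-flag numbers are a value and a bitmask compared the same way as addresses; Packet, Rule and evaluate are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

SYN, ACK = 0x02, 0x10  # TCP control bits


def to_int(addr: str) -> int:
    """Dotted-quad IPv4 address as a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Packet:  # hypothetical packet summary, constructed for this example
    src: str
    protocol: str = "tcp"
    dst_port: int = 0
    tcp_flags: int = 0


@dataclass(frozen=True)
class Rule:  # hypothetical model of one permit/deny line (destination is "any")
    action: str
    src: str
    mask: str
    protocol: Optional[str] = None  # None = any protocol
    dst_port: Optional[int] = None  # None = any destination port
    flag_code: int = 0
    flag_mask: int = 0              # 0 = control flags are not checked

    def matches(self, pkt: Packet) -> bool:
        m = to_int(self.mask)
        # The guide's test: (rule address & mask) == (packet address & mask)
        if (to_int(pkt.src) & m) != (to_int(self.src) & m):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.flag_mask:
            if pkt.protocol != "tcp":
                return False
            # Assumed semantics: only the bits selected by the mask are compared
            if (pkt.tcp_flags & self.flag_mask) != (self.flag_code & self.flag_mask):
                return False
        return True


def evaluate(rules: Sequence[Rule], pkt: Packet) -> Optional[str]:
    """Action of the first matching rule, or None when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


# The three permit rules quoted in the guide's examples
RULES = [
    Rule("permit", "10.7.1.1", "255.255.255.0"),
    Rule("permit", "192.168.1.0", "255.255.255.0", protocol="tcp", dst_port=80),
    Rule("permit", "192.168.1.0", "255.255.255.0", protocol="tcp",
         flag_code=2, flag_mask=2),
]

if __name__ == "__main__":
    samples = [  # constructed sample packets
        Packet("10.7.1.2", "udp", 53),
        Packet("192.168.1.50", "tcp", 22, SYN),
        Packet("192.168.1.50", "tcp", 22, SYN | ACK),
        Packet("192.168.1.50", "tcp", 22, ACK),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))
```

Under these assumptions a value and mask of 2 2 also match a SYN+ACK segment, because only the SYN bit is compared; a mask that covers the ACK bit as well (18 in this model) is what separates a bare SYN from a SYN+ACK.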
113. 15 seconds

Command Mode
Global Configuration

Command Usage
This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state; otherwise, temporary data loops might result.

Example
Console(config)#spanning-tree forward-time 20
Console(config)#

spanning-tree hello-time

This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree hello-time time
no spanning-tree hello-time

time - Time in seconds. (Range: 1-10 seconds) The maximum value is the lower of 10 or [(max-age / 2) - 1].

Default Setting
2 seconds

Command Mode
Global Configuration

Command Usage
This command sets the time interval (in seconds) at which the root device transmits a configuration message.

Example
Console(config)#spanning-tree hello-time 5
Console(config)#

spanning-tree max-age

This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree max-age seconds
no spanning-tree max-age

seconds - Time i
114. 168.1.19

Set the Optional Parameters - Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.

Enable SSH Service - Use the ip ssh server command to enable the SSH server on the switch.

Configure Challenge-Response Authentication - When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process:

a. The client sends its public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client.
d. The client uses its private key to decrypt the bytes, and sends the decrypted bytes back to the switch.
e. The switch compares the decrypted bytes to the original bytes it sent. If the two sets match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.

Note: To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client's keys.

ip
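Steps a to e above as an added example, not the switch's SSH implementation: it uses unpadded textbook RSA with small fixed primes only to make the exchange visible, which is not how a real SSH server encodes or protects the challenge. Switch, make_keypair, respond and login are hypothetical names, and both key pairs are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Iterable, Optional

E = 65537  # public exponent used for every toy key here


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int = E


@dataclass(frozen=True)
class KeyPair:
    public: PublicKey
    d: int  # private exponent, never leaves the client


def make_keypair(p: int, q: int) -> KeyPair:
    """Textbook RSA key from two primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(PublicKey(n), pow(E, -1, phi))


class Switch:
    """Server side: holds authorized public keys and one pending challenge."""

    def __init__(self, authorized: Iterable[PublicKey]):
        self._authorized = set(authorized)
        self._pending: Optional[int] = None

    def challenge(self, client_pub: PublicKey) -> Optional[int]:
        self._pending = None
        if client_pub not in self._authorized:        # step b: compare to stored keys
            return None
        # step c: random bytes (as an integer below n), encrypted to the client's key
        self._pending = secrets.randbits(120) | (1 << 119)
        return pow(self._pending, client_pub.e, client_pub.n)

    def verify(self, response: int) -> bool:
        # step e: compare the returned bytes with the original; a challenge is single-use
        expected, self._pending = self._pending, None
        if expected is None or not 0 <= response < 1 << 512:
            return False
        return hmac.compare_digest(expected.to_bytes(64, "big"),
                                   response.to_bytes(64, "big"))


def respond(holder: KeyPair, encrypted: int) -> int:
    """Step d: the client decrypts with the private key it actually holds."""
    return pow(encrypted, holder.d, holder.public.n)


def login(switch: Switch, presented: PublicKey, holder: KeyPair) -> bool:
    encrypted = switch.challenge(presented)           # step a: client sends a public key
    if encrypted is None:
        return False
    return switch.verify(respond(holder, encrypted))


# Constructed toy keys built from Mersenne primes; far too small for real use
ALICE = make_keypair(2**61 - 1, 2**89 - 1)
OTHER = make_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    sw = Switch([ALICE.public])
    print("authorized key, matching private key:", login(sw, ALICE.public, ALICE))
    print("key not stored on the switch:", login(sw, OTHER.public, OTHER))
    print("authorized key, wrong private key:", login(sw, ALICE.public, OTHER))
```

The third case is the one the exchange exists for: presenting an authorized public key is not enough, because only the holder of the matching private key can return the original bytes.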
115. 2

APPENDIX B TROUBLESHOOTING

Problems Accessing the Management Interface

Table B-1 Troubleshooting Chart

Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
- Be sure the switch is powered up.
- Check network cabling between the management station and the switch.
- Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
- Be sure you have configured the VLAN interface through which the management station is connected with a valid IP address, subnet mask and default gateway.
- Be sure the management station has an IP address in the same subnet as the switch's IP interface to which it is connected.
- If you are trying to connect to the switch via the IP address for a tagged VLAN group, your management station, and the ports connecting intermediate switches in the network, must be configured with the appropriate tag.
- If you cannot connect using Telnet, you may have exceeded the maximum number of concurrent Telnet/SSH sessions permitted. Try connecting again at a later time.

Table B-1 Troubleshooting Chart (Continued)

Symptom: Cannot connect using Secure Shell
Symptom: Cannot access the on-board configuration program via a serial port connection
Action:
- If you cannot connect using SSH, you may have exceeded the maximum number of concurrent Telnet/SSH sessions permitted. Try connecting again
116. 2 System Defaults

Function / Parameter / Default

Console Port Connection
  Baud Rate: 9600
  Data bits: 8
  Stop bits: 1
  Parity: none
  Local Console Timeout: 0 (disabled)

Authentication
  Privileged Exec Level: Username "admin", Password "admin"
  Normal Exec Level: Username "guest", Password "guest"
  Enable Privileged Exec from Normal Exec Level: Password "super"
  RADIUS Authentication: Disabled
  TACACS Authentication: Disabled
  802.1X Port Authentication: Disabled
  HTTPS: Enabled
  SSH: Disabled
  Port Security: Disabled
  IP Filtering: Disabled

Table 1-2 System Defaults

Function / Parameter / Default

Web Management
  HTTP Server: Enabled
  HTTP Port Number: 80
  HTTP Secure Server: Enabled
  HTTP Secure Port Number: 443

SNMP
  Community Strings: "public" (read only), "private" (read/write)
  Traps: Authentication traps: enabled; Link-up-down events: enabled

Port Configuration
  Admin Status: Enabled
  Auto-negotiation: Enabled
  Flow Control: Disabled

Rate Limiting
  Input and output limits: Disabled

Port Trunking
  Static Trunks: None
  LACP (all ports): Disabled

Broadcast Storm Control
  Status: Disabled (all ports)
  Broadcast Limit Rate: 32,000 octets per second

Spanning Tree Algorithm
  Status: Enabled, RSTP (Defaults: All values based on IEEE 802.1w)
  Fast Forwarding (Edge Port): Disabled

Address Table
  Aging Time: 300 se
117. If you are looking for further contact information, please visit www.smc.com, www.smc-europe.com, or www.smc-asia.com.

SMC Networks
38 Tesla
Irvine, CA 92618
Phone: (949) 679-8000

Model Number: SMC6726AL2, SMC6752AL2
Pub. Number: 149100005200H
Revision Number: F2.2.6.3 E012005-R01
118. 4.0.0.12 ethernet 1/5
Console(config)#

ip igmp snooping version

This command configures the IGMP snooping version. Use the no form to restore the default.

Syntax
ip igmp snooping version {1 | 2}
no ip igmp snooping version

1 - IGMP Version 1
2 - IGMP Version 2

Default Setting
IGMP Version 2

Command Mode
Global Configuration

Command Usage
- All systems on the subnet must support the same version. If there are legacy devices in your network that only support Version 1, you will also have to configure this switch to use Version 1.
- Some commands are only enabled for IGMPv2, including ip igmp query-max-response-time and ip igmp query-timeout.

Example
The following configures the switch to use IGMP Version 1:

Console(config)#ip igmp snooping version 1
Console(config)#

MULTICAST FILTERING COMMANDS

show ip igmp snooping

This command shows the IGMP snooping configuration.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
See "Configuring IGMP Snooping and Query Parameters" on page 3-181 for a description of the displayed items.

Example
The following shows the current IGMP snooping configuration:

Console#show ip igmp snooping
 Service status: Enabled
 Querier status: Enabled
 Query count: 2
 Query interval: 125 sec
 Query max response time: 10 sec
 Router port expire time: 300 sec
 IGMP snooping version: Version 2
Console#

show mac-address-table
119. 4-103
Console(config)#tacacs-server key green                    4-103
Console#show tacacs-server                                 4-104
Server IP address: 10.20.30.40
Communication key with tacacs server:
Server port number: 200
Console#

Configuring HTTPS

You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch's web interface.

Command Usage

- Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port.
- If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number]
- When you start HTTPS, the connection is established in this way:
  - The client authenticates the server using the server's digital certificate.
  - The client and server negotiate a set of security protocols to use for the connection.
  - The client and server generate session keys for encrypting and decrypting data.
- The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above and Netscape Navigator 6.2 or above.
- The following web browsers and operating systems currently support HTTPS:

Table 3-4 HTTPS System Support
Web Browser / Operating System
Internet Explorer 5.0 or later / Windows 98, Windows NT (wit
120. Example
Console(config)#logging on
Console(config)#

Related Commands
logging history (4-60)
clear logging (4-64)

logging history

This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.

Syntax
logging history {flash | ram} level
no logging history {flash | ram}

flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
level - One of the levels listed below. Messages sent include the selected level down to level 0. (Range: 0-7)

Table 4-18 Logging Levels
Level / Severity Name / Description
7 / debugging / Debugging messages
6 / informational / Informational messages only
5 / notifications / Normal but significant condition, such as cold start
4 / warnings / Warning conditions (e.g., return false, unexpected return)
3 / errors / Error conditions (e.g., invalid input, default used)
2 / critical / Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)
1 / alerts / Immediate action needed
0 / emergencies / System unusable

* There are only Level 2, 5 and 6 error messages for the current firmware release.

There
121. 6
capabilities (flowcontrol, symmetric) (4-147)

shutdown

This command disables an interface. To restart a disabled interface, use the no form.

Syntax
[no] shutdown

Default Setting
All interfaces are enabled.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved. You may also want to disable a port for security reasons.

Example
The following example disables port 5.

Console(config)#interface ethernet 1/5
Console(config-if)#shutdown
Console(config-if)#

switchport broadcast packet-rate

This command configures broadcast storm control. Use the no form to disable broadcast storm control.

Syntax
switchport broadcast octet-rate rate
no switchport broadcast

rate - Threshold level as a rate; i.e., octets per second. (Range: 64-95232000)

Default Setting
Enabled for all ports
Packet-rate limit: 32000 octets per second

Command Mode
Interface Configuration (Ethernet)

Command Usage
- When broadcast traffic exceeds the specified threshold, packets above that threshold are dropped.
- This command can enable or disable broadcast storm control for the selected interface. However, the specified threshold value applies to all ports on the switch.

INTERFACE COMMANDS

Example
The foll
122. [Figure 3-32 802.1X Port Configuration]

CLI - This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see "show dot1x" on page 4-114.

802.1X Port Details
802.1X is disabled on port 1/1

802.1X is enabled on port 1/2
 reauth-enabled: Enable
 reauth-period: 1800
 quiet-period: 30
 tx-period: 40
 supplicant-timeout: 30
 server-timeout: 10
 reauth-max: 2
 max-req: 5
Status Authorized
Operation mode Single-Host
Max count 5
Port-control Auto
Supplicant 00-00-e8-49-5e-dc
Current Identifier 3

Authenticator State Machine
State Authenticated
Reauth Count 0

Backend State Machine
State Idle
Request Count 0
Identifier(Server) 2

Reauthentication State Machine
State Initialize

802.1X is disabled on port 1/26
Console#

Console(config)#interface ethernet 1/2                     4-144
Console(config-if)#dot1x port-control auto                 4-109
Console(config-if)#dot1x re-authentication                 4-111
Console(config-if)#dot1x max-req 5                         4-109
Console(config-if)#dot1x timeout quiet-period 30           4-112
Console(confi
123. 64 IGMP Snooping Commands

Command / Function / Mode / Page
ip igmp snooping / Enables IGMP snooping / GC / 4-239
ip igmp snooping vlan static / Adds an interface as a member of a multicast group / GC / 4-239
ip igmp snooping version / Configures the IGMP version for snooping / GC / 4-240
show ip igmp snooping / Shows the IGMP snooping and query configuration / PE / 4-241
show mac-address-table multicast / Shows the IGMP snooping MAC multicast list / PE / 4-241

ip igmp snooping

This command enables IGMP snooping on this switch. Use the no form to disable it.

Syntax
[no] ip igmp snooping

Default Setting
Enabled

Command Mode
Global Configuration

Example
The following example enables IGMP snooping.

Console(config)#ip igmp snooping
Console(config)#

ip igmp snooping vlan static

This command adds a port to a multicast group. Use the no form to remove the port.

Syntax
[no] ip igmp snooping vlan vlan-id static ip-address interface

vlan-id - VLAN ID (Range: 1-4094)
ip-address - IP address for multicast group
interface
  ethernet unit/port
    unit - Stack unit. (This is unit 1.)
    port - Port number. (Range: 1-26/52)
  port-channel channel-id (Range: 1-4)

Default Setting
None

Command Mode
Global Configuration

Example
The following shows how to statically configure a multicast group on a port:

Console(config)#ip igmp snooping vlan 1 static 22
124. 7

Command Attributes

- Priority - CoS value. (Range: 0-7, where 7 is the highest priority)
- Traffic Class - Output queue buffer. (Range: 0-3, where 3 is the highest CoS priority queue)

Web - Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply.

[Figure 3-73 Traffic Classes]

CLI - The following example shows how to change the CoS assignments.

Console(config)#interface ethernet 1/1                     4-144
Console(config-if)#queue cos-map 0 0                       4-226
Console(config-if)#queue cos-map 1 1
Console(config-if)#queue cos-map 2 2
Console(config-if)#end
Console#show queue cos-map ethernet 1/1                    4-228
Information of Eth 1/1
 CoS Value  c  132 3
 Priority Queue  0 12 1
Console     5  2    Co Ov    4 7  2 3

Note: Mapping specific values for CoS priorities is implemented as an interface configuration command, but any changes will apply to all interfaces on the switch.

CLI shows Queue ID.

CLASS OF SERVICE CONFIGURATION

Selecting the Queue Mode

You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority que
125. A root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.

Example
Console(config)#spanning-tree priority 40960
Console(config)#

spanning-tree pathcost method

This command configures the path cost method used for Rapid Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree pathcost method {long | short}
no spanning-tree pathcost method

long - Specifies 32-bit based values that range from 0-200,000,000.
short - Specifies 16-bit based values that range from 0-65535.

Default Setting
Long method

Command Mode
Global Configuration

Command Usage
The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 4-190) takes precedence over port priority (page 4-191).

Example
Console(config)#spanning-tree pathcost method long
Console(config)#

spanning-tree transmission-limit

This command configures the minimum interval between the transmission of consecutive RSTP BPDUs. Use the no form to restore the default.

Syntax
spanning-tree transmission-limit count
no spanning-tree transmission-limit

count - The transmission limit in seconds. (Range: 1-10)

Default Setting
3
126. ACL rule
show map access-list ip / Shows CoS value mapped to an access list for an interface / PE / 4-127

access-list ip

This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL.

Syntax
[no] access-list ip {standard | extended} acl_name

standard - Specifies an ACL that filters packets based on the source IP address.
extended - Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl_name - Name of the ACL. (Maximum length: 16 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
- When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
- To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
- An ACL can contain up to 22 rules.

Example
Console(config)#access-list ip standard david
Console(config-std-acl)#

Related Commands
permit, deny (4-120)
ip access-group (4-125)
show ip access-list (4-124)

permit, deny (Standard ACL)

This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source
127. ACP system priority assigned to this port channel.
LACP Port Priority / LACP port priority assigned to this interface within the channel group.

LINK AGGREGATION COMMANDS

Table 4-46 show lacp internal - display description (Continued)

Field / Description

Admin State, Oper State / Administrative or operational values of the actor's state parameters:
- Expired - The actor's receive machine is in the expired state.
- Defaulted - The actor's receive machine is using defaulted operational partner information, administratively configured for the partner.
- Distributing - If false, distribution of outgoing frames on this link is disabled; i.e., distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information.
- Collecting - Collection of incoming frames on this link is enabled; i.e., collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information.
- Synchronization - The System considers this link to be IN_SYNC; i.e., it has been allocated to the correct Link Aggregation Group, the group has been associated with a compatible Aggregator, and the identity of the Link Aggregation Group is consistent with the System ID and operational Key information transmitted.
- Aggregation - The system considers this link to be a
128. ACPDUs Sent / Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received / Number of valid LACPDUs received on this channel group.
Marker Sent / Number of valid Marker PDUs transmitted from this channel group.
Marker Received / Number of valid Marker PDUs received by this channel group.
LACPDUs Unknown Pkts / Number of frames received that either: (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
LACPDUs Illegal Pkts / Number of frames that carry the Slow Protocols Ethernet Type value, but contain a badly formed PDU or an illegal value of Protocol Subtype.

Console#show lacp 1 internal
Port channel : 1
Oper Key : 4
Admin Key : 0
Eth 1/1
 LACPDUs Internal : 30 sec
 LACP System Priority : 32768
 LACP Port Priority : 32768
 Admin Key : 4
 Oper Key : 4
 Admin State : defaulted, aggregation, long timeout, LACP-activity
 Oper State : distributing, collecting, synchronization, aggregation, long timeout, LACP-activity

Table 4-46 show lacp internal - display description

Field / Description
Oper Key / Current operational value of the key for the aggregation port.
Admin Key / Current administrative value of the key for the aggregation port.
LACPDUs Internal / Number of seconds before invalidating received LACPDU information.
LACP System   L
129. C6726AL2. Other than the number of fixed ports, there are no major differences between the SMC6726AL2 and SMC6752AL2.

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3-1 Configuration Options
Button / Action
Revert / Cancels specified values and restores current values prior to pressing Apply.
Apply / Sets specified values to the system.
Help / Links directly to webhelp.

Notes:
1. To ensure proper screen refresh, be sure that Internet Explorer 5.x is configured as follows: Under the menu "Tools / Internet Options / General / Temporary Internet Files / Settings," the setting for item "Check for newer versions of stored pages" should be "Every visit to the page."
2. When using Internet Explorer 5.0, you may have to manually refresh the screen after making configuration changes by pressing the browser's refresh button.

Panel Display

The web agent displays an image of the switch's ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as describ
130. Configuration. Fill in the required settings for each interface, click Apply.

[Figure 3-66 VLAN Port Configuration]

CLI - This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.

Console(config)#interface ethernet 1/3                            4-144
Console(config-if)#switchport acceptable-frame-types tagged       4-202
Console(config-if)#switchport ingress-filtering                   4-203
Console(config-if)#switchport native vlan 3                       4-204
Console(config-if)#switchport gvrp                                4-219
Console(config-if)#garp timer join 20                             4-220
Console(config-if)#garp timer leave 90                            4-220
Console(config-if)#garp timer leaveall 2000                       4-220
Console(config-if)#switchport mode hybrid                         4-201
Console(config-if)#

Private VLANs

Private VLANs provide port-based security and iso
131. Console(config)#

map ip dscp (Interface Configuration)

This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table.

Syntax
map ip dscp dscp-value cos cos-value
no map ip dscp

dscp-value - 8-bit DSCP value. (Range: 0-63)
cos-value - Class of Service value (Range: 0-7)

Default Setting
The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0.

Table 4-62 IP DSCP to CoS Values
IP DSCP Value / CoS Value
0 / 0
8 / 1
10, 12, 14, 16 / 2
18, 20, 22, 24 / 3
26, 28, 30, 32, 34, 36 / 4
38, 40, 42 / 5
48 / 6
46, 56 / 7

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
- The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
- DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues.
- This command sets the IP DSCP priority for all interfaces.

Example
The following example shows how to map IP DSCP value 1 to CoS value 0:

Console(config)#interface ethernet 1/5
Console(config-if)#map ip dscp 1 cos 0
Console(config-if)#

PRIORITY COMMANDS

show map ip port

Use this com
132. Console(config)#

radius-server retransmit

This command sets the number of retries. Use the no form to restore the default.

Syntax
radius-server retransmit number_of_retries
no radius-server retransmit

number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30)

Default Setting
2

Command Mode
Global Configuration

Example
Console(config)#radius-server retransmit 5
Console(config)#

radius-server timeout

This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.

Syntax
radius-server timeout number_of_seconds
no radius-server timeout

number_of_seconds - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535)

Default Setting
5

AUTHENTICATION COMMANDS

Command Mode
Global Configuration

Example
Console(config)#radius-server timeout 10
Console(config)#

show radius-server

This command displays the current settings for the RADIUS server.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show radius-server
Remote RADIUS server configuration:
Global settings:
 Communication key with RADIUS server:
 Server port number: 1812
 Retransmit times: 2
 Request timeout: 5
Sever 1:
 Server IP address: 192.168.1.1
 Communication key with RADIUS server:
 Server port nu
133. E COMMANDS

parity

This command defines the generation of a parity bit. Use the no form to restore the default setting.

Syntax
  parity {none | even | odd}
  no parity

  - none - No parity
  - even - Even parity
  - odd - Odd parity

Default Setting
  No parity

Command Mode
  Line Configuration

Command Usage
  Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.

Example
  To specify no parity, enter this command:

  Console(config-line)#parity none
  Console(config-line)#

speed

This command sets the terminal line's baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.

Syntax
  speed bps
  no speed

  bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps)

Default Setting
  9600

Command Mode
  Line Configuration

Command Usage
  Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported.

Example
  To specify 57600 bps, enter this command:

  Console(config-line)#speed 57600
  Console(config-line)#

stopbits

This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default settin
134. Example
  The following shows mirroring configured from port 6 to port 11:

  Console(config)#interface ethernet 1/11
  Console(config-if)#port monitor ethernet 1/6 rx
  Console(config-if)#end
  Console#show port monitor
  Port Mirroring
   Destination port(listen port): Eth1/11
   Source port(monitored port): Eth1/6
   Mode: RX
  Console#

Rate Limit Commands

This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.

Rate limiting can be applied to individual ports or trunks. When an interface is configured with this feature, the traffic rate will be monitored by the hardware to verify conformity. Non-conforming traffic is dropped, conforming traffic is forwarded without any changes.

Note: The "rate limit granularity" is multiplied by the "rate limit" (page 4-160) to set the actual rate limit for an interface. Granularity is a global setting that applies to Fast Ethernet or Gigabit Ethernet interfaces.

Table 4-43 Rate Limit Commands

  Command                  Function                                                 Mode   Page
  rate-limit               Configures the maximum input or output rate for a port   IC     4-160
  rate-limit granularity   Sets the Fast Ethernet and Gigabit Ethernet gran         IC     4-161
135. Exec mode.

Default Setting
  None

GENERAL COMMANDS

Command Mode
  Global Configuration, Interface Configuration, Line Configuration, and VLAN Database Configuration

Example
  This example shows how to return to the Privileged Exec mode from the Interface Configuration mode:

  Console(config-if)#end
  Console#

exit

This command returns to the previous configuration mode or exits the configuration program.

Default Setting
  None

Command Mode
  Any

Example
  This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:

  Console(config)#exit
  Console#exit

  Press ENTER to start session

  User Access Verification

  Username:

quit

This command exits the configuration program.

Default Setting
  None

Command Mode
  Normal Exec, Privileged Exec

Command Usage
  The quit and exit commands can both exit the configuration program.

Example
  This example shows how to quit a CLI session:

  Console#quit

  Press ENTER to start session

  User Access Verification

  Username:

System Management Commands

These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information.

Table 4-7 System Management Commands

  Command Group   Function                                                  Page
  Device          Configures information that uniquely identifies this     4-33
136. F OR IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE, USE, PERFORMANCE, FAILURE, OR INTERRUPTION OF ITS PRODUCTS, EVEN IF SMC OR ITS AUTHORIZED RESELLER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR THE LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES FOR CONSUMER PRODUCTS, SO THE ABOVE LIMITATIONS AND EXCLUSIONS MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, WHICH MAY VARY FROM STATE TO STATE. NOTHING IN THIS WARRANTY SHALL BE TAKEN TO AFFECT YOUR STATUTORY RIGHTS.

SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase.

SMC Networks, Inc.
38 Tesla
Irvine, CA 92618
137. SYSTEM MANAGEMENT COMMANDS

Event Logging Commands

Table 4-17 Event Logging Commands

  Command            Function                                                           Mode   Page
  logging on         Controls logging of error messages                                 GC     4-59
  logging history    Limits syslog messages saved to switch memory based on severity    GC     4-60
  logging host       Adds a syslog server host IP address that will receive logging     GC     4-61
                     messages
  logging facility   Sets the facility type for remote logging of syslog messages       GC     4-62
  logging trap       Limits syslog messages saved to a remote server based on severity  GC     4-63
  clear logging      Clears messages from the logging buffer                            PE     4-64
  show logging       Displays the state of logging                                      PE     4-64
  show log           Displays log messages                                              PE     4-67

logging on

This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process.

Syntax
  [no] logging on

Default Setting
  None

Command Mode
  Global Configuration

Command Usage
  The logging process controls error messages saved to switch memory. You can use the logging history command to control the type of error messages that are stored.
138. LH      1000full

- Trunk - Indicates if a port is a member of a trunk. To create trunks and select port members, see "Creating Trunk Groups" on page 3-92.

Note: Auto-negotiation must be disabled before you can configure or force the interface to use the Speed/Duplex Mode or Flow Control options.

Web - Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply.

[Figure 3-41 Port/Trunk Configuration]

CLI - Select the interface, and then enter the required settings.

  Console(config)#interface ethernet 1/13              4-144
  Console(config-if)#description RD SW 13              4-144
  Console(config-if)#shutdown                          4-149
  Console(config-if)#no shutdown
  Console(config-if)#no negotiation                    4-146
  Console(config-if)#speed-duplex 100half              4-145
  Console(config-if)#flowcontrol                       4-148
  Console(config-if)#negotiation
  Console(config-if)#capabilities 100half              4-147
  Console(config-if)#capabilities 100full
  Consol
139. LIST COMMANDS

Default Setting
  None

Command Mode
  Extended ACL

Command Usage
  - All new rules are appended to the end of the list.
  - Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate "match" and 0 bits to indicate "ignore." The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
  - You can specify both Precedence and ToS in the same rule. However, if DSCP is used, then neither Precedence nor ToS can be specified.
  - The control-code bitmask is a decimal number (representing an equivalent bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit "1" means to match a bit and "0" means to ignore a bit. The following bits may be specified:
      1 (fin) - Finish
      2 (syn) - Synchronize
      4 (rst) - Reset
      8 (psh) - Push
      16 (ack) - Acknowledgement
      32 (urg) - Urgent pointer
    For example, use the code value and mask below to catch packets with the following flags set:
      SYN flag valid, use "control-code 2 2"
      Both SYN and ACK valid, use "control-code 18 18"
      SYN valid and ACK invalid, use "control-code 2 18"

Example
  This example accepts any incoming packets if the source address is within subnet 
141. M   PE   4-54

  Command                Function                                                         Mode   Page
  ip ssh save host-key   Saves the host key from RAM to flash memory                      PE     4-54
  disconnect             Terminates a line connection                                     PE     4-25
  show ip ssh            Displays the status of the SSH server and the configured         PE     4-55
                         values for authentication timeout and retries
  show ssh               Displays the status of current SSH sessions                      PE     4-55
  show public-key        Shows the public key for the specified user or for the host      PE     4-57
  show users             Shows SSH users, including privilege level and public key type   PE     4-84

The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 4-95. If public key authentication is specified by the client, then you must configure authentication keys on both the client and the switch as described in the following section. Note that regardless of whether you use public key or password authentication, you still have to generate authentication keys on the switch and enable the SSH server.

To use the SSH server, complete these steps:

1. Generate a Host Key Pair - Use the ip ssh crypto host-key generate command to create a host public/private key pair.

2. Provide Host Public Key to Clients - Many SSH client programs automatically import the 
142. N COMMANDS

  - In "multi-host" mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.

Example
  Console(config)#interface eth 1/2
  Console(config-if)#dot1x operation-mode multi-host max-count 10
  Console(config-if)#

dot1x re-authenticate

This command forces re-authentication on all ports or a specific interface.

Syntax
  dot1x re-authenticate [interface]

  interface
    ethernet unit/port
    - unit - Stack unit. (This is unit 1.)
    - port - Port number. (Range: 1-52)

Command Mode
  Privileged Exec

Example
  Console#dot1x re-authenticate
  Console#

dot1x re-authentication

This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication.

Syntax
  [no] dot1x re-authentication

Command Mode
  Interface Configuration

Example
  Console(config)#interface eth 1/2
  Console(config-if)#dot1x re-authentication
  Console(config-if)#

dot1x timeout quiet-period

This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.

Syntax
  dot1x timeout quiet-period seconds
  no dot1x timeout quiet-period

  seconds - T
143. OMMANDS

Command Mode
  Global Configuration

Command Usage
  This command limits the maximum transmission rate for BPDUs.

Example
  Console(config)#spanning-tree transmission-limit 4
  Console(config)#

spanning-tree spanning-disabled

This command disables the spanning tree algorithm for the specified interface. Use the no form to reenable the spanning tree algorithm for the specified interface.

Syntax
  [no] spanning-tree spanning-disabled

Default Setting
  Enabled

Command Mode
  Interface Configuration (Ethernet, Port Channel)

Command Usage
  This command limits the maximum transmission rate for BPDUs.

Example
  This example disables the spanning tree algorithm for port 5.

  Console(config)#interface ethernet 1/5
  Console(config-if)#spanning-tree spanning-disabled
  Console(config-if)#

spanning-tree cost

This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default.

Syntax
  spanning-tree cost cost
  no spanning-tree cost

  cost - The path cost for the port. (Range: 1-200,000,000)
  The recommended range is:
    - Ethernet: 200,000-20,000,000
    - Fast Ethernet: 20,000-2,000,000
    - Gigabit Ethernet: 2,000-200,000

Default Setting
  - Ethernet - half duplex: 2,000,000; full duplex: 1,000,000; trunk: 500,000
  - Fast Ethernet - half duplex: 200,000; full duplex: 100,000; trunk: 50,000
  - Gigabit Ethernet - full duplex
144. RATION

Managing Firmware

You can upload/download firmware to or from a TFTP server, or copy files to and from switch units in a stack. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version. You must specify the method of file transfer, along with the file type and file names as required.

Command Attributes
  - File Transfer Method - The firmware copy operation includes these options:
      - file to file - Copies a file within the switch directory, assigning it a new name.
      - file to tftp - Copies a file from the switch to a TFTP server.
      - tftp to file - Copies a file from a TFTP server to the switch.
      - file to unit - Copies a file from this switch to another unit in the stack.
      - unit to file - Copies a file from another unit in the stack to this switch.
  - TFTP Server IP Address - The IP address of a TFTP server.
  - File Type - Specify opcode (operational code) to copy firmware.
  - File Name - The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, ".", "-", "_")

Note: Up to two copies of the system software (i.e., the runtime firmware) can be stor
145. Range: 0-65535; Default: 1)

  - Port Priority - If a link goes down, LACP port priority is used to select a backup link. (Range: 0-65535; Default: 32768)

Set Port Partner - This menu sets the remote side of an aggregate link, i.e., the ports on the attached device. The command attributes have the same meaning as those used for the port actor. However, configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.

Web - Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.

[Figure 3-44 LACP - Aggregation Port]

3-100  PORT CONFIGURATION

CLI - The following example configures LACP p
146. Restart DHCP - Requests a new IP address from the DHCP server.

Manual Configuration

Web - Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to "Static," enter the IP address, subnet mask and gateway, then click Apply.

[Figure 3-6 Manual IP Configuration]

BASIC CONFIGURATION

CLI - Specify the management interface, IP address and default gateway.

  Console#config
  Console(config)#interface vlan 1                           4-144
  Console(config-if)#ip address 10.1.0.254 255.255.255.0     4-249
  Console(config-if)#exit
  Console(config)#ip default-gateway 192.168.1.254           4-252
  Console(config)#

Using DHCP/BOOTP

If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.

Web - Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.

[Figure: IP Configuration web page (IP Address Mode: DHCP)]
148. String that describes the system location. (Maximum length: 255 characters)

Default Setting
  None

SNMP COMMANDS

Command Mode
  Global Configuration

Example
  Console(config)#snmp-server location Room 23
  Console(config)#

Related Commands
  snmp-server contact (4-138)

snmp-server host

This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.

Syntax
  snmp-server host host-addr community-string [version {1 | 2c}]
  no snmp-server host host-addr

  - host-addr - Internet address of the host (the targeted recipient). (Maximum host addresses: 5 trap destination IP address entries)
  - community-string - Password-like community string sent with the notification operation. Although you can set this string using the snmp-server host command by itself, we recommend that you define this string using the snmp-server community command prior to using the snmp-server host command. (Maximum length: 32 characters)
  - version - Specifies whether to send notifications as SNMP v1 or v2c traps. (Range: 1, 2c; Default: 1)

Default Setting
  Host Address: None
  SNMP Version: 1

Command Mode
  Global Configuration

Command Usage
  - If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp serv
149. TigerSwitch 10/100

24/48-Port 10/100Mbps Fast Ethernet Managed Switch

- 24/48 auto-MDI/MDI-X 10BASE-T/100BASE-TX ports
- 2 Gigabit RJ-45 ports shared with 2 SFP transceiver slots
- 2 Gigabit RJ-45 ports
- 8.8/17.6 Gbps of aggregate bandwidth
- Non-blocking switching architecture
- Spanning Tree Protocol and Rapid STP
- Up to four LACP or static 4-port trunks
- Layer 2/3/4 CoS support through four priority queues
- Full support for VLANs with GVRP
- IGMP multicast filtering and snooping
- Support for jumbo frames up to 9 KB
- Manageable via console, Web, SNMP/RMON

Management Guide
SMC Networks
SMC6726AL2, SMC6752AL2

TigerSwitch 10/100 Management Guide

From SMC's Tiger line of feature-rich workgroup LAN solutions

SMC Networks
38 Tesla
Irvine, CA 92618
Phone: (949) 679-8000

January 2005
Pub. # 149100005200H

Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC. SMC reserves the right to change specifications at any time without notice.

Copyright © 2005 by SMC Networks, Inc., 38 Tesla, Irvine, CA 92618. All rights reserved.

Trademarks: SMC is a registered trademark, and EZ Switch, TigerStack and TigerSwitch are tr
150. Time (sec.):
  Root Max Age (sec.):
  Root Forward Delay (sec.):
  Designated Root:
  Current root port:
  Current root cost:
  Number of topology changes:
  Designated root:
  Designated bridge:
  Fast forwarding: enabled
  Forward transitions: 1
  Admin edge port: enabled
  Oper edge port: disabled
  Admin Link type: auto
  Oper Link type:
  Spanning Tree Status: enabled
  Console#
  Last topology changes time (sec.):
  Transmission limit:
  Path Cost Method:
  Eth 1/ 1 information
  Admin status: enabled
  Role: root
  State: forwarding
  Path cost: 100000
  Priority: 128
  Designated cost: 200000
  Designated port: 128.24
  RSTP  enabled  40960  2  20  15  2  20  15  32768.0.0000ABCD0000  1  50000  226  32768.0.0000ABCD0000  32768.0.0030F1552000  point-to-point

4-196  VLAN COMMANDS

VLAN Commands

A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.

Table 4-51 VLANs

  Command Groups                Function                                                     Page
  Editing VLAN Groups           Sets up VLAN groups, including name, VID and state           4-197
  Configuring VLAN Interfaces   Configures VLAN interface parameters, including ingress      4-200
                                and egress tagging mode, ingress filtering, PVID, and GVRP
  Displaying VLAN               D
152. VLAN.

Use the Private VLAN Port Configuration menu (page 3-162) to set the port type to promiscuous (i.e., having access to all ports in the primary VLAN), or host (i.e., having access restricted to community VLAN members, and channeling all other traffic through promiscuous ports). Then assign any promiscuous ports to a primary VLAN and any host ports a community VLAN.

To configure an isolated VLAN, follow these steps:

1. Use the Private VLAN Configuration menu (page 3-159) to designate an isolated VLAN that will channel all traffic through a single promiscuous port.

2. Use the Private VLAN Port Configuration menu (page 3-162) to set the port type to promiscuous (i.e., the single channel to the external network), or isolated (i.e., having access only to the promiscuous port in its own VLAN). Then assign the promiscuous port and all host ports to an isolated VLAN.

Displaying Current Private VLANs

The Private VLAN Information page displays information on the private VLANs configured on the switch, including primary, community, and isolated VLANs, and their assigned interfaces.

Command Attributes
  - VLAN ID - ID of configured VLAN (1-4094), and VLAN type.
  - Primary VLAN - The VLAN with which the selected VLAN ID is associated. A primary VLAN displays its own ID, a community VLAN displays the associated primary VLAN, and an isolated VLAN displays the stand-alone VLAN.
  - Ports List - The list of ports (and assigned port type) in the 
153. a | rsa]

  - dsa - DSA key type.
  - rsa - RSA key type.

Default Setting
  Clears both the DSA and RSA key.

Command Mode
  Privileged Exec

Command Usage
  - This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
  - The SSH server must be disabled before you can execute this command.

Example
  Console#ip ssh crypto zeroize dsa
  Console#

Related Commands
  ip ssh crypto host-key generate (4-53)
  ip ssh save host-key (4-54)
  no ip ssh server (4-49)

ip ssh save host-key

This command saves host key from RAM to flash memory.

Syntax
  ip ssh save host-key [dsa | rsa]

  - dsa - DSA key type.
  - rsa - RSA key type.

Default Setting
  Saves both the DSA and RSA key.

Command Mode
  Privileged Exec

Example
  Console#ip ssh save host-key dsa
  Console#

Related Commands
  ip ssh crypto host-key generate (4-53)

show ip ssh

This command displays the connection settings used when authenticating client access to the SSH server.

Command Mode
  Privileged Exec

Example
  Console#show ip ssh
  SSH Enabled - version 1.99
  Negotiation timeout: 120 secs; Authentication retries: 3
  Server key size: 768 bits
  Console#

show ssh

This command displays the current SSH server connections.

Command Mode
  Privileged Exec

Example
  Console#show ssh
  Connection  Version  State  Username  Encryption
  0           2.0      Sess
154. a user.

  - Server IP Address - Address of authentication server. (Default: 10.1.0.1)
  - Server Port Number - Network (UDP) port of authentication server used for authentication messages. (Range: 1-65535; Default: 1812)
  - Secret Text String - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters)
  - Number of Server Transmits - Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2)
  - Timeout for a reply - The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5)

- TACACS+ Settings
  - Server IP Address - Address of the TACACS+ server. (Default: 10.11.12.13)
  - Server Port Number - Network (TCP) port of TACACS+ server used for authentication messages. (Range: 1-65535; Default: 49)
  - Secret Text String - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters)

Note: The local switch user database has to be set up by manually entering user names and passwords using the CLI. (See "username" on page 4-35.)

3-52  USER AUTHENTICATION

Web - Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or 
155. active
  !
  interface ethernet 1/1
   switchport allowed vlan add 1 untagged
   switchport native vlan 1
  !
  interface vlan 1
   IP address DHCP
  !
  !
  no map IP precedence
  no map IP DSCP
  !
  line console
  !
  line VTY
  !
  end
  !
  Console#

Related Commands
  show startup-config (4-79)

show system

This command displays system information.

Default Setting
  None

Command Mode
  Normal Exec, Privileged Exec

Command Usage
  - For a description of the items shown by this command, refer to "Displaying System Information" on page 11.
  - The POST results should all display "PASS." If any POST test indicates "FAIL," contact your distributor for assistance.

Example
  Console#show system
  System description: TigerSwitch 10/100 6726AL2
  System OID string: 1.3.6.1.4.1.202.20.46
  System information
   System Up time: 3 hours, 0 minutes, and 7.18 seconds
   System Name: [NONE]
   System Location: [NONE]
   System Contact: [NONE]
   MAC address: 00-30-F1-D3-26-00
   Web server: enabled
   Web server port: 80
   Web secure server: enabled
   Web secure server port: 443
   Telnet server: enable
   Telnet port: 23
   Jumbo Frame: Disabled
   POST result
  DUMMY Test 1 ................. PASS
  UART LOOP BACK Test .......... PASS
  DRAM Test .................... PASS
  Timer Test ................... PASS
  Switch Int Loopback test ..... PASS
  Done All Pass.
  Console#

COMMAND LINE INTERFACE

show users

Shows
156. adcast traffic to the originating group, and can eliminate broadcast storms in large networks. This also provides a more secure and cleaner network environment.

An IEEE 802.1Q VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.

VLANs help to simplify network management by allowing you to move devices to a new VLAN without having to change any physical connections. VLANs can be easily organized to reflect departmental groups (such as Marketing or R&D), usage groups (such as e-mail), or multicast groups (used for multimedia applications such as videoconferencing).

VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN.

This switch supports the following VLAN features:
  - Up to 255 VLANs based on the IEEE 802.1Q standard
  - Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol
  - Port overlapping, allowing a port to participate in multiple VLANs
  - End stations can belong to multiple VLANs
  - Passing traffic between VLAN-aware and VLAN-unaware devices
  - Priority tagging

Assigning Ports to VLANs

Before enabling VLANs for the switch, you
157. ademarks of SMC Networks, Inc. Other product and company names are trademarks or registered trademarks of their respective holders.

LIMITED WARRANTY

Limited Warranty Statement: SMC Networks, Inc. ("SMC") warrants its products to be free from defects in workmanship and materials, under normal use and service, for the applicable warranty term. All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion, repair or replace any product not operating as warranted with a similar or functionally equivalent product, during the applicable warranty term. SMC will endeavor to repair or replace any product returned under warranty within 30 days of receipt of the product.

The standard limited warranty can be upgraded to a Limited Lifetime warranty by registering new products within 30 days of purchase from SMC or its Authorized Reseller. Registration can be accomplished via the enclosed product registration card or online via the SMC web site. Failure to register will not affect the standard limited warranty. The Limited Lifetime warranty covers a product during the Life of that Product, which is defined as the period of time during which the product is an "Active" SMC product. A product is considered to be "Active" while it is listed on the current SMC price list. As new technologies emerge, older technologies become obsolete and SMC will, at its discretion, replace an o
158. an upload/download configuration settings to/from a TFTP server, or copy files to and from switch units in a stack. The configuration files can be later downloaded to restore the switch's settings.

Command Attributes
  - File Transfer Method - The configuration copy operation includes these options:
      - file to file - Copies a file within the switch directory, assigning it a new name.
      - file to running-config - Copies a file in the switch to the running configuration.
      - file to startup-config - Copies a file in the switch to the startup configuration.
      - file to tftp - Copies a file from the switch to a TFTP server.
      - running-config to file - Copies the running configuration to a file.
      - running-config to startup-config - Copies the running config to the startup config.

BASIC CONFIGURATION

      - running-config to tftp - Copies the running configuration to a TFTP server.
      - startup-config to file - Copies the startup configuration to a file on the switch.
      - startup-config to running-config - Copies the startup config to the running config.
      - startup-config to tftp - Copies the startup configuration to a TFTP server.
      - tftp to file - Copies a file from a TFTP server to the switch.
      - tftp to running-config - Copies a file from a TFTP server to the running config.
      - tftp to startup-config - Copies a file from a TFTP server to the startup config.
      - file to unit - Copies a file from this switch to anothe
159. ansparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 8K addresses.

DESCRIPTION OF SOFTWARE FEATURES

Store-and-Forward Switching - The switch copies each frame into its memory before forwarding them to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth.

To avoid dropping frames on congested ports, the switch provides 8 MB for frame buffering. This buffer can queue packets awaiting transmission on congested networks.

Spanning Tree Algorithm - The switch supports these spanning tree protocols:

Spanning Tree Protocol (STP, IEEE 802.1D) - This protocol provides loop detection and recovery by allowing two or more redundant connections to be created between a pair of LAN segments. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.

Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) - This protocol reduces the convergence time for networ
160. ar to entering commands on a UNIX system.

Console Connection

To access the switch through the console port, perform these steps:

1. At the console prompt, enter the user name and password. (The default user names are "admin" and "guest" with corresponding passwords of "admin" and "guest.") When the administrator user name and password is entered, the CLI displays the "Console#" prompt and enters privileged access mode (i.e., Privileged Exec). But when the guest user name and password is entered, the CLI displays the "Console>" prompt and enters normal access mode (i.e., Normal Exec).

2. Enter the necessary commands to complete your desired tasks.

3. When finished, exit the session with the "quit" or "exit" command.

After connecting to the system through the console port, the login screen displays:

  User Access Verification

  Username: admin
  Password:

  CLI session with the SMC6726AL2 is opened.
  To end the CLI session, enter [Exit].

  Console#

Telnet Connection

Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, with subnet mask 255.255.255
161. arameters for ports 1-4. Ports 1-4 are used as active members of the LAG.

  Console(config)#interface ethernet 1/1-4                      4-144
  Console(config-if)#lacp actor system-priority 3               4-168
  Console(config-if)#lacp actor admin-key 120                   4-169
  Console(config-if)#lacp actor port-priority 128               4-171
  Console(config-if)#exit
  Console(config)#interface ethernet 1/4
  Console(config-if)#lacp actor system-priority 3
  Console(config-if)#lacp actor admin-key 120
  Console(config-if)#lacp actor port-priority 512
  Console(config-if)#end
  Console#show lacp sysid                                       4-172
  Port Channel   System Priority   System MAC Address
  1              3                 00-00-E9-31-31-31
  2              32768             00-00-E9-31-31-31
  3              32768             00-00-E9-31-31-31
  4              32768             00-00-E9-31-31-31
  Console#show lacp 1 internal                                  4-172
  Port channel: 1
  Oper Key: 120
  Admin Key: 0
  Eth 1/1
   LACPDUs Internal: 30 sec
   LACP System Priority: 3
   LACP Port Priority: 128
   Admin Key: 120
   Oper Key: 120
   Admin State: defaulted, aggregation, long timeout, LACP activity
   Oper State: distributing, collecting, synchronization, aggregation, long timeout, LACP activity

Displaying LACP Port Counters

You can display statistics for LACP protocol messages.

Table 3-6 LACP Port Counters

  Field              Description
  LACPDUs Sent       Number of valid LACPDUs transmitted from this channel group.
  LACPDUs Received   Number of valid LACPDUs received on this channel group.
  Marker Sent        Number of valid Marker
162. arded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.

Virtual LAN (VLAN)
A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.

XModem
A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
163. are only Level 2, 5 and 6 error messages for the current firmware release.

Default Setting
  Flash: errors (level 3 - 0)
  RAM: warnings (level 6 - 0)

Command Mode
  Global Configuration

Command Usage
  The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM.

Example
  Console(config)#logging history ram 0
  Console(config)#

logging host

This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.

Syntax
  [no] logging host host_ip_address

  host_ip_address - The IP address of a syslog server.

Default Setting
  None

Command Mode
  Global Configuration

Command Usage
  - By using this command more than once you can build up a list of host IP addresses.
  - The maximum number of host IP addresses allowed is five.

Example
  Console(config)#logging host 10.1.0.3
  Console(config)#

logging facility

This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.

Syntax
  [no] logging facility type

  type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service. (Range: 16-23)

Default Setting
  23

Command Mode
  Global Configuration

Command Usage
  The command specifies the facility type tag sent in syslog messages. (See RFC
164. ash. (Range: 0-7, Default: 3)

Table 3-3 Logging Levels

  Level   Severity Name   Description
  7       Debug           Debugging messages
  6       Informational   Informational messages only
  5       Notice          Normal but significant condition, such as cold start
  4       Warning         Warning conditions (e.g., return false, unexpected return)
  3       Error           Error conditions (e.g., invalid input, default used)
  2       Critical        Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)
  1       Alert           Immediate action needed
  0       Emergency       System unusable

  There are only Level 2, 5 and 6 error messages for the current firmware release.

  - RAM Level - Limits log messages saved to the switch's temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 6)

Note: The Flash Level must be equal to or less than the RAM Level.

Web - Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply.

Figure 3-15 System Logs

CLI - Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current sett
165. at (800) 762-4968. Customers are responsible for all shipping charges from their facility to SMC. SMC is responsible for return shipping charges from SMC to customer.

WARRANTIES EXCLUSIVE: IF AN SMC PRODUCT DOES NOT OPERATE AS WARRANTED ABOVE, CUSTOMER'S SOLE REMEDY SHALL BE REPAIR OR REPLACEMENT OF THE PRODUCT IN QUESTION, AT SMC'S OPTION. THE FOREGOING WARRANTIES AND REMEDIES ARE EXCLUSIVE AND ARE IN LIEU OF ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, EITHER IN FACT OR BY OPERATION OF LAW, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OR CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SMC NEITHER ASSUMES NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS. SMC SHALL NOT BE LIABLE UNDER THIS WARRANTY IF ITS TESTING AND EXAMINATION DISCLOSE THE ALLEGED DEFECT IN THE PRODUCT DOES NOT EXIST OR WAS CAUSED BY CUSTOMER'S OR ANY THIRD PERSON'S MISUSE, NEGLECT, IMPROPER INSTALLATION OR TESTING, UNAUTHORIZED ATTEMPTS TO REPAIR, OR ANY OTHER CAUSE BEYOND THE RANGE OF THE INTENDED USE, OR BY ACCIDENT, FIRE, LIGHTNING, OR OTHER HAZARD.

LIMITATION OF LIABILITY: IN NO EVENT, WHETHER BASED IN CONTRACT OR TORT (INCLUDING NEGLIGENCE), SHALL SMC BE LIABLE FOR INCIDENTAL, CONSEQUENTIAL, INDIRECT, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND, OR FOR LOSS OF REVENUE, LOSS OF BUSINESS, OR OTHER FINANCIAL LOSS ARISING OUT O
166. at a later time.
  - Be sure the control parameters for the SSH server are properly configured on the switch, and that the SSH client software is properly configured on the management station.
  - Be sure you have generated a public key on the switch, and exported this key to the SSH client.
  - Be sure you have set up an account on the switch for each SSH user, including user name, authentication level, and password.
  - Be sure you have imported the client's public key to the switch (if public key authentication is used).
  - Be sure you have set the terminal emulator program to VT100 compatible, 8 data bits, 1 stop bit, no parity, and 9600 bps.
  - Check that the null-modem serial cable conforms to the pin-out connections provided in the Installation Guide.

Forgot or lost the password
  - Contact SMC Technical Support for help.

Using System Logs

If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:

1. Enable logging.
2. Set the error messages reported to include all categories.
3. Designate the SNMP host that is to receive the error messages.
4. Repeat the sequence of commands or other actions that lead up to the error.
5. Make a list of the commands or circumstances that led to the fault. Also make a list of any error messages di
167. atible Aggregator, and the identity of the Link Aggregation Group is consistent with the System ID and operational Key information transmitted.
  - Aggregation - The system considers this link to be aggregatable; i.e., a potential candidate for aggregation.
  - Long timeout - Periodic transmission of LACPDUs uses a slow transmission rate.
  - LACP Activity - Activity control value with regard to this link. (0: Passive; 1: Active)

PORT CONFIGURATION

Web - Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.

Figure 3-46 LACP - Port Internal Information

CLI - The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
168. ation and link-up-down traps.

Command Mode
  Global Configuration

Command Usage
  - If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, both authentication and link-up-down notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled.
  - The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command.

Example
  Console(config)#snmp-server enable traps link-up-down
  Console(config)#

Related Commands
  snmp-server host (4-139)

show snmp

This command checks the status of SNMP communications.

Default Setting
  None

Command Mode
  Normal Exec, Privileged Exec

Command Usage
  This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.

Example
  Console#show snmp
  SNMP traps:
   Authentication: enabled
   Link-up-d
169. ational value of the key for the aggregation port.

  Admin Key - Current administrative value of the key for the aggregation port.
  LACPDUs Internal - Number of seconds before invalidating received LACPDU information.
  LACP System Priority - LACP system priority assigned to this port channel.

Table 3-7 LACP Internal Configuration Information (Continued)

  Field: LACP Port Priority
  Description: LACP port priority assigned to this interface within the channel group.

  Field: Admin State, Oper State
  Description: Administrative or operational values of the actor's state parameters:
    - Expired - The actor's receive machine is in the expired state.
    - Defaulted - The actor's receive machine is using defaulted operational partner information, administratively configured for the partner.
    - Distributing - If false, distribution of outgoing frames on this link is disabled; i.e., distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information.
    - Collecting - Collection of incoming frames on this link is enabled; i.e., collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information.
    - Synchronization - The System considers this link to be IN_SYNC; i.e., it has been allocated to the correct Link Aggregation Group, the group has been associated with a comp
170. ays the rules for configured MAC ACLs (access-list; mode PE; page 4-131)

  mac access-group           Adds a port to a MAC ACL                                       IC   4-132
  show mac access-group      Shows port assignments for MAC ACLs                            PE   4-132
  map access-list mac        Sets the CoS value and corresponding output queue for
                             packets matching an ACL rule                                   IC   4-133
  show map access-list mac   Shows CoS value mapped to an access list for an interface      PE   4-134

access-list mac

This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL.

Syntax
  [no] access-list mac acl_name

  acl_name - Name of the ACL. (Maximum length: 16 characters)

ACCESS CONTROL LIST COMMANDS

Default Setting
  None

Command Mode
  Global Configuration

Command Usage
  - When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
  - To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
  - An ACL can contain up to 32 rules.

Example
  Console(config)#access-list mac jerry
  Console(config-mac-acl)#

Related Commands
  permit, deny (MAC ACL) (4-130)
  mac access-group (4-132)
  show mac access-list (4-131)

permit, deny (MAC ACL)

This command adds a rule to a MAC ACL. The rule filters packets matching a s
171. bles the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch's web interface. Use the no form to disable this function.

Syntax
  [no] ip http secure-server

Default Setting
  Enabled

Command Mode
  Global Configuration

Command Usage
  - Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port.
  - If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number]
  - When you start HTTPS, the connection is established in this way:
      - The client authenticates the server using the server's digital certificate.
      - The client and server negotiate a set of security protocols to use for the connection.
      - The client and server generate session keys for encrypting and decrypting data.
  - The client and server establish a secure encrypted connection.
  - A padlock icon should appear in the status bar for Internet Explorer 5.x and Netscape Navigator 6.2 or later versions.
  - The following web browsers and operating systems currently support HTTPS:

Table 4-13 HTTPS System Support

  Web Browser                       Operating System
  Internet Explorer 5.0 or later    Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP
  Netscape Navigator 6.2 or later   Windows 98, Windows NT (wit
172. btain an address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.

Command Attributes
  - Management VLAN - ID of the configured VLAN (1-4094, no leading zeroes). By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
  - IP Address Mode - Specifies whether IP functionality is enabled via manual configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. (DHCP/BOOTP values can include the IP address, subnet mask, and default gateway.)
  - IP Address - Address of the VLAN interface that is allowed management access. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. (Default: 0.0.0.0)
  - Subnet Mask - This mask identifies the host address bits used for routing to specific subnets. (Default: 255.0.0.0)
  - Gateway IP address - IP address of the gateway router between this device and management stations that exist on other network segments. (Default: 0.0.0.0)
  - MAC Address - The physical layer address for this switch.
173. c between isolated ports within the VLAN is blocked.
  - Current - Displays a list of the currently configured VLANs.

Web - Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary, Isolated or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.

Figure 3-68 Private VLAN Configuration

CLI - This example configures VLAN 5 as a primary VLAN, and VLAN 6 as a community VLAN and VLAN 7 as an isolated VLAN.

  Console(config)#vlan database                         4-197
  Console(config-vlan)#private-vlan 5 primary           4-210
  Console(config-vlan)#private-vlan 6 community
  Console(config-vlan)#private-vlan 7 isolated
  Console(config-vlan)#

Associating VLANs

Each community VLAN must be associated with a primary VLAN.

Command Attributes
  - Primary VLAN ID - ID of primary VLAN (1-4094).
  - Association - Community VLANs associated with the selected primary VLAN.
  - Non-Association - Community VLANs not associated with the selected VLAN.

Web - Click VLAN, Private VLAN, Association. Select the required primary VLAN from the scroll-down box, highlight one or more community VLANs in the No
174. ccess the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password. These parameters can be configured via the web or CLI interface.

Command Attributes
  - Telnet Status - Enables or disables Telnet access to the switch. (Default: Enabled)
  - Telnet Port Number - Sets the TCP port number for Telnet on the switch. (Default: 23)
  - Login Timeout - Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0-300 seconds; Default: 300 seconds)
  - Exec Timeout - Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated. (Range: 0-65535 seconds; Default: 600 seconds)
  - Password Threshold - Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)
  - Password - Specifies a password for the line connection. When a connection is started on a line with password 
175. FIGURES

  Private VLAN Port Information
  Private VLAN Port Configuration
  Port Priority Configuration
  Traffic Classes
  Figure 3-74 Queue Mode
  Figure 3-75 Configuring Queue Scheduling
  Figure 3-76 IP Precedence/DSCP Priority Status
  Figure 3-77 Mapping IP Precedence Priority Values
  Figure 3-78 Mapping IP DSCP Priority Values
  Figure 3-79 IP Port Priority Status
  Figure 3-80 IP Port Priority
  Figure 3-81 ACL CoS Priority
  Figure 3-82 IGMP Configuration
  Figure 3-83 Multicast Router Port Information
  Figure 3-84 Static Multicast Router Port Configuration
  Figure 3-85 IP Multicast Registration Table
  Figure 3-86 IGMP Member Port Table

CHAPTER 1 INTRODUCTION

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch's performance for your particular network environment.

Key Features
176. ce or CLI to specify the trunk on the devices at both ends. When using a port trunk, take note of the following points:
  - Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop.
  - You can create up to four trunks on the switch, with up to eight ports per trunk.
  - The ports at both ends of a connection must be configured as trunk ports.
  - When configuring static trunks on switches of different types, they must be compatible with the Cisco EtherChannel standard.
  - The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
  - All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN.
  - STP, VLAN, and IGMP settings can only be made for the entire trunk.

Statically Configuring a Trunk

Command Usage
  - When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer's implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
  - To avoid creating a loop in the network, be sure you add a static trunk via the configuration inte
178. ckets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports.

Command Attributes

- Interface: Indicates a port or trunk.
- MAC Address: Physical address associated with this interface.
- VLAN: ID of configured VLAN (1-4094).
- Address Table Sort Key: You can sort the information displayed based on MAC address, VLAN or interface (port or trunk).
- Dynamic Address Counts: The number of addresses dynamically learned.
- Current Dynamic Address Table: Lists all the dynamic addresses.

Web: Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query.

Figure 3-54 Configuring a Dynamic Address Table

CLI: This example also displays the address table entries for port 1.

    Console#show mac-address-table interface ethernet 1/1     4-179
     Interface  Mac Address        Vlan  Type
     Eth 1/ 1   00-E0-29-94-34-DE  1     Delete-on-reset
     Eth 1/ 1   00-20-9C-23-CD-60  2     Learned
    Console#
179. conds

Table 1-2 System Defaults

    Function                Parameter                   Default
    Virtual LANs            Default VLAN                1
                            PVID                        1
                            Acceptable Frame Type       All
                            Ingress Filtering           Disabled
                            Switchport Mode             Hybrid: tagged/untagged frames
                            (Egress Mode)
                            GVRP (global)               Disabled
                            GVRP (port interface)       Disabled
    Traffic Prioritization  Ingress Port Priority       0
                            Weighted Round Robin        Queue:  0 1 2 3
                                                        Weight: 1 2 4 6
                            IP Precedence Priority      Disabled
                            IP DSCP Priority            Disabled
                            IP Port Priority            Disabled
    IP Settings             IP Address                  0.0.0.0
                            Subnet Mask                 255.0.0.0
                            Default Gateway             0.0.0.0
                            DHCP                        Client: Enabled
                            BOOTP                       Disabled
    Multicast Filtering     IGMP Snooping               Snooping: Enabled
                                                        Querier: Enabled
    System Log              Status                      Enabled
                            Messages Logged             Levels 0-6
                            Messages Logged to Flash    Levels 0-3
    SMTP Email Alerts       Event Handler               Enabled (but no server defined)
    SNTP                    Clock Synchronization       Disabled

CHAPTER 2 INITIAL CONFIGURATION

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

Note: The IP address for this switch is obtained via DHCP by default. To change this address, see "Setting an IP Addres
180. configured.

Traffic Prioritization: This switch prioritizes each packet based on the required level of service, using four priority queues with strict or Weighted Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can be used to provide independent priorities for delay-sensitive data and best-effort data.

This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the priority bits in the IP frame's Type of Service (ToS) octet or the number of the TCP/UDP port. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.

Multicast Filtering: Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration.

System Defaults

The switch's system defaults are provided in the configuration file "Factory_Default_Config.cfg." To reset the switch defaults, this file should be set as the startup configuration file (page 3-23).

The following table lists some of the basic system defaults.

Table 1 
181. cs" on page 3-114.

Example

    Console#show interfaces counters ethernet 1/7
    Ethernet 1/7
     Iftable stats:
      Octets input: 30658, Octets output: 196550
      Unicast input: 6, Unicast output: 5
      Discard input: 0, Discard output: 0
      Error input: 0, Error output: 0
      Unknown protos input: 0, QLen output: 0
     Extended iftable stats:
      Multi-cast input: 0, Multi-cast output: 3064
      Broadcast input: 262, Broadcast output: 1
     Ether-like stats:
      Alignment errors: 0, FCS errors: 0
      Single Collision frames: 0, Multiple collision frames: 0
      SQE Test errors: 0, Deferred transmissions: 0
      Late collisions: 0, Excessive collisions: 0
      Internal mac transmit errors: 0, Internal mac receive errors: 0
      Frame too longs: 0, Carrier sense errors: 0
      Symbol errors: 0
     RMON stats:
      Drop events: 0, Octets: 227208, Packets: 3338
      Broadcast pkts: 263, Multi-cast pkts: 3064
      Undersize pkts: 0, Oversize pkts: 0
      Fragments: 0, Jabbers: 0
      CRC align errors: 0, Collisions: 0
      Packet size <= 64 octets: 3150, Packet size 65 to 127 octets: 139
      Packet size 128 to 255 octets: 4, Packet size 256 to 511 octets: 0
      Packet size 512 to 1023 octets: 0, Packet size 1024 to 1518 octets: 0
    Console#

show interfaces switchport

This command displays the administrative and operational status of the specified interfaces.

Syntax

    show interfaces switchport [interface]

- interface
  - ethernet unit/port
    - unit: Stack unit. (This is unit 1.)
    - port: Port number. (Range: 1-26/52)
182. Figure 3-52 Port Statistics

CLI: This example shows statistics for port 13.

    Console#show interfaces counters ethernet 1/13     4-153
    Ethernet 1/13
     Iftable stats:
      Octets input: 868453, Octets output: 3492122
      Unicast input: 7315, Unicast output: 6658
      Discard input: 0, Discard output: 0
      Error input: 0, Error output: 0
      Unknown p
183. d. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.

Syntax

    enable password [level level] {0 | 7} password
    no enable password [level level]

- level level: Level 15 for Privileged Exec. (Levels 0-14 are not used.)
- {0 | 7}: 0 means plain password, 7 means encrypted password.
- password: password for this privilege level. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive)

Default Setting

- The default is level 15.
- The default password is "super".

Command Mode

Global Configuration

Command Usage

- You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command (page 4-27).
- The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.

Example

    Console(config)#enable password level 15 0 admin
    Console(config)#

Related Commands

enable (4-27), authentication enable (4-96)

IP Filter Commands

Table 4-11 IP Filter Commands

    Command       Function                                    Mode   Page
    management    Configures IP addresses that are allowed 
184. ddresses, "Host" to specify a specific host address in the Address field, or "IP" to specify a range of addresses with the Address and SubMask fields. (Options: Any, Host, IP; Default: Any)

- IP Address: Source IP address.
- Subnet Mask: A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate "match" and 0 bits to indicate "ignore." The mask is bitwise ANDed with the specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.

Web: Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select "Host," enter a specific address. If you select "IP," enter a subnet address and the mask for an address range. Then click Add.

Figure 3-36 ACL Configuration - Standard IP

CLI: This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x - 168.92.31.x using a bitmask.

    Console(config-std-acl)#permit host 10.1.1.21     4-120
    Console(config-std-acl)#permit 168.92.16.0 255.255.240.0
    Console(config-s
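The mask comparison described above, worked through as an added Python example (not code from the manual or the switch firmware). The rule grammar follows the two CLI rules shown; the `any` and `deny` forms, the function names and the test addresses are assumptions made for the illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_str(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def parse_rule(line):
    """Parse 'permit|deny any', '... host A.B.C.D' or '... A.B.C.D M.M.M.M'.

    The 'any' and 'deny' spellings are assumed from the web options
    (Any/Host/IP, Permit/Deny); only 'permit host' and 'permit addr mask'
    appear in the CLI example.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError("unrecognised rule: %r" % line)
    if tokens[1] == "any" and len(tokens) == 2:
        addr, mask = 0, 0                         # every bit ignored
    elif tokens[1] == "host" and len(tokens) == 3:
        addr, mask = to_int(tokens[2]), ALL_ONES  # every bit must match
    elif tokens[1] not in ("any", "host") and len(tokens) == 3:
        addr, mask = to_int(tokens[1]), to_int(tokens[2])
    else:
        raise ValueError("unrecognised rule: %r" % line)
    # Store the address already masked, so a rule such as
    # '168.92.17.9 255.255.240.0' is compared as 168.92.16.0.
    return {"action": tokens[0], "addr": addr & mask, "mask": mask}


def matches(rule, source):
    """1 bits in the mask must match, 0 bits are ignored."""
    return (to_int(source) & rule["mask"]) == rule["addr"]


def evaluate(rules, source):
    """Return the action of the first matching rule, or None if none match.

    What the switch does with unmatched packets is not stated in this
    excerpt, so no default action is modelled here.
    """
    for rule in rules:
        if matches(rule, source):
            return rule["action"]
    return None


def covered_range(rule):
    """Return (first, last) address a rule covers, or None when the mask
    is non-contiguous and the matches do not form one continuous range."""
    inverse = ~rule["mask"] & ALL_ONES
    if inverse & (inverse + 1):      # ignored bits are not a single low run
        return None
    return to_str(rule["addr"]), to_str(rule["addr"] | inverse)


if __name__ == "__main__":
    # The two rules from the CLI example above.
    acl = [parse_rule("permit host 10.1.1.21"),
           parse_rule("permit 168.92.16.0 255.255.240.0")]
    for rule in acl:
        print(rule["action"], covered_range(rule))
    # Constructed test sources on both sides of the range boundary.
    for src in ("10.1.1.21", "168.92.31.255", "168.92.32.0"):
        print(src, "->", evaluate(acl, src))
    # Review check: an inverted (wildcard-style) mask typed by mistake
    # matches on the low 12 bits only, so the rule covers unrelated networks.
    wrong = parse_rule("permit 168.92.16.0 0.0.15.255")
    print(covered_range(wrong), matches(wrong, "10.0.0.0"))
```

Running `covered_range` over every rule before applying an ACL shows exactly which sources a mask admits, and a `None` result is a prompt to recheck the mask.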
185. e: 5-25 seconds; Default: 10)

- IGMP Query Timeout: The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired. (Range: 300-500 seconds; Default: 300)
- IGMP Version: Sets the protocol version for compatibility with other devices on the network. (Range: 1-2; Default: 2)

Notes:
1. All systems on the subnet must support the same version.
2. Some attributes are only enabled for IGMPv2, including IGMP Report Delay and IGMP Query Timeout.

Web: Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.)

Figure 3-82 IGMP Configuration

CLI: This example modifies the settings for multicast filtering, and then displays the current status.

    Console(config)#ip igmp snooping     4-239
    Console(config)#ip igmp snooping querier     4-243
    Console(config)#ip igmp snooping query-count 10     4-243
    Console(config)#ip igmp snooping query-max-response-time 20     4-245
    Console(config)#ip igmp snooping
186. e(config-if)#capabilities flowcontrol

Creating Trunk Groups

You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to four trunks at a time.

The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP). Static trunks have to be manually configured at both ends of the link, and the switches must comply with the Cisco EtherChannel standard. On the other hand, LACP-configured ports can automatically negotiate a trunked link with LACP-configured ports on another device. You can configure any number of ports on the switch as LACP, as long as they are not already configured as part of a static trunk. If ports on another device are also configured as LACP, the switch and the other device will negotiate a trunk link between them. If an LACP trunk consists of more than eight ports, all other ports will be placed in a standby mode. Should one link in the trunk fail, one of the standby ports will automatically be activated to replace it.

Command Usage

Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interfa
187. e server. (Range: 0-7, Default: 6)

- Host IP List: Displays the list of remote server IP addresses that receive the syslog messages. The maximum number of host IP addresses allowed is five.
- Host IP Address: Specifies a new server IP address to add to the Host IP List.

Web: Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.

Figure 3-16 Remote Logs

CLI: Enter the syslog server host IP address, choose the facility type and set the logging trap.

    Console(config)#logging host 192.168.1.15
    Console(config)#logging facility 23
    Console(config)#logging trap 4
    Console(config)#end
    Console#show logging trap
    Syslog logging: Enabled
    REMOTELOG status: Enabled
    REMOTELOG facility type: local use 7
    REMOTELOG level type: Informational messages only
    REMOTELOG server ip address: 192.168.1.15
    REMOTELOG server ip address: 0.0.0.0
    REMOTELOG server ip address: 0.0.0.0
    REMOTELOG server ip address: 0.0.0.0
    REMOTELOG server ip address: 0.0.0.0
    Console#

Di
188. e Configuration (Ethernet, Port Channel)

Command Usage

- The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
- The default priority applies for an untagged frame received on a port set to accept all frame types (i.e., receives both untagged and tagged frames). This priority does not apply to IEEE 802.1Q VLAN tagged frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
- This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command. Inbound frames that do not have VLAN tags are tagged with the input port's default ingress user priority, and then placed in the appropriate priority queue at the output port. The default priority for all ingress ports is zero. Therefore, any inbound frames that do not have priority tags will be placed in queue 0 of the output port. (Note that if the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.)

Example

The following example shows how to set a default priority on port 3 to 5:

    Console(config)#interface ethernet 1/3
    Console(config-if)#switchport priority default 5

queue bandwidth

This command assigns weighted round-robin (WRR) weights to the four class of service (CoS) priority 
189. e Service (DNS)

A system used for translating host names for network nodes into IP addresses.

Dynamic Host Control Protocol (DHCP)

Provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on the Bootstrap Protocol (BOOTP), adding the capability of automatic allocation of reusable network addresses and additional configuration options.

Extensible Authentication Protocol over LAN (EAPOL)

EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch. A user name and password is requested by the switch, and then passed to an authentication server (e.g., RADIUS) for verification. EAPOL is implemented as part of the IEEE 802.1X Port Authentication standard.

GARP VLAN Registration Protocol (GVRP)

Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.

Generic Attribute Registration Protocol (GARP)

GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment so that multicast data frames are propagated only to those parts of a switched LAN containing registered endstations. Formerly called Group Address Registration Protocol.

Gener
190. Figure 3-9 Select Start-Up Operation File

To delete a file, select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted.

Figure 3-10 Deleting Files

CLI: To download new firmware from a TFTP server, enter the IP address of the TFTP server, select "opcode" as the file type, then enter the source and destination file names. When the file has finished downloading, set the new file to start up the system, and then restart the switch.

To start the new firmware, enter the "reload" command or reboot the system.

    Console#copy tftp file     4-87
    TFTP server ip address: 10.1.0.19
    Choose file type:
     1. config: 2. opcode: <1-2>: 2
    Source file name: V2.2.6.3.bix
    Destination file name: V2263
    Write to FLASH Programming.
    Write to FLASH finish.
    Success.
    Console#config
    Console(config)#boot system opcode:V2263     4-93
    Console(config)#exit
    Console#reload     4-30

Saving or Restoring Configuration Settings

You c
191. e default setting.

Syntax

    switchport mode private-vlan {host | promiscuous}
    no switchport mode private-vlan

- host: This port type can subsequently be assigned to a community or isolated VLAN.
- promiscuous: This port type can communicate with all other promiscuous ports in the same primary VLAN, as well as with all the ports in the associated secondary VLANs.

Default Setting

Normal VLAN

Command Mode

Interface Configuration (Ethernet, Port Channel)

Command Usage

- To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the private-vlan host association command.
- To assign a promiscuous port or host port to an isolated VLAN, use the switchport private-vlan isolated command.

Example

    Console(config)#interface ethernet 1/2
    Console(config-if)#switchport mode private-vlan promiscuous
    Console(config-if)#exit
    Console(config)#interface ethernet 1/3
    Console(config-if)#switchport mode private-vlan host
    Console(config-if)#

switchport private-vlan host-association

Use this command to associate an interface with a secondary VLAN. Use the no form to remove this association.

Syntax

    switchport private-vlan host-association secondary-vlan-id
    no switchport private-vlan host-association

- secondary-vlan-id: ID of secondary (i.e., community) VLAN. (Range: 1-4094)

Default Setting

None

Com
193. e selected interfaces. (Default: Disabled)

Web: Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply.

Figure 3-59 STA Port Configuration

CLI: This example sets STA attributes for port 7.

    Console(config)#interface ethernet 1/7     4-144
    Console(config-if)#spanning-tree port-priority 0     4-191
    Console(config-if)#spanning-tree cost 50     4-190
    Console(config-if)#spanning-tree link-type auto     4-193
    Console(config-if)#no spanning-tree edge-port     4-191
    Console(config-if)#

VLAN Configuration

IEEE 802.1Q VLANs

In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine bro
194. e#show mac access-group
    Interface ethernet 1/25
     MAC access-list jerry in
    Console#

Related Commands

mac access-group (4-132)

map access-list mac

This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. Use the no form to remove the CoS mapping.

Syntax

    [no] map access-list mac acl_name cos cos-value

- acl_name: Name of the ACL. (Maximum length: 16 characters)
- cos-value: CoS value. (Range: 0-7)

Default Setting

None

Command Mode

Interface Configuration (Ethernet)

Command Usage

- You must configure an ACL mask before you can map CoS values to the rule.
- A packet matching a rule within the specified ACL is mapped to one of the output queues as shown below.

Table 4-37 Egress Queue Priority Mapping

    Queue      0      1      2      3
    Priority   1, 2   0, 3   4, 5   6, 7

Example

    Console(config)#int eth 1/5
    Console(config-if)#map access-list mac jerry cos 0
    Console(config-if)#

Related Commands

queue cos-map (4-226), show map access-list mac (4-134)

show map access-list mac

This command shows the CoS value mapped to a MAC ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.)

Syntax

    show map access-list mac [interface]

- interface 
195. e the following steps:

1. From the Global Configuration mode prompt, type "interface vlan 1" to access the interface-configuration mode. Press <Enter>.
2. At the interface-configuration mode prompt, use one of the following commands:
   - To obtain IP settings via DHCP, type "ip address dhcp" and press <Enter>.
   - To obtain IP settings via BOOTP, type "ip address bootp" and press <Enter>.
3. Type "end" to return to the Privileged Exec mode. Press <Enter>.
4. Type "ip dhcp restart" to begin broadcasting service requests. Press <Enter>.
5. Wait a few minutes, and then check the IP configuration settings by typing the "show ip interface" command. Press <Enter>.
6. Then save your configuration changes by typing "copy running-config startup-config." Enter the startup file name and press <Enter>.

    Console(config)#interface vlan 1
    Console(config-if)#ip address dhcp
    Console(config-if)#end
    Console#ip dhcp restart
    Console#show ip interface
     IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
     and address mode: User specified.
    Console#copy running-config startup-config
    Startup configuration file name []: startup
    Write to FLASH Programming.
    Write to FLASH finish.
    Success.

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as SMC EliteVie
196. e these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.

The switch includes an onboard SNMP agent that continuously monitors the status of its hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as SMC EliteView. Access rights to the onboard agent are controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication. The options for configuring community strings, trap functions, and restricting access to clients with specified IP addresses are described in the following sections.

Setting Community Access Strings

You may configure up to five community strings authorized for management access. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.

Command Attributes

- SNMP Community Capability: Indicates that the switch supports up to five community strings.
- Community String: A community string that acts like a password and permits access to the SNMP protocol.
  Default strings: "public" (read-only), "private" (read/write)
  Range: 1-32 characters, case sensitive
- Access Mode
  - Read-Only: Specifies read-only access. Authorized management 
197. e user password. (Range: 0-8 characters plain text, case sensitive)

- Change Password: Sets a new password for the specified user name.
- Add/Remove: Adds or removes an account from the list.

Web: Click Security, User Accounts. To configure a new user account, specify a user name, select the user's access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.

Figure 3-24 Access Levels

CLI: Assign a user name to access-level 15 (i.e., administrator), then specify the password.

    Console(config)#username bob access-level 15     4-35
    Console(config)#username bob password 0 smith
    Console(config)#

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols. Remo
198. e with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.)

  - Default: 32768
  - Range: 0-61440, in steps of 4096
  - Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440

Root Device Configuration

- Hello Time: Interval (in seconds) at which the root device transmits a configuration message.
  - Default: 2
  - Minimum: 1
  - Maximum: The lower of 10 or [(Max. Message Age / 2) - 1]
- Maximum Age: The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (References to "ports" in this section mean "interfaces," which includes both ports and trunks.)
  - Default: 20
  - Minimum: The higher of 6 or [2 x (Hello Time + 1)]
  - Maximum: The lower of 40 or [2 x (Forward Delay - 1)]
- Forward Delay: The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive informati
199. e name  name: The name of the user. (Maximum length: 8 characters, case sensitive. Maximum users: 16)  access-level level: Specifies the user level. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.  nopassword: No password is required for this user to log in.  {0 | 7}: 0 means plain password, 7 means encrypted password.  password password: The authentication password for the user. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive)  Default Setting  The default access level is Normal Exec.  The factory defaults for the user names and passwords are:  Table 4-10 Default Login Settings  username guest: access-level 0, password guest  username admin: access-level 15, password admin  Command Mode  Global Configuration  COMMAND LINE INTERFACE  Command Usage  The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.  Example  This example shows how to set the access level and password for a user.  Console(config)#username bob access-level 15  Console(config)#username bob password 0 smith  Console(config)#  enable password  After initially logging onto the system, you should set the Privileged Exec passwor
200. ed  IC  4-214  isolated VLAN  switchport private-vlan mapping: Maps an interface to a primary VLAN (Mode: IC; Page: 4-215)  Display Private VLAN Information  show vlan private-vlan: Shows private VLAN information (Mode: NE, PE; Page: 4-216)  To configure primary/secondary associated groups, follow these steps:  1. Use the private-vlan command to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the community groups.  2. Use the private-vlan association command to map the community VLAN(s) to the primary VLAN.  3. Use the switchport mode private-vlan command to configure ports as promiscuous (i.e., having access to all ports in the primary VLAN) or host (i.e., community port).  4. Use the switchport private-vlan host-association command to assign a port to a secondary VLAN.  5. Use the switchport private-vlan mapping command to assign a port to a primary VLAN.  6. Use the show vlan private-vlan command to verify your configuration settings.  To configure isolated VLANs, follow these steps:  1. Use the private-vlan command to designate an isolated VLAN that will contain a single promiscuous port and one or more isolated ports.  2. Use the switchport mode private-vlan command to configure one port as promiscuous (i.e., having access to all ports in the isolated VLAN), one or more ports as host (i.e., isolated port).  3. Use the switchport private-vlan isolated command to assi
201. ed VLAN  1 u   Forbidden VLAN:  Private VLAN mode: NONE  Private VLAN host-association: NONE  Private VLAN mapping: NONE  Console#  13. CLI displays this information as "Priority for untagged traffic."  CLASS OF SERVICE CONFIGURATION  Mapping CoS Values to Egress Queues  This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.  Table 3-10 Mapping CoS Values to Egress Queues  Queue 0: Priority 1, 2  Queue 1: Priority 0, 3  Queue 2: Priority 4, 5  Queue 3: Priority 6, 7  The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. However, you can map the priority levels to the switch's output queues in any way that benefits application traffic for your own network.  Table 3-11 CoS Priority Levels (Priority Level: Traffic Type)  1: Background  2: (Spare)  0 (default): Best Effort  3: Excellent Effort  4: Controlled Load  5: Video, less than 100 milliseconds latency and jitter  6: Voice, less than 10 milliseconds latency and jitter  7: Network Control
202. ed in the file directory on the switch. The currently designated startup version of this file cannot be deleted.  1. These operations are not supported for this switch.  Downloading System Software from a Server  When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file.  Web: Click System, File Management, Copy Operation. Select "tftp to file" as the file transfer method, enter the IP address of the TFTP server, set the file type to "opcode," enter the file name of the software to download, select a file on the switch to overwrite or specify a new file name, then click Apply. If you replaced the current firmware used for startup and want to start using the new operation code, reboot the system via the System Reset menu.  Figure 3-8 Operation Code Image File Transfer  BASIC CONFIGURATION  If you download to a new destination file, go to the System, File, Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System Reset menu.  Set Start Up  Name Typ
203. ed on page 3-90.  Figure 3-2 Panel Display  MAIN MENU  Main Menu  Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.  Table 3-2 Main Menu (Menu: Description, Page)  System (3-11)  System Information: Provides basic system description, including contact information (3-11)  Switch Information: Shows the number of ports, hardware/firmware version numbers, and power status (3-13)  Bridge Extension: Shows the bridge extension parameters (3-15)  IP Configuration: Sets the IP address for management access (3-17)  File (3-21)  Copy: Allows the transfer and copying of files (3-21)  Delete: Allows deletion of files from the flash memory (3-22)  Set Startup: Sets the startup file (3-22)  Line (3-28)  Console: Sets console port connection parameters (3-28)  Telnet: Sets Telnet connection parameters (3-30)  Log (3-33)  Logs: Stores and displays error messages (3-33)  System Logs: Sends error messages to a logging process (3-33)  Remote Logs: Configures the logging of messages to a remote logging process (3-36)  SMTP Logs: Sends an SMTP client message to a participating server (3-39)  Reset: Restarts the switch (3-41)  Table 3-2 Main M
204. elete public-key  4-52  dir  This command displays a list of files in flash memory.  Syntax  dir  unit  boot-rom  config  opcode  filename  The type of file or image to display includes:  boot-rom: Boot ROM (or diagnostic) image file.  config: Switch configuration file.  opcode: Run-time operation code image file.  filename: Name of the configuration file or code image.  unit: Stack unit. (This is unit 1.)  Default Setting  None  Command Mode  Privileged Exec  Command Usage  If you enter the command dir without any parameters, the system displays all files.  A colon (:) is required after the specified unit number.  File information is shown below:  Table 4-26 File Directory Information (Column Heading: Description)  file name: The name of the file.  file type: File types: Boot-Rom, Operation Code, and Config file.  startup: Shows if this file is used when the system is started.  size: The length of the file in bytes.  Example  The following example shows how to display all file information.  Console#dir 1:  file name  file type  startup  size (byte)  Unit1:  Diag V2 2 1 3 bix  Boot Rom image  Y  196020  V2 1 5 4 bix  Operation Code  N  1745120  V2 2 2 2 bix  Operation Code  Y  1745500  Factory Default Config cfg  Config File  N  5013  startup  Config File  b  6023  Total free space  340787  Console#  whichboot  This command displays which files were booted when the system powered
205. em config  startup  Console(config)#exit  Console#reload  Console Port Settings  You can access the onboard configuration program by attaching a VT100 compatible device to the switch's serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings. These parameters can be configured via the web or CLI interface.  Command Attributes  Login Timeout: Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0-300 seconds; Default: 0 seconds)  Exec Timeout: Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated. (Range: 0-65535 seconds; Default: 0 seconds)  Password Threshold: Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)  Silent Time: Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded. (Ra
206. en VLANs.  Syntax  switchport forbidden vlan {add vlan-list | remove vlan-list}  no switchport forbidden vlan  add vlan-list: List of VLAN identifiers to add.  remove vlan-list: List of VLAN identifiers to remove.  vlan-list: Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. Do not enter leading zeros. (Range: 1-4094)  Default Setting  No VLANs are included in the forbidden list.  Command Mode  Interface Configuration (Ethernet, Port Channel)  Command Usage  This command prevents a VLAN from being automatically added to the specified interface via GVRP.  If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of forbidden VLANs for that same interface.  VLAN COMMANDS  Example  The following example shows how to prevent port 1 from being added to VLAN 2.  Console(config)#interface ethernet 1/1  Console(config-if)#switchport forbidden vlan add 3  Console(config-if)#  Displaying VLAN Information  Table 4-54 Show VLAN Commands (Command: Function; Mode; Page)  show vlan: Shows VLAN information; NE, PE; 4-207  show interfaces status vlan: Displays status for the specified VLAN interface; NE, PE; 4-152  show interfaces switchport: Displays the administrative and operational status of an interface; NE, PE; 4-155  show vlan  This command shows VLAN information.  Syntax  show
207. enable the SSH server  Authentication Settings  To use the SSH server, complete these steps:  1. Generate a Host Key Pair: On the SSH Host Key Settings page, create a host public/private key pair.  2. Provide Host Public Key to Clients: Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example:  10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254  15020245593199868544358361651999923329781766065830956 10825913212890233  76546801726272571413428762941301196195566782 59566410486957427888146206  5194174677298486546861571773939016477935594230357741 3098022737087 7945452408397  1752646358058176716709574804776117  3. Import Client's Public Key to the Switch: Use the copy tftp public-key command (page 4-87) to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3-48.) The clients are subsequently authenticated using these keys. The current firmware only accepts public key files based on standard UNIX format as shown in the following example for an RSA Version 1 key:  1024
208. enabled for ports connected to an end-node device.  Admin Link Type: The link type attached to this interface.  Point-to-Point: A connection to exactly one other bridge.  Shared: A connection to two or more bridges.  Auto: The switch automatically determines if the interface is attached to a point-to-point link or to shared media.  Web: Click Spanning Tree, STA, Port Information or STA Trunk Information.  Figure 3-58 STA Port Information  CLI: This example shows the STA attributes for port 5.  Console#show spanning-tree ethernet 1/5  Eth 1/5 information  Admin status: enabled  Role: disable  State: discarding  Path cost: 100000  Priority: 128  Designated cost: 0  Designated port: 128.5  Designated root: 32768.0030F1D32600  Designated bridge: 32768
209. ent access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.  Table 4-27 Authentication Commands (Command Group: Function; Page)  Authentication Sequence: Defines logon authentication method and precedence; 4-94  RADIUS Client: Configures settings for authentication via a RADIUS server; 4-97  TACACS+ Client: Configures settings for authentication via a TACACS+ server; 4-102  Port Security: Configures secure addresses for a port; 4-104  Port Authentication: Configures host authentication on specific ports using 802.1X; 4-107  Authentication Sequence  Table 4-28 Authentication Sequence (Command: Function; Mode; Page)  authentication login: Defines logon authentication method and precedence; GC; 4-95  authentication enable: Defines the authentication method and precedence for command mode change; GC; 4-96  AUTHENTICATION COMMANDS  authentication login  This command defines the login authentication method and precedence. Use the no form to restore the default.  Syntax  authentication login {[local] [radius] [tacacs]}  no authentication login  local: Use local password.  radius: Use RADIUS server password.  tacacs: Use TACACS server password.  Default Setting  Local  Command Mode  Global Configuration  Command Usage  RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort deliv
210. ent access via MIB database  Trap management to specified hosts  SOFTWARE SPECIFICATIONS  RMON  Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)  Standards  IEEE 802.1D Spanning Tree Protocol and traffic priorities  IEEE 802.1p Priority tags  IEEE 802.1Q VLAN  IEEE 802.1w Rapid Spanning Tree Protocol  IEEE 802.1X Port Authentication  IEEE 802.3-2002: Ethernet, Fast Ethernet, Gigabit Ethernet; Full-duplex flow control; Link Aggregation Control Protocol  IEEE 802.3ac VLAN tagging  DHCP Client (RFC 1541)  HTTPS  IGMP (RFC 1112)  IGMPv2 (RFC 2236)  RADIUS (RFC 2618)  RMON (RFC 1757 groups 1, 2, 3, 9)  SNMP (RFC 1157)  SNMPv2 (RFC 2571)  SNTP (RFC 2030)  SSH (Version 2.0)  TFTP (RFC 1350)  Management Information Bases  Bridge MIB (RFC 1493)  Entity MIB (RFC 2737)  Ether-like MIB (RFC 2665)  Extended Bridge MIB (RFC 2674)  Extensible SNMP Agents MIB (RFC 2742)  Forwarding Table MIB (RFC 2096)  IGMP MIB (RFC 2933)  Interface Group MIB (RFC 2233)  Interfaces Evolution MIB (RFC 2863)  IP Multicasting related MIBs  MAU MIB (RFC 2668)  MIB II (RFC 1213)  Port Access Entity MIB (IEEE 802.1X)  Port Access Entity Equipment MIB  Private MIB  RADIUS Authentication Client MIB (RFC 2621)  RMON MIB (RFC 2819)  RMON II Probe Configuration Group (RFC 2021, partial implementation)  SNMP Community MIB (RFC 2576)  SNMPv2 IP MIB (RFC 2011)  TACACS+ Authentication Client MIB  TCP MIB (RFC 2013)  Trap (RFC 1215)  UDP MIB (RFC 201
211. ent port will be added to this trunk.  Command Mode  Interface Configuration (Ethernet)  Command Usage  When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.  Use no channel-group to remove a port group from a trunk.  Use no interfaces port-channel to remove a trunk from the switch.  Example  The following example creates trunk 1 and then adds port 11.  Console(config)#interface port-channel 1  Console(config-if)#exit  Console(config)#interface ethernet 1/11  Console(config-if)#channel-group 1  Console(config-if)#  This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.  Syntax  [no] lacp  Default Setting  Disabled  Command Mode  Interface Configuration (Ethernet)  Command Usage  The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.  A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.  If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.  If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.  LINK AGGREGATION COMMANDS  Example  The
212. ents that are not dot1x-aware will be denied access.  force-authorized: Configures the port to grant access to all clients, either dot1x-aware or otherwise.  force-unauthorized: Configures the port to deny access to all clients, either dot1x-aware or otherwise.  Default  force-authorized  Command Mode  Interface Configuration  Example  Console(config)#interface eth 1/2  Console(config-if)#dot1x port-control auto  Console(config-if)#  dot1x operation-mode  This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.  Syntax  dot1x operation-mode {single-host | multi-host [max-count count]}  no dot1x operation-mode [multi-host max-count]  single-host: Allows only a single host to connect to this port.  multi-host: Allows multiple hosts to connect to this port.  max-count: Keyword for the maximum number of hosts.  count: The maximum number of hosts that can connect to a port. (Range: 1-1024; Default: 5)  Default  Single-host  Command Mode  Interface Configuration  Command Usage  The "max-count" parameter specified by this command is only effective if the dot1x mode is set to "auto" by the dot1x port-control command (page 4-109).  AUTHENTICATIO
213. enu (Continued)  SNTP (3-42)  Configuration: Configures SNTP client settings, including broadcast mode or a specified list of servers (3-42)  Clock Time Zone: Sets the local time zone for the system clock (3-44)  SNMP (3-45)  Configuration: Configures community strings and related trap functions (3-45)  Security (3-48)  User Accounts: Assigns a new password for the current user (3-48)  Authentication Settings: Configures authentication sequence, RADIUS and TACACS+ (3-50)  HTTPS Settings: Configures secure HTTP settings (3-54)  SSH (3-57)  Host Key Settings: Generates the host key pair (public and private) (3-60)  Settings: Configures Secure Shell server settings (3-62)  Port Security: Configures per port security, including status, response for security breach, and maximum allowed MAC addresses (3-64)  802.1X: Port authentication (3-66)  Information: Displays global configuration settings (3-69)  Configuration: Configures the global configuration setting (3-69)  Port Configuration: Sets parameters for individual ports (3-70)  Statistics: Displays protocol statistics for the selected port (3-73)  ACL (3-77)  Configuration: Configures packet filtering based on IP or MAC addresses (3-77)  Port Binding: Binds a port to the specified ACL (3-85)  MAIN MENU  Table 3-2 Main Menu (Continued)  IP Filter: Sets IP addresses of clien
214. er host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.  The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled.  Some notification types cannot be controlled with the snmp-server enable traps command. For example, some notification types are always enabled.  The switch can send SNMP version 1 or version 2c notifications to a host IP address, depending on the SNMP version that the management station supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications.  Example  Console(config)#snmp-server host 10.1.19.23 batman  Console(config)#  Related Commands  snmp-server enable traps (4-141)  SNMP COMMANDS  snmp-server enable traps  This command enables this device to send Simple Network Management Protocol traps (SNMP notifications). Use the no form to disable SNMP notifications.  Syntax  [no] snmp-server enable traps [authentication | link-up-down]  authentication: Keyword to issue authentication failure traps.  link-up-down: Keyword to issue link-up or link-down traps.  Default Setting  Issue authentic
215. er port. Use the no form to remove the configuration.  Syntax  [no] ip igmp snooping vlan vlan-id mrouter interface  vlan-id: VLAN ID (Range: 1-4094)  interface  ethernet unit/port  unit: Stack unit. (This is unit 1.)  port: Port number. (Range: 1-26/52)  port-channel channel-id (Range: 1-4)  Default Setting  No static multicast router ports are configured.  Command Mode  Global Configuration  Command Usage  Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.  Example  The following shows how to configure port 11 as a multicast router port within VLAN 1.  Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11  Console(config)#  show ip igmp snooping mrouter  This command displays information on statically configured and dynamically learned multicast router ports.  Syntax  show ip igmp snooping mrouter [vlan vlan-id]  vlan-id: VLAN ID (Range: 1-4094)  Default Setting  Displays multicast router ports for all configured VLANs.  Command Mode  Privileged Exec  Command Usage  Multicast router port types displayed include Static.  Example  The following shows that port 11 in VLAN 1 is attached to a multicast
216. ery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.  RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.  You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter "authentication login radius tacacs local," the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.  Example  Console(config)#authentication login radius  Console(config)#  Related Commands  username: for setting the local user names and passwords (4-35)  authentication enable  This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-27). Use the no form to restore the default.  Syntax  authentication enable {[local] [radius] [tacacs]}  no authentication enable  local: Use local password only.  radius: Use RADIUS server password
217. es  Layer 3/4 Priority Settings  Mapping Layer 3/4 Priorities to CoS Values  Selecting IP Precedence/DSCP Priority  Mapping IP Precedence  Mapping DSCP Priority  Mapping IP Port Priority  Mapping CoS Values to ACLs  Multicast Filtering  Layer 2 IGMP (Snooping and Query)  Configuring IGMP Snooping and Query Parameters  Displaying Interfaces Attached to a Multicast Router  Specifying Static Interfaces for a Multicast Router  Displaying Port Members of Multicast Services  Assigning Ports to Multicast Services  4 Command Line Interface  Using the Command Line Interface  Accessing the CLI  Console Connection  Telnet Connection  Entering Commands  Keywords and Arguments  Minimum Abbreviation  Command Completion  Getting Help on Commands  Showing Commands  Partial Keyword Lookup  Negating the Effect o
218. es:  Permanent: Static entry.  Delete-on-reset: Static entry to be deleted when system is reset.  The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address. Enter hexadecimal numbers, where an equivalent binary bit "0" means to match a bit and "1" means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means "any."  The maximum number of address entries is 8191.  Example  Console#show mac-address-table  Interface  Mac Address  Vlan  Type  Eth 1/1  00-00-E8-49-5E-DC  1  Delete-on-reset  Trunk 2  00-E0-29-8F-AA-1B  1  Learned  Console#  mac-address-table aging-time  This command sets the aging time for entries in the address table. Use the no form to restore the default aging time.  Syntax  mac-address-table aging-time seconds  no mac-address-table aging-time  seconds: Aging time. (Range: 10-30000 seconds; 0 to disable aging)  ADDRESS TABLE COMMANDS  Default Setting  300 seconds  Command Mode  Global Configuration  Command Usage  The aging time is used to age out dynamically learned forwarding information.  Example  Console(config)#mac-address-table aging-time 100  Console(config)#  show mac-address-table aging-time  This command shows the aging time for entries in the address table.  Default Setting  None  Command Mode  Privileged Exec  Example
219. es, including tagged or untagged frames, or only tagged frames. When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. (Options: All, Tagged; Default: All)  Ingress Filtering: Determines how to process frames tagged for VLANs for which the ingress port is not a member. (Default: Disabled)  Ingress filtering only affects tagged frames.  If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).  If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded.  Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STP. However, they do affect VLAN dependent BPDU frames, such as GMRP.  GVRP Status: Enables/disables GVRP for the interface. GVRP must be globally enabled for the switch before this setting can take effect. (See "Displaying Bridge Extension Capabilities" on page 3-15.) When disabled, any GVRP packets received on this port will be discarded and no GVRP registrations will be propagated from other ports. (Default: Disabled)  GARP Join Timer: The interval between transmitting requests/queries to participate in a VLAN group. (Range: 20-1000 centiseconds; Default: 20)  GARP Leave
220. es. When entering addresses for different groups, the switch will accept overlapping address ranges.  You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses.  SYSTEM MANAGEMENT COMMANDS  You can delete an address range just by specifying the start address, or by specifying both the start address and end address.  Example  This example restricts management access to the indicated addresses.  Console(config)#management all-client 192.168.1.19  Console(config)#management all-client 192.168.1.25 192.168.1.30  Console(config)#  show management  This command displays the client IP addresses that are allowed management access to the switch through various protocols.  Syntax  show management {all-client | http-client | snmp-client | telnet-client}  all-client: Adds IP address(es) to the SNMP, web and Telnet groups.  http-client: Adds IP address(es) to the web group.  snmp-client: Adds IP address(es) to the SNMP group.  telnet-client: Adds IP address(es) to the Telnet group.  Command Mode  Privileged Exec  Example  Console#show management all-client  Management IP Filter  HTTP Client:  Start IP address  End IP address  1. 192.168.1.19  192.168.1.19  2. 192.168.1.25  192.168.1.30  SNMP Client:  Start IP address  End IP address  1. 192.168.1.19  192.168.1.19  2. 192.168.1.25  192.168.1.30  TELNET Client:  S
221. ess: 00-00-E8-AA-AA-01
Configuration:
Name:
Port admin: Up
Speed-duplex: Auto
Capabilities: 10half, 10full, 100half, 100full
Flow control: Disabled
Port security: Disabled
Max MAC count: 0
Current status:
Created by: User
Link status: Up
Port operation status: Up
Operation speed-duplex: 100full
Flow control type: None
Member Ports: Eth1/1, Eth1/2,
Console#
Enabling LACP on Selected Ports
Command Usage
- To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP.
- If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
- A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID.
- If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
- All ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
- Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Membership menu (see page 3-95).
Command Attributes
Member List (Current) - Shows configured trunks (Unit, Port).
New - Includes entry fields for
222. eters, you can access the onboard configuration program from anywhere within the attached network. The onboard configuration program can be accessed using Telnet from any computer attached to the network. The switch can also be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above), or from a network computer using SNMP network management software.
Note: The onboard program only provides access to basic configuration functions. To access the full range of SNMP management functions, you must use SNMP-based network management software.
Basic Configuration
Console Connection
The CLI program provides two different command levels: normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities. To fully configure the switch parameters, you must access the CLI at the Privileged Exec level.
Access to both CLI levels is controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps:
1. To initiate your console connection, press <Enter>. The "User Access Verification" procedure starts.
2. At the Username
223. etes all characters from the cursor to the end of the line.
Ctrl-L - Repeats current command line on a new line.
Ctrl-N - Enters the next command line in the history buffer.
Ctrl-P - Enters the last command.
Ctrl-R - Repeats current command line on a new line.
Ctrl-U - Deletes from the cursor to the beginning of the line.
Ctrl-W - Deletes the last word typed.
Esc-B - Moves the cursor back one word.
Esc-D - Deletes from the cursor to the end of the word.
Esc-F - Moves the cursor forward one word.
Delete key or backspace key - Erases a mistake when entering a command.
Command Groups
The system commands can be broken down into the functional groups shown below.
Table 4-4 Command Groups
trunk; configures Link Aggregation Control Protocol for port trunks
Command Group | Description | Page
Line | Sets communication parameters for the serial port and Telnet, including baud rate and console time-out | 4-14
General | Basic commands for entering privileged access mode, restarting the system, or quitting the CLI | 4-26
System Management | Controls system logs, system passwords, user name, browser management options, and a variety of other system information | 4-32
Flash/File | Manages code image or switch configuration files | 4-86
Authentication | Configures logon access using local or remote authentication; also configures port security and IEEE 802.1X port access co | 4-94
224. ets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
Syntax: silent-time [seconds]
no silent-time
seconds - The number of seconds to disable console response. (Range: 0-65535; 0: no silent-time)
Default Setting: The default value is no silent-time.
Command Mode: Line Configuration
Example: To set the silent time to 60 seconds, enter this command.
Console(config-line)#silent-time 60
Console(config-line)#
Related Commands: password-thresh (4-20)
databits
This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.
Syntax: databits {7 | 8}
no databits
7 - Seven data bits per character.
8 - Eight data bits per character.
Default Setting: 8 data bits per character
Command Mode: Line Configuration
Command Usage: The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
Example: To specify 7 data bits, enter this command.
Console(config-line)#databits 7
Console(config-line)#
Related Commands: parity (4-23)
LIN
225. eues.
Default Setting: None
Command Mode: Privileged Exec
Example:
Console#show queue bandwidth
Queue ID Weight
Console#
show queue cos-map
This command shows the class of service priority map.
Syntax: show queue cos-map [interface]
interface:
ethernet unit/port
unit - Stack unit. (This is unit 1.)
port - Port number. (Range: 1-26/52)
port-channel channel-id (Range: 1-4)
Default Setting: None
Command Mode: Privileged Exec
Example:
Console#show queue cos-map ethernet 1/1
Information of Eth 1/1
CoS Value:      0 1 2 3 4 5 6 7
Priority Queue: 0 0 0 1 2 2 3 3
Console#
Priority Commands (Layer 3 and 4)
Table 4-60 Priority Commands (Layer 3 and 4)
Command | Function | Mode | Page
map ip port | Enables TCP class of service mapping | GC | 4-230
map ip port | Maps TCP socket to a class of service | IC | 4-230
map ip precedence | Enables IP precedence class of service mapping | GC | 4-230
map ip precedence | Maps IP precedence value to a class of service | IC | 4-232
map ip dscp | Enables IP DSCP class of service mapping | GC | 4-233
map ip dscp | Maps IP DSCP value to a class of service | IC | 4-233
map access-list ip | Sets the CoS value and corresponding output queue for packets matching an ACL rule | IC | 4-126
map access-list mac | Sets the CoS value and corresponding output queue for packets matching an ACL rule | IC | 4-133
show ma
226. exceed the acceptable amount of traffic are dropped.
Port Mirroring - The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.
Port Trunking - Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using IEEE 802.3ad Link Aggregation Control Protocol (LACP). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to four trunks.
Broadcast Storm Control - Broadcast suppression prevents broadcast traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
Static Addresses - A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.
IEEE 802.1D Bridge - The switch supports IEEE 802.1D tr
227. f CRC/alignment errors (FCS or alignment errors).
Undersize Frames - The total number of frames received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.
Oversize Frames - The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.
Fragments - The total number of frames received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either an FCS or alignment error.
64 Bytes Frames - The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
65-127 Byte Frames, 128-255 Byte Frames, 256-511 Byte Frames, 512-1023 Byte Frames, 1024-1518 Byte Frames, 1519-1536 Byte Frames - The total number of frames (including bad packets) received and transmitted where the number of octets falls within the specified range (excluding framing bits but including FCS octets).
Web - Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
[Screenshot: Port Statistics page] Interface Statistics  Received O
228. f Commands 4-7
Using Command History 4-7
Understanding Command Modes 4-8
Exec Commands 4-8
Configuration Commands 4-9
Command Line Processing 4-11
Command Groups 4-12
Line Commands 4-14
line 4-15
login 4-16
password 4-17
timeout login response 4-18
exec-timeout 4-19
password-thresh 4-20
silent-time 4-21
databits 4-22
parity 4-23
speed 4-23
stopbits 4-24
disconnect 4-25
show line 4-25
General Commands 4-26
enable 4-27
disable 4-28
configure 4-28
show history 4-29
reload 4-30
end 4-30
exit 4-31
quit 4-31
System Management Commands 4-32
Device Designation Commands 4-33
prompt 4-33
hostname 4-34
229. face by marking the appropriate radio button for a port or trunk:
- Tagged: Interface is a member of the VLAN. All packets transmitted by the port will be tagged, that is, carry a tag and therefore carry VLAN or CoS information.
- Untagged: Interface is a member of the VLAN. All packets transmitted by the port will be untagged, that is, not carry a tag and therefore not carry VLAN or CoS information. Note that an interface must be assigned to at least one group as an untagged port.
- Forbidden: Interface is forbidden from automatically joining the VLAN via GVRP. For more information, see "Automatic VLAN Registration" on page 3-143.
- None: Interface is not a member of the VLAN. Packets associated with this VLAN will not be transmitted by the interface.
Trunk Member - Indicates if a port is a member of a trunk. To add a trunk to the selected VLAN, use the last table on the VLAN Static Table page.
Web - Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks. Click Apply.
Figure 3-64 Configuring a VLAN Static Table
CLI - The followi
230. figuration.
startup-config - The configuration used for system initialization.
tftp - Keyword that allows you to copy to/from a TFTP server.
https-certificate - Copies an HTTPS certificate from an TFTP server to the switch.
public-key - Keyword that allows you to copy a SSH key from a TFTP server. (See "Secure Shell Commands" on page 4-46.)
unit - Keyword that allows you to copy to/from a unit.
Default Setting: None
Command Mode: Privileged Exec
Command Usage
- The system prompts for data required to complete the copy command.
- The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, ".", "-", "_")
- Due to the size limit of the flash memory, the switch supports only two operation code files.
- The maximum number of user-defined configuration files depends on available memory.
- You can use "Factory_Default_Config.cfg" as the source to copy from the factory default configuration file, but you cannot use it as the destination.
- To replace the startup configuration, you must use startup-config as the destination.
- Use the copy file unit command to copy a local file to another switch in the stack. Use the copy unit file command to copy a file
231. figure the switch to send time synchronization requests to time servers.
Command Attributes
SNTP Client - Configures the switch to operate as an SNTP client. This requires at least one time server to be specified in the SNTP Server field. (Default: Disabled)
SNTP Poll Interval - Sets the interval between sending requests for a time update from a time server. (Range: 16-16284 seconds; Default: 16 seconds)
SNTP Server - Sets the IP address for up to three time servers. The switch attempts to update the time from the first server; if this fails it attempts an update from the next server in the sequence.
Web - Select SNTP, Configuration. Modify any of the required parameters, and click Apply.
Figure 3-20 SNTP Configuration
CLI - This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2    4-74
Console(config)#sntp poll 60    4-75
Console(config)#sntp client    4-73
Console(config)#exit
Console#show sntp
Current time: Jan 6 14:56:05 2004
Poll interval: 60
Current mode: unicast
SNTP status: Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.250.36.2
Console#
232. following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established.
Console(config)#interface ethernet 1/11
Console(config-if)#lacp
Console(config-if)#exit
Console(config)#interface ethernet 1/12
Console(config-if)#lacp
Console(config-if)#exit
Console(config)#interface ethernet 1/13
Console(config-if)#lacp
Console(config-if)#exit
Console(config)#exit
Console#show interfaces status port-channel 1
Information of Trunk 1
Basic information:
Port type: 100TX
Mac address: 00-00-e8-00-00-0b
Configuration:
Name:
Port admin: Up
Speed-duplex: Auto
Capabilities: 10half, 10full, 100half, 100full
Flow control status: Disabled
Port security: Disabled
Max MAC count: 0
Current status:
Created by: LACP
Link status: Up
Operation speed-duplex: 100full
Flow control type: None
Member Ports: Eth1/11, Eth1/12, Eth1/13,
Console#
lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax: lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - This priority is used
233. for Management Access
You create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
Command Usage
- The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
- If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
- IP address can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
- When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
- You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses.
- You can delete an address range just by specifying the start address, or by specifying both the start address and end address.
Command Attributes
Web IP Filter - Configures IP address(es) for the web group.
SNMP IP Filter - Configures IP address(es) for the SNMP group.
Telnet IP Filter - Configures IP address(es) for the Te
234. for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Apply.
Figure 3-80 IP Port Priority
CLI - The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays all the IP Port Priority settings for that port.
Console(config)#map ip port    4-230
Console(config)#interface ethernet 1/5
Console(config-if)#map ip port 80 cos 0    4-230
Console(config-if)#end
Console#show map ip port ethernet 1/5    4-230
TCP port mapping status: enabled
Port      Port no.  COS
Eth 1/ 5  80        0
Console#
Note: Mapping specific values for IP Port Priority is implemented as an interface configuration command, but any changes will apply to all the interfaces on the switch.
Mapping CoS Values to ACLs
Use the ACL CoS Mapping page to set the output queue for packets matching an ACL rule as shown in the following table. Note that the specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. For information on mapping the CoS values to output queues, see page 3-167.
Table 3-14 Egress Queue Priority Mapping
Queue    | 0    | 1    | 2    | 3
Priority | 1, 2 | 0, 3 | 4, 5 | 6, 7
235. from another switch in the stack.
- The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
- For information on specifying an https-certificate, see "Replacing the Default Secure-site Certificate" on page 3-56. For information on configuring the switch to use HTTPS for a secure connection, see "ip http secure-server" on page 4-42.
Example
The following example shows how to upload the configuration settings to a file on the TFTP server.
Console#copy file tftp
Choose file type:
1. config: 2. opcode: <1-2>: 1
Source file name: startup
TFTP server ip address: 10.1.0.99
Destination file name: startup.01
TFTP completed.
Success.
Console#
The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
Write to FLASH finish.
Success.
Console#
The following example shows how to download a configuration file.
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name: startup
Write to FLASH Programming.
Write to FLASH finish.
Success.
Console#
This example shows how to copy a secure-site certificate from an TFTP server. It the
236. g
Figure 3-11 Copy Configuration Settings
If you download to a new file name using "tftp to startup-config" or "tftp to file," the file is automatically set as the start-up configuration file. To use the new settings, reboot the system via the System/Reset menu.
Note that you can also select any configuration file as the start-up configuration by using the System/File/Set Start-Up page.
Figure 3-12 Setting the Startup Configuration Settings
CLI - Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config    4-87
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name: startup
Write to FLASH Programming.
Write to FLASH finish.
Success.
Console#reload
To select another configuration file as the start-up configuration, use the boot system command and then restart the switch.
Console#config
Console(config)#boot syst
237. g.
Syntax: stopbits {1 | 2}
1 - One stop bit
2 - Two stop bits
Default Setting: 1 stop bit
Command Mode: Line Configuration
Example: To specify 2 stop bits, enter this command.
Console(config-line)#stopbits 2
Console(config-line)#
disconnect
This command terminates an SSH, Telnet, or console connection.
Syntax: disconnect session-id
session-id - The session identifier for an SSH, Telnet or console connection. (Range: 0-4)
Command Mode: Privileged Exec
Command Usage: Specifying session identifier "0" will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
Example:
Console#disconnect 1
Console#
Related Commands: show ssh (4-55), show users (4-84)
show line
This command displays the terminal line's parameters.
Syntax: show line [console | vty]
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting: Shows all lines
Command Mode: Normal Exec, Privileged Exec
Example: To show all lines, enter this command.
Console#show line
Console configuration:
Password threshold: 3 times
Interactive timeout: Disabled
Login timeout: Disabled
Silent time: Disabled
Baudrate: 9600
Databits: 8
Parity: none
Stopbits: 1
VTY config
238. g device is always forwarding.
- If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
- All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding.
Forward Transitions - The number of times this port has transitioned from the Learning state to the Forwarding state.
Designated Cost - The cost for a packet to travel from this port to the root in the current Spanning Tree configuration. The slower the media, the higher the cost.
Designated Bridge - The bridge priority and MAC address of the device through which this port must communicate to reach the root of the Spanning Tree.
Designated Port - The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree.
Oper Link Type - The operational point-to-point status of the LAN segment attached to this interface. This parameter is determined by manual configuration or by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-137.
Oper Edge Port - This parameter is initialized to the setting for Admin Edge Port in STA Port Configuration on page 3-137 (i.e., true or false), but will be set to false if a BPDU is received, indicati
239. g)#map ip dscp    4-233
Console(config)#interface ethernet 1/1    4-144
Console(config-if)#map ip dscp 1 cos 0    4-233
Console(config-if)#end
Console#show map ip dscp ethernet 1/1    4-237
DSCP mapping status: enabled
Port      DSCP  COS
Eth 1/ 1  0     0
Eth 1/ 1  1     0
Eth 1/ 1  2     0
Eth 1/ 1  3     0
Eth 1/ 1  63    0
Console#
Note: Mapping specific values for IP DSCP is implemented as an interface configuration command, but any changes will apply to all the interfaces on the switch.
Mapping IP Port Priority
You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110.
Command Attributes
IP Port Priority Status - Enables or disables the IP port priority.
IP Port Priority Table - Shows the IP port to CoS map.
IP Port Number (TCP/UDP) - Set a new IP port number.
Class of Service Value - Sets a CoS value for a new IP port. Note that "0" represents low priority and "7" represents high priority.
Note: IP Port Priority settings apply to all interfaces.
Web - Click Priority, IP Port Priority Status. Set IP Port Priority Status to Enabled.
Figure 3-79 IP Port Priority Status
Click Priority, IP Port Priority. Enter the port number
240. g example adds a description to port 24.
Console(config)#interface ethernet 1/24
Console(config-if)#description RD SW#3
Console(config-if)#
speed-duplex
This command configures the speed and duplex mode of a given interface when autonegotiation is disabled. Use the no form to restore the default.
Syntax: speed-duplex {1000full | 100full | 100half | 10full | 10half}
no speed-duplex
1000full - Forces 1000 Mbps full-duplex operation
100full - Forces 100 Mbps full-duplex operation
100half - Forces 100 Mbps half-duplex operation
10full - Forces 10 Mbps full-duplex operation
10half - Forces 10 Mbps half-duplex operation
Default Setting
- Auto-negotiation is enabled by default.
- When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports.
Command Mode: Interface Configuration (Ethernet, Port Channel)
Command Usage
- To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
- When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To set the speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface.
Example
The following example configures port 5 t
241. g-if)#dot1x timeout re-authperiod 1800    4-112
Console(config-if)#dot1x timeout tx-period 40    4-113
Console(config-if)#end
Console#show dot1x    4-114
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name  Status    Operation Mode  Mode             Authorized
1/1        disabled  Single-Host     ForceAuthorized  n/a
1/2        enabled   Single-Host     auto             yes
1/26       disabled  Single-Host     ForceAuthorized  n/a
Displaying 802.1X Statistics
This switch can display statistics for dot1x protocol exchanges for any port.
Table 3-5 802.1X Statistics
Parameter | Description
Rx EAPOL Start | The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff | The number of EAPOL Logoff frames that have been received by this Authenticator.
Rx EAPOL Invalid | The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized.
Rx EAPOL Total | The number of valid EAPOL frames of any type that have been received by this Authenticator.
Rx EAP Resp/Id | The number of EAP Resp/Id frames that have been received by this Authenticator.
Rx EAP Resp/Oth | The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator.
Rx EAP LenError | The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid.
Rx Last EAPOLVer | The
242. g zeroes.
Default Setting: None
Command Mode: Interface Configuration (Ethernet, Port Channel)
Command Usage: Promiscuous ports assigned to a primary VLAN can communicate with any other promiscuous ports in the same VLAN, and with the group members within any associated secondary VLANs.
Example:
Console(config)#interface ethernet 1/2
Console(config-if)#switchport private-vlan mapping 2
Console(config-if)#
show vlan private-vlan
Use this command to show the private VLAN configuration settings on this switch.
Syntax: show vlan private-vlan [community | isolated | primary]
community - Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces.
isolated - Displays an isolated VLAN, along with the assigned promiscuous interface and host interfaces. The Primary and Secondary fields both display the isolated VLAN ID.
primary - Displays all primary VLANs, along with any assigned promiscuous interfaces.
Default Setting: None
Command Mode: Privileged Executive
Example:
Console#show vlan private-vlan
Primary  Secondary  Type       Interfaces
5                   primary    Eth1/ 3
5        6          community  Eth1/ 4 Eth1/ 5
0        8          isolated
Console#
GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members o
243. ged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.

Port Overlapping - Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch.

Untagged VLANs - Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch. Packets are forwarded only between ports that are designated for the same VLAN. Untagged VLANs can be used to manually isolate user groups or subnets. However, you should use IEEE 802.3 tagged VLANs with GVRP whenever possible to fully automate VLAN registration.

3-142
VLAN CONFIGURATION

Automatic VLAN Registration - GVRP (GARP VLAN Registration Protocol) defines a system whereby the switch can automatically learn the VLANs to which each end station should be assigned. If an end station (or its network adapter) supports the IEEE 802.1Q VLAN protocol, it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join. When this switch receives these messages, it will automatically place the receiving port in the specified VLANs, and then forward the message to all other po
244. ggregatable, i.e., a potential candidate for aggregation.
  - Long timeout - Periodic transmission of LACPDUs uses a slow transmission rate.
  - LACP Activity - Activity control value with regard to this link. (0: Passive; 1: Active)

4-175
COMMAND LINE INTERFACE

  Console#show lacp 1 neighbors
  Port channel 1 neighbors

    Partner Admin System ID   : 32768, 00-00-00-00-00-00
    Partner Oper System ID    : 32768, 00-00-00-00-00-01
    Partner Admin Port Number : 1
    Partner Oper Port Number  : 1
    Port Admin Priority       : 32768
    Port Oper Priority        : 32768
    Admin Key                 : 0
    Oper Key                  : 4
    Admin State               : defaulted, distributing, collecting, synchronization, long timeout,
    Oper State                : distributing, collecting, synchronization, aggregation, long timeout, LACP activity

Table 4-47 show lacp neighbors - display description

Field - Description
Partner Admin System ID - LAG partner's system ID assigned by the user.
Partner Oper System ID - LAG partner's system ID assigned by the LACP protocol.
Partner Admin Port Number - Current administrative value of the port number for the protocol Partner.
Partner Oper Port Number - Operational port number assigned to this aggregation port by the port's protocol partner.
Port Admin Priority - Current administrative value of the port priority for the protocol partner.
Port Oper Priority - Priority value assigned to this aggregation port by the partner.
Admin Key - Current administrative value of 
245. gn a port to an isolated VLAN.

4. Use the show vlan private-vlan command to verify your configuration settings.

private-vlan

4-210

Use this command to create a primary, community, or isolated private VLAN. Use the no form to remove the specified private VLAN.

Syntax
  private-vlan vlan-id {community | primary | isolated}
  no private-vlan vlan-id
  - vlan-id - ID of private VLAN. (Range: 1-4094, no leading zeroes)
  - community - A VLAN in which traffic is restricted to host members in the same VLAN and to promiscuous ports in the associated primary VLAN.
  - primary - A VLAN which can contain one or more community VLANs, and serves to channel traffic between community VLANs and other locations.
  - isolated - Specifies an isolated VLAN. Ports assigned to an isolated VLAN can only communicate with the promiscuous port within their own VLAN.

VLAN COMMANDS

Default Setting
  None

Command Mode
  VLAN Configuration

Command Usage
  - Private VLANs are used to restrict traffic to ports within the same community or isolated VLAN, and channel traffic passing outside the community through promiscuous ports. When using community VLANs, they must be mapped to an associated "primary" VLAN that contains promiscuous ports. When using an isolated VLAN, it must be configured to contain a single promiscuous port.
  - Port membership for private VLANs is static. Once a port has been assigned to a private VLAN, it cannot be dynamically moved
246. Figure 3-84 Static Multicast Router Port Configuration

CLI - This example configures port 11 as a multicast router port within VLAN 1.

  Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11    4-247
  Console(config)#exit
  Console#show ip igmp snooping mrouter vlan 1                     4-248
   VLAN  M'cast Router Port  Type
   1     Eth 1/11            Static
  Console#

Displaying Port Members of Multicast Services

You can display the port members associated with a specified VLAN and multicast service.

Command Attributes
  - VLAN ID - Selects the VLAN for which to display port members.
  - Multicast IP Address - The IP address for a specific multicast service.

3-186
MULTICAST FILTERING

  - Multicast Group Port List - Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service.

Web - Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service.

Figure 3-85 IP Multicast Registration Table

CLI - This example displays all the known multicast services supported on VLAN 1, a
247. gure 3-5, Figure 3-6, Figure 3-7, Figure 3-8, Figure 3-9, Figure 3-10, Figure 3-11, Figure 3-12, Figure 3-13, Figure 3-14, Figure 3-15, Figure 3-16, Figure 3-17, Figure 3-18, Figure 3-19, Figure 3-20, Figure 3-21, Figure 3-22, Figure 3-23, Figure 3-24, Figure 3-25, Figure 3-26, Figure 3-27, Figure 3-28, Figure 3-29, Figure 3-30, Figure 3-31, Figure 3-32, Figure 3-33, Figure 3-34, Figure 3-35, Figure 3-36

FIGURES

Home Page  3-3
Panel Display  3-4
System Information  3-12
Switch Information  3-14
Bridge Extension Configuration  3-16
Manual IP Configuration  3-18
DHCP IP Configuration  3-19
Operation Code Image File Transfer  3-22
Select Start-Up Operation File  3-23
Deleting Files  3-23
Copy Configuration Settings  3-26
Setting the Startup Configuration Settings  3-27
Console Port Settings  3-29
Enabling Telnet  3-32
System Logs  3-35
Remote Logs  3-37
Displaying Logs  3-38
Enabling and Configuring SMTP Alerts  3-40
Resetting the System  3-41
SNTP Configuration  3-43
Setting the System Clock  3-44
Configuring SNMP Com
248. h service pack 6a), Windows 2000, Windows XP
Netscape Navigator 6.2 or later - Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP, Solaris 2.6

To specify a secure-site certificate, see "Replacing the Default Secure-site Certificate" on page 3-56.

Command Attributes
  - HTTPS Status - Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled)
  - Change HTTPS Port Number - Specifies the UDP port number used for HTTPS connection to the switch's web interface. (Default: Port 443)

3-55
CONFIGURING THE SWITCH
3-56

Web - Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.

Figure 3-26 HTTPS Settings

CLI - This example enables the HTTP secure server and modifies the port number.

  Console(config)#ip http secure-server        4-42
  Console(config)#ip http secure-port 441      4-43
  Console(config)#

Replacing the Default Secure-site Certificate

When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site. This is because the certificate has not been signed by an approved certification auth
249. h authentication-retries 5                         4-51
  Console(config)#ip ssh server-key size 512          4-51
  Console(config)#end
  Console#show ip ssh                                 4-55
  SSH Enabled - version 2.0
  Negotiation timeout: 120 secs; Authentication retries: 5
  Server key size: 512 bits
  Console#show ssh                                    4-55
  Connection  Version  State            Username  Encryption
  0           2.0      Session-Started  admin     ctos aes128-cbc-hmac-md5
                                                  stoc aes128-cbc-hmac-md5
  Console#disconnect 0                                4-25
  Console#

Configuring Port Security

3-64

Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port.

When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted as authorized to access the network through that port. If a device with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message.

To use port security, specify a maximum number of addresses to allow on the port and then let the switch dynamically learn the <source MAC address, VLAN> pair for frames received on the port. Note that you can also manually add secure addresses to the port using the Static Address Table (page 3
250. h over a serial connection to the console port or via Telnet. For more information on using the CLI, refer to Chapter 4, "Command Line Interface."

Prior to accessing the switch from a web browser, be sure you have first performed the following tasks:

1. Configure the switch with a valid IP address, subnet mask, and default gateway using an out-of-band serial connection, BOOTP or DHCP protocol. (See "Setting an IP Address" on page 2-6.)
2. Set user names and passwords using an out-of-band serial connection. Access to the web agent is controlled by the same user names and passwords as the onboard configuration program. (See "Setting Passwords" on page 2-5.)
3. After you enter a user name and password, you will have access to the system configuration program.

3-1
CONFIGURING THE SWITCH
3-2

Notes:
1. You are allowed three attempts to enter the correct password; on the third failed attempt the current connection is terminated.
2. If you log into the web interface as guest (Normal Exec level), you can view the configuration settings or change the guest password. If you log in as "admin" (Privileged Exec level), you can change the settings on any page.
3. If the path between your management station and this switch does not pass through any device that uses the Spanning Tree Algorithm, then you can set the switch port attached to your management station to fast forwarding (i.e., enable Admin Edge Port) to improve the sw
251. h service pack 6a), Windows 2000, Windows XP, Solaris 2.6

To specify a secure-site certificate, see "Replacing the Default Secure-site Certificate" on page 4-56. Also refer to the copy command on page 4-87.

Example
  Console(config)#ip http secure-server
  Console(config)#

Related Commands
  ip http secure-port (4-43)
  copy tftp https-certificate (4-87)

ip http secure-port

This command specifies the UDP port number used for HTTPS connection to the switch's web interface. Use the no form to restore the default port.

Syntax
  ip http secure-port port_number
  no ip http secure-port
  - port_number - The UDP port used for HTTPS. (Range: 1-655535)

Default Setting
  443

4-43
COMMAND LINE INTERFACE

Command Mode
  Global Configuration

Command Usage
  - You cannot configure the HTTP and HTTPS servers to use the same port.
  - If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number

Example
  Console(config)#ip http secure-port 1000
  Console(config)#

Related Commands
  ip http secure-server (4-42)

Telnet Server Commands

Table 4-14 Telnet Server Commands

Command - Function (Mode, Page)
ip telnet port - Specifies the port to be used by the Telnet interface (GC, 4-44)
ip telnet server - Allows the switch to be monitored or configured from Telnet (GC, 4-45)
252. he configuration for bridge extension commands.

Default Setting
  None

Command Mode
  Privileged Exec

Command Usage
  See "Displaying Basic VLAN Information" on page 3-145 and "Displaying Bridge Extension Capabilities" on page 3-15 for a description of the displayed items.

Example
  Console#show bridge-ext
   Max support vlan numbers: 255
   Max support vlan ID: 4094
   Extended multicast filtering services: No
   Static entry individual port: Yes
   VLAN learning: IVL
   Configurable PVID tagging: Yes
   Local VLAN capable: No
   Traffic classes: Enabled
   Global GVRP status: Enabled
   GMRP: Disabled
  Console#

4-218
GVRP AND BRIDGE EXTENSION COMMANDS

switchport gvrp

This command enables GVRP for a port. Use the no form to disable it.

Syntax
  [no] switchport gvrp

Default Setting
  Disabled

Command Mode
  Interface Configuration (Ethernet, Port Channel)

Example
  Console(config)#interface ethernet 1/6
  Console(config-if)#switchport gvrp
  Console(config-if)#

show gvrp configuration

This command shows if GVRP is enabled.

Syntax
  show gvrp configuration [interface]
  interface
  - ethernet unit/port
    - unit - Stack unit. (This is unit 1.)
    - port - Port number. (Range: 1-26/52)
  - port-channel channel-id (Range: 1-4)

Default Setting
  Shows both global and interface-specific configuration.

Command Mode
  Normal Exec, Privileged Exec

Example
  Console#show gvrp configuration ethernet 1/6
  Eth 1/ 6 
253. he number of seconds. (Range: 1-655535)

Default
  60 seconds

Command Mode
  Interface Configuration

Example
  Console(config)#interface eth 1/2
  Console(config-if)#dot1x timeout quiet-period 350
  Console(config-if)#

dot1x timeout re-authperiod

This command sets the time period after which a connected client must be re-authenticated.

Syntax
  dot1x timeout re-authperiod seconds
  no dot1x timeout re-authperiod
  - seconds - The number of seconds. (Range: 1-65535)

Default
  3600 seconds

4-112
AUTHENTICATION COMMANDS

Command Mode
  Interface Configuration

Example
  Console(config)#interface eth 1/2
  Console(config-if)#dot1x timeout re-authperiod 300
  Console(config-if)#

dot1x timeout tx-period

This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.

Syntax
  dot1x timeout tx-period seconds
  no dot1x timeout tx-period
  - seconds - The number of seconds. (Range: 1-65535)

Default
  30 seconds

Command Mode
  Interface Configuration

Example
  Console(config)#interface eth 1/2
  Console(config-if)#dot1x timeout tx-period 300
  Console(config-if)#

4-113
COMMAND LINE INTERFACE

show dot1x

This command shows general port authentication related settings on the switch or a specific interface.

Syntax
  show dot1x [statistics] [interface interface]
  - statist
254. he priority bits in the Type of Service (ToS) octet or the number of the TCP port. If priority bits are used, the ToS octet may contain three bits for IP Precedence or six bits for Differentiated Services Code Point (DSCP) service. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.

Because different priority information may be contained in the traffic, this switch maps priority values to the output queues in the following manner:

  - The precedence for priority mapping is IP Port Priority, IP Precedence or DSCP Priority, and then Default Port Priority.
  - IP Precedence and DSCP Priority cannot both be enabled. Enabling one of these priority types will automatically disable the other.

3-171
CONFIGURING THE SWITCH
3-172

Selecting IP Precedence/DSCP Priority

The switch allows you to choose between using IP Precedence or DSCP priority. Select one of the methods or disable this feature.

Command Attributes
  - Disabled - Disables both priority services. (This is the default setting.)
  - IP Precedence - Maps layer 3/4 priorities using IP Precedence.
  - IP DSCP - Maps layer 3/4 priorities using Differentiated Services Code Point Mapping.

Web - Click Priority, IP Precedence/DSCP Priority Status. Select Disabled, IP Precedence or IP DSCP from the scroll-down menu, then click Apply.

IP Precedence/DSCP Priority Status
255. he switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).

Table 4-32 802.1X Port Authentication

Command - Function (Mode, Page)
dot1x system-auth-control - Enables dot1x globally on the switch. (GC, 4-108)
dot1x default - Resets all dot1x parameters to their default values (GC, 4-108)
dot1x max-req - Sets the maximum number of times that the switch retransmits an EAP request/identity packet to the client before it times out the authentication session (IC, 4-109)
dot1x port-control - Sets dot1x mode for a port interface (IC, 4-109)
dot1x operation-mode - Allows single or multiple hosts on a dot1x port (IC, 4-110)
dot1x re-authenticate - Forces re-authentication on specific ports (PE, 4-111)
dot1x re-authentication - Enables re-authentication for all ports (IC, 4-111)
dot1x timeout quiet-period - Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client (IC, 4-112)
dot1x timeout re-authperiod - Sets the time period after which a connected client must be re-authenticated (IC, 4-112)
dot1x timeout tx-period - Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet (IC, 4-113)
show dot1x - Shows all dot1x related 
256. hentication 3-48, 4-94
RADIUS client 4-97
RADIUS server 4-97
TACACS+ client 3-50, 4-102
TACACS+ server 3-50, 4-102
logon authentication, sequence 3-51, 4-95, 4-96

M

main menu 3-5
Management Information Bases (MIBs) A-4
mirror port, configuring 3-110, 4-157
multicast filtering 3-180, 4-238
multicast groups 3-186, 4-241
  displaying 4-241
  static 3-186, 4-239, 4-241
multicast services
  configuring 3-188, 4-239
  displaying 3-186, 4-241
multicast, static router port 3-185, 4-247

P

password, line 4-17, 4-18
passwords 2-5
  administrator setting 3-48, 4-35
path cost 3-127, 3-135
  method 3-132, 4-188
  STA 3-127, 3-135, 4-188
port authentication 3-66
port priority
  configuring 3-165, 4-222
  default ingress 3-165, 4-224
  STA 3-135, 4-191
port security, configuring 3-64, 4-104
port, statistics 3-114, 4-153
ports
  autonegotiation 3-91, 4-146
  broadcast storm threshold 3-108, 4-150
  capabilities 3-91, 4-147
  duplex mode 3-90, 4-145
  flow control 3-90, 4-148
  speed 3-90, 4-145
ports, configuring 3-87, 4-143
ports, mirroring 3-110, 4-157
primary VLAN 3-157
priority, default port ingress 3-165, 4-224
private VLANs, configuring 3-156, 3-157, 4-209
problems, troubleshooting B-1
promiscuous ports 3-156, 4-208
protocol migration 3-139, 4-194
PVLAN
  association 3-160
  community ports 3-156, 4-208
  interface configuration 3-162
  isolated ports 3-156, 4-208
  primary VLAN 3-157
  promiscuous ports 3-156, 4-208

Q

queue weights 3-170, 4-225
257. hentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)
  - Max Req - Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2)

USER AUTHENTICATION

  - Quiet Period - Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. (Range: 1-655535 seconds; Default: 60 seconds)
  - Re-authen Period - Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)
  - Tx Period - Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)
  - Authorized
    - Yes - Connected client is authorized.
    - No - Connected client is not authorized.
    - Blank - Displays nothing when dot1x is disabled on a port.
  - Supplicant - Indicates the MAC address of a connected client.
  - Trunk - Indicates if the port is configured as a trunk port.

Web - Click Security, 802.1X, Port Configuration. Modify the parameters required, and click Apply.

[Screen: 802.1X Port Configuration; columns: Port, Status, Operation Mode, Mode, Reauthen, Max Req, Quiet Period, Reauthen Period, Tx Period, Authorized, Supplicant, Trunk]
258. host public key during the initial connection  setup with the switch  Otherwise  you need to manually create a known  hosts file on the management station and place the host public key in it   An entry for a public key in the known hosts file would appear similar  to the following example     10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254  15020245593199868544358361651999923329781766065830956 10825913212890233  76546801726272571413428762941301196195566782 59566410486957427888 146206  519417467729848654686157177393901647793559423035774130980227370877945452408397  1752646358058176716709574804776117      Import Client s Public Key to the Switch     Use the copy tftp    public key command to copy a file containing the public key for all the  SSH client s granted management access to the switch   Note that these  clients must be configured locally on the switch via the User Accounts  page as described on page 3 48   The clients are subsequently  authenticated using these keys  The current firmware only accepts  public key files based on standard UNIX format as shown in the  following example for an RSA Version 1 key    1024 35 1341081685609893921040944920155425347631641921872958921143173880  055536161631051775940838686311092912322268285192543746031009371877211996963178    136627741416898513204911720483033925432410163799759237144901193800609025394840  848271781943722884025331159521348610229029789827213532671316294325328189150453    06393916643 steve 192 
259. ic Multicast Registration Protocol (GMRP)

GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard.

Group Attribute Registration Protocol (GARP)

See Generic Attribute Registration Protocol.

Glossary-2
GLOSSARY

IEEE 802.1D

Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.

IEEE 802.1Q

VLAN Tagging - Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.

IEEE 802.1p

An IEEE standard for providing quality of service (QoS) in Ethernet networks. The standard uses packet tags that define up to eight traffic classes and allows switches to transmit packets based on the tagged priority value.

IEEE 802.1X

Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication.

IEEE 802.3ac

Defines frame extensions for VLAN tagging.

IEEE 802.3x

Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links. (Now incorporated in IEEE 802.3-2002.)

IGMP Snooping

Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members
260. ics - Displays dot1x status for each port.
  - interface
    - ethernet unit/port
      - unit - Stack unit. (This is unit 1.)
      - port - Port number. (Range: 1-26/52)

Command Mode
  Privileged Exec

Command Usage
  This command displays the following information:

  - Global 802.1X Parameters - Shows whether or not 802.1X port authentication is globally enabled on the switch.
  - 802.1X Port Summary - Displays the port access control parameters for each interface, including the following items:
    - Status - Administrative state for port access control.
    - Operation Mode - Dot1x port control operation mode (page 4-110).
    - Mode - Dot1x port control mode (page 4-109).
    - Authorized - Authorization status (yes or n/a - not authorized).
  - 802.1X Port Details - Displays the port access control parameters for each interface, including the following items:
    - reauth-enabled - Periodic re-authentication (page 4-111).
    - reauth-period - Time after which a connected client must be re-authenticated (page 4-112).
    - quiet-period - Time a port waits after Max Request Count is exceeded before attempting to acquire a new client (page 4-112).

4-114
AUTHENTICATION COMMANDS

    - tx-period - Time a port waits during authentication session before re-transmitting EAP packet (page 4-113).
    - supplicant-timeout - Supplicant timeout.
    - server-timeout - Server
    - reauth-max
    - max-req
    - Status
    - Operation Mode
    - Max Count
    - Port-control
    - Supplicant
    - Current Identifier
261. iguring Interface Connections" on page 3-48.) The following capabilities are supported.
    - 10half - Supports 10 Mbps half-duplex operation
    - 10full - Supports 10 Mbps full-duplex operation
    - 100half - Supports 100 Mbps half-duplex operation
    - 100full - Supports 100 Mbps full-duplex operation
    - 1000full - Supports 1000 Mbps full-duplex operation
    - Sym - Transmits and receives pause frames for flow control
    - FC - Supports flow control
  - Broadcast storm - Shows if broadcast storm control is enabled or disabled.
  - Broadcast storm limit - Shows the broadcast storm threshold. (64-95232000 octets per second)
  - Flow control - Shows if flow control is enabled or disabled.
  - LACP - Shows if LACP is enabled or disabled.
  - Port Security - Shows if port security is enabled or disabled.
  - Max MAC count - Shows the maximum number of MAC addresses that can be learned by a port. (0 - 1024 addresses)
  - Port security action - Shows the response to take when a security violation is detected. (shutdown, trap, trap-and-shutdown, or none)

Current Status:
  - Link Status - Indicates if the link is up or down.
  - Port Operation Status - Provides detailed information on port state. (Displayed only when the link is up.)
  - Operation speed-duplex - Shows the current speed and duplex mode.
  - Flow control type - Indicates the type of flow control currently in use. (IEEE 802.3x, Back-Pressure or none)

3-89
CONFIGURING THE SWITCH

CLI - This example show
262. ils, the system will repeat the process at a periodic interval. (A trap will be triggered if the switch cannot successfully open a connection.)

Example
  Console(config)#logging sendmail host 192.168.1.200
  Console(config)#

logging sendmail level

This command sets the severity threshold used to trigger alert messages.

Syntax
  logging sendmail level level
  - level - One of the system message levels (page 4-60). Messages sent include the selected level down to level 0. (Range: 0-7; Default: 7)

Default Setting
  Level 7

Command Mode
  Global Configuration

Command Usage
  The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.)

Example
  This example will send email alerts for system errors from level 4 through 0.

  Console(config)#logging sendmail level 4
  Console(config)#

4-69
COMMAND LINE INTERFACE

logging sendmail source-email

This command sets the email address used for the "From" field in alert messages. Use the no form to delete the source email address.

Syntax
  [no] logging sendmail source-email email-address
  - email-address - The source email address used in alert messages. (Range: 0-41 characters)

Default Setting
  None

Command Mode
  Global Configuration

Command Usage
  You may use a symbolic email address that identifies the sw
263. ime  3-124
Spanning Tree Algorithm Configuration  3-124
  Displaying Global Settings  3-126
  Configuring Global Settings  3-129
  Displaying Interface Settings  3-133
  Configuring Interface Settings  3-137
VLAN Configuration  3-140
  IEEE 802.1Q VLANs  3-140
    Enabling or Disabling GVRP (Global Setting)  3-145
    Displaying Basic VLAN Information  3-145
    Displaying Current VLANs  3-146
    Creating VLANs  3-148
    Adding Static Members to VLANs (VLAN Index)  3-150
    Adding Static Members to VLANs (Port Index)  3-152

CONTENTS

    Configuring VLAN Behavior for Interfaces  3-153
  Private VLANs  3-156
    Displaying Current Private VLANs  3-157
    Configuring Private VLANs  3-159
    Associating VLANs  3-160
    Displaying Private VLAN Interface Information  3-161
    Configuring Private VLAN Interfaces  3-162
Class of Service Configuration  3-165
  Layer 2 Queue Settings  3-165
    Setting the Default Priority for Interfaces  3-165
    Mapping CoS Values to Egress Queues  3-167
    Selecting the Queue Mode  3-169
    Setting the Service Weight for Traffic Class
264. ination email addresses
   1. ted@this-company.com

  SMTP source email address: john@acme.com
  SMTP status: Enabled
  Console#

Time Commands

The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.

Table 4-22 Time Commands

Command - Function (Mode, Page)
sntp client - Accepts time from specified time servers (GC, 4-73)
sntp server - Specifies one or more time servers (GC, 4-74)
sntp poll - Sets the interval at which the client polls for time (GC, 4-75)
show sntp - Shows current SNTP configuration settings (NE, PE, 4-75)
clock timezone - Sets the time zone for the switch's internal clock (GC, 4-76)
calendar set - Sets the system date and time (PE, 4-77)
show calendar - Displays the current date and time setting (NE, PE, 4-78)

4-72
SYSTEM MANAGEMENT COMMANDS

sntp client

This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers command. Use the no form to disable SNTP client requests.

Syntax
  [no] sntp client

Default Setting
  Disabled

Command Mode
  Global Configuration

Command Usage
  - The time acquired from time servers is used to record accurate dates and times f
265. ined errors, preventing them from being deliverable to a higher-layer protocol.

Transmit Octets: The total number of octets transmitted out of the interface, including framing characters.
Transmit Unicast Packets: The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.

Table 3-9 Port Statistics (Continued)
Parameter | Description
Transmit Multicast Packets | The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent.
Transmit Broadcast Packets | The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a broadcast address at this sub-layer, including those that were discarded or not sent.
Transmit Discarded Packets | The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
Transmit Errors | The number of outbound packets that could not be transmitted because of errors.

Etherlike Statistics
Alignment Errors | The number of alignment errors (missynchronized data packe
266. information PE 4-114

COMMAND LINE INTERFACE

dot1x system-auth-control

This command enables 802.1X port authentication globally on the switch. Use the no form to restore the default.

Syntax: [no] system-auth-control
Default Setting: Disabled
Command Mode: Global Configuration

Example
Console(config)#dot1x system-auth-control
Console(config)#

dot1x default

This command sets all configurable dot1x global and port settings to their default values.

Command Mode: Global Configuration

Example
Console(config)#dot1x default
Console(config)#

AUTHENTICATION COMMANDS

dot1x max-req

This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.

Syntax
dot1x max-req count
no dot1x max-req
count - The maximum number of requests (Range: 1-10)

Default: 2
Command Mode: Interface Configuration

Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-req 2
Console(config-if)#

dot1x port-control

This command sets the dot1x mode on a port interface. Use the no form to restore the default.

Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto - Requires a dot1x-aware connected client to be authorized by the RADIUS server. Cli
267. ings

Console(config)#logging on                  4-59
Console(config)#logging history ram 0       4-60
Console(config)#end
Console#show logging flash                  4-64
Syslog logging: Enabled
History logging in FLASH: level emergencies
Console#

Remote Log Configuration

The Remote Logs page allows you to configure the logging of messages that are sent to syslog servers or other management stations. You can also limit the error messages sent to only those messages below a specified level.

Command Attributes

Remote Log Status - Enables/disables the logging of debug or error messages to the remote logging process. (Default: Enabled)

Logging Facility - Sets the facility type for remote logging of syslog messages. There are eight facility types specified by values of 16 to 23. The facility type is used by the syslog server to dispatch log messages to an appropriate service. The attribute specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database. (Range: 16-23, Default: 23)

Logging Trap - Limits log messages that are sent to the remote syslog server for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be sent to the remot
268. inimum severity level: 4
SMTP destination email addresses
1. geoff@acme.com
SMTP source email address: john@acme.com
SMTP status: Enabled
Console#

Resetting the System

Web - Click System, Reset to reboot the switch. When prompted, confirm that you want to reset the switch.

Figure 3-19 Resetting the System

CLI - Use the reload command to restart the switch. When prompted, confirm that you want to reset the switch.

Console#reload                              4-30
System will be restarted, continue <y/n>? y

Note: When restarting the system, it will always run the Power-On Self-Test.

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock using the CLI. (See "calendar set" on page 4-77.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.

When the SNTP client is enabled, the switch periodically sends a request for a time update to a configured time server. You can configure up to three time server IP addresses. The switch will attempt to poll each server in the configured sequence.

Configuring SNTP

You can con
269. ion control management access via the console port, web browser, or Telnet.

RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair. The user name, password, and privilege level must be configured on the authentication server.

You can specify up to three authentication methods for any user to indicate the authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and (3) Local, the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted using the TACACS+ server, and finally the local user name and password is checked.

Command Attributes

Authentication - Select the authentication, or authentication sequence required:
- Local - User authentication is performed only locally by the switch.
- Radius - User authentication is performed using a RADIUS server only.
- TACACS - User authentication is performed using a TACACS+ server only.
- [authentication sequence] - User authentication is performed by up to three authentication methods in the indicated sequence.

RADIUS Settings
- Global - Provides globally applicable RADIUS settings.
- Server Index - Specifies one of five RADIUS servers that may be configured. The switch attempts authentication using the listed sequence of servers. The process ends when a server either approves or denies access to
270. ion Started admin ctos aes128-cbc-hmac-md5
stoc aes128-cbc-hmac-md5
Console#

Table 4-16 show ssh - display description
Field | Description
Session | The session number. (Range: 0-3)
Version | The Secure Shell version number.
State | The authentication negotiation state. (Values: Negotiation-Started, Authentication-Started, Session-Started)
Username | The user name of the client.
Encryption | The encryption method is automatically negotiated between the client and server.
  Options for SSHv1.5 include: DES, 3DES
  Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc):
    aes128-cbc-hmac-sha1
    aes192-cbc-hmac-sha1
    aes256-cbc-hmac-sha1
    3des-cbc-hmac-sha1
    blowfish-cbc-hmac-sha1
    aes128-cbc-hmac-md5
    aes192-cbc-hmac-md5
    aes256-cbc-hmac-md5
    3des-cbc-hmac-md5
    blowfish-cbc-hmac-md5
  Terminology:
    DES - Data Encryption Standard (56-bit key)
    3DES - Triple-DES (Uses three iterations of DES, 112-bit key)
    aes - Advanced Encryption Standard (160 or 224-bit key)
    blowfish - Blowfish (32-448 bit key)
    cbc - cypher-block chaining
    sha1 - Secure Hash Algorithm 1 (160-bit hashes)
    md5 - Message Digest algorithm number 5 (128-bit hashes)

show public-key

This command shows the public key for the specified user or for the host.

Syntax
show public-key [user [username] | host
271. ion stored in non-volatile memory.

This command displays settings for key command modes. Each mode group is separated by "!" symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information:

- SNMP community strings
- Users (names and access levels)
- VLAN database (VLAN ID, name and state)
- VLAN configuration settings for each interface
- IP address configured for the switch
- Spanning tree settings
- Any configured settings for the console port and Telnet

Example

Console#show startup-config
building startup-config, please wait.....
!
username admin access-level 15
username admin password 0 admin

username guest access-level 0
username guest password 0 guest

enable password level 15 0 super
!
snmp-server community public ro
snmp-server community private rw
!
logging history ram 6
logging history flash 3
!
vlan database
vlan 1 name DefaultVlan media ethernet state active
!
interface ethernet 1/1
switchport allowed vlan add 1 untagged
switchport native vlan 1

interface vlan 1
ip address dhcp
!
line console
!
line VTY
!
end
Console#

Related Commands
show running-config (4-81)

show running-config

This command displays the configuration information currently in use.

Default Setting: None
Command Mode: Privileged Exec

Command Usage
U
272. ions include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, IP address filtering for SNMP/web/Telnet management access, and MAC address filtering for port access.

Access Control Lists - ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.

Port Configuration - You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard.

INTRODUCTION

Rate Limiting - This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that
273. is controlled by the exec-timeout command for vty sessions.

Example
Console(config)#ip ssh timeout 60
Console(config)#

Related Commands
exec-timeout (4-19)
show ip ssh (4-55)

ip ssh authentication-retries

This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.

Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count - The number of authentication attempts permitted after which the interface is reset. (Range: 1-5)

Default Setting: 3
Command Mode: Global Configuration

Example
Console(config)#ip ssh authentication-retries 2
Console(config)#

Related Commands
show ip ssh (4-55)

ip ssh server-key size

This command sets the SSH server key size. Use the no form to restore the default setting.

Syntax
ip ssh server-key size key-size
no ip ssh server-key size
key-size - The size of server key. (Range: 512-896 bits)

Default Setting: 768 bits
Command Mode: Global Configuration

Command Usage
- The server key is a private key that is never shared outside the switch.
- The host key is shared with the SSH client, and is fixed at 1024 bits.

Example
Console(config)#ip ssh server-key size 512
Console(config)#

delete public-key

This command deletes the specified user's public key.

Syntax
delete p
274. is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.

Web - Click Spanning Tree, STA, Information.

Figure 3-56 STA Information

SPANNING TREE ALGORITHM CONFIGURATION

CLI - This command displays global STA settings, followed by settings for each port.

Console#show spanning-tree                  4-195
Spanning-tree information
Spanning tree mode: RSTP
Spanning tree enable/disable: enabled
Priority: 32768
Bridge Hello Time (sec.): 2
Bridge Max Age (sec.): 20
Bridge Forward Delay (sec.): 15
Root Hello Time (sec.): 2
Root Max Age (sec.): 20
Root Forward Delay (sec.): 15
Designated Root: 32768.0.0000ABCD0000
Current root port: E
Current root cost: 200000
Number of topology changes:
Last topology changes time (sec.): 13380
Transmission limit: 3
Path Cost Method: long

Note: The current root port and current root cost display as zero when this device is not connected to the network.

Configuring Global Settings

Global settings apply to the entire switch.

Command Usage
- Spanning Tree Protocol - Uses RSTP for the internal state machine, but sends
275. isplay description 4-173
show lacp internal - display description 4-174
show lacp neighbors - display description 4-176
Address Table Commands 4-177
show lacp sysid - display description 4-177
Spanning Tree Commands 4-182
VLANs 4-197
Editing VLAN Groups 4-197
Configuring VLAN Interfaces 4-200
Show VLAN Commands 4-207
Private VLAN Commands 4-209
GVRP and Bridge Extension Commands 4-217
Priority Commands 4-222

TABLES

Table 4-58 Priority Commands (Layer 2) 4-222
Table 4-59 Default CoS Priority Levels 4-226
Table 4-60 Priority Commands (Layer 3 and 4) 4-229
Table 4-61 Mapping IP Precedence Values 4-232
Table 4-62 IP DSCP to CoS Values 4-234
Table 4-63 Multicast Filtering Commands 4-238
Table 4-64 IGMP Snooping Commands 4-238
Table 4-65 IGMP Query Commands (Layer 2) 4-242
Table 4-66 Static Multicast Routing Commands 4-247
Table 4-67 IP Interface Commands 4-249
Table B-1 Troubleshooting Chart B-1

Figure 3-1 Figure 3-2 Figure 3-3 Figure 3-4 Fi
276. Information | isplays VLAN groups, status, port members, and MAC addresses | 4-207
Configuring Private VLANs | Configures private VLANs, including uplink and downlink ports | 4-208

Editing VLAN Groups

Table 4-52 Editing VLAN Groups
Command | Function | Mode | Page
vlan database | Enters VLAN database mode to add, change, and delete VLANs | GC | 4-197
vlan | Configures a VLAN, including VID, name and state | VC | 4-198

vlan database

This command enters VLAN database mode. All commands in this mode will take effect immediately.

Default Setting: None
Command Mode: Global Configuration

Command Usage
- Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
- Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN. The results of these commands are written to the running-configuration file, and you can display this file by entering the show running-config command.

Example
Console(config)#vlan database
Console(config-vlan)#

Related Commands
show vlan (4-207)

vlan

This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.

Syntax
vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}]
no vlan vlan-id [name | state]
vlan-id - ID of configured VLAN. (Range
277. itch's response time to management commands issued through the web interface. See "Configuring Interface Settings" on page 3-137.

Navigating the Web Browser Interface

To access the web browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is "admin."

Home Page

When your web browser connects with the switch's web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics.

Figure 3-1 Home Page

Note: The examples in this chapter are based on the SM
278. itch, or the address of an administrator responsible for the switch.

Example
This example will set the source email john@acme.com.

Console(config)#logging sendmail source-email john@acme.com
Console(config)#

logging sendmail destination-email

This command specifies the email recipients of alert messages. Use the no form to remove a recipient.

Syntax
[no] logging sendmail destination-email email-address
email-address - The source email address used in alert messages. (Range: 1-41 characters)

Default Setting: None
Command Mode: Global Configuration

Command Usage
You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.

Example
Console(config)#logging sendmail destination-email ted@this-company.com
Console(config)#

logging sendmail

This command enables SMTP event handling. Use the no form to disable this function.

Syntax: [no] logging sendmail
Default Setting: Enabled
Command Mode: Global Configuration

Example
Console(config)#logging sendmail
Console(config)#

show logging sendmail

This command displays the settings for the SMTP event handler.

Command Mode: Normal Exec, Privileged Exec

Example
Console#show logging sendmail
SMTP servers
1. 192.168.1.200
SMTP minimum severity level: 4
SMTP dest
279. itchport native vlan vlan-id
no switchport native vlan
vlan-id - Default VLAN ID for a port. (Range: 1-4094, no leading zeroes)

Default Setting: VLAN 1
Command Mode: Interface Configuration (Ethernet, Port Channel)

Command Usage
- If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN, the interface will automatically be added to VLAN 1 as an untagged member. For all other VLANs, an interface must first be configured as an untagged member before you can assign its PVID to that group.
- If acceptable frame types is set to all or switchport mode is set to hybrid, the PVID will be inserted into all untagged frames entering the ingress port.

Example
The following example shows how to set the PVID for port 1 to VLAN 3:

Console(config)#interface ethernet 1/1
Console(config-if)#switchport native vlan 3
Console(config-if)#

VLAN COMMANDS

switchport allowed vlan

This command configures VLAN groups on the selected interface. Use the no form to restore the default.

Syntax
switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
- add vlan-list - List of VLAN identifiers to add.
- remove vlan-list - List of VLAN identifiers to remove.
- vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. Do not enter leading zeros. (Range: 1-4094)

Default Setting
All ports are a
280. itive; Maximum number of strings: 5)
- ro - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
- rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects.

Default Setting
- public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
- private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.

Command Mode: Global Configuration

Command Usage
The first snmp-server community command you enter enables SNMP. The no snmp-server community command disables SNMP.

Example
Console(config)#snmp-server community alpha rw
Console(config)#

snmp-server contact

This command sets the system contact string. Use the no form to remove the system contact information.

Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information. (Maximum length: 255 characters)

Default Setting: None
Command Mode: Global Configuration

Example
Console(config)#snmp-server contact Joe
Console(config)#

Related Commands
snmp-server location (4-138)

snmp-server location

This command sets the system location string. Use the no form to remove the location string.

Syntax
snmp-server location text
no snmp-server location
text
281. ive VLAN: 1
Priority for untagged traffic: 0
Gvrp status: Disabled
Allowed Vlan: 1(u)
Forbidden Vlan:
Private VLAN mode: NONE
Private VLAN host association: NONE
Private VLAN mapping: NONE
Console#

Configuring Port Mirroring

You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.

Command Usage
- Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
- All mirror sessions have to share the same destination port.
- When mirroring port traffic, the target port must be included in the same VLAN as the source port.

PORT CONFIGURATION

Command Attributes
- Mirror Sessions - Displays a list of current mirror sessions.
- Source Unit - The unit whose port traffic will be monitored.
- Source Port - The port whose traffic will be monitored.
- Type - Allows you to select which traffic to mirror to the target port, Rx (receive), or Tx (transmit). (Default: Rx)
- Target Unit - The unit whose port will "duplicate" or "mirror" the traffic on the source port.
- Target Port - The port that will mirror the traffic on the source port.

Web - Click Port, Mirror Port
282. k. The "rate limit granularity" is multiplied by the "rate limit level" (page 3-113) to set the actual rate limit for an interface. Granularity is a global setting that applies to Fast Ethernet or Gigabit Ethernet interfaces.

Command Usage
- For Fast Ethernet interfaces, the rate limit granularity can be set to 512 Kbps, 1 Mbps, or 3.3 Mbps.
- For Gigabit Ethernet interfaces, the rate limit granularity is 33.3 Mbps.

Web - Click Port, Rate Limit, Granularity. Select the required rate limit granularity for Fast Ethernet and Gigabit Ethernet, and click Apply.

Figure 3-50 Rate Limit Granularity Configuration

CLI - This example sets and displays Fast Ethernet and Gigabit Ethernet granularity.

Console(config)#rate-limit fastethernet granularity 512         4-161
Console(config)#rate-limit gigabitethernet granularity 33300    4-161
Console#show rate-limit                                          4-162
Fast ethernet granularity: 512
Gigabit ethernet granularity: 33300
Console#

Rate Limit Configuration

Use the rate limit configuration pages to apply rate limiting.

Command Usage
- Input and output rate limit can be enabled or disabled for individual interfaces.

Command Attributes
- Port/Trunk - Displays the port number.
- Rate Limit Status - Enables or disables the rate limit. (Default: Disabled)
- Rate Limit Level - Sets
283. k to the client. The EAP packet from the RADIUS server contains not only the challenge, but the authentication method to be used. The client can reject the authentication method and request another, depending on the configuration of the client software and the RADIUS server. The authentication method must be MD5. The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port remains blocked.

The operation of 802.1X on the switch requires the following:
- The switch must have an IP address assigned.
- RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified.
- 802.1X must be enabled globally for the switch.
- Each switch port that will be used must be set to dot1X "Auto" mode.
- Each client that needs to be authenticated must have dot1X client software installed and properly configured.
- The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)
- The RADIUS server and client also have to support the same EAP authentication type - MD5. (Some clients have native support in Windows, otherwise the dot1
284. k topology changes to 3 to 5 seconds, compared to 30 seconds or more for the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.

Virtual LANs - The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically learned via GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can:

- Eliminate broadcast storms which severely degrade performance in a flat network.
- Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection.
- Provide data security by restricting all traffic to the originating VLAN.
- Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be
285. l Access Control List, Interface, Line, VLAN Database

You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.

Exec Commands

When you open a new console session on the switch with the user name and password "guest," the system enters the Normal Exec command mode (or guest mode), displaying the "Console>" command prompt. Only a limited number of the commands are available in this mode. You can access all commands only from the Privileged Exec command mode (or administrator mode). To access Privilege Exec mode, open a new console session with the user name and password "admin." The system will now display the "Console#" command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password "super" (page 4-36).

ENTERING COMMANDS

To enter Privileged Exec mode, enter the following user names and passwords:

Username: admin
Password: [admin login password]

CLI session with the SMC6726AL2 is opened.
To end the CLI session, enter [Exit].

Console#

Username: guest
Password: [guest login password]

CLI session with the SMC6726AL2 is opened.
To end the CLI session, enter [Exit].

Console>enable
Password: [privileged level password]
Console#

Configuration Commands

Configurati
286. lacement for Telnet. When a client contacts the switch via the SSH protocol, the switch uses a public-key that the client must match along with a local user name and password for access authentication. SSH also encrypts all data transfers passing between the switch and SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered.

This section describes the commands used to configure the SSH server. However, note that you also need to install a SSH client on the management station when using this protocol to configure the switch.

Note: The switch supports both SSH Version 1.5 and 2.0.

Table 4-15 SSH Commands
Command | Function | Mode | Page
ip ssh server | Enables the SSH server on the switch | GC | 4-49
ip ssh timeout | Specifies the authentication timeout for the SSH server | GC | 4-50
ip ssh authentication-retries | Specifies the number of retries allowed by a client | GC | 4-51
ip ssh server-key size | Sets the SSH server key size | GC | 4-51
copy tftp public-key | Copies the user's public key from a TFTP server to the switch | PE | 4-87
delete public-key | Deletes the public key for the specified user | PE | 4-52

Table 4-15 SSH Commands (Continued)
Command | Function | Mode | Page
ip ssh crypto host-key generate | Generates the host key | PE | 4-53
ip ssh crypto zeroize | Clear the host key from RA
287. lation between ports within the assigned VLAN. This switch supports two types of private VLANs: primary/secondary associated groups, and stand-alone isolated VLANs. A primary VLAN contains promiscuous ports that can communicate with all other ports in the private VLAN group, while a secondary (or community) VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the promiscuous ports in the associated primary VLAN. Isolated VLANs, on the other hand, consist of a single stand-alone VLAN that contains one promiscuous port and one or more isolated (or host) ports. In all cases, the promiscuous ports are designed to provide open access to an external network such as the Internet, while the community or isolated ports provide restricted access to local users.

Multiple primary VLANs can be configured on this switch, and multiple community VLANs can be associated with each primary VLAN. One or more isolated VLANs can also be configured. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.)

To configure primary/secondary associated groups, follow these steps:

1. Use the Private VLAN Configuration menu (page 3-159) to designate one or more community VLANs, and the primary VLAN that will channel traffic outside of the VLAN groups.

2. Use the Private VLAN Association menu (page 3-160) to map the secondary (i.e., community) VLAN(s) to the primary
288. lder product in its product line with one that incorporates these newer technologies. At that point, the obsolete product is discontinued and is no longer an "Active" SMC product. A list of discontinued products with their respective dates of discontinuance can be found at:

http://www.smc.com/index.cfm?action=customer_service_warranty

All products that are replaced become the property of SMC. Replacement products may be either new or reconditioned. Any replaced or repaired product carries either a 30-day limited warranty or the remainder of the initial warranty, whichever is longer. SMC is not responsible for any custom software or firmware, configuration information, or memory data of Customer contained in, stored on, or integrated with any products returned to SMC pursuant to any warranty. Products returned to SMC should have any customer-installed accessory or add-on components, such as expansion modules, removed prior to returning the product for replacement. SMC is not responsible for these items if they are returned with the product.

Customers must contact SMC for a Return Material Authorization number prior to returning any product to SMC. Proof of purchase may be required. Any product returned to SMC without a valid Return Material Authorization (RMA) number clearly marked on the outside of the package will be returned to customer at customer's expense. For warranty claims within North America, please call our toll-free customer support number
289. le(config)#interface ethernet 1/1
Console(config-if)#switchport acceptable-frame-types tagged
Console(config-if)#

Related Commands

switchport mode (4-201)

switchport ingress-filtering

This command enables ingress filtering for an interface. Use the no form to restore the default.

Syntax

[no] switchport ingress-filtering

Default Setting

Disabled

Command Mode

Interface Configuration (Ethernet, Port Channel)

Command Usage

• Ingress filtering only affects tagged frames.
• If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
• If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded.
• Ingress filtering does not affect VLAN-independent BPDU frames, such as GVRP or STA. However, it does affect VLAN-dependent BPDU frames, such as GMRP.

Example

The following example shows how to set the interface to port 1 and then enable ingress filtering:

Console(config)#interface ethernet 1/1
Console(config-if)#switchport ingress-filtering
Console(config-if)#

switchport native vlan

This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.

Syntax

sw
290. led

Command Mode

Global Configuration

Command Usage

If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.

Example

Console(config)#ip igmp snooping querier
Console(config)#

ip igmp snooping query-count

This command configures the query count. Use the no form to restore the default.

Syntax

ip igmp snooping query-count count
no ip igmp snooping query-count

count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group. (Range: 2-10)

Default Setting

2 times

Command Mode

Global Configuration

Command Usage

The query count defines how long the querier waits for a response from a multicast client before taking action. If a querier has sent a number of queries defined by this command, but a client has not responded, a countdown timer is started using the time defined by ip igmp snooping query-max-response-time. If the countdown finishes, and the client still has not responded, then that client is considered to have left the multicast group.

Example

The following shows how to configure the query count to 10:

Console(config)#ip igmp snooping query-count 10
Console(config)#

Related Commands

ip igmp snooping query-max-response-time (4-245)

ip igmp snooping query-interval

This
291. leshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.

Port Trunk

Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.

Private VLANs

Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports.

Remote Authentication Dial-in User Service (RADIUS)

RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network.

Remote Monitoring (RMON)

RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.

Rapid Spanning Tree Protocol (RSTP)

RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard.

Secure Shell (SSH)

A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.

Simple Network Management Protocol (SNMP)

The application protocol in the Internet suite of protocols which offers netwo
292. level global configuration mode prompt, type "snmp-server community string mode," where "string" is the community access string and "mode" is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)

2. To remove an existing string, simply type "no snmp-server community string," where "string" is the community access string to remove. Press <Enter>.

Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#

Trap Receivers

You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type "snmp-server host host-address community-string," where "host-address" is the IP address for the trap receiver and "community-string" is the string associated with that host. Press <Enter>.

2. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server enable traps command. Type "snmp-server enable traps type," where "type" is either authentication or link-up-down. Press <Enter>.

Console(config)#snmp-server enable traps link-up-down
Console(config)#

Saving Configuration Settings

Configuration commands only modify the running configuration file and are not saved when the switch is reb
293. lient applications intended as a secure replacement for the older Berkeley remote access tools. SSH can also provide remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public key that the client uses along with a local user name and password for access authentication. SSH also encrypts all data transfers passing between the switch and SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered.

Note that you need to install an SSH client on the management station to access the switch for management via the SSH protocol.

Note: The switch supports both SSH Version 1.5 and 2.0 clients.

Command Usage

The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the Authentication Settings page (page 3-50). If public key authentication is specified by the client, then you must configure authentication keys on both the client and the switch as described in the following section. Note that regardless of whether you use public key or password authentication, you still have to generate authentication keys on the switch (SSH Host Key Settings) and
294. lly set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).

Example

Console#spanning-tree protocol-migration ethernet 1/5
Console#

show spanning-tree

This command shows the configuration for the spanning tree.

Syntax

show spanning-tree [interface]

interface
• ethernet unit/port
  - unit - This is device 1.
  - port - Port number. (Range: 1-26/52)
• port-channel channel-id (Range: 1-4)

Default Setting

None

Command Mode

Privileged Exec

Command Usage

• Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch and for every interface in the tree.
• Use the show spanning-tree interface command to display the spanning tree configuration for a specific interface.
• For a description of the items displayed under "Spanning-tree information," see "Configuring Global Settings" on page 3-129. For a description of the items displayed for specific interfaces, see "Displaying Interface Settings" on page 3-133.

Example

Console#show spanning-tree
Spanning-tree information
 Spanning tree mode:
 Spanning tree enabled/disabled:
 Priority:
 Bridge Hello Time (sec.):
 Bridge Max Age (sec.):
 Bridge Forward Delay (sec.):
 Root Hello 
295. lnet group.

• IP Filter List - IP addresses which are allowed management access to this interface.
• Start IP Address - A single IP address, or the starting address of a range.
• End IP Address - The end address of a range.
• Add/Remove Filtering Entry - Adds/removes an IP address from the list.

Web - Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry to update the filter list.

Figure 3-34 Creating a Web IP Filter List

CLI - This example allows SNMP access for a specific client.

Console(config)#management snmp-client 10.1.2.3   4-38
Console(config)#end
Console#show management all-client
Management IP Filter
 HTTP-Client:
  Start IP address   End IP address
  Vo 101 28          10.1.2.254

 SNMP-Client:
  Start IP address   End IP address

 TELNET-Client:
  Start IP address   End IP address

Console#

Access Control Lists

Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an
296. long with the ports propagating the corresponding services. The Type field shows if this entry was learned dynamically or was statically configured.

Console#show bridge 1 multicast vlan 1   4-241
 VLAN  M'cast IP addr.  Member ports  Type
 1     224.1.1.12       Eth1/12       USER
 1     224.1.2.3        Eth1/12       IGMP
Console#

Assigning Ports to Multicast Services

Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in "Configuring IGMP snooping and Query Parameters" on page 3-133. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.

Command Usage

• Static multicast addresses are never aged out.
• When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.

Command Attributes

• Interface - Activates the Port or Trunk scroll-down list.
• VLAN ID - Selects the VLAN to propagate all multicast traffic coming from the attached multicast router/switch.
• Multicast IP - The IP address for a specific multicast service.
• Port or Trunk - Specifies the interface attached to a multicast router/switch.

Web - Click IGMP Snooping, IGMP Member P
297. lso known as run-time code. This code runs the switch operations and provides the CLI and web management interfaces. See "Managing Firmware" on page 3-21 for more information.

• Diagnostic Code - Software that is run during system boot-up, also known as POST (Power On Self-Test).

Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows.

In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.

Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.

CHAPTER 2
CONFIGURING THE SWITCH

Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).

Note: You can also use the Command Line Interface (CLI) to manage the switc
298. mand Mode

Interface Configuration (Ethernet, Port Channel)

Command Usage

All ports assigned to a secondary (i.e., community) VLAN can pass traffic between group members, but must communicate with resources outside of the group via promiscuous ports in the associated primary VLAN.

Example

Console(config)#interface ethernet 1/3
Console(config-if)#switchport private-vlan host-association 3
Console(config-if)#

switchport private-vlan isolated

Use this command to assign an interface to an isolated VLAN. Use the no form to remove this assignment.

Syntax

switchport private-vlan isolated isolated-vlan-id
no switchport private-vlan isolated

isolated-vlan-id - ID of isolated VLAN. (Range: 1-4094)

Default Setting

None

Command Mode

Interface Configuration (Ethernet, Port Channel)

Command Usage

Host ports assigned to an isolated VLAN cannot pass traffic between group members, and must communicate with resources outside of the group via a promiscuous port.

Example

Console(config)#interface ethernet 1/3
Console(config-if)#switchport private-vlan isolated 3
Console(config-if)#

switchport private-vlan mapping

Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping.

Syntax

switchport private-vlan mapping primary-vlan-id
no switchport private-vlan mapping

primary-vlan-id - ID of primary VLAN. (Range: 1-4094, no leadin
299. mand to show the IP port priority map.

Syntax

show map ip port [interface]

interface
• ethernet unit/port
  - unit - Stack unit. (This is unit 1.)
  - port - Port number. (Range: 1-26/52)
• port-channel channel-id (Range: 1-4)

Default Setting

None

Command Mode

Privileged Exec

Example

The following shows that HTTP traffic has been mapped to CoS value 0:

Console#show map ip port
TCP port mapping status: enabled

 Port      Port no.  COS
 Eth 1/ 5  80        0
Console#

Related Commands

map ip port (Global Configuration) (4-230)
map ip port (Interface Configuration) (4-230)

show map ip precedence

This command shows the IP precedence priority map.

Syntax

show map ip precedence [interface]

interface
• ethernet unit/port
  - unit - Stack unit. (This is unit 1.)
  - port - Port number. (Range: 1-26/52)
• port-channel channel-id (Range: 1-4)

Default Setting

None

Command Mode

Privileged Exec

Example

Console#show map ip precedence ethernet 1/5
Precedence mapping status: enabled

 Port      Precedence  COS
 Eth 1/ 5  0           0
 Eth 1/ 5  1           1
 Eth 1/ 5  2           2
 Eth 1/ 5  3           3
 Eth 1/ 5  4           4
 Eth 1/ 5  5           5
 Eth 1/ 5  6           6
 Eth 1/ 5  7           7
Console#

Related Commands

map ip port (Global Configuration) (4-230)
map ip precedence (Interface Configuration) (4-232)

show map ip dscp

This command shows the IP DSCP priority map.

Syntax

show map ip dscp [interface]

interface
• ethernet
300. mber: 181
 Retransmit times: 2
 Request timeout: 5
Console#

TACACS+ Client

Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.

Table 4-30 TACACS Commands

| Command | Function | Mode | Page |
|---|---|---|---|
| tacacs-server host | Specifies the TACACS+ server | GC | 4-102 |
| tacacs-server port | Specifies the TACACS+ server network port | GC | 4-103 |
| tacacs-server key | Sets the TACACS+ encryption key | GC | 4-103 |
| show tacacs-server | Shows the current TACACS+ settings | GC | 4-104 |

tacacs-server host

This command specifies the TACACS+ server. Use the no form to restore the default.

Syntax

tacacs-server host host_ip_address
no tacacs-server host

host_ip_address - IP address of a TACACS+ server.

Default Setting

10.11.12.13

Command Mode

Global Configuration

Example

Console(config)#tacacs-server host 192.168.1.25
Console(config)#

tacacs-server port

This command specifies the TACACS+ server network port. Use the no form to restore the default.

Syntax

tacacs-server port port_number
no tacacs serve
301. mber of a trunk. (STA Port Configuration only)

The following interface attributes can be configured:

• Spanning Tree - Enables/disables STA on this interface. (Default: Enabled)
• Priority - Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.
  - Default: 128
  - Range: 0-240, in steps of 16
• Path Cost - This parameter is used by the STP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Note that when the Path Cost Method is set to short (page 3-63), the maximum path cost is 65,535.
  - Range:
    Ethernet: 200,000-20,000,000
    Fast Ethernet: 20,000-2,000,000
    Gigabit Ethernet: 2,000-200,000
  - Default:
    Ethernet - Half duplex: 2,000,000; full duplex: 1,000,000; trunk: 500,000
    Fast Ethernet - Half duplex: 200,000; full duplex: 100,000; trunk: 50,000
    Gigabit Ethernet - Full duplex: 10,000; trunk: 5,00
302. memory.

Syntax

show log {flash | ram} [login] [tail]

• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
• tail - Shows event history starting from the most recent entry.
• login - Shows the login record only.

Default Setting

None

Command Mode

Privileged Exec

Command Usage

This command shows the system and event messages stored in memory, including the time stamp, message level (page 4-60), program module, function, and event number.

Example

The following example shows sample messages stored in RAM.

Console#show log ram
[5] 00:01:06 2001-01-0
    "STA root change notification."
    level: 6, module: 6, function: , and event no.:
[4] 00:01:00 2001-01-0
    "STA root change notification."
    level: 6, module: 6, function: , and event no.:
[3] 00:00:54 2001-01-0
    "STA root change notification."
    level: 6, module: 6, function: , and event no.:
[2] 00:00:50 2001-01-0
    "STA topology change notification."
    level: 6, module: 6, function: , and event no.:
[1] 00:00:48 2001-01-0
    "VLAN 1 link-up notification."
    level: 6, module: 6, function: , and event no.:
Console#

SMTP Alert Commands

These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.

Table 4-21 SMTP Alert Commands
303. mic: Automatically learned via GVRP.
  - Static: Added as a static entry.
• Name - Name of the VLAN (1 to 32 characters).
• Status - Shows if this VLAN is enabled or disabled.
  - Active: VLAN is operational.
  - Suspend: VLAN is suspended; i.e., does not pass packets.
• Ports / Channel groups - Shows the VLAN interface members.

CLI - Current VLAN information can be displayed with the following command.

Console#show vlan id 1   4-207
Vlan ID: 1
Type: Static
Name: DefaultVlan
Status: Active
Ports/Port Channel:
 Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
 Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
 Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
 Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S)
 Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S)
 Eth1/26(S)
Console#

Creating VLANs

Use the VLAN Static List to create or remove VLAN groups. To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups.

Command Attributes

• Current - Lists all the current VLAN groups created for this system. Up to 255 VLAN groups can be defined. VLAN 1 is the default untagged VLAN.
• New - Allows you to specify the name and numeric identifier for a new VLAN group. (The VLAN name is only used for management on this system; it is not added to the VLAN tag.)
• VLAN ID - ID of c
304. minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add. To delete an IP address, click the entry in the SMTP Server List and click Remove. Specify up to five email addresses to receive the alert messages, and click Apply.

Figure 3-18 Enabling and Configuring SMTP Alerts

CLI - Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail command to display the current SMTP configuration.

Console(config)#logging sendmail host 192.168.1.200   4-68
Console(config)#logging sendmail level 4   4-69
Console(config)#logging sendmail source-email john@acme.com   4-70
Console(config)#logging sendmail destination-email geoff@acme.com   4-70
Console(config)#logging sendmail   4-71
Console(config)#exit
Console#show logging sendmail   4-71
SMTP servers
 1. 192.168.1.200

 SMTP m
305. mm A-1
Software Features A-1
Management Features A-2
Standards A-3
Management Information Bases A-4
B Troubleshooting B-1
Problems Accessing the Management Interface B-1
Using System Logs B-3
Glossary
Index

TABLES

Table 1-1 Key Features 1-1
Table 1-2 System Defaults 1-7
Table 3-1 Configuration Options 3-4
Table 3-2 Main Menu 3-5
Table 3-3 Logging Levels 3-34
Table 3-4 HTTPS System Support 3-55
Table 3-5 802.1X Statistics 3-73
Table 3-6 LACP Port Counters 3-102
Table 3-7 LACP Internal Configuration Information 3-103
Table 3-8 LACP Neighbor Configuration Information 3-106
Table 3-9 Port Statistics 3-115
Table 3-10 Mapping CoS Values to Egress Queues 3-167
Table 3-11 CoS Priority Levels
306. mmunity String - Community string sent with the notification operation. (Range: 1-32 characters, case sensitive)
• Trap Version - Specifies whether to send notifications as SNMP v1 or v2c traps. (The default is version 1.)
• Enable Authentication Traps - Issues a trap message whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled)
• Enable Link-up and Link-down Traps - Issues a trap message whenever a port link is established or broken. (Default: Enabled)

Web - Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive trap messages, and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.

Figure 3-23 Configuring IP Trap Managers

CLI - This example adds a trap manager and enables both authentication and link-up, link-down traps.

Console(config)#snmp-server host 192.168.1.19 private version 2c   4-139
Console(config)#snmp-server enable traps authentication   4-141

User Authentication

You can restrict management access to this
307. mple, the command "configure" can be entered as con. If an entry is ambiguous, the system will prompt for further input.

Command Completion

If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the "logging history" example, typing log followed by a tab will result in printing the command up to "logging."

Getting Help on Commands

You can display a brief description of the help system by entering the help command. You can also display command syntax by using the "?" character to list keywords or parameters.

Showing Commands

If you enter a "?" at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command. For example, the command "show ?" displays a list of possible show commands:

Console#show ?
 access-group
 access-list
 bridge-ext
 calendar
 dot1x
 garp
 gvrp
 history
 interfaces
 ip
 lacp
 line
 log
 logging
 mac
 mac-address-table
 management
 map
 port
 public-key
 queue
 radius-server
 rate-limit
 running-config
 snmp
 sntp
 spanning-tree
 ssh
 startup-config
 system
 tacacs-server
 users
 version
 vlan
Console#show

Descriptions column (in keyword order):
 Access groups
 Access lists
 B
308. munity Strings 3-46
Figure 3-23 Configuring IP Trap Managers 3-47
Figure 3-24 Access Levels 3-49
Figure 3-25 Authentication Settings 3-53
Figure 3-26 HTTPS Settings 3-56
Figure 3-27 SSH Host Key Settings 3-61
Figure 3-28 SSH Server Settings 3-63
Figure 3-29 Configuring Port Security 3-66
Figure 3-30 802.1X Global Information 3-68
Figure 3-31 802.1X Configuration 3-69
Figure 3-32 802.1X Port Configuration 3-71
Figure 3-33 Displaying 802.1X Port Statistics 3-74
Figure 3-34 Creating a Web IP Filter List 3-76
Figure 3-35 Selecting ACL Type 3-79
Figure 3-36 ACL Configuration - Standard IP 3-80
Figure 3-37 ACL Configuration - Extended IP 3-82
Figure 3-38 ACL Configuration - MAC 3-84
Figure 3-39 Binding a Port to an ACL 3-86
Figure 3-40 Displaying Port Trunk Information 3-88
Figure 3-41 Port Trunk Configuration
309. n Association list box, and click Add to associate these entries with the selected primary VLAN. (A community VLAN can only be associated with one primary VLAN.)

Figure 3-69 Private VLAN Association

CLI - This example associates community VLANs 6 and 7 with primary VLAN 5.

    Console(config)#vlan database                         4-197
    Console(config-vlan)#private-vlan 5 association 6     4-212
    Console(config-vlan)#private-vlan 5 association 7     4-212
    Console(config-vlan)#

Displaying Private VLAN Interface Information
Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs.

Command Attributes
• Port/Trunk - The switch interface.
• PVLAN Port Type - Displays private VLAN port types.
  - Normal - The port is not configured in a private VLAN.
  - Host - The port is a community port and can only communicate with other ports in its own community VLAN, and with the designated promiscuous port(s). Or the port is an isolated port that can only communicate with the lone promiscuous port within its own isolated VLAN.
  - Promiscuous - A promiscuous port can communicate with all the interfaces within a private VLAN.
• Primary VLAN - Conveys traffic between promiscuous ports, and between promiscuous ports and community ports within the
310. n IP access list to port 3.

    Console(config)#interface ethernet 1/1            4-144
    Console(config-if)#ip access-group david in       4-125
    Console(config-if)#mac access-group jerry in      4-132
    Console(config-if)#exit
    Console(config)#interface ethernet 1/3
    Console(config-if)#ip access-group david in
    Console(config-if)#

Port Configuration

Displaying Connection Status
You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.

Field Attributes (Web)
• Name - Interface label.
• Type - Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP)
• Admin Status - Shows if the interface is enabled or disabled.
• Oper Status - Indicates if the link is Up or Down.
• Speed Duplex Status - Shows the current speed and duplex mode. (Auto, or fixed choice)
• Flow Control Status - Indicates the type of flow control currently in use. (IEEE 802.3x, Back-Pressure or None)
• Autonegotiation - Shows if auto-negotiation is enabled or disabled.
• Trunk Member - Shows if port is a trunk member.
• Creation - Shows if a trunk is manually configured or dynamically set via LACP.

5. Port Information only.
6. Trunk Information only.

Web - Click Port, Port Information or Trunk Information.

Port Information
311. n Timeout (0-300): 0 secs (0: Disabled); Exec Timeout (0-65535): secs (0: Disabled); Password Threshold (0-120): 3 (0: Disabled); Silent Time (0-65535): 0 secs (0: Disabled); Data Bits; Parity: None; Speed: 9600; Stop Bits

Figure 3-13 Console Port Settings

3. CLI only.

CLI - Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.

    Console(config)#line console
    Console(config-line)#login local
    Console(config-line)#password 0 secret
    Console(config-line)#timeout login response 0
    Console(config-line)#exec-timeout 0
    Console(config-line)#password-thresh 3
    Console(config-line)#silent-time 60
    Console(config-line)#databits 8
    Console(config-line)#parity none
    Console(config-line)#speed 115200
    Console(config-line)#stopbits 1
    Console(config-line)#end
    Console#show line
     Console configuration:
      Password threshold: 3 times
      Interactive timeout: Disabled
      Login timeout: Disabled
      Silent time: 60
      Baudrate: 115200
      Databits: 8
      Parity: none
      Stopbits: 1
     VTY configuration:
      Password threshold: 3 times
      Interactive timeout: 600 sec
      Login timeout: 300 sec
    Console#

Telnet Settings
You can a
312. n interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.

Table 4-56 GVRP and Bridge Extension Commands
Command | Function | Mode | Page
bridge-ext gvrp | Enables GVRP globally for the switch | GC | 4-217
show bridge-ext | Shows the global bridge extension configuration | PE | 4-218
switchport gvrp | Enables GVRP for an interface | IC | 4-219
switchport forbidden vlan | Configures forbidden VLANs for an interface | IC | 4-206
show gvrp configuration | Displays GVRP configuration for the selected interface | NE, PE | 4-219
garp timer | Sets the GARP timer for the selected function | IC | 4-220
show garp timer | Shows the GARP timer for the selected function | NE, PE | 4-221

bridge-ext gvrp
This command enables GVRP globally for the switch. Use the no form to disable it.

Syntax
    [no] bridge-ext gvrp

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch.

Example

    Console(config)#bridge-ext gvrp
    Console(config)#

show bridge-ext
This command shows t
313. n power reset

Default Setting
Flash and RAM

Command Mode
Privileged Exec

Example

    Console#clear logging
    Console#

Related Commands
show logging (4-64)

show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.

Syntax
    show logging {flash | ram | sendmail | trap}

• flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
• ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
• sendmail - Displays settings for the SMTP event handler (page 4-71).
• trap - Displays settings for the trap function.

SYSTEM MANAGEMENT COMMANDS

Default Setting
None

Command Mode
Privileged Exec

Example
The following example shows that system logging is enabled, the message level for flash memory is "errors" (i.e., default level 3 - 0), the message level for RAM is "informational" (i.e., default level 6 - 0).

    Console#show logging flash
    Syslog logging: Enabled
    History logging in FLASH: level errors
    Console#show logging ram
    Syslog logging: Enabled
    History logging in RAM: level informational
    Console#

Table 4-19 show logging flash/ram - display description
Field | Description
Syslog logging | Shows if system logging has been enabled via the logging on command.
History logging in | The me
314. n reboots the switch to activate the certificate.

    Console#copy tftp https-certificate
    TFTP server ip address: 10.1.0.19
    Source certificate file name: SS-certificate
    Source private file name: SS-private
    Private password:
    Success.
    Console#reload
    System will be restarted, continue <y/n>? y

This example shows how to copy a public key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch.

    Console#copy tftp public-key
    TFTP server IP address: 192.168.1.19
    Choose public key type:
    1. RSA: 2. DSA: <1-2>: 1
    Source file name: steve.pub
    Username: steve
    TFTP Download
    Success.
    Write to FLASH Programming.
    Success.
    Console#

delete
This command deletes a file or image.

Syntax
    delete [unit:] filename

• filename - Name of the configuration file or image name.
• unit - Stack unit. (This is unit 1.)

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• "Factory_Default_Config.cfg" cannot be deleted.
• A colon (:) is required after the specified unit number.

FLASH/FILE COMMANDS

Example
This example shows how to delete the test2.cfg configuration file from flash memory for unit 1.

    Console#delete 1:test2.cfg
    Console#

Related Commands
dir (4-91)
d
315. n seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)].
The maximum value is the lower of 40 or [2 x (forward-time - 1)].

Default Setting
20 seconds

Command Mode
Global Configuration

Command Usage
This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.

SPANNING TREE COMMANDS

Example

    Console(config)#spanning-tree max-age 40
    Console(config)#

spanning-tree priority
This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.

Syntax
    spanning-tree priority priority
    no spanning-tree priority

priority - Priority of the bridge. (Range: 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440)

Default Setting
32768

Command Mode
Global Configuration

Command Usage
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the ST
316. nds that the SSH server waits for a response from a client during an authentication attempt. (Range: 1-120 seconds; Default: 120 seconds)

USER AUTHENTICATION

• SSH Authentication Retries - Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3)
• SSH Server Key Size - Specifies the SSH server key size. (Range: 512-896 bits; Default: 768)
  - The server key is a private key that is never shared outside the switch.
  - The host key is shared with the SSH client, and is fixed at 1024 bits.

Web - Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note that you must first generate the host key pair on the SSH Host Key Settings page before you can enable the SSH server.

Figure 3-28 SSH Server Settings

CLI - This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.

    Console(config)#ip ssh server          4-49
    Console(config)#ip ssh timeout 100     4-50
    Console(config)#ip ss
317. ne. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no rules match for a list of all permit rules, the packet is dropped; and if no rules match for a list of all deny rules, the packet is accepted.

There are three filtering modes:
• Standard IP ACL mode (STD-ACL) filters packets based on the source IP address.
• Extended IP ACL mode (EXT-ACL) filters packets based on source or destination IP address, as well as protocol type and protocol port number. If the TCP protocol is specified, then you can also filter packets based on the TCP control code.
• MAC ACL mode (MAC-ACL) filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).

The following restrictions apply to ACLs:
• Each ACL can have up to 32 rules.
• The maximum number of ACLs is 88.
• However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.
• This switch supports ACLs for ingress filtering only. You can only bind one IP ACL to any port and one MAC ACL globally for ingress filtering. In other words, only two ACLs can be bound to an interface - Ingress IP ACL and Ingress MAC ACL.

The order in which active ACLs are checked is as follows:
1. User-defined rules in the Ingress MAC ACL for ingress ports.
2. User-defined rules in the Ingress IP ACL for ingress ports.
3. Explicit defaul
318. ne | line {console | vty} | Console(config-line)# | 4-14
Access Control List | access-list ip standard | Console(config-std-acl)# | 4-117
Access Control List | access-list ip extended | Console(config-ext-acl)# |
Access Control List | access-list mac | Console(config-mac-acl)# |
Interface | interface {ethernet port | port-channel id | vlan id} | Console(config-if)# | 4-142
VLAN | vlan database | Console(config-vlan)# | 4-197

For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:

    Console(config)#interface ethernet 1/5
    Console(config-if)#exit
    Console(config)#

Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the "?" character to display a list of possible matches. You can also use the following editing keystrokes for command-line processing:

Table 4-3 Command Line Processing
Keystroke | Function
Ctrl-A | Shifts cursor to start of command line.
Ctrl-B | Shifts cursor to the left one character.
Ctrl-C | Terminates the current task and displays the command prompt.
Ctrl-E | Shifts cursor to end of command line.
Ctrl-F | Shifts cursor to the right one character.
Ctrl-K | Del
319. negotiation (4-146)
speed-duplex (4-145)
flowcontrol (4-148)

flowcontrol
This command enables flow control. Use the no form to disable flow control.

Syntax
    [no] flowcontrol

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• Flow control can eliminate frame loss by "blocking" traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3x for full-duplex operation.

INTERFACE COMMANDS

• To force flow control on or off (with the flowcontrol or no flowcontrol command), use the no negotiation command to disable auto-negotiation on the selected interface.
• When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To enable flow control under auto-negotiation, "flowcontrol" must be included in the capabilities list for any port.
• Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.

Example
The following example enables flow control on port 5.

    Console(config)#interface ethernet 1/5
    Console(config-if)#flowcontrol
    Console(config-if)#no negotiation
    Console(config-if)#

Related Commands
negotiation (4-14
320. network portion of the address provided to the client will be based on this new domain.

Example
In the following example, the device is reassigned the same address.

    Console(config)#interface vlan 1
    Console(config-if)#ip address dhcp
    Console(config-if)#end
    Console#ip dhcp restart
    Console#show ip interface
     IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
     and address mode: DHCP.
    Console#

Related Commands
ip address (4-249)

show ip interface
This command displays the settings of an IP interface.

Default Setting
All interfaces

Command Mode
Privileged Exec

Example

    Console#show ip interface
     IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
     and address mode: User specified.
    Console#

Related Commands
show ip redirects (4-253)

IP INTERFACE COMMANDS

show ip redirects
This command shows the default gateway configured for this device.

Default Setting
None

Command Mode
Privileged Exec

Example

    Console#show ip redirects
    IP default gateway 10.1.0.254
    Console#

Related Commands
show ip interface (4-252)

ping
This command sends ICMP echo request packets to another node on the network.

Syntax
    ping host [size size] [count count]

• host - IP address or IP alias of the host.
• size - Number of bytes in a packet. (Range: 32-512, default: 32) The actual packet size will be eight bytes larger than the size specified because the switch adds header information.
321. new management VLAN.

Example
In the following example, the device is assigned an address in VLAN 1.

    Console(config)#interface vlan 1
    Console(config-if)#ip address 192.168.1.5 255.255.255.0
    Console(config-if)#

Related Commands
ip dhcp restart (4-251)

ip default-gateway
This command establishes a static route between this switch and devices that exist on another network segment. Use the no form to remove the static route.

Syntax
    ip default-gateway gateway
    no ip default-gateway

gateway - IP address of the default gateway

Default Setting
No static route is established.

Command Mode
Global Configuration

Command Usage
A gateway must be defined if the management station is located in a different IP segment.

Example
The following example defines a default gateway for this device.

    Console(config)#ip default-gateway 10.1.1.254
    Console(config)#

Related Commands
show ip redirects (4-253)

ip dhcp restart
This command submits a BOOTP or DHCP client request.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
• DHCP requires the server to reassign the client's last address if available.
• If the BOOTP or DHCP server has been moved to a different domain, the
322. nfigures the broadcast storm control  IC  4-150  broadcast threshold  packet rate
clear counters | Clears statistics on an interface | PE | 4-151
show interfaces status | Displays status for the specified interface | NE, PE | 4-152
show interfaces counters | Displays statistics for the specified interfaces | NE, PE | 4-153
show interfaces switchport | Displays the administrative and operational status of an interface | NE, PE | 4-155

interface
This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk.

Syntax
    interface interface
    no interface port-channel channel-id

interface
• ethernet unit/port
  - unit - Stack unit. (This is unit 1.)
  - port - Port number. (Range: 1-26/52)
• port-channel channel-id (Range: 1-4)
• vlan vlan-id (Range: 1-4094)

Default Setting
None

Command Mode
Global Configuration

Example
To specify port 24, enter the following command:

    Console(config)#interface ethernet 1/24
    Console(config-if)#

description
This command adds a description to an interface. Use the no form to remove the description.

Syntax
    description string
    no description

string - Comment or a description to help you remember what is attached to this interface. (Range: 1-64 characters)

Default Setting
None

Command Mode
Interface Configuration (Ethernet, Port Channel)

Example
The followin
323. nformation in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network. GVRP must be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. (Default: Disabled)

Web - Click VLAN, 802.1Q VLAN, GVRP Status. Enable or disable GVRP, and click Apply.

Figure 3-60 Enabling GVRP

CLI - This example enables GVRP for the switch.

    Console(config)#bridge-ext gvrp     4-217
    Console(config)#

Displaying Basic VLAN Information
The VLAN Basic Information page displays basic information on the VLAN type supported by the switch.

Field Attributes
• VLAN Version Number - The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
• Maximum VLAN ID - Maximum VLAN ID recognized by this switch.
• Maximum Number of Supported VLANs - Maximum number of VLANs that can be configured on this switch.

11. Web Only.

Web - Click VLAN, 802.1Q VLAN, Basic Information.

Figure 3-61 VLAN Basic Information (VLAN Version Number: 1; Maximum VLAN ID: 4094; Maximum Number of Supported VLANs: 255)

CLI - Enter the following command.

    Console#show bridge-ext             4-218
     Max support vlan numbers: 255
     Max support vlan ID: 4094
     Extended multicast filtering ser
324. ng
0

Command Mode
Interface Configuration (Ethernet)

Command Usage
• Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
• If the port channel admin key (lacp admin-key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin-key - Ethernet Interface) used by the interfaces that joined the group.
• Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.

Example

    Console(config)#interface ethernet 1/5
    Console(config-if)#lacp actor admin-key 120
    Console(config-if)#

lacp admin-key (Port Channel)
This command configures a port channel's LACP administration key string. Use the no form to restore the default setting.

Syntax
    lacp {actor | partner} admin-key key
    [no] lacp {actor | partner} admin-key

key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch. (Range: 0-65535)

Default Setting
0

Command Mode
Interface Configu
325. ng example adds tagged and untagged ports to VLAN 2.

    Console(config)#interface ethernet 1/1                        4-144
    Console(config-if)#switchport allowed vlan add 2 tagged       4-205
    Console(config-if)#exit
    Console(config)#interface ethernet 1/2
    Console(config-if)#switchport allowed vlan add 2 untagged
    Console(config-if)#exit
    Console(config)#interface ethernet 1/13
    Console(config-if)#switchport allowed vlan add 2 tagged

Adding Static Members to VLANs (Port Index)
Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member.

Command Attributes
• Interface - Port or trunk identifier.
• Member - VLANs for which the selected interface is a tagged member.
• Non-Member - VLANs for which the selected interface is not a tagged member.

Web - Open VLAN, 802.1Q VLAN, Static Membership by Port. Select an interface from the scroll-down box (Port or Trunk). Click Query to display membership information for the interface. Select a VLAN ID, and then click Add to add the interface as a tagged member, or click Remove to remove the interface. After configuring VLAN membership for each interface, click Apply.

Figure 3-65 VLAN Static Membership by Port

CLI - This example adds Port 3 to VLAN 1 as a tagged port, and
326. ng that another bridge is attached to this port.
• Port Role - Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge (i.e., root port), connecting a LAN through the bridge to the root bridge (i.e., designated port), or is an alternate or backup port that may provide connectivity if other bridges, bridge ports, or LANs fail or are removed. The role is set to disabled (i.e., disabled port) if a port has no role within the spanning tree.

SPANNING TREE ALGORITHM CONFIGURATION

[Figure: port roles. R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port.]
Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.

• Trunk Member - Indicates if a port is a member of a trunk. (STA Port Information only)

These additional parameters are only displayed for the CLI:
• Admin status - Shows if this interface is enabled.
• Path cost - This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.)
• Priority - Defines the priority used for this p
327. nge: 0-65535; Default: 0)
• Data Bits - Sets the number of data bits per character that are interpreted and generated by the console port. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)
• Parity - Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None. (Default: None)

BASIC CONFIGURATION

• Speed - Sets the terminal line's baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud; Default: 9600 bps)
• Stop Bits - Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
• Password - Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)
• Login - Enables password checking at login. You can select authentication by a single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts. (Default: Local)

Web - Click System, Line, Console. Specify the console port connection parameters as required, then click Apply.

Console   Logi
328. nnection must be configured as trunk ports.
• All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
• All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
• STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel.

Dynamically Creating a Port Channel
Ports assigned to a common port channel must meet the following criteria:
• Ports must have the same LACP system priority.
• Ports must have the same port admin key (Ethernet Interface).
• If the port channel admin key (lacp admin-key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin-key - Ethernet Interface) used by the interfaces that joined the group. However, if the port channel admin key is set, then the port admin key must be set to the same value for a port to be allowed to join a channel group.
• If a link goes down, LACP port priority is used to select the backup link.

LINK AGGREGATION COMMANDS

channel-group
This command adds a port to a trunk. Use the no form to remove a port from a trunk.

Syntax
    channel-group channel-id
    no channel-group

channel-id - Trunk index (Range: 1-4)

Default Setting
The curr
329. nterface ethernet 1/5
    Console(config-if)#spanning-tree port-priority 128

Related Commands
spanning-tree cost (4-190)

spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.

Syntax
    [no] spanning-tree edge-port

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying Edge Ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device.
• This command has the same effect as the spanning-tree portfast.

Example

    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree edge-port
    Console(config-if)#

Related Commands
spanning-tree portfast (4-192)

spanning-tree portfast
This command se
330. ntrol
Access Control List | Provides filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or non-IP frames (based on MAC address or Ethernet type) | 4-117
SNMP | Activates authentication failure traps; configures community access strings, and trap managers; also configures IP address filtering | 4-136
Interface | Configures the connection parameters for all Ethernet ports, aggregated links, and VLANs | 4-142
Mirror Port | Mirrors data to another port for analysis without affecting the data passing through or the performance of the monitored port | 4-157
Rate Limiting | Controls the maximum rate for traffic transmitted or received on a port | 4-159
Link Aggregation | Statically groups multiple ports into a single logical | 4-161

COMMAND GROUPS

Table 4-4 Command Groups (Continued)
Command Group | Description | Page
Address Table | Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time | 4-177
Spanning Tree | Configures Spanning Tree settings for the switch | 4-182
VLANs | Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs | 4-197
GVRP and Bridge Extension | Configures GVRP settings that permit automatic VLAN learning; shows the configuration for the bridge extension MIB | 4-217
Priority | Sets port priority for untagged frames, selects strict priority | 4-222
331. ntrol codes. Use the no form to remove a rule.

Syntax
[no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [precedence precedence] [tos tos] [dscp dscp] [source-port sport [end]] [destination-port dport [end]]

[no] {permit | deny} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [precedence precedence] [tos tos] [dscp dscp] [source-port sport [end]] [destination-port dport [end]] [control-flag control-flags flag-bitmask]

- protocol-number - A specific protocol number. (Range: 0-255) [17]
- source - Source IP address.
- destination - Destination IP address.
- address-bitmask - Decimal number representing the address bits to match.
- host - Keyword followed by a specific IP address.
- precedence - IP precedence level. (Range: 0-7)
- tos - Type of Service level. (Range: 0-15)
- dscp - DSCP priority level. (Range: 0-63)
- sport - Protocol source port number. (Range: 0-65535)
- dport - Protocol destination port number. (Range: 0-65535)
- end - Upper bound of the protocol port range. (Range: 0-65535)
- control-flags - Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
- flag-bitmask - Decimal number representing the code bits to match. (Range: 0-63)

17. Includes TCP, UDP or other protocol types.
332. o the CLI. Use the no form to restore the default.

Syntax
timeout login response [seconds]
no timeout login response

seconds - Integer that specifies the timeout interval. (Range: 0 - 300 seconds; 0: disabled)

Default Setting
- CLI: Disabled (0 seconds)
- Telnet: 600 seconds

Command Mode
Line Configuration

Command Usage
- If a login attempt is not detected within the timeout interval, the connection is terminated for the session.
- This command applies to both the local console and Telnet connections.
- The timeout for Telnet cannot be disabled.
- Using the command without specifying a timeout restores the default setting.

Example
To set the timeout to two minutes, enter this command:

Console(config-line)#timeout login response 120
Console(config-line)#

Related Commands
silent-time (4-21)
exec-timeout (4-14)

exec-timeout

This command sets the interval that the system waits until user input is detected. Use the no form to restore the default.

Syntax
exec-timeout [seconds]
no exec-timeout

seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds; 0: no timeout)

Default Setting
- CLI: No timeout
- Telnet: 10 minutes

Command Mode
Line Configuration

Command Usage
- If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
- This command applies to both the local console and Telne
333. o 100 Mbps, half-duplex operation.

Console(config)#interface ethernet 1/5
Console(config-if)#speed-duplex 100half
Console(config-if)#no negotiation
Console(config-if)#

Related Commands
negotiation (4-146)
capabilities (4-147)

negotiation

This command enables autonegotiation for a given interface. Use the no form to disable autonegotiation.

Syntax
[no] negotiation

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
- When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
- If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.

Example
The following example configures port 11 to use autonegotiation.

Console(config)#interface ethernet 1/11
Console(config-if)#negotiation
Console(config-if)#

Related Commands
capabilities (4-147)
speed-duplex (4-145)

capabilities

This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.

Syntax
[no] capabilities 1000full | 100full | 100half | 10full | 10half
334. of the main board.
- Internal Power Status - Displays the status of the internal power supply.

Management Software
- Loader Version - Version number of loader code.
- Boot-ROM Version - Version of Power-On Self-Test (POST) and boot code.
- Operation Code Version - Version number of runtime code.
- Role - Shows that this switch is operating as Master or Slave.

Expansion Slot
- Expansion Slot 1/2 - Combination RJ-45/SFP ports.

These additional parameters are displayed for the CLI.
- Unit ID - Unit number in stack.
- Redundant Power Status - Displays the status of the redundant power supply.

Web - Click System, Switch Information.

[Figure 3-4 Switch Information]

CLI - Use the following command to display version information.

Console#show version
Unit 1
Redundant power status
Agent (master)
Unit ID
Loader version
Boot ROM version
Operation code version
Serial number: A419048860
Service tag:
Hardware version: ROB
Module A type: 1000BaseT
Module B type: 1000BaseT
Number of ports
335. of the partner's state parameters. (See preceding table.)
- Oper State - Operational values of the partner's state parameters. (See preceding table.)

Web - Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information.

[Figure 3-47 LACP - Port Neighbors Information]

CLI - The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.

Console#show lacp 1 neighbors
Port channel 1 neighbors
Eth 1/1
Partner Admin System ID
Partner Oper System ID
Partner Admin Port Number
Partner Ope
336. on about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
- Default: 15
- Minimum: The higher of 4 or [(Max. Message Age / 2) + 1]
- Maximum: 30

Configuration Settings for RSTP

- Path Cost Method - The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
  - Long: Specifies 32-bit based values that range from 1-200,000,000. (This is the default.)
  - Short: Specifies 16-bit based values that range from 1-65535.
- Transmission Limit - The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3)

Web - Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.

[Web screen: STA Configuration]
337. on commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.

The configuration commands are organized into different modes:

- Global Configuration - These commands modify the system level configuration, and include commands such as hostname and snmp-server community.
- Access Control List Configuration - These commands are used for packet filtering.
- Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation.
- Line Configuration - These commands modify the console port and Telnet configuration, and include command such as parity and databits.
- VLAN Configuration - Includes the command to create VLAN groups.

To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to "Console(config)#" which gives you access privilege to all Global Configuration commands.

Console#configure
Console(config)#

To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.

Table 4-2 Configuration Modes
Mode | Command | Prompt | Page
Li
338. ondary (or community) VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the promiscuous ports in the associated primary VLAN. Isolated VLANs, on the other hand, consist of a single stand-alone VLAN that contains one promiscuous port and one or more isolated (or host) ports. In all cases, the promiscuous ports are designed to provide open access to an external network such as the Internet, while the community or isolated ports provide restricted access to local users.

Multiple primary VLANs can be configured on this switch, and multiple community VLANs can be associated with each primary VLAN. One or more isolated VLANs can also be configured. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.)

This section describes commands used to configure private VLANs.

Table 4-55 Private VLAN Commands
Command: Function (Mode, Page)

Edit Private VLAN Groups
private-vlan: Adds or deletes primary, community, or isolated VLANs (VC, 4-210)
private-vlan association: Associates a community VLAN with a primary VLAN (VC, 4-212)

Configure Private VLAN Interfaces
switchport mode private-vlan: Sets an interface to host mode or promiscuous mode (IC, 4-213)
switchport private-vlan host-association: Associates an interface with a secondary VLAN (IC, 4-214)
switchport private-vlan: Associates an interface with an isolat
339. onfigured VLAN (1-4094, no leading zeroes).
- VLAN Name - Name of the VLAN (1 to 32 characters).
- Status (Web) - Enables or disables the specified VLAN.
  - Enabled: VLAN is operational.
  - Disabled: VLAN is suspended; i.e., does not pass packets.
- State (CLI) - Enables or disables the specified VLAN.
  - Active: VLAN is operational.
  - Suspend: VLAN is suspended; i.e., does not pass packets.
- Add - Adds a new VLAN group to the current list.
- Remove - Removes a VLAN group from the current list. If any port is assigned to this group as untagged, it will be reassigned to VLAN group 1 as untagged.

Web - Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.

[Figure 3-63 Configuring a VLAN Static List]

CLI - This example creates a new VLAN.

Console(config)#vlan database                                        4-197
Console(config-vlan)#vlan 2 name R&D media ethernet state active     4-198
Console(config-vlan)#end
Console#show vlan                                                    4-207
Vlan ID: 1
Type: Static
Name: DefaultVlan
Status: Active
Ports/Channel groups: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
                      Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
                      Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) E
340. onfigures the link type for RSTP (link-type; IC, 4-193)

Table 4-50 Spanning Tree Commands
Command: Function (Mode, Page)
spanning-tree protocol-migration: Re-checks the appropriate BPDU format (PE, 4-195)
show spanning-tree: Shows spanning tree configuration for the common spanning tree (i.e., overall bridge) or a selected interface (PE, 4-195)

spanning-tree

This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.

Syntax
[no] spanning-tree

Default Setting
Spanning tree is enabled.

Command Mode
Global Configuration

Command Usage
The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.

Example
This example shows how to enable the Spanning Tree Algorithm for the switch:

Console(config)#spanning-tree
Console(config)#

spanning-tree mode

This command selects the spanning tree mode for this switch. Use the no form to restore the default.

Syntax
spanning-tree mode {stp | rstp}
no spanning t
341. only 802.1D BPDUs.

- Rapid Spanning Tree Protocol [10]
  RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
  - STP Mode - If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port's migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  - RSTP Mode - If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.

10. STP and RSTP BPDUs are transmitted as untagged frames, and will cross any VLAN boundaries.

Command Attributes

Basic Configuration of Global Settings

- Spanning Tree State - Enables/disables STA on this switch. (Default: Enabled)
- Spanning Tree Type - Specifies the type of spanning tree used on this switch:
  - STP: Spanning Tree Protocol (IEEE 802.1D); i.e., when this option is selected, the switch will use RSTP set to STP forced compatibility mode.
  - RSTP: Rapid Spanning Tree (IEEE 802.1w); RSTP is the default.
- Priority - Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the devic
342. ooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the "copy" command.

To save the current configuration settings, enter the following command:

1. From the Privileged Exec mode prompt, type "copy running-config startup-config" and press <Enter>.
2. Enter the name of the start-up file. Press <Enter>.

Console#copy running-config startup-config
Startup configuration file name: startup
Write to FLASH Programming.
Write to FLASH finish.
Success.

Console#

Managing System Files

The switch's flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch's file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.

The three types of files are:

- Configuration - This file stores system configuration information and is created when configuration settings are saved. Saved configuration files can be selected as a system start-up file or can be uploaded via TFTP to a server for backup. A file named "Factory_Default_Config.cfg" contains all the system default settings and cannot be deleted from the system. See "Saving or Restoring Configuration Settings" on page 3-24 for more information.
- Operation Code - System software that is executed after boot-up, a
343. or log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
- This command enables client time requests to time servers specified via the sntp servers command. It issues time synchronization requests based on the interval set via the sntp poll command.

Example

Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current time: Dec 23 02:52:44 2002
Poll interval: 60
Current mode: unicast
SNTP status: Enabled
SNTP server: 10.1.0.19 0.0.0.0 0.0.0.0
Current server: 10.1.0.19
Console#

Related Commands
sntp server (4-74)
sntp poll (4-75)
show sntp (4-75)

sntp server

This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list.

Syntax
sntp server [ip1 [ip2 [ip3]]]

ip - IP address of a time server (NTP or SNTP). (Range: 1-3 addresses)

Default Setting
None

Command Mode
Global Configuration

Command Usage
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the
344. ority. If you want this warning to be replaced by a message confirming that the connection to the switch is secure, you must obtain a unique certificate and a private key and password from a recognized certification authority.

Note: For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased.

When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to replace the default (unrecognized) certificate with an authorized one:

Console#copy tftp https-certificate                        4-87
TFTP server ip address: <server ip-address>
Source certificate file name: <certificate file name>
Source private file name: <private key file name>
Private password: <password for private key>

Note: The switch must be reset for the new certificate to be activated. To reset the switch, type: Console#reload

Configuring the Secure Shell

The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.

The Secure Shell (SSH) includes server c
345. ort. All values displayed have been accumulated since the last system reboot, and are shown as counts per second. Statistics are refreshed every 60 seconds by default.

Note: RMON groups 2, 5 and 9 can only be accessed using SNMP management software such as SMC EliteView.

Table 3-9 Port Statistics
Parameter: Description

Interface Statistics
Received Octets: The total number of octets received on the interface, including framing characters.
Received Unicast Packets: The number of subnetwork-unicast packets delivered to a higher-layer protocol.
Received Multicast Packets: The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast address at this sub-layer.
Received Broadcast Packets: The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a broadcast address at this sub-layer.
Received Discarded Packets: The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
Received Unknown Packets: The number of packets received via the interface which were discarded because of an unknown or unsupported protocol.
Received Errors: The number of inbound packets that conta
346. ort 3-113 Port Configuration
Output Trunk Configuration: Sets the output rate limit for each trunk (3-113)
Port Statistics: Lists Ethernet and RMON port statistics (3-114)
Address Table (3-121)
Static Addresses: Displays entries for interface, address or VLAN (3-121)
Dynamic Addresses: Displays or edits static entries in the Address Table (3-122)
Address Aging: Sets timeout for dynamically learned entries (3-124)
Spanning Tree (3-124)
STA
Information: Displays STA values used for the bridge (3-126)
Configuration: Configures global bridge settings for STA and RSTP (3-129)
Port Information: Displays individual port settings for STA (3-133)
Trunk Information: Displays individual trunk settings for STA (3-133)
Port Configuration: Configures individual port settings for STA (3-137)
Trunk Configuration: Configures individual trunk settings for STA (3-137)
VLAN (3-140)
802.1Q VLAN
GVRP Status: Enables GVRP VLAN registration protocol (3-145)
Basic Information: Displays information on the VLAN type supported by this switch (3-145)
Current Table: Shows the current port members of each VLAN and whether or not the port is tagged or untagged (3-146)
Static List: Used to create or remove VLAN groups (3-148)
Static Table: Modifies the settings for an existing VLAN (3-150)

Table 3-2 Main Menu (Continued)
Menu: Description (Page)
Static Membership by Port: Configures membership type for interfaces, including tagged, untagged or forbidden (3-152)
347. ort Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add. After you have completed adding ports to the member list, click Apply.

[Figure 3-86 IGMP Member Port Table]

CLI - This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1.

Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/11    4-239
Console(config)#exit
Console#show mac-address-table multicast vlan 1                            4-241
VLAN  M'cast IP addr.  Member ports  Type
1     224.1.1.12       Eth1/11       User
1     224.1.2.3        Eth1/12       IGMP
Console#

CHAPTER 4
COMMAND LINE INTERFACE

This chapter describes how to use the Command Line Interface (CLI).

Using the Command Line Interface

Accessing the CLI

When accessing the management interface for the switch over a direct connection to the server's console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very simil
348. ort in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.

- Designated root - The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
- Fast forwarding - This field provides the same information as Admin Edge port, and is only included for backward compatibility with earlier products.
- Admin Edge Port - You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying Edge Ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to reconfigure when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for
349. ot device transmits a configuration message.
- Forward Delay - The maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
- Designated Root - The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
  - Root Port - The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  - Root Path Cost - The path cost from the root port on this switch to the root device.
- Configuration Changes - The number of times the Spanning Tree has been reconfigured.
- Last Topology Change - Time since the Spanning Tree was last reconfigured.

These additional parameters are only displayed for the CLI:

- Spanning tree mode - Specifies the type of spanning tree used on this switch:
  - STP: Spanning Tree Protocol (IEEE 802.1D)
  - RSTP: Rapid Spanning Tree (IEEE 802.1w)
- Priority - Bridge priority is used in selecting the root
350. owing shows how to configure broadcast storm control at 600 packets per second:

Console(config)#interface ethernet 1/5
Console(config-if)#switchport broadcast octet-rate 600
Console(config-if)#

clear counters

This command clears statistics on an interface.

Syntax
clear counters interface

interface
- ethernet unit/port
  - unit - Stack unit. (This is unit 1.)
  - port - Port number. (Range: 1-26/52)
- port-channel channel-id (Range: 1-4)

Default Setting
None

Command Mode
Privileged Exec

Command Usage
Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.

Example
The following example clears statistics on port 5.

Console#clear counters ethernet 1/5
Console#

show interfaces status

This command displays the status for an interface.

Syntax
show interfaces status [interface]

interface
- ethernet unit/port
  - unit - Stack unit. (This is unit 1.)
  - port - Port number. (Range: 1-26/52)
- port-channel channel-id (Range: 1-4)
- vlan vlan-id (Range: 1-4094)

Default Setting
Shows the status for all interfaces.

Command Mode
Normal Exec, Privileged Exec

Command Usage
If no interface is specified, information on all
351. own: enabled

SNMP communities:
1. alpha, and the privilege is read-write
2. private, and the privilege is read-write
3. public, and the privilege is read-only

0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 SNMP packets output
0 Too big errors
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs

SNMP logging: enabled
Logging to 10.1.19.23 batman version 1
Console#

Interface Commands

These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.

Table 4-40 Interface Commands
Command: Function (Mode, Page)
interface: Configures an interface type and enters interface configuration mode (GC, 4-144)
description: Adds a description to an interface configuration (IC, 4-144)
speed-duplex: Configures the speed and duplex operation of a given interface when autonegotiation is disabled (IC, 4-145)
negotiation: Enables autonegotiation of a given interface (IC, 4-146)
capabilities: Advertises the capabilities of a given interface for use in autonegotiation (IC, 4-147)
flowcontrol: Enables flow control on a given interface (IC, 4-148)
shutdown: Disables an interface (IC, 4-149)
switchport: Co
352. p ip port: Shows the IP port map (PE, 4-235)
show map ip precedence: Shows the IP precedence map (PE, 4-236)
show map ip dscp: Shows the IP DSCP map (PE, 4-237)
show map access-list ip: Shows CoS value mapped to an access list for an interface (PE, 4-127)
show map access-list mac: Shows CoS value mapped to an access list for an interface (PE, 4-134)

map ip port (Global Configuration)

This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping.

Syntax
[no] map ip port

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.

Example
The following example shows how to enable TCP/UDP port mapping globally:

Console(config)#map ip port
Console(config)#

map ip port (Interface Configuration)

This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting.

Syntax
map ip port port-number cos cos-value
no map ip port port-number

- port-number - 16-bit TCP/UDP port number. (Range: 1-65535)
- cos-value - Class-of-Service value (Range: 0-7)

Default Setting
None

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
- The precedence for priority mapping is IP Port, IP Precedence o
353. pecified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.

Syntax
    [no] {permit | deny} {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid [vid-end]] [ethertype protocol [protocol-end]]

    Note: The default is for Ethernet II packets.

    any - Any MAC source or destination address.
    host - A specific MAC address.
    source - Source MAC address.
    destination - Destination MAC address range with bitmask.
    address-bitmask (see footnote 18) - Bitmask for MAC address (in hexadecimal format).
    vid - VLAN ID. (Range: 1-4094)
    vid-end - Upper bound of VID range. (Range: 1-4094)
    protocol - A specific Ethernet protocol number. (Range: 0-65535)
    protocol-end - Upper bound of protocol range. (Range: 0-65535)

Default Setting
    None

Command Mode
    MAC ACL

Command Usage
    New rules are added to the end of the list.
    The ethertype option can only be used to filter Ethernet II formatted packets.
    A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following:
        0800 - IP
        0806 - ARP
        8137 - IPX

18. For all bitmasks, "1" means care and "0" means ignore.

ACCESS CONTROL LIST COMMANDS

Example
This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 08
354. ping IP Precedence Values
IP Precedence Value | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7
CoS Value | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7

Command Mode
    Interface Configuration (Ethernet, Port Channel)

Command Usage
    The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
    IP Precedence values are mapped to default Class of Service values on a one-to-one basis according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the eight hardware priority queues.
    This command sets the IP Precedence for all interfaces.

Example
The following example shows how to map IP precedence value 1 to CoS value 0.

    Console(config)#interface ethernet 1/5
    Console(config-if)#map ip precedence 1 cos 0
    Console(config-if)#

map ip dscp (Global Configuration)

This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping.

Syntax
    [no] map ip dscp

Default Setting
    Disabled

Command Mode
    Global Configuration

Command Usage
    The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
    IP Precedence and IP DSCP cannot both be enabled. Enabling one of these priority types will automatically disable the other type.

Example
The following example shows how to enable IP DSCP mapping globally.

    Console(config)#map ip dscp
355. port priority, the port with the lowest physical port number will be selected as the backup port.
    Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.

Example

    Console(config)#interface ethernet 1/5
    Console(config-if)#lacp actor port-priority 128

show lacp

This command displays LACP information.

Syntax
    show lacp [port-channel] {counters | internal | neighbors | sysid}

    port-channel - Local identifier for a link aggregation group. (Range: 1-4)
    counters - Statistics for LACP protocol messages.
    internal - Configuration settings and operational state for local side.
    neighbors - Configuration settings and operational state for remote side.
    sysid - Summary of system priority and MAC address for all channel groups.

Default Setting
    Port Channel: all

Command Mode
    Privileged Exec

LINK AGGREGATION COMMANDS

Example

    Console#show lacp 1 counters
    Port channel: 1
    LACPDUs Sent: 21
    LACPDUs Received: 21
    Marker Sent: 0
    Marker Received: 0
    LACPDUs Unknown Pkts: 0
    LACPDUs Illegal Pkts: 0

Table 4-45 show lacp counters - display description
Field | Description
L
356. ports. If no explicit rule is matched, the implicit default is permit all.

Setting the ACL Name and Type

Use the ACL Configuration page to designate the name and type of an ACL.

Command Attributes
    Name - Name of the ACL. (Maximum length: 16 characters)
    Type - There are three filtering modes:
        Standard: IP ACL mode that filters packets based on the source IP address.
        Extended: IP ACL mode that filters packets based on source or destination IP address, as well as protocol type and protocol port number. If the "TCP" protocol is specified, then you can also filter packets based on the TCP control code.
        MAC: MAC ACL mode that filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).

ACCESS CONTROL LISTS

Web - Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list.

[Figure 3-35: Selecting ACL Type]

CLI - This example creates a standard IP ACL named david.

    Console(config)#access-list ip standard david
    Console(config-std-acl)#

Configuring a Standard IP ACL

Command Attributes
    Action - An ACL can contain any combination of permit or deny rules.
    Address Type - Specifies the source IP address. Use "Any" to include all possible a
357. prompt, enter "admin."
3. At the Password prompt, also enter "admin." (The password characters are not displayed on the console screen.)
4. The session is opened and the CLI displays the "Console#" prompt indicating you have access at the Privileged Exec level.

Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the "username" command, record them and put them in a safe place.

Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name and password "admin" to access the Privileged Exec level.
2. Type "configure" and press <Enter>.
3. Type "username guest password 0 password," for the Normal Exec level, where password is your new password. Press <Enter>.
4. Type "username admin password 0 password," for the Privileged Exec level, where password is your new password. Press <Enter>.

Note: "0" specifies the password in plain text, "7" specifies the password in encrypted form.

INITIAL CONFIGURATION

    Username: admin
    Password:

    CLI session with the SMC6726AL2 is opened.
    To end the CLI session, enter [Exit].

    Console#configure
    Console(config)#username guest password 0 [password]
    Console(config)#username admin passwo
358. protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)
    Login (see footnote 4) - Enables password checking at login. You can select authentication by a single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts. (Default: Local)

4. CLI only.

CONFIGURING THE SWITCH

Web - Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply.

[Figure 3-14: Enabling Telnet]

CLI - Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.

    Console(config)#line vty
    Console(config-line)#login local
    Console(config-line)#password 0 secret
    Console(config-line)#timeout login response 300
    Console(config-line)#exec-timeout 600
    Console(config-line)#password-thresh 3
    Console(config-line)#end
    Console#show line
    Console configuration:
      Password threshold: 3 times
      Interactive timeout: Disabled
      Login timeout: Disabled
      Silent time: Disabled
      Baudrate: 9600
      Databits: 8
359. protocol version number carried in the most recently received EAPOL frame.
Rx Last EAPOLSrc | The source MAC address carried in the most recently received EAPOL frame.
Tx EAPOL Total | The number of EAPOL frames of any type that have been transmitted by this Authenticator.
Tx EAP Req/Id | The number of EAP Req/Id frames that have been transmitted by this Authenticator.
Tx EAP Req/Oth | The number of EAP Request frames (other than Rq/Id frames) that have been transmitted by this Authenticator.

Web - Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.

[Figure 3-33: Displaying 802.1X Port Statistics]

CLI - This example displays the 802.1X statistics for port 4.

    Console#show dot1x statistics interface ethernet 1/4
    Eth 1/4
    Rx: EAPOL  EAPOL   EAPOL    EAPOL  EAP      EAP       EAP
        Start  Logoff  Invalid  Total  Resp/Id  Resp/Oth  LenError
        2      0       0        1007   672      0         0
        Last      Last
        EAPOLVer  EAPOLSrc
        1         00-00-E8-98-73-21
    Tx: EAPOL  EAP     EAP
        Total  Req/Id  Req/Oth
        2017   1005    0
    Console#

USER AUTHENTICATION

Filtering Addresses 
360. ption can only be used to filter Ethernet II formatted packets. (Range: 0-65535) A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), 8137 (IPX).

Web - Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select "Host," enter a specific address (e.g., 11-22-33-44-55-66). If you select "MAC," enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID or Ethernet type. Then click Add.

[Figure 3-38: ACL Configuration - MAC]

CLI - This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.

    Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
361. queues. Use the no form to restore the default weights.

Syntax
    queue bandwidth weight1...weight3
    no queue bandwidth

    weight1...weight3 - The ratio of weights for queues 0-3 determines the weights used by the WRR scheduler. However, note that Queue 0 is fixed at a weight of 1, and cannot be configured. (Range: 1-31)

Default Setting
    Weights 1, 2, 4, 6 are assigned to queues 0-3 respectively. Queue 0 is non-configurable.

Command Mode
    Global Configuration

Command Usage
    WRR controls bandwidth sharing at the egress port by defining scheduling weights.

Example
This example shows how to assign WRR weights to priority queues 1 - 3.

    Console(config)#queue bandwidth 6 9 12
    Console(config)#

Related Commands
    show queue bandwidth (4-227)

queue cos-map

This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 3). Use the no form to set the CoS map to the default values.

Syntax
    queue cos-map queue_id [cos1 ... cosn]
    no queue cos-map

    queue_id - The ID of the priority queue. Ranges are 0 to 3, where 3 is the highest priority queue.
    cos1 ... cosn - The CoS values that are mapped to the queue ID. It is a space-separated list of numbers. The CoS value is a number from 0 to 7, where 7 is the highest priority.

Default Setting
    This switch supports Class of Service by using four priority queues, with Weighted Round Robin queuing for each
362. r IP DSCP, and default switchport priority.
    This command sets the IP port priority for all interfaces.

Example
The following example shows how to map HTTP traffic to CoS value 0.

    Console(config)#interface ethernet 1/5
    Console(config-if)#map ip port 80 cos 0
    Console(config-if)#

map ip precedence (Global Configuration)

This command enables IP precedence mapping (i.e., IP Type of Service). Use the no form to disable IP precedence mapping.

Syntax
    [no] map ip precedence

Default Setting
    Disabled

Command Mode
    Global Configuration

Command Usage
    The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
    IP Precedence and IP DSCP cannot both be enabled. Enabling one of these priority types will automatically disable the other type.

Example
The following example shows how to enable IP precedence mapping globally.

    Console(config)#map ip precedence
    Console(config)#

map ip precedence (Interface Configuration)

This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table.

Syntax
    map ip precedence ip-precedence-value cos cos-value
    no map ip precedence

    precedence-value - 3-bit precedence value. (Range: 0-7)
    cos-value - Class-of-Service value. (Range: 0-7)

Default Setting
    The list below shows the default priority mapping.

Table 4-61 Map
363. r Port Number, Port Admin Priority, Port Oper Priority, Admin Key, Oper Key, Admin State, Oper State:
32768, 00-00-00-00-00-00, 3, 00-30-F1-CE-2A-20, 5, 3, 32768, 128, 0, 120, defaulted, distributing, collecting, synchronization, long timeout, distributing, collecting, synchronization, aggregation, long timeout, LACP-activity

Setting Broadcast Storm Thresholds

Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.

You can protect your network from broadcast storms by setting a threshold for broadcast traffic. Any broadcast packets exceeding the specified threshold will then be dropped.

Command Usage
    Broadcast Storm Control is enabled by default.
    Broadcast control does not affect IP multicast traffic.
    The specified threshold applies to all ports on the switch.

Command Attributes
    Port - Port number.
    Trunk - Trunk number.
    Type - Indicates the port type (100BASE-TX, 1000BASE-T, or SFP).
    Threshold - Threshold as percentage of port bandwidth. (Range: 64-95232000 octets per second; Default: 32000)
    Protect Status - Shows whether or not broadcast storm control has been enabled. (Default: Enabled)
    Trunk - Shows if a port i
364. r port

    port_number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535)

Default Setting
    49

Command Mode
    Global Configuration

Example

    Console(config)#tacacs-server port 181
    Console(config)#

tacacs-server key

This command sets the TACACS+ encryption key. Use the no form to restore the default.

Syntax
    tacacs-server key key_string
    no tacacs-server key

    key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 20 characters)

Default Setting
    None

Command Mode
    Global Configuration

Example

    Console(config)#tacacs-server key green
    Console(config)#

show tacacs-server

This command displays the current settings for the TACACS+ server.

Default Setting
    None

Command Mode
    Privileged Exec

Example

    Console#show tacacs-server
    Remote TACACS server configuration:
    Server IP address: 10.11.12.13
    Communication key with TACACS server:
    Server port number: 49
    Console#

Port Security Commands

These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. The
365. r unit in the stack.
    unit to file (see footnote 2) - Copies a file from another unit in the stack to this switch.
    TFTP Server IP Address - The IP address of a TFTP server.
    File Type - Specify config (configuration) to copy configuration settings.
    File Name - The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, ".", "-", "_")

Note: The maximum number of user-defined configuration files is limited only by available flash memory space.

2. These operations are not supported for this switch.

Downloading Configuration Settings from a Server

You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file "Factory_Default_Config.cfg" can be copied to the TFTP server, but cannot be used as the destination on the switch.

Web - Click System, File, Copy. Select "tftp to startup-config" or "tftp to file" and enter the IP address of the TFTP server. Specify the name of the file to download and select a file on the switch to overwrite or specify a new file name, then click Apply.

Copy    tftp to startup confi
366. r uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
    Save Host-Key from Memory to Flash - Saves the host key from RAM (i.e., volatile memory) to flash memory. Otherwise, the host key pair is stored to RAM by default. Note that you must select this item prior to generating the host-key pair.
    Generate - This button is used to generate the host key pair. Note that you must first generate the host key pair before you can enable the SSH server on the SSH Server Settings page.
    Clear - This button clears the host key from both volatile memory (RAM) and non-volatile memory (Flash).

Web - Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.

[Figure 3-27: SSH Host-Key Settings]

CLI - This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host's public keys.

    Console#ip ssh crypto host-key generate
    Console#ip ssh save host-ke
367. ration (Port Channel)

Command Usage
    Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
    If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin key - Ethernet Interface) used by the interfaces that joined the group. Note that when the LAG is no longer used, the port channel admin key is reset to 0.

Example

    Console(config)#interface port-channel 1
    Console(config-if)#lacp actor admin-key 3
    Console(config-if)#

lacp port-priority

This command configures LACP port priority. Use the no form to restore the default setting.

Syntax
    lacp {actor | partner} port-priority priority
    no lacp {actor | partner} port-priority

    actor - The local side of an aggregate link.
    partner - The remote side of an aggregate link.
    priority - LACP port priority is used to select a backup link. (Range: 0-65535)

Default Setting
    32768

Command Mode
    Interface Configuration (Ethernet)

Command Usage
    Setting a lower value indicates a higher effective priority.
    If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP 
368. rd 0 [password]
    Console(config)#

Setting an IP Address

You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:

Manual - You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.

Dynamic - The switch sends IP configuration requests to BOOTP or DHCP address allocation servers on the network.

BASIC CONFIGURATION

Manual Configuration

You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.

Note: The IP address for this switch is obtained via DHCP by default.

Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:

    IP address for the switch
    Default gateway for the network
    Network mask for this network

To assign an IP address to the switch, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type "interface vlan 1" to access the interface-configuration mode. Press 
369. re resending a request. (Range: 1-65535)
    retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30)
    key - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters)

Default Setting
    auth-port - 1812
    timeout - 5 seconds
    retransmit - 2

Command Mode
    Global Configuration

Example

    Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout 10 retransmit 5 key green
    Console(config)#

AUTHENTICATION COMMANDS

radius-server port

This command sets the RADIUS server network port. Use the no form to restore the default.

Syntax
    radius-server port port_number
    no radius-server port

    port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535)

Default Setting
    1812

Command Mode
    Global Configuration

Example

    Console(config)#radius-server port 181
    Console(config)#

radius-server key

This command sets the RADIUS encryption key. Use the no form to restore the default.

Syntax
    radius-server key key_string
    no radius-server key

    key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters)

Default Setting
    None

Command Mode
    Global Configuration

Example

    Console(config)#radius-server key green
370. ree mode.
    stp - Spanning Tree Protocol (IEEE 802.1D)
    rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)

Default Setting
    rstp

Command Mode
    Global Configuration

Command Usage
    Spanning Tree Protocol
        Uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
    Rapid Spanning Tree Protocol
        RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
        STP Mode - If the switch receives an 802.1D BPDU after a port's migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
        RSTP Mode - If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.

Example
The following example configures the switch to use Rapid Spanning Tree.

    Console(config)#spanning-tree mode rstp
    Console(config)#

SPANNING TREE COMMANDS

spanning-tree forward-time

This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.

Syntax
    spanning-tree forward-time seconds
    no spanning-tree forward-time

    seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].

Default Setting
371. removes Port 3 from VLAN 2.

    Console(config)#interface ethernet 1/3
    Console(config-if)#switchport allowed vlan add 1 tagged
    Console(config-if)#switchport allowed vlan remove 2

VLAN CONFIGURATION

Configuring VLAN Behavior for Interfaces

You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.

Command Usage
    GVRP - GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
    GARP - Group Address Registration Protocol is used by GVRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GVRP registration/deregistration.

Command Attributes
    PVID - VLAN ID assigned to untagged frames received on the interface. (Default: 1)
        If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN, the interface will automatically be added to VLAN 1 as an untagged member. For all other VLANs, an interface must first be configured as an untagged member before you can assign its PVID to that group.
    Acceptable Frame Type - Sets the interface to accept all frame typ
372. ress is seen on another interface, the address will be ignored and will not be written to the address table.

Command Attributes
    Static Address Counts (see footnote 9) - The number of manually configured addresses.
    Current Static Address Table - Lists all the static addresses.
    Interface - Port or trunk associated with the device assigned a static address.
    MAC Address - Physical address of a device mapped to this interface.
    VLAN - ID of configured VLAN (1-4094).

9. Web Only.

Web - Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address.

[Figure 3-53: Configuring a Static Address Table]

CLI - This example adds an address to the static address table, but sets it to be deleted when the switch is reset.

    Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
    Console(config)#

Displaying the Address Table

The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the pa
373. rface before connecting the ports, and also disconnect the ports before removing a static trunk via the configuration interface.

Command Attributes
    Member List (Current) - Shows configured trunks (Trunk ID, Unit, Port).
    New - Includes entry fields for creating new trunks.
        Trunk - Trunk identifier. (Range: 1-4)
        Port - Port identifier. (Range: 1-26/52)

PORT CONFIGURATION

Web - Click Port, Trunk Membership. Enter a trunk ID of 1-4 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.

[Figure 3-42: Static Trunk Configuration]

CLI - This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.

    Console(config)#interface port-channel 2
    Console(config-if)#exit
    Console(config)#interface ethernet 1/1
    Console(config-if)#channel-group 2
    Console(config-if)#exit
    Console(config)#interface ethernet 1/2
    Console(config-if)#channel-group 2
    Console(config-if)#end
    Console#show interfaces status port-channel 2
    Information of Trunk 2
     Basic information:
      Port type: 100TX
      Mac addr
374. ridge extension information
    Date and time information
    802.1X content
    GARP properties
    GVRP interface information
    History information
    Interface information
    IP information
    LACP statistic
    TTY line information
    Login records
    Login setting
    MAC access list
    Configuration of the address table
    Management IP filter
    Maps priority
    Port Characteristics
    Public Key information
    Priority queue information
    RADIUS server information
    Configures rate limits
    Information on the running configuration
    Simple Network Management Protocol statistics
    Simple Network Time Protocol configuration
    Spanning-tree configuration
    Secure shell server connections
    Startup system configuration
    System Information
    TACACS server settings
    Information about terminal lines
    System hardware and software versions
    Virtual LAN settings

ENTERING COMMANDS

The command "show interfaces ?" will display the following information:

    Console#show interfaces ?
      counters    Interface counters information
      status      Interface status information
      switchport  Interface switchport information
    Console#

Partial Keyword Lookup

If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example "s?" shows all the keywords starting with "s."

    Console#show s?
    snmp sntp spanning-tree ssh startup-config system
    Console#show s
375. rity.
- Set flow control to none.
- Set the emulation mode to VT100.
- When using HyperTerminal, select Terminal keys, not Windows keys.

Notes:
1. When using HyperTerminal with Microsoft Windows 2000, make sure that you have Windows 2000 Service Pack 2 or later installed. Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal's VT100 emulation. See www.microsoft.com for information on Windows 2000 service packs.
2. Refer to "Line Commands" on page 4-14 for a complete description of console configuration options.
3. Once you have set up the terminal correctly, the console login screen will be displayed.

For a description of how to use the CLI, see "Using the Command Line Interface" on page 4-1. For a list of all the CLI commands and detailed information on using the CLI, refer to "Command Groups" on page 4-12.

Remote Connections

Prior to accessing the switch's onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol.

The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see "Setting an IP Address" on page 2-6.

Note: This switch supports four concurrent Telnet/SSH sessions.

After configuring the switch's IP param
376. rk management services.

Simple Network Time Protocol (SNTP)
SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers.

Spanning Tree Algorithm (STA)
A technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.

Telnet
Defines a remote communication facility for interfacing to a terminal device over TCP/IP.

Terminal Access Controller Access Control System Plus (TACACS+)
TACACS+ is a logon authentication protocol that uses software running on a central server to control access to TACACS-compliant devices on the network.

Transmission Control Protocol/Internet Protocol (TCP/IP)
Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol.

Trivial File Transfer Protocol (TFTP)
A TCP/IP protocol commonly used for software downloads.

User Datagram Protocol (UDP)
UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets - connection-less datagrams that may be disc
377. rotos input: 0
QLen output: 0
Extended iftable stats:
Multi-cast input: 0
Multi-cast output: 17027
Broadcast input: 231
Broadcast output: 7
Ether-like stats:
Alignment errors: 0
FCS errors: 0
Single Collision frames: 0
Multiple collision frames: 0
SQE Test errors: 0
Deferred transmissions: 0
Late collisions: 0
Excessive collisions: 0
Internal mac transmit errors: 0
Internal mac receive errors: 0
Frame too longs: 0
Carrier sense errors: 0
Symbol errors: 0
RMON stats:
Drop events: 0
Octets: 4422579
Packets: 31552
Broadcast pkts: 238
Multi-cast pkts: 17033
Undersize pkts: 0
Oversize pkts: 0
Fragments: 0
Jabbers: 0
CRC align errors: 0
Collisions: 0
Packet size <= 64 octets: 25568
Packet size 65 to 127 octets: 1616
Packet size 128 to 255 octets: 1249
Packet size 256 to 511 octets: 1449
Packet size 512 to 1023 octets: 802
Packet size 1024 to 1518 octets: 871
Console#

Address Table Settings

Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.

Setting Static Addresses

A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static add
378. rsion: 2.2.6.3
Console#

Frame Size Commands

Table 4-24 Frame Size Commands
Command | Function | Mode | Page
jumbo frame | Enables support for jumbo frames | GC | 4-85

jumbo frame

This command enables support for jumbo frames. Use the no form to disable it.

Syntax
[no] jumbo frame

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
- This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
- To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size. And for half-duplex connections, all devices in the collision domain would need to support jumbo frames.
- Enabling jumbo frames will limit the maximum threshold for broadcast storm control to 64 packets per second. (See the switchport broadcast command on page 4-150.)
- The current setting for jumbo frames can be displayed with the show system command (page 4-82).

Example

Console(config)#jumbo frame
Console(config)#

Flash File Command
379. rt Capabilities - Allows auto-negotiation to be enabled/disabled. When auto-negotiation is enabled, you need to specify the capabilities to be advertised. When auto-negotiation is disabled, you can force the settings for speed, mode, and flow control. The following capabilities are supported.
- 10half - Supports 10 Mbps half-duplex operation
- 10full - Supports 10 Mbps full-duplex operation
- 100half - Supports 100 Mbps half-duplex operation
- 100full - Supports 100 Mbps full-duplex operation
- 1000full - Supports 1000 Mbps full-duplex operation
- Sym (Gigabit only) - Check this item to transmit and receive pause frames, or clear it to auto-negotiate the sender and receiver for asymmetric pause frames. (The current switch chip only supports symmetric pause frames.)
- FC - Supports flow control

Flow control can eliminate frame loss by "blocking" traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3x for full-duplex operation. (Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.)

(Default: Autonegotiation enabled; Advertised capabilities for 100BASE-TX - 10half, 10full, 100half, 100full; 1000BASE-T - 10half, 10full, 100half, 100full, 1000full; 1000BASE-SX/LX
380. rts. When the message arrives at another switch that supports GVRP, it will also place the receiving port in the specified VLANs, and pass the message on to all other ports. VLAN requirements are propagated in this way throughout the network. This allows GVRP-compliant devices to be automatically configured for VLAN groups based solely on endstation requests.

To implement GVRP in a network, first add the host devices to the required VLANs (using the operating system or other application software), so that these VLANs can be propagated onto the network. For both the edge switches attached directly to these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.

Note: If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices (as described in "Adding Static Members to VLANs (VLAN Index)" on page 3-150). But you can still enable GVRP on these edge switches, as well as on the core switches in the network.
381. s

These commands are used to manage the system code or configuration files.

Table 4-25 Flash File Commands
Command | Function | Mode | Page
copy | Copies a code image or a switch configuration to or from flash memory or a TFTP server | PE | 4-87
delete | Deletes a file or code image | PE | 4-90
dir | Displays a list of files in flash memory | PE | 4-91
whichboot | Displays the files booted | PE | 4-92
boot system | Specifies the file or image used to start up the system | GC | 4-93

copy

This command moves (upload/download) a code image or configuration file between the switch's flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the TFTP server and the quality of the network connection.

Syntax

copy file {file | running-config | startup-config | tftp | unit}
copy running-config {file | startup-config | tftp}
copy startup-config {file | running-config | tftp}
copy tftp {file | running-config | startup-config | https-certificate | public-key}
copy unit file

- file - Keyword that allows you to copy to/from a file.
- running-config - Keyword that allows you to copy to/from the current running con
382. s on page 2-6.

The switch's HTTP web agent allows you to configure switch parameters, monitor port connections, and display statistics using a standard web browser such as Netscape Navigator version 6.2 and higher or Microsoft IE version 5.0 and higher. The switch's web management interface can be accessed from any computer attached to the network.

The CLI program can be accessed by a direct connection to the RS-232 serial console port on the switch, or remotely by a Telnet connection over the network.

The switch's management agent also supports SNMP (Simple Network Management Protocol). This SNMP agent permits the switch to be managed from any system in the network using network management software such as SMC EliteView.

The switch's web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions:

- Set user names and passwords for up to 16 users
- Set an IP interface for a management VLAN
- Configure SNMP parameters
- Enable/disable any port
- Set the speed/duplex mode for any port
- Configure the bandwidth of any port by limiting input or output rates
- Control port access through IEEE 802.1X security or static address filtering
- Filter packets using Access Control Lists (ACLs)
- Configure up to 255 IEEE 802.1Q VLANs
- Enable GVRP automatic VLAN registration
- Configure IGMP multicast filtering
- Upload and download system firmware via TFTP
- Upload and download s
383. s a trunk member.

7. Port Broadcast Control
8. Trunk Broadcast Control

Web - Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply.

Figure 3-48 Port Broadcast Control

CLI - Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 octets per second for port 2 (which applies to all ports).

Console(config)#interface ethernet 1/1
Console(config-if)#no switchport broadcast
Console(config-if)#exit
Console(config)#interface ethernet 1/2
Console(config-if)#switchport broadcast octet-rate 600
Console(config-if)#end
Console#show interfaces switchport ethernet 1/2
Information of Eth 1/2
Broadcast threshold: Enabled, 600 octets/second
Lacp status: Enabled
Ingress rate limit: disable, Level: 30
Egress rate limit: disable, Level: 30
VLAN membership mode: Hybrid
Ingress rule: Disabled
Acceptable frame type: All frames
Nat
384. s the connection status for Port 5.

Console#show interfaces status ethernet 1/5
Information of Eth 1/5
Basic information:
  Port type: 100TX
  Mac address: 00 30   1 47 58 46
Configuration:
  Name:
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 10half, 10full, 100half, 100full
  Broadcast storm: Enabled
  Broadcast storm limit: 32000 octets/second
  Flow control: Disabled
  Lacp: Disabled
  Port security: Disabled
  Max MAC count: 0
  Port security action: None
Current status:
  Link status: Down
  Operation speed-duplex: 100full
  Flow control type: None
Console#

Configuring Interface Connections

You can use the Port Configuration or Trunk Configuration page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.

Command Attributes

- Name - Allows you to label an interface. (Range: 1-64 characters)
- Admin - Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved. You may also disable an interface for security reasons.
- Speed/Duplex - Allows you to manually set the port speed and duplex mode (i.e., with auto-negotiation disabled).
- Flow Control - Allows automatic or manual selection of flow control.
- Autonegotiation  Po
385. se this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.

This command displays settings for key command modes. Each mode group is separated by "!" symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information:

- MAC address for each switch in the stack
- SNTP server settings
- SNMP community strings
- Users (names, access levels, and encrypted passwords)
- Event log settings
- VLAN database (VLAN ID, name and state)
- VLAN configuration settings for each interface
- IP address configured for the switch
- Layer 4 precedence settings
- Any configured settings for the console port and Telnet

Example

Console#show running-config
building running-config, please wait...
!
phymap 00-30-f1-d3-26-00
!
SNTP server 0.0.0.0 0.0.0.0 0.0.0.0
!
clock timezone hours 0 minute 0 after-UTC
!
SNMP-server community private rw
SNMP-server community public ro
!
!
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
logging history ram 6
logging history flash 3
!
vlan database
vlan 1 name DefaultVlan media ethernet state
386. selected private VLAN.

Web - Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu.

Figure 3-67 Private VLAN Information

CLI - This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3.

Console#show vlan private-vlan
Primary  Secondary  Type       Interfaces
5                   primary    Eth1/3
5        6          community  Eth1/4 Eth1/5
Console#

Configuring Private VLANs

The Private VLAN Configuration page is used to create/remove primary, community, or isolated VLANs.

Command Attributes

- VLAN ID - ID of configured VLAN (1-4094).
- Type - There are three types of private VLANs:
  - Primary VLANs - Conveys traffic between promiscuous ports, and to community ports within secondary (or community) VLANs.
  - Community VLANs - Conveys traffic between community ports, and to their promiscuous ports in the associated primary VLAN.
  - Isolated VLANs - Conveys traffic only between the VLAN's isolated ports and the promiscuous port. Traffi
387. signed to the switch system.
- Object ID - MIB II object ID for switch's network management subsystem.
- Location - Specifies the system location.
- Contact - Administrator responsible for the system.
- System Up Time - Length of time the management agent has been up.

These additional parameters are displayed for the CLI.

- MAC Address - The physical layer address for this switch.
- Web server - Shows if management access via HTTP is enabled.
- Web server port - Shows the TCP port number used by the web interface.
- Web secure server - Shows if management access via HTTPS is enabled.
- Web secure server port - Shows the TCP port used by the HTTPS interface.
- Telnet server - Shows if management access via Telnet is enabled.
- Telnet port - Shows the TCP port used by the Telnet interface.
- Jumbo Frame - Shows if jumbo frames are enabled.
- POST result - Shows results of the power-on self-test.

Web - Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.)
388. sired tasks.

4. When finished, exit the session with the "quit" or "exit" command.

After entering the Telnet command, the login screen displays:

Username: admin
Password:
  CLI session with the SMC6726AL2 is opened.
  To end the CLI session, enter [Exit].
Vty-0#

Note: You can open up to four sessions to the device via Telnet.

Entering Commands

This section describes how to enter CLI commands.

Keywords and Arguments

A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command "show interfaces status ethernet 1/5," show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.

You can enter commands as follows:

- To enter a simple command, enter the command keyword.
- To enter multiple commands, enter each command in the required order. For example, to enable Privileged Exec command mode, and display the startup configuration, enter:

Console>enable
Console#show startup-config

- To enter commands that require parameters, enter the required parameters after the command keyword. For example, to set a password for the administrator, enter:

Console(config)#username admin password 0 smith

Minimum Abbreviation

The CLI will accept a minimum number of characters that uniquely identify a command. For exa
389. sntp poll command.

Example

Console(config)#sntp server 10.1.0.19
Console(config)#

Related Commands
sntp client (4-73)
sntp poll (4-75)
show sntp (4-75)

sntp poll

This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default.

Syntax

sntp poll seconds
no sntp poll

seconds - Interval between time requests. (Range: 16-16384 seconds)

Default Setting
16 seconds

Command Mode
Global Configuration

Example

Console(config)#sntp poll 60
Console(config)#

Related Commands
sntp client (4-73)

show sntp

This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.

Command Mode
Normal Exec, Privileged Exec

Command Usage
This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).

Example

Console#show sntp
Current time: Dec 23 05:13:28 2002
Poll interval: 16
Current mode: unicast
SNTP status : Enabled
SNTP server 137.92.140.80 0.0.0.0 0.0.0.0
Current server: 137.92.140.80
Console#

clock timezone

This command sets the time zone for the switch's internal clock.

Syntax

clock timezone name hour hours minute minutes {before-utc | after-utc}

name - Name
390. splayed.

6. Contact your distributor's service engineer.

For example:

Console(config)#logging on
Console(config)#logging history flash 7
Console(config)#snmp-server host 192.168.1.23

GLOSSARY

Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

Boot Protocol (BOOTP)
BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the devices system files, and the name of the boot file.

Class of Service (CoS)
CoS is supported by prioritizing packets based on the required level of service, and then placing them in the appropriate output queue. Data is transmitted from the queues using weighted round-robin service to enforce priority service and prevent blockage of lower-level queues. Priority may be set according to the port default, the packet's priority bit (in the VLAN tag), TCP/UDP port number, IP Precedence bit, or DSCP priority bit.

Differentiated Services Code Point Service (DSCP)
DSCP uses a six-bit tag to provide for up to 64 different forwarding behaviors. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP bits are mapped to the Class of Service categories, and then into the output queues.

Domain Nam
391. splaying Log Messages

The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.

Web - Click System, Log, Logs.

Figure 3-17 Displaying Logs

CLI - This example shows the event message stored in RAM.

Console#show log ram
[1] 00:01:37 2001-01-01
   "DHCP request failed - will retry later."
   level: 4, module: 9, function: 0, and event no.: 10
[0] 00:00:35 2001-01-01
   "System coldStart notification."
   level: 6, module: 6, function: 1, and event no.: 1
Console#

Sending Simple Mail Transfer Protocol Alerts

To alert system administrators of problems
392. ss - IP address
- netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
- bootp - Obtains IP address from BOOTP.
- dhcp - Obtains IP address from DHCP.

Default Setting
DHCP

Command Mode
Interface Configuration (VLAN)

Command Usage
- You must assign an IP address to this device to gain management access over the network. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the configuration program.
- If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask.)
- You can start broadcasting BOOTP or DHCP requests by entering an ip dhcp restart command, or by rebooting the switch.

Note: Only one VLAN interface can be assigned an IP address (the default is VLAN 1). This defines the management VLAN, the only VLAN through which you can gain management access to the switch. If you assign an IP address to any other VLAN, the new IP address overrides the original IP address and this becomes the
393. ssage level(s) reported based on the logging history FLASH command.
History logging in: The message level(s) reported based on the logging history RAM command.

The following example displays settings for the trap function.

Console#show logging trap
Syslog logging: Enabled
REMOTELOG status: Enabled
REMOTELOG facility type: local use 7
REMOTELOG level type: Informational messages only
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
Console#

Table 4-20 show logging trap - display description
Field | Description
Syslog logging | Shows if system logging has been enabled via the logging on command.
REMOTELOG status | Shows if remote logging has been enabled via the logging trap command.
REMOTELOG facility type | The facility type for remote logging of syslog messages as specified in the logging facility command.
REMOTELOG level type | The severity threshold for syslog messages sent to a remote server as specified in the logging trap command.
REMOTELOG server IP address | The address of syslog servers as specified in the logging host command.

Related Commands
show logging sendmail (4-71)

show log

This command displays the system and event messages stored in
394. ssh server

This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.

Syntax
[no] ip ssh server

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
- The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
- The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
- You must generate the host key before enabling the SSH server.

Example

Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#

Related Commands
ip ssh crypto host-key generate (4-53)
show ssh (4-55)

ip ssh timeout

This command configures the timeout for the SSH server. Use the no form to restore the default setting.

Syntax

ip ssh timeout seconds
no ip ssh timeout

seconds - The timeout for client response during SSH negotiation. (Range: 1-120)

Default Setting
10 seconds

Command Mode
Global Configuration

Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input
395. ssigned to VLAN 1 by default. The default frame type is untagged.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
- A port, or a trunk with switchport mode set to hybrid, must be assigned to at least one VLAN as untagged.
- If a trunk has switchport mode set to trunk (i.e., 1Q Trunk), then you can only assign an interface to VLAN groups as a tagged member.
- Frames are always tagged within the switch. The tagged/untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress.
- If none of the intermediate network devices nor the host at the other end of the connection supports VLANs, the interface should be added to these VLANs as an untagged member. Otherwise, it is only necessary to add at most one VLAN as untagged, and this should correspond to the native VLAN for the interface.
- If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.

Example

The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1.

Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
Console(config-if)#

switchport forbidden vlan

This command configures forbidden VLANs. Use the no form to remove the list of forbidd
396. st
Console(config-if)#switchport private-vlan host-association 6
Console(config-if)#exit
Console(config)#interface ethernet 1/5
Console(config-if)#switchport mode private-vlan host
Console(config-if)#switchport private-vlan host-association 6
Console(config-if)#

Class of Service Configuration

Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port's high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch's priority queues.

Layer 2 Queue Settings

Setting the Default Priority for Interfaces

You can specify the default port priority for each interface on the switch. All untagged packets entering the switch are tagged with the specified default port priority, and then sorted into the appropriate priority queue at the output port.

Command Usage
- This switch provides four priority queues for each port. It uses Weighted Round Robin to prevent head-of-queue blockage.
- The default priority applies for an untagged frame received on a port set to accept all frame types (i.e., receives both untagged and tagged frames). This priority does not apply
397. stations are only able to retrieve MIB objects.
• Read/Write - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects.

Web - Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add.

[Figure 3-22: Configuring SNMP Community Strings]

CLI - The following example adds the string "spiderman" with read/write access.

Console(config)#snmp-server community spiderman rw
Console(config)#

Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as SMC EliteView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.

SIMPLE NETWORK MANAGEMENT PROTOCOL

Command Attributes
• Trap Manager Capability - This switch supports up to five trap managers.
• Current - Displays a list of the trap managers currently configured.
• Trap Manager IP Address - IP address of the host (the targeted recipient).
• Trap Manager Co
398. t connections.
• The timeout for Telnet cannot be disabled.
• Using the command without specifying a timeout restores the default setting.

Example
To set the timeout to two minutes, enter this command:

Console(config-line)#exec-timeout 120
Console(config-line)#

Related Commands
silent-time (4-21)
timeout login response (4-13)

password-thresh

This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.

Syntax
password-thresh threshold
no password-thresh

threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)

Default Setting
The default value is three attempts.

Command Mode
Line Configuration

Command Usage
• When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
• This command applies to both the local console and Telnet connections.

LINE COMMANDS

Example
To set the password threshold to five attempts, enter this command:

Console(config-line)#password-thresh 5
Console(config-line)#

Related Commands
silent-time (4-21)
timeout login response (4-13)

silent-time
This command s
399. t rule (permit any any) in the ingress IP ACL for ingress ports.
4. Explicit default rule (permit any any) in the ingress MAC ACL for ingress ports.
5. If no explicit rule is matched, the implicit default is permit all.

Table 4-33 Access Control Lists
Command Groups | Function | Page
IP ACLs | Configures ACLs based on IP addresses, TCP/UDP port number, protocol type, and TCP control code | 4-118
MAC ACLs | Configures ACLs based on hardware addresses, packet format, and Ethernet type | 4-128
ACL Information | Displays ACLs and associated rules; shows ACLs assigned to each port | 4-135

IP ACLs

ACCESS CONTROL LIST COMMANDS

Table 4-34 IP ACLs
Command | Mode | Page | Function
access-list ip | GC | 4-119 | Creates an IP ACL and enters configuration mode
permit, deny | STD-ACL | 4-120 | Filters packets matching a specified source IP address
permit, deny | EXT-ACL | 4-122 | Filters packets meeting the specified criteria, including source and destination IP address, TCP/UDP port number, protocol type, and TCP control code
show ip access-list | PE | 4-124 | Displays the rules for configured IP ACLs
ip access-group | IC | 4-125 | Adds a port to an IP ACL
show ip access-group | PE | 4-125 | Shows port assignments for IP ACLs
map access-list ip | IC | 4-126 | Sets the CoS value and corresponding output queue for packets matching an
400. t switch/router. Although this approach reduces the network overhead required by a multicast server, the broadcast traffic must be carefully pruned at every multicast switch/router it passes through to ensure that traffic is only passed on to the hosts which subscribed to this service.

This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting to join the service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service. This procedure is called multicast filtering.

The purpose of IP multicast filtering is to optimize a switched network's performance, so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast routers/switches, instead of flooding traffic to all ports in the subnet (VLAN).

MULTICAST FILTERING

Layer 2 IGMP (Snooping and Query)

IGMP Snooping and Query - If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query (page 3-181) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.

Static IGMP Router
401. tart IP address    End IP address
1.  192.168.1.19    192.168.1.19
2.  192.168.1.25    192.168.1.30
Console#

Web Server Commands

Table 4-12 Web Server Commands
Command | Function | Mode | Page
ip http port | Specifies the port to be used by the web browser interface | GC | 4-41
ip http server | Allows the switch to be monitored or configured from a browser | GC | 4-41
ip http secure-server | Enables HTTPS for encrypted communications | GC | 4-42
ip http secure-port | Specifies the UDP port number for HTTPS | GC | 4-43

SYSTEM MANAGEMENT COMMANDS

ip http port

This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.

Syntax
ip http port port-number
no ip http port

port-number - The TCP port to be used by the browser interface. (Range: 1-65535)

Default Setting
80

Command Mode
Global Configuration

Example
Console(config)#ip http port 769
Console(config)#

Related Commands
ip http server (4-41)

ip http server

This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.

Syntax
[no] ip http server

Default Setting
Enabled

Command Mode
Global Configuration

Example
Console(config)#ip http server
Console(config)#

Related Commands
ip http port (4-41)

ip http secure-server

This command ena
402. td acl

ACCESS CONTROL LISTS

Configuring an Extended IP ACL

Command Attributes
• Action - An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type - Specifies the source or destination IP address. Use "Any" to include all possible addresses, "Host" to specify a specific host address in the Address field, or "IP" to specify a range of addresses with the Address and SubMask fields. (Options: Any, Host, IP; Default: Any)
• Source/Destination Address - Source or destination IP address.
• Source/Destination Subnet Mask - Subnet mask for source or destination address. (See the description for Subnet Mask on page 3-79.)
• Service Type - Packet priority settings based on the following criteria:
  - Precedence - IP precedence level. (Range: 0-7)
  - TOS - Type of Service level. (Range: 0-15)
  - DSCP - DSCP priority level. (Range: 0-63)
• Protocol - Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: TCP)
• Source/Destination Port - Source/destination port number for the specified protocol type. (Range: 0-65535)
• Control Code - Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
• Control Code Bitmask - Decimal number representing the code bits to match. The control bitmask is a decimal number (for an equivalent binary bit mask
403. te Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are logon authentication protocols that use software running on a central server to control access to RADIUS-aware or TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch.

[Figure: console, switch, and RADIUS/TACACS+ server]
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best-effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.

USER AUTHENTICATION

Command Usage
• By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol. Local and remote logon authenticat
404. te VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary or isolated VLAN. Assign host ports to a community or isolated VLAN. After all the ports have been configured, click Apply.

[Figure 3-71: Private VLAN Port Configuration]

CLI - This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3.

Console(config)#interface ethernet 1/3
Console(config-if)#switchport mode private-vlan promiscuous
Console(config-if)#switchport private-vlan mapping 5
Console(config-if)#exit
Console(config)#interface ethernet 1/4
Console(config-if)#switchport mode private-vlan ho
405. te VLANs          0 00 4 208  private lA 4 210  private vlan association      liiis 4 212  switchport mode private vlan           0 0 00  eee 4 213  switchport private vlan host association               4 214  switchport private vlan isolated       oooooooooooo   4 214  switchport private vlan mapping            esses 4 215  show vlan private vlan 1 0    eee eee 4 216  GVRP and Bridge Extension Commands                  0005 4 217  bridg   ext VPO ata Ve 4 217  show bridge ext 6 0 0    cece eee 4 218  switchpott gvrp     ove A aL RE ELE 4 219  show gvrp configuration   6 6    6  eee eee 4 219  Garp immefiz   rede e ebrei Vu DES eras 4 220  show Gatp timer    cese du ee A EAA 4 221  Priority  Commands    32 2 dads Made deve ice eene cac d seed e aca 4 222  Priority Commands  Layer 2     0    ee eee 4 222  queue mode cues Rie he uL TAS REI 4 223  switchport priority default             0 0 00  eee 4 224  queue bandwidth a oikeni aae aa eia a aias 4 225  queue cos Apeira e a ep ES 4 226  show queuemode s io Dell a Lev 4 227  show queue bandwidth             0 00  4 227  show queue cos map   6    eee eee 4 228  Priority Commands  Layer 3 and 4                  sese  4 229  map ip port  Global Configuration        o o ooooooo o   4 230  map ip port  Interface Configuration                  4 230  map ip precedence  Global Configuration              4 231  map ip precedence  Interface Configuration            4 232  map ip dscp  Global Configuration                   4 233  map ip
406. ted, 33.3 Mbps

Default Setting
Fast Ethernet interface - 3.3 Mbps
Gigabit Ethernet interface - 33.3 Mbps

Command Mode
Global Configuration (Ethernet, Port Channel)

Command Usage
Actual rate limit = Rate limit level * Granularity

Example
The following sets Fast Ethernet granularity to 1 Mbps, and Gigabit Ethernet granularity to 33.3 Mbps.

Console(config)#rate-limit fastethernet granularity 1000
Console(config)#rate-limit gigabitethernet granularity 33300
Console(config)#

show rate-limit

Use this command to display the rate limit granularity.

Default Setting
Fast Ethernet interface - 3.3 Mbps
Gigabit Ethernet interface - 33.3 Mbps

Command Mode
Privileged Exec

Command Usage
• For Fast Ethernet interfaces, the rate limit granularity is 512 Kbps, 1 Mbps, or 3.3 Mbps.
• For Gigabit Ethernet interfaces, the rate limit granularity is 33.3 Mbps.

Example
Console#show rate-limit
Fast ethernet granularity: 1000
Gigabit ethernet granularity: 33300
Console#

Link Aggregation Commands

Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply
407. ter) that serves as the root of the spanning tree network. It selects a root port on each bridging device (except for the root device) which incurs the lowest path cost when forwarding a packet from that device to the root device. Then it selects a designated bridging device from each LAN which incurs the lowest path cost when forwarding a packet from that LAN to the root device. All ports connected to designated bridging devices are assigned as designated ports. After determining the lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.

[Figure: root, designated bridge, and designated port]

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down. This bridge will then initiate negotiations with other bridges to reconfigure the network to reestablish a valid network topology.

RSTP is designed as a general replacement for the slower, legacy STP. RSTP achieves much faster reconfiguration
408. th1/15(S) Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S)
Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S)
Eth1/26(S)

Vlan ID: 2
Type: Static
Name: R&D
Status: Active
Ports/Port Channel:

Console(config-vlan)#

Adding Static Members to VLANs (VLAN Index)

Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN-compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.

Notes:
1. You can also use the VLAN Static Membership by Port page to configure VLAN groups based on the port index (page 3-152). However, note that this configuration page can only add ports to a VLAN as tagged members.
2. VLAN 1 is the default untagged VLAN containing all ports on the switch, and can only be modified by first reassigning the default port VLAN ID as described under "Configuring VLAN Behavior for Interfaces" on page 3-153.

Command Attributes
• VLAN - ID of configured VLAN (1-4094).
• Name - Name of the VLAN (1 to 32 characters).
• Status - Enables or disables the specified VLAN.
  - Enable: VLAN is operational.
  - Disable: VLAN is suspended; i.e., does not pass packets.
• Port - Port identifier.
• Membership Type - Select VLAN membership for each inter
409. the Key for the protocol partner.
Oper Key | Current operational value of the Key for the protocol partner.
Admin State | Administrative values of the partner's state parameters. (See preceding table.)
Oper State | Operational values of the partner's state parameters. (See preceding table.)

Console#show lacp sysid
Port Channel    System Priority    System MAC Address
1               32768              00-30-F1-D3-26-00
2               32768              00-30-F1-D3-26-00
3               32768              00-30-F1-D3-26-00
4               32768              00-30-F1-D3-26-00
Console#

Table 4-48 show lacp sysid - display description
Field | Description
Channel group | A link aggregation group configured on this switch.
System Priority* | LACP system priority for this channel group.
System MAC Address* | System MAC address.
* The LACP system priority and system MAC address are concatenated to form the LAG system ID.

Address Table Commands

These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.

Table 4-49 Address Table Commands
Command | Mode | Page | Function
mac-address-table static | GC | 4-178 | Maps a static address to a port in a VLAN
clear mac-address-table dynamic | PE | 4-179 | Removes any learned entries from the forwarding database
show mac-address-table | PE | 4-179 | Displays entries in the bridge-forwarding database
410. the rate limit level. (Range: 1-30; Default: 30)

Note: Actual rate limit = Rate Limit Level * Granularity

Web - Click Port, Rate Limit, Input/Output Port/Trunk Configuration. Enable the Rate Limit Status for the required interfaces, set the Rate Limit Level, and click Apply.

[Figure 3-51: Output Rate Limit Port Configuration]

CLI - This example sets the rate limit level for input and output traffic passing through port 3.

Console(config)#interface ethernet 1/3
Console(config-if)#rate-limit input level 25
Console(config-if)#rate-limit output level 25
Console(config-if)#

Showing Port Statistics

You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading). RMON statistics provide access to a broad range of statistics, including a total count of different frame types and sizes passing through each p
411. to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations. (Range: 0-65535)

Default Setting
32768

Command Mode
Interface Configuration (Ethernet)

Command Usage
• Ports must be configured with the same system priority to join the same LAG.
• System priority is combined with the switch's MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
• Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.

Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor system-priority 3
Console(config-if)#

lacp admin-key (Ethernet Interface)

This command configures a port's LACP administration key. Use the no form to restore the default setting.

Syntax
lacp {actor | partner} admin-key key
no lacp {actor | partner} admin-key

• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.
• key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG). (Range: 0-65535)

Default Setti
412. [Figure 3-3: System Information]

BASIC CONFIGURATION

CLI - Specify the hostname, location and contact information.

Console(config)#hostname R&D 5
Console(config)#snmp-server location WC 9
Console(config)#snmp-server contact Ted
Console(config)#exit
Console#show system
System description: TigerSwitch 10/100 6726AL2
System OID string: 1.3.6.1.4.1.202.20.46
System information
 System Up time: 0 days, 2 hours, 4 minutes, and 7.13 seconds
 System Name: R&D 5
 System Location: WC 9
 System Contact: Ted
 MAC address: 00-30-F1-12-34-56
 Web server: enabled
 Web server port: 80
 Web secure server: enabled
 Web secure server port: 443
 Telnet server: enabled
 Telnet port: 23
 Jumbo Frame: Disabled
 POST result
DUMMY Test ................. PASS
UART LOOP BACK Test ........ PASS
DRAM Test .................. PASS
Timer Test ................. PASS
REC Initialization ......... PASS
Switch Int Loopback test ... PASS
Done All Pass.
Console#

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.

Field Attributes
Main Board
• Serial Number - The serial number of the switch.
• Number of Ports - Number of built-in RJ-45 ports.
• Hardware Version - Hardware version
413. to the port's default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
• hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
• private-vlan - For an explanation of this command see "switchport mode private vlan" on page 4-213.

Default Setting
All ports are in hybrid mode with the PVID set to VLAN 1.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Example
The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid.

Console(config)#interface ethernet 1/1
Console(config-if)#switchport mode hybrid
Console(config-if)#

Related Commands
switchport acceptable-frame-types (4-202)

switchport acceptable-frame-types

This command configures the acceptable frame types for a port. Use the no form to restore the default.

Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types

• all - The port accepts all frames, tagged or untagged.
• tagged - The port only receives tagged frames.

Default Setting
All frame types

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.

Example
The following example shows how to restrict the traffic received on port 1 to tagged frames.

Conso
414. trol
Console(config)#

Configuring Port Settings for 802.1X

When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server. These parameters are described in this section.

Command Attributes
• Port - Port number.
• Status - Indicates if authentication is enabled or disabled on the port. (Default: Disabled)
• Operation Mode - Allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. (Options: Single-Host, Multi-Host; Default: Single-Host)
• Max Count - The maximum number of hosts that can connect to a port when the Multi-Host operation mode is selected. (Range: 1-1024; Default: 5)
• Mode - Sets the authentication mode to one of the following options:
  - Auto - Requires a dot1x-aware client to be authorized by the authentication server. Clients that are not dot1x-aware will be denied access.
  - Force-Authorized - Forces the port to grant access to all clients, either dot1x-aware or otherwise. (This is the default setting.)
  - Force-Unauthorized - Forces the port to deny access to all clients, either dot1x-aware or otherwise.
• Re-authen - Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re aut
415. trusion threshold, which limits the number of failed logon attempts | LC | 4-20
silent-time* | Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command | LC | 4-21
databits* | Sets the number of data bits per character that are interpreted and generated by hardware | LC | 4-22
parity* | Defines the generation of a parity bit | LC | 4-23
speed* | Sets the terminal baud rate | LC | 4-23
stopbits* | Sets the number of the stop bits transmitted per byte | LC | 4-24
disconnect | Terminates a line connection | PE | 4-25
show line | Displays a terminal line's parameters | NE, PE | 4-25
* These commands only apply to the serial port.

line

This command identifies a specific line for configuration, and to process subsequent line configuration commands.

Syntax
line {console | vty}

• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).

Default Setting
There is no default line.

Command Mode
Global Configuration

Command Usage
Telnet is considered a virtual terminal connection and will be shown as "Vty" in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.

Example
To enter console line mode, enter the following command:

Console(config)#line console
Console(config-line)#

Related Commands
416. ts
Late Collisions | The number of times that a collision is detected later than 512 bit-times into the transmission of a packet.
FCS Errors | A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check. This count does not include frames received with frame-too-long or frame-too-short error.
Excessive Collisions | A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode.
Single Collision Frames | The number of successfully transmitted frames for which transmission is inhibited by exactly one collision.
Internal MAC Transmit Errors | A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.

PORT CONFIGURATION

Table 3-9 Port Statistics (Continued)
Parameter | Description
Multiple Collision Frames | A count of successfully transmitted frames for which transmission is inhibited by more than one collision.
Carrier Sense Errors | The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame.
SQE Test Errors | A count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface.
Frames Too Long | A count of frames received on
417. ts allowed management access via the web, SNMP, and Telnet | 3-75
Port | | 3-87
Port Information | Displays port connection status | 3-87
Trunk Information | Displays trunk connection status | 3-87
Port Configuration | Configures port connection settings | 3-90
Trunk Configuration | Configures trunk connection settings | 3-90
Trunk Membership | Specifies ports to group into static trunks | 3-94
LACP | | 3-92
Configuration | Allows ports to dynamically join trunks | 3-96
Aggregation Port | Configures parameters for link aggregation group members | 3-98
Port Counters | Displays statistics for LACP protocol messages | 3-102
Port Internal Information | Displays settings and operational state for the local side | 3-103
Port Neighbors Information | Displays settings and operational state for the remote side | 3-106
Port Broadcast Control | Sets the broadcast storm threshold for each port | 3-108
Trunk Broadcast Control | Sets the broadcast storm threshold for each trunk | 3-108
Mirror Port Configuration | Sets the source and target ports for mirroring | 3-110
Rate Limit | | 3-112
Granularity | Enables or disables the rate limit feature | 3-112
Input Port Configuration | Sets the input rate limit for each port | 3-113
Input Trunk Configuration | Sets the input rate limit for each trunk | 3-113

Table 3-2 Main Menu (Continued)
Menu | Description | Page
Output | Sets the output rate limit for each p
418. ts an interface to fast forwarding. Use the no form to disable fast forwarding.

Syntax
[no] spanning-tree portfast

Default Setting
Disabled

SPANNING TREE COMMANDS

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding.
• Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time. Fast forwarding can achieve quicker convergence for end-node workstations and servers, and also overcome other STA-related timeout problems. (Remember that fast forwarding should only be enabled for ports connected to a LAN segment that is at the end of a bridged LAN or for an end-node device.)
• This command is the same as spanning-tree edge-port, and is only included for backward compatibility with earlier products. Note that this command may be removed for future software versions.

Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree portfast
Console(config-if)#

Related Commands
spanning-tree edge-port (4-191)

spanning-tree link-type

This command configures the link type for Rapid Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree link-type {auto | point-to
419. ts if they want to receive multicast traffic  If  there is more than one router switch on the LAN performing IP  multicasting  one of these devices is elected    querier    and assumes the  role of querying the LAN for group members  It then propagates the  setvice requests on to any upstream multicast switch router to ensure  that it will continue to receive the multicast service     Note  Multicast routers use this information  along with a multicast    routing protocol such as DVMRP or PIM  to support IP  multicasting across the Internet     Command Attributes    IGMP Status     When enabled  the switch will monitor network  traffic to determine which hosts want to receive multicast traffic  This  is also referred to as IGMP Snooping   Default  Enabled     Act as IGMP Querier     When enabled  the switch can serve as the  Querier  which is responsible for asking hosts if they want to receive  multicast traffic   Default  Enabled     IGMP Query Count     Sets the maximum number of queries issued  for which there has been no response before the switch takes action to  drop a client from the multicast group   Range  2 10  Default  2     IGMP Query Interval     Sets the frequency at which the switch  sends IGMP host query messages   Range  60 125 seconds   Default  125     IGMP Report Delay     Sets the time between receiving an IGMP  Report for an IP multicast address on a port before the switch sends  an IGMP Query out of that port and removes the entry from its list    Rang
420. ubleshooting B 1  trunk  configuration 3 92  4 163  LACP 3 96  4 165  static 3 94  4 165    Index 4    U    upgrading software 3 22  4 87  user password 3 48  4 35  4 36    V    VLANs 3 140   3 165  4 197   4 217   adding static members 3 150  3 152   4 205   creating 3 148  4 198   description 3 140  3 165   displaying basic information 3 145   4 218   displaying port members 3 146  4 207   egress mode 3 155  4 201   interface configuration 3 153   4 202   4 206   private 3 156  4 208    W    Web interface  menulist 3 5   web interface  access requirements 3 1  configuration buttons 3 4  home page 3 3  menu list 3 5  panel display 3 4    FOR TECHNICAL SUPPORT  CALL   From U S A  and Canada  24 hours a day  7 days a week    800  SMC 4 YOU  Phn   949  679 8000  Fax   949  679 1481    From Europe  Contact details can be found on  WWW smc europe com or www smc com    INTERNET  E mail addresses     techsupport  smc com    european techsupport   smc europe com    Driver updates     http   www smc com index cfm action tech support drivers downloads    World Wide Web     http   www smc com  http   www smc europe com    FOR LITERATURE OR ADVERTISING RESPONSE  CALL     U S A  and Canada   Spain    UK    France    Italy    Benelux    Central Europe   Switzerland   Nordic    Northern Europe   Eastern Europe     Sub Saharian Africa     North Africa   Russia   PRC   Taiwan   Asia Pacific   Korea   Japan   Australia   India   Middle East   Thailand      800  SMC 4 YOU   34 93 477 4935    4
421. ublic-key username [dsa | rsa]
- username: Name of an SSH user. (Range: 1-8 characters)
- dsa: DSA public key type.
- rsa: RSA public key type.
Default Setting
Deletes both the DSA and RSA key.
Command Mode
Privileged Exec
Example
Console#delete public-key admin dsa
Console#
4-52
SYSTEM MANAGEMENT COMMANDS
ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Syntax
ip ssh crypto host-key generate [dsa | rsa]
- dsa: DSA (Version 2) key type.
- rsa: RSA (Version 1) key type.
Default Setting
Generates both the DSA and RSA key pairs.
Command Mode
Privileged Exec
Command Usage
- This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory.
- Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process. Otherwise, you must manually create a known hosts file and place the host public key in it.
- The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it.
Example
Console#ip ssh crypto host-key generate dsa
Console#
Related Commands
ip ssh crypto zeroize (4-54)
ip ssh save host-key (4-54)
4-53
COMMAND LINE INTERFACE
ip ssh crypto zeroize
This command clears the host key from memory (i.e. RAM).
Syntax
ip ssh crypto zeroize ds
422. ue field, and then click Apply.
Figure 3-77 Mapping IP Precedence Priority Values
3-173
CONFIGURING THE SWITCH
CLI: The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
Console(config)#map ip precedence  4-230
Console(config)#interface ethernet 1/1  4-144
Console(config-if)#map ip precedence 1 cos 0  4-232
Console(config-if)#end
Console#show map ip precedence ethernet 1/1  4-236
Precedence mapping status: enabled
Port      Precedence  COS
Eth 1/ 1  0           0
Eth 1/ 1  1           0
Eth 1/ 1  2           2
Eth 1/ 1  3           3
Eth 1/ 1  4           4
Eth 1/ 1  5           5
Eth 1/ 1  6           6
Eth 1/ 1  7           7
Console#
Note: Mapping specific values for IP Precedence is implemented as an interface configuration command, but any changes will apply to all interfaces on the switch.
Mapping DSCP Priority
The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces the ToS bits, but it retains backward compatibility with the three precedence bits so that non-DSCP compliant, ToS-enabled devices
423. ues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
Command Attributes
- WRR: Weighted Round-Robin shares bandwidth at the egress ports by using scheduling weights 1, 2, 4, 6 for queues 0 through 3 respectively. (This is the default selection.)
- Strict: Services the egress queues in sequential order, transmitting all traffic in the higher priority queues before servicing lower priority queues.
Web: Click Priority, Queue Mode. Select Strict or WRR, then click Apply.
Figure 3-74 Queue Mode
CLI: The following sets the queue mode to strict priority service mode.
Console(config)#queue mode wrr  4-223
Console(config)#exit
Console#show queue mode  4-227
Queue mode: wrr
Console#
3-169
CONFIGURING THE SWITCH
Setting the Service Weight for Traffic Classes
This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in "Mapping CoS Values to Egress Queues" on page 3-167, the traffic classes are mapped to one of the four egress queues provided for each port. You can assign a weight to
424. ularity  show rate-limit  Shows the rate limit granularity  PE  4-162
4-159
COMMAND LINE INTERFACE
rate-limit
Use this command to define the rate limit level for a specific interface. Use this command without specifying a rate to restore the default rate limit level. Use the no form to restore the default status of disabled.
Syntax
rate-limit {input | output} level [rate]
no rate-limit {input | output}
- input: Input rate
- output: Output rate
- rate: Maximum value. (Range: 1-30)
Default Setting
30
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Actual rate limit   Rate limit level   Granularity
Example
Console(config)#interface ethernet 1/1
Console(config-if)#rate-limit input level 20
Console(config-if)#
4-160
RATE LIMIT COMMANDS
rate-limit granularity
Use this command to define the rate limit granularity for the Fast Ethernet ports, and the Gigabit Ethernet ports. Use the no form of this command to restore the default setting.
Syntax
rate-limit {fastethernet | gigabitethernet} granularity [granularity]
no rate-limit {fastethernet | gigabitethernet} granularity
- fastethernet: Fast Ethernet granularity
- gigabitethernet: Gigabit Ethernet granularity
- granularity: Sets rate limit granularity for the system. For Fast Ethernet, choose 512 Kbps, 1 Mbps, or 3.3 Mbps. For Gigabit Ethernet, only one granularity option is suppor
425. up
Syntax
whichboot
Default Setting
None
Command Mode
Privileged Exec
4-92
FLASH/FILE COMMANDS
Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Console#whichboot
file name  file type  startup  size (byte)
Unit1:
Diag V2 2 1 3 bix  Boot Rom image  Y  196020
V232 22x2 Tx  Operation Code  Y  1745500
startup  Config File  Y  6023
Total free space: 340787
Console#
boot system
This command specifies the image used to start up the system.
Syntax
boot system [unit:] {boot-rom | config | opcode}: filename
The type of file or image to set as a default includes:
- boot-rom: Boot ROM
- config: Configuration file
- opcode: Run-time operation code
- filename: Name of the configuration file or code image.
- unit: Specifies the unit number. (This is unit 1.)
- The colon (:) is required.
Default Setting
None
Command Mode
Global Configuration
Command Usage
- A colon (:) is required after the specified unit number and file type.
- If the file contains an error, it cannot be set as the default file.
4-93
COMMAND LINE INTERFACE
Example
Console(config)#boot system config: startup
Console(config)#
Related Commands
dir (4-91)
whichboot (4-92)
Authentication Commands
You can configure this switch to authenticate users logging into the system for managem
426. uration
Password threshold: 3 times
timeout: 600 sec
Login timeout: 300 sec
General Commands
Table 4-6 General Commands
Command | Function | Mode | Page
enable | Activates privileged mode | NE | 4-27
disable | Returns to normal mode from privileged mode | PE | 4-28
configure | Activates global configuration mode | PE | 4-28
show history | Shows the command history buffer | NE, PE | 4-29
reload | Restarts the system | PE | 4-30
end | Returns to Privileged Exec mode | any config. mode | 4-30
exit | Returns to the previous configuration mode, or exits the CLI | any | 4-31
quit | Exits a CLI session | NE, PE | 4-31
help | Shows how to use help | any | NA
? | Shows options for command completion (context sensitive) | any | NA
4-26
GENERAL COMMANDS
enable
This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See "Understanding Command Modes" on page 4-8.
Syntax
enable [level]
level: Privilege level to log into the device.
The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec. Enter level 15 to access Privileged Exec mode.
Default Setting
Level 15
Command Mode
Normal Exec
Command Usage
- "super" is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-36.)
- The "#" character is
427. ve network data.
The IEEE 802.1X (dot1X) standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network.
USER AUTHENTICATION
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights.
[Figure: 802.1x client and RADIUS authentication server]
1. Client attempts to access a switch port.
2. Switch sends client an identity request.
3. Client sends back identity information.
4. Switch forwards this to authentication server.
5. Authentication server challenges client.
6. Client responds with proper credentials.
7. Authentication server approves access.
8. Switch grants client access to this port.
When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge bac
428. vices: No
Static entry individual port: Yes
VLAN learning: IVL
Configurable PVID tagging: Yes
Local VLAN capable: No
Traffic classes: Enabled
Global GVRP status: Enabled
GMRP: Disabled
Console#
Displaying Current VLANs
The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging.
Command Attributes (Web)
- VLAN ID: ID of configured VLAN (1-4094).
- Up Time at Creation: Time this VLAN was created (i.e., System Up Time).
- Status: Shows how this VLAN was added to the switch.
  - Dynamic GVRP: Automatically learned via GVRP.
  - Permanent: Added as a static entry.
3-146
VLAN CONFIGURATION
- Egress Ports: Shows all the VLAN port members.
- Untagged Ports: Shows the untagged VLAN port members.
Web: Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down list.
Figure 3-62 Displaying Current VLANs
Command Attributes (CLI)
- VLAN: ID of configured VLAN (1-4094, no leading zeroes).
- Type: Shows how this VLAN was added to the switch.
  - Dyna
429. vlan [id vlan-id | name vlan-name | private-vlan private-vlan-type]
- id: Keyword to be followed by the VLAN ID.
  - vlan-id: ID of the configured VLAN. (Range: 1-4093, no leading zeroes)
- name: Keyword to be followed by the VLAN name.
  - vlan-name: ASCII string from 1 to 32 characters.
- private-vlan: For an explanation of this command see "show vlan private-vlan" on page 4-216.
  - private-vlan-type: Indicates the private VLAN type. (Options: Community, Isolated, Primary)
Default Setting
Shows all VLANs.
4-207
COMMAND LINE INTERFACE
Command Mode
Normal Exec, Privileged Exec
Example
The following example shows how to display information for VLAN 1.
Console#show vlan id 1
Vlan ID: 1
Type: Static
Name: DefaultVlan
Status: Active
Ports/Port Channel:
Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S)
Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S)
Eth1/26(S)
Console#
Configuring Private VLANs
4-208
Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two types of private VLANs: primary/secondary associated groups, and stand-alone isolated VLANs. A primary VLAN contains promiscuous ports that can communicate with all other ports in the private VLAN group, while a sec
430. w. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps.
When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred.
Community Strings
Community strings are used to control management access to SNMP stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users or user groups, and set the access level.
2-9
INITIAL CONFIGURATION
2-10
The default strings are:
- public: with read-only access. Authorized management stations are only able to retrieve MIB objects.
- private: with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
Note: If you do not intend to utilize SNMP, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access to the switch is disabled.
To prevent unauthorized access to the switch via SNMP, it is recommended that you change the default community strings.
To configure a community string, complete the following steps:
1. From the Privileged Exec
431. ware Features
1-2
The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Port-based and private VLANs, plus support for automatic GVRP VLAN registration, provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network, while multicast filtering provides support for real-time network applications. Some of the management features are briefly described below.
DESCRIPTION OF SOFTWARE FEATURES
Configuration Backup and Restore: You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings.
Authentication: This switch authenticates management access via the console port, Telnet or web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses the Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then verifies the client's right to access the network via an authentication server.
Other authentication opt
432. witch configuration files via TFTP  Configure Spanning Tree parameters   Configure Class of Service  CoS  priority queuing   Configure up to 4 static or LACP trunks   Enable port mirroring   Set broadcast storm control on any port   Display system information and statistics    Configure any stack unit through the same IP address    Required Connections    2 2    The switch provides an RS 232 serial port that enables a connection to a    PC or terminal for monitoring and configuring the switch  A null modem    console cable is provided with the switch     Note  When configuring a stack  connect to the console port on the    Master unit     CONNECTING TO THE SWITCH    Attach a VT100 compatible terminal  or a PC running a terminal  emulation program to the switch  You can use the console cable provided  with this package  or use a null modem cable that complies with the wiring  assignments shown in the Installation Guide     To connect a terminal to the console port  complete the following steps     1  Connect the console cable to the serial port on a terminal  or a PC  running terminal emulation software  and tighten the captive retaining  screws on the DB 9 connector     2  Connect the other end of the cable to the RS 232 serial port on the  switch     3  Make sure the terminal emulation software is set as follows       Select the appropriate serial port  COM port 1 or COM port 2       Set the baud rate to 9600 bps      Set the data format to 8 data bits  1 stop bit  and no pa
433. x client must support it.)
Displaying 802.1X Global Settings
The 802.1X protocol provides client authentication.
Command Attributes
802.1X System Authentication Control: The global setting for 802.1X.
Web: Click Security, 802.1X, Information.
Figure 3-30 802.1X Global Information
CLI: This example shows the default global setting for 802.1X.
Console#show dot1x  4-114
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name  Status    Operation Mode  Mode             Authorized
1/1        disabled  Single-Host     ForceAuthorized  n/a
1/2        disabled  Single-Host     ForceAuthorized  n/a
802.1X Port Details
802.1X is disabled on port 1/1
802.1X is disabled on port 1/26
Console#
USER AUTHENTICATION
Configuring 802.1X Global Settings
The 802.1X protocol includes port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.
Command Attributes
- 802.1X System Authentication Control: Sets the global setting for 802.1X. (Default: Disabled)
Web: Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply.
Figure 3-31 802.1X Configuration
CLI: This example enables 802.1X globally for the switch.
Console(config)#dot1x system-auth-con
434. y  4-49
Console#show public-key host  4-49
Host:
RSA: 1024 65537
DSA: ssh-dss
Console#
Configuring the SSH Server
The SSH server includes basic settings for authentication.
Field Attributes
- SSH Server Status: Allows you to enable/disable the SSH server on the switch. (Default: Disabled)
- Version: The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
- SSH Authentication Timeout: Specifies the time interval in seco
435. y buffer.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
Example
In this example, the show history command lists the contents of the command history buffer.
Console#show history
Execution command history:
2 config
1 show history
Configuration command history:
4 interface vlan 1
3 exit
2 interface vlan 1
1 end
Console#
4-29
COMMAND LINE INTERFACE
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).
Console#!2
Console#config
Console(config)#
reload
4-30
This command restarts the system.
Note: When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
This command resets the entire system.
Example
This example shows how to reset the switch.
Console#reload
System will be restarted, continue <y/n>? y
end
This command returns to Privileged
436. y to IEEE 802.1Q VLAN tagged frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
- If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.
3-165
CONFIGURING THE SWITCH
Command Attributes
- Default Priority: The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7, Default: 0)
- Number of Egress Traffic Classes: The number of queue buffers provided for each port.
Web: Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.
Figure 3-72 Port Priority Configuration
CLI: This example assigns a default priority of 5 to port 3.
Console(config)#interface ethernet 1/3  4-144
Console(config-if)#switchport priority default 5  4-224
Console(config-if)#end
Console#show interfaces switchport ethernet 1/3  4-155
Information of Eth 1/3
Broadcast threshold: Disabled
LACP status: Disabled
Ingress rate limit: disable, Level: 30
Egress rate limit: disable, Level: 30
VLAN membership mode: Hybrid
Ingress rule: Enabled
Acceptable frame type: Tagged frames only
Native VLAN: 1
Priority for untagged traffic: 5
GVRP status: Disabled
Allow
    