ECS3510-26P Management Guide

ECS3510-26P
26-Port Fast Ethernet
Layer 2 Switch
Management Guide
www.edge-core.com
M ANAGEMENT G UIDE
ECS3510-28P GIGABIT ETHERNET SWITCH
Layer 2 Managed Switch
with 24 10/100BASE-TX (RJ-45) PoE Ports,
and 2 Gigabit SFP Ports
ECS3510-28P
E052013/ST-R01
149100000220A
ABOUT THIS GUIDE
PURPOSE This guide gives specific information on how to operate and use the
management functions of the switch. To deploy this switch effectively and
ensure trouble-free operation, you should first read the relevant sections in
this guide so that you are familiar with all of its software features.
AUDIENCE The guide is intended for use by network administrators who are
responsible for operating and maintaining network equipment. The guide
assumes a basic working knowledge of LANs (Local Area Networks), the
Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
CONVENTIONS The following conventions are used throughout this guide to show
information:
NOTE: Emphasizes important information or calls your attention to related
features or instructions.
CAUTION: Alerts you to a potential hazard that could cause loss of data, or
damage the system or equipment.
WARNING: Alerts you to a potential hazard that could cause personal injury.
RELATED PUBLICATIONS This guide focuses on switch software configuration through the web
interface and console port.
For information on how to install the switch, see the following guide:
Installation Guide
For all safety information and regulatory statements, see the following
documents:
Quick Start Guide
Safety and Regulatory Information
– 5 –
ABOUT THIS GUIDE
REVISION HISTORY This section summarizes the changes in each revision of this guide.
MAY 2013 REVISION
This is the first version of this guide. This guide is valid for software release
v1.0.0.0.
– 6 –
CONTENTS
SECTION I
ABOUT THIS GUIDE
5
CONTENTS
7
FIGURES
33
TABLES
43
GETTING STARTED
49
1 INTRODUCTION
51
Key Features
51
Description of Software Features
52
System Defaults
57
2 INITIAL SWITCH CONFIGURATION
Connecting to the Switch
61
Configuration Options
61
Required Connections
62
Remote Connections
63
Basic Configuration
64
Console Connection
64
Setting Passwords
64
Setting an IP Address
65
Downloading a Configuration File Referenced by a DHCP Server
71
Enabling SNMP Management Access
73
Managing System Files
Saving or Restoring Configuration Settings
SECTION II
61
75
76
WEB CONFIGURATION
79
3 USING THE WEB INTERFACE
81
Connecting to the Web Interface
– 7 –
81
CONTENTS
Navigating the Web Browser Interface
82
Home Page
82
Configuration Options
83
Panel Display
83
Main Menu
84
4 BASIC MANAGEMENT TASKS
97
Displaying System Information
97
Displaying Hardware/Software Versions
98
Configuring Support for Jumbo Frames
100
Displaying Bridge Extension Capabilities
101
Managing System Files
102
Copying Files via FTP/TFTP or HTTP
102
Saving the Running Configuration to a Local File
104
Setting The Start-Up File
105
Showing System Files
106
Automatic Operation Code Upgrade
107
Setting the System Clock
111
Setting the Time Manually
111
Setting the SNTP Polling Interval
112
Specifying SNTP Time Servers
113
Setting the Time Zone
114
Configuring Summer Time
115
Configuring the Console Port
117
Configuring Telnet Settings
119
Displaying CPU Utilization
120
Displaying Memory Utilization
121
Resetting the System
122
5 INTERFACE CONFIGURATION
Port Configuration
127
127
Configuring by Port List
127
Configuring by Port Range
130
Displaying Connection Status
131
Configuring Local Port Mirroring
132
Configuring Remote Port Mirroring
134
Showing Port or Trunk Statistics
138
Performing Cable Diagnostics
142
– 8 –
CONTENTS
Trunk Configuration
144
Configuring a Static Trunk
145
Configuring a Dynamic Trunk
147
Displaying LACP Port Counters
153
Displaying LACP Settings and Status for the Local Side
154
Displaying LACP Settings and Status for the Remote Side
156
Configuring Trunk Mirroring
158
Saving Power
159
Traffic Segmentation
161
Enabling Traffic Segmentation
161
Configuring Uplink and Downlink Ports
162
VLAN Trunking
163
6 VLAN CONFIGURATION
167
IEEE 802.1Q VLANs
167
Configuring VLAN Groups
170
Adding Static Members to VLANs
171
Configuring Dynamic VLAN Registration
176
IEEE 802.1Q Tunneling
179
Enabling QinQ Tunneling on the Switch
183
Adding an Interface to a QinQ Tunnel
184
Protocol VLANs
185
Configuring Protocol VLAN Groups
186
Mapping Protocol Groups to Interfaces
187
Configuring IP Subnet VLANs
189
Configuring MAC-based VLANs
191
Configuring VLAN Mirroring
193
7 ADDRESS TABLE SETTINGS
195
Setting Static Addresses
195
Changing the Aging Time
197
Displaying the Dynamic Address Table
198
Clearing the Dynamic Address Table
199
Configuring MAC Address Mirroring
200
8 SPANNING TREE ALGORITHM
203
Overview
203
Configuring Loopback Detection
206
Configuring Global Settings for STA
207
– 9 –
CONTENTS
Displaying Global Settings for STA
212
Configuring Interface Settings for STA
213
Displaying Interface Settings for STA
217
Configuring Multiple Spanning Trees
220
Configuring Interface Settings for MSTP
223
9 CONGESTION CONTROL
227
Rate Limiting
227
Storm Control
229
Automatic Traffic Control
232
Setting the ATC Timers
233
Configuring ATC Thresholds and Responses
235
10 CLASS OF SERVICE
239
Layer 2 Queue Settings
239
Setting the Default Priority for Interfaces
239
Selecting the Queue Mode
240
Mapping CoS Values to Egress Queues
243
Layer 3/4 Priority Settings
245
Setting Priority Processing to DSCP or CoS
246
Mapping Ingress DSCP Values to Internal DSCP Values
247
Mapping CoS Priorities to Internal DSCP Values
249
11 QUALITY OF SERVICE
253
Overview
253
Configuring a Class Map
254
Creating QoS Policies
257
Attaching a Policy Map to a Port
267
12 VOIP TRAFFIC CONFIGURATION
269
Overview
269
Configuring VoIP Traffic
270
Configuring Telephony OUI
271
Configuring VoIP Traffic Ports
272
13 SECURITY MEASURES
275
AAA Authorization and Accounting
276
Configuring Local/Remote Logon Authentication
277
Configuring Remote Logon Authentication Servers
278
Configuring AAA Accounting
283
Configuring AAA Authorization
289
– 10 –
CONTENTS
Configuring User Accounts
292
Web Authentication
294
Configuring Global Settings for Web Authentication
294
Configuring Interface Settings for Web Authentication
295
Network Access (MAC Address Authentication)
296
Configuring Global Settings for Network Access
299
Configuring Network Access for Ports
300
Configuring Port Link Detection
302
Configuring a MAC Address Filter
303
Displaying Secure MAC Address Information
305
Configuring HTTPS
306
Configuring Global Settings for HTTPS
306
Replacing the Default Secure-site Certificate
308
Configuring the Secure Shell
309
Configuring the SSH Server
312
Generating the Host Key Pair
313
Importing User Public Keys
315
Access Control Lists
317
Showing TCAM Utilization
318
Setting the ACL Name and Type
319
Configuring a Standard IPv4 ACL
320
Configuring an Extended IPv4 ACL
322
Configuring a MAC ACL
325
Configuring an ARP ACL
327
Binding a Port to an Access Control List
328
ARP Inspection
330
Configuring Global Settings for ARP Inspection
331
Configuring VLAN Settings for ARP Inspection
333
Configuring Interface Settings for ARP Inspection
334
Displaying ARP Inspection Statistics
336
Displaying the ARP Inspection Log
337
Filtering IP Addresses for Management Access
338
Configuring Port Security
340
Configuring 802.1X Port Authentication
342
Configuring 802.1X Global Settings
344
Configuring Port Authenticator Settings for 802.1X
345
– 11 –
CONTENTS
Configuring Port Supplicant Settings for 802.1X
349
Displaying 802.1X Statistics
351
IP Source Guard
354
Configuring Ports for IP Source Guard
354
Configuring Static Bindings for IP Source Guard
356
Displaying Information for Dynamic IP Source Guard Bindings
358
DHCP Snooping
359
DHCP Snooping Global Configuration
362
DHCP Snooping VLAN Configuration
363
Configuring Ports for DHCP Snooping
364
Displaying DHCP Snooping Binding Information
365
DoS Protection
14
366
BASIC ADMINISTRATION PROTOCOLS
Configuring Event Logging
369
369
System Log Configuration
369
Remote Log Configuration
372
Sending Simple Mail Transfer Protocol Alerts
373
Link Layer Discovery Protocol
376
Setting LLDP Timing Attributes
376
Configuring LLDP Interface Attributes
378
Configuring LLDP Interface Civic-Address
382
Displaying LLDP Local Device Information
384
Displaying LLDP Remote Device Information
387
Displaying Device Statistics
392
Power Over Ethernet
393
Displaying the Switch’s Overall PoE Power Budget
394
Setting The Port PoE Power Budget
395
Simple Network Management Protocol
397
Configuring Global Settings for SNMP
399
Setting the Local Engine ID
400
Specifying a Remote Engine ID
401
Setting SNMPv3 Views
402
Configuring SNMPv3 Groups
405
Setting Community Access Strings
410
Configuring Local SNMPv3 Users
411
Configuring Remote SNMPv3 Users
413
– 12 –
CONTENTS
Specifying Trap Managers
Remote Monitoring
415
420
Configuring RMON Alarms
420
Configuring RMON Events
423
Configuring RMON History Samples
425
Configuring RMON Statistical Samples
428
Switch Clustering
430
Configuring General Settings for Clusters
431
Cluster Member Configuration
432
Managing Cluster Members
434
Setting A Time Range
435
15 IP CONFIGURATION
439
Using the Ping Function
439
Address Resolution Protocol
441
Setting the ARP Timeout
441
Displaying ARP Entries
442
Setting the Switch’s IP Address (IP Version 4)
443
Setting the Switch’s IP Address (IP Version 6)
445
Configuring the IPv6 Default Gateway
445
Configuring IPv6 Interface Settings
446
Configuring an IPv6 Address
450
Showing IPv6 Addresses
452
Showing the IPv6 Neighbor Cache
454
Showing IPv6 Statistics
456
Showing the MTU for Responding Destinations
461
16 IP SERVICES
463
Configuring General DNS Service Parameters
463
Configuring a List of Domain Names
464
Configuring a List of Name Servers
466
Configuring Static DNS Host to Address Entries
467
Displaying the DNS Cache
468
17 MULTICAST FILTERING
471
Overview
471
Layer 2 IGMP (Snooping and Query)
472
Configuring IGMP Snooping and Query Parameters
474
Specifying Static Interfaces for a Multicast Router
477
– 13 –
CONTENTS
Assigning Interfaces to Multicast Services
480
Setting IGMP Snooping Status per Interface
482
Displaying Multicast Groups Discovered by IGMP Snooping
487
Filtering and Throttling IGMP Groups
Enabling IGMP Filtering and Throttling
488
Configuring IGMP Filter Profiles
489
Configuring IGMP Filtering and Throttling for Interfaces
492
Multicast VLAN Registration
SECTION III
488
493
Configuring Global MVR Settings
495
Configuring MVR Interface Status
496
Assigning Static MVR Multicast Groups to Interfaces
498
Displaying MVR Receiver Groups
500
COMMAND LINE INTERFACE
503
18 USING THE COMMAND LINE INTERFACE
505
Accessing the CLI
505
Console Connection
505
Telnet Connection
506
Entering Commands
507
Keywords and Arguments
507
Minimum Abbreviation
507
Command Completion
507
Getting Help on Commands
508
Partial Keyword Lookup
509
Negating the Effect of Commands
509
Using Command History
510
Understanding Command Modes
510
Exec Commands
510
Configuration Commands
511
Command Line Processing
513
Output Modifiers
513
CLI Command Groups
19 GENERAL COMMANDS
514
517
prompt
517
reload (Global Configuration)
518
– 14 –
CONTENTS
enable
519
quit
520
show history
520
configure
521
disable
522
reload (Privileged Exec)
522
show reload
523
end
523
exit
523
20 SYSTEM MANAGEMENT COMMANDS
Device Designation
525
525
hostname
526
System Status
526
show access-list tcam-utilization
527
show memory
527
show process cpu
528
show running-config
528
show startup-config
529
show system
530
show tech-support
531
show users
531
show version
532
Frame Size
533
jumbo frame
533
File Management
534
General Commands
535
boot system
535
copy
536
delete
539
dir
539
whichboot
540
Automatic Code Upgrade Commands
541
upgrade opcode auto
541
upgrade opcode path
542
show upgrade
543
– 15 –
CONTENTS
Line
544
line
544
databits
545
exec-timeout
546
login
547
parity
548
password
548
password-thresh
549
silent-time
550
speed
550
stopbits
551
timeout login response
552
disconnect
552
terminal
553
show line
554
Event Logging
555
logging facility
555
logging history
556
logging host
557
logging on
557
logging trap
558
clear log
558
show log
559
show logging
560
SMTP Alerts
561
logging sendmail
561
logging sendmail host
562
logging sendmail level
563
logging sendmail destination-email
563
logging sendmail source-email
564
show logging sendmail
564
Time
565
SNTP Commands
565
sntp client
565
sntp poll
566
sntp server
567
– 16 –
CONTENTS
show sntp
567
Manual Configuration Commands
568
clock summer-time
568
clock timezone
569
clock timezone-predefined
570
calendar set
571
show calendar
571
Time Range
572
time-range
572
absolute
573
periodic
574
show time-range
575
Switch Clustering
575
cluster
576
cluster commander
577
cluster ip-pool
578
cluster member
578
rcommand
579
show cluster
579
show cluster members
580
show cluster candidates
580
21 SNMP COMMANDS
581
General SNMP Commands
582
snmp-server
582
snmp-server community
583
snmp-server contact
583
snmp-server location
584
show snmp
584
SNMP Target Host Commands
585
snmp-server enable traps
585
snmp-server host
586
SNMPv3 Commands
589
snmp-server engine-id
589
snmp-server group
590
snmp-server user
591
snmp-server view
592
– 17 –
CONTENTS
show snmp engine-id
593
show snmp group
594
show snmp user
595
show snmp view
596
Notification Log Commands
596
nlm
596
snmp-server notify-filter
597
show nlm oper-status
598
show snmp notify-filter
599
22 REMOTE MONITORING COMMANDS
601
rmon alarm
602
rmon event
603
rmon collection history
604
rmon collection rmon1
605
show rmon alarms
606
show rmon events
606
show rmon history
606
show rmon statistics
607
23 AUTHENTICATION COMMANDS
609
User Accounts
609
enable password
610
username
611
Authentication Sequence
612
authentication enable
612
authentication login
613
RADIUS Client
614
radius-server acct-port
614
radius-server auth-port
615
radius-server host
615
radius-server key
616
radius-server retransmit
616
radius-server timeout
617
show radius-server
617
TACACS+ Client
618
tacacs-server host
618
tacacs-server key
619
– 18 –
CONTENTS
tacacs-server port
620
show tacacs-server
620
AAA
621
aaa accounting commands
621
aaa accounting dot1x
622
aaa accounting exec
623
aaa accounting update
624
aaa authorization exec
625
aaa group server
626
server
626
accounting dot1x
627
accounting exec
627
authorization exec
628
show accounting
628
Web Server
629
ip http port
630
ip http server
630
ip http secure-port
631
ip http secure-server
631
Telnet Server
633
ip telnet max-sessions
633
ip telnet port
634
ip telnet server
634
show ip telnet
635
Secure Shell
635
ip ssh authentication-retries
638
ip ssh server
638
ip ssh server-key size
639
ip ssh timeout
640
delete public-key
640
ip ssh crypto host-key generate
641
ip ssh crypto zeroize
642
ip ssh save host-key
642
show ip ssh
643
show public-key
643
show ssh
644
– 19 –
CONTENTS
802.1X Port Authentication
645
General Commands
646
dot1x default
646
dot1x eapol-pass-through
646
dot1x system-auth-control
647
Authenticator Commands
647
dot1x intrusion-action
647
dot1x max-req
648
dot1x operation-mode
649
dot1x port-control
650
dot1x re-authentication
650
dot1x timeout quiet-period
651
dot1x timeout re-authperiod
651
dot1x timeout supp-timeout
652
dot1x timeout tx-period
652
dot1x re-authenticate
653
Supplicant Commands
654
dot1x identity profile
654
dot1x max-start
654
dot1x pae supplicant
655
dot1x timeout auth-period
656
dot1x timeout held-period
656
dot1x timeout start-period
657
Display Information Commands
show dot1x
657
657
Management IP Filter
660
management
660
show management
661
24 GENERAL SECURITY MEASURES
Port Security
663
664
port security
664
Network Access (MAC Address Authentication)
666
network-access aging
667
network-access mac-filter
667
mac-authentication reauth-time
668
network-access dynamic-qos
669
– 20 –
CONTENTS
network-access dynamic-vlan
670
network-access guest-vlan
671
network-access link-detection
671
network-access link-detection link-down
672
network-access link-detection link-up
672
network-access link-detection link-up-down
673
network-access max-mac-count
674
network-access mode mac-authentication
674
network-access port-mac-filter
675
mac-authentication intrusion-action
676
mac-authentication max-mac-count
676
clear network-access
677
show network-access
677
show network-access mac-address-table
678
show network-access mac-filter
679
Web Authentication
679
web-auth login-attempts
680
web-auth quiet-period
681
web-auth session-timeout
681
web-auth system-auth-control
682
web-auth
682
web-auth re-authenticate (Port)
683
web-auth re-authenticate (IP)
683
show web-auth
684
show web-auth interface
684
show web-auth summary
685
DHCP Snooping
685
ip dhcp snooping
686
ip dhcp snooping information option
688
ip dhcp snooping information policy
689
ip dhcp snooping verify mac-address
689
ip dhcp snooping vlan
690
ip dhcp snooping trust
691
clear ip dhcp snooping database flash
692
ip dhcp snooping database flash
692
show ip dhcp snooping
693
– 21 –
CONTENTS
show ip dhcp snooping binding
IP Source Guard
693
694
ip source-guard binding
694
ip source-guard
696
ip source-guard max-binding
697
show ip source-guard
698
show ip source-guard binding
698
ARP Inspection
699
ip arp inspection
700
ip arp inspection filter
701
ip arp inspection log-buffer logs
702
ip arp inspection validate
703
ip arp inspection vlan
703
ip arp inspection limit
704
ip arp inspection trust
705
show ip arp inspection configuration
706
show ip arp inspection interface
706
show ip arp inspection log
707
show ip arp inspection statistics
707
show ip arp inspection vlan
707
Denial of Service Protection
flow tcp-udp-port-zero
25 ACCESS CONTROL LISTS
IPv4 ACLs
708
708
711
711
access-list ip
712
permit, deny, redirect-to (Standard IP ACL)
713
permit, deny, redirect-to (Extended IPv4 ACL)
714
ip access-group
717
show ip access-group
717
show ip access-list
718
MAC ACLs
718
access-list mac
719
permit, deny, redirect-to
(MAC ACL)
719
mac access-group
722
show mac access-group
722
show mac access-list
723
– 22 –
CONTENTS
ARP ACLs
723
access-list arp
723
permit, deny (ARP ACL)
724
show arp access-list
725
ACL Information
726
show access-group
726
show access-list
726
26 INTERFACE COMMANDS
729
Interface Configuration
730
interface
730
alias
731
capabilities
731
description
732
flowcontrol
733
giga-phy-mode
734
negotiation
735
shutdown
736
speed-duplex
736
switchport packet-rate
737
clear counters
739
show interfaces brief
739
show interfaces counters
740
show interfaces status
741
show interfaces switchport
742
show interfaces transceiver
744
Cable Diagnostics
745
test cable-diagnostics
745
show cable-diagnostics
746
Power Savings
747
power-save
747
show power-save
748
27 LINK AGGREGATION COMMANDS
Manual Configuration Commands
channel-group
749
750
750
Dynamic Configuration Commands
lacp
751
751
– 23 –
CONTENTS
lacp admin-key (Ethernet Interface)
752
lacp port-priority
753
lacp system-priority
754
lacp admin-key (Port Channel)
755
Trunk Status Display Commands
756
show lacp
756
28 PORT MIRRORING COMMANDS
761
Local Port Mirroring Commands
761
port monitor
761
show port monitor
763
RSPAN Mirroring Commands
764
rspan source
765
rspan destination
766
rspan remote vlan
767
no rspan session
768
show rspan
769
29 RATE LIMIT COMMANDS
rate-limit
771
771
30 AUTOMATIC TRAFFIC CONTROL COMMANDS
Threshold Commands
773
776
auto-traffic-control apply-timer
776
auto-traffic-control release-timer
776
auto-traffic-control
777
auto-traffic-control action
778
auto-traffic-control alarm-clear-threshold
779
auto-traffic-control alarm-fire-threshold
780
auto-traffic-control auto-control-release
781
auto-traffic-control control-release
781
SNMP Trap Commands
782
snmp-server enable port-traps atc broadcast-alarm-clear
782
snmp-server enable port-traps atc broadcast-alarm-fire
782
snmp-server enable port-traps atc broadcast-control-apply
783
snmp-server enable port-traps atc broadcast-control-release
783
snmp-server enable port-traps atc multicast-alarm-clear
784
snmp-server enable port-traps atc multicast-alarm-fire
784
snmp-server enable port-traps atc multicast-control-apply
785
– 24 –
C ONTENTS
snmp-server enable port-traps atc multicast-control-release
ATC Display Commands
785
786
show auto-traffic-control
786
show auto-traffic-control interface
786
31 ADDRESS TABLE COMMANDS
789
mac-address-table aging-time
789
mac-address-table static
790
clear mac-address-table dynamic
791
show mac-address-table
791
show mac-address-table aging-time
792
show mac-address-table count
793
32 SPANNING TREE COMMANDS
795
spanning-tree
796
spanning-tree cisco-prestandard
797
spanning-tree forward-time
797
spanning-tree hello-time
798
spanning-tree max-age
799
spanning-tree mode
799
spanning-tree pathcost method
801
spanning-tree priority
801
spanning-tree mst configuration
802
spanning-tree transmission-limit
802
max-hops
803
mst priority
804
mst vlan
804
name
805
revision
806
spanning-tree bpdu-filter
806
spanning-tree bpdu-guard
807
spanning-tree cost
808
spanning-tree edge-port
809
spanning-tree link-type
810
spanning-tree loopback-detection
810
spanning-tree loopback-detection action
811
spanning-tree loopback-detection release-mode
812
spanning-tree loopback-detection trap
813
– 25 –
CONTENTS
spanning-tree mst cost
813
spanning-tree mst port-priority
814
spanning-tree port-priority
815
spanning-tree root-guard
815
spanning-tree spanning-disabled
816
spanning-tree loopback-detection release
817
spanning-tree protocol-migration
817
show spanning-tree
818
show spanning-tree mst configuration
820
33 VLAN COMMANDS
821
GVRP and Bridge Extension Commands
822
bridge-ext gvrp
822
garp timer
823
switchport forbidden vlan
824
switchport gvrp
824
show bridge-ext
825
show garp timer
825
show gvrp configuration
826
Editing VLAN Groups
827
vlan database
827
vlan
828
Configuring VLAN Interfaces
829
interface vlan
829
switchport acceptable-frame-types
830
switchport allowed vlan
831
switchport ingress-filtering
832
switchport mode
832
switchport native vlan
833
vlan-trunking
834
Displaying VLAN Information
835
show vlan
835
Configuring IEEE 802.1Q Tunneling
836
dot1q-tunnel system-tunnel-control
837
switchport dot1q-tunnel mode
838
switchport dot1q-tunnel tpid
839
show dot1q-tunnel
840
– 26 –
CONTENTS
Configuring Port-based Traffic Segmentation
840
traffic-segmentation
840
show traffic-segmentation
841
Configuring Protocol-based VLANs
842
protocol-vlan protocol-group (Configuring Groups)
843
protocol-vlan protocol-group (Configuring Interfaces)
843
show protocol-vlan protocol-group
844
show interfaces protocol-vlan protocol-group
845
Configuring IP Subnet VLANs
846
subnet-vlan
846
show subnet-vlan
847
Configuring MAC Based VLANs
848
mac-vlan
848
show mac-vlan
849
Configuring Voice VLANs
849
voice vlan
850
voice vlan aging
851
voice vlan mac-address
852
switchport voice vlan
853
switchport voice vlan priority
853
switchport voice vlan rule
854
switchport voice vlan security
855
show voice vlan
855
34 CLASS OF SERVICE COMMANDS
857
Priority Commands (Layer 2)
857
queue mode
858
queue weight
859
switchport priority default
860
show queue mode
861
show queue weight
861
Priority Commands (Layer 3 and 4)
862
qos map cos-dscp
862
qos map dscp-mutation
864
qos map phb-queue
865
qos map trust-mode
866
show qos map cos-dscp
867
– 27 –
CONTENTS
show qos map dscp-mutation
867
show qos map phb-queue
868
show qos map trust-mode
868
35 QUALITY OF SERVICE COMMANDS
869
class-map
870
description
871
match
872
rename
873
policy-map
873
class
874
police flow
875
police srtcm-color
877
police trtcm-color
879
set cos
881
set ip dscp
882
set phb
883
service-policy
884
show class-map
885
show policy-map
885
show policy-map interface
886
36 MULTICAST FILTERING COMMANDS
IGMP Snooping
887
887
ip igmp snooping
889
ip igmp snooping proxy-reporting
889
ip igmp snooping querier
890
ip igmp snooping router-alert-option-check
890
ip igmp snooping router-port-expire-time
891
ip igmp snooping tcn-flood
892
ip igmp snooping tcn-query-solicit
893
ip igmp snooping unregistered-data-flood
893
ip igmp snooping unsolicited-report-interval
894
ip igmp snooping version
895
ip igmp snooping version-exclusive
895
ip igmp snooping vlan general-query-suppression
896
ip igmp snooping vlan immediate-leave
897
ip igmp snooping vlan last-memb-query-count
898
– 28 –
CONTENTS
ip igmp snooping vlan last-memb-query-intvl
898
ip igmp snooping vlan mrd
899
ip igmp snooping vlan proxy-address
900
ip igmp snooping vlan query-interval
901
ip igmp snooping vlan query-resp-intvl
902
ip igmp snooping vlan static
903
show ip igmp snooping
903
show ip igmp snooping mrouter
904
show ip igmp snooping group
905
Static Multicast Routing
ip igmp snooping vlan mrouter
IGMP Filtering and Throttling
906
906
907
ip igmp filter (Global Configuration)
907
ip igmp profile
908
permit, deny
909
range
909
ip igmp filter (Interface Configuration)
910
ip igmp max-groups
910
ip igmp max-groups action
911
show ip igmp filter
912
show ip igmp profile
912
show ip igmp throttle interface
913
Multicast VLAN Registration
914
mvr
914
mvr immediate-leave
915
mvr type
916
mvr vlan group
917
show mvr
918
37 LLDP COMMANDS
921
lldp
923
lldp holdtime-multiplier
923
lldp med-fast-start-count
924
lldp notification-interval
924
lldp refresh-interval
925
lldp reinit-delay
925
lldp tx-delay
926
– 29 –
CONTENTS
lldp admin-status
927
lldp basic-tlv management-ip-address
927
lldp basic-tlv port-description
928
lldp basic-tlv system-capabilities
929
lldp basic-tlv system-description
929
lldp basic-tlv system-name
930
lldp dot1-tlv proto-ident
930
lldp dot1-tlv proto-vid
931
lldp dot1-tlv pvid
931
lldp dot1-tlv vlan-name
932
lldp dot3-tlv link-agg
932
lldp dot3-tlv max-frame
933
lldp med-location civic-addr
933
lldp med-notification
935
lldp med-tlv ext-poe
936
lldp med-tlv inventory
936
lldp med-tlv location
937
lldp med-tlv med-cap
937
lldp med-tlv network-policy
938
lldp notification
938
show lldp config
939
show lldp info local-device
940
show lldp info remote-device
941
show lldp info statistics
943
38 DOMAIN NAME SERVICE COMMANDS
945
ip domain-list
945
ip domain-lookup
946
ip domain-name
947
ip host
948
ip name-server
949
ipv6 host
950
clear dns cache
950
clear host
951
show dns
951
show dns cache
952
show hosts
952
– 30 –
CONTENTS
39 DHCP COMMANDS
955
DHCP Client
955
DHCP for IPv4
955
ip dhcp client class-id
955
ip dhcp restart client
956
DHCP for IPv6
957
ipv6 dhcp client rapid-commit vlan
957
ipv6 dhcp restart client vlan
958
show ip dhcp client-identifier
959
show ipv6 dhcp duid
959
show ipv6 dhcp vlan
960
40 IP INTERFACE COMMANDS
IPv4 Interface
961
961
Basic IPv4 Configuration
962
ip address
962
ip default-gateway
963
show ip default-gateway
964
show ip interface
964
show ip traffic
965
traceroute
966
ping
967
ARP Configuration
968
arp timeout
968
clear arp-cache
969
show arp
969
IPv6 Interface
970
Interface Address Configuration and Utilities
971
ipv6 default-gateway
971
ipv6 address
972
ipv6 address autoconfig
973
ipv6 address eui-64
974
ipv6 address link-local
976
ipv6 enable
977
ipv6 mtu
978
show ipv6 default-gateway
979
show ipv6 interface
980
– 31 –
CONTENTS
show ipv6 mtu
981
show ipv6 mtu
982
show ipv6 traffic
983
clear ipv6 traffic
987
ping6
987
Neighbor Discovery
SECTION IV
988
clear ipv6 neighbors
988
show ipv6 neighbors
989
APPENDICES
991
A SOFTWARE SPECIFICATIONS
993
Software Features
993
Management Features
994
Standards
995
Management Information Bases
995
B TROUBLESHOOTING
997
Problems Accessing the Management Interface
997
Using System Logs
998
C LICENSE INFORMATION
999
The GNU General Public License
999
GLOSSARY
1003
COMMAND LIST
1011
INDEX
1017
– 32 –
FIGURES
Figure 1: Home Page
82
Figure 2: Front Panel Indicators
83
Figure 3: System Information
98
Figure 4: General Switch Information
99
Figure 5: Configuring Support for Jumbo Frames
100
Figure 6: Displaying Bridge Extension Configuration
102
Figure 7: Copy Firmware
104
Figure 8: Saving the Running Configuration
105
Figure 9: Setting Start-Up Files
106
Figure 10: Displaying System Files
107
Figure 11: Configuring Automatic Code Upgrade
110
Figure 12: Manually Setting the System Clock
112
Figure 13: Setting the Polling Interval for SNTP
113
Figure 14: Specifying SNTP Time Servers
114
Figure 15: Setting the Time Zone
115
Figure 16: Summer Time Settings
116
Figure 17: Console Port Settings
118
Figure 18: Telnet Connection Settings
120
Figure 19: Displaying CPU Utilization
121
Figure 20: Displaying Memory Utilization
122
Figure 21: Restarting the Switch (Immediately)
124
Figure 22: Restarting the Switch (In)
125
Figure 23: Restarting the Switch (At)
125
Figure 24: Restarting the Switch (Regularly)
126
Figure 25: Configuring Connections by Port List
130
Figure 26: Configuring Connections by Port Range
131
Figure 27: Displaying Port Information
132
Figure 28: Configuring Local Port Mirroring
132
Figure 29: Configuring Local Port Mirroring
133
Figure 30: Displaying Local Port Mirror Sessions
134
Figure 31: Configuring Remote Port Mirroring
134
– 33 –
FIGURES
Figure 32: Configuring Remote Port Mirroring (Source)
137
Figure 33: Configuring Remote Port Mirroring (Intermediate)
138
Figure 34: Configuring Remote Port Mirroring (Destination)
138
Figure 35: Showing Port Statistics (Table)
141
Figure 36: Showing Port Statistics (Chart)
142
Figure 37: Performing Cable Tests
144
Figure 38: Configuring Static Trunks
145
Figure 39: Creating Static Trunks
146
Figure 40: Configuring Connection Parameters for a Static Trunk
147
Figure 41: Showing Information for Static Trunks
147
Figure 42: Configuring Dynamic Trunks
147
Figure 43: Configuring the LACP Aggregator Admin Key
150
Figure 44: Enabling LACP on a Port
150
Figure 45: Configuring LACP Parameters on a Port
151
Figure 46: Configuring Connection Parameters for a Dynamic Trunk
152
Figure 47: Showing Connection Parameters for Dynamic Trunks
152
Figure 48: Showing Members of Dynamic Trunks
152
Figure 49: Displaying LACP Port Counters
154
Figure 50: Displaying LACP Port Internal Information
156
Figure 51: Displaying LACP Port Remote Information
157
Figure 52: Configuring Trunk Mirroring
158
Figure 53: Configuring Trunk Mirroring
159
Figure 54: Displaying Trunk Mirror Sessions
159
Figure 55: Enabling Power Savings
161
Figure 56: Enabling Traffic Segmentation
162
Figure 57: Configuring Members for Traffic Segmentation
163
Figure 58: Configuring VLAN Trunking
163
Figure 59: Configuring VLAN Trunking
165
Figure 60: VLAN Compliant and VLAN Non-compliant Devices
168
Figure 61: Using GVRP
170
Figure 62: Creating Static VLANs
171
Figure 63: Configuring Static Members by VLAN Index
174
Figure 64: Configuring Static VLAN Members by Interface
175
Figure 65: Configuring Static VLAN Members by Interface Range
175
Figure 66: Configuring Global Status of GVRP
177
Figure 67: Configuring GVRP for an Interface
178
– 34 –
FIGURES
Figure 68: Showing Dynamic VLANs Registered on the Switch
178
Figure 69: Showing the Members of a Dynamic VLAN
178
Figure 70: QinQ Operational Concept
180
Figure 71: Enabling QinQ Tunneling
184
Figure 72: Adding an Interface to a QinQ Tunnel
185
Figure 73: Configuring Protocol VLANs
187
Figure 74: Displaying Protocol VLANs
187
Figure 75: Assigning Interfaces to Protocol VLANs
188
Figure 76: Showing the Interface to Protocol Group Mapping
189
Figure 77: Configuring IP Subnet VLANs
190
Figure 78: Showing IP Subnet VLANs
191
Figure 79: Configuring MAC-Based VLANs
192
Figure 80: Showing MAC-Based VLANs
192
Figure 81: Configuring VLAN Mirroring
194
Figure 82: Showing the VLANs to Mirror
194
Figure 83: Configuring Static MAC Addresses
196
Figure 84: Displaying Static MAC Addresses
197
Figure 85: Setting the Address Aging Time
197
Figure 86: Displaying the Dynamic MAC Address Table
199
Figure 87: Clearing Entries in the Dynamic MAC Address Table
200
Figure 88: Mirroring Packets Based on the Source MAC Address
201
Figure 89: Showing the Source MAC Addresses to Mirror
201
Figure 90: STP Root Ports and Designated Ports
204
Figure 91: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree
205
Figure 92: Common Internal Spanning Tree, Common Spanning Tree,
Internal Spanning Tree
205
Figure 93: Configuring Port Loopback Detection
207
Figure 94: Configuring Global Settings for STA (STP)
211
Figure 95: Configuring Global Settings for STA (RSTP)
211
Figure 96: Configuring Global Settings for STA (MSTP)
212
Figure 97: Displaying Global Settings for STA
213
Figure 98: Configuring Interface Settings for STA
217
Figure 99: STA Port Roles
219
Figure 100: Displaying Interface Settings for STA
219
Figure 101: Creating an MST Instance
221
Figure 102: Displaying Global Settings for an MST Instance
221
Figure 103: Adding a VLAN to an MST Instance
222
– 35 –
FIGURES
Figure 104: Displaying Members of an MST Instance
222
Figure 105: Configuring MSTP Interface Settings
224
Figure 106: Displaying MSTP Interface Settings
225
Figure 107: Configuring Rate Limits
229
Figure 108: Configuring Storm Control
231
Figure 109: Storm Control by Limiting the Traffic Rate
232
Figure 110: Storm Control by Shutting Down a Port
233
Figure 111: Configuring ATC Timers
234
Figure 112: Configuring ATC Interface Attributes
237
Figure 113: Setting the Default Port Priority
240
Figure 114: Setting the Queue Mode (Strict)
242
Figure 115: Setting the Queue Mode (WRR)
242
Figure 116: Setting the Queue Mode (Strict and WRR)
243
Figure 117: Mapping CoS Values to Egress Queues
245
Figure 118: Showing CoS Values to Egress Queue Mapping
245
Figure 119: Setting the Trust Mode
247
Figure 120: Configuring DSCP to DSCP Internal Mapping
248
Figure 121: Showing DSCP to DSCP Internal Mapping
249
Figure 122: Configuring CoS to DSCP Internal Mapping
250
Figure 123: Showing CoS to DSCP Internal Mapping
251
Figure 124: Configuring a Class Map
255
Figure 125: Showing Class Maps
256
Figure 126: Adding Rules to a Class Map
256
Figure 127: Showing the Rules for a Class Map
257
Figure 128: Configuring a Policy Map
264
Figure 129: Showing Policy Maps
265
Figure 130: Adding Rules to a Policy Map
266
Figure 131: Showing the Rules for a Policy Map
266
Figure 132: Attaching a Policy Map to a Port
267
Figure 133: Configuring a Voice VLAN
271
Figure 134: Configuring an OUI Telephony List
272
Figure 135: Showing an OUI Telephony List
272
Figure 136: Configuring Port Settings for a Voice VLAN
274
Figure 137: Configuring the Authentication Sequence
278
Figure 138: Authentication Server Operation
278
Figure 139: Configuring Remote Authentication Server (RADIUS)
281
– 36 –
FIGURES
Figure 140: Configuring Remote Authentication Server (TACACS+)
282
Figure 141: Configuring AAA Server Groups
282
Figure 142: Showing AAA Server Groups
283
Figure 143: Configuring Global Settings for AAA Accounting
285
Figure 144: Configuring AAA Accounting Methods
286
Figure 145: Showing AAA Accounting Methods
286
Figure 146: Configuring AAA Accounting Service for 802.1X Service
287
Figure 147: Configuring AAA Accounting Service for Exec Service
287
Figure 148: Displaying a Summary of Applied AAA Accounting Methods
288
Figure 149: Displaying Statistics for AAA Accounting Sessions
288
Figure 150: Configuring AAA Authorization Methods
290
Figure 151: Showing AAA Authorization Methods
290
Figure 152: Configuring AAA Authorization Methods for Exec Service
291
Figure 153: Displaying the Applied AAA Authorization Method
291
Figure 154: Configuring User Accounts
293
Figure 155: Showing User Accounts
293
Figure 156: Configuring Global Settings for Web Authentication
295
Figure 157: Configuring Interface Settings for Web Authentication
296
Figure 158: Configuring Global Settings for Network Access
300
Figure 159: Configuring Interface Settings for Network Access
302
Figure 160: Configuring Link Detection for Network Access
303
Figure 161: Configuring a MAC Address Filter for Network Access
304
Figure 162: Showing the MAC Address Filter Table for Network Access
304
Figure 163: Showing Addresses Authenticated for Network Access
306
Figure 164: Configuring HTTPS
308
Figure 165: Downloading the Secure-Site Certificate
309
Figure 166: Configuring the SSH Server
313
Figure 167: Generating the SSH Host Key Pair
314
Figure 168: Showing the SSH Host Key Pair
315
Figure 169: Copying the SSH User’s Public Key
316
Figure 170: Showing the SSH User’s Public Key
317
Figure 171: Showing TCAM Utilization
319
Figure 172: Creating an ACL
320
Figure 173: Showing a List of ACLs
320
Figure 174: Configuring a Standard IPv4 ACL
322
Figure 175: Configuring an Extended IPv4 ACL
324
– 37 –
FIGURES
Figure 176: Configuring a MAC ACL
326
Figure 177: Configuring a ARP ACL
328
Figure 178: Binding a Port to an ACL
329
Figure 179: Configuring Global Settings for ARP Inspection
333
Figure 180: Configuring VLAN Settings for ARP Inspection
334
Figure 181: Configuring Interface Settings for ARP Inspection
335
Figure 182: Displaying Statistics for ARP Inspection
337
Figure 183: Displaying the ARP Inspection Log
338
Figure 184: Creating an IP Address Filter for Management Access
339
Figure 185: Showing IP Addresses Authorized for Management Access
340
Figure 186: Setting the Maximum Address Count for Port Security
342
Figure 187: Configuring the Status and Response for Port Security
342
Figure 188: Configuring Port Security
343
Figure 189: Configuring Global Settings for 802.1X Port Authentication
345
Figure 190: Configuring Interface Settings for 802.1X Port Authenticator
349
Figure 191: Configuring Interface Settings for 802.1X Port Supplicant
351
Figure 192: Showing Statistics for 802.1X Port Authenticator
353
Figure 193: Showing Statistics for 802.1X Port Supplicant
353
Figure 194: Setting the Filter Type for IP Source Guard
356
Figure 195: Configuring Static Bindings for IP Source Guard
357
Figure 196: Displaying Static Bindings for IP Source Guard
358
Figure 197: Showing the IP Source Guard Binding Table
359
Figure 198: Configuring Global Settings for DHCP Snooping
363
Figure 199: Configuring DHCP Snooping on a VLAN
364
Figure 200: Configuring the Port Mode for DHCP Snooping
365
Figure 201: Displaying the Binding Table for DHCP Snooping
366
Figure 202: Setting Action for Packets with Layer 4 Port Set to Zero
367
Figure 203: Configuring Settings for System Memory Logs
371
Figure 204: Showing Error Messages Logged to System Memory
372
Figure 205: Configuring Settings for Remote Logging of Error Messages
373
Figure 206: Configuring General Settings for SMTP Alert Messages
374
Figure 207: Specifying SMTP Servers
375
Figure 208: Showing Configured SMTP Servers
375
Figure 209: Configuring LLDP Timing Attributes
378
Figure 210: Configuring LLDP Interface Attributes
382
Figure 211: Configuring the Civic Address for an LLDP Interface
383
– 38 –
FIGURES
Figure 212: Showing the Civic Address for an LLDP Interface
384
Figure 213: Displaying Local Device Information for LLDP (General)
386
Figure 214: Displaying Local Device Information for LLDP (Port)
386
Figure 215: Displaying Remote Device Information for LLDP (Port)
391
Figure 216: Displaying Remote Device Information for LLDP (Port Details)
391
Figure 217: Displaying LLDP Device Statistics (General)
393
Figure 218: Displaying LLDP Device Statistics (Port)
393
Figure 219: Showing the Switch’s PoE Budget
395
Figure 220: Setting a Port’s PoE Budget
397
Figure 221: Configuring Global Settings for SNMP
400
Figure 222: Configuring the Local Engine ID for SNMP
401
Figure 223: Configuring a Remote Engine ID for SNMP
402
Figure 224: Showing Remote Engine IDs for SNMP
402
Figure 225: Creating an SNMP View
403
Figure 226: Showing SNMP Views
404
Figure 227: Adding an OID Subtree to an SNMP View
404
Figure 228: Showing the OID Subtree Configured for SNMP Views
405
Figure 229: Creating an SNMP Group
409
Figure 230: Showing SNMP Groups
409
Figure 231: Setting Community Access Strings
410
Figure 232: Showing Community Access Strings
411
Figure 233: Configuring Local SNMPv3 Users
412
Figure 234: Showing Local SNMPv3 Users
413
Figure 235: Configuring Remote SNMPv3 Users
415
Figure 236: Showing Remote SNMPv3 Users
415
Figure 237: Configuring Trap Managers (SNMPv1)
419
Figure 238: Configuring Trap Managers (SNMPv2c)
419
Figure 239: Configuring Trap Managers (SNMPv3)
419
Figure 240: Showing Notification Managers
420
Figure 241: Configuring an RMON Alarm
422
Figure 242: Showing Configured RMON Alarms
423
Figure 243: Configuring an RMON Event
424
Figure 244: Showing Configured RMON Events
425
Figure 245: Configuring an RMON History Sample
426
Figure 246: Showing Configured RMON History Samples
427
Figure 247: Showing Collected RMON History Samples
428
– 39 –
FIGURES
Figure 248: Configuring an RMON Statistical Sample
429
Figure 249: Showing Configured RMON Statistical Samples
429
Figure 250: Showing Collected RMON Statistical Samples
430
Figure 251: Configuring a Switch Cluster
432
Figure 252: Configuring a Cluster Members
433
Figure 253: Showing Cluster Members
433
Figure 254: Showing Cluster Candidates
434
Figure 255: Managing a Cluster Member
435
Figure 256: Setting the Name of a Time Range
436
Figure 257: Showing a List of Time Ranges
436
Figure 258: Add a Rule to a Time Range
437
Figure 259: Showing the Rules Configured for a Time Range
437
Figure 260: Pinging a Network Device
440
Figure 261: Setting the ARP Timeout
442
Figure 262: Displaying ARP Entries
442
Figure 263: Configuring a Static IPv4 Address
444
Figure 264: Configuring a Dynamic IPv4 Address
444
Figure 265: Configuring the IPv6 Default Gateway
446
Figure 266: Configuring General Settings for an IPv6 Interface
449
Figure 267: Configuring an IPv6 Address
452
Figure 268: Showing Configured IPv6 Addresses
454
Figure 269: Showing IPv6 Neighbors
455
Figure 270: Showing IPv6 Statistics (IPv6)
460
Figure 271: Showing IPv6 Statistics (ICMPv6)
460
Figure 272: Showing IPv6 Statistics (UDP)
461
Figure 273: Showing Reported MTU Values
461
Figure 274: Configuring General Settings for DNS
464
Figure 275: Configuring a List of Domain Names for DNS
465
Figure 276: Showing the List of Domain Names for DNS
465
Figure 277: Configuring a List of Name Servers for DNS
466
Figure 278: Showing the List of Name Servers for DNS
467
Figure 279: Configuring Static Entries in the DNS Table
468
Figure 280: Showing Static Entries in the DNS Table
468
Figure 281: Showing Entries in the DNS Cache
469
Figure 282: Multicast Filtering Concept
471
Figure 283: Configuring General Settings for IGMP Snooping
477
– 40 –
FIGURES
Figure 284: Configuring a Static Interface for a Multicast Router
479
Figure 285: Showing Static Interfaces Attached a Multicast Router
479
Figure 286: Showing Current Interfaces Attached a Multicast Router
479
Figure 287: Assigning an Interface to a Multicast Service
481
Figure 288: Showing Static Interfaces Assigned to a Multicast Service
481
Figure 289: Showing Current Interfaces Assigned to a Multicast Service
481
Figure 290: Configuring IGMP Snooping on an Interface
486
Figure 291: Showing Interface Settings for IGMP Snooping
487
Figure 292: Showing Multicast Groups Learned by IGMP Snooping
488
Figure 293: Enabling IGMP Filtering and Throttling
489
Figure 294: Creating an IGMP Filtering Profile
490
Figure 295: Showing the IGMP Filtering Profiles Created
490
Figure 296: Adding Multicast Groups to an IGMP Filtering Profile
491
Figure 297: Showing the Groups Assigned to an IGMP Filtering Profile
491
Figure 298: Configuring IGMP Filtering and Throttling Interface Settings
493
Figure 299: MVR Concept
494
Figure 300: Configuring Global Settings for MVR
496
Figure 301: Configuring Interface Settings for MVR
498
Figure 302: Assigning Static MVR Groups to a Port
499
Figure 303: Showing the Static MVR Groups Assigned to a Port
500
Figure 304: Displaying MVR Receiver Groups
501
Figure 305: Storm Control by Limiting the Traffic Rate
774
Figure 306: Storm Control by Shutting Down a Port
775
Figure 307: Configuring VLAN Trunking
834
– 41 –
FIGURES
– 42 –
TABLES
Table 1: Key Features
51
Table 2: System Defaults
57
Table 3: Options 60, 66 and 67 Statements
71
Table 4: Options 55 and 124 Statements
72
Table 5: Web Page Configuration Buttons
83
Table 6: Switch Main Menu
84
Table 7: Port Statistics
139
Table 8: LACP Port Counters
153
Table 9: LACP Internal Configuration Information
154
Table 10: LACP Remote Device Configuration Information
156
Table 11: Recommended STA Path Cost Range
215
Table 12: Default STA Path Costs
215
Table 13: Effective Rate Limit
228
Table 14: IEEE 802.1p Egress Queue Priority Mapping
243
Table 15: CoS Priority Levels
243
Table 16: Mapping Internal Per-hop Behavior to Hardware Queues
244
Table 17: Default Mapping of DSCP Values to Internal PHB/Drop Values
248
Table 18: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
250
Table 19: Dynamic QoS Profiles
297
Table 20: HTTPS System Support
307
Table 21: Priority Bits Processed by Extended IPv4 ACL
322
Table 22: ARP Inspection Statistics
336
Table 23: ARP Inspection Log
337
Table 24: 802.1X Statistics
351
Table 25: Logging Levels
370
Table 26: LLDP MED Location CA Types
382
Table 27: Chassis ID Subtype
385
Table 28: System Capabilities
385
Table 29: Port ID Subtype
387
Table 30: Remote Port Auto-Negotiation Advertised Capability
389
Table 31: SNMPv3 Security Models and Levels
398
– 43 –
TABLES
Table 32: Supported Notification Messages
406
Table 33: Address Resolution Protocol
441
Table 34: Show IPv6 Neighbors - display description
454
Table 35: Show IPv6 Statistics - display description
456
Table 36: Show MTU - display description
461
Table 37: General Command Modes
510
Table 38: Configuration Command Modes
512
Table 39: Keystroke Commands
513
Table 40: Command Group Index
514
Table 41: General Commands
517
Table 42: System Management Commands
525
Table 43: Device Designation Commands
525
Table 44: System Status Commands
526
Table 45: Frame Size Commands
533
Table 46: Flash/File Commands
534
Table 47: File Directory Information
540
Table 48: Line Commands
544
Table 49: Event Logging Commands
555
Table 50: Logging Levels
556
Table 51: show logging flash/ram - display description
560
Table 52: show logging trap - display description
561
Table 53: Event Logging Commands
561
Table 54: Time Commands
565
Table 55: Time Range Commands
572
Table 56: Switch Cluster Commands
575
Table 57: SNMP Commands
581
Table 58: show snmp engine-id - display description
594
Table 59: show snmp group - display description
595
Table 60: show snmp user - display description
595
Table 61: show snmp view - display description
596
Table 62: RMON Commands
601
Table 63: Authentication Commands
609
Table 64: User Access Commands
609
Table 65: Default Login Settings
611
Table 66: Authentication Sequence Commands
612
Table 67: RADIUS Client Commands
614
– 44 –
TABLES
Table 68: TACACS+ Client Commands
618
Table 69: AAA Commands
621
Table 70: Web Server Commands
629
Table 71: HTTPS System Support
632
Table 72: Telnet Server Commands
633
Table 73: Secure Shell Commands
635
Table 74: show ssh - display description
644
Table 75: 802.1X Port Authentication Commands
645
Table 76: Management IP Filter Commands
660
Table 77: General Security Commands
663
Table 78: Management IP Filter Commands
664
Table 79: Network Access Commands
666
Table 80: Dynamic QoS Profiles
669
Table 81: Web Authentication
680
Table 82: DHCP Snooping Commands
685
Table 83: IP Source Guard Commands
694
Table 84: ARP Inspection Commands
699
Table 85: DoS Protection Commands
708
Table 86: Access Control List Commands
711
Table 87: IPv4 ACL Commands
711
Table 88: Priority Bits Processed by Extended IPv4 ACL
716
Table 89: MAC ACL Commands
718
Table 90: ARP ACL Commands
723
Table 91: ACL Information Commands
726
Table 92: Interface Commands
729
Table 93: show interfaces switchport - display description
743
Table 94: Link Aggregation Commands
749
Table 95: show lacp counters - display description
756
Table 96: show lacp internal - display description
757
Table 97: show lacp neighbors - display description
758
Table 98: show lacp sysid - display description
759
Table 99: Port Mirroring Commands
761
Table 100: Mirror Port Commands
761
Table 101: RSPAN Commands
764
Table 102: Rate Limit Commands
771
Table 103: ATC Commands
773
– 45 –
TABLES
Table 104: Address Table Commands
789
Table 105: Spanning Tree Commands
795
Table 106: Recommended STA Path Cost Range
808
Table 107: Default STA Path Costs
808
Table 108: VLAN Commands
821
Table 109: GVRP and Bridge Extension Commands
822
Table 110: Commands for Editing VLAN Groups
827
Table 111: Commands for Configuring VLAN Interfaces
829
Table 112: Commands for Displaying VLAN Information
835
Table 113:
836
802.1Q Tunneling Commands
Table 114: Commands for Configuring Traffic Segmentation
840
Table 115: Protocol-based VLAN Commands
842
Table 116: IP Subnet VLAN Commands
846
Table 117: MAC Based VLAN Commands
848
Table 118: Voice VLAN Commands
849
Table 119: Priority Commands
857
Table 120: Priority Commands (Layer 2)
857
Table 121: Priority Commands (Layer 3 and 4)
862
Table 122: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
863
Table 123: Default Mapping of DSCP Values to Internal PHB/Drop Values
864
Table 124: Mapping Internal Per-hop Behavior to Hardware Queues
865
Table 125: Quality of Service Commands
869
Table 126: Multicast Filtering Commands
887
Table 127: IGMP Snooping Commands
887
Table 128: Static Multicast Interface Commands
906
Table 129: IGMP Filtering and Throttling Commands
907
Table 130: Multicast VLAN Registration Commands
914
Table 131: show mvr - display description
919
Table 132: show mvr interface - display description
919
Table 133: show mvr members - display description
920
Table 134: LLDP Commands
921
Table 135: LLDP MED Location CA Types
934
Table 136: Address Table Commands
945
Table 137: show dns cache - display description
952
Table 138: show hosts - display description
953
Table 139: DHCP Commands
955
– 46 –
TABLES
Table 140: DHCP Client Commands
955
Table 141: IP Interface Commands
961
Table 142: IPv4 Interface Commands
961
Table 143: Basic IP Configuration Commands
962
Table 144: Address Resolution Protocol Commands
968
Table 145: IPv6 Configuration Commands
970
Table 146: show ipv6 interface - display description
980
Table 147: show ipv6 mtu - display description
982
Table 148: show ipv6 mtu - display description
982
Table 149: show ipv6 traffic - display description
984
Table 150: show ipv6 neighbors - display description
989
Table 151: Troubleshooting Chart
997
– 47 –
TABLES
– 48 –
SECTION I
GETTING STARTED
This section provides an overview of the switch, and introduces some basic
concepts about network switches. It also describes the basic settings
required to access the management interface.
This section includes these chapters:
◆
"Introduction" on page 51
◆
"Initial Switch Configuration" on page 61
– 49 –
SECTION I | Getting Started
– 50 –
1
INTRODUCTION
This switch provides a broad range of features for Layer 2 switching. It
includes a management agent that allows you to configure the features
listed in this manual. The default configuration can be used for most of the
features provided by this switch. However, there are many options that you
should configure to maximize the switch’s performance for your particular
network environment.
KEY FEATURES
Table 1: Key Features
Feature
Description
Configuration Backup
and Restore
Using management station or FTP/TFTP server
Authentication
Console, Telnet, web – user name/password, RADIUS, TACACS+
Port – IEEE 802.1X, MAC address filtering
SNMP v1/2c - Community strings
SNMP version 3 – MD5 or SHA password
Telnet – SSH
Web – HTTPS
General Security
Measures
AAA
ARP Inspection
DHCP Snooping
IP Source Guard
Port Authentication – IEEE 802.1X
Port Security – MAC address filtering
Access Control Lists
Supports up to 512 rules, 64 ACLs,
and a maximum of 32 rules for an ACL
DHCP/DHCPv6
Client
DNS
Client and Proxy service
Port Configuration
Speed and duplex mode and flow control
Port Trunking
Supports up to 12 trunks – static or dynamic trunking (LACP)
Port Mirroring
6 sessions, one or more source ports to one analysis port,
or one source port to multiple destination ports (remote mirror)
Congestion Control
Rate Limiting
Throttling for broadcast, multicast, unknown unicast storms
Random Early Detection
Address Table
8K MAC addresses in the forwarding table, 1K static MAC
addresses, 256 L2 multicast groups
IP Version 4 and 6
Supports IPv4 and IPv6 addressing, and management
IEEE 802.1D Bridge
Supports dynamic data switching and addresses learning
– 51 –
CHAPTER 1 | Introduction
Description of Software Features
Table 1: Key Features (Continued)
Feature
Description
Store-and-Forward
Switching
Supported to ensure wire-speed switching while eliminating bad
frames
Spanning Tree Algorithm
Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and
Multiple Spanning Trees (MSTP)
Virtual LANs
Up to 256 using IEEE 802.1Q, port-based, protocol-based,
voice VLANs, and QinQ tunnel
Traffic Prioritization
Default port priority, traffic class map, queue scheduling, IP
Precedence, or Differentiated Services Code Point (DSCP)
Qualify of Service
Supports Differentiated Services (DiffServ)
Link Layer Discovery
Protocol
Used to discover basic information about neighboring devices
Multicast Filtering
Supports IGMP snooping and query, and Multicast VLAN
Registration
Switch Clustering
Supports up to 36 member switches in a cluster
DESCRIPTION OF SOFTWARE FEATURES
The switch provides a wide range of advanced performance enhancing
features. Flow control eliminates the loss of packets due to bottlenecks
caused by port saturation. Storm suppression prevents broadcast,
multicast, and unknown unicast traffic storms from engulfing the network.
Untagged (port-based), tagged, and protocol-based VLANs, plus support
for automatic GVRP VLAN registration provide traffic security and efficient
use of network bandwidth. CoS priority queueing ensures the minimum
delay for moving real-time multimedia data across the network. While
multicast filtering provides support for real-time network applications.
Some of the management features are briefly described below.
CONFIGURATION You can save the current configuration settings to a file on the
BACKUP AND management station (using the web interface) or an FTP/TFTP server
RESTORE (using the web or console interface), and later download this file to restore
the switch configuration settings.
AUTHENTICATION This switch authenticates management access via the console port, Telnet,
or a web browser. User names and passwords can be configured locally or
can be verified via a remote authentication server (i.e., RADIUS or
TACACS+). Port-based authentication is also supported via the IEEE
802.1X protocol. This protocol uses Extensible Authentication Protocol over
LANs (EAPOL) to request user credentials from the 802.1X client, and then
uses the EAP between the switch and the authentication server to verify
the client’s right to access the network via an authentication server (i.e.,
RADIUS or TACACS+ server).
– 52 –
CHAPTER 1 | Introduction
Description of Software Features
Other authentication options include HTTPS for secure management access
via the web, SSH for secure management access over a Telnet-equivalent
connection, SNMP Version 3, IP address filtering for SNMP/Telnet/web
management access. MAC address filtering and IP source guard also
provide authentication for port access. While DHCP snooping is provided to
prevent malicious attacks from insecure ports.
ACCESS CONTROL ACLs provide packet filtering for IP frames (based on address, protocol,
LISTS TCP/UDP port number or TCP control code) or any frames (based on MAC
address or Ethernet type). ACLs can be used to improve performance by
blocking unnecessary network traffic or to implement security controls by
restricting access to specific network resources or protocols.
PORT CONFIGURATION You can manually configure the speed, duplex mode, and flow control used
on specific ports, or use auto-negotiation to detect the connection settings
used by the attached device. Use full-duplex mode on ports whenever
possible to double the throughput of switch connections. Flow control
should also be enabled to control network traffic during periods of
congestion and prevent the loss of packets when port buffer thresholds are
exceeded. The switch supports flow control based on the IEEE 802.3x
standard (now incorporated in IEEE 802.3-2002).
RATE LIMITING This feature controls the maximum rate for traffic transmitted or received
on an interface. Rate limiting is configured on interfaces at the edge of a
network to limit traffic into or out of the network. Packets that exceed the
acceptable amount of traffic are dropped.
PORT MIRRORING The switch can unobtrusively mirror traffic from any port to a monitor port.
You can then attach a protocol analyzer or RMON probe to this port to
perform traffic analysis and verify connection integrity.
PORT TRUNKING Ports can be combined into an aggregate connection. Trunks can be
manually set up or dynamically configured using Link Aggregation Control
Protocol (LACP – IEEE 802.3-2005). The additional ports dramatically
increase the throughput across any connection, and provide redundancy by
taking over the load if a port in the trunk should fail. The switch supports
up to 12 trunks.
STORM CONTROL Broadcast, multicast and unknown unicast storm suppression prevents
traffic from overwhelming the network.When enabled on a port, the level of
broadcast traffic passing through the port is restricted. If broadcast traffic
rises above a pre-defined threshold, it will be throttled until the level falls
back beneath the threshold.
– 53 –
CHAPTER 1 | Introduction
Description of Software Features
STATIC MAC A static address can be assigned to a specific interface on this switch.
ADDRESSES Static addresses are bound to the assigned interface and will not be
moved. When a static address is seen on another interface, the address will
be ignored and will not be written to the address table. Static addresses
can be used to provide network security by restricting access for a known
host to a specific port.
IP ADDRESS Access to insecure ports can be controlled using DHCP Snooping which
FILTERING filters ingress traffic based on static IP addresses and addresses stored in
the DHCP Snooping table. Traffic can also be restricted to specific source IP
addresses or source IP/MAC address pairs based on static entries or entries
stored in the DHCP Snooping table.
IEEE 802.1D BRIDGE The switch supports IEEE 802.1D transparent bridging. The address table
facilitates data switching by learning addresses, and then filtering or
forwarding traffic based on this information. The address table supports up
to 8K addresses.
STORE-AND-FORWARD The switch copies each frame into its memory before forwarding them to
SWITCHING another port. This ensures that all frames are a standard Ethernet size and
have been verified for accuracy with the cyclic redundancy check (CRC).
This prevents bad frames from entering the network and wasting
bandwidth.
To avoid dropping frames on congested ports, the switch provides 1 MB for
frame buffering. This buffer can queue packets awaiting transmission on
congested networks.
SPANNING TREE The switch supports these spanning tree protocols:
ALGORITHM
◆
Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides
loop detection. When there are multiple physical paths between
segments, this protocol will choose a single path and disable all others
to ensure that only one route exists between any two stations on the
network. This prevents the creation of network loops. However, if the
chosen path should fail for any reason, an alternate path will be
activated to maintain the connection.
◆
Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol
reduces the convergence time for network topology changes to about 3
to 5 seconds, compared to 30 seconds or more for the older IEEE
802.1D STP standard. It is intended as a complete replacement for STP,
but can still interoperate with switches running the older standard by
automatically reconfiguring ports to STP-compliant mode if they detect
STP protocol messages from attached devices.
◆
Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is
a direct extension of RSTP. It can provide an independent spanning tree
for different VLANs. It simplifies network management, provides for
– 54 –
CHAPTER 1 | Introduction
Description of Software Features
even faster convergence than RSTP by limiting the size of each region,
and prevents VLAN members from being segmented from the rest of
the group (as sometimes occurs with IEEE 802.1D STP).
VIRTUAL LANS The switch supports up to 256 VLANs. A Virtual LAN is a collection of
network nodes that share the same collision domain regardless of their
physical location or connection point in the network. The switch supports
tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN
groups can be dynamically learned via GVRP, or ports can be manually
assigned to a specific set of VLANs. This allows the switch to restrict traffic
to the VLAN groups to which a user has been assigned. By segmenting
your network into VLANs, you can:
◆
Eliminate broadcast storms which severely degrade performance in a
flat network.
◆
Simplify network management for node changes/moves by remotely
configuring VLAN membership for any port, rather than having to
manually change the network connection.
◆
Provide data security by restricting all traffic to the originating VLAN.
◆
Use private VLANs to restrict traffic to pass only between data ports
and the uplink ports, thereby isolating adjacent ports within the same
VLAN, and allowing you to limit the total number of VLANs that need to
be configured.
◆
Use protocol VLANs to restrict traffic to specified interfaces based on
protocol type.
IEEE 802.1Q This feature is designed for service providers carrying traffic for multiple
TUNNELING (QINQ) customers across their networks. QinQ tunneling is used to maintain
customer-specific VLAN and Layer 2 protocol configurations even when
different customers use the same internal VLAN IDs. This is accomplished
by inserting Service Provider VLAN (SPVLAN) tags into the customer’s
frames when they enter the service provider’s network, and then stripping
the tags when the frames leave the network.
TRAFFIC This switch prioritizes each packet based on the required level of service,
PRIORITIZATION using four priority queues with strict priority, Weighted Round Robin (WRR)
scheduling, or a combination of strict and weighted queuing. It uses IEEE
802.1p and 802.1Q tags to prioritize incoming traffic based on input from
the end-station application. These functions can be used to provide
independent priorities for delay-sensitive data and best-effort data.
This switch also supports several common methods of prioritizing layer 3/4
traffic to meet application requirements. Traffic can be prioritized based on
the priority bits in the IP frame’s Type of Service (ToS) octet using DSCP, or
IP Precedence. When these services are enabled, the priorities are mapped
– 55 –
CHAPTER 1 | Introduction
Description of Software Features
to a Class of Service value by the switch, and the traffic then sent to the
corresponding output queue.
QUALITY OF SERVICE Differentiated Services (DiffServ) provides policy-based management
mechanisms used for prioritizing network resources to meet the
requirements of specific traffic types on a per-hop basis. Each packet is
classified upon entry into the network based on access lists, IP Precedence
or DSCP values, or VLAN lists. Using access lists allows you select traffic
based on Layer 2, Layer 3, or Layer 4 information contained in each
packet. Based on network policies, different kinds of traffic can be marked
for different kinds of forwarding.
MULTICAST FILTERING Specific multicast traffic can be assigned to its own VLAN to ensure that it
does not interfere with normal network traffic and to guarantee real-time
delivery by setting the required priority level for the designated VLAN. The
switch uses IGMP Snooping and Query to manage multicast group
registration. It also supports Multicast VLAN Registration which allows
common multicast traffic, such as television channels, to be transmitted
across a single network-wide multicast VLAN shared by hosts residing in
other standard or private VLAN groups, while preserving security and data
isolation for normal traffic.
LINK LAYER LLDP is used to discover basic information about neighboring devices
DISCOVERY PROTOCOL within the local broadcast domain. LLDP is a Layer 2 protocol that
advertises information about the sending device and collects information
gathered from neighboring network nodes it discovers.
Advertised information is represented in Type Length Value (TLV) format
according to the IEEE 802.1ab standard, and can include details such as
device identification, capabilities and configuration settings. Media
Endpoint Discovery (LLDP-MED) is an extension of LLDP intended for
managing endpoint devices such as Voice over IP phones and network
switches. The LLDP-MED TLVs advertise information such as network
policy, power, inventory, and device location details. The LLDP and LLDPMED information can be used by SNMP applications to simplify
troubleshooting, enhance network management, and maintain an accurate
network topology.
– 56 –
CHAPTER 1 | Introduction
System Defaults
SYSTEM DEFAULTS
The switch’s system defaults are provided in the configuration file
“Factory_Default_Config.cfg.” To reset the switch defaults, this file should
be set as the startup configuration file.
The following table lists some of the basic system defaults.
Table 2: System Defaults
Function
Parameter
Default
Console Port Connection
Baud Rate
115200 bps
Data bits
8
Stop bits
1
Parity
none
Local Console Timeout
0 (disabled)
Privileged Exec Level
Username “admin”
Password “admin”
Normal Exec Level
Username “guest”
Password “guest”
Enable Privileged Exec from
Normal Exec Level
Password “super”
RADIUS Authentication
Disabled
TACACS+ Authentication
Disabled
802.1X Port Authentication
Disabled
Web Authentication
Disabled
MAC Authentication
Disabled
HTTPS
Enabled
SSH
Disabled
Port Security
Disabled
IP Filtering
Disabled
DHCP Snooping
Disabled
IP Source Guard
Disabled (all ports)
HTTP Server
Enabled
HTTP Port Number
80
HTTP Secure Server
Disabled
HTTP Secure Server Port
443
Authentication
Web Management
– 57 –
CHAPTER 1 | Introduction
System Defaults
Table 2: System Defaults (Continued)
Function
Parameter
Default
SNMP
SNMP Agent
Enabled
Community Strings
“public” (read only)
“private” (read/write)
Traps
Authentication traps: enabled
Link-up-down events: enabled
SNMP V3
View: defaultview
Group: public (read only);
private (read/write)
Admin Status
Enabled
Auto-negotiation
Enabled
Flow Control
Disabled
Static Trunks
None
LACP (all ports)
Disabled
Rate Limiting
Disabled
Storm Control
Broadcast: Enabled (64 kbits/s)
Port Configuration
Port Trunking
Congestion Control
Multicast: Disabled
Unknown Unicast: Disabled
Address Table
Aging Time
300 seconds
Spanning Tree Algorithm
Status
Enabled, RSTP
(Defaults: RSTP standard)
Edge Ports
Auto
LLDP
Status
Enabled
Virtual LANs
Default VLAN
1
PVID
1
Acceptable Frame Type
All
Ingress Filtering
Disabled
Switchport Mode (Egress Mode) Hybrid
Traffic Prioritization
GVRP (global)
Disabled
GVRP (port interface)
Disabled
QinQ Tunneling
Disabled
Ingress Port Priority
0
Queue Mode
Strict-WRR
Queue Weight
Queue: 0 1 2 3
Weight: 1 2 4 6
Class of Service
Enabled
IP Precedence Priority
Disabled
IP DSCP Priority
Disabled
– 58 –
CHAPTER 1 | Introduction
System Defaults
Table 2: System Defaults (Continued)
Function
Parameter
Default
IP Settings
Management. VLAN
VLAN 1
IP Address
DHCP assigned
Subnet Mask
255.255.255.0
Default Gateway
0.0.0.0
DHCP
Client: Disabled
DNS
Proxy service
BOOTP
Disabled
IGMP Snooping (Layer 2)
Snooping: Disabled
Querier: Disabled
IGMP Proxy Reporting
Disabled
Status
Enabled
Messages Logged to RAM
Levels 0-7 (all)
Messages Logged to Flash
Levels 0-3
SMTP Email Alerts
Event Handler
Enabled (but no server defined)
SNTP
Clock Synchronization
Disabled
Switch Clustering
Status
Disabled
Commander
Disabled
Multicast Filtering
System Log
– 59 –
CHAPTER 1 | Introduction
System Defaults
– 60 –
2
INITIAL SWITCH CONFIGURATION
This chapter includes information on connecting to the switch and basic
configuration procedures.
CONNECTING TO THE SWITCH
The switch includes a built-in network management agent. The agent
offers a variety of management options, including SNMP, RMON and a webbased interface. A PC may also be connected directly to the switch for
configuration and monitoring via a command line interface (CLI).
NOTE: An IPv4 address for this switch is obtained via DHCP by default. To
change this address, see "Setting an IP Address" on page 65.
CONFIGURATION The switch’s HTTP web agent allows you to configure switch parameters,
OPTIONS monitor port connections, and display statistics using a standard web
browser such as Internet Explorer 6.x or above, and Mozilla Firefox 4.x or
above. The switch’s web management interface can be accessed from any
computer attached to the network.
The CLI program can be accessed by a direct connection to the RS-232
serial console port on the switch, or remotely by a Telnet connection over
the network.
The switch’s management agent also supports SNMP (Simple Network
Management Protocol). This SNMP agent permits the switch to be managed
from any system in the network using network management software.
The switch’s web interface, console interface, and SNMP agent allow you to
perform the following management functions:
◆
Set user names and passwords
◆
Set an IP interface for a management VLAN
◆
Configure SNMP parameters
◆
Enable/disable any port
◆
Set the speed/duplex mode for any port
◆
Configure the bandwidth of any port by limiting input or output rates
– 61 –
CHAPTER 2 | Initial Switch Configuration
Connecting to the Switch
◆
Control port access through IEEE 802.1X security or static address
filtering
◆
Filter packets using Access Control Lists (ACLs)
◆
Configure up to 256 IEEE 802.1Q VLANs
◆
Enable GVRP automatic VLAN registration
◆
Configure IGMP multicast filtering
◆
Upload and download system firmware or configuration files via HTTP
(using the web interface) or FTP/TFTP (using the command line or web
interface)
◆
Configure Spanning Tree parameters
◆
Configure Class of Service (CoS) priority queuing
◆
Configure static or LACP trunks (up to 12)
◆
Enable port mirroring
◆
Set storm control on any port for excessive broadcast, multicast, or
unknown unicast traffic
◆
Display system information and statistics
REQUIRED The switch provides an RS-232 serial port that enables a connection to a
CONNECTIONS PC or terminal for monitoring and configuring the switch. A null-modem
console cable is provided with the switch.
Attach a VT100-compatible terminal, or a PC running a terminal emulation
program to the switch. You can use the console cable provided with this
package, or use a null-modem cable that complies with the wiring
assignments shown in the Installation Guide.
To connect a terminal to the console port, complete the following steps:
1. Connect the console cable to the serial port on a terminal, or a PC
running terminal emulation software, and tighten the captive retaining
screws on the DB-9 connector.
2. Connect the other end of the cable to the RS-232 serial port on the
switch.
3. Make sure the terminal emulation software is set as follows:
■
Select the appropriate serial port (COM port 1 or COM port 2).
■
Set the baud rate to 115200 bps.
■
Set the data format to 8 data bits, 1 stop bit, and no parity.
– 62 –
CHAPTER 2 | Initial Switch Configuration
Connecting to the Switch
■
Set flow control to none.
■
Set the emulation mode to VT100.
■
When using HyperTerminal, select Terminal keys, not Windows
keys.
NOTE: Once you have set up the terminal correctly, the console login screen
will be displayed.
For a description of how to use the CLI, see "Using the Command Line
Interface" on page 505. For a list of all the CLI commands and detailed
information on using the CLI, refer to "CLI Command Groups" on
page 514.
REMOTE Prior to accessing the switch’s onboard agent via a network connection,
CONNECTIONS you must first configure it with a valid IP address, subnet mask, and
default gateway using a console connection, or DHCP protocol.
An IPv4 address for this switch is obtained via DHCP by default. To
manually configure this address or enable dynamic address assignment via
DHCP, see "Setting an IP Address" on page 65.
NOTE: This switch supports four Telnet sessions or SSH sessions.
After configuring the switch’s IP parameters, you can access the onboard
configuration program from anywhere within the attached network. The
onboard configuration program can be accessed using Telnet from any
computer attached to the network. The switch can also be managed by any
computer using a web browser (Internet Explorer 6.x or above, or Mozilla
Firefox 4.x or above), or from a network computer using SNMP network
management software.
The onboard program only provides access to basic configuration functions.
To access the full range of SNMP management functions, you must use
SNMP-based network management software.
– 63 –
CHAPTER 2 | Initial Switch Configuration
Basic Configuration
BASIC CONFIGURATION
CONSOLE The CLI program provides two different command levels — normal access
CONNECTION level (Normal Exec) and privileged access level (Privileged Exec). The
commands available at the Normal Exec level are a limited subset of those
available at the Privileged Exec level and allow you to only display
information and use basic utilities. To fully configure the switch
parameters, you must access the CLI at the Privileged Exec level.
Access to both CLI levels are controlled by user names and passwords. The
switch has a default user name and password for each level. To log into the
CLI at the Privileged Exec level using the default user name and password,
perform these steps:
1. To initiate your console connection, press <Enter>. The “User Access
Verification” procedure starts.
2. At the User Name prompt, enter “admin.”
3. At the Password prompt, also enter “admin.” (The password characters
are not displayed on the console screen.)
4. The session is opened and the CLI displays the “Console#” prompt
indicating you have access at the Privileged Exec level.
SETTING PASSWORDS If this is your first time to log into the CLI program, you should define new
passwords for both default user names using the “username” command,
record them and put them in a safe place.
Passwords can consist of up to 32 alphanumeric characters and are case
sensitive. To prevent unauthorized access to the switch, set the passwords
as follows:
1. Open the console interface with the default user name and password
“admin” to access the Privileged Exec level.
2. Type “configure” and press <Enter>.
3. Type “username guest password 0 password,” for the Normal Exec
level, where password is your new password. Press <Enter>.
4. Type “username admin password 0 password,” for the Privileged Exec
level, where password is your new password. Press <Enter>.
– 64 –
CHAPTER 2 | Initial Switch Configuration
Basic Configuration
Username: admin
Password:
CLI session with the ECS3510-26P is opened.
To end the CLI session, enter [Exit].
Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#
SETTING AN IP You must establish IP address information for the switch to obtain
ADDRESS management access through the network. This can be done in either of the
following ways:
◆
Manual — You have to input the information, including IP address and
subnet mask. If your management station is not in the same IP subnet
as the switch, you will also need to specify the default gateway router.
◆
Dynamic — The switch can send IPv4 configuration requests to BOOTP
or DHCP address allocation servers on the network, or can
automatically generate a unique IPv6 host address based on the local
subnet address prefix received in router advertisement messages. An
IPv6 link local address for use in a local network can also be
dynamically generated as described in "Obtaining an IPv6 Address" on
page 69.
The current software does not support DHCP for IPv6, so an IPv6 global
unicast address for use in a network containing more than one subnet
can only be manually configured as described in "Assigning an IPv6
Address" on page 66.
MANUAL CONFIGURATION
You can manually assign an IP address to the switch. You may also need to
specify a default gateway that resides between this device and
management stations that exist on another network segment. Valid IPv4
addresses consist of four decimal numbers, 0 to 255, separated by periods.
Anything outside this format will not be accepted by the CLI program.
NOTE: The IPv4 address for this switch is obtained via DHCP by default.
ASSIGNING AN IPV4 ADDRESS
Before you can assign an IP address to the switch, you must obtain the
following information from your network administrator:
◆
IP address for the switch
◆
Network mask for this network
◆
Default gateway for the network
– 65 –
CHAPTER 2 | Initial Switch Configuration
Basic Configuration
To assign an IPv4 address to the switch, complete the following steps
1. From the Global Configuration mode prompt, type “interface vlan 1” to
access the interface-configuration mode. Press <Enter>.
2. Type “ip address ip-address netmask,” where “ip-address” is the switch
IP address and “netmask” is the network mask for the network. Press
<Enter>.
3. Type “exit” to return to the global configuration mode prompt. Press
<Enter>.
4. To set the IP address of the default gateway for the network to which
the switch belongs, type “ip default-gateway gateway,” where
“gateway” is the IP address of the default gateway. Press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
ASSIGNING AN IPV6 ADDRESS
This section describes how to configure a “link local” address for
connectivity within the local subnet only, and also how to configure a
“global unicast” address, including a network prefix for use on a multisegment network and the host portion of the address.
An IPv6 prefix or address must be formatted according to RFC 2373 “IPv6
Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal
values. One double colon may be used to indicate the appropriate number
of zeros required to fill the undefined fields. For detailed information on the
other ways to assign IPv6 addresses, see "Setting the Switch’s IP Address
(IP Version 6)" on page 445.
Link Local Address — All link-local addresses must be configured with a
prefix in the range of FE80~FEBF. Remember that this address type makes
the switch accessible over IPv6 for all devices attached to the same local
subnet only. Also, if the switch detects that the address you configured
conflicts with that in use by another device on the subnet, it will stop using
the address in question, and automatically generate a link local address
that does not conflict with any other devices on the local subnet.
To configure an IPv6 link local address for the switch, complete the
following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to
access the interface-configuration mode. Press <Enter>.
2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit
hexadecimal values for the ipv6-address similar to that shown in the
– 66 –
CHAPTER 2 | Initial Switch Configuration
Basic Configuration
example, followed by the “link-local” command parameter. Then press
<Enter>.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-Local Address:
FE80::260:3EFF:FE11:6700/64
Global Unicast Address(es):
(None)
Joined Group Address(es):
FF02::1:FF11:6700
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3
ND retransmit interval is 1000 milliseconds
Console#
Address for Multi-segment Network — Before you can assign an IPv6
address to the switch that will be used to connect to a multi-segment
network, you must obtain the following information from your network
administrator:
◆
Prefix for this network
◆
IP address for the switch
◆
Default gateway for the network
For networks that encompass several different subnets, you must define
the full address, including a network prefix and the host address for the
switch. You can specify either the full IPv6 address, or the IPv6 address
and prefix length. The prefix length for an IPv6 network is the number of
bits (from the left) of the prefix that form the network address, and is
expressed as a decimal number. For example, all IPv6 addresses that start
with the first byte of 73 (hexadecimal) could be expressed as
73:0:0:0:0:0:0:0/8 or 73::/8.
To generate an IPv6 global unicast address for the switch, complete the
following steps:
1. From the global configuration mode prompt, type “interface vlan 1” to
access the interface-configuration mode. Press <Enter>.
2. From the interface prompt, type “ipv6 address ipv6-address” or
“ipv6 address ipv6-address/prefix-length,” where “prefix-length”
indicates the address bits used to form the network portion of the
address. (The network address starts from the left of the prefix and
should encompass some of the ipv6-address bits.) The remaining bits
are assigned to the host interface. Press <Enter>.
– 67 –
CHAPTER 2 | Initial Switch Configuration
Basic Configuration
3. Type “exit” to return to the global configuration mode prompt. Press
<Enter>.
4. To set the IP address of the IPv6 default gateway for the network to
which the switch belongs, type “ipv6 default-gateway gateway,” where
“gateway” is the IPv6 address of the default gateway. Press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address 2001:DB8:2222:7272::66/64
Console(config-if)#exit
Console(config)#ipv6 default-gateway 2001:DB8:2222:7272::254
Console(config)end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-Local Address:
FE80::260:3EFF:FE11:6700/64
Global Unicast Address(es):
2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64
Joined Group Address(es):
FF02::1:FF00:0
FF02::1:FF11:6700
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3
ND retransmit interval is 1000 milliseconds
Console#show ipv6 default-gateway
ipv6 default gateway: 2001:DB8:2222:7272::254
Console#
DYNAMIC CONFIGURATION
Obtaining an IPv4 Address
If you select the “bootp” or “dhcp” option, the system will immediately
start broadcasting service requests. IP will be enabled but will not function
until a BOOTP or DHCP reply has been received. Requests are broadcast
every few minutes using exponential backoff until IP configuration
information is obtained from a BOOTP or DHCP server. BOOTP and DHCP
values can include the IP address, subnet mask, and default gateway. If
the DHCP/BOOTP server is slow to respond, you may need to use the “ip
dhcp restart client” command to re-start broadcasting service requests.
Note that the “ip dhcp restart client” command can also be used to start
broadcasting service requests for all VLANs configured to obtain address
assignments through BOOTP or DHCP. It may be necessary to use this
command when DHCP is configured on a VLAN, and the member ports
which were previously shut down are now enabled.
If the “bootp” or “dhcp” option is saved to the startup-config file (step 6),
then the switch will start broadcasting service requests as soon as it is
powered on.
– 68 –
CHAPTER 2 | Initial Switch Configuration
Basic Configuration
To automatically configure the switch by communicating with BOOTP or
DHCP address allocation servers on the network, complete the following
steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to
access the interface-configuration mode. Press <Enter>.
2. At the interface-configuration mode prompt, use one of the following
commands:
■
To obtain IP settings via DHCP, type “ip address dhcp” and press
<Enter>.
■
To obtain IP settings via BOOTP, type “ip address bootp” and press
<Enter>.
3. Type “end” to return to the Privileged Exec mode. Press <Enter>.
4. Wait a few minutes, and then check the IP configuration settings by
typing the “show ip interface” command. Press <Enter>.
5. Then save your configuration changes by typing “copy running-config
startup-config.” Enter the startup file name and press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#show ip interface
Vlan 1 is Administrative Up - Link Up
Address is B4-0E-DC-34-E6-3C (bia B4-0E-DC-34-E6-3C)
Index: 1001, MTU: 1500, Bandwidth: 1g
Address Mode is DHCP
IP Address: 192.168.0.5 Mask: 255.255.255.0
Proxy ARP is disabled
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
OBTAINING AN IPV6 ADDRESS
Link Local Address — There are several ways to configure IPv6 addresses.
The simplest method is to automatically generate a “link local” address
(identified by an address prefix in the range of FE80~FEBF). This address
type makes the switch accessible over IPv6 for all devices attached to the
same local subnet.
To generate an IPv6 link local address for the switch, complete the
following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to
access the interface-configuration mode. Press <Enter>.
2. Type “ipv6 enable” and press <Enter>.
– 69 –
CHAPTER 2 | Initial Switch Configuration
Basic Configuration
Console(config)#interface vlan 1
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
(None)
Joined group address(es):
FF02::1:FF11:6700
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
Console#
Address for Multi-segment Network — To generate an IPv6 address that
can be used in a network containing more than one subnet, the switch can
be configured to automatically generate a unique host address based on
the local subnet address prefix received in router advertisement messages.
(DHCP for IPv6 will also be supported in future software releases.)
To dynamically generate an IPv6 host address for the switch, complete the
following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to
access the interface-configuration mode. Press <Enter>.
2. From the interface prompt, type “ipv6 address autoconfig” and press
<Enter>.
3. Type “ipv6 enable” and press <Enter> to enable IPv6 on an interface
that has not been configured with an explicit IPv6 address.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address autoconfig
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
FE80::212:CFFF:FE0B:4600/64
Global unicast address(es):
2001:DB8:2222:7272:2E0:CFF:FE00:FD/64, subnet is 2001:DB8:2222:7272::/
64[AUTOCONFIG]
valid lifetime 2591978 preferred lifetime 604778
Joined group address(es):
FF02::1:FF00:FD
FF02::1:FF11:6700
FF02::1
MTU is 1500 bytes.
ND DAD is enabled, number of DAD attempts: 1.
ND retransmit interval is 1000 milliseconds
– 70 –
CHAPTER 2 | Initial Switch Configuration
Basic Configuration
Console#
DOWNLOADING A
CONFIGURATION FILE
REFERENCED BY A
DHCP SERVER
Information passed on to the switch from a DHCP server may also include a
configuration file to be downloaded and the TFTP servers where that file
can be accessed. If the Factory Default Configuration file is used to
provision the switch at startup, in addition to requesting IP configuration
settings from the DHCP server, it will also ask for the name of a bootup
configuration file and TFTP servers where that file is stored.
If the switch receives information that allows it to download the remote
bootup file, it will save this file to a local buffer, and then restart the
provision process.
Note the following DHCP client behavior:
◆
The bootup configuration file received from a TFTP server is stored on
the switch with the original file name. If this file name already exists in
the switch, the file is overwritten.
◆
If the name of the bootup configuration file is the same as the Factory
Default Configuration file, the download procedure will be terminated,
and the switch will not send any further DHCP client requests.
◆
If the switch fails to download the bootup configuration file based on
information passed by the DHCP server, it will not send any further
DHCP client requests.
◆
If the switch does not receive a DHCP response prior to completing the
bootup process, it will continue to send a DHCP client request once a
minute. These requests will only be terminated if the switch’s address is
manually configured, but will resume if the address mode is set back to
DHCP.
To successfully transmit a bootup configuration file to the switch the DHCP
daemon (using a Linux based system for this example) must be configured
with the following information:
◆
Options 60, 66 and 67 statements can be added to the daemon’s
configuration file.
Table 3: Options 60, 66 and 67 Statements
Option
◆
Statement
Keyword
Parameter
60
vendor-class-identifier
a string indicating the vendor class identifier
66
tftp-server-name
a string indicating the tftp server name
67
bootfile-name
a string indicating the bootfile name
By default, DHCP option 66/67 parameters are not carried in a DHCP
server reply. To ask for a DHCP reply with option 66/67 information, the
– 71 –
CHAPTER 2 | Initial Switch Configuration
Basic Configuration
DHCP client request sent by this switch includes a “parameter request
list” asking for this information. Besides, the client request also
includes a “vendor class identifier” that allows the DHCP server to
identify the device, and select the appropriate configuration file for
download. This information is included in Option 55 and 124.
Table 4: Options 55 and 124 Statements
Option
Statement
Keyword
Parameter
55
dhcp-parameter-request-list a list of parameters, separated by ','
124
vendor-class-identifier
a string indicating the vendor class identifier
The following configuration examples are provided for a Linux-based DHCP
daemon (dhcpd.conf file). In the “Vendor class” section, the server will
always send Option 66 and 67 to tell the switch to download the “test”
configuration file from server 192.168.255.101.
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
server-name "Server1";
Server-identifier 192.168.255.250;
#option 43 with encapsulated option 66, 67
option space dynamicProvision code width 1 length 1 hash size 2;
option dynamicProvision.tftp-server-name code 66 = text;
option dynamicProvision.bootfile-name code 67 = text;
subnet 192.168.255.0 netmask 255.255.255.0 {
range 192.168.255.160 192.168.255.200;
option routers 192.168.255.101;
option tftp-server-name "192.168.255.100"; #Default Option 66
option bootfile-name "bootfile";
#Default Option 67
}
class "Option66,67_1" {
#DHCP Option 60 Vendor class
match if option vendor-class-identifier = "ECS4110-24T_Op.cfg";
option tftp-server-name "192.168.255.101";
option bootfile-name "test";
}
NOTE: Use “ECS4110-24T_Op.cfg” for the vendor-class-identifier in the
dhcpd.conf file.
– 72 –
CHAPTER 2 | Initial Switch Configuration
Basic Configuration
ENABLING SNMP The switch can be configured to accept management commands from
MANAGEMENT ACCESS Simple Network Management Protocol (SNMP) applications such as EdgeCore ECView Pro. You can configure the switch to respond to SNMP
requests or generate SNMP traps.
When SNMP management stations send requests to the switch (either to
return information or to set a parameter), the switch provides the
requested data or sets the specified parameter. The switch can also be
configured to send information to SNMP managers (without being
requested by the managers) through trap messages, which inform the
manager that certain events have occurred.
The switch includes an SNMP agent that supports SNMP version 1, 2c, and
3 clients. To provide management access for version 1 or 2c clients, you
must specify a community string. The switch provides a default MIB View
(i.e., an SNMPv3 construct) for the default “public” community string that
provides read access to the entire MIB tree, and a default view for the
“private” community string that provides read/write access to the entire
MIB tree. However, you may assign new views to version 1 or 2c
community strings that suit your specific security requirements (see
"Setting SNMPv3 Views" on page 402).
COMMUNITY STRINGS (FOR SNMP VERSION 1 AND 2C CLIENTS)
Community strings are used to control management access to SNMP
version 1 and 2c stations, as well as to authorize SNMP stations to receive
trap messages from the switch. You therefore need to assign community
strings to specified users, and set the access level.
The default strings are:
◆
public - with read-only access. Authorized management stations are
only able to retrieve MIB objects.
◆
private - with read/write access. Authorized management stations are
able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c
clients, it is recommended that you change the default community strings.
To configure a community string, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type
“snmp-server community string mode,” where “string” is the
community access string and “mode” is rw (read/write) or ro (read
only). Press <Enter>. (Note that the default mode is read only.)
2. To remove an existing string, simply type “no snmp-server community
string,” where “string” is the community access string to remove. Press
<Enter>.
– 73 –
CHAPTER 2 | Initial Switch Configuration
Basic Configuration
Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#
NOTE: If you do not intend to support access to SNMP version 1 and 2c
clients, we recommend that you delete both of the default community
strings. If there are no community strings, then SNMP management access
from SNMP v1 and v2c clients is disabled.
TRAP RECEIVERS
You can also specify SNMP stations that are to receive traps from the
switch. To configure a trap receiver, use the “snmp-server host” command.
From the Privileged Exec level global configuration mode prompt, type:
“snmp-server host host-address community-string
[version {1 | 2c | 3 {auth | noauth | priv}}]”
where “host-address” is the IP address for the trap receiver, “communitystring” specifies access rights for a version 1/2c host, or is the user name
of a version 3 host, “version” indicates the SNMP client version, and “auth |
noauth | priv” means that authentication, no authentication, or
authentication and privacy is used for v3 clients. Then press <Enter>. For
a more detailed description of these parameters, see "snmp-server host"
on page 586. The following example creates a trap host for each type of
SNMP client.
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth
Console(config)#
CONFIGURING ACCESS FOR SNMP VERSION 3 CLIENTS
To configure management access for SNMPv3 clients, you need to first
create a view that defines the portions of MIB that the client can read or
write, assign the view to a group, and then assign the user to a group. The
following example creates one view called “mib-2” that includes the entire
MIB-2 tree branch, and then another view that includes the IEEE 802.1d
bridge MIB. It assigns these respective read and read/write views to a
group call “r&d” and specifies group authentication via MD5 or SHA. In the
last step, it assigns a v3 user to this group, indicating that MD5 will be
used for authentication, provides the password “greenpeace” for
authentication, and the password “einstien” for encryption.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth read mib-2 write 802.1d
– 74 –
CHAPTER 2 | Initial Switch Configuration
Managing System Files
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv
des56 einstien
Console(config)#
For a more detailed explanation on how to configure the switch for access
from SNMP v3 clients, refer to "Simple Network Management Protocol" on
page 397, or refer to the specific CLI commands for SNMP starting on
page 581.
MANAGING SYSTEM FILES
The switch’s flash memory supports three types of system files that can be
managed by the CLI program, web interface, or SNMP. The switch’s file
system allows files to be uploaded and downloaded, copied, deleted, and
set as a start-up file.
The types of files are:
◆
Configuration — This file type stores system configuration information
and is created when configuration settings are saved. Saved
configuration files can be selected as a system start-up file or can be
uploaded via FTP/TFTP to a server for backup. The file named
“Factory_Default_Config.cfg” contains all the system default settings
and cannot be deleted from the system. If the system is booted with
the factory default settings, the switch will also create a file named
“startup1.cfg” that contains system settings for switch initialization,
including information about the unit identifier, and MAC address for the
switch. The configuration settings from the factory defaults
configuration file are copied to this file, which is then used to boot the
switch. See "Saving or Restoring Configuration Settings" on page 76 for
more information.
◆
Operation Code — System software that is executed after boot-up,
also known as run-time code. This code runs the switch operations and
provides the CLI and web management interfaces. See "Managing
System Files" on page 102 for more information.
◆
Diagnostic Code — Software that is run during system boot-up, also
known as POST (Power On Self-Test).
Due to the size limit of the flash memory, the switch supports only two
operation code files. However, you can have as many diagnostic code files
and configuration files as available flash memory space allows. The switch
has a total of 32 Mbytes of flash memory for system files.
In the system flash memory, one file of each type must be set as the startup file. During a system boot, the diagnostic and operation code files set as
the start-up file are run, and then the start-up configuration file is loaded.
Note that configuration files should be downloaded using a file name that
reflects the contents or usage of the file settings. If you download directly
– 75 –
CHAPTER 2 | Initial Switch Configuration
Managing System Files
to the running-config, the system will reboot, and the settings will have to
be copied from the running-config to a permanent file.
SAVING OR Configuration commands only modify the running configuration file and are
RESTORING not saved when the switch is rebooted. To save all your configuration
CONFIGURATION changes in nonvolatile storage, you must copy the running configuration
file to the start-up configuration file using the “copy” command.
SETTINGS
New startup configuration files must have a name specified. File names on
the switch are case-sensitive, can be from 1 to 31 characters, must not
contain slashes (\ or /), and the leading letter of the file name must not be
a period (.). (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
There can be more than one user-defined configuration file saved in the
switch’s flash memory, but only one is designated as the “startup” file that
is loaded when the switch boots. The copy running-config startupconfig command always sets the new file as the startup file. To select a
previously saved configuration file, use the boot system
config:<filename> command.
The maximum number of saved configuration files depends on available
flash memory. The amount of available flash memory can be checked by
using the dir command.
To save the current configuration settings, enter the following command:
1. From the Privileged Exec mode prompt, type “copy running-config
startup-config” and press <Enter>.
2. Enter the name of the start-up file. Press <Enter>.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
To restore configuration settings from a backup server, enter the following
command:
1. From the Privileged Exec mode prompt, type “copy tftp startup-config”
and press <Enter>.
2. Enter the address of the TFTP server. Press <Enter>.
3. Enter the name of the startup file stored on the server. Press <Enter>.
4. Enter the name for the startup file on the switch. Press <Enter>.
– 76 –
CHAPTER 2 | Initial Switch Configuration
Managing System Files
Console#copy file startup-config
Console#copy tftp startup-config
TFTP server IP address: 192.168.0.4
Source configuration file name: startup-rd.cfg
Startup configuration file name [startup1.cfg]:
Success.
Console#
– 77 –
CHAPTER 2 | Initial Switch Configuration
Managing System Files
– 78 –
SECTION II
WEB CONFIGURATION
This section describes the basic switch features, along with a detailed
description of how to configure each feature via a web browser.
This section includes these chapters:
◆
"Using the Web Interface" on page 81
◆
"Basic Management Tasks" on page 97
◆
"Interface Configuration" on page 127
◆
"VLAN Configuration" on page 167
◆
"Address Table Settings" on page 195
◆
"Spanning Tree Algorithm" on page 203
◆
"Congestion Control" on page 227
◆
"Class of Service" on page 239
◆
"Quality of Service" on page 253
◆
"VoIP Traffic Configuration" on page 269
◆
"Security Measures" on page 275
◆
"Basic Administration Protocols" on page 369
◆
"IP Configuration" on page 439
◆
"IP Services" on page 463
◆
"Multicast Filtering" on page 471
– 79 –
SECTION II | Web Configuration
– 80 –
3
USING THE WEB INTERFACE
This switch provides an embedded HTTP web agent. Using a web browser
you can configure the switch and view statistics to monitor network
activity. The web agent can be accessed by any computer on the network
using a standard web browser (Internet Explorer 6.x or above, or Mozilla
Firefox 4.x or above).
NOTE: You can also use the Command Line Interface (CLI) to manage the
switch over a serial connection to the console port or via Telnet. For more
information on using the CLI, refer to "Using the Command Line Interface"
on page 505.
CONNECTING TO THE WEB INTERFACE
Prior to accessing the switch from a web browser, be sure you have first
performed the following tasks:
1. Configure the switch with a valid IP address, subnet mask, and default
gateway using an out-of-band serial connection, BOOTP or DHCP
protocol. (See "Setting an IP Address" on page 65.)
2. Set user names and passwords using an out-of-band serial connection.
Access to the web agent is controlled by the same user names and
passwords as the onboard configuration program. (See "Setting
Passwords" on page 64.)
3. After you enter a user name and password, you will have access to the
system configuration program.
NOTE: You are allowed three attempts to enter the correct password; on
the third failed attempt the current connection is terminated.
NOTE: If you log into the web interface as guest (Normal Exec level), you
can view the configuration settings or change the guest password. If you
log in as “admin” (Privileged Exec level), you can change the settings on
any page.
NOTE: If the path between your management station and this switch does
not pass through any device that uses the Spanning Tree Algorithm, then
you can set the switch port attached to your management station to fast
forwarding (i.e., enable Admin Edge Port) to improve the switch’s response
time to management commands issued through the web interface. See
"Configuring Interface Settings for STA" on page 213.
– 81 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
NOTE: Users are automatically logged off of the HTTP server or HTTPS
server if no input is detected for 600 seconds.
NOTE: Connection to the web interface is not supported for HTTPS using an
IPv6 link local address.
NAVIGATING THE WEB BROWSER INTERFACE
To access the web-browser interface you must first enter a user name and
password. The administrator has Read/Write access to all configuration
parameters and statistics. The default user name and password for the
administrator is “admin.”
HOME PAGE When your web browser connects with the switch’s web agent, the home
page is displayed as shown below. The home page displays the Main Menu
on the left side of the screen and System Information on the right side. The
Main Menu links are used to navigate to other menus, and display
configuration parameters and statistics.
Figure 1: Home Page
– 82 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
CONFIGURATION Configurable parameters have a dialog box or a drop-down list. Once a
OPTIONS configuration change has been made on a page, be sure to click on the
Apply button to confirm the new setting. The following table summarizes
the web page configuration buttons.
Table 5: Web Page Configuration Buttons
Button
Action
Apply
Sets specified values to the system.
Revert
Cancels specified values and restores current
values prior to pressing “Apply.”
Save current configuration settings.
Displays help for the selected page.
Refreshes the current page.
Displays the site map.
Logs out of the management interface.
Links to the manufacture’s web site.
Sends mail to the manufacturer.
PANEL DISPLAY The web agent displays an image of the switch’s ports. The Mode can be
set to display different information for the ports, including Active (i.e., up
or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or
without flow control).
Figure 2: Front Panel Indicators
– 83 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
MAIN MENU Using the onboard web agent, you can define system parameters, manage
and control the switch, and all its ports, or monitor network conditions. The
following table briefly describes the selections available from this program.
Table 6: Switch Main Menu
Menu
Description
Page
General
Provides basic system description, including contact information
97
Switch
Shows the number of ports, hardware version, power status, and 98
firmware version numbers
IP
Sets the IPv4 address for management access
443
Capability
Enables support for jumbo frames;
shows the bridge extension parameters
100,
101
System
File
102
Copy
Allows the transfer and copying files
102
Set Startup
Sets the startup file
105
Show
Shows the files stored in flash memory; allows deletion of files
106
Automatic Operation Code Upgrade
Automatically upgrades operation code if a newer version is
found on the server
107
Time
111
Configure General
Manual
Manually sets the current time
111
SNTP
Configures SNTP polling interval
112
Configure Time Server
Configures a list of SNTP servers
113
Configure Time Zone
Sets the local time zone for the system clock
114
Configure Summer Time
Configures summer time settings
115
Console
Sets console port connection parameters
117
Telnet
Sets Telnet connection parameters
119
CPU Utilization
Displays information on CPU utilization
120
Memory Status
Shows memory utilization parameters
121
Reload
Restarts the switch immediately, at a specified time, after a
specified delay, or at a periodic interval
122
Interface
127
Port
127
General
Configure by Port List
Configures connection settings per port
127
Configure by Port Range
Configures connection settings for a range of ports
130
Show Information
Displays port connection status
131
Mirror
132
Add
Sets the source and target ports for mirroring
132
Show
Shows the configured mirror sessions
132
– 84 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
Table 6: Switch Main Menu (Continued)
Menu
Description
Page
Statistics
Shows Interface, Etherlike, and RMON port statistics
138
Chart
Shows Interface, Etherlike, and RMON port statistics
138
Cable Test
Performs cable diagnostics for selected port to diagnose any cable 142
faults (short, open etc.) and report the cable length
Trunk
Static
145
Configure Trunk
Creates a trunk, specifying port members
Configure General
145
145
Configure
Configures trunk connection settings
145
Show Information
Displays trunk connection settings
145
Dynamic
Configure Aggregator
147
Configures administration key for specific LACP groups
Configure Aggregation Port
147
147
Configure
147
General
Allows ports to dynamically join trunks
Actor
Configures parameters for link aggregation group members on the 147
local side
Partner
Configures parameters for link aggregation group members on the 147
remote side
Show Information
147
153
Counters
Displays statistics for LACP protocol messages
153
Internal
Displays configuration settings and operational state for the local
side of a link aggregation
154
Neighbors
Displays configuration settings and operational state for the
remote side of a link aggregation
156
Configure Trunk
147
Show
Displays trunk connection settings
147
Configure
Configures trunk connection settings
147
Show Member
Show port members of dynamic trunks
147
Mirror
158
Add
Sets the source trunks and target port for mirroring
158
Show
Shows the configured mirror sessions
158
Statistics
Shows Interface, Etherlike, and RMON port statistics
138
Chart
Shows Interface, Etherlike, and RMON port statistics
138
Green Ethernet
Adjusts the power provided to ports based on the length
of the cable used to connect to other devices
159
RSPAN
Mirrors traffic from remote switches for analysis at a destination
port on the local switch
134
Traffic Segmentation
Configure Global
161
Enables traffic segmentation globally
– 85 –
161
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
Table 6: Switch Main Menu (Continued)
Menu
Description
Configure Session
VLAN Trunking
Page
Configures the uplink and down-link ports for a segmented group 162
of ports
Allows unknown VLAN groups to pass through the specified
interface
163
Virtual LAN
167
Configure VLAN
Configures VLAN groups, administrative status, and remote type
170
Modify VLAN and Member Ports
Configures group name, status, and member attributes
171
Edit Member by Interface
Specifies VLAN attributes per interface
171
Edit Member by Interface Range
Specifies VLAN attributes per interface range
171
Configure General
Enables GVRP VLAN registration protocol globally
176
Configure Interface
Configures GVRP status and timers per interface
176
VLAN
Static
Dynamic
Show Dynamic VLAN
176
Show VLAN
Shows the VLANs this switch has joined through GVRP
176
Show VLAN Member
Shows the interfaces assigned to a VLAN through GVRP
176
IEEE 802.1Q (QinQ) Tunneling
179
Configure Global
Sets tunnel mode for the switch
183
Configure Interface
Sets the tunnel mode for any participating interface
184
Tunnel
Protocol
185
Configure Protocol
186
Add
Creates a protocol group, specifying supported protocols
186
Show
Shows configured protocol groups
186
Configure Interface
187
Add
Maps a protocol group to a VLAN
187
Show
Shows the protocol groups mapped to each VLAN
187
IP Subnet
189
Add
Maps IP subnet traffic to a VLAN
189
Show
Shows IP subnet to VLAN mapping
189
MAC-Based
191
Add
Maps traffic with specified source MAC address to a VLAN
191
Show
Shows source MAC address to VLAN mapping
191
Mirror
193
Add
Mirrors traffic from one or more source VLANs to a target port
193
Show
Shows mirror list
193
– 86 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
Table 6: Switch Main Menu (Continued)
Menu
Description
Page
MAC Address
195
Static
195
Add
Configures static entries in the address table
195
Show
Displays static entries in the address table
195
Configure Aging
Sets timeout for dynamically learned entries
197
Show Dynamic MAC
Displays dynamic entries in the address table
198
Clear Dynamic MAC
Removes any learned entries from the forwarding database and
clears the transmit and receive counts for any static or system
configured entries
199
Dynamic
Mirror
200
Add
Mirrors traffic matching a specified source address from any port
on the switch to a target port
200
Show
Shows mirror list
200
Spanning Tree
203
Loopback Detection
Configures Loopback Detection parameters
STA
Spanning Tree Algorithm
206
Configure Global
Configure
Configures global bridge settings for STP, RSTP and MSTP
207
Show Information
Displays STA values used for the bridge
212
Configure
Configures interface settings for STA
213
Show Information
Displays interface settings for STA
217
Multiple Spanning Tree Algorithm
220
Configure Interface
MSTP
Configure Global
220
Add
Configures initial VLAN and priority for an MST instance
220
Show
Shows configured MST instances
220
Modify
Modifies priority for an MST instance
220
Add Member
Adds VLAN members for an MST instance
220
Show Member
Adds or deletes VLAN members for an MST instance
220
Show Information
Shows global settings for an MST instance
220
Configure Interface
223
Configure
Configures interface settings for an MST instance
223
Show Information
Displays interface settings for an MST instance
223
Traffic
Congestion Control
227
Rate Limit
Sets the input and output rate limits for a port
227
Storm Control
Sets the traffic storm threshold for each interface
229
– 87 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
Table 6: Switch Main Menu (Continued)
Menu
Auto Traffic Control
Description
Page
Sets thresholds for broadcast and multicast storms which can be
used to trigger configured rate limits or to shut down a port
229
Configure Global
Sets the time to apply the control response after traffic has
233
exceeded the upper threshold, and the time to release the control
response after traffic has fallen beneath the lower threshold
Configure Interface
Sets the storm control mode (broadcast or multicast), the traffic 235
thresholds, the control response, to automatically release a
response of rate limiting, or to send related SNMP trap messages
Priority
239
Default Priority
Sets the default priority for each port or trunk
Queue
Sets queue mode for the switch; sets the service weight for each 240
queue that will use a weighted or hybrid mode
Trust Mode
Selects IP Precedence, DSCP or CoS priority processing
DSCP to DSCP
239
246
247
Add
Maps DSCP values in incoming packets to per-hop behavior and
drop precedence values for internal priority processing
247
Show
Shows the DSCP to DSCP mapping list
247
CoS to DSCP
249
Add
Maps CoS/CFI values in incoming packets to per-hop behavior and 249
drop precedence values for priority processing
Show
Shows the CoS to DSCP mapping list
PHB to Queue
249
243
Add
Maps internal per-hop behavior values to hardware queues
243
Show
Shows the PHB to Queue mapping list
243
DiffServ
245
Configure Class
246
Add
Creates a class map for a type of traffic
246
Show
Shows configured class maps
246
Modify
Modifies the name of a class map
246
Add Rule
Configures the criteria used to classify ingress traffic
246
Show Rule
Shows the traffic classification rules for a class map
246
Configure Policy
249
Add
Creates a policy map to apply to multiple interfaces
249
Show
Shows configured policy maps
249
Modify
Modifies the name of a policy map
249
Add Rule
Sets the boundary parameters used for monitoring inbound traffic, 249
and the action to take for conforming and non-conforming traffic
Show Rule
Shows the rules used to enforce bandwidth policing for a policy
map
249
Applies a policy map to an ingress port
259
Configure Interface
– 88 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
Table 6: Switch Main Menu (Continued)
Menu
VoIP
Configure Global
Description
Page
Voice over IP
269
Configures auto-detection of VoIP traffic, sets the Voice VLAN, and 270
VLAN aging time
Configure OUI
271
Add
Maps the OUI in the source MAC address of ingress packets to the 271
VoIP device manufacturer
Show
Shows the OUI telephony list
271
Configures VoIP traffic settings for ports, including the way in
which a port is added to the Voice VLAN, filtering of non-VoIP
packets, the method of detecting VoIP traffic, and the priority
assigned to the voice traffic
272
Configure Interface
Packet Flow
Protects against DoS attacks in which the UDP or TCP source port 366
or destination port is set to zero
Security
275
AAA
Authentication, Authorization and Accounting
System Authentication
Configures authentication sequence – local, RADIUS, and TACACS 277
Server
Configure Server
276
278
Configures RADIUS and TACACS server message exchange
settings
Configure Group
278
278
Add
Specifies a group of authentication servers and sets the priority
sequence
278
Show
Shows the authentication server groups and priority sequence
278
Enables accounting of requested services for billing or security
purposes
283
Accounting
Configure Global
Specifies the interval at which the local accounting service updates 283
information to the accounting server
Configure Method
283
Add
Configures accounting for various service types
283
Show
Shows the accounting settings used for various service types
283
Configure Service
Sets the accounting method applied to specific interfaces for
283
802.1X, CLI command privilege levels for the console port, and for
Telnet
Show Information
283
Summary
Shows the configured accounting methods, and the methods
applied to specific interfaces
283
Statistics
Shows basic accounting information recorded for user sessions
283
Enables authorization of requested services
289
Authorization
Configure Method
289
Add
Configures authorization for various service types
289
Show
Shows the authorization settings used for various service types
289
Sets the authorization method applied used for the console port,
and for Telnet
289
Configure Service
– 89 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
Table 6: Switch Main Menu (Continued)
Menu
Show Information
Description
Page
Shows the configured authorization methods, and the methods
applied to specific interfaces
289
User Accounts
292
Add
Configures user names, passwords, and access levels
292
Show
Shows authorized users
292
Modify
Modifies user attributes
292
Allows authentication and access to the network when 802.1X or
Network Access authentication are infeasible or impractical
294
Configure Global
Configures general protocol settings
294
Configure Interface
Enables Web Authentication for individual ports
295
MAC address-based network access authentication
296
Web Authentication
Network Access
Configure Global
Enables aging for authenticated MAC addresses, and sets the time 299
period after which a connected MAC address must be
reauthenticated
Configure Interface
300
General
Enables MAC authentication on a port; sets the maximum number 300
of address that can be authenticated, the guest VLAN, dynamic
VLAN and dynamic QoS
Link Detection
Configures detection of changes in link status, and the response
(i.e., send trap or shut down port)
Configure MAC Filter
302
303
Add
Specifies MAC addresses exempt from authentication
303
Show
Shows the list of exempt MAC addresses
303
Shows the authenticated MAC address list
305
Secure HTTP
306
Configure Global
Enables HTTPs, and specifies the UDP port to use
306
Copy Certificate
Replaces the default secure-site certificate
308
Secure Shell
309
Configures SSH server settings
312
Show Information
HTTPS
SSH
Configure Global
Configure Host Key
313
Generate
Generates the host key pair (public and private)
313
Clear
Displays RSA and DSA host keys; deletes host keys
313
Configure User Key
315
Copy
Imports user public keys from TFTP server
315
Show
Displays RSA and DSA user keys; deletes user keys
315
Access Control Lists
317
Show TCAM
Shows utilization parameters for TCAM
318
Add
Adds an ACL based on IP or MAC address filtering
319
Show
Shows the name and type of configured ACLs
319
ACL
Configure ACL
– 90 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
Table 6: Switch Main Menu (Continued)
Menu
Description
Page
Add Rule
Configures packet filtering based on IP or MAC addresses and other 319
packet attributes
Show Rule
Shows the rules specified for an ACL
319
Binds a port to the specified ACL and time range
328
Configure Interface
ARP Inspection
330
Configure General
Enables inspection globally, configures validation of additional
address components, and sets the log rate for packet inspection
331
Configure VLAN
Enables ARP inspection on specified VLANs
333
Configure Interface
Sets the trust mode for ports, and sets the rate
limit for packet inspection
334
Show Statistics
Displays statistics on the inspection process
336
Show Log
Shows the inspection log list
337
Show Information
IP Filter
338
Add
Sets IP addresses of clients allowed management access via the
web, SNMP, and Telnet
338
Show
Shows the addresses to be allowed management access
338
Port Security
Configures per port security, including status, response for security 340
breach, and maximum allowed MAC addresses
Port Authentication
IEEE 802.1X
342
Configure Global
Enables authentication and EAPOL pass-through
344
Configure Interface
Sets authentication parameters for individual ports
Authenticator
Sets port authenticator settings
345
Supplicant
Sets port supplicant settings
349
Displays protocol statistics for the selected port
351
Authenticator
Displays protocol statistics for port authenticator
351
Supplicant
Displays protocol statistics for port supplicant
351
Filters IP traffic based on static entries in the IP Source Guard
table, or dynamic entries in the DHCP Snooping table
354
Enables IP source guard and selects filter type per port
354
Show Statistics
IP Source Guard
Port Configuration
Static Binding
356
Add
Adds a static addresses to the source-guard binding table
356
Show
Shows static addresses in the source-guard binding table
356
Displays the source-guard binding table for a selected interface
358
Dynamic Binding
Administration
369
Log
369
System
369
Configure Global
Stores error messages in local memory
369
Show Logs
Shows logged error messages
369
– 91 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
Table 6: Switch Main Menu (Continued)
Menu
Description
Page
Remote
Configures the logging of messages to a remote logging process
372
SMTP
Sends an SMTP client message to a participating server
373
Configures a list of recipient SMTP servers
373
Add
Adds a recipient SMTP server
373
Show
Shows configured SMTP servers
373
Sets SMTP status, e-mail source and destination addresses
373
Configure Server
Configure General
LLDP
Configure Global
376
Configures global LLDP timing parameters
376
Configure Interface
Configure General
Sets the message transmission mode, enables SNMP notification, 378
and sets the LLDP attributes to advertise
Add CA-Type
Specifies the location of the device attached to an interface
382
Show CA-Type
Shows the location of the device attached to an interface
382
Modify CA-Type
Modifies the location of the device attached to an interface
382
Show Local Device Information
384
General
Displays general information about the local device
384
Port/Trunk
Displays information about each interface
384
Show Remote Device Information
387
Port/Trunk
Displays information about a remote device connected to a port on 387
this switch
Port/Trunk Details
Displays detailed information about a remote device connected to 387
this switch
Show Device Statistics
392
General
Displays statistics for all connected remote devices
392
Port/Trunk
Displays statistics for remote devices on a selected port or trunk
392
Power over Ethernet
393
Configure Global
Displays the power budget for the switch
394
Configure Interface
Configures port power parameters
395
Simple Network Management Protocol
397
Enables SNMP agent status, and sets related trap functions
399
PoE
SNMP
Configure Global
Configure Engine
400
Set Engine ID
Sets the SNMP v3 engine ID on this switch
400
Add Remote Engine
Sets the SNMP v3 engine ID for a remote device
401
Show Remote Engine
Shows configured engine ID for remote devices
401
– 92 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
Table 6: Switch Main Menu (Continued)
Menu
Description
Page
Configure View
402
Add View
Adds an SNMP v3 view of the OID MIB
402
Show View
Shows configured SNMP v3 views
402
Add OID Subtree
Specifies a part of the subtree for the selected view
402
Show OID Subtree
Shows the subtrees assigned to each view
402
Configure Group
405
Add
Adds a group with access policies for assigned users
405
Show
Shows configured groups and access policies
405
Add Community
Configures community strings and access mode
410
Show Community
Shows community strings and access mode
410
Add SNMPv3 Local User
Configures SNMPv3 users on this switch
411
Show SNMPv3 Local User
Shows SNMPv3 users configured on this switch
411
Change SNMPv3 Local User Group
Assign a local user to a new group
411
Add SNMPv3 Remote User
Configures SNMPv3 users from a remote device
413
Show SNMPv3 Remote User
Shows SNMPv3 users set from a remote device
413
Configure User
Configure Trap
415
Add
Configures trap managers to receive messages on key events that 415
occur this switch
Show
Shows configured trap managers
415
Remote Monitoring
420
Alarm
Sets threshold bounds for a monitored variable
420
Event
Creates a response event for an alarm
423
Alarm
Shows all configured alarms
420
Event
Shows all configured events
423
History
Periodically samples statistics on a physical interface
425
Statistics
Enables collection of statistics on a physical interface
428
History
Shows sampling parameters for each entry in the history group
425
Statistics
Shows sampling parameters for each entry in the statistics group 428
RMON
Configure Global
Add
Show
Configure Interface
Add
Show
– 93 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
Table 6: Switch Main Menu (Continued)
Menu
Description
Page
History
Shows sampled data for each entry in the history group
425
Statistics
Shows sampled data for each entry in the history group
428
Show Details
Cluster
Configure Global
430
Globally enables clustering for the switch; sets Commander status 431
Configure Member
Add
Adds switch Members to the cluster
432
Show Candidate
Shows cluster candidates
432
Shows cluster switch member; managed switch members
434
Sets active time range for ACLs
435
Add
Specifies the name of a time range
435
Show
Shows the name of configured time ranges
435
Show Member
Time Range
Add Rule
435
Absolute
Sets exact time or time range
435
Periodic
Sets a recurrent time
435
Shows the time specified by a rule
435
Show Rule
IP
439
General
Ping
ARP
Sends ICMP echo request packets to another node on the network 439
Address Resolution Protocol
441
Configure General
Sets the aging time for dynamic entries in the ARP cache
441
Show Information
Shows entries in the Address Resolution Protocol (ARP) cache
442
IPv6 Configuration
445
Configure Global
Sets an IPv6 default gateway for traffic with no known next hop
Configure Interface
Configures IPv6 interface address using auto-configuration or link- 446
local address, and sets related protocol settings
Add IPv6 Address
Adds an global unicast, EUI-64, or link-local IPv6 address to an
interface
450
Show IPv6 Address
Show the IPv6 addresses assigned to an interface
452
Show IPv6 Neighbor Cache
Displays information in the IPv6 neighbor discovery cache
454
Show Statistics
445
456
IPv6
Shows statistics about IPv6 traffic
456
ICMPv6
Shows statistics about ICMPv6 messages
456
UDP
Shows statistics about UDP messages
456
Show MTU
Shows the maximum transmission unit (MTU) cache for
461
destinations that have returned an ICMP packet-too-big message
along with an acceptable MTU to this switch
– 94 –
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
Table 6: Switch Main Menu (Continued)
Menu
Description
Page
IP Service
DNS
463
Domain Name Service
General
463
Configure Global
Enables DNS lookup; defines the default domain name appended 463
to incomplete host names
Add Domain Name
Defines a list of domain names that can
be appended to incomplete host names
464
Show Domain Names
Shows the configured domain name list
464
Add Name Server
Specifies IP address of name servers for dynamic lookup
466
Show Name Servers
Shows the name server address list
466
Static Host Table
467
Add
Configures static entries for domain name to address mapping
467
Show
Shows the list of static mapping entries
467
Modify
Modifies the static address mapped to the selected host name
467
Displays cache entries discovered by designated
name servers
468
Cache
DHCP
Dynamic Host Configuration Protocol
Snooping
359
Configure Global
Enables DHCP snooping globally, MAC-address verification,
information option; and sets the information policy
362
Configure VLAN
Enables DHCP snooping on a VLAN
363
Configure Interface
Sets the trust mode for an interface
364
Show Information
Displays the DHCP Snooping binding information
365
Multicast
471
IGMP Snooping
General
472
Enables multicast filtering; configures parameters for multicast
snooping
Multicast Router
474
477
Add Static Multicast Router
Assigns ports that are attached to a neighboring multicast router
477
Show Static Multicast Router
Displays ports statically configured as attached to a neighboring
multicast router
477
Show Current Multicast Router
Displays ports attached to a neighboring multicast router, either
through static or dynamic configuration
477
IGMP Member
480
Add Static Member
Statically assigns multicast addresses to the selected VLAN
480
Show Static Member
Shows multicast addresses statically configured on the selected
VLAN
480
Show Current Member
Shows multicast addresses associated with the selected VLAN,
either through static or dynamic configuration
480
Interface
Configure
482
Configures IGMP snooping per VLAN interface
– 95 –
482
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface
Table 6: Switch Main Menu (Continued)
Menu
Show
Forwarding Entry
Description
Page
Shows IGMP snooping settings per VLAN interface
482
Displays the current multicast groups learned through IGMP
Snooping
487
Filter
Configure General
488
Enables IGMP filtering for the switch
Configure Profile
488
489
Add
Adds IGMP filter profile; and sets access mode
489
Show
Shows configured IGMP filter profiles
489
Add Multicast Group Range
Assigns multicast groups to selected profile
489
Show Multicast Group Range
Shows multicast groups assigned to a profile
489
Assigns IGMP filter profiles to port interfaces and sets throttling
action
492
Multicast VLAN Registration
493
Configure General
Globally enables MVR, sets the MVR VLAN, adds multicast
stream addresses
495
Configure Interface
Configures MVR interface type and immediate leave mode; also
displays MVR operational and active status
496
Configure Interface
MVR
Configure Static Group Member
498
Add
Statically assigns MVR multicast streams to an interface
498
Show
Shows MVR multicast streams assigned to an interface
498
Show Member
Shows the interfaces associated with multicast groups assigned to 500
the MVR VLAN
– 96 –
4
BASIC MANAGEMENT TASKS
This chapter describes the following topics:
◆
Displaying System Information – Provides basic system description,
including contact information.
◆
Displaying Hardware/Software Versions – Shows the hardware version,
power status, and firmware versions
◆
Configuring Support for Jumbo Frames – Enables support for jumbo
frames.
◆
Displaying Bridge Extension Capabilities – Shows the bridge extension
parameters.
◆
Managing System Files – Describes how to upgrade operating software
or configuration files, and set the system start-up files.
◆
Setting the System Clock – Sets the current time manually or through
specified SNTP servers.
◆
Configuring the Console Port – Sets console port connection
parameters.
◆
Configuring Telnet Settings – Sets Telnet connection parameters.
◆
Displaying CPU Utilization – Displays information on CPU utilization.
◆
Displaying Memory Utilization – Shows memory utilization parameters.
◆
Resetting the System – Restarts the switch immediately, at a specified
time, after a specified delay, or at a periodic interval.
DISPLAYING SYSTEM INFORMATION
Use the System > General page to identify the system by displaying
information such as the device name, location and contact information.
CLI REFERENCES
◆ "System Management Commands" on page 525
◆ "SNMP Commands" on page 581
– 97 –
CHAPTER 4 | Basic Management Tasks
Displaying Hardware/Software Versions
PARAMETERS
These parameters are displayed:
◆
System Description – Brief description of device type.
◆
System Object ID – MIB II object ID for switch’s network
management subsystem.
◆
System Up Time – Length of time the management agent has been
up.
◆
System Name – Name assigned to the switch system.
◆
System Location – Specifies the system location.
◆
System Contact – Administrator responsible for the system.
WEB INTERFACE
To configure general system information:
1. Click System, General.
2. Specify the system name, location, and contact information for the
system administrator.
3. Click Apply.
Figure 3: System Information
DISPLAYING HARDWARE/SOFTWARE VERSIONS
Use the System > Switch page to display hardware/firmware version
numbers for the main board and management software, as well as the
power status of the system.
CLI REFERENCES
◆ "System Management Commands" on page 525
– 98 –
CHAPTER 4 | Basic Management Tasks
Displaying Hardware/Software Versions
PARAMETERS
The following parameters are displayed:
Main Board Information
◆
Serial Number – The serial number of the switch.
◆
Number of Ports – Number of built-in ports.
◆
Hardware Version – Hardware version of the main board.
◆
Internal Power Status – Displays the status of the internal power
supply.
Management Software Information
◆
Role – Shows that this switch is operating as Master or Slave.
◆
EPLD Version – Version number of Erasable Programmable Logic
Device.
◆
Loader Version – Version number of loader code.
◆
Operation Code Version – Version number of runtime code.
WEB INTERFACE
To view hardware and software version information.
1.
Click System, then Switch.
Figure 4: General Switch Information
– 99 –
CHAPTER 4 | Basic Management Tasks
Configuring Support for Jumbo Frames
CONFIGURING SUPPORT FOR JUMBO FRAMES
Use the System > Capability page to configure support for Layer 2 jumbo
frames. The switch provides more efficient throughput for large sequential
data transfers by supporting jumbo frames up to 10240 bytes for Gigabit
Ethernet. Compared to standard Ethernet frames that run only up to
1.5 KB, using jumbo frames significantly reduces the per-packet overhead
required to process protocol encapsulation fields.
CLI REFERENCES
◆ "System Management Commands" on page 525
USAGE GUIDELINES
To use jumbo frames, both the source and destination end nodes (such as
a computer or server) must support this feature. Also, when the connection
is operating at full duplex, all switches in the network between the two end
nodes must be able to accept the extended frame size. And for half-duplex
connections, all devices in the collision domain would need to support
jumbo frames.
PARAMETERS
The following parameters are displayed:
◆
Jumbo Frame – Configures support for jumbo frames.
(Default: Disabled)
WEB INTERFACE
To configure support for jumbo frames:
1. Click System, then Capability.
2. Enable or disable support for jumbo frames.
3. Click Apply.
Figure 5: Configuring Support for Jumbo Frames
– 100 –
CHAPTER 4 | Basic Management Tasks
Displaying Bridge Extension Capabilities
DISPLAYING BRIDGE EXTENSION CAPABILITIES
Use the System > Capability page to display settings based on the Bridge
MIB. The Bridge MIB includes extensions for managed devices that support
Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these
extensions to display default settings for the key variables.
CLI REFERENCES
◆ "GVRP and Bridge Extension Commands" on page 822
PARAMETERS
The following parameters are displayed:
◆
Extended Multicast Filtering Services – This switch does not
support the filtering of individual multicast addresses based on GMRP
(GARP Multicast Registration Protocol).
◆
Traffic Classes – This switch provides mapping of user priorities to
multiple traffic classes. (Refer to "Class of Service" on page 239.)
◆
Static Entry Individual Port – This switch allows static filtering for
unicast and multicast addresses. (Refer to "Setting Static Addresses"
on page 195.)
◆
VLAN Version Number – Based on IEEE 802.1Q, “1” indicates Bridges
that support only single spanning tree (SST) operation, and “2”
indicates Bridges that support multiple spanning tree (MST) operation.
◆
VLAN Learning – This switch uses Independent VLAN Learning (IVL),
where each port maintains its own filtering database.
◆
Local VLAN Capable – This switch does not support multiple local
bridges outside of the scope of 802.1Q defined VLANs.
◆
Configurable PVID Tagging – This switch allows you to override the
default Port VLAN ID (PVID used in frame tags) and egress status
(VLAN-Tagged or Untagged) on each port. (Refer to "VLAN
Configuration" on page 167.)
◆
Max Supported VLAN Numbers – The maximum number of VLANs
supported on this switch.
◆
Max Supported VLAN ID – The maximum configurable VLAN
identifier supported on this switch.
◆
GMRP – GARP Multicast Registration Protocol (GMRP) allows network
devices to register end stations with multicast groups. This switch does
not support GMRP; it uses the Internet Group Management Protocol
(IGMP) to provide automatic multicast filtering.
– 101 –
CHAPTER 4 | Basic Management Tasks
Managing System Files
WEB INTERFACE
To view Bridge Extension information:
1. Click System, then Capability.
Figure 6: Displaying Bridge Extension Configuration
MANAGING SYSTEM FILES
This section describes how to upgrade the switch operating software or
configuration files, and set the system start-up files.
COPYING FILES VIA Use the System > File (Copy) page to upload/download firmware or
FTP/TFTP OR HTTP configuration settings using FTP, TFTP or HTTP. By backing up a file to an
FTP/TFTP server or management station, that file can later be downloaded
to the switch to restore operation. Specify the method of file transfer, along
with the file type and file names as required.
You can also set the switch to use new firmware or configuration settings
without overwriting the current version. Just download the file using a
different name from the current version, and then set the new file as the
startup file.
CLI REFERENCES
◆ "copy" on page 536
COMMAND USAGE
When logging into an FTP server, the interface prompts for a user name
and password configured on the remote server. Note that “Anonymous” is
set as the default user name.
– 102 –
CHAPTER 4 | Basic Management Tasks
Managing System Files
PARAMETERS
The following parameters are displayed:
◆
Copy Type – The firmware copy operation includes these options:
■
FTP Upgrade – Copies a file from an FTP server to the switch.
■
FTP Download – Copies a file from the switch to an FTP server.
■
HTTP Upgrade – Copies a file from a management station to the
switch.
■
HTTP Download – Copies a file from the switch to a management
station
■
TFTP Upgrade – Copies a file from a TFTP server to the switch.
■
TFTP Download – Copies a file from the switch to a TFTP server.
◆
FTP/TFTP Server IP Address – The IP address of an FTP/TFTP server.
◆
User Name – The user name for FTP server access.
◆
Password – The password for FTP server access.
◆
File Type – Specify Operation Code or Loader.
◆
File Name – The file name should not contain slashes (\ or /), the
leading letter of the file name should not be a period (.), and the
maximum length for file names is 32 characters for files on the switch
or 128 characters for files on the server. (Valid characters: A-Z, a-z,
0-9, “.”, “-”, “_”)
◆
Auto reboot after opcode upgrade completed. – Automatically
reboots the switch after the operation code has been upgraded.
NOTE: Up to two copies of the system software (i.e., the runtime firmware)
can be stored in the file directory on the switch.
NOTE: The maximum number of user-defined configuration files is limited
only by available flash memory space.
NOTE: The file “Factory_Default_Config.cfg” can be copied to a TFTP server
or management station, but cannot be used as the destination file name on
the switch.
WEB INTERFACE
To copy firmware files:
1. Click System, then File.
2. Select Copy from the Action list.
3. Select FTP Upgrade, HTTP Upgrade, or TFTP Upgrade as the file transfer
method.
– 103 –
CHAPTER 4 | Basic Management Tasks
Managing System Files
4. If FTP or TFTP Upgrade is used, enter the IP address of the file server.
5. If FTP Upgrade is used, enter the user name and password for your
account on the FTP server.
6. Set the file type to Operation Code or Loader.
7. Enter the name of the file to download.
8. Select a file on the switch to overwrite or specify a new file name.
9. Then click Apply.
Figure 7: Copy Firmware
If you replaced a file currently used for startup and want to start using the
new file, reboot the system via the System > Reset menu.
SAVING THE RUNNING Use the System > File (Copy) page to save the current configuration
CONFIGURATION TO A settings to a local file on the switch. The configuration settings are not
LOCAL FILE automatically saved by the system for subsequent use when the switch is
rebooted. You must save these settings to the current startup file, or to
another file which can be subsequently set as the startup file.
CLI REFERENCES
◆ "copy" on page 536
PARAMETERS
The following parameters are displayed:
◆
Copy Type – The copy operation includes this option:
■
◆
Running-Config – Copies the current configuration settings to a local
file on the switch.
Destination File Name – Copy to the currently designated startup
file, or to a new file. The file name should not contain slashes (\ or /),
– 104 –
CHAPTER 4 | Basic Management Tasks
Managing System Files
the leading letter of the file name should not be a period (.), and the
maximum length for file names is 32 characters for files on the switch.
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
NOTE: The maximum number of user-defined configuration files is limited
only by available flash memory space.
WEB INTERFACE
To save the running configuration file:
1. Click System, then File.
2. Select Copy from the Action list.
3. Select Running-Config from the Copy Type list.
4. Select the current startup file on the switch to overwrite or specify a
new file name.
5. Then click Apply.
Figure 8: Saving the Running Configuration
If you replaced a file currently used for startup and want to start using the
new file, reboot the system via the System > Reset menu.
SETTING THE Use the System > File (Set Start-Up) page to specify the firmware or
START-UP FILE configuration file to use for system initialization.
CLI REFERENCES
◆ "whichboot" on page 540
◆ "boot system" on page 535
WEB INTERFACE
To set a file to use for system initialization:
1. Click System, then File.
2. Select Set Start-Up from the Action list.
– 105 –
CHAPTER 4 | Basic Management Tasks
Managing System Files
3. Mark the operation code or configuration file to be used at startup
4. Then click Apply.
Figure 9: Setting Start-Up Files
To start using the new firmware or configuration settings, reboot the
system via the System > Reset menu.
SHOWING SYSTEM Use the System > File (Show) page to show the files in the system
FILES directory, or to delete a file.
NOTE: Files designated for start-up, and the Factory_Default_Config.cfg
file, cannot be deleted.
CLI REFERENCES
◆ "dir" on page 539
◆ "delete" on page 539
WEB INTERFACE
To show the system files:
1. Click System, then File.
2. Select Show from the Action list.
3. To delete a file, mark it in the File List and click Delete.
– 106 –
CHAPTER 4 | Basic Management Tasks
Managing System Files
Figure 10: Displaying System Files
AUTOMATIC Use the System > File (Automatic Operation Code Upgrade) page to
OPERATION CODE automatically download an operation code file when a file newer than the
UPGRADE currently installed one is discovered on the file server. After the file is
transferred from the server and successfully written to the file system, it is
automatically set as the startup file, and the switch is rebooted.
CLI REFERENCES
◆ "upgrade opcode auto" on page 541
◆ "upgrade opcode path" on page 542
USAGE GUIDELINES
◆ If this feature is enabled, the switch searches the defined URL once
during the bootup sequence.
◆
FTP (port 21) and TFTP (port 69) are both supported. Note that the
TCP/UDP port bindings cannot be modified to support servers listening
on non-standard ports.
◆
The host portion of the upgrade file location URL must be a valid IPv4
IP address. DNS host names are not recognized. Valid IP addresses
consist of four numbers, 0 to 255, separated by periods.
◆
The path to the directory must also be defined. If the file is stored in
the root directory for the FTP/TFTP service, then use the “/” to indicate
this (e.g., ftp://192.168.0.1/).
◆
The file name must not be included in the upgrade file location URL.
The file name of the code stored on the remote server must be
ECS4110-24T_Op.bix1 (using upper case and lower case letters exactly
as indicated here). Enter the file name for other switches described in
this manual exactly as shown on the web interface.
◆
The FTP connection is made with PASV mode enabled. PASV mode is
needed to traverse some fire walls, even if FTP traffic is not blocked.
PASV mode cannot be disabled.
1.
This filename uses 24T. However, it supports a series of 24, 26 and 28-port switches.
– 107 –
CHAPTER 4 | Basic Management Tasks
Managing System Files
◆
The switch-based search function is case-insensitive in that it will
accept a file name in upper or lower case (i.e., the switch will accept
ECS4110-24T_OP.BIX from the server even though
ECS4110-24T_Op.bix was requested). However, keep in mind that the
file systems of many operating systems such as Unix and most Unixlike systems (FreeBSD, NetBSD, OpenBSD, and most Linux
distributions, etc.) are case-sensitive, meaning that two files in the
same directory, ecs4110-24t_op.bix and ECS4110-24T_Op.bix are
considered to be unique files. Thus, if the upgrade file is stored as
ECS4110-24T_Op.bix on a case-sensitive server, then the switch
(requesting ecs4110-24t_op.bix) will not be upgraded because the
server does not recognize the requested file name and the stored file
name as being equal. A notable exception in the list of case-sensitive
Unix-like operating systems is Mac OS X, which by default is caseinsensitive. Please check the documentation for your server’s operating
system if you are unsure of its file system’s behavior.
◆
Note that the switch itself does not distinguish between upper and
lower-case file names, and only checks to see if the file stored on the
server is more recent than the current runtime image.
◆
If two operation code image files are already stored on the switch’s file
system, then the non-startup image is deleted before the upgrade
image is transferred.
◆
The automatic upgrade process will take place in the background
without impeding normal operations (data switching, etc.) of the
switch.
◆
During the automatic search and transfer process, the administrator
cannot transfer or update another operation code image, configuration
file, public key, or HTTPS certificate (i.e., no other concurrent file
management operations are possible).
◆
The upgrade operation code image is set as the startup image after it
has been successfully written to the file system.
◆
The switch will send an SNMP trap and make a log entry upon all
upgrade successes and failures.
◆
The switch will immediately restart after the upgrade file is successfully
written to the file system and set as the startup image.
PARAMETERS
The following parameters are displayed:
◆
Automatic Opcode Upgrade – Enables the switch to search for an
upgraded operation code file during the switch bootup process.
(Default: Disabled)
◆
Automatic Upgrade Location URL – Defines where the switch should
search for the operation code upgrade file. The last character of this
URL must be a forward slash (“/”). The ECS4110-24T_Op.bix filename
– 108 –
CHAPTER 4 | Basic Management Tasks
Managing System Files
must not be included since it is automatically appended by the switch.
(Options: ftp, tftp)
The following syntax must be observed:
tftp://host[/filedir]/
■
■
■
■
tftp:// – Defines TFTP protocol for the server connection.
host – Defines the IP address of the TFTP server. Valid IP addresses
consist of four numbers, 0 to 255, separated by periods. DNS host
names are not recognized.
filedir – Defines the directory, relative to the TFTP server root,
where the upgrade file can be found. Nested directory structures
are accepted. The directory name must be separated from the host,
and in nested directory structures, from the parent directory, with a
prepended forward slash “/”.
/ – The forward slash must be the last character of the URL.
ftp://[username[:password@]]host[/filedir]/
■
ftp:// – Defines FTP protocol for the server connection.
■
username – Defines the user name for the FTP connection. If the
user name is omitted, then “anonymous” is the assumed user name
for the connection.
■
password – Defines the password for the FTP connection. To
differentiate the password from the user name and host portions of
the URL, a colon (:) must precede the password, and an “at” symbol
(@), must follow the password. If the password is omitted, then “”
(an empty string) is the assumed password for the connection.
■
host – Defines the IP address of the FTP server. Valid IP addresses
consist of four numbers, 0 to 255, separated by periods. DNS host
names are not recognized.
■
filedir – Defines the directory, relative to the FTP server root, where
the upgrade file can be found. Nested directory structures are
accepted. The directory name must be separated from the host, and
in nested directory structures, from the parent directory, with a
prepended forward slash “/”.
■
/ – The forward slash must be the last character of the URL.
Examples
The following examples demonstrate the URL syntax for a TFTP server
at IP address 192.168.0.1 with the operation code image stored in
various locations:
■
tftp://192.168.0.1/
The image file is in the TFTP root directory.
■
tftp://192.168.0.1/switch-opcode/
– 109 –
CHAPTER 4 | Basic Management Tasks
Managing System Files
The image file is in the “switch-opcode” directory, relative to the
TFTP root.
■
tftp://192.168.0.1/switches/opcode/
The image file is in the “opcode” directory, which is within the
“switches” parent directory, relative to the TFTP root.
The following examples demonstrate the URL syntax for an FTP server
at IP address 192.168.0.1 with various user name, password and file
location options presented:
■
ftp://192.168.0.1/
The user name and password are empty, so “anonymous” will be
the user name and the password will be blank. The image file is in
the FTP root directory.
■
ftp://switches:upgrade@192.168.0.1/
The user name is “switches” and the password is “upgrade”. The
image file is in the FTP root.
■
ftp://switches:upgrade@192.168.0.1/switches/opcode/
The user name is “switches” and the password is “upgrade”. The
image file is in the “opcode” directory, which is within the “switches”
parent directory, relative to the FTP root.
WEB INTERFACE
To configure automatic code upgrade:
1. Click System, then File.
2. Select Automatic Operation Code Upgrade from the Action list.
3. Mark the check box to enable Automatic Opcode Upgrade.
4. Enter the URL of the FTP or TFTP server, and the path and directory
containing the operation code.
5. Click Apply.
Figure 11: Configuring Automatic Code Upgrade
– 110 –
CHAPTER 4 | Basic Management Tasks
Setting the System Clock
If a new image is found at the specified location, the following type of
messages will be displayed during bootup.
.
.
.
Automatic Upgrade is looking for a new image
New image detected: current version 1.0.1.5; new version 1.1.2.0
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
.
.
.
SETTING THE SYSTEM CLOCK
Simple Network Time Protocol (SNTP) allows the switch to set its internal
clock based on periodic updates from a time server (SNTP or NTP).
Maintaining an accurate time on the switch enables the system log to
record meaningful dates and times for event entries. You can also manually
set the clock. If the clock is not set manually or via SNTP, the switch will
only record the time from the factory default set at the last bootup.
When the SNTP client is enabled, the switch periodically sends a request
for a time update to a configured time server. You can configure up to three
time server IP addresses. The switch will attempt to poll each server in the
configured sequence.
SETTING THE TIME Use the System > Time (Configure General - Manually) page to set the
MANUALLY system time on the switch manually without using SNTP.
CLI REFERENCES
◆ "calendar set" on page 571
◆ "show calendar" on page 571
PARAMETERS
The following parameters are displayed:
◆
Current Time – Shows the current time set on the switch.
◆
Hours – Sets the hour. (Range: 0-23)
◆
Minutes – Sets the minute value. (Range: 0-59)
◆
Seconds – Sets the second value. (Range: 0-59)
◆
Month – Sets the month. (Range: 1-12)
– 111 –
CHAPTER 4 | Basic Management Tasks
Setting the System Clock
◆
Day – Sets the day of the month. (Range: 1-31)
◆
Year – Sets the year. (Range: 1970-2037)
WEB INTERFACE
To manually set the system clock:
1. Click System, then Time.
2. Select Configure General from the Step list.
3. Select Manually from the Maintain Type list.
4. Enter the time and date in the appropriate fields.
5. Click Apply
Figure 12: Manually Setting the System Clock
SETTING THE SNTP Use the System > Time (Configure General - SNTP) page to set the polling
POLLING INTERVAL interval at which the switch will query the specified time servers.
CLI REFERENCES
◆ "Time" on page 565
PARAMETERS
The following parameters are displayed:
◆
Current Time – Shows the current time set on the switch.
◆
SNTP Polling Interval – Sets the interval between sending requests
for a time update from a time server. (Range: 16-16384 seconds;
Default: 16 seconds)
WEB INTERFACE
To set the polling interval for SNTP:
1. Click System, then Time.
2. Select Configure General from the Action list.
– 112 –
CHAPTER 4 | Basic Management Tasks
Setting the System Clock
3. Select SNTP from the Maintain Type list.
4. Modify the polling interval if required.
5. Click Apply
Figure 13: Setting the Polling Interval for SNTP
SPECIFYING SNTP Use the System > Time (Configure Time Server) page to specify the IP
TIME SERVERS address for up to three SNTP time servers.
CLI REFERENCES
◆ "sntp server" on page 567
PARAMETERS
The following parameters are displayed:
◆
SNTP Server IP Address – Sets the IPv4 or IPv6 address for up to
three time servers. The switch attempts to update the time from the
first server, if this fails it attempts an update from the next server in the
sequence.
WEB INTERFACE
To set the SNTP time servers:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Enter the IP address of up to three time servers.
4. Click Apply.
– 113 –
CHAPTER 4 | Basic Management Tasks
Setting the System Clock
Figure 14: Specifying SNTP Time Servers
SETTING THE TIME Use the System > Time (Configure Time Server) page to set the time zone.
ZONE SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean
Time, or GMT) based on the time at the Earth’s prime meridian, zero
degrees longitude, which passes through Greenwich, England. To display a
time corresponding to your local time, you must indicate the number of
hours and minutes your time zone is east (before) or west (after) of UTC.
You can choose one of the 80 predefined time zone definitions, or your can
manually configure the parameters for your local time zone.
CLI REFERENCES
◆ "clock timezone" on page 569
◆ "clock timezone-predefined" on page 570
PARAMETERS
The following parameters are displayed:
◆
Predefined Configuration – A drop-down box provides access to the
80 predefined time zone configurations. Each choice indicates it’s offset
from UTC and lists at least one major city or location covered by the
time zone.
◆
User-defined Configuration – Allows the user to define all
parameters of the local time zone.
■
■
■
■
Direction: Configures the time zone to be before (east of) or after
(west of) UTC.
Name – Assigns a name to the time zone. (Range: 1-29 characters)
Hours (0-13) – The number of hours before/after UTC. The
maximum value before UTC is 12. The maximum value after UTC is
13.
Minutes (0-59) – The number of minutes before/after UTC.
– 114 –
CHAPTER 4 | Basic Management Tasks
Setting the System Clock
WEB INTERFACE
To set your local time zone:
1. Click System, then Time.
2. Select Configure Time Zone from the Action list.
3. Set the offset for your time zone relative to the UTC in hours and
minutes using either a predefined or custom definition.
4. Click Apply.
Figure 15: Setting the Time Zone
CONFIGURING Use the System > Time (Configure Summer Time) menu to configures
SUMMER TIME summer time (that is, Daylight Savings Time) for the switch’s internal
clock.
CLI REFERENCES
◆ "clock summer-time" on page 568
USAGE GUIDELINES
◆ In some countries or regions, clocks are adjusted through the summer
months so that afternoons have more daylight and mornings have less.
This is known as Summer Time, or Daylight Savings Time (DST).
Typically, clocks are adjusted forward one hour at the start of spring
and then adjusted backward in autumn.
◆
This configuration page sets the summer-time zone relative to the
currently configured time zone. To specify a time corresponding to your
local time when summer time is in effect, you must indicate the number
of minutes your summer-time zone deviates from your regular time
zone (that is, the offset).
– 115 –
CHAPTER 4 | Basic Management Tasks
Setting the System Clock
PARAMETERS
The following parameters are displayed:
◆
Summer Time in Effect – Indicates whether or not Summer Time
settings are currently is use.
◆
Status – Enables or disables Summer Time settings.
◆
Name – Name of the time zone while Summer Time is in effect, usually
an acronym. (Range: 1-30 characters)
◆
Mode (Date) – Sets the start, end, and offset times of summer time on
a one-time basis.
■
Offset – Summer time offset from the regular time zone. (Range:
0-99 minutes; Default: 60 minutes)
■
From – The date and time at which to start using Summer Time
settings.
■
To – The date and time at which to stop using Summer Time
settings.
WEB INTERFACE
To configure Summer Time:
1. Click System, then Time.
2. Select Configure Summer Time from the Step list.
3. Set the Status to enable or disable Summer Time.
4. Fill in the Name field.
5. Then set the offset and the start to end time range.
6. Click Apply
Figure 16: Summer Time Settings
– 116 –
CHAPTER 4 | Basic Management Tasks
Configuring the Console Port
CONFIGURING THE CONSOLE PORT
Use the System > Console menu to configure connection parameters for
the switch’s console port. You can access the onboard configuration
program by attaching a VT100 compatible device to the switch’s serial
console port. Management access through the console port is controlled by
various parameters, including a password (only configurable through the
CLI), time outs, and basic communication settings. Note that these
parameters can be configured via the web or CLI interface.
CLI REFERENCES
◆ "Line" on page 544
PARAMETERS
The following parameters are displayed:
◆
Login Timeout – Sets the interval that the system waits for a user to
log into the CLI. If a login attempt is not detected within the timeout
interval, the connection is terminated for the session.
(Range: 0-300 seconds; Default: 0 seconds)
◆
Exec Timeout – Sets the interval that the system waits until user input
is detected. If user input is not detected within the timeout interval, the
current session is terminated. (Range: 0-65535 seconds;
Default: Disabled)
◆
Password Threshold – Sets the password intrusion threshold, which
limits the number of failed logon attempts. When the logon attempt
threshold is reached, the system interface becomes silent for a
specified amount of time (set by the Silent Time parameter) before
allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)
◆
Silent Time – Sets the amount of time the management console is
inaccessible after the number of unsuccessful logon attempts has been
exceeded. (Range: 0-65535 seconds; Default: 30 seconds)
◆
Data Bits – Sets the number of data bits per character that are
interpreted and generated by the console port. If parity is being
generated, specify 7 data bits per character. If no parity is required,
specify 8 data bits per character. (Default: 8 bits)
◆
Stop Bits – Sets the number of the stop bits transmitted per byte.
(Range: 1-2; Default: 1 stop bit)
◆
Parity – Defines the generation of a parity bit. Communication
protocols provided by some terminals can require a specific parity bit
setting. Specify Even, Odd, or None. (Default: None)
◆
Speed – Sets the terminal line’s baud rate for transmit (to terminal)
and receive (from terminal). Set the speed to match the baud rate of
the device connected to the serial port. (Range: 9600, 19200, 38400,
57600 or 115200 baud, Auto; Default: 115200 baud)
– 117 –
CHAPTER 4 | Basic Management Tasks
Configuring the Console Port
NOTE: Due to a hardware limitation, the terminal program connected to the
console port must be set to 8 data bits when using Auto baud rate
detection.
NOTE: The password for the console connection can only be configured
through the CLI (see "password" on page 548).
NOTE: Password checking can be enabled or disabled for logging in to the
console connection (see "login" on page 547). You can select
authentication by a single global password as configured for the password
command, or by passwords set up for specific user-name accounts. The
default is for local passwords configured on the switch.
WEB INTERFACE
To configure parameters for the console port:
1. Click System, then Console.
2. Specify the connection parameters as required.
3. Click Apply
Figure 17: Console Port Settings
– 118 –
CHAPTER 4 | Basic Management Tasks
Configuring Telnet Settings
CONFIGURING TELNET SETTINGS
Use the System > Telnet menu to configure parameters for accessing the
CLI over a Telnet connection. You can access the onboard configuration
program over the network using Telnet (i.e., a virtual terminal).
Management access via Telnet can be enabled/disabled and other
parameters set, including the TCP port number, time outs, and a password.
Note that the password is only configurable through the CLI.) These
parameters can be configured via the web or CLI interface.
CLI REFERENCES
◆ "Line" on page 544
PARAMETERS
The following parameters are displayed:
◆
Telnet Status – Enables or disables Telnet access to the switch.
(Default: Enabled)
◆
TCP Port – Sets the TCP port number for Telnet on the switch.
(Default: 23)
◆
Login Timeout – Sets the interval that the system waits for a user to
log into the CLI. If a login attempt is not detected within the timeout
interval, the connection is terminated for the session.
(Range: 1-300 seconds; Default: 300 seconds)
◆
Exec Timeout – Sets the interval that the system waits until user input
is detected. If user input is not detected within the timeout interval, the
current session is terminated. (Range: 1-65535 seconds; Default: 600
seconds)
◆
Password Threshold – Sets the password intrusion threshold, which
limits the number of failed logon attempts. When the logon attempt
threshold is reached, the system interface becomes silent for a
specified amount of time (set by the Silent Time parameter) before
allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)
◆
Silent Time – Sets the amount of time the management interface is
inaccessible after the number of unsuccessful logon attempts has been
exceeded. (Range: 0-65535 seconds; Default: 30 seconds)
NOTE: Password checking can be enabled or disabled for login to the
console connection (see "login" on page 547). You can select
authentication by a single global password as configured for the password
command, or by passwords set up for specific user-name accounts. The
default is for local passwords configured on the switch.
– 119 –
CHAPTER 4 | Basic Management Tasks
Displaying CPU Utilization
WEB INTERFACE
To configure parameters for the console port:
1. Click System, then Telnet.
2. Specify the connection parameters as required.
3. Click Apply
Figure 18: Telnet Connection Settings
DISPLAYING CPU UTILIZATION
Use the System > CPU Utilization page to display information on CPU
utilization.
CLI REFERENCES
◆ "show process cpu" on page 528
PARAMETERS
The following parameters are displayed:
◆
Time Interval – The interval at which to update the displayed
utilization rate. (Options: 1, 5, 10, 30, 60 seconds; Default: 1 second)
◆
CPU Utilization – CPU utilization over specified interval.
WEB INTERFACE
To display CPU utilization:
1. Click System, then CPU Utilization.
2. Change the update interval if required. Note that the interval is
changed as soon as a new setting is selected.
– 120 –
CHAPTER 4 | Basic Management Tasks
Displaying Memory Utilization
Figure 19: Displaying CPU Utilization
DISPLAYING MEMORY UTILIZATION
Use the System > Memory Status page to display memory utilization
parameters.
CLI REFERENCES
◆ "show memory" on page 527
PARAMETERS
The following parameters are displayed:
◆
Free Size – The amount of memory currently free for use.
◆
Used Size – The amount of memory allocated to active processes.
◆
Total – The total amount of system memory.
– 121 –
CHAPTER 4 | Basic Management Tasks
Resetting the System
WEB INTERFACE
To display memory utilization:
1. Click System, then Memory Status.
Figure 20: Displaying Memory Utilization
RESETTING THE SYSTEM
Use the System > Reload menu to restart the switch immediately, at a
specified time, after a specified delay, or at a periodic interval.
CLI REFERENCES
◆ "reload (Privileged Exec)" on page 522
◆ "reload (Global Configuration)" on page 518
◆ "show reload" on page 523
◆ “copy running-config startup-config” on page 536
COMMAND USAGE
◆ This command resets the entire system.
◆
To retain all configuration information stored in non-volatile memory,
click the Save button prior to resetting the system.
◆
When the system is restarted, it will always run the Power-On Self-Test.
It will also retain all configuration information stored in non-volatile
memory by the copy running-config startup-config command (See
"copy" on page 536).
PARAMETERS
The following parameters are displayed:
System Reload Information
◆
Reload Settings – Displays information on the next scheduled reload
and selected reload mode as shown in the following example:
“The switch will be rebooted at March 9 12:00:00 2012. Remaining
Time: 0 days, 2 hours, 46 minutes, 5 seconds.
Reloading switch regularly time: 12:00 everyday.”
– 122 –
CHAPTER 4 | Basic Management Tasks
Resetting the System
◆
Refresh – Refreshes reload information. Changes made through the
console or to system time may need to be refreshed to display the
current settings.
◆
Cancel – Cancels the current settings shown in this field.
System Reload Configuration
◆
Reload Mode – Restarts the switch immediately or at the specified
time(s).
■
■
■
■
Immediately – Restarts the system immediately.
In – Specifies an interval after which to reload the switch.
(The specified time must be equal to or less than 24 days.)
■
hours – The number of hours, combined with the minutes,
before the switch resets. (Range: 0-576)
■
minutes – The number of minutes, combined with the hours,
before the switch resets. (Range: 0-59)
At – Specifies a time at which to reload the switch.
■
DD - The day of the month at which to reload. (Range: 1-31)
■
MM - The month at which to reload. (Range: 01-12)
■
YYYY - The year at which to reload. (Range: 1970-2037)
■
HH - The hour at which to reload. (Range: 0-23)
■
MM - The minute at which to reload. (Range: 0-59)
Regularly – Specifies a periodic interval at which to reload the
switch.
Time
■
HH - The hour at which to reload. (Range: 0-23)
■
MM - The minute at which to reload. (Range: 0-59)
Period
■
Daily - Every day.
■
Weekly - Day of the week at which to reload.
(Range: Sunday ... Saturday)
■
Monthly - Day of the month at which to reload. (Range: 1-31)
– 123 –
CHAPTER 4 | Basic Management Tasks
Resetting the System
Save Current Settings
◆
Save – Click this button to save the current configuration settings.
Use Factory Default Settings and Reboot
◆
Factory Default Settings & Reboot – Click this button to restore the
factory default settings and reboot the system.
WEB INTERFACE
To restart the switch:
1. Click System, then Reload.
2. Select the required reload mode.
3. For any option other than to reset immediately, fill in the required
parameters
4. Click Apply.
5.
When prompted, confirm that you want reset the switch.
Figure 21: Restarting the Switch (Immediately)
– 124 –
CHAPTER 4 | Basic Management Tasks
Resetting the System
Figure 22: Restarting the Switch (In)
Figure 23: Restarting the Switch (At)
– 125 –
CHAPTER 4 | Basic Management Tasks
Resetting the System
Figure 24: Restarting the Switch (Regularly)
– 126 –
5
INTERFACE CONFIGURATION
This chapter describes the following topics:
◆
Port Configuration – Configures connection settings, including autonegotiation, or manual setting of speed, duplex mode, and flow control.
◆
Local Port Mirroring – Sets the source and target ports for mirroring on
the local switch.
◆
Remote Port Mirroring – Configures mirroring of traffic from remote
switches for analysis at a destination port on the local switch.
◆
Displaying Statistics – Shows Interface, Etherlike, and RMON port
statistics in table or chart form.
◆
Cable Test – Tests the cable attached to a port.
◆
Trunk Configuration – Configures static or dynamic trunks.
◆
Saving Power – Adjusts the power provided to ports based on the
length of the cable used to connect to other devices.
◆
Traffic Segmentation – Configures the uplinks and down links to a
segmented group of ports.
◆
VLAN Trunking – Configures a tunnel across one or more intermediate
switches which pass traffic for VLAN groups to which they do not
belong.
PORT CONFIGURATION
This section describes how to configure port connections, mirror traffic
from one port to another, and run cable diagnostics.
CONFIGURING BY Use the Interface > Port > General (Configure by Port List) page to enable/
PORT LIST disable an interface, set auto-negotiation and the interface capabilities to
advertise, or manually fix the speed, duplex mode, and flow control.
CLI REFERENCES
◆ "Interface Commands" on page 729
– 127 –
CHAPTER 5 | Interface Configuration
Port Configuration
COMMAND USAGE
◆ Auto-negotiation must be disabled before you can configure or force an
RJ-45 interface to use the Speed/Duplex mode or Flow Control options.
◆
When using auto-negotiation, the optimal settings will be negotiated
between the link partners based on their advertised capabilities. To set
the speed, duplex mode, or flow control under auto-negotiation, the
required operation modes must be specified in the capabilities list for
an interface.
◆
The 1000BASE-T standard does not support forced mode. Autonegotiation should always be used to establish a connection over any
1000BASE-T port or trunk. If not used, the success of the link process
cannot be guaranteed when connecting to other types of switches.
◆
The Speed/Duplex mode is fixed at 1000full on the Gigabit SFP ports.
When auto-negotiation is enabled, the only attributes which can be
advertised include flow control and symmetric pause frames.
PARAMETERS
These parameters are displayed:
◆
Port – Port identifier. (Range: 1-26)
◆
Type – Indicates the port type. (100Base-TX, 100Base-FX,
1000Base-T, 1000Base SFP)
◆
Name – Allows you to label an interface. (Range: 1-64 characters)
◆
Admin – Allows you to manually disable an interface. You can disable
an interface due to abnormal behavior (e.g., excessive collisions), and
then re-enable it after the problem has been resolved. You may also
disable an interface for security reasons.
◆
Media Type – Not applicable for this switch.
◆
Autonegotiation (Port Capabilities) – Allows auto-negotiation to be
enabled/disabled. When auto-negotiation is enabled, you need to
specify the capabilities to be advertised. When auto-negotiation is
disabled, you can force the settings for speed, mode, and flow
control.The following capabilities are supported.
■
10h - Supports 10 Mbps half-duplex operation
■
10f - Supports 10 Mbps full-duplex operation
■
100h - Supports 100 Mbps half-duplex operation
■
100f - Supports 100 Mbps full-duplex operation
■
1000f - Supports 1000 Mbps full-duplex operation
■
Sym (Gigabit only) - Check this item to transmit and receive pause
frames.
– 128 –
CHAPTER 5 | Interface Configuration
Port Configuration
■
FC - Flow control can eliminate frame loss by “blocking” traffic from
end stations or segments connected directly to the switch when its
buffers fill. When enabled, back pressure is used for half-duplex
operation and IEEE 802.3-2005 (formally IEEE 802.3x) for fullduplex operation.
Default: Autonegotiation enabled; Advertised capabilities for
100Base-TX – 10half, 10full, 100half, 100full;
100BASE-FX (SFP) – 100full;
1000BASE-T – 10half, 10full, 100half, 100full, 1000full;
1000Base-SX/LX/LH – 1000full
◆
Speed/Duplex – Allows you to manually set the port speed and
duplex mode. (i.e., with auto-negotiation disabled)
◆
Giga PHY Mode – Forces two connected ports into a master/slave
configuration to enable 1000BASE-T full duplex for Gigabit ports. The
following options are supported:
■
Master - Sets the selected port as master.
■
Slave - Sets the selected port as slave.
To force 1000full operation requires the ports at both ends of a link to
establish their role in the connection process as a master or slave.
Before using this feature, auto-negotiation must first be disabled, and
the Speed/Duplex attribute set to 1000full. Then select compatible Giga
PHY modes at both ends of the link.
If auto-negotiation is enabled at the far end of a link, and disabled on
the local end, a link should eventually be established regardless of the
selected giga-phy mode.
◆
Flow Control – Allows automatic or manual selection of flow control.
WEB INTERFACE
To configure port connection parameters:
1. Click Interface, Port, General.
2. Select Configure by Port List from the Action List.
3. Modify the required interface settings.
4. Click Apply.
– 129 –
CHAPTER 5 | Interface Configuration
Port Configuration
Figure 25: Configuring Connections by Port List
CONFIGURING BY Use the Interface > Port > General (Configure by Port Range) page to
PORT RANGE enable/disable an interface, set auto-negotiation and the interface
capabilities to advertise, or manually fix the speed, duplex mode, and flow
control.
For more information on command usage and a description of the
parameters, refer to "Configuring by Port List" on page 127.
CLI REFERENCES
◆ "Interface Commands" on page 729
WEB INTERFACE
To configure port connection parameters:
1. Click Interface, Port, General.
2. Select Configure by Port Range from the Action List.
3. Enter to range of ports to which your configuration changes apply.
4. Modify the required interface settings.
5. Click Apply.
– 130 –
CHAPTER 5 | Interface Configuration
Port Configuration
Figure 26: Configuring Connections by Port Range
DISPLAYING Use the Interface > Port > General (Show Information) page to display the
CONNECTION STATUS current connection status, including link state, speed/duplex mode, flow
control, and auto-negotiation.
CLI REFERENCES
◆ "show interfaces status" on page 741
PARAMETERS
These parameters are displayed:
◆
Port – Port identifier.
◆
Type – Indicates the port type. (100Base-TX, 100Base-FX,
1000Base-T, 1000Base SFP)
◆
Name – Interface label.
◆
Admin – Shows if the port is enabled or disabled.
◆
Oper Status – Indicates if the link is Up or Down.
◆
Media Type – Not applicable for this switch.
◆
Autonegotiation – Shows if auto-negotiation is enabled or disabled.
◆
Oper Speed Duplex – Shows the current speed and duplex mode.
◆
Oper Flow Control – Shows the flow control type used.
– 131 –
CHAPTER 5 | Interface Configuration
Port Configuration
WEB INTERFACE
To display port connection parameters:
1. Click Interface, Port, General.
2. Select Show Information from the Action List.
Figure 27: Displaying Port Information
CONFIGURING LOCAL Use the Interface > Port > Mirror page to mirror traffic from any source
PORT MIRRORING port to a target port for real-time analysis. You can then attach a logic
analyzer or RMON probe to the target port and study the traffic crossing
the source port in a completely unobtrusive manner.
Figure 28: Configuring Local Port Mirroring
Source
port(s)
Single
target
port
CLI REFERENCES
◆ "Local Port Mirroring Commands" on page 761
COMMAND USAGE
◆ Traffic can be mirrored from one or more source ports to a destination
port on the same switch (local port mirroring as described in this
section), or from one or more source ports on remote switches to a
destination port on this switch (remote port mirroring as described in
"Configuring Remote Port Mirroring" on page 134).
◆
Monitor port speed should match or exceed source port speed,
otherwise traffic may be dropped from the monitor port.
◆
When mirroring VLAN traffic (see "Configuring VLAN Mirroring" on
page 193) or packets based on a source MAC address (see "Configuring
– 132 –
CHAPTER 5 | Interface Configuration
Port Configuration
MAC Address Mirroring" on page 200), the target port cannot be set to
the same target ports as that used for port mirroring by this command.
◆
When traffic matches the rules for both port mirroring, and for
mirroring of VLAN traffic or packets based on a MAC address, the
matching packets will not be sent to target port specified for port
mirroring.
◆
Note that Spanning Tree BPDU packets are not mirrored to the target
port.
◆
The destination port cannot be a trunk or trunk member port.
PARAMETERS
These parameters are displayed:
◆
Source Port – The port whose traffic will be monitored.
(Range: 1-26)
◆
Target Port – The port that will mirror the traffic on the source port.
(Range: 1-26)
◆
Type – Allows you to select which traffic to mirror to the target port, Rx
(receive), Tx (transmit), or Both. (Default: Both)
WEB INTERFACE
To configure a local mirror session:
1. Click Interface, Port, Mirror.
2. Select Add from the Action List.
3. Specify the source port.
4. Specify the monitor port.
5. Specify the traffic type to be mirrored.
6. Click Apply.
Figure 29: Configuring Local Port Mirroring
– 133 –
CHAPTER 5 | Interface Configuration
Port Configuration
To display the configured mirror sessions:
1. Click Interface, Port, Mirror.
2. Select Show from the Action List.
Figure 30: Displaying Local Port Mirror Sessions
CONFIGURING REMOTE Use the Interface > RSPAN page to mirror traffic from remote switches for
PORT MIRRORING analysis at a destination port on the local switch. This feature, also called
Remote Switched Port Analyzer (RSPAN), carries traffic generated on the
specified source ports for each session over a user-specified VLAN
dedicated to that RSPAN session in all participating switches. Monitored
traffic from one or more sources is copied onto the RSPAN VLAN through
IEEE 802.1Q trunk or hybrid ports that carry it to any RSPAN destination
port monitoring the RSPAN VLAN as shown in the figure below.
Figure 31: Configuring Remote Port Mirroring
Intermediate Switch
Uplink Port
Uplink Port
Destination Switch
Source Switch
Source Port
RPSAN VLAN
Uplink Port
Uplink Port
Destination Port
Tagged or untagged traffic
from the RSPAN VLAN is
analyzed at this port.
Ingress or egress traffic
is mirrored onto the RSPAN
VLAN from here.
CLI REFERENCES
◆ "RSPAN Mirroring Commands" on page 764
COMMAND USAGE
◆ Traffic can be mirrored from one or more source ports to a destination
port on the same switch (local port mirroring as described in
"Configuring Local Port Mirroring" on page 132), or from one or more
– 134 –
CHAPTER 5 | Interface Configuration
Port Configuration
source ports on remote switches to a destination port on this switch
(remote port mirroring as described in this section).
◆
Configuration Guidelines
Take the following step to configure an RSPAN session:
1. Use the VLAN Static List (see "Configuring VLAN Groups" on
page 170) to reserve a VLAN for use by RSPAN (marking the
“Remote VLAN” field on this page. (Default VLAN 1 is prohibited.)
2. Set up the source switch on the RSPAN configuration page by
specifying the mirror session, the switch’s role (Source), the RSPAN
VLAN, and the uplink port2. Then specify the source port(s), and the
traffic type to monitor (Rx, Tx or Both).
3. Set up all intermediate switches on the RSPAN configuration page,
entering the mirror session, the switch’s role (Intermediate), the
RSPAN VLAN, and the uplink port(s).
4. Set up the destination switch on the RSPAN configuration page by
specifying the mirror session, the switch’s role (Destination), the
destination port2, whether or not the traffic exiting this port will be
tagged or untagged, and the RSPAN VLAN. Then specify each uplink
port where the mirrored traffic is being received.
◆
RSPAN Limitations
The following limitations apply to the use of RSPAN on this switch:
■
■
■
■
■
RSPAN Ports – Only ports can be configured as an RSPAN source,
destination, or uplink; static and dynamic trunks are not allowed. A
port can only be configured as one type of RSPAN interface –
source, destination, or uplink. Also, note that the source port and
destination port cannot be configured on the same switch.
Local/Remote Mirror – The destination of a local mirror session
(created on the Interface > Port > Mirror page) cannot be used as
the destination for RSPAN traffic.
Spanning Tree – If the spanning tree is disabled, BPDUs will not be
flooded onto the RSPAN VLAN.
MAC address learning is not supported on RSPAN uplink ports when
RSPAN is enabled on the switch. Therefore, even if spanning tree is
enabled after RSPAN has been configured, MAC address learning
will still not be re-started on the RSPAN uplink ports.
IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions.
When 802.1X is enabled globally, RSPAN uplink ports cannot be
configured, even though RSPAN source and destination ports can
2. Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN
uplink or destination ports – access ports are not allowed (see "Adding Static Members to
VLANs" on page 171).
– 135 –
CHAPTER 5 | Interface Configuration
Port Configuration
still be configured. When RSPAN uplink ports are enabled on the
switch, 802.1X cannot be enabled globally.
■
Port Security – If port security is enabled on any port, that port
cannot be set as an RSPAN uplink port, even though it can still be
configured as an RSPAN source or destination port. Also, when a
port is configured as an RSPAN uplink port, port security cannot be
enabled on that port.
PARAMETERS
These parameters are displayed:
◆
Session – A number identifying this RSPAN session. (Range: 1-2)
Only two mirror sessions are allowed, including both local and remote
mirroring. If local mirroring is enabled (see page 132), then there is
only one session available for RSPAN.
◆
Operation Status – Indicates whether or not RSPAN is currently
functioning.
◆
Switch Role – Specifies the role this switch performs in mirroring
traffic.
■
None – This switch will not participate in RSPAN.
■
Source - Specifies this device as the source of remotely mirrored
traffic.
■
Intermediate - Specifies this device as an intermediate switch,
transparently passing mirrored traffic from one or more sources to
one or more destinations.
■
Destination - Specifies this device as a switch configured with a
destination port which is to receive mirrored traffic for this session.
◆
Remote VLAN – The VLAN to which traffic mirrored from the source
port will be flooded. The VLAN specified in this field must first be
reserved for the RSPAN application using the VLAN > Static page (see
page 170).
◆
Uplink Port – A port on any switch participating in RSPAN through
which mirrored traffic is passed on to or received from the RSPAN
VLAN.
Only one uplink port can be configured on a source switch, but there is
no limitation on the number of uplink ports2 configured on an
intermediate or destination switch.
Only destination and uplink ports will be assigned by the switch as
members of the RSPAN VLAN. Ports cannot be manually assigned to an
RSPAN VLAN through the VLAN > Static page. Nor can GVRP
dynamically add port members to an RSPAN VLAN. Also, note that the
VLAN > Static (Show) page will not display any members for an RSPAN
VLAN, but will only show configured RSPAN VLAN identifiers.
◆
Type – Specifies the traffic type to be mirrored remotely. (Options: Rx,
Tx, Both)
– 136 –
CHAPTER 5 | Interface Configuration
Port Configuration
◆
Destination Port – Specifies the destination port2 to monitor the
traffic mirrored from the source ports. Only one destination port can be
configured on the same switch per session, but a destination port can
be configured on more than one switch for the same session. Also note
that a destination port can still send and receive switched traffic, and
participate in any Layer 2 protocols to which it has been assigned.
◆
Tag – Specifies whether or not the traffic exiting the destination port to
the monitoring device carries the RSPAN VLAN tag.
WEB INTERFACE
To configure a remote mirror session:
1. Click Interface, RSPAN.
2. Set the Switch Role to None, Source, Intermediate, or Destination.
3. Configure the required settings for each switch participating in the
RSPAN VLAN.
4. Click Apply.
Figure 32: Configuring Remote Port Mirroring (Source)
– 137 –
CHAPTER 5 | Interface Configuration
Port Configuration
Figure 33: Configuring Remote Port Mirroring (Intermediate)
Figure 34: Configuring Remote Port Mirroring (Destination)
SHOWING PORT OR Use the Interface > Port/Trunk > Statistics or Chart page to display
TRUNK STATISTICS standard statistics on network traffic from the Interfaces Group and
Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the
RMON MIB. Interfaces and Ethernet-like statistics display errors on the
traffic passing through each port. This information can be used to identify
potential problems with the switch (such as a faulty port or unusually
heavy traffic). RMON statistics provide access to a broad range of statistics,
including a total count of different frame types and sizes passing through
each port. All values displayed have been accumulated since the last
system reboot, and are shown as counts per second. Statistics are
refreshed every 60 seconds by default.
NOTE: RMON groups 2, 3 and 9 can only be accessed using SNMP
management software.
– 138 –
CHAPTER 5 | Interface Configuration
Port Configuration
CLI REFERENCES
◆ "show interfaces counters" on page 740
PARAMETERS
These parameters are displayed:
Table 7: Port Statistics
Parameter
Description
Interface Statistics
Received Octets
The total number of octets received on the interface, including
framing characters.
Transmitted Octets
The total number of octets transmitted out of the interface,
including framing characters.
Received Errors
The number of inbound packets that contained errors preventing
them from being deliverable to a higher-layer protocol.
Transmitted Errors
The number of outbound packets that could not be transmitted
because of errors.
Received Unicast Packets
The number of subnetwork-unicast packets delivered to a higherlayer protocol.
Transmitted Unicast
Packets
The total number of packets that higher-level protocols requested
be transmitted to a subnetwork-unicast address, including those
that were discarded or not sent.
Received Discarded
Packets
The number of inbound packets which were chosen to be
discarded even though no errors had been detected to prevent
their being deliverable to a higher-layer protocol. One possible
reason for discarding such a packet could be to free up buffer
space.
Transmitted Discarded
Packets
The number of outbound packets which were chosen to be
discarded even though no errors had been detected to prevent
their being transmitted. One possible reason for discarding such a
packet could be to free up buffer space.
Received Multicast
Packets
The number of packets, delivered by this sub-layer to a higher
(sub-)layer, which were addressed to a multicast address at this
sub-layer.
Transmitted Multicast
Packets
The total number of packets that higher-level protocols requested
be transmitted, and which were addressed to a multicast address
at this sub-layer, including those that were discarded or not sent.
Received Broadcast
Packets
The number of packets, delivered by this sub-layer to a higher
(sub-)layer, which were addressed to a broadcast address at this
sub-layer.
Transmitted Broadcast
Packets
The total number of packets that higher-level protocols requested
be transmitted, and which were addressed to a broadcast address
at this sub-layer, including those that were discarded or not sent.
Received Unknown
Packets
The number of packets received via the interface which were
discarded because of an unknown or unsupported protocol.
Etherlike Statistics
Single Collision Frames
The number of successfully transmitted frames for which
transmission is inhibited by exactly one collision.
Multiple Collision Frames
A count of successfully transmitted frames for which transmission
is inhibited by more than one collision.
Late Collisions
The number of times that a collision is detected later than 512 bittimes into the transmission of a packet.
Excessive Collisions
A count of frames for which transmission on a particular interface
fails due to excessive collisions. This counter does not increment
when the interface is operating in full-duplex mode.
– 139 –
CHAPTER 5 | Interface Configuration
Port Configuration
Table 7: Port Statistics (Continued)
Parameter
Description
Deferred Transmissions
A count of frames for which the first transmission attempt on a
particular interface is delayed because the medium was busy.
Frames Too Long
A count of frames received on a particular interface that exceed
the maximum permitted frame size.
Alignment Errors
The number of alignment errors (missynchronized data packets).
FCS Errors
A count of frames received on a particular interface that are an
integral number of octets in length but do not pass the FCS check.
This count does not include frames received with frame-too-long
or frame-too-short error.
SQE Test Errors
A count of times that the SQE TEST ERROR message is generated
by the PLS sublayer for a particular interface.
Carrier Sense Errors
The number of times that the carrier sense condition was lost or
never asserted when attempting to transmit a frame.
Internal MAC Receive
Errors
A count of frames for which reception on a particular interface fails
due to an internal MAC sublayer receive error.
Internal MAC Transmit
Errors
A count of frames for which transmission on a particular interface
fails due to an internal MAC sublayer transmit error.
RMON Statistics
Drop Events
The total number of events in which packets were dropped due to
lack of resources.
Jabbers
The total number of frames received that were longer than 1518
octets (excluding framing bits, but including FCS octets), and had
either an FCS or alignment error.
Fragments
The total number of frames received that were less than 64 octets
in length (excluding framing bits, but including FCS octets) and
had either an FCS or alignment error.
Collisions
The best estimate of the total number of collisions on this Ethernet
segment.
Received Octets
Total number of octets of data received on the network. This
statistic can be used as a reasonable indication of Ethernet
utilization.
Received Packets
The total number of packets (bad, broadcast and multicast)
received.
Broadcast Packets
The total number of good packets received that were directed to
the broadcast address. Note that this does not include multicast
packets.
Multicast Packets
The total number of good packets received that were directed to
this multicast address.
Undersize Packets
The total number of packets received that were less than 64
octets long (excluding framing bits, but including FCS octets) and
were otherwise well formed.
Oversize Packets
The total number of packets received that were longer than 1518
octets (excluding framing bits, but including FCS octets) and were
otherwise well formed.
64 Bytes Packets
The total number of packets (including bad packets) received and
transmitted that were 64 octets in length (excluding framing bits
but including FCS octets).
65-127 Byte Packets
128-255 Byte Packets
256-511 Byte Packets
512-1023 Byte Packets
1024-1518 Byte Packets
1519-1536 Byte Packets
The total number of packets (including bad packets) received and
transmitted where the number of octets fall within the specified
range (excluding framing bits but including FCS octets).
– 140 –
CHAPTER 5 | Interface Configuration
Port Configuration
Table 7: Port Statistics (Continued)
Parameter
Description
Utilization Statistics
Received Octet Rate
Number of octets entering this interface in kbits per second.
Received Packet Rate
Number of packets entering this interface in packets per second.
Received Utilization
The input utilization rate for this interface.
Transmitted Octet Rate
Number of octets leaving this interface in kbits per second.
Transmitted Packet Rate
Number of packets leaving this interface in packets per second.
Transmitted Utilization
The output utilization rate for this interface.
WEB INTERFACE
To show a list of port statistics:
1. Click Interface, Port, Statistics.
2. Select the statistics mode to display (Interface, Etherlike, RMON or
Utilization).
3. Select a port from the drop-down list.
4. Use the Refresh button at the bottom of the page if you need to update
the screen.
Figure 35: Showing Port Statistics (Table)
– 141 –
CHAPTER 5 | Interface Configuration
Port Configuration
To show a chart of port statistics:
1. Click Interface, Port, Chart.
2. Select the statistics mode to display (Interface, Etherlike, RMON or All).
3. If Interface, Etherlike, RMON statistics mode is chosen, select a port
from the drop-down list. If All (ports) statistics mode is chosen, select
the statistics type to display.
Figure 36: Showing Port Statistics (Chart)
PERFORMING CABLE Use the Interface > Port > Cable Test page to test the cable attached to a
DIAGNOSTICS port. The cable test will check for any cable faults (short, open, etc.). If a
fault is found, the switch reports the length to the fault. Otherwise, it
reports the cable length. It can be used to determine the quality of the
cable, connectors, and terminations. Problems such as opens, shorts, and
cable impedance mismatch can be diagnosed with this test.
CLI REFERENCES
◆ "Interface Commands" on page 729
– 142 –
CHAPTER 5 | Interface Configuration
Port Configuration
COMMAND USAGE
◆ Cable diagnostics are performed using Time Domain Reflectometry
(TDR) test methods. TDR analyses the cable by sending a pulsed signal
into the cable, and then examining the reflection of that pulse.
◆
This cable test is only accurate for Gigabit Ethernet cables 0 - 250
meters long.
◆
The test takes approximately 5 seconds. The switch displays the results
of the test immediately upon completion, including common cable
failures, as well as the status and approximate length to a fault.
◆
Potential conditions which may be listed by the diagnostics include:
◆
■
OK: Correctly terminated pair
■
Open: Open pair, no link partner
■
Short: Shorted pair
■
Not Supported: This message is displayed for any Fast Ethernet
ports, or Gigabit Ethernet ports linked up at a speed lower than
1000 Mbps.
■
Impedance mismatch: Terminating impedance is not in the
reference range.
Ports are linked down while running cable diagnostics.
PARAMETERS
These parameters are displayed:
◆
Port – Port identifier.
◆
Type – Displays media type. (FE – Fast Ethernet, GE – Gigabit
Ethernet, Other – SFP)
◆
Link Status – Shows if the port link is up or down.
◆
Test Result – The results include common cable failures, as well as the
status and approximate distance to a fault, or the approximate cable
length if no fault is found.
To ensure more accurate measurement of the length to a fault, first
disable power-saving mode on the link partner before running cable
diagnostics.
For link-down ports, the reported distance to a fault is accurate to
within +/- 2 meters. For link-up ports, the accuracy is +/- 10 meters.
◆
Last Updated – Shows the last time this port was tested.
– 143 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
WEB INTERFACE
To test the cable attached to a port:
1. Click Interface, Port, Cable Test.
2. Click Test for any port to start the cable test.
Figure 37: Performing Cable Tests
TRUNK CONFIGURATION
This section describes how to configure static and dynamic trunks.
You can create multiple links between devices that work as one virtual,
aggregate link. A port trunk offers a dramatic increase in bandwidth for
network segments where bottlenecks exist, as well as providing a faulttolerant link between two devices. You can create up to 12 trunks at a time
on the switch.
The switch supports both static trunking and dynamic Link Aggregation
Control Protocol (LACP). Static trunks have to be manually configured at
both ends of the link, and the switches must comply with the Cisco
EtherChannel standard. On the other hand, LACP configured ports can
automatically negotiate a trunked link with LACP-configured ports on
another device. You can configure any number of ports on the switch as
LACP, as long as they are not already configured as part of a static trunk. If
ports on another device are also configured as LACP, the switch and the
other device will negotiate a trunk link between them. If an LACP trunk
consists of more than eight ports, all other ports will be placed in standby
mode. Should one link in the trunk fail, one of the standby ports will
automatically be activated to replace it.
– 144 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
COMMAND USAGE
Besides balancing the load across each port in the trunk, the other ports
provide redundancy by taking over the load if a port in the trunk fails.
However, before making any physical connections between devices, use
the web interface or CLI to specify the trunk on the devices at both ends.
When using a trunk, take note of the following points:
◆
Finish configuring trunks before you connect the corresponding network
cables between switches to avoid creating a loop.
◆
You can create up to 12 trunks on a switch, with up to eight ports per
trunk.
◆
The ports at both ends of a connection must be configured as trunk
ports.
◆
When configuring static trunks on switches of different types, they
must be compatible with the Cisco EtherChannel standard.
◆
The ports at both ends of a trunk must be configured in an identical
manner, including communication mode (i.e., speed, duplex mode and
flow control), VLAN assignments, and CoS settings.
◆
Any of the Gigabit ports on the front panel can be trunked together,
including ports of different media types.
◆
All the ports in a trunk have to be treated as a whole when moved
from/to, added or deleted from a VLAN.
◆
STP, VLAN, and IGMP settings can only be made for the entire trunk.
CONFIGURING A Use the Interface > Trunk > Static page to create a trunk, assign member
STATIC TRUNK ports, and configure the connection parameters.
Figure 38: Configuring Static Trunks
}
statically
configured
active
links
CLI REFERENCES
◆ "Link Aggregation Commands" on page 749
◆ "Interface Commands" on page 729
COMMAND USAGE
◆ When configuring static trunks, you may not be able to link switches of
different types, depending on the vendor’s implementation. However,
– 145 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
note that the static trunks on this switch are Cisco EtherChannel
compatible.
◆
To avoid creating a loop in the network, be sure you add a static trunk
via the configuration interface before connecting the ports, and also
disconnect the ports before removing a static trunk via the
configuration interface.
PARAMETERS
These parameters are displayed:
◆
Trunk ID – Trunk identifier. (Range: 1-12)
◆
Trunk Member Port List – The ports assigned to a trunk.
WEB INTERFACE
To create a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure Trunk from the Step list.
3. Enter a trunk identifier, and click Add.
4. Mark the ports assigned to each trunk.
5. Click Apply.
Figure 39: Creating Static Trunks
To configure connection parameters for a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3. Select Configure from the Action list.
4. Modify the required interface settings. (Refer to "Configuring by Port
List" on page 127 for a description of the parameters.)
5. Click Apply.
– 146 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
Figure 40: Configuring Connection Parameters for a Static Trunk
To show the static trunks configured on the switch:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3. Select Show Information from the Action list.
Figure 41: Showing Information for Static Trunks
CONFIGURING A Use the Interface > Trunk > Dynamic pages to set the administrative key
DYNAMIC TRUNK for an aggregation group, enable LACP on a port, configure protocol
parameters for local and partner ports, or to set Ethernet connection
parameters.
Figure 42: Configuring Dynamic Trunks
}
dynamically
enabled
active
links
}
backup
link
configured
members
CLI REFERENCES
◆ "Link Aggregation Commands" on page 749
– 147 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
COMMAND USAGE
◆ To avoid creating a loop in the network, be sure you enable LACP before
connecting the ports, and also disconnect the ports before disabling
LACP.
◆
If the target switch has also enabled LACP on the connected ports, the
trunk will be activated automatically.
◆
A trunk formed with another switch using LACP will automatically be
assigned the next available trunk ID.
◆
If more than eight ports attached to the same target switch have LACP
enabled, the additional ports will be placed in standby mode, and will
only be enabled if one of the active links fails.
◆
All ports on both ends of an LACP trunk must be configured for full
duplex, and auto-negotiation.
◆
Ports are only allowed to join the same Link Aggregation Group (LAG) if
(1) the LACP port system priority matches, (2) the LACP port admin key
matches, and (3) the LAG admin key matches (if configured). However,
if the LAG admin key is set, then the port admin key must be set to the
same value for a port to be allowed to join that group.
NOTE: If the LACP admin key is not set when a channel group is formed
(i.e., it has a null value of 0), the operational value of this key is set to the
same value as the port admin key used by the interfaces that joined the
group (see the show lacp internal command described on page 756).
PARAMETERS
These parameters are displayed:
Configure Aggregator
◆
Admin Key – LACP administration key is used to identify a specific link
aggregation group (LAG) during local LACP setup on the switch.
(Range: 0-65535)
Configure Aggregation Port - General
◆
Port – Port identifier. (Range: 1-26)
◆
LACP Status – Enables or disables LACP on a port.
Configure Aggregation Port - Actor/Partner
◆
Port – Port number. (Range: 1-26)
◆
Admin Key – The LACP administration key must be set to the same
value for ports that belong to the same LAG. (Range: 0-65535;
Default – Actor: 1, Partner: 0)
– 148 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
By default, the Actor Admin Key is determined by port's link speed, and
copied to Oper Key. The Partner Admin Key is assigned to zero, and the
Oper Key is set based upon LACP PDUs received from the Partner.
◆
System Priority – LACP system priority is used to determine link
aggregation group (LAG) membership, and to identify this device to
other switches during LAG negotiations. (Range: 0-65535;
Default: 32768)
System priority is combined with the switch’s MAC address to form the
LAG identifier. This identifier is used to indicate a specific LAG during
LACP negotiations with other systems.
◆
Port Priority – If a link goes down, LACP port priority is used to select
a backup link. (Range: 0-65535; Default: 32768)
■
Setting a lower value indicates a higher effective priority.
■
If an active port link goes down, the backup port with the highest
priority is selected to replace the downed link. However, if two or
more ports have the same LACP port priority, the port with the
lowest physical port number will be selected as the backup port.
■
If an LAG already exists with the maximum number of allowed port
members, and LACP is subsequently enabled on another port using
a higher priority than an existing member, the newly configured
port will replace an existing port member that has a lower priority.
NOTE: Configuring LACP settings for a port only applies to its administrative
state, not its operational state, and will only take effect the next time an
aggregate link is established with that port.
NOTE: Configuring the port partner sets the remote side of an aggregate
link; i.e., the ports on the attached device. The command attributes have
the same meaning as those used for the port actor.
– 149 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
WEB INTERFACE
To configure the admin key for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregator from the Step list.
3. Set the Admin Key for the required LACP group.
4. Click Apply.
Figure 43: Configuring the LACP Aggregator Admin Key
To enable LACP for a port:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click General.
5. Enable LACP on the required ports.
6. Click Apply.
Figure 44: Enabling LACP on a Port
– 150 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
To configure LACP parameters for group members:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click Actor or Partner.
5. Configure the required settings.
6. Click Apply.
Figure 45: Configuring LACP Parameters on a Port
To configure the connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Configure from the Action list.
4. Modify the required interface settings. (Refer to "Configuring by Port
List" on page 127 for a description of the parameters.)
5. Click Apply.
– 151 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
Figure 46: Configuring Connection Parameters for a Dynamic Trunk
To show the connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Show from the Action list.
Figure 47: Showing Connection Parameters for Dynamic Trunks
To show the port members of dynamic trunks:
1. Click Interface, Trunk, Dynamic.
2. Select Configure General from the Step list.
3. Select Show Member from the Action list.
Figure 48: Showing Members of Dynamic Trunks
– 152 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
DISPLAYING LACP Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show
PORT COUNTERS Information - Counters) page to display statistics for LACP protocol
messages.
CLI REFERENCES
◆ "show lacp" on page 756
PARAMETERS
These parameters are displayed:
Table 8: LACP Port Counters
Parameter
Description
LACPDUs Sent
Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received
Number of valid LACPDUs received on this channel group.
Marker Sent
Number of valid Marker PDUs transmitted from this channel
group.
Marker Received
Number of valid Marker PDUs received by this channel group.
Marker Unknown Pkts
Number of frames received that either (1) Carry the Slow
Protocols Ethernet Type value, but contain an unknown PDU, or
(2) are addressed to the Slow Protocols group MAC Address, but
do not carry the Slow Protocols Ethernet Type.
Marker Illegal Pkts
Number of frames that carry the Slow Protocols Ethernet Type
value, but contain a badly formed PDU or an illegal value of
Protocol Subtype.
– 153 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
WEB INTERFACE
To display LACP port counters:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Show Information from the Action list.
4. Click Counters.
5. Select a group member from the Port list.
Figure 49: Displaying LACP Port Counters
DISPLAYING LACP Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show
SETTINGS AND STATUS Information - Internal) page to display the configuration settings and
FOR THE LOCAL SIDE operational state for the local side of a link aggregation.
CLI REFERENCES
◆ "show lacp" on page 756
PARAMETERS
These parameters are displayed:
Table 9: LACP Internal Configuration Information
Parameter
Description
LACP System Priority LACP system priority assigned to this port channel.
LACP Port Priority
LACP port priority assigned to this interface within the channel group.
Admin Key
Current administrative value of the key for the aggregation port.
Oper Key
Current operational value of the key for the aggregation port.
LACPDUs Interval
Number of seconds before invalidating received LACPDU information.
– 154 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
Table 9: LACP Internal Configuration Information (Continued)
Parameter
Description
Admin State,
Oper State
Administrative or operational values of the actor’s state parameters:
◆
Expired – The actor’s receive machine is in the expired state;
◆
Defaulted – The actor’s receive machine is using defaulted
operational partner information, administratively configured for
the partner.
◆
Distributing – If false, distribution of outgoing frames on this link
is disabled; i.e., distribution is currently disabled and is not
expected to be enabled in the absence of administrative changes
or changes in received protocol information.
◆
Collecting – Collection of incoming frames on this link is enabled;
i.e., collection is currently enabled and is not expected to be
disabled in the absence of administrative changes or changes in
received protocol information.
◆
Synchronization – The System considers this link to be IN_SYNC;
i.e., it has been allocated to the correct Link Aggregation Group,
the group has been associated with a compatible Aggregator, and
the identity of the Link Aggregation Group is consistent with the
System ID and operational Key information transmitted.
◆
Aggregation – The system considers this link to be aggregatable;
i.e., a potential candidate for aggregation.
◆
Long timeout – Periodic transmission of LACPDUs uses a slow
transmission rate.
◆
LACP-Activity – Activity control value with regard to this link.
(0: Passive; 1: Active)
– 155 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
WEB INTERFACE
To display LACP settings and status for the local side:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Show Information from the Action list.
4. Click Internal.
5. Select a group member from the Port list.
Figure 50: Displaying LACP Port Internal Information
DISPLAYING LACP Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show
SETTINGS AND STATUS Information - Neighbors) page to display the configuration settings and
FOR THE REMOTE SIDE operational state for the remote side of a link aggregation.
CLI REFERENCES
◆ "show lacp" on page 756
PARAMETERS
These parameters are displayed:
Table 10: LACP Remote Device Configuration Information
Parameter
Description
Partner Admin
System ID
LAG partner’s system ID assigned by the user.
Partner Oper System LAG partner’s system ID assigned by the LACP protocol.
ID
Partner Admin
Port Number
Current administrative value of the port number for the protocol
Partner.
– 156 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
Table 10: LACP Remote Device Configuration Information (Continued)
Parameter
Description
Partner Oper
Port Number
Operational port number assigned to this aggregation port by the
port’s protocol partner.
Port Admin Priority
Current administrative value of the port priority for the protocol
partner.
Port Oper Priority
Priority value assigned to this aggregation port by the partner.
Admin Key
Current administrative value of the Key for the protocol partner.
Oper Key
Current operational value of the Key for the protocol partner.
Admin State
Administrative values of the partner’s state parameters. (See
preceding table.)
Oper State
Operational values of the partner’s state parameters. (See preceding
table.)
WEB INTERFACE
To display LACP settings and status for the remote side:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Show Information from the Action list.
4. Click Internal.
5. Select a group member from the Port list.
Figure 51: Displaying LACP Port Remote Information
– 157 –
CHAPTER 5 | Interface Configuration
Trunk Configuration
CONFIGURING TRUNK Use the Interface > Trunk > Mirror page to mirror traffic from any source
MIRRORING trunk to a target port for real-time analysis. You can then attach a logic
analyzer or RMON probe to the target port and study the traffic crossing
the source trunk in a completely unobtrusive manner.
Figure 52: Configuring Trunk Mirroring
Source
trunk(s)
CLI REFERENCES
◆ "Local Port Mirroring Commands" on page 761
COMMAND USAGE
◆ Traffic can be mirrored from one or more source trunks to a destination
port on the same switch.
◆
Monitor port speed should match or exceed source trunk speed,
otherwise traffic may be dropped from the monitor port.
◆
When mirroring trunk traffic, the target port must be included in the
same VLAN as the source trunk when using MSTP (see "Spanning Tree
Algorithm" on page 203).
◆
When mirroring VLAN traffic (see "Configuring VLAN Mirroring" on
page 193) or packets based on a source MAC address (see "Configuring
MAC Address Mirroring" on page 200), the target port cannot be set to
the same target port as that used for trunk mirroring by this command.
◆
When traffic matches the rules for both trunk mirroring, and for
mirroring of VLAN traffic or packets based on a MAC address, the
matching packets will not be sent to target port specified for trunk
mirroring.
PARAMETERS
These parameters are displayed:
◆
Source Trunk – The trunk whose traffic will be monitored.
(Range: 1-12)
◆
Target Port – The port that will mirror the traffic on the source trunk.
(Range: 1-26)
◆
Type – Allows you to select which traffic to mirror to the target port, Rx
(receive), Tx (transmit), or Both. (Default: Both)
WEB INTERFACE
To configure a local mirror session:
1. Click Interface, Trunk, Mirror.
– 158 –
CHAPTER 5 | Interface Configuration
Saving Power
2. Select Add from the Action List.
3. Specify the source trunk.
4. Specify the monitor port.
5. Specify the traffic type to be mirrored.
6. Click Apply.
Figure 53: Configuring Trunk Mirroring
To display the configured mirror sessions:
1. Click Interface, Trunk, Mirror.
2. Select Show from the Action List.
Figure 54: Displaying Trunk Mirror Sessions
SAVING POWER
Use the Interface > Green Ethernet page to enable power savings mode on
the selected port.
CLI REFERENCES
◆ "power-save" on page 747
◆ "show power-save" on page 748
COMMAND USAGE
◆ IEEE 802.3 defines the Ethernet standard and subsequent power
requirements based on cable connections operating at 100 meters.
– 159 –
CHAPTER 5 | Interface Configuration
Saving Power
Enabling power saving mode can reduce power used for cable lengths
of 60 meters or less, with more significant reduction for cables of 20
meters or less, and continue to ensure signal integrity.
◆
The power-saving methods provided by this switch include:
■
Power saving when there is no link partner:
Under normal operation, the switch continuously auto-negotiates to
find a link partner, keeping the MAC interface powered up even if no
link connection exists. When using power-savings mode, the switch
checks for energy on the circuit to determine if there is a link
partner. If none is detected, the switch automatically turns off the
transmitter, and most of the receive circuitry (entering Sleep Mode).
In this mode, the low-power energy-detection circuit continuously
checks for energy on the cable. If none is detected, the MAC
interface is also powered down to save additional energy. If energy
is detected, the switch immediately turns on both the transmitter
and receiver functions, and powers up the MAC interface.
■
Power saving when there is a link partner:
Traditional Ethernet connections typically operate with enough
power to support at least 100 meters of cable even though average
network cable length is shorter. When cable length is shorter, power
consumption can be reduced since signal attenuation is proportional
to cable length. When power-savings mode is enabled, the switch
analyzes cable length to determine whether or not it can reduce the
signal amplitude used on a particular link.
NOTE: Power savings can only be implemented on Gigabit Ethernet ports
when using twisted-pair cabling. Power-savings mode on a active link only
works when connection speed is 1 Gbps, and line length is less than 60
meters.
PARAMETERS
These parameters are displayed:
◆
Port – Power saving mode only applies to the Gigabit Ethernet ports
using copper media.
◆
Power Saving Status – Adjusts the power provided to ports based on
the length of the cable used to connect to other devices. Only sufficient
power is used to maintain connection requirements. (Default: Enabled
on Gigabit Ethernet RJ-45 ports)
WEB INTERFACE
To enable power savings:
1. Click Interface, Green Ethernet.
2. Mark the Enabled check box for a port.
– 160 –
CHAPTER 5 | Interface Configuration
Traffic Segmentation
3. Click Apply.
Figure 55: Enabling Power Savings
TRAFFIC SEGMENTATION
If tighter security is required for passing traffic from different clients
through downlink ports on the local network and over uplink ports to the
service provider, port-based traffic segmentation can be used to isolate
traffic between clients on different downlink ports. Data traffic on downlink
ports is only forwarded to, and from, uplink ports.
ENABLING TRAFFIC Use the Interface > Traffic Segmentation (Configure Global) page to enable
SEGMENTATION traffic segmentation.
CLI REFERENCES
◆ "Configuring Port-based Traffic Segmentation" on page 840
PARAMETERS
These parameters are displayed:
◆
Status – Enables port-based traffic segmentation. (Default: Disabled)
WEB INTERFACE
To enable traffic segmentation:
1. Click Interface, Traffic Segmentation.
2. Select Configure Global from the Step list.
3. Mark the Enabled check box.
4. Click Apply.
– 161 –
CHAPTER 5 | Interface Configuration
Traffic Segmentation
Figure 56: Enabling Traffic Segmentation
CONFIGURING UPLINK Use the Interface > Traffic Segmentation (Configure Session) page to
AND DOWNLINK PORTS assign the downlink and uplink ports to use in the segmented group. Ports
designated as downlink ports can not communicate with any other ports on
the switch except for the uplink ports. Uplink ports can communicate with
any other ports on the switch and with any designated downlink ports.
CLI REFERENCES
◆ "Configuring Port-based Traffic Segmentation" on page 840
COMMAND USAGE
◆ When traffic segmentation is disabled, all ports operate in normal
forwarding mode based on the settings specified by other functions
such as VLANs and spanning tree protocol.
◆
A downlink port can only communicate with an uplink port in the same
segment. Therefore, if an uplink port is not configured for traffic
segmentation, the assigned downlink ports will not be able to
communicate with any other ports.
◆
If a downlink port is not configured for the traffic segmentation, the
assigned uplink ports will operate as normal ports.
PARAMETERS
These parameters are displayed:
◆
Interface – Displays a list of ports or trunks.
◆
Port – Port Identifier. (Range: 1-26)
◆
Trunk – Trunk Identifier. (Range: 1-12)
◆
Direction – Adds an interface to the segmented group by setting the
direction to uplink or downlink. (Default: None)
WEB INTERFACE
To configure the members of the traffic segmentation group:
1. Click Interface, Traffic Segmentation.
2. Select Configure Session from the Step list.
3. Click Port or Trunk to specify the interface type.
– 162 –
CHAPTER 5 | Interface Configuration
VLAN Trunking
4. Select Uplink or Downlink in the Direction list to add a group member.
5. Click Apply.
Figure 57: Configuring Members for Traffic Segmentation
VLAN TRUNKING
Use the Interface > VLAN Trunking page to allow unknown VLAN groups to
pass through the specified interface.
CLI REFERENCES
◆ "vlan-trunking" on page 834
COMMAND USAGE
◆ Use this feature to configure a tunnel across one or more intermediate
switches which pass traffic for VLAN groups to which they do not
belong.
The following figure shows VLANs 1 and 2 configured on switches A and
B, with VLAN trunking being used to pass traffic for these VLAN groups
across switches C, D and E.
Figure 58: Configuring VLAN Trunking
Without VLAN trunking, you would have to configure VLANs 1 and 2 on
all intermediate switches – C, D and E; otherwise these switches would
drop any frames with unknown VLAN group tags. However, by enabling
VLAN trunking on the intermediate switch ports along the path
connecting VLANs 1 and 2, you only need to create these VLAN groups
– 163 –
CHAPTER 5 | Interface Configuration
VLAN Trunking
in switches A and B. Switches C, D and E automatically allow frames
with VLAN group tags 1 and 2 (groups that are unknown to those
switches) to pass through their VLAN trunking ports.
◆
VLAN trunking is mutually exclusive with the “access” switchport mode
(see "Adding Static Members to VLANs" on page 171). If VLAN trunking
is enabled on an interface, then that interface cannot be set to access
mode, and vice versa.
◆
To prevent loops from forming in the spanning tree, all unknown VLANs
will be bound to a single instance (either STP/RSTP or an MSTP
instance, depending on the selected STA mode).
◆
If both VLAN trunking and ingress filtering are disabled on an interface,
packets with unknown VLAN tags will still be allowed to enter this
interface and will be flooded to all other ports where VLAN trunking is
enabled. (In other words, VLAN trunking will still be effectively enabled
for the unknown VLAN).
PARAMETERS
These parameters are displayed:
◆
Interface – Displays a list of ports or trunks.
◆
Port – Port Identifier. (Range: 1-26)
◆
Trunk – Trunk Identifier. (Range: 1-12)
◆
VLAN Trunking Status – Enables VLAN trunking on the selected
interface.
WEB INTERFACE
To enable VLAN trunking on a port or trunk:
1. Click Interface, VLAN Trunking.
2. Click Port or Trunk to specify the interface type.
3. Enable VLAN trunking on any of the ports or on a trunk.
4. Click Apply.
– 164 –
CHAPTER 5 | Interface Configuration
VLAN Trunking
Figure 59: Configuring VLAN Trunking
– 165 –
CHAPTER 5 | Interface Configuration
VLAN Trunking
– 166 –
6
VLAN CONFIGURATION
This chapter includes the following topics:
◆
IEEE 802.1Q VLANs – Configures static and dynamic VLANs.
◆
IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain
customer-specific VLAN and Layer 2 protocol configurations across a
service provider network, even when different customers use the same
internal VLAN IDs.
◆
Protocol VLANs – Configures VLAN groups based on specified protocols.
◆
IP Subnet VLANs – Maps untagged ingress frames to a specified VLAN if
the source address is found in the IP subnet-to-VLAN mapping table.
◆
MAC-based VLANs – Maps untagged ingress frames to a specified VLAN
if the source MAC address is found in the IP MAC address-to-VLAN
mapping table.
◆
VLAN Mirroring – Mirrors traffic from one or more source VLANs to a
target port.
IEEE 802.1Q VLANS
In large networks, routers are used to isolate broadcast traffic for each
subnet into separate domains. This switch provides a similar service at
Layer 2 by using VLANs to organize any group of network nodes into
separate broadcast domains. VLANs confine broadcast traffic to the
originating group, and can eliminate broadcast storms in large networks.
This also provides a more secure and cleaner network environment.
An IEEE 802.1Q VLAN is a group of ports that can be located anywhere in
the network, but communicate as though they belong to the same physical
segment.
VLANs help to simplify network management by allowing you to move
devices to a new VLAN without having to change any physical connections.
VLANs can be easily organized to reflect departmental groups (such as
Marketing or R&D), usage groups (such as e-mail), or multicast groups
(used for multimedia applications such as video conferencing).
VLANs provide greater network efficiency by reducing broadcast traffic, and
allow you to make network changes without having to update IP addresses
or IP subnets. VLANs inherently provide a high level of network security
– 167 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q VLANs
since traffic must pass through a configured Layer 3 link to reach a
different VLAN.
This switch supports the following VLAN features:
◆
Up to 256 VLANs based on the IEEE 802.1Q standard
◆
Distributed VLAN learning across multiple switches using explicit or
implicit tagging and GVRP protocol
◆
Port overlapping, allowing a port to participate in multiple VLANs
◆
End stations can belong to multiple VLANs
◆
Passing traffic between VLAN-aware and VLAN-unaware devices
◆
Priority tagging
Assigning Ports to VLANs
Before enabling VLANs for the switch, you must first assign each port to
the VLAN group(s) in which it will participate. By default all ports are
assigned to VLAN 1 as untagged ports. Add a port as a tagged port if you
want it to carry traffic for one or more VLANs, and any intermediate
network devices or the host at the other end of the connection supports
VLANs. Then assign ports on the other VLAN-aware network devices along
the path that will carry this traffic to the same VLAN(s), either manually or
dynamically using GVRP. However, if you want a port on this switch to
participate in one or more VLANs, but none of the intermediate network
devices nor the host at the other end of the connection supports VLANs,
then you should add this port to the VLAN as an untagged port.
NOTE: VLAN-tagged frames can pass through VLAN-aware or VLANunaware network interconnection devices, but the VLAN tags should be
stripped off before passing it on to any end-node host that does not
support VLAN tagging.
Figure 60: VLAN Compliant and VLAN Non-compliant Devices
tagged frames
VA
VA
VA: VLAN Aware
VU: VLAN Unaware
tagged
frames
VA
untagged
frames
VA
VU
VLAN Classification – When the switch receives a frame, it classifies the
frame in one of two ways. If the frame is untagged, the switch assigns the
frame to an associated VLAN (based on the default VLAN ID of the
– 168 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q VLANs
receiving port). But if the frame is tagged, the switch uses the tagged
VLAN ID to identify the port broadcast domain of the frame.
Port Overlapping – Port overlapping can be used to allow access to
commonly shared network resources among different VLAN groups, such
as file servers or printers. Note that if you implement VLANs which do not
overlap, but still need to communicate, you can connect them by enabled
routing on this switch.
Untagged VLANs – Untagged VLANs are typically used to reduce
broadcast traffic and to increase security. A group of network users
assigned to a VLAN form a broadcast domain that is separate from other
VLANs configured on the switch. Packets are forwarded only between ports
that are designated for the same VLAN. Untagged VLANs can be used to
manually isolate user groups or subnets. However, you should use IEEE
802.3 tagged VLANs with GVRP whenever possible to fully automate VLAN
registration.
Automatic VLAN Registration – GVRP (GARP VLAN Registration
Protocol) defines a system whereby the switch can automatically learn the
VLANs to which each end station should be assigned. If an end station (or
its network adapter) supports the IEEE 802.1Q VLAN protocol, it can be
configured to broadcast a message to your network indicating the VLAN
groups it wants to join. When this switch receives these messages, it will
automatically place the receiving port in the specified VLANs, and then
forward the message to all other ports. When the message arrives at
another switch that supports GVRP, it will also place the receiving port in
the specified VLANs, and pass the message on to all other ports. VLAN
requirements are propagated in this way throughout the network. This
allows GVRP-compliant devices to be automatically configured for VLAN
groups based solely on end station requests.
To implement GVRP in a network, first add the host devices to the required
VLANs (using the operating system or other application software), so that
these VLANs can be propagated onto the network. For both the edge
switches attached directly to these hosts, and core switches in the
network, enable GVRP on the links between these devices. You should also
determine security boundaries in the network and disable GVRP on the
boundary ports to prevent advertisements from being propagated, or
forbid those ports from joining restricted VLANs.
NOTE: If you have host devices that do not support GVRP, you should
configure static or untagged VLANs for the switch ports connected to these
devices (as described in "Adding Static Members to VLANs" on page 171).
But you can still enable GVRP on these edge switches, as well as on the
core switches in the network.
– 169 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q VLANs
Figure 61: Using GVRP
Port-based VLAN
2
1
9
10 11
3
4
5
13
12
6
15 16
14
7
8
18
19
Forwarding Tagged/Untagged Frames
If you want to create a small port-based VLAN for devices attached directly
to a single switch, you can assign ports to the same untagged VLAN.
However, to participate in a VLAN group that crosses several switches, you
should create a VLAN for that group and enable tagging on all ports.
Ports can be assigned to multiple tagged or untagged VLANs. Each port on
the switch is therefore capable of passing tagged or untagged frames.
When forwarding a frame from this switch along a path that contains any
VLAN-aware devices, the switch should include VLAN tags. When
forwarding a frame from this switch along a path that does not contain any
VLAN-aware devices (including the destination host), the switch must first
strip off the VLAN tag before forwarding the frame. When the switch
receives a tagged frame, it will pass this frame onto the VLAN(s) indicated
by the frame tag. However, when this switch receives an untagged frame
from a VLAN-unaware device, it first decides where to forward the frame,
and then inserts a VLAN tag reflecting the ingress port’s default VID.
CONFIGURING VLAN Use the VLAN > Static (Configure VLAN) page to create or remove VLAN
GROUPS groups, set administrative status, or specify Remote VLAN type (see
"Configuring Remote Port Mirroring" on page 134). To propagate
information about VLAN groups used on this switch to external network
devices, you must specify a VLAN ID for each of these groups.
CLI REFERENCES
◆ "Editing VLAN Groups" on page 827
PARAMETERS
These parameters are displayed:
◆
VLAN ID – ID of VLAN or range of VLANs (1-4093).
Up to 256 VLAN groups can be defined. VLAN 1 is the default untagged
VLAN.
VLAN 4093 is dedicated for Switch Clustering. Configuring this VLAN for
other purposes may cause problems in the Clustering operation.
– 170 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q VLANs
◆
Status – Enables or disables the specified VLAN.
◆
Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring
Remote Port Mirroring" on page 134).
WEB INTERFACE
To create VLAN groups:
1. Click VLAN, Static.
2. Select Configure VLAN from the Action list.
3. Enter a VLAN ID or range of IDs.
4. Mark Enabled to configure the VLAN as operational.
5. Mark Remote VLAN to use it for RSPAN.
6. Click Add.
Figure 62: Creating Static VLANs
ADDING STATIC Use the VLAN > Static (Modify VLAN and Member Ports, Edit Member by
MEMBERS TO VLANS Interface, or Edit Member by Interface Range) pages to configure port
members for the selected VLAN index, interface, or a range of interfaces.
Use the menus for editing port members to configure the VLAN behavior
for specific interfaces, including the mode of operation (Hybrid or 1Q
Trunk), the default VLAN identifier (PVID), accepted frame types, and
ingress filtering. Assign ports as tagged if they are connected to 802.1Q
VLAN compliant devices, or untagged they are not connected to any VLANaware devices. Or configure a port as forbidden to prevent the switch from
automatically adding it to a VLAN via the GVRP protocol.
CLI REFERENCES
◆ "Configuring VLAN Interfaces" on page 829
◆ "Displaying VLAN Information" on page 835
– 171 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q VLANs
PARAMETERS
These parameters are displayed:
Modify VLAN and Member Ports
◆
VLAN – ID of configured VLAN (1-4094).
◆
VLAN Name – Name of the VLAN (1 to 32 characters).
◆
Status – Enables or disables the specified VLAN.
◆
Remote VLAN – Shows if RSPAN is enabled on this VLAN (see
"Configuring VLAN Groups" on page 170.
◆
Interface – Displays a list of ports or trunks.
◆
Port – Port Identifier. (Range: 1-26)
◆
Trunk – Trunk Identifier. (Range: 1-12)
◆
Mode – Indicates VLAN membership mode for an interface.
(Default: Hybrid)
■
Access - Sets the port to operate as an untagged interface. The
port transmits and receives untagged frames on a single VLAN only.
Access mode is mutually exclusive with VLAN trunking (see "VLAN
Trunking" on page 163). If VLAN trunking is enabled on an
interface, then that interface cannot be set to access mode, and
vice versa.
◆
■
Hybrid – Specifies a hybrid VLAN interface. The port may transmit
tagged or untagged frames.
■
1Q Trunk – Specifies a port as an end-point for a VLAN trunk. A
trunk is a direct link between two switches, so the port transmits
tagged frames that identify the source VLAN. Note that frames
belonging to the port’s default VLAN (i.e., associated with the PVID)
are also transmitted as tagged frames.
PVID – VLAN ID assigned to untagged frames received on the interface.
(Default: 1)
When using Access mode, and an interface is assigned to a new VLAN,
its PVID is automatically set to the identifier for that VLAN. When using
Hybrid mode, the PVID for an interface can be set to any VLAN for
which it is an untagged member.
◆
Acceptable Frame Type – Sets the interface to accept all frame
types, including tagged or untagged frames, or only tagged frames.
When set to receive all frame types, any received frames that are
untagged are assigned to the default VLAN. (Options: All, Tagged;
Default: All)
– 172 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q VLANs
◆
Ingress Filtering – Determines how to process frames tagged for
VLANs for which the ingress port is not a member. (Default: Disabled)
■
■
■
■
◆
Ingress filtering only affects tagged frames.
If ingress filtering is disabled and a port receives frames tagged for
VLANs for which it is not a member, these frames will be flooded to
all other ports (except for those VLANs explicitly forbidden on this
port).
If ingress filtering is enabled and a port receives frames tagged for
VLANs for which it is not a member, these frames will be discarded.
Ingress filtering does not affect VLAN independent BPDU frames,
such as GVRP or STP. However, they do affect VLAN dependent BPDU
frames, such as GMRP.
Membership Type – Select VLAN membership for each interface by
marking the appropriate radio button for a port or trunk:
■
Tagged: Interface is a member of the VLAN. All packets
transmitted by the port will be tagged, that is, carry a tag and
therefore carry VLAN or CoS information.
■
Untagged: Interface is a member of the VLAN. All packets
transmitted by the port will be untagged, that is, not carry a tag
and therefore not carry VLAN or CoS information. Note that an
interface must be assigned to at least one group as an untagged
port.
■
Forbidden: Interface is forbidden from automatically joining the
VLAN via GVRP. For more information, see “Automatic VLAN
Registration” on page 169.
■
None: Interface is not a member of the VLAN. Packets associated
with this VLAN will not be transmitted by the interface.
NOTE: VLAN 1 is the default untagged VLAN containing all ports on the
switch using Hybrid mode.
Edit Member by Interface
All parameters are the same as those described under the preceding
section for Modify VLAN and Member Ports.
Edit Member by Interface Range
All parameters are the same as those described under the earlier section
for Modify VLAN and Member Ports, except for the items shown below.
◆
Port Range – Displays a list of ports. (Range: 1-26)
◆
Trunk Range – Displays a list of ports. (Range: 1-12)
– 173 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q VLANs
NOTE: The PVID, acceptable frame type, and ingress filtering parameters
for each interface within the specified range must be configured on either
the Modify VLAN and Member Ports or Edit Member by Interface page.
WEB INTERFACE
To configure static members by the VLAN index:
1. Click VLAN, Static.
2. Select Modify VLAN and Member Ports from the Action list.
3. Set the Interface type to display as Port or Trunk.
4. Modify the settings for any interface as required.
5. Click Apply.
Figure 63: Configuring Static Members by VLAN Index
To configure static members by interface:
1. Click VLAN, Static.
2. Select Edit Member by Interface from the Action list.
3. Select a port or trunk configure.
4. Modify the settings for any interface as required.
5. Click Apply.
– 174 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q VLANs
Figure 64: Configuring Static VLAN Members by Interface
To configure static members by interface range:
1. Click VLAN, Static.
2. Select Edit Member by Interface Range from the Action list.
3. Set the Interface type to display as Port or Trunk.
4. Enter an interface range.
5. Modify the VLAN parameters as required. Remember that the PVID,
acceptable frame type, and ingress filtering parameters for each
interface within the specified range must be configured on either the
Edit Member by VLAN or Edit Member by Interface page.
6. Click Apply.
Figure 65: Configuring Static VLAN Members by Interface Range
– 175 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q VLANs
CONFIGURING Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to
DYNAMIC VLAN enable GVRP and adjust the protocol timers per interface.
REGISTRATION
CLI REFERENCES
◆ "GVRP and Bridge Extension Commands" on page 822
◆ "Configuring VLAN Interfaces" on page 829
PARAMETERS
These parameters are displayed:
Configure General
◆
GVRP Status – GVRP defines a way for switches to exchange VLAN
information in order to register VLAN members on ports across the
network. VLANs are dynamically configured based on join messages
issued by host devices and propagated throughout the network. GVRP
must be enabled to permit automatic VLAN registration, and to support
VLANs which extend beyond the local switch. (Default: Disabled)
Configure Interface
◆
Interface – Displays a list of ports or trunks.
◆
Port – Port Identifier. (Range: 1-26)
◆
Trunk – Trunk Identifier. (Range: 1-12)
◆
GVRP Status – Enables/disables GVRP for the interface. GVRP must be
globally enabled for the switch before this setting can take effect (using
the Configure General page). When disabled, any GVRP packets
received on this port will be discarded and no GVRP registrations will be
propagated from other ports. (Default: Disabled)
GVRP cannot be enabled for ports set to Access mode (see "Adding
Static Members to VLANs" on page 171).
◆
GVRP Timers – Timer settings must follow this rule:
3 x (join timer) < leave timer < leaveAll timer
■
Join – The interval between transmitting requests/queries to
participate in a VLAN group. (Range: 20-1000 centiseconds;
Default: 20)
■
Leave – The interval a port waits before leaving a VLAN group. This
time should be set to more than twice the join time. This ensures
that after a Leave or LeaveAll message has been issued, the
applicants can rejoin before the port actually leaves the group.
(Range: 60-3000 centiseconds; Default: 60)
■
LeaveAll – The interval between sending out a LeaveAll query
message for VLAN group participants and the port leaving the
group. This interval should be considerably larger than the Leave
Time to minimize the amount of traffic generated by nodes rejoining
the group. (Range: 500-18000 centiseconds; Default: 1000)
– 176 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q VLANs
Show Dynamic VLAN – Show VLAN
VLAN ID – Identifier of a VLAN this switch has joined through GVRP.
VLAN Name – Name of a VLAN this switch has joined through GVRP.
Status – Indicates if this VLAN is currently operational.
(Display Values: Enabled, Disabled)
Show Dynamic VLAN – Show VLAN Member
◆
VLAN – Identifier of a VLAN this switch has joined through GVRP.
◆
Interface – Displays a list of ports or trunks which have joined the
selected VLAN through GVRP.
WEB INTERFACE
To configure GVRP on the switch:
1. Click VLAN, Dynamic.
2. Select Configure General from the Step list.
3. Enable or disable GVRP.
4. Click Apply.
Figure 66: Configuring Global Status of GVRP
To configure GVRP status and timers on a port or trunk:
1. Click VLAN, Dynamic.
2. Select Configure Interface from the Step list.
3. Set the Interface type to display as Port or Trunk.
4. Modify the GVRP status or timers for any interface.
5. Click Apply.
– 177 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q VLANs
Figure 67: Configuring GVRP for an Interface
To show the dynamic VLAN joined by this switch:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN from the Action list.
Figure 68: Showing Dynamic VLANs Registered on the Switch
To show the members of a dynamic VLAN:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN Members from the Action list.
Figure 69: Showing the Members of a Dynamic VLAN
– 178 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q Tunneling
IEEE 802.1Q TUNNELING
IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying
traffic for multiple customers across their networks. QinQ tunneling is used
to maintain customer-specific VLAN and Layer 2 protocol configurations
even when different customers use the same internal VLAN IDs. This is
accomplished by inserting Service Provider VLAN (SPVLAN) tags into the
customer’s frames when they enter the service provider’s network, and
then stripping the tags when the frames leave the network.
A service provider’s customers may have specific requirements for their
internal VLAN IDs and number of VLANs supported. VLAN ranges required
by different customers in the same service-provider network might easily
overlap, and traffic passing through the infrastructure might be mixed.
Assigning a unique range of VLAN IDs to each customer would restrict
customer configurations, require intensive processing of VLAN mapping
tables, and could easily exceed the maximum VLAN limit of 4096.
QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for
customers who have multiple VLANs. Customer VLAN IDs are preserved
and traffic from different customers is segregated within the service
provider’s network even when they use the same customer-specific VLAN
IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN
hierarchy, preserving the customer’s original tagged packets, and adding
SPVLAN tags to each frame (also called double tagging).
A port configured to support QinQ tunneling must be set to tunnel port
mode. The Service Provider VLAN (SPVLAN) ID for the specific customer
must be assigned to the QinQ tunnel access port on the edge switch where
the customer traffic enters the service provider’s network. Each customer
requires a separate SPVLAN, but this VLAN supports all of the customer's
internal VLANs. The QinQ tunnel uplink port that passes traffic from the
edge switch into the service provider’s metro network must also be added
to this SPVLAN. The uplink port can be added to multiple SPVLANs to carry
inbound traffic for different customers onto the service provider’s network.
When a double-tagged packet enters another trunk port in an intermediate
or core switch in the service provider’s network, the outer tag is stripped
for packet processing. When the packet exits another trunk port on the
same core switch, the same SPVLAN tag is again added to the packet.
When a packet enters the trunk port on the service provider’s egress
switch, the outer tag is again stripped for packet processing. However, the
SPVLAN tag is not added when it is sent out the tunnel access port on the
edge switch into the customer’s network. The packet is sent as a normal
IEEE 802.1Q-tagged frame, preserving the original VLAN numbers used in
the customer’s network.
– 179 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q Tunneling
Figure 70: QinQ Operational Concept
Customer A
(VLANs 1-10)
Customer A
(VLANs 1-10)
QinQ Tunneling
VLAN 10
Tunnel Access Port
Service Provider
(edge switch A)
Tunnel Access Port
VLAN 20
Service Provider
(edge switch B)
Tunnel Uplink Ports
Double-Tagged Packets
Outer Tag - Service Provider VID
Inner Tag - Customer VID
Customer B
(VLANs 1-50)
VLAN 10
Tunnel Access Port
Tunnel Access Port
VLAN 20
Customer B
(VLANs 1-50)
Layer 2 Flow for Packets Coming into a Tunnel Access Port
A QinQ tunnel port may receive either tagged or untagged packets. No
matter how many tags the incoming packet has, it is treated as tagged
packet.
The ingress process does source and destination lookups. If both lookups
are successful, the ingress process writes the packet to memory. Then the
egress process transmits the packet. Packets entering a QinQ tunnel port
are processed in the following manner:
1. An SPVLAN tag is added to all outbound packets on the SPVLAN
interface, no matter how many tags they already have. The switch
constructs and inserts the outer tag (SPVLAN) into the packet based on
the default VLAN ID and Tag Protocol Identifier (TPID, that is, the
ether-type of the tag). This outer tag is used for learning and switching
packets across the metropolitan network. The priority of the inner tag is
copied to the outer tag if it is a tagged or priority tagged packet.
2. After successful source and destination lookup, the ingress process
sends the packet to the switching process with two tags. If the
incoming packet is untagged, the outer tag is an SPVLAN tag, and the
inner tag is a dummy tag (8100 0000). If the incoming packet is
tagged, the outer tag is an SPVLAN tag, and the inner tag is a CVLAN
tag.
3. After packet classification through the switching process, the packet is
written to memory with one tag (an outer tag) or with two tags (both
an outer tag and inner tag).
4. The switch sends the packet to the proper egress port.
5. If the egress port is an untagged member of the SPVLAN, the outer tag
will be stripped. If it is a tagged member, the outgoing packets will
have two tags.
– 180 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q Tunneling
Layer 2 Flow for Packets Coming into a Tunnel Uplink Port
An uplink port receives one of the following packets:
◆
Untagged
◆
One tag (CVLAN or SPVLAN)
◆
Double tag (CVLAN + SPVLAN)
The ingress process does source and destination lookups. If both lookups
are successful, the ingress process writes the packet to memory. Then the
egress process transmits the packet. Packets entering a QinQ uplink port
are processed in the following manner:
1. If incoming packets are untagged, the PVID VLAN native tag is added.
2. If the ether-type of an incoming packet (single or double tagged) is not
equal to the TPID of the uplink port, the VLAN tag is determined to be a
Customer VLAN (CVLAN) tag. The uplink port’s PVID VLAN native tag is
added to the packet. This outer tag is used for learning and switching
packets within the service provider’s network. The TPID must be
configured on a per port basis, and the verification cannot be disabled.
3. If the ether-type of an incoming packet (single or double tagged) is
equal to the TPID of the uplink port, no new VLAN tag is added. If the
uplink port is not the member of the outer VLAN of the incoming
packets, the packet will be dropped when ingress filtering is enabled. If
ingress filtering is not enabled, the packet will still be forwarded. If the
VLAN is not listed in the VLAN table, the packet will be dropped.
4. After successful source and destination lookups, the packet is double
tagged. The switch uses the TPID of 0x8100 to indicate that an
incoming packet is double-tagged. If the outer tag of an incoming
double-tagged packet is equal to the port TPID and the inner tag is
0x8100, it is treated as a double-tagged packet. If a single-tagged
packet has 0x8100 as its TPID, and port TPID is not 0x8100, a new
VLAN tag is added and it is also treated as double-tagged packet.
5. If the destination address lookup fails, the packet is sent to all member
ports of the outer tag's VLAN.
6. After packet classification, the packet is written to memory for
processing as a single-tagged or double-tagged packet.
7. The switch sends the packet to the proper egress port.
8. If the egress port is an untagged member of the SPVLAN, the outer tag
will be stripped. If it is a tagged member, the outgoing packet will have
two tags.
– 181 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q Tunneling
Configuration Limitations for QinQ
◆
The native VLAN of uplink ports should not be used as the SPVLAN. If
the SPVLAN is the uplink port's native VLAN, the uplink port must be an
untagged member of the SPVLAN. Then the outer SPVLAN tag will be
stripped when the packets are sent out. Another reason is that it
causes non-customer packets to be forwarded to the SPVLAN.
◆
Static trunk port groups are compatible with QinQ tunnel ports as long
as the QinQ configuration is consistent within a trunk port group.
◆
The native VLAN (VLAN 1) is not normally added to transmitted frames.
Avoid using VLAN 1 as an SPVLAN tag for customer traffic to reduce the
risk of misconfiguration. Instead, use VLAN 1 as a management VLAN
instead of a data VLAN in the service provider network.
◆
There are some inherent incompatibilities between Layer 2 and Layer 3
switching:
■
Tunnel ports do not support IP Access Control Lists.
■
Layer 3 Quality of Service (QoS) and other QoS features containing
Layer 3 information are not supported on tunnel ports.
■
Spanning tree bridge protocol data unit (BPDU) filtering is
automatically disabled on a tunnel port.
General Configuration Guidelines for QinQ
1. Enable Tunnel Status, and set the Tag Protocol Identifier (TPID) value of
the tunnel access port (in the Ethernet Type field. This step is required
if the attached client is using a nonstandard 2-byte ethertype to
identify 802.1Q tagged frames. The default ethertype value is 0x8100.
(See "Enabling QinQ Tunneling on the Switch" on page 183.)
2. Create a Service Provider VLAN, also referred to as an SPVLAN (see
"Configuring VLAN Groups" on page 170).
3. Configure the QinQ tunnel access port to Access mode (see "Adding an
Interface to a QinQ Tunnel" on page 184).
4. Configure the QinQ tunnel access port to join the SPVLAN as an
untagged member (see "Adding Static Members to VLANs" on
page 171).
5. Configure the SPVLAN ID as the native VID on the QinQ tunnel access
port (see "Adding Static Members to VLANs" on page 171).
6. Configure the QinQ tunnel uplink port to Uplink mode (see "Adding an
Interface to a QinQ Tunnel" on page 184).
7. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged
member (see "Adding Static Members to VLANs" on page 171).
– 182 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q Tunneling
ENABLING QINQ Use the VLAN > Tunnel (Configure Global) page to configure the switch to
TUNNELING ON THE operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing
SWITCH Layer 2 traffic across a service provider’s metropolitan area network. You
can also globally set the Tag Protocol Identifier (TPID) value of the tunnel
port if the attached client is using a nonstandard 2-byte ethertype to
identify 802.1Q tagged frames.
CLI REFERENCES
◆ "Configuring IEEE 802.1Q Tunneling" on page 836
PARAMETERS
These parameters are displayed:
◆
Tunnel Status – Sets the switch to QinQ mode. (Default: Disabled)
◆
Ethernet Type – The Tag Protocol Identifier (TPID) specifies the
ethertype of incoming packets on a tunnel port. (Range: hexadecimal
0800-FFFF; Default: 8100)
Use this field to set a custom 802.1Q ethertype value for the 802.1Q
Tunnel TPID. This feature allows the switch to interoperate with thirdparty switches that do not use the standard 0x8100 ethertype to
identify 802.1Q-tagged frames. For example, if 0x1234 is set as the
custom 802.1Q ethertype on a trunk port, incoming frames containing
that ethertype are assigned to the VLAN contained in the tag following
the ethertype field, as they would be with a standard 802.1Q trunk.
Frames arriving on the port containing any other ethertype are looked
upon as untagged frames, and assigned to the native VLAN of that port.
The specified ethertype only applies to ports configured in Uplink mode
(see "Adding an Interface to a QinQ Tunnel" on page 184). If the port is
in normal mode, the TPID is always 8100. If the port is in Access mode,
received packets are processes as untagged packets.
All ports on the switch will be set to the same ethertype.
WEB INTERFACE
To enable QinQ Tunneling on the switch:
1. Click VLAN, Tunnel.
2. Select Configure Global from the Step list.
3. Enable Tunnel Status, and specify the TPID if a client attached to a
tunnel port is using a non-standard ethertype to identify 802.1Q tagged
frames.
4. Click Apply.
– 183 –
CHAPTER 6 | VLAN Configuration
IEEE 802.1Q Tunneling
Figure 71: Enabling QinQ Tunneling
ADDING AN INTERFACE Follow the guidelines in the preceding section to set up a QinQ tunnel on
TO A QINQ TUNNEL the switch. Then use the VLAN > Tunnel (Configure Interface) page to set
the tunnel mode for any participating interface.
CLI REFERENCES
◆ "Configuring IEEE 802.1Q Tunneling" on page 836
COMMAND USAGE
◆ Use the Configure Global page to set the switch to QinQ mode before
configuring a tunnel access port or tunnel uplink port (see "Enabling
QinQ Tunneling on the Switch" on page 183). Also set the Tag Protocol
Identifier (TPID) value of the tunnel access port if the attached client is
using a nonstandard 2-byte ethertype to identify 802.1Q tagged
frames.
◆
Then use the Configure Interface page to set the access interface on
the edge switch to Access mode, and set the uplink interface on the
switch attached to the service provider network to Uplink mode.
PARAMETERS
These parameters are displayed:
◆
Interface – Displays a list of ports or trunks.
◆
Port – Port Identifier. (Range: 1-26)
◆
Trunk – Trunk Identifier. (Range: 1-12)
◆
Mode – Sets the VLAN membership mode of the port.
■
■
■
None – The port operates in its normal VLAN mode. (This is the
default.)
Access – Configures QinQ tunneling for a client access port to
segregate and preserve customer VLAN IDs for traffic crossing the
service provider network.
Uplink – Configures QinQ tunneling for an uplink port to another
device within the service provider network.
– 184 –
CHAPTER 6 | VLAN Configuration
Protocol VLANs
WEB INTERFACE
To add an interface to a QinQ tunnel:
1. Click VLAN, Tunnel.
2. Select Configure Interface from the Step list.
3. Set the mode for any tunnel access port to Access and the tunnel uplink
port to Uplink.
4. Click Apply.
Figure 72: Adding an Interface to a QinQ Tunnel
PROTOCOL VLANS
The network devices required to support multiple protocols cannot be
easily grouped into a common VLAN. This may require non-standard
devices to pass traffic between different VLANs in order to encompass all
the devices participating in a specific protocol. This kind of configuration
deprives users of the basic benefits of VLANs, including security and easy
accessibility.
To avoid these problems, you can configure this switch with protocol-based
VLANs that divide the physical network into logical VLAN groups for each
required protocol. When a frame is received at a port, its VLAN
membership can then be determined based on the protocol type being
used by the inbound packets.
COMMAND USAGE
◆ To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use
(page 827). Although not mandatory, we suggest configuring a
separate VLAN for each major protocol running on your network.
Do not add port members at this time.
2. Create a protocol group for each of the protocols you want to assign
to a VLAN using the Configure Protocol (Add) page.
– 185 –
CHAPTER 6 | VLAN Configuration
Protocol VLANs
3. Then map the protocol for each interface to the appropriate VLAN
using the Configure Interface (Add) page.
◆
When MAC-based, IP subnet-based, and protocol-based VLANs are
supported concurrently, priority is applied in this sequence, and then
port-based VLANs last.
CONFIGURING Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol
PROTOCOL VLAN groups.
GROUPS
CLI REFERENCES
◆ "protocol-vlan protocol-group (Configuring Groups)" on page 843
PARAMETERS
These parameters are displayed:
◆
Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the
frame type used by this protocol.
◆
Protocol Type – Specifies the protocol type to match. The available
options are IP, ARP, RARP and IPv6. If LLC Other is chosen for the
Frame Type, the only available Protocol Type is IPX Raw.
◆
Protocol Group ID – Protocol Group ID assigned to the Protocol VLAN
Group. (Range: 1-2147483647)
NOTE: Traffic which matches IP Protocol Ethernet Frames is mapped to the
VLAN (VLAN 1) that has been configured with the switch's administrative
IP. IP Protocol Ethernet traffic must not be mapped to another VLAN or you
will lose administrative network connectivity to the switch. If lost in this
manner, network access can be regained by removing the offending
Protocol VLAN rule via the console. Alternately, the switch can be powercycled, however all unsaved configuration changes will be lost.
WEB INTERFACE
To configure a protocol group:
1. Click VLAN, Protocol.
2. Select Configure Protocol from the Step list.
3. Select Add from the Action list.
4. Select an entry from the Frame Type list.
5. Select an entry from the Protocol Type list.
6. Enter an identifier for the protocol group.]
– 186 –
CHAPTER 6 | VLAN Configuration
Protocol VLANs
7. Click Apply.
Figure 73: Configuring Protocol VLANs
To configure a protocol group:
1. Click VLAN, Protocol.
2. Select Configure Protocol from the Step list.
3. Select Show from the Action list.
Figure 74: Displaying Protocol VLANs
MAPPING PROTOCOL Use the VLAN > Protocol (Configure Interface - Add) page to map a
GROUPS TO protocol group to a VLAN for each interface that will participate in the
INTERFACES group.
CLI REFERENCES
◆ "protocol-vlan protocol-group (Configuring Interfaces)" on page 843
COMMAND USAGE
◆ When creating a protocol-based VLAN, only assign interfaces using this
configuration screen. If you assign interfaces using any of the other
VLAN menus such as the VLAN Static table (page 171), these interfaces
will admit traffic of any protocol type into the associated VLAN.
◆
When a frame enters a port that has been assigned to a protocol VLAN,
it is processed in the following manner:
■
If the frame is tagged, it will be processed according to the standard
rules applied to tagged frames.
– 187 –
CHAPTER 6 | VLAN Configuration
Protocol VLANs
■
■
If the frame is untagged and the protocol type matches, the frame
is forwarded to the appropriate VLAN.
If the frame is untagged but the protocol type does not match, the
frame is forwarded to the default VLAN for this interface.
PARAMETERS
These parameters are displayed:
◆
Interface – Displays a list of ports or trunks.
◆
Port – Port Identifier. (Range: 1-26)
◆
Trunk – Trunk Identifier. (Range: 1-12)
◆
Protocol Group ID – Protocol Group ID assigned to the Protocol VLAN
Group. (Range: 1-2147483647)
◆
VLAN ID – VLAN to which matching protocol traffic is forwarded.
(Range: 1-4093)
WEB INTERFACE
To map a protocol group to a VLAN for a port or trunk:
1. Click VLAN, Protocol.
2. Select Configure Interface from the Step list.
3. Select Add from the Action list.
4. Select a port or trunk.
5. Enter the identifier for a protocol group.
6. Enter the corresponding VLAN to which the protocol traffic will be
forwarded.
7. Click Apply.
Figure 75: Assigning Interfaces to Protocol VLANs
– 188 –
CHAPTER 6 | VLAN Configuration
Configuring IP Subnet VLANs
To show the protocol groups mapped to a port or trunk:
1. Click VLAN, Protocol.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port or trunk.
Figure 76: Showing the Interface to Protocol Group Mapping
CONFIGURING IP SUBNET VLANS
Use the VLAN > IP Subnet page to configure IP subnet-based VLANs.
When using port-based classification, all untagged frames received by a
port are classified as belonging to the VLAN whose VID (PVID) is
associated with that port.
When IP subnet-based VLAN classification is enabled, the source address of
untagged ingress frames are checked against the IP subnet-to-VLAN
mapping table. If an entry is found for that subnet, these frames are
assigned to the VLAN indicated in the entry. If no IP subnet is matched, the
untagged frames are classified as belonging to the receiving port’s VLAN ID
(PVID).
CLI REFERENCES
◆ "Configuring IP Subnet VLANs" on page 846
COMMAND USAGE
◆ Each IP subnet can be mapped to only one VLAN ID. An IP subnet
consists of an IP address and a mask. The specified VLAN need not be
an existing VLAN.
◆
When an untagged frame is received by a port, the source IP address is
checked against the IP subnet-to-VLAN mapping table, and if an entry
is found, the corresponding VLAN ID is assigned to the frame. If no
mapping is found, the PVID of the receiving port is assigned to the
frame.
– 189 –
CHAPTER 6 | VLAN Configuration
Configuring IP Subnet VLANs
◆
The IP subnet cannot be a broadcast or multicast IP address.
◆
When MAC-based, IP subnet-based, and protocol-based VLANs are
supported concurrently, priority is applied in this sequence, and then
port-based VLANs last.
PARAMETERS
These parameters are displayed:
◆
IP Address – The IP address for a subnet. Valid IP addresses consist of
four decimal numbers, 0 to 255, separated by periods.
◆
Subnet Mask – This mask identifies the host address bits of the IP
subnet.
◆
VLAN – VLAN to which matching IP subnet traffic is forwarded.
(Range: 1-4093)
◆
Priority – The priority assigned to untagged ingress traffic.
(Range: 0-7, where 7 is the highest priority; Default: 0)
WEB INTERFACE
To map an IP subnet to a VLAN:
1. Click VLAN, IP Subnet.
2. Select Add from the Action list.
3. Enter an address in the IP Address field.
4. Enter a mask in the Subnet Mask field.
5. Enter the identifier in the VLAN field. Note that the specified VLAN need
not already be configured.
6. Enter a value to assign to untagged frames in the Priority field.
7. Click Apply.
Figure 77: Configuring IP Subnet VLANs
– 190 –
CHAPTER 6 | VLAN Configuration
Configuring MAC-based VLANs
To show the configured IP subnet VLANs:
1. Click VLAN, IP Subnet.
2. Select Show from the Action list.
Figure 78: Showing IP Subnet VLANs
CONFIGURING MAC-BASED VLANS
Use the VLAN > MAC-Based page to configure VLAN based on MAC
addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress
untagged frames according to source MAC addresses.
When MAC-based VLAN classification is enabled, untagged frames received
by a port are assigned to the VLAN which is mapped to the frame’s source
MAC address. When no MAC address is matched, untagged frames are
assigned to the receiving port’s native VLAN ID (PVID).
CLI REFERENCES
◆ "Configuring MAC Based VLANs" on page 848
COMMAND USAGE
◆ The MAC-to-VLAN mapping applies to all ports on the switch.
◆
Source MAC addresses can be mapped to only one VLAN ID.
◆
Configured MAC addresses cannot be broadcast or multicast addresses.
◆
When MAC-based, IP subnet-based, and protocol-based VLANs are
supported concurrently, priority is applied in this sequence, and then
port-based VLANs last.
PARAMETERS
These parameters are displayed:
◆
MAC Address – A source MAC address which is to be mapped to a
specific VLAN. The MAC address must be specified in the format xx-xxxx-xx-xx-xx.
◆
VLAN – VLAN to which ingress traffic matching the specified source
MAC address is forwarded. (Range: 1-4093)
– 191 –
CHAPTER 6 | VLAN Configuration
Configuring MAC-based VLANs
◆
Priority – The priority assigned to untagged ingress traffic.
(Range: 0-7, where 7 is the highest priority; Default: 0)
WEB INTERFACE
To map a MAC address to a VLAN:
1. Click VLAN, MAC-Based.
2. Select Add from the Action list.
3. Enter an address in the MAC Address field.
4. Enter an identifier in the VLAN field. Note that the specified VLAN need
not already be configured.
5. Enter a value to assign to untagged frames in the Priority field.
6. Click Apply.
Figure 79: Configuring MAC-Based VLANs
To show the MAC addresses mapped to a VLAN:
1. Click VLAN, MAC-Based.
2. Select Show from the Action list.
Figure 80: Showing MAC-Based VLANs
– 192 –
CHAPTER 6 | VLAN Configuration
Configuring VLAN Mirroring
CONFIGURING VLAN MIRRORING
Use the VLAN > Mirror (Add) page to mirror traffic from one or more
source VLANs to a target port for real-time analysis. You can then attach a
logic analyzer or RMON probe to the target port and study the traffic
crossing the source VLAN(s) in a completely unobtrusive manner.
CLI REFERENCES
◆ "Port Mirroring Commands" on page 761
COMMAND USAGE
◆ All active ports in a source VLAN are monitored for ingress traffic only.
◆
All VLAN mirror sessions must share the same target port, preferably
one that is not a member of the source VLAN.
◆
When VLAN mirroring and port mirroring are both enabled, they must
use the same target port.
◆
When VLAN mirroring and port mirroring are both enabled, the target
port can receive a mirrored packet twice; once from the source mirror
port and again from the source mirrored VLAN.
◆
The target port receives traffic from all monitored source VLANs and
can become congested. Some mirror traffic may therefore be dropped
from the target port.
◆
When mirroring VLAN traffic or packets based on a source MAC address
(see "Configuring MAC Address Mirroring" on page 200), the target port
cannot be set to the same target ports as that used for port mirroring
(see "Configuring Local Port Mirroring" on page 132).
◆
When traffic matches the rules for both port mirroring, and for
mirroring of VLAN traffic or packets based on a MAC address, the
matching packets will not be sent to target port specified for port
mirroring.
PARAMETERS
These parameters are displayed:
◆
Source VLAN – A VLAN whose traffic will be monitored.
(Range: 1-4093)
◆
Target Port – The destination port that receives the mirrored traffic
from the source VLAN. (Range: 1-26)
– 193 –
CHAPTER 6 | VLAN Configuration
Configuring VLAN Mirroring
WEB INTERFACE
To configure VLAN mirroring:
1. Click VLAN, Mirror.
2. Select Add from the Action list.
3. Select the source VLAN, and select a target port.
4. Click Apply.
Figure 81: Configuring VLAN Mirroring
To show the VLANs to be mirrored:
1. Click VLAN, Mirror.
2. Select Show from the Action list.
Figure 82: Showing the VLANs to Mirror
– 194 –
7
ADDRESS TABLE SETTINGS
Switches store the addresses for all known devices. This information is
used to pass traffic directly between the inbound and outbound ports. All
the addresses learned by monitoring traffic are stored in the dynamic
address table. You can also manually configure static addresses that are
bound to a specific port.
This chapter describes the following topics:
◆
Static MAC Addresses – Configures static entries in the address table.
◆
Address Aging Time – Sets time out for dynamically learned entries.
◆
Dynamic Address Cache – Shows dynamic entries in the address table.
◆
MAC Address Mirroring – Mirrors traffic matching a specified source
address to a target port.
SETTING STATIC ADDRESSES
Use the MAC Address > Static page to configure static MAC addresses. A
static address can be assigned to a specific interface on this switch. Static
addresses are bound to the assigned interface and will not be moved.
When a static address is seen on another interface, the address will be
ignored and will not be written to the address table.
CLI REFERENCES
◆ "mac-address-table static" on page 790
COMMAND USAGE
The static address for a host device can be assigned to a specific port
within a specific VLAN. Use this command to add static addresses to the
MAC Address Table. Static addresses have the following characteristics:
◆
Static addresses are bound to the assigned interface and will not be
moved. When a static address is seen on another interface, the address
will be ignored and will not be written to the address table.
◆
Static addresses will not be removed from the address table when a
given interface link is down.
◆
A static address cannot be learned on another port until the address is
removed from the table.
– 195 –
CHAPTER 7 | Address Table Settings
Setting Static Addresses
PARAMETERS
These parameters are displayed:
◆
VLAN – ID of configured VLAN. (Range: 1-4093)
◆
Interface – Port or trunk associated with the device assigned a static
address.
◆
MAC Address – Physical address of a device mapped to this interface.
Enter an address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
◆
Static Status – Sets the time to retain the specified address.
■
Delete-on-reset - Assignment lasts until the switch is reset.
■
Permanent - Assignment is permanent. (This is the default.)
WEB INTERFACE
To configure a static MAC address:
1. Click MAC Address, Static.
2. Select Add from the Action list.
3. Specify the VLAN, the port or trunk to which the address will be
assigned, the MAC address, and the time to retain this entry.
4. Click Apply.
Figure 83: Configuring Static MAC Addresses
To show the static addresses in MAC address table:
1. Click MAC Address, Static.
2. Select Show from the Action list.
– 196 –
CHAPTER 7 | Address Table Settings
Changing the Aging Time
Figure 84: Displaying Static MAC Addresses
CHANGING THE AGING TIME
Use the MAC Address > Dynamic (Configure Aging) page to set the aging
time for entries in the dynamic address table. The aging time is used to
age out dynamically learned forwarding information.
CLI REFERENCES
◆ "mac-address-table aging-time" on page 789
PARAMETERS
These parameters are displayed:
◆
Aging Status – Enables/disables the function.
◆
Aging Time – The time after which a learned entry is discarded.
(Range: 10-844 seconds; Default: 300 seconds)
WEB INTERFACE
To set the aging time for entries in the dynamic address table:
1. Click MAC Address, Dynamic.
2. Select Configure Aging from the Action list.
3. Modify the aging status if required.
4. Specify a new aging time.
5. Click Apply.
Figure 85: Setting the Address Aging Time
– 197 –
CHAPTER 7 | Address Table Settings
Displaying the Dynamic Address Table
DISPLAYING THE DYNAMIC ADDRESS TABLE
Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the
MAC addresses learned by monitoring the source address for traffic
entering the switch. When the destination address for inbound traffic is
found in the database, the packets intended for that address are forwarded
directly to the associated port. Otherwise, the traffic is flooded to all ports.
CLI REFERENCES
◆ "show mac-address-table" on page 791
PARAMETERS
These parameters are displayed:
◆
Sort Key - You can sort the information displayed based on MAC
address, VLAN or interface (port or trunk).
◆
MAC Address – Physical address associated with this interface.
◆
VLAN – ID of configured VLAN (1-4093).
◆
Interface – Indicates a port or trunk.
◆
Type – Shows that the entries in this table are learned.
◆
Life Time – Shows the time to retain the specified address.
WEB INTERFACE
To show the dynamic address table:
1. Click MAC Address, Dynamic.
2. Select Show Dynamic MAC from the Action list.
3. Select the Sort Key (MAC Address, VLAN, or Interface).
4. Enter the search parameters (MAC Address, VLAN, or Interface).
5. Click Query.
– 198 –
CHAPTER 7 | Address Table Settings
Clearing the Dynamic Address Table
Figure 86: Displaying the Dynamic MAC Address Table
CLEARING THE DYNAMIC ADDRESS TABLE
Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any
learned entries from the forwarding database.
CLI REFERENCES
◆ "clear mac-address-table dynamic" on page 791
PARAMETERS
These parameters are displayed:
◆
Clear by – All entries can be cleared; or you can clear the entries for a
specific MAC address, all the entries in a VLAN, or all the entries
associated with a port or trunk.
WEB INTERFACE
To clear the entries in the dynamic address table:
1. Click MAC Address, Dynamic.
2. Select Clear Dynamic MAC from the Action list.
3. Select the method by which to clear the entries (i.e., All, MAC Address,
VLAN, or Interface).
4. Enter information in the additional fields required for clearing entries by
MAC Address, VLAN, or Interface.
5. Click Clear.
– 199 –
CHAPTER 7 | Address Table Settings
Configuring MAC Address Mirroring
Figure 87: Clearing Entries in the Dynamic MAC Address Table
CONFIGURING MAC ADDRESS MIRRORING
Use the MAC Address > Mirror (Add) page to mirror traffic matching a
specified source address from any port on the switch to a target port for
real-time analysis. You can then attach a logic analyzer or RMON probe to
the target port and study the traffic crossing the source port in a
completely unobtrusive manner.
CLI REFERENCES
◆ "Local Port Mirroring Commands" on page 761
COMMAND USAGE
◆ When mirroring traffic from a MAC address, ingress traffic with the
specified source address entering any port in the switch, other than the
target port, will be mirrored to the destination port.
◆
All mirror sessions must share the same destination port.
◆
Spanning Tree BPDU packets are not mirrored to the target port.
◆
When mirroring port traffic, the target port must be included in the
same VLAN as the source port when using MSTP (see "Spanning Tree
Algorithm" on page 203).
◆
When mirroring VLAN traffic (see "Configuring VLAN Mirroring" on
page 193) or packets based on a source MAC address, the target port
cannot be set to the same target ports as that used for port mirroring
(see "Configuring Local Port Mirroring" on page 132).
◆
When traffic matches the rules for both port mirroring, and for
mirroring of VLAN traffic or packets based on a MAC address, the
matching packets will not be sent to target port specified for port
mirroring.
PARAMETERS
These parameters are displayed:
◆
Source MAC – MAC address in the form of xx-xx-xx-xx-xx-xx or
xxxxxxxxxxxx.
◆
Target Port – The port that will mirror the traffic from the source port.
(Range: 1-26)
– 200 –
CHAPTER 7 | Address Table Settings
Configuring MAC Address Mirroring
WEB INTERFACE
To mirror packets based on a MAC address:
1. Click MAC Address, Mirror.
2. Select Add from the Action list.
3. Specify the source MAC address and destination port.
4. Click Apply.
Figure 88: Mirroring Packets Based on the Source MAC Address
To show the MAC addresses to be mirrored:
1. Click MAC Address, Mirror.
2. Select Show from the Action list.
Figure 89: Showing the Source MAC Addresses to Mirror
– 201 –
CHAPTER 7 | Address Table Settings
Configuring MAC Address Mirroring
– 202 –
8
SPANNING TREE ALGORITHM
This chapter describes the following basic topics:
◆
Loopback Detection – Configures detection and response to loopback
BPDUs.
◆
Global Settings for STA – Configures global bridge settings for STP,
RSTP and MSTP.
◆
Interface Settings for STA – Configures interface settings for STA,
including priority, path cost, link type, and designation as an edge port.
◆
Global Settings for MSTP – Sets the VLANs and associated priority
assigned to an MST instance
◆
Interface Settings for MSTP – Configures interface settings for MSTP,
including priority and path cost.
OVERVIEW
The Spanning Tree Algorithm (STA) can be used to detect and disable
network loops, and to provide backup links between switches, bridges or
routers. This allows the switch to interact with other bridging devices (that
is, an STA-compliant switch, bridge or router) in your network to ensure
that only one route exists between any two stations on the network, and
provide backup links which automatically take over when a primary link
goes down.
The spanning tree algorithms supported by this switch include these
versions:
◆
STP – Spanning Tree Protocol (IEEE 802.1D)
◆
RSTP – Rapid Spanning Tree Protocol (IEEE 802.1w)
◆
MSTP – Multiple Spanning Tree Protocol (IEEE 802.1s)
STP – STP uses a distributed algorithm to select a bridging device (STPcompliant switch, bridge or router) that serves as the root of the spanning
tree network. It selects a root port on each bridging device (except for the
root device) which incurs the lowest path cost when forwarding a packet
from that device to the root device. Then it selects a designated bridging
device from each LAN which incurs the lowest path cost when forwarding a
packet from that LAN to the root device. All ports connected to designated
bridging devices are assigned as designated ports. After determining the
– 203 –
CHAPTER 8 | Spanning Tree Algorithm
Overview
lowest cost spanning tree, it enables all root ports and designated ports,
and disables all other ports. Network packets are therefore only forwarded
between root ports and designated ports, eliminating any possible network
loops.
Figure 90: STP Root Ports and Designated Ports
Designated
Root
x
x
x
Designated
Bridge
x
Designated
Port
Root
Port
x
Once a stable network topology has been established, all bridges listen for
Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge.
If a bridge does not get a Hello BPDU after a predefined interval (Maximum
Age), the bridge assumes that the link to the Root Bridge is down. This
bridge will then initiate negotiations with other bridges to reconfigure the
network to reestablish a valid network topology.
RSTP – RSTP is designed as a general replacement for the slower, legacy
STP. RSTP is also incorporated into MSTP. RSTP achieves much faster
reconfiguration (i.e., around 1 to 3 seconds, compared to 30 seconds or
more for STP) by reducing the number of state changes before active ports
start learning, predefining an alternate route that can be used when a node
or port fails, and retaining the forwarding database for ports insensitive to
changes in the tree structure when reconfiguration occurs.
MSTP – When using STP or RSTP, it may be difficult to maintain a stable
path between all VLAN members. Frequent changes in the tree structure
can easily isolate some of the group members. MSTP (which is based on
RSTP for fast convergence) is designed to support independent spanning
trees based on VLAN groups. Using multiple spanning trees can provide
multiple forwarding paths and enable load balancing. One or more VLANs
can be grouped into a Multiple Spanning Tree Instance (MSTI). MSTP builds
a separate Multiple Spanning Tree (MST) for each instance to maintain
connectivity among each of the assigned VLAN groups. MSTP then builds a
Internal Spanning Tree (IST) for the Region containing all commonly
configured MSTP bridges.
– 204 –
CHAPTER 8 | Spanning Tree Algorithm
Overview
Figure 91: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree
An MST Region consists of a group of interconnected bridges that have the
same MST Configuration Identifiers (including the Region Name, Revision
Level and Configuration Digest – see "Configuring Multiple Spanning Trees"
on page 220). An MST Region may contain multiple MSTP Instances. An
Internal Spanning Tree (IST) is used to connect all the MSTP switches
within an MST region. A Common Spanning Tree (CST) interconnects all
adjacent MST Regions, and acts as a virtual bridge node for
communications with STP or RSTP nodes in the global network.
Figure 92: Common Internal Spanning Tree, Common Spanning Tree,
Internal Spanning Tree
Region 1
Region 1
CIST
CST
IST
Region 4
Region 2
Region 4
Region 3
Region 2
Region 3
MSTP connects all bridges and LAN segments with a single Common and
Internal Spanning Tree (CIST). The CIST is formed as a result of the
running spanning tree algorithm between switches that support the STP,
RSTP, MSTP protocols.
Once you specify the VLANs to include in a Multiple Spanning Tree Instance
(MSTI), the protocol will automatically build an MSTI tree to maintain
connectivity among each of the VLANs. MSTP maintains contact with the
global network because each instance is treated as an RSTP node in the
Common Spanning Tree (CST).
– 205 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Loopback Detection
CONFIGURING LOOPBACK DETECTION
Use the Spanning Tree > Loopback Detection page to configure loopback
detection on an interface. When loopback detection is enabled and a port
or trunk receives it’s own BPDU, the detection agent drops the loopback
BPDU, sends an SNMP trap, and places the interface in discarding mode.
This loopback state can be released manually or automatically. If the
interface is configured for automatic loopback release, then the port will
only be returned to the forwarding state if one of the following conditions is
satisfied:
◆
The interface receives any other BPDU except for it’s own, or;
◆
The interfaces’s link status changes to link down and then link up again,
or;
◆
The interface ceases to receive it’s own BPDUs in a forward delay
interval.
NOTE: If loopback detection is not enabled and an interface receives it's
own BPDU, then the interface will drop the loopback BPDU according to
IEEE Standard 802.1w-2001 9.3.4 (Note 1).
NOTE: Loopback detection will not be active if Spanning Tree is disabled on
the switch.
NOTE: When configured for manual release mode, then a link down/up
event will not release the port from the discarding state.
CLI REFERENCES
◆ "Spanning Tree Commands" on page 795
PARAMETERS
These parameters are displayed:
◆
Interface – Displays a list of ports or trunks.
◆
Status – Enables loopback detection on this interface.
(Default: Enabled)
◆
Trap – Enables SNMP trap notification for loopback events on this
interface. (Default: Disabled)
◆
Shutdown Interval – The duration to shut down the interface.
(Range: 30-86400 seconds; Default: 300 seconds)
If an interface is shut down due to a detected loopback, and the release
mode is set to “Auto,” the selected interface will be automatically
enabled when the shutdown interval has expired.
If an interface is shut down due to a detected loopback, and the release
mode is set to “Manual,” the interface can be re-enabled using the
Release button.
– 206 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Global Settings for STA
◆
Time Left – Time remaining before the shutdown expires.
◆
Release Mode – Configures the interface for automatic or manual
loopback release. (Default: Auto)
◆
Release – Allows an interface to be manually released from discard
mode. This is only available if the interface is configured for manual
release mode.
WEB INTERFACE
To configure loopback detection:
1. Click Spanning Tree, Loopback Detection.
2. Click Port or Trunk to display the required interface type.
3. Modify the required loopback detection attributes.
4. Click Apply
Figure 93: Configuring Port Loopback Detection
CONFIGURING GLOBAL SETTINGS FOR STA
Use the Spanning Tree > STA (Configure Global - Configure) page to
configure global settings for the spanning tree that apply to the entire
switch.
CLI REFERENCES
◆ "Spanning Tree Commands" on page 795
COMMAND USAGE
◆ Spanning Tree Protocol3
This option uses RSTP set to STP forced compatibility mode. It uses
RSTP for the internal state machine, but sends only 802.1D BPDUs.
3. STP and RSTP BPDUs are transmitted as untagged frames, and will cross any VLAN
boundaries.
– 207 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Global Settings for STA
This creates one spanning tree instance for the entire network. If
multiple VLANs are implemented on a network, the path between
specific VLAN members may be inadvertently disabled to prevent
network loops, thus isolating group members. When operating multiple
VLANs, we recommend selecting the MSTP option.
◆
Rapid Spanning Tree Protocol3
RSTP supports connections to either STP or RSTP nodes by monitoring
the incoming protocol messages and dynamically adjusting the type of
protocol messages the RSTP node transmits, as described below:
◆
■
STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU)
after a port’s migration delay timer expires, the switch assumes it is
connected to an 802.1D bridge and starts using only 802.1D
BPDUs.
■
RSTP Mode – If RSTP is using 802.1D BPDUs on a port and receives
an RSTP BPDU after the migration delay expires, RSTP restarts the
migration delay timer and begins using RSTP BPDUs on that port.
Multiple Spanning Tree Protocol
MSTP generates a unique spanning tree for each instance. This provides
multiple pathways across the network, thereby balancing the traffic
load, preventing wide-scale disruption when a bridge node in a single
instance fails, and allowing for faster convergence of a new topology for
the failed instance.
■
To allow multiple spanning trees to operate over the network, you
must configure a related set of bridges with the same MSTP
configuration, allowing them to participate in a specific set of
spanning tree instances.
■
A spanning tree instance can exist only on bridges that have
compatible VLAN instance assignments.
■
Be careful when switching between spanning tree modes. Changing
modes stops all spanning-tree instances for the previous mode and
restarts the system in the new mode, temporarily disrupting user
traffic.
PARAMETERS
These parameters are displayed:
Basic Configuration of Global Settings
◆
Spanning Tree Status – Enables/disables STA on this switch.
(Default: Enabled)
◆
Spanning Tree Type – Specifies the type of spanning tree used on
this switch:
■
STP: Spanning Tree Protocol (IEEE 802.1D); i.e., when this option
is selected, the switch will use RSTP set to STP forced compatibility
mode).
– 208 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Global Settings for STA
◆
■
RSTP: Rapid Spanning Tree (IEEE 802.1w); RSTP is the default.
■
MSTP: Multiple Spanning Tree (IEEE 802.1s)
Priority – Bridge priority is used in selecting the root device, root port,
and designated port. The device with the highest priority becomes the
STA root device. However, if all devices have the same priority, the
device with the lowest MAC address will then become the root device.
(Note that lower numeric values indicate higher priority.)
■
Default: 32768
■
Range: 0-61440, in steps of 4096
■
Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672,
32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440
Advanced Configuration Settings
The following attributes are based on RSTP, but also apply to STP since the
switch uses a backwards-compatible subset of RSTP to implement STP, and
also apply to MSTP which is based on RSTP according to the standard:
◆
◆
Path Cost Method – The path cost is used to determine the best path
between devices. The path cost method is used to determine the range
of values that can be assigned to each interface.
■
Long: Specifies 32-bit based values that range from 1-200,000,000.
(This is the default.)
■
Short: Specifies 16-bit based values that range from 1-65535.
Transmission Limit – The maximum transmission rate for BPDUs is
specified by setting the minimum interval between the transmission of
consecutive protocol messages. (Range: 1-10; Default: 3)
When the Switch Becomes Root
◆
◆
Hello Time – Interval (in seconds) at which the root device transmits a
configuration message.
■
Default: 2
■
Minimum: 1
■
Maximum: The lower of 10 or [(Max. Message Age / 2) -1]
Maximum Age – The maximum time (in seconds) a device can wait
without receiving a configuration message before attempting to
reconverge. All device ports (except for designated ports) should
receive configuration messages at regular intervals. Any port that ages
out STA information (provided in the last configuration message)
becomes the designated port for the attached LAN. If it is a root port, a
new root port is selected from among the device ports attached to the
network. (References to “ports” in this section mean “interfaces,” which
includes both ports and trunks.)
■
Default: 20
■
Minimum: The higher of 6 or [2 x (Hello Time + 1)]
■
Maximum: The lower of 40 or [2 x (Forward Delay - 1)]
– 209 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Global Settings for STA
◆
Forward Delay – The maximum time (in seconds) this device will wait
before changing states (i.e., discarding to learning to forwarding). This
delay is required because every device must receive information about
topology changes before it starts to forward frames. In addition, each
port needs time to listen for conflicting information that would make it
return to a discarding state; otherwise, temporary data loops might
result.
■
Default: 15
■
Minimum: The higher of 4 or [(Max. Message Age / 2) + 1]
■
Maximum: 30
RSTP does not depend on the forward delay timer in most cases. It is
able to confirm that a port can transition to the forwarding state
without having to rely on any timer configuration. To achieve fast
convergence, RSTP relies on the use of edge ports, and automatic
detection of point-to-point link types, both of which allow a port to
directly transition to the forwarding state.
Configuration Settings for MSTP
◆
Max Instance Numbers – The maximum number of MSTP instances
to which this switch can be assigned.
◆
Configuration Digest – An MD5 signature key that contains the VLAN
ID to MST ID mapping table. In other words, this key is a mapping of all
VLANs to the CIST.
◆
Region Revision4 – The revision for this MSTI. (Range: 0-65535;
Default: 0)
◆
Region Name4 – The name for this MSTI. (Maximum length: 32
characters; switch’s MAC address)
◆
Max Hop Count – The maximum number of hops allowed in the MST
region before a BPDU is discarded. (Range: 1-40; Default: 20)
NOTE: Region Revision and Region Name and are both required to uniquely
identify an MST region.
WEB INTERFACE
To configure global STA settings:
1. Click Spanning Tree, STA.
2. Select Configure Global from the Step list.
3. Select Configure from the Action list.
4. The MST name and revision number are both required to uniquely identify an MST region.
– 210 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Global Settings for STA
4. Modify any of the required attributes. Note that the parameters
displayed for the spanning tree types (STP, RSTP, MSTP) varies as
described in the preceding section.
5. Click Apply
Figure 94: Configuring Global Settings for STA (STP)
Figure 95: Configuring Global Settings for STA (RSTP)
– 211 –
CHAPTER 8 | Spanning Tree Algorithm
Displaying Global Settings for STA
Figure 96: Configuring Global Settings for STA (MSTP)
DISPLAYING GLOBAL SETTINGS FOR STA
Use the Spanning Tree > STA (Configure Global - Show Information) page
to display a summary of the current bridge STA information that applies to
the entire switch.
CLI REFERENCES
◆ "show spanning-tree" on page 818
◆ "show spanning-tree mst configuration" on page 820
PARAMETERS
The parameters displayed are described in the preceding section, except
for the following items:
◆
Bridge ID – A unique identifier for this bridge, consisting of the bridge
priority, the MST Instance ID 0 for the Common Spanning Tree when
spanning tree type is set to MSTP, and MAC address (where the address
is taken from the switch system).
◆
Designated Root – The priority and MAC address of the device in the
Spanning Tree that this switch has accepted as the root device.
◆
Root Port – The number of the port on this switch that is closest to the
root. This switch communicates with the root device through this port.
– 212 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Interface Settings for STA
If there is no root port, then this switch has been accepted as the root
device of the Spanning Tree network.
◆
Root Path Cost – The path cost from the root port on this switch to
the root device.
◆
Configuration Changes – The number of times the Spanning Tree has
been reconfigured.
◆
Last Topology Change – Time since the Spanning Tree was last
reconfigured.
WEB INTERFACE
To display global STA settings:
1. Click Spanning Tree, STA.
2. Select Configure Global from the Step list.
3. Select Show Information from the Action list.
Figure 97: Displaying Global Settings for STA
CONFIGURING INTERFACE SETTINGS FOR STA
Use the Spanning Tree > STA (Configure Interface - Configure) page to
configure RSTP and MSTP attributes for specific interfaces, including port
priority, path cost, link type, and edge port. You may use a different
priority or path cost for ports of the same media type to indicate the
preferred path, link type to indicate a point-to-point connection or sharedmedia connection, and edge port to indicate if the attached device can
support fast forwarding. (References to “ports” in this section means
“interfaces,” which includes both ports and trunks.)
– 213 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Interface Settings for STA
CLI REFERENCES
◆ "Spanning Tree Commands" on page 795
PARAMETERS
These parameters are displayed:
◆
Interface – Displays a list of ports or trunks.
◆
Admin Edge Status for all ports – Since end nodes cannot cause
forwarding loops, they can pass directly through to the spanning tree
forwarding state. Specifying Edge Ports provides quicker convergence
for devices such as workstations or servers, retains the current
forwarding database to reduce the amount of frame flooding required
to rebuild address tables during reconfiguration events, does not cause
the spanning tree to initiate reconfiguration when the interface changes
state, and also overcomes other STA-related timeout problems.
However, remember that Edge Port should only be enabled for ports
connected to an end-node device. (Default: Enabled)
■
Enabled – Manually configures a port as an Edge Port.
■
Disabled – Disables the Edge Port setting.
■
Auto – The port will be automatically configured as an edge port if
the edge delay time expires without receiving any RSTP or MSTP
BPDUs. Note that edge delay time (802.1D-2004 17.20.4) equals
the protocol migration time if a port's link type is point-to-point
(which is 3 seconds as defined in IEEE 802.3D-2004 17.20.4);
otherwise it equals the spanning tree’s maximum age for
configuration messages (see maximum age under "Configuring
Global Settings for STA" on page 207).
An interface cannot function as an edge port under the following
conditions:
◆
■
If spanning tree mode is set to STP (page 207), edge-port mode
cannot automatically transition to operational edge-port state using
the automatic setting.
■
If loopback detection is enabled (page 206) and a loopback BPDU is
detected, the interface cannot function as an edge port until the
loopback state is released.
■
If an interface is in forwarding state and its role changes, the
interface cannot continue to function as an edge port even if the
edge delay time has expired.
■
If the port does not receive any BPDUs after the edge delay timer
expires, its role changes to designated port and it immediately
enters forwarding state (see "Displaying Interface Settings for STA"
on page 217).
Spanning Tree – Enables/disables STA on this interface.
(Default: Enabled)
– 214 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Interface Settings for STA
◆
◆
Priority – Defines the priority used for this port in the Spanning Tree
Protocol. If the path cost for all ports on a switch are the same, the port
with the highest priority (i.e., lowest value) will be configured as an
active link in the Spanning Tree. This makes a port with higher priority
less likely to be blocked if the Spanning Tree Protocol is detecting
network loops. Where more than one port is assigned the highest
priority, the port with lowest numeric identifier will be enabled.
■
Default: 128
■
Range: 0-240, in steps of 16
Admin Path Cost – This parameter is used by the STA to determine
the best path between devices. Therefore, lower values should be
assigned to ports attached to faster media, and higher values assigned
to ports with slower media. Note that path cost takes precedence over
port priority. (Range: 0 for auto-configuration, 1-65535 for the short
path cost method5, 1-200,000,000 for the long path cost method)
By default, the system automatically detects the speed and duplex
mode used on each port, and configures the path cost according to the
values shown below. Path cost “0” is used to indicate auto-configuration
mode. When the short path cost method is selected and the default
path cost recommended by the IEEE 8021w standard exceeds 65,535,
the default is set to 65,535.
Table 11: Recommended STA Path Cost Range
Port Type
IEEE 802.1D-1998
IEEE 802.1w-2001
Ethernet
50-600
200,000-20,000,000
Fast Ethernet
10-60
20,000-2,000,000
Gigabit Ethernet
3-10
2,000-200,000
Table 12: Default STA Path Costs
◆
Port Type
Short Path Cost
(IEEE 802.1D-1998)
Long Path Cost
(802.1D-2004)
Ethernet
65,535
1,000,000
Fast Ethernet
65,535
100,000
Gigabit Ethernet
10,000
10,000
Admin Link Type – The link type attached to this interface.
■
Point-to-Point – A connection to exactly one other bridge.
■
Shared – A connection to two or more bridges.
■
Auto – The switch automatically determines if the interface is
attached to a point-to-point link or to shared media. (This is the
default setting.)
5. Refer to "Configuring Global Settings for STA" on page 207 for information on setting the
path cost method.
– 215 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Interface Settings for STA
◆
Root Guard – STA allows a bridge with a lower bridge identifier (or
same identifier and lower MAC address) to take over as the root bridge
at any time. Root Guard can be used to ensure that the root bridge is
not formed at a suboptimal location. Root Guard should be enabled on
any designated port connected to low-speed bridges which could
potentially overload a slower link by taking over as the root port and
forming a new spanning tree topology. It could also be used to form a
border around part of the network where the root bridge is allowed.
(Default: Disabled)
◆
Admin Edge Port – Refer to “Admin Edge Status for all ports” at the
beginning of this section.
◆
BPDU Guard – This feature protects edge ports from receiving BPDUs.
It prevents loops by shutting down an edge port when a BPDU is
received instead of putting it into the spanning tree discarding state. In
a valid configuration, configured edge ports should not receive BPDUs.
If an edge port receives a BPDU an invalid configuration exists, such as
a connection to an unauthorized device. The BPDU guard feature
provides a secure response to invalid configurations because an
administrator must manually enable the port. (Default: Disabled)
◆
BPDU Filter – BPDU filtering allows you to avoid transmitting BPDUs
on configured edge ports that are connected to end nodes. By default,
STA sends BPDUs to all ports regardless of whether administrative edge
is enabled on a port. BDPU filtering is configured on a per-port basis.
(Default: Disabled)
◆
Migration – If at any time the switch detects STP BPDUs, including
Configuration or Topology Change Notification BPDUs, it will
automatically set the selected interface to forced STP-compatible
mode. However, you can also use the Protocol Migration button to
manually re-check the appropriate BPDU format (RSTP or STPcompatible) to send on the selected interfaces. (Default: Disabled)
WEB INTERFACE
To configure interface settings for STA:
1. Click Spanning Tree, STA.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Modify any of the required attributes.
5. Click Apply.
– 216 –
CHAPTER 8 | Spanning Tree Algorithm
Displaying Interface Settings for STA
Figure 98: Configuring Interface Settings for STA
DISPLAYING INTERFACE SETTINGS FOR STA
Use the Spanning Tree > STA (Configure Interface - Show Information)
page to display the current status of ports or trunks in the Spanning Tree.
CLI REFERENCES
◆ "show spanning-tree" on page 818
PARAMETERS
These parameters are displayed:
◆
Spanning Tree – Shows if STA has been enabled on this interface.
◆
STA Status – Displays current state of this port within the Spanning
Tree:
■
Discarding - Port receives STA configuration messages, but does
not forward packets.
■
Learning - Port has transmitted configuration messages for an
interval set by the Forward Delay parameter without receiving
contradictory information. Port address table is cleared, and the
port begins learning addresses.
■
Forwarding - Port forwards packets, and continues learning
addresses.
– 217 –
CHAPTER 8 | Spanning Tree Algorithm
Displaying Interface Settings for STA
The rules defining port status are:
■
■
■
A port on a network segment with no other STA compliant bridging
device is always forwarding.
If two ports of a switch are connected to the same segment and
there is no other STA device attached to this segment, the port with
the smaller ID forwards packets and the other is discarding.
All ports are discarding when the switch is booted, then some of
them change state to learning, and then to forwarding.
◆
Forward Transitions – The number of times this port has transitioned
from the Learning state to the Forwarding state.
◆
Designated Cost – The cost for a packet to travel from this port to the
root in the current Spanning Tree configuration. The slower the media,
the higher the cost.
◆
Designated Bridge – The bridge priority and MAC address of the
device through which this port must communicate to reach the root of
the Spanning Tree.
◆
Designated Port – The port priority and number of the port on the
designated bridging device through which this switch must
communicate with the root of the Spanning Tree.
◆
Oper Path Cost – The contribution of this port to the path cost of
paths towards the spanning tree root which include this port.
◆
Oper Link Type – The operational point-to-point status of the LAN
segment attached to this interface. This parameter is determined by
manual configuration or by auto-detection, as described for Admin Link
Type in STA Port Configuration on page 213.
◆
Oper Edge Port – This parameter is initialized to the setting for Admin
Edge Port in STA Port Configuration on page 213 (i.e., true or false),
but will be set to false if a BPDU is received, indicating that another
bridge is attached to this port.
◆
Port Role – Roles are assigned according to whether the port is part of
the active topology, that is the best port connecting a non-root bridge
to the root bridge (i.e., root port), connecting a LAN through the bridge
to the root bridge (i.e., designated port), is the MSTI regional root
(i.e., master port), or is an alternate or backup port that may
provide connectivity if other bridges, bridge ports, or LANs fail or are
removed. The role is set to disabled (i.e., disabled port) if a port has
no role within the spanning tree.
– 218 –
CHAPTER 8 | Spanning Tree Algorithm
Displaying Interface Settings for STA
Figure 99: STA Port Roles
R: Root Port
A: Alternate Port
D: Designated Port
B: Backup Port
Alternate port receives more
useful BPDUs from another
bridge and is therefore not
selected as the designated
R
port.
R
A
D
x
R
A
x
Backup port receives more
useful BPDUs from the same
bridge and is therefore not
selected as the designated
port.
R
D
B
WEB INTERFACE
To display interface settings for STA:
1. Click Spanning Tree, STA.
2. Select Configure Interface from the Step list.
3. Select Show Information from the Action list.
Figure 100: Displaying Interface Settings for STA
– 219 –
B
CHAPTER 8 | Spanning Tree Algorithm
Configuring Multiple Spanning Trees
CONFIGURING MULTIPLE SPANNING TREES
Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP
instance, or to add VLAN groups to an MSTP instance.
CLI REFERENCES
◆ "Spanning Tree Commands" on page 795
COMMAND USAGE
MSTP generates a unique spanning tree for each instance. This provides
multiple pathways across the network, thereby balancing the traffic load,
preventing wide-scale disruption when a bridge node in a single instance
fails, and allowing for faster convergence of a new topology for the failed
instance.
By default all VLANs are assigned to the Internal Spanning Tree (MST
Instance 0) that connects all bridges and LANs within the MST region. This
switch supports up to 33 instances. You should try to group VLANs which
cover the same general area of your network. However, remember that you
must configure all bridges within the same MSTI Region (page 207) with
the same set of instances, and the same instance (on each bridge) with the
same set of VLANs. Also, note that RSTP treats each MSTI region as a
single node, connecting all regions to the Common Spanning Tree.
To use multiple spanning trees:
1. Set the spanning tree type to MSTP (page 207).
2. Enter the spanning tree priority for the selected MST instance on the
Spanning Tree > MSTP (Configure Global - Add) page.
3. Add the VLANs that will share this MSTI on the Spanning Tree > MSTP
(Configure Global - Add Member) page.
NOTE: All VLANs are automatically added to the IST (Instance 0).
To ensure that the MSTI maintains connectivity across the network, you
must configure a related set of bridges with the same MSTI settings.
PARAMETERS
These parameters are displayed:
◆
MST ID – Instance identifier to configure. (Range: 0-4094)
◆
VLAN ID – VLAN to assign to this MST instance. (Range: 1-4093)
◆
Priority – The priority of a spanning tree instance. (Range: 0-61440 in
steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576,
28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440;
Default: 32768)
– 220 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Multiple Spanning Trees
WEB INTERFACE
To create instances for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Specify the MST instance identifier and the initial VLAN member.
Additional member can be added using the Spanning Tree > MSTP
(Configure Global - Add Member) page. If the priority is not specified,
the default value 32768 is used.
5. Click Apply.
Figure 101: Creating an MST Instance
To show the MSTP instances:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show Information from the Action list.
4. Select an MST ID. The attributes displayed on this page are described
under "Displaying Global Settings for STA" on page 212.
Figure 102: Displaying Global Settings for an MST Instance
– 221 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Multiple Spanning Trees
To add additional VLAN groups to an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add Member from the Action list.
4. Select an MST instance from the MST ID list.
5. Enter the VLAN group to add to the instance in the VLAN ID field. Note
that the specified member does not have to be a configured VLAN.
6. Click Apply
Figure 103: Adding a VLAN to an MST Instance
To show the VLAN members of an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show Member from the Action list.
Figure 104: Displaying Members of an MST Instance
– 222 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Interface Settings for MSTP
CONFIGURING INTERFACE SETTINGS FOR MSTP
Use the Spanning Tree > MSTP (Configure Interface - Configure) page to
configure the STA interface settings for an MST instance.
CLI REFERENCES
◆ "Spanning Tree Commands" on page 795
PARAMETERS
These parameters are displayed:
◆
MST ID – Instance identifier to configure. (Default: 0)
◆
Interface – Displays a list of ports or trunks.
◆
STA Status – Displays the current state of this interface within the
Spanning Tree. (See "Displaying Interface Settings for STA" on
page 217 for additional information.)
■
Discarding – Port receives STA configuration messages, but does
not forward packets.
■
Learning – Port has transmitted configuration messages for an
interval set by the Forward Delay parameter without receiving
contradictory information. Port address table is cleared, and the
port begins learning addresses.
■
Forwarding – Port forwards packets, and continues learning
addresses.
◆
Priority – Defines the priority used for this port in the Spanning Tree
Protocol. If the path cost for all ports on a switch are the same, the port
with the highest priority (i.e., lowest value) will be configured as an
active link in the Spanning Tree. This makes a port with higher priority
less likely to be blocked if the Spanning Tree Protocol is detecting
network loops. Where more than one port is assigned the highest
priority, the port with lowest numeric identifier will be enabled.
(Default: 128; Range: 0-240, in steps of 16)
◆
Admin MST Path Cost – This parameter is used by the MSTP to
determine the best path between devices. Therefore, lower values
should be assigned to ports attached to faster media, and higher values
assigned to ports with slower media. (Path cost takes precedence over
port priority.) Note that when the Path Cost Method is set to short
(page 3-63), the maximum path cost is 65,535.
By default, the system automatically detects the speed and duplex
mode used on each port, and configures the path cost according to the
values shown below. Path cost “0” is used to indicate auto-configuration
mode. When the short path cost method is selected and the default
path cost recommended by the IEEE 8021w standard exceeds 65,535,
the default is set to 65,535
– 223 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Interface Settings for MSTP
The recommended range is listed in Table 11 on page 215.
The default path costs are listed in Table 12 on page 215.
WEB INTERFACE
To configure MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Enter the priority and path cost for an interface
5. Click Apply.
Figure 105: Configuring MSTP Interface Settings
– 224 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Interface Settings for MSTP
To display MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Show Information from the Action list.
Figure 106: Displaying MSTP Interface Settings
– 225 –
CHAPTER 8 | Spanning Tree Algorithm
Configuring Interface Settings for MSTP
– 226 –
9
CONGESTION CONTROL
The switch can set the maximum upload or download data transfer rate for
any port. It can control traffic storms by setting a maximum threshold for
broadcast traffic or multicast traffic. It can also set bounding thresholds for
broadcast and multicast storms which can be used to automatically trigger
rate limits or to shut down a port.
Congestion Control includes following options:
◆
Rate Limiting – Sets the input and output rate limits for a port.
◆
Storm Control – Sets the traffic storm threshold for each interface.
◆
Automatic Traffic Control – Sets thresholds for broadcast and multicast
storms which can be used to trigger configured rate limits or to shut
down a port.
RATE LIMITING
Use the Traffic > Congestion Control > Rate Limit page to apply rate
limiting to ingress or egress ports. This function allows the network
manager to control the maximum rate for traffic received or transmitted on
an interface. Rate limiting is configured on interfaces at the edge of a
network to limit traffic into or out of the network. Packets that exceed the
acceptable amount of traffic are dropped.
Rate limiting can be applied to individual ports. When an interface is
configured with this feature, the traffic rate will be monitored by the
hardware to verify conformity. Non-conforming traffic is dropped,
conforming traffic is forwarded without any changes.
CLI REFERENCES
◆ "Rate Limit Commands" on page 771
COMMAND USAGE
◆ The ASIC used to control the ingress rate limit has a default time frame
of 10 ms, 100 ms, and 1 second respectively for 1 Gbps, 100 Mbps,
and 10 Mbps connection rates. Ingress rate limiting is processed 100
times per second (also referred to as 100 scales per second),
regardless of the packet size.
NOTE: Egress rate limiting does not function in this manner.
– 227 –
CHAPTER 9 | Congestion Control
Rate Limiting
For example, a Gigabit port has a 10 ms window size, so there are 100
scales per second, each scale having a bandwidth of 10 Mbps, and
using an inter-packet gap of 20 bytes.
Therefore, when the rate limit is set at 64 kbit/s, each scale has a
shared bandwidth of 80 bytes.
When the packet size = 64 bytes, and the gap = 20 bytes,
each packet = 84 bytes > 80bytes. Only one packet can pass through
in each scale. One second has 100 scales, so the rate is 100 packets
per second.
When the packet size = 640 bytes, and the gap = 20 bytes,
each packet = 660 bytes > 80 bytes. The switch will only let one packet
pass in each scale, so there are still 100 packets per second.
When the packet size = 1500 bytes, and the gap = 20 bytes,
each packet = 1520 bytes > 80 bytes. The switch will only let one
packet pass in each scale, so there are still 100 packets per second.
The following table shows the actual number of packets received when
various ingress rate limits are applied to packets of different sizes. The
values shown below were measured for both ingress rate limiting and
storm control functions.
Table 13: Effective Rate Limit
Packet Size
Rate Limit
Packets Received
64 bytes
64 kbit/s
100
128 kbit/s
200
256 kbit/s
400
512 kbit/s
800
1024 kbit/s
1600
2048 kbit/s
3105
64 kbit/s
100
128 kbit/s
100
256 kbit/s
300
512 kbit/s
500
1024 kbit/s
900
2048 kbit/s
1800
64 kbit/s
100
128 kbit/s
100
256 kbit/s
100
512 kbit/s
200
1024 kbit/s
300
2048 kbit/s
500
128 bytes
512 bytes
– 228 –
CHAPTER 9 | Congestion Control
Storm Control
NOTE: Due to a chip limitation, the switch supports only one limit for both
ingress rate limiting and storm control (including broadcast unknown
unicast, multicast, and broadcast storms).
PARAMETERS
These parameters are displayed:
◆
Port – Displays the port number.
◆
Type – Indicates the port type. (100Base-TX, 1000Base-T,
100Base SFP, or 1000Base SFP)
◆
Status – Enables or disables the rate limit. (Default: Disabled)
◆
Rate – Sets the rate limit level. (Range: 64 - 100,000 kbits per second
for Fast Ethernet, 64 - 1,000,000 kbits per second for Gigabit Ethernet)
WEB INTERFACE
To configure rate limits:
1. Click Traffic, Congestion Control, Rate Limit.
2. Enable the Rate Limit Status for the required ports.
3. Set the rate limit for the individual ports,.
4. Click Apply.
Figure 107: Configuring Rate Limits
STORM CONTROL
Use the Traffic > Congestion Control > Storm Control page to configure
broadcast, multicast, and unknown unicast storm control thresholds. Traffic
storms may occur when a device on your network is malfunctioning, or if
application programs are not well designed or properly configured. If there
is too much traffic on your network, performance can be severely degraded
or everything can come to complete halt.
– 229 –
CHAPTER 9 | Congestion Control
Storm Control
You can protect your network from traffic storms by setting a threshold for
broadcast, multicast or unknown unicast traffic. Any packets exceeding the
specified threshold will then be dropped.
CLI REFERENCES
◆ "switchport packet-rate" on page 737
COMMAND USAGE
◆ Storm Control is disabled by default.
◆
Broadcast control does not effect IP multicast traffic.
◆
When traffic exceeds the threshold specified for broadcast and
multicast or unknown unicast traffic, packets exceeding the threshold
are dropped until the rate falls back down beneath the threshold.
◆
Storm control is a hardware level function. Traffic storms can also be
controlled at the software level using automatic storm control which
triggers various control responses (see "Automatic Traffic Control" on
page 232). However, only one of these control types can be applied to a
port. Enabling hardware-level storm control on a port will disable
automatic storm control on that port.
◆
Rate limits set by the storm control function are also used by automatic
storm control when the control response is set to rate control on the
Auto Traffic Control (Configure Interface) page.
◆
Using both rate limiting and storm control on the same interface may
lead to unexpected results. For example, suppose broadcast storm
control is set to 5000 Kbps, and the rate limit is set to 100000 Kbps on
a Gigabit Ethernet port. Since 200000 Kbps is 1/5 of line speed, the
received rate will actually be 1000 Kbps, or 1/5 of the 5000 Kbps limit
set by the storm control command. It is therefore not advisable to use
both of these commands on the same interface.
◆
The description of effective rate limiting (see Command Usage under
"Rate Limiting" on page 227) also applies to storm control.
NOTE: Due to a chip limitation, the switch supports only one limit for both
ingress rate limiting and storm control (including broadcast unknown
unicast, multicast, and broadcast storms).
PARAMETERS
These parameters are displayed:
◆
Interface – Displays a list of ports or trunks.
◆
Type – Indicates interface type. (100Base-TX, 1000Base-T or SFP)
◆
Unknown Unicast – Specifies storm control for unknown unicast
traffic.
– 230 –
CHAPTER 9 | Congestion Control
Storm Control
◆
Multicast – Specifies storm control for multicast traffic.
◆
Broadcast – Specifies storm control for broadcast traffic.
◆
Status – Enables or disables storm control. (Default: Disabled)
◆
Rate – Threshold level as a rate; i.e., kilobits per second.
(Range: 64-100000 Kbps for Fast Ethernet, 64-1000000 Kbps for
Gigabit Ethernet)
NOTE: Only one rate is supported for all traffic types on an interface.
WEB INTERFACE
To configure broadcast storm control:
1. Click Traffic, Congestion Control, Storm Control.
2. Set the interface type to Port or Trunk.
3. Set the Status field to enable or disable storm control.
4. Set the required threshold beyond which the switch will start dropping
packets.
5. Click Apply.
Figure 108: Configuring Storm Control
– 231 –
CHAPTER 9 | Congestion Control
Automatic Traffic Control
AUTOMATIC TRAFFIC CONTROL
Use the Traffic > Congestion Control > Auto Traffic Control pages to
configure bounding thresholds for broadcast and multicast storms which
can automatically trigger rate limits or shut down a port.
CLI REFERENCES
◆ "Automatic Traffic Control Commands" on page 773
COMMAND USAGE
ATC includes storm control for broadcast or multicast traffic. The control
response for either of these traffic types is the same, as shown in the
following diagrams.
Figure 109: Storm Control by Limiting the Traffic Rate
Traffic
[kpps]
Alarm Fire
Threshold
(1~255kpps)
Storm Alarm
Fire TRAP
Storm Alarm
Fire TRAP
Traffic without storm control
TrafficControl
Apply Trap
Traffic with storm control
StromAlarm
ClearTRAP
StromAlarm
ClearTRAP
Release Timer
expired
(0~300sec)
TrafficControl
Release Trap
AlarmClear
Threshold
(1~255kpps)
Apply Timer
expired
(0~300sec)
Auto Storm Control
Time
The key elements of this diagram are described below:
◆
Alarm Fire Threshold – The highest acceptable traffic rate. When
ingress traffic exceeds the threshold, ATC sends a Storm Alarm Fire
Trap and logs it.
◆
When traffic exceeds the alarm fire threshold and the apply timer
expires, a traffic control response is applied, and a Traffic Control Apply
Trap is sent and logged.
◆
Alarm Clear Threshold – The lower threshold beneath which a control
response can be automatically terminated after the release timer
expires. When ingress traffic falls below this threshold, ATC sends a
Storm Alarm Clear Trap and logs it.
◆
When traffic falls below the alarm clear threshold after the release
timer expires, traffic control (for rate limiting) will be stopped and a
Traffic Control Release Trap sent and logged. Note that if the control
action has shut down a port, it can only be manually re-enabled using
Manual Control Release (see page 235).
– 232 –
CHAPTER 9 | Congestion Control
Automatic Traffic Control
◆
The traffic control response of rate limiting can be released
automatically or manually. The control response of shutting down a
port can only be released manually.
Figure 110: Storm Control by Shutting Down a Port
The key elements of this diagram are the same as that described in the
preceding diagram, except that automatic release of the control response
is not provided. When traffic control is applied, you must manually reenable the port.
Functional Limitations
Automatic storm control is a software level control function. Traffic storms
can also be controlled at the hardware level using Port Broadcast Control or
Port Multicast Control (as described on page 229). However, only one of
these control types can be applied to a port. Enabling automatic storm
control on a port will disable hardware-level storm control on that port.
SETTING THE ATC Use the Traffic > Congestion Control > Auto Traffic Control (Configure
TIMERS Global) page to set the time at which to apply the control response after
ingress traffic has exceeded the upper threshold, and the time at which to
release the control response after ingress traffic has fallen beneath the
lower threshold.
CLI REFERENCES
◆ "auto-traffic-control apply-timer" on page 776
◆ "auto-traffic-control release-timer" on page 776
COMMAND USAGE
◆ After the apply timer expires, the settings in the Traffic > Automatic
Traffic Control (Configure Interface) page are used to determine if a
control action will be triggered (as configured under the Action field) or
a trap message sent (as configured under the Trap Storm Fire field).
◆
The release timer only applies to a Rate Control response set in the
Action field of the ATC (Interface Configuration) page. When a port has
– 233 –
CHAPTER 9 | Congestion Control
Automatic Traffic Control
been shut down by a control response, it must be manually re-enabled
using the Manual Control Release (see page 235).
PARAMETERS
These parameters are displayed:
◆
Broadcast Apply Timer – The interval after the upper threshold has
been exceeded at which to apply the control response to broadcast
storms. (Range: 1-300 seconds; Default: 300 seconds)
◆
Broadcast Release Timer – The time at which to release the control
response after ingress traffic has fallen beneath the lower threshold for
broadcast storms. (Range: 1-900 seconds; Default: 900 seconds)
◆
Multicast Apply Timer – The interval after the upper threshold has
been exceeded at which to apply the control response to multicast
storms. (Range: 1-300 seconds; Default: 300 seconds)
◆
Multicast Release Timer – The time at which to release the control
response after ingress traffic has fallen beneath the lower threshold for
multicast storms. (Range: 1-900 seconds; Default: 900 seconds)
WEB INTERFACE
To configure the response timers for automatic storm control:
1. Click Traffic, Congestion Control, Automatic Storm Control.
2. Select Configure Global from the Step field.
3. Set the apply and release timers for broadcast and multicast storms.
4. Click Apply.
Figure 111: Configuring ATC Timers
– 234 –
CHAPTER 9 | Congestion Control
Automatic Traffic Control
CONFIGURING ATC Use the Traffic > Congestion Control > Auto Traffic Control (Configure
THRESHOLDS AND Interface) page to set the storm control mode (broadcast or multicast), the
RESPONSES traffic thresholds, the control response, to automatically release a response
of rate limiting, or to send related SNMP trap messages.
CLI REFERENCES
◆ "Automatic Traffic Control Commands" on page 773
PARAMETERS
These parameters are displayed:
◆
Storm Control – Specifies automatic storm control for broadcast
traffic or multicast traffic.
Automatic storm control can be enabled for either broadcast or
multicast traffic. It cannot be enabled for both of these traffic types at
the same time.
◆
Port – Port identifier.
◆
State – Enables automatic traffic control for broadcast or multicast
storms. (Default: Disabled)
Automatic storm control is a software level control function. Traffic
storms can also be controlled at the hardware level using the Storm
Control menu. However, only one of these control types can be applied
to a port. Enabling automatic storm control on a port will disable
hardware-level storm control on that port.
◆
◆
Action – When the Alarm Fire Threshold (upper threshold) is exceeded
and the apply timer expires, one of the following control responses will
be triggered.
■
Rate Control – The rate of ingress traffic is limited to the level set
by the Alarm Clear Threshold. Rate limiting is discontinued only
after the traffic rate has fallen beneath the Alarm Clear Threshold
(lower threshold), and the release timer has expired. (This is the
default response.)
■
Shutdown – The port is administratively disabled. A port disabled
by automatic traffic control can only be manually re-enabled using
the Manual Control Release attribute.
Auto Release Control – Automatically stops a traffic control response
of rate limiting when traffic falls below the alarm clear threshold and
the release timer expires as illustrated in Figure 109 on page 232.
When traffic control stops, the event is logged by the system and a
Traffic Release Trap can be sent. (Default: Disabled)
If automatic control release is not enabled and a control response of
rate limiting has been triggered, you can manually stop the rate limiting
response using the Manual Control Release attribute. If the control
response has shut down a port, it can also be re-enabled using Manual
Control Release.
– 235 –
CHAPTER 9 | Congestion Control
Automatic Traffic Control
◆
Alarm Fire Threshold – The upper threshold for ingress traffic beyond
which a storm control response is triggered after the Apply Timer
expires. (Range: 1-255 kilo-packets per second; Default: 128 Kpps)
Once the traffic rate exceeds the upper threshold and the Apply Timer
expires, a trap message will be sent if configured by the Trap Storm
Fire attribute.
◆
Alarm Clear Threshold – The lower threshold for ingress traffic
beneath which a control response for rate limiting will be released after
the Release Timer expires, if so configured by the Auto Release Control
attribute. (Range: 1-255 kilo-packets per second; Default: 128 Kpps)
If rate limiting has been configured as a control response and Auto
Control Release is enabled, rate limiting will be discontinued after the
traffic rate has fallen beneath the lower threshold, and the Release
Timer has expired. Note that if a port has been shut down by a control
response, it will not be re-enabled by automatic traffic control. It can
only be manually re-enabled using Manual Control Release.
Once the traffic rate falls beneath the lower threshold and the Release
Timer expires, a trap message will be sent if configured by the Trap
Storm Clear attribute.
◆
Trap Storm Fire – Sends a trap when traffic exceeds the upper
threshold for automatic storm control. (Default: Disabled)
◆
Trap Storm Clear – Sends a trap when traffic falls beneath the lower
threshold after a storm control response has been triggered.
(Default: Disabled)
◆
Trap Traffic Apply – Sends a trap when traffic exceeds the upper
threshold for automatic storm control and the apply timer expires.
(Default: Disabled)
◆
Trap Traffic Release – Sends a trap when traffic falls beneath the
lower threshold after a storm control response has been triggered and
the release timer expires. (Default: Disabled)
◆
Manual Control Release – Manually releases a control response of
rate-limiting or port shutdown any time after the specified action has
been triggered.
– 236 –
CHAPTER 9 | Congestion Control
Automatic Traffic Control
WEB INTERFACE
To configure the response timers for automatic storm control:
1. Click Traffic, Congestion Control, Automatic Storm Control.
2. Select Configure Interface from the Step field.
3. Enable or disable ATC as required, set the control response, specify
whether or not to automatically release the control response of rate
limiting, set the upper and lower thresholds, and specify which trap
messages to send.
4. Click Apply.
Figure 112: Configuring ATC Interface Attributes
– 237 –
CHAPTER 9 | Congestion Control
Automatic Traffic Control
– 238 –
10
CLASS OF SERVICE
Class of Service (CoS) allows you to specify which data packets have
greater precedence when traffic is buffered in the switch due to congestion.
This switch supports CoS with four priority queues for each port. Data
packets in a port’s high-priority queue will be transmitted before those in
the lower-priority queues. You can set the default priority for each
interface, and configure the mapping of frame priority tags to the switch’s
priority queues.
This chapter describes the following basic topics:
◆
Layer 2 Queue Settings – Configures each queue, including the default
priority, queue mode, queue weight, and mapping of packets to queues
based on CoS tags.
◆
Layer 3/4 Priority Settings – Selects the method by which inbound
packets are processed (DSCP or CoS), and sets the per-hop behavior
and drop precedence for internal processing.
LAYER 2 QUEUE SETTINGS
This section describes how to configure the default priority for untagged
frames, set the queue mode, set the weights assigned to each queue, and
map class of service tags to queues.
SETTING THE DEFAULT Use the Traffic > Priority > Default Priority page to specify the default port
PRIORITY FOR priority for each interface on the switch. All untagged packets entering the
INTERFACES switch are tagged with the specified default port priority, and then sorted
into the appropriate priority queue at the output port.
CLI REFERENCES
◆ "switchport priority default" on page 860
COMMAND USAGE
◆ This switch provides four priority queues for each port. It uses
Weighted Round Robin to prevent head-of-queue blockage, but can be
configured to process each queue in strict order, or use a combination
of strict and weighted queueing.
◆
The default priority applies for an untagged frame received on a port
set to accept all frame types (i.e, receives both untagged and tagged
frames). This priority does not apply to IEEE 802.1Q VLAN tagged
– 239 –
CHAPTER 10 | Class of Service
Layer 2 Queue Settings
frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame,
the IEEE 802.1p User Priority bits will be used.
◆
If the output port is an untagged member of the associated VLAN,
these frames are stripped of all VLAN tags prior to transmission.
PARAMETERS
These parameters are displayed:
◆
Interface – Displays a list of ports or trunks.
◆
CoS – The priority that is assigned to untagged frames received on the
specified interface. (Range: 0-7; Default: 0)
WEB INTERFACE
To configure the queue mode:
1. Click Traffic, Priority, Default Priority.
2. Select the interface type to display (Port or Trunk).
3. Modify the default priority for any interface.
4. Click Apply.
Figure 113: Setting the Default Port Priority
SELECTING THE Use the Traffic > Priority > Queue page to set the queue mode for the
QUEUE MODE egress queues on any interface. The switch can be set to service the
queues based on a strict rule that requires all traffic in a higher priority
queue to be processed before the lower priority queues are serviced, or
Weighted Round-Robin (WRR) queuing which specifies a scheduling weight
for each queue. It can also be configured to use a combination of strict and
weighted queuing.
CLI REFERENCES
◆ "queue mode" on page 858
◆ "show queue mode" on page 861
– 240 –
CHAPTER 10 | Class of Service
Layer 2 Queue Settings
COMMAND USAGE
◆ Strict priority requires all traffic in a higher priority queue to be
processed before lower priority queues are serviced.
◆
WRR queuing specifies a relative weight for each queue. WRR uses a
predefined relative weight for each queue that determines the
percentage of service time the switch services each queue before
moving on to the next queue. This prevents the head-of-line blocking
that can occur with strict priority queuing.
◆
If Strict and WRR mode is selected, a combination of strict and
weighted service is used as specified for each queue. Regardless of the
selected mode, the queues are processed sequentially from high to
lower priority (i.e., queues 3 to 0). The queues assigned to use strict
priority should be specified using the Strict Mode field parameter.
◆
A weight can be assigned to each of the weighted queues (and thereby
to the corresponding traffic priorities). This weight sets the frequency
at which each queue is polled for service, and subsequently affects the
response time for software applications assigned a specific priority
value.
Service time is shared at the egress ports by defining scheduling
weights for WRR, or the queuing mode that uses a combination of strict
and weighted queuing. Service time is allocated to each queue by
calculating a precise number of bytes per second that will be serviced
on each round.
◆
The specified queue mode applies to all interfaces.
PARAMETERS
These parameters are displayed:
◆
Queue Mode
■
Strict – Services the egress queues in sequential order,
transmitting all traffic in the higher priority queues before servicing
lower priority queues. This ensures that the highest priority packets
are always serviced first, ahead of all other traffic.
■
WRR – Weighted Round-Robin shares bandwidth at the egress
ports by using scheduling weights, servicing each queue in a roundrobin fashion.
■
Strict and WRR – Uses strict or weighted service as specified for
each queue. (This is the default setting.)
◆
Queue ID – The ID of the priority queue. (Range: 0-3)
◆
Strict Mode – If “Strict and WRR” mode is selected, then a
combination of strict and weighted service is used as specified for each
queue. Use this parameter to specify the queues assigned to use strict
priority when using the strict-weighted queuing mode. (Default: Strict
and WRR mode, with Queue 3 using strict mode)
– 241 –
CHAPTER 10 | Class of Service
Layer 2 Queue Settings
◆
Weight – Sets a weight for each queue which is used by the WRR
scheduler. (Range: 1-255; Default: Weights 1, 2, 4 and 6 are assigned
to queues 0 - 3 respectively)
WEB INTERFACE
To configure the queue mode:
1. Click Traffic, Priority, Queue.
2. Set the queue mode.
3. If the weighted queue mode is selected, the queue weight can be
modified if required.
4. If the queue mode that uses a combination of strict and weighted
queueing is selected, the queues which are serviced first must be
specified by enabling strict mode parameter in the table.
5. Click Apply.
Figure 114: Setting the Queue Mode (Strict)
Figure 115: Setting the Queue Mode (WRR)
– 242 –
CHAPTER 10 | Class of Service
Layer 2 Queue Settings
Figure 116: Setting the Queue Mode (Strict and WRR)
MAPPING COS VALUES Use the Traffic > Priority > PHB to Queue page to specify the hardware
TO EGRESS QUEUES output queues to use based on the internal per-hop behavior value. (For
more information on exact manner in which the ingress priority tags are
mapped to egress queues for internal processing, see "Mapping CoS
Priorities to Internal DSCP Values" on page 249).
The switch processes Class of Service (CoS) priority tagged traffic by using
four priority queues for each port, with service schedules based on strict
priority, Weighted Round-Robin (WRR), or a combination of strict and
weighted queuing. Up to eight separate traffic priorities are defined in IEEE
802.1p. Default priority levels are assigned according to recommendations
in the IEEE 802.1p standard as shown in Table 14. This table indicates the
default mapping of internal per-hop behavior to the hardware queues. The
actual mapping may differ if the CoS priorities to internal DSCP values have
been modified (page 249).
Table 14: IEEE 802.1p Egress Queue Priority Mapping
Priority
0
1
2
3
4
5
6
7
Queue
1
0
0
1
2
2
3
3
The priority levels recommended in the IEEE 802.1p standard for various
network applications are shown in Table 15. However, priority levels can be
mapped to the switch’s output queues in any way that benefits application
traffic for the network.
Table 15: CoS Priority Levels
Priority Level
Traffic Type
1
Background
2
(Spare)
0 (default)
Best Effort
3
Excellent Effort
4
Controlled Load
5
Video, less than 100 milliseconds latency and jitter
– 243 –
CHAPTER 10 | Class of Service
Layer 2 Queue Settings
Table 15: CoS Priority Levels (Continued)
Priority Level
Traffic Type
6
Voice, less than 10 milliseconds latency and jitter
7
Network Control
CLI REFERENCES
◆ "qos map phb-queue" on page 865
COMMAND USAGE
◆ Egress packets are placed into the hardware queues according to the
mapping defined by this command.
◆
The default internal PHB to output queue mapping is shown below.
Table 16: Mapping Internal Per-hop Behavior to Hardware Queues
Per-hop Behavior
0
1
2
3
4
5
6
7
Hardware Queues
1
0
0
1
2
2
3
3
◆
The specified mapping applies to all interfaces.
PARAMETERS
These parameters are displayed:
◆
PHB – Per-hop behavior, or the priority used for this router hop.
(Range: 0-7, where 7 is the highest priority)
◆
Queue – Output queue buffer. (Range: 0-3, where 3 is the highest CoS
priority queue)
WEB INTERFACE
To map internal PHB to hardware queues:
1. Click Traffic, Priority, PHB to Queue.
2. Select Add from the Action list.
3. Map an internal PHB to a hardware queue. Depending on how an
ingress packet is processed internally based on its CoS value, and the
assigned output queue, the mapping done on this page can effectively
determine the service priority for different traffic classes.
4. Click Apply.
– 244 –
CHAPTER 10 | Class of Service
Layer 3/4 Priority Settings
Figure 117: Mapping CoS Values to Egress Queues
To show the internal PHB to hardware queue map:
1. Click Traffic, Priority, PHB to Queue.
2. Select Show from the Action list.
Figure 118: Showing CoS Values to Egress Queue Mapping
LAYER 3/4 PRIORITY SETTINGS
Mapping Layer 3/4 Priorities to CoS Values
The switch supports several common methods of prioritizing layer 3/4
traffic to meet application requirements. Traffic priorities can be specified in
the IP header of a frame, using the priority bits in the Type of Service (ToS)
octet, or the number of the TCP/UDP port. If priority bits are used, the ToS
octet may contain three bits for IP Precedence or six bits for Differentiated
Services Code Point (DSCP) service. When these services are enabled, the
priorities are mapped to a Class of Service value by the switch, and the
traffic then sent to the corresponding output queue.
Because different priority information may be contained in the traffic, this
switch maps priority values to the output queues in the following manner –
The precedence for priority mapping is DSCP Priority and then Default Port
Priority.
– 245 –
CHAPTER 10 | Class of Service
Layer 3/4 Priority Settings
NOTE: The default settings used for mapping priority values from ingress
traffic to internal DSCP values are used to determine the hardware queues
used for egress traffic, not to replace the priority values. These defaults are
designed to optimize priority services for the majority of network
applications. It should not be necessary to modify any of the default
settings, unless a queuing problem occurs with a particular application.
SETTING PRIORITY The switch allows a choice between using DSCP or CoS priority processing
PROCESSING TO methods. Use the Priority > Trust Mode page to select the required
DSCP OR COS processing method.
CLI REFERENCES
◆ "qos map trust-mode" on page 866
COMMAND USAGE
◆ If the QoS mapping mode is set to DSCP, and the ingress packet type is
IPv4, then priority processing will be based on the DSCP value in the
ingress packet.
◆
If the QoS mapping mode is set to DSCP, and a non-IP packet is
received, the packet’s CoS and CFI (Canonical Format Indicator) values
are used for priority processing if the packet is tagged. For an untagged
packet, the default port priority (see page 239) is used for priority
processing.
◆
If the QoS mapping mode is set to CoS, and the ingress packet type is
IPv4, then priority processing will be based on the CoS and CFI values
in the ingress packet.
For an untagged packet, the default port priority (see page 239) is used
for priority processing.
PARAMETERS
These parameters are displayed:
◆
Interface – Specifies a port or trunk.
◆
Trust Mode
■
■
CoS – Maps layer 3/4 priorities using Class of Service values.
DSCP – Maps layer 3/4 priorities using Differentiated Services Code
Point values. (This is the default setting.)
WEB INTERFACE
To configure the trust mode:
1. Click Traffic, Priority, Trust Mode.
2. Select the interface type to display (Port or Trunk).
– 246 –
CHAPTER 10 | Class of Service
Layer 3/4 Priority Settings
3. Set the trust mode.
4. Click Apply.
Figure 119: Setting the Trust Mode
MAPPING INGRESS
DSCP VALUES TO
INTERNAL DSCP
VALUES
Use the Traffic > Priority > DSCP to DSCP page to map DSCP values in
incoming packets to per-hop behavior and drop precedence values for
internal priority processing.
The DSCP is six bits wide, allowing coding for up to 64 different forwarding
behaviors. The DSCP replaces the ToS bits, but it retains backward
compatibility with the three precedence bits so that non-DSCP compliant,
ToS-enabled devices, will not conflict with the DSCP mapping. Based on
network policies, different kinds of traffic can be marked for different kinds
of forwarding.
CLI REFERENCES
◆ "qos map dscp-mutation" on page 864
COMMAND USAGE
◆ Enter per-hop behavior and drop precedence for any of the DSCP
values 0 - 63.
◆
This map is only used when the priority mapping mode is set to DSCP
(see page 246), and the ingress packet type is IPv4. Any attempt to
configure the DSCP mutation map will not be accepted by the switch,
unless the trust mode has been set to DSCP.
◆
Two QoS domains can have different DSCP definitions, so the DSCP-toPHB/Drop Precedence mutation map can be used to modify one set of
DSCP values to match the definition of another domain. The mutation
map should be applied at the receiving port (ingress mutation) at the
boundary of a QoS administrative domain.
◆
Random Early Detection starts dropping yellow and red packets when
the buffer fills up to 0x60 packets, and then starts dropping any
packets regardless of color when the buffer fills up to 0x80 packets.
◆
The specified mapping applies to all interfaces.
– 247 –
CHAPTER 10 | Class of Service
Layer 3/4 Priority Settings
PARAMETERS
These parameters are displayed:
◆
DSCP – DSCP value in ingress packets. (Range: 0-63)
◆
PHB – Per-hop behavior, or the priority used for this router hop.
(Range: 0-7)
◆
Drop Precedence – Drop precedence used for Random Early Detection
in controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red)
Table 17: Default Mapping of DSCP Values to Internal PHB/Drop Values
ingressdscp1
0
1
2
3
4
5
6
7
8
9
0
0,0
0,1
0,0
0,3
0,0
0,1
0,0
0,3
1,0
1,1
1
1,0
1,3
1,0
1,1
1,0
1,3
2,0
2,1
2,0
2,3
2
2,0
2,1
2,0
2,3
3,0
3,1
3,0
3,3
3.0
3,1
3
3,0
3,3
4,0
4,1
4,0
4,3
4,0
4,1
4.0
4,3
4
5,0
5,1
5,0
5,3
5,0
5,1
6,0
5,3
6,0
6,1
5
6,0
6,3
6,0
6,1
6,0
6,3
7,0
7,1
7.0
7,3
6
7,0
7,1
7,0
7,3
ingressdscp10
The ingress DSCP is composed of ingress-dscp10 (most significant digit in the left column)
and ingress-dscp1 (least significant digit in the top row (in other words, ingress-dscp =
ingress-dscp10 * 10 + ingress-dscp1); and the corresponding internal-dscp is shown at
the intersecting cell in the table.
The ingress DSCP is bitwise ANDed with the binary value 11 to determine the drop
precedence. If the resulting value is 10 binary, then the drop precedence is set to 0.
WEB INTERFACE
To map DSCP values to internal PHB/drop precedence:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Add from the Action list.
3. Set the PHB and drop precedence for any DSCP value.
4. Click Apply.
Figure 120: Configuring DSCP to DSCP Internal Mapping
– 248 –
CHAPTER 10 | Class of Service
Layer 3/4 Priority Settings
To show the DSCP to internal PHB/drop precedence map:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Show from the Action list.
Figure 121: Showing DSCP to DSCP Internal Mapping
MAPPING COS Use the Traffic > Priority > CoS to DSCP page to maps CoS/CFI values in
PRIORITIES TO incoming packets to per-hop behavior and drop precedence values for
INTERNAL DSCP priority processing.
VALUES
CLI REFERENCES
◆ "qos map cos-dscp" on page 862
COMMAND USAGE
◆ The default mapping of CoS to PHB values is shown in Table 18 on
page 250.
◆
Enter up to eight CoS/CFI paired values, per-hop behavior and drop
precedence.
◆
If a packet arrives with a 802.1Q header but it is not an IP packet, then
the CoS/CFI-to-PHB/Drop Precedence mapping table is used to
generate priority and drop precedence values for internal processing.
Note that priority tags in the original packet are not modified by this
command.
◆
The internal DSCP consists of three bits for per-hop behavior (PHB)
which determines the queue to which a packet is sent; and two bits for
drop precedence (namely color) which is used by Random Early
Detection (RED) to control traffic congestion.
◆
RED starts dropping yellow and red packets when the buffer fills up to
16 packets on Fast Ethernet ports and 72 packets on Gigabit Ethernet
ports, and then starts dropping any packets regardless of color when
the buffer fills up to 58 packets on Fast Ethernet ports and 80 packets
on Gigabit Ethernet ports.
◆
The specified mapping applies to all interfaces.
– 249 –
CHAPTER 10 | Class of Service
Layer 3/4 Priority Settings
PARAMETERS
These parameters are displayed:
◆
CoS – CoS value in ingress packets. (Range: 0-7)
◆
CFI – Canonical Format Indicator. Set to this parameter to “0” to
indicate that the MAC address information carried in the frame is in
canonical format. (Range: 0-1)
◆
PHB – Per-hop behavior, or the priority used for this router hop.
(Range: 0-7)
◆
Drop Precedence – Drop precedence used for Random Early Detection
in controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red)
Table 18: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
0
1
0
(0,0)
(0,0)
1
(1,0)
(1,0)
2
(2,0)
(2,0)
3
(3,0)
(3,0)
4
(4,0)
(4,0)
5
(5,0)
(5,0)
6
(6,0)
(6,0)
7
(7,0)
(7,0)
CoS
CFI
WEB INTERFACE
To map CoS/CFI values to internal PHB/drop precedence:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Add from the Action list.
3. Set the PHB and drop precedence for any of the CoS/CFI combinations.
4. Click Apply.
Figure 122: Configuring CoS to DSCP Internal Mapping
– 250 –
CHAPTER 10 | Class of Service
Layer 3/4 Priority Settings
To show the CoS/CFI to internal PHB/drop precedence map:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Show from the Action list.
Figure 123: Showing CoS to DSCP Internal Mapping
– 251 –
CHAPTER 10 | Class of Service
Layer 3/4 Priority Settings
– 252 –
11
QUALITY OF SERVICE
This chapter describes the following tasks required to apply QoS policies:
Class Map – Creates a map which identifies a specific class of traffic.
Policy Map – Sets the boundary parameters used for monitoring inbound
traffic, and the action to take for conforming and non-conforming traffic.
Binding to a Port – Applies a policy map to an ingress port.
OVERVIEW
The commands described in this section are used to configure Quality of
Service (QoS) classification criteria and service policies. Differentiated
Services (DiffServ) provides policy-based management mechanisms used
for prioritizing network resources to meet the requirements of specific
traffic types on a per hop basis. Each packet is classified upon entry into
the network based on access lists, IP Precedence, DSCP values, or VLAN
lists. Using access lists allows you select traffic based on Layer 2, Layer 3,
or Layer 4 information contained in each packet. Based on configured
network policies, different kinds of traffic can be marked for different kinds
of forwarding.
All switches or routers that access the Internet rely on class information to
provide the same forwarding treatment to packets in the same class. Class
information can be assigned by end hosts, or switches or routers along the
path. Priority can then be assigned based on a general policy, or a detailed
examination of the packet. However, note that detailed examination of
packets should take place close to the network edge so that core switches
and routers are not overloaded.
Switches and routers along the path can use class information to prioritize
the resources allocated to different traffic classes. The manner in which an
individual device handles traffic in the DiffServ architecture is called perhop behavior. All devices along a path should be configured in a consistent
manner to construct a consistent end-to-end QoS solution.
NOTE: You can configure up to 16 rules per class map. You can also include
multiple classes in a policy map.
NOTE: You should create a class map before creating a policy map.
Otherwise, you will not be able to select a class map from the policy rule
settings screen (see page 257).
– 253 –
CHAPTER 11 | Quality of Service
Configuring a Class Map
COMMAND USAGE
To create a service policy for a specific category or ingress traffic, follow
these steps:
1. Use the Configure Class (Add) page to designate a class name for a
specific category of traffic.
2. Use the Configure Class (Add Rule) page to edit the rules for each class
which specify a type of traffic based on an access list, a DSCP or IP
Precedence value, or a VLAN.
3. Use the Configure Policy (Add) page to designate a policy name for a
specific manner in which ingress traffic will be handled.
4. Use the Configure Policy (Add Rule) page to add one or more classes to
the policy map. Assign policy rules to each class by “setting” the QoS
value (CoS or PHB) to be assigned to the matching traffic class. The
policy rule can also be configured to monitor the maximum throughput
and burst rate. Then specify the action to take for conforming traffic, or
the action to take for a policy violation.
5. Use the Configure Interface page to assign a policy map to a specific
interface.
CONFIGURING A CLASS MAP
A class map is used for matching packets to a specified class. Use the
Traffic > DiffServ (Configure Class) page to configure a class map.
CLI REFERENCES
◆ "Quality of Service Commands" on page 869
COMMAND USAGE
◆ The class map is used with a policy map (page 257) to create a service
policy (page 267) for a specific interface that defines packet
classification, service tagging, and bandwidth policing. Note that one or
more class maps can be assigned to a policy map.
◆
Up to 32 class maps can be configured.
PARAMETERS
These parameters are displayed:
Add
◆
Class Name – Name of the class map. (Range: 1-32 characters)
◆
Type – Only one match command is permitted per class map, so the
match-any field refers to the criteria specified on the Add page.
– 254 –
CHAPTER 11 | Quality of Service
Configuring a Class Map
◆
Description – A brief description of a class map. (Range: 1-64
characters)
Add Rule
◆
Class Name – Name of the class map.
◆
Type – Only one match command is permitted per class map, so the
match-any field refers to the criteria specified by the lone match
command.
◆
ACL – Name of an access control list. Any type of ACL can be specified,
including standard or extended IP ACLs and MAC ACLs.
◆
IP DSCP – A DSCP value. (Range: 0-63)
◆
IP Precedence – An IP Precedence value. (Range: 0-7)
◆
VLAN ID – A VLAN. (Range:1-4093)
WEB INTERFACE
To configure a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add from the Action list.
4. Enter a class name.
5. Enter a description.
6. Click Add.
Figure 124: Configuring a Class Map
– 255 –
CHAPTER 11 | Quality of Service
Configuring a Class Map
To show the configured class maps:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show from the Action list.
Figure 125: Showing Class Maps
To edit the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a class map.
5. Specify type of traffic for this class based on an access list, a DSCP or
IP Precedence value, or a VLAN. You can specify up to 16 items to
match when assigning ingress traffic to a class map.
6. Click Apply.
Figure 126: Adding Rules to a Class Map
– 256 –
CHAPTER 11 | Quality of Service
Creating QoS Policies
To show the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show Rule from the Action list.
Figure 127: Showing the Rules for a Class Map
CREATING QOS POLICIES
Use the Traffic > DiffServ (Configure Policy) page to create a policy map
that can be attached to multiple interfaces. A policy map is used to group
one or more class map statements (page 254), modify service tagging, and
enforce bandwidth policing. A policy map can then be bound by a service
policy to one or more interfaces (page 267).
Configuring QoS policies requires several steps. A class map must first be
configured which indicates how to match the inbound packets according to
an access list, a DSCP or IP Precedence value, or a member of specific
VLAN. A policy map is then configured which indicates the boundary
parameters used for monitoring inbound traffic, and the action to take for
conforming and non-conforming traffic. A policy map may contain one or
more classes based on previously defined class maps.
The class of service or per-hop behavior (i.e., the priority used for internal
queue processing) can be assigned to matching packets. In addition, the
flow rate of inbound traffic can be monitored and the response to
conforming and non-conforming traffic based by one of three distinct
policing methods as described below.
Police Flow Meter – Defines the committed information rate (maximum
throughput), committed burst size (burst rate), and the action to take for
conforming and non-conforming traffic.
Policing is based on a token bucket, where bucket depth (that is, the
maximum burst before the bucket overflows) is specified by the “burst”
field (BC), and the average rate tokens are removed from the bucket is
specified by the “rate” option (CIR). Action may be taken for traffic
– 257 –
CHAPTER 11 | Quality of Service
Creating QoS Policies
conforming to the maximum throughput, or exceeding the maximum
throughput.
srTCM Police Meter – Defines an enforcer for classified traffic based on a
single rate three color meter scheme defined in RFC 2697. This metering
policy monitors a traffic stream and processes its packets according to the
committed information rate (CIR, or maximum throughput), committed
burst size (BC, or burst rate), and excess burst size (BE). Action may taken
for traffic conforming to the maximum throughput, exceeding the
maximum throughput, or exceeding the excess burst size.
◆
The PHB label is composed of five bits, three bits for per-hop behavior,
and two bits for the color scheme used to control queue congestion. In
addition to the actions defined by this command to transmit, remark
the DSCP service value, or drop a packet, the switch will also mark the
two color bits used to set the drop precedence of a packet for Random
Early Detection. A packet is marked green if it doesn't exceed the
committed information rate and committed burst size, yellow if it does
exceed the committed information rate and committed burst size, but
not the excess burst size, and red otherwise.
◆
The meter operates in one of two modes. In the color-blind mode, the
meter assumes that the packet stream is uncolored. In color-aware
mode the meter assumes that some preceding entity has pre-colored
the incoming packet stream so that each packet is either green, yellow,
or red. The marker (re)colors an IP packet according to the results of
the meter. The color is coded in the DS field [RFC 2474] of the packet.
◆
The behavior of the meter is specified in terms of its mode and two
token buckets, C and E, which both share the common rate CIR. The
maximum size of the token bucket C is BC and the maximum size of the
token bucket E is BE.
The token buckets C and E are initially full, that is, the token count
Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token
counts Tc and Te are updated CIR times per second as follows:
■
If Tc is less than BC, Tc is incremented by one, else
■
if Te is less then BE, Te is incremented by one, else
■
neither Tc nor Te is incremented.
When a packet of size B bytes arrives at time t, the following happens if
srTCM is configured to operate in Color-Blind mode:
■
If Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down
to the minimum value of 0, else
■
if Te(t)-B ≥ 0, the packets is yellow and Te is decremented by B
down to the minimum value of 0,
■
else the packet is red and neither Tc nor Te is decremented.
– 258 –
CHAPTER 11 | Quality of Service
Creating QoS Policies
When a packet of size B bytes arrives at time t, the following happens if
srTCM is configured to operate in Color-Aware mode:
■
■
■
If the packet has been precolored as green and Tc(t)-B ≥ 0, the
packet is green and Tc is decremented by B down to the minimum
value of 0, else
If the packet has been precolored as yellow or green and if
Te(t)-B ≥ 0, the packets is yellow and Te is decremented by B down
to the minimum value of 0, else
the packet is red and neither Tc nor Te is decremented.
The metering policy guarantees a deterministic behavior where the
volume of green packets is never smaller than what has been
determined by the CIR and BC, that is, tokens of a given color are
always spent on packets of that color. Refer to RFC 2697 for more
information on other aspects of srTCM.
trTCM Police Meter – Defines an enforcer for classified traffic based on a
two rate three color meter scheme defined in RFC 2698. This metering
policy monitors a traffic stream and processes its packets according to the
committed information rate (CIR, or maximum throughput), peak
information rate (PIR), and their associated burst sizes – committed burst
size (BC, or burst rate), and peak burst size (BP). Action may taken for
traffic conforming to the maximum throughput, exceeding the maximum
throughput, or exceeding the peak burst size.
◆
The PHB label is composed of five bits, three bits for per-hop behavior,
and two bits for the color scheme used to control queue congestion. In
addition to the actions defined by this command to transmit, remark
the DSCP service value, or drop a packet, the switch will also mark the
two color bits used to set the drop precedence of a packet for Random
Early Detection. A packet is marked red if it exceeds the PIR. Otherwise
it is marked either yellow or green depending on whether it exceeds or
doesn't exceed the CIR.
The trTCM is useful for ingress policing of a service, where a peak rate
needs to be enforced separately from a committed rate.
◆
The meter operates in one of two modes. In the color-blind mode, the
meter assumes that the packet stream is uncolored. In color-aware
mode the meter assumes that some preceding entity has pre-colored
the incoming packet stream so that each packet is either green, yellow,
or red. The marker (re)colors an IP packet according to the results of
the meter. The color is coded in the DS field [RFC 2474] of the packet.
◆
The behavior of the meter is specified in terms of its mode and two
token buckets, P and C, which are based on the rates PIR and CIR,
respectively. The maximum size of the token bucket P is BP and the
maximum size of the token bucket C is BC.
The token buckets P and C are initially (at time 0) full, that is, the token
count Tp(0) = BP and the token count Tc(0) = BC. Thereafter, the token
– 259 –
CHAPTER 11 | Quality of Service
Creating QoS Policies
count Tp is incremented by one PIR times per second up to BP and the
token count Tc is incremented by one CIR times per second up to BC.
When a packet of size B bytes arrives at time t, the following happens if
trTCM is configured to operate in Color-Blind mode:
■
If Tp(t)-B < 0, the packet is red, else
■
if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else
■
the packet is green and both Tp and Tc are decremented by B.
When a packet of size B bytes arrives at time t, the following happens if
trTCM is configured to operate in Color-Aware mode:
◆
■
If the packet has been precolored as red or if Tp(t)-B < 0, the
packet is red, else
■
if the packet has been precolored as yellow or if Tc(t)-B < 0, the
packet is yellow and Tp is decremented by B, else
■
the packet is green and both Tp and Tc are decremented by B.
The trTCM can be used to mark a IP packet stream in a service, where
different, decreasing levels of assurances (either absolute or relative)
are given to packets which are green, yellow, or red. Refer to RFC 2698
for more information on other aspects of trTCM.
Random Early Detection – RED starts dropping yellow and red packets
when the buffer fills up to 0x60 packets, and then starts dropping any
packets regardless of color when the buffer fills up to 0x80 packets.
CLI REFERENCES
◆ "Quality of Service Commands" on page 869
COMMAND USAGE
◆ A policy map can contain 128 class statements that can be applied to
the same interface (page 267). Up to 32 policy maps can be configured
for ingress ports.
◆
After using the policy map to define packet classification, service
tagging, and bandwidth policing, it must be assigned to a specific
interface by a service policy (page 267) to take effect.
PARAMETERS
These parameters are displayed:
Add
◆
Policy Name – Name of policy map. (Range: 1-32 characters)
◆
Description – A brief description of a policy map. (Range: 1-64
characters)
– 260 –
CHAPTER 11 | Quality of Service
Creating QoS Policies
Add Rule
◆
Policy Name – Name of policy map.
◆
Class Name – Name of a class map that defines a traffic classification
upon which a policy can act.
◆
Action – This attribute is used to set an internal QoS value in hardware
for matching packets. The PHB label is composed of five bits, three bits
for per-hop behavior, and two bits for the color scheme used to control
queue congestion with the srTCM and trTCM metering functions.
■
Set CoS – Configures the service provided to ingress traffic by
setting an internal CoS value for a matching packet (as specified in
rule settings for a class map). (Range: 0-7)
See Table 18, "Default Mapping of CoS/CFI to Internal PHB/Drop
Precedence," on page 250).
■
Set PHB – Configures the service provided to ingress traffic by
setting the internal per-hop behavior for a matching packet (as
specified in rule settings for a class map). (Range: 0-7)
See Table 17, "Default Mapping of DSCP Values to Internal PHB/
Drop Values," on page 248).
■
Set IP DSCP – Configures the service provided to ingress traffic by
setting an IP DSCP value for a matching packet (as specified in rule
settings for a class map). (Range: 0-63)
◆
Meter – Check this to define the maximum throughput, burst rate, and
the action that results from a policy violation.
◆
Meter Mode – Selects one of the following policing methods.
■
Flow (Police Flow) – Defines the committed information rate (CIR,
or maximum throughput), committed burst size (BC, or burst rate),
and the action to take for conforming and non-conforming traffic.
Policing is based on a token bucket, where bucket depth (that is,
the maximum burst before the bucket overflows) is specified by the
“burst” field, and the average rate tokens are removed from the
bucket is by specified by the “rate” option.
■
Committed Information Rate (CIR) – Rate in kilobits per
second. (Range: 64-1000000 kbps at a granularity of 64 kbps or
maximum port speed, whichever is lower)
The rate cannot exceed the configured interface speed.
■
Committed Burst Size (BC) – Burst in bytes. (Range: 400016000000 at a granularity of 4k bytes)
The burst size cannot exceed 16 Mbytes.
– 261 –
CHAPTER 11 | Quality of Service
Creating QoS Policies
■
Conform – Specifies that traffic conforming to the maximum
rate (CIR) will be transmitted without any change to the DSCP
service level.
■
■
Violate – Specifies whether the traffic that exceeds the
maximum rate (CIR) will be dropped or the DSCP service level
will be reduced.
■
■
■
Transmit – Transmits in-conformance traffic without any
change to the DSCP service level.
Set IP DSCP – Decreases DSCP priority for out of
conformance traffic. (Range: 0-63)
Drop – Drops out of conformance traffic.
srTCM (Police Meter) – Defines the committed information rate
(CIR, or maximum throughput), committed burst size (BC, or burst
rate) and excess burst size (BE), and the action to take for traffic
conforming to the maximum throughput, exceeding the maximum
throughput but within the excess burst size, or exceeding the
excess burst size. In addition to the actions defined by this
command to transmit, remark the DSCP service value, or drop a
packet, the switch will also mark the two color bits used to set the
drop precedence of a packet for Random Early Detection.
The color modes include “Color-Blind” which assumes that the
packet stream is uncolored, and “Color-Aware” which assumes that
the incoming packets are pre-colored. The functional differences
between these modes is described at the beginning of this section
under “srTCM Police Meter.”
■
Committed Information Rate (CIR) – Rate in kilobits per
second. (Range: 64-1000000 kbps at a granularity of 64 kbps or
maximum port speed, whichever is lower)
The rate cannot exceed the configured interface speed.
■
Committed Burst Size (BC) – Burst in bytes. (Range: 400016000000 at a granularity of 4k bytes)
The burst size cannot exceed 16 Mbytes.
■
Excess Burst Size (BE) – Burst in excess of committed burst
size. (Range: 4000-16000000 at a granularity of 4k bytes)
The burst size cannot exceed 16 Mbytes.
■
Conform – Specifies that traffic conforming to the maximum
rate (CIR) will be transmitted without any change to the DSCP
service level.
■
Transmit – Transmits in-conformance traffic without any
change to the DSCP service level.
– 262 –
CHAPTER 11 | Quality of Service
Creating QoS Policies
■
Exceed – Specifies whether traffic that exceeds the maximum
rate (CIR) but is within the excess burst size (BE) will be
dropped or the DSCP service level will be reduced.
■
■
■
■
Set IP DSCP – Decreases DSCP priority for out of
conformance traffic. (Range: 0-63)
Drop – Drops out of conformance traffic.
Violate – Specifies whether the traffic that exceeds the excess
burst size (BE) will be dropped or the DSCP service level will be
reduced.
■
Set IP DSCP – Decreases DSCP priority for out of
conformance traffic. (Range: 0-63)
■
Drop – Drops out of conformance traffic.
trTCM (Police Meter) – Defines the committed information rate
(CIR, or maximum throughput), peak information rate (PIR), and
their associated burst sizes – committed burst size (BC, or burst
rate) and peak burst size (BP), and the action to take for traffic
conforming to the maximum throughput, exceeding the maximum
throughput but within the peak information rate, or exceeding the
peak information rate. In addition to the actions defined by this
command to transmit, remark the DSCP service value, or drop a
packet, the switch will also mark the two color bits used to set the
drop precedence of a packet for Random Early Detection.
The color modes include “Color-Blind” which assumes that the
packet stream is uncolored, and “Color-Aware” which assumes that
the incoming packets are pre-colored. The functional differences
between these modes is described at the beginning of this section
under “trTCM Police Meter.”
■
Committed Information Rate (CIR) – Rate in kilobits per
second. (Range: 64-1000000 kbps at a granularity of 64 kbps or
maximum port speed, whichever is lower)
The rate cannot exceed the configured interface speed.
■
Committed Burst Size (BC) – Burst in bytes.
(Range: 4000-16000000 at a granularity of 4k bytes)
The burst size cannot exceed 16 Mbytes.
■
Peak Information Rate (PIR) – Rate in kilobits per second.
(Range: 64-1000000 kbps at a granularity of 64 kbps or
maximum port speed, whichever is lower)
The rate cannot exceed the configured interface speed.
■
Peak Burst Size (BP) – Burst size in bytes. (Range: 400016000000 at a granularity of 4k bytes)
The burst size cannot exceed 16 Mbytes.
– 263 –
CHAPTER 11 | Quality of Service
Creating QoS Policies
■
Conform – Specifies that traffic conforming to the maximum
rate (CIR) will be transmitted without any change to the DSCP
service level.
■
■
Exceed – Specifies whether traffic that exceeds the maximum
rate (CIR) but is within the peak information rate (PIR) will be
dropped or the DSCP service level will be reduced.
■
■
■
Transmit – Transmits in-conformance traffic without any
change to the DSCP service level.
Set IP DSCP – Decreases DSCP priority for out of
conformance traffic. (Range: 0-63).
Drop – Drops out of conformance traffic.
Violate – Specifies whether the traffic that exceeds the peak
information rate (PIR) will be dropped or the DSCP service level
will be reduced.
■
Set IP DSCP – Decreases DSCP priority for out of
conformance traffic. (Range: 0-63).
■
Drop – Drops out of conformance traffic.
WEB INTERFACE
To configure a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add from the Action list.
4. Enter a policy name.
5. Enter a description.
6. Click Add.
Figure 128: Configuring a Policy Map
– 264 –
CHAPTER 11 | Quality of Service
Creating QoS Policies
To show the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show from the Action list.
Figure 129: Showing Policy Maps
To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a policy map.
5. Set the CoS or per-hop behavior for matching packets to specify the
quality of service to be assigned to the matching traffic class. Use one
of the metering options to define parameters such as the maximum
throughput and burst rate. Then specify the action to take for
conforming traffic, the action to tack for traffic in excess of the
maximum rate but within the peak information rate, or the action to
take for a policy violation.
6. Click Apply.
– 265 –
CHAPTER 11 | Quality of Service
Creating QoS Policies
Figure 130: Adding Rules to a Policy Map
To show the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show Rule from the Action list.
Figure 131: Showing the Rules for a Policy Map
– 266 –
CHAPTER 11 | Quality of Service
Attaching a Policy Map to a Port
ATTACHING A POLICY MAP TO A PORT
Use the Traffic > DiffServ (Configure Interface) page to bind a policy map
to an ingress port.
CLI REFERENCES
◆ "Quality of Service Commands" on page 869
COMMAND USAGE
◆ First define a class map, define a policy map, and then bind the service
policy to the required interface.
◆
Only one policy map can be bound to an interface.
◆
The switch does not allow a policy map to be bound to an interface for
egress traffic.
PARAMETERS
These parameters are displayed:
◆
Port – Specifies a port.
◆
Ingress – Applies the selected rule to ingress traffic.
WEB INTERFACE
To bind a policy map to a port:
1. Click Traffic, DiffServ.
2. Select Configure Interface from the Step list.
3. Check the box under the Ingress field to enable a policy map for a port.
4. Select a policy map from the scroll-down box.
5. Click Apply.
Figure 132: Attaching a Policy Map to a Port
– 267 –
CHAPTER 11 | Quality of Service
Attaching a Policy Map to a Port
– 268 –
12
VOIP TRAFFIC CONFIGURATION
This chapter covers the following topics:
◆
Global Settings – Enables VOIP globally, sets the Voice VLAN, and the
aging time for attached ports.
◆
Telephony OUI List – Configures the list of phones to be treated as VOIP
devices based on the specified Organization Unit Identifier (OUI).
◆
Port Settings – Configures the way in which a port is added to the Voice
VLAN, the filtering of non-VoIP packets, the method of detecting VoIP
traffic, and the priority assigned to voice traffic.
OVERVIEW
When IP telephony is deployed in an enterprise network, it is
recommended to isolate the Voice over IP (VoIP) network traffic from other
data traffic. Traffic isolation can provide higher voice quality by preventing
excessive packet delays, packet loss, and jitter. This is best achieved by
assigning all VoIP traffic to a single Voice VLAN.
The use of a Voice VLAN has several advantages. It provides security by
isolating the VoIP traffic from other data traffic. End-to-end QoS policies
and high priority can be applied to VoIP VLAN traffic across the network,
guaranteeing the bandwidth it needs. VLAN isolation also protects against
disruptive broadcast and multicast traffic that can seriously affect voice
quality.
The switch allows you to specify a Voice VLAN for the network and set a
CoS priority for the VoIP traffic. The VoIP traffic can be detected on switch
ports by using the source MAC address of packets, or by using LLDP (IEEE
802.1AB) to discover connected VoIP devices. When VoIP traffic is detected
on a configured port, the switch automatically assigns the port as a tagged
member the Voice VLAN. Alternatively, switch ports can be manually
configured.
– 269 –
CHAPTER 12 | VoIP Traffic Configuration
Configuring VoIP Traffic
CONFIGURING VOIP TRAFFIC
Use the Traffic > VoIP (Configure Global) page to configure the switch for
VoIP traffic. First enable automatic detection of VoIP devices attached to
the switch ports, then set the Voice VLAN ID for the network. The Voice
VLAN aging time can also be set to remove a port from the Voice VLAN
when VoIP traffic is no longer received on the port.
CLI REFERENCES
◆ "Configuring Voice VLANs" on page 849
COMMAND USAGE
All ports are set to VLAN access mode by default. Prior to enabling VoIP for
a port (by setting the VoIP mode to Auto or Manual as described below),
first ensure that VLAN membership is not set to access mode (see "Adding
Static Members to VLANs" on page 171).
PARAMETERS
These parameters are displayed:
◆
Auto Detection Status – Enables the automatic detection of VoIP
traffic on switch ports. (Default: Disabled)
◆
Voice VLAN – Sets the Voice VLAN ID for the network. Only one Voice
VLAN is supported and it must already be created on the switch.
(Range: 1-4093)
◆
Voice VLAN Aging Time – The time after which a port is removed
from the Voice VLAN when VoIP traffic is no longer received on the port.
(Range: 5-43200 minutes; Default: 1440 minutes)
NOTE: The Voice VLAN ID cannot be modified when the global Auto
Detection Status is enabled.
WEB INTERFACE
To configure global settings for a Voice VLAN:
1. Click Traffic, VoIP.
2. Select Configure Global from the Step list.
3. Enable Auto Detection.
4. Specify the Voice VLAN ID.
5. Adjust the Voice VLAN Aging Time if required.
6. Click Apply.
– 270 –
CHAPTER 12 | VoIP Traffic Configuration
Configuring Telephony OUI
Figure 133: Configuring a Voice VLAN
CONFIGURING TELEPHONY OUI
VoIP devices attached to the switch can be identified by the vendor’s
Organizational Unique Identifier (OUI) in the source MAC address of
received packets. OUI numbers are assigned to vendors and form the first
three octets of device MAC addresses. The MAC OUI numbers for VoIP
equipment can be configured on the switch so that traffic from these
devices is recognized as VoIP. Use the Traffic > VoIP (Configure OUI) page
to configure this feature.
CLI REFERENCES
◆ "Configuring Voice VLANs" on page 849
PARAMETERS
These parameters are displayed:
◆
Telephony OUI – Specifies a MAC address range to add to the list.
Enter the MAC address in format 01-23-45-67-89-AB.
◆
Mask – Identifies a range of MAC addresses. Setting a mask of FF-FFFF-00-00-00 identifies all devices with the same OUI (the first three
octets). Other masks restrict the MAC address range. Setting FF-FF-FFFF-FF-FF specifies a single MAC address. (Default: FF-FF-FF-00-00-00)
◆
Description – User-defined text that identifies the VoIP devices.
WEB INTERFACE
To configure MAC OUI numbers for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Add from the Action list.
4. Enter a MAC address that specifies the OUI for VoIP devices in the
network.
5. Select a mask from the pull-down list to define a MAC address range.
– 271 –
CHAPTER 12 | VoIP Traffic Configuration
Configuring VoIP Traffic Ports
6. Enter a description for the devices.
7. Click Apply.
Figure 134: Configuring an OUI Telephony List
To show the MAC OUI numbers used for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Show from the Action list.
Figure 135: Showing an OUI Telephony List
CONFIGURING VOIP TRAFFIC PORTS
Use the Traffic > VoIP (Configure Interface) page to configure ports for
VoIP traffic, you need to set the mode (Auto or Manual), specify the
discovery method to use, and set the traffic priority. You can also enable
security filtering to ensure that only VoIP traffic is forwarded on the Voice
VLAN.
CLI REFERENCES
◆ "Configuring Voice VLANs" on page 849
COMMAND USAGE
All ports are set to VLAN access mode by default. Prior to enabling VoIP for
a port (by setting the VoIP mode to Auto or Manual as described below),
– 272 –
CHAPTER 12 | VoIP Traffic Configuration
Configuring VoIP Traffic Ports
first ensure that VLAN membership is not set to access mode (see "Adding
Static Members to VLANs" on page 171).
PARAMETERS
These parameters are displayed:
◆
Mode – Specifies if the port will be added to the Voice VLAN when VoIP
traffic is detected. (Default: None)
■
None – The Voice VLAN feature is disabled on the port. The port will
not detect VoIP traffic or be added to the Voice VLAN.
■
Auto – The port will be added as a tagged member to the Voice
VLAN when VoIP traffic is detected on the port. You must select a
method for detecting VoIP traffic, either OUI or 802.1ab (LLDP).
When OUI is selected, be sure to configure the MAC address ranges
in the Telephony OUI list.
■
Manual – The Voice VLAN feature is enabled on the port, but the
port must be manually added to the Voice VLAN.
◆
Security – Enables security filtering that discards any non-VoIP
packets received on the port that are tagged with the voice VLAN ID.
VoIP traffic is identified by source MAC addresses configured in the
Telephony OUI list, or through LLDP that discovers VoIP devices
attached to the switch. Packets received from non-VoIP sources are
dropped. (Default: Disabled)
◆
Discovery Protocol – Selects a method to use for detecting VoIP
traffic on the port. (Default: OUI)
■
OUI – Traffic from VoIP devices is detected by the Organizationally
Unique Identifier (OUI) of the source MAC address. OUI numbers
are assigned to vendors and form the first three octets of a device
MAC address. MAC address OUI numbers must be configured in the
Telephony OUI list so that the switch recognizes the traffic as being
from a VoIP device.
■
LLDP – Uses LLDP (IEEE 802.1AB) to discover VoIP devices
attached to the port. LLDP checks that the “telephone bit” in the
system capability TLV is turned on. See "Link Layer Discovery
Protocol" on page 376 for more information on LLDP.
◆
Priority – Defines a CoS priority for port traffic on the Voice VLAN. The
priority of any received VoIP packet is overwritten with the new priority
when the Voice VLAN feature is active for the port. (Range: 0-6;
Default: 6)
◆
Remaining Age – Number of minutes before this entry is aged out.
The Remaining Age starts to count down when the OUI’s MAC address
expires from the MAC address table. Therefore, the MAC address aging
time should be added to the overall aging time. For example, if you
configure the MAC address table aging time to 30 seconds, and the
voice VLAN aging time to 5 minutes, then after 5.5 minutes, a port will
– 273 –
CHAPTER 12 | VoIP Traffic Configuration
Configuring VoIP Traffic Ports
be removed from voice VLAN when VoIP traffic is no longer received on
the port. Alternatively, if you clear the MAC address table manually,
then the switch will also start counting down the Remaining Age.
WEB INTERFACE
To configure VoIP traffic settings for a port:
1. Click Traffic, VoIP.
2. Select Configure Interface from the Step list.
3. Configure any required changes to the VoIP settings each port.
4. Click Apply.
Figure 136: Configuring Port Settings for a Voice VLAN
– 274 –
13
SECURITY MEASURES
You can configure this switch to authenticate users logging into the system
for management access using local or remote authentication methods.
Port-based authentication using IEEE 802.1X can also be configured to
control either management access to the uplink ports or client access to
the data ports. This switch provides secure network management access
using the following options:
◆
AAA – Use local or remote authentication to configure access rights,
specify authentication servers, configure remote authentication and
accounting.
◆
User Accounts – Manually configure access rights on the switch for
specified users.
◆
Web Authentication – Allows stations to authenticate and access the
network in situations where 802.1X or Network Access authentication
methods are infeasible or impractical.
◆
Network Access - Configure MAC authentication, intrusion response,
dynamic VLAN assignment, and dynamic QoS assignment.
◆
HTTPS – Provide a secure web connection.
◆
SSH – Provide a secure shell (for secure Telnet access).
◆
ACL – Access Control Lists provide packet filtering for IP frames (based
on address, protocol, Layer 4 protocol port number or TCP control
code).
◆
ARP Inspection – Security feature that validates the MAC Address
bindings for Address Resolution Protocol packets. Provides protection
against ARP traffic with invalid MAC to IP Address bindings, which forms
the basis for certain “man-in-the-middle” attacks.
◆
IP Filter – Filters management access to the web, SNMP or Telnet
interface.
◆
Port Security – Configure secure addresses for individual ports.
◆
Port Authentication – Use IEEE 802.1X port authentication to control
access to specific ports.
◆
IP Source Guard – Filters untrusted DHCP messages on insecure ports
by building and maintaining a DHCP snooping binding table.
– 275 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
◆
DHCP Snooping – Filter IP traffic on insecure ports for which the source
address cannot be identified via DHCP snooping.
◆
DoS Protection – Protects against Denial-of-Service attacks.
NOTE: The priority of execution for the filtering commands is Port Security,
Port Authentication, Network Access, Web Authentication, Access Control
Lists, IP Source Guard, and then DHCP Snooping.
AAA AUTHORIZATION AND ACCOUNTING
The authentication, authorization, and accounting (AAA) feature provides
the main framework for configuring access control on the switch. The three
security functions can be summarized as follows:
◆
Authentication — Identifies users that request access to the network.
◆
Authorization — Determines if users can access specific services.
◆
Accounting — Provides reports, auditing, and billing for services that
users have accessed on the network.
The AAA functions require the use of configured RADIUS or TACACS+
servers in the network. The security servers can be defined as sequential
groups that are applied as a method for controlling user access to specified
services. For example, when the switch attempts to authenticate a user, a
request is sent to the first server in the defined group, if there is no
response the second server will be tried, and so on. If at any point a pass
or fail is returned, the process stops.
The switch supports the following AAA features:
◆
Accounting for IEEE 802.1X authenticated users that access the
network through the switch.
◆
Accounting for users that access management interfaces on the switch
through the console and Telnet.
◆
Accounting for commands that users enter at specific CLI privilege
levels.
◆
Authorization of users that access management interfaces on the
switch through the console and Telnet.
To configure AAA on the switch, you need to follow this general process:
1. Configure RADIUS and TACACS+ server access parameters. See
"Configuring Local/Remote Logon Authentication" on page 277.
– 276 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
2. Define RADIUS and TACACS+ server groups to support the accounting
and authorization of services.
3. Define a method name for each service to which you want to apply
accounting or authorization and specify the RADIUS or TACACS+ server
groups to use.
4. Apply the method names to port or line interfaces.
NOTE: This guide assumes that RADIUS and TACACS+ servers have already
been configured to support AAA. The configuration of RADIUS and
TACACS+ server software is beyond the scope of this guide, refer to the
documentation provided with the RADIUS or TACACS+ server software.
CONFIGURING LOCAL/ Use the Security > AAA > System Authentication page to specify local or
REMOTE LOGON remote authentication. Local authentication restricts management access
AUTHENTICATION based on user names and passwords manually configured on the switch.
Remote authentication uses a remote access authentication server based
on RADIUS or TACACS+ protocols to verify management access.
CLI REFERENCES
◆ "Authentication Sequence" on page 612
COMMAND USAGE
◆ By default, management access is always checked against the
authentication database stored on the local switch. If a remote
authentication server is used, you must specify the authentication
sequence. Then specify the corresponding parameters for the remote
authentication protocol using the Security > AAA > Server page. Local
and remote logon authentication control management access via the
console port, web browser, or Telnet.
◆
You can specify up to three authentication methods for any user to
indicate the authentication sequence. For example, if you select
(1) RADIUS, (2) TACACS and (3) Local, the user name and password
on the RADIUS server is verified first. If the RADIUS server is not
available, then authentication is attempted using the TACACS+ server,
and finally the local user name and password is checked.
PARAMETERS
These parameters are displayed:
◆
Authentication Sequence – Select the authentication, or
authentication sequence required:
■
■
Local – User authentication is performed only locally by the switch.
RADIUS – User authentication is performed using a RADIUS server
only.
– 277 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
■
■
TACACS – User authentication is performed using a TACACS+
server only.
[authentication sequence] – User authentication is performed by up
to three authentication methods in the indicated sequence.
WEB INTERFACE
To configure the method(s) of controlling management access:
1. Click Security, AAA, System Authentication.
2. Specify the authentication sequence (i.e., one to three methods).
3. Click Apply.
Figure 137: Configuring the Authentication Sequence
CONFIGURING REMOTE
LOGON
AUTHENTICATION
SERVERS
Use the Security > AAA > Server page to configure the message exchange
parameters for RADIUS or TACACS+ remote access authentication servers.
Remote Authentication Dial-in User Service (RADIUS) and Terminal Access
Controller Access Control System Plus (TACACS+) are logon authentication
protocols that use software running on a central server to control access to
RADIUS-aware or TACACS-aware devices on the network. An
authentication server contains a database of multiple user name/password
pairs with associated privilege levels for each user that requires
management access to the switch.
Figure 138: Authentication Server Operation
Web
Telnet
RADIUS/
TACACS+
server
console
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort
delivery, while TCP offers a more reliable connection-oriented transport.
Also, note that RADIUS encrypts only the password in the access-request
– 278 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
packet from the client to the server, while TACACS+ encrypts the entire
body of the packet.
CLI REFERENCES
◆ "RADIUS Client" on page 614
◆ "TACACS+ Client" on page 618
◆ "AAA" on page 621
COMMAND USAGE
◆ If a remote authentication server is used, you must specify the
message exchange parameters for the remote authentication protocol.
Both local and remote logon authentication control management access
via the console port, web browser, or Telnet.
◆
RADIUS and TACACS+ logon authentication assign a specific privilege
level for each user name/password pair. The user name, password, and
privilege level must be configured on the authentication server. The
encryption methods used for the authentication process must also be
configured or negotiated between the authentication server and logon
client. This switch can pass authentication messages between the
server and client that have been encrypted using MD5 (Message-Digest
5), TLS (Transport Layer Security), or TTLS (Tunneled Transport Layer
Security).
PARAMETERS
These parameters are displayed:
Configure Server
◆
RADIUS
■
Global – Provides globally applicable RADIUS settings.
■
Server Index – Specifies one of five RADIUS servers that may be
configured. The switch attempts authentication using the listed
sequence of servers. The process ends when a server either
approves or denies access to a user.
■
Server IP Address – Address of authentication server.
(A Server Index entry must be selected to display this item.)
■
Accounting Server UDP Port – Network (UDP) port on
authentication server used for accounting messages.
(Range: 1-65535; Default: 1813)
■
Authentication Server UDP Port – Network (UDP) port on
authentication server used for authentication messages.
(Range: 1-65535; Default: 1812)
■
Authentication Timeout – The number of seconds the switch
waits for a reply from the RADIUS server before it resends the
request. (Range: 1-65535; Default: 5)
– 279 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
■
■
■
■
◆
Authentication Retries – Number of times the switch tries to
authenticate logon access via the authentication server.
(Range: 1-30; Default: 2)
Set Key – Mark this box to set or modify the encryption key.
Authentication Key – Encryption key used to authenticate logon
access for client. Do not use blank spaces in the string. (Maximum
length: 48 characters)
Confirm Authentication Key – Re-type the string entered in the
previous field to ensure no errors were made. The switch will not
change the encryption key if these two fields do not match.
TACACS+
■
Global – Provides globally applicable TACACS+ settings.
■
Server Index – Specifies the index number of the server to be
configured. The switch currently supports only one TACACS+ server.
■
Server IP Address – Address of the TACACS+ server.
(A Server Index entry must be selected to display this item.)
■
Authentication Timeout – The number of seconds the switch
waits for a reply from the TACACS+ server before it resends the
request. (Range: 1-65535; Default: 5)
■
Authentication Server TCP Port – Network (TCP) port of
TACACS+ server used for authentication messages.
(Range: 1-65535; Default: 49)
■
Set Key – Mark this box to set or modify the encryption key.
■
Authentication Key – Encryption key used to authenticate logon
access for client. Do not use blank spaces in the string. (Maximum
length: 48 characters)
■
Confirm Authentication Key – Re-type the string entered in the
previous field to ensure no errors were made. The switch will not
change the encryption key if these two fields do not match.
Configure Group
◆
Server Type – Select RADIUS or TACACS+ server.
◆
Group Name - Defines a name for the RADIUS or TACACS+ server
group. (Range: 1-255 characters)
◆
Sequence at Priority - Specifies the server and sequence to use for
the group. (Range: 1-5 for RADIUS; 1 for TACACS)
– 280 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
When specifying the priority sequence for a sever, the server index
must already be defined (see "Configuring Local/Remote Logon
Authentication" on page 277).
WEB INTERFACE
To configure the parameters for RADIUS or TACACS+ authentication:
1. Click Security, AAA, Server.
2. Select Configure Server from the Step list.
3. Select RADIUS or TACACS+ server type.
4. Select Global to specify the parameters that apply globally to all
specified servers, or select a specific Server Index to specify the
parameters that apply to a specific server.
5. To set or modify the authentication key, mark the Set Key box, enter
the key, and then confirm it
6. Click Apply.
Figure 139: Configuring Remote Authentication Server (RADIUS)
– 281 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
Figure 140: Configuring Remote Authentication Server (TACACS+)
To configure the RADIUS or TACACS+ server groups to use for accounting
and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Select RADIUS or TACACS+ server type.
5. Enter the group name, followed by the index of the server to use for
each priority level.
6. Click Apply.
Figure 141: Configuring AAA Server Groups
– 282 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
To show the RADIUS or TACACS+ server groups used for accounting and
authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Show from the Action list.
Figure 142: Showing AAA Server Groups
CONFIGURING AAA Use the Security > AAA > Accounting page to enable accounting of
ACCOUNTING requested services for billing or security purposes, and also to display the
configured accounting methods, the methods applied to specific interfaces,
and basic accounting information recorded for user sessions.
CLI REFERENCES
◆ "AAA" on page 621
COMMAND USAGE
AAA authentication through a RADIUS or TACACS+ server must be enabled
before accounting is enabled.
PARAMETERS
These parameters are displayed:
Configure Global
◆
Periodic Update - Specifies the interval at which the local accounting
service updates information for all users on the system to the
accounting server. (Range: 0-2147483647 minutes; where 0 means
disabled)
Configure Method
◆
Accounting Type – Specifies the service as:
■
802.1X – Accounting for end users.
– 283 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
■
◆
Exec – Administrative accounting for local console, Telnet, or SSH
connections.
Method Name – Specifies an accounting method for service requests.
The “default” methods are used for a requested service if no other
methods have been defined. (Range: 1-255 characters)
Note that the method name is only used to describe the accounting
method configured on the specified RADIUS or TACACS+ servers. No
information is sent to the servers about the method to use.
◆
Accounting Notice – Records user activity from log-in to log-off point.
◆
Server Group Name - Specifies the accounting server group.
(Range: 1-255 characters)
The group names “radius” and “tacacs+” specifies all configured
RADIUS and TACACS+ hosts (see "Configuring Local/Remote Logon
Authentication" on page 277). Any other group name refers to a server
group configured on the Security > AAA > Server (Configure Group)
page.
Configure Service
◆
Accounting Type – Specifies the service as 802.1X, Command or Exec
as described in the preceding section.
◆
802.1X
■
◆
Method Name – Specifies a user defined accounting method to
apply to an interface. This method must be defined in the Configure
Method page. (Range: 1-255 characters)
Exec
■
Console Method Name – Specifies a user defined method name to
apply to console connections.
■
Telnet Method Name – Specifies a user defined method name to
apply to Telnet connections.
Show Information – Summary
◆
Accounting Type - Displays the accounting service.
◆
Method Name - Displays the user-defined or default accounting
method.
◆
Server Group Name - Displays the accounting server group.
◆
Interface - Displays the port, console or Telnet interface to which
these rules apply. (This field is null if the accounting method and
associated server group has not been assigned to an interface.)
– 284 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
Show Information – Statistics
◆
User Name - Displays a registered user name.
◆
Accounting Type - Displays the accounting service.
◆
Interface - Displays the receive port number through which this user
accessed the switch.
◆
Time Elapsed - Displays the length of time this entry has been active.
WEB INTERFACE
To configure global settings for AAA accounting:
1. Click Security, AAA, Accounting.
2. Select Configure Global from the Step list.
3. Enter the required update interval.
4. Click Apply.
Figure 143: Configuring Global Settings for AAA Accounting
– 285 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
To configure the accounting method applied to various service types and
the assigned server group:
1. Click Security, AAA, Accounting.
2. Select Configure Method from the Step list.
3. Select Add from the Action list.
4. Select the accounting type (802.1X, Exec).
5. Specify the name of the accounting method and server group name.
6. Click Apply.
Figure 144: Configuring AAA Accounting Methods
To show the accounting method applied to various service types and the
assigned server group:
1. Click Security, AAA, Accounting.
2. Select Configure Method from the Step list.
3. Select Show from the Action list.
Figure 145: Showing AAA Accounting Methods
– 286 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
To configure the accounting method applied to specific interfaces, console
commands entered at specific privilege levels, and local console, Telnet, or
SSH connections:
1. Click Security, AAA, Accounting.
2. Select Configure Service from the Step list.
3. Select the accounting type (802.1X, Exec).
4. Enter the required accounting method.
5. Click Apply.
Figure 146: Configuring AAA Accounting Service for 802.1X Service
Figure 147: Configuring AAA Accounting Service for Exec Service
– 287 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
To display a summary of the configured accounting methods and assigned
server groups for specified service types:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Summary.
Figure 148: Displaying a Summary of Applied AAA Accounting Methods
To display basic accounting information and statistics recorded for user
sessions:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Statistics.
Figure 149: Displaying Statistics for AAA Accounting Sessions
– 288 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
CONFIGURING AAA Use the Security > AAA > Authorization page to enable authorization of
AUTHORIZATION requested services, and also to display the configured authorization
methods, and the methods applied to specific interfaces.
CLI REFERENCES
◆ "AAA" on page 621
COMMAND USAGE
◆ This feature performs authorization to determine if a user is allowed to
run an Exec shell.
◆
AAA authentication through a RADIUS or TACACS+ server must be
enabled before authorization is enabled.
PARAMETERS
These parameters are displayed:
Configure Method
◆
Authorization Type – Specifies the service as Exec, indicating
administrative authorization for local console, Telnet, or SSH
connections.
◆
Method Name – Specifies an authorization method for service
requests. The “default” method is used for a requested service if no
other methods have been defined. (Range: 1-255 characters)
◆
Server Group Name - Specifies the authorization server group.
(Range: 1-255 characters)
The group name “tacacs+” specifies all configured TACACS+ hosts (see
"Configuring Local/Remote Logon Authentication" on page 277). Any
other group name refers to a server group configured on the TACACS+
Group Settings page. Authorization is only supported for TACACS+
servers.
Configure Service
◆
Console Method Name – Specifies a user defined method name to
apply to console connections.
◆
Telnet Method Name – Specifies a user defined method name to
apply to Telnet connections.
Show Information
◆
Authorization Type - Displays the authorization service.
◆
Method Name - Displays the user-defined or default accounting
method.
◆
Server Group Name - Displays the authorization server group.
– 289 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
◆
Interface - Displays the console or Telnet interface to which these
rules apply. (This field is null if the authorization method and associated
server group has not been assigned to an interface.)
WEB INTERFACE
To configure the authorization method applied to the Exec service type and
the assigned server group:
1. Click Security, AAA, Authorization.
2. Select Configure Method from the Step list.
3. Specify the name of the authorization method and server group name.
4. Click Apply.
Figure 150: Configuring AAA Authorization Methods
To show the authorization method applied to the EXEC service type and the
assigned server group:
1. Click Security, AAA, Authorization.
2. Select Configure Method from the Step list.
3. Select Show from the Action list.
Figure 151: Showing AAA Authorization Methods
– 290 –
CHAPTER 13 | Security Measures
AAA Authorization and Accounting
To configure the authorization method applied to local console, Telnet, or
SSH connections:
1. Click Security, AAA, Authorization.
2. Select Configure Service from the Step list.
3. Enter the required authorization method.
4. Click Apply.
Figure 152: Configuring AAA Authorization Methods for Exec Service
To display a the configured authorization method and assigned server
groups for The Exec service type:
1. Click Security, AAA, Authorization.
2. Select Show Information from the Step list.
Figure 153: Displaying the Applied AAA Authorization Method
– 291 –
CHAPTER 13 | Security Measures
Configuring User Accounts
CONFIGURING USER ACCOUNTS
Use the Security > User Accounts page to control management access to
the switch based on manually configured user names and passwords.
CLI REFERENCES
◆ "User Accounts" on page 609
COMMAND USAGE
◆ The default guest name is “guest” with the password “guest.” The
default administrator name is “admin” with the password “admin.”
◆
The guest only has read access for most configuration parameters.
However, the administrator has write access for all parameters
governing the onboard agent. You should therefore assign a new
administrator password as soon as possible, and store it in a safe place.
PARAMETERS
These parameters are displayed:
◆
User Name – The name of the user.
(Maximum length: 8 characters; maximum number of users: 16)
◆
Access Level – Specifies the user level. (Options: 0 - Normal,
15 - Privileged)
Normal privilege level provides access to a limited number of the
commands which display the current status of the switch, as well as
several database clear and reset functions. Privileged level provides full
access to all commands.
◆
Password Type – Plain Text or Encrypted password.
The encrypted password is required for compatibility with legacy
password settings (i.e., plain text or encrypted) when reading the
configuration file during system bootup or when downloading the
configuration file from a TFTP or FTP server. There is no need for you to
manually configure encrypted passwords.
◆
Password – Specifies the user password. (Range: 0-32 characters,
case sensitive)
◆
Confirm Password – Re-type the string entered in the previous field
to ensure no errors were made. The switch will not change the
password if these two fields do not match.
– 292 –
CHAPTER 13 | Security Measures
Configuring User Accounts
WEB INTERFACE
To configure user accounts:
1. Click Security, User Accounts.
2. Select Add from the Action list.
3. Specify a user name, select the user's access level, then enter a
password if required and confirm it.
4. Click Apply.
Figure 154: Configuring User Accounts
To show user accounts:
1. Click Security, User Accounts.
2. Select Show from the Action list.
Figure 155: Showing User Accounts
– 293 –
CHAPTER 13 | Security Measures
Web Authentication
WEB AUTHENTICATION
Web authentication allows stations to authenticate and access the network
in situations where 802.1X or Network Access authentication are infeasible
or impractical. The web authentication feature allows unauthenticated
hosts to request and receive a DHCP assigned IP address and perform DNS
queries. All other traffic, except for HTTP protocol traffic, is blocked. The
switch intercepts HTTP protocol traffic and redirects it to a switchgenerated web page that facilitates user name and password
authentication via RADIUS. Once authentication is successful, the web
browser is forwarded on to the originally requested web page. Successful
authentication is valid for all hosts connected to the port.
NOTE: RADIUS authentication must be activated and configured properly
for the web authentication feature to work properly. (See "Configuring
Local/Remote Logon Authentication" on page 277.)
NOTE: Web authentication cannot be configured on trunk ports.
CONFIGURING GLOBAL Use the Security > Web Authentication (Configure Global) page to edit the
SETTINGS FOR WEB global parameters for web authentication.
AUTHENTICATION
CLI REFERENCES
◆ "Web Authentication" on page 679
PARAMETERS
These parameters are displayed:
◆
Web Authentication Status – Enables web authentication for the
switch. (Default: Disabled)
Note that this feature must also be enabled for any port where required
under the Configure Interface menu.
◆
Session Timeout – Configures how long an authenticated session
stays active before it must re-authenticate itself. (Range: 300-3600
seconds, or 0 for disabled; Default: 3600 seconds)
◆
Quiet Period – Configures how long a host must wait to attempt
authentication again after it has exceeded the maximum allowable
failed login attempts. (Range: 1-180 seconds; Default: 60 seconds)
◆
Login Attempts – Configures the amount of times a supplicant may
attempt and fail authentication before it must wait the configured quiet
period. (Range: 1-3 attempts; Default: 3 attempts)
– 294 –
CHAPTER 13 | Security Measures
Web Authentication
WEB INTERFACE
To configure global parameters for web authentication:
1. Click Security, Web Authentication.
2. Select Configure Global from the Step list.
3. Enable web authentication globally on the switch, and adjust any of the
protocol parameters as required.
4. Click Apply.
Figure 156: Configuring Global Settings for Web Authentication
CONFIGURING Use the Security > Web Authentication (Configure Interface) page to
INTERFACE SETTINGS enable web authentication on a port, and display information for any
FOR WEB connected hosts.
AUTHENTICATION
CLI REFERENCES
◆ "Web Authentication" on page 679
PARAMETERS
These parameters are displayed:
◆
Port – Indicates the port being configured.
◆
Status – Configures the web authentication status for the port.
◆
Host IP Address – Indicates the IP address of each connected host.
◆
Remaining Session Time – Indicates the remaining time until the
current authorization session for the host expires.
◆
Apply – Enables web authentication if the Status box is checked.
◆
Re-authenticate – Ends all authenticated web sessions for selected
host IP addresses in the Authenticated Host List, and forces the users
to re-authenticate.
◆
Revert – Restores the previous configuration settings.
– 295 –
CHAPTER 13 | Security Measures
Network Access (MAC Address Authentication)
WEB INTERFACE
To enable web authentication for a port:
1. Click Security, Web Authentication.
2. Select Configure Interface from the Step list.
3. Set the status box to enabled for any port that requires web
authentication, and click Apply
4. Mark the check box for any host addresses that need to be reauthenticated, and click Re-authenticate.
Figure 157: Configuring Interface Settings for Web Authentication
NETWORK ACCESS (MAC ADDRESS AUTHENTICATION)
Some devices connected to switch ports may not be able to support 802.1X
authentication due to hardware or software limitations. This is often true
for devices such as network printers, IP phones, and some wireless access
points. The switch enables network access from these devices to be
controlled by authenticating device MAC addresses with a central RADIUS
server.
NOTE: RADIUS authentication must be activated and configured properly
for the MAC Address authentication feature to work properly. (See
"Configuring Remote Logon Authentication Servers" on page 278.)
NOTE: MAC authentication cannot be configured on trunk ports.
CLI REFERENCES
◆ "Network Access (MAC Address Authentication)" on page 666
COMMAND USAGE
◆ MAC address authentication controls access to the network by
authenticating the MAC address of each host that attempts to connect
– 296 –
CHAPTER 13 | Security Measures
Network Access (MAC Address Authentication)
to a switch port. Traffic received from a specific MAC address is
forwarded by the switch only if the source MAC address is successfully
authenticated by a central RADIUS server. While authentication for a
MAC address is in progress, all traffic is blocked until authentication is
completed. On successful authentication, the RADIUS server may
optionally assign VLAN and quality of service settings for the switch
port.
◆
When enabled on a port, the authentication process sends a Password
Authentication Protocol (PAP) request to a configured RADIUS server.
The user name and password are both equal to the MAC address being
authenticated. On the RADIUS server, PAP user name and passwords
must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all
in upper case).
◆
Authenticated MAC addresses are stored as dynamic entries in the
switch secure MAC address table and are removed when the aging time
expires. The maximum number of secure MAC addresses supported for
the switch system is 1024.
◆
Configured static MAC addresses are added to the secure address table
when seen on a switch port. Static addresses are treated as
authenticated without sending a request to a RADIUS server.
◆
When port status changes to down, all MAC addresses mapped to that
port are cleared from the secure MAC address table. Static VLAN
assignments are not restored.
◆
The RADIUS server may optionally return a VLAN identifier list to be
applied to the switch port. The following attributes need to be
configured on the RADIUS server.
■
Tunnel-Type = VLAN
■
Tunnel-Medium-Type = 802
■
Tunnel-Private-Group-ID = 1u,2t
[VLAN ID list]
The VLAN identifier list is carried in the RADIUS “Tunnel-Private-GroupID” attribute. The VLAN list can contain multiple VLAN identifiers in the
format “1u,2t,3u” where “u” indicates an untagged VLAN and “t” a
tagged VLAN.
◆
The RADIUS server may optionally return dynamic QoS assignments to
be applied to a switch port for an authenticated user. The “Filter-ID”
attribute (attribute 11) can be configured on the RADIUS server to pass
the following QoS information:
Table 19: Dynamic QoS Profiles
Profile
Attribute Syntax
Example
DiffServ
service-policy-in=policy-map-name
service-policy-in=p1
Rate Limit
rate-limit-input=rate
rate-limit-input=100
(in units of Kbps)
802.1p
switchport-priority-default=value
switchport-priority-default=2
– 297 –
CHAPTER 13 | Security Measures
Network Access (MAC Address Authentication)
Table 19: Dynamic QoS Profiles (Continued)
◆
Profile
Attribute Syntax
Example
IP ACL
ip-access-group-in=ip-acl-name
ip-access-group-in=ipv4acl
IPv6 ACL
ipv6-access-group-in=ipv6-acl-name
ipv6-access-group-in=ipv6acl
MAC ACL
mac-access-group-in=mac-acl-name
mac-access-group-in=macAcl
Multiple profiles can be specified in the Filter-ID attribute by using a
semicolon to separate each profile.
For example, the attribute “service-policy-in=pp1;rate-limitinput=100” specifies that the diffserv profile name is “pp1,” and the
ingress rate limit profile value is 100 kbps.
◆
If duplicate profiles are passed in the Filter-ID attribute, then only the
first profile is used.
For example, if the attribute is “service-policy-in=p1;service-policyin=p2”, then the switch applies only the DiffServ profile “p1.”
◆
Any unsupported profiles in the Filter-ID attribute are ignored.
For example, if the attribute is “map-ip-dscp=2:3;service-policyin=p1,” then the switch ignores the “map-ip-dscp” profile.
◆
When authentication is successful, the dynamic QoS information may
not be passed from the RADIUS server due to one of the following
conditions (authentication result remains unchanged):
■
The Filter-ID attribute cannot be found to carry the user profile.
■
The Filter-ID attribute is empty.
■
◆
The Filter-ID attribute format for dynamic QoS assignment is
unrecognizable (can not recognize the whole Filter-ID attribute).
Dynamic QoS assignment fails and the authentication result changes
from success to failure when the following conditions occur:
■
■
Illegal characters found in a profile value (for example, a non-digital
character in an 802.1p profile value).
Failure to configure the received profiles on the authenticated port.
◆
When the last user logs off on a port with a dynamic QoS assignment,
the switch restores the original QoS configuration for the port.
◆
When a user attempts to log into the network with a returned dynamic
QoS profile that is different from users already logged on to the same
port, the user is denied access.
◆
While a port has an assigned dynamic QoS profile, any manual QoS
configuration changes only take effect after all users have logged off
the port.
– 298 –
CHAPTER 13 | Security Measures
Network Access (MAC Address Authentication)
CONFIGURING GLOBAL MAC address authentication is configured on a per-port basis, however
SETTINGS FOR there are two configurable parameters that apply globally to all ports on
NETWORK ACCESS the switch. Use the Security > Network Access (Configure Global) page to
configure MAC address authentication aging and reauthentication time.
CLI REFERENCES
◆ "Network Access (MAC Address Authentication)" on page 666
PARAMETERS
These parameters are displayed:
◆
Aging Status – Enables aging for authenticated MAC addresses stored
in the secure MAC address table. (Default: Disabled)
This parameter applies to authenticated MAC addresses configured by
the MAC Address Authentication process described in this section, as
well as to any secure MAC addresses authenticated by 802.1X,
regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or
MAC-Based authentication as described on page 345).
Authenticated MAC addresses are stored as dynamic entries in the
switch’s secure MAC address table and are removed when the aging
time expires.
The maximum number of secure MAC addresses supported for the
switch system is 1024.
◆
Reauthentication Time – Sets the time period after which a
connected host must be reauthenticated. When the reauthentication
time expires for a secure MAC address, it is reauthenticated with the
RADIUS server. During the reauthentication process traffic through the
port remains unaffected. (Range: 120-1000000 seconds;
Default: 1800 seconds)
– 299 –
CHAPTER 13 | Security Measures
Network Access (MAC Address Authentication)
WEB INTERFACE
To configure aging status and reauthentication time for MAC address
authentication:
1. Click Security, Network Access.
2. Select Configure Global from the Step list.
3. Enable or disable aging for secure addresses, and modify the
reauthentication time as required.
4. Click Apply.
Figure 158: Configuring Global Settings for Network Access
CONFIGURING Use the Security > Network Access (Configure Interface - General) page to
NETWORK ACCESS configure MAC authentication on switch ports, including enabling address
FOR PORTS authentication, setting the maximum MAC count, and enabling dynamic
VLAN or dynamic QoS assignments.
CLI REFERENCES
◆ "Network Access (MAC Address Authentication)" on page 666
PARAMETERS
These parameters are displayed:
◆
6.
MAC Authentication
■
Status – Enables MAC authentication on a port. (Default: Disabled)
■
Intrusion – Sets the port response to a host MAC authentication
failure to either block access to the port or to pass traffic through.
(Options: Block, Pass; Default: Block)
■
Max MAC Count6 – Sets the maximum number of MAC addresses
that can be authenticated on a port via MAC authentication; that is,
the Network Access process described in this section.
(Range: 1-1024; Default: 1024)
The maximum number of MAC addresses per port is 1024, and the maximum number of
secure MAC addresses supported for the switch system is 1024. When the limit is
reached, all new MAC addresses are treated as authentication failures.
– 300 –
CHAPTER 13 | Security Measures
Network Access (MAC Address Authentication)
◆
Network Access Max MAC Count5 – Sets the maximum number of
MAC addresses that can be authenticated on a port interface via all
forms of authentication (including Network Access and IEEE 802.1X).
(Range: 1-1024; Default: 1024)
◆
Guest VLAN – Specifies the VLAN to be assigned to the port when
802.1X Authentication fails. (Range: 0-4093, where 0 means disabled;
Default: Disabled)
The VLAN must already be created and active (see "Configuring VLAN
Groups" on page 170). Also, when used with 802.1X authentication,
intrusion action must be set for “Guest VLAN” (see "Configuring Port
Authenticator Settings for 802.1X" on page 345).
◆
Dynamic VLAN – Enables dynamic VLAN assignment for an
authenticated port. When enabled, any VLAN identifiers returned by the
RADIUS server through the 802.1X authentication process are applied
to the port, providing the VLANs have already been created on the
switch. (GVRP is not used to create the VLANs.) (Default: Enabled)
The VLAN settings specified by the first authenticated MAC address are
implemented for a port. Other authenticated MAC addresses on the
port must have the same VLAN configuration, or they are treated as
authentication failures.
If dynamic VLAN assignment is enabled on a port and the RADIUS
server returns no VLAN configuration (to the 802.1X authentication
process), the authentication is still treated as a success, and the host is
assigned to the default untagged VLAN.
When the dynamic VLAN assignment status is changed on a port, all
authenticated addresses mapped to that port are cleared from the
secure MAC address table.
◆
Dynamic QoS – Enables dynamic QoS assignment for an
authenticated port. (Default: Disabled)
◆
MAC Filter ID – Allows a MAC Filter to be assigned to the port. MAC
addresses or MAC address ranges present in a selected MAC Filter are
exempt from authentication on the specified port (as described under
"Configuring a MAC Address Filter"). (Range: 1-64; Default: None)
WEB INTERFACE
To configure MAC authentication on switch ports:
1. Click Security, Network Access.
2. Select Configure Interface from the Step list.
3. Click the General button.
4. Make any configuration changes required to enable address
authentication on a port, set the maximum number of secure addresses
supported, the guest VLAN to use when MAC Authentication or 802.1X
Authentication fails, and the dynamic VLAN and QoS assignments.
– 301 –
CHAPTER 13 | Security Measures
Network Access (MAC Address Authentication)
5. Click Apply.
Figure 159: Configuring Interface Settings for Network Access
CONFIGURING PORT Use the Security > Network Access (Configure Interface - Link Detection)
LINK DETECTION page to send an SNMP trap and/or shut down a port when a link event
occurs.
CLI REFERENCES
◆ "Network Access (MAC Address Authentication)" on page 666
PARAMETERS
These parameters are displayed:
◆
Link Detection Status – Configures whether Link Detection is enabled
or disabled for a port.
◆
Condition – The link event type which will trigger the port action.
◆
■
Link up – Only link up events will trigger the port action.
■
Link down – Only link down events will trigger the port action.
■
Link up and down – All link up and link down events will trigger
the port action.
Action – The switch can respond in three ways to a link up or down
trigger event.
■
Trap – An SNMP trap is sent.
■
Trap and shutdown – An SNMP trap is sent and the port is shut
down.
■
Shutdown – The port is shut down.
– 302 –
CHAPTER 13 | Security Measures
Network Access (MAC Address Authentication)
WEB INTERFACE
To configure link detection on switch ports:
1. Click Security, Network Access.
2. Select Configure Interface from the Step list.
3. Click the Link Detection button.
4. Modify the link detection status, trigger condition, and the response for
any port.
5. Click Apply.
Figure 160: Configuring Link Detection for Network Access
CONFIGURING A MAC Use the Security > Network Access (Configure MAC Filter) page to
ADDRESS FILTER designate specific MAC addresses or MAC address ranges as exempt from
authentication. MAC addresses present in MAC Filter tables activated on a
port are treated as pre-authenticated on that port.
CLI REFERENCES
◆ "Network Access (MAC Address Authentication)" on page 666
COMMAND USAGE
◆ Specified MAC addresses are exempt from authentication.
◆
Up to 65 filter tables can be defined.
◆
There is no limitation on the number of entries used in a filter table.
PARAMETERS
These parameters are displayed:
◆
Filter ID – Adds a filter rule for the specified filter.
◆
MAC Address – The filter rule will check ingress packets against the
entered MAC address or range of MAC addresses (as defined by the
MAC Address Mask).
– 303 –
CHAPTER 13 | Security Measures
Network Access (MAC Address Authentication)
◆
MAC Address Mask – The filter rule will check for the range of MAC
addresses defined by the MAC bit mask. If you omit the mask, the
system will assign the default mask of an exact match.
(Range: 000000000000 - FFFFFFFFFFFF; Default: FFFFFFFFFFFF)
WEB INTERFACE
To add a MAC address filter for MAC authentication:
1. Click Security, Network Access.
2. Select Configure MAC Filter from the Step list.
3. Select Add from the Action list.
4. Enter a filter ID, MAC address, and optional mask.
5. Click Apply.
Figure 161: Configuring a MAC Address Filter for Network Access
To show the MAC address filter table for MAC authentication:
1. Click Security, Network Access.
2. Select Configure MAC Filter from the Step list.
3. Select Show from the Action list.
Figure 162: Showing the MAC Address Filter Table for Network Access
– 304 –
CHAPTER 13 | Security Measures
Network Access (MAC Address Authentication)
DISPLAYING SECURE Use the Security > Network Access (Show Information) page to display the
MAC ADDRESS authenticated MAC addresses stored in the secure MAC address table.
INFORMATION Information on the secure MAC entries can be displayed and selected
entries can be removed from the table.
CLI REFERENCES
◆ "Network Access (MAC Address Authentication)" on page 666
PARAMETERS
These parameters are displayed:
◆
◆
Query By – Specifies parameters to use in the MAC address query.
■
Sort Key – Sorts the information displayed based on MAC address,
port interface, or attribute.
■
MAC Address – Specifies a specific MAC address.
■
Interface – Specifies a port interface.
■
Attribute – Displays static or dynamic addresses.
Authenticated MAC Address List
■
MAC Address – The authenticated MAC address.
■
Interface – The port interface associated with a secure MAC
address.
■
RADIUS Server – The IP address of the RADIUS server that
authenticated the MAC address.
■
Time – The time when the MAC address was last authenticated.
■
Attribute – Indicates a static or dynamic address.
WEB INTERFACE
To display the authenticated MAC addresses stored in the secure MAC
address table:
1. Click Security, Network Access.
2. Select Show Information from the Step list.
3. Use the sort key to display addresses based MAC address, interface, or
attribute.
4. Restrict the displayed addresses by entering a specific address in the
MAC Address field, specifying a port in the Interface field, or setting the
address type to static or dynamic in the Attribute field.
5. Click Query.
– 305 –
CHAPTER 13 | Security Measures
Configuring HTTPS
Figure 163: Showing Addresses Authenticated for Network Access
CONFIGURING HTTPS
You can configure the switch to enable the Secure Hypertext Transfer
Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure
access (i.e., an encrypted connection) to the switch’s web interface.
CONFIGURING GLOBAL Use the Security > HTTPS (Configure Global) page to enable or disable
SETTINGS FOR HTTPS HTTPS and specify the UDP port used for this service.
CLI REFERENCES
◆ "Web Server" on page 629
COMMAND USAGE
◆ HTTP and HTTPS are implemented as mutually exclusive services on the
switch. (HTTP can only be configured through the CLI using the ip http
server command described on page 630.)
◆
If you enable HTTPS, you must indicate this in the URL that you specify
in your browser: https://device[:port_number]
◆
When you start HTTPS, the connection is established in this way:
■
■
■
The client authenticates the server using the server’s digital
certificate.
The client and server negotiate a set of security protocols to use for
the connection.
The client and server generate session keys for encrypting and
decrypting data.
– 306 –
CHAPTER 13 | Security Measures
Configuring HTTPS
◆
The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer 6.x
or above, or Mozilla Firefox 4.x or above.
◆
The following web browsers and operating systems currently support
HTTPS:
Table 20: HTTPS System Support
◆
Web Browser
Operating System
Internet Explorer 6.x or later
Windows 98,Windows NT (with service pack 6a),
Windows 2000, XP, Vista, 7, 8
Mozilla Firefox 6.x or later
Windows 2000, XP, 7, 8, or Linux
To specify a secure-site certificate, see "Replacing the Default Securesite Certificate" on page 308.
NOTE: Users are automatically logged off of the HTTP server or HTTPS
server if no input is detected for 600 seconds.
NOTE: Connection to the web interface is not supported for HTTPS using an
IPv6 link local address.
PARAMETERS
These parameters are displayed:
◆
HTTPS Status – Allows you to enable/disable the HTTPS server feature
on the switch. (Default: Disabled)
◆
HTTPS Port – Specifies the TCP port number used for HTTPS
connection to the switch’s web interface. (Default: Port 443)
WEB INTERFACE
To configure HTTPS:
1. Click Security, HTTPS.
2. Select Configure Global from the Step list.
3. Enable HTTPS and specify the port number if required.
4. Click Apply.
– 307 –
CHAPTER 13 | Security Measures
Configuring HTTPS
Figure 164: Configuring HTTPS
REPLACING THE Use the Security > HTTPS (Copy Certificate) page to replace the default
DEFAULT SECURE-SITE secure-site certificate.
CERTIFICATE
When you log onto the web interface using HTTPS (for secure access), a
Secure Sockets Layer (SSL) certificate appears for the switch. By default,
the certificate that the web browser displays will be associated with a
warning that the site is not recognized as a secure site. This is because the
certificate has not been signed by an approved certification authority. If
you want this warning to be replaced by a message confirming that the
connection to the switch is secure, you must obtain a unique certificate and
a private key and password from a recognized certification authority.
CAUTION: For maximum security, we recommend you obtain a unique
Secure Sockets Layer certificate at the earliest opportunity. This is because
the default certificate for the switch is not unique to the hardware you have
purchased.
When you have obtained these, place them on your TFTP server and
transfer them to the switch to replace the default (unrecognized) certificate
with an authorized one.
NOTE: The switch must be reset for the new certificate to be activated. To
reset the switch, see "Resetting the System" on page 122 or type “reload”
at the command prompt: Console#reload
CLI REFERENCES
◆ "Web Server" on page 629
PARAMETERS
These parameters are displayed:
◆
TFTP Server IP Address – IP address of TFTP server which contains
the certificate file.
◆
Certificate Source File Name – Name of certificate file stored on the
TFTP server.
– 308 –
CHAPTER 13 | Security Measures
Configuring the Secure Shell
◆
Private Key Source File Name – Name of private key file stored on
the TFTP server.
◆
Private Password – Password stored in the private key file. This
password is used to verify authorization for certificate use, and is
verified when downloading the certificate to the switch.
◆
Confirm Password – Re-type the string entered in the previous field
to ensure no errors were made. The switch will not download the
certificate if these two fields do not match.
WEB INTERFACE
To replace the default secure-site certificate:
1. Click Security, HTTPS.
2. Select Copy Certificate from the Step list.
3. Fill in the TFTP server, certificate and private key file name, and private
password.
4. Click Apply.
Figure 165: Downloading the Secure-Site Certificate
CONFIGURING THE SECURE SHELL
The Berkeley-standard includes remote access tools originally designed for
Unix systems. Some of these tools have also been implemented for
Microsoft Windows and other environments. These tools, including
commands such as rlogin (remote login), rsh (remote shell), and rcp
(remote copy), are not secure from hostile attacks.
Secure Shell (SSH) includes server/client applications intended as a secure
replacement for the older Berkeley remote access tools. SSH can also
provide remote management access to this switch as a secure replacement
for Telnet. When the client contacts the switch via the SSH protocol, the
switch generates a public-key that the client uses along with a local user
name and password for access authentication. SSH also encrypts all data
transfers passing between the switch and SSH-enabled management
– 309 –
CHAPTER 13 | Security Measures
Configuring the Secure Shell
station clients, and ensures that data traveling over the network arrives
unaltered.
NOTE: You need to install an SSH client on the management station to
access the switch for management via the SSH protocol.
NOTE: The switch supports both SSH Version 1.5 and 2.0 clients.
COMMAND USAGE
The SSH server on this switch supports both password and public key
authentication. If password authentication is specified by the SSH client,
then the password can be authenticated either locally or via a RADIUS or
TACACS+ remote authentication server, as specified on the System
Authentication page (page 277). If public key authentication is specified by
the client, then you must configure authentication keys on both the client
and the switch as described in the following section. Note that regardless of
whether you use public key or password authentication, you still have to
generate authentication keys on the switch (SSH Host Key Settings) and
enable the SSH server (Authentication Settings).
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – On the SSH Host Key Settings page, create
a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs
automatically import the host public key during the initial connection
setup with the switch. Otherwise, you need to manually create a known
hosts file on the management station and place the host public key in
it. An entry for a public key in the known hosts file would appear similar
to the following example:
10.1.0.54 1024 35
15684995401867669259333946775054617325313674890836547254
15020245593199868544358361651999923329781766065830956
10825913212890233 76546801726272571413428762941301196195566782
59566410486957427888146206519417467729848654686157177393901647
79355942303577413098022737087794545240839717526463580581767167
09574804776117
3. Import Client’s Public Key to the Switch – See "Importing User Public
Keys" on page 315, or use the copy tftp public-key command
(page 536) to copy a file containing the public key for all the SSH
client’s granted management access to the switch. (Note that these
clients must be configured locally on the switch via the User Accounts
page as described on page 292.) The clients are subsequently
authenticated using these keys. The current firmware only accepts
public key files based on standard UNIX format as shown in the
following example for an RSA Version 1 key:
1024 35
13410816856098939210409449201554253476316419218729589211431738
80055536161631051775940838686311092912322268285192543746031009
– 310 –
CHAPTER 13 | Security Measures
Configuring the Secure Shell
37187721199696317813662774141689851320491172048303392543241016
37997592371449011938006090253948408482717819437228840253311595
2134861022902978982721353267131629432532818915045306393916643
steve@192.168.1.19
4. Set the Optional Parameters – On the SSH Settings page, configure the
optional parameters, including the authentication timeout, the number
of retries, and the server key size.
5. Enable SSH Service – On the SSH Settings page, enable the SSH server
on the switch.
6. Authentication – One of the following authentication methods is
employed:
Password Authentication (for SSH v1.5 or V2 Clients)
a. The client sends its password to the server.
b. The switch compares the client's password to those stored in
memory.
c. If a match is found, the connection is allowed.
NOTE: To use SSH with only password authentication, the host public key
must still be given to the client, either during initial connection or manually
entered into the known host file. However, you do not need to configure
the client’s keys.
Public Key Authentication – When an SSH client attempts to contact the
switch, the SSH server uses the host key pair to negotiate a session
key and encryption method. Only clients that have a private key
corresponding to the public keys stored on the switch can access it. The
following exchanges take place during this process:
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b. The switch compares the client's public key to those stored in
memory.
c. If a match is found, the switch uses its secret key to generate a
random 256-bit string as a challenge, encrypts this string with
the user’s public key, and sends it to the client.
d. The client uses its private key to decrypt the challenge string,
computes the MD5 checksum, and sends the checksum back to
the switch.
e. The switch compares the checksum sent from the client against
that computed for the original string it sent. If the two
checksums match, this means that the client's private key
corresponds to an authorized public key, and the client is
authenticated.
Authenticating SSH v2 Clients
a. The client first queries the switch to determine if DSA public key
authentication using a preferred algorithm is acceptable.
– 311 –
CHAPTER 13 | Security Measures
Configuring the Secure Shell
b. If the specified algorithm is supported by the switch, it notifies
the client to proceed with the authentication process. Otherwise,
it rejects the request.
c. The client sends a signature generated using the private key to
the switch.
d. When the server receives this message, it checks whether the
supplied key is acceptable for authentication, and if so, it then
checks whether the signature is correct. If both checks succeed,
the client is authenticated.
NOTE: The SSH server supports up to four client sessions. The maximum
number of client sessions includes both current Telnet sessions and SSH
sessions.
NOTE: The SSH server can be accessed using any configured IPv4 or IPv6
interface address on the switch.
CONFIGURING THE Use the Security > SSH (Configure Global) page to enable the SSH server
SSH SERVER and configure basic settings for authentication.
NOTE: A host key pair must be configured on the switch before you can
enable the SSH server. See "Generating the Host Key Pair" on page 313.
CLI REFERENCES
◆ "Secure Shell" on page 635
PARAMETERS
These parameters are displayed:
◆
SSH Server Status – Allows you to enable/disable the SSH server on
the switch. (Default: Disabled)
◆
Version – The Secure Shell version number. Version 2.0 is displayed,
but the switch supports management access via either SSH Version 1.5
or 2.0 clients.
◆
Authentication Timeout – Specifies the time interval in seconds that
the SSH server waits for a response from a client during an
authentication attempt. (Range: 1-120 seconds; Default: 120 seconds)
◆
Authentication Retries – Specifies the number of authentication
attempts that a client is allowed before authentication fails and the
client has to restart the authentication process. (Range: 1-5 times;
Default: 3)
◆
Server-Key Size – Specifies the SSH server key size.
(Range: 512-896 bits; Default:768)
– 312 –
CHAPTER 13 | Security Measures
Configuring the Secure Shell
■
■
The server key is a private key that is never shared outside the
switch.
The host key is shared with the SSH client, and is fixed at 1024 bits.
WEB INTERFACE
To configure the SSH server:
1. Click Security, SSH.
2. Select Configure Global from the Step list.
3. Enable the SSH server.
4. Adjust the authentication parameters as required.
5. Click Apply.
Figure 166: Configuring the SSH Server
GENERATING THE Use the Security > SSH (Configure Host Key - Generate) page to generate
HOST KEY PAIR a host public/private key pair used to provide secure communications
between an SSH client and the switch. After generating this key pair, you
must provide the host public key to SSH clients and import the client’s
public key to the switch as described in the section "Importing User Public
Keys" on page 315.
NOTE: A host key pair must be configured on the switch before you can
enable the SSH server. See "Configuring the SSH Server" on page 312.
CLI REFERENCES
◆ "Secure Shell" on page 635
– 313 –
CHAPTER 13 | Security Measures
Configuring the Secure Shell
PARAMETERS
These parameters are displayed:
◆
Host-Key Type – The key type used to generate the host key pair
(i.e., public and private keys). (Range: RSA (Version 1), DSA
(Version 2), Both; Default: Both)
The SSH server uses RSA or DSA for key exchange when the client first
establishes a connection with the switch, and then negotiates with the
client to select either DES (56-bit) or 3DES (168-bit) for data
encryption.
NOTE: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA
Version 2 for SSHv2 clients.
◆
Save Host-Key from Memory to Flash – Saves the host key from
RAM (i.e., volatile memory) to flash memory. Otherwise, the host key
pair is stored to RAM by default. Note that you must select this item
prior to generating the host-key pair. (Default: Disabled)
WEB INTERFACE
To generate the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Generate from the Action list.
4. Select the host-key type from the drop-down box.
5. Select the option to save the host key from memory to flash if required.
6. Click Apply.
Figure 167: Generating the SSH Host Key Pair
To display or clear the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
– 314 –
CHAPTER 13 | Security Measures
Configuring the Secure Shell
3. Select Show from the Action list.
4. Select the host-key type to clear.
5. Click Clear.
Figure 168: Showing the SSH Host Key Pair
IMPORTING USER Use the Security > SSH (Configure User Key - Copy) page to upload a
PUBLIC KEYS user’s public key to the switch. This public key must be stored on the
switch for the user to be able to log in using the public key authentication
mechanism. If the user’s public key does not exist on the switch, SSH will
revert to the interactive password authentication mechanism to complete
authentication.
CLI REFERENCES
◆ "Secure Shell" on page 635
PARAMETERS
These parameters are displayed:
◆
User Name – This drop-down box selects the user who’s public key
you wish to manage. Note that you must first create users on the User
Accounts page (see "Configuring User Accounts" on page 292).
◆
User Key Type – The type of public key to upload.
■
RSA: The switch accepts a RSA version 1 encrypted public key.
■
DSA: The switch accepts a DSA version 2 encrypted public key.
The SSH server uses RSA or DSA for key exchange when the client first
establishes a connection with the switch, and then negotiates with the
client to select either DES (56-bit) or 3DES (168-bit) for data
encryption.
The switch uses only RSA Version 1 for SSHv1.5 clients and DSA
Version 2 for SSHv2 clients.
– 315 –
CHAPTER 13 | Security Measures
Configuring the Secure Shell
◆
TFTP Server IP Address – The IP address of the TFTP server that
contains the public key file you wish to import.
◆
Source File Name – The public key file to upload.
WEB INTERFACE
To copy the SSH user’s public key:
1. Click Security, SSH.
2. Select Configure User Key from the Step list.
3. Select Copy from the Action list.
4. Select the user name and the public-key type from the respective dropdown boxes, input the TFTP server IP address and the public key source
file name.
5. Click Apply.
Figure 169: Copying the SSH User’s Public Key
To display or clear the SSH user’s public key:
1. Click Security, SSH.
2. Select Configure User Key from the Step list.
3. Select Show from the Action list.
4. Select a user from the User Name list.
5. Select the host-key type to clear.
6. Click Clear.
– 316 –
CHAPTER 13 | Security Measures
Access Control Lists
Figure 170: Showing the SSH User’s Public Key
ACCESS CONTROL LISTS
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based
on address, protocol, Layer 4 protocol port number or TCP control code), or
any frames (based on MAC address or Ethernet type). To filter incoming
packets, first create an access list, add the required rules, and then bind
the list to a specific port.
Configuring Access Control Lists –
An ACL is a sequential list of permit or deny conditions that apply to IP
addresses, MAC addresses, or other more specific criteria. This switch tests
ingress packets against the conditions in an ACL one by one. A packet will
be accepted as soon as it matches a permit rule, or dropped as soon as it
matches a deny rule. If no rules match, the packet is accepted.
COMMAND USAGE
The following restrictions apply to ACLs:
◆
The maximum number of ACLs is 64.
◆
The maximum number of rules per system is 512 rules.
◆
An ACL can have up to 32 rules. However, due to resource restrictions,
the average number of rules bound to the ports should not exceed 20.
◆
The maximum number of rules that can be bound to the ports is 64 for
each of the following list types: MAC ACLs, IP ACLs (including Standard
and Extended ACLs), IPv6 Standard ACLs, and IPv6 Extended ACLs.
The maximum number of rules (Access Control Entries, or ACEs) stated
above is the worst case scenario. In practice, the switch compresses
the ACEs in TCAM (a hardware table used to store ACEs), but the actual
maximum number of ACEs possible depends on too many factors to be
precisely determined. It depends on the amount of hardware resources
reserved at runtime for this purpose.
– 317 –
CHAPTER 13 | Security Measures
Access Control Lists
Auto ACE Compression is a software feature used to compress all the
ACEs of an ACL to utilize hardware resources more efficiency. Without
compression, one ACE would occupy a fixed number of entries in TCAM.
So if one ACL includes 25 ACEs, the ACL would need (25 * n) entries in
TCAM, where “n” is the fixed number of TCAM entries needed for one
ACE. When compression is employed, before writing the ACE into
TCAM, the software compresses the ACEs to reduce the number of
required TCAM entries. For example, one ACL may include 128 ACEs
which classify a continuous IP address range like 192.168.1.0~255. If
compression is disabled, the ACL would occupy (128*n) entries of
TCAM, using up nearly all of the hardware resources. When using
compression, the 128 ACEs are compressed into one ACE classifying
the IP address as 192.168.1.0/24, which requires only “n” entries in
TCAM. The above example is an ideal case for compression. The worst
case would be if no any ACE can be compressed, in which case the used
number of TCAM entries would be the same as without compression. It
would also require more time to process the ACEs.
SHOWING TCAM Use the Security > ACL (Configure ACL - Show TCAM) page to show
UTILIZATION utilization parameters for TCAM (Ternary Content Addressable Memory),
including the number policy control entries in use, the number of free
entries, and the overall percentage of TCAM in use.
CLI REFERENCES
◆ "show access-list tcam-utilization" on page 527
COMMAND USAGE
Policy control entries (PCEs) are used by various system functions which
rely on rule-based searches, including Access Control Lists (ACLs), IP
Source Guard filter rules, Quality of Service (QoS) processes, QinQ, MACbased VLANs, VLAN translation, or traps.
For example, when binding an ACL to a port, each rule in an ACL will use
two PCEs; and when setting an IP Source Guard filter rule for a port, the
system will also use two PCEs.
PARAMETERS
These parameters are displayed:
◆
Total Policy Control Entries – The number policy control entries in
use.
◆
Free Policy Control Entries – The number of policy control entries
available for use.
◆
Entries Used by System – The number of policy control entries used
by the operating system.
◆
Entries Used by User – The number of policy control entries used by
configuration settings, such as access control lists.
◆
TCAM Utilization – The overall percentage of TCAM in use.
– 318 –
CHAPTER 13 | Security Measures
Access Control Lists
WEB INTERFACE
To show information on TCAM utilization:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show TCAM from the Action list.
Figure 171: Showing TCAM Utilization
SETTING THE ACL Use the Security > ACL (Configure ACL - Add) page to create an ACL.
NAME AND TYPE
CLI REFERENCES
◆ "access-list ip" on page 712
◆ "show ip access-list" on page 718
PARAMETERS
These parameters are displayed:
◆
ACL Name – Name of the ACL. (Maximum length: 32 characters)
◆
Type – The following filter modes are supported:
■
IP Standard: IPv4 ACL mode filters packets based on the source
IPv4 address.
■
IP Extended: IPv4 ACL mode filters packets based on the source
or destination IPv4 address, as well as the protocol type and
protocol port number. If the “TCP” protocol is specified, then you
can also filter packets based on the TCP control code.
■
■
MAC – MAC ACL mode filters packets based on the source or
destination MAC address and the Ethernet frame type (RFC 1060).
ARP – ARP ACL specifies static IP-to-MAC address bindings used for
ARP inspection (see "ARP Inspection" on page 330).
– 319 –
CHAPTER 13 | Security Measures
Access Control Lists
WEB INTERFACE
To configure the name and type of an ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add from the Action list.
4. Fill in the ACL Name field, and select the ACL type.
5. Click Apply.
Figure 172: Creating an ACL
To show a list of ACLs:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show from the Action list.
Figure 173: Showing a List of ACLs
CONFIGURING A Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to
STANDARD IPV4 ACL configure a Standard IPv4 ACL.
CLI REFERENCES
◆ "permit, deny, redirect-to (Standard IP ACL)" on page 713
◆ "show ip access-list" on page 718
◆ "Time Range" on page 572
– 320 –
CHAPTER 13 | Security Measures
Access Control Lists
PARAMETERS
These parameters are displayed:
◆
Type – Selects the type of ACLs to show in the Name list.
◆
Name – Shows the names of ACLs matching the selected type.
◆
Action – An ACL can contain any combination of rules which permit or
deny a packet, or re-direct a packet to another port.
◆
Interface – The unit and port to which a packet is redirected.
(This switch does not support stacking, so the unit is fixed at 1.)
◆
Address Type – Specifies the source IP address. Use “Any” to include
all possible addresses, “Host” to specify a specific host address in the
Address field, or “IP” to specify a range of addresses with the Address
and Subnet Mask fields. (Options: Any, Host, IP; Default: Any)
◆
Source IP Address – Source IP address.
◆
Source Subnet Mask – A subnet mask containing four integers from 0
to 255, each separated by a period. The mask uses 1 bits to indicate
“match” and 0 bits to indicate “ignore.” The mask is bitwise ANDed with
the specified source IP address, and compared with the address for
each IP packet entering the port(s) to which this ACL has been
assigned.
◆
Time Range – Name of a time range.
WEB INTERFACE
To add rules to an IPv4 Standard ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IP Standard from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or IP).
8. If you select “Host,” enter a specific address. If you select “IP,” enter a
subnet address and the mask for an address range.
9. Click Apply.
– 321 –
CHAPTER 13 | Security Measures
Access Control Lists
Figure 174: Configuring a Standard IPv4 ACL
CONFIGURING AN Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to
EXTENDED IPV4 ACL configure an Extended IPv4 ACL.
CLI REFERENCES
◆ "permit, deny, redirect-to (Extended IPv4 ACL)" on page 714
◆ "show ip access-list" on page 718
◆ "Time Range" on page 572
COMMAND USAGE
Due to a ASIC limitation, the switch only checks the leftmost six priority
bits. This presents no problem when checking DSCP or IP Precedence bits,
but limits the checking of ToS bits (underlined in the following example) to
the leftmost three bits, ignoring the right most fourth bit.
For example, if you configured an access list to deny packets with a ToS of
7 (00001110), the highlighted bit would be ignored, and the access list
would drop packets with a ToS of both 6 and 7.
Table 21: Priority Bits Processed by Extended IPv4 ACL
DSCP
Precedence
7
6
ToS
5
4
3
2
1
0
PARAMETERS
These parameters are displayed:
◆
Type – Selects the type of ACLs to show in the Name list.
◆
Name – Shows the names of ACLs matching the selected type.
◆
Action – An ACL can contain any combination of rules which permit or
deny a packet, or re-direct a packet to another port.
– 322 –
CHAPTER 13 | Security Measures
Access Control Lists
◆
Interface – The unit and port to which a packet is redirected.
(This switch does not support stacking, so the unit is fixed at 1.)
◆
Source/Destination Address Type – Specifies the source or
destination IP address type. Use “Any” to include all possible addresses,
“Host” to specify a specific host address in the Address field, or “IP” to
specify a range of addresses with the Address and Subnet Mask fields.
(Options: Any, Host, IP; Default: Any)
◆
Source/Destination IP Address – Source or destination IP address.
◆
Source/Destination Subnet Mask – Subnet mask for source or
destination address. (See the description for Subnet Mask on
page 320.)
◆
Source/Destination Port – Source/destination port number for the
specified protocol type. (Range: 0-65535)
◆
Source/Destination Port Bit Mask – Decimal number representing
the port bits to match. (Range: 0-65535)
◆
Protocol – Specifies the protocol type to match as TCP, UDP or Others,
where others indicates a specific protocol number (0-255).
(Options: TCP, UDP, Others; Default: TCP)
◆
Service Type – Packet priority settings based on the following criteria:
■
ToS – Type of Service level. (Range: 0-15)
■
Precedence – IP precedence level. (Range: 0-7)
■
DSCP – DSCP priority level. (Range: 0-63)
◆
Control Code – Decimal number (representing a bit string) that
specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
◆
Control Code Bit Mask – Decimal number representing the code bits
to match. (Range: 0-63)
The control bit mask is a decimal number (for an equivalent binary bit
mask) that is applied to the control code. Enter a decimal number,
where the equivalent binary bit “1” means to match a bit and “0”
means to ignore a bit. The following bits may be specified:
■
1 (fin) – Finish
■
2 (syn) – Synchronize
■
4 (rst) – Reset
■
8 (psh) – Push
■
16 (ack) – Acknowledgement
■
32 (urg) – Urgent pointer
For example, use the code value and mask below to catch packets with
the following flags set:
■
SYN flag valid, use control-code 2, control bit mask 2
– 323 –
CHAPTER 13 | Security Measures
Access Control Lists
◆
■
Both SYN and ACK valid, use control-code 18, control bit mask 18
■
SYN valid and ACK invalid, use control-code 2, control bit mask 18
Time Range – Name of a time range.
WEB INTERFACE
To add rules to an IPv4 Extended ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IP Extended from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or IP).
8. If you select “Host,” enter a specific address. If you select “IP,” enter a
subnet address and the mask for an address range.
9. Set any other required criteria, such as service type, protocol type, or
control code.
10. Click Apply.
Figure 175: Configuring an Extended IPv4 ACL
– 324 –
CHAPTER 13 | Security Measures
Access Control Lists
CONFIGURING A Use the Security > ACL (Configure ACL - Add Rule - MAC) page to
MAC ACL configure a MAC ACL based on hardware addresses, packet format, and
Ethernet type.
CLI REFERENCES
◆ "permit, deny, redirect-to (MAC ACL)" on page 719
◆ "show ip access-list" on page 718
◆ "Time Range" on page 572
PARAMETERS
These parameters are displayed:
◆
Type – Selects the type of ACLs to show in the Name list.
◆
Name – Shows the names of ACLs matching the selected type.
◆
Action – An ACL can contain any combination of rules which permit or
deny a packet, or re-direct a packet to another port.
◆
Interface – The unit and port to which a packet is redirected.
(This switch does not support stacking, so the unit is fixed at 1.)
◆
Source/Destination Address Type – Use “Any” to include all possible
addresses, “Host” to indicate a specific MAC address, or “MAC” to
specify an address range with the Address and Bit Mask fields.
(Options: Any, Host, MAC; Default: Any)
◆
Source/Destination MAC Address – Source or destination MAC
address.
◆
Source/Destination Bit Mask – Hexadecimal mask for source or
destination MAC address.
◆
Packet Format – This attribute includes the following packet types:
■
Any – Any Ethernet packet type.
■
Untagged-eth2 – Untagged Ethernet II packets.
■
Untagged-802.3 – Untagged Ethernet 802.3 packets.
■
Tagged-eth2 – Tagged Ethernet II packets.
■
Tagged-802.3 – Tagged Ethernet 802.3 packets.
◆
VID – VLAN ID. (Range: 1-4094)
◆
VID Bit Mask – VLAN bit mask. (Range: 0-4095)
◆
Ethernet Type – This option can only be used to filter Ethernet II
formatted packets. (Range: 600-ffff hex.)
A detailed listing of Ethernet protocol types can be found in RFC 1060.
A few of the more common types include 0800 (IP), 0806 (ARP), 8137
(IPX).
◆
Ethernet Type Bit Mask – Protocol bit mask. (Range: 600-ffff hex.)
– 325 –
CHAPTER 13 | Security Measures
Access Control Lists
◆
Time Range – Name of a time range.
WEB INTERFACE
To add rules to a MAC ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select MAC from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or MAC).
8. If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-
66). If you select “MAC,” enter a base address and a hexadecimal bit
mask for an address range.
9. Set any other required criteria, such as VID, Ethernet type, or packet
format.
10. Click Apply.
Figure 176: Configuring a MAC ACL
– 326 –
CHAPTER 13 | Security Measures
Access Control Lists
CONFIGURING AN Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure
ARP ACL ACLs based on ARP message addresses. ARP Inspection can then use these
ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP
Inspection" on page 331).
CLI REFERENCES
◆ "permit, deny (ARP ACL)" on page 724
◆ "show ip access-list" on page 718
◆ "Time Range" on page 572
PARAMETERS
These parameters are displayed:
◆
Type – Selects the type of ACLs to show in the Name list.
◆
Name – Shows the names of ACLs matching the selected type.
◆
Action – An ACL can contain any combination of permit or deny rules.
◆
Packet Type – Indicates an ARP request, ARP response, or either type.
(Range: Request, Response, All; Default: All)
◆
Source/Destination IP Address Type – Specifies the source or
destination IPv4 address. Use “Any” to include all possible addresses,
“Host” to specify a specific host address in the Address field, or “IP” to
specify a range of addresses with the Address and Mask fields.
(Options: Any, Host, IP; Default: Any)
◆
Source/Destination IP Address – Source or destination IP address.
◆
Source/Destination IP Subnet Mask – Subnet mask for source or
destination address. (See the description for Subnet Mask on
page 320.)
◆
Source/Destination MAC Address Type – Use “Any” to include all
possible addresses, “Host” to indicate a specific MAC address, or “MAC”
to specify an address range with the Address and Mask fields.
(Options: Any, Host, MAC; Default: Any)
◆
Source/Destination MAC Address – Source or destination MAC
address.
◆
Source/Destination MAC Bit Mask – Hexadecimal mask for source or
destination MAC address.
◆
Log – Logs a packet when it matches the access control entry.
WEB INTERFACE
To add rules to an ARP ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
– 327 –
CHAPTER 13 | Security Measures
Access Control Lists
3. Select Add Rule from the Action list.
4. Select ARP from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the packet type (Request, Response, All).
8. Select the address type (Any, Host, or IP).
9. If you select “Host,” enter a specific address (e.g., 11-22-33-44-5566). If you select “IP,” enter a base address and a hexadecimal bit mask
for an address range.
10. Enable logging if required.
11. Click Apply.
Figure 177: Configuring a ARP ACL
BINDING A PORT TO AN After configuring ACLs, use the Security > ACL (Configure Interface) page
ACCESS CONTROL to bind the ports that need to filter traffic to the appropriate ACLs. You can
LIST assign one IP access list and one MAC access list to any port.
CLI REFERENCES
◆ "ip access-group" on page 717
◆ "show ip access-group" on page 717
◆ "mac access-group" on page 722
◆ "show mac access-group" on page 722
◆ "Time Range" on page 572
– 328 –
CHAPTER 13 | Security Measures
Access Control Lists
COMMAND USAGE
◆ This switch supports ACLs for ingress filtering only.
◆
You only bind one ACL to any port for ingress filtering.
PARAMETERS
These parameters are displayed:
◆
Type – Selects the type of ACLs to bind to a port.
◆
Port – Fixed port or SFP module. (Range: 1-26)
◆
ACL – ACL used for ingress packets.
◆
Time Range – Name of a time range.
WEB INTERFACE
To bind an ACL to a port:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select IP or MAC from the Type list.
4. Select a port.
5. Select the name of an ACL from the ACL list.
6. Click Apply.
Figure 178: Binding a Port to an ACL
– 329 –
CHAPTER 13 | Security Measures
ARP Inspection
ARP INSPECTION
ARP Inspection is a security feature that validates the MAC Address
bindings for Address Resolution Protocol packets. It provides protection
against ARP traffic with invalid MAC-to-IP address bindings, which forms
the basis for certain “man-in-the-middle” attacks. This is accomplished by
intercepting all ARP requests and responses and verifying each of these
packets before the local ARP cache is updated or the packet is forwarded to
the appropriate destination. Invalid ARP packets are dropped.
ARP Inspection determines the validity of an ARP packet based on valid
IP-to-MAC address bindings stored in a trusted database – the DHCP
snooping binding database (see "DHCP Snooping Global Configuration" on
page 362). This database is built by DHCP snooping if it is enabled on
globally on the switch and on the required VLANs. ARP Inspection can also
validate ARP packets against user-configured ARP access control lists
(ACLs) for hosts with statically configured addresses (see "Configuring an
ARP ACL" on page 327).
COMMAND USAGE
Enabling & Disabling ARP Inspection
◆
ARP Inspection is controlled on a global and VLAN basis.
◆
By default, ARP Inspection is disabled both globally and on all VLANs.
■
■
■
■
■
■
◆
If ARP Inspection is globally enabled, then it becomes active only on
the VLANs where it has been enabled.
When ARP Inspection is enabled globally, all ARP request and reply
packets on inspection-enabled VLANs are redirected to the CPU and
their switching behavior handled by the ARP Inspection engine.
If ARP Inspection is disabled globally, then it becomes inactive for
all VLANs, including those where inspection is enabled.
When ARP Inspection is disabled, all ARP request and reply packets
will bypass the ARP Inspection engine and their switching behavior
will match that of all other packets.
Disabling and then re-enabling global ARP Inspection will not affect
the ARP Inspection configuration of any VLANs.
When ARP Inspection is disabled globally, it is still possible to
configure ARP Inspection for individual VLANs. These configuration
changes will only become active after ARP Inspection is enabled
globally again.
The ARP Inspection engine in the current firmware version does not
support ARP Inspection on trunk ports.
– 330 –
CHAPTER 13 | Security Measures
ARP Inspection
CONFIGURING GLOBAL Use the Security > ARP Inspection (Configure General) page to enable ARP
SETTINGS FOR ARP inspection globally for the switch, to validate address information in each
INSPECTION packet, and configure logging.
CLI REFERENCES
◆ "ARP Inspection" on page 699
COMMAND USAGE
ARP Inspection Validation
◆
By default, ARP Inspection Validation is disabled.
◆
Specifying at least one of the following validations enables ARP
Inspection Validation globally. Any combination of the following checks
can be active concurrently.
■
Destination MAC – Checks the destination MAC address in the
Ethernet header against the target MAC address in the ARP body.
This check is performed for ARP responses. When enabled, packets
with different MAC addresses are classified as invalid and are
dropped.
■
IP – Checks the ARP body for invalid and unexpected IP addresses.
These addresses include 0.0.0.0, 255.255.255.255, and all IP
multicast addresses. Sender IP addresses are checked in all ARP
requests and responses, while target IP addresses are checked only
in ARP responses.
■
Source MAC – Checks the source MAC address in the Ethernet
header against the sender MAC address in the ARP body. This check
is performed on both ARP requests and responses. When enabled,
packets with different MAC addresses are classified as invalid and
are dropped.
ARP Inspection Logging
◆
By default, logging is active for ARP Inspection, and cannot be disabled.
◆
The administrator can configure the log facility rate.
◆
When the switch drops a packet, it places an entry in the log buffer,
then generates a system message on a rate-controlled basis. After the
system message is generated, the entry is cleared from the log buffer.
◆
Each log entry contains flow information, such as the receiving VLAN,
the port number, the source and destination IP addresses, and the
source and destination MAC addresses.
◆
If multiple, identical invalid ARP packets are received consecutively on
the same VLAN, then the logging facility will only generate one entry in
the log buffer and one corresponding system message.
– 331 –
CHAPTER 13 | Security Measures
ARP Inspection
◆
If the log buffer is full, the oldest entry will be replaced with the newest
entry.
PARAMETERS
These parameters are displayed:
◆
ARP Inspection Status – Enables ARP Inspection globally.
(Default: Disabled)
◆
ARP Inspection Validation – Enables extended ARP Inspection
Validation if any of the following options are enabled.
(Default: Disabled)
■
Dst-MAC – Validates the destination MAC address in the Ethernet
header against the target MAC address in the body of ARP
responses.
■
IP – Checks the ARP body for invalid and unexpected IP addresses.
Sender IP addresses are checked in all ARP requests and responses,
while target IP addresses are checked only in ARP responses.
■
Src-MAC – Validates the source MAC address in the Ethernet
header against the sender MAC address in the ARP body. This check
is performed on both ARP requests and responses.
◆
Log Message Number – The maximum number of entries saved in a
log message. (Range: 0-256; Default: 5)
◆
Log Interval – The interval at which log messages are sent.
(Range: 0-86400 seconds; Default: 1 second)
WEB INTERFACE
To configure global settings for ARP Inspection:
1. Click Security, ARP Inspection.
2. Select Configure General from the Step list.
3. Enable ARP inspection globally, enable any of the address validation
options, and adjust any of the logging parameters if required.
4. Click Apply.
– 332 –
CHAPTER 13 | Security Measures
ARP Inspection
Figure 179: Configuring Global Settings for ARP Inspection
CONFIGURING VLAN Use the Security > ARP Inspection (Configure VLAN) page to enable ARP
SETTINGS FOR ARP inspection for any VLAN and to specify the ARP ACL to use.
INSPECTION
CLI REFERENCES
◆ "ARP Inspection" on page 699
COMMAND USAGE
ARP Inspection VLAN Filters (ACLs)
◆
By default, no ARP Inspection ACLs are configured and the feature is
disabled.
◆
ARP Inspection ACLs are configured within the ARP ACL configuration
page (see page 327).
◆
ARP Inspection ACLs can be applied to any configured VLAN.
◆
ARP Inspection uses the DHCP snooping bindings database for the list
of valid IP-to-MAC address bindings. ARP ACLs take precedence over
entries in the DHCP snooping bindings database. The switch first
compares ARP packets to any specified ARP ACLs.
◆
If Static is specified, ARP packets are only validated against the
selected ACL – packets are filtered according to any matching rules,
packets not matching any rules are dropped, and the DHCP snooping
bindings database check is bypassed.
◆
If Static is not specified, ARP packets are first validated against the
selected ACL; if no ACL rules match the packets, then the DHCP
snooping bindings database determines their validity.
PARAMETERS
These parameters are displayed:
◆
ARP Inspection VLAN ID – Selects any configured VLAN. (Default: 1)
◆
ARP Inspection VLAN Status – Enables ARP Inspection for the
selected VLAN. (Default: Disabled)
– 333 –
CHAPTER 13 | Security Measures
ARP Inspection
◆
ARP Inspection ACL Name
■
■
ARP ACL – Allows selection of any configured ARP ACLs.
(Default: None)
Static – When an ARP ACL is selected, and static mode also
selected, the switch only performs ARP Inspection and bypasses
validation against the DHCP Snooping Bindings database. When an
ARP ACL is selected, but static mode is not selected, the switch first
performs ARP Inspection and then validation against the DHCP
Snooping Bindings database. (Default: Disabled)
WEB INTERFACE
To configure VLAN settings for ARP Inspection:
1. Click Security, ARP Inspection.
2. Select Configure VLAN from the Step list.
3. Enable ARP inspection for the required VLANs, select an ARP ACL filter
to check for configured addresses, and select the Static option to
bypass checking the DHCP snooping bindings database if required.
4. Click Apply.
Figure 180: Configuring VLAN Settings for ARP Inspection
CONFIGURING Use the Security > ARP Inspection (Configure Interface) page to specify
INTERFACE SETTINGS the ports that require ARP inspection, and to adjust the packet inspection
FOR ARP INSPECTION rate.
CLI REFERENCES
◆ "ARP Inspection" on page 699
PARAMETERS
These parameters are displayed:
◆
Port – Port identifier.
◆
Trust Status – Configures the port as trusted or untrusted.
(Default: Untrusted)
– 334 –
CHAPTER 13 | Security Measures
ARP Inspection
By default, all untrusted ports are subject to ARP packet rate limiting,
and all trusted ports are exempt from ARP packet rate limiting.
Packets arriving on trusted interfaces bypass all ARP Inspection and
ARP Inspection Validation checks and will always be forwarded, while
those arriving on untrusted interfaces are subject to all configured ARP
inspection tests.
◆
Packet Rate Limit – Sets the maximum number of ARP packets that
can be processed by CPU per second on trusted or untrusted ports.
(Range: 0-2048; Default: 15)
Setting the rate limit to “0” means that there is no restriction on the
number of ARP packets that can be processed by the CPU.
The switch will drop all ARP packets received on a port which exceeds
the configured ARP-packets-per-second rate limit.
WEB INTERFACE
To configure interface settings for ARP Inspection:
1. Click Security, ARP Inspection.
2. Select Configure Interface from the Step list.
3. Specify any untrusted ports which require ARP inspection, and adjust
the packet inspection rate.
4. Click Apply.
Figure 181: Configuring Interface Settings for ARP Inspection
– 335 –
CHAPTER 13 | Security Measures
ARP Inspection
DISPLAYING ARP Use the Security > ARP Inspection (Show Information - Show Statistics)
INSPECTION page to display statistics about the number of ARP packets processed, or
STATISTICS dropped for various reasons.
CLI REFERENCES
◆ "show ip arp inspection statistics" on page 707
PARAMETERS
These parameters are displayed:
Table 22: ARP Inspection Statistics
Parameter
Description
Received ARP packets before
ARP inspection rate limit
Count of ARP packets received but not exceeding the ARP
Inspection rate limit.
Dropped ARP packets in the
process of ARP inspection rate
limit
Count of ARP packets exceeding (and dropped by) ARP rate
limiting.
ARP packets dropped by
additional validation (IP)
Count of ARP packets that failed the IP address test.
ARP packets dropped by
additional validation
(Dst-MAC)
Count of packets that failed the destination MAC address test.
Total ARP packets processed
by ARP inspection
Count of all ARP packets processed by the ARP Inspection
engine.
ARP packets dropped by
additional validation
(Src-MAC)
Count of packets that failed the source MAC address test.
ARP packets dropped by ARP
ACLs
Count of ARP packets that failed validation against ARP ACL
rules.
ARP packets dropped by
DHCP snooping
Count of packets that failed validation against the DHCP
Snooping Binding database.
– 336 –
CHAPTER 13 | Security Measures
ARP Inspection
WEB INTERFACE
To display statistics for ARP Inspection:
1. Click Security, ARP Inspection.
2. Select Show Information from the Step list.
3. Select Show Statistics from the Action list.
Figure 182: Displaying Statistics for ARP Inspection
DISPLAYING THE ARP Use the Security > ARP Inspection (Show Information - Show Log) page to
INSPECTION LOG show information about entries stored in the log, including the associated
VLAN, port, and address components.
CLI REFERENCES
◆ "show ip arp inspection log" on page 707
PARAMETERS
These parameters are displayed:
Table 23: ARP Inspection Log
Parameter
Description
VLAN ID
The VLAN where this packet was seen.
Port
The port where this packet was seen.
Src. IP Address
The source IP address in the packet.
Dst. IP Address
The destination IP address in the packet.
Src. MAC Address
The source MAC address in the packet.
Dst. MAC Address
The destination MAC address in the packet.
– 337 –
CHAPTER 13 | Security Measures
Filtering IP Addresses for Management Access
WEB INTERFACE
To display the ARP Inspection log:
1. Click Security, ARP Inspection.
2. Select Show Information from the Step list.
3. Select Show Log from the Action list.
Figure 183: Displaying the ARP Inspection Log
FILTERING IP ADDRESSES FOR MANAGEMENT ACCESS
Use the Security > IP Filter page to create a list of up to 15 IP addresses or
IP address groups that are allowed management access to the switch
through the web interface, SNMP, or Telnet.
CLI REFERENCES
◆ "Management IP Filter" on page 660
COMMAND USAGE
◆ The management interfaces are open to all IP addresses by default.
Once you add an entry to a filter list, access to that interface is
restricted to the specified addresses.
◆
If anyone tries to access a management interface on the switch from an
invalid address, the switch will reject the connection, enter an event
message in the system log, and send a trap message to the trap
manager.
◆
IP address can be configured for SNMP, web and Telnet access
respectively. Each of these groups can include up to five different sets
of addresses, either individual addresses or address ranges.
◆
When entering addresses for the same group (i.e., SNMP, web or
Telnet), the switch will not accept overlapping address ranges. When
entering addresses for different groups, the switch will accept
overlapping address ranges.
◆
You cannot delete an individual address from a specified range. You
must delete the entire range, and reenter the addresses.
– 338 –
CHAPTER 13 | Security Measures
Filtering IP Addresses for Management Access
◆
You can delete an address range just by specifying the start address, or
by specifying both the start address and end address.
PARAMETERS
These parameters are displayed:
◆
Mode
■
Web – Configures IP address(es) for the web group.
■
SNMP – Configures IP address(es) for the SNMP group.
■
Telnet – Configures IP address(es) for the Telnet group.
◆
Start IP Address – A single IP address, or the starting address of a
range.
◆
End IP Address – The end address of a range.
WEB INTERFACE
To create a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Add from the Action list.
3. Select the management interface to filter (Web, SNMP, Telnet).
4. Enter the IP addresses or range of addresses that are allowed
management access to an interface.
5. Click Apply
Figure 184: Creating an IP Address Filter for Management Access
– 339 –
CHAPTER 13 | Security Measures
Configuring Port Security
To show a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Show from the Action list.
Figure 185: Showing IP Addresses Authorized for Management Access
CONFIGURING PORT SECURITY
Use the Security > Port Security page to configure the maximum number
of device MAC addresses that can be learned by a switch port, stored in the
address table, and authorized to access the network.
When port security is enabled on a port, the switch stops learning new MAC
addresses on the specified port when it has reached a configured maximum
number. Only incoming traffic with source addresses already stored in the
address table will be authorized to access the network through that port. If
a device with an unauthorized MAC address attempts to use the switch
port, the intrusion will be detected and the switch can automatically take
action by disabling the port and sending a trap message.
CLI REFERENCES
◆ "Port Security" on page 664
COMMAND USAGE
◆ The default maximum number of MAC addresses allowed on a secure
port is zero (that is, disabled). To use port security, you must configure
the maximum number of addresses allowed on a port.
◆
To configure the maximum number of address entries which can be
learned on a port, first disable port security on a port, and then specify
the maximum number of dynamic addresses allowed. The switch will
learn up to the maximum number of allowed address pairs <source
MAC address, VLAN> for frames received on the port. When the port
has reached the maximum number of MAC addresses, the port will stop
learning new addresses. The MAC addresses already in the address
table will be retained and will not be aged out.
Note that you can manually add additional secure addresses to a port
using the Static Address Table (page 195).
– 340 –
CHAPTER 13 | Security Measures
Configuring Port Security
◆
If port security is enabled, and the maximum number of allowed
addresses are set to a non-zero value, any device not in the address
table that attempts to use the port will be prevented from accessing the
switch.
◆
When the port security state is changed from enabled to disabled, all
dynamically learned entries are cleared from the address table.
◆
If a port is disabled (shut down) due to a security violation, it must be
manually re-enabled from the Interface > Port > General page
(page 127).
◆
A secure port has the following restrictions:
■
It cannot be used as a member of a static or dynamic trunk.
■
It should not be connected to a network interconnection device.
PARAMETERS
These parameters are displayed:
◆
Interface – Port or trunk identifier.
◆
Action – Indicates the action to be taken when a port security violation
is detected:
■
None: No action should be taken. (This is the default.)
■
Trap: Send an SNMP trap message.
■
Shutdown: Disable the port.
■
Trap and Shutdown: Send an SNMP trap message and disable the
port.
◆
Security Status – Enables or disables port security on the port.
(Default: Disabled)
◆
Max MAC Count – The maximum number of MAC addresses that can
be learned on a port. (Range: 0 - 1024, where 0 means disabled)
The maximum address count is effective when port security is enabled
or disabled, but can only be set when Security Status is disabled.
WEB INTERFACE
To set the maximum number of addresses which can be learned on a port:
1. Click Security, Port Security.
2. If port security is enabled on the selected port, first clear the check box
in Security Status column to disable security.
3. Set the maximum number of MAC addresses allowed on the port.
4. Click Apply.
– 341 –
CHAPTER 13 | Security Measures
Configuring 802.1X Port Authentication
Figure 186: Setting the Maximum Address Count for Port Security
To enable port security:
1. Click Security, Port Security.
2. Set the action to take when an invalid address is detected on a port.
3. Mark the check box in the Security Status column to enable security.
4. Click Apply.
Figure 187: Configuring the Status and Response for Port Security
CONFIGURING 802.1X PORT AUTHENTICATION
Network switches can provide open and easy access to network resources
by simply attaching a client PC. Although this automatic configuration and
access is a desirable feature, it also allows unauthorized personnel to easily
intrude and possibly gain access to sensitive network data.
The IEEE 802.1X (dot1X) standard defines a port-based access control
procedure that prevents unauthorized access to a network by requiring
users to first submit credentials for authentication. Access to all switch
ports in a network can be centrally controlled from a server, which means
that authorized users can use the same credentials for authentication from
any point within the network.
This switch uses the Extensible Authentication Protocol over LANs (EAPOL)
to exchange authentication protocol messages with the client, and a
– 342 –
CHAPTER 13 | Security Measures
Configuring 802.1X Port Authentication
remote RADIUS authentication server to verify user identity and access
rights. When a client (i.e., Supplicant) connects to a switch port, the switch
(i.e., Authenticator) responds with an EAPOL identity request. The client
provides its identity (such as a user name) in an EAPOL response to the
switch, which it forwards to the RADIUS server. The RADIUS server verifies
the client identity and sends an access challenge back to the client. The
EAP packet from the RADIUS server contains not only the challenge, but
the authentication method to be used. The client can reject the
authentication method and request another, depending on the
configuration of the client software and the RADIUS server. The encryption
method used to pass authentication messages can be MD5 (MessageDigest 5), TLS (Transport Layer Security), PEAP (Protected Extensible
Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The
client responds to the appropriate method with its credentials, such as a
password or certificate. The RADIUS server verifies the client credentials
and responds with an accept or reject packet. If authentication is
successful, the switch allows the client to access the network. Otherwise,
non-EAP traffic on the port is blocked or assigned to a guest VLAN based on
the “intrusion-action” setting. In “multi-host” mode, only one host
connected to a port needs to pass authentication for all other hosts to be
granted network access. Similarly, a port can become unauthorized for all
hosts if one attached host fails re-authentication or sends an EAPOL logoff
message.
Figure 188: Configuring Port Security
802.1x
client
RADIUS
server
1. Client attempts to access a switch port.
2. Switch sends client an identity request.
3. Client sends back identity information.
4. Switch forwards this to authentication server.
5. Authentication server challenges client.
6. Client responds with proper credentials.
7. Authentication server approves access.
8. Switch grants client access to this port.
The operation of 802.1X on the switch requires the following:
◆
The switch must have an IP address assigned.
◆
RADIUS authentication must be enabled on the switch and the IP
address of the RADIUS server specified.
◆
802.1X must be enabled globally for the switch.
◆
Each switch port that will be used must be set to dot1X “Auto” mode.
◆
Each client that needs to be authenticated must have dot1X client
software installed and properly configured.
– 343 –
CHAPTER 13 | Security Measures
Configuring 802.1X Port Authentication
◆
The RADIUS server and 802.1X client support EAP. (The switch only
supports EAPOL in order to pass the EAP packets from the server to the
client.)
◆
The RADIUS server and client also have to support the same EAP
authentication type – MD5, PEAP, TLS, or TTLS. (Native support for
these encryption methods is provided in Windows 8, Windows 7, Vista,
and XP, and in Windows 2000 with Service Pack 4. To support these
encryption methods in Windows 95 and 98, you can use the AEGIS
dot1x client or other comparable client software)
CONFIGURING 802.1X Use the Security > Port Authentication (Configure Global) page to
GLOBAL SETTINGS configure IEEE 802.1X port authentication. The 802.1X protocol must be
enabled globally for the switch system before port settings are active.
CLI REFERENCES
◆ "802.1X Port Authentication" on page 645
PARAMETERS
These parameters are displayed:
◆
Port Authentication Status – Sets the global setting for 802.1X.
(Default: Disabled)
◆
EAPOL Pass Through – Passes EAPOL frames through to all ports in
STP forwarding state when dot1x is globally disabled.
(Default: Disabled)
When this device is functioning as intermediate node in the network
and does not need to perform dot1x authentication, EAPOL Pass
Through can be enabled to allow the switch to forward EAPOL frames
from other switches on to the authentication servers, thereby allowing
the authentication process to still be carried out by switches located on
the edge of the network.
When this device is functioning as an edge switch but does not require
any attached clients to be authenticated, EAPOL Pass Through can be
disabled to discard unnecessary EAPOL traffic.
◆
Identity Profile User Name – The dot1x supplicant user name.
(Range: 1-8 characters)
The global supplicant user name and password are used to identify this
switch as a supplicant when responding to an MD5 challenge from the
authenticator. These parameters must be set when this switch passes
client authentication requests to another authenticator on the network
(see "Configuring Port Supplicant Settings for 802.1X" on page 349).
◆
Set Password – Allows the dot1x supplicant password to be entered.
◆
Identity Profile Password – The dot1x supplicant password used to
identify this switch as a supplicant when responding to an MD5
challenge from the authenticator. (Range: 1-8 characters)
– 344 –
CHAPTER 13 | Security Measures
Configuring 802.1X Port Authentication
◆
Confirm Profile Password – This field is used to confirm the dot1x
supplicant password.
WEB INTERFACE
To configure global settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Global from the Step list.
3. Enable 802.1X globally for the switch, and configure EAPOL Pass
Through if required. Then set the user name and password to use when
the switch responds an MD5 challenge from the authentication server.
4. Click Apply
Figure 189: Configuring Global Settings for 802.1X Port Authentication
CONFIGURING PORT Use the Security > Port Authentication (Configure Interface –
AUTHENTICATOR Authenticator) page to configure 802.1X port settings for the switch as the
SETTINGS FOR 802.1X local authenticator. When 802.1X is enabled, you need to configure the
parameters for the authentication process that runs between the client and
the switch (i.e., authenticator), as well as the client identity lookup process
that runs between the switch and authentication server.
CLI REFERENCES
◆ "802.1X Port Authentication" on page 645
COMMAND USAGE
◆ When the switch functions as a local authenticator between supplicant
devices attached to the switch and the authentication server, configure
the parameters for the exchange of EAP messages between the
authenticator and clients on the Authenticator configuration page.
◆
When devices attached to a port must submit requests to another
authenticator on the network, configure the Identity Profile parameters
on the Configure Global page (see "Configuring 802.1X Global Settings"
on page 344) which identify this switch as a supplicant, and configure
the supplicant parameters for those ports which must authenticate
– 345 –
CHAPTER 13 | Security Measures
Configuring 802.1X Port Authentication
clients through the remote authenticator (see "Configuring Port
Supplicant Settings for 802.1X" on page 349).
◆
This switch can be configured to serve as the authenticator on selected
ports by setting the Control Mode to Auto on this configuration page,
and as a supplicant on other ports by the setting the control mode to
Force-Authorized on this page and enabling the PAE supplicant on the
Supplicant configuration page.
PARAMETERS
These parameters are displayed:
◆
Port – Port number.
◆
Status – Indicates if authentication is enabled or disabled on the port.
The status is disabled if the control mode is set to Force-Authorized.
◆
Authorized – Displays the 802.1X authorization status of connected
clients.
■
Yes – Connected client is authorized.
■
N/A – Connected client is not authorized, or port is not connected.
◆
Supplicant – Indicates the MAC address of a connected client.
◆
Control Mode – Sets the authentication mode to one of the following
options:
◆
■
Auto – Requires a dot1x-aware client to be authorized by the
authentication server. Clients that are not dot1x-aware will be
denied access.
■
Force-Authorized – Forces the port to grant access to all clients,
either dot1x-aware or otherwise. (This is the default setting.)
■
Force-Unauthorized – Forces the port to deny access to all
clients, either dot1x-aware or otherwise.
Operation Mode – Allows single or multiple hosts (clients) to connect
to an 802.1X-authorized port. (Default: Single-Host)
■
Single-Host – Allows only a single host to connect to this port.
■
Multi-Host – Allows multiple host to connect to this port.
In this mode, only one host connected to a port needs to pass
authentication for all other hosts to be granted network access.
Similarly, a port can become unauthorized for all hosts if one
attached host fails re-authentication or sends an EAPOL logoff
message.
– 346 –
CHAPTER 13 | Security Measures
Configuring 802.1X Port Authentication
■
MAC-Based – Allows multiple hosts to connect to this port, with
each host needing to be authenticated.
In this mode, each host connected to a port needs to pass
authentication. The number of hosts allowed access to a port
operating in this mode is limited only by the available space in the
secure address table (i.e., up to 1024 addresses).
◆
Max MAC Count – The maximum number of hosts that can connect to
a port when the Multi-Host operation mode is selected.
(Range: 1-1024; Default: 5)
◆
Max-Request – Sets the maximum number of times the switch port
will retransmit an EAP request packet to the client before it times out
the authentication session. (Range: 1-10; Default 2)
◆
Quiet Period – Sets the time that a switch port waits after the Max
Request Count has been exceeded before attempting to acquire a new
client. (Range: 1-65535 seconds; Default: 60 seconds)
◆
Tx Period – Sets the time period during an authentication session that
the switch waits before re-transmitting an EAP packet.
(Range: 1-65535; Default: 30 seconds)
◆
Supplicant Timeout – Sets the time that a switch port waits for a
response to an EAP request from a client before re-transmitting an EAP
packet. (Range: 1-65535; Default: 30 seconds)
This command attribute sets the timeout for EAP-request frames other
than EAP-request/identity frames. If dot1x authentication is enabled on
a port, the switch will initiate authentication when the port link state
comes up. It will send an EAP-request/identity frame to the client to
request its identity, followed by one or more requests for authentication
information. It may also send other EAP-request frames to the client
during an active connection as required for reauthentication.
◆
Server Timeout – Sets the time that a switch port waits for a response
to an EAP request from an authentication server before re-transmitting
an EAP packet. (Default: 0 seconds)
A RADIUS server must be set before the correct operational value of 10
seconds will be displayed in this field. (See "Configuring Remote Logon
Authentication Servers" on page 278.)
◆
Re-authentication Status – Sets the client to be re-authenticated
after the interval specified by the Re-authentication Period. Reauthentication can be used to detect if a new device is plugged into a
switch port. (Default: Disabled)
◆
Re-authentication Period – Sets the time period after which a
connected client must be re-authenticated. (Range: 1-65535 seconds;
Default: 3600 seconds)
– 347 –
CHAPTER 13 | Security Measures
Configuring 802.1X Port Authentication
◆
Intrusion Action – Sets the port’s response to a failed authentication.
■
■
Block Traffic – Blocks all non-EAP traffic on the port. (This is the
default setting.)
Guest VLAN – All traffic for the port is assigned to a guest VLAN.
The guest VLAN must be separately configured (See "Configuring
VLAN Groups" on page 170) and mapped on each port (See
"Configuring Network Access for Ports" on page 300).
Authenticator PAE State Machine
◆
State – Current state (including initialize, disconnected, connecting,
authenticating, authenticated, aborting, held, force_authorized,
force_unauthorized).
◆
Reauth Count – Number of times connecting state is re-entered.
◆
Current Identifier – Identifier sent in each EAP Success, Failure or
Request packet by the Authentication Server.
Backend State Machine
◆
State – Current state (including request, response, success, fail,
timeout, idle, initialize).
◆
Request Count – Number of EAP Request packets sent to the
Supplicant without receiving a response.
◆
Identifier (Server) – Identifier carried in the most recent EAP
Success, Failure or Request packet received from the Authentication
Server.
Reauthentication State Machine
◆
State – Current state (including initialize, reauthenticate).
WEB INTERFACE
To configure port authenticator settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Interface from the Step list.
3. Click Authenticator.
4. Modify the authentication settings for each port as required.
5. Click Apply
– 348 –
CHAPTER 13 | Security Measures
Configuring 802.1X Port Authentication
Figure 190: Configuring Interface Settings for 802.1X Port Authenticator
CONFIGURING PORT Use the Security > Port Authentication (Configure Interface – Supplicant)
SUPPLICANT SETTINGS page to configure 802.1X port settings for supplicant requests issued from
FOR 802.1X a port to an authenticator on another device. When 802.1X is enabled and
the control mode is set to Force-Authorized (see "Configuring Port
Authenticator Settings for 802.1X" on page 345), you need to configure
the parameters for the client supplicant process if the client must be
authenticated through another device in the network.
CLI REFERENCES
◆ "802.1X Port Authentication" on page 645
– 349 –
CHAPTER 13 | Security Measures
Configuring 802.1X Port Authentication
COMMAND USAGE
◆ When devices attached to a port must submit requests to another
authenticator on the network, configure the Identity Profile parameters
on the Configure Global page (see "Configuring 802.1X Global Settings"
on page 344) which identify this switch as a supplicant, and configure
the supplicant parameters for those ports which must authenticate
clients through the remote authenticator on this configuration page.
When PAE supplicant mode is enabled on a port, it will not respond to
dot1x messages meant for an authenticator.
◆
This switch can be configured to serve as the authenticator on selected
ports by setting the Control Mode to Auto on the Authenticator
configuration page, and as a supplicant on other ports by the setting
the control mode to Force-Authorized on that configuration page and
enabling the PAE supplicant on the Supplicant configuration page.
PARAMETERS
These parameters are displayed:
◆
Port – Port number.
◆
PAE Supplicant – Enables PAE supplicant mode. (Default: Disabled)
If the attached client must be authenticated through another device in
the network, supplicant status must be enabled.
Supplicant status can only be enabled if PAE Control Mode is set to
“Force-Authorized” on this port (see "Configuring Port Authenticator
Settings for 802.1X" on page 345).
PAE supplicant status cannot be enabled if a port is a member of trunk
or LACP is enabled on the port.
◆
Authentication Period – The time that a supplicant port waits for a
response from the authenticator. (Range: 1-65535 seconds;
Default: 30 seconds)
◆
Held Period – The time that a supplicant port waits before resending
its credentials to find a new an authenticator. (Range: 1-65535
seconds; Default: 30 seconds)
◆
Start Period – The time that a supplicant port waits before resending
an EAPOL start frame to the authenticator. (Range: 1-65535 seconds;
Default: 30 seconds)
◆
Maximum Start – The maximum number of times that a port
supplicant will send an EAP start frame to the client before assuming
that the client is 802.1X unaware. (Range: 1-65535; Default: 3)
◆
Authenticated – Shows whether or not the supplicant has been
authenticated.
– 350 –
CHAPTER 13 | Security Measures
Configuring 802.1X Port Authentication
WEB INTERFACE
To configure port authenticator settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Interface from the Step list.
3. Click Supplicant.
4. Modify the supplicant settings for each port as required.
5. Click Apply
Figure 191: Configuring Interface Settings for 802.1X Port Supplicant
DISPLAYING 802.1X Use the Security > Port Authentication (Show Statistics) page to display
STATISTICS statistics for dot1x protocol exchanges for any port.
CLI REFERENCES
◆ "show dot1x" on page 657
PARAMETERS
These parameters are displayed:
Table 24: 802.1X Statistics
Parameter
Description
Authenticator
Rx EAPOL Start
The number of EAPOL Start frames that have been received
by this Authenticator.
Rx EAPOL Logoff
The number of EAPOL Logoff frames that have been received
by this Authenticator.
Rx EAPOL Invalid
The number of EAPOL frames that have been received by this
Authenticator in which the frame type is not recognized.
– 351 –
CHAPTER 13 | Security Measures
Configuring 802.1X Port Authentication
Table 24: 802.1X Statistics (Continued)
Parameter
Description
Rx EAPOL Total
The number of valid EAPOL frames of any type that have been
received by this Authenticator.
Rx Last EAPOLVer
The protocol version number carried in the most recent EAPOL
frame received by this Authenticator.
Rx Last EAPOLSrc
The source MAC address carried in the most recent EAPOL
frame received by this Authenticator.
Rx EAP Resp/Id
The number of EAP Resp/Id frames that have been received
by this Authenticator.
Rx EAP Resp/Oth
The number of valid EAP Response frames (other than Resp/
Id frames) that have been received by this Authenticator.
Rx EAP LenError
The number of EAPOL frames that have been received by this
Authenticator in which the Packet Body Length field is invalid.
Tx EAP Req/Id
The number of EAP Req/Id frames that have been transmitted
by this Authenticator.
Tx EAP Req/Oth
The number of EAP Request frames (other than Rq/Id frames)
that have been transmitted by this Authenticator.
Tx EAPOL Total
The number of EAPOL frames of any type that have been
transmitted by this Authenticator.
Supplicant
Rx EAPOL Invalid
The number of EAPOL frames that have been received by this
Supplicant in which the frame type is not recognized.
Rx EAPOL Total
The number of valid EAPOL frames of any type that have been
received by this Supplicant.
Rx Last EAPOLVer
The protocol version number carried in the most recent EAPOL
frame received by this Supplicant.
Rx Last EAPOLSrc
The source MAC address carried in the most recent EAPOL
frame received by this Supplicant.
Rx EAP Resp/Id
The number of EAP Resp/Id frames that have been received
by this Supplicant.
Rx EAP Resp/Oth
The number of valid EAP Response frames (other than Resp/
Id frames) that have been received by this Supplicant.
Rx EAP LenError
The number of EAPOL frames that have been received by this
Supplicant in which the Packet Body Length field is invalid.
Tx EAPOL Total
The number of EAPOL frames of any type that have been
transmitted by this Supplicant.
Tx EAPOL Start
The number of EAPOL Start frames that have been
transmitted by this Supplicant.
Tx EAPOL Logoff
The number of EAPOL Logoff frames that have been
transmitted by this Supplicant.
Tx EAP Req/Id
The number of EAP Req/Id frames that have been transmitted
by this Supplicant.
Tx EAP Req/Oth
The number of EAP Request frames (other than Rq/Id frames)
that have been transmitted by this Supplicant.
– 352 –
CHAPTER 13 | Security Measures
Configuring 802.1X Port Authentication
WEB INTERFACE
To display port authenticator statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Authenticator.
Figure 192: Showing Statistics for 802.1X Port Authenticator
To display port supplicant statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Supplicant.
Figure 193: Showing Statistics for 802.1X Port Supplicant
– 353 –
CHAPTER 13 | Security Measures
IP Source Guard
IP SOURCE GUARD
IP Source Guard is a security feature that filters IP traffic on network
interfaces based on manually configured entries in the IP Source Guard
table, or dynamic entries in the DHCP Snooping table when enabled (see
"DHCP Snooping" on page 359). IP source guard can be used to prevent
traffic attacks caused when a host tries to use the IP address of a neighbor
to access the network. This section describes commands used to configure
IP Source Guard.
CONFIGURING PORTS Use the Security > IP Source Guard > Port Configuration page to set the
FOR IP SOURCE filtering type based on source IP address, or source IP address and MAC
GUARD address pairs.
IP Source Guard is used to filter traffic on an insecure port which receives
messages from outside the network or fire wall, and therefore may be
subject to traffic attacks caused by a host trying to use the IP address of a
neighbor.
CLI REFERENCES
◆ "ip source-guard" on page 696
COMMAND USAGE
◆ Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP
and MAC) enables this function on the selected port. Use the SIP option
to check the VLAN ID, source IP address, and port number against all
entries in the binding table. Use the SIP-MAC option to check these
same parameters, plus the source MAC address. If no matching entry is
found, the packet is dropped.
NOTE: Multicast addresses cannot be used by IP Source Guard.
◆
When enabled, traffic is filtered based upon dynamic entries learned via
DHCP snooping (see "DHCP Snooping" on page 359), or static
addresses configured in the source guard binding table.
◆
If IP source guard is enabled, an inbound packet’s IP address (SIP
option) or both its IP address and corresponding MAC address (SIPMAC option) will be checked against the binding table. If no matching
entry is found, the packet will be dropped.
◆
Filtering rules are implemented as follows:
■
If DHCP snooping is disabled (see page 362), IP source guard will
check the VLAN ID, source IP address, port number, and source
MAC address (for the SIP-MAC option). If a matching entry is found
in the binding table and the entry type is static IP source guard
binding, the packet will be forwarded.
– 354 –
CHAPTER 13 | Security Measures
IP Source Guard
■
■
If DHCP snooping is enabled, IP source guard will check the VLAN
ID, source IP address, port number, and source MAC address (for
the SIP-MAC option). If a matching entry is found in the binding
table and the entry type is static IP source guard binding, or
dynamic DHCP snooping binding, the packet will be forwarded.
If IP source guard if enabled on an interface for which IP source
bindings have not yet been configured (neither by static
configuration in the IP source guard binding table nor dynamically
learned from DHCP snooping), the switch will drop all IP traffic on
that port, except for DHCP packets.
PARAMETERS
These parameters are displayed:
◆
◆
Filter Type – Configures the switch to filter inbound traffic based
source IP address, or source IP address and corresponding MAC
address. (Default: None)
■
None – Disables IP source guard filtering on the port.
■
SIP – Enables traffic filtering based on IP addresses stored in the
binding table.
■
SIP-MAC – Enables traffic filtering based on IP addresses and
corresponding MAC addresses stored in the binding table.
Max Binding Entry – The maximum number of entries that can be
bound to an interface. (Range: 1-5; Default: 5)
This parameter sets the maximum number of address entries that can
be mapped to an interface in the binding table, including both dynamic
entries discovered by DHCP snooping (see "DHCP Snooping" on
page 359) and static entries set by IP source guard (see "Configuring
Static Bindings for IP Source Guard" on page 356).
WEB INTERFACE
To set the IP Source Guard filter for ports:
1. Click Security, IP Source Guard, Port Configuration.
2. Set the required filtering type for each port.
3. Click Apply
– 355 –
CHAPTER 13 | Security Measures
IP Source Guard
Figure 194: Setting the Filter Type for IP Source Guard
CONFIGURING STATIC Use the Security > IP Source Guard > Static Configuration page to bind a
BINDINGS FOR IP static address to a port. Table entries include a MAC address, IP address,
SOURCE GUARD lease time, entry type (Static, Dynamic), VLAN identifier, and port
identifier. All static entries are configured with an infinite lease time, which
is indicated with a value of zero in the table.
CLI REFERENCES
◆ "ip source-guard binding" on page 694
COMMAND USAGE
◆ Static addresses entered in the source guard binding table are
automatically configured with an infinite lease time. Dynamic entries
learned via DHCP snooping are configured by the DHCP server itself.
◆
Static bindings are processed as follows:
■
■
■
■
If there is no entry with the same VLAN ID and MAC address, a new
entry is added to the binding table using the type “static IP source
guard binding.”
If there is an entry with the same VLAN ID and MAC address, and
the type of entry is static IP source guard binding, then the new
entry will replace the old one.
If there is an entry with the same VLAN ID and MAC address, and
the type of the entry is dynamic DHCP snooping binding, then the
new entry will replace the old one and the entry type will be
changed to static IP source guard binding.
Only unicast addresses are accepted for static bindings.
PARAMETERS
These parameters are displayed:
Add
◆
Port – The port to which a static entry is bound.
◆
VLAN – ID of a configured VLAN (Range: 1-4093)
– 356 –
CHAPTER 13 | Security Measures
IP Source Guard
◆
MAC Address – A valid unicast MAC address.
◆
IP Address – A valid unicast IP address, including classful types A, B
or C.
Show
◆
VLAN – VLAN to which this entry is bound.
◆
MAC Address – Physical address associated with the entry.
◆
Interface – The port to which this entry is bound.
◆
IP Address – IP address corresponding to the client.
◆
Lease Time – The time for which this IP address is leased to the client.
(This value is zero for all static addresses.)
WEB INTERFACE
To configure static bindings for IP Source Guard:
1. Click Security, IP Source Guard, Static Configuration.
2. Select Add from the Action list.
3. Enter the required bindings for each port.
4. Click Apply
Figure 195: Configuring Static Bindings for IP Source Guard
To display static bindings for IP Source Guard:
1. Click Security, IP Source Guard, Static Configuration.
2. Select Show from the Action list.
– 357 –
CHAPTER 13 | Security Measures
IP Source Guard
Figure 196: Displaying Static Bindings for IP Source Guard
DISPLAYING Use the Security > IP Source Guard > Dynamic Binding page to display the
INFORMATION FOR source-guard binding table for a selected interface.
DYNAMIC IP SOURCE
GUARD BINDINGS CLI REFERENCES
◆
"show ip dhcp snooping binding" on page 693
PARAMETERS
These parameters are displayed:
Query by
◆
Port – A port on this switch.
◆
VLAN – ID of a configured VLAN (Range: 1-4093)
◆
MAC Address – A valid unicast MAC address.
◆
IP Address – A valid unicast IP address, including classful types A, B
or C.
Dynamic Binding List
◆
VLAN – VLAN to which this entry is bound.
◆
MAC Address – Physical address associated with the entry.
◆
Interface – Port to which this entry is bound.
◆
IP Address – IP address corresponding to the client.
◆
Type – IPv4 binding.
◆
Lease Time – The time for which this IP address is leased to the client.
– 358 –
CHAPTER 13 | Security Measures
DHCP Snooping
WEB INTERFACE
To display the binding table for IP Source Guard:
1. Click Security, IP Source Guard, Dynamic Binding.
2. Mark the search criteria, and enter the required values.
3. Click Query
Figure 197: Showing the IP Source Guard Binding Table
DHCP SNOOPING
The addresses assigned to DHCP clients on insecure ports can be carefully
controlled using the dynamic bindings registered with DHCP Snooping (or
using the static bindings configured with IP Source Guard). DHCP snooping
allows a switch to protect a network from rogue DHCP servers or other
devices which send port-related information to a DHCP server. This
information can be useful in tracking an IP address back to a physical port.
COMMAND USAGE
DHCP Snooping Process
◆
Network traffic may be disrupted when malicious DHCP messages are
received from an outside source. DHCP snooping is used to filter DHCP
messages received on a non-secure interface from outside the network
or fire wall. When DHCP snooping is enabled globally and enabled on a
VLAN interface, DHCP messages received on an untrusted interface
from a device not listed in the DHCP snooping table will be dropped.
◆
Table entries are only learned for trusted interfaces. An entry is added
or removed dynamically to the DHCP snooping table when a client
receives or releases an IP address from a DHCP server. Each entry
includes a MAC address, IP address, lease time, VLAN identifier, and
port identifier.
– 359 –
CHAPTER 13 | Security Measures
DHCP Snooping
◆
The rate limit for the number of DHCP messages that can be processed
by the switch is 100 packets per second. Any DHCP packets in excess of
this limit are dropped.
◆
When DHCP snooping is enabled, DHCP messages entering an
untrusted interface are filtered based upon dynamic entries learned via
DHCP snooping.
◆
Filtering rules are implemented as follows:
■
If the global DHCP snooping is disabled, all DHCP packets are
forwarded.
■
If DHCP snooping is enabled globally, and also enabled on the VLAN
where the DHCP packet is received, all DHCP packets are forwarded
for a trusted port. If the received packet is a DHCP ACK message, a
dynamic DHCP snooping entry is also added to the binding table.
■
If DHCP snooping is enabled globally, and also enabled on the VLAN
where the DHCP packet is received, but the port is not trusted, it is
processed as follows:
■
If the DHCP packet is a reply packet from a DHCP server
(including OFFER, ACK or NAK messages), the packet is
dropped.
■
If the DHCP packet is from a client, such as a DECLINE or
RELEASE message, the switch forwards the packet only if the
corresponding entry is found in the binding table.
■
If the DHCP packet is from a client, such as a DISCOVER,
REQUEST, INFORM, DECLINE or RELEASE message, the packet
is forwarded if MAC address verification is disabled. However, if
MAC address verification is enabled, then the packet will only be
forwarded if the client’s hardware address stored in the DHCP
packet is the same as the source MAC address in the Ethernet
header.
■
If the DHCP packet is not a recognizable type, it is dropped.
■
If a DHCP packet from a client passes the filtering criteria above, it
will only be forwarded to trusted ports in the same VLAN.
■
If a DHCP packet is from server is received on a trusted port, it will
be forwarded to both trusted and untrusted ports in the same VLAN.
■
If the DHCP snooping is globally disabled, all dynamic bindings are
removed from the binding table.
■
Additional considerations when the switch itself is a DHCP client –
The port(s) through which the switch submits a client request to the
DHCP server must be configured as trusted. Note that the switch
will not add a dynamic entry for itself to the binding table when it
receives an ACK message from a DHCP server. Also, when the
switch sends out DHCP client packets for itself, no filtering takes
place. However, when the switch receives any messages from a
– 360 –
CHAPTER 13 | Security Measures
DHCP Snooping
DHCP server, any packets received from untrusted ports are
dropped.
DHCP Snooping Option 82
◆
DHCP provides a relay mechanism for sending information about its
DHCP clients or the relay agent itself to the DHCP server. Also known as
DHCP Option 82, it allows compatible DHCP servers to use the
information when assigning IP addresses, or to set other services or
policies for clients. It is also an effective tool in preventing malicious
network attacks from attached clients on DHCP services, such as IP
Spoofing, Client Identifier Spoofing, MAC Address Spoofing, and
Address Exhaustion.
◆
DHCP Snooping must be enabled for Option 82 information to be
inserted into request packets.
◆
When the DHCP Snooping Information Option 82 is enabled, the
requesting client (or an intermediate relay agent that has used the
information fields to describe itself) can be identified in the DHCP
request packets forwarded by the switch and in reply packets sent back
from the DHCP server. This information may specify the MAC address or
IP address of the requesting device (that is, the switch in this context).
By default, the switch also fills in the Option 82 circuit-id field with
information indicating the local interface over which the switch received
the DHCP client request, including the port and VLAN ID. This allows
DHCP client-server exchange messages to be forwarded between the
server and client without having to flood them to the entire VLAN.
◆
If DHCP Snooping Information Option 82 is enabled on the switch,
information may be inserted into a DHCP request packet received over
any VLAN (depending on DHCP snooping filtering rules). The
information inserted into the relayed packets includes the circuit-id and
remote-id, as well as the gateway Internet address.
◆
When the switch receives DHCP packets from clients that already
include DHCP Option 82 information, the switch can be configured to
set the action policy for these packets. The switch can either drop the
DHCP packets, keep the existing information, or replace it with the
switch’s relay information.
– 361 –
CHAPTER 13 | Security Measures
DHCP Snooping
DHCP SNOOPING Use the IP Service > DHCP > Snooping (Configure Global) page to enable
GLOBAL DHCP Snooping globally on the switch, or to configure MAC Address
CONFIGURATION Verification.
CLI REFERENCES
◆ "DHCP Snooping" on page 685
PARAMETERS
These parameters are displayed:
◆
DHCP Snooping Status – Enables DHCP snooping globally.
(Default: Disabled)
◆
DHCP Snooping MAC-Address Verification – Enables or disables
MAC address verification. If the source MAC address in the Ethernet
header of the packet is not same as the client's hardware address in the
DHCP packet, the packet is dropped. (Default: Enabled)
◆
DHCP Snooping Information Option Status – Enables or disables
DHCP Option 82 information relay. (Default: Disabled)
◆
DHCP Snooping Information Option Policy – Specifies how to
handle DHCP client request packets which already contain Option 82
information.
■
Drop – Drops the client’s request packet instead of relaying it.
■
Keep – Retains the Option 82 information in the client request, and
forwards the packets to trusted ports.
■
Replace – Replaces the Option 82 information circuit-id and
remote-id fields in the client’s request with information about the
relay agent itself, inserts the relay agent’s address (when DHCP
snooping is enabled), and forwards the packets to trusted ports.
(This is the default policy.)
WEB INTERFACE
To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure Global from the Step list.
3. Select the required options for the general DHCP snooping process and
for the DHCP Option 82 information option.
4. Click Apply
– 362 –
CHAPTER 13 | Security Measures
DHCP Snooping
Figure 198: Configuring Global Settings for DHCP Snooping
DHCP SNOOPING Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or
VLAN disable DHCP snooping on specific VLANs.
CONFIGURATION
CLI REFERENCES
◆ "ip dhcp snooping vlan" on page 690
COMMAND USAGE
◆ When DHCP snooping is enabled globally on the switch, and enabled on
the specified VLAN, DHCP packet filtering will be performed on any
untrusted ports within the VLAN.
◆
When the DHCP snooping is globally disabled, DHCP snooping can still
be configured for specific VLANs, but the changes will not take effect
until DHCP snooping is globally re-enabled.
◆
When DHCP snooping is globally enabled, and DHCP snooping is then
disabled on a VLAN, all dynamic bindings learned for this VLAN are
removed from the binding table.
PARAMETERS
These parameters are displayed:
◆
VLAN – ID of a configured VLAN. (Range: 1-4093)
◆
DHCP Snooping Status – Enables or disables DHCP snooping for the
selected VLAN. When DHCP snooping is enabled globally on the switch,
and enabled on the specified VLAN, DHCP packet filtering will be
performed on any untrusted ports within the VLAN. (Default: Disabled)
– 363 –
CHAPTER 13 | Security Measures
DHCP Snooping
WEB INTERFACE
To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure VLAN from the Step list.
3. Enable DHCP Snooping on any existing VLAN.
4. Click Apply
Figure 199: Configuring DHCP Snooping on a VLAN
CONFIGURING PORTS Use the IP Service > DHCP > Snooping (Configure Interface) page to
FOR DHCP SNOOPING configure switch ports as trusted or untrusted.
CLI REFERENCES
◆ "ip dhcp snooping trust" on page 691
COMMAND USAGE
◆ A trusted interface is an interface that is configured to receive only
messages from within the network. An untrusted interface is an
interface that is configured to receive messages from outside the
network or fire wall.
◆
When DHCP snooping is enabled both globally and on a VLAN, DHCP
packet filtering will be performed on any untrusted ports within the
VLAN.
◆
When an untrusted port is changed to a trusted port, all the dynamic
DHCP snooping bindings associated with this port are removed.
◆
Set all ports connected to DHCP servers within the local network or fire
wall to trusted state. Set all other ports outside the local network or fire
wall to untrusted state.
PARAMETERS
These parameters are displayed:
◆
Trust Status – Enables or disables a port as trusted.
(Default: Disabled)
– 364 –
CHAPTER 13 | Security Measures
DHCP Snooping
WEB INTERFACE
To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure Interface from the Step list.
3. Set any ports within the local network or firewall to trusted.
4. Click Apply
Figure 200: Configuring the Port Mode for DHCP Snooping
DISPLAYING DHCP Use the IP Service > DHCP > Snooping (Show Information) page to display
SNOOPING BINDING entries in the binding table.
INFORMATION
CLI REFERENCES
◆ "show ip dhcp snooping binding" on page 693
PARAMETERS
These parameters are displayed:
◆
MAC Address – Physical address associated with the entry.
◆
IP Address – IP address corresponding to the client.
◆
Lease Time – The time for which this IP address is leased to the client.
◆
Type – Entry types include:
■
DHCP-Snooping – Dynamically snooped.
■
Static-DHCPSNP – Statically configured.
◆
VLAN – VLAN to which this entry is bound.
◆
Interface – Port or trunk to which this entry is bound.
◆
Store – Writes all dynamically learned snooping entries to flash
memory. This function can be used to store the currently learned
– 365 –
CHAPTER 13 | Security Measures
DoS Protection
dynamic DHCP snooping entries to flash memory. These entries will be
restored to the snooping table when the switch is reset. However, note
that the lease time shown for a dynamic entry that has been restored
from flash memory will no longer be valid.
◆
Clear – Removes all dynamically learned snooping entries from flash
memory.
WEB INTERFACE
To display the binding table for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Show Information from the Step list.
3. Use the Store or Clear function if required.
Figure 201: Displaying the Binding Table for DHCP Snooping
DOS PROTECTION
Use the Traffic > Packet Flow page to protect against denial-of-service
(DoS) attacks. A DoS attack is an attempt to block the services provided by
a computer or network resource. This kind of attack tries to prevent an
Internet site or service from functioning efficiently or at all. In general, DoS
attacks are implemented by either forcing the target to reset, to consume
most of its resources so that it can no longer provide its intended service,
or to obstruct the communication media between the intended users and
the target so that they can no longer communicate adequately. This section
describes how to protect against DoS attacks.
CLI REFERENCES
◆ "flow tcp-udp-port-zero" on page 708
– 366 –
CHAPTER 13 | Security Measures
DoS Protection
PARAMETERS
These parameters are displayed:
◆
TCP/UDP Port-Zero Status – Protects against DoS attacks in which
the UDP or TCP source port or destination port is set to zero. This
technique may be used as a form of DoS attack, or it may just indicate
a problem with the source device. Use the no form to restore the
default setting. (Options: Drop, Forward; Default: Drop)
WEB INTERFACE
To set the action to take for packets with Layer 4 port set to zero:
1. Click Traffic, Packet Flow.
2. Set the status to Drop or Forward.
3. Click Apply
Figure 202: Setting Action for Packets with Layer 4 Port Set to Zero
– 367 –
CHAPTER 13 | Security Measures
DoS Protection
– 368 –
14
BASIC ADMINISTRATION PROTOCOLS
This chapter describes basic administration tasks including:
◆
Event Logging – Sets conditions for logging event messages to system
memory or flash memory, configures conditions for sending trap
messages to remote log servers, and configures trap reporting to
remote hosts using Simple Mail Transfer Protocol (SMTP).
◆
Link Layer Discovery Protocol (LLDP) – Configures advertisement of
basic information about the local switch, or discovery of information
about neighboring devices on the local broadcast domain.
◆
Power over Ethernet – Sets the priority and power budget for each port.
◆
Simple Network Management Protocol (SNMP) – Configures switch
management through SNMPv1, SNMPv2c or SNMPv3.
◆
Remote Monitoring (RMON) – Configures local collection of detailed
statistics or events which can be subsequently retrieved through SNMP.
◆
Switch Clustering – Configures centralized management by a single unit
over a group of switches connected to the same local network
◆
Time Range – Sets a time range during which various functions are
applied, including applied ACLs or PoE
CONFIGURING EVENT LOGGING
The switch allows you to control the logging of error messages, including
the type of events that are recorded in switch memory, logging to a remote
System Log (syslog) server, and displays a list of recent event messages.
SYSTEM LOG Use the Administration > Log > System (Configure Global) page to enable
CONFIGURATION or disable event logging, and specify which levels are logged to RAM or
flash memory.
Severe error messages that are logged to flash memory are permanently
stored in the switch to assist in troubleshooting network problems. Up to
4096 log entries can be stored in the flash memory, with the oldest entries
being overwritten first when the available log memory (256 kilobytes) has
been exceeded.
– 369 –
CHAPTER 14 | Basic Administration Protocols
Configuring Event Logging
The System Logs page allows you to configure and limit system messages
that are logged to flash or RAM memory. The default is for event levels 0 to
3 to be logged to flash and levels 0 to 7 to be logged to RAM.
CLI REFERENCES
◆ "Event Logging" on page 555
PARAMETERS
These parameters are displayed:
◆
System Log Status – Enables/disables the logging of debug or error
messages to the logging process. (Default: Enabled)
◆
Flash Level – Limits log messages saved to the switch’s permanent
flash memory for all levels up to the specified level. For example, if
level 3 is specified, all messages from level 0 to level 3 will be logged to
flash. (Range: 0-7, Default: 3)
Table 25: Logging Levels
Level
Severity Name
Description
7
Debug
Debugging messages
6
Informational
Informational messages only
5
Notice
Normal but significant condition, such as cold
start
4
Warning
Warning conditions (e.g., return false,
unexpected return)
3
Error
Error conditions (e.g., invalid input, default used)
2
Critical
Critical conditions (e.g., memory allocation, or
free memory error - resource exhausted)
1
Alert
Immediate action needed
0
Emergency
System unusable
* There are only Level 2, 5 and 6 error messages for the current firmware release.
◆
RAM Level – Limits log messages saved to the switch’s temporary RAM
memory for all levels up to the specified level. For example, if level 7 is
specified, all messages from level 0 to level 7 will be logged to RAM.
(Range: 0-7, Default: 7)
NOTE: The Flash Level must be equal to or less than the RAM Level.
NOTE: All log messages are retained in RAM and Flash after a warm restart
(i.e., power is reset through the command interface).
NOTE: All log messages are retained in Flash and purged from RAM after a
cold restart (i.e., power is turned off and then on through the power
source).
– 370 –
CHAPTER 14 | Basic Administration Protocols
Configuring Event Logging
WEB INTERFACE
To configure the logging of error messages to system memory:
1. Click Administration, Log, System.
2. Select Configure Global from the Step list.
3. Enable or disable system logging, set the level of event messages to be
logged to flash memory and RAM.
4. Click Apply.
Figure 203: Configuring Settings for System Memory Logs
To show the error messages logged to system or flash memory:
1. Click Administration, Log, System.
2. Select Show Logs from the Step list.
3. Click RAM to display log messages stored in system memory, or Flash
to display messages stored in flash memory.
This page allows you to scroll through the logged system and event
messages. The switch can store up to 2048 log entries in temporary
random access memory (RAM; i.e., memory flushed on power reset)
and up to 4096 entries in permanent flash memory.
– 371 –
CHAPTER 14 | Basic Administration Protocols
Configuring Event Logging
Figure 204: Showing Error Messages Logged to System Memory
REMOTE LOG Use the Administration > Log > Remote page to send log messages to
CONFIGURATION syslog servers or other management stations. You can also limit the event
messages sent to only those messages below a specified level.
CLI REFERENCES
◆ "Event Logging" on page 555
PARAMETERS
These parameters are displayed:
◆
Remote Log Status – Enables/disables the logging of debug or error
messages to the remote logging process. (Default: Disabled)
◆
Logging Facility – Sets the facility type for remote logging of syslog
messages. There are eight facility types specified by values of 16 to 23.
The facility type is used by the syslog server to dispatch log messages
to an appropriate service.
The attribute specifies the facility type tag sent in syslog messages (see
RFC 3164). This type has no effect on the kind of messages reported by
the switch. However, it may be used by the syslog server to process
messages, such as sorting or storing messages in the corresponding
database. (Range: 16-23, Default: 23)
◆
Logging Trap Level – Limits log messages that are sent to the remote
syslog server for all levels up to the specified level. For example, if level
3 is specified, all messages from level 0 to level 3 will be sent to the
remote server. (Range: 0-7, Default: 7)
◆
Server IP Address – Specifies the IPv4 or IPv6 address of a remote
server which will be sent syslog messages.
– 372 –
CHAPTER 14 | Basic Administration Protocols
Configuring Event Logging
WEB INTERFACE
To configure the logging of error messages to remote servers:
1. Click Administration, Log, Remote.
2. Enable remote logging, specify the facility type to use for the syslog
messages. and enter the IP address of the remote servers.
3. Click Apply.
Figure 205: Configuring Settings for Remote Logging of Error Messages
SENDING SIMPLE MAIL Use the Administration > Log > SMTP (Configure General and Configure
TRANSFER PROTOCOL Server) pages to alert system administrators of problems by sending SMTP
ALERTS (Simple Mail Transfer Protocol) email messages when triggered by logging
events of a specified level. The messages are sent to specified SMTP
servers on the network and can be retrieved using POP or IMAP clients.
CLI REFERENCES
◆ "SMTP Alerts" on page 561
PARAMETERS
These parameters are displayed:
Configure General
◆
SMTP Status – Enables/disables the SMTP function. (Default: Enabled)
◆
Severity – Sets the syslog severity threshold level (see table on
page 370) used to trigger alert messages. All events at this level or
higher will be sent to the configured email recipients. For example,
using Level 7 will report all events from level 7 to level 0.
(Default: Level 7)
◆
Email Source Address – Sets the email address used for the “From”
field in alert messages. You may use a symbolic email address that
– 373 –
CHAPTER 14 | Basic Administration Protocols
Configuring Event Logging
identifies the switch, or the address of an administrator responsible for
the switch.
◆
Email Destination Address – Specifies the email recipients of alert
messages. You can specify up to five recipients.
Configure Server
◆
Host Name/IP Address – Specifies a list of up to three recipient
SMTP servers. IPv4 or IPv6 addresses may be specified. The switch
attempts to connect to the listed servers in sequential order if the first
server fails to respond.
For host name-to-IP address translation to function properly, host name
lookup must be enabled ("Configuring General DNS Service
Parameters" on page 463), and one or more DNS servers specified (see
"Configuring a List of Name Servers" on page 466, or "Configuring
Static DNS Host to Address Entries" on page 467).
◆
Authentication – Enables or disables user authentication.
◆
User Name – Name of SMTP server user. (Range: 1-8 characters)
◆
Password – Password of SMTP server user. (Range: 1-8 characters)
◆
Authentication Method – Indicates that Base 64 encoding is used.
WEB INTERFACE
To configure general settings for SMTP alert messages:
1. Click Administration, Log, SMTP.
2. Select Configure General from the Step list.
3. Enable SMTP, specify a source email address, and select the minimum
severity level. Specify the source and destination email addresses.
4. Click Apply.
Figure 206: Configuring General Settings for SMTP Alert Messages
– 374 –
CHAPTER 14 | Basic Administration Protocols
Configuring Event Logging
To specify SMTP servers:
1. Click Administration, Log, SMTP.
2. Select Configure Server from the Step list.
3. Select Add from the Action list.
4. Specify the host name or IP address of an SMTP server. If
authentication is enabled, specify the name and password for a user
configured on the SMTP server.
5. Click Apply.
Figure 207: Specifying SMTP Servers
To show a list of configured SMTP servers:
1. Click Administration, Log, SMTP.
2. Select Configure Server from the Step list.
3. Select Show from the Action list.
Figure 208: Showing Configured SMTP Servers
– 375 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
LINK LAYER DISCOVERY PROTOCOL
Link Layer Discovery Protocol (LLDP) is used to discover basic information
about neighboring devices on the local broadcast domain. LLDP is a Layer 2
protocol that uses periodic broadcasts to advertise information about the
sending device. Advertised information is represented in Type Length Value
(TLV) format according to the IEEE 802.1ab standard, and can include
details such as device identification, capabilities and configuration settings.
LLDP also defines how to store and maintain information gathered about
the neighboring network nodes it discovers.
Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) is an
extension of LLDP intended for managing endpoint devices such as Voice
over IP phones and network switches. The LLDP-MED TLVs advertise
information such as network policy, power, inventory, and device location
details. LLDP and LLDP-MED information can be used by SNMP applications
to simplify troubleshooting, enhance network management, and maintain
an accurate network topology.
SETTING LLDP TIMING Use the Administration > LLDP (Configure Global) page to set attributes for
ATTRIBUTES general functions such as globally enabling LLDP on the switch, setting the
message ageout time, and setting the frequency for broadcasting general
advertisements or reports about changes in the LLDP MIB.
CLI REFERENCES
◆ "LLDP Commands" on page 921
PARAMETERS
These parameters are displayed:
◆
LLDP – Enables LLDP globally on the switch. (Default: Enabled)
◆
Transmission Interval – Configures the periodic transmit interval for
LLDP advertisements. (Range: 5-32768 seconds; Default: 30 seconds)
◆
Hold Time Multiplier – Configures the time-to-live (TTL) value sent in
LLDP advertisements as shown in the formula below. (Range: 2-10;
Default: 4)
The time-to-live tells the receiving LLDP agent how long to retain all
information pertaining to the sending LLDP agent if it does not transmit
updates in a timely manner.
TTL in seconds is based on the following rule:
minimum value ((Transmission Interval * Holdtime Multiplier), or 65535)
Therefore, the default TTL is 4*30 = 120 seconds.
◆
Delay Interval – Configures a delay between the successive
transmission of advertisements initiated by a change in local LLDP MIB
variables. (Range: 1-8192 seconds; Default: 2 seconds)
The transmit delay is used to prevent a series of successive LLDP
transmissions during a short period of rapid changes in local LLDP MIB
– 376 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
objects, and to increase the probability that multiple, rather than single
changes, are reported in each transmission.
This attribute must comply with the rule:
(4 * Delay Interval) ≤ Transmission Interval
◆
Reinitialization Delay – Configures the delay before attempting to reinitialize after LLDP ports are disabled or the link goes down.
(Range: 1-10 seconds; Default: 2 seconds)
When LLDP is re-initialized on a port, all information in the remote
systems LLDP MIB associated with this port is deleted.
◆
Notification Interval – Configures the allowed interval for sending
SNMP notifications about LLDP MIB changes. (Range: 5-3600 seconds;
Default: 5 seconds)
This parameter only applies to SNMP applications which use data stored
in the LLDP MIB for network monitoring or management.
Information about changes in LLDP neighbors that occur between SNMP
notifications is not transmitted. Only state changes that exist at the
time of a notification are included in the transmission. An SNMP agent
should therefore periodically check the value of
lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange
notification-events missed due to throttling or transmission loss.
◆
MED Fast Start Count – Configures the amount of LLDP MED Fast
Start LLDPDUs to transmit during the activation process of the LLDPMED Fast Start mechanism. (Range: 1-10 packets; Default: 4 packets)
The MED Fast Start Count parameter is part of the timer which ensures
that the LLDP-MED Fast Start mechanism is active for the port. LLDPMED Fast Start is critical to the timely startup of LLDP, and therefore
integral to the rapid availability of Emergency Call Service.
WEB INTERFACE
To configure LLDP timing attributes:
1. Click Administration, LLDP.
2. Select Configure Global from the Step list.
3. Enable LLDP, and modify any of the timing parameters as required.
4. Click Apply.
– 377 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
Figure 209: Configuring LLDP Timing Attributes
CONFIGURING LLDP Use the Administration > LLDP (Configure Interface – Configure General)
INTERFACE page to specify the message attributes for individual interfaces, including
ATTRIBUTES whether messages are transmitted, received, or both transmitted and
received, whether SNMP notifications are sent, and the type of information
advertised.
CLI REFERENCES
◆ "LLDP Commands" on page 921
PARAMETERS
These parameters are displayed:
◆
Admin Status – Enables LLDP message transmit and receive modes
for LLDP Protocol Data Units. (Options: Tx only, Rx only, TxRx,
Disabled; Default: TxRx)
◆
SNMP Notification – Enables the transmission of SNMP trap
notifications about LLDP and LLDP-MED changes. (Default: Disabled)
This option sends out SNMP trap notifications to designated target
stations at the interval specified by the Notification Interval in the
preceding section. Trap notifications include information about state
changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/
TIA-1057), or vendor-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3
MIBs.
For information on defining SNMP trap destinations, see "Specifying
Trap Managers" on page 415.
Information about additional changes in LLDP neighbors that occur
between SNMP notifications is not transmitted. Only state changes that
exist at the time of a trap notification are included in the transmission.
An SNMP agent should therefore periodically check the value of
lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange
notification-events missed due to throttling or transmission loss.
– 378 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
◆
MED Notification – Enables the transmission of SNMP trap
notifications about LLDP-MED changes. (Default: Enabled)
◆
Basic Optional TLVs – Configures basic information included in the
TLV field of advertised messages.
■
Management Address – The management address protocol
packet includes the IPv4 address of the switch. If no management
address is available, the address should be the MAC address for the
CPU or for the port sending this advertisement.
The management address TLV may also include information about
the specific interface associated with this address, and an object
identifier indicating the type of hardware component or protocol
entity associated with this address. The interface number and OID
are included to assist SNMP applications in the performance of
network discovery by indicating enterprise specific or other starting
points for the search, such as the Interface or Entity MIB.
Since there are typically a number of different addresses associated
with a Layer 3 device, an individual LLDP PDU may contain more
than one management address TLV.
Every management address TLV that reports an address that is
accessible on a port and protocol VLAN through the particular port
should be accompanied by a port and protocol VLAN TLV that
indicates the VLAN identifier (VID) associated with the management
address reported by this TLV.
◆
■
Port Description – The port description is taken from the ifDescr
object in RFC 2863, which includes information about the
manufacturer, the product name, and the version of the interface
hardware/software.
■
System Capabilities – The system capabilities identifies the
primary function(s) of the system and whether or not these primary
functions are enabled. The information advertised by this TLV is
described in IEEE 802.1AB.
■
System Description – The system description is taken from the
sysDescr object in RFC 3418, which includes the full name and
version identification of the system's hardware type, software
operating system, and networking software.
■
System Name – The system name is taken from the sysName
object in RFC 3418, which contains the system’s administratively
assigned name. To configure the system name, see "Displaying
System Information" on page 97.
802.1 Organizationally Specific TLVs – Configures IEEE 802.1
information included in the TLV field of advertised messages.
■
Protocol Identity – The protocols that are accessible through this
interface (see "Protocol VLANs" on page 185).
– 379 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
■
■
■
◆
◆
VLAN ID – The port’s default VLAN identifier (PVID) indicates the
VLAN with which untagged or priority-tagged frames are associated
(see "IEEE 802.1Q VLANs" on page 167).
VLAN Name – The name of all VLANs to which this interface has
been assigned (see "IEEE 802.1Q VLANs" on page 167.
Port and Protocol VLAN ID – The port-based protocol VLANs
configured on this interface (see "IEEE 802.1Q VLANs" on page 167.
802.3 Organizationally Specific TLVs – Configures IEEE 802.3
information included in the TLV field of advertised messages.
■
Link Aggregation – The link aggregation capabilities, aggregation
status of the link, and the IEEE 802.3 aggregated port identifier if
this interface is currently a link aggregation member.
■
Max Frame Size – The maximum frame size. (See "Configuring
Support for Jumbo Frames" on page 100 for information on
configuring the maximum frame size for this switch.
■
PoE – Power-over-Ethernet capabilities, including whether or not
PoE is supported, currently enabled, if the port pins through which
power is delivered can be controlled, the port pins selected to
deliver power, and the power class.
MED TLVs – Configures general information included in the MED TLV
field of advertised messages.
■
Capabilities – This option advertises LLDP-MED TLV capabilities,
allowing Media Endpoint and Connectivity Devices to efficiently
discover which LLDP-MED related TLVs are supported on the switch.
■
Extended Power – This option advertises extended Power-overEthernet capability details, such as power availability from the
switch, and power state of the switch, including whether the switch
is operating from primary or backup power (the Endpoint Device
could use this information to decide to enter power conservation
mode). Note that this device does not support PoE capabilities.
■
Inventory – This option advertises device details useful for
inventory management, such as manufacturer, model, software
version and other pertinent information.
■
Location – This option advertises location identification details.
■
Network Policy – This option advertises network policy
configuration information, aiding in the discovery and diagnosis of
VLAN configuration mismatches on a port. Improper network policy
configurations frequently result in voice quality degradation or
complete service disruption.
– 380 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
◆
MED-Location Civic Address – Configures information for the
location of the attached device included in the MED TLV field of
advertised messages, including the country and the device type.
■
■
Country – The two-letter ISO 3166 country code in capital ASCII
letters. (Example: DK, DE or US)
Device entry refers to – The type of device to which the location
applies:
■
Location of DHCP server.
■
Location of network element closest to client.
■
Location of client. (This is the default.)
WEB INTERFACE
To configure LLDP interface attributes:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Select Configure General from the Action list.
4. Select an interface from the Port or Trunk list.
5. Set the LLDP transmit/receive mode, specify whether or not to send
SNMP trap messages, and select the information to advertise in LLDP
messages.
6. Click Apply.
– 381 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
Figure 210: Configuring LLDP Interface Attributes
CONFIGURING LLDP Use the Administration > LLDP (Configure Interface – Add CA-Type) page
INTERFACE CIVIC- to specify the physical location of the device attached to an interface.
ADDRESS
CLI REFERENCES
◆ "lldp med-location civic-addr" on page 933
COMMAND USAGE
◆ Use the Civic Address type (CA-Type) to advertise the physical location
of the device attached to an interface, including items such as the city,
street number, building and room information. The address location is
specified as a type and value pair, with the civic address type defined in
RFC 4776. The following table describes some of the CA type numbers
and provides examples.
Table 26: LLDP MED Location CA Types
CA Type Description
CA Value Example
1
National subdivisions (state, canton, province)
California
2
County, parish
Orange
3
City, township
Irvine
4
City division, borough, city district
West Irvine
5
Neighborhood, block
Riverside
6
Group of streets below the neighborhood level
Exchange
18
Street suffix or type
Avenue
– 382 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
Table 26: LLDP MED Location CA Types (Continued)
◆
CA Type Description
CA Value Example
19
House number
320
20
House number suffix
A
21
Landmark or vanity address
Tech Center
26
Unit (apartment, suite)
Apt 519
27
Floor
5
28
Room
509B
Any number of CA type and value pairs can be specified for the civic
address location, as long as the total does not exceed 250 characters.
PARAMETERS
These parameters are displayed:
◆
CA-Type – Descriptor of the data civic address value. (Range: 0-255)
◆
CA-Value – Description of a location. (Range: 1-32 characters)
WEB INTERFACE
To specify the physical location of the attached device:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Select Add CA-Type from the Action list.
4. Select an interface from the Port or Trunk list.
5. Specify a CA-Type and CA-Value pair.
6. Click Apply.
Figure 211: Configuring the Civic Address for an LLDP Interface
– 383 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
To show the physical location of the attached device:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Select Show CA-Type from the Action list.
4. Select an interface from the Port or Trunk list.
Figure 212: Showing the Civic Address for an LLDP Interface
DISPLAYING LLDP Use the Administration > LLDP (Show Local Device Information) page to
LOCAL DEVICE display information about the switch, such as its MAC address, chassis ID,
INFORMATION management IP address, and port information.
CLI REFERENCES
◆ "show lldp info local-device" on page 940
PARAMETERS
These parameters are displayed:
Global Settings
◆
Chassis Type – Identifies the chassis containing the IEEE 802 LAN
entity associated with the transmitting LLDP agent. There are several
ways in which a chassis may be identified and a chassis ID subtype is
used to indicate the type of component being referenced by the chassis
ID field.
– 384 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
Table 27: Chassis ID Subtype
ID Basis
Reference
Chassis component
EntPhysicalAlias when entPhysClass has a value of ‘chassis(3)’
(IETF RFC 2737)
Interface alias
IfAlias (IETF RFC 2863)
Port component
EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or
‘backplane(4)’ (IETF RFC 2737)
MAC address
MAC address (IEEE Std 802-2001)
Network address
networkAddress
Interface name
ifName (IETF RFC 2863)
Locally assigned
locally assigned
◆
Chassis ID – An octet string indicating the specific identifier for the
particular chassis in this system.
◆
System Name – A string that indicates the system’s administratively
assigned name (see "Displaying System Information" on page 97).
◆
System Description – A textual description of the network entity. This
field is also displayed by the show system command.
◆
System Capabilities Supported – The capabilities that define the
primary function(s) of the system.
Table 28: System Capabilities
ID Basis
Reference
Other
—
Repeater
IETF RFC 2108
Bridge
IETF RFC 2674
WLAN Access Point
IEEE 802.11 MIB
Router
IETF RFC 1812
Telephone
IETF RFC 2011
DOCSIS cable device
IETF RFC 2669 and IETF RFC 2670
End Station Only
IETF RFC 2011
◆
System Capabilities Enabled – The primary function(s) of the
system which are currently enabled. Refer to the preceding table.
◆
Management Address – The management address protocol packet
includes the IPv4 address of the switch. If no management address is
available, the address should be the MAC address for the CPU or for the
port sending this advertisement.
– 385 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
Interface Settings
The attributes listed below apply to both port and trunk interface types.
When a trunk is listed, the descriptions apply to the first port of the trunk.
◆
Port/Trunk Description – A string that indicates the port or trunk
description. If RFC 2863 is implemented, the ifDescr object should be
used for this field.
◆
Port/Trunk ID – A string that contains the specific identifier for the
port or trunk from which this LLDPDU was transmitted.
WEB INTERFACE
To display LLDP information for the local device:
1. Click Administration, LLDP.
2. Select Show Local Device Information from the Step list.
3. Select General, Port, or Trunk.
Figure 213: Displaying Local Device Information for LLDP (General)
Figure 214: Displaying Local Device Information for LLDP (Port)
– 386 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
DISPLAYING LLDP Use the Administration > LLDP (Show Remote Device Information) page to
REMOTE DEVICE display information about devices connected directly to the switch’s ports
INFORMATION which are advertising information through LLDP, or to display detailed
information about an LLDP-enabled device connected to a specific port on
the local switch.
CLI REFERENCES
◆ "show lldp info remote-device" on page 941
PARAMETERS
These parameters are displayed:
Port
◆
Local Port – The local port to which a remote LLDP-capable device is
attached.
◆
Chassis ID – An octet string indicating the specific identifier for the
particular chassis in this system.
◆
Port ID – A string that contains the specific identifier for the port from
which this LLDPDU was transmitted.
◆
System Name – A string that indicates the system’s administratively
assigned name.
Port Details
◆
Local Port – The local port to which a remote LLDP-capable device is
attached.
◆
Chassis Type – Identifies the chassis containing the IEEE 802 LAN
entity associated with the transmitting LLDP agent. There are several
ways in which a chassis may be identified and a chassis ID subtype is
used to indicate the type of component being referenced by the chassis
ID field. (See Table 27, "Chassis ID Subtype," on page 385.)
◆
Chassis ID – An octet string indicating the specific identifier for the
particular chassis in this system.
◆
System Name – A string that indicates the system’s assigned name.
◆
System Description – A textual description of the network entity.
◆
Port Type – Indicates the basis for the identifier that is listed in the
Port ID field.
Table 29: Port ID Subtype
ID Basis
Reference
Interface alias
IfAlias (IETF RFC 2863)
Chassis component
EntPhysicalAlias when entPhysClass has a value of ‘chassis(3)’
(IETF RFC 2737)
– 387 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
Table 29: Port ID Subtype (Continued)
ID Basis
Reference
Port component
EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or
‘backplane(4)’ (IETF RFC 2737)
MAC address
MAC address (IEEE Std 802-2001)
Network address
networkAddress
Interface name
ifName (IETF RFC 2863)
Agent circuit ID
agent circuit ID (IETF RFC 3046)
Locally assigned
locally assigned
◆
Port Description – A string that indicates the port’s description. If RFC
2863 is implemented, the ifDescr object should be used for this field.
◆
Port ID – A string that contains the specific identifier for the port from
which this LLDPDU was transmitted.
◆
System Capabilities Supported – The capabilities that define the
primary function(s) of the system. (See Table 28, "System
Capabilities," on page 385.)
◆
System Capabilities Enabled – The primary function(s) of the
system which are currently enabled. (See Table 28, "System
Capabilities," on page 385.)
◆
Management Address List – The management addresses for this
device. Since there are typically a number of different addresses
associated with a Layer 3 device, an individual LLDP PDU may contain
more than one management address TLV.
If no management address is available, the address should be the MAC
address for the CPU or for the port sending this advertisement.
Port Details – 802.1 Extension Information
◆
Remote Port VID – The port’s default VLAN identifier (PVID) indicates
the VLAN with which untagged or priority-tagged frames are
associated.
◆
Remote Port-Protocol VLAN List – The port-based protocol VLANs
configured on this interface, whether the given port (associated with
the remote system) supports port-based protocol VLANs, and whether
the port-based protocol VLANs are enabled on the given port associated
with the remote system.
◆
Remote VLAN Name List – VLAN names associated with a port.
◆
Remote Protocol Identity List – Information about particular
protocols that are accessible through a port. This object represents an
arbitrary local integer value used by this agent to identify a particular
protocol identity, and an octet string used to identify the protocols
associated with a port of the remote system.
– 388 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
Port Details – 802.3 Extension Port Information
◆
Remote Port Auto-Neg Supported – Shows whether the given port
(associated with remote system) supports auto-negotiation.
◆
Remote Port Auto-Neg Adv-Capability – The value (bitmap) of the
ifMauAutoNegCapAdvertisedBits object (defined in IETF RFC 3636)
which is associated with a port on the remote system.
Table 30: Remote Port Auto-Negotiation Advertised Capability
Bit
Capability
0
other or unknown
1
10BASE-T half duplex mode
2
10BASE-T full duplex mode
3
100BASE-T4
4
100BASE-TX half duplex mode
5
100BASE-TX full duplex mode
6
100BASE-T2 half duplex mode
7
100BASE-T2 full duplex mode
8
PAUSE for full-duplex links
9
Asymmetric PAUSE for full-duplex links
10
Symmetric PAUSE for full-duplex links
11
Asymmetric and Symmetric PAUSE for full-duplex links
12
1000BASE-X, -LX, -SX, -CX half duplex mode
13
1000BASE-X, -LX, -SX, -CX full duplex mode
14
1000BASE-T half duplex mode
15
1000BASE-T full duplex mode
◆
Remote Port Auto-Neg Status – Shows whether port autonegotiation is enabled on a port associated with the remote system.
◆
Remote Port MAU Type – An integer value that indicates the
operational MAU type of the sending device. This object contains the
integer value derived from the list position of the corresponding
dot3MauType as listed in IETF RFC 3636 and is equal to the last number
in the respective dot3MauType OID.
Port Details – 802.3 Extension Power Information
◆
Remote Power Class – The port Class of the given port associated
with the remote system (PSE – Power Sourcing Equipment or PD –
Powered Device).
◆
Remote Power MDI Status – Shows whether MDI power is enabled
on the given port associated with the remote system.
– 389 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
◆
Remote Power Pairs – “Signal” means that the signal pairs only are
in use, and “Spare” means that the spare pairs only are in use.
◆
Remote Power MDI Supported – Shows whether MDI power is
supported on the given port associated with the remote system.
◆
Remote Power Pair Controlable – Indicates whether the pair
selection can be controlled for sourcing power on the given port
associated with the remote system.
◆
Remote Power Classification – This classification is used to tag
different terminals on the Power over LAN network according to their
power consumption. Devices such as IP telephones, WLAN access
points and others, will be classified according to their power
requirements.
Port Details – 802.3 Extension Trunk Information
◆
Remote Link Aggregation Capable – Shows if the remote port is not
in link aggregation state and/or it does not support link aggregation.
◆
Remote Link Aggregation Status – The current aggregation status
of the link.
◆
Remote Link Port ID – This object contains the IEEE 802.3
aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.1),
derived from the ifNumber of the ifIndex for the port component
associated with the remote system. If the remote port is not in link
aggregation state and/or it does not support link aggregation, this
value should be zero.
Port Details – 802.3 Extension Frame Information
◆
Remote Max Frame Size – An integer value indicating the maximum
supported frame size in octets on the port component associated with
the remote system.
WEB INTERFACE
To display LLDP information for a remote port:
1. Click Administration, LLDP.
2. Select Show Remote Device Information from the Step list.
3. Select Port, Port Details, Trunk, or Trunk Details.
– 390 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
Figure 215: Displaying Remote Device Information for LLDP (Port)
Figure 216: Displaying Remote Device Information for LLDP (Port Details)
– 391 –
CHAPTER 14 | Basic Administration Protocols
Link Layer Discovery Protocol
DISPLAYING DEVICE Use the Administration > LLDP (Show Device Statistics) page to display
STATISTICS statistics for LLDP-capable devices attached to the switch, and for LLDP
protocol messages transmitted or received on all local interfaces.
CLI REFERENCES
◆ "show lldp info statistics" on page 943
PARAMETERS
These parameters are displayed:
General Statistics on Remote Devices
◆
Neighbor Entries List Last Updated – The time the LLDP neighbor
entry list was last updated.
◆
New Neighbor Entries Count – The number of LLDP neighbors for
which the remote TTL has not yet expired.
◆
Neighbor Entries Deleted Count – The number of LLDP neighbors
which have been removed from the LLDP remote systems MIB for any
reason.
◆
Neighbor Entries Dropped Count – The number of times which the
remote database on this switch dropped an LLDPDU because of
insufficient resources.
◆
Neighbor Entries Age-out Count – The number of times that a
neighbor’s information has been deleted from the LLDP remote systems
MIB because the remote TTL timer has expired.
Port/Trunk
◆
Frames Discarded – Number of frames discarded because they did
not conform to the general validation rules as well as any specific usage
rules defined for the particular TLV.
◆
Frames Invalid – A count of all LLDPDUs received with one or more
detectable errors.
◆
Frames Received – Number of LLDP PDUs received.
◆
Frames Sent – Number of LLDP PDUs transmitted.
◆
TLVs Unrecognized – A count of all TLVs not recognized by the
receiving LLDP local agent.
◆
TLVs Discarded – A count of all LLDPDUs received and then discarded
due to insufficient memory space, missing or out-of-sequence
attributes, or any other reason.
◆
Neighbor Ageouts – A count of the times that a neighbor’s
information has been deleted from the LLDP remote systems MIB
because the remote TTL timer has expired.
– 392 –
CHAPTER 14 | Basic Administration Protocols
Power Over Ethernet
WEB INTERFACE
To display statistics for LLDP-capable devices attached to the switch:
1. Click Administration, LLDP.
2. Select Show Device Statistics from the Step list.
3. Select General, Port, or Trunk.
Figure 217: Displaying LLDP Device Statistics (General)
Figure 218: Displaying LLDP Device Statistics (Port)
POWER OVER ETHERNET
The switch can provide DC power to a wide range of connected devices,
eliminating the need for an additional power source and cutting down on
the amount of cables attached to each device. Once configured to supply
power, an automatic detection process is initialized by the switch that is
authenticated by a PoE signature from the connected device. Detection and
authentication prevent damage to non-compliant devices (IEEE 802.3af or
802.3at).
– 393 –
CHAPTER 14 | Basic Administration Protocols
Power Over Ethernet
The switch’s power management enables individual port power to be
controlled within the switch’s power budget. Port power can be
automatically turned on and off for connected devices, and a per-port
power priority can be set so that the switch never exceeds its power
budget. When a device is connected to a switch port, its power
requirements are detected by the switch before power is supplied. If the
power required by a device exceeds the power budget of the port or the
whole switch, power is not supplied.
Ports can be set to one of four power priority levels, critical, high, medium,
or low. To control the power supply within the switch’s budget, ports set at
critical to medium priority have power enabled in preference to those ports
set at low priority. For example, when a device connected to a port is set to
critical priority, the switch supplies the required power, if necessary by
denying power to ports set for a lower priority during bootup.
NOTE: For more information on using the PoE provided by this switch refer
to the Installation Guide.
DISPLAYING THE Use the Administration > PoE (Configure Global) page to display the
SWITCH’S OVERALL maximum PoE power budget for the switch (power available to all RJ-45
POE POWER BUDGET ports). The maximum power budget is fixed at the maximum available
setting, which prevents overload conditions at the power source. If the
power demand from devices connected to the switch exceeds the power
budget, the switch uses port power priority settings to limit the supplied
power.
CLI REFERENCES
◆ "Power over Ethernet Commands" on page 777
PARAMETERS
These parameters are displayed:
◆
PoE Maximum Available Power – The power budget for the switch.
If devices connected to the switch require more power than the switch
budget, the port power priority settings are used to control the supplied
power. (Fixed: 195 Watts)
◆
System Operation Status – Status of the PoE power service provided
to the switch ports.
◆
PoE Power Consumption – The amount of power being consumed by
PoE devices connected to the switch.
◆
Software Version – The version of software running on the PoE
controller subsystem in the switch.
– 394 –
CHAPTER 14 | Basic Administration Protocols
Power Over Ethernet
WEB INTERFACE
To set the overall PoE power budget for switch:
1. Click Administration, PoE.
2. Select Configure Global from the Step list.
Figure 219: Showing the Switch’s PoE Budget
SETTING THE PORT Use the Administration > PoE (Configure Interface) page to set the
POE POWER BUDGET maximum power provided to a port.
CLI REFERENCES
◆ "Power over Ethernet Commands" on page 777
◆ "Time Range" on page 572
COMMAND USAGE
◆ This switch supports both the IEEE 802.3af PoE and IEEE 802.3at-2009
PoE Plus standards. To ensure that the correct power is supplied to
powered devices (PD) compliant with these standards, the first
detection pulse from the switch is based on 802.3af to which the
802.3af PDs will respond normally. It then sends a second PoE Plus
pulse that causes an 802.3at PD to respond as a Class 4 device and
draw Class 4 current. Afterwards, the switch exchanges information
with the PD such as duty-cycle, peak and average power needs.
◆
All the RJ-45 ports support both the IEEE 802.3af and IEEE 802.3at
standards. The total PoE power delivered by all ports cannot exceed the
maximum power budget of 195W. This means that up to 5 ports can
supply a maximum 34.2W of power simultaneously to connected
devices (802.3at), up to 12 ports can supply up to 15.4W (802.3af), or
all 26 ports can supply up to 7.5W (802.3af).
◆
If a device is connected to a switch port and the switch detects that it
requires more than the power budget set for the port or to the overall
switch, no power is supplied to the device (i.e., port power remains
off).
◆
If the power demand from devices connected to all switch ports
exceeds the power budget set for the switch, the port power priority
settings are used to control the supplied power. For example:
– 395 –
CHAPTER 14 | Basic Administration Protocols
Power Over Ethernet
■
■
■
If a device is connected to a low-priority port and causes the switch
to exceed its budget, power to this port is not turned on.
If a device is connected to a critical or high-priority port and would
cause the switch to exceed its power budget as determined during
bootup, power is provided to the port only if the switch can drop
power to one or more lower-priority ports and thereby remain
within its overall budget.
If a device is connected to a port after the switch has finished
booting up and would cause the switch to exceed its budget, power
will not be provided to that port regardless of its priority setting.
PARAMETERS
These parameters are displayed:
◆
Port – The port number on the switch.
◆
Admin Status – Enables PoE power on a port. Power is automatically
supplied when a device is detected on a port, providing that the power
demanded does not exceed the switch or port power budget.
(Default: Enabled)
◆
Mode – Shows whether or not PoE power is being supplied to a port.
◆
Priority – Sets the power priority for a port. (Options: Low, High, or
Critical; Default: Low)
◆
Power Allocation – Sets the power budget for a port.
(Range: 3000-34200 milliwatts; Default: 34200 milliwatts)
◆
Power Consumption – Current power consumption on a port.
◆
Time Range – Name of a time range. If a time range is set, then PoE
will be provided to an interface during the specified period.
◆
Time Range Status – Indicates if a time range has been applied to an
interface, and whether it is currently active or inactive.
WEB INTERFACE
To set the PoE power budget for a port:
1. Click Administration, PoE.
2. Select Configure Interface from the Step list.
3. Enable PoE power on selected ports. Set the priority and the power
budget. And specify a time range during which PoE will be provided to
an interface.
4. Click Apply.
– 396 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
Figure 220: Setting a Port’s PoE Budget
SIMPLE NETWORK MANAGEMENT PROTOCOL
Simple Network Management Protocol (SNMP) is a communication protocol
designed specifically for managing devices on a network. Equipment
commonly managed with SNMP includes switches, routers and host
computers. SNMP is typically used to configure these devices for proper
operation in a network environment, as well as to monitor them to evaluate
performance or detect potential problems.
Managed devices supporting SNMP contain software, which runs locally on
the device and is referred to as an agent. A defined set of variables, known
as managed objects, is maintained by the SNMP agent and used to manage
the device. These objects are defined in a Management Information Base
(MIB) that provides a standard presentation of the information controlled
by the agent. SNMP defines both the format of the MIB specifications and
the protocol used to access this information over the network.
The switch includes an onboard agent that supports SNMP versions 1, 2c,
and 3. This agent continuously monitors the status of the switch hardware,
as well as the traffic passing through its ports. A network management
station can access this information using network management software.
Access to the onboard agent from clients using SNMP v1 and v2c is
controlled by community strings. To communicate with the switch, the
management station must first submit a valid community string for
authentication.
Access to the switch from clients using SNMPv3 provides additional security
features that cover message integrity, authentication, and encryption; as
well as controlling user access to specific areas of the MIB tree.
The SNMPv3 security structure consists of security models, with each
model having it’s own security levels. There are three security models
defined, SNMPv1, SNMPv2c, and SNMPv3. Users are assigned to “groups”
that are defined by a security model and specified security levels. Each
group also has a defined security access to set of MIB objects for reading
and writing, which are known as “views.” The switch has a default view (all
MIB objects) and default groups defined for security models v1 and v2c.
The following table shows the security models and levels available and the
system default settings.
– 397 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
Table 31: SNMPv3 Security Models and Levels
Model Level
Group
Read View
Write View
Notify View
Security
v1
noAuthNoPriv
public
(read only)
defaultview
none
none
Community string only
v1
noAuthNoPriv
private
(read/write)
defaultview
defaultview
none
Community string only
v1
noAuthNoPriv
user defined
user defined
user defined
user defined
Community string only
v2c
noAuthNoPriv
public
(read only)
defaultview
none
none
Community string only
v2c
noAuthNoPriv
private
(read/write)
defaultview
defaultview
none
Community string only
v2c
noAuthNoPriv
user defined
user defined
user defined
user defined
Community string only
v3
noAuthNoPriv
user defined
user defined
user defined
user defined
A user name match only
v3
AuthNoPriv
user defined
user defined
user defined
user defined
Provides user authentication via MD5 or
SHA algorithms
v3
AuthPriv
user defined
user defined
user defined
user defined
Provides user authentication via MD5 or
SHA algorithms and data privacy using
DES 56-bit encryption
NOTE: The predefined default groups and view can be deleted from the
system. You can then define customized groups and views for the SNMP
clients that require access.
COMMAND USAGE
Configuring SNMPv1/2c Management Access
To configure SNMPv1 or v2c management access to the switch, follow
these steps:
1. Use the Administration > SNMP (Configure Global) page to enable
SNMP on the switch, and to enable trap messages.
2. Use the Administration > SNMP (Configure User - Add Community)
page to configure the community strings authorized for management
access.
3. Use the Administration > SNMP (Configure Trap) page to specify trap
managers so that key events are reported by this switch to your
management station.
Configuring SNMPv3 Management Access
1. Use the Administration > SNMP (Configure Global) page to enable
SNMP on the switch, and to enable trap messages.
2. Use the Administration > SNMP (Configure Trap) page to specify trap
managers so that key events are reported by this switch to your
management station.
– 398 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
3. Use the Administration > SNMP (Configure Engine) page to change the
local engine ID. If you want to change the default engine ID, it must be
changed before configuring other parameters.
4. Use the Administration > SNMP (Configure View) page to specify read
and write access views for the switch MIB tree.
5. Use the Administration > SNMP (Configure User) page to configure
SNMP user groups with the required security model (i.e., SNMP v1, v2c
or v3) and security level (i.e., authentication and privacy).
6. Use the Administration > SNMP (Configure Group) page to assign SNMP
users to groups, along with their specific authentication and privacy
passwords.
CONFIGURING GLOBAL Use the Administration > SNMP (Configure Global) page to enable SNMPv3
SETTINGS FOR SNMP service for all management clients (i.e., versions 1, 2c, 3), and to enable
trap messages.
CLI REFERENCES
◆ "snmp-server" on page 582
◆ "snmp-server enable traps" on page 585
PARAMETERS
These parameters are displayed:
◆
Agent Status – Enables SNMP on the switch. (Default: Enabled)
◆
Authentication Traps7 – Issues a notification message to specified IP
trap managers whenever an invalid community string is submitted
during the SNMP access authentication process. (Default: Enabled)
◆
Link-up and Link-down Traps7 – Issues a notification message
whenever a port link is established or broken. (Default: Enabled)
WEB INTERFACE
To configure global settings for SNMP:
1. Click Administration, SNMP.
2. Select Configure Global from the Step list.
3. Enable SNMP and the required trap types.
4. Click Apply
7. These are legacy notifications and therefore when used for SNMPv3 hosts, they must be
enabled in conjunction with the corresponding entries in the Notification View (page 402).
– 399 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
Figure 221: Configuring Global Settings for SNMP
SETTING THE LOCAL Use the Administration > SNMP (Configure Engine - Set Engine ID) page to
ENGINE ID change the local engine ID. An SNMPv3 engine is an independent SNMP
agent that resides on the switch. This engine protects against message
replay, delay, and redirection. The engine ID is also used in combination
with user passwords to generate the security keys for authenticating and
encrypting SNMPv3 packets.
CLI REFERENCES
◆ "snmp-server engine-id" on page 589
COMMAND USAGE
◆ A local engine ID is automatically generated that is unique to the
switch. This is referred to as the default engine ID. If the local engine
ID is deleted or changed, all SNMP users will be cleared. You will need
to reconfigure all existing users.
PARAMETERS
These parameters are displayed:
◆
Engine ID – A new engine ID can be specified by entering 9 to 64
hexadecimal characters (5 to 32 octets in hexadecimal format). If an
odd number of characters are specified, a trailing zero is added to the
value to fill in the last octet. For example, the value “123456789” is
equivalent to “1234567890”.
WEB INTERFACE
To configure the local SNMP engine ID:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Set Engine ID from the Action list.
4. Enter an ID of a least 9 hexadecimal characters.
5. Click Apply
– 400 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
Figure 222: Configuring the Local Engine ID for SNMP
SPECIFYING A REMOTE Use the Administration > SNMP (Configure Engine - Add Remote Engine)
ENGINE ID page to configure a engine ID for a remote management station. To allow
management access from an SNMPv3 user on a remote device, you must
first specify the engine identifier for the SNMP agent on the remote device
where the user resides. The remote engine ID is used to compute the
security digest for authentication and encryption of packets passed
between the switch and a user on the remote host.
CLI REFERENCES
◆ "snmp-server engine-id" on page 589
COMMAND USAGE
◆ SNMP passwords are localized using the engine ID of the authoritative
agent. For informs, the authoritative SNMP agent is the remote agent.
You therefore need to configure the remote agent’s SNMP engine ID
before you can send proxy requests or informs to it. (See "Configuring
Remote SNMPv3 Users" on page 413.)
PARAMETERS
These parameters are displayed:
◆
Remote Engine ID – The engine ID can be specified by entering 9 to
64 hexadecimal characters (5 to 32 octets in hexadecimal format). If
an odd number of characters are specified, a trailing zero is added to
the value to fill in the last octet. For example, the value “123456789” is
equivalent to “1234567890”.
◆
Remote IP Host – The IP address of a remote management station
which is using the specified engine ID.
WEB INTERFACE
To configure a remote SNMP engine ID:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Add Remote Engine from the Action list.
4. Enter an ID of a least 9 hexadecimal characters, and the IP address of
the remote host.
– 401 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
5. Click Apply
Figure 223: Configuring a Remote Engine ID for SNMP
To show the remote SNMP engine IDs:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Show Remote Engine from the Action list.
Figure 224: Showing Remote Engine IDs for SNMP
SETTING SNMPV3 Use the Administration > SNMP (Configure View) page to configure
VIEWS SNMPv3 views which are used to restrict user access to specified portions
of the MIB tree. The predefined view “defaultview” includes access to the
entire MIB tree.
CLI REFERENCES
◆ "snmp-server view" on page 592
PARAMETERS
These parameters are displayed:
Add View
◆
View Name – The name of the SNMP view. (Range: 1-64 characters)
◆
OID Subtree – Specifies the initial object identifier of a branch within
the MIB tree. Wild cards can be used to mask a specific portion of the
OID string. Use the Add OID Subtree page to configure additional
object identifiers. (Range: 1-64 characters).
– 402 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
◆
Type – Indicates if the object identifier of a branch within the MIB tree
is included or excluded from the SNMP view.
Add OID Subtree
◆
View Name – Lists the SNMP views configured in the Add View page.
(Range: 1-64 characters).
◆
OID Subtree – Adds an additional object identifier of a branch within
the MIB tree to the selected View. Wild cards can be used to mask a
specific portion of the OID string. (Range: 1-64 characters).
◆
Type – Indicates if the object identifier of a branch within the MIB tree
is included or excluded from the SNMP view.
WEB INTERFACE
To configure an SNMP view of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Add View from the Action list.
4. Enter a view name and specify the initial OID subtree in the switch’s
MIB database to be included or excluded in the view. Use the Add OID
Subtree page to add additional object identifier branches to the view.
5. Click Apply
Figure 225: Creating an SNMP View
To show the SNMP views of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Show View from the Action list.
– 403 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
Figure 226: Showing SNMP Views
To add an object identifier to an existing SNMP view of the switch’s MIB
database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Add OID Subtree from the Action list.
4. Select a view name from the list of existing views, and specify an
additional OID subtree in the switch’s MIB database to be included or
excluded in the view.
5. Click Apply
Figure 227: Adding an OID Subtree to an SNMP View
To show the OID branches configured for the SNMP views of the switch’s
MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Show OID Subtree from the Action list.
4. Select a view name from the list of existing views.
– 404 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
Figure 228: Showing the OID Subtree Configured for SNMP Views
CONFIGURING Use the Administration > SNMP (Configure Group) page to add an SNMPv3
SNMPV3 GROUPS group which can be used to set the access policy for its assigned users,
restricting them to specific read, write, and notify views. You can use the
pre-defined default groups or create new groups to map a set of SNMP
users to SNMP views.
CLI REFERENCES
◆ "show snmp group" on page 594
PARAMETERS
These parameters are displayed:
◆
Group Name – The name of the SNMP group to which the user is
assigned. (Range: 1-32 characters)
◆
Security Model – The user security model; SNMP v1, v2c or v3.
◆
Security Level – The following security levels are only used for the
groups assigned to the SNMP security model:
■
■
■
noAuthNoPriv – There is no authentication or encryption used in
SNMP communications. (This is the default security level.)
AuthNoPriv – SNMP communications use authentication, but the
data is not encrypted.
AuthPriv – SNMP communications use both authentication and
encryption.
◆
Read View – The configured view for read access.
(Range: 1-64 characters)
◆
Write View – The configured view for write access.
(Range: 1-64 characters)
◆
Notify View – The configured view for notifications.
(Range: 1-64 characters)
– 405 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
Table 32: Supported Notification Messages
Model
Level
Group
newRoot
1.3.6.1.2.1.17.0.1
The newRoot trap indicates that the
sending agent has become the new
root of the Spanning Tree; the trap is
sent by a bridge soon after its election
as the new root, e.g., upon expiration
of the Topology Change Timer
immediately subsequent to its
election.
topologyChange
1.3.6.1.2.1.17.0.2
A topologyChange trap is sent by a
bridge when any of its configured ports
transitions from the Learning state to
the Forwarding state, or from the
Forwarding state to the Discarding
state. The trap is not sent if a newRoot
trap is sent for the same transition.
coldStart
1.3.6.1.6.3.1.1.5.1
A coldStart trap signifies that the
SNMPv2 entity, acting in an agent role,
is reinitializing itself and that its
configuration may have been altered.
warmStart
1.3.6.1.6.3.1.1.5.2
A warmStart trap signifies that the
SNMPv2 entity, acting in an agent role,
is reinitializing itself such that its
configuration is unaltered.
linkDown*
1.3.6.1.6.3.1.1.5.3
A linkDown trap signifies that the
SNMP entity, acting in an agent role,
has detected that the ifOperStatus
object for one of its communication
links is about to enter the down state
from some other state (but not from
the notPresent state). This other state
is indicated by the included value of
ifOperStatus.
linkUp*
1.3.6.1.6.3.1.1.5.4
A linkUp trap signifies that the SNMP
entity, acting in an agent role, has
detected that the ifOperStatus object
for one of its communication links left
the down state and transitioned into
some other state (but not into the
notPresent state). This other state is
indicated by the included value of
ifOperStatus.
authenticationFailure*
1.3.6.1.6.3.1.1.5.5
An authenticationFailure trap signifies
that the SNMPv2 entity, acting in an
agent role, has received a protocol
message that is not properly
authenticated. While all
implementations of the SNMPv2 must
be capable of generating this trap, the
snmpEnableAuthenTraps object
indicates whether this trap will be
generated.
risingAlarm
1.3.6.1.2.1.16.0.1
The SNMP trap that is generated when
an alarm entry crosses its rising
threshold and generates an event that
is configured for sending SNMP traps.
fallingAlarm
1.3.6.1.2.1.16.0.2
The SNMP trap that is generated when
an alarm entry crosses its falling
threshold and generates an event that
is configured for sending SNMP traps.
RFC 1493 Traps
SNMPv2 Traps
RMON Events (V2)
– 406 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
Table 32: Supported Notification Messages (Continued)
Model
Level
Group
swPowerStatusChangeTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.1
This trap is sent when the power state
changes.
swFanFailureTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.17
This trap is sent when the fan fails.
swFanRecoverTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.18
This trap is sent when fan failure has
recovered.
swPortSecurityTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.36
This trap is sent when the port is being
intruded. This trap will only be sent
when the portSecActionTrap is
enabled.
swAuthenticationFailure
1.3.6.1.4.1.259.10.1.38.2.1.0.66
This trap will be triggered if
authentication fails.
swAuthenticationSuccess
1.3.6.1.4.1.259.10.1.38.2.1.0.67
This trap will be triggered if
authentication is successful.
swAtcBcastStormAlarmFireTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.70
When broadcast traffic is detected as a
storm, this trap is fired.
swAtcBcastStormAlarmClearTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.71
When a broadcast storm is detected as
normal traffic, this trap is fired.
swAtcBcastStormTcApplyTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.72
When ATC is activated, this trap is
fired.
swAtcBcastStormTcReleaseTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.73
When ATC is released, this trap is fired.
swAtcMcastStormAlarmFireTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.74
When multicast traffic is detected as
the storm, this trap is fired.
swAtcMcastStormAlarmClearTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.75
When multicast storm is detected as
normal traffic, this trap is fired.
swAtcMcastStormTcApplyTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.76
When ATC is activated, this trap is
fired.
swAtcMcastStormTcReleaseTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.77
When ATC is released, this trap is fired.
stpBecomeRootBridgeTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.86
The stpBecomeRootBridge trap
indicates that the sending agent has
become the new root of the Spanning
Tree; the trap is sent by a bridge soon
after it has been elected as the new
root.
stpPortEnterForwardingTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.87
The trap is sent by a bridge when any
of its configured ports transit from
Learning state to Forwarding state.
stpRootPortChangedTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.88
The trap is sent when the root port of
a bridge has changed.
stpRootBridgeChangedTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.89
The trap will be sent when the root
bridge of bridges has changed and the
bridge sending off the trap is not the
root in STP topology.
swLoopbackDetectionTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.95
This trap is sent when loopback BPDUs
have been detected.
autoUpgradeTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.104
This trap is sent when auto upgrade is
executed.
swCpuUtiRisingNotification
1.3.6.1.4.1.259.10.1.38.2.1.0.107
This notification indicates that the CPU
utilization has risen from
cpuUtiFallingThreshold to
cpuUtiRisingThreshold.
Private Traps
– 407 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
Table 32: Supported Notification Messages (Continued)
Model
Level
Group
swCpuUtiFallingNotification
1.3.6.1.4.1.259.10.1.38.2.1.0.108
This notification indicates that the CPU
utilization has fallen from
cpuUtiRisingThreshold to
cpuUtiFallingThreshold.
swMemoryUtiRisingThresholdNotification
1.3.6.1.4.1.259.10.1.38.2.1.0.109
This notification indicates that the
memory utilization has risen from
memoryUtiFallingThreshold to
memoryUtiRisingThreshold.
swMemoryUtiFallingThresholdNotification
1.3.6.1.4.1.259.10.1.38.2.1.0.110
This notification indicates that the
memory utilization has fallen from
memoryUtiRisingThreshold to
memoryUtiFallingThreshold.
swIpFilterInetRejectTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.111
This trap is sent when an incorrect IP
address is rejected by the IP filter.
stpLoopbackDetectionPortShutdownTrap
1.3.6.1.4.1.259.10.1.38.2.1.0.193
This trap is sent when port is shut
down by STP loopback detection.
* These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps on the SNMP
Configuration menu.
– 408 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
WEB INTERFACE
To configure an SNMP group:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Enter a group name, assign a security model and level, and then select
read, write, and notify views.
5. Click Apply
Figure 229: Creating an SNMP Group
To show SNMP groups:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Show from the Action list.
Figure 230: Showing SNMP Groups
– 409 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
SETTING COMMUNITY Use the Administration > SNMP (Configure User - Add Community) page to
ACCESS STRINGS configure up to five community strings authorized for management access
by clients using SNMP v1 and v2c. For security reasons, you should
consider removing the default strings.
CLI REFERENCES
◆ "snmp-server community" on page 583
PARAMETERS
These parameters are displayed:
◆
Community String – A community string that acts like a password
and permits access to the SNMP protocol.
Range: 1-32 characters, case sensitive
Default strings: “public” (Read-Only), “private” (Read/Write)
◆
Access Mode – Specifies the access rights for the community string:
■
Read-Only – Authorized management stations are only able to
retrieve MIB objects.
■
Read/Write – Authorized management stations are able to both
retrieve and modify MIB objects.
WEB INTERFACE
To set a community access string:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Add Community from the Action list.
4. Add new community strings as required, and select the corresponding
access rights from the Access Mode list.
5. Click Apply
Figure 231: Setting Community Access Strings
– 410 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
To show the community access strings:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show Community from the Action list.
Figure 232: Showing Community Access Strings
CONFIGURING LOCAL Use the Administration > SNMP (Configure User - Add SNMPv3 Local User)
SNMPV3 USERS page to authorize management access for SNMPv3 clients, or to identify
the source of SNMPv3 trap messages sent from the local switch. Each
SNMPv3 user is defined by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts
users to a specific read, write, and notify view.
CLI REFERENCES
◆ "snmp-server user" on page 591
PARAMETERS
These parameters are displayed:
◆
User Name – The name of user connecting to the SNMP agent.
(Range: 1-32 characters)
◆
Group Name – The name of the SNMP group to which the user is
assigned. (Range: 1-32 characters)
◆
Security Model – The user security model; SNMP v1, v2c or v3.
◆
Security Level – The following security levels are only used for the
groups assigned to the SNMP security model:
■
noAuthNoPriv – There is no authentication or encryption used in
SNMP communications. (This is the default security level.)
■
AuthNoPriv – SNMP communications use authentication, but the
data is not encrypted.
– 411 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
■
AuthPriv – SNMP communications use both authentication and
encryption.
◆
Authentication Protocol – The method used for user authentication.
(Options: MD5, SHA; Default: MD5)
◆
Authentication Password – A minimum of eight plain text characters
is required.
◆
Privacy Protocol – The encryption algorithm use for data privacy;
only 56-bit DES is currently available.
◆
Privacy Password – A minimum of eight plain text characters is
required.
WEB INTERFACE
To configure a local SNMPv3 user:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Add SNMPv3 Local User from the Action list.
4. Enter a name and assign it to a group. If the security model is set to
SNMPv3 and the security level is authNoPriv or authPriv, then an
authentication protocol and password must be specified. If the security
level is authPriv, a privacy password must also be specified.
5. Click Apply
Figure 233: Configuring Local SNMPv3 Users
– 412 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
To show local SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Local User from the Action list.
Figure 234: Showing Local SNMPv3 Users
CONFIGURING REMOTE Use the Administration > SNMP (Configure User - Add SNMPv3 Remote
SNMPV3 USERS User) page to identify the source of SNMPv3 inform messages sent from
the local switch. Each SNMPv3 user is defined by a unique name. Users
must be configured with a specific security level and assigned to a group.
The SNMPv3 group restricts users to a specific read, write, and notify view.
CLI REFERENCES
◆ "snmp-server user" on page 591
COMMAND USAGE
◆ To grant management access to an SNMPv3 user on a remote device,
you must first specify the engine identifier for the SNMP agent on the
remote device where the user resides. The remote engine ID is used to
compute the security digest for authentication and encryption of
packets passed between the switch and the remote user. (See
"Specifying Trap Managers" on page 415 and "Specifying a Remote
Engine ID" on page 401.)
PARAMETERS
These parameters are displayed:
◆
User Name – The name of user connecting to the SNMP agent.
(Range: 1-32 characters)
◆
Group Name – The name of the SNMP group to which the user is
assigned. (Range: 1-32 characters)
◆
Remote IP – The Internet address of the remote device where the
user resides.
◆
Security Model – The user security model; SNMP v1, v2c or v3.
(Default: v3)
– 413 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
◆
Security Level – The following security levels are only used for the
groups assigned to the SNMP security model:
■
■
■
noAuthNoPriv – There is no authentication or encryption used in
SNMP communications. (This is the default security level.)
AuthNoPriv – SNMP communications use authentication, but the
data is not encrypted.
AuthPriv – SNMP communications use both authentication and
encryption.
◆
Authentication Protocol – The method used for user authentication.
(Options: MD5, SHA; Default: MD5)
◆
Authentication Password – A minimum of eight plain text characters
is required.
◆
Privacy Protocol – The encryption algorithm use for data privacy;
only 56-bit DES is currently available.
◆
Privacy Password – A minimum of eight plain text characters is
required.
WEB INTERFACE
To configure a remote SNMPv3 user:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Add SNMPv3 Remote User from the Action list.
4. Enter a name and assign it to a group. Enter the IP address to identify
the source of SNMPv3 inform messages sent from the local switch. If
the security model is set to SNMPv3 and the security level is authNoPriv
or authPriv, then an authentication protocol and password must be
specified. If the security level is authPriv, a privacy password must also
be specified.
5. Click Apply
– 414 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
Figure 235: Configuring Remote SNMPv3 Users
To show remote SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Remote User from the Action list.
Figure 236: Showing Remote SNMPv3 Users
SPECIFYING TRAP Use the Administration > SNMP (Configure Trap) page to specify the host
MANAGERS devices to be sent notifications and the types of notifications to send.
Notifications indicating status changes are issued by the switch to the
specified notification managers. You must specify notification managers so
that key events are reported by this switch to your management station
(using network management software). You can specify up to five
management stations that will receive authentication failure messages and
other notification messages from the switch.
CLI REFERENCES
◆ "snmp-server host" on page 586
◆ "snmp-server enable traps" on page 585
– 415 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
COMMAND USAGE
◆ Notifications are issued by the switch as trap messages by default. The
recipient of a trap message does not send a response to the switch.
Traps are therefore not as reliable as inform messages, which include a
request for acknowledgement of receipt. Informs can be used to ensure
that critical information is received by the host. However, note that
informs consume more system resources because they must be kept in
memory until a response is received. Informs also add to network
traffic. You should consider these effects when deciding whether to
issue notifications as traps or informs.
To send an inform to a SNMPv2c host, complete these steps:
1. Enable the SNMP agent (page 399).
2. Create a view with the required notification messages (page 402).
3. Configure the group (matching the community string specified on
the Configure Trap - Add page) to include the required notify view
(page 405).
4. Enable informs as described in the following pages.
To send an inform to a SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 399).
2. Create a local SNMPv3 user to use in the message exchange
process (page 411). If the user specified in the notification
configuration page does not exist, an SNMPv3 group will be
automatically created using the name of the specified local user,
and default settings for the read, write, and notify view.
3. Create a view with the required notification messages (page 402).
4. Create a group that includes the required notify view (page 405).
5. Enable informs as described in the following pages.
PARAMETERS
These parameters are displayed:
SNMP Version 1
◆
IP Address – IP address of a new management station to receive
notification message (i.e., the targeted recipient).
◆
Version – Specifies whether to send notifications using SNMP v1, v2c,
or v3. (Default: v1)
◆
Community String – Specifies a valid community string for the new
notification manager entry. (Range: 1-32 characters, case sensitive)
Although you can set this string in the Configure Notification – Add
page, we recommend defining it in the Configure User – Add
Community page.
◆
UDP Port – Specifies the UDP port number used by the notification
manager. (Default: 162)
– 416 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
SNMP Version 2c
◆
IP Address – IP address of a new management station to receive
notification message (i.e., the targeted recipient).
◆
Version – Specifies whether to send notifications using SNMP v1, v2c,
or v3.
◆
Notification Type
■
■
◆
Traps – Notifications are sent as trap messages.
Inform – Notifications are sent as inform messages. Note that this
option is only available for version 2c and 3 hosts. (Default: traps
are used)
■
Timeout – The number of seconds to wait for an
acknowledgment before resending an inform message.
(Range: 0-2147483647 centiseconds; Default: 1500
centiseconds)
■
Retry times – The maximum number of times to resend an
inform message if the recipient does not acknowledge receipt.
(Range: 0-255; Default: 3)
Community String – Specifies a valid community string for the new
notification manager entry. (Range: 1-32 characters, case sensitive)
Although you can set this string in the Configure Notification – Add
page, we recommend defining it in the Configure User – Add
Community page.
◆
UDP Port – Specifies the UDP port number used by the notification
manager. (Default: 162)
SNMP Version 3
◆
IP Address – IP address of a new management station to receive
notification message (i.e., the targeted recipient).
◆
Version – Specifies whether to send notifications using SNMP v1, v2c,
or v3.
◆
Notification Type
■
Traps – Notifications are sent as trap messages.
■
Inform – Notifications are sent as inform messages. Note that this
option is only available for version 2c and 3 hosts. (Default: traps
are used)
■
Timeout – The number of seconds to wait for an
acknowledgment before resending an inform message.
(Range: 0-2147483647 centiseconds; Default: 1500
centiseconds)
– 417 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
■
◆
Retry times – The maximum number of times to resend an
inform message if the recipient does not acknowledge receipt.
(Range: 0-255; Default: 3)
Local User Name – The name of a local user which is used to identify
the source of SNMPv3 notification messages sent from the local switch.
(Range: 1-32 characters)
If an account for the specified user has not been created (page 411),
one will be automatically generated.
◆
Remote User Name – The name of a remote user which is used to
identify the source of SNMPv3 inform messages sent from the local
switch. (Range: 1-32 characters)
If an account for the specified user has not been created (page 413),
one will be automatically generated.
◆
UDP Port – Specifies the UDP port number used by the notification
manager. (Default: 162)
◆
Security Level – When notification version 3 is selected, you must
specify one of the following security levels. (Default: noAuthNoPriv)
■
noAuthNoPriv – There is no authentication or encryption used in
SNMP communications.
■
AuthNoPriv – SNMP communications use authentication, but the
data is not encrypted.
■
AuthPriv – SNMP communications use both authentication and
encryption.
WEB INTERFACE
To configure notification managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Add from the Action list.
4. Fill in the required parameters based on the selected SNMP version.
5. Click Apply
– 418 –
CHAPTER 14 | Basic Administration Protocols
Simple Network Management Protocol
Figure 237: Configuring Trap Managers (SNMPv1)
Figure 238: Configuring Trap Managers (SNMPv2c)
Figure 239: Configuring Trap Managers (SNMPv3)
To show configured notification managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
– 419 –
CHAPTER 14 | Basic Administration Protocols
Remote Monitoring
3. Select Show from the Action list.
Figure 240: Showing Notification Managers
REMOTE MONITORING
Remote Monitoring allows a remote device to collect information or
respond to specified events on an independent basis. This switch is an
RMON-capable device which can independently perform a wide range of
tasks, significantly reducing network management traffic. It can
continuously run diagnostics and log information on network performance.
If an event is triggered, it can automatically notify the network
administrator of a failure and provide historical information about the
event. If it cannot connect to the management agent, it will continue to
perform any specified tasks and pass data back to the management station
the next time it is contacted.
The switch supports mini-RMON, which consists of the Statistics, History,
Event and Alarm groups. When RMON is enabled, the system gradually
builds up information about its physical interfaces, storing this information
in the relevant RMON database group. A management agent then
periodically communicates with the switch using the SNMP protocol.
However, if the switch encounters a critical event, it can automatically send
a trap message to the management agent which can then respond to the
event if so configured.
CONFIGURING RMON Use the Administration > RMON (Configure Global - Add - Alarm) page to
ALARMS define specific criteria that will generate response events. Alarms can be
set to test data over any specified time interval, and can monitor absolute
or changing values (such as a statistical counter reaching a specific value,
or a statistic changing by a certain amount over the set interval). Alarms
can be set to respond to rising or falling thresholds. (However, note that
after an alarm is triggered it will not be triggered again until the statistical
value crosses the opposite bounding threshold and then back across the
trigger threshold.
CLI REFERENCES
◆ "Remote Monitoring Commands" on page 601
– 420 –
CHAPTER 14 | Basic Administration Protocols
Remote Monitoring
COMMAND USAGE
◆ If an alarm is already defined for an index, the entry must be deleted
before any changes can be made.
PARAMETERS
These parameters are displayed:
◆
Index – Index to this entry. (Range: 1-65535)
◆
Variable – The object identifier of the MIB variable to be sampled.
Only variables of the type etherStatsEntry.n.n may be sampled.
Note that etherStatsEntry.n uniquely defines the MIB variable, and
etherStatsEntry.n.n defines the MIB variable, plus the etherStatsIndex.
For example, 1.3.6.1.2.1.16.1.1.1.6.1 denotes
etherStatsBroadcastPkts, plus the etherStatsIndex of 1.
◆
Interval – The polling interval. (Range: 1-31622400 seconds)
◆
Sample Type – Tests for absolute or relative changes in the specified
variable.
■
Absolute – The variable is compared directly to the thresholds at
the end of the sampling period.
■
Delta – The last sample is subtracted from the current value and
the difference is then compared to the thresholds.
◆
Rising Threshold – If the current value is greater than or equal to the
rising threshold, and the last sample value was less than this threshold,
then an alarm will be generated. After a rising event has been
generated, another such event will not be generated until the sampled
value has fallen below the rising threshold, reaches the falling
threshold, and again moves back up to the rising threshold.
(Range: 0-2147483647)
◆
Rising Event Index – The index of the event to use if an alarm is
triggered by monitored variables reaching or crossing above the rising
threshold. If there is no corresponding entry in the event control table,
then no event will be generated. (Range: 0-65535)
◆
Falling Threshold – If the current value is less than or equal to the
falling threshold, and the last sample value was greater than this
threshold, then an alarm will be generated. After a falling event has
been generated, another such event will not be generated until the
sampled value has risen above the falling threshold, reaches the rising
threshold, and again moves back down to the failing threshold.
(Range: 0-2147483647)
◆
Falling Event Index – The index of the event to use if an alarm is
triggered by monitored variables reaching or crossing below the falling
threshold. If there is no corresponding entry in the event control table,
then no event will be generated. (Range: 0-65535)
– 421 –
CHAPTER 14 | Basic Administration Protocols
Remote Monitoring
◆
Owner – Name of the person who created this entry. (Range: 1-127
characters)
WEB INTERFACE
To configure an RMON alarm:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Click Alarm.
5. Enter an index number, the MIB object to be polled
(etherStatsEntry.n.n), the polling interval, the sample type, the
thresholds, and the event to trigger.
6. Click Apply
Figure 241: Configuring an RMON Alarm
To show configured RMON alarms:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Alarm.
– 422 –
CHAPTER 14 | Basic Administration Protocols
Remote Monitoring
Figure 242: Showing Configured RMON Alarms
CONFIGURING RMON Use the Administration > RMON (Configure Global - Add - Event) page to
EVENTS set the action to take when an alarm is triggered. The response can include
logging the alarm or sending a message to a trap manager. Alarms and
corresponding events provide a way of immediately responding to critical
network problems.
CLI REFERENCES
◆ "Remote Monitoring Commands" on page 601
COMMAND USAGE
◆ If an alarm is already defined for an index, the entry must be deleted
before any changes can be made.
◆
One default event is configured as follows:
event Index = 1
Description: RMON_TRAP_LOG
Event type: log & trap
Event community name is public
Owner is RMON_SNMP
PARAMETERS
These parameters are displayed:
◆
Index – Index to this entry. (Range: 1-65535)
◆
Type – Specifies the type of event to initiate:
■
■
■
None – No event is generated.
Log – Generates an RMON log entry when the event is triggered.
Log messages are processed based on the current configuration
settings for event logging (see "System Log Configuration" on
page 369).
Trap – Sends a trap message to all configured trap managers (see
"Specifying Trap Managers" on page 415).
– 423 –
CHAPTER 14 | Basic Administration Protocols
Remote Monitoring
■
◆
Log and Trap – Logs the event and sends a trap message.
Community – A password-like community string sent with the trap
operation to SNMP v1 and v2c hosts.
Although the community string can be set on this configuration page, it
is recommended that it be defined on the SNMP trap configuration page
(see "Setting Community Access Strings" on page 410) prior to
configuring it here. (Range: 1-127 characters)
◆
Description – A comment that describes this event. (Range: 1-127
characters)
◆
Owner – Name of the person who created this entry. (Range: 1-127
characters)
WEB INTERFACE
To configure an RMON event:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Click Event.
5. Enter an index number, the type of event to initiate, the community
string to send with trap messages, the name of the person who created
this event, and a brief description of the event.
6. Click Apply
Figure 243: Configuring an RMON Event
To show configured RMON events:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
– 424 –
CHAPTER 14 | Basic Administration Protocols
Remote Monitoring
3. Select Show from the Action list.
4. Click Event.
Figure 244: Showing Configured RMON Events
CONFIGURING RMON Use the Administration > RMON (Configure Interface - Add - History) page
HISTORY SAMPLES to collect statistics on a physical interface to monitor network utilization,
packet types, and errors. A historical record of activity can be used to track
down intermittent problems. The record can be used to establish normal
baseline activity, which may reveal problems associated with high traffic
levels, broadcast storms, or other unusual events. It can also be used to
predict network growth and plan for expansion before your network
becomes too overloaded.
CLI REFERENCES
◆ "Remote Monitoring Commands" on page 601
COMMAND USAGE
◆ Each index number equates to a port on the switch.
◆
If history collection is already enabled on an interface, the entry must
be deleted before any changes can be made.
◆
The information collected for each sample includes:
input octets, packets, broadcast packets, multicast packets, undersize
packets, oversize packets, fragments, jabbers, CRC alignment errors,
collisions, drop events, and network utilization.
For a description of the statistics displayed on the Show Details page,
refer to "Showing Port or Trunk Statistics" on page 138.
◆
The switch reserves two index entries for each port. If a default index
entry is re-assigned to another port using the Add page, this index will
not appear in the Show nor Show Details page for the port to which is
normally assigned. For example, if control entry 15 is assigned to port
5, this index entry will be removed from the Show and Show Details
page for port 8.
– 425 –
CHAPTER 14 | Basic Administration Protocols
Remote Monitoring
PARAMETERS
These parameters are displayed:
◆
Port – The port number on the switch.
◆
Index - Index to this entry. (Range: 1-65535)
◆
Interval - The polling interval. (Range: 1-3600 seconds; Default: 1800
seconds)
◆
Buckets - The number of buckets requested for this entry.
(Range: 1-65536; Default: 8)
The number of buckets granted are displayed on the Show page.
◆
Owner - Name of the person who created this entry. (Range: 1-127
characters)
WEB INTERFACE
To periodically sample statistics on a port:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Add from the Action list.
4. Click History.
5. Select a port from the list as the data source.
6. Enter an index number, the sampling interval, the number of buckets to
use, and the name of the owner for this entry.
7. Click Apply
Figure 245: Configuring an RMON History Sample
– 426 –
CHAPTER 14 | Basic Administration Protocols
Remote Monitoring
To show configured RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click History.
Figure 246: Showing Configured RMON History Samples
To show collected RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click History.
– 427 –
CHAPTER 14 | Basic Administration Protocols
Remote Monitoring
Figure 247: Showing Collected RMON History Samples
CONFIGURING RMON Use the Administration > RMON (Configure Interface - Add - Statistics)
STATISTICAL SAMPLES page to collect statistics on a port, which can subsequently be used to
monitor the network for common errors and overall traffic rates.
CLI REFERENCES
◆ "Remote Monitoring Commands" on page 601
COMMAND USAGE
◆ If statistics collection is already enabled on an interface, the entry must
be deleted before any changes can be made.
◆
The information collected for each entry includes:
input octets, packets, broadcast packets, multicast packets, undersize
packets, oversize packets, CRC alignment errors, jabbers, fragments,
collisions, drop events, and frames of various sizes.
PARAMETERS
These parameters are displayed:
◆
Port – The port number on the switch.
◆
Index - Index to this entry. (Range: 1-65535)
◆
Owner - Name of the person who created this entry. (Range: 1-127
characters)
WEB INTERFACE
To enable regular sampling of statistics on a port:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Add from the Action list.
– 428 –
CHAPTER 14 | Basic Administration Protocols
Remote Monitoring
4. Click Statistics.
5. Select a port from the list as the data source.
6. Enter an index number, and the name of the owner for this entry
7. Click Apply
Figure 248: Configuring an RMON Statistical Sample
To show configured RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click Statistics.
Figure 249: Showing Configured RMON Statistical Samples
To show collected RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
– 429 –
CHAPTER 14 | Basic Administration Protocols
Switch Clustering
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click Statistics.
Figure 250: Showing Collected RMON Statistical Samples
SWITCH CLUSTERING
Switch clustering is a method of grouping switches together to enable
centralized management through a single unit. Switches that support
clustering can be grouped together regardless of physical location or switch
type, as long as they are connected to the same local network.
COMMAND USAGE
◆ A switch cluster has a “Commander” unit that is used to manage all
other “Member” switches in the cluster. The management station can
use either Telnet or the web interface to communicate directly with the
Commander through its IP address, and then use the Commander to
manage Member switches using the cluster’s “internal” IP addresses.
◆
Clustered switches must be in the same Ethernet broadcast domain. In
other words, clustering only functions for switches which can pass
information between the Commander and potential Candidates or
active Members through VLAN 4093.
◆
Once a switch has been configured to be a cluster Commander, it
automatically discovers other cluster-enabled switches in the network.
These “Candidate” switches only become cluster Members when
– 430 –
CHAPTER 14 | Basic Administration Protocols
Switch Clustering
manually selected by the administrator through the management
station.
◆
There can be up to 100 candidates and 36 member switches in one
cluster.
◆
A switch can only be a member of one cluster.
◆
The cluster VLAN 4093 is not configured by default. Before using
clustering, take the following actions to set up this VLAN:
1. Create VLAN 4093 (see "Configuring VLAN Groups" on page 170).
2. Add the participating ports to this VLAN (see "Adding Static
Members to VLANs" on page 171), and set them to hybrid mode,
tagged members, PVID = 1, and acceptable frame type = all.
◆
After the Commander and Members have been configured, any switch
in the cluster can be managed from the web agent by choosing the
desired Member ID from the Show Member page.
CONFIGURING Use the Administration > Cluster (Configure Global) page to create a
GENERAL SETTINGS switch cluster.
FOR CLUSTERS
CLI REFERENCES
◆ "Switch Clustering" on page 575
COMMAND USAGE
First be sure that clustering is enabled on the switch (the default is
disabled), then set the switch as a Cluster Commander. Set a Cluster IP
Pool that does not conflict with the network IP subnet. Cluster IP addresses
are assigned to switches when they become Members and are used for
communication between Member switches and the Commander.
PARAMETERS
These parameters are displayed:
◆
Cluster Status – Enables or disables clustering on the switch.
(Default: Disabled)
◆
Commander Status – Enables or disables the switch as a cluster
Commander. (Default: Disabled)
◆
IP Pool – An “internal” IP address pool that is used to assign IP
addresses to Member switches in the cluster. Internal cluster IP
addresses are in the form 10.x.x.member-ID. Only the base IP address
of the pool needs to be set since Member IDs can only be between 1
and 36. Note that you cannot change the cluster IP pool when the
switch is currently in Commander mode. Commander mode must first
be disabled. (Default: 10.254.254.1)
◆
Role – Indicates the current role of the switch in the cluster; either
Commander, Member, or Candidate. (Default: Candidate)
– 431 –
CHAPTER 14 | Basic Administration Protocols
Switch Clustering
◆
Number of Members – The current number of Member switches in the
cluster.
◆
Number of Candidates – The current number of Candidate switches
discovered in the network that are available to become Members.
WEB INTERFACE
To configure a switch cluster:
1. Click Administration, Cluster.
2. Select Configure Global from the Step list.
3. Set the required attributes for a Commander or a managed candidate.
4. Click Apply
Figure 251: Configuring a Switch Cluster
CLUSTER MEMBER Use the Administration > Cluster (Configure Member - Add) page to add
CONFIGURATION Candidate switches to the cluster as Members.
CLI REFERENCES
◆ "Switch Clustering" on page 575
PARAMETERS
These parameters are displayed:
◆
Member ID – Specify a Member ID number for the selected Candidate
switch. (Range: 1-36)
◆
MAC Address – Select a discovered switch MAC address from the
Candidate Table, or enter a specific MAC address of a known switch.
– 432 –
CHAPTER 14 | Basic Administration Protocols
Switch Clustering
WEB INTERFACE
To configure cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Add from the Action list.
4. Select one of the cluster candidates discovered by this switch, or enter
the MAC address of a candidate.
5. Click Apply.
Figure 252: Configuring a Cluster Members
To show the cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Show from the Action list.
Figure 253: Showing Cluster Members
To show cluster candidates:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Show Candidate from the Action list.
– 433 –
CHAPTER 14 | Basic Administration Protocols
Switch Clustering
Figure 254: Showing Cluster Candidates
MANAGING CLUSTER Use the Administration > Cluster (Show Member) page to manage another
MEMBERS switch in the cluster.
CLI REFERENCES
◆ "Switch Clustering" on page 575
PARAMETERS
These parameters are displayed:
Member ID – The ID number of the Member switch. (Range: 1-36)
Role – Indicates the current status of the switch in the cluster.
IP Address – The internal cluster IP address assigned to the Member
switch.
MAC Address – The MAC address of the Member switch.
Description – The system description string of the Member switch.
Operate – Remotely manage a cluster member.
WEB INTERFACE
To manage a cluster member:
1. Click Administration, Cluster.
2. Select Show Member from the Step list.
3. Select an entry from the Cluster Member List.
4. Click Operate.
– 434 –
CHAPTER 14 | Basic Administration Protocols
Setting A Time Range
Figure 255: Managing a Cluster Member
SETTING A TIME RANGE
Use the Administration > Time Range page to sets a time range for ACLs.
CLI REFERENCES
◆ "Time Range" on page 572
COMMAND USAGE
If both an absolute rule and one or more periodic rules are configured for
the same time range (i.e., named entry), that entry will only take effect if
the current time is within the absolute time range and one of the periodic
time ranges.
PARAMETERS
These parameters are displayed:
Add
◆
Time-Range Name – Name of a time range. (Range: 1-16 characters)
Add Rule
◆
Time-Range – Name of a time range.
◆
Mode
■
Absolute – Specifies a specific time or time range.
■
■
Start/End – Specifies the hours, minutes, month, day, and year
at which to start or end.
Periodic – Specifies a periodic interval.
■
Start/To – Specifies the days of the week, hours, and minutes
at which to start or end.
– 435 –
CHAPTER 14 | Basic Administration Protocols
Setting A Time Range
WEB INTERFACE
To configure a time range:
1. Click Administration, Time Range.
2. Select Add from the Action list.
3. Enter the name of a time range.
4. Click Apply.
Figure 256: Setting the Name of a Time Range
To show a list of time ranges:
1. Click Administration, Time Range.
2. Select Show from the Action list.
Figure 257: Showing a List of Time Ranges
To configure a rule for a time range:
1. Click Administration, Time Range.
2. Select Add Rule from the Action list.
3. Select the name of time range from the drop-down list.
4. Select a mode option of Absolute or Periodic.
5. Fill in the required parameters for the selected mode.
6. Click Apply.
– 436 –
CHAPTER 14 | Basic Administration Protocols
Setting A Time Range
Figure 258: Add a Rule to a Time Range
To show the rules configured for a time range:
1. Click Administration, Time Range.
2. Select Show Rule from the Action list.
Figure 259: Showing the Rules Configured for a Time Range
– 437 –
CHAPTER 14 | Basic Administration Protocols
Setting A Time Range
– 438 –
15
IP CONFIGURATION
This chapter describes how to configure an IP interface for management
access to the switch over the network. This switch supports both IP Version
4 and Version 6, and can be managed simultaneously through either of
these address types. You can manually configure a specific IPv4 or IPv6
address or direct the switch to obtain an IPv4 address from a BOOTP or
DHCP server when it is powered on. An IPv6 address can either be
manually configured or dynamically generated.
This chapter provides information on network functions including:
◆
Ping – Sends ping message to another node on the network.
◆
Address Resolution Protocol – Specifies the timeout for ARP cache
entries. Also shows how to display the ARP cache.
◆
IPv4 Configuration – Sets an IPv4 address for management access.
◆
IPv6 Configuration – Sets an IPv6 address for management access.
USING THE PING FUNCTION
Use the IP > General > Ping page to send ICMP echo request packets to
another node on the network.
CLI REFERENCES
◆ "ping" on page 967
PARAMETERS
These parameters are displayed:
◆
Host Name/IP Address – Specifies the host name (that is, alias) or
IPv4/IPv6 address of the target.
For host name-to-IP address translation to function properly, host name
lookup must be enabled ("Configuring General DNS Service
Parameters" on page 463), and one or more DNS servers specified (see
"Configuring a List of Name Servers" on page 466, or "Configuring
Static DNS Host to Address Entries" on page 467).
◆
Probe Count – Number of packets to send. (Range: 1-16)
◆
Packet Size – Number of bytes in a packet. (Range: 32-512 bytes)
The actual packet size will be eight bytes larger than the size specified
because the switch adds header information.
– 439 –
CHAPTER 15 | IP Configuration
Using the Ping Function
COMMAND USAGE
◆ Use the ping command to see if another site on the network can be
reached.
◆
The following are some results of the ping command:
■
Normal response - The normal response occurs in one to ten
seconds, depending on network traffic.
■
Destination does not respond - If the host does not respond, a
“timeout” appears in ten seconds.
■
Destination unreachable - The gateway for this destination indicates
that the destination is unreachable.
■
Network or host unreachable - The gateway found no corresponding
entry in the route table.
WEB INTERFACE
To ping another device on the network:
1. Click IP, General, Ping.
2. Specify the target device and ping parameters.
3. Click Apply.
Figure 260: Pinging a Network Device
– 440 –
CHAPTER 15 | IP Configuration
Address Resolution Protocol
ADDRESS RESOLUTION PROTOCOL
The switch uses Address Resolution Protocol (ARP) to forward traffic from
one hop to the next. ARP is used to map an IP address to a physical layer
(i.e., MAC) address. When an IP frame is received by this switch (or any
standards-based switch/router), it first looks up the MAC address
corresponding to the destination IP address in the ARP cache. If the
address is found, the switch writes the MAC address into the appropriate
field in the frame header, and forwards the frame on to the next hop. IP
traffic passes along the path to its final destination in this way, with each
routing device mapping the destination IP address to the MAC address of
the next hop toward the recipient, until the packet is delivered to the final
destination.
If there is no entry for an IP address in the ARP cache, the switch will
broadcast an ARP request packet to all devices on the network. The ARP
request contains the following fields similar to that shown in this example:
Table 33: Address Resolution Protocol
destination IP address
10.1.0.19
destination MAC address ?
source IP address
10.1.0.253
source MAC address
00-00-ab-cd-00-00
When devices receive this request, they discard it if their address does not
match the destination IP address in the message. However, if it does
match, they write their own hardware address into the destination MAC
address field and send the message back to the source hardware address.
When the source device receives a reply, it writes the destination IP
address and corresponding MAC address into its cache, and forwards the IP
traffic on to the next hop. As long as this entry has not timed out, the
switch will be able forward traffic directly to the next hop for this
destination without having to broadcast another ARP request.
Also, if the switch receives a request for its own IP address, it will send
back a response, and also cache the MAC of the source device's IP address.
SETTING THE ARP Use the IP > ARP (Configure General) page to specify the timeout for ARP
TIMEOUT cache entries.
CLI REFERENCES
◆ "arp timeout" on page 968
PARAMETERS
These parameters are displayed:
◆
Timeout – Sets the aging time for dynamic entries in the ARP cache.
(Range: 300 - 86400 seconds; Default: 1200 seconds or 20 minutes)
The ARP aging timeout can only be set globally for all VLANs.
– 441 –
CHAPTER 15 | IP Configuration
Address Resolution Protocol
The aging time determines how long dynamic entries remain in the
cache. If the timeout is too short, the switch may tie up resources by
repeating ARP requests for addresses recently flushed from the table.
When a ARP entry expires, it is deleted from the cache and an ARP
request packet is sent to re-establish the MAC address.
WEB INTERFACE
To configure the timeout for the ARP cache:
1. Click IP, ARP.
2. Select Configure General from the Step List.
3. Set the timeout to a suitable value for the ARP cache.
4. Click Apply.
Figure 261: Setting the ARP Timeout
DISPLAYING ARP Use the IP > ARP (Show Information) page to display dynamic or local
ENTRIES entries in the ARP cache. The ARP cache contains entries for local interfaces,
including subnet, host, and broadcast addresses. However, most entries will
be dynamically learned through replies to broadcast messages.
CLI REFERENCES
◆ "show arp" on page 969
◆ "clear arp-cache" on page 969
WEB INTERFACE
To display all entries in the ARP cache:
1. Click IP, ARP.
2. Select Show Information from the Step List.
Figure 262: Displaying ARP Entries
– 442 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 4)
SETTING THE SWITCH’S IP ADDRESS (IP VERSION 4)
Use the System > IP page to configure an IPv4 address for management
access over the network. This switch supports both IPv4 and IPv6, and can
be managed through either of these address types. For information on
configuring the switch with an IPv6 address, see "Setting the Switch’s IP
Address (IP Version 6)" on page 445.
You can direct the device to obtain an address from a BOOTP or DHCP
server, or manually configure a static IP address. Valid IP addresses consist
of four decimal numbers, 0 to 255, separated by periods. Anything other
than this format will not be accepted.
To configure an address compatible with your network, you may need to
change the switch’s default settings. You may also need to a establish a
default gateway between the switch and management stations that exist
on another network segment.
CLI REFERENCES
◆ "DHCP Client" on page 955
◆ "Basic IPv4 Configuration" on page 962
PARAMETERS
These parameters are displayed:
◆
Management VLAN – ID of the configured VLAN (1-4093). By default,
all ports on the switch are members of VLAN 1. However, the
management station can be attached to a port belonging to any VLAN,
as long as that VLAN has been assigned an IP address.
◆
IP Address Mode – Specifies whether IP functionality is enabled via
manual configuration (Static), Dynamic Host Configuration Protocol
(DHCP), or Boot Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will
not function until a reply has been received from the server. Requests
will be broadcast periodically by the switch for an IP address. DHCP/
BOOTP responses can include the IP address, subnet mask, and default
gateway. (Default: DHCP)
◆
IP Address – Address of the VLAN to which the management station is
attached. Valid IP addresses consist of four numbers, 0 to 255,
separated by periods. (Default: None)
◆
Subnet Mask – This mask identifies the host address bits used for
routing to specific subnets. (Default: None)
◆
Gateway IP Address – IP address of the gateway router between the
switch and management stations that exist on other network
segments. (Default: 0.0.0.0)
◆
MAC Address – The physical layer address for this switch.
◆
Restart DHCP – Requests a new IP address from the DHCP server.
– 443 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 4)
WEB INTERFACE
To set a static address for the switch:
1. Click System, IP.
2. Select the VLAN through which the management station is attached,
set the IP Address Mode to “Static,” enter the IP address, subnet mask
and gateway.
3. Click Apply.
Figure 263: Configuring a Static IPv4 Address
To obtain an dynamic address through DHCP/BOOTP for the switch:
1. Click System, IP.
2. Select the VLAN through which the management station is attached,
set the IP Address Mode to “DHCP” or “BOOTP.”
3. Click Apply to save your changes.
4. Then click Restart DHCP to immediately request a new address.
Figure 264: Configuring a Dynamic IPv4 Address
– 444 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
NOTE: The switch will also broadcast a request for IP configuration settings
on each power reset.
NOTE: If you lose the management connection, make a console connection
to the switch and enter “show ip interface” to determine the new switch
address.
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for
a specific period of time. If the address expires or the switch is moved to
another network segment, you will lose management access to the switch.
In this case, you can reboot the switch or submit a client request to restart
DHCP service via the CLI.
If the address assigned by DHCP is no longer functioning, you will not be
able to renew the IP settings via the web interface. You can only restart
DHCP service via the web interface if the current address is still available.
SETTING THE SWITCH’S IP ADDRESS (IP VERSION 6)
This section describes how to configure an IPv6 interface for management
access over the network. This switch supports both IPv4 and IPv6, and can
be managed through either of these address types. For information on
configuring the switch with an IPv4 address, see "Setting the Switch’s IP
Address (IP Version 4)" on page 443.
COMMAND USAGE
◆ IPv6 includes two distinct address types – link-local unicast and global
unicast. A link-local address makes the switch accessible over IPv6 for
all devices attached to the same local subnet. Management traffic using
this kind of address cannot be passed by any router outside of the
subnet. A link-local address is easy to set up, and may be useful for
simple networks or basic troubleshooting tasks. However, to connect to
a larger network with multiple segments, the switch must be configured
with a global unicast address. Both link-local and global unicast address
types can either be dynamically assigned (using the Configure Interface
page) or manually configured (using the Add IPv6 Address page).
CONFIGURING THE Use the IP > IPv6 Configuration (Configure Global) page to configure an
IPV6 DEFAULT IPv6 default gateway for the switch.
GATEWAY
CLI REFERENCES
◆ "ipv6 default-gateway" on page 971
PARAMETERS
These parameters are displayed:
◆
Default Gateway – Sets the IPv6 address of the default next hop
router.
– 445 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
■
■
An IPv6 default gateway must be defined if the management station
is located in a different IPv6 segment.
An IPv6 default gateway can only be successfully set when a
network interface that directly connects to the gateway has been
configured on the switch.
WEB INTERFACE
To configure an IPv6 default gateway for the switch:
1. Click IP, IPv6 Configuration.
2. Select Configure Global from the Action list.
3. Enter the IPv6 default gateway.
4. Click Apply.
Figure 265: Configuring the IPv6 Default Gateway
CONFIGURING IPV6 Use the IP > IPv6 Configuration (Configure Interface) page to configure
INTERFACE SETTINGS general IPv6 settings for the selected VLAN, including auto-configuration of
a global unicast interface address, and explicit configuration of a link local
interface address.
CLI REFERENCES
◆ "IPv6 Interface" on page 970
◆ "DHCP Client" on page 955
COMMAND USAGE
◆ The switch must always be configured with a link-local address. The
switch’s address auto-configuration function will automatically create a
link-local address, as well as an IPv6 global address if router
advertisements are detected on the local interface.
◆
The option to explicitly enable IPv6 will also create a link-local address,
but will not generate a global IPv6 address if auto-configuration is not
enabled. In this case, you must manually configure an address (see
"Configuring an IPv6 Address" on page 450).
– 446 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
PARAMETERS
These parameters are displayed:
◆
VLAN – ID of a configured VLAN which is to be used for management
access. By default, all ports on the switch are members of VLAN 1.
However, the management station can be attached to a port belonging
to any VLAN, as long as that VLAN has been assigned an IP address.
(Range: 1-4093)
◆
Address Autoconfig – Enables stateless autoconfiguration of an IPv6
address on an interface and enables IPv6 functionality on that
interface. The network portion of the address is based on prefixes
received in IPv6 router advertisement messages, and the host portion
is automatically generated using the modified EUI-64 form of the
interface identifier (i.e., the switch’s MAC address).
◆
■
If a link local address has not yet been assigned to this interface,
this command will dynamically generate one. The link-local address
is made with an address prefix in the range of FE80~FEBF and a
host portion based the switch’s MAC address in modified EUI-64
format. It will also generate a global unicast address if a global
prefix is included in received router advertisements.
■
When DHCPv6 is restarted, the switch may attempt to acquire an IP
address prefix through stateful address autoconfiguration. If the
router advertisements have the “other stateful configuration” flag
set, the switch will attempt to acquire other non-address
configuration information (such as a default gateway).
■
If auto-configuration is not selected, then an address must be
manually configured using the Add Interface page described below.
Enable IPv6 Explicitly – Enables IPv6 on an interface. Note that
when an explicit address is assigned to an interface, IPv6 is
automatically enabled, and cannot be disabled until all assigned
addresses have been removed. (Default: Disabled)
Disabling this parameter does not disable IPv6 for an interface that has
been explicitly configured with an IPv6 address.
◆
MTU – Sets the size of the maximum transmission unit (MTU) for IPv6
packets sent on an interface. (Range: 1280-65535 bytes;
Default: 1500 bytes)
■
The maximum value set in this field cannot exceed the MTU of the
physical interface, which is currently fixed at 1500 bytes.
■
IPv6 routers do not fragment IPv6 packets forwarded from other
routers. However, traffic originating from an end-station connected
to an IPv6 router may be fragmented.
■
All devices on the same physical medium must use the same MTU in
order to operate correctly.
■
IPv6 must be enabled on an interface before the MTU can be set. If
an IPv6 address has not been assigned to the switch, “N/A” is
displayed in the MTU field.
– 447 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
◆
ND DAD Attempts – The number of consecutive neighbor solicitation
messages sent on an interface during duplicate address detection.
(Range: 0-600, Default: 3)
■
■
■
◆
Configuring a value of 0 disables duplicate address detection.
Duplicate address detection determines if a new unicast IPv6
address already exists on the network before it is assigned to an
interface.
Duplicate address detection is stopped on any interface that has
been suspended (see "Configuring VLAN Groups" on page 170).
While an interface is suspended, all unicast IPv6 addresses assigned
to that interface are placed in a “pending” state. Duplicate address
detection is automatically restarted when the interface is
administratively re-activated.
■
An interface that is re-activated restarts duplicate address detection
for all unicast IPv6 addresses on the interface. While duplicate
address detection is performed on the interface’s link-local address,
the other IPv6 addresses remain in a “tentative” state. If no
duplicate link-local address is found, duplicate address detection is
started for the remaining IPv6 addresses.
■
If a duplicate address is detected, it is set to “duplicate” state, and a
warning message is sent to the console. If a duplicate link-local
address is detected, IPv6 processes are disabled on the interface. If
a duplicate global unicast address is detected, it is not used. All
configuration commands associated with a duplicate address remain
configured while the address is in “duplicate” state.
■
If the link-local address for an interface is changed, duplicate
address detection is performed on the new link-local address, but
not for any of the IPv6 global unicast addresses already associated
with the interface.
ND NS Interval – The interval between transmitting IPv6 neighbor
solicitation messages on an interface. (Range: 1000-3600000
milliseconds;
Default: 1000 milliseconds is used for neighbor discovery operations,
0 milliseconds is advertised in router advertisements.
This attribute specifies the interval between transmitting neighbor
solicitation messages when resolving an address, or when probing the
reachability of a neighbor. Therefore, avoid using very short intervals
for normal IPv6 operations.
◆
Restart DHCPv6 – When DHCPv6 is restarted, the switch may attempt
to acquire an IP address prefix through stateful address
autoconfiguration. If the router advertisements have the “other stateful
configuration” flag set, the switch may also attempt to acquire other
non-address configuration information (such as a default gateway)
when DHCPv6 is restarted.
Prior to submitting a client request to a DHCPv6 server, the switch
should be configured with a link-local address using the Address
Autoconfig option. The state of the Managed Address Configuration flag
– 448 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
(M flag) and Other Stateful Configuration flag (O flag) received in
Router Advertisement messages will determine the information this
switch should attempt to acquire from the DHCPv6 server as described
below.
■
Both M and O flags are set to 1:
DHCPv6 is used for both address and other configuration settings.
This combination is known as DHCPv6 stateful autoconfiguration, in
which a DHCPv6 server assigns stateful addresses to IPv6 hosts.
■
The M flag is set to 0, and the O flag is set to 1:
DHCPv6 is used only for other configuration settings.
Neighboring routers are configured to advertise non-link-local
address prefixes from which IPv6 hosts derive stateless addresses.
This combination is known as DHCPv6 stateless autoconfiguration,
in which a DHCPv6 server does not assign stateful addresses to
IPv6 hosts, but does assign stateless configuration settings.
WEB INTERFACE
To general IPv6 settings for the switch:
1. Click IP, IPv6 Configuration.
2. Select Configure Interface from the Action list.
3. Specify the VLAN to configure, enable address auto-configuration, or
enable IPv6 explicitly to automatically configure a link-local address
and enable IPv6 on the selected interface. Set the MTU size, the
maximum number of duplicate address detection messages, and the
neighbor solicitation message interval.
4. Click Apply.
Figure 266: Configuring General Settings for an IPv6 Interface
– 449 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
CONFIGURING AN IPV6 Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an
ADDRESS IPv6 interface for management access over the network.
CLI REFERENCES
◆ "IPv6 Interface" on page 970
COMMAND USAGE
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6
Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal
values. One double colon may be used in the address to indicate the
appropriate number of zeros required to fill the undefined fields.
◆
The switch must always be configured with a link-local address.
Therefore any configuration process that enables IPv6 functionality, or
assigns a global unicast address to the switch, including address autoconfiguration or explicitly enabling IPv6 (see "Configuring IPv6
Interface Settings" on page 446), will also automatically generate a
link-local unicast address. The prefix length for a link-local address is
fixed at 64 bits, and the host portion of the default address is based on
the modified EUI-64 (Extended Universal Identifier) form of the
interface identifier (i.e., the physical MAC address). Alternatively, you
can manually configure the link-local address by entering the full
address with the network prefix in the range of FE80~FEBF.
◆
To connect to a larger network with multiple subnets, you must
configure a global unicast address. There are several alternatives to
configuring this address type:
■
The global unicast address can be automatically configured by
taking the network prefix from router advertisements observed on
the local interface, and using the modified EUI-64 form of the
interface identifier to automatically create the host portion of the
address (see "Configuring IPv6 Interface Settings" on page 446).
■
It can be manually configured by specifying the entire network
prefix and prefix length, and using the EUI-64 form of the interface
identifier to automatically create the low-order 64 bits in the host
portion of the address.
■
You can also manually configure the global unicast address by
entering the full address and prefix length.
◆
You can configure multiple IPv6 global unicast addresses per interface,
but only one link-local address per interface.
◆
If a duplicate link-local address is detected on the local segment, this
interface is disabled and a warning message displayed on the console.
If a duplicate global unicast address is detected on the network, the
address is disabled on this interface and a warning message displayed
on the console.
◆
When an explicit address is assigned to an interface, IPv6 is
automatically enabled, and cannot be disabled until all assigned
addresses have been removed.
– 450 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
PARAMETERS
These parameters are displayed:
◆
VLAN – ID of a configured VLAN which is to be used for management
access. By default, all ports on the switch are members of VLAN 1.
However, the management station can be attached to a port belonging
to any VLAN, as long as that VLAN has been assigned an IP address.
(Range: 1-4093)
◆
Address Type – Defines the address type configured for this interface.
■
Global – Configures an IPv6 global unicast address with a full IPv6
address including the network prefix and host address bits, followed
by a forward slash, and a decimal value indicating how many
contiguous bits (from the left) of the address comprise the prefix
(i.e., the network portion of the address).
■
EUI-64 (Extended Universal Identifier) – Configures an IPv6
address for an interface using an EUI-64 interface ID in the low
order 64 bits.
■
When using EUI-64 format for the low-order 64 bits in the host
portion of the address, the value entered in the IPv6 Address
field includes the network portion of the address, and the prefix
length indicates how many contiguous bits (starting at the left)
of the address comprise the prefix (i.e., the network portion of
the address). Note that the value specified in the IPv6 Address
field may include some of the high-order host bits if the
specified prefix length is less than 64 bits. If the specified prefix
length exceeds 64 bits, then the bits used in the network portion
of the address will take precedence over the interface identifier.
■
IPv6 addresses are 16 bytes long, of which the bottom 8 bytes
typically form a unique host identifier based on the device’s MAC
address. The EUI-64 specification is designed for devices that
use an extended 8-byte MAC address. For devices that still use a
6-byte MAC address (also known as EUI-48 format), it must be
converted into EUI-64 format by inverting the universal/local bit
in the address and inserting the hexadecimal number FFFE
between the upper and lower three bytes of the MAC address.
For example, if a device had an EUI-48 address of 28-9F-18-1C82-35, the global/local bit must first be inverted to meet EUI-64
requirements (i.e., 1 for globally defined addresses and 0 for
locally defined addresses), changing 28 to 2A. Then the two
bytes FFFE are inserted between the OUI (i.e., organizationally
unique identifier, or company identifier) and the rest of the
address, resulting in a modified EUI-64 interface identifier of 2A9F-18-FF-FE-1C-82-35.
■
This host addressing method allows the same interface identifier
to be used on multiple IP interfaces of a single device, as long as
those interfaces are attached to different subnets.
– 451 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
■
Link Local – Configures an IPv6 link-local address.
■
The address prefix must be in the range of FE80~FEBF.
■
You can configure only one link-local address per interface.
■
◆
The specified address replaces a link-local address that was
automatically generated for the interface.
IPv6 Address – IPv6 address assigned to this interface.
WEB INTERFACE
To configure an IPv6 address:
1. Click IP, IPv6 Configuration.
2. Select Add IPv6 Address from the Action list.
3. Specify the VLAN to configure, select the address type, and then enter
an IPv6 address and prefix length.
4. Click Apply.
Figure 267: Configuring an IPv6 Address
SHOWING IPV6 Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the
ADDRESSES IPv6 addresses assigned to an interface.
CLI REFERENCES
◆ "show ipv6 interface" on page 980
PARAMETERS
These parameters are displayed:
◆
VLAN – ID of a configured VLAN which is to be used for management
access. By default, all ports on the switch are members of VLAN 1.
However, the management station can be attached to a port belonging
to any VLAN, as long as that VLAN has been assigned an IP address.
(Range: 1-4093)
◆
IP Address Type – The address type (Global, EUI-64, Link Local).
– 452 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
◆
IP Address – An IPv6 address assigned to this interface.
In addition to the unicast addresses assigned to an interface, a host is
also required to listen to the all-nodes multicast addresses FF01::1
(interface-local scope) and FF02::1 (link-local scope).
FF01::1/16 is the transient interface-local multicast address for all
attached IPv6 nodes, and FF02::1/16 is the link-local multicast address
for all attached IPv6 nodes. The interface-local multicast address is
only used for loopback transmission of multicast traffic. Link-local
multicast addresses cover the same types as used by link-local unicast
addresses, including all nodes (FF02::1), all routers (FF02::2), and
solicited nodes (FF02::1:FFXX:XXXX) as described below.
A node is also required to compute and join the associated solicitednode multicast addresses for every unicast and anycast address it is
assigned. IPv6 addresses that differ only in the high-order bits, e.g.
due to multiple high-order prefixes associated with different
aggregations, will map to the same solicited-node address, thereby
reducing the number of multicast addresses a node must join. In this
example, FF02::1:FF90:0/104 is the solicited-node multicast address
which is formed by taking the low-order 24 bits of the address and
appending those bits to the prefix.
Note that the solicited-node multicast address (link-local scope FF02) is
used to resolve the MAC addresses for neighbor nodes since IPv6 does
not support the broadcast method used by the Address Resolution
Protocol in IPv4.
These additional addresses are displayed by the CLI (see "show ip
interface" on page 964).
◆
Configuration Mode – Indicates if this address was automatically
generated for manually configured.
– 453 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
WEB INTERFACE
To show the configured IPv6 addresses:
1. Click IP, IPv6 Configuration.
2. Select Show IPv6 Address from the Action list.
3. Select a VLAN from the list.
Figure 268: Showing Configured IPv6 Addresses
SHOWING THE IPV6 Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to
NEIGHBOR CACHE display the IPv6 addresses detected for neighbor devices.
CLI REFERENCES
◆ "show ipv6 neighbors" on page 989
PARAMETERS
These parameters are displayed:
Table 34: Show IPv6 Neighbors - display description
Field
Description
IPv6 Address
IPv6 address of neighbor
Age
The time since the address was verified as reachable (in seconds). A static
entry is indicated by the value “Permanent.”
Link-layer Addr
Physical layer MAC address.
– 454 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
Table 34: Show IPv6 Neighbors - display description (Continued)
Field
State
Description
The following states are used for dynamic entries:
◆
Incomplete - Address resolution is being carried out on the entry.
A neighbor solicitation message has been sent to the multicast
address of the target, but it has not yet returned a neighbor
advertisement message.
◆
Invalid - An invalidated mapping. Setting the state to invalid disassociates the interface identified with this entry from the indicated
mapping (RFC 4293).
◆
Reachable - Positive confirmation was received within the last
ReachableTime interval that the forward path to the neighbor was
functioning. While in REACH state, the device takes no special action
when sending packets.
◆
Stale - More than the ReachableTime interval has elapsed since the
last positive confirmation was received that the forward path was
functioning. While in STALE state, the device takes no action until a
packet is sent.
◆
Delay - More than the ReachableTime interval has elapsed since the
last positive confirmation was received that the forward path was
functioning. A packet was sent within the last
DELAY_FIRST_PROBE_TIME interval. If no reachability confirmation is
received within this interval after entering the DELAY state, the switch
will send a neighbor solicitation message and change the state to
PROBE.
◆
Probe - A reachability confirmation is actively sought by resending
neighbor solicitation messages every RetransTimer interval until
confirmation of reachability is received.
◆
Unknown - Unknown state.
The following states are used for static entries:
VLAN
◆
Incomplete -The interface for this entry is down.
◆
Reachable - The interface for this entry is up. Reachability detection is
not applied to static entries in the IPv6 neighbor discovery cache.
VLAN interface from which the address was reached.
WEB INTERFACE
To show neighboring IPv6 devices:
1. Click IP, IPv6 Configuration.
2. Select Show IPv6 Neighbors from the Action list.
Figure 269: Showing IPv6 Neighbors
– 455 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
SHOWING IPV6 Use the IP > IPv6 Configuration (Show Statistics) page to display statistics
STATISTICS about IPv6 traffic passing through this switch.
CLI REFERENCES
◆ "show ipv6 traffic" on page 983
COMMAND USAGE
This switch provides statistics for the following traffic types:
◆
IPv6 – The Internet Protocol for Version 6 addresses provides a
mechanism for transmitting blocks of data (often called packets or
frames) from a source to a destination, where these network devices
(that is, hosts) are identified by fixed length addresses. The Internet
Protocol also provides for fragmentation and reassembly of long
packets, if necessary, for transmission through “small packet”
networks.
◆
ICMPv6 – Internet Control Message Protocol for Version 6 addresses is
a network layer protocol that transmits message packets to report
errors in processing IPv6 packets. ICMP is therefore an integral part of
the Internet Protocol. ICMP messages may be used to report various
situations, such as when a datagram cannot reach its destination, when
the gateway does not have the buffering capacity to forward a
datagram, and when the gateway can direct the host to send traffic on
a shorter route. ICMP is also used by routers to feed back information
about more suitable routes (that is, the next hop router) to use for a
specific destination.
◆
UDP – User Datagram Protocol provides a datagram mode of packet
switched communications. It uses IP as the underlying transport
mechanism, providing access to IP-like services. UDP packets are
delivered just like IP packets – connection-less datagrams that may be
discarded before reaching their targets. UDP is useful when TCP would
be too complex, too slow, or just unnecessary.
PARAMETERS
These parameters are displayed:
Table 35: Show IPv6 Statistics - display description
Field
Description
IPv6 Statistics
IPv6 Received
Total
The total number of input datagrams received by the interface,
including those received in error.
Header Errors
The number of input datagrams discarded due to errors in their
IPv6 headers, including version number mismatch, other format
errors, hop count exceeded, IPv6 options, etc.
Too Big Errors
The number of input datagrams that could not be forwarded
because their size exceeded the link MTU of outgoing interface.
No Routes
The number of input datagrams discarded because no route could
be found to transmit them to their destination.
– 456 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
Table 35: Show IPv6 Statistics - display description (Continued)
Field
Description
Address Errors
The number of input datagrams discarded because the IPv6
address in their IPv6 header's destination field was not a valid
address to be received at this entity. This count includes invalid
addresses (e.g., ::0) and unsupported addresses (e.g., addresses
with unallocated prefixes). For entities which are not IPv6 routers
and therefore do not forward datagrams, this counter includes
datagrams discarded because the destination address was not a
local address.
Unknown Protocols
The number of locally-addressed datagrams received successfully
but discarded because of an unknown or unsupported protocol.
This counter is incremented at the interface to which these
datagrams were addressed which might not be necessarily the
input interface for some of the datagrams.
Truncated Packets
The number of input datagrams discarded because datagram
frame didn't carry enough data.
Discards
The number of input IPv6 datagrams for which no problems were
encountered to prevent their continued processing, but which
were discarded (e.g., for lack of buffer space). Note that this
counter does not include any datagrams discarded while awaiting
re-assembly.
Delivers
The total number of datagrams successfully delivered to IPv6
user-protocols (including ICMP). This counter is incremented at
the interface to which these datagrams were addressed which
might not be necessarily the input interface for some of the
datagrams.
Reassembly Request
Datagrams
The number of IPv6 fragments received which needed to be
reassembled at this interface. Note that this counter is increment
ed at the interface to which these fragments were addressed
which might not be necessarily the input interface for some of the
fragments.
Reassembled Succeeded
The number of IPv6 datagrams successfully reassembled. Note
that this counter is incremented at the interface to which these
datagrams were addressed which might not be necessarily the
input interface for some of the fragments.
Reassembled Failed
The number of failures detected by the IPv6 re-assembly
algorithm (for whatever reason: timed out, errors, etc.). Note that
this is not necessarily a count of discarded IPv6 fragments since
some algorithms (notably the algorithm in RFC 815) can lose
track of the number of fragments by combining them as they are
received. This counter is incremented at the interface to which
these fragments were addressed which might not be necessarily
the input interface for some of the fragments.
IPv6 Transmitted
Forwards Datagrams
The number of output datagrams which this entity received and
forwarded to their final destinations. In entities which do not act
as IPv6 routers, this counter will include only those packets which
were Source-Routed via this entity, and the Source-Route
processing was successful. Note that for a successfully forwarded
datagram the counter of the outgoing interface is incremented.”
Requests
The total number of IPv6 datagrams which local IPv6 userprotocols (including ICMP) supplied to IPv6 in requests for
transmission. Note that this counter does not include any
datagrams counted in ipv6IfStatsOutForwDatagrams.
Discards
The number of output IPv6 datagrams for which no problem was
encountered to prevent their transmission to their destination, but
which were discarded (e.g., for lack of buffer space). Note that
this counter would include datagrams counted in
ipv6IfStatsOutForwDatagrams if any such packets met this
(discretionary) discard criterion.
No Routes
The number of input datagrams discarded because no route could
be found to transmit them to their destination.
– 457 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
Table 35: Show IPv6 Statistics - display description (Continued)
Field
Description
Generated Fragments
The number of output datagram fragments that have been
generated as a result of fragmentation at this output interface.
Fragment Succeeded
The number of IPv6 datagrams that have been successfully
fragmented at this output interface.
Fragment Failed
The number of IPv6 datagrams that have been discarded because
they needed to be fragmented at this output interface but could
not be.
ICMPv6 Statistics
ICMPv6 received
Input
The total number of ICMP messages received by the interface
which includes all those counted by ipv6IfIcmpInErrors. Note that
this interface is the interface to which the ICMP messages were
addressed which may not be necessarily the input interface for the
messages.
Errors
The number of ICMP messages which the interface received but
determined as having ICMP-specific errors (bad ICMP checksums,
bad length, etc.).
Destination Unreachable
Messages
The number of ICMP Destination Unreachable messages received
by the interface.
Packet Too Big Messages
The number of ICMP Packet Too Big messages received by the
interface.
Time Exceeded Messages The number of ICMP Time Exceeded messages received by the
interface.
Parameter Problem
Messages
The number of ICMP Parameter Problem messages received by
the interface.
Echo Request Messages
The number of ICMP Echo (request) messages received by the
interface.
Echo Reply Messages
The number of ICMP Echo Reply messages received by the
interface.
Redirect Messages
The number of Redirect messages received by the interface.
Group Membership Query The number of ICMPv6 Group Membership Query messages
Messages
received by the interface.
Group Membership
Response Messages
The number of ICMPv6 Group Membership Response messages
received by the interface.
Group Membership
Reduction Messages
The number of ICMPv6 Group Membership Reduction messages
received by the interface.
Router Solicit Messages
The number of ICMP Router Solicit messages received by the
interface.
Router Advertisement
Messages
The number of ICMP Router Advertisement messages received by
the interface.
Neighbor Solicit Messages The number of ICMP Neighbor Solicit messages received by the
interface.
Neighbor Advertisement
Messages
The number of ICMP Neighbor Advertisement messages received
by the interface.
Redirect Messages
The number of Redirect messages received by the interface.
– 458 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
Table 35: Show IPv6 Statistics - display description (Continued)
Field
Description
ICMPv6 Transmitted
Output
The total number of ICMP messages which this interface
attempted to send. Note that this counter includes all those
counted by icmpOutErrors.
Destination Unreachable
Messages
The number of ICMP Destination Unreachable messages sent by
the interface.
Packet Too Big Messages
The number of ICMP Packet Too Big messages sent by the
interface.
Time Exceeded Messages The number of ICMP Time Exceeded messages sent by the
interface.
Parameter Problem
Message
The number of ICMP Parameter Problem messages sent by the
interface.
Echo Reply Messages
The number of ICMP Echo Reply messages sent by the interface.
Router Solicit Messages
The number of ICMP Router Solicitation messages sent by the
interface.
Neighbor Advertisement
Messages
The number of ICMP Router Advertisement messages sent by the
interface.
Redirect Messages
The number of Redirect messages sent. For a host, this object will
always be zero, since hosts do not send redirects.
Group Membership
Response Messages
The number of ICMPv6 Group Membership Response messages
sent.
Group Membership
Reduction Messages
The number of ICMPv6 Group Membership Reduction messages
sent.
UDP Statistics
Input
The total number of UDP datagrams delivered to UDP users.
No Port Errors
The total number of received UDP datagrams for which there was
no application at the destination port.
Other Errors
The number of received UDP datagrams that could not be
delivered for reasons other than the lack of an application at the
destination port.
Output
The total number of UDP datagrams sent from this entity.
– 459 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
WEB INTERFACE
To show the IPv6 statistics:
1. Click IP, IPv6 Configuration.
2. Select Show Statistics from the Action list.
3. Click IPv6, ICMPv6 or UDP.
Figure 270: Showing IPv6 Statistics (IPv6)
Figure 271: Showing IPv6 Statistics (ICMPv6)
– 460 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
Figure 272: Showing IPv6 Statistics (UDP)
SHOWING THE MTU Use the IP > IPv6 Configuration (Show MTU) page to display the maximum
FOR RESPONDING transmission unit (MTU) cache for destinations that have returned an ICMP
DESTINATIONS packet-too-big message along with an acceptable MTU to this switch.
CLI REFERENCES
◆ "show ip interface" on page 964
PARAMETERS
These parameters are displayed:
Table 36: Show MTU - display description
Field
Description
MTU
Adjusted MTU contained in the ICMP packet-too-big message returned from
this destination, and now used for all traffic sent along this path.
Since
Time since an ICMP packet-too-big message was received from this
destination.
Destination
Address
Address which sent an ICMP packet-too-big message.
WEB INTERFACE
To show the MTU reported from other devices:
1. Click IP, IPv6 Configuration.
2. Select Show MTU from the Action list.
Figure 273: Showing Reported MTU Values
– 461 –
CHAPTER 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 6)
– 462 –
16
IP SERVICES
This chapter describes how to configure Domain Name Service (DNS) on
this switch. For information on DHCP snooping which is included in this
folder, see "DHCP Snooping" on page 359.
DNS service on this switch allows host names to be mapped to IP
addresses using static table entries or by redirection to other name servers
on the network. When a client device designates this switch as a DNS
server, the client will attempt to resolve host names into IP addresses by
forwarding DNS queries to the switch, and waiting for a response.
You can manually configure entries in the DNS table used for mapping
domain names to IP addresses, configure default domain names, or specify
one or more name servers to use for domain name to address translation.
CONFIGURING GENERAL DNS SERVICE PARAMETERS
Use the IP Service > DNS - General (Configure Global) page to enable
domain lookup and set the default domain name.
CLI REFERENCES
◆ "ip domain-lookup" on page 946
◆ "ip domain-name" on page 947
COMMAND USAGE
◆ To enable DNS service on this switch, enable domain lookup status, and
configure one or more name servers (see "Configuring a List of Name
Servers" on page 466).
PARAMETERS
These parameters are displayed:
◆
Domain Lookup – Enables DNS host name-to-address translation.
(Default: Disabled)
◆
Default Domain Name – Defines the default domain name appended
to incomplete host names. Do not include the initial dot that separates
the host name from the domain name.
(Range: 1-127 alphanumeric characters)
– 463 –
CHAPTER 16 | IP Services
Configuring a List of Domain Names
WEB INTERFACE
To configure general settings for DNS:
1. Click IP Service, DNS, General.
2. Select Configure Global from the Action list.
3. Enable domain lookup, and set the default domain name.
4. Click Apply.
Figure 274: Configuring General Settings for DNS
CONFIGURING A LIST OF DOMAIN NAMES
Use the IP Service > DNS - General (Add Domain Name) page to configure
a list of domain names to be tried in sequential order.
CLI REFERENCES
◆ "ip domain-list" on page 945
◆ "show dns" on page 951
COMMAND USAGE
◆ Use this page to define a list of domain names that can be appended to
incomplete host names (i.e., host names passed from a client that are
not formatted with dotted notation).
◆
If there is no domain list, the default domain name is used (see
"Configuring General DNS Service Parameters" on page 463). If there is
a domain list, the system will search it for a corresponding entry. If
none is found, it will use the default domain name.
◆
When an incomplete host name is received by the DNS service on this
switch and a domain name list has been specified, the switch will work
through the domain list, appending each domain name in the list to the
host name, and checking with the specified name servers for a match
(see "Configuring a List of Name Servers" on page 466).
– 464 –
CHAPTER 16 | IP Services
Configuring a List of Domain Names
PARAMETERS
These parameters are displayed:
Domain Name – Name of the host. Do not include the initial dot that
separates the host name from the domain name.
(Range: 1-68 characters)
WEB INTERFACE
To create a list domain names:
1. Click IP Service, DNS, General.
2. Select Add Domain Name from the Action list.
3. Enter one domain name at a time.
4. Click Apply.
Figure 275: Configuring a List of Domain Names for DNS
To show the list domain names:
1. Click IP Service, DNS, General.
2. Select Show Domain Names from the Action list.
Figure 276: Showing the List of Domain Names for DNS
– 465 –
CHAPTER 16 | IP Services
Configuring a List of Name Servers
CONFIGURING A LIST OF NAME SERVERS
Use the IP Service > DNS - General (Add Name Server) page to configure a
list of name servers to be tried in sequential order.
CLI REFERENCES
◆ "ip name-server" on page 949
◆ "show dns" on page 951
COMMAND USAGE
◆ To enable DNS service on this switch, configure one or more name
servers, and enable domain lookup status (see "Configuring General
DNS Service Parameters" on page 463).
◆
When more than one name server is specified, the servers are queried
in the specified sequence until a response is received, or the end of the
list is reached with no response.
◆
If all name servers are deleted, DNS will automatically be disabled. This
is done by disabling the domain lookup status.
PARAMETERS
These parameters are displayed:
Name Server IP Address – Specifies the IPv4 or IPv6 address of a
domain name server to use for name-to-address resolution. Up to six IP
addresses can be added to the name server list.
WEB INTERFACE
To create a list name servers:
1. Click IP Service, DNS, General.
2. Select Add Name Server from the Action list.
3. Enter one name server at a time.
4. Click Apply.
Figure 277: Configuring a List of Name Servers for DNS
– 466 –
CHAPTER 16 | IP Services
Configuring Static DNS Host to Address Entries
To show the list name servers:
1. Click IP Service, DNS, General.
2. Select Show Name Servers from the Action list.
Figure 278: Showing the List of Name Servers for DNS
CONFIGURING STATIC DNS HOST TO ADDRESS ENTRIES
Use the IP Service > DNS - Static Host Table (Add) page to manually
configure static entries in the DNS table that are used to map domain
names to IP addresses.
CLI REFERENCES
◆ "ip host" on page 948
◆ "show hosts" on page 952
COMMAND USAGE
◆ Static entries may be used for local devices connected directly to the
attached network, or for commonly used resources located elsewhere
on the network.
PARAMETERS
These parameters are displayed:
◆
Host Name – Name of a host device that is mapped to one or more IP
addresses. (Range: 1-127 characters)
◆
IP Address – IPv4 or IPv6 address(es) associated with a host name.
WEB INTERFACE
To configure static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Add from the Action list.
3. Enter a host name and the corresponding address.
– 467 –
CHAPTER 16 | IP Services
Displaying the DNS Cache
4. Click Apply.
Figure 279: Configuring Static Entries in the DNS Table
To show static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Show from the Action list.
Figure 280: Showing Static Entries in the DNS Table
DISPLAYING THE DNS CACHE
Use the IP Service > DNS - Cache page to display entries in the DNS cache
that have been learned via the designated name servers.
CLI REFERENCES
◆ "show dns cache" on page 952
COMMAND USAGE
◆ Servers or other network devices may support one or more connections
via multiple IP addresses. If more than one IP address is associated
with a host name via information returned from a name server, a DNS
client can try each address in succession, until it establishes a
connection with the target device.
PARAMETERS
These parameters are displayed:
◆
No. – The entry number for each resource record.
– 468 –
CHAPTER 16 | IP Services
Displaying the DNS Cache
◆
Flag – The flag is always “4” indicating a cache entry and therefore
unreliable.
◆
Type – This field includes CNAME which specifies the host address for
the owner, and ALIAS which specifies an alias.
◆
IP – The IP address associated with this record.
◆
TTL – The time to live reported by the name server.
◆
Domain – The host name associated with this record.
WEB INTERFACE
To display entries in the DNS cache:
1. Click IP Service, DNS, Cache.
Figure 281: Showing Entries in the DNS Cache
– 469 –
CHAPTER 16 | IP Services
Displaying the DNS Cache
– 470 –
17
MULTICAST FILTERING
This chapter describes how to configure the following multicast services:
◆
IGMP – Configuring snooping and query parameters.
◆
Filtering and Throttling – Filtering specified multicast service, or
throttling the maximum of multicast groups allowed on an interface.
◆
Multicast VLAN Registration (MVR) – Configures a single network-wide
multicast VLAN shared by hosts residing in other standard or private
VLAN groups, preserving security and data isolation.
OVERVIEW
Multicasting is used to support real-time applications such as video
conferencing or streaming audio. A multicast server does not have to
establish a separate connection with each client. It merely broadcasts its
service to the network, and any hosts that want to receive the multicast
register with their local multicast switch/router. Although this approach
reduces the network overhead required by a multicast server, the
broadcast traffic must be carefully pruned at every multicast switch/router
it passes through to ensure that traffic is only passed on to the hosts which
subscribed to this service.
Figure 282: Multicast Filtering Concept
Unicast
Flow
Multicast
Flow
This switch can use Internet Group Management Protocol (IGMP) to filter
multicast traffic. IGMP Snooping can be used to passively monitor or
“snoop” on exchanges between attached hosts and an IGMP-enabled
– 471 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
device, most commonly a multicast router. In this way, the switch can
discover the ports that want to join a multicast group, and set its filters
accordingly.
If there is no multicast router attached to the local subnet, multicast traffic
and query messages may not be received by the switch. In this case (Layer
2) IGMP Query can be used to actively ask the attached hosts if they want
to receive a specific multicast service. IGMP Query thereby identifies the
ports containing hosts requesting to join the service and sends data out to
those ports only. It then propagates the service request up to any
neighboring multicast switch/router to ensure that it will continue to
receive the multicast service.
The purpose of IP multicast filtering is to optimize a switched network’s
performance, so multicast packets will only be forwarded to those ports
containing multicast group hosts or multicast routers/switches, instead of
flooding traffic to all ports in the subnet (VLAN).
You can also configure a single network-wide multicast VLAN shared by
hosts residing in other standard or private VLAN groups, preserving
security and data isolation "Multicast VLAN Registration" on page 493.
LAYER 2 IGMP (SNOOPING AND QUERY)
IGMP Snooping and Query – If multicast routing is not supported on other
switches in your network, you can use IGMP Snooping and IGMP Query
(page 474) to monitor IGMP service requests passing between multicast
clients and servers, and dynamically configure the switch ports which need
to forward multicast traffic. IGMP Snooping conserves bandwidth on
network segments where no node has expressed interest in receiving a
specific multicast service. For switches that do not support multicast
routing, or where multicast routing is already enabled on other switches in
the local network segment, IGMP Snooping is the only service required to
support multicast filtering.
When using IGMPv3 snooping, service requests from IGMP Version 1, 2 or
3 hosts are all forwarded to the upstream router as IGMPv3 reports. The
primary enhancement provided by IGMPv3 snooping is in keeping track of
information about the specific multicast sources which downstream
IGMPv3 hosts have requested or refused8. The switch maintains
information about multicast groups, where a group indicates a multicast
flow for which the hosts have not requested a specific source (the only
option for IGMPv1 and v2 hosts unless statically configured on the switch).
For IGMPv1/v2/v3 hosts, the source address of a channel is always null
(indicating that any source is acceptable).
NOTE: When the switch is configured to use IGMPv3 snooping, the
snooping version may be downgraded to version 2 or version 1, depending
on the version of the IGMP query packets detected on each VLAN.
8.
Source IP lists is not supported in IGMPv3 reports by the switch due to an ASIC limitation.
– 472 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
NOTE: IGMP snooping will not function unless a multicast router port is
enabled on the switch. This can accomplished in one of two ways. A static
router port can be manually configured (see "Specifying Static Interfaces
for a Multicast Router" on page 477). Using this method, the router port is
never timed out, and will continue to function until explicitly removed. The
other method relies on the switch to dynamically create multicast routing
ports whenever multicast routing protocol packets or IGMP query packets
are detected on a port.
NOTE: A maximum of up to 255 multicast entries can be maintained for
IGMP snooping. Once the table is full, no new entries are learned. Any
subsequent multicast traffic not found in the table is dropped if
unregistered-flooding is disabled (default behavior) and no router port is
configured in the attached VLAN, or flooded throughout the VLAN if
unregistered-flooding is enabled (see "Configuring IGMP Snooping and
Query Parameters" on page 474).
Static IGMP Router Interface – If IGMP snooping cannot locate the IGMP
querier, you can manually designate a known IGMP querier (i.e., a
multicast router/switch) connected over the network to an interface on
your switch (page 477). This interface will then join all the current
multicast groups supported by the attached router/switch to ensure that
multicast traffic is passed to all appropriate interfaces within the switch.
Static IGMP Host Interface – For multicast applications that you need to
control more carefully, you can manually assign a multicast service to
specific interfaces on the switch (page 480).
IGMP Snooping with Proxy Reporting – The switch supports last leave, and
query suppression (as defined in DSL Forum TR-101, April 2006):
◆
When proxy reporting is disabled, all IGMP reports received by the
switch are forwarded natively to the upstream multicast routers.
◆
Last Leave: Intercepts, absorbs and summarizes IGMP leaves coming
from IGMP hosts. IGMP leaves are relayed upstream only when
necessary, that is, when the last user leaves a multicast group.
◆
Query Suppression: Intercepts and processes IGMP queries in such a
way that IGMP specific queries are never sent to client ports.
The only deviation from TR-101 is that the marking of IGMP traffic initiated
by the switch with priority bits as defined in R-250 is not supported.
– 473 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
CONFIGURING IGMP Use the Multicast > IGMP Snooping > General page to configure the switch
SNOOPING AND QUERY to forward multicast traffic intelligently. Based on the IGMP query and
PARAMETERS report messages, the switch forwards multicast traffic only to the ports
that request it. This prevents the switch from broadcasting the traffic to all
ports and possibly disrupting network performance.
CLI REFERENCES
◆ "IGMP Snooping" on page 887
COMMAND USAGE
◆ IGMP Snooping – This switch can passively snoop on IGMP Query and
Report packets transferred between IP multicast routers/switches and
IP multicast host groups to identify the IP multicast group members. It
simply monitors the IGMP packets passing through it, picks out the
group registration information, and configures the multicast filters
accordingly.
NOTE: If unknown multicast traffic enters a VLAN which has been
configured with a router port, the traffic is forwarded to that port. However,
if no router port exists on the VLAN, the traffic is dropped if unregistered
data flooding is disabled (default behavior), or flooded throughout the
VLAN if unregistered data flooding is enabled (see “Unregistered Data
Flooding” in the Command Attributes section).
◆
IGMP Querier – A router, or multicast-enabled switch, can periodically
ask their hosts if they want to receive multicast traffic. If there is more
than one router/switch on the LAN performing IP multicasting, one of
these devices is elected “querier” and assumes the role of querying the
LAN for group members. It then propagates the service requests on to
any upstream multicast switch/router to ensure that it will continue to
receive the multicast service.
NOTE: Multicast routers use this information from IGMP snooping and query
reports, along with a multicast routing protocol such as DVMRP or PIM, to
support IP multicasting across the Internet.
PARAMETERS
These parameters are displayed:
◆
IGMP Snooping Status – When enabled, the switch will monitor
network traffic to determine which hosts want to receive multicast
traffic. This is referred to as IGMP Snooping. (Default: Disabled)
When IGMP snooping is enabled globally, the per VLAN interface
settings for IGMP snooping take precedence (see "Setting IGMP
Snooping Status per Interface" on page 482).
When IGMP snooping is disabled globally, snooping can still be
configured per VLAN interface, but the interface settings will not take
effect until snooping is re-enabled globally.
– 474 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
◆
Proxy Reporting Status – Enables IGMP Snooping with Proxy
Reporting. (Default: Disabled)
When proxy reporting is enabled with this command, the switch
performs “IGMP Snooping with Proxy Reporting” (as defined in DSL
Forum TR-101, April 2006), including last leave, and query
suppression.
Last leave sends out a proxy query when the last member leaves a
multicast group, and query suppression means that specific queries are
not forwarded from an upstream multicast router to hosts downstream
from this device.
When proxy reporting is disabled, all IGMP reports received by the
switch are forwarded natively to the upstream multicast routers.
◆
TCN Flood – Enables flooding of multicast traffic if a spanning tree
topology change notification (TCN) occurs. (Default: Disabled)
When a spanning tree topology change occurs, the multicast
membership information learned by switch may be out of date. For
example, a host linked to one port before the topology change (TC)
may be moved to another port after the change. To ensure that
multicast data is delivered to all receivers, by default, an switch in a
VLAN (with IGMP snooping enabled) that receives a Bridge Protocol
Data Unit (BPDU) with TC bit set (by the root bridge) will enter into
“multicast flooding mode” for a period of time until the topology has
stabilized and the new locations of all multicast receivers are learned.
If a topology change notification (TCN) is received, and all the uplink
ports are subsequently deleted, a time out mechanism is used to delete
all of the currently learned multicast channels.
When a new uplink port starts up, the switch sends unsolicited reports
for all currently learned channels out the new uplink port.
By default, the switch immediately enters into “multicast flooding
mode” when a spanning tree topology change occurs. In this mode,
multicast traffic will be flooded to all VLAN ports. If many ports have
subscribed to different multicast groups, flooding may cause excessive
packet loss on the link between the switch and the end host. Flooding
may be disabled to avoid this, causing multicast traffic to be delivered
only to those ports on which multicast group members have been
learned. Otherwise, the time spent in flooding mode can be manually
configured to reduce excessive loading.
When the spanning tree topology changes, the root bridge sends a
proxy query to quickly re-learn the host membership/port relations for
multicast channels. The root bridge also sends an unsolicited Multicast
Router Discover (MRD) request to quickly locate the multicast routers in
this VLAN.
The proxy query and unsolicited MRD request are flooded to all VLAN
ports except for the receiving port when the switch receives such
packets.
◆
TCN Query Solicit – Sends out an IGMP general query solicitation
when a spanning tree topology change notification (TCN) occurs.
(Default: Disabled)
– 475 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
When the root bridge in a spanning tree receives a TCN for a VLAN
where IGMP snooping is enabled, it issues a global IGMP leave message
(or query solicitation). When a switch receives this solicitation, it floods
it to all ports in the VLAN where the spanning tree change occurred.
When an upstream multicast router receives this solicitation, it
immediately issues an IGMP general query.
A query solicitation can be sent whenever the switch notices a topology
change, even if it is not the root bridge in spanning tree.
◆
Router Alert Option – Discards any IGMPv2/v3 packets that do not
include the Router Alert option. (Default: Disabled)
As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router
Alert Option can be used to protect against DOS attacks. One common
method of attack is launched by an intruder who takes over the role of
querier, and starts overloading multicast hosts by sending a large
number of queries, each with the Maximum Response Time set to a
large value.
To protect against this kind of attack, (1) routers should not forward
queries. This is easier to accomplish if the query carries the Router
Alert option. (2) Also, when the switch is acting in the role of a
multicast host (such as when using proxy routing), it should ignore
version 2 or 3 queries that do not contain the Router Alert option.
◆
Unregistered Data Flooding – Floods unregistered multicast traffic
into the attached VLAN. (Default: Disabled)
Once the table used to store multicast entries for IGMP snooping and
multicast routing is filled, no new entries are learned. If no router port
is configured in the attached VLAN, and unregistered-flooding is
disabled, any subsequent multicast traffic not found in the table is
dropped, otherwise it is flooded throughout the VLAN.
◆
Version Exclusive – Discards any received IGMP messages which use
a version different to that currently configured by the IGMP Version
attribute. (Default: Disabled)
◆
IGMP Unsolicited Report Interval – Specifies how often the
upstream interface should transmit unsolicited IGMP reports when
proxy reporting is enabled. (Range: 1-65535 seconds, Default: 400
seconds)
When a new upstream interface (that is, uplink port) starts up, the
switch sends unsolicited reports for all currently learned multicast
channels via the new upstream interface.
This command only applies when proxy reporting is enabled.
◆
Router Port Expire Time – The time the switch waits after the
previous querier stops before it considers it to have expired.
(Range: 1-65535, Recommended Range: 300-500 seconds,
Default: 300)
– 476 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
◆
IGMP Snooping Version – Sets the protocol version for compatibility
with other devices on the network. This is the IGMP Version the switch
uses to send snooping reports. (Range: 1-3; Default: 2)
This attribute configures the IGMP report/query version used by IGMP
snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are
backward compatible, so the switch can operate with other devices,
regardless of the snooping version employed.
◆
Querier Status – When enabled, the switch can serve as the Querier,
which is responsible for asking hosts if they want to receive multicast
traffic. This feature is not supported for IGMPv3 snooping.
(Default: Disabled)
WEB INTERFACE
To configure general settings for IGMP Snooping and Query:
1. Click Multicast, IGMP Snooping, General.
2. Adjust the IGMP settings as required.
3. Click Apply.
Figure 283: Configuring General Settings for IGMP Snooping
SPECIFYING STATIC Use the Multicast > IGMP Snooping > Multicast Router (Add Static
INTERFACES FOR A Multicast Router) page to statically attach an interface to a multicast
MULTICAST ROUTER router/switch.
Depending on network connections, IGMP snooping may not always be able
to locate the IGMP querier. Therefore, if the IGMP querier is a known
multicast router/switch connected over the network to an interface (port or
trunk) on the switch, the interface (and a specified VLAN) can be manually
configured to join all the current multicast groups supported by the
attached router. This can ensure that multicast traffic is passed to all the
appropriate interfaces within the switch.
– 477 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
CLI REFERENCES
◆ "Static Multicast Routing" on page 906
COMMAND USAGE
IGMP Snooping must be enabled globally on the switch (see "Configuring
IGMP Snooping and Query Parameters" on page 474) before a multicast
router port can take effect.
PARAMETERS
These parameters are displayed:
Add Static Multicast Router
◆
VLAN – Selects the VLAN which is to propagate all multicast traffic
coming from the attached multicast router. (Range: 1-4093)
◆
Interface – Activates the Port or Trunk scroll down list.
◆
Port or Trunk – Specifies the interface attached to a multicast router.
Show Static Multicast Router
◆
VLAN – Selects the VLAN for which to display any configured static
multicast routers.
◆
Interface – Shows the interface to which the specified static multicast
routers are attached.
Show Current Multicast Router
◆
VLAN – Selects the VLAN for which to display any currently active
multicast routers.
◆
Interface – Shows the interface to which an active multicast router is
attached.
◆
Type – Shows if this entry is static or dynamic.
WEB INTERFACE
To specify a static interface attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Add Static Multicast Router from the Action list.
3. Select the VLAN which will forward all the corresponding multicast
traffic, and select the port or trunk attached to the multicast router.
4. Click Apply.
– 478 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
Figure 284: Configuring a Static Interface for a Multicast Router
To show the static interfaces attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Show Static Multicast Router from the Action list.
3. Select the VLAN for which to display this information.
Figure 285: Showing Static Interfaces Attached a Multicast Router
To show the all interfaces attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Current Multicast Router from the Action list.
3. Select the VLAN for which to display this information. Ports in the
selected VLAN which are attached to a neighboring multicast router/
switch are displayed.
Figure 286: Showing Current Interfaces Attached a Multicast Router
– 479 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
ASSIGNING Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member)
INTERFACES TO page to statically assign a multicast service to an interface.
MULTICAST SERVICES
Multicast filtering can be dynamically configured using IGMP Snooping and
IGMP Query messages (see "Configuring IGMP Snooping and Query
Parameters" on page 474). However, for certain applications that require
tighter control, it may be necessary to statically configure a multicast
service on the switch. First add all the ports attached to participating hosts
to a common VLAN, and then assign the multicast service to that VLAN
group.
CLI REFERENCES
◆ "ip igmp snooping vlan static" on page 903
COMMAND USAGE
◆ Static multicast addresses are never aged out.
◆
When a multicast address is assigned to an interface in a specific VLAN,
the corresponding traffic can only be forwarded to ports within that
VLAN.
PARAMETERS
These parameters are displayed:
◆
VLAN – Specifies the VLAN which is to propagate the multicast service.
(Range: 1-4093)
◆
Interface – Activates the Port or Trunk scroll down list.
◆
Port or Trunk – Specifies the interface assigned to a multicast group.
◆
Multicast IP – The IP address for a specific multicast service.
WEB INTERFACE
To statically assign an interface to a multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Add Static Member from the Action list.
3. Select the VLAN that will propagate the multicast service, specify the
interface attached to a multicast service (through an IGMP-enabled
switch or multicast router), and enter the multicast IP address.
4. Click Apply.
– 480 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
Figure 287: Assigning an Interface to a Multicast Service
To show the static interfaces assigned to a multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.
Figure 288: Showing Static Interfaces Assigned to a Multicast Service
To show the all interfaces statically or dynamically assigned to a multicast
service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Current Member from the Action list.
3. Select the VLAN for which to display this information.
Figure 289: Showing Current Interfaces Assigned to a Multicast Service
– 481 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
SETTING IGMP Use the Multicast > IGMP Snooping > Interface (Configure) page to
SNOOPING STATUS configure IGMP snooping attributes for a VLAN. To configure snooping
PER INTERFACE globally, refer to "Configuring IGMP Snooping and Query Parameters" on
page 474.
CLI REFERENCES
◆ "IGMP Snooping" on page 887
COMMAND USAGE
Multicast Router Discovery
There have been many mechanisms used in the past to identify multicast
routers. This has lead to interoperability issues between multicast routers
and snooping switches from different vendors. In response to this problem,
the Multicast Router Discovery (MRD) protocol has been developed for use
by IGMP snooping and multicast routing devices. MRD is used to discover
which interfaces are attached to multicast routers, allowing IGMP-enabled
devices to determine where to send multicast source and group
membership messages. (MRD is specified in draft-ietf-magma-mrdisc-07.)
Multicast source data and group membership reports must be received by
all multicast routers on a segment. Using the group membership protocol
query messages to discover multicast routers is insufficient due to query
suppression. MRD therefore provides a standardized way to identify
multicast routers without relying on any particular multicast routing
protocol.
NOTE: The default values recommended in the MRD draft are implemented
in the switch.
Multicast Router Discovery uses the following three message types to
discover multicast routers:
◆
◆
Multicast Router Advertisement – Advertisements are sent by routers to
advertise that IP multicast forwarding is enabled. These messages are
sent unsolicited periodically on all router interfaces on which multicast
forwarding is enabled. They are sent upon the occurrence of these
events:
■
Upon the expiration of a periodic (randomized) timer.
■
As a part of a router's start up procedure.
■
During the restart of a multicast forwarding interface.
■
On receipt of a Solicitation message.
Multicast Router Solicitation – Devices send Solicitation messages in
order to solicit Advertisement messages from multicast routers. These
messages are used to discover multicast routers on a directly attached
link. Solicitation messages are also sent whenever a multicast
forwarding interface is initialized or re-initialized. Upon receiving a
solicitation on an interface with IP multicast forwarding and MRD
enabled, a router will respond with an Advertisement.
– 482 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
◆
Multicast Router Termination – These messages are sent when a router
stops IP multicast routing functions on an interface. Termination
messages are sent by multicast routers when:
■
Multicast forwarding is disabled on an interface.
■
An interface is administratively disabled.
■
The router is gracefully shut down.
Advertisement and Termination messages are sent to the All-Snoopers
multicast address. Solicitation messages are sent to the All-Routers
multicast address.
NOTE: MRD messages are flooded to all ports in a VLAN where IGMP
snooping or routing has been enabled. To ensure that older switches which
do not support MRD can also learn the multicast router port, the switch
floods IGMP general query packets, which do not have a null source
address (0.0.0.0), to all ports in the attached VLAN. IGMP packets with a
null source address are only flooded to all ports in the VLAN if the system is
operating in multicast flooding mode, such as when a new VLAN or new
router port is being established, or an spanning tree topology change has
occurred. Otherwise, this kind of packet is only forwarded to known
multicast routing ports.
PARAMETERS
These parameters are displayed:
◆
VLAN – ID of configured VLANs. (Range: 1-4093)
◆
IGMP Snooping Status – When enabled, the switch will monitor
network traffic on the indicated VLAN interface to determine which
hosts want to receive multicast traffic. This is referred to as IGMP
Snooping. (Default: Disabled)
When IGMP snooping is enabled globally (see page 474), the per VLAN
interface settings for IGMP snooping take precedence.
When IGMP snooping is disabled globally, snooping can still be
configured per VLAN interface, but the interface settings will not take
effect until snooping is re-enabled globally.
◆
Version Exclusive – Discards any received IGMP messages (except for
multicast protocol packets) which use a version different to that
currently configured by the IGMP Version attribute. (Default: Disabled)
If version exclusive is disabled on a VLAN, then this setting is based on
the global setting configured on the Multicast > IGMP Snooping >
General page. If it is enabled on a VLAN, then this setting takes
precedence over the global setting.
◆
Immediate Leave Status – Immediately deletes a member port of a
multicast service if a leave packet is received at that port and
immediate leave is enabled for the parent VLAN. (Default: Disabled)
– 483 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
If immediate leave is not used, a multicast router (or querier) will send
a group-specific query message when an IGMPv2 group leave message
is received. The router/querier stops forwarding traffic for that group
only if no host replies to the query within the specified time out period.
Note that this time out is set to Last Member Query Interval *
Robustness Variable (fixed at 2) as defined in RFC 2236.
If immediate leave is enabled, the switch assumes that only one host is
connected to the interface. Therefore, immediate leave should only be
enabled on an interface if it is connected to only one IGMP-enabled
device, either a service host or a neighbor running IGMP snooping.
This attribute is only effective if IGMP snooping is enabled, and IGMPv2
snooping is used.
◆
Multicast Router Discovery – MRD is used to discover which
interfaces are attached to multicast routers. (Default: Disabled)
◆
General Query Suppression – Suppresses general queries except for
ports attached to downstream multicast hosts. (Default: Disabled)
By default, general query messages are flooded to all ports, except for
the multicast router through which they are received.
If general query suppression is enabled, then these messages are
forwarded only to downstream ports which have joined a multicast
service.
◆
Proxy Reporting – Enables IGMP Snooping with Proxy Reporting.
(Default: Based on global setting)
When proxy reporting is enabled with this command, the switch
performs “IGMP Snooping with Proxy Reporting” (as defined in DSL
Forum TR-101, April 2006), including last leave, and query
suppression.
Last leave sends out a proxy query when the last member leaves a
multicast group, and query suppression means that specific queries are
not forwarded from an upstream multicast router to hosts downstream
from this device.
Rules Used for Proxy Reporting
When IGMP Proxy Reporting is disabled, the switch will use a null IP
address for the source of IGMP query and report messages unless a
proxy query address has been set.
When IGMP Proxy Reporting is enabled, the source address is based on
the following criteria:
■
If a proxy query address is configured, the switch will use that
address as the source IP address in general and group-specific
query messages sent to downstream hosts, and in report and leave
messages sent upstream from the multicast router port.
■
If a proxy query address is not configured, the switch will use the
VLAN’s IP address as the IP source address in general and groupspecific query messages sent downstream, and use the source
address of the last IGMP message received from a downstream host
– 484 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
in report and leave messages sent upstream from the multicast
router port.
◆
Interface Version – Sets the protocol version for compatibility with
other devices on the network. This is the IGMP Version the switch uses
to send snooping reports. (Range: 1-3; Default: 2)
This attribute configures the IGMP report/query version used by IGMP
snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are
backward compatible, so the switch can operate with other devices,
regardless of the snooping version employed.
◆
Query Interval – The interval between sending IGMP general queries.
(Range: 2-31744 seconds; Default: 125 seconds)
An IGMP general query message is sent by the switch at the interval
specified by this attribute. When this message is received by
downstream hosts, all receivers build an IGMP report for the multicast
groups they have joined.
This command applies when the switch is serving as the querier
(page 474), or as a proxy host when IGMP snooping proxy reporting is
enabled (page 474).
◆
Query Response Interval – The maximum time the system waits for
a response to general queries. (Range: 10-31744 tenths of a second;
Default: 10 seconds)
This command applies when the switch is serving as the querier
(page 474), or as a proxy host when IGMP snooping proxy reporting is
enabled (page 474).
◆
Last Member Query Interval – The interval to wait for a response to
a group-specific query message. (Range: 1-31740 tenths of a second in
multiples of 10;
Default: 1 second)
When a multicast host leaves a group, it sends an IGMP leave message.
When the leave message is received by the switch, it checks to see if
this host is the last to leave the group by sending out an IGMP groupspecific query message, and starts a timer. If no reports are received
before the timer expires, the group record is deleted, and a report is
sent to the upstream multicast router.
A reduced value will result in reduced time to detect the loss of the last
member of a group or source, but may generate more burst traffic.
This attribute will take effect only if IGMP snooping proxy reporting is
enabled (see page 474) or IGMP querier is enabled (page 474).
◆
Last Member Query Count – The number of IGMP proxy groupspecific or query messages that are sent out before the system
assumes there are no more local members. (Range: 1-255; Default: 2)
This attribute will take effect only if IGMP snooping proxy reporting or
IGMP querier is enabled.
– 485 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
◆
Proxy Query Address – A static source address for locally generated
query and report messages used by IGMP Proxy Reporting.
(Range: Any valid IP unicast address; Default: 0.0.0.0)
IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP
query messages which are proxied to downstream hosts to indicate
that it is not the elected querier, but is only proxying these messages as
defined in RFC 4541. The switch also uses a null address in IGMP
reports sent to upstream ports.
Many hosts do not implement RFC 4541, and therefore do not
understand query messages with the source address of 0.0.0.0. These
hosts will therefore not reply to the queries, causing the multicast
router to stop sending traffic to them.
To resolve this problem, the source address in proxied IGMP query
messages can be replaced with any valid unicast address (other than
the router’s own address).
WEB INTERFACE
To configure IGMP snooping on a VLAN:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Configure from the Action list.
3. Select the VLAN to configure and update the required parameters.
4. Click Apply.
Figure 290: Configuring IGMP Snooping on an Interface
– 486 –
CHAPTER 17 | Multicast Filtering
Layer 2 IGMP (Snooping and Query)
To show the interface settings for IGMP snooping:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Show from the Action list.
Figure 291: Showing Interface Settings for IGMP Snooping
DISPLAYING Use the Multicast > IGMP Snooping > Forwarding Entry page to display the
MULTICAST GROUPS forwarding entries learned through IGMP Snooping.
DISCOVERED BY IGMP
SNOOPING CLI REFERENCES
◆
"show ip igmp snooping group" on page 905
COMMAND USAGE
To display information about multicast groups, IGMP Snooping must first
be enabled on the switch (see page 474).
PARAMETERS
These parameters are displayed:
◆
VLAN – An interface on the switch that is forwarding traffic to
downstream ports for the specified multicast group address.
◆
Group Address – IP multicast group address with subscribers directly
attached or downstream from the switch, or a static multicast group
assigned to this interface.
◆
Source Address – The address of one of the multicast servers
transmitting traffic to the specified group.
◆
Interface – A downstream port or trunk that is receiving traffic for the
specified multicast group. This field may include both dynamically and
statically configured multicast router ports.
WEB INTERFACE
To show multicast groups learned through IGMP snooping:
1. Click Multicast, IGMP Snooping, Forwarding Entry.
2. Select the VLAN for which to display this information.
– 487 –
CHAPTER 17 | Multicast Filtering
Filtering and Throttling IGMP Groups
Figure 292: Showing Multicast Groups Learned by IGMP Snooping
FILTERING AND THROTTLING IGMP GROUPS
In certain switch applications, the administrator may want to control the
multicast services that are available to end users. For example, an IP/TV
service based on a specific subscription plan. The IGMP filtering feature
fulfills this requirement by restricting access to specified multicast services
on a switch port, and IGMP throttling limits the number of simultaneous
multicast groups a port can join.
IGMP filtering enables you to assign a profile to a switch port that specifies
multicast groups that are permitted or denied on the port. An IGMP filter
profile can contain one or more addresses, or a range of multicast
addresses; but only one profile can be assigned to a port. When enabled,
IGMP join reports received on the port are checked against the filter
profile. If a requested multicast group is permitted, the IGMP join report is
forwarded as normal. If a requested multicast group is denied, the IGMP
join report is dropped.
IGMP throttling sets a maximum number of multicast groups that a port
can join at the same time. When the maximum number of groups is
reached on a port, the switch can take one of two actions; either “deny” or
“replace.” If the action is set to deny, any new IGMP join reports will be
dropped. If the action is set to replace, the switch randomly removes an
existing group and replaces it with the new multicast group.
ENABLING IGMP Use the Multicast > IGMP Snooping > Filter (Configure General) page to
FILTERING AND enable IGMP filtering and throttling globally on the switch.
THROTTLING
CLI REFERENCES
◆ "ip igmp filter (Global Configuration)" on page 907
– 488 –
CHAPTER 17 | Multicast Filtering
Filtering and Throttling IGMP Groups
PARAMETERS
These parameters are displayed:
◆
IGMP Filter Status – Enables IGMP filtering and throttling globally for
the switch. (Default: Disabled)
WEB INTERFACE
To enable IGMP filtering and throttling on the switch:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure General from the Step list.
3. Enable IGMP Filter Status.
4. Click Apply.
Figure 293: Enabling IGMP Filtering and Throttling
CONFIGURING IGMP Use the Multicast > IGMP Snooping > Filter (Add) page to create an IGMP
FILTER PROFILES profile and set its access mode. Then use the (Add Multicast Group Range)
page to configure the multicast groups to filter.
CLI REFERENCES
◆ "IGMP Filtering and Throttling" on page 907
COMMAND USAGE
Specify a range of multicast groups by entering a start and end IP address;
or specify a single multicast group by entering the same IP address for the
start and end of the range.
PARAMETERS
These parameters are displayed:
Add
◆
Profile ID – Creates an IGMP profile. (Range: 1-4294967295)
◆
Access Mode – Sets the access mode of the profile; either permit or
deny. (Default: Deny)
When the access mode is set to permit, IGMP join reports are
processed when a multicast group falls within the controlled range.
When the access mode is set to deny, IGMP join reports are only
processed when the multicast group is not in the controlled range.
– 489 –
CHAPTER 17 | Multicast Filtering
Filtering and Throttling IGMP Groups
Add Multicast Group Range
◆
Profile ID – Selects an IGMP profile to configure.
◆
Start Multicast IP Address – Specifies the starting address of a
range of multicast groups.
◆
End Multicast IP Address – Specifies the ending address of a range
of multicast groups.
WEB INTERFACE
To create an IGMP filter profile and set its access mode:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add from the Action list.
4. Enter the number for a profile, and set its access mode.
5. Click Apply.
Figure 294: Creating an IGMP Filtering Profile
To show the IGMP filter profiles:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.
Figure 295: Showing the IGMP Filtering Profiles Created
– 490 –
CHAPTER 17 | Multicast Filtering
Filtering and Throttling IGMP Groups
To add a range of multicast groups to an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add Multicast Group Range from the Action list.
4. Select the profile to configure, and add a multicast group address or
range of addresses.
5. Click Apply.
Figure 296: Adding Multicast Groups to an IGMP Filtering Profile
To show the multicast groups configured for an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4. Select the profile for which to display this information.
Figure 297: Showing the Groups Assigned to an IGMP Filtering Profile
– 491 –
CHAPTER 17 | Multicast Filtering
Filtering and Throttling IGMP Groups
CONFIGURING IGMP
FILTERING AND
THROTTLING FOR
INTERFACES
Use the Multicast > IGMP Snooping > Filter (Configure Interface) page to
assign and IGMP filter profile to interfaces on the switch, or to throttle
multicast traffic by limiting the maximum number of multicast groups an
interface can join at the same time.
CLI REFERENCES
◆ "IGMP Filtering and Throttling" on page 907
COMMAND USAGE
◆ IGMP throttling sets a maximum number of multicast groups that a port
can join at the same time. When the maximum number of groups is
reached on a port, the switch can take one of two actions; either “deny”
or “replace.” If the action is set to deny, any new IGMP join reports will
be dropped. If the action is set to replace, the switch randomly
removes an existing group and replaces it with the new multicast
group.
PARAMETERS
These parameters are displayed:
◆
Interface – Port or trunk identifier.
An IGMP profile or throttling setting can be applied to a port or trunk.
When ports are configured as trunk members, the trunk uses the
settings applied to the first port member in the trunk.
◆
Profile ID – Selects an existing profile to assign to an interface.
◆
Max Multicast Groups – Sets the maximum number of multicast
groups an interface can join at the same time. (Range: 0-255;
Default: 255)
◆
Current Multicast Groups – Displays the current multicast groups the
interface has joined.
◆
Throttling Action Mode – Sets the action to take when the maximum
number of multicast groups for the interface has been exceeded.
(Default: Deny)
◆
■
Deny - The new multicast group join report is dropped.
■
Replace - The new multicast group replaces an existing group.
Throttling Status – Indicates if the throttling action has been
implemented on the interface. (Options: True or False)
– 492 –
CHAPTER 17 | Multicast Filtering
Multicast VLAN Registration
WEB INTERFACE
To configure IGMP filtering or throttling for a port or trunk:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Interface from the Step list.
3. Select a profile to assign to an interface, then set the maximum
number of allowed multicast groups and the throttling response.
4. Click Apply.
Figure 298: Configuring IGMP Filtering and Throttling Interface Settings
MULTICAST VLAN REGISTRATION
Multicast VLAN Registration (MVR) is a protocol that controls access to a
single network-wide VLAN most commonly used for transmitting multicast
traffic (such as television channels or video-on-demand) across a service
provider’s network. Any multicast traffic entering an MVR VLAN is sent to
all attached subscribers. This protocol can significantly reduce to
processing overhead required to dynamically monitor and establish the
distribution tree for a normal multicast VLAN. This makes it possible to
support common multicast services over a wide part of the network
without having to use any multicast routing protocol.
MVR maintains the user isolation and data security provided by VLAN
segregation by passing only multicast traffic into other VLANs to which the
subscribers belong. Even though common multicast streams are passed
onto different VLAN groups from the MVR VLAN, users in different IEEE
802.1Q or private VLANs cannot exchange any information (except through
upper-level routing services).
– 493 –
CHAPTER 17 | Multicast Filtering
Multicast VLAN Registration
Figure 299: MVR Concept
Multicast Router
Satellite Services
Multicast Server
Layer 2 Switch
Source
Port
Service
Network
Receiver
Ports
Set-top Box
PC
TV
Set-top Box
TV
COMMAND USAGE
◆ General Configuration Guidelines for MVR:
1. Enable MVR globally on the switch, select the MVR VLAN, and add
the multicast groups that will stream traffic to attached hosts (see
"Configuring Global MVR Settings" on page 495).
2. Set the interfaces that will join the MVR as source ports or receiver
ports (see "Configuring MVR Interface Status" on page 496).
3. For multicast streams that will run for a long term and be associated
with a stable set of hosts, you can statically bind the multicast
group to the participating interfaces (see "Assigning Static MVR
Multicast Groups to Interfaces" on page 498).
◆
Although MVR operates on the underlying mechanism of IGMP
snooping, the two features operate independently of each other. One
can be enabled or disabled without affecting the behavior of the other.
However, if IGMP snooping and MVR are both enabled, MVR reacts only
to join and leave messages from multicast groups configured under
MVR. Join and leave messages from all other multicast groups are
managed by IGMP snooping. Also, note that only IGMP version 2 or 3
hosts can issue multicast join or leave messages. If MVR must be
configured for an IGMP version 1 host, the multicast groups must be
statically assigned (see "Assigning Static MVR Multicast Groups to
Interfaces" on page 498).
– 494 –
CHAPTER 17 | Multicast Filtering
Multicast VLAN Registration
CONFIGURING GLOBAL Use the Multicast > MVR (Configure General) page to enable MVR globally
MVR SETTINGS on the switch, select the VLAN that will serve as the sole channel for
common multicast streams supported by the service provider, and assign
the multicast group address for each of these services to the MVR VLAN.
CLI REFERENCES
◆ "Multicast VLAN Registration" on page 914
COMMAND USAGE
IGMP snooping and MVR share a maximum number of 256 groups. Any
multicast streams received in excess of this limitation will be flooded to all
ports in the associated VLAN.
PARAMETERS
These parameters are displayed:
◆
MVR Status – When MVR is enabled on the switch, any multicast data
associated with an MVR group is sent from all designated source ports,
to all receiver ports that have registered to receive data from that
multicast group. (Default: Disabled)
◆
MVR VLAN – Identifier of the VLAN that serves as the channel for
streaming multicast services using MVR. MVR source ports should be
configured as members of the MVR VLAN (see "Adding Static Members
to VLANs" on page 171), but MVR receiver ports should not be
manually configured as members of this VLAN. (Default: 1)
◆
MVR Running Status – Indicates whether or not all necessary
conditions in the MVR environment are satisfied. Running status is
Active as long as MVR is enabled, the specified MVR VLAN exists, and a
source port with a valid link has been configured (see "Configuring MVR
Interface Status" on page 496).
◆
MVR Group IP – IP address for an MVR multicast group.
(Range: 224.0.1.0 - 239.255.255.255; Default: no groups are assigned
to the MVR VLAN)
Any multicast data sent to this address is sent to all source ports on the
switch and all receiver ports that have elected to receive data on that
multicast address.
The IP address range of 224.0.0.0 to 239.255.255.255 is used for
multicast streams. MVR group addresses cannot fall within the reserved
IP multicast address range of 224.0.0.x.
◆
Count – The number of contiguous MVR group addresses.
(Range: 1-255; Default: 0)
– 495 –
CHAPTER 17 | Multicast Filtering
Multicast VLAN Registration
WEB INTERFACE
To configure global settings for MVR:
1. Click Multicast, MVR.
2. Select Configure General from the Step list.
3. Enable MVR globally on the switch, select the MVR VLAN, and add the
multicast groups that will stream traffic to participating hosts.
4. Click Apply.
Figure 300: Configuring Global Settings for MVR
CONFIGURING MVR Use the Multicast > MVR (Configure Interface) page to configure each
INTERFACE STATUS interface that participates in the MVR protocol as a source port or receiver
port. If you are sure that only one subscriber attached to an interface is
receiving multicast services, you can enable the immediate leave function.
CLI REFERENCES
◆ "Multicast VLAN Registration" on page 914
COMMAND USAGE
◆ A port configured as an MVR receiver or source port can join or leave
multicast groups configured under MVR. However, note that these ports
can also use IGMP snooping to join or leave any other multicast groups
using the standard rules for multicast filtering.
◆
Receiver ports can belong to different VLANs, but should not be
configured as a member of the MVR VLAN. MVR allows a receiver port
to dynamically join or leave multicast groups sourced through the MVR
VLAN. Multicast groups can also be statically assigned to a receiver port
(see "Assigning Static MVR Multicast Groups to Interfaces" on
page 498).
Receiver ports should not be statically configured as a member of the
MVR VLAN. If so configured, its MVR status will be inactive. Also, note
that VLAN membership for MVR receiver ports cannot be set to access
mode (see "Adding Static Members to VLANs" on page 171).
– 496 –
CHAPTER 17 | Multicast Filtering
Multicast VLAN Registration
◆
One or more interfaces may be configured as MVR source ports. A
source port is able to both receive and send data for configured MVR
groups or for groups which have been statically assigned (see
"Assigning Static MVR Multicast Groups to Interfaces" on page 498).
All source ports must belong to the MVR VLAN.
Subscribers should not be directly connected to source ports.
◆
Immediate leave applies only to receiver ports. When enabled, the
receiver port is immediately removed from the multicast group
identified in the leave message. When immediate leave is disabled, the
switch follows the standard rules by sending a query message to the
receiver port and waiting for a response to determine if there are any
remaining subscribers for that multicast group before removing the
port from the group list.
■
Using immediate leave can speed up leave latency, but should only
be enabled on a port attached to one multicast subscriber to avoid
disrupting services to other group members attached to the same
interface.
■
Immediate leave does not apply to multicast groups which have
been statically assigned to a port.
PARAMETERS
These parameters are displayed:
◆
Port – Port identifier.
◆
Type – The following interface types are supported:
■
Source – An uplink port that can send and receive multicast data
for the groups assigned to the MVR VLAN. Note that the source port
must be manually configured as a member of the MVR VLAN (see
"Adding Static Members to VLANs" on page 171).
■
Receiver – A subscriber port that can receive multicast data sent
through the MVR VLAN. Any port configured as a receiver port will
be dynamically added to the MVR VLAN when it forwards an IGMP
report or join message from an attached host requesting any of the
designated multicast services supported by the MVR VLAN. Just
remember that only IGMP version 2 or 3 hosts can issue multicast
join or leave messages. If MVR must be configured for an IGMP
version 1 host, the multicast groups must be statically assigned
(see "Assigning Static MVR Multicast Groups to Interfaces" on
page 498).
■
Non-MVR – An interface that does not participate in the MVR VLAN.
(This is the default type.)
◆
Oper. Status – Shows the link status.
◆
MVR Status – Shows the MVR status. MVR status for source ports is
“Active” if MVR is globally enabled on the switch. MVR status for
receiver ports is “Active” only if there are subscribers receiving
– 497 –
CHAPTER 17 | Multicast Filtering
Multicast VLAN Registration
multicast traffic from one of the MVR groups, or a multicast group has
been statically assigned to an interface.
◆
Immediate Leave – Configures the switch to immediately remove an
interface from a multicast stream as soon as it receives a leave
message for that group. (This option only applies to an interface
configured as an MVR receiver.)
WEB INTERFACE
To configure interface settings for MVR:
1. Click Multicast, MVR.
2. Select Configure Interface from the Step list.
3. Set each port that will participate in the MVR protocol as a source port
or receiver port, and optionally enable Immediate Leave on any
receiver port to which only one subscriber is attached.
4. Click Apply.
Figure 301: Configuring Interface Settings for MVR
ASSIGNING STATIC Use the Multicast > MVR (Configure Static Group Member) page to
MVR MULTICAST statically bind multicast groups to a port which will receive long-term
GROUPS TO multicast streams associated with a stable set of hosts.
INTERFACES
CLI REFERENCES
◆ "mvr vlan group" on page 917
COMMAND USAGE
◆ Multicast groups can be statically assigned to a receiver port using this
configuration page.
◆
The IP address range from 224.0.0.0 to 239.255.255.255 is used for
multicast streams. MVR group addresses cannot fall within the reserved
IP multicast address range of 224.0.0.x.
– 498 –
CHAPTER 17 | Multicast Filtering
Multicast VLAN Registration
◆
Only IGMP version 2 or 3 hosts can issue multicast join or leave
messages. If MVR must be configured for an IGMP version 1 host, the
multicast groups must be statically assigned.
◆
The MVR VLAN cannot be specified as the receiver VLAN for static
bindings.
PARAMETERS
These parameters are displayed:
◆
Port – Port identifier.
◆
VLAN – VLAN identifier. (Range: 1-4093)
◆
Group IP Address – Defines a multicast service sent to the selected
port. Multicast groups must be assigned from the MVR group range
configured on the Configure General page.
WEB INTERFACE
To assign a static MVR group to a port:
1. Click Multicast, MVR.
2. Select Configure Static Group Member from the Step list.
3. Select Add from the Action list.
4. Select a VLAN and port member to receive the multicast stream, and
then enter the multicast group address.
5. Click Apply.
Figure 302: Assigning Static MVR Groups to a Port
To show the static MVR groups assigned to a port:
1. Click Multicast, MVR.
2. Select Configure Static Group Member from the Step list.
3. Select Show from the Action list.
– 499 –
CHAPTER 17 | Multicast Filtering
Multicast VLAN Registration
4. Select the port for which to display this information.
Figure 303: Showing the Static MVR Groups Assigned to a Port
DISPLAYING MVR Use the Multicast > MVR (Show Member) page to show the multicast
RECEIVER GROUPS groups either statically or dynamically assigned to the MVR receiver groups
on each interface.
CLI REFERENCES
◆ "show mvr" on page 918
PARAMETERS
These parameters are displayed:
◆
Group IP Address – Multicast groups assigned to the MVR VLAN.
◆
Source IP Address – Indicates the source address of the multicast
service, or displays an asterisk if the group address has been statically
assigned.
◆
VLAN – Indicates the MVR VLAN receiving the multicast service.
◆
Forwarding Port – Shows the interfaces with subscribers for multicast
services provided through the MVR VLAN. Also shows the VLAN through
which the service is received. Note that this may be different from the
MVR VLAN if the group address has been statically assigned.
WEB INTERFACE
To show the interfaces associated with multicast groups assigned to the
MVR VLAN:
1. Click Multicast, MVR.
2. Select Show Member from the Step list.
– 500 –
CHAPTER 17 | Multicast Filtering
Multicast VLAN Registration
Figure 304: Displaying MVR Receiver Groups
– 501 –
CHAPTER 17 | Multicast Filtering
Multicast VLAN Registration
– 502 –
SECTION III
COMMAND LINE INTERFACE
This section provides a detailed description of the Command Line Interface,
along with examples for all of the commands.
This section includes these chapters:
◆
"General Commands" on page 517
◆
"System Management Commands" on page 525
◆
"SNMP Commands" on page 581
◆
"Remote Monitoring Commands" on page 601
◆
"Authentication Commands" on page 609
◆
"General Security Measures" on page 663
◆
"Access Control Lists" on page 711
◆
"Interface Commands" on page 729
◆
"Link Aggregation Commands" on page 749
◆
"Port Mirroring Commands" on page 761
◆
"Rate Limit Commands" on page 771
◆
"Automatic Traffic Control Commands" on page 773
◆
"Address Table Commands" on page 789
◆
"Spanning Tree Commands" on page 795
◆
"VLAN Commands" on page 821
– 503 –
SECTION III | Command Line Interface
◆
"Class of Service Commands" on page 857
◆
"Quality of Service Commands" on page 869
◆
"Multicast Filtering Commands" on page 887
◆
"LLDP Commands" on page 921
◆
"Domain Name Service Commands" on page 945
◆
"DHCP Commands" on page 955
◆
"IP Interface Commands" on page 961
– 504 –
18
USING THE COMMAND LINE
INTERFACE
This chapter describes how to use the Command Line Interface (CLI).
ACCESSING THE CLI
When accessing the management interface for the switch over a direct
connection to the server’s console port, or via a Telnet or Secure Shell
connection (SSH), the switch can be managed by entering command
keywords and parameters at the prompt. Using the switch's command-line
interface (CLI) is very similar to entering commands on a UNIX system.
CONSOLE To access the switch through the console port, perform these steps:
CONNECTION
1. At the console prompt, enter the user name and password. (The default
user names are “admin” and “guest” with corresponding passwords of
“admin” and “guest.”) When the administrator user name and password
is entered, the CLI displays the “Console#” prompt and enters
privileged access mode (i.e., Privileged Exec). But when the guest user
name and password is entered, the CLI displays the “Console>” prompt
and enters normal access mode (i.e., Normal Exec).
2. Enter the necessary commands to complete your desired tasks.
3. When finished, exit the session with the “quit” or “exit” command.
After connecting to the system through the console port, the login screen
displays:
User Access Verification
Username: admin
Password:
CLI session with the ECS3510-26P is opened.
To end the CLI session, enter [Exit].
Console#
– 505 –
CHAPTER 18 | Using the Command Line Interface
Accessing the CLI
TELNET CONNECTION Telnet operates over the IP transport protocol. In this environment, your
management station and any network device you want to manage over the
network must have a valid IP address. Valid IP addresses consist of four
numbers, 0 to 255, separated by periods. Each address consists of a
network portion and host portion. For example, the IP address assigned to
this switch, 10.1.0.1, consists of a network portion (10.1.0) and a host
portion (1).
NOTE: The IP address for this switch is obtained via DHCP by default.
To access the switch through a Telnet session, you must first set the IP
address for the Master unit, and set the default gateway if you are
managing the switch from a different IP subnet. For example,
Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.254 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.254
Console(config)#
If your corporate network is connected to another network outside your
office or to the Internet, you need to apply for a registered IP address.
However, if you are attached to an isolated network, then you can use any
IP address that matches the network segment to which you are attached.
After you configure the switch with an IP address, you can open a Telnet
session by performing these steps:
1. From the remote host, enter the Telnet command and the IP address of
the device you want to access.
2. At the prompt, enter the user name and system password. The CLI will
display the “Vty-n#” prompt for the administrator to show that you are
using privileged access mode (i.e., Privileged Exec), or “Vty-n>” for the
guest to show that you are using normal access mode (i.e., Normal
Exec), where n indicates the number of the current Telnet session.
3. Enter the necessary commands to complete your desired tasks.
4. When finished, exit the session with the “quit” or “exit” command.
After entering the Telnet command, the login screen displays:
Username: admin
Password:
CLI session with the ECS3510-26P is opened.
To end the CLI session, enter [Exit].
Vty-0#
– 506 –
CHAPTER 18 | Using the Command Line Interface
Entering Commands
NOTE: You can open up to four sessions to the device via Telnet.
ENTERING COMMANDS
This section describes how to enter CLI commands.
KEYWORDS AND A CLI command is a series of keywords and arguments. Keywords identify
ARGUMENTS a command, and arguments specify configuration parameters. For
example, in the command “show interfaces status ethernet 1/5,” show
interfaces and status are keywords, ethernet is an argument that
specifies the interface type, and 1/5 specifies the unit/port.
You can enter commands as follows:
◆
To enter a simple command, enter the command keyword.
◆
To enter multiple commands, enter each command in the required
order. For example, to enable Privileged Exec command mode, and
display the startup configuration, enter:
Console>enable
Console#show startup-config
◆
To enter commands that require parameters, enter the required
parameters after the command keyword. For example, to set a
password for the administrator, enter:
Console(config)#username admin password 0 smith
MINIMUM The CLI will accept a minimum number of characters that uniquely identify
ABBREVIATION a command. For example, the command “configure” can be entered as
con. If an entry is ambiguous, the system will prompt for further input.
COMMAND If you terminate input with a Tab key, the CLI will print the remaining
COMPLETION characters of a partial keyword up to the point of ambiguity. In the “logging
history” example, typing log followed by a tab will result in printing the
command up to “logging.”
– 507 –
CHAPTER 18 | Using the Command Line Interface
Entering Commands
GETTING HELP ON You can display a brief description of the help system by entering the help
COMMANDS command. You can also display command syntax by using the “?” character
to list keywords or parameters.
SHOWING COMMANDS
If you enter a “?” at the command prompt, the system will display the first
level of keywords or command groups. You can also display a list of valid
keywords for a specific command. For example, the command “system ?”
displays a list of possible system commands:
Console#show ?
access-group
access-list
accounting
arp
authorization
auto-traffic-control
bridge-ext
cable-diagnostics
calendar
class-map
cluster
dns
dot1q-tunnel
dot1x
flow
garp
gvrp
history
hosts
interfaces
ip
ipv6
lacp
line
lldp
log
logging
mac
mac-address-table
mac-vlan
management
memory
mvr
network-access
nlm
policy-map
port
power
power-save
process
protocol-vlan
public-key
qos
queue
radius-server
reload
rmon
rspan
running-config
Access groups
Access lists
Uses an accounting list with this name
Information of ARP cache
Enables EXEC accounting
Auto traffic control information
Bridge extension information
Shows the information of cable diagnostics
Date and time information
Displays class maps
Display cluster
DNS information
dot1q-tunnel
802.1X content
Shows packet flow information
GARP properties
GVRP interface information
Shows history information
Host information
Shows interface information
IP information
IPv6 information
LACP statistics
TTY line information
LLDP
Log records
Logging setting
MAC access list
Configuration of the address table
MAC-based VLAN information
Shows management information
Memory utilization
multicast vlan registration
Shows the entries of the secure port.
Show notification log
Displays policy maps
Port characteristics
Shows power
Shows the power saving information
Device process
Protocol-VLAN information
Public key information
Quality of Service
Priority queue information
RADIUS server information
Shows the reload settings
Remote Monitoring Protocol
Display status of the current RSPAN configuration
Information on the running configuration
– 508 –
CHAPTER 18 | Using the Command Line Interface
Entering Commands
snmp
sntp
spanning-tree
ssh
startup-config
subnet-vlan
system
tacacs-server
tech-support
time-range
traffic-segmentation
upgrade
users
version
vlan
voice
web-auth
Console#show
Simple Network Management Protocol configuration and
statistics
Simple Network Time Protocol configuration
Spanning-tree configuration
Secure shell server connections
Startup system configuration
IP subnet-based VLAN information
System information
TACACS server information
Technical information
Time range
Traffic segmentation information
Shows upgrade information
Information about users logged in
System hardware and software versions
Shows virtual LAN settings
Shows the voice VLAN information
Shows web authentication configuration
The command “show interfaces ?” will display the following information:
Console#show interfaces ?
brief
Shows brief interface description
counters
Interface counters information
protocol-vlan Protocol-VLAN information
status
Shows interface status
switchport
Shows interface switchport information
transceiver
Interface of transceiver information
Console#
PARTIAL KEYWORD If you terminate a partial keyword with a question mark, alternatives that
LOOKUP match the initial letters are provided. (Remember not to leave a space
between the command and question mark.) For example “s?” shows all the
keywords starting with “s.”
Console#show s?
snmp
sntp
subnet-vlan
system
Console#show s
spanning-tree
ssh
startup-config
NEGATING THE EFFECT For many configuration commands you can enter the prefix keyword “no”
OF COMMANDS to cancel the effect of a command or reset the configuration to the default
value. For example, the logging command will log system messages to a
host server. To disable logging, specify the no logging command. This
guide describes the negation effect for all applicable commands.
– 509 –
CHAPTER 18 | Using the Command Line Interface
Entering Commands
USING COMMAND The CLI maintains a history of commands that have been entered. You can
HISTORY scroll back through the history of commands by pressing the up arrow key.
Any command displayed in the history list can be executed again, or first
modified and then executed.
Using the show history command displays a longer list of recently
executed commands.
UNDERSTANDING The command set is divided into Exec and Configuration classes. Exec
COMMAND MODES commands generally display information on system status or clear
statistical counters. Configuration commands, on the other hand, modify
interface parameters or enable certain switching functions. These classes
are further divided into different modes. Available commands depend on
the selected mode. You can always enter a question mark “?” at the
prompt to display a list of the commands available for the current mode.
The command classes and associated modes are displayed in the following
table:
Table 37: General Command Modes
Class
Mode
Exec
Normal
Privileged
Configuration
Global*
Access Control List
Class Map
IGMP Profile
Interface
Line
Multiple Spanning Tree
Policy Map
Time Range
VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode.
You must be in Global Configuration mode to access any of the other configuration
modes.
EXEC COMMANDS When you open a new console session on the switch with the user name
and password “guest,” the system enters the Normal Exec command mode
(or guest mode), displaying the “Console>” command prompt. Only a
limited number of the commands are available in this mode. You can
access all commands only from the Privileged Exec command mode (or
administrator mode). To access Privilege Exec mode, open a new console
session with the user name and password “admin.” The system will now
display the “Console#” command prompt. You can also enter Privileged
Exec mode from within Normal Exec mode, by entering the enable
command, followed by the privileged level password “super.”
– 510 –
CHAPTER 18 | Using the Command Line Interface
Entering Commands
To enter Privileged Exec mode, enter the following user names and
passwords:
Username: admin
Password: [admin login password]
CLI session with the ECS3510-26P is opened.
To end the CLI session, enter [Exit].
Console#
Username: guest
Password: [guest login password]
CLI session with the ECS3510-26P is opened.
To end the CLI session, enter [Exit].
Console>enable
Password: [privileged level password]
Console#
CONFIGURATION Configuration commands are privileged level commands used to modify
COMMANDS switch settings. These commands modify the running configuration only
and are not saved when the switch is rebooted. To store the running
configuration in non-volatile storage, use the copy running-config
startup-config command.
The configuration commands are organized into different modes:
◆
Global Configuration - These commands modify the system level
configuration, and include commands such as hostname and snmpserver community.
◆
Access Control List Configuration - These commands are used for
packet filtering.
◆
Class Map Configuration - Creates a DiffServ class map for a specified
traffic type.
◆
IGMP Profile - Sets a profile group and enters IGMP filter profile
configuration mode.
◆
Interface Configuration - These commands modify the port
configuration such as speed-duplex and negotiation.
◆
Line Configuration - These commands modify the console port and
Telnet configuration, and include command such as parity and
databits.
◆
Multiple Spanning Tree Configuration - These commands configure
settings for the selected multiple spanning tree instance.
– 511 –
CHAPTER 18 | Using the Command Line Interface
Entering Commands
◆
Policy Map Configuration - Creates a DiffServ policy map for multiple
interfaces.
◆
Time Range - Sets a time range for use by other functions, such as
Access Control Lists.
◆
VLAN Configuration - Includes the command to create VLAN groups.
To enter the Global Configuration mode, enter the command configure in
Privileged Exec mode. The system prompt will change to
“Console(config)#” which gives you access privilege to all Global
Configuration commands.
Console#configure
Console(config)#
To enter the other modes, at the configuration prompt type one of the
following commands. Use the exit or end command to return to the
Privileged Exec mode.
Table 38: Configuration Command Modes
Mode
Command
Prompt
Page
Line
line {console | vty}
Console(config-line)
544
Access
Control List
access-list
access-list
access-list
access-list
access-list
Console(config-std-acl)
Console(config-ext-acl)
Console(config-mac-acl)
712
712
719
Class Map
class-map
Console(config-cmap)
870
Interface
interface {ethernet port |
port-channel id| vlan id}
Console(config-if)
730
MSTP
spanning-tree mst-configuration
Console(config-mstp)
802
Policy Map
policy-map
Console(config-pmap)
873
Time Range
time-range
Console(config-time-range)
572
VLAN
vlan database
Console(config-vlan)
827
ip standard
ip extended
ipv6 standard
ipv6 extended
mac
For example, you can use the following commands to enter interface
configuration mode, and then return to Privileged Exec mode
Console(config)#interface ethernet 1/5
.
.
.
Console(config-if)#exit
Console(config)#
– 512 –
CHAPTER 18 | Using the Command Line Interface
Entering Commands
COMMAND LINE Commands are not case sensitive. You can abbreviate commands and
PROCESSING parameters as long as they contain enough letters to differentiate them
from any other currently available commands or parameters. You can use
the Tab key to complete partial commands, or enter a partial command
followed by the “?” character to display a list of possible matches. You can
also use the following editing keystrokes for command-line processing:
Table 39: Keystroke Commands
Keystroke
Function
Ctrl-A
Shifts cursor to start of command line.
Ctrl-B
Shifts cursor to the left one character.
Ctrl-C
Terminates the current task and displays the command prompt.
Ctrl-E
Shifts cursor to end of command line.
Ctrl-F
Shifts cursor to the right one character.
Ctrl-K
Deletes all characters from the cursor to the end of the line.
Ctrl-L
Repeats current command line on a new line.
Ctrl-N
Enters the next command line in the history buffer.
Ctrl-P
Enters the last command.
Ctrl-R
Repeats current command line on a new line.
Ctrl-U
Deletes from the cursor to the beginning of the line.
Ctrl-W
Deletes the last word typed.
Esc-B
Moves the cursor back one word.
Esc-D
Deletes from the cursor to the end of the word.
Esc-F
Moves the cursor forward one word.
Delete key or
backspace key
Erases a mistake when entering a command.
OUTPUT MODIFIERS Some of the show commands include options for output modifiers. For
example, the “show running-config” command includes the following
keyword options:
Console#show running-config ?
| Output modifiers
<cr>
The output modifiers include options which indicate a string that occurs at
the beginning of a line, in lines that are to be excluded, or in lines that are
to be included.
Console#show running-config | ?
begin
Begin with line that matches
exclude Exclude lines that match
include Include lines that match
Note that the output modifier begin can only be used as the first modifier if
more than one modifier is used in a command.
– 513 –
CHAPTER 18 | Using the Command Line Interface
CLI Command Groups
CLI COMMAND GROUPS
The system commands can be broken down into the functional groups
shown below.
Table 40: Command Group Index
Command Group
Description
Page
General
Basic commands for entering privileged access mode,
restarting the system, or quitting the CLI
517
System Management
Display and setting of system information, basic modes
of operation, maximum frame size, file management,
console port and telnet settings, system logs, SMTP
alerts, the system clock, and switch clustering
525
Simple Network
Management Protocol
Activates authentication failure traps; configures
community access strings, and trap receivers
581
Remote Monitoring
Supports statistics, history, alarm and event groups
601
User Authentication
Configures user names and passwords, logon access
using local or remote authentication, management
access through the web server, Telnet server and Secure
Shell; as well as port security, IEEE 802.1X port access
control, and restricted access based on specified IP
addresses
609
General Security
Measures
Segregates traffic for clients attached to common data
ports; and prevents unauthorized access by configuring
valid static or dynamic addresses, web authentication,
MAC address authentication, filtering DHCP requests and
replies, and discarding invalid ARP responses
663
Access Control List
Provides filtering for IPv4 frames (based on address,
protocol, TCP/UDP port number or TCP control code),
IPv6 frames (based on address or DSCP traffic class), or
non-IP frames (based on MAC address or Ethernet type)
711
Interface
Configures the connection parameters for all Ethernet
ports, aggregated links, and VLANs
729
Link Aggregation
Statically groups multiple ports into a single logical trunk; 749
configures Link Aggregation Control Protocol for port
trunks
Power over Ethernet
Configures power output for connected devices
777
Mirror Port
Mirrors data to another port for analysis without affecting
the data passing through or the performance of the
monitored port
761
Rate Limit
Controls the maximum rate for traffic transmitted or
received on a port
771
Automatic Traffic Control
Configures bounding thresholds for broadcast and
multicast storms which can be used to trigger configured
rate limits or to shut down a port
773
Address Table
Configures the address table for filtering specified
addresses, displays current entries, clears the table, or
sets the aging time
789
Spanning Tree
Configures Spanning Tree settings for the switch
795
VLANs
Configures VLAN settings, and defines port membership
for VLAN groups; also enables or configures private
VLANs, protocol VLANs, voice VLANs, and QinQ tunneling
821
Class of Service
Sets port priority for untagged frames, selects strict
priority or weighted round robin, relative weight for each
priority queue, also sets priority for DSCP
857
– 514 –
CHAPTER 18 | Using the Command Line Interface
CLI Command Groups
Table 40: Command Group Index (Continued)
Command Group
Description
Page
Quality of Service
Configures Differentiated Services
869
Multicast Filtering
Configures IGMP multicast filtering, query, profile, and
proxy parameters; specifies ports attached to a multicast
router; also configures multicast VLAN registration
887
Link Layer Discovery
Protocol
Configures LLDP settings to enable information discovery
about neighbor devices
921
Domain Name Service
Configures DNS services.
945
Dynamic Host
Configuration Protocol
Configures DHCP client functions
955
IP Interface
Configures IP address for the switch interfaces; also
configures ARP parameters and static entries
961
The access mode shown in the following tables is indicated by these
abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
GC (Global Configuration)
IC (Interface Configuration)
IPC (IGMP Profile Configuration)
LC (Line Configuration)
MST (Multiple Spanning Tree)
NE (Normal Exec)
PE (Privileged Exec)
PM (Policy Map Configuration)
VC (VLAN Database Configuration)
– 515 –
CHAPTER 18 | Using the Command Line Interface
CLI Command Groups
– 516 –
19
GENERAL COMMANDS
The general commands are used to control the command access mode,
configuration mode, and other basic functions.
Table 41: General Commands
Command
Function
Mode
prompt
Customizes the CLI prompt
GC
reload
Restarts the system at a specified time, after a specified delay,
or at a periodic interval
GC
enable
Activates privileged mode
NE
quit
Exits a CLI session
NE, PE
show history
Shows the command history buffer
NE, PE
configure
Activates global configuration mode
PE
disable
Returns to normal mode from privileged mode
PE
reload
Restarts the system immediately
PE
show reload
Displays the current reload settings, and the time at which next
scheduled reload will take place
PE
end
Returns to Privileged Exec mode
any config.
mode
exit
Returns to the previous configuration mode, or exits the CLI
any mode
help
Shows how to use help
any mode
?
Shows options for command completion (context sensitive)
any mode
prompt This command customizes the CLI prompt. Use the no form to restore the
default prompt.
SYNTAX
prompt string
no prompt
string - Any alphanumeric string to use for the CLI prompt.
(Maximum length: 255 characters)
DEFAULT SETTING
Console
COMMAND MODE
Global Configuration
– 517 –
CHAPTER 19 | General Commands
EXAMPLE
Console(config)#prompt RD2
RD2(config)#
reload (Global This command restarts the system at a specified time, after a specified
Configuration) delay, or at a periodic interval. You can reboot the system immediately, or
you can configure the switch to reset after a specified amount of time. Use
the cancel option to remove a configured setting.
SYNTAX
reload {at hour minute [{month day | day month} [year]] |
in {hour hours | minute minutes | hour hours minute minutes} |
regularity hour minute [period {daily | weekly day-of-week |
monthly day}] | cancel [at | in | regularity]}
reload at - A specified time at which to reload the switch.
hour - The hour at which to reload. (Range: 0-23)
minute - The minute at which to reload. (Range: 0-59)
month - The month at which to reload. (january ... december)
day - The day of the month at which to reload. (Range: 1-31)
year - The year at which to reload. (Range: 1970-2037)
reload in - An interval after which to reload the switch.
hours - The number of hours, combined with the minutes,
before the switch resets. (Range: 0-576)
minutes - The number of minutes, combined with the hours,
before the switch resets. (Range: 0-59)
reload regularity - A periodic interval at which to reload the
switch.
hour - The hour at which to reload. (Range: 0-23)
minute - The minute at which to reload. (Range: 0-59)
day-of-week - Day of the week at which to reload.
(Range: monday ... saturday)
day - Day of the month at which to reload. (Range: 1-31)
reload cancel - Cancels the specified reload option.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
– 518 –
CHAPTER 19 | General Commands
COMMAND USAGE
◆ This command resets the entire system.
◆
Any combination of reload options may be specified. If the same option
is re-specified, the previous setting will be overwritten.
◆
When the system is restarted, it will always run the Power-On Self-Test.
It will also retain all configuration information stored in non-volatile
memory by the copy running-config startup-config command (See
"copy" on page 536).
EXAMPLE
This example shows how to reset the switch after 30 minutes:
Console(config)#reload in minute 30
***
*** --- Rebooting at January 1 02:10:43 2007 --***
Are you sure to reboot the system at the specified time? <y/n>
enable This command activates Privileged Exec mode. In privileged mode,
additional commands are available, and certain commands display
additional information. See "Understanding Command Modes" on
page 510.
SYNTAX
enable [level]
level - Privilege level to log into the device.
The device has two predefined privilege levels: 0: Normal Exec,
15: Privileged Exec. Enter level 15 to access Privileged Exec mode.
DEFAULT SETTING
Level 15
COMMAND MODE
Normal Exec
COMMAND USAGE
◆ “super” is the default password required to change the command mode
from Normal Exec to Privileged Exec. (To set this password, see the
enable password command.)
◆
The “#” character is appended to the end of the prompt to indicate that
the system is in privileged access mode.
– 519 –
CHAPTER 19 | General Commands
EXAMPLE
Console>enable
Password: [privileged level password]
Console#
RELATED COMMANDS
disable (522)
enable password (610)
quit This command exits the configuration program.
DEFAULT SETTING
None
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
The quit and exit commands can both exit the configuration program.
EXAMPLE
This example shows how to quit a CLI session:
Console#quit
Press ENTER to start session
User Access Verification
Username:
show history This command shows the contents of the command history buffer.
DEFAULT SETTING
None
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
The history buffer size is fixed at 10 Execution commands and
10 Configuration commands.
– 520 –
CHAPTER 19 | General Commands
EXAMPLE
In this example, the show history command lists the contents of the
command history buffer:
Console#show history
Execution command history:
2 config
1 show history
Configuration command history:
4 interface vlan 1
3 exit
2 interface vlan 1
1 end
Console#
The ! command repeats commands from the Execution command history
buffer when you are in Normal Exec or Privileged Exec Mode, and
commands from the Configuration command history buffer when you are in
any of the configuration modes. In this example, the !2 command repeats
the second command in the Execution history buffer (config).
Console#!2
Console#config
Console(config)#
configure This command activates Global Configuration mode. You must enter this
mode to modify any settings on the switch. You must also enter Global
Configuration mode prior to enabling some of the other configuration
modes, such as Interface Configuration, Line Configuration, and VLAN
Database Configuration. See "Understanding Command Modes" on
page 510.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
Console#configure
Console(config)#
RELATED COMMANDS
end (523)
– 521 –
CHAPTER 19 | General Commands
disable This command returns to Normal Exec mode from privileged mode. In
normal access mode, you can only display basic information on the switch's
configuration or Ethernet statistics. To gain access to all commands, you
must use the privileged mode. See "Understanding Command Modes" on
page 510.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
The “>” character is appended to the end of the prompt to indicate that the
system is in normal access mode.
EXAMPLE
Console#disable
Console>
RELATED COMMANDS
enable (519)
reload (Privileged This command restarts the system.
Exec)
NOTE: When the system is restarted, it will always run the Power-On SelfTest. It will also retain all configuration information stored in non-volatile
memory by the copy running-config startup-config command.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
This command resets the entire system.
EXAMPLE
This example shows how to reset the switch:
Console#reload
System will be restarted, continue <y/n>? y
– 522 –
CHAPTER 19 | General Commands
show reload This command displays the current reload settings, and the time at which
next scheduled reload will take place.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show reload
Reloading switch in time:
0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#
end This command returns to Privileged Exec mode.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration, Interface Configuration, Line Configuration, VLAN
Database Configuration, and Multiple Spanning Tree Configuration.
EXAMPLE
This example shows how to return to the Privileged Exec mode from the
Interface Configuration mode:
Console(config-if)#end
Console#
exit This command returns to the previous configuration mode or exits the
configuration program.
DEFAULT SETTING
None
COMMAND MODE
Any
– 523 –
CHAPTER 19 | General Commands
EXAMPLE
This example shows how to return to the Privileged Exec mode from the
Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
– 524 –
20
SYSTEM MANAGEMENT COMMANDS
The system management commands are used to control system logs,
passwords, user names, management options, and display or configure a
variety of other system information.
Table 42: System Management Commands
Command Group
Function
Device Designation
Configures information that uniquely identifies this switch
System Status
Displays system configuration, active managers, and version
information
Frame Size
Enables support for jumbo frames
File Management
Manages code image or switch configuration files
Line
Sets communication parameters for the serial port, including baud
rate and console time-out
Event Logging
Controls logging of error messages
SMTP Alerts
Configures SMTP email alerts
Time (System Clock)
Sets the system clock automatically via NTP/SNTP server or
manually
Time Range
Sets a time range for use by other functions, such as Access
Control Lists
Switch Clustering
Configures management of multiple devices via a single IP
address
DEVICE DESIGNATION
This section describes commands used to configure information that
uniquely identifies the switch.
Table 43: Device Designation Commands
Command
Function
Mode
hostname
Specifies the host name for the switch
GC
snmp-server contact
Sets the system contact string
GC
snmp-server location
Sets the system location string
GC
– 525 –
CHAPTER 20 | System Management Commands
System Status
hostname This command specifies or modifies the host name for this device. Use the
no form to restore the default host name.
SYNTAX
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#hostname RD#1
Console(config)#
SYSTEM STATUS
This section describes commands used to display system information.
Table 44: System Status Commands
Command
Function
Mode
show access-list tcamutilization
Shows utilization parameters for TCAM
PE
show memory
Shows memory utilization parameters
NE, PE
show process cpu
Shows CPU utilization parameters
NE, PE
show running-config
Displays the configuration data currently in use
PE
show startup-config
Displays the contents of the configuration file (stored
in flash memory) that is used to start up the system
PE
show system
Displays system information
NE, PE
show tech-support
Displays a detailed list of system settings designed to
help technical support resolve configuration or
functional problems
PE
show users
Shows all active console and Telnet sessions, including
user name, idle time, and IP address of Telnet clients
NE, PE
show version
Displays version information for the system
NE, PE
– 526 –
CHAPTER 20 | System Management Commands
System Status
show access-list This command shows utilization parameters for TCAM (Ternary Content
tcam-utilization Addressable Memory), including the number policy control entries in use,
the number of free entries, and the overall percentage of TCAM in use.
COMMAND MODE
Privileged Exec
COMMAND USAGE
Policy control entries (PCEs) are used by various system functions which
rely on rule-based searches, including Access Control Lists (ACLs), IP
Source Guard filter rules, Quality of Service (QoS) processes, or traps.
For example, when binding an ACL to a port, each rule in an ACL will use
two PCEs; and when setting an IP Source Guard filter rule for a port, the
system will also use two PCEs.
EXAMPLE
Console#show access-list tcam-utilization
Total Policy Control Entries
: 256
Free Policy Control Entries
: 176
Entries Used by System
: 80
Entries Used by User
: 0
TCAM Utilization
: 31.25%
Console#
show memory This command shows memory utilization parameters.
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
This command shows the amount of memory currently free for use, the
amount of memory allocated to active processes, and the total amount of
system memory.
EXAMPLE
Console#show memory
Status
Bytes
------ ---------Free
50917376
Used
83300352
Total
134217728
Console#
– 527 –
CHAPTER 20 | System Management Commands
System Status
show process cpu This command shows the CPU utilization parameters.
COMMAND MODE
Normal Exec, Privileged Exec
EXAMPLE
Console#show process cpu
CPU Utilization in the past 5 seconds : 3.98%
Console#
show This command displays the configuration information currently in use.
running-config
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ Use this command in conjunction with the show startup-config
command to compare the information in running memory to the
information stored in non-volatile memory.
◆
This command displays settings for key command modes. Each mode
group is separated by “!” symbols, and includes the configuration mode
command, and corresponding commands. This command displays the
following information:
■
■
■
■
■
■
■
■
■
■
■
■
MAC address for the switch
SNTP server settings
SNMP community strings
Users (names, access levels, and encrypted passwords)
VLAN database (VLAN ID, name and state)
VLAN configuration settings for each interface
Multiple spanning tree instances (name and interfaces)
IP address configured for management VLAN
Layer 4 precedence settings
Spanning tree settings
Interface settings
Any configured settings for the console port and Telnet
EXAMPLE
Console#show running-config
Building startup configuration. Please wait...
!<stackingDB>00</stackingDB>
!<stackingMac>01_00-e0-0c-00-00-fd_00</stackingMac>
!
snmp-server community public ro
snmp-server community private rw
!
snmp-server enable traps authentication
!
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
– 528 –
CHAPTER 20 | System Management Commands
System Status
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
vlan 1 name DefaultVlan media ethernet state active
!
spanning-tree mst configuration
!
interface ethernet 1/1
switchport allowed vlan add 1 untagged
switchport native vlan 1
.qos map dscp-mutation 6 0 from 46
.
.
!
interface vlan 1
ip address 192.168.1.10 255.255.255.0
!
queue mode strict-wrr 0 0 0 1
!
line console
!
line vty
!
end
!
Console#
RELATED COMMANDS
show startup-config (529)
show startup-config This command displays the configuration file stored in non-volatile memory
that is used to start up the system.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ Use this command in conjunction with the show running-config
command to compare the information in running memory to the
information stored in non-volatile memory.
◆
This command displays settings for key command modes. Each mode
group is separated by “!” symbols, and includes the configuration mode
command, and corresponding commands. This command displays the
following information:
■
■
■
■
■
■
■
■
■
MAC address for the switch
SNMP community strings
SNMP trap authentication
RMON alarms settings
Users (names and access levels)
VLAN database (VLAN ID, name and state)
Multiple spanning tree instances (name and interfaces)
Interface settings and VLAN configuration settings for each interface
IP address for management VLAN
– 529 –
CHAPTER 20 | System Management Commands
System Status
■
Any configured settings for the console port and Telnet
EXAMPLE
Refer to the example for the running configuration file.
RELATED COMMANDS
show running-config (528)
show system This command displays system information.
DEFAULT SETTING
None
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
◆ For a description of the items shown by this command, refer to
"Displaying System Information" on page 97.
◆
The POST results should all display “PASS.” If any POST test indicates
“FAIL,” contact your distributor for assistance.
EXAMPLE
Console#show system
System Description : ECS3510-26P Managed FE POE Switch
System OID String : 1.3.6.1.4.1.259.10.1.38.104
System Information
System Up Time
System Name
System Location
System Contact
MAC Address (Unit 1)
Web Server
Web Server Port
Web Secure Server
Web Secure Server Port
Telnet Server
Telnet Server Port
Jumbo Frame
:
:
:
:
:
:
:
:
:
:
:
:
0 days, 7 hours, 20 minutes, and 43.30 seconds
00-E0-0C-00-00-FD
Enabled
80
Enabled
443
Enabled
23
Disabled
System Fan:
Unit 1
POST Result:
Console#
– 530 –
CHAPTER 20 | System Management Commands
System Status
show tech-support This command displays a detailed list of system settings designed to help
technical support resolve configuration or functional problems.
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
This command generates a long list of information including detailed
system and interface settings. It is therefore advisable to direct the output
to a file using any suitable output capture function provided with your
terminal emulation program.
EXAMPLE
Console#show tech-support
Show System:
System Description : ECS3510-26P Managed FE POE Switch
System OID String : 1.3.6.1.4.1.259.10.1.38.104
System Information
System Up Time
: 0 days, 1 hours, 28 minutes, and 51.70 seconds
System Name
:
System Location
:
System Contact
:
MAC Address (Unit 1)
: 00-E0-0C-00-00-FD
Web Server
: Enabled
Web Server Port
: 80
Web Secure Server
: Disabled
Web Secure Server Port : 443
Telnet Server
: Enabled
Telnet Server Port
: 23
Jumbo Frame
: Disabled
.
.
.
show users Shows all active console and Telnet sessions, including user name, idle
time, and IP address of Telnet client.
DEFAULT SETTING
None
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
The session used to execute this command is indicated by a “*” symbol
next to the Line (i.e., session) index number.
– 531 –
CHAPTER 20 | System Management Commands
System Status
EXAMPLE
Console#show users
User Name Accounts:
User Name Privilege
--------- --------admin
15
guest
0
steve
15
Public-Key
---------None
None
RSA
Online Users:
Line
Username Idle time (h:m:s) Remote IP addr.
----------- -------- ----------------- --------------0
console
admin
0:14:14
* 1
VTY 0
admin
0:00:00
192.168.1.19
2
SSH 1
steve
0:00:06
192.168.1.19
Web Online Users:
Line
Remote IP Addr User Name Idle time (h:m:s)
----------- --------------- --------- -----------------1
HTTP
192.168.1.19
admin
0:00:0
Console#
show version This command displays hardware and software version information for the
system.
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
See "Displaying Hardware/Software Versions" on page 98 for detailed
information on the items displayed by this command.
EXAMPLE
Console#show version
Unit 1
Serial Number
Hardware Version
CPLD Version
Number of Ports
Main Power Status
Role
Loader Version
Linux Kernel Version
Operation Code Version
:
:
:
:
:
:
:
:
:
LN11130371
R0B
0.00
26
Up
Master
0.0.0.1
2.6.22.18
0.0.0.5
Console#
– 532 –
CHAPTER 20 | System Management Commands
Frame Size
FRAME SIZE
This section describes commands used to configure the Ethernet frame size
on the switch.
Table 45: Frame Size Commands
Command
Function
Mode
jumbo frame
Enables support for jumbo frames
GC
jumbo frame This command enables support for Layer 2 jumbo frames for Gigabit
Ethernet ports. Use the no form to disable it.
SYNTAX
[no] jumbo frame
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ This switch provides more efficient throughput for large sequential data
transfers by supporting Layer 2 jumbo frames on Gigabit Ethernet ports
or trunks up to 10240 bytes. Compared to standard Ethernet frames
that run only up to 1.5 KB, using jumbo frames significantly reduces
the per-packet overhead required to process protocol encapsulation
fields.
◆
To use jumbo frames, both the source and destination end nodes (such
as a computer or server) must support this feature. Also, when the
connection is operating at full duplex, all switches in the network
between the two end nodes must be able to accept the extended frame
size. And for half-duplex connections, all devices in the collision domain
would need to support jumbo frames.
◆
The current setting for jumbo frames can be displayed with the show
system command.
EXAMPLE
Console(config)#jumbo frame
Console(config)#
– 533 –
CHAPTER 20 | System Management Commands
File Management
FILE MANAGEMENT
Managing Firmware
Firmware can be uploaded and downloaded to or from an FTP/TFTP server.
By saving runtime code to a file on an FTP/TFTP server, that file can later
be downloaded to the switch to restore operation. The switch can also be
set to use new firmware without overwriting the previous version.
When downloading runtime code, the destination file name can be specified
to replace the current image, or the file can be first downloaded using a
different name from the current runtime code file, and then the new file set
as the startup file.
Saving or Restoring Configuration Settings
Configuration settings can be uploaded and downloaded to and from an
FTP/TFTP server. The configuration file can be later downloaded to restore
switch settings.
The configuration file can be downloaded under a new file name and then
set as the startup file, or the current startup configuration file can be
specified as the destination file to directly replace it. Note that the file
“Factory_Default_Config.cfg” can be copied to the FTP/TFTP server, but
cannot be used as the destination on the switch.
Table 46: Flash/File Commands
Command
Function
Mode
boot system
Specifies the file or image used to start up the system
GC
copy
Copies a code image or a switch configuration to or
from flash memory or an FTP/TFTP server
PE
delete
Deletes a file or code image
PE
dir
Displays a list of files in flash memory
PE
whichboot
Displays the files booted
PE
General Commands
Automatic Code Upgrade Commands
upgrade opcode auto
Automatically upgrades the current image when a new
version is detected on the indicated server
GC
upgrade opcode path
Specifies an FTP/TFTP server and directory in which
the new opcode is stored
GC
show upgrade
Shows the opcode upgrade configuration settings.
PE
– 534 –
CHAPTER 20 | System Management Commands
File Management
General Commands
boot system This command specifies the file or image used to start up the system.
SYNTAX
boot system {boot-rom | config | opcode}: filename
boot-rom* - Boot ROM.
config* - Configuration file.
opcode* - Run-time operation code.
filename - Name of configuration file or code image.
* The colon (:) is required.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ A colon (:) is required after the specified file type.
◆
If the file contains an error, it cannot be set as the default file.
EXAMPLE
Console(config)#boot system config: startup
Console(config)#
RELATED COMMANDS
dir (539)
whichboot (540)
– 535 –
CHAPTER 20 | System Management Commands
File Management
copy This command moves (upload/download) a code image or configuration file
between the switch’s flash memory and an FTP/TFTP server. When you
save the system code or configuration settings to a file on an FTP/TFTP
server, that file can later be downloaded to the switch to restore system
operation. The success of the file transfer depends on the accessibility of
the FTP/TFTP server and the quality of the network connection.
SYNTAX
copy file {file | ftp | running-config | startup-config | tftp}
copy running-config {file | ftp | startup-config | tftp}
copy startup-config {file | ftp | running-config | tftp}
copy tftp {file | https-certificate | public-key |
running-config | startup-config}
file - Keyword that allows you to copy to/from a file.
ftp - Keyword that allows you to copy to/from an FTP server.
https-certificate - Keyword that allows you to copy the HTTPS
secure site certificate.
public-key - Keyword that allows you to copy a SSH key from a
TFTP server. (See "Secure Shell" on page 635.)
running-config - Keyword that allows you to copy to/from the
current running configuration.
startup-config - The configuration used for system initialization.
tftp - Keyword that allows you to copy to/from a TFTP server.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ The system prompts for data required to complete the copy command.
◆
The destination file name should not contain slashes (\ or /), and the
maximum length for file names is 32 characters for files on the switch
or 128 characters for files on the server. (Valid characters: A-Z, a-z,
0-9, “.”, “-”)
◆
The switch supports only two operation code files, but the maximum
number of user-defined configuration files is 16.
◆
You can use “Factory_Default_Config.cfg” as the source to copy from
the factory default configuration file, but you cannot use it as the
destination.
◆
To replace the startup configuration, you must use startup-config as
the destination.
– 536 –
CHAPTER 20 | System Management Commands
File Management
◆
The Boot ROM cannot be uploaded or downloaded from the FTP/TFTP
server. You must follow the instructions in the release notes for new
firmware, or contact your distributor for help.
◆
For information on specifying an https-certificate, see "Replacing the
Default Secure-site Certificate" on page 308. For information on
configuring the switch to use HTTPS for a secure connection, see the ip
http secure-server command.
◆
When logging into an FTP server, the interface prompts for a user name
and password configured on the remote server. Note that “anonymous”
is set as the default user name.
EXAMPLE
The following example shows how to download new firmware from a TFTP
server:
Console#copy tftp file
TFTP server ip address: 10.1.0.19
Choose file type:
1. config; 2. opcode; 3. loader: 2
Source file name: m360.bix
Destination file name: m360.bix
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#
The following example shows how to upload the configuration settings to a
file on the TFTP server:
Console#copy file tftp
Choose file type:
1. config: 2. opcode: 1
Source file name: startup
TFTP server ip address: 10.1.0.99
Destination file name: startup.01
TFTP completed.
Success.
Console#
The following example shows how to copy the running configuration to a
startup file.
Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
– 537 –
CHAPTER 20 | System Management Commands
File Management
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
This example shows how to copy a secure-site certificate from an TFTP
server. It then reboots the switch to activate the certificate:
Console#copy tftp https-certificate
TFTP server ip address: 10.1.0.19
Source certificate file name: SS-certificate
Source private file name: SS-private
Private password: ********
Success.
Console#reload
System will be restarted, continue <y/n>? y
This example shows how to copy a public-key used by SSH from an TFTP
server. Note that public key authentication via SSH is only supported for
users configured locally on the switch.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.19
Choose public key type:
1. RSA: 2. DSA: <1-2>: 1
Source file name: steve.pub
Username: steve
TFTP Download
Success.
Write to FLASH Programming.
Success.
Console#
This example shows how to copy a file to an FTP server.
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
1. config: 2. opcode: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#
– 538 –
CHAPTER 20 | System Management Commands
File Management
delete This command deletes a file or image.
SYNTAX
delete filename
filename - Name of configuration file or code image.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ If the file type is used for system startup, then this file cannot be
deleted.
◆
“Factory_Default_Config.cfg” cannot be deleted.
EXAMPLE
This example shows how to delete the test2.cfg configuration file from
flash memory.
Console#delete test2.cfg
Console#
RELATED COMMANDS
dir (539)
delete public-key (640)
dir This command displays a list of files in flash memory.
SYNTAX
dir {boot-rom: | config: | opcode:} [filename]}
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
opcode - Run-time operation code image file.
filename - Name of configuration file or code image. If this file
exists but contains errors, information on this file cannot be shown.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
– 539 –
CHAPTER 20 | System Management Commands
File Management
COMMAND USAGE
◆ If you enter the command dir without any parameters, the system
displays all files.
File information is shown below:
Table 47: File Directory Information
Column Heading
Description
File Name
The name of the file.
File Type
File types: Boot-Rom, Operation Code, and Config file.
Startup
Shows if this file is used when the system is started.
Create Time
The date and time the file was created.
Size
The length of the file in bytes.
EXAMPLE
The following example shows how to display all file information:
Console#dir
File Name
Type Startup Modify Time
Size(bytes)
-------------------------- -------------- ------- ------------------- --------Unit 1:
ECS4110-24T_Op_V0.0.0.1.bix
OpCode
Y
2012-11-29 01:31:57
11331488
ECS4110-24T_Op_V0.0.0.2.bix
OpCode
N
2012-11-20 12:46:25
11331488
Factory_Default_Config.cfg
Config
N
2010-04-02 11:20:49
509
startup1.cfg
Config
Y
2010-06-30 05:48:16
3484
----------------------------------------------------------------------------Free space for compressed user config files:
745472
Used space : 32751616
Total space : 33554432
Console#
whichboot This command displays which files were booted when the system powered
up.
SYNTAX
whichboot
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
– 540 –
CHAPTER 20 | System Management Commands
File Management
EXAMPLE
This example shows the information displayed by the whichboot
command. See the table under the dir command for a description of the
file information displayed by this command.
Console#whichboot
File Name
Type Startup Modify Time
Size(bytes)
-------------------------------- ------- ------- ------------------- ---------Unit 1:
ECS4110-24T_Op_V0.0.0.1.bix
OpCode
Y
2012-11-29 01:31:57
11331488
startup1.cfg
Config
Y
2010-06-30 05:48:16
3484
Console#
Automatic Code Upgrade Commands
upgrade opcode This command automatically upgrades the current operational code when a
auto new version is detected on the server indicated by the upgrade opcode
path command. Use the no form of this command to restore the default
setting.
SYNTAX
[no] upgrade opcode auto
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ This command is used to enable or disable automatic upgrade of the
operational code. When the switch starts up and automatic image
upgrade is enabled by this command, the switch will follow these steps
when it boots up:
1. It will search for a new version of the image at the location specified
by upgrade opcode path command. The name for the new image
stored on the TFTP server must be ECS4110-24T_Op.bix9. If the
switch detects a code version newer than the one currently in use, it
will download the new image. If two code images are already stored
in the switch, the image not set to start up the system will be
overwritten by the new version.
2. After the image has been downloaded, the switch will send a trap
message to log whether or not the upgrade operation was
successful.
3. It sets the new version as the startup image.
9.
This filename uses 24T. However, it supports a series of 24, 26 and 28-port switches.
– 541 –
CHAPTER 20 | System Management Commands
File Management
4. It then restarts the system to start using the new image.
◆
Any changes made to the default setting can be displayed with the
show running-config or show startup-config commands.
EXAMPLE
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
If a new image is found at the specified location, the following type of
messages will be displayed during bootup.
.
.
.
Automatic Upgrade is looking for a new image
New image detected: current version 1.0.1.5; new version 1.1.2.0
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
.
.
.
upgrade opcode This command specifies an TFTP server and directory in which the new
path opcode is stored. Use the no form of this command to clear the current
setting.
SYNTAX
upgrade opcode path opcode-dir-url
no upgrade opcode path
opcode-dir-url - The location of the new code.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ This command is used in conjunction with the upgrade opcode auto
command to facilitate automatic upgrade of new operational code
stored at the location indicated by this command.
– 542 –
CHAPTER 20 | System Management Commands
File Management
◆
The name for the new image stored on the TFTP server must be
ECS4110-24T_Op.bix10. However, note that file name is not to be
included in this command.
◆
When specifying a TFTP server, the following syntax must be used,
where filedir indicates the path to the directory containing the new
image:
tftp://192.168.0.1[/filedir]/
◆
When specifying an FTP server, the following syntax must be used,
where filedir indicates the path to the directory containing the new
image:
ftp://[username[:password@]]192.168.0.1[/filedir]/
If the user name is omitted, “anonymous” will be used for the
connection. If the password is omitted a null string (“”) will be used for
the connection.
EXAMPLE
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
This shows how to specify an FTP server where new code is stored.
Console(config)#upgrade opcode path ftp://admin:billy@192.168.0.1/sm24/
Console(config)#
show upgrade This command shows the opcode upgrade configuration settings.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show upgrade
Auto Image Upgrade Global Settings:
Status
: Disabled
Path
:
File Name : ECS4110-24T_Op.bix
Console#
10. This filename uses 24T. However, it supports a series of 24, 26 and 28-port switches.
– 543 –
CHAPTER 20 | System Management Commands
Line
LINE
You can access the onboard configuration program by attaching a VT100
compatible device to the server’s serial port. These commands are used to
set communication parameters for the serial port or Telnet (i.e., a virtual
terminal).
Table 48: Line Commands
Command
Function
Mode
line
Identifies a specific line for configuration and starts the GC
line configuration mode
accounting exec
Applies an accounting method to local console, Telnet
or SSH connections
LC
authorization exec
Applies an authorization method to local console,
Telnet or SSH connections
LC
databits*
Sets the number of data bits per character that are
interpreted and generated by hardware
LC
exec-timeout
Sets the interval that the command interpreter waits
until user input is detected
LC
login
Enables password checking at login
LC
parity*
Defines the generation of a parity bit
LC
password
Specifies a password on a line
LC
password-thresh
Sets the password intrusion threshold, which limits the
number of failed logon attempts
LC
silent-time*
Sets the amount of time the management console is
inaccessible after the number of unsuccessful logon
attempts exceeds the threshold set by the passwordthresh command
LC
speed*
Sets the terminal baud rate
LC
stopbits*
Sets the number of the stop bits transmitted per byte
LC
timeout login response
Sets the interval that the system waits for a login
attempt
LC
disconnect
Terminates a line connection
PE
terminal
Configures terminal settings, including escapecharacter, line length, terminal type, and width
PE
show line
Displays a terminal line's parameters
NE, PE
* These commands only apply to the serial port.
line This command identifies a specific line for configuration, and to process
subsequent line configuration commands.
SYNTAX
line {console | vty}
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
– 544 –
CHAPTER 20 | System Management Commands
Line
DEFAULT SETTING
There is no default line.
COMMAND MODE
Global Configuration
COMMAND USAGE
Telnet is considered a virtual terminal connection and will be shown as
“VTY” in screen displays such as show users. However, the serial
communication parameters (e.g., databits) do not affect Telnet
connections.
EXAMPLE
To enter console line mode, enter the following command:
Console(config)#line console
Console(config-line)#
RELATED COMMANDS
show line (554)
show users (531)
databits This command sets the number of data bits per character that are
interpreted and generated by the console port. Use the no form to restore
the default value.
SYNTAX
databits {7 | 8}
no databits
7 - Seven data bits per character.
8 - Eight data bits per character.
DEFAULT SETTING
8 data bits per character
COMMAND MODE
Line Configuration
COMMAND USAGE
The databits command can be used to mask the high bit on input from
devices that generate 7 data bits with parity. If parity is being generated,
specify 7 data bits per character. If no parity is required, specify 8 data bits
per character.
– 545 –
CHAPTER 20 | System Management Commands
Line
EXAMPLE
To specify 7 data bits, enter this command:
Console(config-line)#databits 7
Console(config-line)#
RELATED COMMANDS
parity (548)
exec-timeout This command sets the interval that the system waits until user input is
detected. Use the no form to restore the default.
SYNTAX
exec-timeout [seconds]
no exec-timeout
seconds - Integer that specifies the timeout interval.
(Range: 0 - 65535 seconds; 0: no timeout)
DEFAULT SETTING
CLI: No timeout
Telnet: 10 minutes
COMMAND MODE
Line Configuration
COMMAND USAGE
◆ If user input is detected within the timeout interval, the session is kept
open; otherwise the session is terminated.
◆
This command applies to both the local console and Telnet connections.
◆
The timeout for Telnet cannot be disabled.
◆
Using the command without specifying a timeout restores the default
setting.
EXAMPLE
To set the timeout to two minutes, enter this command:
Console(config-line)#exec-timeout 120
Console(config-line)#
– 546 –
CHAPTER 20 | System Management Commands
Line
login This command enables password checking at login. Use the no form to
disable password checking and allow connections without a password.
SYNTAX
login [local]
no login
local - Selects local password checking. Authentication is based on
the user name specified with the username command.
DEFAULT SETTING
login local
COMMAND MODE
Line Configuration
COMMAND USAGE
◆ There are three authentication modes provided by the switch itself at
login:
■
■
■
◆
login selects authentication by a single global password as
specified by the password line configuration command. When using
this method, the management interface starts in Normal Exec (NE)
mode.
login local selects authentication via the user name and password
specified by the username command (i.e., default setting). When
using this method, the management interface starts in Normal Exec
(NE) or Privileged Exec (PE) mode, depending on the user’s
privilege level (0 or 15 respectively).
no login selects no authentication. When using this method, the
management interface starts in Normal Exec (NE) mode.
This command controls login authentication via the switch itself. To
configure user names and passwords for remote authentication
servers, you must use the RADIUS or TACACS software installed on
those servers.
EXAMPLE
Console(config-line)#login local
Console(config-line)#
RELATED COMMANDS
username (611)
password (548)
– 547 –
CHAPTER 20 | System Management Commands
Line
parity This command defines the generation of a parity bit. Use the no form to
restore the default setting.
SYNTAX
parity {none | even | odd}
no parity
none - No parity
even - Even parity
odd - Odd parity
DEFAULT SETTING
No parity
COMMAND MODE
Line Configuration
COMMAND USAGE
Communication protocols provided by devices such as terminals and
modems often require a specific parity bit setting.
EXAMPLE
To specify no parity, enter this command:
Console(config-line)#parity none
Console(config-line)#
password This command specifies the password for a line. Use the no form to
remove the password.
SYNTAX
password {0 | 7} password
no password
{0 | 7} - 0 means plain password, 7 means encrypted password
password - Character string that specifies the line password.
(Maximum length: 32 characters plain text or encrypted, case
sensitive)
DEFAULT SETTING
No password is specified.
COMMAND MODE
Line Configuration
– 548 –
CHAPTER 20 | System Management Commands
Line
COMMAND USAGE
◆ When a connection is started on a line with password protection, the
system prompts for the password. If you enter the correct password,
the system shows a prompt. You can use the password-thresh
command to set the number of times a user can enter an incorrect
password before the system terminates the line connection and returns
the terminal to the idle state.
◆
The encrypted password is required for compatibility with legacy
password settings (i.e., plain text or encrypted) when reading the
configuration file during system bootup or when downloading the
configuration file from a TFTP server. There is no need for you to
manually configure encrypted passwords.
EXAMPLE
Console(config-line)#password 0 secret
Console(config-line)#
RELATED COMMANDS
login (547)
password-thresh (549)
password-thresh This command sets the password intrusion threshold which limits the
number of failed logon attempts. Use the no form to remove the threshold
value.
SYNTAX
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts.
(Range: 1-120; 0: no threshold)
DEFAULT SETTING
The default value is three attempts.
COMMAND MODE
Line Configuration
COMMAND USAGE
When the logon attempt threshold is reached, the system interface
becomes silent for a specified amount of time before allowing the next
logon attempt. (Use the silent-time command to set this interval.) When
this threshold is reached for Telnet, the Telnet logon interface shuts down.
– 549 –
CHAPTER 20 | System Management Commands
Line
EXAMPLE
To set the password threshold to five attempts, enter this command:
Console(config-line)#password-thresh 5
Console(config-line)#
RELATED COMMANDS
silent-time (550)
silent-time This command sets the amount of time the management console is
inaccessible after the number of unsuccessful logon attempts exceeds the
threshold set by the password-thresh command. Use the no form to
remove the silent time value.
SYNTAX
silent-time [seconds]
no silent-time
seconds - The number of seconds to disable console response.
(Range: 0-65535; where 0 means disabled)
DEFAULT SETTING
30 seconds
COMMAND MODE
Line Configuration
EXAMPLE
To set the silent time to 60 seconds, enter this command:
Console(config-line)#silent-time 60
Console(config-line)#
RELATED COMMANDS
password-thresh (549)
speed This command sets the terminal line’s baud rate. This command sets both
the transmit (to terminal) and receive (from terminal) speeds. Use the no
form to restore the default setting.
SYNTAX
speed bps
no speed
bps - Baud rate in bits per second.
(Options: 9600, 19200, 38400, 57600, 115200 bps, or auto)
– 550 –
CHAPTER 20 | System Management Commands
Line
DEFAULT SETTING
auto
COMMAND MODE
Line Configuration
COMMAND USAGE
Set the speed to match the baud rate of the device connected to the serial
port. Some baud rates available on devices connected to the port might not
be supported. The system indicates if the speed you selected is not
supported. If you select the “auto” option, the switch will automatically
detect the baud rate configured on the attached terminal, and adjust the
speed accordingly.
NOTE: Due to a hardware limitation, the terminal program connected to the
console port must be set to 8 data bits when using auto baud rate
detection.
EXAMPLE
To specify 57600 bps, enter this command:
Console(config-line)#speed 57600
Console(config-line)#
stopbits This command sets the number of the stop bits transmitted per byte. Use
the no form to restore the default setting.
SYNTAX
stopbits {1 | 2}
no stopbits
1 - One stop bit
2 - Two stop bits
DEFAULT SETTING
1 stop bit
COMMAND MODE
Line Configuration
EXAMPLE
To specify 2 stop bits, enter this command:
Console(config-line)#stopbits 2
Console(config-line)#
– 551 –
CHAPTER 20 | System Management Commands
Line
timeout login This command sets the interval that the system waits for a user to log into
response the CLI. Use the no form to restore the default setting.
SYNTAX
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.
(Range: 0 - 300 seconds for CLI. 1 - 300 seconds for Telnet)
DEFAULT SETTING
CLI: Disabled (0 seconds)
Telnet: 300 seconds
COMMAND MODE
Line Configuration
COMMAND USAGE
◆ If a login attempt is not detected within the timeout interval, the
connection is terminated for the session.
◆
This command applies to both the local console and Telnet connections.
◆
The timeout for Telnet cannot be disabled.
◆
Using the command without specifying a timeout restores the default
setting.
EXAMPLE
To set the timeout to two minutes, enter this command:
Console(config-line)#timeout login response 120
Console(config-line)#
disconnect This command terminates an SSH, Telnet, or console connection.
SYNTAX
disconnect session-id
session-id – The session identifier for an SSH, Telnet or console
connection. (Range: 0-4)
COMMAND MODE
Privileged Exec
COMMAND USAGE
Specifying session identifier “0” will disconnect the console connection.
Specifying any other identifiers for an active session will disconnect an SSH
or Telnet connection.
– 552 –
CHAPTER 20 | System Management Commands
Line
EXAMPLE
Console#disconnect 1
Console#
RELATED COMMANDS
show ssh (644)
show users (531)
terminal This command configures terminal settings, including escape-character,
lines displayed, terminal type, width, and command history. Use the no
form with the appropriate keyword to restore the default setting.
SYNTAX
terminal {escape-character {ASCII-number | character} |
history [size size] | length length | terminal-type {ansi-bbs |
vt-100 | vt-102} | width width}
escape-character - The keyboard character used to escape from
current line input.
ASCII-number - ASCII decimal equivalent. (Range: 0-255)
character - Any valid keyboard character.
history - The number of lines stored in the command buffer, and
recalled using the arrow keys. (Range: 0-256)
length - The number of lines displayed on the screen.
(Range: 0-512, where 0 means not to pause)
terminal-type - The type of terminal emulation used.
ansi-bbs - ANSI-BBS
vt-100 - VT-100
vt-102 - VT-102
width - The number of character columns displayed on the
terminal. (Range: 0-80)
DEFAULT SETTING
Escape Character: 27 (ASCII-number)
History: 10
Length: 24
Terminal Type: VT100
Width: 80
COMMAND MODE
Privileged Exec
– 553 –
CHAPTER 20 | System Management Commands
Line
EXAMPLE
This example sets the number of lines displayed by commands with lengthy
output such as show running-config to 48 lines.
Console#terminal length 48
Console#
show line This command displays the terminal line’s parameters.
SYNTAX
show line [console | vty]
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
DEFAULT SETTING
Shows all lines
COMMAND MODE
Normal Exec, Privileged Exec
EXAMPLE
To show all lines, enter this command:
Console#show line
Console Configuration:
Password Threshold : 3 times
Inactive Timeout
: Disabled
Login Timeout
: Disabled
Silent Time
: 30 sec.
Baud Rate
: 115200
Data Bits
: 8
Parity
: None
Stop Bits
: 1
VTY Configuration:
Password Threshold : 3 times
Inactive Timeout
: 600 sec.
Login Timeout
: 300 sec.
Silent Time
: 30 sec.
Console#
– 554 –
CHAPTER 20 | System Management Commands
Event Logging
EVENT LOGGING
This section describes commands used to configure event logging on the
switch.
Table 49: Event Logging Commands
Command
Function
Mode
logging facility
Sets the facility type for remote logging of syslog
messages
GC
logging history
Limits syslog messages saved to switch memory based GC
on severity
logging host
Adds a syslog server host IP address that will receive
logging messages
GC
logging on
Controls logging of error messages
GC
logging trap
Limits syslog messages saved to a remote server
based on severity
GC
clear log
Clears messages from the logging buffer
PE
show log
Displays log messages
PE
show logging
Displays the state of logging
PE
logging facility This command sets the facility type for remote logging of syslog messages.
Use the no form to return the type to the default.
SYNTAX
logging facility type
no logging facility
type - A number that indicates the facility used by the syslog server
to dispatch log messages to an appropriate service. (Range: 16-23)
DEFAULT SETTING
23
COMMAND MODE
Global Configuration
COMMAND USAGE
The command specifies the facility type tag sent in syslog messages. (See
RFC 3164.) This type has no effect on the kind of messages reported by
the switch. However, it may be used by the syslog server to sort messages
or to store messages in the corresponding database.
EXAMPLE
Console(config)#logging facility 19
Console(config)#
– 555 –
CHAPTER 20 | System Management Commands
Event Logging
logging history This command limits syslog messages saved to switch memory based on
severity. The no form returns the logging of syslog messages to the default
level.
SYNTAX
logging history {flash | ram} level
no logging history {flash | ram}
flash - Event history stored in flash memory (i.e., permanent
memory).
ram - Event history stored in temporary RAM (i.e., memory flushed
on power reset).
level - One of the levels listed below. Messages sent include the
selected level down to level 0. (Range: 0-7)
Table 50: Logging Levels
Level
Severity Name
Description
7
debugging
Debugging messages
6
informational
Informational messages only
5
notifications
Normal but significant condition, such as cold start
4
warnings
Warning conditions (e.g., return false, unexpected
return)
3
errors
Error conditions (e.g., invalid input, default used)
2
critical
Critical conditions (e.g., memory allocation, or free
memory error - resource exhausted)
1
alerts
Immediate action needed
0
emergencies
System unusable
DEFAULT SETTING
Flash: errors (level 3 - 0)
RAM: debugging (level 7 - 0)
COMMAND MODE
Global Configuration
COMMAND USAGE
The message level specified for flash memory must be a higher priority
(i.e., numerically lower) than that specified for RAM.
EXAMPLE
Console(config)#logging history ram 0
Console(config)#
– 556 –
CHAPTER 20 | System Management Commands
Event Logging
logging host This command adds a syslog server host IP address that will receive
logging messages. Use the no form to remove a syslog server host.
SYNTAX
[no] logging host host-ip-address
host-ip-address - The IPv4 or IPv6 address of a syslog server.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Use this command more than once to build up a list of host IP
addresses.
◆
The maximum number of host IP addresses allowed is five.
EXAMPLE
Console(config)#logging host 10.1.0.3
Console(config)#
logging on This command controls logging of error messages, sending debug or error
messages to a logging process. The no form disables the logging process.
SYNTAX
[no] logging on
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
The logging process controls error messages saved to switch memory or
sent to remote syslog servers. You can use the logging history command to
control the type of error messages that are stored in memory. You can use
the logging trap command to control the type of error messages that are
sent to specified syslog servers.
EXAMPLE
Console(config)#logging on
Console(config)#
– 557 –
CHAPTER 20 | System Management Commands
Event Logging
RELATED COMMANDS
logging history (556)
logging trap (558)
clear log (558)
logging trap This command enables the logging of system messages to a remote server,
or limits the syslog messages saved to a remote server based on severity.
Use this command without a specified level to enable remote logging. Use
the no form to disable remote logging.
SYNTAX
logging trap [level level]
no logging trap [level]
level - One of the syslog severity levels listed in the table on
page 556. Messages sent include the selected level through level 0.
DEFAULT SETTING
Disabled
Level 7
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Using this command with a specified level enables remote logging and
sets the minimum severity level to be saved.
◆
Using this command without a specified level also enables remote
logging, but restores the minimum severity level to the default.
EXAMPLE
Console(config)#logging trap 4
Console(config)#
clear log This command clears messages from the log buffer.
SYNTAX
clear log [flash | ram]
flash - Event history stored in flash memory (i.e., permanent
memory).
ram - Event history stored in temporary RAM (i.e., memory flushed
on power reset).
DEFAULT SETTING
Flash and RAM
– 558 –
CHAPTER 20 | System Management Commands
Event Logging
COMMAND MODE
Privileged Exec
EXAMPLE
Console#clear log
Console#
RELATED COMMANDS
show log (559)
show log This command displays the log messages stored in local memory.
SYNTAX
show log {flash | ram}
flash - Event history stored in flash memory (i.e., permanent
memory).
ram - Event history stored in temporary RAM (i.e., memory flushed
on power reset).
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ All log messages are retained in RAM and Flash after a warm restart
(i.e., power is reset through the command interface).
◆
All log messages are retained in Flash and purged from RAM after a
cold restart (i.e., power is turned off and then on through the power
source).
EXAMPLE
The following example shows the event message stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01
"VLAN 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01
"Unit 1, Port 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
Console#
– 559 –
CHAPTER 20 | System Management Commands
Event Logging
show logging This command displays the configuration settings for logging messages to
local switch memory, to an SMTP event handler, or to a remote syslog
server.
SYNTAX
show logging {flash | ram | sendmail | trap}
flash - Displays settings for storing event messages in flash
memory (i.e., permanent memory).
ram - Displays settings for storing event messages in temporary
RAM (i.e., memory flushed on power reset).
sendmail - Displays settings for the SMTP event handler
(page 564).
trap - Displays settings for the trap function.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
The following example shows that system logging is enabled, the message
level for flash memory is “errors” (i.e., default level 3 - 0), and the
message level for RAM is “debugging” (i.e., default level 7 - 0).
Console#show logging flash
Syslog logging:
Enabled
History logging in FLASH: level errors
Console#show logging ram
Syslog logging:
Enabled
History logging in RAM: level debugging
Console#
Table 51: show logging flash/ram - display description
Field
Description
Syslog logging
Shows if system logging has been enabled via the logging on
command.
History logging in FLASH
The message level(s) reported based on the logging history
command.
History logging in RAM
The message level(s) reported based on the logging history
command.
The following example displays settings for the trap function.
Console#show logging trap
Remote Log Status
Remote Log Facility Type
Remote Log Level Type
– 560 –
: Enabled
: Local use 7
: Debugging messages
CHAPTER 20 | System Management Commands
SMTP Alerts
Remote
Remote
Remote
Remote
Remote
Log
Log
Log
Log
Log
Server
Server
Server
Server
Server
IP
IP
IP
IP
IP
Address
Address
Address
Address
Address
:
:
:
:
:
1.2.3.4
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
Console#
Table 52: show logging trap - display description
Field
Description
Remote Log Status
Shows if remote logging has been enabled via the logging trap
command.
Remote Log Facility Type
The facility type for remote logging of syslog messages as
specified in the logging facility command.
Remote Log Level Type
The severity threshold for syslog messages sent to a remote
server as specified in the logging trap command.
Remote Log Server IP
Address
The address of syslog servers as specified in the logging host
command.
RELATED COMMANDS
show logging sendmail (564)
SMTP ALERTS
These commands configure SMTP event handling, and forwarding of alert
messages to the specified SMTP servers and email recipients.
Table 53: Event Logging Commands
Command
Function
Mode
logging sendmail
Enables SMTP event handling
GC
logging sendmail host
SMTP servers to receive alert messages
GC
logging sendmail level
Severity threshold used to trigger alert messages
GC
logging sendmail
destination-email
Email recipients of alert messages
GC
logging sendmail sourceemail
Email address used for “From” field of alert messages GC
show logging sendmail
Displays SMTP event handler settings
NE, PE
logging sendmail This command enables SMTP event handling. Use the no form to disable
this function.
SYNTAX
[no] logging sendmail
DEFAULT SETTING
Enabled
– 561 –
CHAPTER 20 | System Management Commands
SMTP Alerts
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#logging sendmail
Console(config)#
logging sendmail This command specifies SMTP servers that will be sent alert messages. Use
host the no form to remove an SMTP server.
SYNTAX
[no] logging sendmail host host [username username password
password auth-basic]
host - IP address or alias of an SMTP server that will be sent alert
messages for event handling.
username - Name of SMTP server user. (Range: 1-8 characters)
password - Password of SMTP server user. (Range: 1-8 characters)
auth-basic - Indicates that Base 64 encoding is used.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ You can specify up to three SMTP servers for event handing. However,
you must enter a separate command to specify each server.
◆
To send email alerts, the switch first opens a connection, sends all the
email alerts waiting in the queue one by one, and finally closes the
connection.
◆
To open a connection, the switch first selects the server that
successfully sent mail during the last connection, or the first server
configured by this command. If it fails to send mail, the switch selects
the next server in the list and tries to send mail again. If it still fails, the
system will repeat the process at a periodic interval. (A trap will be
triggered if the switch cannot successfully open a connection.)
EXAMPLE
Console(config)#logging sendmail host 192.168.1.19
Console(config)#
– 562 –
CHAPTER 20 | System Management Commands
SMTP Alerts
logging sendmail This command sets the severity threshold used to trigger alert messages.
level Use the no form to restore the default setting.
SYNTAX
logging sendmail level level
no logging sendmail level
level - One of the system message levels (page 556). Messages
sent include the selected level down to level 0. (Range: 0-7;
Default: 7)
DEFAULT SETTING
Level 7
COMMAND MODE
Global Configuration
COMMAND USAGE
The specified level indicates an event threshold. All events at this level or
higher will be sent to the configured email recipients. (For example, using
Level 7 will report all events from level 7 to level 0.)
EXAMPLE
This example will send email alerts for system errors from level 3 through
0.
Console(config)#logging sendmail level 3
Console(config)#
logging sendmail This command specifies the email recipients of alert messages. Use the no
destination-email form to remove a recipient.
SYNTAX
[no] logging sendmail destination-email email-address
email-address - The source email address used in alert messages.
(Range: 1-41 characters)
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
You can specify up to five recipients for alert messages. However, you must
enter a separate command to specify each recipient.
– 563 –
CHAPTER 20 | System Management Commands
SMTP Alerts
EXAMPLE
Console(config)#logging sendmail destination-email ted@this-company.com
Console(config)#
logging sendmail This command sets the email address used for the “From” field in alert
source-email messages. Use the no form to restore the default value.
SYNTAX
logging sendmail source-email email-address
no logging sendmail source-email
email-address - The source email address used in alert messages.
(Range: 1-41 characters)
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
You may use an symbolic email address that identifies the switch, or the
address of an administrator responsible for the switch.
EXAMPLE
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#
show logging This command displays the settings for the SMTP event handler.
sendmail
COMMAND MODE
Normal Exec, Privileged Exec
EXAMPLE
Console#show logging sendmail
SMTP servers
----------------------------------------------192.168.1.19
SMTP Minimum Severity Level: 7
SMTP destination email addresses
----------------------------------------------ted@this-company.com
SMTP Source Email Address: bill@this-company.com
– 564 –
CHAPTER 20 | System Management Commands
Time
SMTP Status: Enabled
Console#
TIME
The system clock can be dynamically set by polling a set of specified time
servers (NTP or SNTP). Maintaining an accurate time on the switch enables
the system log to record meaningful dates and times for event entries. If
the clock is not set, the switch will only record the time from the factory
default set at the last bootup.
Table 54: Time Commands
Command
Function
Mode
sntp client
Accepts time from specified time servers
GC
sntp poll
Sets the interval at which the client polls for time
GC
sntp server
Specifies one or more time servers
GC
show sntp
Shows current SNTP configuration settings
NE, PE
SNTP Commands
Manual Configuration Commands
clock summer-time
Configures summer time* for the switch’s internal
clock
GC
clock timezone
Sets the time zone for the switch’s internal clock
GC
clock timezonepredefined
Sets the time zone for the switch’s internal clock using
predefined time zone configurations
GC
calendar set
Sets the system date and time
PE
show calendar
Displays the current date and time setting
NE, PE
* Daylight savings time.
SNTP Commands
sntp client This command enables SNTP client requests for time synchronization from
NTP or SNTP time servers specified with the sntp server command. Use the
no form to disable SNTP client requests.
SYNTAX
[no] sntp client
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
– 565 –
CHAPTER 20 | System Management Commands
Time
COMMAND USAGE
◆ The time acquired from time servers is used to record accurate dates
and times for log events. Without SNTP, the switch only records the
time starting from the factory default set at the last bootup (i.e.,
00:00:00, Jan. 1, 2001).
◆
This command enables client time requests to time servers specified via
the sntp server command. It issues time synchronization requests
based on the interval set via the sntp poll command.
EXAMPLE
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current Time: Dec 23 02:52:44 2002
Poll Interval: 60
Current Mode: unicast
SNTP Status : Enabled
SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0
Current Server: 137.92.140.80
Console#
RELATED COMMANDS
sntp server (567)
sntp poll (566)
show sntp (567)
sntp poll This command sets the interval between sending time requests when the
switch is set to SNTP client mode. Use the no form to restore to the
default.
SYNTAX
sntp poll seconds
no sntp poll
seconds - Interval between time requests.
(Range: 16-16384 seconds)
DEFAULT SETTING
16 seconds
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#sntp poll 60
Console#
– 566 –
CHAPTER 20 | System Management Commands
Time
RELATED COMMANDS
sntp client (565)
sntp server This command sets the IP address of the servers to which SNTP time
requests are issued. Use the this command with no arguments to clear all
time servers from the current list. Use the no form to clear all time servers
from the current list, or to clear a specific server.
SYNTAX
sntp server [ip1 [ip2 [ip3]]]
no sntp server [ip1 [ip2 [ip3]]]
ip - IP address of an time server (NTP or SNTP).
(Range: 1 - 3 addresses)
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
This command specifies time servers from which the switch will poll for
time updates when set to SNTP client mode. The client will poll the time
servers in the order specified until a response is received. It issues time
synchronization requests based on the interval set via the sntp poll
command.
EXAMPLE
Console(config)#sntp server 10.1.0.19
Console#
RELATED COMMANDS
sntp client (565)
sntp poll (566)
show sntp (567)
show sntp This command displays the current time and configuration settings for the
SNTP client, and indicates whether or not the local time has been properly
updated.
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
This command displays the current time, the poll interval used for sending
time synchronization requests, and the current SNTP mode (i.e., unicast).
– 567 –
CHAPTER 20 | System Management Commands
Time
EXAMPLE
Console#show sntp
Current Time
: Nov 5 18:51:22 2006
Poll Interval : 16 seconds
Current Mode
: Unicast
SNTP Status
: Enabled
SNTP Server
: 137.92.140.80 0.0.0.0 0.0.0.0
Current Server : 137.92.140.80
Console#
Manual Configuration Commands
clock summer-time This command sets the start, end, and offset times of summer time
(daylight savings time) for the switch on a one-time basis. Use the no form
to disable summer time.
SYNTAX
clock summer-time name date b-date b-month b-year b-hour
b-minute e-date e-month e-year e-hour e-minute [offset]
no clock summer-time
name - Name of the time zone while summer time is in effect,
usually an acronym. (Range: 1-30 characters)
b-date - Day of the month when summer time will begin.
(Range: 1-31)
b-month - The month when summer time will begin.
(Options: january | february | march | april | may | june | july
| august | september | october | november | december)
b-year- The year summer time will begin.
b-hour - The hour summer time will begin. (Range: 0-23 hours)
b-minute - The minute summer time will begin. (Range: 0-59
minutes)
e-date - Day of the month when summer time will end.
(Range: 1-31)
e-month - The month when summer time will end.
(Options: january | february | march | april | may | june |
july | august | september | october | november | december)
e-year - The year summer time will end.
e-hour - The hour summer time will end. (Range: 0-23 hours)
e-minute - The minute summer time will end. (Range: 0-59
minutes)
offset - Summer time offset from the regular time zone, in minutes.
(Range: 0-99 minutes)
DEFAULT SETTING
Disabled
– 568 –
CHAPTER 20 | System Management Commands
Time
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ In some countries or regions, clocks are adjusted through the summer
months so that afternoons have more daylight and mornings have less.
This is known as Summer Time, or Daylight Savings Time (DST).
Typically, clocks are adjusted forward one hour at the start of spring
and then adjusted backward in autumn.
◆
This command sets the summer-time zone relative to the currently
configured time zone. To specify a time corresponding to your local
time when summer time is in effect, you must indicate the number of
minutes your summer-time zone deviates from your regular time zone.
EXAMPLE
Console(config)#clock summer-time DEST date april 1 2007 23 23 april 23 2007
23 23 60
Console(config)#
RELATED COMMANDS
show sntp (567)
clock timezone This command sets the time zone for the switch’s internal clock.
SYNTAX
clock timezone name hour hours minute minutes
{before-utc | after-utc}
name - Name of timezone, usually an acronym. (Range: 1-30
characters)
hours - Number of hours before/after UTC. (Range: 0-12 hours
before UTC, 0-13 hours after UTC)
minutes - Number of minutes before/after UTC. (Range: 0-59
minutes)
before-utc - Sets the local time zone before (east) of UTC.
after-utc - Sets the local time zone after (west) of UTC.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
This command sets the local time zone relative to the Coordinated
Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on
the earth’s prime meridian, zero degrees longitude. To display a time
– 569 –
CHAPTER 20 | System Management Commands
Time
corresponding to your local time, you must indicate the number of hours
and minutes your time zone is east (before) or west (after) of UTC.
EXAMPLE
Console(config)#clock timezone Japan hours 8 minute 0 after-UTC
Console(config)#
RELATED COMMANDS
show sntp (567)
clock timezone- This command uses predefined time zone configurations to set the time
predefined zone for the switch’s internal clock. Use the no form to restore the default.
SYNTAX
clock timezone-predefined offset-city
no clock timezone-predefined
offset - Select the offset from GMT. (Range: GMT-0100 - GMT-1200;
GMT-Greenwich-Mean-Time; GMT+0100 - GMT+1300)
city - Select the city associated with the chosen GMT offset. After
the offset has been entered, use the tab-complete function to
display the available city options.
DEFAULT SETTING
GMT-Greenwich-Mean-Time-Dublin,Edinburgh,Lisbon,London
COMMAND MODE
Global Configuration
COMMAND USAGE
This command sets the local time zone relative to the Coordinated
Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on
the earth’s prime meridian, zero degrees longitude. To display a time
corresponding to your local time, you must indicate the number of hours
and minutes your time zone is east (before) or west (after) of UTC.
EXAMPLE
Console(config)#clock timezone-predefined GMT-0930-Taiohae
Console(config)#
RELATED COMMANDS
show sntp (567)
– 570 –
CHAPTER 20 | System Management Commands
Time
calendar set This command sets the system clock. It may be used if there is no time
server on your network, or if you have not configured the switch to receive
signals from a time server.
SYNTAX
calendar set hour min sec {day month year | month day year}
hour - Hour in 24-hour format. (Range: 0 - 23)
min - Minute. (Range: 0 - 59)
sec - Second. (Range: 0 - 59)
day - Day of month. (Range: 1 - 31)
month - january | february | march | april | may | june | july |
august | september | october | november | december
year - Year (4-digit). (Range: 1970-2037)
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
Note that when SNTP is enabled, the system clock cannot be manually
configured.
EXAMPLE
This example shows how to set the system clock to 15:12:34, February
1st, 2012.
Console#calendar set 15:12:34 1 February 2012
Console#
show calendar This command displays the system clock.
DEFAULT SETTING
None
COMMAND MODE
Normal Exec, Privileged Exec
EXAMPLE
Console#show calendar
Current Time
: Nov 20 13:05:50 2012
Time Zone
: GMT-Greenwich-Mean-TimeDublin,Edinburgh,Lisbon,London
Summer Time
: Not configured
– 571 –
CHAPTER 20 | System Management Commands
Time Range
Summer Time in Effect : No
Console#
TIME RANGE
This section describes the commands used to sets a time range for use by
other functions, such as Access Control Lists.
Table 55: Time Range Commands
Command
Function
Mode
time-range
Specifies the name of a time range, and enters time
range configuration mode
GC
absolute
Sets the time range for the execution of a command
TR
periodic
Sets the time range for the periodic execution of a
command
TR
show time-range
Shows configured time ranges.
PE
time-range This command specifies the name of a time range, and enters time range
configuration mode. Use the no form to remove a previously specified time
range.
SYNTAX
[no] time-range name
name - Name of the time range. (Range: 1-16 characters)
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
This command sets a time range for use by other functions, such as Access
Control Lists.
EXAMPLE
Console(config)#time-range r&d
Console(config-time-range)#
RELATED COMMANDS
Access Control Lists (711)
– 572 –
CHAPTER 20 | System Management Commands
Time Range
absolute This command sets the time range for the execution of a command. Use
the no form to remove a previously specified time.
SYNTAX
absolute start hour minute day month year
[end hour minutes day month year]
absolute end hour minutes day month year
no absolute
hour - Hour in 24-hour format. (Range: 0-23)
minute - Minute. (Range: 0-59)
day - Day of month. (Range: 1-31)
month - january | february | march | april | may | june | july |
august | september | october | november | december
year - Year (4-digit). (Range: 2009-2109)
DEFAULT SETTING
None
COMMAND MODE
Time Range Configuration
COMMAND USAGE
◆ If a time range is already configured, you must use the no form of this
command to remove the current entry prior to configuring a new time
range.
◆
If both an absolute rule and one or more periodic rules are configured
for the same time range (i.e., named entry), that entry will only take
effect if the current time is within the absolute time range and one of
the periodic time ranges.
EXAMPLE
This example configures the time for the single occurrence of an event.
Console(config)#time-range r&d
Console(config-time-range)#absolute start 1 1 1 april 2009 end 2 1 1 april
2009
Console(config-time-range)#
– 573 –
CHAPTER 20 | System Management Commands
Time Range
periodic This command sets the time range for the periodic execution of a
command. Use the no form to remove a previously specified time range.
SYNTAX
[no] periodic {daily | friday | monday | saturday | sunday |
thursday | tuesday | wednesday | weekdays | weekend}
hour minute to {daily | friday | monday | saturday | sunday |
thursday | tuesday | wednesday | weekdays | weekend |
hour minute}
daily - Daily
friday - Friday
monday - Monday
saturday - Saturday
sunday - Sunday
thursday - Thursday
tuesday - Tuesday
wednesday - Wednesday
weekdays - Weekdays
weekend - Weekends
hour - Hour in 24-hour format. (Range: 0-23)
minute - Minute. (Range: 0-59)
DEFAULT SETTING
None
COMMAND MODE
Time Range Configuration
COMMAND USAGE
◆ If a time range is already configured, you must use the no form of this
command to remove the current entry prior to configuring a new time
range.
◆
If both an absolute rule and one or more periodic rules are configured
for the same time range (i.e., named entry), that entry will only take
effect if the current time is within the absolute time range and one of
the periodic time ranges.
EXAMPLE
This example configures a time range for the periodic occurrence of an
event.
Console(config)#time-range sales
Console(config-time-range)#periodic daily 1 1 to 2 1
Console(config-time-range)#
– 574 –
CHAPTER 20 | System Management Commands
Switch Clustering
show time-range This command shows configured time ranges.
SYNTAX
show time-range [name]
name - Name of the time range. (Range: 1-30 characters)
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show time-range r&d
Time-range r&d:
absolute start 01:01 01 April 2009
periodic
Daily 01:01 to
Daily 02:01
periodic
Daily 02:01 to
Daily 03:01
Console#
SWITCH CLUSTERING
Switch Clustering is a method of grouping switches together to enable
centralized management through a single unit. Switches that support
clustering can be grouped together regardless of physical location or switch
type, as long as they are connected to the same local network.
Table 56: Switch Cluster Commands
Command
Function
Mode
cluster
Configures clustering on the switch
GC
cluster commander
Configures the switch as a cluster Commander
GC
cluster ip-pool
Sets the cluster IP address pool for Members
GC
cluster member
Sets Candidate switches as cluster members
GC
rcommand
Provides configuration access to Member switches
GC
show cluster
Displays the switch clustering status
PE
show cluster members
Displays current cluster Members
PE
show cluster candidates
Displays current cluster Candidates in the network
PE
Using Switch Clustering
◆
A switch cluster has a primary unit called the “Commander” which is
used to manage all other “Member” switches in the cluster. The
management station can use either Telnet or the web interface to
communicate directly with the Commander through its IP address, and
– 575 –
CHAPTER 20 | System Management Commands
Switch Clustering
then use the Commander to manage the Member switches through the
cluster’s “internal” IP addresses.
◆
Clustered switches must be in the same Ethernet broadcast domain. In
other words, clustering only functions for switches which can pass
information between the Commander and potential Candidates or
active Members through VLAN 4093.
◆
Once a switch has been configured to be a cluster Commander, it
automatically discovers other cluster-enabled switches in the network.
These “Candidate” switches only become cluster Members when
manually selected by the administrator through the management
station.
◆
The cluster VLAN 4093 is not configured by default. Before using
clustering, take the following actions to set up this VLAN:
1. Create VLAN 4093 (see "Editing VLAN Groups" on page 827).
2. Add the participating ports to this VLAN (see "Configuring VLAN
Interfaces" on page 829), and set them to hybrid mode, tagged
members, PVID = 1, and acceptable frame type = all.
NOTE: Cluster Member switches can be managed either through a Telnet
connection to the Commander, or through a web management connection
to the Commander. When using a console connection, from the
Commander CLI prompt, use the rcommand to connect to the Member
switch.
cluster This command enables clustering on the switch. Use the no form to disable
clustering.
SYNTAX
[no] cluster
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ To create a switch cluster, first be sure that clustering is enabled on the
switch (the default is enabled), then set the switch as a Cluster
Commander. Set a Cluster IP Pool that does not conflict with any other
IP subnets in the network. Cluster IP addresses are assigned to
switches when they become Members and are used for communication
between Member switches and the Commander.
◆
Switch clusters are limited to the same Ethernet broadcast domain.
– 576 –
CHAPTER 20 | System Management Commands
Switch Clustering
◆
There can be up to 100 candidates and 36 member switches in one
cluster.
◆
A switch can only be a Member of one cluster.
◆
Configured switch clusters are maintained across power resets and
network changes.
EXAMPLE
Console(config)#cluster
Console(config)#
cluster commander This command enables the switch as a cluster Commander. Use the no
form to disable the switch as cluster Commander.
SYNTAX
[no] cluster commander
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Once a switch has been configured to be a cluster Commander, it
automatically discovers other cluster-enabled switches in the network.
These “Candidate” switches only become cluster Members when
manually selected by the administrator through the management
station.
◆
Cluster Member switches can be managed through a Telnet connection
to the Commander. From the Commander CLI prompt, use the
rcommand id command to connect to the Member switch.
EXAMPLE
Console(config)#cluster commander
Console(config)#
– 577 –
CHAPTER 20 | System Management Commands
Switch Clustering
cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to
the default address.
SYNTAX
cluster ip-pool ip-address
no cluster ip-pool
ip-address - The base IP address for IP addresses assigned to
cluster Members. The IP address must start 10.x.x.x.
DEFAULT SETTING
10.254.254.1
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ An “internal” IP address pool is used to assign IP addresses to Member
switches in the cluster. Internal cluster IP addresses are in the form
10.x.x.member-ID. Only the base IP address of the pool needs to be
set since Member IDs can only be between 1 and 36.
◆
Set a Cluster IP Pool that does not conflict with addresses in the
network IP subnet. Cluster IP addresses are assigned to switches when
they become Members and are used for communication between
Member switches and the Commander.
◆
You cannot change the cluster IP pool when the switch is currently in
Commander mode. Commander mode must first be disabled.
EXAMPLE
Console(config)#cluster ip-pool 10.2.3.4
Console(config)#
cluster member This command configures a Candidate switch as a cluster Member. Use the
no form to remove a Member switch from the cluster.
SYNTAX
cluster member mac-address mac-address id member-id
no cluster member id member-id
mac-address - The MAC address of the Candidate switch.
member-id - The ID number to assign to the Member switch.
(Range: 1-36)
DEFAULT SETTING
No Members
– 578 –
CHAPTER 20 | System Management Commands
Switch Clustering
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The maximum number of cluster Members is 36.
◆
The maximum number of cluster Candidates is 100.
EXAMPLE
Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
Console(config)#
rcommand This command provides access to a cluster Member CLI for configuration.
SYNTAX
rcommand id member-id
member-id - The ID number of the Member switch. (Range: 1-36)
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ This command only operates through a Telnet connection to the
Commander switch. Managing cluster Members using the local console
CLI on the Commander is not supported.
◆
There is no need to enter the username and password for access to the
Member switch CLI.
EXAMPLE
Console#rcommand id 1
CLI session with the ECS3510-26P is opened.
To end the CLI session, enter [Exit].
Vty-0##
show cluster This command shows the switch clustering configuration.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show cluster
Role
: commander
Interval Heartbeat
: 30
– 579 –
CHAPTER 20 | System Management Commands
Switch Clustering
Heartbeat Loss Count : 3 seconds
Number of Members
: 1
Number of Candidates : 2
Console#
show cluster This command shows the current switch cluster members.
members
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show cluster members
Cluster Members:
ID
: 1
Role
: Active member
IP Address : 10.254.254.2
MAC Address : 00-E0-0C-00-00-FE
Description : ECS3510-26P Managed FE POE Switch
Console#
show cluster This command shows the discovered Candidate switches in the network.
candidates
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show cluster candidates
Cluster Candidates:
Role
MAC Address
--------------- ----------------Active member
00-E0-0C-00-00-FE
CANDIDATE
00-12-CF-0B-47-A0
Console#
– 580 –
Description
---------------------------------------ECS3510-26P Managed FE POE Switch
ECS3510-26P Managed FE POE Switch
21
SNMP COMMANDS
SNMP commands control access to this switch from management stations
using the Simple Network Management Protocol (SNMP), as well as the
error types sent to trap managers.
SNMP Version 3 also provides security features that cover message
integrity, authentication, and encryption; as well as controlling user access
to specific areas of the MIB tree. To use SNMPv3, first set an SNMP engine
ID (or accept the default), specify read and write access views for the MIB
tree, configure SNMP user groups with the required security model (i.e.,
SNMP v1, v2c or v3) and security level (i.e., authentication and privacy),
and then assign SNMP users to these groups, along with their specific
authentication and privacy passwords.
Table 57: SNMP Commands
Command
Function
Mode
snmp-server
Enables the SNMP agent
GC
snmp-server community
Sets up the community access string to permit access
to SNMP commands
GC
snmp-server contact
Sets the system contact string
GC
snmp-server location
Sets the system location string
GC
show snmp
Displays the status of SNMP communications
NE, PE
General SNMP Commands
SNMP Target Host Commands
snmp-server enable traps Enables the device to send SNMP traps (i.e., SNMP
notifications)
GC
snmp-server host
GC
Specifies the recipient of an SNMP notification
operation
SNMPv3 Engine Commands
snmp-server engine-id
Sets the SNMP engine ID
GC
snmp-server group
Adds an SNMP group, mapping users to views
GC
snmp-server user
Adds a user to an SNMP group
GC
snmp-server view
Adds an SNMP view
GC
show snmp engine-id
Shows the SNMP engine ID
PE
show snmp group
Shows the SNMP groups
PE
show snmp user
Shows the SNMP users
PE
show snmp view
Shows the SNMP views
PE
– 581 –
CHAPTER 21 | SNMP Commands
General SNMP Commands
Table 57: SNMP Commands (Continued)
Command
Function
Mode
Notification Log Commands
nlm
Enables the specified notification log
GC
snmp-server notify-filter
Creates a notification log and specifies the target host GC
show nlm oper-status
Shows operation status of configured notification logs PE
show snmp notify-filter
Displays the configured notification logs
PE
ATC Trap Commands
snmp-server enable port- Sends a trap when broadcast traffic falls beneath the
traps atc broadcastlower threshold after a storm control response has
alarm-clear
been triggered
IC (Port)
snmp-server enable port- Sends a trap when broadcast traffic exceeds the upper
traps atc broadcastthreshold for automatic storm control
alarm-fire
IC (Port)
snmp-server enable port- Sends a trap when broadcast traffic exceeds the upper
traps atc broadcastthreshold for automatic storm control and the apply
control-apply
timer expires
IC (Port)
snmp-server enable port- Sends a trap when broadcast traffic falls beneath the
traps atc broadcastlower threshold after a storm control response has
control-release
been triggered and the release timer expires
IC (Port)
snmp-server enable port- Sends a trap when multicast traffic falls beneath the
traps atc multicast-alarm- lower threshold after a storm control response has
clear
been triggered
IC (Port)
snmp-server enable port- Sends a trap when multicast traffic exceeds the upper
traps atc multicast-alarm- threshold for automatic storm control
fire
IC (Port)
snmp-server enable port- Sends a trap when multicast traffic exceeds the upper
traps atc multicastthreshold for automatic storm control and the apply
control-apply
timer expires
IC (Port)
snmp-server enable port- Sends a trap when multicast traffic falls beneath the
traps atc multicastlower threshold after a storm control response has
control-release
been triggered and the release timer expires
IC (Port)
General SNMP Commands
snmp-server This command enables the SNMPv3 engine and services for all
management clients (i.e., versions 1, 2c, 3). Use the no form to disable the
server.
SYNTAX
[no] snmp-server
DEFAULT SETTING
Enabled
COMMAND MODE
Global Configuration
– 582 –
CHAPTER 21 | SNMP Commands
General SNMP Commands
EXAMPLE
Console(config)#snmp-server
Console(config)#
snmp-server This command defines community access strings used to authorize
community management access by clients using SNMP v1 or v2c. Use the no form to
remove the specified community string.
SYNTAX
snmp-server community string [ro | rw]
no snmp-server community string
string - Community string that acts like a password and permits
access to the SNMP protocol. (Maximum length: 32 characters, case
sensitive; Maximum number of strings: 5)
ro - Specifies read-only access. Authorized management stations
are only able to retrieve MIB objects.
rw - Specifies read/write access. Authorized management stations
are able to both retrieve and modify MIB objects.
DEFAULT SETTING
◆ public - Read-only access. Authorized management stations are only
able to retrieve MIB objects.
◆ private - Read/write access. Authorized management stations are able
to both retrieve and modify MIB objects.
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#snmp-server community alpha rw
Console(config)#
snmp-server This command sets the system contact string. Use the no form to remove
contact the system contact information.
SYNTAX
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.
(Maximum length: 255 characters)
DEFAULT SETTING
None
– 583 –
CHAPTER 21 | SNMP Commands
General SNMP Commands
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#snmp-server contact Paul
Console(config)#
RELATED COMMANDS
snmp-server location (584)
snmp-server This command sets the system location string. Use the no form to remove
location the location string.
SYNTAX
snmp-server location text
no snmp-server location
text - String that describes the system location.
(Maximum length: 255 characters)
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#snmp-server location WC-19
Console(config)#
RELATED COMMANDS
snmp-server contact (583)
show snmp This command can be used to check the status of SNMP communications.
DEFAULT SETTING
None
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
This command provides information on the community access strings,
counter information for SNMP input and output protocol data units, and
whether or not SNMP logging has been enabled with the snmp-server
enable traps command.
– 584 –
CHAPTER 21 | SNMP Commands
SNMP Target Host Commands
EXAMPLE
Console#show snmp
SNMP Agent : Enabled
SNMP Traps :
Authentication : Enabled
Link-up-down
: Enabled
SNMP Communities :
1. public, and the access level is read-only
2. private, and the access level is read/write
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 SNMP packets output
0 Too big errors
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
SNMP Logging: Disabled
Console#
SNMP Target Host Commands
snmp-server This command enables this device to send Simple Network Management
enable traps Protocol traps or informs (i.e., SNMP notifications). Use the no form to
disable SNMP notifications.
SYNTAX
[no] snmp-server enable traps [authentication | link-up-down]
authentication - Keyword to issue authentication failure
notifications.
link-up-down - Keyword to issue link-up or link-down notifications.
DEFAULT SETTING
Issue authentication and link-up-down traps.
COMMAND MODE
Global Configuration
– 585 –
CHAPTER 21 | SNMP Commands
SNMP Target Host Commands
COMMAND USAGE
◆ If you do not enter an snmp-server enable traps command, no
notifications controlled by this command are sent. In order to configure
this device to send SNMP notifications, you must enter at least one
snmp-server enable traps command. If you enter the command with
no keywords, both authentication and link-up-down notifications are
enabled. If you enter the command with a keyword, only the
notification type related to that keyword is enabled.
◆
The snmp-server enable traps command is used in conjunction with
the snmp-server host command. Use the snmp-server host command
to specify which host or hosts receive SNMP notifications. In order to
send notifications, you must configure at least one snmp-server host
command.
◆
The authentication, link-up, and link-down traps are legacy
notifications, and therefore when used for SNMP Version 3 hosts, they
must be enabled in conjunction with the corresponding entries in the
Notify View assigned by the snmp-server group command.
EXAMPLE
Console(config)#snmp-server enable traps link-up-down
Console(config)#
RELATED COMMANDS
snmp-server host (586)
snmp-server host This command specifies the recipient of a Simple Network Management
Protocol notification operation. Use the no form to remove the specified
host.
SYNTAX
snmp-server host host-addr [inform [retry retries |
timeout seconds]] community-string
[version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}
no snmp-server host host-addr
host-addr - Internet address of the host (the targeted recipient).
(Maximum host addresses: 5 trap destination IP address entries)
inform - Notifications are sent as inform messages. Note that this
option is only available for version 2c and 3 hosts. (Default: traps
are used)
retries - The maximum number of times to resend an inform
message if the recipient does not acknowledge receipt. (Range:
0-255; Default: 3)
seconds - The number of seconds to wait for an
acknowledgment before resending an inform message. (Range:
0-2147483647 centiseconds; Default: 1500 centiseconds)
– 586 –
CHAPTER 21 | SNMP Commands
SNMP Target Host Commands
community-string - Password-like community string sent with the
notification operation to SNMP V1 and V2c hosts. Although you can
set this string using the snmp-server host command by itself, we
recommend defining it with the snmp-server community command
prior to using the snmp-server host command. (Maximum length:
32 characters)
version - Specifies whether to send notifications as SNMP Version
1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
auth | noauth | priv - This group uses SNMPv3 with
authentication, no authentication, or with authentication and
privacy. See "Simple Network Management Protocol" on
page 397 for further information about these authentication and
encryption options.
port - Host UDP port to use. (Range: 1-65535; Default: 162)
DEFAULT SETTING
Host Address: None
Notification Type: Traps
SNMP Version: 1
UDP Port: 162
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ If you do not enter an snmp-server host command, no notifications
are sent. In order to configure the switch to send SNMP notifications,
you must enter at least one snmp-server host command. In order to
enable multiple hosts, you must issue a separate snmp-server host
command for each host.
◆
The snmp-server host command is used in conjunction with the
snmp-server enable traps command. Use the snmp-server enable traps
command to enable the sending of traps or informs and to specify
which SNMP notifications are sent globally. For a host to receive
notifications, at least one snmp-server enable traps command and the
snmp-server host command for that host must be enabled.
◆
Some notification types cannot be controlled with the snmp-server
enable traps command. For example, some notification types are
always enabled.
◆
Notifications are issued by the switch as trap messages by default. The
recipient of a trap message does not send a response to the switch.
Traps are therefore not as reliable as inform messages, which include a
request for acknowledgement of receipt. Informs can be used to ensure
that critical information is received by the host. However, note that
informs consume more system resources because they must be kept in
memory until a response is received. Informs also add to network
traffic. You should consider these effects when deciding whether to
issue notifications as traps or informs.
– 587 –
CHAPTER 21 | SNMP Commands
SNMP Target Host Commands
To send an inform to a SNMPv2c host, complete these steps:
1.
2.
3.
4.
5.
Enable the SNMP agent (page 582).
Create a view with the required notification messages (page 592).
Create a group that includes the required notify view (page 590).
Allow the switch to send SNMP traps; i.e., notifications (page 585).
Specify the target host that will receive inform messages with the
snmp-server host command as described in this section.
To send an inform to a SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 582).
2. Create a local SNMPv3 user to use in the message exchange
3.
4.
5.
6.
process (page 591).
Create a view with the required notification messages (page 592).
Create a group that includes the required notify view (page 590).
Allow the switch to send SNMP traps; i.e., notifications (page 585).
Specify the target host that will receive inform messages with the
snmp-server host command as described in this section.
◆
The switch can send SNMP Version 1, 2c or 3 notifications to a host IP
address, depending on the SNMP version that the management station
supports. If the snmp-server host command does not specify the
SNMP version, the default is to send SNMP version 1 notifications.
◆
If you specify an SNMP Version 3 host, then the community string is
interpreted as an SNMP user name. The user name must first be
defined with the snmp-server user command. Otherwise, an SNMPv3
group will be automatically created by the snmp-server host
command using the name of the specified community string, and
default settings for the read, write, and notify view.
EXAMPLE
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#
RELATED COMMANDS
snmp-server enable traps (585)
– 588 –
CHAPTER 21 | SNMP Commands
SNMPv3 Commands
SNMPv3 Commands
snmp-server This command configures an identification string for the SNMPv3 engine.
engine-id Use the no form to restore the default.
SYNTAX
snmp-server engine-id {local | remote {ip-address}}
engineid-string
no snmp-server engine-id {local | remote {ip-address}}
local - Specifies the SNMP engine on this switch.
remote - Specifies an SNMP engine on a remote device.
ip-address - The Internet address of the remote device.
engineid-string - String identifying the engine ID. (Range: 1-26
hexadecimal characters)
DEFAULT SETTING
A unique engine ID is automatically generated by the switch based on its
MAC address.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ An SNMP engine is an independent SNMP agent that resides either on
this switch or on a remote device. This engine protects against
message replay, delay, and redirection. The engine ID is also used in
combination with user passwords to generate the security keys for
authenticating and encrypting SNMPv3 packets.
◆
A remote engine ID is required when using SNMPv3 informs. (See the
snmp-server host command.) The remote engine ID is used to compute
the security digest for authentication and encryption of packets passed
between the switch and a user on the remote host. SNMP passwords
are localized using the engine ID of the authoritative agent. For
informs, the authoritative SNMP agent is the remote agent. You
therefore need to configure the remote agent’s SNMP engine ID before
you can send proxy requests or informs to it.
◆
Trailing zeroes need not be entered to uniquely specify a engine ID. In
other words, the value “0123456789” is equivalent to “0123456789”
followed by 16 zeroes for a local engine ID.
◆
A local engine ID is automatically generated that is unique to the
switch. This is referred to as the default engine ID. If the local engine
ID is deleted or changed, all SNMP users will be cleared. You will need
to reconfigure all existing users (page 591).
– 589 –
CHAPTER 21 | SNMP Commands
SNMPv3 Commands
EXAMPLE
Console(config)#snmp-server engine-id local 1234567890
Console(config)#snmp-server engineID remote 9876543210 192.168.1.19
Console(config)#
RELATED COMMANDS
snmp-server host (586)
snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views.
Use the no form to remove an SNMP group.
SYNTAX
snmp-server group groupname
{v1 | v2c | v3 {auth | noauth | priv}}
[read readview] [write writeview] [notify notifyview]
no snmp-server group groupname
groupname - Name of an SNMP group. (Range: 1-32 characters)
v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
auth | noauth | priv - This group uses SNMPv3 with
authentication, no authentication, or with authentication and
privacy. See "Simple Network Management Protocol" on page 397
for further information about these authentication and encryption
options.
readview - Defines the view for read access. (1-32 characters)
writeview - Defines the view for write access. (1-32 characters)
notifyview - Defines the view for notifications. (1-32 characters)
DEFAULT SETTING
Default groups: public11 (read only), private12 (read/write)
readview - Every object belonging to the Internet OID space (1).
writeview - Nothing is defined.
notifyview - Nothing is defined.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ A group sets the access policy for the assigned users.
◆
When authentication is selected, the MD5 or SHA algorithm is used as
specified in the snmp-server user command.
◆
When privacy is selected, the DES 56-bit algorithm is used for data
encryption.
11. No view is defined.
12. Maps to the defaultview.
– 590 –
CHAPTER 21 | SNMP Commands
SNMPv3 Commands
◆
For additional information on the notification messages supported by
this switch, see Table 32, "Supported Notification Messages," on
page 406. Also, note that the authentication, link-up and link-down
messages are legacy traps and must therefore be enabled in
conjunction with the snmp-server enable traps command.
EXAMPLE
Console(config)#snmp-server group r&d v3 auth write daily
Console(config)#
snmp-server user This command adds a user to an SNMP group, restricting the user to a
specific SNMP Read, Write, or Notify View. Use the no form to remove a
user from an SNMP group.
SYNTAX
snmp-server user username groupname [remote ip-address]
{v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password
[priv des56 priv-password]]
no snmp-server user username {v1 | v2c | v3 | remote}
username - Name of user connecting to the SNMP agent.
(Range: 1-32 characters)
groupname - Name of an SNMP group to which the user is assigned.
(Range: 1-32 characters)
remote - Specifies an SNMP engine on a remote device.
ip-address - The Internet address of the remote device.
v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
encrypted - Accepts the password as encrypted input.
auth - Uses SNMPv3 with authentication.
md5 | sha - Uses MD5 or SHA authentication.
auth-password - Authentication password. Enter as plain text if the
encrypted option is not used. Otherwise, enter an encrypted
password. (A minimum of eight characters is required.)
priv des56 - Uses SNMPv3 with privacy with DES56 encryption.
priv-password - Privacy password. Enter as plain text if the
encrypted option is not used. Otherwise, enter an encrypted
password.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
– 591 –
CHAPTER 21 | SNMP Commands
SNMPv3 Commands
COMMAND USAGE
◆ Local users (i.e., the command does not specify a remote engine
identifier) must be configured to authorize management access for
SNMPv3 clients, or to identify the source of SNMPv3 trap messages
sent from the local switch.
◆
Remote users (i.e., the command specifies a remote engine identifier)
must be configured to identify the source of SNMPv3 inform messages
sent from the local switch.
◆
The SNMP engine ID is used to compute the authentication/privacy
digests from the password. You should therefore configure the engine
ID with the snmp-server engine-id command before using this
configuration command.
◆
Before you configure a remote user, use the snmp-server engine-id
command to specify the engine ID for the remote device where the
user resides. Then use the snmp-server user command to specify the
user and the IP address for the remote device where the user resides.
The remote agent’s SNMP engine ID is used to compute authentication/
privacy digests from the user’s password. If the remote engine ID is not
first configured, the snmp-server user command specifying a remote
user will fail.
◆
SNMP passwords are localized using the engine ID of the authoritative
agent. For informs, the authoritative SNMP agent is the remote agent.
You therefore need to configure the remote agent’s SNMP engine ID
before you can send proxy requests or informs to it.
EXAMPLE
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv
des56 einstien
Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth
md5 greenpeace priv des56 einstien
Console(config)#
snmp-server view This command adds an SNMP view which controls user access to the MIB.
Use the no form to remove an SNMP view.
SYNTAX
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
view-name - Name of an SNMP view. (Range: 1-32 characters)
oid-tree - Object identifier of a branch within the MIB tree. Wild
cards can be used to mask a specific portion of the OID string.
(Refer to the examples.)
included - Defines an included view.
excluded - Defines an excluded view.
– 592 –
CHAPTER 21 | SNMP Commands
SNMPv3 Commands
DEFAULT SETTING
defaultview (includes access to the entire MIB tree)
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Views are used in the snmp-server group command to restrict user
access to specified portions of the MIB tree.
◆
The predefined view “defaultview” includes access to the entire MIB
tree.
EXAMPLES
This view includes MIB-2.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#
This view includes the MIB-2 interfaces table, ifDescr. The wild card is used
to select all the index values in this table.
Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included
Console(config)#
This view includes the MIB-2 interfaces table, and the mask selects all
index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#
show snmp This command shows the SNMP engine ID.
engine-id
COMMAND MODE
Privileged Exec
EXAMPLE
This example shows the default engine ID.
Console#show snmp engine-id
Local SNMP EngineID: 8000002a8000000000e8666672
Local SNMP EngineBoots: 1
Remote SNMP EngineID
80000000030004e2b316c54321
Console#
– 593 –
IP address
192.168.1.19
CHAPTER 21 | SNMP Commands
SNMPv3 Commands
Table 58: show snmp engine-id - display description
Field
Description
Local SNMP engineID
String identifying the engine ID.
Local SNMP engineBoots
The number of times that the engine has (re-)initialized since the
snmp EngineID was last configured.
Remote SNMP engineID
String identifying an engine ID on a remote device.
IP address
IP address of the device containing the corresponding remote
SNMP engine.
show snmp group Four default groups are provided – SNMPv1 read-only access and read/
write access, and SNMPv2c read-only access and read/write access.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show snmp group
Group Name: r&d
Security Model: v3
Read View: defaultview
Write View: daily
Notify View: none
Storage Type: permanent
Row Status: active
Group Name: public
Security Model: v1
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
– 594 –
CHAPTER 21 | SNMP Commands
SNMPv3 Commands
Console#
Table 59: show snmp group - display description
Field
Description
Group Name
Name of an SNMP group.
Security Model
The SNMP version.
Read View
The associated read view.
Write View
The associated write view.
Notify View
The associated notify view.
Storage Type
The storage type for this entry.
Row Status
The row status of this entry.
show snmp user This command shows information on SNMP users.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show snmp user
EngineId: 800000ca030030f1df9ca00000
User Name: steve
Authentication Protocol: md5
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active
SNMP remote user
EngineId: 80000000030004e2b316c54321
User Name: mark
Authentication Protocol: mdt
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active
Console#
Table 60: show snmp user - display description
Field
Description
EngineId
String identifying the engine ID.
User Name
Name of user connecting to the SNMP agent.
Authentication Protocol
The authentication protocol used with SNMPv3.
Privacy Protocol
The privacy protocol used with SNMPv3.
Storage Type
The storage type for this entry.
– 595 –
CHAPTER 21 | SNMP Commands
Notification Log Commands
Table 60: show snmp user - display description (Continued)
Field
Description
Row Status
The row status of this entry.
SNMP remote user
A user associated with an SNMP engine on a remote device.
show snmp view This command shows information on the SNMP views.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: permanent
Row Status: active
View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active
Console#
Table 61: show snmp view - display description
Field
Description
View Name
Name of an SNMP view.
Subtree OID
A branch in the MIB tree.
View Type
Indicates if the view is included or excluded.
Storage Type
The storage type for this entry.
Row Status
The row status of this entry.
Notification Log Commands
nlm This command enables or disables the specified notification log.
SYNTAX
[no] nlm filter-name
filter-name - Notification log name. (Range: 1-32 characters)
DEFAULT SETTING
Enabled
– 596 –
CHAPTER 21 | SNMP Commands
Notification Log Commands
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Notification logging is enabled by default, but will not start recording
information until a logging profile specified by the snmp-server
notify-filter command is enabled by the nlm command.
◆
Disabling logging with this command does not delete the entries stored
in the notification log.
EXAMPLE
This example enables the notification logs A1 and A2.
Console(config)#nlm A1
Console(config)#nlm A2
Console(config)#
snmp-server This command creates an SNMP notification log. Use the no form to
notify-filter remove this log.
SYNTAX
[no] snmp-server notify-filter profile-name remote ip-address
profile-name - Notification log profile name. (Range: 1-32
characters)
ip-address - The Internet address of a remote device. The specified
target host must already have been configured using the snmpserver host command.
NOTE: The notification log is stored locally. It is not sent to a remote
device. This remote host parameter is only required to complete
mandatory fields in the SNMP Notification MIB.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Systems that support SNMP often need a mechanism for recording
Notification information as a hedge against lost notifications, whether
those are Traps or Informs that exceed retransmission limits. The
Notification Log MIB (NLM, RFC 3014) provides an infrastructure in
which information from other MIBs may be logged.
– 597 –
CHAPTER 21 | SNMP Commands
Notification Log Commands
◆
Given the service provided by the NLM, individual MIBs can now bear
less responsibility to record transient information associated with an
event against the possibility that the Notification message is lost, and
applications can poll the log to verify that they have not missed any
important Notifications.
◆
If notification logging is not configured and enabled, when the switch
reboots, some SNMP traps (such as warm start) cannot be logged.
◆
To avoid this problem, notification logging should be configured and
enabled using the snmp-server notify-filter command and nlm
command, and these commands stored in the startup configuration file.
Then when the switch reboots, SNMP traps (such as warm start) can
now be logged.
◆
When this command is executed, a notification log is created (with the
default parameters defined in RFC 3014). Notification logging is
enabled by default (see the nlm command), but will not start recording
information until a logging profile specified with this command is
enabled with the nlm command.
◆
Based on the default settings used in RFC 3014, a notification log can
contain up to 256 entries, and the entry aging time is 1440 minutes.
Information recorded in a notification log, and the entry aging time can
only be configured using SNMP from a network management station.
◆
When a trap host is created with the snmp-server host command, a
default notify filter will be created as shown in the example under the
show snmp notify-filter command.
EXAMPLE
This example first creates an entry for a remote host, and then instructs
the switch to record this device as the remote host for the specified
notification log.
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#snmp-server notify-filter A1 remote 10.1.19.23
Console#
show nlm This command shows the operational status of configured notification logs.
oper-status
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show
Filter Name:
Oper-Status:
Filter Name:
nlm oper-status
A1
Operational
A2
– 598 –
CHAPTER 21 | SNMP Commands
Notification Log Commands
Oper-Status: Operational
Console#
show snmp This command displays the configured notification logs.
notify-filter
COMMAND MODE
Privileged Exec
EXAMPLE
This example displays the configured notification logs and associated
target hosts. Note that the last entry is a default filter created when a trap
host is initially created.
Console#show snmp notify-filter
Filter profile name
IP address
---------------------------- ---------------A1
10.1.19.23
A2
10.1.19.22
traphost.1.1.1.1.private
1.1.1.1
Console#
– 599 –
CHAPTER 21 | SNMP Commands
Notification Log Commands
– 600 –
22
REMOTE MONITORING COMMANDS
Remote Monitoring allows a remote device to collect information or
respond to specified events on an independent basis. This switch is an
RMON-capable device which can independently perform a wide range of
tasks, significantly reducing network management traffic. It can
continuously run diagnostics and log information on network performance.
If an event is triggered, it can automatically notify the network
administrator of a failure and provide historical information about the
event. If it cannot connect to the management agent, it will continue to
perform any specified tasks and pass data back to the management station
the next time it is contacted.
This switch supports mini-RMON, which consists of the Statistics, History,
Event and Alarm groups. When RMON is enabled, the system gradually
builds up information about its physical interfaces, storing this information
in the relevant RMON database group. A management agent then
periodically communicates with the switch using the SNMP protocol.
However, if the switch encounters a critical event, it can automatically send
a trap message to the management agent which can then respond to the
event if so configured.
Table 62: RMON Commands
Command
Function
Mode
rmon alarm
Sets threshold bounds for a monitored variable
GC
rmon event
Creates a response event for an alarm
GC
rmon collection history
Periodically samples statistics
IC
rmon collection rmon1
Enables statistics collection
IC
show rmon alarms
Shows the settings for all configured alarms
PE
show rmon events
Shows the settings for all configured events
PE
show rmon history
Shows the sampling parameters for each entry
PE
show rmon statistics
Shows the collected statistics
PE
– 601 –
CHAPTER 22 | Remote Monitoring Commands
rmon alarm This command sets threshold bounds for a monitored variable. Use the no
form to remove an alarm.
SYNTAX
rmon alarm index variable interval {absolute | delta}
rising-threshold threshold [event-index]
falling-threshold threshold [event-index]
[owner name]
no rmon alarm index
index – Index to this entry. (Range: 1-65535)
variable – The object identifier of the MIB variable to be sampled.
Only variables of the type etherStatsEntry.n.n may be sampled.
Note that etherStatsEntry.n uniquely defines the MIB variable, and
etherStatsEntry.n.n defines the MIB variable, plus the
etherStatsIndex. For example, 1.3.6.1.2.1.16.1.1.1.6.1 denotes
etherStatsBroadcastPkts, plus the etherStatsIndex of 1.
interval – The polling interval. (Range: 1-31622400 seconds)
absolute – The variable is compared directly to the thresholds at
the end of the sampling period.
delta – The last sample is subtracted from the current value and
the difference is then compared to the thresholds.
threshold – An alarm threshold for the sampled variable.
(Range: 0-2147483647)
event-index – The index of the event to use if an alarm is triggered.
If there is no corresponding entry in the event control table, then no
event will be generated. (Range: 0-65535)
name – Name of the person who created this entry. (Range: 1-127
characters)
DEFAULT SETTING
1.3.6.1.2.1.16.1.1.1.6.1 - 1.3.6.1.2.1.16.1.1.1.6.26
Taking delta samples every 30 seconds,
Rising threshold is 892800, assigned to event 0
Falling threshold is 446400, assigned to event 0
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ If an event is already defined for an index, the entry must be deleted
before any changes can be made with this command.
◆
If the current value is greater than or equal to the rising threshold, and
the last sample value was less than this threshold, then an alarm will be
generated. After a rising event has been generated, another such event
will not be generated until the sampled value has fallen below the rising
threshold, reaches the falling threshold, and again moves back up to
the rising threshold.
– 602 –
CHAPTER 22 | Remote Monitoring Commands
◆
If the current value is less than or equal to the falling threshold, and
the last sample value was greater than this threshold, then an alarm
will be generated. After a falling event has been generated, another
such event will not be generated until the sampled value has risen
above the falling threshold, reaches the rising threshold, and again
moves back down to the failing threshold.
EXAMPLE
Console(config)#rmon alarm 1 1 1.3.6.1.2.1.16.1.1.1.6.1 15 delta
rising-threshold 100 1 falling-threshold 30 1 owner mike
Console(config)#
rmon event This command creates a response event for an alarm. Use the no form to
remove an event.
SYNTAX
rmon event index [log] | [trap community] | [description string] |
[owner name]
no rmon event index
index – Index to this entry. (Range: 1-65535)
log – Generates an RMON log entry when the event is triggered.
Log messages are processed based on the current configuration
settings for event logging (see "Event Logging" on page 555).
trap – Sends a trap message to all configured trap managers (see
"snmp-server host" on page 586).
community – A password-like community string sent with the trap
operation to SNMP v1 and v2c hosts. Although this string can be set
using the rmon event command by itself, it is recommended that
the string be defined using the snmp-server community command
(page 583) prior to using the rmon event command. (Range: 1-127
characters)
string – A comment that describes this event. (Range: 1-127
characters)
name – Name of the person who created this entry. (Range: 1-127
characters)
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ If an event is already defined for an index, the entry must be deleted
before any changes can be made with this command.
– 603 –
CHAPTER 22 | Remote Monitoring Commands
◆
The specified events determine the action to take when an alarm
triggers this event. The response to an alarm can include logging the
alarm or sending a message to a trap manager.
EXAMPLE
Console(config)#rmon event 2 log description urgent owner mike
Console(config)#
rmon collection This command periodically samples statistics on a physical interface. Use
history the no form to disable periodic sampling.
SYNTAX
rmon collection history controlEntry index
[buckets number [interval seconds]] |
[interval seconds] |
[owner name [buckets number [interval seconds]]
no rmon collection history controlEntry index
index – Index to this entry. (Range: 1-65535)
number – The number of buckets requested for this entry.
(Range: 1-65536)
seconds – The polling interval. (Range: 1-3600 seconds)
name – Name of the person who created this entry. (Range: 1-127
characters)
DEFAULT SETTING
1.3.6.1.2.1.16.1.1.1.6.1 - 1.3.6.1.2.1.16.1.1.1.6.26
Buckets: 8
Interval: 30 seconds for even numbered entries,
1800 seconds for odd numbered entries
COMMAND MODE
Interface Configuration (Ethernet)
COMMAND USAGE
◆ By default, each index number equates to a port on the switch, but can
be changed to any number not currently in use.
◆
If periodic sampling is already enabled on an interface, the entry must
be deleted before any changes can be made with this command.
◆
The information collected for each sample includes:
input octets, packets, broadcast packets, multicast packets, undersize
packets, oversize packets, fragments, jabbers, CRC alignment errors,
collisions, drop events, and network utilization.
◆
The switch reserves two controlEntry index entries for each port. If a
default index entry is re-assigned to another port by this command, the
– 604 –
CHAPTER 22 | Remote Monitoring Commands
show running-config command will display a message indicating that
this index is not available for the port to which is normally assigned.
For example, if control entry 15 is assigned to port 5 as shown below,
the show running-config command will indicate that this entry is not
available for port 8.
Console(config)#interface ethernet 1/5
Console(config-if)#rmon collection history controlEntry 15
Console(config-if)#end
Console#show running-config
!
interface ethernet 1/5
rmon collection history controlEntry 15 buckets 50 interval 1800
...
interface ethernet 1/8
no rmon collection history controlEntry 15
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#rmon collection history controlentry 21 buckets 24
interval 60 owner mike
Console(config-if)#
rmon collection This command enables the collection of statistics on a physical interface.
rmon1 Use the no form to disable statistics collection.
SYNTAX
rmon collection rmon1 controlEntry index [owner name]
no rmon collection rmon1 controlEntry index
index – Index to this entry. (Range: 1-65535)
name – Name of the person who created this entry. (Range: 1-127
characters)
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet)
COMMAND USAGE
◆ By default, each index number equates to a port on the switch, but can
be changed to any number not currently in use.
◆
If statistics collection is already enabled on an interface, the entry must
be deleted before any changes can be made with this command.
◆
The information collected for each entry includes:
input octets, packets, broadcast packets, multicast packets, undersize
packets, oversize packets, fragments, jabbers, CRC alignment errors,
collisions, drop events, and packets of specified lengths
– 605 –
CHAPTER 22 | Remote Monitoring Commands
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#rmon collection rmon1 controlEntry 1 owner mike
Console(config-if)#
show rmon alarms This command shows the settings for all configured alarms.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show rmon alarms
Alarm 1 is valid, owned by
Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds
Taking delta samples, last value was 0
Rising threshold is 892800, assigned to event 0
Falling threshold is 446400, assigned to event 0
.
.
.
show rmon events This command shows the settings for all configured events.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show rmon events
Event 2 is valid, owned by mike
Description is urgent
Event firing causes log and trap to community , last fired
Console#
00:00:00
show rmon history This command shows the sampling parameters configured for each entry in
the history group.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show rmon history
Entry 1 is valid, and owned by
Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds
Requested # of time intervals, ie buckets, is 8
Granted # of time intervals, ie buckets, is 8
Sample # 1 began measuring at 00:00:01
Received 77671 octets, 1077 packets,
61 broadcast and 978 multicast packets,
– 606 –
CHAPTER 22 | Remote Monitoring Commands
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers packets,
0 CRC alignment errors and 0 collisions.
# of dropped packet events is 0
Network utilization is estimated at 0
.
.
.
show rmon This command shows the information collected for all configured entries in
statistics the statistics group.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show rmon statistics
Interface 1 is valid, and owned by
Monitors 1.3.6.1.2.1.2.2.1.1.1 which has
Received 164289 octets, 2372 packets,
120 broadcast and 2211 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions.
# of dropped packet events (due to lack of resources): 0
# of packets received of length (in octets):
64: 2245, 65-127: 87, 128-255: 31,
256-511: 5, 512-1023: 2, 1024-1518: 2
.
.
.
– 607 –
CHAPTER 22 | Remote Monitoring Commands
– 608 –
23
AUTHENTICATION COMMANDS
You can configure this switch to authenticate users logging into the system
for management access using local or remote authentication methods.
Port-based authentication using IEEE 802.1X can also be configured to
control either management access to the uplink ports or client access13 to
the data ports.
Table 63: Authentication Commands
Command Group
Function
User Accounts
Configures the basic user names and passwords for management
access
Authentication Sequence
Defines logon authentication method and precedence
RADIUS Client
Configures settings for authentication via a RADIUS server
TACACS+ Client
Configures settings for authentication via a TACACS+ server
AAA
Configures authentication, authorization, and accounting for
network access
Web Server
Enables management access via a web browser
Telnet Server
Enables management access via Telnet
Secure Shell
Provides secure replacement for Telnet
802.1X Port
Authentication
Configures host authentication on specific ports using 802.1X
Management IP Filter
Configures IP addresses that are allowed management access
USER ACCOUNTS
The basic commands required for management access are listed in this
section. This switch also includes other options for password checking via
the console or a Telnet connection (page 544), user authentication via a
remote authentication server (page 609), and host access authentication
for specific ports (page 645).
Table 64: User Access Commands
Command
Function
Mode
enable password
Sets a password to control access to the Privileged
Exec level
GC
username
Establishes a user name-based authentication system
at login
GC
13. For other methods of controlling client access, see "General Security Measures" on
page 663.
– 609 –
CHAPTER 23 | Authentication Commands
User Accounts
enable password After initially logging onto the system, you should set the Privileged Exec
password. Remember to record it in a safe place. This command controls
access to the Privileged Exec level from the Normal Exec level. Use the no
form to reset the default password.
SYNTAX
enable password [level level] {0 | 7} password
no enable password [level level]
level level - Level 15 for Privileged Exec. (Levels 0-14 are not
used.)
{0 | 7} - 0 means plain password, 7 means encrypted password.
password - Password for this privilege level. (Maximum length:
8 characters plain text, 32 encrypted, case sensitive)
DEFAULT SETTING
The default is level 15.
The default password is “super”
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ You cannot set a null password. You will have to enter a password to
change the command mode from Normal Exec to Privileged Exec with
the enable command.
◆
The encrypted password is required for compatibility with legacy
password settings (i.e., plain text or encrypted) when reading the
configuration file during system bootup or when downloading the
configuration file from a TFTP server. There is no need for you to
manually configure encrypted passwords.
EXAMPLE
Console(config)#enable password level 15 0 admin
Console(config)#
RELATED COMMANDS
enable (519)
authentication enable (612)
– 610 –
CHAPTER 23 | Authentication Commands
User Accounts
username This command adds named users, requires authentication at login,
specifies or changes a user's password (or specify that no password is
required), or specifies or changes a user's access level. Use the no form to
remove a user name.
SYNTAX
username name {access-level level | nopassword |
password {0 | 7} password}
no username name
name - The name of the user. (Maximum length: 8 characters,
case sensitive. Maximum users: 16)
access-level level - Specifies the user level.
The device has two predefined privilege levels:
0: Normal Exec, 15: Privileged Exec.
nopassword - No password is required for this user to log in.
{0 | 7} - 0 means plain password, 7 means encrypted password.
password password - The authentication password for the user.
(Maximum length: 32 characters plain text or encrypted, case
sensitive)
DEFAULT SETTING
The default access level is Normal Exec.
The factory defaults for the user names and passwords are:
Table 65: Default Login Settings
username
access-level
password
guest
admin
0
15
guest
admin
COMMAND MODE
Global Configuration
COMMAND USAGE
The encrypted password is required for compatibility with legacy password
settings (i.e., plain text or encrypted) when reading the configuration file
during system bootup or when downloading the configuration file from an
FTP/TFTP server. There is no need for you to manually configure encrypted
passwords.
EXAMPLE
This example shows how the set the access level and password for a user.
Console(config)#username bob access-level 15
Console(config)#username bob password 0 smith
Console(config)#
– 611 –
CHAPTER 23 | Authentication Commands
Authentication Sequence
AUTHENTICATION SEQUENCE
Three authentication methods can be specified to authenticate users
logging into the system for management access. The commands in this
section can be used to define the authentication method and sequence.
Table 66: Authentication Sequence Commands
Command
Function
Mode
authentication enable
Defines the authentication method and precedence for
command mode change
GC
authentication login
Defines logon authentication method and precedence
GC
authentication This command defines the authentication method and precedence to use
enable when changing from Exec command mode to Privileged Exec command
mode with the enable command. Use the no form to restore the default.
SYNTAX
authentication enable {[local] [radius] [tacacs]}
no authentication enable
local - Use local password only.
radius - Use RADIUS server password only.
tacacs - Use TACACS server password.
DEFAULT SETTING
Local
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort
delivery, while TCP offers a connection-oriented transport. Also, note
that RADIUS encrypts only the password in the access-request packet
from the client to the server, while TACACS+ encrypts the entire body
of the packet.
◆
RADIUS and TACACS+ logon authentication assigns a specific privilege
level for each user name and password pair. The user name, password,
and privilege level must be configured on the authentication server.
◆
You can specify three authentication methods in a single command to
indicate the authentication sequence. For example, if you enter
“authentication enable radius tacacs local,” the user name and
password on the RADIUS server is verified first. If the RADIUS server is
not available, then authentication is attempted on the TACACS+ server.
If the TACACS+ server is not available, the local user name and
password is checked.
– 612 –
CHAPTER 23 | Authentication Commands
Authentication Sequence
EXAMPLE
Console(config)#authentication enable radius
Console(config)#
RELATED COMMANDS
enable password - sets the password for changing command modes (610)
authentication login This command defines the login authentication method and precedence.
Use the no form to restore the default.
SYNTAX
authentication login {[local] [radius] [tacacs]}
no authentication login
local - Use local password.
radius - Use RADIUS server password.
tacacs - Use TACACS server password.
DEFAULT SETTING
Local
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort
delivery, while TCP offers a connection-oriented transport. Also, note
that RADIUS encrypts only the password in the access-request packet
from the client to the server, while TACACS+ encrypts the entire body
of the packet.
◆
RADIUS and TACACS+ logon authentication assigns a specific privilege
level for each user name and password pair. The user name, password,
and privilege level must be configured on the authentication server.
◆
You can specify three authentication methods in a single command to
indicate the authentication sequence. For example, if you enter
“authentication login radius tacacs local,” the user name and
password on the RADIUS server is verified first. If the RADIUS server is
not available, then authentication is attempted on the TACACS+ server.
If the TACACS+ server is not available, the local user name and
password is checked.
EXAMPLE
Console(config)#authentication login radius
Console(config)#
– 613 –
CHAPTER 23 | Authentication Commands
RADIUS Client
RELATED COMMANDS
username - for setting the local user names and passwords (611)
RADIUS CLIENT
Remote Authentication Dial-in User Service (RADIUS) is a logon
authentication protocol that uses software running on a central server to
control access to RADIUS-aware devices on the network. An authentication
server contains a database of multiple user name/password pairs with
associated privilege levels for each user or group that require management
access to a switch.
Table 67: RADIUS Client Commands
Command
Function
Mode
radius-server acct-port
Sets the RADIUS server network port
GC
radius-server auth-port
Sets the RADIUS server network port
GC
radius-server host
Specifies the RADIUS server
GC
radius-server key
Sets the RADIUS encryption key
GC
radius-server retransmit
Sets the number of retries
GC
radius-server timeout
Sets the interval between sending authentication
requests
GC
show radius-server
Shows the current RADIUS settings
PE
radius-server This command sets the RADIUS server network port for accounting
acct-port messages. Use the no form to restore the default.
SYNTAX
radius-server acct-port port-number
no radius-server acct-port
port-number - RADIUS server UDP port used for accounting
messages. (Range: 1-65535)
DEFAULT SETTING
1813
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#radius-server acct-port 181
Console(config)#
– 614 –
CHAPTER 23 | Authentication Commands
RADIUS Client
radius-server This command sets the RADIUS server network port. Use the no form to
auth-port restore the default.
SYNTAX
radius-server auth-port port-number
no radius-server auth-port
port-number - RADIUS server UDP port used for authentication
messages. (Range: 1-65535)
DEFAULT SETTING
1812
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#radius-server auth-port 181
Console(config)#
radius-server host This command specifies primary and backup RADIUS servers, and
authentication and accounting parameters that apply to each server. Use
the no form to remove a specified server, or to restore the default values.
SYNTAX
[no] radius-server index host host-ip-address [acct-port acct-port]
[auth-port auth-port] [key key] [retransmit retransmit]
[timeout timeout]
index - Allows you to specify up to five servers. These servers are
queried in sequence until a server responds or the retransmit period
expires.
host-ip-address - IP address of server.
acct-port - RADIUS server UDP port used for accounting messages.
(Range: 1-65535)
auth-port - RADIUS server UDP port used for authentication
messages. (Range: 1-65535)
key - Encryption key used to authenticate logon access for client.
Do not use blank spaces in the string. (Maximum length: 48
characters)
retransmit - Number of times the switch will try to authenticate
logon access via the RADIUS server. (Range: 1-30)
timeout - Number of seconds the switch waits for a reply before
resending a request. (Range: 1-65535)
– 615 –
CHAPTER 23 | Authentication Commands
RADIUS Client
DEFAULT SETTING
auth-port - 1812
acct-port - 1813
timeout - 5 seconds
retransmit - 2
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10
retransmit 5 key green
Console(config)#
radius-server key This command sets the RADIUS encryption key. Use the no form to restore
the default.
SYNTAX
radius-server key key-string
no radius-server key
key-string - Encryption key used to authenticate logon access for
client. Do not use blank spaces in the string. (Maximum length: 48
characters)
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#radius-server key green
Console(config)#
radius-server This command sets the number of retries. Use the no form to restore the
retransmit default.
SYNTAX
radius-server retransmit number-of-retries
no radius-server retransmit
number-of-retries - Number of times the switch will try to
authenticate logon access via the RADIUS server. (Range: 1 - 30)
– 616 –
CHAPTER 23 | Authentication Commands
RADIUS Client
DEFAULT SETTING
2
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#radius-server retransmit 5
Console(config)#
radius-server This command sets the interval between transmitting authentication
timeout requests to the RADIUS server. Use the no form to restore the default.
SYNTAX
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a
reply before resending a request. (Range: 1-65535)
DEFAULT SETTING
5
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#radius-server timeout 10
Console(config)#
show radius-server This command displays the current settings for the RADIUS server.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
Authentication Port Number : 1812
Accounting Port Number
: 1813
– 617 –
CHAPTER 23 | Authentication Commands
TACACS+ Client
Retransmit Times
Request Timeout
Key
: 2
: 5
:
Server 1:
Server IP Address
Authentication Port Number
Accounting Port Number
Retransmit Times
Request Timeout
Key
:
:
:
:
:
:
192.168.1.1
1812
1813
2
5
*
Radius Server Group:
Group Name
Member Index
------------------------- ------------radius
1
Console#
TACACS+ CLIENT
Terminal Access Controller Access Control System (TACACS+) is a logon
authentication protocol that uses software running on a central server to
control access to TACACS-aware devices on the network. An authentication
server contains a database of multiple user name/password pairs with
associated privilege levels for each user or group that require management
access to a switch.
Table 68: TACACS+ Client Commands
Command
Function
Mode
tacacs-server host
Specifies the TACACS+ server and optional
parameters
GC
tacacs-server key
Sets the TACACS+ encryption key
GC
tacacs-server port
Specifies the TACACS+ server network port
GC
show tacacs-server
Shows the current TACACS+ settings
GC
tacacs-server host This command specifies the TACACS+ server and other optional
parameters. Use the no form to remove the server, or to restore the
default values.
SYNTAX
tacacs-server index host host-ip-address [key key]
[port port-number] [retransmit retransmit] [timeout timeout]
no tacacs-server index
index - The index for this server. (Range: 1)
host-ip-address - IP address of a TACACS+ server.
key - Encryption key used to authenticate logon access for the
client. Do not use blank spaces in the string. (Maximum length: 48
characters)
– 618 –
CHAPTER 23 | Authentication Commands
TACACS+ Client
port-number - TACACS+ server TCP port used for authentication
messages. (Range: 1-65535)
retransmit - Number of times the switch will try to authenticate
logon access via the TACACS+ server. (Range: 1-30)
timeout - Number of seconds the switch waits for a reply before
resending a request. (Range: 1-540)
DEFAULT SETTING
authentication port - 49
timeout - 4 seconds
retransmit - 2
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10
retransmit 5 key green
Console(config)#
tacacs-server key This command sets the TACACS+ encryption key. Use the no form to
restore the default.
SYNTAX
tacacs-server key key-string
no tacacs-server key
key-string - Encryption key used to authenticate logon access for
the client. Do not use blank spaces in the string.
(Maximum length: 48 characters)
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#tacacs-server key green
Console(config)#
– 619 –
CHAPTER 23 | Authentication Commands
TACACS+ Client
tacacs-server port This command specifies the TACACS+ server network port. Use the no
form to restore the default.
SYNTAX
tacacs-server port port-number
no tacacs-server port
port-number - TACACS+ server TCP port used for authentication
messages. (Range: 1-65535)
DEFAULT SETTING
49
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#tacacs-server port 181
Console(config)#
show tacacs-server This command displays the current settings for the TACACS+ server.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show tacacs-server
Remote TACACS+ Server Configuration:
Global Settings:
Server Port Number : 49
Key
: *
Server 1:
Server IP Address : 192.168.1.25
Server Port Number : 181
Server Time Out : 4
Key
: *
Console#
– 620 –
CHAPTER 23 | Authentication Commands
AAA
AAA
The Authentication, Authorization, and Accounting (AAA) feature provides
the main framework for configuring access control on the switch. The AAA
functions require the use of configured RADIUS or TACACS+ servers in the
network.
Table 69: AAA Commands
Command
Function
Mode
aaa accounting
commands
Enables accounting of Exec mode commands
GC
aaa accounting dot1x
Enables accounting of 802.1X services
GC
aaa accounting exec
Enables accounting of Exec services
GC
aaa accounting update
Enables periodoc updates to be sent to the accounting
server
GC
aaa authorization exec
Enables authorization of Exec sessions
GC
aaa group server
Groups security servers in to defined lists
GC
server
Configures the IP address of a server in a group list
SG
accounting dot1x
Applies an accounting method to an interface for
802.1X service requests
IC
accounting exec
Applies an accounting method to local console, Telnet
or SSH connections
Line
authorization exec
Applies an authorization method to local console,
Telnet or SSH connections
Line
show accounting
Displays all accounting information
PE
aaa accounting This command enables the accounting of Exec mode commands. Use the
commands no form to disable the accounting service.
SYNTAX
aaa accounting commands level {default | method-name}
start-stop group {tacacs+ |server-group}
no aaa accounting commands level {default | method-name}
level - The privilege level for executing commands. (Range: 0-15)
default - Specifies the default accounting method for service
requests.
method-name - Specifies an accounting method for service
requests. (Range: 1-255 characters)
start-stop - Records accounting from starting point and stopping
point.
– 621 –
CHAPTER 23 | Authentication Commands
AAA
group - Specifies the server group to use.
tacacs+ - Specifies all TACACS+ hosts configure with the
tacacs-server host command.
server-group - Specifies the name of a server group configured
with the aaa group server command. (Range: 1-255 characters)
DEFAULT SETTING
Accounting is not enabled
No servers are specified
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The accounting of Exec mode commands is only supported by TACACS+
servers.
◆
Note that the default and method-name fields are only used to
describe the accounting method(s) configured on the specified
TACACS+ server, and do not actually send any information to the
server about the methods to use.
EXAMPLE
Console(config)#aaa accounting commands 15 default start-stop group tacacs+
Console(config)#
aaa accounting This command enables the accounting of requested 802.1X services for
dot1x network access. Use the no form to disable the accounting service.
SYNTAX
aaa accounting dot1x {default | method-name}
start-stop group {radius | tacacs+ |server-group}
no aaa accounting dot1x {default | method-name}
default - Specifies the default accounting method for service
requests.
method-name - Specifies an accounting method for service
requests. (Range: 1-255 characters)
start-stop - Records accounting from starting point and stopping
point.
– 622 –
CHAPTER 23 | Authentication Commands
AAA
group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configure with the radiusserver host command.
tacacs+ - Specifies all TACACS+ hosts configure with the
tacacs-server host command.
server-group - Specifies the name of a server group configured
with the aaa group server command. (Range: 1-255 characters)
DEFAULT SETTING
Accounting is not enabled
No servers are specified
COMMAND MODE
Global Configuration
COMMAND USAGE
Note that the default and method-name fields are only used to describe
the accounting method(s) configured on the specified RADIUS or TACACS+
servers, and do not actually send any information to the servers about the
methods to use.
EXAMPLE
Console(config)#aaa accounting dot1x default start-stop group radius
Console(config)#
aaa accounting exec This command enables the accounting of requested Exec services for
network access. Use the no form to disable the accounting service.
SYNTAX
aaa accounting exec {default | method-name}
start-stop group {radius | tacacs+ |server-group}
no aaa accounting exec {default | method-name}
default - Specifies the default accounting method for service
requests.
method-name - Specifies an accounting method for service
requests. (Range: 1-255 characters)
start-stop - Records accounting from starting point and stopping
point.
– 623 –
CHAPTER 23 | Authentication Commands
AAA
group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configure with the radiusserver host command.
tacacs+ - Specifies all TACACS+ hosts configure with the
tacacs-server host command.
server-group - Specifies the name of a server group configured
with the aaa group server command. (Range: 1-255 characters)
DEFAULT SETTING
Accounting is not enabled
No servers are specified
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ This command runs accounting for Exec service requests for the local
console and Telnet connections.
◆
Note that the default and method-name fields are only used to
describe the accounting method(s) configured on the specified RADIUS
or TACACS+ servers, and do not actually send any information to the
servers about the methods to use.
EXAMPLE
Console(config)#aaa accounting exec default start-stop group tacacs+
Console(config)#
aaa accounting This command enables the sending of periodic updates to the accounting
update server. Use the no form to restore the default setting.
SYNTAX
aaa accounting update [periodic interval]
no aaa accounting update
interval - Sends an interim accounting record to the server at this
interval. (Range: 0-2147483647 minutes; where 0 means disabled)
DEFAULT SETTING
1 minute
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ When accounting updates are enabled, the switch issues periodic
interim accounting records for all users on the system.
– 624 –
CHAPTER 23 | Authentication Commands
AAA
◆
Using the command without specifying an interim interval enables
updates, but does not change the current interval setting.
EXAMPLE
Console(config)#aaa accounting update periodic 30
Console(config)#
aaa authorization This command enables the authorization for Exec access. Use the no form
exec to disable the authorization service.
SYNTAX
aaa authorization exec {default | method-name}
group {tacacs+ | server-group}
no aaa authorization exec {default | method-name}
default - Specifies the default authorization method for Exec
access.
method-name - Specifies an authorization method for Exec access.
(Range: 1-255 characters)
group - Specifies the server group to use.
tacacs+ - Specifies all TACACS+ hosts configured with the
tacacs-server host command.
server-group - Specifies the name of a server group configured
with the aaa group server command. (Range: 1-255 characters)
DEFAULT SETTING
Authorization is not enabled
No servers are specified
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ This command performs authorization to determine if a user is allowed
to run an Exec shell.
◆
AAA authentication must be enabled before authorization is enabled.
◆
If this command is issued without a specified named method, the
default method list is applied to all interfaces or lines (where this
authorization type applies), except those that have a named method
explicitly defined.
EXAMPLE
Console(config)#aaa authorization exec default group tacacs+
Console(config)#
– 625 –
CHAPTER 23 | Authentication Commands
AAA
aaa group server Use this command to name a group of security server hosts. To remove a
server group from the configuration list, enter the no form of this
command.
SYNTAX
[no] aaa group server {radius | tacacs+} group-name
radius - Defines a RADIUS server group.
tacacs+ - Defines a TACACS+ server group.
group-name - A text string that names a security server group.
(Range: 1-7 characters)
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#aaa group server radius tps
Console(config-sg-radius)#
server This command adds a security server to an AAA server group. Use the no
form to remove the associated server from the group.
SYNTAX
[no] server {index | ip-address}
index - Specifies the server index.
(Range: RADIUS 1-5, TACACS+ 1)
ip-address - Specifies the host IP address of a server.
DEFAULT SETTING
None
COMMAND MODE
Server Group Configuration
COMMAND USAGE
◆ When specifying the index for a RADIUS server, that server index must
already be defined by the radius-server host command.
◆
When specifying the index for a TACACS+ server, that server index
must already be defined by the tacacs-server host command.
– 626 –
CHAPTER 23 | Authentication Commands
AAA
EXAMPLE
Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.120
Console(config-sg-radius)#
accounting dot1x This command applies an accounting method for 802.1X service requests
on an interface. Use the no form to disable accounting on the interface.
SYNTAX
accounting dot1x {default | list-name}
no accounting dot1x
default - Specifies the default method list created with the aaa
accounting dot1x command.
list-name - Specifies a method list created with the aaa accounting
dot1x command.
DEFAULT SETTING
None
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface ethernet 1/2
Console(config-if)#accounting dot1x tps
Console(config-if)#
accounting exec This command applies an accounting method to local console, Telnet or
SSH connections. Use the no form to disable accounting on the line.
SYNTAX
accounting exec {default | list-name}
no accounting exec
default - Specifies the default method list created with the aaa
accounting exec command.
list-name - Specifies a method list created with the aaa accounting
exec command.
DEFAULT SETTING
None
COMMAND MODE
Line Configuration
– 627 –
CHAPTER 23 | Authentication Commands
AAA
EXAMPLE
Console(config)#line console
Console(config-line)#accounting exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#accounting exec default
Console(config-line)#
authorization exec This command applies an authorization method to local console, Telnet or
SSH connections. Use the no form to disable authorization on the line.
SYNTAX
authorization exec {default | list-name}
no authorization exec
default - Specifies the default method list created with the aaa
authorization exec command.
list-name - Specifies a method list created with the aaa
authorization exec command.
DEFAULT SETTING
None
COMMAND MODE
Line Configuration
EXAMPLE
Console(config)#line console
Console(config-line)#authorization exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec default
Console(config-line)#
show accounting This command displays the current accounting settings per function and
per port.
SYNTAX
show accounting [[dot1x [statistics [username user-name |
interface interface]] | exec [statistics] | statistics]
level - Displays command accounting information for a specifiable
command level.
dot1x - Displays dot1x accounting information.
exec - Displays Exec accounting records.
statistics - Displays accounting records.
– 628 –
CHAPTER 23 | Authentication Commands
Web Server
user-name - Displays accounting records for a specifiable
username.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-26)
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show accounting
Accounting Type: dot1x
Method List
: default
Group List
: radius
Interface
: Eth 1/1
Method List
Group List
Interface
: tps
: radius
: Eth 1/2
Accounting Type: EXEC
Method List
: default
Group List
: tacacs+
Interface
: vty
Console#
WEB SERVER
This section describes commands used to configure web browser
management access to the switch.
Table 70: Web Server Commands
Command
Function
Mode
ip http port
Specifies the port to be used by the web browser
interface
GC
ip http server
Allows the switch to be monitored or configured from
a browser
GC
ip http secure-port
Specifies the UDP port number for HTTPS
GC
ip http secure-server
Enables HTTPS (HTTP/SSL) for encrypted
communications
GC
NOTE: Users are automatically logged off of the HTTP server or HTTPS
server if no input is detected for 600 seconds.
– 629 –
CHAPTER 23 | Authentication Commands
Web Server
ip http port This command specifies the TCP port number used by the web browser
interface. Use the no form to use the default port.
SYNTAX
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface.
(Range: 1-65535)
DEFAULT SETTING
80
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#ip http port 769
Console(config)#
RELATED COMMANDS
ip http server (630)
show system (530)
ip http server This command allows this device to be monitored or configured from a
browser. Use the no form to disable this function.
SYNTAX
[no] ip http server
DEFAULT SETTING
Enabled
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#ip http server
Console(config)#
RELATED COMMANDS
ip http port (630)
show system (530)
– 630 –
CHAPTER 23 | Authentication Commands
Web Server
ip http secure-port This command specifies the UDP port number used for HTTPS connection to
the switch’s web interface. Use the no form to restore the default port.
SYNTAX
ip http secure-port port_number
no ip http secure-port
port_number – The UDP port used for HTTPS. (Range: 1-65535)
DEFAULT SETTING
443
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ If you change the HTTPS port number, clients attempting to connect to
the HTTPS server must specify the port number in the URL, in this
format: https://device:port_number
EXAMPLE
Console(config)#ip http secure-port 1000
Console(config)#
RELATED COMMANDS
ip http secure-server (631)
show system (530)
ip http This command enables the secure hypertext transfer protocol (HTTPS) over
secure-server the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted
connection) to the switch’s web interface. Use the no form to disable this
function.
SYNTAX
[no] ip http secure-server
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ HTTP and HTTPS are implemented as mutually exclusive services on the
switch.
◆
If you enable HTTPS, you must indicate this in the URL that you specify
in your browser: https://device[:port_number]
– 631 –
CHAPTER 23 | Authentication Commands
Web Server
◆
When you start HTTPS, the connection is established in this way:
■
■
■
◆
The client authenticates the server using the server’s digital
certificate.
The client and server negotiate a set of security protocols to use for
the connection.
The client and server generate session keys for encrypting and
decrypting data.
The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer 6.x
or above, and Mozilla Firefox 3.6.2/4/5.
The following web browsers and operating systems currently support
HTTPS:
Table 71: HTTPS System Support
Web Browser
Operating System
Internet Explorer 6.0 or later
Windows 98,Windows NT (with service pack 6a),
Windows 2000, Windows XP, Windows Vista, Windows 7,
Windows 8
Mozilla Firefox 3.6.2 or later
Windows 2000, Windows XP, Linux
◆
To specify a secure-site certificate, see “Replacing the Default Securesite Certificate” on page 308. Also refer to the copy tftp https-certificate
command.
◆
Connection to the web interface is not supported for HTTPS using an
IPv6 link local address.
EXAMPLE
Console(config)#ip http secure-server
Console(config)#
RELATED COMMANDS
ip http secure-port (631)
copy tftp https-certificate (536)
show system (530)
– 632 –
CHAPTER 23 | Authentication Commands
Telnet Server
TELNET SERVER
This section describes commands used to configure Telnet management
access to the switch.
Table 72: Telnet Server Commands
Command
Function
Mode
ip telnet max-sessions
Specifies the maximum number of Telnet sessions that
can simultaneously connect to this system
GC
ip telnet port
Specifies the port to be used by the Telnet interface
GC
ip telnet server
Allows the switch to be monitored or configured from
Telnet
GC
show ip telnet
Displays configuration settings for the Telnet server
PE
NOTE: This switch also supports a Telnet client function. A Telnet connection
can be made from this switch to another device by entering the telnet
command at the Privileged Exec configuration level.
ip telnet This command specifies the maximum number of Telnet sessions that can
max-sessions simultaneously connect to this system. Use the no from to restore the
default setting.
SYNTAX
ip telnet max-sessions session-count
no ip telnet max-sessions
session-count - The maximum number of allowed Telnet session.
(Range: 0-4)
DEFAULT SETTING
4 sessions
COMMAND MODE
Global Configuration
COMMAND USAGE
A maximum of four sessions can be concurrently opened for Telnet and
Secure Shell (i.e., both Telnet and SSH share a maximum number or four
sessions).
EXAMPLE
Console(config)#ip telnet max-sessions 1
Console(config)#
– 633 –
CHAPTER 23 | Authentication Commands
Telnet Server
ip telnet port This command specifies the TCP port number used by the Telnet interface.
Use the no form to use the default port.
SYNTAX
ip telnet port port-number
no telnet port
port-number - The TCP port number to be used by the browser
interface. (Range: 1-65535)
DEFAULT SETTING
23
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#ip telnet port 123
Console(config)#
ip telnet server This command allows this device to be monitored or configured from
Telnet. Use the no form to disable this function.
SYNTAX
[no] ip telnet server
DEFAULT SETTING
Enabled
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#ip telnet server
Console(config)#
– 634 –
CHAPTER 23 | Authentication Commands
Secure Shell
show ip telnet This command displays the configuration settings for the Telnet server.
COMMAND MODE
Normal Exec, Privileged Exec
EXAMPLE
Console#show ip telnet
IP Telnet Configuration:
Telnet Status: Enabled
Telnet Service Port: 23
Telnet Max Session: 4
Console#
SECURE SHELL
This section describes the commands used to configure the SSH server.
Note that you also need to install a SSH client on the management station
when using this protocol to configure the switch.
NOTE: The switch supports both SSH Version 1.5 and 2.0 clients.
Table 73: Secure Shell Commands
Command
Function
Mode
ip ssh authenticationretries
Specifies the number of retries allowed by a client
GC
ip ssh server
Enables the SSH server on the switch
GC
ip ssh server-key size
Sets the SSH server key size
GC
ip ssh timeout
Specifies the authentication timeout for the SSH
server
GC
copy tftp public-key
Copies the user’s public key from a TFTP server to the
switch
PE
delete public-key
Deletes the public key for the specified user
PE
disconnect
Terminates a line connection
PE
ip ssh crypto host-key
generate
Generates the host key
PE
ip ssh crypto zeroize
Clear the host key from RAM
PE
ip ssh save host-key
Saves the host key from RAM to flash memory
PE
show ip ssh
Displays the status of the SSH server and the
configured values for authentication timeout and
retries
PE
show public-key
Shows the public key for the specified user or for the
host
PE
– 635 –
CHAPTER 23 | Authentication Commands
Secure Shell
Table 73: Secure Shell Commands (Continued)
Command
Function
Mode
show ssh
Displays the status of current SSH sessions
PE
show users
Shows SSH users, including privilege level and public
key type
PE
Configuration Guidelines
The SSH server on this switch supports both password and public key
authentication. If password authentication is specified by the SSH client,
then the password can be authenticated either locally or via a RADIUS or
TACACS+ remote authentication server, as specified by the authentication
login command. If public key authentication is specified by the client, then
you must configure authentication keys on both the client and the switch
as described in the following section. Note that regardless of whether you
use public key or password authentication, you still have to generate
authentication keys on the switch and enable the SSH server.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate
command to create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs
automatically import the host public key during the initial connection
setup with the switch. Otherwise, you need to manually create a known
hosts file on the management station and place the host public key in
it. An entry for a public key in the known hosts file would appear similar
to the following example:
10.1.0.54 1024 35
15684995401867669259333946775054617325313674890836547254
15020245593199868544358361651999923329781766065830956
10825913212890233765468017262725714134287629413011961955667825
95664104869574278881462065194174677298486546861571773939016477
93559423035774130980227370877945452408397175264635805817671670
9574804776117
3. Import Client’s Public Key to the Switch – Use the copy tftp public-key
command to copy a file containing the public key for all the SSH client’s
granted management access to the switch. (Note that these clients
must be configured locally on the switch with the username command.)
The clients are subsequently authenticated using these keys. The
current firmware only accepts public key files based on standard UNIX
format as shown in the following example for an RSA key:
1024 35
13410816856098939210409449201554253476316419218729589211431738
80055536161631051775940838686311092912322268285192543746031009
37187721199696317813662774141689851320491172048303392543241016
37997592371449011938006090253948408482717819437228840253311595
2134861022902978982721353267131629432532818915045306393916643
steve@192.168.1.19
– 636 –
CHAPTER 23 | Authentication Commands
Secure Shell
4. Set the Optional Parameters – Set other optional parameters, including
the authentication timeout, the number of retries, and the server key
size.
5. Enable SSH Service – Use the ip ssh server command to enable the
SSH server on the switch.
6. Authentication – One of the following authentication methods is
employed:
Password Authentication (for SSH v1.5 or V2 Clients)
a. The client sends its password to the server.
b. The switch compares the client's password to those stored in
memory.
c. If a match is found, the connection is allowed.
NOTE: To use SSH with only password authentication, the host public key
must still be given to the client, either during initial connection or manually
entered into the known host file. However, you do not need to configure
the client's keys.
Public Key Authentication – When an SSH client attempts to contact the
switch, the SSH server uses the host key pair to negotiate a session
key and encryption method. Only clients that have a private key
corresponding to the public keys stored on the switch can access it. The
following exchanges take place during this process:
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b. The switch compares the client's public key to those stored in
memory.
c. If a match is found, the switch uses its secret key to generate
a random 256-bit string as a challenge, encrypts this string
with the user’s public key, and sends it to the client.
d. The client uses its private key to decrypt the challenge string,
computes the MD5 checksum, and sends the checksum back
to the switch.
e. The switch compares the checksum sent from the client
against that computed for the original string it sent. If the two
check sums match, this means that the client's private key
corresponds to an authorized public key, and the client is
authenticated.
Authenticating SSH v2 Clients
a. The client first queries the switch to determine if DSA public
key authentication using a preferred algorithm is acceptable.
b. If the specified algorithm is supported by the switch, it notifies
the client to proceed with the authentication process.
Otherwise, it rejects the request.
– 637 –
CHAPTER 23 | Authentication Commands
Secure Shell
c. The client sends a signature generated using the private key
to the switch.
d. When the server receives this message, it checks whether the
supplied key is acceptable for authentication, and if so, it then
checks whether the signature is correct. If both checks
succeed, the client is authenticated.
NOTE: The SSH server supports up to four client sessions. The maximum
number of client sessions includes both current Telnet sessions and SSH
sessions.
NOTE: The SSH server can be accessed using any configured IPv4 or IPv6
interface address on the switch.
ip ssh This command configures the number of times the SSH server attempts to
authentication- reauthenticate a user. Use the no form to restore the default setting.
retries
SYNTAX
ip ssh authentication-retries count
no ip ssh authentication-retries
count – The number of authentication attempts permitted after
which the interface is reset. (Range: 1-5)
DEFAULT SETTING
3
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#ip ssh authentication-retires 2
Console(config)#
RELATED COMMANDS
show ip ssh (643)
ip ssh server This command enables the Secure Shell (SSH) server on this switch. Use
the no form to disable this service.
SYNTAX
[no] ip ssh server
DEFAULT SETTING
Disabled
– 638 –
CHAPTER 23 | Authentication Commands
Secure Shell
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The SSH server supports up to four client sessions. The maximum
number of client sessions includes both current Telnet sessions and
SSH sessions.
◆
The SSH server uses DSA or RSA for key exchange when the client first
establishes a connection with the switch, and then negotiates with the
client to select either DES (56-bit) or 3DES (168-bit) for data
encryption.
◆
You must generate DSA and RSA host keys before enabling the SSH
server.
EXAMPLE
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#
RELATED COMMANDS
ip ssh crypto host-key generate (641)
show ssh (644)
ip ssh server-key This command sets the SSH server key size. Use the no form to restore the
size default setting.
SYNTAX
ip ssh server-key size key-size
no ip ssh server-key size
key-size – The size of server key. (Range: 512-896 bits)
DEFAULT SETTING
768 bits
COMMAND MODE
Global Configuration
COMMAND USAGE
The server key is a private key that is never shared outside the switch.
The host key is shared with the SSH client, and is fixed at 1024 bits.
EXAMPLE
Console(config)#ip ssh server-key size 512
Console(config)#
– 639 –
CHAPTER 23 | Authentication Commands
Secure Shell
ip ssh timeout This command configures the timeout for the SSH server. Use the no form
to restore the default setting.
SYNTAX
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation.
(Range: 1-120)
DEFAULT SETTING
10 seconds
COMMAND MODE
Global Configuration
COMMAND USAGE
The timeout specifies the interval the switch will wait for a response from
the client during the SSH negotiation phase. Once an SSH session has been
established, the timeout for user input is controlled by the exec-timeout
command for vty sessions.
EXAMPLE
Console(config)#ip ssh timeout 60
Console(config)#
RELATED COMMANDS
exec-timeout (546)
show ip ssh (643)
delete public-key This command deletes the specified user’s public key.
SYNTAX
delete public-key username [dsa | rsa]
username – Name of an SSH user. (Range: 1-8 characters)
dsa – DSA public key type.
rsa – RSA public key type.
DEFAULT SETTING
Deletes both the DSA and RSA key.
COMMAND MODE
Privileged Exec
– 640 –
CHAPTER 23 | Authentication Commands
Secure Shell
EXAMPLE
Console#delete public-key admin dsa
Console#
ip ssh crypto This command generates the host key pair (i.e., public and private).
host-key generate
SYNTAX
ip ssh crypto host-key generate [dsa | rsa]
dsa – DSA (Version 2) key type.
rsa – RSA (Version 1) key type.
DEFAULT SETTING
Generates both the DSA and RSA key pairs.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ The switch uses only RSA Version 1 for SSHv1.5 clients and DSA
Version 2 for SSHv2 clients.
◆
This command stores the host key pair in memory (i.e., RAM). Use the
ip ssh save host-key command to save the host key pair to flash
memory.
◆
Some SSH client programs automatically add the public key to the
known hosts file as part of the configuration process. Otherwise, you
must manually create a known hosts file and place the host public key
in it.
◆
The SSH server uses this host key to negotiate a session key and
encryption method with the client trying to connect to it.
EXAMPLE
Console#ip ssh crypto host-key generate dsa
Console#
RELATED COMMANDS
ip ssh crypto zeroize (642)
ip ssh save host-key (642)
– 641 –
CHAPTER 23 | Authentication Commands
Secure Shell
ip ssh crypto This command clears the host key from memory (i.e. RAM).
zeroize
SYNTAX
ip ssh crypto zeroize [dsa | rsa]
dsa – DSA key type.
rsa – RSA key type.
DEFAULT SETTING
Clears both the DSA and RSA key.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ This command clears the host key from volatile memory (RAM). Use
the no ip ssh save host-key command to clear the host key from flash
memory.
◆
The SSH server must be disabled before you can execute this
command.
EXAMPLE
Console#ip ssh crypto zeroize dsa
Console#
RELATED COMMANDS
ip ssh crypto host-key generate (641)
ip ssh save host-key (642)
no ip ssh server (638)
ip ssh save host-key This command saves the host key from RAM to flash memory.
SYNTAX
ip ssh save host-key
DEFAULT SETTING
Saves both the DSA and RSA key.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#ip ssh save host-key dsa
Console#
– 642 –
CHAPTER 23 | Authentication Commands
Secure Shell
RELATED COMMANDS
ip ssh crypto host-key generate (641)
show ip ssh This command displays the connection settings used when authenticating
client access to the SSH server.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Server Key Size
: 768 bits
Console#
show public-key This command shows the public key for the specified user or for the host.
SYNTAX
show public-key [user [username]| host]
username – Name of an SSH user. (Range: 1-8 characters)
DEFAULT SETTING
Shows all public keys.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ If no parameters are entered, all keys are displayed. If the user
keyword is entered, but no user name is specified, then the public keys
for all users are displayed.
◆
When an RSA key is displayed, the first field indicates the size of the
host key (e.g., 1024), the second field is the encoded public exponent
(e.g., 35), and the last string is the encoded modulus. When a DSA key
is displayed, the first field indicates that the encryption method used by
SSH is based on the Digital Signature Standard (DSS), and the last
string is the encoded modulus.
EXAMPLE
Console#show public-key host
Host:
RSA:
1024 65537 13236940658254764031382795526536375927835525327972629521130241
071942106165575942459093923609695405036277525755625100386613098939383452310
332802149888661921595568598879891919505883940181387440468908779160305837768
– 643 –
CHAPTER 23 | Authentication Commands
Secure Shell
185490002831341625008348718449522087429212255691665655296328163516964040831
5547660664151657116381
DSA:
ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc
YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv
JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjwbv
wrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR
2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7YKBw/Kjw6Bm
iFq7O+jAhf1Dg45loAc27s6TLdtny1wRq/ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy
DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF/+DjKGWtPNIQqabKgYCw2
o/dVzX4Gg+yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7
w0W
Console#
show ssh This command displays the current SSH server connections.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ssh
Connection Version State
0
2.0
Session-Started
Username Encryption
admin
ctos aes128-cbc-hmac-md5
stoc aes128-cbc-hmac-md5
Console#
Table 74: show ssh - display description
Field
Description
Connection
The session number. (Range: 0-3)
Version
The Secure Shell version number.
State
The authentication negotiation state.
(Values: Negotiation-Started, Authentication-Started, Session-Started)
Username
The user name of the client.
– 644 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
802.1X PORT AUTHENTICATION
The switch supports IEEE 802.1X (dot1x) port-based access control that
prevents unauthorized access to the network by requiring users to first
submit credentials for authentication. Client authentication is controlled
centrally by a RADIUS server using EAP (Extensible Authentication
Protocol).
Table 75: 802.1X Port Authentication Commands
Command
Function
Mode
dot1x default
Resets all dot1x parameters to their default values
GC
dot1x eapol-pass-through
Passes EAPOL frames to all ports in STP forwarding
state when dot1x is globally disabled
GC
dot1x system-auth-control
Enables dot1x globally on the switch.
GC
dot1x intrusion-action
Sets the port response to intrusion when
authentication fails
IC
dot1x max-req
Sets the maximum number of times that the switch
retransmits an EAP request/identity packet to the
client before it times out the authentication session
IC
dot1x operation-mode
Allows single or multiple hosts on an dot1x port
IC
dot1x port-control
Sets dot1x mode for a port interface
IC
dot1x re-authentication
Enables re-authentication for all ports
IC
dot1x timeout quiet-period
Sets the time that a switch port waits after the Max
Request Count has been exceeded before attempting
to acquire a new client
IC
dot1x timeout
re-authperiod
Sets the time period after which a connected client
must be re-authenticated
IC
General Commands
Authenticator Commands
dot1x timeout supp-timeout Sets the interval for a supplicant to respond
IC
dot1x timeout tx-period
Sets the time period during an authentication session
that the switch waits before re-transmitting an EAP
packet
IC
dot1x re-authenticate
Forces re-authentication on specific ports
PE
Supplicant Commands
dot1x identity profile
Configures dot1x supplicant user name and password GC
dot1x max-start
Sets the maximum number of times that a port
supplicant will send an EAP start frame to the client
IC
dot1x pae supplicant
Enables dot1x supplicant mode on an interface
IC
dot1x timeout auth-period
Sets the time that a supplicant port waits for a
response from the authenticator
IC
dot1x timeout held-period
Sets the time a port waits after the maximum start
count has been exceeded before attempting to find
another authenticator
IC
– 645 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
Table 75: 802.1X Port Authentication Commands (Continued)
Command
Function
Mode
dot1x timeout start-period
Sets the time that a supplicant port waits before
resending an EAPOL start frame to the authenticator
IC
Display Information Commands
show dot1x
Shows all dot1x related information
PE
General Commands
dot1x default This command sets all configurable dot1x global and port settings to their
default values.
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#dot1x default
Console(config)#
dot1x This command passes EAPOL frames through to all ports in STP forwarding
eapol-pass-through state when dot1x is globally disabled. Use the no form to restore the
default.
SYNTAX
[no] dot1x eapol-pass-through
DEFAULT SETTING
Discards all EAPOL frames when dot1x is globally disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ When this device is functioning as intermediate node in the network
and does not need to perform dot1x authentication, the dot1x eapol
pass-through command can be used to forward EAPOL frames from
other switches on to the authentication servers, thereby allowing the
authentication process to still be carried out by switches located on the
edge of the network.
◆
When this device is functioning as an edge switch but does not require
any attached clients to be authenticated, the no dot1x eapol-passthrough command can be used to discard unnecessary EAPOL traffic.
– 646 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
EXAMPLE
This example instructs the switch to pass all EAPOL frame through to any
ports in STP forwarding state.
Console(config)#dot1x eapol-pass-through
Console(config)#
dot1x This command enables IEEE 802.1X port authentication globally on the
system-auth-control switch. Use the no form to restore the default.
SYNTAX
[no] dot1x system-auth-control
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#dot1x system-auth-control
Console(config)#
Authenticator Commands
dot1x This command sets the port’s response to a failed authentication, either to
intrusion-action block all traffic, or to assign all traffic for the port to a guest VLAN. Use the
no form to reset the default.
SYNTAX
dot1x intrusion-action {block-traffic | guest-vlan}
no dot1x intrusion-action
block-traffic - Blocks traffic on this port.
guest-vlan - Assigns the user to the Guest VLAN.
DEFAULT
block-traffic
COMMAND MODE
Interface Configuration
– 647 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
COMMAND USAGE
For guest VLAN assignment to be successful, the VLAN must be configured
and set as active (see the vlan database command) and assigned as the
guest VLAN for the port (see the network-access guest-vlan command).
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x intrusion-action guest-vlan
Console(config-if)#
dot1x max-req This command sets the maximum number of times the switch port will
retransmit an EAP request/identity packet to the client before it times out
the authentication session. Use the no form to restore the default.
SYNTAX
dot1x max-req count
no dot1x max-req
count – The maximum number of requests (Range: 1-10)
DEFAULT
2
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-req 2
Console(config-if)#
– 648 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
dot1x This command allows hosts (clients) to connect to an 802.1X-authorized
operation-mode port. Use the no form with no keywords to restore the default to single
host. Use the no form with the multi-host max-count keywords to
restore the default maximum count.
SYNTAX
dot1x operation-mode {single-host |
multi-host [max-count count] | mac-based-auth}
no dot1x operation-mode [multi-host max-count]
single-host – Allows only a single host to connect to this port.
multi-host – Allows multiple host to connect to this port.
max-count – Keyword for the maximum number of hosts.
count – The maximum number of hosts that can connect to a
port. (Range: 1-1024; Default: 5)
mac-based – Allows multiple hosts to connect to this port, with
each host needing to be authenticated.
DEFAULT
Single-host
COMMAND MODE
Interface Configuration
COMMAND USAGE
◆ The “max-count” parameter specified by this command is only effective
if the dot1x mode is set to “auto” by the dot1x port-control command.
◆
In “multi-host” mode, only one host connected to a port needs to pass
authentication for all other hosts to be granted network access.
Similarly, a port can become unauthorized for all hosts if one attached
host fails re-authentication or sends an EAPOL logoff message.
◆
In “mac-based-auth” mode, each host connected to a port needs to
pass authentication. The number of hosts allowed access to a port
operating in this mode is limited only by the available space in the
secure address table (i.e., up to 1024 addresses).
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x operation-mode multi-host max-count 10
Console(config-if)#
– 649 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to
restore the default.
SYNTAX
dot1x port-control {auto | force-authorized |
force-unauthorized}
no dot1x port-control
auto – Requires a dot1x-aware connected client to be authorized by
the RADIUS server. Clients that are not dot1x-aware will be denied
access.
force-authorized – Configures the port to grant access to all
clients, either dot1x-aware or otherwise.
force-unauthorized – Configures the port to deny access to all
clients, either dot1x-aware or otherwise.
DEFAULT
force-authorized
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x port-control auto
Console(config-if)#
dot1x This command enables periodic re-authentication for a specified port. Use
re-authentication the no form to disable re-authentication.
SYNTAX
[no] dot1x re-authentication
COMMAND MODE
Interface Configuration
COMMAND USAGE
◆ The re-authentication process verifies the connected client’s user ID
and password on the RADIUS server. During re-authentication, the
client remains connected the network and the process is handled
transparently by the dot1x client software. Only if re-authentication
fails is the port blocked.
◆
The connected client is re-authenticated after the interval specified by
the dot1x timeout re-authperiod command. The default is 3600
seconds.
– 650 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication
Console(config-if)#
RELATED COMMANDS
dot1x timeout re-authperiod (651)
dot1x timeout This command sets the time that a switch port waits after the maximum
quiet-period request count (see page 648) has been exceeded before attempting to
acquire a new client. Use the no form to reset the default.
SYNTAX
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
seconds - The number of seconds. (Range: 1-65535)
DEFAULT
60 seconds
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout quiet-period 350
Console(config-if)#
dot1x timeout This command sets the time period after which a connected client must be
re-authperiod re-authenticated. Use the no form of this command to reset the default.
SYNTAX
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds. (Range: 1-65535)
DEFAULT
3600 seconds
COMMAND MODE
Interface Configuration
– 651 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#
dot1x timeout This command sets the time that an interface on the switch waits for a
supp-timeout response to an EAP request from a client before re-transmitting an EAP
packet. Use the no form to reset to the default value.
SYNTAX
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
seconds - The number of seconds. (Range: 1-65535)
DEFAULT
30 seconds
COMMAND MODE
Interface Configuration
COMMAND USAGE
This command sets the timeout for EAP-request frames other than EAPrequest/identity frames. If dot1x authentication is enabled on a port, the
switch will initiate authentication when the port link state comes up. It will
send an EAP-request/identity frame to the client to request its identity,
followed by one or more requests for authentication information. It may
also send other EAP-request frames to the client during an active
connection as required for reauthentication.
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout supp-timeout 300
Console(config-if)#
dot1x timeout This command sets the time that an interface on the switch waits during an
tx-period authentication session before re-transmitting an EAP packet. Use the no
form to reset to the default value.
SYNTAX
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds. (Range: 1-65535)
– 652 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
DEFAULT
30 seconds
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout tx-period 300
Console(config-if)#
dot1x This command forces re-authentication on all ports or a specific interface.
re-authenticate
SYNTAX
dot1x re-authenticate [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-26)
COMMAND MODE
Privileged Exec
COMMAND USAGE
The re-authentication process verifies the connected client’s user ID and
password on the RADIUS server. During re-authentication, the client
remains connected the network and the process is handled transparently
by the dot1x client software. Only if re-authentication fails is the port
blocked.
EXAMPLE
Console#dot1x re-authenticate
Console#
– 653 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
Supplicant Commands
dot1x identity This command sets the dot1x supplicant user name and password. Use the
profile no form to delete the identity settings.
SYNTAX
dot1x identity profile {username username | password password}
no dot1x identity profile {username | password}
username - Specifies the supplicant user name.
(Range: 1-8 characters)
password - Specifies the supplicant password.
(Range: 1-8 characters)
DEFAULT
No user name or password
COMMAND MODE
Global Configuration
COMMAND USAGE
The global supplicant user name and password are used to identify this
switch as a supplicant when responding to an MD5 challenge from the
authenticator. These parameters must be set when this switch passes client
authentication requests to another authenticator on the network (see the
dot1x pae supplicant command on page 655).
EXAMPLE
Console(config)#dot1x identity profile username steve
Console(config)#dot1x identity profile password excess
Console(config)#
dot1x max-start This command sets the maximum number of times that a port supplicant
will send an EAP start frame to the client before assuming that the client is
802.1X unaware. Use the no form to restore the default value.
SYNTAX
dot1x max-start count
no dot1x max-start
count - Specifies the maximum number of EAP start frames.
(Range: 1-65535)
DEFAULT
3
– 654 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-start 10
Console(config-if)#
dot1x pae This command enables dot1x supplicant mode on a port. Use the no form
supplicant to disable dot1x supplicant mode on a port.
SYNTAX
[no] dot1x pae supplicant
DEFAULT
Disabled
COMMAND MODE
Interface Configuration
COMMAND USAGE
◆ When devices attached to a port must submit requests to another
authenticator on the network, configure the identity profile parameters
(see dot1x identity profile command on page 654) which identify this
switch as a supplicant, and enable dot1x supplicant mode for those
ports which must authenticate clients through a remote authenticator
using this command. In this mode the port will not respond to dot1x
messages meant for an authenticator.
◆
This switch can be configured to serve as the authenticator on selected
ports by setting the control mode to “auto” (see the dot1x port-control
command on page 650), and as a supplicant on other ports by the
setting the control mode to “force-authorized” and enabling dot1x
supplicant mode with this command.
◆
A port cannot be configured as a dot1x supplicant if it is a member of a
trunk or LACP is enabled on the port.
EXAMPLE
Console(config)#interface ethernet 1/2
Console(config-if)#dot1x pae supplicant
Console(config-if)#
– 655 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
dot1x timeout This command sets the time that a supplicant port waits for a response
auth-period from the authenticator. Use the no form to restore the default setting.
SYNTAX
dot1x timeout auth-period seconds
no dot1x timeout auth-period
seconds - The number of seconds. (Range: 1-65535)
DEFAULT
30 seconds
COMMAND MODE
Interface Configuration
COMMAND USAGE
This command sets the time that the supplicant waits for a response from
the authenticator for packets other than EAPOL-Start.
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout auth-period 60
Console(config-if)#
dot1x timeout This command sets the time that a supplicant port waits before resending
held-period its credentials to find a new an authenticator. Use the no form to reset the
default.
SYNTAX
dot1x timeout held-period seconds
no dot1x timeout held-period
seconds - The number of seconds. (Range: 1-65535)
DEFAULT
60 seconds
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout held-period 120
Console(config-if)#
– 656 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
dot1x timeout This command sets the time that a supplicant port waits before resending
start-period an EAPOL start frame to the authenticator. Use the no form to restore the
default setting.
SYNTAX
dot1x timeout start-period seconds
no dot1x timeout start-period
seconds - The number of seconds. (Range: 1-65535)
DEFAULT
30 seconds
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout start-period 60
Console(config-if)#
Display Information Commands
show dot1x This command shows general port authentication related settings on the
switch or a specific interface.
SYNTAX
show dot1x [statistics] [interface interface]
statistics - Displays dot1x status for each port.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-26)
COMMAND MODE
Privileged Exec
COMMAND USAGE
This command displays the following information:
◆
Global 802.1X Parameters – Shows whether or not 802.1X port
authentication is globally enabled on the switch (page 647).
◆
Authenticator Parameters – Shows whether or not EAPOL pass-through
is enabled (page 646).
– 657 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
◆
Supplicant Parameters – Shows the supplicant user name used when
the switch responds to an MD5 challenge from an authenticator
(page 654).
◆
802.1X Port Summary – Displays the port access control parameters
for each interface that has enabled 802.1X, including the following
items:
■
■
■
■
◆
802.1X Port Details – Displays the port access control parameters for
each interface, including the following items:
■
■
■
■
■
■
■
■
■
■
■
■
◆
Reauthentication – Periodic re-authentication (page 650).
Reauth Period – Time after which a connected client must be reauthenticated (page 651).
Quiet Period – Time a port waits after Max Request Count is
exceeded before attempting to acquire a new client (page 651).
TX Period – Time a port waits during authentication session before
re-transmitting EAP packet (page 652).
Supplicant Timeout – Supplicant timeout.
Server Timeout – Server timeout. A RADIUS server must be set
before the correct operational value of 10 seconds will be displayed
in this field.
Reauth Max Retries – Maximum number of reauthentication
attempts.
Max Request – Maximum number of times a port will retransmit an
EAP request/identity packet to the client before it times out the
authentication session (page 648).
Operation Mode– Shows if single or multiple hosts (clients) can
connect to an 802.1X-authorized port.
Port Control–Shows the dot1x mode on a port as auto, forceauthorized, or force-unauthorized (page 650).
Intrusion Action– Shows the port response to intrusion when
authentication fails (page 647).
Supplicant– MAC address of authorized client.
Authenticator PAE State Machine
■
■
■
◆
Type – Administrative state for port access control (Enabled,
Authenticator, or Supplicant).
Operation Mode–Allows single or multiple hosts (page 649).
Control Mode – Dot1x port control mode (page 650).
Authorized– Authorization status (yes or n/a - not authorized).
State – Current state (including initialize, disconnected, connecting,
authenticating, authenticated, aborting, held, force_authorized,
force_unauthorized).
Reauth Count– Number of times connecting state is re-entered.
Current Identifier– The integer (0-255) used by the Authenticator to
identify the current authentication session.
Backend State Machine
■
State – Current state (including request, response, success, fail,
timeout, idle, initialize).
– 658 –
CHAPTER 23 | Authentication Commands
802.1X Port Authentication
■
■
◆
Request Count– Number of EAP Request packets sent to the
Supplicant without receiving a response.
Identifier (Server)– Identifier carried in the most recent EAP
Success, Failure or Request packet received from the Authentication
Server.
Reauthentication State Machine
State – Current state (including initialize, reauthenticate).
EXAMPLE
Console#show dot1x
Global 802.1X Parameters
System Auth Control
: Enabled
Authenticator Parameters:
EAPOL Pass Through
: Disabled
Supplicant Parameters:
Identity Profile Username : steve
802.1X Port Summary
Port
-------Eth 1/ 1
Eth 1/ 2
.
.
.
Eth 1/25
Eth 1/26
Type
------------Disabled
Disabled
Operation Mode
-------------Single-Host
Single-Host
Control Mode
-----------------Force-Authorized
Force-Authorized
Authorized
---------Yes
Yes
Disabled
Enabled
Single-Host
Single-Host
Force-Authorized
Auto
Yes
Yes
802.1X Port Details
802.1X Authenticator is enabled on port 1/1
802.1X Supplicant is disabled on port 1/1
.
.
.
802.1X Authenticator
Reauthentication
Reauth Period
Quiet Period
TX Period
Supplicant Timeout
Server Timeout
Reauth Max Retries
Max Request
Operation Mode
Port Control
Intrusion Action
is enabled on port 50
: Enabled
: 3600
: 60
: 30
: 30
: 10
: 2
: 2
: Multi-host
: Auto
: Block traffic
Supplicant
: 00-e0-29-94-34-65
Authenticator PAE State Machine
State
: Authenticated
Reauth Count
: 0
Current Identifier : 3
Backend State Machine
State
: Idle
Request Count
: 0
– 659 –
CHAPTER 23 | Authentication Commands
Management IP Filter
Identifier(Server)
: 2
Reauthentication State Machine
State
: Initialize
Console#
MANAGEMENT IP FILTER
This section describes commands used to configure IP management access
to the switch.
Table 76: Management IP Filter Commands
Command
Function
Mode
management
Configures IP addresses that are allowed management
access
GC
show management
Displays the switch to be monitored or configured from
a browser
PE
management This command specifies the client IP addresses that are allowed
management access to the switch through various protocols. Use the no
form to restore the default setting.
SYNTAX
[no] management {all-client | http-client | snmp-client |
telnet-client} start-address [end-address]
all-client - Adds IP address(es) to all groups.
http-client - Adds IP address(es) to the web group.
snmp-client - Adds IP address(es) to the SNMP group.
telnet-client - Adds IP address(es) to the Telnet group.
start-address - A single IP address, or the starting address of a
range.
end-address - The end address of a range.
DEFAULT SETTING
All addresses
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ If anyone tries to access a management interface on the switch from an
invalid address, the switch will reject the connection, enter an event
message in the system log, and send a trap message to the trap
manager.
– 660 –
CHAPTER 23 | Authentication Commands
Management IP Filter
◆
IP address can be configured for SNMP, web, and Telnet access
respectively. Each of these groups can include up to five different sets
of addresses, either individual addresses or address ranges.
◆
When entering addresses for the same group (i.e., SNMP, web, or
Telnet), the switch will not accept overlapping address ranges. When
entering addresses for different groups, the switch will accept
overlapping address ranges.
◆
You cannot delete an individual address from a specified range. You
must delete the entire range, and reenter the addresses.
◆
You can delete an address range just by specifying the start address, or
by specifying both the start address and end address.
EXAMPLE
This example restricts management access to the indicated addresses.
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
Console#
show management This command displays the client IP addresses that are allowed
management access to the switch through various protocols.
SYNTAX
show management {all-client | http-client | snmp-client |
telnet-client}
all-client - Displays IP addresses for all groups.
http-client - Displays IP addresses for the web group.
snmp-client - Displays IP addresses for the SNMP group.
telnet-client - Displays IP addresses for the Telnet group.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show management all-client
Management Ip Filter
HTTP-Client:
Start IP address
End IP address
----------------------------------------------1. 192.168.1.19
192.168.1.19
2. 192.168.1.25
192.168.1.30
SNMP-Client:
Start IP address
End IP address
----------------------------------------------1. 192.168.1.19
192.168.1.19
2. 192.168.1.25
192.168.1.30
– 661 –
CHAPTER 23 | Authentication Commands
Management IP Filter
TELNET-Client:
Start IP address
End IP address
----------------------------------------------1. 192.168.1.19
192.168.1.19
2. 192.168.1.25
192.168.1.30
Console#
– 662 –
24
GENERAL SECURITY MEASURES
This switch supports many methods of segregating traffic for clients
attached to each of the data ports, and for ensuring that only authorized
clients gain access to the network. Port-based authentication using IEEE
802.1X is commonly used for these purposes. In addition to these method,
several other options of providing client security are described in this
chapter. These include port-based authentication, which can be configured
to allow network client access by specifying a fixed set of MAC addresses.
The addresses assigned to DHCP clients can also be carefully controlled
with IP Source Guard and DHCP Snooping commands.
Table 77: General Security Commands
Command Group
Function
Port Security*
Configures secure addresses for a port
802.1X Port
Authentication*
Configures host authentication on specific ports using 802.1X
Network Access*
Configures MAC authentication and dynamic VLAN assignment
Web Authentication*
Configures Web authentication
Access Control Lists*
Provides filtering for IP frames (based on address, protocol, TCP/
UDP port number or TCP control code) or non-IP frames (based on
MAC address or Ethernet type)
DHCP Snooping*
Filters untrusted DHCP messages on unsecure ports by building
and maintaining a DHCP snooping binding table
IP Source Guard*
Filters IP traffic on insecure ports for which the source address
cannot be identified via DHCP snooping nor static source bindings
ARP Inspection
Validates the MAC-to-IP address bindings in ARP packets
DoS Protection
Protects against Denial-of-Service attacks
* The priority of execution for these filtering commands is Port Security, Port
Authentication, Network Access, Web Authentication, Access Control Lists, DHCP
Snooping, and then IP Source Guard.
– 663 –
CHAPTER 24 | General Security Measures
Port Security
PORT SECURITY
These commands can be used to enable port security on a port.
When using port security, the switch stops learning new MAC addresses on
the specified port when it has reached a configured maximum number.
Only incoming traffic with source addresses already stored in the dynamic
or static address table for this port will be authorized to access the
network. The port will drop any incoming frames with a source MAC
address that is unknown or has been previously learned from another port.
If a device with an unauthorized MAC address attempts to use the switch
port, the intrusion will be detected and the switch can automatically take
action by disabling the port and sending a trap message.
Table 78: Management IP Filter Commands
Command
Function
Mode
mac-address-table static
Maps a static address to a port in a VLAN
GC
port security
Configures a secure port
IC
show mac-address-table
Displays entries in the bridge-forwarding database
PE
port security This command enables or configures port security. Use the no form without
any keywords to disable port security. Use the no form with the
appropriate keyword to restore the default settings for a response to
security violation or for the maximum number of allowed addresses.
SYNTAX
port security
[[action {shutdown | trap | trap-and-shutdown}] |
[max-mac-count address-count]]
no port security [action | max-mac-count]
action - Response to take when port security is violated.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable
port.
max-mac-count
address-count - The maximum number of MAC addresses that
can be learned on a port. (Range: 0 - 1024, where 0 means
disabled)
DEFAULT SETTING
Status: Disabled
Action: None
Maximum Addresses: 0
– 664 –
CHAPTER 24 | General Security Measures
Port Security
COMMAND MODE
Interface Configuration (Ethernet)
COMMAND USAGE
◆ The default maximum number of MAC addresses allowed on a secure
port is zero (that is, port security is disabled). To use port security, you
must configure the maximum number of addresses allowed on a port
using the port security max-mac-count command.
◆
When port security is enabled using the port security command, or
the maximum number or allowed addresses is set to value lower than
the limit after port security has been enabled, the switch first clears all
dynamically learned entries from the address table. It then starts
learning new MAC addresses on the specified port, and stops learning
addresses when it reaches a configured maximum number. Only
incoming traffic with source addresses already stored in the dynamic or
static address table will be accepted.
◆
To configure the maximum number of address entries which can be
learned on a port, first disable port security on a port using the no port
security command, and then specify the maximum number of dynamic
addresses allowed. The switch will learn up to the maximum number of
allowed address pairs <source MAC address, VLAN> for frames
received on the port. (The specified maximum address count is
effective when port security is enabled or disabled.) Note that you can
manually add additional secure addresses to a port using the macaddress-table static command. When the port has reached the
maximum number of MAC addresses, the port will stop learning new
addresses. The MAC addresses already in the address table will be
retained and will not be aged out.
◆
If port security is enabled, and the maximum number of allowed
addresses are set to a non-zero value, any device not in the address
table that attempts to use the port will be prevented from accessing the
switch.
◆
If a port is disabled due to a security violation, it must be manually reenabled using the no shutdown command.
◆
A secure port has the following restrictions:
■
■
Cannot be connected to a network interconnection device.
Cannot be a trunk port.
EXAMPLE
The following example enables port security for port 5, and sets the
response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
– 665 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
RELATED COMMANDS
show interfaces status (741)
shutdown (736)
mac-address-table static (790)
NETWORK ACCESS (MAC ADDRESS AUTHENTICATION)
Network Access authentication controls access to the network by
authenticating the MAC address of each host that attempts to connect to a
switch port. Traffic received from a specific MAC address is forwarded by
the switch only if the source MAC address is successfully authenticated by
a central RADIUS server. While authentication for a MAC address is in
progress, all traffic is blocked until authentication is completed. Once
successfully authenticated, the RADIUS server may optionally assign VLAN
and QoS settings for the switch port.
Table 79: Network Access Commands
Command
Function
Mode
network-access aging
Enables MAC address aging
GC
network-access mac-filter
Adds a MAC address to a filter table
GC
mac-authentication reauthtime
Sets the time period after which a connected MAC
address must be re-authenticated
GC
network-access dynamic-qos
Enables the dynamic quality of service feature
IC
network-access dynamic-vlan Enables dynamic VLAN assignment from a RADIUS
server
IC
network-access guest-vlan
IC
Specifies the guest VLAN
network-access link-detection Enables the link detection feature
IC
network-access link-detection Configures the link detection feature to detect and
link-down
act upon link-down events
IC
network-access link-detection Configures the link detection feature to detect and
link-up
act upon link-up events
IC
network-access link-detection Configures the link detection feature to detect and
link-up-down
act upon both link-up and link-down events
IC
network-access max-maccount
Sets the maximum number of MAC addresses that
can be authenticated on a port via all forms of
authentication
IC
network-access mode
mac-authentication
Enables MAC authentication on an interface
IC
network-access port-macfilter
Enables the specified MAC address filter
IC
mac-authentication intrusion- Determines the port response when a connected
action
host fails MAC authentication.
IC
mac-authentication maxmac-count
Sets the maximum number of MAC addresses that
can be authenticated on a port via MAC
authentication
IC
clear network-access
Clears authenticated MAC addresses from the
address table
PE
show network-access
Displays the MAC authentication settings for port
interfaces
PE
– 666 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
Table 79: Network Access Commands (Continued)
Command
Function
Mode
show network-access macaddress-table
Displays information for entries in the secure MAC
address table
PE
show network-access macfilter
Displays information for entries in the MAC filter
tables
PE
network-access Use this command to enable aging for authenticated MAC addresses stored
aging in the secure MAC address table. Use the no form of this command to
disable address aging.
SYNTAX
[no] network-access aging
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Authenticated MAC addresses are stored as dynamic entries in the
switch’s secure MAC address table and are removed when the aging
time expires. The address aging time is determined by the macaddress-table aging-time command.
◆
This parameter applies to authenticated MAC addresses configured by
the MAC Address Authentication process described in this section, as
well as to any secure MAC addresses authenticated by 802.1X,
regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or
MAC-Based authentication as described on page 649).
◆
The maximum number of secure MAC addresses supported for the
switch system is 1024.
EXAMPLE
Console(config-if)#network-access aging
Console(config-if)#
network-access Use this command to add a MAC address into a filter table. Use the no
mac-filter form of this command to remove the specified MAC address.
SYNTAX
[no] network-access mac-filter filter-id
mac-address mac-address [mask mask-address]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
– 667 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
mac-address - Specifies a MAC address entry.
(Format: xx-xx-xx-xx-xx-xx)
mask - Specifies a MAC address bit mask for a range of addresses.
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Specified addresses are exempt from network access authentication.
◆
This command is different from configuring static addresses with the
mac-address-table static command in that it allows you configure a
range of addresses when using a mask, and then to assign these
addresses to one or more ports with the network-access port-mac-filter
command.
◆
Up to 64 filter tables can be defined.
◆
There is no limitation on the number of entries that can entered in a
filter table.
EXAMPLE
Console(config)#network-access mac-filter 1 mac-address 11-22-33-44-55-66
Console(config)#
mac-authentication Use this command to set the time period after which a connected MAC
reauth-time address must be re-authenticated. Use the no form of this command to
restore the default value.
SYNTAX
mac-authentication reauth-time seconds
no mac-authentication reauth-time
seconds - The reauthentication time period.
(Range: 120-1000000 seconds)
DEFAULT SETTING
1800
COMMAND MODE
Global Configuration
– 668 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
COMMAND USAGE
◆ The reauthentication time is a global setting and applies to all ports.
◆
When the reauthentication time expires for a secure MAC address it is
reauthenticated with the RADIUS server. During the reauthentication
process traffic through the port remains unaffected.
EXAMPLE
Console(config)#mac-authentication reauth-time 300
Console(config)#
network-access Use this command to enable the dynamic QoS feature for an authenticated
dynamic-qos port. Use the no form to restore the default.
SYNTAX
[no] network-access dynamic-qos
DEFAULT SETTING
Disabled
COMMAND MODE
Interface Configuration
COMMAND USAGE
◆ The RADIUS server may optionally return dynamic QoS assignments to
be applied to a switch port for an authenticated user. The “Filter-ID”
attribute (attribute 11) can be configured on the RADIUS server to pass
the following QoS information:
Table 80: Dynamic QoS Profiles
Profile
Attribute Syntax
Example
DiffServ
service-policy-in=policy-map-name
service-policy-in=p1
Rate Limit
rate-limit-input=rate
rate-limit-input=100 (Kbps)
802.1p
switchport-priority-default=value
switchport-priority-default=2
IP ACL
ip-access-group-in=ip-acl-name
ip-access-group-in=ipv4acl
IPv6 ACL
ipv6-access-group-in=ipv6-acl-name
ipv6-access-group-in=ipv6acl
MAC ACL
mac-access-group-in=mac-acl-name
mac-access-group-in=macAcl
◆
When the last user logs off of a port with a dynamic QoS assignment,
the switch restores the original QoS configuration for the port.
◆
When a user attempts to log into the network with a returned dynamic
QoS profile that is different from users already logged on to the same
port, the user is denied access.
– 669 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
◆
While a port has an assigned dynamic QoS profile, any manual QoS
configuration changes only take effect after all users have logged off of
the port.
NOTE: Any configuration changes for dynamic QoS are not saved to the
switch configuration file.
EXAMPLE
The following example enables the dynamic QoS feature on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-qos
Console(config-if)#
network-access Use this command to enable dynamic VLAN assignment for an
dynamic-vlan authenticated port. Use the no form to disable dynamic VLAN assignment.
SYNTAX
[no] network-access dynamic-vlan
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration
COMMAND USAGE
◆ When enabled, the VLAN identifiers returned by the RADIUS server
through the 802.1X authentication process will be applied to the port,
providing the VLANs have already been created on the switch. GVRP is
not used to create the VLANs.
◆
The VLAN settings specified by the first authenticated MAC address are
implemented for a port. Other authenticated MAC addresses on the
port must have same VLAN configuration, or they are treated as an
authentication failure.
◆
If dynamic VLAN assignment is enabled on a port and the RADIUS
server returns no VLAN configuration, the authentication is still treated
as a success, and the host assigned to the default untagged VLAN.
◆
When the dynamic VLAN assignment status is changed on a port, all
authenticated addresses are cleared from the secure MAC address
table.
– 670 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
EXAMPLE
The following example enables dynamic VLAN assignment on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-vlan
Console(config-if)#
network-access Use this command to assign all traffic on a port to a guest VLAN when
guest-vlan 802.1x authentication is rejected. Use the no form of this command to
disable guest VLAN assignment.
SYNTAX
network-access guest-vlan vlan-id
no network-access guest-vlan
vlan-id - VLAN ID (Range: 1-4093)
DEFAULT SETTING
Disabled
COMMAND MODE
Interface Configuration
COMMAND USAGE
◆ The VLAN to be used as the guest VLAN must be defined and set as
active (See the vlan database command).
◆
When used with 802.1X authentication, the intrusion-action must be
set for “guest-vlan” to be effective (see the dot1x intrusion-action
command).
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access guest-vlan 25
Console(config-if)#
network-access Use this command to enable link detection for the selected port. Use the
link-detection no form of this command to restore the default.
SYNTAX
[no] network-access link-detection
DEFAULT SETTING
Disabled
– 671 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection
Console(config-if)#
network-access Use this command to detect link-down events. When detected, the switch
link-detection can shut down the port, send an SNMP trap, or both. Use the no form of
link-down this command to disable this feature.
SYNTAX
network-access link-detection link-down
action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
action - Response to take when port security is violated.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable
the port.
DEFAULT SETTING
Disabled
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-down action trap
Console(config-if)#
network-access Use this command to detect link-up events. When detected, the switch can
link-detection shut down the port, send an SNMP trap, or both. Use the no form of this
link-up command to disable this feature.
SYNTAX
network-access link-detection link-up
action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
– 672 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
action - Response to take when port security is violated.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable
the port.
DEFAULT SETTING
Disabled
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up action trap
Console(config-if)#
network-access Use this command to detect link-up and link-down events. When either
link-detection event is detected, the switch can shut down the port, send an SNMP trap,
link-up-down or both. Use the no form of this command to disable this feature.
SYNTAX
network-access link-detection link-up-down
action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
action - Response to take when port security is violated.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable
the port.
DEFAULT SETTING
Disabled
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up-down action trap
Console(config-if)#
– 673 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
network-access Use this command to set the maximum number of MAC addresses that can
max-mac-count be authenticated on a port interface via all forms of authentication. Use the
no form of this command to restore the default.
SYNTAX
network-access max-mac-count count
no network-access max-mac-count
count - The maximum number of authenticated IEEE 802.1X and
MAC addresses allowed. (Range: 0-1024; 0 for unlimited)
DEFAULT SETTING
1024
COMMAND MODE
Interface Configuration
COMMAND USAGE
The maximum number of MAC addresses per port is 1024, and the
maximum number of secure MAC addresses supported for the switch
system is 1024. When the limit is reached, all new MAC addresses are
treated as authentication failures.
EXAMPLE
Console(config-if)#network-access max-mac-count 5
Console(config-if)#
network-access Use this command to enable network access authentication on a port. Use
mode the no form of this command to disable network access authentication.
mac-authentication
SYNTAX
[no] network-access mode mac-authentication
DEFAULT SETTING
Disabled
COMMAND MODE
Interface Configuration
COMMAND USAGE
◆ When enabled on a port, the authentication process sends a Password
Authentication Protocol (PAP) request to a configured RADIUS server.
The user name and password are both equal to the MAC address being
authenticated.
◆
On the RADIUS server, PAP user name and passwords must be
configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper
case).
– 674 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
◆
Authenticated MAC addresses are stored as dynamic entries in the
switch secure MAC address table and are removed when the aging time
expires. The maximum number of secure MAC addresses supported for
the switch system is 1024.
◆
Configured static MAC addresses are added to the secure address table
when seen on a switch port. Static addresses are treated as
authenticated without sending a request to a RADIUS server.
◆
MAC authentication, 802.1X, and port security cannot be configured
together on the same port. Only one security mechanism can be
applied.
◆
MAC authentication cannot be configured on trunk ports.
◆
When port status changes to down, all MAC addresses are cleared from
the secure MAC address table. Static VLAN assignments are not
restored.
◆
The RADIUS server may optionally return a VLAN identifier list. VLAN
identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The
VLAN list can contain multiple VLAN identifiers in the format “1u,2t,”
where “u” indicates untagged VLAN and “t” tagged VLAN. The “TunnelType” attribute should be set to “VLAN,” and the “Tunnel-Medium-Type”
attribute set to “802.”
EXAMPLE
Console(config-if)#network-access mode mac-authentication
Console(config-if)#
network-access Use this command to enable the specified MAC address filter. Use the no
port-mac-filter form of this command to disable the specified MAC address filter.
SYNTAX
network-access port-mac-filter filter-id
no network-access port-mac-filter
filter-id - Specifies a MAC address filter table. (Range: 1-64)
DEFAULT SETTING
None
COMMAND MODE
Interface Configuration
COMMAND MODE
◆ Entries in the MAC address filter table can be configured with the
network-access mac-filter command.
◆
Only one filter table can be assigned to a port.
– 675 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access port-mac-filter 1
Console(config-if)#
mac-authentication Use this command to configure the port response to a host MAC
intrusion-action authentication failure. Use the no form of this command to restore the
default.
SYNTAX
mac-authentication intrusion-action {block traffic | pass traffic}
no mac-authentication intrusion-action
DEFAULT SETTING
Block Traffic
COMMAND MODE
Interface Con figuration
EXAMPLE
Console(config-if)#mac-authentication intrusion-action block-traffic
Console(config-if)#
mac-authentication Use this command to set the maximum number of MAC addresses that can
max-mac-count be authenticated on a port via MAC authentication. Use the no form of this
command to restore the default.
SYNTAX
mac-authentication max-mac-count count
no mac-authentication max-mac-count
count - The maximum number of MAC-authenticated MAC
addresses allowed. (Range: 1-1024)
DEFAULT SETTING
1024
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config-if)#mac-authentication max-mac-count 32
Console(config-if)#
– 676 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
clear Use this command to clear entries from the secure MAC addresses table.
network-access
SYNTAX
clear network-access mac-address-table [static | dynamic]
[address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xxxx-xx-xx)
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number.
(Range: Range: 1-26)
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
Console#clear network-access mac-address-table interface ethernet 1/1
Console#
show Use this command to display the MAC authentication settings for port
network-access interfaces.
SYNTAX
show network-access [interface interface]
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-26)
DEFAULT SETTING
Displays the settings for all interfaces.
COMMAND MODE
Privileged Exec
– 677 –
CHAPTER 24 | General Security Measures
Network Access (MAC Address Authentication)
EXAMPLE
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time
: 1800
MAC address Aging
: Disabled
Port : 1/1
MAC Authentication
MAC Authentication Intrusion action
MAC Authentication Maximum MAC Counts
Maximum MAC Counts
Dynamic VLAN Assignment
Dynamic QoS Assignment
MAC Filter ID
Guest VLAN
Link Detection
Detection Mode
Detection Action
Console#
:
:
:
:
:
:
:
:
:
:
:
Disabled
Block traffic
1024
2048
Enabled
Disabled
Disabled
Disabled
Disabled
Link-down
Trap
show Use this command to display secure MAC address table entries.
network-access
mac-address-table SYNTAX
show network-access mac-address-table [static | dynamic]
[address mac-address [mask]] [interface interface]
[sort {address | interface}]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry.
(Format: xx-xx-xx-xx-xx-xx)
mask - Specifies a MAC address bit mask for filtering displayed
addresses.
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-26)
sort - Sorts displayed entries by either MAC address or interface.
DEFAULT SETTING
Displays all filters.
COMMAND MODE
Privileged Exec
COMMAND USAGE
When using a bit mask to filter displayed MAC addresses, a 1 means “care”
and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and
mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01– 678 –
CHAPTER 24 | General Security Measures
Web Authentication
00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be
filtered out.
EXAMPLE
Console#show network-access mac-address-table
---- ----------------- --------------- --------Port MAC-Address
RADIUS-Server
Attribute
---- ----------------- --------------- --------1/1 00-00-01-02-03-04 172.155.120.17 Static
1/1 00-00-01-02-03-05 172.155.120.17 Dynamic
1/1 00-00-01-02-03-06 172.155.120.17 Static
1/3 00-00-01-02-03-07 172.155.120.17 Dynamic
------------------------Time
------------------------00d06h32m50s
00d06h33m20s
00d06h35m10s
00d06h34m20s
Console#
show network- Use this command to display information for entries in the MAC filter
access mac-filter tables.
SYNTAX
show network-access mac-filter [filter-id]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
DEFAULT SETTING
Displays all filters.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show network-access
Filter ID MAC Address
--------- ----------------1 00-00-01-02-03-08
Console#
mac-filter
MAC Mask
----------------FF-FF-FF-FF-FF-FF
WEB AUTHENTICATION
Web authentication allows stations to authenticate and access the network
in situations where 802.1X or Network Access authentication are infeasible
or impractical. The web authentication feature allows unauthenticated
hosts to request and receive a DHCP assigned IP address and perform DNS
queries. All other traffic, except for HTTP protocol traffic, is blocked. The
switch intercepts HTTP protocol traffic and redirects it to a switchgenerated web page that facilitates user name and password
authentication via RADIUS. Once authentication is successful, the web
browser is forwarded on to the originally requested web page. Successful
authentication is valid for all hosts connected to the port.
– 679 –
CHAPTER 24 | General Security Measures
Web Authentication
NOTE: RADIUS authentication must be activated and configured for the web
authentication feature to work properly (see "Authentication Sequence" on
page 612).
NOTE: Web authentication cannot be configured on trunk ports.
Table 81: Web Authentication
Command
Function
Mode
web-auth login-attempts
Defines the limit for failed web authentication login
attempts
GC
web-auth quiet-period
Defines the amount of time to wait after the limit for
failed login attempts is exceeded.
GC
web-auth session-timeout
Defines the amount of time a session remains valid
GC
web-auth system-authcontrol
Enables web authentication globally for the switch
GC
web-auth
Enables web authentication for an interface
IC
web-auth re-authenticate
(Port)
Ends all web authentication sessions on the port and
forces the users to re-authenticate
PE
web-auth re-authenticate (IP) Ends the web authentication session associated with PE
the designated IP address and forces the user to reauthenticate
show web-auth
Displays global web authentication parameters
PE
show web-auth interface
Displays interface-specific web authentication
parameters and statistics
PE
show web-auth summary
Displays a summary of web authentication port
parameters and statistics
PE
web-auth This command defines the limit for failed web authentication login
login-attempts attempts. After the limit is reached, the switch refuses further login
attempts until the quiet time expires. Use the no form to restore the
default.
SYNTAX
web-auth login-attempts count
no web-auth login-attempts
count - The limit of allowed failed login attempts. (Range: 1-3)
DEFAULT SETTING
3 login attempts
COMMAND MODE
Global Configuration
– 680 –
CHAPTER 24 | General Security Measures
Web Authentication
EXAMPLE
Console(config)#web-auth login-attempts 2
Console(config)#
web-auth This command defines the amount of time a host must wait after exceeding
quiet-period the limit for failed login attempts, before it may attempt web
authentication again. Use the no form to restore the default.
SYNTAX
web-auth quiet-period time
no web-auth quiet period
time - The amount of time the host must wait before attempting
authentication again. (Range: 1-180 seconds)
DEFAULT SETTING
60 seconds
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#web-auth quiet-period 120
Console(config)#
web-auth This command defines the amount of time a web-authentication session
session-timeout remains valid. When the session timeout has been reached, the host is
logged off and must re-authenticate itself the next time data transmission
takes place. Use the no form to restore the default.
SYNTAX
web-auth session-timeout timeout
no web-auth session timeout
timeout - The amount of time that an authenticated session
remains valid. (Range: 300-3600 seconds, or 0 for disabled)
DEFAULT SETTING
3600 seconds
COMMAND MODE
Global Configuration
– 681 –
CHAPTER 24 | General Security Measures
Web Authentication
EXAMPLE
Console(config)#web-auth session-timeout 1800
Console(config)#
web-auth This command globally enables web authentication for the switch. Use the
system-auth-control no form to restore the default.
SYNTAX
[no] web-auth system-auth-control
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
Both web-auth sy