Tech Template - Red Lion Controls

EL Series
Industrial Ethernet
Managed Switch
Management Guide
Version 1.3.5
www.sixnet.com
1
This page intentionally left blank.
About This Guide
Purpose
This guide gives specific information on how to operate and use the management
functions of the switch.
Audience
The guide is intended for use by network administrators who are responsible for operating
and maintaining network equipment; consequently, it assumes a basic working
knowledge of general switch functions, the Internet Protocol (IP), and Simple Network
Management Protocol (SNMP).
Conventions
The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or
instructions.
Caution: Alerts you to a potential hazard that could cause loss of data, or damage the
system or equipment.
Warning: Alerts you to a potential hazard that could cause personal injury.
Related Publications
The following publication details the hardware features of the switch, including the
physical and performance-related characteristics, and how to install the switch:
The Installation Guide
Also, as part of the switch’s software, there is an online web-based help that describes all
management related features.
Revision History
1.3.5 Release to include EL212
1.3.4.0 First Release
v
Contents
Chapter 1: Introduction
Key Features
Description of Software Features
System Defaults
1-1
1-1
1-2
1-6
Chapter 2: Initial Configuration
Connecting to the Switch
Configuration Options
Required Connections
Remote Connections
Basic Configuration
Console Connection
Setting Passwords
Setting an IP Address
Manual Configuration
Dynamic Configuration
Downloading a Configuration File Referenced by a DHCP Server
Enabling SNMP Management Access
Community Strings (for SNMP version 1 and 2c clients)
Trap Receivers
Configuring Access for SNMP Version 3 Clients
Managing System Files
Saving Configuration Settings
2-1
2-1
2-1
2-2
2-3
2-3
2-3
2-4
2-4
2-4
2-5
2-6
2-8
2-9
2-9
2-10
2-10
2-11
Chapter 3: Configuring the Switch
Using the Web Interface
Navigating the Web Browser Interface
Home Page
Configuration Options
Panel Display
Main Menu
Basic Configuration
Displaying System Information
Displaying Switch Hardware/Software Versions
Displaying Bridge Extension Capabilities
Setting the Switch’s IP Address
Manual Configuration
Using DHCP/BOOTP
Enabling Jumbo Frames
Managing Firmware
3-1
3-1
3-2
3-2
3-3
3-3
3-4
3-13
3-13
3-15
3-16
3-17
3-18
3-19
3-20
3-21
i
Contents
Automatic Operation Code Upgrade
Downloading System Software from a Server
Saving or Restoring Configuration Settings
Downloading Configuration Settings from a Server
Uploading and Downloading Files Using HTTP
Console Port Settings
Telnet Settings
Configuring Event Logging
System Log Configuration
Remote Log Configuration
Displaying Log Messages
Sending Simple Mail Transfer Protocol Alerts
Resetting the System
Setting the System Clock
Setting the Time Manually
Configuring SNTP
Configuring NTP
Setting the Time Zone
Configuring Summer Time
Simple Network Management Protocol
Enabling the SNMP Agent
Setting Community Access Strings
Specifying Trap Managers and Trap Types
Configuring SNMPv3 Management Access
Setting the Local Engine ID
Specifying a Remote Engine ID
Configuring SNMPv3 Users
Configuring Remote SNMPv3 Users
Configuring SNMPv3 Groups
Setting SNMPv3 Views
Sampling Traffic Flows
Configuring sFlow Global Parameters
Configuring sFlow Port Parameters
User Authentication
Configuring User Accounts
Configuring Local/Remote Logon Authentication
Configuring Encryption Keys
AAA Authorization and Accounting
Configuring AAA RADIUS Group Settings
Configuring AAA TACACS+ Group Settings
Configuring AAA Accounting
AAA Accounting Update
AAA Accounting 802.1X Port Settings
AAA Accounting Exec Command Privileges
AAA Accounting Exec Settings
ii
3-22
3-26
3-27
3-29
3-30
3-32
3-34
3-36
3-36
3-37
3-39
3-39
3-41
3-42
3-43
3-43
3-44
3-46
3-47
3-50
3-51
3-52
3-53
3-56
3-56
3-57
3-58
3-60
3-62
3-65
3-66
3-67
3-69
3-71
3-71
3-73
3-77
3-78
3-79
3-79
3-80
3-82
3-83
3-84
3-85
Contents
AAA Accounting Summary
Authorization Settings
Authorization EXEC Settings
Authorization Summary
Configuring HTTPS
Replacing the Default Secure-site Certificate
Configuring the Secure Shell
Generating the Host Key Pair
Importing User Public Keys
Configuring the SSH Server
Configuring 802.1X Port Authentication
Displaying 802.1X Global Settings
Configuring 802.1X Global Settings
Configuring Port Settings for 802.1X
Displaying 802.1X Statistics
Filtering IP Addresses for Management Access
General Security Measures
Configuring Port Security
Web Authentication
Configuring Web Authentication
Configuring Web Authentication for Ports
Displaying Web Authentication Port Information
Re-authenticating Web Authenticated Ports
Network Access (MAC Address Authentication)
Configuring the MAC Authentication Reauthentication Time
Configuring MAC Authentication for Ports
Configuring Port Link Detection
Displaying Secure MAC Address Information
MAC Filter Configuration
Access Control Lists
Setting the ACL Name and Type
Configuring a Standard IPv4 ACL
Configuring an Extended IPv4 ACL
Configuring a Standard IPv6 ACL
Configuring an Extended IPv6 ACL
Configuring a MAC ACL
Configuring an ARP ACL
Binding a Port to an Access Control List
ARP Inspection
Configuring ARP Inspection
Displaying ARP Inspection Port Information
DHCP Snooping
DHCP Snooping Configuration
DHCP Snooping VLAN Configuration
DHCP Snooping Information Option Configuration
3-85
3-87
3-88
3-89
3-90
3-91
3-93
3-95
3-97
3-100
3-101
3-102
3-103
3-104
3-108
3-110
3-112
3-113
3-114
3-115
3-116
3-117
3-117
3-118
3-120
3-121
3-123
3-124
3-125
3-127
3-128
3-129
3-130
3-132
3-133
3-134
3-136
3-138
3-139
3-139
3-144
3-146
3-147
3-148
3-149
iii
Contents
Configuring Ports for DHCP Snooping
Displaying DHCP Snooping Binding Information
IP Source Guard
Configuring Ports for IP Source Guard
Configuring Static Binding for IP Source Guard
Displaying Information for Dynamic IP Source Guard Bindings
Port Configuration
Displaying Connection Status
Configuring Interface Connections
Creating Trunk Groups
Statically Configuring a Trunk
Enabling LACP on Selected Ports
Configuring Parameters for LACP Group Members
Configuring Parameters for LACP Groups
Displaying LACP Port Counters
Displaying LACP Settings and Status for the Local Side
Displaying LACP Settings and Status for the Remote Side
Setting Broadcast Storm Thresholds
Setting Multicast Storm Thresholds
Setting Unknown Unicast Storm Thresholds
Configuring Port Mirroring
Configuring Rate Limits
Rate Limit Configuration
Showing Port Statistics
Address Table Settings
Setting Static Addresses
Displaying the Address Table
Changing the Aging Time
Spanning Tree Algorithm Configuration
Configuring Port and Trunk Loopback Detection
Displaying Global Settings for STA
Configuring Global Settings for STA
Displaying Interface Settings for STA
Configuring Interface Settings for STA
Spanning Tree Edge Port Configuration
Configuring Multiple Spanning Trees
Displaying Interface Settings for MSTP
Configuring Interface Settings for MSTP
VLAN Configuration
IEEE 802.1Q VLANs
Enabling or Disabling GVRP (Global Setting)
Displaying Basic VLAN Information
Displaying Current VLANs
Creating VLANs
Adding Static Members to VLANs (VLAN Index)
iv
3-150
3-152
3-153
3-153
3-155
3-157
3-158
3-158
3-160
3-163
3-164
3-165
3-167
3-169
3-170
3-171
3-173
3-175
3-177
3-178
3-180
3-181
3-181
3-183
3-188
3-188
3-189
3-190
3-191
3-193
3-194
3-197
3-201
3-204
3-207
3-209
3-212
3-214
3-215
3-215
3-218
3-219
3-220
3-221
3-223
Contents
Adding Static Members to VLANs (Port Index)
Configuring VLAN Behavior for Interfaces
Configuring IEEE 802.1Q Tunneling
Enabling QinQ Tunneling on the Switch
Adding an Interface to a QinQ Tunnel
Traffic Segmentation
Configuring Global Settings for Traffic Segmentation
Configuring Traffic Segmentation Sessions
Private VLANs
Displaying Current Private VLANs
Configuring Private VLANs
Associating VLANs
Displaying Private VLAN Interface Information
Configuring Private VLAN Interfaces
Protocol VLANs
Configuring Protocol VLAN Groups
Mapping Protocols to VLANs
Configuring VLAN Mirroring
Configuring IP Subnet VLANs
Configuring MAC-based VLANs
OAM Configuration
Enabling OAM on Local Ports
Reporting of Errored Frame Link Events
Displaying Statistics for OAM Messages
Displaying the OAM Event Log
Displaying the Status of Remote Interfaces
Configuring Remote Device VLANs
Resetting a Remote Device
Configuring General Settings on a Remote Port
Displaying Statistics for a Remote Port
Configuring a Remote Loopback Test
Displaying the Results of Remote Loopback Testing
Link Layer Discovery Protocol
Setting LLDP Timing Attributes
Configuring LLDP Interface Attributes
Displaying LLDP Local Device Information
Displaying LLDP Remote Port Information
Displaying LLDP Remote Information Details
Displaying Device Statistics
Displaying Detailed Device Statistics
Class of Service Configuration
Layer 2 Queue Settings
Setting the Default Priority for Interfaces
Mapping CoS Values to Egress Queues
Selecting the Queue Mode
3-225
3-226
3-228
3-232
3-233
3-235
3-235
3-236
3-237
3-237
3-238
3-239
3-240
3-241
3-242
3-243
3-244
3-245
3-246
3-247
3-248
3-248
3-251
3-253
3-254
3-255
3-257
3-258
3-258
3-260
3-261
3-264
3-265
3-265
3-267
3-270
3-273
3-274
3-276
3-277
3-279
3-279
3-279
3-281
3-283
v
Contents
Displaying the Service Weight for Traffic Classes
Layer 3/4 Priority Settings
Mapping Layer 3/4 Priorities to CoS Values
Enabling IP DSCP Priority
Mapping DSCP Priority
Quality of Service
Configuring Quality of Service Parameters
Configuring a Class Map
Creating QoS Policies
Attaching a Policy Map to Ingress Queues
VoIP Traffic Configuration
Configuring VoIP Traffic
Configuring VoIP Traffic Ports
Configuring Telephony OUI
Multicast Filtering
Layer 2 IGMP (Snooping and Query)
Configuring IGMP Snooping and Query Parameters
Enabling IGMP Immediate Leave
Displaying Interfaces Attached to a Multicast Router
Specifying Static Interfaces for a Multicast Router
Displaying Port Members of Multicast Services
Assigning Ports to Multicast Services
IGMP Filtering and Throttling
Enabling IGMP Filtering and Throttling
Configuring IGMP Filter Profiles
Configuring IGMP Filtering and Throttling for Interfaces
Multicast VLAN Registration
Configuring Global MVR Settings
Displaying MVR Interface Status
Displaying Port Members of Multicast Groups
Configuring MVR Interface Status
Assigning Static Multicast Groups to Interfaces
Configuring MVR Receiver VLAN and Group Addresses
Displaying MVR Receiver Groups
Configuring Static MVR Receiver Group Members
Domain Name Service
Configuring General DNS Service Parameters
Configuring Static DNS Host to Address Entries
Displaying the DNS Cache
Switch Clustering
Configuring General Settings for Clusters
Cluster Member Configuration
Displaying Information on Cluster Members
Cluster Candidate Information
vi
3-284
3-285
3-285
3-285
3-286
3-288
3-288
3-289
3-291
3-294
3-295
3-295
3-296
3-298
3-300
3-301
3-302
3-304
3-306
3-307
3-308
3-309
3-310
3-310
3-311
3-313
3-315
3-316
3-318
3-319
3-320
3-322
3-323
3-324
3-325
3-326
3-326
3-328
3-330
3-331
3-331
3-333
3-334
3-335
Contents
UPnP
UPnP Configuration
RTR
Chapter 4: Command Line Interface
Using the Command Line Interface
Accessing the CLI
Console Connection
Telnet Connection
Entering Commands
Keywords and Arguments
Minimum Abbreviation
Command Completion
Getting Help on Commands
Showing Commands
Partial Keyword Lookup
Negating the Effect of Commands
Using Command History
Understanding Command Modes
Exec Commands
Configuration Commands
Command Line Processing
Command Groups
General Commands
enable
disable
configure
show history
reload (Privileged Exec)
reload (Global Configuration)
show reload
prompt
end
exit
quit
System Management Commands
Device Designation Commands
hostname
Banner Information Commands
banner configure
banner configure company
banner configure dc-power-info
banner configure department
banner configure equipment-info
banner configure equipment-location
3-336
3-337
3-338
4-1
4-1
4-1
4-1
4-2
4-3
4-3
4-3
4-3
4-3
4-4
4-5
4-5
4-5
4-6
4-6
4-7
4-9
4-10
4-11
4-12
4-12
4-13
4-13
4-14
4-14
4-16
4-16
4-16
4-17
4-17
4-18
4-18
4-18
4-19
4-20
4-21
4-22
4-22
4-23
4-24
vii
Contents
banner configure ip-lan
banner configure lp-number
banner configure manager-info
banner configure mux
banner configure note
show banner
System Status Commands
show startup-config
show running-config
show system
show users
show version
Frame Size Commands
jumbo frame
File Management Commands
copy
delete
dir
whichboot
boot system
upgrade opcode auto
upgrade opcode path
Line Commands
line
login
password
timeout login response
exec-timeout
password-thresh
silent-time
databits
parity
speed
stopbits
terminal length
terminal width
terminal escape-character
terminal terminal-type
terminal history
disconnect
show line
Event Logging Commands
logging on
logging history
logging host
viii
4-24
4-25
4-26
4-26
4-27
4-28
4-29
4-29
4-31
4-33
4-33
4-34
4-35
4-35
4-36
4-37
4-40
4-40
4-41
4-42
4-43
4-44
4-45
4-46
4-46
4-47
4-48
4-49
4-50
4-50
4-51
4-52
4-52
4-53
4-53
4-54
4-54
4-55
4-55
4-56
4-56
4-58
4-58
4-59
4-60
Contents
logging facility
logging trap
clear log
show logging
show log
SMTP Alert Commands
logging sendmail host
logging sendmail level
logging sendmail source-email
logging sendmail destination-email
logging sendmail
show logging sendmail
Time Commands
sntp client
sntp server
sntp poll
show sntp
ntp client
ntp server
ntp authenticate
ntp authentication-key
show ntp
clock timezone
clock timezone-predefined
clock summer-time (date)
clock summer-time (predefined)
clock summer-time (recurring)
calendar set
show calendar
Switch Cluster Commands
cluster
cluster commander
cluster ip-pool
cluster member
rcommand
show cluster
show cluster members
show cluster candidates
UPnP Commands
upnp device
upnp device ttl
upnp device advertise duration
show upnp
SNMP Commands
snmp-server
4-60
4-61
4-61
4-62
4-63
4-64
4-64
4-65
4-65
4-66
4-66
4-66
4-68
4-69
4-70
4-70
4-71
4-71
4-72
4-73
4-74
4-75
4-75
4-76
4-77
4-78
4-79
4-80
4-81
4-81
4-82
4-82
4-83
4-84
4-84
4-85
4-85
4-85
4-86
4-86
4-87
4-87
4-88
4-88
4-89
ix
Contents
show snmp
snmp-server community
snmp-server contact
snmp-server location
snmp-server host
snmp-server enable traps
snmp-server engine-id
show snmp engine-id
snmp-server view
show snmp view
snmp-server group
show snmp group
snmp-server user
show snmp user
Flow Sampling Commands
sflow
sflow source
sflow sample
sflow polling-interval
sflow owner
sflow timeout
sflow destination
sflow max-header-size
sflow max-datagram-size
show sflow
Authentication Commands
User Account and Privilege Level Commands
username
enable password
privilege
privilege rerun
show privilege
Authentication Sequence
authentication login
authentication enable
RADIUS Client
radius-server host
radius-server acct-port
radius-server auth-port
radius-server key
radius-server retransmit
radius-server timeout
show radius-server
TACACS+ Client
tacacs-server host
x
4-90
4-91
4-91
4-92
4-93
4-95
4-96
4-97
4-97
4-98
4-99
4-100
4-101
4-102
4-103
4-104
4-104
4-105
4-105
4-106
4-106
4-107
4-107
4-108
4-108
4-109
4-110
4-110
4-111
4-112
4-113
4-113
4-114
4-114
4-115
4-116
4-116
4-117
4-117
4-118
4-118
4-119
4-120
4-121
4-121
Contents
tacacs-server port
tacacs-server key
tacacs-server retransmit
tacacs-server timeout
show tacacs-server
AAA Commands
aaa group server
server
aaa accounting dot1x
aaa accounting exec
aaa accounting commands
aaa accounting update
accounting dot1x
accounting exec
accounting commands
aaa authorization exec
authorization exec
show accounting
Web Server Commands
ip http port
ip http server
ip http secure-server
ip http secure-port
Telnet Server Commands
ip telnet server
Secure Shell Commands
ip ssh server
ip ssh timeout
ip ssh authentication-retries
ip ssh server-key size
delete public-key
ip ssh crypto host-key generate
ip ssh crypto zeroize
ip ssh save host-key
show ip ssh
show ssh
show public-key
802.1X Port Authentication
dot1x system-auth-control
dot1x default
dot1x max-req
dot1x port-control
dot1x operation-mode
dot1x re-authenticate
dot1x re-authentication
4-122
4-122
4-123
4-123
4-124
4-125
4-125
4-126
4-127
4-128
4-129
4-130
4-130
4-131
4-131
4-132
4-133
4-133
4-134
4-134
4-135
4-135
4-136
4-137
4-137
4-138
4-140
4-141
4-141
4-142
4-142
4-143
4-143
4-144
4-144
4-145
4-146
4-147
4-147
4-148
4-148
4-148
4-149
4-150
4-151
xi
Contents
dot1x timeout quiet-period
dot1x timeout re-authperiod
dot1x timeout tx-period
dot1x timeout supp-timeout
dot1x intrusion-action
show dot1x
Management IP Filter Commands
management
show management
General Security Measures
Port Security Commands
port security
Network Access (MAC Address Authentication)
network-access aging
network-access mac-filter
network-access port-mac-filter
network-access max-mac-count
network-access mode
mac-authentication reauth-time
mac-authentication intrusion-action
mac-authentication max-mac-count
network-access dynamic-vlan
network-access guest-vlan
network-access dynamic-qos
network-access link-detection
network-access link-detection link-down
network-access link-detection link-up
network-access link-detection link-up-down
clear network-access
show network-access
show network-access mac-address-table
show network-access mac-filter
Web Authentication
web-auth login-attempts
web-auth quiet-period
web-auth session-timeout
web-auth system-auth-control
web-auth
web-auth re-authenticate (Port)
web-auth re-authenticate (IP)
show web-auth
show web-auth interface
show web-auth summary
DHCP Snooping Commands
ip dhcp snooping
xii
4-151
4-152
4-152
4-153
4-153
4-154
4-157
4-157
4-158
4-159
4-160
4-160
4-162
4-163
4-163
4-164
4-165
4-165
4-166
4-167
4-167
4-168
4-168
4-169
4-170
4-170
4-171
4-171
4-172
4-172
4-173
4-174
4-175
4-175
4-176
4-176
4-177
4-177
4-178
4-178
4-179
4-179
4-179
4-180
4-181
Contents
ip dhcp snooping vlan
ip dhcp snooping trust
ip dhcp snooping verify mac-address
ip dhcp snooping information option
ip dhcp snooping information policy
ip dhcp snooping database flash
clear ip dhcp snooping database flash
show ip dhcp snooping
show ip dhcp snooping binding
IP Source Guard Commands
ip source-guard
ip source-guard binding
show ip source-guard
show ip source-guard binding
ARP Inspection Commands
ip arp inspection
ip arp inspection vlan
ip arp inspection filter
ip arp inspection validate
ip arp inspection log-buffer logs
ip arp inspection trust
ip arp inspection limit
show ip arp inspection configuration
show ip arp inspection interface
show ip arp inspection vlan
show ip arp inspection log
show ip arp inspection statistics
Access Control List Commands
IPv4 ACLs
access-list rule-mode
access-list ip
permit, deny (Standard IPv4 ACL)
permit, deny (Extended IPv4 ACL)
show ip access-list
ip access-group
show ip access-group
IPv6 ACLs
access-list ipv6
permit, deny (Standard IPv6 ACL)
permit, deny (Extended IPv6 ACL)
show ipv6 access-list
ipv6 access-group
show ipv6 access-group
ARP ACLs
access-list arp
4-182
4-183
4-184
4-185
4-186
4-186
4-187
4-187
4-187
4-188
4-188
4-190
4-191
4-191
4-192
4-192
4-193
4-194
4-195
4-196
4-197
4-197
4-198
4-198
4-199
4-199
4-200
4-200
4-201
4-201
4-202
4-203
4-204
4-206
4-206
4-207
4-207
4-208
4-209
4-210
4-211
4-211
4-212
4-212
4-213
xiii
Contents
permit, deny (ARP ACL)
show arp access-list
MAC ACLs
access-list mac
permit, deny (MAC ACL)
show mac access-list
mac access-group
show mac access-group
ACL Information
show access-list
show access-group
Interface Commands
interface
description
speed-duplex
negotiation
capabilities
flowcontrol
media-type
giga-phy-mode
shutdown
switchport packet-rate
clear counters
show interfaces brief
show interfaces status
show interfaces counters
show interfaces switchport
Automatic Traffic Control Commands
auto-traffic-control apply-timer
auto-traffic-control release-timer
auto-traffic-control
auto-traffic-control alarm-fire-threshold
auto-traffic-control alarm-clear-threshold
auto-traffic-control action
auto-traffic-control control-release
auto-traffic-control auto-control-release
snmp-server enable port-traps atc broadcast-alarm-fire
snmp-server enable port-traps atc multicast-alarm-fire
snmp-server enable port-traps atc broadcast-alarm-clear
snmp-server enable port-traps atc multicast-alarm-clear
snmp-server enable port-traps atc broadcast-control-apply
snmp-server enable port-traps atc multicast-control-apply
snmp-server enable port-traps atc broadcast-control-release
snmp-server enable port-traps atc multicast-control-release
show auto-traffic-control
xiv
4-214
4-215
4-216
4-216
4-217
4-218
4-219
4-219
4-220
4-220
4-220
4-221
4-222
4-222
4-223
4-224
4-225
4-226
4-227
4-227
4-228
4-229
4-230
4-231
4-231
4-232
4-233
4-235
4-238
4-239
4-240
4-240
4-241
4-242
4-243
4-244
4-244
4-245
4-245
4-246
4-246
4-247
4-247
4-248
4-248
Contents
show auto-traffic-control interface
Link Aggregation Commands
channel-group
lacp
lacp system-priority
lacp admin-key (Ethernet Interface)
lacp admin-key (Port Channel)
lacp port-priority
lacp active/passive
show lacp
Mirror Port Commands
port monitor
show port monitor
Rate Limit Commands
rate-limit
Address Table Commands
mac-address-table static
clear mac-address-table dynamic
show mac-address-table
mac-address-table aging-time
show mac-address-table aging-time
Spanning Tree Commands
spanning-tree
spanning-tree mode
spanning-tree forward-time
spanning-tree hello-time
spanning-tree max-age
spanning-tree priority
spanning-tree system-bpdu-flooding
spanning-tree pathcost method
spanning-tree transmission-limit
spanning-tree mst-configuration
mst vlan
mst priority
name
revision
max-hops
spanning-tree spanning-disabled
spanning-tree cost
spanning-tree port-priority
spanning-tree edge-port
spanning-tree portfast
spanning-tree bpdu-filter
spanning-tree bpdu-guard
spanning-tree port-bpdu-flooding
4-249
4-250
4-251
4-252
4-253
4-254
4-255
4-256
4-257
4-257
4-262
4-262
4-263
4-265
4-265
4-266
4-266
4-267
4-268
4-269
4-269
4-270
4-271
4-272
4-273
4-273
4-274
4-275
4-275
4-276
4-277
4-277
4-278
4-279
4-279
4-280
4-281
4-281
4-282
4-283
4-284
4-285
4-286
4-287
4-287
xv
Contents
spanning-tree root-guard
spanning-tree link-type
spanning-tree loopback-detection
spanning-tree loopback-detection release-mode
spanning-tree loopback-detection trap
spanning-tree mst cost
spanning-tree mst port-priority
spanning-tree protocol-migration
show spanning-tree
show spanning-tree mst configuration
VLAN Commands
GVRP and Bridge Extension Commands
bridge-ext gvrp
show bridge-ext
switchport gvrp
show gvrp configuration
garp timer
show garp timer
Editing VLAN Groups
vlan database
vlan
Configuring VLAN Interfaces
interface vlan
switchport mode
switchport acceptable-frame-types
switchport ingress-filtering
switchport native vlan
switchport allowed vlan
switchport forbidden vlan
vlan-trunking
Displaying VLAN Information
show vlan
Configuring IEEE 802.1Q Tunneling
dot1q-tunnel system-tunnel-control
switchport dot1q-tunnel mode
switchport dot1q-tunnel tpid
show dot1q-tunnel
Configuring Port-based Traffic Segmentation
pvlan
pvlan uplink/downlink
pvlan session
pvlan up-to-up
show pvlan
Configuring Private VLANs
private-vlan
xvi
4-288
4-289
4-289
4-290
4-291
4-291
4-292
4-293
4-294
4-296
4-296
4-297
4-297
4-298
4-298
4-299
4-299
4-300
4-301
4-301
4-302
4-303
4-303
4-304
4-305
4-305
4-306
4-307
4-308
4-308
4-310
4-310
4-311
4-312
4-313
4-314
4-315
4-315
4-316
4-317
4-317
4-318
4-318
4-319
4-320
Contents
private vlan association
switchport mode private-vlan
switchport private-vlan host-association
switchport private-vlan mapping
show vlan private-vlan
Configuring Protocol-based VLANs
protocol-vlan protocol-group (Configuring Groups)
protocol-vlan protocol-group (Configuring VLANs)
show protocol-vlan protocol-group
show protocol-vlan protocol-group-vid
Configuring IP Subnet VLANs
subnet-vlan
show subnet-vlan
Configuring MAC Based VLANs
mac-vlan
show mac-vlan
Configuring Voice VLANs
voice vlan
voice vlan aging
voice vlan mac-address
switchport voice vlan
switchport voice vlan rule
switchport voice vlan security
switchport voice vlan priority
show voice vlan
OAM Commands
efm oam
efm oam mode
efm oam critical-link-event
efm oam link-monitor frame
efm oam link-monitor frame threshold
efm oam link-monitor frame window
efm oam remote factory-default
efm oam remote reset
efm oam remote vlan
efm oam remote-port default-priority
efm oam remote-port default-vlan
efm oam remote-port igmp-snooping
efm oam remote-port shudown
efm oam remote-loopback
efm oam remote-loopback test
clear efm oam counters
show efm oam counters interface
show efm oam event-log interface
show efm oam remote vlan interface
4-321
4-322
4-322
4-323
4-323
4-324
4-325
4-325
4-326
4-327
4-327
4-328
4-328
4-329
4-329
4-330
4-331
4-331
4-332
4-333
4-334
4-334
4-335
4-336
4-336
4-337
4-338
4-339
4-340
4-340
4-341
4-341
4-342
4-342
4-343
4-343
4-344
4-345
4-345
4-346
4-347
4-348
4-348
4-349
4-350
xvii
Contents
show efm oam remote-port counters interface
show efm oam remote-port status interface
show efm oam status interface
show efm oam status remote interface
show efm oam remote-loopback interface
LLDP Commands
lldp
lldp holdtime-multiplier
lldp medFastStartCount
lldp notification-interval
lldp refresh-interval
lldp reinit-delay
lldp tx-delay
lldp admin-status
lldp notification
lldp mednotification
lldp basic-tlv management-ip-address
lldp basic-tlv port-description
lldp basic-tlv system-capabilities
lldp basic-tlv system-description
lldp basic-tlv system-name
lldp dot1-tlv proto-ident
lldp dot1-tlv proto-vid
lldp dot1-tlv pvid
lldp dot1-tlv vlan-name
lldp dot3-tlv link-agg
lldp dot3-tlv mac-phy
lldp dot3-tlv max-frame
lldp dot3-tlv poe
lldp medtlv extpoe
lldp medtlv inventory
lldp medtlv location
lldp medtlv med-cap
lldp medtlv network-policy
show lldp config
show lldp info local-device
show lldp info remote-device
show lldp info statistics
Class of Service Commands
Priority Commands (Layer 2)
queue mode
switchport priority default
queue cos-map
show queue mode
show queue bandwidth
xviii
4-350
4-351
4-352
4-353
4-353
4-354
4-356
4-356
4-357
4-357
4-358
4-358
4-359
4-360
4-360
4-361
4-362
4-362
4-363
4-363
4-364
4-364
4-365
4-365
4-366
4-366
4-367
4-367
4-368
4-368
4-369
4-369
4-370
4-370
4-371
4-373
4-374
4-375
4-376
4-376
4-376
4-377
4-378
4-379
4-379
Contents
show queue cos-map
Priority Commands (Layer 3 and 4)
map ip dscp (Global Configuration)
map ip dscp (Interface Configuration)
show map ip dscp
Quality of Service Commands
class-map
match
rename
description
policy-map
class
set
police
service-policy
show class-map
show policy-map
show policy-map interface
Multicast Filtering Commands
IGMP Snooping Commands
ip igmp snooping
ip igmp snooping vlan static
ip igmp snooping version
ip igmp snooping leave-proxy
ip igmp snooping immediate-leave
show ip igmp snooping
show mac-address-table multicast
IGMP Query Commands (Layer 2)
ip igmp snooping querier
ip igmp snooping query-count
ip igmp snooping query-interval
ip igmp snooping query-max-response-time
ip igmp snooping router-port-expire-time
Static Multicast Routing Commands
ip igmp snooping vlan mrouter
show ip igmp snooping mrouter
IGMP Filtering and Throttling Commands
ip igmp filter (Global Configuration)
ip igmp profile
permit, deny
range
ip igmp filter (Interface Configuration)
ip igmp max-groups
ip igmp max-groups action
show ip igmp filter
4-380
4-381
4-381
4-381
4-383
4-384
4-385
4-386
4-387
4-387
4-388
4-388
4-389
4-390
4-391
4-392
4-392
4-393
4-394
4-394
4-395
4-395
4-396
4-397
4-397
4-398
4-399
4-399
4-400
4-400
4-401
4-401
4-402
4-403
4-403
4-404
4-405
4-405
4-406
4-406
4-407
4-407
4-408
4-409
4-409
xix
Contents
show ip igmp profile
show ip igmp throttle interface
Multicast VLAN Registration Commands
mvr (Global Configuration)
mvr (Interface Configuration)
mvr immediate
show mvr
Domain Name Service Commands
ip host
clear host
ip domain-name
ip domain-list
ip name-server
ip domain-lookup
show hosts
show dns
show dns cache
clear dns cache
IP Interface Commands
ip address
ip default-gateway
ip dhcp restart
show ip interface
show ip redirects
show arp
ping
4-410
4-410
4-411
4-412
4-414
4-415
4-416
4-419
4-419
4-420
4-421
4-421
4-422
4-423
4-424
4-424
4-425
4-425
4-426
4-426
4-427
4-428
4-428
4-429
4-429
4-430
Appendix A: Software Specifications
Software Features
Management Features
Standards
Management Information Bases
A-1
A-1
A-2
A-2
A-3
Appendix B: Troubleshooting
Problems Accessing the Management Interface
Using System Logs
B-1
B-1
B-2
Glossary
Index
xx
Tables
Table 1-1
Table 1-2
Table 3-1
Table 3-2
Table 3-3
Table 3-4
Table 3-5
Table 3-6
Table 3-7
Table 3-8
Table 3-9
Table 3-10
Table 3-11
Table 3-12
Table 3-13
Table 3-14
Table 3-15
Table 3-16
Table 3-17
Table 3-18
Table 3-19
Table 3-20
Table 3-21
Table 3-22
Table 3-23
Table 4-1
Table 4-2
Table 4-3
Table 4-4
Table 4-5
Table 4-6
Table 4-7
Table 4-8
Table 4-9
Table 4-10
Table 4-11
Table 4-12
Table 4-13
Table 4-14
Table 4-15
Table 4-16
Table 4-17
Key Features
System Defaults
Configuration Options
Main Menu
Logging Levels
Supported Notification Messages
HTTPS System Support
802.1X Statistics
Dynamic QoS Profiles
LACP Port Counters
LACP Internal Configuration Information
LACP Neighbor Configuration Information
Port Statistics
Recommended STA Path Cost Range
Recommended STA Path Costs
Default STA Path Costs
OAM Operation Status
Remote Port Statistics
Remote Loopback Status
Chassis ID Subtype
System Capabilities
Port ID Subtype
Mapping CoS Values to Egress Queues
CoS Priority Levels
Mapping DSCP Priority Values
Command Modes
Configuration Modes
Command Line Processing
Command Groups
General Commands
System Management Commands
Device Designation Commands
Banner Commands
System Status Commands
Frame Size Commands
Flash/File Commands
File Directory Information
Line Commands
Event Logging Commands
Logging Levels
show logging flash/ram - display description
SMTP Alert Commands
1-1
1-6
3-3
3-4
3-36
3-62
3-90
3-108
3-119
3-170
3-171
3-173
3-183
3-205
3-206
3-206
3-249
3-260
3-262
3-270
3-271
3-274
3-281
3-281
3-286
4-6
4-8
4-9
4-10
4-11
4-18
4-18
4-19
4-29
4-35
4-36
4-41
4-45
4-58
4-59
4-62
4-64
xxi
Tables
Table 4-18
Table 4-19
Table 4-20
Table 4-21
Table 4-22
Table 4-23
Table 4-24
Table 4-26
Table 4-25
Table 4-27
Table 4-28
Table 4-29
Table 4-30
Table 4-31
Table 4-32
Table 4-33
Table 4-34
Table 4-35
Table 4-36
Table 4-37
Table 4-38
Table 4-39
Table 4-40
Table 4-41
Table 4-42
Table 4-43
Table 4-44
Table 4-45
Table 4-46
Table 4-47
Table 4-48
Table 4-49
Table 4-50
Table 4-51
Table 4-52
Table 4-53
Table 4-54
Table 4-55
Table 4-56
Table 4-57
Table 4-58
Table 4-59
Table 4-60
Table 4-61
Table 4-62
xxii
Time Commands
Predefined Summer-Time Parameters
Switch Cluster Commands
SNMP Commands
show snmp engine-id - display description
show snmp view - display description
show snmp group - display description
sFlow Commands
show snmp user - display description
Authentication Commands
User Access Commands
Default Login Settings
Authentication Sequence
RADIUS Client Commands
TACACS Commands
AAA Commands
Web Server Commands
HTTPS System Support
Telnet Server Commands
SSH Commands
show ssh - display description
802.1X Port Authentication
IP Filter Commands
General Security Commands
Port Security Commands
Network Access
Dynamic QoS Profiles
Web Authentication
DHCP Snooping Commands
IP Source Guard Commands
ARP Inspection Commands
Access Control Lists
IPv4 ACL Commands
IPv6 ACL Commands
ARP ACL Commands
MAC ACL Commands
ACL Information
Interface Commands
show interfaces switchport - display description
ATC Commands
Link Aggregation Commands
show lacp counters - display description
show lacp internal - display description
show lacp neighbors - display description
show lacp sysid - display description
4-68
4-79
4-81
4-88
4-97
4-98
4-101
4-103
4-103
4-109
4-110
4-110
4-114
4-116
4-121
4-125
4-134
4-136
4-137
4-138
4-145
4-147
4-157
4-159
4-160
4-162
4-169
4-175
4-180
4-188
4-192
4-200
4-201
4-207
4-212
4-216
4-220
4-221
4-234
4-235
4-250
4-258
4-259
4-260
4-261
Tables
Table 4-63
Table 4-64
Table 4-65
Table 4-66
Table 4-67
Table 4-68
Table 4-69
Table 4-70
Table 4-71
Table 4-72
Table 4-73
Table 4-74
Table 4-75
Table 4-76
Table 4-77
Table 4-78
Table 4-79
Table 4-80
Table 4-81
Table 4-82
Table 4-83
Table 4-84
Table 4-85
Table 4-86
Table 4-87
Table 4-88
Table 4-89
Table 4-90
Table 4-91
Table 4-92
Table 4-93
Table 4-94
Table 4-95
Table 4-96
Table 4-97
Table 4-98
Table 4-99
Table 4-101
Table 4-100
Table 4-102
Table 4-103
Table B-1
Mirror Port Commands
Rate Limit Commands
Address Table Commands
Spanning Tree Commands
Recommended STA Path Cost Range
Recommended STA Path Cost
Default STA Path Costs
VLAN Command Groups
GVRP and Bridge Extension Commands
Editing VLAN Groups
Configuring VLAN Interfaces
Show VLAN Commands
IEEE 802.1Q Tunneling Commands
Traffic Segmentation Commands
Traffic Segmentation Forwarding
Private VLAN Commands
Protocol-based VLAN Commands
IP Subnet VLAN Commands
IP Subnet VLAN Commands
Voice VLAN Commands
OAM Commands
LLDP Commands
Priority Commands
Priority Commands (Layer 2)
Default CoS Values to Egress Queues
Priority Commands (Layer 3 and 4)
IP DSCP to CoS Vales
Quality of Service Commands
Multicast Filtering Commands
IGMP Snooping Commands
IGMP Query Commands (Layer 2)
Static Multicast Routing Commands
IGMP Filtering and Throttling Commands
Multicast VLAN Registration Commands
show mvr - display description
show mvr interface - display description
show mvr members - display description
DNS Commands
show mvr receiver members - display description
show dns cache - display description
IP Interface Commands
Troubleshooting Chart
4-262
4-265
4-266
4-270
4-282
4-282
4-283
4-296
4-297
4-301
4-303
4-310
4-311
4-315
4-316
4-319
4-324
4-327
4-329
4-331
4-337
4-354
4-376
4-376
4-378
4-381
4-382
4-384
4-394
4-394
4-399
4-403
4-405
4-411
4-417
4-417
4-418
4-419
4-419
4-425
4-426
B-1
xxiii
Tables
xxiv
Figures
Figure 3-1
Figure 3-2
Figure 3-3
Figure 3-4
Figure 3-5
Figure 3-6
Figure 3-7
Figure 3-8
Figure 3-9
Figure 3-10
Figure 3-11
Figure 3-12
Figure 3-13
Figure 3-14
Figure 3-15
Figure 3-16
Figure 3-17
Figure 3-18
Figure 3-19
Figure 3-20
Figure 3-21
Figure 3-22
Figure 3-23
Figure 3-24
Figure 3-25
Figure 3-26
Figure 3-27
Figure 3-28
Figure 3-29
Figure 3-30
Figure 3-31
Figure 3-32
Figure 3-33
Figure 3-34
Figure 3-35
Figure 3-36
Figure 3-37
Figure 3-38
Figure 3-39
Figure 3-40
Figure 3-41
Figure 3-42
Home Page
Panel Display
System Information
Switch Information
Bridge Extension Configuration
Manual IP Configuration
DHCP IP Configuration
Jumbo Frames Configuration
Configuring Automatic Code Upgrade
Copy Firmware
Setting the Startup Code
Deleting Files
Downloading Configuration Settings for Startup
Setting the Startup Configuration Settings
Uploading Files Using HTTP
Downloading Files Using HTTP
Console Port Settings
Enabling Telnet
System Logs
Remote Logs
Displaying Logs
Enabling and Configuring SMTP
Resetting the System
Current Time Configuration
SNTP Configuration
NTP Client Configuration
Setting the System Clock
Summer Time
Enabling SNMP Agent Status
Configuring SNMP Community Strings
Configuring IP Trap Managers
Setting an Engine ID
Setting a Remote Engine ID
Configuring SNMPv3 Users
Configuring Remote SNMPv3 Users
Configuring SNMPv3 Groups
Configuring SNMPv3 Views
sFlow Global Configuration
sFlow Port Configuration
Access Levels
Authentication Settings
Encryption Key Settings
3-2
3-3
3-14
3-15
3-17
3-18
3-19
3-21
3-25
3-26
3-26
3-27
3-29
3-29
3-31
3-31
3-33
3-35
3-37
3-38
3-39
3-40
3-42
3-43
3-44
3-45
3-47
3-49
3-51
3-52
3-55
3-56
3-57
3-59
3-61
3-64
3-65
3-68
3-70
3-72
3-75
3-77
xxv
Figures
Figure 3-43
Figure 3-44
Figure 3-45
Figure 3-46
Figure 3-47
Figure 3-48
Figure 3-49
Figure 3-50
Figure 3-51
Figure 3-52
Figure 3-53
Figure 3-54
Figure 3-55
Figure 3-56
Figure 3-57
Figure 3-58
Figure 3-59
Figure 3-60
Figure 3-61
Figure 3-62
Figure 3-63
Figure 3-64
Figure 3-65
Figure 3-66
Figure 3-67
Figure 3-68
Figure 3-69
Figure 3-70
Figure 3-71
Figure 3-72
Figure 3-73
Figure 3-74
Figure 3-75
Figure 3-76
Figure 3-77
Figure 3-78
Figure 3-79
Figure 3-80
Figure 3-81
Figure 3-82
Figure 3-83
Figure 3-84
Figure 3-85
Figure 3-86
Figure 3-87
xxvi
AAA Radius Group Settings
AAA TACACS+ Group Settings
AAA Accounting Settings
AAA Accounting Update
AAA Accounting 802.1X Port Settings
AAA Accounting Exec Command Privileges
AAA Accounting Exec Settings
AAA Accounting Summary
AAA Authorization Settings
AAA Authorization Exec Settings
AAA Authorization Summary
HTTPS Settings
HTTPS Settings
SSH Host-Key Settings
SSH User Public-Key Settings
SSH Server Settings
802.1X Global Information
802.1X Global Configuration
802.1X Port Configuration
Displaying 802.1X Port Statistics
Creating an IP Filter List
Configuring Port Security
Web Authentication Configuration
Web Authentication Port Configuration
Web Authentication Port Information
Web Authentication Port Re-authentication
Network Access Configuration
Network Access Port Configuration
Network Access Port Link Detection Configuration
Network Access MAC Address Information
Network Access MAC Filter Configuration
Selecting ACL Type
ACL Configuration - Standard IPv4
ACL Configuration - Extended IPv4
ACL Configuration - Standard IPv6
ACL Configuration - Extended IPv6
ACL Configuration - MAC
ACL Configuration - ARP
Configuring ACL Port Binding
Configuring ARP Inspection
Displaying Statistics for ARP Inspection
DHCP Snooping Configuration
DHCP Snooping VLAN Configuration
DHCP Snooping Information Option Configuration
DHCP Snooping Port Configuration
3-79
3-80
3-81
3-82
3-83
3-84
3-85
3-86
3-88
3-88
3-89
3-91
3-92
3-96
3-98
3-100
3-102
3-103
3-106
3-109
3-111
3-114
3-115
3-116
3-117
3-118
3-121
3-122
3-124
3-125
3-126
3-128
3-129
3-131
3-132
3-133
3-135
3-137
3-138
3-143
3-145
3-147
3-148
3-150
3-151
Figures
Figure 3-88
Figure 3-89
Figure 3-90
Figure 3-91
Figure 3-92
Figure 3-93
Figure 3-94
Figure 3-95
Figure 3-96
Figure 3-97
Figure 3-98
Figure 3-99
Figure 3-100
Figure 3-101
Figure 3-102
Figure 3-103
Figure 3-104
Figure 3-105
Figure 3-106
Figure 3-107
Figure 3-108
Figure 3-109
Figure 3-110
Figure 3-111
Figure 3-112
Figure 3-113
Figure 3-114
Figure 3-115
Figure 3-116
Figure 3-117
Figure 3-118
Figure 3-119
Figure 3-120
Figure 3-121
Figure 3-122
Figure 3-123
Figure 3-124
Figure 3-125
Figure 3-126
Figure 3-127
Figure 3-128
Figure 3-129
Figure 3-130
Figure 3-131
Figure 3-132
DHCP Snooping Binding Information
IP Source Guard Port Configuration
Static IP Source Guard Binding Configuration
Dynamic IP Source Guard Binding Information
Displaying Port/Trunk Information
Port/Trunk Configuration
Configuring Static Trunks
LACP Trunk Configuration
LACP Port Configuration
LACP Aggregation Group Configuration
LACP - Port Counters Information
LACP - Port Internal Information
LACP - Port Neighbors Information
Port Broadcast Control
Port Multicast Control
Port Unknown Unicast Control
Mirror Port Configuration
Input Rate Limit Port Configuration
Port Statistics
Configuring a Static Address Table
Configuring a Dynamic Address Table
Setting the Address Aging Time
Configuring Port Loopback Detection
Displaying Spanning Tree Information
Configuring Spanning Tree
Displaying Spanning Tree Port Information
Configuring Spanning Tree per Port
Configuring Edge Port Parameters
Configuring Multiple Spanning Trees
Displaying MSTP Interface Settings
Displaying MSTP Interface Settings
Globally Enabling GVRP
Displaying Basic VLAN Information
Displaying Current VLANs
Configuring a VLAN Static List
Configuring a VLAN Static Table
VLAN Static Membership by Port
Configuring VLANs per Port
802.1Q Tunnel Status and Ethernet Type
Tunnel Port Configuration
Traffic Segmentation Status Configuration
Traffic Segmentation Session Configuration
Private VLAN Information
Private VLAN Configuration
Private VLAN Association
3-152
3-154
3-156
3-157
3-158
3-162
3-164
3-166
3-168
3-170
3-171
3-172
3-174
3-176
3-178
3-179
3-180
3-182
3-186
3-188
3-189
3-190
3-194
3-196
3-200
3-203
3-207
3-208
3-210
3-212
3-215
3-218
3-219
3-220
3-222
3-224
3-225
3-227
3-232
3-234
3-235
3-236
3-238
3-239
3-239
xxvii
Figures
Figure 3-133
Figure 3-134
Figure 3-135
Figure 3-136
Figure 3-137
Figure 3-138
Figure 3-139
Figure 3-140
Figure 3-141
Figure 3-142
Figure 3-143
Figure 3-144
Figure 3-145
Figure 3-146
Figure 3-147
Figure 3-148
Figure 3-149
Figure 3-150
Figure 3-151
Figure 3-152
Figure 3-153
Figure 3-154
Figure 3-155
Figure 3-156
Figure 3-157
Figure 3-158
Figure 3-159
Figure 3-160
Figure 3-161
Figure 3-162
Figure 3-163
Figure 3-164
Figure 3-165
Figure 3-166
Figure 3-167
Figure 3-168
Figure 3-169
Figure 3-170
Figure 3-171
Figure 3-172
Figure 3-173
Figure 3-174
Figure 3-175
Figure 3-176
Figure 3-177
xxviii
Private VLAN Port Information
Private VLAN Port Configuration
Protocol VLAN Configuration
Protocol VLAN System Configuration
VLAN Mirror Configuration
IP Subnet VLAN Configuration
MAC-based VLAN Configuration
Enabling OAM for Local Ports
Reporting Errored Frame Link Events
Displaying Statistics for OAM Messages
Displaying the OAM Event Log
Displaying Status of Remote Interfaces
Remote Device VLAN Configuration
Remote Device Reset
Remote Port Configuration
Remote Port Counters
Running a Remote Loopback Test
Displaying the Results of Remote Loopback Testing
LLDP Configuration
LLDP Port Configuration
LLDP Local Device Information
LLDP Remote Port Information
LLDP Remote Information Details
LLDP Device Statistics
LLDP Device Statistics Details
Port Priority Configuration
Traffic Classes
Queue Mode
Displaying Queue Scheduling
IP DSCP Priority Status
Mapping IP DSCP Priority Values
Configuring Class Maps
Configuring Policy Maps
Service Policy Settings
Configuring VoIP Traffic
VoIP Traffic Port Configuration
Telephony OUI List
IGMP Configuration
IGMP Immediate Leave
Displaying Multicast Router Port Information
Static Multicast Router Port Configuration
IP Multicast Registration Table
IGMP Member Port Table
Enabling IGMP Filtering and Throttling
IGMP Profile Configuration
3-240
3-242
3-243
3-244
3-245
3-247
3-248
3-250
3-251
3-253
3-254
3-256
3-257
3-258
3-259
3-261
3-263
3-264
3-266
3-269
3-272
3-273
3-275
3-276
3-278
3-280
3-282
3-283
3-284
3-285
3-287
3-290
3-293
3-294
3-296
3-297
3-299
3-303
3-305
3-306
3-307
3-308
3-309
3-311
3-312
Figures
Figure 3-178
Figure 3-179
Figure 3-180
Figure 3-181
Figure 3-182
Figure 3-183
Figure 3-184
Figure 3-185
Figure 3-186
Figure 3-187
Figure 3-188
Figure 3-189
Figure 3-190
Figure 3-191
Figure 3-192
Figure 3-193
Figure 3-194
Figure 3-195
IGMP Filter and Throttling Port Configuration
MVR Global Configuration
MVR Port Information
MVR Group IP Information
MVR Port Configuration
MVR Group Member Configuration
MVR Receiver VLAN Configuration
MVR Receiver Group Address Table
Static MVR Receiver Group Member Configuration
DNS General Configuration
DNS Static Host Table
DNS Cache
Cluster Member Choice
Cluster Configuration
Cluster Member Configuration
Cluster Member Information
Cluster Candidate Information
UPnP Configuration
3-314
3-317
3-318
3-319
3-321
3-322
3-323
3-324
3-325
3-327
3-329
3-330
3-331
3-332
3-333
3-334
3-335
3-337
xxix
Figures
xxx
Chapter 1: Introduction
This switch provides a broad range of features for Layer 2 switching. It includes a
management agent that allows you to configure the features listed in this manual.
The default configuration can be used for most of the features provided by this
switch. However, there are many options that you should configure to maximize the
switch’s performance for your particular network environment.
Key Features
Table 1-1 Key Features
Feature
Description
Configuration Backup and
Restore
Backup to FTP/TFTP server
Authentication and
Security Measures
Console, Telnet, web – User name / password, RADIUS, TACACS+,
AAA, ARP inspection
Web – HTTPS
Telnet – SSH
SNMP v1/2c - Community strings
SNMP version 3 – MD5 or SHA password
Port Authentication – IEEE 802.1X,
Port Security – MAC address filtering
Private VLANs
Network Access – MAC Address Authentication
Web Authentication – Web access with RADIUS Authentication
DHCP Snooping (with Option 82 relay information)
IP Source Guard
Access Control Lists
Supports IP and MAC ACLs, 100 rules per system
DHCP
Client
DNS
Client and Proxy service
Port Configuration
Speed, duplex mode and flow control
Rate Limiting
Input rate limiting per port
Port Mirroring
One port mirrored to a single analysis port
Port Trunking
Supports up to 8 trunks using either static or dynamic trunking (LACP)
Storm Control
Throttling for broadcast, multicast, and unknown unicast storms
Address Table
Up to 8K MAC addresses in the forwarding table
IEEE 802.1D Bridge
Supports dynamic data switching and address learning
Store-and-Forward Switching Supported to ensure wire-speed switching while eliminating bad frames
Spanning Tree Algorithm
Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple
Spanning Trees (MSTP)
1-1
1
Introduction
Table 1-1 Key Features (Continued)
Feature
Description
Virtual LANs
Up to 255 using IEEE 802.1Q, port-based, protocol-based, and private
VLANs
Traffic Prioritization
Default port priority, traffic class map, queue scheduling, or Differentiated
Services Code Point (DSCP)
Quality of Service
Supports Differentiated Services (DiffServ)
Link Layer Discovery Protocol Used to discover basic information about neighboring devices
Multicast Filtering
Supports IGMP snooping and query, as well as Multicast VLAN Registration
Switch Clustering
Supports up to 36 member switches in a cluster
Tunneling
Supports IEEE 802.1Q tunneling (QinQ)
Description of Software Features
The switch provides a wide range of advanced performance enhancing features.
Flow control eliminates the loss of packets due to bottlenecks caused by port
saturation. Storm suppression prevents broadcast, multicast or unknown unicast
traffic storms from engulfing the network. Port-based, protocol based and private
VLANs, plus support for automatic GVRP VLAN registration provide traffic security
and efficient use of network bandwidth. CoS priority queueing ensures the minimum
delay for moving real-time multimedia data across the network. While multicast
filtering provides support for real-time network applications. Some of the
management features are briefly described below.
Configuration Backup and Restore – You can save the current configuration
settings to a file on an FTP/TFTP server or to a management station using a web
browser, and later download this file to restore the switch configuration settings.
Authentication – This switch authenticates management access via the console
port, Telnet or web browser. User names and passwords can be configured locally or
can be verified via a remote authentication server (i.e., RADIUS or TACACS+).
Port-based authentication is also supported via the IEEE 802.1X protocol. This
protocol uses the Extensible Authentication Protocol over LANs (EAPOL) to request
user credentials from the 802.1X client, and then verifies the client’s right to access
the network via an authentication server.
Other authentication options include HTTPS for secure management access via the
web, SSH for secure management access over a Telnet-equivalent connection,
SNMP Version 3, IP address filtering for SNMP/web/Telnet management access.
MAC address filtering and IP source guard also provide authenticated port access.
While DHCP snooping is provided to prevent malicious attacks from insecure ports.
1-2
Description of Software Features
1
Access Control Lists – ACLs provide packet filtering for IPv4 frames (based on
address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames
(based on address, or DSCP), or any frames (based on MAC address or Ethernet
type). ACLs can be used to improve performance by blocking unnecessary network
traffic or to implement security controls by restricting access to specific network
resources or protocols.
Port Configuration – You can manually configure the speed, duplex mode, and
flow control used on specific ports, or use auto-negotiation to detect the connection
settings used by the attached device. Use full-duplex mode on ports whenever
possible to double the throughput of switch connections. Flow control should also be
enabled to control network traffic during periods of congestion and prevent the loss
of packets when port buffer thresholds are exceeded. The switch supports flow
control based on the IEEE 802.3x standard (now incorporated in IEEE 802.3-2002).
Rate Limiting – This feature controls the maximum rate for traffic transmitted or
received on an interface. Rate limiting is configured on interfaces at the edge of a
network to limit traffic into or out of the network. Packets that exceed the acceptable
amount of traffic are dropped.
Port Mirroring – The switch can unobtrusively mirror traffic from any port, VLAN or
packets with a specified MAC address to a monitor port. You can then attach a
protocol analyzer or RMON probe to this port to perform traffic analysis and verify
connection integrity.
Port Trunking – Ports can be combined into an aggregate connection. Trunks can
be manually set up or dynamically configured using Link Aggregation Control
Protocol (LACP). The additional ports dramatically increase the throughput across
any connection, and provide redundancy by taking over the load if a port in the trunk
should fail. The switch supports up to 8 trunks.
Storm Control – Broadcast, multicast and unknown unicast storm suppression
prevents traffic from overwhelming the network. When enabled on a port, the level of
traffic passing through the port is restricted. If traffic rises above a pre-defined
threshold, it will be throttled until the level falls back beneath the threshold.
Static Addresses – A static address can be assigned to a specific interface on this
switch. Static addresses are bound to the assigned interface and will not be moved.
When a static address is seen on another interface, the address will be ignored and
will not be written to the address table. Static addresses can be used to provide
network security by restricting access for a known host to a specific port.
IP Address Filtering – Access to insecure ports can be controlled using DHCP
Snooping which filters ingress traffic based on static IP addresses and addresses
stored in the DHCP Snooping table. Traffic can also be restricted to specific source
IP addresses or source IP/MAC address pairs based on static entries or entries
stored in the DHCP Snooping table.
1-3
1
Introduction
IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The
address table facilitates data switching by learning addresses, and then filtering or
forwarding traffic based on this information. The address table supports up to 8K
addresses.
Store-and-Forward Switching – The switch copies each frame into its memory
before forwarding them to another port. This ensures that all frames are a standard
Ethernet size and have been verified for accuracy with the cyclic redundancy check
(CRC). This prevents bad frames from entering the network and wasting bandwidth.
To avoid dropping frames on congested ports, the switch provides 4 Mbits for frame
buffering. This buffer can queue packets awaiting transmission on congested
networks.
Spanning Tree Algorithm – The switch supports these spanning tree protocols:
Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection
and recovery by allowing two or more redundant connections to be created between
a pair of LAN segments. When there are multiple physical paths between segments,
this protocol will choose a single path and disable all others to ensure that only one
route exists between any two stations on the network. This prevents the creation of
network loops. However, if the chosen path should fail for any reason, an alternate
path will be activated to maintain the connection.
Rapid Spanning Tree Protocol (RSTP, IEEE 802.1D-2004) – This protocol reduces
the convergence time for network topology changes to 3 to 5 seconds, compared to
30 seconds or more for the older IEEE 802.1D STP standard. It is intended as a
complete replacement for STP, but can still interoperate with switches running the
older standard by automatically reconfiguring ports to STP-compliant mode if they
detect STP protocol messages from attached devices.
Multiple Spanning Tree Protocol (MSTP, IEEE 802.1D-2004) – This protocol is a
direct extension of RSTP. It can provide an independent spanning tree for different
VLANs. It simplifies network management, provides for even faster convergence
than RSTP by limiting the size of each region, and prevents VLAN members from
being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D
STP).
Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection
of network nodes that share the same collision domain regardless of their physical
location or connection point in the network. The switch supports tagged VLANs
based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically
learned via GVRP, or ports can be manually assigned to a specific set of VLANs.
This allows the switch to restrict traffic to the VLAN groups to which a user has been
assigned. By segmenting your network into VLANs, you can:
• Eliminate broadcast storms which severely degrade performance in a flat network.
• Simplify network management for node changes/moves by remotely configuring
VLAN membership for any port, rather than having to manually change the network
connection.
• Provide data security by restricting all traffic to the originating VLAN.
1-4
Description of Software Features
1
• Use private VLANs to restrict traffic to pass only between data ports and the uplink
ports, thereby isolating adjacent ports within the same VLAN, and allowing you to
limit the total number of VLANs that need to be configured.
• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.
Note: The switch allows 255 user-manageable VLANs. One other VLAN (VLAN ID 4093)
is reserved for switch clustering.
Traffic Prioritization – This switch prioritizes each packet based on the required
level of service, using four priority queues with strict or Weighted Round Robin
Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on
input from the end-station application. These functions can be used to provide
independent priorities for delay-sensitive data and best-effort data.
This switch also supports several common methods of prioritizing layer 3/4 traffic to
meet application requirements. Traffic can be prioritized based on the DSCP field in
the IP frame. When these services are enabled, the priorities are mapped to a Class
of Service value by the switch, and the traffic then sent to the corresponding output
queue.
Quality of Service – Differentiated Services (DiffServ) provides policy-based
management mechanisms used for prioritizing network resources to meet the
requirements of specific traffic types on a per-hop basis. Each packet is classified
upon entry into the network based on access lists, IP Precedence or DSCP values,
or VLAN lists. Using access lists allows you select traffic based on Layer 2, Layer 3,
or Layer 4 information contained in each packet. Based on network policies, different
kinds of traffic can be marked for different kinds of forwarding.
Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to
ensure that it does not interfere with normal network traffic and to guarantee
real-time delivery by setting the required priority level for the designated VLAN. The
switch uses IGMP Snooping and Query to manage multicast group registration. It
also supports Multicast VLAN Registration (MVR) which allows common multicast
traffic, such as television channels, to be transmitted across a single network-wide
multicast VLAN shared by hosts residing in other standard or private VLAN groups,
while preserving security and data isolation for normal traffic.
IEEE 802.1Q Tunneling (QinQ) – This feature is designed for service providers
carrying traffic for multiple customers across their networks. QinQ tunneling is used
to maintain customer-specific VLAN and Layer 2 protocol configurations even when
different customers use the same internal VLAN IDs. This is accomplished by
inserting Service Provider VLAN (SPVLAN) tags into the customer’s frames when
they enter the service provider’s network, and then stripping the tags when the
frames leave the network.
1-5
1
Introduction
System Defaults
The switch’s system defaults are provided in the configuration file
“Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as
the startup configuration file (page 3-27).
The following table lists some of the basic system defaults.
Table 1-2 System Defaults
Function
Parameter
Default
Console Port
Connection
Baud Rate
9600
Data bits
8
Stop bits
1
Parity
none
Local Console Timeout
0 (disabled)
Privileged Exec Level
Username “admin”
Password “admin”
Normal Exec Level
Username “guest”
Password “guest”
Authentication and
Security Measures
Enable Privileged Exec from Normal Password “super”
Exec Level
Web Management
1-6
RADIUS Authentication
Disabled
TACACS Authentication
Disabled
802.1X Port Authentication
Disabled
Web Authentication
Disabled
MAC Authentication
Disabled
HTTPS
Enabled
SSH
Disabled
Port Security
Disabled
IP Filtering
Disabled
DHCP Snooping
Disabled
IP Source Guard
Disabled (all ports)
HTTP Server
Enabled
HTTP Port Number
80
HTTP Secure Server
Enabled
HTTP Secure Port Number
443
System Defaults
1
Table 1-2 System Defaults (Continued)
Function
Parameter
Default
SNMP
SNMP Agent
Enabled
Community Strings
“public” (read only)
“private” (read/write)
Traps
Authentication traps: enabled
Link-up-down events: enabled
SNMP V3
View: defaultview
Group: public (read only); private (read/write)
Admin Status
Enabled
Auto-negotiation
Enabled
Flow Control
Disabled
Rate Limiting
Input limits
Disabled
Port Trunking
Static Trunks
None
LACP (all ports)
Disabled
Status
Broadcast: enabled (all ports)
Multicast: disabled
Unknown Unicast: disabled
Rate Limit
Broadcast: 64 kbits per second
Status
Enabled, RSTP
(Defaults: Based on RSTP standard)
Fast Forwarding (Edge Port)
Disabled
Address Table
Aging Time
300 seconds
Virtual LANs
Default VLAN
1
PVID
1
Acceptable Frame Type
All
Ingress Filtering
Enabled
Switchport Mode (Egress Mode)
Hybrid: tagged/untagged frames
GVRP (global)
Disabled
GVRP (port interface)
Disabled
Ingress Port Priority
0
Weighted Round Robin
Queue: 0 1 2 3
Weight: 1 2 4 8
IP DSCP Priority
Disabled
Port Configuration
Storm Protection
Spanning Tree
Algorithm
Traffic Prioritization
1-7
1
Introduction
Table 1-2 System Defaults (Continued)
Function
Parameter
Default
IP Settings
IP Address
DHCP assigned
Subnet Mask
255.255.255.0
Default Gateway
0.0.0.0
DHCP
Client: Enabled
DNS
Client/Proxy service: Disabled
BOOTP
Disabled
IGMP Snooping
Snooping: Enabled
Querier: Enabled
Multicast VLAN Registration
Disabled
Status
Enabled
Messages Logged
Levels 0-7 (all)
Messages Logged to Flash
Levels 0-3
SMTP Email Alerts
Event Handler
Enabled (but no server defined)
SNTP
Clock Synchronization
Disabled
NTP
Clock Synchronization
Disabled
Switch Clustering
Status
Enabled
Commander
Disabled
Multicast Filtering
System Log
1-8
Chapter 2: Initial Configuration
Connecting to the Switch
Configuration Options
The switch includes a built-in network management agent. The agent offers a variety
of management options, including SNMP, RMON (Groups 1, 2, 3, 9), and a
web-based interface. A PC may also be connected directly to the switch for
configuration and monitoring via a command line interface (CLI).
Note: The IP address for this switch is obtained via DHCP by default. To change this
address, see "Setting an IP Address" on page 2-4.
The switch’s HTTP web agent allows you to configure switch parameters, monitor
port connections, and display statistics using a standard web browser such as
Internet Explorer 5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0
or above. The switch’s web management interface can be accessed from any
computer attached to the network.
The CLI program can be accessed by a direct connection to the RS-232 serial
console port on the switch, or remotely by a Telnet or Secure Shell (SSH)
connection over the network.
The switch’s management agent also supports SNMP (Simple Network
Management Protocol). This SNMP agent permits the switch to be managed from
any system in the network using network management software such as
HP OpenView.
The switch’s web interface, CLI configuration program, and SNMP agent allow you
to perform the following management functions:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Set user names and passwords
Set an IP interface for a management VLAN
Configure SNMP parameters
Enable/disable any port
Set the speed/duplex mode for any port
Configure the bandwidth of any port by limiting input rates
Control port access through IEEE 802.1X security or static address filtering
Filter packets using Access Control Lists (ACLs)
Configure up to 255 IEEE 802.1Q VLANs
Enable GVRP automatic VLAN registration
Configure IGMP multicast filtering
Upload and download system firmware via FTP/TFTP
Upload and download switch configuration files via FTP/TFTP
Configure Spanning Tree parameters
Configure Class of Service (CoS) priority queuing
2-1
2
•
•
•
•
•
Initial Configuration
Configure up to 8 static or LACP trunks
Enable port mirroring
Set broadcast, multicast or unknown unicast storm control on any port
Display system information and statistics
Configure attached CPEs using the OAM protocol
Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or
terminal for monitoring and configuring the switch. A null-modem console cable is
provided with the switch.
Attach a VT100-compatible terminal, or a PC running a terminal emulation program
to the switch. You can use the console cable provided with this package, or use a
null-modem cable that complies with the wiring assignments shown in the
Installation Guide.
To connect a terminal to the console port, complete the following steps:
1.
Connect the console cable to the serial port on a terminal, or a PC running
terminal emulation software, and tighten the captive retaining screws on the
DB-9 connector.
2.
Connect the other end of the cable to the RS-232 serial port on the switch.
3.
Make sure the terminal emulation software is set as follows:
•
•
•
•
•
•
Select the appropriate serial port (COM port 1 or COM port 2).
Set the baud rate to 9600 bps.
Set the data format to 8 data bits, 1 stop bit, and no parity.
Set flow control to none.
Set the emulation mode to VT100.
When using HyperTerminal, select Terminal keys, not Windows keys.
Notes: 1. Refer to "Line Commands" on page 4-45 for a complete description of
console configuration options.
2. Once you have set up the terminal correctly, the console login screen will be
displayed.
For a description of how to use the CLI, see "Using the Command Line Interface" on
page 4-1. For a list of all the CLI commands and detailed information on using the
CLI, refer to "Command Groups" on page 4-10.
2-2
2
Basic Configuration
Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must
first configure it with a valid IP address, subnet mask, and default gateway using a
console connection, DHCP or BOOTP protocol.
The IP address for this switch is obtained via DHCP by default. To manually
configure this address or enable dynamic address assignment via DHCP or BOOTP,
see "Setting an IP Address" on page 2-4.
Note: This switch supports four concurrent Telnet/SSH sessions.
After configuring the switch’s IP parameters, you can access the onboard
configuration program from anywhere within the attached network. The switch’s
command-line interface can be accessed using Telnet or SSH from any computer
attached to the network. The switch can also be managed by any computer using a
web browser (Internet Explorer 5.x or above, or Netscape 6.2 or above, or Mozilla
Firefox 2.0.0.0), or from a network computer using SNMP network management
software.
Note: The onboard program only provides access to basic configuration functions. To
access the full range of SNMP management functions, you must use
SNMP-based network management software.
Basic Configuration
Console Connection
The CLI program provides two different command levels — normal access level
(Normal Exec) and privileged access level (Privileged Exec). The commands
available at the Normal Exec level are a limited subset of those available at the
Privileged Exec level and allow you to only display information and use basic
utilities. To fully configure the switch parameters, you must access the CLI at the
Privileged Exec level.
Access to both CLI levels are controlled by user names and passwords. The switch
has a default user name and password for each level. To log into the CLI at the
Privileged Exec level using the default user name and password, perform these
steps:
1.
To initiate your console connection, press <Enter>. The “User Access
Verification” procedure starts.
2.
At the Username prompt, enter “admin.”
3.
At the Password prompt, also enter “admin.” (The password characters are not
displayed on the console screen.)
4.
The session is opened and the CLI displays the “Console#” prompt indicating
you have access at the Privileged Exec level.
2-3
2
Initial Configuration
Setting Passwords
Note: If this is your first time to log into the CLI program, you should define new
passwords for both default user names using the “username” command, record
them and put them in a safe place.
Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
To prevent unauthorized access to the switch, set the passwords as follows:
1.
Open the console interface with the default user name and password “admin” to
access the Privileged Exec level.
2.
Type “configure” and press <Enter>.
3.
Type “username guest password 0 password,” for the Normal Exec level, where
password is your new password. Press <Enter>.
4.
Type “username admin password 0 password,” for the Privileged Exec level,
where password is your new password. Press <Enter>.
Note: ‘0’ specifies a password in plain text, ‘7’ specifies a password in encrypted form.
Username: admin
Password:
CLI session with the EL228 is opened.
To end the CLI session, enter [Exit].
Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#
4-110
Setting an IP Address
You must establish IP address information for the stack to obtain management
access through the network. This can be done in either of the following ways:
Manual — You have to input the information, including IP address and subnet mask.
If your management station is not in the same IP subnet as the switch, you will also
need to specify the default gateway router.
Dynamic — The switch sends IP configuration requests to BOOTP or DHCP
address allocation servers on the network.
Manual Configuration
You can manually assign an IP address to the switch. You may also need to specify
a default gateway that resides between this device and management stations that
exist on another network segment. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.
Note: The IP address for this switch is obtained via DHCP by default.
2-4
Basic Configuration
2
Before you can assign an IP address to the switch, you must obtain the following
information from your network administrator:
• IP address for the switch
• Default gateway for the network
• Network mask for this network
To assign an IP address to the switch, complete the following steps:
1.
From the Global Configuration mode prompt, type “interface vlan 1” to access
the interface-configuration mode. Press <Enter>.
2.
Type “ip address ip-address netmask,” where “ip-address” is the switch IP
address and “netmask” is the network mask for the network. Press <Enter>.
3.
Type “exit” to return to the global configuration mode prompt. Press <Enter>.
4.
To set the IP address of the default gateway for the network to which the switch
belongs, type “ip default-gateway gateway,” where “gateway” is the IP address
of the default gateway. Press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
Console(config)#
4-222
4-426
4-427
Dynamic Configuration
If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until
a BOOTP or DHCP reply has been received. Requests will be sent periodically in an
effort to obtain IP configuration information. BOOTP and DHCP values can include
the IP address, subnet mask, and default gateway. If the DHCP/BOOTP server is
slow to respond, you may need to use the “ip dhcp restart” command to re-start
broadcasting service requests.
If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the
switch will start broadcasting service requests as soon as it is powered on.
To automatically configure the switch by communicating with BOOTP or DHCP
address allocation servers on the network, complete the following steps:
1.
From the Global Configuration mode prompt, type “interface vlan 1” to access
the interface-configuration mode. Press <Enter>.
2.
At the interface-configuration mode prompt, use one of the following commands:
• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.
• To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.
3.
Type “end” to return to the Privileged Exec mode. Press <Enter>.
2-5
2
Initial Configuration
4.
If network connections are normally slow, type “ip dhcp restart” to re-start
broadcasting service requests. Press <Enter>.
5.
Wait a few minutes, and then check the IP configuration settings by typing the
“show ip interface” command. Press <Enter>.
6.
Then save your configuration changes by typing “copy running-config
startup-config.” Enter the startup file name and press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart
Console#show ip interface
IP Address and Netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
Address Mode: DHCP
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
4-222
4-426
4-428
4-428
4-37
\Write to FLASH finish.
Success.
Downloading a Configuration File Referenced by a DHCP Server
Information passed on to the switch from a DHCP server may also include a
configuration file to be downloaded and the TFTP servers where that file can be
accessed. If the Factory Default Configuration file is used to provision the switch at
startup, in addition to requesting IP configuration settings from the DHCP server, it
will also ask for the name of a bootup configuration file and TFTP servers where that
file is stored.
If the switch receives information that allows it to download the remote bootup file, it
will save this file to a local buffer, and then restart the provision process.
Note the following DHCP client behavior:
• The bootup configuration file received from a TFTP server is stored on the switch
with the original file name. If this file name already exists in the switch, the file is
overwritten.
• If the name of the bootup configuration file is the same as the Factory Default
Configuration file, the download procedure will be terminated, and the switch will
not send any further DHCP client requests.
• If the switch fails to download the bootup configuration file based on information
passed by the DHCP server, it will not send any further DHCP client requests.
• If the switch does not receive a DHCP response prior to completing the bootup
process, it will continue to send a DHCP client request once a minute. These
requests will only be terminated if the switch’s address is manually configured, but
will resume if the address mode is set back to DHCP.
2-6
Basic Configuration
2
To successfully transmit a bootup configuration file to the switch the DHCP daemon
(using a Linux based system for this example) must be configured with the following
information:
• Options 60, 66 and 67 statements can be added to the daemon’s configuration file.
Option
Statement
Keyword
Parameter
60
vendor-class-identifier
a string indicating the vendor class identifier
66
tftp-server-name
a string indicating the tftp server name
67
bootfile-name
a string indicating the bootfile name
• By default, DHCP option 66/67 parameters are not carried in a DHCP server reply.
To ask for a DHCP reply with option 66/67 information, the DHCP client request
sent by this switch includes a “parameter request list” asking for this information.
Besides, the client request also includes a “vendor class identifier” that allows the
DHCP server to identify the device, and select the appropriate configuration file for
download. This information is included in Option 55 and 124.
Option
Statement
Keyword
Parameter
55
dhcp-parameter-request-list
a list of parameters, separated by ','
124
vendor-class-identifier
a string indicating the vendor class identifier
The following configuration examples are provided for a Linux-based DHCP daemon
(dhcpd.conf file). The server will reply with Options 66/67 encapsulated in Option 43.
Note that in the “Vendor class two” section, the server still sends Option 43 telling
the switch to download the test2 configuration file from the server 192.168.255.101.
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
server-name "Server1";
Server-identifier 192.168.255.250;
#option 43 with encapsulated option 66, 67
option space dynamicProvision code width 1 length 1 hash size 2;
option dynamicProvision.tftp-server-name code 66 = text;
option dynamicProvision.bootfile-name code 67 = text;
subnet 192.168.255.0 netmask 255.255.255.0 {
range 192.168.255.160 192.168.255.200;
option routers 192.168.255.101;
option tftp-server-name "192.168.255.100";#Default Option 66
option bootfile-name "bootfile";
#Default Option 67
}
2-7
2
Initial Configuration
class "Option66,67_1" {
#DHCP Option 60
Vendor class one
match if option vendor-class-identifier = "Sixnet";
option dhcp-parameter-request-list 1,43,66,67;
#option 43
option vendor-class-information code 43 = encapsulate
dynamicProvision;
#option 66 encapsulated in option 43
option vendor-class-information.tftp-server-name
"192.168.255.100";
#option 67 encapsulated in option 43
option vendor-class-information.bootfile-name "test1"
}
class "Option66,67_2" {
#DHCP Option 60
Vendor class two
match if option vendor-class-identifier = "Sixnet";
option dhcp-parameter-request-list 1,43,66,67;
option tftp-server-name "192.168.255.101";
option bootfile-name "test2";
}
Enabling SNMP Management Access
The switch can be configured to accept management commands from Simple
Network Management Protocol (SNMP) applications such as HP OpenView. You
can configure the switch to (1) respond to SNMP requests or (2) generate SNMP
traps.
When SNMP management stations send requests to the switch (either to return
information or to set a parameter), the switch provides the requested data or sets the
specified parameter. The switch can also be configured to send information to
SNMP managers (without being requested by the managers) through trap
messages, which inform the manager that certain events have occurred.
The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3
clients. To provide management access for version 1 or 2c clients, you must specify
a community string. The switch provides a default MIB View (i.e., an SNMPv3
construct) for the default “public” community string that provides read access to the
entire MIB tree, and a default view for the “private” community string that provides
read/write access to the entire MIB tree. However, you may assign new views to
version 1 or 2c community strings that suit your specific security requirements (see
page 3-65).
2-8
Basic Configuration
2
Community Strings (for SNMP version 1 and 2c clients)
Community strings are used to control management access to SNMP version 1
and 2c stations, as well as to authorize SNMP stations to receive trap messages
from the switch. You therefore need to assign community strings to specified users,
and set the access level.
The default strings are:
• public - with read-only access. Authorized management stations are only able to
retrieve MIB objects.
• private - with read/write access. Authorized management stations are able to both
retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is
recommended that you change the default community strings.
To configure a community string, complete the following steps:
1.
From the Privileged Exec level global configuration mode prompt, type
“snmp-server community string mode,” where “string” is the community access
string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that
the default mode is read only.)
2.
To remove an existing string, simply type “no snmp-server community string,”
where “string” is the community access string to remove. Press <Enter>.
Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#
4-91
Note: If you do not intend to support access to SNMP version 1 and 2c clients, we
recommend that you delete both of the default community strings. If there are no
community strings, then SNMP management access from SNMP v1 and v2c
clients is disabled.
Trap Receivers
You can also specify SNMP stations that are to receive traps from the switch. To
configure a trap receiver, use the “snmp-server host” command. From the Privileged
Exec level global configuration mode prompt, type:
“snmp-server host host-address community-string
[version {1 | 2c | 3 {auth | noauth | priv}}]”
where “host-address” is the IP address for the trap receiver, “community-string”
specifies access rights for a version 1/2c host, or is the user name of a version 3
host, “version” indicates the SNMP client version, and “auth | noauth | priv” means
that authentication, no authentication, or authentication and privacy is used for v3
clients. Then press <Enter>. For a more detailed description of these parameters,
2-9
2
Initial Configuration
see "snmp-server host" on page 4-93. The following example creates a trap host for
each type of SNMP client.
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth
Console(config)#
4-93
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMPv3 clients, you need to first create a
view that defines the portions of MIB that the client can read or write, assign the view
to a group, and then assign the user to a group. The following example creates one
view called “mib-2” that includes the entire MIB-2 tree branch, and then another view
that includes the IEEE 802.1D bridge MIB. It assigns these respective read and
read/write views to a group call “r&d” and specifies group authentication via MD5 or
SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be
used for authentication, provides the password “greenpeace” for authentication, and
the password “einstien” for encryption.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth mib-2 802.1d
Console(config)#snmp-server user steve group r&d v3 auth md5
greenpeace priv des56 einstien
Console(config)#
4-97
4-99
4-101
For a more detailed explanation on how to configure the switch for access from
SNMPv3 clients, refer to "Simple Network Management Protocol" on page 3-50, or
refer to the specific CLI commands for SNMP starting on page 4-88.
Managing System Files
The switch’s flash memory supports three types of system files that can be managed
by the CLI program, web interface, or SNMP. The switch’s file system allows files to
be uploaded and downloaded, copied, deleted, and set as a start-up file.
The three types of files are:
• Configuration — This file type stores system configuration information and is
created when configuration settings are saved. Saved configuration files can be
selected as a system start-up file or can be uploaded via FTP/TFTP to a server for
backup. The file named “Factory_Default_Config.cfg” contains all the system
default settings and cannot be deleted from the system. If the system is booted with
the factory default settings, the switch will also create a file named “startup1.cfg”
that contains system settings for initialization, including information about the unit
identifier, MAC address, and installed module type. The configuration settings from
the factory defaults configuration file are copied to this file, which is then used to
2-10
Managing System Files
2
boot the switch. See "Saving or Restoring Configuration Settings" on page 3-27 for
more information.
• Operation Code — System software that is executed after boot-up, also known as
run-time code. This code runs the switch operations and provides the CLI and web
management interfaces. See "Managing Firmware" on page 3-21 for more
information.
• Diagnostic Code — Software that is run during system boot-up, also known as
POST (Power On Self-Test).
Due to the size limit of the flash memory, the switch supports only two operation
code files. However, you can have as many diagnostic code files and configuration
files as available flash memory space allows. The switch has a total of 16 Mbytes of
flash memory for system files.
In the system flash memory, one file of each type must be set as the start-up file.
During a system boot, the diagnostic and operation code files set as the start-up file
are run, and then the start-up configuration file is loaded.
Note that configuration files should be downloaded using a file name that reflects the
contents or usage of the file settings. If you download directly to the running-config,
the system will reboot, and the settings will have to be copied from the
running-config to a permanent file.
Saving Configuration Settings
Configuration commands only modify the running configuration file and are not
saved when the switch is rebooted. To save all your configuration changes in
non-volatile storage, you must copy the running configuration file to the start-up
configuration file using the “copy” command.
New startup configuration files must have a name specified. File names on the
switch are case-sensitive, can be from 1 to 31 characters, must not contain slashes
(\ or /), and the leading letter of the file name must not be a period (.).
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
There can be more than one user-defined configuration file saved in the switch’s
flash memory, but only one is designated as the “startup” file that is loaded when the
switch boots. The copy running-config startup-config command always sets the
new file as the startup file. To select a previously saved configuration file, use the
boot system config:<filename> command.
The maximum number of saved configuration files depends on available flash
memory, with each configuration file normally requiring less than 20 kbytes. The
amount of available flash memory can be checked by using the dir command.
To save the current configuration settings, enter the following command:
1.
From the Privileged Exec mode prompt, type “copy running-config
startup-config” and press <Enter>.
2-11
2
2.
Initial Configuration
Enter the name of the start-up file. Press <Enter>.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
2-12
4-37
Chapter 3: Configuring the Switch
Using the Web Interface
This switch provides an embedded HTTP web agent. Using a web browser you can
configure the switch and view statistics to monitor network activity. The web agent
can be accessed by any computer on the network using a standard web browser
(Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or
above).
Note: You can also use the Command Line Interface (CLI) to manage the switch over a
serial connection to the console port or via Telnet. For more information on using
the CLI, refer to “Chapter 4: Command Line Interface.”
Prior to accessing the switch from a web browser, be sure you have first performed
the following tasks:
1. Configure the switch with a valid IP address, subnet mask, and default gateway
using an out-of-band serial connection, BOOTP or DHCP protocol. (See "Setting
an IP Address" on page 2-4.)
2. Set user names and passwords using an out-of-band serial connection. Access
to the web agent is controlled by the same user names and passwords as the
onboard configuration program. (See "Setting Passwords" on page 2-4)
3. After you enter a user name and password, you will have access to the system
configuration program.
Notes: 1. You are allowed three attempts to enter the correct password; on the third
failed attempt the current connection is terminated.
2. If you log into the web interface as guest (Normal Exec level), you can view
the configuration settings or change the guest password. If you log in as
“admin” (Privileged Exec level), you can change the settings on any page.
3. If the path between your management station and this switch does not pass
through any device that uses the Spanning Tree Algorithm, then you can set
the switch port attached to your management station to fast forwarding (i.e.,
enable Admin Edge Port) to improve the switch’s response time to
management commands issued through the web interface. See "Configuring
Interface Settings for STA" on page 3-204.
3-1
3
Configuring the Switch
Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and
password. The administrator has Read/Write access to all configuration parameters
and statistics. The default user name and password for the administrator is “admin.”
Home Page
When your web browser connects with the switch’s web agent, the home page is
displayed as shown below. The home page displays the Main Menu on the left side
of the screen and System Information on the right side. The Main Menu links are
used to navigate to other menus, and display configuration parameters and
statistics.
Figure 3-1 Home Page
3-2
Panel Display
3
Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration
change has been made on a page, be sure to click on the Apply button to confirm
the new setting. The following table summarizes the web page configuration
buttons.
Table 3-1 Configuration Options
Button
Action
Revert
Cancels specified values and restores current values prior to pressing Apply.
Apply
Sets specified values to the system.
Help
Links directly to webhelp.
Notes: 1. To ensure proper screen refresh, be sure that Internet Explorer is configured
so that the setting “Check for newer versions of stored pages” reads “Every
visit to the page”.
Internet Explorer 6.x and earlier: This option is available under the menu
“Tools / Internet Options / General / Temporary Internet Files / Settings”.
Internet Explorer 7.x: This option is available under “Tools / Internet Options
/ General / Browsing History / Settings / Temporary Internet Files”.
2. You may have to manually refresh the screen after making configuration
changes by pressing the browser’s refresh button.
Panel Display
The web agent displays an image of the switch’s ports. The Mode can be set to
display different information for the ports, including Active (i.e., up or down), Duplex
(i.e., half or full duplex, or Flow Control (i.e., with or without flow control). Clicking on
the image of a port opens the Port Configuration page as described on page 3-160.
Figure 3-2 Panel Display
3-3
3
Configuring the Switch
Main Menu
Using the onboard web agent, you can define system parameters, manage and
control the switch, and all its ports, or monitor network conditions. The following
table briefly describes the selections available from this program.
Table 3-2 Main Menu
Menu
Description
System
Page
3-13
System Information
Provides basic system description, including contact information
3-13
Switch Information
Shows the number of ports, hardware/firmware version
numbers, and power status
3-15
Bridge Extension
Configuration
Shows the bridge extension parameters
3-16
IP Configuration
Sets the IP address for management access
3-17
Jumbo Frames
Enables jumbo frame packets
3-20
File Management
3-21
Auto Operation Code
Upgrade
Automatically upgrades operation code if a newer version is
found on the server
3-22
Copy Operation
Allows the transfer and copying of files
3-21
Delete
Allows deletion of files from the flash memory
3-26
HTTP Upgrade
Copies operation code or configuration files from management
station to the switch
3-30
HTTP Download
Copies operation code or configuration files from the switch to
the management station
3-30
Set Start-Up
Sets the startup file
3-26
Line
3-32
Console
Sets console port connection parameters
3-32
Telnet
Sets Telnet connection parameters
3-34
Log
3-36
Logs
Displays error messages
3-36
System Logs
Enables event logging and sets error levels to be logged
3-36
Remote Logs
Configures the logging of messages to a remote logging process
3-37
SMTP
Sends an SMTP client message to a participating server.
3-39
Restarts the switch
3-41
Simple Network Time Protocol
3-42
Current Time
Manually sets the current time
3-43
Configuration
Configures SNTP and NTP client settings, including
authentication parameters or a specified list of servers
3-43
Reset
SNTP
3-4
Main Menu
3
Table 3-2 Main Menu (Continued)
Menu
Description
Page
Time Zone
Sets the local time zone for the system clock
3-46
Summer Time
Configures summer time settings
3-47
Simple Network Management Protocol
3-50
Configuration
Configures community strings and related trap functions
3-52
Agent Status
Enables or disables SNMP
3-51
SNMP
SNMPv3
3-56
Engine ID
Sets the SNMP v3 engine ID on this switch
3-56
Remote Engine ID
Sets the SNMP v3 engine ID for a remote device
3-57
Users
Configures SNMP v3 users on this switch
3-58
Remote Users
Configures SNMP v3 users from a remote device
3-60
Groups
Configures SNMP v3 groups
3-62
Views
Configures SNMP v3 views
3-65
Samples traffic flows, and forwards data to designated collector
3-66
Configuration
Globally enables flow sampling, enables sampling per port, and
sets the sampling rate per port
3-67
Port Configuration
Sets destination parameters, payload parameters, and sampling
interval
3-69
sFlow
Security
3-71
User Accounts
Configures user names, passwords, and access levels
3-71
Authentication Settings
Configures authentication sequence, RADIUS and TACACS
3-73
Encryption Key
Configures RADIUS and TACACS encryption key settings
3-77
AAA
Authentication, Authorization and Accounting
3-78
RADIUS Group Settings
Defines the configured RADIUS servers to use for accounting
3-79
TACACS+ Group Settings
Defines the configured TACACS+ servers to use for accounting
3-79
Settings
Configures accounting of requested services for billing or
security purposes
3-80
Periodic Update
Sets the interval at which accounting updates are sent to
RADIUS AAA servers
3-82
802.1X Port Settings
Applies the specified accounting method to an interface
3-83
Command Privileges
Specifies a method name to apply to commands entered at
specific CLI privilege levels
3-84
Exec Settings
Specifies console or Telnet authentication method
3-85
Summary
Displays accounting information and statistics
3-85
Accounting
3-5
3
Configuring the Switch
Table 3-2 Main Menu (Continued)
Menu
Description
Authorization
Page
3-87
Settings
Configures authorization of requested services
3-87
EXEC Settings
Specifies console or Telnet authorization method
3-88
Summary
Displays authorization information
3-89
HTTPS Settings
Configures secure HTTP settings
3-90
SSH
Secure Shell
3-93
Settings
Configures Secure Shell server settings
3-93
Host-Key Settings
Generates the host key pair (public and private)
3-95
User Public-Key Settings
Imports and manages user RSA and DSA public keys
3-97
Port Security
Configures per port security, including status, response for
security breach, and maximum allowed MAC addresses
3-113
802.1X
Port authentication
3-101
Information
Displays global configuration settings
3-103
Configuration
Configures the global configuration settings
3-103
Port Configuration
Sets parameters for individual ports
3-104
Statistics
Displays protocol statistics for the selected port
3-108
Web Authentication
3-114
Configuration
Configures Web Authentication settings
3-115
Port Configuration
Enables Web Authentication for individual ports
3-116
Port Information
Displays status information for individual ports
3-117
Re-authentication
Forces a host to re-authenticate itself immediately
3-117
Network Access
Configuration
Configures global Network Access parameters
3-120
Port Configuration
Configures Network Access parameters for individual ports
3-121
Port Link Detection
Configuration
Configures Port Link Detection parameters
3-123
MAC Address Information
Displays Network Access statistics sorted by various attributes
3-124
MAC Filter Configuration
Filters Network Access authentication by MAC address
3-125
Access Control Lists
3-127
Configuration
Configures packet filtering based on IP or MAC addresses
3-127
Port Binding
Binds a port to the specified ACL
3-138
ACL
3-6
3-118
Main Menu
3
Table 3-2 Main Menu (Continued)
Menu
ARP Inspection
Description
Page
Validates the MAC-to-IP address bindings in ARP packets
3-139
Configuration
Enables inspection globally and per VLAN, specifies ACL filter
containing address bindings, configures validation of additional
address components, sets trust mode for ports, and sets rate
limit for packet inspection
3-127
Information
Displays information on results of inspection process
3-138
Sets IP addresses of clients allowed management access via
the web, SNMP, and Telnet
3-110
IP Filter
Port
3-158
Port Information
Displays port connection status
3-158
Trunk Information
Displays trunk connection status
3-158
Port Configuration
Configures port connection settings
3-160
Trunk Configuration
Configures trunk connection settings
3-160
Trunk Membership
Specifies ports to group into static trunks
3-164
LACP
Link Aggregation Control Protocol
3-165
Configuration
Allows ports to dynamically join trunks
3-165
Aggregation Port
Configures parameters for link aggregation group members
3-167
Aggregation Group
Configures the administration key for specific LACP groups
3-169
Port Counters Information
Displays statistics for LACP protocol messages
3-170
Port Internal Information
Displays settings and operational state for the local side
3-171
Port Neighbors Information Displays settings and operational state for the remote side
3-173
Port Broadcast Control
Sets the broadcast storm threshold for each port
3-175
Trunk Broadcast Control
Sets the broadcast storm threshold for each trunk
3-175
Port Multicast Control
Sets the multicast storm threshold for each port
3-175
Trunk Multicast Control
Sets the multicast storm threshold for each trunk
3-175
Port Unknown Unicast Control Sets the unknown unicast storm threshold for each port
3-175
Trunk Unknown Unicast Control Sets the unknown unicast storm threshold for each trunk
3-175
Mirror Port Configuration
3-180
Sets the source and target ports for mirroring
Rate Limit
3-181
Input Port Configuration
Sets the input rate limit for each port
3-181
Input Trunk Configuration
Sets the input rate limit for each trunk
3-181
Output Port Configuration
Sets the output rate limit for ports
3-181
Output Trunk Configuration Sets the output rate limit for trunks
Port Statistics
Lists Ethernet and RMON port statistics
3-181
3-183
3-7
3
Configuring the Switch
Table 3-2 Main Menu (Continued)
Menu
Description
Address Table
Page
3-188
Static Addresses
Displays entries for interface, address or VLAN
3-188
Dynamic Addresses
Displays or edits static entries in the Address Table
3-189
Address Aging
Sets timeout for dynamically learned entries
3-190
Spanning Tree
3-191
Port Loopback Detection
Configures Port Loopback Detection parameters
3-194
Trunk Loopback Detection
Configures Trunk Loopback Detection parameters
3-194
STA
Spanning Tree Algorithm
3-191
Information
Displays STA values used for the bridge
3-194
Configuration
Configures global bridge settings for STP, RSTP and MSTP
3-197
Port Information
Displays individual port settings for STA
3-201
Trunk Information
Displays individual trunk settings for STA
3-201
Port Configuration
Configures individual port settings for STA
3-204
Trunk Configuration
Configures individual trunk settings for STA
3-204
Port Edge Port
Configuration
Sets an interface to function as an edge port, either manually or
by automatic configuration
3-214
Trunk Edge Port
Configuration
Sets an interface to function as an edge port, either manually or
by automatic configuration
3-214
Multiple Spanning Tree Protocol
3-209
VLAN Configuration
Configures priority and VLANs for a spanning tree instance
3-209
Port Information
Displays port settings for a specified MST instance
3-212
Trunk Information
Displays trunk settings for a specified MST instance
3-212
Port Configuration
Configures port settings for a specified MST instance
3-214
Trunk Configuration
Configures trunk settings for a specified MST instance
3-214
Virtual LAN
3-215
IEEE 802.1Q VLANs
3-215
GVRP Status
Enables GVRP VLAN registration protocol
3-218
Basic Information
Displays information on the VLAN type supported by this switch
3-219
Current Table
Shows the current port members of each VLAN and whether or
not the port is tagged or untagged
3-220
Static List
Used to create or remove VLAN groups
3-221
Static Table
Modifies the settings for an existing VLAN
3-223
MSTP
VLAN
802.1Q VLAN
Static Membership by Port Configures membership type for interfaces, including tagged,
untagged or forbidden
3-8
3-225
Main Menu
3
Table 3-2 Main Menu (Continued)
Menu
Description
Page
Port Configuration
Specifies default PVID and VLAN attributes
3-226
Trunk Configuration
Specifies default trunk VID and VLAN attributes
3-226
802.1Q Tunnel
Configuration
Enables 802.1Q (QinQ) Tunneling
3-232
Tunnel Port Configuration
Sets the tunnel mode for an interface
3-233
Tunnel Trunk Configuration Sets the tunnel mode for an interface
3-233
Traffic Segmentation
Configures traffic segmentation for different client sessions
based on specified downlink and uplink ports
3-235
Status
Enables traffic segmentation, and blocks or forwards traffic
between uplink ports assigned to different client sessions
3-235
Session Configuration
Creates a client session, and assigns the downlink and uplink
ports to service the traffic
3-236
Private VLAN
3-237
Information
Displays Private VLAN feature information
3-237
Configuration
This page is used to create/remove primary or community
VLANs
3-238
Association
Each community VLAN must be associated with a primary VLAN
3-239
Port Information
Shows VLAN port type, and associated primary or secondary
VLANs
3-240
Port Configuration
Sets the private VLAN interface type, and associates the
interfaces with a private VLAN
3-241
Trunk Information
Shows VLAN port type, and associated primary or secondary
VLANs
3-240
Trunk Configuration
Sets the private VLAN interface type, and associates the
interfaces with a private VLAN
3-241
Protocol VLAN
3-242
Configuration
Creates a protocol group, specifying the supported protocols
3-243
System Configuration
Configures protocol VLAN system parameters
3-244
Sets source VLANs and a target port for mirroring
3-245
VLAN Mirror Configuration
IP Subnet VLAN
Configuration
3-246
Maps IP subnet traffic to a VLAN
MAC Based VLAN
Configuration
3-246
3-247
Maps traffic with specified source MAC address to a VLAN
3-247
Operation, Administration and Maintenance
3-248
OAM Configuration
Enables OAM on specified port, sets the mode to active or
passive, and enables the reporting of critical events
3-248
Errored Frame Configuration
Enables reporting of errored frames
3-251
OAM
3-9
3
Configuring the Switch
Table 3-2 Main Menu (Continued)
Menu
Description
Page
Counters
Displays statistics on OAM PDUs
3-253
Event Log
Displays log for recorded link events
3-254
Remote Interface Status
Displays information about attached OAM-enabled devices
3-255
Remote Device VLAN
Configures VLANs to which attached device is a tagged member
3-257
Remote Device Reset
Resets power on CPE, or restores its settings to factory defaults
3-258
Remote Port Configuration
Configures general settings for a LAN port on attached CPE
3-258
Remote Port Counters
Display statistics for traffic crossing a LAN port on remote device
3-260
Remote Loopback Test
Performs a loopback test on the specified port
3-261
Remote Loopback Test
Results
Displays the results of a loopback test
3-264
Link Layer Discovery Protocol
3-265
Configuration
Configures global LLDP timing parameters
3-265
Port Configuration
Configures parameters for individual ports
3-267
Trunk Configuration
Configures parameters for trunks
3-267
Local Information
Displays LLDP information about the local device
3-270
Remote Port Information
Displays LLDP information about a remote device connected to
a port on this switch
3-273
Remote Trunk Information
Displays LLDP information about a remote device connected to
a trunk on this switch
3-273
Remote Information Details
Displays detailed LLDP information about a remote device
connected to this switch
3-274
Device Statistics
Displays LLDP statistics for all connected remote devices
3-276
Device Statistics Details
Displays LLDP statistics for remote devices on a selected port or
trunk
3-277
LLDP
Priority
3-279
Default Port Priority
Sets the default priority for each port
3-279
Default Trunk Priority
Sets the default priority for each trunk
3-279
Traffic Classes
Maps IEEE 802.1p priority tags to output queues
3-281
Traffic Classes Status
Enables/disables traffic class priorities (not implemented)
Queue Mode
Sets queue mode to strict priority or Weighted Round-Robin
3-283
Queue Scheduling
Configures Weighted Round Robin queueing
3-284
IP DSCP Priority Status
Globally selects DSCP Priority, or disables it.
3-285
IP DSCP Priority
Sets IP Differentiated Services Code Point priority, mapping a
DSCP tag to a class-of-service value
3-286
3-10
NA
Main Menu
3
Table 3-2 Main Menu (Continued)
Menu
Description
QoS
Quality of Service
3-288
Configure QoS classification criteria and service policies
3-288
Class Map
Creates a class map for a type of traffic
3-289
Policy Map
Creates a policy map for multiple interfaces
3-291
Service Policy
Applies a policy map defined to an ingress port
3-294
DiffServ
VoIP Traffic Setting
Page
3-295
Configuration
VoIP Traffic Setting Configuration
3-295
Port Configuration
Configures VoIP Traffic Settings for ports
3-296
OUI Configuration
Defines OUI settings
3-298
IGMP Snooping
3-301
IGMP Configuration
Enables multicast filtering; configures parameters for multicast
query
3-302
IGMP Immediate Leave
Configures immediate leave for multicast services no longer
required
3-304
Multicast Router Port
Information
Displays the ports that are attached to a neighboring multicast
router for each VLAN ID
3-306
Static Multicast Router Port
Configuration
Assigns ports that are attached to a neighboring multicast router
3-307
IP Multicast Registration
Table
Displays all multicast groups active on this switch, including
multicast IP addresses and VLAN ID
3-308
IGMP Member Port Table
Indicates multicast addresses associated with the selected
VLAN
3-309
IGMP Filter Configuration
Configures IGMP filtering
3-310
IGMP Filter Profile
Configuration
Configures IGMP filter profiles, controlling groups and access
mode
3-310
IGMP Filter/Throttling Port
Configuration
Assigns IGMP filter profiles to port interfaces and sets throttling
action
3-310
IGMP Filter/Throttling Trunk
Configuration
Assigns IGMP filter profiles to trunk interfaces and sets throttling
action
3-310
Multicast VLAN Registration
3-315
Configuration
Globally enables MVR, sets the MVR VLAN, adds multicast
stream addresses
3-316
Port Information
Displays MVR interface type, MVR operational and activity
status, and immediate leave status
3-318
Trunk Information
Displays MVR interface type, MVR operational and activity
status, and immediate leave status
3-318
Group IP Information
Displays the ports attached to an MVR multicast stream
3-319
Port Configuration
Configures MVR interface type and immediate leave status
3-320
MVR
3-11
3
Configuring the Switch
Table 3-2 Main Menu (Continued)
Menu
Trunk Configuration
Description
Configures MVR interface type and immediate leave status
Page
3-320
Group Member Configuration Statically assigns MVR multicast streams to an interface
3-322
Receiver Configuration
Permits forwarding of tagged multicast traffic by specifying MVR
receiver VLAN and MVR receiver groups
3-323
Receiver Group IP
Information
Displays ports assigned to MVR receiver groups
3-324
Receiver Group Member
Configuration
Statically assigns MVR receiver groups to selected ports
3-325
Domain Name Service
3-326
General Configuration
Enables DNS; configures domain name and domain list; and
specifies IP address of name servers for dynamic lookup
3-326
Static Host Table
Configures static entries for domain name to address mapping
3-328
Cache
Displays cache entries discovered by designated name servers
3-330
DNS
DHCP Snooping
3-146
Configuration
Enables DHCP Snooping and DHCP Snooping MAC-Address
Verification
3-147
VLAN Configuration
Enables DHCP Snooping for a VLAN
3-148
Information Option
Configuration
Enables DHCP Snooping Information Option
3-149
Port Configuration
Selects the DHCP Snooping Information Option policy
3-150
Binding Information
Displays the DHCP Snooping binding information
3-152
IP Source Guard
3-153
Port Configuration
Enables IP source guard and selects filter type per port
3-153
Static Configuration
Adds a static addresses to the source-guard binding table
3-155
Dynamic Information
Displays the source-guard binding table for a selected interface
3-157
Cluster
3-331
Configuration
Globally enables clustering for the switch
3-331
Member Configuration
Adds switch Members to the cluster
3-333
Member Information
Displays cluster Member switch information
3-334
Candidate Information
Displays network Candidate switch information
3-335
Universal Plug and Play
3-336
Enables UPNP and defines timeout values
3-337
UPNP
Configuration
3-12
3
Basic Configuration
Basic Configuration
This section describes the basic functions required to set up management access to
the switch, display or upgrade operating software, or reset the system.
Displaying System Information
You can easily identify the system by displaying the device name, location and
contact information.
Field Attributes
• System Name – Name assigned to the switch system.
•
•
•
•
Object ID – MIB II object ID for switch’s network management subsystem.
Location – Specifies the system location.
Contact – Administrator responsible for the system.
System Up Time – Length of time the management agent has been up.
These additional parameters are displayed for the CLI.
•
•
•
•
•
•
•
•
•
•
MAC Address – The physical layer address for this switch.
Web Server – Shows if management access via is enabled.
Web Server Port – Shows the TCP port number used by the web interface.
Web Secure Server – Shows if management access via HTTPS is enabled.
Web Secure Server Port – Shows the TCP port used by the HTTPS interface.
Telnet Server – Shows if management access via Telnet is enabled.
Telnet Server Port – Shows the TCP port used by the Telnet interface.
Authentication Login – Shows the user login authentication sequence.
Jumbo Frame – Shows if jumbo frames are enabled.
POST result – Shows results of the power-on self-test.
3-13
3
Configuring the Switch
Web – Click System, System Information. Specify the system name, location, and
contact information for the system administrator, then click Apply. (This page also
includes a Telnet button that allows access to the Command Line Interface via Telnet.)
Figure 3-3 System Information
CLI – Specify the hostname, location and contact information.
Console(config)#hostname R&D 5
4-18
Console(config)#snmp-server location WC 9
4-92
Console(config)#snmp-server contact Ted
4-91
Console(config)#exit
Console#show system
4-33
System description
: EL228
System OID string
: 1.3.6.1.4.1.259.8.1.4
System Information
System Up Time:
0 days, 0 hours, 38 minutes, and 44.16 seconds
System Name
: R&D 5
System Location
: WC 9
System Contact
: Ted
MAC Address (Unit1):
00-12-CF-12-34-56
Web Server:
Enabled
Web Server Port:
80
Web Secure Server:
Enabled
Web Secure Server Port: 443
Telnet Server:
Enable
Telnet Server Port:
23
Jumbo Frame:
Disabled
DUMMY Test 1 .................
UART Loopback Test ...........
DRAM Test ....................
Timer Test ...................
Console#
3-14
PASS
PASS
PASS
PASS
Basic Configuration
3
Displaying Switch Hardware/Software Versions
Use the Switch Information page to display hardware/firmware version numbers for
the main board and management software, as well as the power status of the system.
Field Attributes
Main Board
•
•
•
•
•
Serial Number – The serial number of the switch.
Number of Ports – Number of built-in RJ-45 ports.
Hardware Version – Hardware version of the main board.
Chip Device ID – Identifier for basic MAC/Physical Layer switch chip.
Internal Power Status – Displays the status of the internal power supply.
Management Software
• EPLD Version – Version number of EEPROM Programmable Logic Device code.
• Loader Version – Version number of loader code.
• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.
• Operation Code Version – Version number of run-time code.
• Role – Shows that this switch is operating as Master.
Web – Click System, Switch Information.
Figure 3-4 Switch Information
3-15
3
Configuring the Switch
CLI – Use the following command to display version information.
Console#show version
Unit 1
Serial Number:
Hardware Version:
Chip Device ID:
EPLD Version:
Number of Ports:
Main Power Status:
Redundant Power Status:
4-34
0012CF123456
R01A
Marvell 98DX107-A2, 88E6095[F]
1.03
28
Up
Not present
Agent (Master)
Unit ID:
Loader Version:
Boot ROM Version:
Operation Code Version:
1
1.0.1.0
1.2.1.0
1.3.3.0
Console#
Displaying Bridge Extension Capabilities
The Bridge MIB includes extensions for managed devices that support Multicast
Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to
display default settings for the key variables.
Field Attributes
• Extended Multicast Filtering Services – This switch does not support the filtering
of individual multicast addresses based on GMRP (GARP Multicast Registration
Protocol).
• Traffic Classes – This switch provides mapping of user priorities to multiple traffic
classes. (Refer to "Class of Service Configuration" on page 3-279.)
• Static Entry Individual Port – This switch allows static filtering for unicast and
multicast addresses. (Refer to "Setting Static Addresses" on page 3-188.)
• VLAN Learning – This switch uses Independent VLAN Learning (IVL), where each
port maintains its own filtering database.
• Configurable PVID Tagging – This switch allows you to override the default Port
VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or
Untagged) on each port. (Refer to "VLAN Configuration" on page 3-215.)
• Local VLAN Capable – This switch does not support multiple local bridges outside
of the scope of 802.1Q defined VLANs.
• GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to
register endstations with multicast groups. This switch does not support GMRP; it
uses the Internet Group Management Protocol (IGMP) to provide automatic
multicast filtering.
3-16
Basic Configuration
3
Web – Click System, Bridge Extension Configuration.
Figure 3-5 Bridge Extension Configuration
CLI – Enter the following command.
Console#show bridge-ext
Max support VLAN numbers:
Max support VLAN ID:
Extended multicast filtering services:
Static entry individual port:
VLAN learning:
Configurable PVID tagging:
Local VLAN capable:
Traffic classes:
Global GVRP status:
GMRP:
Console#
4-298
256
4092
No
Yes
IVL
Yes
No
Enabled
Disabled
Disabled
Setting the Switch’s IP Address
This section describes how to configure an IP interface for management access
over the network. The IP address for the stack is obtained via DHCP by default. To
manually configure an address, you need to change the switch’s default settings to
values that are compatible with your network. You may also need to a establish a
default gateway between the stack and management stations that exist on another
network segment.
You can manually configure a specific IP address, or direct the device to obtain an
address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.
3-17
3
Configuring the Switch
Command Attributes
• Management VLAN – ID of the configured VLAN (1-4094). By default, all ports on
the switch are members of VLAN 1. However, the management station can be
attached to a port belonging to any VLAN, as long as that VLAN has been assigned
an IP address.
• IP Address Mode – Specifies whether IP functionality is enabled via manual
configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot
Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has
been received from the server. Requests will be broadcast periodically by the
switch for an IP address. (DHCP/BOOTP values can include the IP address,
subnet mask, and default gateway.)
• IP Address – Address of the VLAN that is allowed management access. Valid IP
addresses consist of four numbers, 0 to 255, separated by periods.
(Default: 0.0.0.0)
• Subnet Mask – This mask identifies the host address bits used for routing to
specific subnets. (Default: 255.0.0.0)
• Gateway IP Address – IP address of the gateway router between this device and
• management stations that exist on other network segments. (Default: 0.0.0.0)
• MAC Address – The physical layer address for this switch.
• Restart DHCP – Requests a new IP address from the DHCP server.
Manual Configuration
Web – Click System, IP Configuration. Select the VLAN through which the
management station is attached, set the IP Address Mode to “Static,” enter the IP
address, subnet mask and gateway, then click Apply.
Figure 3-6 Manual IP Configuration
3-18
Basic Configuration
3
CLI – Specify the management interface, IP address and default gateway.
Console#config
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.1 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.254
Console(config)#
4-222
4-426
4-427
Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the switch to be
dynamically configured by these services.
Web – Click System, IP Configuration. Specify the VLAN to which the management
station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to
save your changes. Then click Restart DHCP to immediately request a new
address. Note that the switch will also broadcast a request for IP configuration
settings on each power reset.
Figure 3-7 DHCP IP Configuration
Note: If you lose your management connection, use a console connection and enter
“show ip interface” to determine the new switch address.
3-19
3
Configuring the Switch
CLI – Specify the management interface, and set the IP address mode to DHCP or
BOOTP, and then enter the “ip dhcp restart” command.
Console#config
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart
Console#show ip interface
IP Address and Netmask: 192.168.1.1 255.255.255.0 on VLAN 1,
Address Mode:
DHCP
Console#
4-222
4-426
4-428
4-428
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a
specific period of time. If the address expires or the switch is moved to another
network segment, you will lose management access to the switch. In this case, you
can reboot the switch or submit a client request to restart DHCP service via the CLI.
Web – If the address assigned by DHCP is no longer functioning, you will not be
able to renew the IP settings via the web interface. You can only restart DHCP
service via the web interface if the current address is still available.
CLI – Enter the following command to restart DHCP service.
Console#ip dhcp restart
Console#
4-428
Enabling Jumbo Frames
The switch provides more efficient throughput for large sequential data transfers by
supporting jumbo frames up to 10 KB for the Gigabit Ethernet ports. Compared to
standard Ethernet frames that run only up to 1.5 KB, using jumbo frames
significantly reduces the per-packet overhead required to process protocol
encapsulation fields.
Command Usage
To use jumbo frames, both the source and destination end nodes (such as a
computer or server) must support this feature. Also, when the connection is
operating at full duplex, all switches in the network between the two end nodes must
be able to accept the extended frame size. And for half-duplex connections, all
devices in the collision domain would need to support jumbo frames.
Command Attributes
• Jumbo Packet Status – Configures support for jumbo frames. (Default: Disabled)
3-20
Basic Configuration
3
Web – Click System, Jumbo Frames. Enable or disable support for jumbo frames,
and click Apply.
Figure 3-8 Jumbo Frames Configuration
CLI – This example enables jumbo frames globally for the switch.
Console#config
Console(config)#jumbo frame
Console(config)#
Managing Firmware
You can upload/download firmware to or from an FTP or TFTP server. Just specify
the method of file transfer, along with the file type and file names as required. By
saving run-time code to a file on an FTP or TFTP server, that file can later be
downloaded to the switch to restore operation.
Note: You can also download and upload files to the switch using HTTP, see "Uploading
and Downloading Files Using HTTP" on page 3-30.
Only two copies of the system software (i.e., the run-time firmware) can be stored in
the file directory on the switch. When downloading run-time code, the destination file
name can be specified to replace the current run-time code file, or the file can be
first downloaded using a different name from the current run-time code file, and then
the new file set as the startup file.
Command Attributes
• File Transfer Method – The firmware copy operation includes these options:
- file to file – Copies a file within the switch directory, assigning it a new name.
- file to tftp – Copies a file from the switch to a TFTP server.
- tftp to file – Copies a file from a TFTP server to the switch.
- file to ftp – Copies a file from the switch to an FTP server.
- ftp to file – Copies a file from an FTP server to the switch.
• TFTP/FTP Server IP Address – The IP address of an FTP or TFTP server.
• User Name – The user name for FTP server access.
• Password – The password for FTP server access.
• File Type – Specify opcode (operational code) to copy firmware.
• File Name – The file name should not contain slashes (\ or /), the leading letter of
the file name should not be a period (.), and the maximum length for file names on
the FTP/TFTP server is 127 characters or 31 characters for files on the switch.
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
3-21
3
Configuring the Switch
Note: Up to two copies of the system software (i.e., the run-time firmware) can be stored
in the file directory on the switch. The currently designated startup version of this
file cannot be deleted.
Automatic Operation Code Upgrade
The system can be configured to automatically download an operation code file
when a file newer than the currently installed one is discovered on the file server.
After the file is transferred from the server and successfully written to the file system,
it is automatically set as the startup file, and the switch is rebooted.
Command Usage
• If this feature is enabled, the switch searches the defined URL once during the
bootup sequence.
• FTP (port 21) and TFTP (port 69) are both supported. Note that the TCP/UDP port
bindings cannot be modified to support servers listening on non-standard ports.
• The host portion of the upgrade file location URL must be a valid IPv4 IP address.
DNS host names are not recognized. Valid IP addresses consist of four numbers,
0 to 255, separated by periods.
• The path to the directory must also be defined. If the file is stored in the root
directory for the FTP/TFTP service, then use the “/” to indicate this (e.g.,
ftp://192.168.0.1/).
• The file name must not be included in the upgrade file location URL. The file name
of the code stored on the remote server must be EL228.bix (using
upper case and lower case letters exactly as indicated here).
• The FTP connection is made with PASV mode enabled. PASV mode is needed to
traverse some fire walls, even if FTP traffic is not blocked. PASV mode cannot be
disabled.
• The switch-based search function is case-insensitive in that it will accept a file
name in upper or lower case (i.e., the switch will accept EL228.BIX
from the server even though el228.bix was requested). However, keep
in mind that the file systems of many operating systems such as Unix and most
Unix-like systems (FreeBSD, NetBSD, OpenBSD, and most Linux distributions,
etc.) are case-sensitive, meaning that two files in the same directory,
el228.bix and EL228.BIX are considered to be unique files.
Thus, if the upgrade file is stored as EL228.BIX (or even
EL228.bix) on a case-sensitive server, then the switch (requesting
el228.bix) will not be upgraded because the server does not recognize
the requested file name and the stored file name as being equal. A notable
exception in the list of case-sensitive Unix-like operating systems is Mac OS X,
which by default is case-insensitive. Please check the documentation for your
server’s operating system if you are unsure of its file system’s behavior.
Note that the switch itself does not distinguish between upper and lower-case file
names, and only checks to see if the file stored on the server is more recent than
the current runtime image.
3-22
Basic Configuration
3
• If two operation code image files are already stored on the switch’s file system,
then the non-startup image is deleted before the upgrade image is transferred.
• If the startup operation code file is named el228.bix, then the upgrade
image will be stored as op1.bix, and the next upgrade image as op2.bix.
• The automatic upgrade process will take place in the background without impeding
normal operations (data switching, etc.) of the switch.
• During the automatic search and transfer process, the administrator cannot
transfer or update another operation code image, configuration file, public key, or
HTTPS certificate (i.e., no other concurrent file management operations are
possible).
• The upgrade operation code image is set as the startup image after it has been
successfully written to the file system.
• The switch will send an SNMP trap and make a log entry upon all upgrade
successes and failures.
• The switch will immediately restart after the upgrade file is successfully written to
the file system and set as the startup image.
Command Attributes
• Automatic Opcode Upgrade – Enables the switch to search for an upgraded
operation code file during the switch bootup process.
- Enabled check box – Defines the state of this feature. (Default: Disabled)
• Automatic Upgrade Location URL – Defines where the switch should search for
the operation code upgrade file. The last character of this URL must be a forward
slash (“/”). The el228.bix filename must not be included since it is
automatically appended by the switch. (Options: ftp, tftp)
The following syntax must be observed:
tftp://host[/filedir]/
tftp:// – Defines TFTP protocol for the server connection.
host – Defines the IP address of the TFTP server. Valid IP addresses
consist of four numbers, 0 to 255, separated by periods. DNS hostnames
are not recognized.
filedir – Defines the directory, relative to the TFTP server root, where the
upgrade file can be found. Nested directory structures are accepted. The
directory name must be separated from the host, and in nested directory
structures, from the parent directory, with a prepended forward slash “/”.
/ – The forward slash must be the last character of the URL.
ftp://[username[:password@]]host[/filedir]/
ftp:// – Defines FTP protocol for the server connection.
username – Defines the user name for the FTP connection. If the user
name is omitted, then “anonymous” is the assumed user name for the
connection.
password – Defines the password for the FTP connection. To differentiate
the password from the user name and host portions of the URL, a colon
3-23
3
Configuring the Switch
(:) must precede the password, and an “at” symbol (@), must follow the
password. If the password is omitted, then “” (an empty string) is the
assumed password for the connection.
host – Defines the IP address of the FTP server. Valid IP addresses
consist of four numbers, 0 to 255, separated by periods. DNS hostnames
are not recognized.
filedir – Defines the directory, relative to the FTP server root, where the
upgrade file can be found. Nested directory structures are accepted. The
directory name must be separated from the host, and in nested directory
structures, from the parent directory, with a prepended forward slash “/”.
/ – The forward slash must be the last character of the URL.
Examples
• The following examples demonstrate the URL syntax for a TFTP server at IP
address 192.168.0.1 with the operation code image stored in various locations:
- tftp://192.168.0.1/
The image file is in the TFTP root directory.
- tftp://192.168.0.1/switch-opcode/
The image file is in the “switch-opcode” directory, relative to the TFTP root.
- tftp://192.168.0.1/switches/opcode/
The image file is in the “opcode” directory, which is within the “switches” parent
directory, relative to the TFTP root.
• The following examples demonstrate the URL syntax for an FTP server at IP
address 192.168.0.1 with various user name, password and file location options
presented:
- ftp://192.168.0.1/
The user name and password are empty, so “anonymous” will be the user name
and the password will be blank. The image file is in the FTP root directory.
- ftp://switches:upgrade@192.168.0.1/
The user name is “switches” and the password is “upgrade”. The image file is in
the FTP root.
- ftp://switches:upgrade@192.168.0.1/switches/opcode/
The user name is “switches” and the password is “upgrade”. The image file is in
the “opcode” directory, which is within the “switches” parent directory, relative to
the FTP root.
3-24
Basic Configuration
3
Web –Click System, File Management, Automatic Operation Code Upgrade. Check
the Automatic Opcode Upgrade box, enter the URL of the FTP or TFTP server, the
path and directory containing the operation code, and click Apply.
Figure 3-9 Configuring Automatic Code Upgrade
CLI – This example specifies the URL of a TFTP server, and the directory containing
the new operation code.
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
4-43
4-44
If a new image is found at the specified location, the following type of messages will
be displayed during bootup.
.
.
.
Automatic Upgrade is looking for a new image
New image detected: current version 1.1.1.0; new version 1.1.1.2
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The
switch will now restart
.
.
.
3-25
3
Configuring the Switch
Downloading System Software from a Server
When downloading run-time code, you can specify the destination file name to
replace the current image, or first download the file using a different name from the
current run-time code file, and then set the new file as the startup file.
Web –Click System, File Management, Copy Operation. Select “tftp to file” as the file
transfer method, enter the IP address of the TFTP server, set the file type to
“opcode,” enter the file name of the software to download, select a file on the switch
to overwrite or specify a new file name, then click Apply. If you replaced the current
firmware used for startup and want to start using the new operation code, reboot the
system via the System/Reset menu.
Figure 3-10 Copy Firmware
If you download to a new destination file, go to the System/File/Set Start-Up menu,
mark the operation code file used at startup, and click Apply. To start the new
firmware, reboot the system via the System/Reset menu.
Figure 3-11 Setting the Startup Code
3-26
Basic Configuration
3
To delete a file, select System, File, Delete. Select the file name from the given list
by checking the tick box and click Apply. Note that the file currently designated as the
startup code cannot be deleted.
Figure 3-12 Deleting Files
CLI – To download new firmware form a TFTP server, enter the IP address of the
TFTP server, select “opcode” as the file type, then enter the source and destination
file names. When the file has finished downloading, set the new file to start up the
system, and then restart the switch.
To start the new firmware, enter the “reload” command or reboot the system.
Console#copy tftp file
TFTP server ip address: 192.168.1.23
Choose file type:
1. config: 2. opcode: 4. diag: 5. loader: <1,2,4,5>: 2
Source file name: V2.2.7.1.bix
Destination file name: V2271.F
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode:V2271.F
Console(config)#exit
Console#reload
4-37
4-42
4-14
Saving or Restoring Configuration Settings
You can upload/download configuration settings to/from an FTP/TFTP server. The
configuration files can be later downloaded to restore the switch’s settings.
Command Attributes
• File Transfer Method – The configuration copy operation includes these options:
- file to file – Copies a file within the switch directory, assigning it a new name.
- file to ftp – Copies a file from the switch to an FTP server.
- file to running-config – Copies a file in the switch to the running configuration.
- file to startup-config – Copies a file in the switch to the startup configuration.
- file to tftp – Copies a file from the switch to a TFTP server.
- ftp to file – Copies a file from an FTP server to the switch.
- tftp to file – Copies a file from a TFTP server to the switch.
- ftp to running-config – Copies a file from an FTP server to the running config.
- ftp to startup-config – Copies a file from an FTP server to the startup config.
- running-config to file – Copies the running configuration to a file.
3-27
3
•
•
•
•
•
Configuring the Switch
- running-config to ftp – Copies the running configuration to an FTP server.
- running-config to startup-config – Copies the running config to the startup config.
- running-config to tftp – Copies the running configuration to a TFTP server.
- startup-config to file – Copies the startup configuration to a file on the switch.
- startup-config to ftp – Copies the startup configuration to an FTP server.
- startup-config to running-config – Copies the startup config to the running config.
- startup-config to tftp – Copies the startup configuration to a TFTP server.
- ttftp to file – Copies a file from a TFTP server to the switch.
- tftp to running-config – Copies a file from a TFTP server to the running config.
- tftp to startup-config – Copies a file from a TFTP server to the startup config.
FTP/TFTP Server IP Address – The IP address of an FTP or TFTP server.
User Name – The user name for FTP server access.
Password – The password for FTP server access.
File Type – Specify config (configuration) to copy configuration settings.
File Name — The file name should not contain slashes (\ or /), the leading letter of
the file name should not be a period (.), and the maximum length for file names on
the FTP/TFTP server is 127 characters or 31 characters for files on the switch.
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
Note: The maximum number of user-defined configuration files is limited only by
available flash memory space.
Command Usage
• FTP (port 21) and TFTP (port 69) are both supported.
• The server’s location must be specified as a valid IPv4 IP address. DNS
hostnames are not recognized. Valid IP addresses consist of four numbers, 0 to
255, separated by periods.
3-28
Basic Configuration
3
Downloading Configuration Settings from a Server
You can download the configuration file under a new file name and then set it as the
startup file, or you can specify the current startup configuration file as the destination
file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be
copied to the TFTP server, but cannot be used as the destination on the switch.
Web – Click System, File Management, Copy Operation. Select “tftp to
startup-config” or “tftp to file” and enter the IP address of the TFTP server. If you
download from an FTP server, enter the user name and password for an account on
the server. Specify the name of the file to download and select a file on the switch to
overwrite or specify a new file name, then click Apply.
Figure 3-13 Downloading Configuration Settings for Startup
If you download to a new file name using ftp/tftp to startup-config or ftp/tftp to file, the
file is automatically set as the start-up configuration file. To use the new settings,
reboot the system via the System/Reset menu.
You can also select any configuration file as the start-up configuration by using the
System/File/Set Start-Up page.
Figure 3-14 Setting the Startup Configuration Settings
3-29
3
Configuring the Switch
CLI – Enter the IP address of the TFTP server, specify the source file on the server,
set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
4-37
Console#reload
To select another configuration file as the start-up configuration, use the boot
system command and then restart the switch.
Console#config
Console(config)#boot system config: startup-new
Console(config)#exit
Console#reload
4-42
4-14
Uploading and Downloading Files Using HTTP
In addition to performing copy operations to and from an FTP or TFTP server, the
switch can upload or download files to the web management station using HTTP.
Both switch operation code files and configuration files can be uploaded/
downloaded using HTTP.
Command Attributes
• File Type – Specify opcode (operation code) to copy a firmware file, or config
(configuration) to copy a switch configuration file.
• Source File Name – Use the Browse button to locate the file on the web
management station. The file name should not contain slashes (\ or /), the leading
letter of the file name should not be a period (.), and the maximum length for file
names on the FTP/TFTP server is 127 characters or 31 characters for files on the
switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
• Destination File Name – Select an existing file on the switch to overwrite, or
specify a new file name.
3-30
Basic Configuration
3
Web – To upload files using HTTP: Click System, File Management, HTTP Upgrade.
Select “opcode” or “config” as the file type and then use the Browse button to locate
the file on the local web management station. Specify the name of a file on the
switch to overwrite or specify a new file name, then click Apply.
Figure 3-15 Uploading Files Using HTTP
Web – To download files using HTTP: Click System, File Management, HTTP
Download. Select an operation code file or configuration file on the switch to
download to the web management station. Click Apply.
Figure 3-16 Downloading Files Using HTTP
3-31
3
Configuring the Switch
Console Port Settings
You can access the onboard configuration program by attaching a VT100
compatible device to the switch’s serial console port. Management access through
the console port is controlled by various parameters, including a password, timeouts,
and basic communication settings. These parameters can be configured via the web
or CLI interface.
Command Attributes
• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not detected within the timeout interval, the connection is
terminated for the session. (Range: 0-300 seconds; Default: 0 seconds)
• Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0-65535 seconds; Default: 600 seconds)
• Password Threshold – Sets the password intrusion threshold, which limits the
number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt.
(Range: 0-120; Default: 3 attempts)
• Silent Time – Sets the amount of time the management console is inaccessible
after the number of unsuccessful logon attempts has been exceeded.
(Range: 0-65535; Default: 0)
• Data Bits – Sets the number of data bits per character that are interpreted and
generated by the console port. If parity is being generated, specify 7 data bits per
character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)
• Parity – Defines the generation of a parity bit. Communication protocols provided
by some terminals can require a specific parity bit setting. Specify Even, Odd, or
None. (Default: None)
• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive
(from terminal). Set the speed to match the baud rate of the device connected to
the serial port. (Range: 9600, 19200, or 38400 baud; Default: 9600 baud)
• Stop Bits – Sets the number of the stop bits transmitted per byte.
(Range: 1-2; Default: 1 stop bit)
• Password1 – Specifies a password for the line connection. When a connection is
started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt.
(Default: No password)
• Login1 – Enables password checking at login. You can select authentication by a
single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)
1. CLI only.
3-32
3
Basic Configuration
Web – Click System, Line, Console. Specify the console port connection parameters
as required, then click Apply.
Figure 3-17 Console Port Settings
CLI – Enter Line Configuration mode for the console, then specify the connection
parameters as required. To display the current console port settings, use the show
line command from the Normal Exec level.
Console(config)#line console
Console(config-line)#login local
Console(config-line)#password 0 secret
Console(config-line)#timeout login response 0
Console(config-line)#exec-timeout 0
Console(config-line)#password-thresh 3
Console(config-line)#silent-time 60
Console(config-line)#databits 8
Console(config-line)#parity none
Console(config-line)#speed 19200
Console(config-line)#stopbits 1
Console(config-line)#end
Console#show line console
Console Configuration:
Password Threshold: 3 times
Interactive Timeout: Disabled
Login Timeout:
Disabled
Silent Time:
Disabled
Baudrate:
9600
Databits:
8
Parity:
None
Stopbits:
1
Console#
4-46
4-46
4-47
4-48
4-49
4-50
4-50
4-51
4-52
4-52
4-53
4-56
3-33
3
Configuring the Switch
Telnet Settings
You can access the onboard configuration program over the network using Telnet
(i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and
other various parameters set, including the TCP port number, timeouts, and a
password. These parameters can be configured via the web or CLI interface.
Command Attributes
• Telnet Status – Enables or disables Telnet access to the switch.
(Default: Enabled)
• Telnet Port Number – Sets the TCP port number for Telnet on the switch.
(Default: 23)
• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not detected within the timeout interval, the connection is
terminated for the session. (Range: 0-300 seconds; Default: 300 seconds)
• Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0-65535 seconds; Default: 600 seconds)
• Password Threshold – Sets the password intrusion threshold, which limits the
number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt.
(Range: 0-120; Default: 3 attempts)
• Password2 – Specifies a password for the line connection. When a connection is
started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt.
(Default: No password)
• Login2 – Enables password checking at login. You can select authentication by a
single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)
2. CLI only.
3-34
3
Basic Configuration
Web – Click System, Line, Telnet. Specify the connection parameters for Telnet
access, then click Apply.
Figure 3-18 Enabling Telnet
CLI – Enter Line Configuration mode for a virtual terminal, then specify the
connection parameters as required. To display the current virtual terminal settings,
use the show line command from the Normal Exec level.
Console(config)#line vty
Console(config-line)#login local
Console(config-line)#password 0 secret
Console(config-line)#timeout login response 300
Console(config-line)#exec-timeout 600
Console(config-line)#password-thresh 3
Console(config-line)#end
Console#show line vty
VTY Configuration:
Password Threshold: 3 times
Interactive Timeout: 600 sec
Login Timeout: 300 sec
Console#
4-46
4-46
4-47
4-48
4-49
4-50
4-56
3-35
3
Configuring the Switch
Configuring Event Logging
The switch allows you to control the logging of error messages, including the type of
events that are recorded in switch memory, logging to a remote System Log (syslog)
server, and displays a list of recent event messages.
System Log Configuration
The system allows you to enable or disable event logging, and specify which levels
are logged to RAM or flash memory.
Severe error messages that are logged to flash memory are permanently stored in
the switch to assist in troubleshooting network problems. Up to 4096 log entries can
be stored in the flash memory, with the oldest entries being overwritten first when the
available log memory (256 kilobytes) has been exceeded.
The System Logs page allows you to configure and limit system messages that are
logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to
flash and levels 0 to 7 to be logged to RAM.
Command Attributes
• System Log Status – Enables/disables the logging of debug or error messages to
the logging process. (Default: Enabled)
• Flash Level – Limits log messages saved to the switch’s permanent flash memory
for all levels up to the specified level. For example, if level 3 is specified, all
messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3)
Table 3-3 Logging Levels
Level
Severity Name
Description
7
Debug
Debugging messages
6
Informational
Informational messages only
5
Notice
Normal but significant condition, such as cold start
4
Warning
Warning conditions (e.g., return false, unexpected return)
3
Error
Error conditions (e.g., invalid input, default used)
2
Critical
Critical conditions (e.g., memory allocation, or free memory
error - resource exhausted)
1
Alert
Immediate action needed
0
Emergency
System unusable
* There are only Level 2, 5 and 6 error messages for the current firmware release.
• RAM Level – Limits log messages saved to the switch’s temporary RAM memory
for all levels up to the specified level. For example, if level 7 is specified, all
messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)
Note: The Flash Level must be equal to or less than the RAM Level.
3-36
Basic Configuration
3
Web – Click System, Log, System Logs. Specify System Log Status, set the level of
event messages to be logged to RAM and flash memory, then click Apply.
Figure 3-19 System Logs
CLI – Enable system logging and then specify the level of messages to be logged to
RAM and flash memory. Use the show logging command to display the current
settings.
Console(config)#logging on
Console(config)#logging history ram 0
Console(config)#end
Console#show logging flash
Syslog logging: Enabled
History logging in FLASH: level emergencies
4-58
4-59
4-62
Remote Log Configuration
The Remote Logs page allows you to configure the logging of messages that are
sent to syslog servers or other management stations. You can also limit the event
messages sent to only those messages below a specified level.
Command Attributes
• Remote Log Status – Enables/disables the logging of debug or error messages
to the remote logging process. (Default: Disabled)
• Logging Facility – Sets the facility type for remote logging of syslog messages.
There are eight facility types specified by values of 16 to 23. The facility type is
used by the syslog server to dispatch log messages to an appropriate service.
The attribute specifies the facility type tag sent in syslog messages (see
RFC 3164). This type has no effect on the kind of messages reported by the switch.
However, it may be used by the syslog server to process messages, such as
sorting or storing messages in the corresponding database. (Range: 16-23,
Default: 23)
• Logging Trap – Limits log messages that are sent to the remote syslog server for
all levels up to the specified level. For example, if level 3 is specified, all messages
from level 0 to level 3 will be sent to the remote server. (Range: 0-7, Default: 7)
• Host IP List – Displays the list of remote server IP addresses that receive the
syslog messages. The maximum number of host IP addresses allowed is five.
• Host IP Address – Specifies a new server IP address to add to the Host IP List.
3-37
3
Configuring the Switch
Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List,
type the new IP address in the Host IP Address box, and then click Add. To delete
an IP address, click the entry in the Host IP List, and then click Remove.
Figure 3-20 Remote Logs
CLI – Enter the syslog server host IP address, choose the facility type and set the
logging trap.
Console(config)#logging host 192.168.1.15
Console(config)#logging facility 23
Console(config)#logging trap 4
Console(config)#end
Console#show logging trap
Syslog logging:
Enabled
REMOTELOG status:
Enabled
REMOTELOG facility type:
local use 7
REMOTELOG level type:
Warning conditions
REMOTELOG server ip address: 192.168.1.15
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
Console#
3-38
4-60
4-60
4-61
4-61
Basic Configuration
3
Displaying Log Messages
The Logs page allows you to scroll through the logged system and event messages.
The switch can store up to 2048 log entries in temporary random access memory
(RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent
flash memory.
Web – Click System, Log, Logs.
Figure 3-21 Displaying Logs
CLI – This example shows the event message stored in RAM.
Console#show log ram
[1] 00:00:27 2001-01-01
"VLAN 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
[0] 00:00:25 2001-01-01
"System coldStart notification."
level: 6, module: 5, function: 1, and event no.: 1
Console#
4-62
Sending Simple Mail Transfer Protocol Alerts
To alert system administrators of problems, the switch can use SMTP (Simple Mail
Transfer Protocol) to send email messages when triggered by logging events of a
specified level. The messages are sent to specified SMTP servers on the network
and can be retrieved using POP or IMAP clients.
Command Attributes
• Admin Status – Enables/disables the SMTP function. (Default: Enabled)
• Email Source Address – Sets the email address used for the “From” field in alert
messages. You may use a symbolic email address that identifies the switch, or the
address of an administrator responsible for the switch.
3-39
3
Configuring the Switch
• Severity – Sets the syslog severity threshold level (see table on page 3-36) used
to trigger alert messages. All events at this level or higher will be sent to the
configured email recipients. For example, using Level 7 will report all events from
level 7 to level 0. (Default: Level 7)
• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The
switch attempts to connect to the other listed servers if the first fails. Use the New
SMTP Server text field and the Add/Remove buttons to configure the list.
• SMTP Server – Specifies a new SMTP server address to add to the SMTP Server
List.
• Email Destination Address List – Specifies the email recipients of alert
messages. You can specify up to five recipients. Use the New Email Destination
Address text field and the Add/Remove buttons to configure the list.
• Email Destination Address – This command specifies SMTP servers that may
receive alert messages.
Web – Click System, Log, SMTP. Enable SMTP, specify a source email address,
and select the minimum severity level. To add an IP address to the SMTP Server
List, type the new IP address in the SMTP Server field and click Add. To delete an IP
address, click the entry in the Server IP List and click Remove. Specify up to five
email addresses to receive the alert messages, and click Apply.
Figure 3-22 Enabling and Configuring SMTP
3-40
3
Basic Configuration
CLI – Enter the IP address of at least one SMTP server, set the syslog severity level
to trigger an email message, and specify the switch (source) and up to five recipient
(destination) email addresses. Enable SMTP with the logging sendmail command
to complete the configuration. Use the show logging sendmail command to display
the current SMTP configuration.
Console(config)#logging sendmail host 192.168.1.4
Console(config)#logging sendmail level 3
Console(config)#logging sendmail source-email
big-wheels@matel.com
Console(config)#logging sendmail destination-email
chris@matel.com
Console(config)#logging sendmail
Console(config)#exit
Console#show logging sendmail
SMTP servers
----------------------------------------------1. 192.168.1.4
4-64
4-65
4-65
4-66
4-66
4-66
SMTP minimum severity level: 4
SMTP destination email addresses
----------------------------------------------1. chris@matel.com
SMTP source email address: big-wheels@matel.com
SMTP status:
Console#
Enabled
Resetting the System
This feature restarts the system. You can reboot the system immediately, or you can
configure the switch to reset after a specified amount of time.
Command Attributes
• Hours – Specifies the amount of hours to wait, combined with the minutes, before
the switch resets. (Range: 0-576; Default: 0)
• Minutes – Specifies the amount of minutes to wait, combined with the hours,
before the switch resets. (Range: 1-34560; Default: 0)
• Reset – Resets the switch after the specified time. If the hour and minute fields are
blank, then the switch will reset immediately.
• Refresh – Refreshes the countdown timer of a pending delayed reset.
• Cancel – Cancels a pending delayed reset.
Note: To immediately restart the switch, enter “0” in both the Hours and Minutes fields,
and click Reset.
3-41
3
Configuring the Switch
Web – Click System, Reset. Enter the amount of time the switch should wait before
rebooting. Click the Reset button to reboot the switch or click the Cancel button to
cancel a configured reset. If prompted, confirm that you want reset the switch or
cancel a configured reset.
Figure 3-23 Resetting the System
CLI – Use the reload command to restart the switch. When prompted, confirm that
you want to reset the switch.
Console(config)#reload
***
*** --- Rebooting at January
***
4-14
1 23:53:44 2001 ---
Are you sure to reboot the system at the specified time? <y/n> y
Note: When restarting the system, it will always run the Power-On Self-Test. It will also
retain all configuration information stored in non-volatile memory (See "Saving or
Restoring Configuration Settings" on page 3-27 or the copy running-config
startup-config command (See "copy" on page 4-37).
Setting the System Clock
Simple Network Time Protocol (SNTP) allows the switch to set its internal clock
based on periodic updates from a time server (SNTP or NTP). Maintaining an
accurate time on the switch enables the system log to record meaningful dates and
times for event entries. You can also manually set the clock. If the clock is not set
manually or via SNTP, the switch will only record the time from the factory default set
at the last bootup.
When the SNTP client is enabled, the switch periodically sends a request for a time
update to a configured time server. You can configure up to three time server IP
addresses. The switch will attempt to poll each server in the configured sequence.
3-42
3
Basic Configuration
Setting the Time Manually
You can manually set the system clock if there is no time server on your network, or
if you have not configured the switch to receive signals from a time server.
Command Attributes
•
•
•
•
•
•
Hours – Sets the hour. (Range: 0-23; Default: 0)
Minutes – Sets the minute value. (Range: 0-59; Default: 0)
Seconds – Sets the second value. (Range: 0-59; Default: 0)
Month – Sets the month. (Range: 1-12; Default: 1)
Day – Sets the day of the month. (Range: 1-31; Default: 1)
Year – Sets the year. (Range: 2001-2100; Default: 2001)
Web – Select SNTP, Current Time. Modify any of the required time and date
parameters, and click Apply.
Figure 3-24 Current Time Configuration
CLI – This example sets the system clock time and then displays the current time
and date
.
Console#calendar set 17 46 00 october 18 2008
Console#show calendar
Current Time
: Oct 2 17:03:35 2008
Time Zone
:
GMT-Greenwich-Mean-Time-Dublin,Edinburgh,Lisbon,London
Summer Time
: Not configured
Summer Time in Effect : No
Console#
4-80
4-81
Configuring SNTP
You can configure the switch to send time synchronization requests to time servers.
Command Attributes
• SNTP Client – Configures the switch to operate as an SNTP client. This requires
at least one NTP or SNTP time server to be specified in the SNTP Server field.
(Default: Disabled)
• SNTP Poll Interval – Sets the interval between sending requests for a time update
from a time server. (Range: 16-16384 seconds; Default: 16 seconds)
3-43
3
Configuring the Switch
• SNTP Server – Sets the IP address for up to three time servers. The switch
attempts to update the time from the first server, if this fails it attempts an update
from the next server in the sequence.
Web – Select SNTP, Configuration. Modify any of the required parameters, and click
Apply.
Figure 3-25 SNTP Configuration
CLI – This example configures the switch to operate as an SNTP client and then
displays the current time and settings.
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#exit
Console#show sntp
Current time: Jan 6 14:56:05 2004
Poll interval: 60
Current mode: unicast
SNTP status : Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.250.36.2
Console#
4-70
4-70
4-69
Configuring NTP
The NTP client allows you to configure up to 50 NTP servers to poll for time updates.
You can also enable authentication to ensure that reliable updates are received from
only authorized NTP servers. The authentication keys and their associated key
number must be centrally managed and manually distributed to NTP servers and
clients. The key numbers and key values must match on both the server and client.
Command Attributes
• NTP Client – Configures the switch to operate as an NTP client. This requires at
least one time server to be specified in the NTP Server list. (Default: Disabled)
• NTP Polling Interval – Sets the interval between sending requests for a time
update from NTP servers. (Fixed: 1024 seconds)
• NTP Authenticate – Enables authentication for time requests and updates
between the switch and NTP servers. (Default: Disabled)
3-44
Basic Configuration
3
• NTP Server – Sets the IP address for an NTP server to be polled. The switch
requests an update from all configured servers, then determines the most accurate
time update from the responses received.
• Version – Specifies the NTP version supported by the server. (Range: 1-3;
Default: 3)
• Authenticate Key – Specifies the number of the key in the NTP Authentication Key
List to use for authentication with the configured server. The authentication key
must match the key configured on the NTP server.
• Key Number – A number that specifies a key value in the NTP Authentication Key
List. Up to 255 keys can be configured in the NTP Authentication Key List. Note
that key numbers and values must match on both the server and client.
(Range: 1-65535)
• Key Context – Specifies an MD5 authentication key string. The key string can be
up to 32 case-sensitive printable ASCII characters (no spaces).
Note: SNTP and NTP clients cannot both be enabled at the same time.
Web – Select SNTP, Configuration. Modify any of the required NTP parameters, and
click Apply.
Figure 3-26 NTP Client Configuration
3-45
3
Configuring the Switch
CLI – This example configures the switch to operate as an NTP client and then
displays the current settings.
Console(config)#ntp authentication-key 19 md5 thisiskey19
Console(config)#ntp authentication-key 30 md5 ntpkey30
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.4.22 version 2
Console(config)#ntp server 192.168.5.23 version 3 key 19
Console(config)#ntp client
Console(config)#ntp authenticate
Console(config)#exit
Console#show ntp
Current Time
: Jan 1 00:09:30 2001
Polling
: 1024 seconds
Current Mode
: unicast
NTP Status
: Enabled
NTP Authenticate Status : Enabled
Last Update NTP Server
: 0.0.0.0
Port: 0
Last Update Time
: Dec 31 00:00:00 2000 UTC
NTP Server 192.168.3.20 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.22 version 2
NTP Server 192.168.5.23 version 3 key 19
NTP Authentication-Key 19 md5 Q33O16Q6338241J022S29Q731K7 7
NTP Authentication-Key 30 md5 D2V8777I51K1132K3552L26R6141O4 7
Console#
4-74
4-72
4-71
4-73
4-75
Setting the Time Zone
SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time,
or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude,
which passes through Greenwich, England. To display a time corresponding to your
local time, you must indicate the number of hours and minutes your time zone is
east (before) or west (after) of UTC. You can choose one of the 80 predefined time
zone definitions, or your can manually configure the parameters for your local time
zone.
Command Attributes
• Predefined Configuration – A drop-down box provides access to the 80
predefined time zone configurations. Each choice indicates it’s offset from UTC
and lists at least one major city or location covered by the time zone.
• User-defined Configuration – Allows the user to define all parameters of the local
time zone.
- Direction: Configures the time zone to be before (east of) or after (west of)
UTC.
- Name – Assigns a name to the time zone. (Range: 1-29 characters)
- Hours (0-13) – The number of hours before/after UTC. The maximum value
before UTC is 12. The maximum value after UTC is 13.
- Minutes (0-59) – The number of minutes before/after UTC.
3-46
3
Basic Configuration
Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to
the UTC using either a predefined or custom definition, and click Apply.
Figure 3-27 Setting the System Clock
CLI - This example shows how to set the time zone for the system clock using one of
the predefined time zone configurations.
Console(config)#clock timezone-predefined GMT-0930-Taiohae
Console(config)#
4-76
Configuring Summer Time
Use the Summer Time page to set the system clock forward during the summer
months (also known as daylight savings time).
Command Usage
In some countries or regions, clocks are adjusted through the summer months so
that afternoons have more daylight and mornings have less. This is known as
Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted
forward one hour at the start of spring and then adjusted backward in autumn.
Command Attributes
General Configuration
• Summer Time in Effect – Shows if the system time has been adjusted.
• Status – Shows if summer time is set to take effect during the specified period.
• Name – Name of the time zone while summer time is in effect, usually an acronym.
(Range: 1-30 characters)
• Mode – Selects one of the following configuration modes. (The Mode option can
only be managed when the Summer Time Status option has been set to enabled
for the switch.)
Predefined Mode – Configures the summer time status and settings for the switch
using predefined configurations for several major regions of the world. To specify
the time corresponding to your local time when summer time is in effect, select the
predefined summer-time zone appropriate for your location.
3-47
3
Configuring the Switch
Date Mode – Sets the start, end, and offset times of summer time for the switch on a
one-time basis. This mode sets the summer-time zone relative to the currently
configured time zone. To specify a time corresponding to your local time when
summer time is in effect, you must indicate the number of minutes your
summer-time zone deviates from your regular time zone.
• Offset – Summer-time offset from the regular time zone, in minutes.
(Range: 0-99 minutes)
• From – Start time for summer-time offset.
• To – End time for summer-time offset.
Recurring Mode – Sets the start, end, and offset times of summer time for the switch
on a recurring basis. This mode sets the summer-time zone relative to the currently
configured time zone. To specify a time corresponding to your local time when
summer time is in effect, you must indicate the number of minutes your
summer-time zone deviates from your regular time zone.
• Offset – Summer-time offset from the regular time zone, in minutes.
(Range: 0-99 minutes)
• From – Start time for summer-time offset.
• To – End time for summer-time offset.
3-48
3
Basic Configuration
Web – Select SNTP, Summer Time. Select one of the configuration modes,
configure the relevant attributes, enable summer time status, and click Apply.
Figure 3-28 Summer Time
CLI - This example configures summer time to take effect for a predefined zone.
Console(config)#clock summer-time MESZ predefined usa
Console#
4-78
3-49
3
Configuring the Switch
Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is a communication protocol
designed specifically for managing devices on a network. Equipment commonly
managed with SNMP includes switches, routers and host computers. SNMP is
typically used to configure these devices for proper operation in a network
environment, as well as to monitor them to evaluate performance or detect potential
problems.
Managed devices supporting SNMP contain software, which runs locally on the
device and is referred to as an agent. A defined set of variables, known as managed
objects, is maintained by the SNMP agent and used to manage the device. These
objects are defined in a Management Information Base (MIB) that provides a
standard presentation of the information controlled by the agent. SNMP defines both
the format of the MIB specifications and the protocol used to access this information
over the network.
The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3.
This agent continuously monitors the status of the switch hardware, as well as the
traffic passing through its ports. A network management station can access this
information using software such as HP OpenView. Access to the onboard agent
from clients using SNMP v1 and v2c is controlled by community strings. To
communicate with the switch, the management station must first submit a valid
community string for authentication.
Access to the switch using from clients using SNMPv3 provides additional security
features that cover message integrity, authentication, and encryption; as well as
controlling user access to specific areas of the MIB tree.
The SNMPv3 security structure consists of security models, with each model having
it’s own security levels. There are three security models defined, SNMPv1,
SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a
security model and specified security levels. Each group also has a defined security
access to set of MIB objects for reading and writing, which are known as “views.”
The switch has a default view (all MIB objects) and default groups defined for
security models v1 and v2c. The following table shows the security models and
levels available and the system default settings.
3-50
3
Simple Network Management Protocol
Table 3-4 SNMPv3 Security Models and Levels
Model Level
Group
Read View
Write View Notify View Security
v1
noAuthNoPriv public
(read only)
defaultview
none
none
Community string only
v1
noAuthNoPriv private
(read/write)
defaultview
defaultview none
Community string only
v1
noAuthNoPriv user defined user defined user defined user defined Community string only
v2c
noAuthNoPriv public
(read only)
defaultview
none
none
Community string only
v2c
noAuthNoPriv private
(read/write)
defaultview
defaultview none
Community string only
v2c
noAuthNoPriv user defined user defined user defined user defined Community string only
v3
noAuthNoPriv user defined user defined user defined user defined A user name match only
v3
AuthNoPriv
user defined user defined user defined user defined Provides user
authentication via MD5 or
SHA algorithms
v3
AuthPriv
user defined user defined user defined user defined Provides user
authentication via MD5 or
SHA algorithms and data
privacy using DES 56-bit
encryption
Note: The predefined default groups and view can be deleted from the system. You can
then define customized groups and views for the SNMP clients that require access.
Enabling the SNMP Agent
Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).
Command Attributes
SNMP Agent Status – Enables SNMP on the switch.
Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled
checkbox, and click Apply.
Figure 3-29 Enabling SNMP Agent Status
3-51
3
Configuring the Switch
CLI – The following example enables SNMP on the switch.
Console(config)#snmp-server
Console(config)#
4-89
Setting Community Access Strings
You may configure up to five community strings authorized for management access
by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers
should be listed in this table. For security reasons, you should consider removing the
default strings.
Command Attributes
• SNMP Community Capability – The switch supports up to five community strings.
• Current – Displays a list of the community strings currently configured.
• Community String – A community string that acts like a password and permits
access to the SNMP protocol.
Default strings: “public” (read-only), “private” (read/write)
Range: 1-32 characters, case sensitive
• Access Mode – Specifies the access rights for the community string:
- Read-Only – Authorized management stations are only able to retrieve MIB
objects.
- Read/Write – Authorized management stations are able to both retrieve and
modify MIB objects.
Web – Click SNMP, Configuration. Add new community strings as required, select
the access rights from the Access Mode drop-down list, then click Add.
Figure 3-30 Configuring SNMP Community Strings
CLI – The following example adds the string “spiderman” with read/write access.
Console(config)#snmp-server community spiderman rw
Console(config)#
3-52
4-91
Simple Network Management Protocol
3
Specifying Trap Managers and Trap Types
Traps indicating status changes are issued by the switch to specified trap managers.
You must specify trap managers so that key events are reported by this switch to
your management station (using network management platforms such as HP
OpenView). You can specify up to five management stations that will receive
authentication failure messages and other trap messages from the switch.
Command Usage
• If you specify an SNMP Version 3 host, then the “Trap Manager Community String”
is interpreted as an SNMP user name. If you use V3 authentication or encryption
options (authNoPriv or authPriv), the user name must first be defined in the
SNMPv3 Users page (page 3-58). Otherwise, the authentication password and/or
privacy password will not exist, and the switch will not authorize SNMP access for
the host. However, if you specify a V3 host with the no authentication (noAuth)
option, an SNMP user account will be automatically generated, and the switch will
authorize SNMP access for the host.
• Notifications are issued by the switch as trap messages by default. The recipient
of a trap message does not send a response to the switch. Traps are therefore not
as reliable as inform messages, which include a request for acknowledgement of
receipt. Informs can be used to ensure that critical information is received by the
host. However, note that informs consume more system resources because they
must be kept in memory until a response is received. Informs also add to network
traffic. You should consider these effects when deciding whether to issue
notifications as traps or informs.
To send an inform to a SNMPv2c host, complete these steps:
1. Enable the SNMP agent (page 3-51).
2. Enable trap informs as described in the following pages.
3. Create a view with the required notification messages (page 3-65).
4. Create a group that includes the required notify view (page 3-62).
To send an inform to a SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 3-51).
2. Enable trap informs as described in the following pages.
3. Create a view with the required notification messages (page 3-65).
4. Create a group that includes the required notify view (page 3-62).
5. Specify a remote engine ID where the user resides (page 3-57).
6. Then configure a remote user (page 3-60).
Command Attributes
• Trap Manager Capability – This switch supports up to five trap managers.
• Current – Displays a list of the trap managers currently configured.
• Trap Manager IP Address – IP address of a new management station to receive
notification message (i.e., the targeted recipient).
• Trap Manager Community String – Specifies a valid community string for the
new trap manager entry. Though you can set this string in the Trap Managers table,
we recommend that you define this string in the SNMP Community section at the
3-53
3
•
•
•
•
Configuring the Switch
top of the SNMP Configuration page (for Version 1 or 2c clients), or define a
corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients).
(Range: 1-32 characters, case sensitive)
Trap UDP Port – Specifies the UDP port number used by the trap manager.
(Default: 162)
Trap Version – Specifies whether to send notifications as SNMP v1, v2c, or v3
traps. (Default: v1)
Trap Security Level – When trap version 3 is selected, you must specify one of
the following security levels. (Default: noAuthNoPriv)
- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications.
- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).
Trap Inform – Notifications are sent as inform messages. Note that this option is
only available for version 2c and 3 hosts. (Default: traps are used)
- Timeout – The number of seconds to wait for an acknowledgment before
resending an inform message. (Range: 0-2147483647 centiseconds;
Default: 1500 centiseconds)
- Retry times – The maximum number of times to resend an inform message if
the recipient does not acknowledge receipt. (Range: 0-255; Default: 3)
• Enable Authentication Traps3 – Issues a notification message to specified IP
trap managers whenever an invalid community string is submitted during the
SNMP access authentication process. (Default: Enabled)
• Enable Link-up and Link-down Traps3 – Issues a notification message
whenever a port link is established or broken. (Default: Enabled)
3.
These are legacy notifications and therefore when used for SNMP Version 3 hosts, they must be
enabled in conjunction with the corresponding entries in the Notification View (page 3-65).
3-54
3
Simple Network Management Protocol
Web – Click SNMP, Configuration. Enter the IP address and community string for
each management station that will receive trap messages, specify the UDP port,
trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3
clients), and then click Add. Select the trap types required using the check boxes for
Authentication and Link-up/down traps, and then click Apply.
Figure 3-31 Configuring IP Trap Managers
CLI – This example adds a trap manager and enables both authentication and
link-up, link-down traps.
Console(config)#snmp-server host 192.168.1.19 private version 2c
Console(config)#snmp-server enable traps
4-93
4-95
3-55
3
Configuring the Switch
Configuring SNMPv3 Management Access
To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, it must be changed first before
configuring other parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SNMP user groups with the required security model (i.e., SNMP v1,
v2c or v3) and security level (i.e., authentication and privacy).
4. Assign SNMP users to groups, along with their specific authentication and
privacy passwords.
Setting the Local Engine ID
An SNMPv3 engine is an independent SNMP agent that resides on the switch. This
engine protects against message replay, delay, and redirection. The engine ID is
also used in combination with user passwords to generate the security keys for
authenticating and encrypting SNMPv3 packets.
A local engine ID is automatically generated that is unique to the switch. This is
referred to as the default engine ID. If the local engine ID is deleted or changed, all
SNMP users will be cleared. You will need to reconfigure all existing users.
A new engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to
32 octets in hexadecimal format). If an odd number of characters are specified, a
trailing zero is added to the value to fill in the last octet. For example, the value
“123456789” is equivalent to “1234567890”.
Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of a least 9 hexadecimal
characters and then click Save.
Figure 3-32 Setting an Engine ID
CLI – This example sets an SNMPv3 engine ID.
Console(config)#snmp-server engine-id local 12345abcdef
Console(config)#exit
Console#show snmp engine-id
Local SNMP engineID: 12345abcdef000000000000000
Local SNMP engineBoots: 1
Console#
3-56
4-96
4-97
3
Simple Network Management Protocol
Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first
specify the engine identifier for the SNMP agent on the remote device where the
user resides. The remote engine ID is used to compute the security digest for
authenticating and encrypting packets sent to a user on the remote host.
SNMP passwords are localized using the engine ID of the authoritative agent. For
informs, the authoritative SNMP agent is the remote agent. You therefore need to
configure the remote agent’s SNMP engine ID before you can send proxy requests
or informs to it. (See "Specifying Trap Managers and Trap Types" on page 3-53 and
"Configuring Remote SNMPv3 Users" on page 3-60.)
The engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32
octets in hexadecimal format). If an odd number of characters are specified, a
trailing zero is added to the value to fill in the last octet. For example, the value
“123456789” is equivalent to “1234567890”.
Web – Click SNMP, SNMPv3, Remote Engine ID. Enter an ID of up to 64
hexadecimal characters and then click Save.
Figure 3-33 Setting a Remote Engine ID
CLI – This example specifies a remote SNMPv3 engine ID.
Console(config)#snmp-server engine-id remote 54321 192.168.1.19
Console(config)#exit
Console#show snmp engine-id
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1
Remote SNMP engineID
80000000030004e2b316c54321
Console#
4-96
4-97
IP address
192.168.1.19
3-57
3
Configuring the Switch
Configuring SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts users to
a specific read, write, and notify view.
Command Attributes
• User Name – The name of user connecting to the SNMP agent.
(Range: 1-32 characters)
• Group Name – The name of the SNMP group to which the user is assigned.
(Range: 1-32 characters)
• Security Model – The user security model; SNMP v1, v2c or v3.
• Security Level – The security level used for the user:
- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications. (This is the default for SNMPv3.)
- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).
• Authentication Protocol – The method used for user authentication.
(Options: MD5, SHA; Default: MD5)
• Authentication Password – A minimum of eight plain text characters is required.
• Privacy Protocol – The encryption algorithm use for data privacy; only 56-bit DES
is currently available.
• Privacy Password – A minimum of eight plain text characters is required.
• Actions – Enables the user to be assigned to another SNMPv3 group.
3-58
Simple Network Management Protocol
3
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the
New User page, define a name and assign it to a group, then click Add to save the
configuration and return to the User Name list. To delete a user, check the box next
to the user name, then click Delete. To change the assigned group of a user, click
Change Group in the Actions column of the users table and select the new group.
Figure 3-34 Configuring SNMPv3 Users
CLI – Use the snmp-server user command to configure a new user name and
assign it to a group.
Console(config)#snmp-server user chris group r&d v3 auth md5
greenpeace priv des56 einstien
Console(config)#exit
Console#show snmp user
EngineId: 80000034030001f488f5200000
User Name: chris
Authentication Protocol: md5
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active
4-101
4-102
Console#
3-59
3
Configuring the Switch
Configuring Remote SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts users to
a specific read, write, and notify view.
To send inform messages to an SNMPv3 user on a remote device, you must first
specify the engine identifier for the SNMP agent on the remote device where the
user resides. The remote engine ID is used to compute the security digest for
authenticating and encrypting packets sent to a user on the remote host. (See
"Specifying Trap Managers and Trap Types" on page 3-53 and "Specifying a
Remote Engine ID" on page 3-57.)
Command Attributes
• User Name – The name of user connecting to the SNMP agent.
(Range: 1-32 characters)
• Group Name – The name of the SNMP group to which the user is assigned.
(Range: 1-32 characters)
• Engine ID – The engine identifier for the SNMP agent on the remote device where
the remote user resides. Note that the remote engine identifier must be specified
before you configure a remote user. (See “Specifying a Remote Engine ID” on
page 44.)
• Remote IP – The Internet address of the remote device where the user resides.
• Security Model – The user security model; SNMP v1, v2c or v3. (Default: v3)
• Security Level – The security level used for the user:
- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications. (This is the default for SNMPv3.)
- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).
• Authentication Protocol – The method used for user authentication.
(Options: MD5, SHA; Default: MD5)
• Authentication Password – A minimum of eight plain text characters is required.
• Privacy Protocol – The encryption algorithm use for data privacy; only 56-bit DES
is currently available.
• Privacy Password – A minimum of eight plain text characters is required.
3-60
Simple Network Management Protocol
3
Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name.
In the New User page, define a name and assign it to a group, then click Add to save
the configuration and return to the User Name list. To delete a user, check the box
next to the user name, then click Delete.
Figure 3-35 Configuring Remote SNMPv3 Users
CLI – Use the snmp-server user command to configure a new user name and
assign it to a group.
Console(config)#snmp-server user mark group r&d remote
192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
Console(config)#exit
Console#show snmp user
No user exist
4-101
4-102
SNMP remote user
EngineId: 80000000030004e2b316c54321
User Name: mark
Authentication Protocol: none
Privacy Protocol: none
Storage Type: nonvolatile
Row Status: active
Console#
3-61
3
Configuring the Switch
Configuring SNMPv3 Groups
An SNMPv3 group sets the access policy for its assigned users, restricting them to
specific read, write, and notify views. You can use the pre-defined default groups or
create new groups to map a set of SNMP users to SNMP views.
Command Attributes
• Group Name – The name of the SNMP group to which the user is assigned.
(Range: 1-32 characters)
• Model – The user security model; SNMP v1, v2c or v3.
• Level – The security level used for the group:
- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications. (This is the default for SNMPv3.)
- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).
• Read View – The configured view for read access. (Range: 1-64 characters)
• Write View – The configured view for write access. (Range: 1-64 characters)
• Notify View – The configured view for notifications. (Range: 1-64 characters)
Table 3-4 Supported Notification Messages
Object Label
Object ID
Description
newRoot
1.3.6.1.2.1.17.0.1
The newRoot trap indicates that the sending
agent has become the new root of the Spanning
Tree; the trap is sent by a bridge soon after its
election as the new root, e.g., upon expiration of
the Topology Change Timer immediately
subsequent to its election.
topologyChange
1.3.6.1.2.1.17.0.2
A topologyChange trap is sent by a bridge when
any of its configured ports transitions from the
Learning state to the Forwarding state, or from
the Forwarding state to the Discarding state.
The trap is not sent if a newRoot trap is sent for
the same transition.
coldStart
1.3.6.1.6.3.1.1.5.1
A coldStart trap signifies that the SNMPv2
entity, acting in an agent role, is reinitializing
itself and that its configuration may have been
altered.
warmStart
1.3.6.1.6.3.1.1.5.2
A warmStart trap signifies that the SNMPv2
entity, acting in an agent role, is reinitializing
itself such that its configuration is unaltered.
RFC 1493 Traps
SNMPv2 Traps
3-62
3
Simple Network Management Protocol
Table 3-4 Supported Notification Messages (Continued)
Object Label
Object ID
Description
linkDown*
1.3.6.1.6.3.1.1.5.3
A linkDown trap signifies that the SNMP entity,
acting in an agent role, has detected that the
ifOperStatus object for one of its
communication links is about to enter the down
state from some other state (but not from the
notPresent state). This other state is indicated
by the included value of ifOperStatus.
linkUp*
1.3.6.1.6.3.1.1.5.4
A linkUp trap signifies that the SNMP entity,
acting in an agent role, has detected that the
ifOperStatus object for one of its
communication links left the down state and
transitioned into some other state (but not into
the notPresent state). This other state is
indicated by the included value of ifOperStatus.
authenticationFailure*
1.3.6.1.6.3.1.1.5.5
An authenticationFailure trap signifies that the
SNMPv2 entity, acting in an agent role, has
received a protocol message that is not
properly authenticated. While all
implementations of the SNMPv2 must be
capable of generating this trap, the
snmpEnableAuthenTraps object indicates
whether this trap will be generated.
risingAlarm
1.3.6.1.2.1.16.0.1
The SNMP trap that is generated when an
alarm entry crosses its rising threshold and
generates an event that is configured for
sending SNMP traps.
fallingAlarm
1.3.6.1.2.1.16.0.2
The SNMP trap that is generated when an
alarm entry crosses its falling threshold and
generates an event that is configured for
sending SNMP traps.
swPowerStatus
ChangeTrap
1.3.6.1.4.1.835.6.10.51.2.1.0.1
This trap is sent when the power state changes.
swIpFilterRejectTrap
1.3.6.1.4.1.835.6.10.512.1.0.40
This trap is sent when an incorrect IP address is
rejected by the IP Filter.
RMON Events (V2)
Private Traps
* These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps on the
SNMP Configuration menu.
3-63
3
Configuring the Switch
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the
New Group page, define a name, assign a security model and level, and then select
read, write, and notify views. Click Add to save the new group and return to the
Groups list. To delete a group, check the box next to the group name, then click
Delete.
Figure 3-36 Configuring SNMPv3 Groups
CLI – Use the snmp-server group command to configure a new group, specifying
the security model and level, and restricting MIB access to defined read, write, and
notify views.
Console(config)#snmp-server group secure-users v3 priv
read defaultview write defaultview notify defaultview
Console(config)#exit
Console#show
snmp group
.
.
.
Group Name: secure-users
Security Model: v3
Read View: defaultview
Write View: defaultview
Notify View: defaultview
Storage Type: nonvolatile
Row Status: active
Console#
3-64
4-99
4-100
Simple Network Management Protocol
3
Setting SNMPv3 Views
SNMPv3 views are used to restrict user access to specified portions of the MIB tree.
The predefined view “defaultview” includes access to the entire MIB tree.
Command Attributes
• View Name – The name of the SNMP view. (Range: 1-64 characters)
• View OID Subtrees – Shows the currently configured object identifiers of branches
within the MIB tree that define the SNMP view.
• Edit OID Subtrees – Allows you to configure the object identifiers of branches
within the MIB tree. Wild cards can be used to mask a specific portion of the OID
string.
• Type – Indicates if the object identifier of a branch within the MIB tree is included
or excluded from the SNMP view.
Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New
View page, define a name and specify OID subtrees in the switch MIB to be included
or excluded in the view. Click Back to save the new view and return to the SNMPv3
Views list. For a specific view, click on View OID Subtrees to display the current
configuration, or click on Edit OID Subtrees to make changes to the view settings.
To delete a view, check the box next to the view name, then click Delete.
Figure 3-37 Configuring SNMPv3 Views
3-65
3
Configuring the Switch
CLI – Use the snmp-server view command to configure a new view. This example
view includes the MIB-2 interfaces table, and the wildcard mask selects all index
entries.
Console(config)#snmp-server view ifEntry.a
1.3.6.1.2.1.2.2.1.1.* included
Console(config)#exit
Console#show snmp view
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
View Type: included
Storage Type: nonvolatile
Row Status: active
4-97
4-98
View Name: readaccess
Subtree OID: 1.3.6.1.2
View Type: included
Storage Type: nonvolatile
Row Status: active
View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: nonvolatile
Row Status: active
Console#
Sampling Traffic Flows
The flow sampling (sFlow) feature embedded on this switch, together with a remote
sFlow Collector, can provide network administrators with an accurate, detailed and
real-time overview of the types and levels of traffic present on their network. The
sFlow Agent samples 1 out of n packets from all data traversing the switch,
re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow
Collector. This sampling occurs at the internal hardware level where all traffic is
seen, whereas traditional probes will only have a partial view of traffic as it is
sampled at the monitored interface. Moreover, the processor and memory load
imposed by the sFlow agent is minimal since local analysis does not take place. The
wire-speed transmission characteristic of the switch is thus preserved even at high
traffic levels.
As the Collector receives streams from the various sFlow agents (other switches or
routers) throughout the network, a timely, network-wide picture of utilization and
traffic flows is created. Analysis of the sFlow stream(s) can reveal trends and
information that can be leveraged in the following ways:
•
•
•
•
•
•
Detecting, diagnosing, and fixing network problems
Real-time congestion management
Understanding application mix (P2P, Web, DNS, etc.) and changes
Identification and tracing of unauthorized network activity
Usage accounting
Trending and capacity planning
3-66
Sampling Traffic Flows
3
Configuring sFlow Global Parameters
Flow sampling must be enabled globally on the switch, as well as for those ports
where it is required. Due to the switch’s hardware design, flow sampling and the
sampling rate can only be enabled for specific SFP port groups (1-8, 9-16, and
17-24). However, sampling for each of the Gigabit ports (25-28) can be controlled
individually.
Command Usage
• Global Status – Enables sFlow globally for the switch.
• Group/Port Members – The SFP ports are organized into groups of 8 based on a
restriction in the switch ASIC, and the 4 Gigabit ports each in it’s own separate
group.
Table 3-5 sFlow Groups and Port Members
Group
Port Members
1
1, 2, 3, 4, 5, 6, 7, 8
2
9, 10, 11, 12, 13, 14, 15, 16
3
17, 18, 19, 20, 21, 22, 23, 24
4
25
5
26
6
27
7
28
• Status – Enables sFlow on the ports in the indicated group.
• Rate – Configures the packet sampling rate. Setting the rate to 0 disables
sampling. Setting the rate to 100 configures sampling to 1 packet out of every 100
received. (Range: 0-10000000; Default: 0)
3-67
3
Configuring the Switch
Web – Click sFlow, Configuration. Set the global status for flow sampling, the ports
or port groups to be sampled, the sampling rate, and then click Apply.
Figure 3-38 sFlow Global Configuration
CLI – This example enables sFlow globally, and then enables sampling and sets the
sampling rate for Port 1 (which effectively configures the same sFlow settings for all
port members in Group 1).
Console(config)#sflow
Console(config)#interface ethernet 1/1
Console(config-if)#sflow source
Console(config-if)#sflow sample 10
Console(config-if)#end
Console#show sflow
4-104
4-222
4-104
4-105
4-108
sFlow global status : Enabled
Console#show sflow interface ethernet 1/1
Interface of Ethernet 1/1 :
Interface status
: Enabled
Owner name
: None
Owner destination
: 0.0.0.0
Owner socket port
: 6343
Time out
: 0
Maximum header size
: 128
Maximum datagram size : 1400
Sample rate
: 1/10
Polling interval
: Console#
3-68
4-108
Sampling Traffic Flows
3
Configuring sFlow Port Parameters
Use the sFlow Port Configuration page to set the destination parameters for the
sampled data, payload parameters, and sampling interval.
Command Usage
• Port – Choose the port to configure. (Range: 1-28; Default: 1)
• Receiver Owner4 – The name of the receiver. (Range: 1-256 characters;
Default: None)
• Receiver IP Address4 – IP address of the sFlow Collector.
• Receiver Port4 – The UDP port on which the sFlow Collector is listening for sFlow
streams. (Range: 0-65534; Default: 6343)
• Time Out – The time that the sFlow process will continuously send samples to the
Collector before resetting all sFlow port parameters (receiver owner, time out, max
header size, max datagram size, and flow interval). A time out value of 0 seconds
indicates no time out. (Range: 0-10000000 seconds; Default: 0 seconds)
The check box is cleared by the system if flow sampling is currently under way.
To change the timeout, mark the check box, enter a timeout value, and click Apply.
• Max Header Size – Maximum size of the sFlow datagram header.
(Range: 64-256 bytes; Default: 128 bytes)
• Max Datagram Size – Maximum size of the sFlow datagram payload.
(Range: 200-1500 bytes; Default: 1400 bytes)
• Flow Interval – The interval at which the sFlow process adds counter values to the
sample datagram. An interval of 0 seconds effectively disables this feature.
(Range: 0-10000000 seconds; Default: 0 seconds)
4.
Sampling must be disabled by setting the time out to 0 before these fields can be configured.
3-69
3
Configuring the Switch
Web – Click sFlow, Port Configuration. Set the parameters for flow Collector, the
reset timeout, the payload, and flow interval. Then click Apply.
Figure 3-39 sFlow Port Configuration
CLI – This example enables sFlow globally, and then enables sampling and sets the
sampling rate for Port 1 (which effectively configures the same sFlow settings for all
port members in Group 1).
Console(config)#interface ethernet 1/1
Console(config-if)#sflow owner Bobby
Console(config-if)#sflow destination ipv4 192.168.0.4
Console(config-if)#sflow timeout 1000
Console(config-if)#sflow max-header-size 128
Console(config-if)#sflow max-datagram-size 1400
Console(config-if)#sflow polling interval 10
Console(config-if)#end
Console#show flow
Console#show sflow interface ethernet 1/1
Interface of Ethernet 1/1 :
Interface status
: Enabled
Owner name
: Bobby
Owner destination
: 192.168.0.4
Owner socket port
: 6343
Time out
: 986
Maximum header size
: 128
Maximum datagram size : 1400
Sample rate
: 1/10
Polling interval
: 10
Console#
3-70
4-222
4-106
4-107
4-106
4-107
4-108
4-105
4-108
User Authentication
3
User Authentication
You can configure this switch to authenticate users logging into the system for
management access using local or remote authentication methods. Port-based
authentication using IEEE 802.1X can also be configured to control either
management access to the uplink ports or client access to the data ports. This
switch provides secure network management access5 using the following options:
•
•
•
•
•
•
•
•
•
User Accounts – Manually configure access rights on the switch for specified users.
Authentication Settings – Use remote authentication to configure access rights.
Encryption Key – Configures RADIUS and TACACS+ encryption keys.
AAA – Provides a framework for configuring access control on the switch.
HTTPS Settings – Provide a secure web connection.
SSH Settings – Provide a secure shell (for secure Telnet access).
Port Security – Configure secure addresses for individual ports.
802.1X – Use IEEE 802.1X port authentication to control access to specific ports.
IP Filter – Filters management access to the web, SNMP or Telnet interface.
Configuring User Accounts
The guest only has read access for most configuration parameters. However, the
administrator has write access for all parameters governing the onboard agent. You
should therefore assign a new administrator password as soon as possible, and
store it in a safe place.
The default guest name is “guest” with the password “guest.” The default
administrator name is “admin” with the password “admin.”
Command Attributes
• Account List – Displays the current list of user accounts and associated access
levels. (Defaults: admin, and guest)
• New Account – Displays configuration settings for a new account.
- User Name – The name of the user.
(Maximum length: 8 characters; maximum number of users: 16)
- Access Level – Specifies the user level.
(Options: Normal, Manager, and Privileged)
Normal privilege level provides access to a limited number of the commands
which display the current status of the switch, as well as several database clear
and reset functions. Manager level provides access to all display status and
configuration commands, except for those controlling various authentication and
security features. Privileged level provides full access to all commands.
- Password – Specifies the user password.
(Range: 0-8 characters plain text, case sensitive)
• Change Password – Sets a new password for the specified user name.
5.
For other methods of controlling client access, see "General Security Measures" on page 3-112.
3-71
3
Configuring the Switch
• Add/Remove – Adds or removes an account from the list.
Web – Click Security, User Accounts. To configure a new user account, specify a
user name, select the user’s access level, then enter a password and confirm it.
Click Add to save the new user account and add it to the Account List. To change the
password for a specific user, enter the user name and new password, confirm the
password by entering it again, then click Apply.
Figure 3-40 Access Levels
CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the
password.
Console(config)#username bob access-level 15
Console(config)#username bob password 0 smith
Console(config)#
3-72
4-110
User Authentication
3
Configuring Local/Remote Logon Authentication
Use the Authentication Settings menu to restrict management access based on
specified user names and passwords. You can manually configure access rights on
the switch, or you can use a remote access authentication server based on RADIUS
or TACACS+ protocols.
Remote Authentication Dial-in
User Service (RADIUS) and
Terminal Access Controller
Access Control System Plus
console
Web
(TACACS+) are logon
Telnet
authentication protocols that
use software running on a
1. Client attempts management access.
central server to control
2. Switch contacts authentication server.
3. Authentication server challenges client.
RADIUS/
access to RADIUS-aware or
4. Client responds with proper password or key.
TACACS+
5. Authentication server approves access.
TACACS-aware devices on the
server
6. Switch grants management access.
network. An authentication
server contains a database of
multiple user name/password pairs with associated privilege levels for each user
that requires management access to the switch.
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery,
while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts
only the password in the access-request packet from the client to the server, while
TACACS+ encrypts the entire body of the packet.
Command Usage
• By default, management access is always checked against the authentication
database stored on the local switch. If a remote authentication server is used, you
must specify the authentication sequence and the corresponding parameters for
the remote authentication protocol. Local and remote logon authentication control
management access via the console port, web browser, or Telnet.
• RADIUS and TACACS+ logon authentication assign a specific privilege level for
each user name/password pair. The user name, password, and privilege level
must be configured on the authentication server. The encryption methods used for
the authentication process must also be configured or negotiated between the
authentication server and logon client. This switch can pass authentication
messages between the server and client that have been encrypted using MD5
(Message-Digest 5), TLS (Transport Layer Security), or TTLS (Tunneled Transport
Layer Security).
• You can specify up to three authentication methods for any user to indicate the
authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and
(3) Local, the user name and password on the RADIUS server is verified first. If the
RADIUS server is not available, then authentication is attempted using the
TACACS+ server, and finally the local user name and password is checked.
3-73
3
Configuring the Switch
Command Attributes
• Authentication – Select the authentication, or authentication sequence required:
- Local – User authentication is performed only locally by the switch.
- Radius – User authentication is performed using a RADIUS server only.
- TACACS – User authentication is performed using a TACACS+ server only.
- [authentication sequence] – User authentication is performed by up to three
authentication methods in the indicated sequence.
• RADIUS Settings
- Global – Provides globally applicable RADIUS settings.
- Server Index – Specifies one of five RADIUS servers that may be configured.
The switch attempts authentication using the listed sequence of servers. The
process ends when a server either approves or denies access to a user.
- Server IP Address6 – Address of authentication server.
- Authentication Port Number – Network (UDP) port of authentication server
used for authentication messages. (Range: 1-65535; Default: 1812)
- Accounting Port Number – UDP port on authentication server used for
accounting messages. (Range: 1-65535; Default: 1813)
- Number of Server Transmits – Number of times the switch tries to authenticate
logon access via the authentication server. (Range: 1-30; Default: 2)
- Timeout for a Reply – The number of seconds the switch waits for a reply from
the RADIUS server before it resends the request. (Range: 1-65535; Default: 5)
• TACACS Settings
- Global – Provides globally applicable TACACS+ settings.
- Server Index – Specifies the index number of the server to be configured. The
switch currently supports only one TACACS+ server.
- Server IP Address6 – Address of the TACACS+ server.
- Server Port Number – Network (TCP) port of TACACS+ server used for
authentication messages. (Range: 1-65535; Default: 49)
- Number of Server Transmits – Number of times the switch tries to authenticate
logon access via the authentication server. (Range: 1-30; Default: 2)
- Timeout for a Reply – The number of seconds the switch waits for a reply from
the RADIUS server before it resends the request. (Range: 1-540; Default: 5)
Note: The local switch user database has to be set up by manually entering user names
and passwords using the Web or CLI. (See "Configuring User Accounts" on
page 3-71 or "username" on page 4-110)
6. A Server Index must be selected to display this item.
3-74
User Authentication
3
Web – Click Security, Authentication Settings. To configure local or remote
authentication preferences, specify the authentication sequence (i.e., one to three
methods), fill in the parameters for RADIUS or TACACS+ authentication if selected,
and click Apply.
Figure 3-41 Authentication Settings
CLI – Specify all the required parameters to enable logon authentication.
Console(config)#authentication login radius
Console(config)#radius-server auth-port 181
Console(config)#radius-server key green
Console(config)#radius-server retransmit 5
Console(config)#radius-server timeout 10
Console(config)#radius-server 1 host 192.168.1.25
Console(config)#end
Console#show radius-server
Global Settings:
Authentication Port:
Accounting Port:
Retransmit Times:
Request Timeout:
181
1813
5
10
Server 1:
Server IP Address:
Authentication Port:
Accounting Port:
Retransmit Times:
Request Timeout:
192.168.1.25
181
1813
5
10
Radius server group:
Group Name
--------------------radius
4-114
4-117
4-118
4-118
4-119
4-116
4-120
Member Index
------------1
3-75
3
Configuring the Switch
Console#configure
Console(config)#authentication login tacacs
Console(config)#tacacs-server 1 host 10.20.30.40
Console(config)#tacacs-server port 200
Console(config)#tacacs-server retransmit 5
Console(config)#tacacs-server timeout 10
Console(config)#tacacs-server key green
Console#show tacacs-server
Remote TACACS+ server configuration:
Global Settings:
Server Port Number:
Retransmit Times :
Request Times
:
200
5
10
Server 1:
Server IP address:
Server port number:
Retransmit Times :
Request Times
:
10.20.30.40
200
5
10
Tacacs server group:
Group Name
--------------------tacacs+
Console#
3-76
Member Index
------------1
4-114
4-121
4-122
4-123
4-123
4-122
4-124
3
User Authentication
Configuring Encryption Keys
The Encryption Key feature provides a central location for the management of all
RADIUS and TACACS+ server encryption keys.
Command Attributes
• RADIUS Settings
- Global – Provides globally applicable RADIUS encryption key settings.
- Server Index – Specifies one of five RADIUS servers for which an encryption
key may be configured.
- Secret Text String – Encryption key used to authenticate logon access for
client. Do not use blank spaces in the string. (Maximum length: 48 characters)
- Confirm Secret Text String – Re-type the string entered in the previous field to
ensure no errors were made. The switch will not change the encryption key if
these two fields do not match.
- Change – Clicking this button adds or modifies the selected encryption key.
• TACACS+ Settings
- Global – Provides globally applicable TACACS+ encryption key settings.
- ServerIndex – Specifies the index number of the TACACS+ server for which an
encryption key may be configured. The switch currently supports only one
TACACS+ server.
- Secret Text String – Encryption key used to authenticate logon access for
client. Do not use blank spaces in the string. (Maximum length: 48 characters)
- Confirm Secret Text String – Re-type the string entered in the previous field to
ensure no errors were made. The switch will not change the encryption key if
these two fields do not match.
- Change – Clicking this button adds or modifies the selected encryption key.
Web – Click Security, Encryption Key. Choose the appropriate RADIUS or
TACACS+ Server Index, enter Secret Text String and confirm it, then click Change.
Figure 3-42 Encryption Key Settings
3-77
3
Configuring the Switch
CLI – This example sets a global encryption key for RADIUS and TACACS servers.
Console(config)#radius-server key green
Console(config)#tacacs-server key green
Console(config)#
4-118
4-122
AAA Authorization and Accounting
The Authentication, authorization, and accounting (AAA) feature provides the main
framework for configuring access control on the switch. The three security functions
can be summarized as follows:
• Authentication — Identifies users that request access to the network.
• Authorization — Determines if users can access specific services.
• Accounting — Provides reports, auditing, and billing for services that users have
accessed on the network.
The AAA functions require the use of configured RADIUS or TACACS+ servers in
the network. The security servers can be defined as sequential groups that are then
applied as a method for controlling user access to specified services. For example,
when the switch attempts to authenticate a user, a request is sent to the first server
in the defined group, if there is no response the second server will be tried, and so
on. If at any point a pass or fail is returned, the process stops.
The switch supports the following AAA features:
• Accounting for IEEE 802.1X authenticated users that access the network through
the switch.
• Accounting for users that access management interfaces on the switch through the
console and Telnet.
• Accounting for commands that users enter at specific CLI privilege levels.
• Authorization of users that access management interfaces on the switch through
the console and Telnet.
To configure AAA on the switch, you need to follow this general process:
1. Configure RADIUS and TACACS+ server access parameters. See "Configuring
Local/Remote Logon Authentication" on page 3-73.
2. Define RADIUS and TACACS+ server groups to support the accounting and
authorization of services.
3. Define a method name for each service to which you want to apply accounting or
authorization and specify the RADIUS or TACACS+ server groups to use.
4. Apply the method names to port or line interfaces.
Note: This guide assumes that RADIUS and TACACS+ servers have already been
configured to support AAA. The configuration of RADIUS and TACACS+ server
software is beyond the scope of this guide, refer to the documentation provided
with the RADIUS or TACACS+ server software.
3-78
User Authentication
3
Configuring AAA RADIUS Group Settings
The AAA RADIUS Group Settings screen defines the configured RADIUS servers to
use for accounting and authorization.
Command Attributes
• Group Name - Defines a name for the RADIUS server group. (1-255 characters)
• Server Index - Specifies the RADIUS server and sequence to use for the group.
(Range: 1-5)
When specifying the index for a RADIUS sever, the server index must already be
defined (see "Configuring Local/Remote Logon Authentication" on page 3-73).
Web – Click Security, AAA, Radius Group Settings. Enter the RADIUS group name,
followed by the number of the server, then click Add.
Figure 3-43 AAA Radius Group Settings
CLI – Specify the group name for a list of RADIUS servers, and then specify the
index number of a RADIUS server to add it to the group.
Console(config)#aaa group server radius tps-radius
Console(config-sg-radius)#server 1
Console(config-sg-radius)#server 2
Console(config-sg-radius)#
4-125
4-126
4-126
Configuring AAA TACACS+ Group Settings
The AAA TACACS+ Group Settings screen defines the configured TACACS+
servers to use for accounting and authorization.
Command Attributes
• Group Name - Defines a name for the TACACS+ server group. (1-255 characters)
• Server - Spefies the TACACS+ server to use for the group. (Range: 1)
When specifying the index for a TACACS+ server, the server index must already
be defined (see "Configuring Local/Remote Logon Authentication" on page
3-73).
3-79
3
Configuring the Switch
Web – Click Security, AAA, TACACS+ Group Settings. Enter the TACACS+ group
name, followed by the number of the server, then click Add.
Figure 3-44 AAA TACACS+ Group Settings
CLI – Specify the group name for a list of TACACS+ servers, and then specify the
index number of a TACACS+ server to add it to the group.
Console(config)#aaa group server tacacs+ tps-tacacs+
Console(config-sg-tacacs+)#server 1
Console(config-sg-tacacs+)#
4-125
4-126
Configuring AAA Accounting
AAA accounting is a feature that enables the accounting of requested services for
billing or security purposes.
Command Attributes
• Method Name – Specifies an accounting method for service requests.
The “default” methods are used for a requested service if no other methods have
been defined. (Range: 1-255 characters)
The method name is only used to describe the accounting method(s) configured
on the specified accounting servers, and do not actually send any information to
the servers about the methods to use.
• Service Request – Specifies the service as either 802.1X (user accounting) or
Exec (administrative accounting for local console, Telnet, or SSH connections).
• Accounting Notice – Records user activity from log-in to log-off point.
• Group Name - Specifies the accounting server group. (Range: 1-255 characters)
The group names “radius” and “tacacs+” specifies all configured RADIUS and
TACACS+ hosts (see "Configuring Local/Remote Logon Authentication" on page
3-73). Any other group name refers to a server group configured on the RADIUS
or TACACS+ Group Settings pages.
3-80
3
User Authentication
Web – Click Security, AAA, Accounting, Settings. To configure a new accounting
method, specify a method name and a group name, then click Add.
Figure 3-45 AAA Accounting Settings
CLI – Specify the accounting method required, followed by the chosen parameters.
Console(config)#aaa accounting dot1x tps start-stop group radius
Console(config)#
4-127
3-81
3
Configuring the Switch
AAA Accounting Update
This feature sets the interval at which accounting updates are sent to accounting
servers.
Command Attributes
Periodic Update - Specifies the interval at which the local accounting service
updates information to the accounting server. (Range: 1-2147483647 minutes;
Default: Disabled)
Web – Click Security, AAA, Accounting, Periodic Update. Enter the required update
interval and click Apply.
Figure 3-46 AAA Accounting Update
CLI – This example sets the periodic accounting update interval at 10 minutes.
Console(config)#aaa accounting update periodic 10
Console(config)#
3-82
4-130
3
User Authentication
AAA Accounting 802.1X Port Settings
This feature applies the specified accounting method to an interface.
Command Attributes
• Port/Trunk - Specifies a port or trunk number.
• Method Name - Specifies a user defined method name to apply to the interface.
This method must be defined in the AAA Accounting Settings menu (page 3-79).
(Range: 1-255 characters)
Web – Click Security, AAA, Accounting, 802.1X Port Settings. Enter the required
accounting method and click Apply.
Figure 3-47 AAA Accounting 802.1X Port Settings
CLI – Specify the accounting method to apply to the selected interface.
Console(config)#interface ethernet 1/2
Console(config-if)#accounting dot1x tps-method
Console(config-if)#
4-130
3-83
3
Configuring the Switch
AAA Accounting Exec Command Privileges
This feature specifies a method name to apply to commands entered at specific CLI
privilege levels.
Command Attributes
• Commands Privilege Level - The CLI privilege levels (0-15).
• Console/Telnet - Specifies a user-defined method name to apply to commands
entered at the specified CLI privilege level.
Web – Click Security, AAA, Accounting, Command Privileges. Enter a defined
method name for console and Telnet privilege levels. Click Apply.
Figure 3-48 AAA Accounting Exec Command Privileges
CLI – Specify the accounting method to use for console and Telnet privilege levels.
Console(config)#line console
Console(config-line)#accounting commands 15 tps-method
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#accounting commands 15 tps-method
Console(config-line)#
3-84
4-46
4-131
User Authentication
3
AAA Accounting Exec Settings
This feature specifies a method name to apply to console and Telnet connections.
Command Attributes
Method Name - Specifies a user defined method name to apply to console and
Telnet connections.
Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method
name for console and Telnet connections, and click Apply.
Figure 3-49 AAA Accounting Exec Settings
CLI – Specify the accounting method to use for Console and Telnet interfaces.
Console(config)#line console
Console(config-line)#accounting exec tps-method
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#accounting exec tps-method
Console(config-line)#
4-46
4-131
AAA Accounting Summary
This feature displays all accounting configured accounting methods, the methods
applied to specified interfaces, and basic accounting information recorded for user
sessions.
Command Attributes
AAA Accounting Summary
•
•
•
•
Accounting Type - Displays the accounting service.
Method List - Displays the user-defined or default accounting method.
Group List - Displays the accounting server group.
Interface - Displays the port or trunk to which these rules apply. (This field is null
if the accounting method and associated server group has not been assigned to an
interface.)
AAA Accounting Statistics Summary
• Accounting Type - Displays the accounting service.
• User Name - Displays a registered user name.
• Interface - Displays the receive port number through which this user accessed the
switch.
• Time Elapsed - Displays the length of time this entry has been active.
3-85
3
Configuring the Switch
Web – Click Security, AAA, Summary.
Figure 3-50 AAA Accounting Summary
3-86
User Authentication
3
CLI – Use the following command to display the currently applied accounting
methods, and registered users.
Console#show accounting
Accounting Type : dot1x
Method List
: default
Group List
: radius
Interface
:
Method List
Group List
Interface
4-133
: tps-method
: tps-radius
:
Accounting Type
Method List
Group List
Interface
: Exec
: default
: tacacs+
:
Accounting Type
Method List
Group List
Interface
: Commands 0
: default
: tacacs+
:
Console#show accounting statistics
Total entries: 3
Acconting type : dot1x
Username
: testpc
Interface
: eth 1/1
Time elapsed since connected: 00:24:44
Acconting type
Username
Interface
Time elapsed
: exec
: admin
: vty 0
since connected: 00:25:09
Console#
Authorization Settings
AAA authorization is a feature that verifies a user has access to specific services.
Command Attributes
• Method Name – Specifies an authorization method for service requests.
The “default” method is used for a requested service if no other methods have been
defined. (Range: 1-255 characters)
• Service Request – Specifies the service as Exec (authorization for local console
or Telnet connections).
• Group Name - Specifies the authorization server group.
(Range: 1-255 characters)
The group name “tacacs+” specifies all configured TACACS+ hosts (see
"Configuring Local/Remote Logon Authentication" on page 3-73). Any other group
name refers to a server group configured on the TACACS+ Group Settings page.
Authorization is only supported for TACACS+ servers.
3-87
3
Configuring the Switch
Web – Click Security, AAA, Authorization, Settings. To configure a new authorization
method, specify a method name and a group name, select the service, then click
Add.
Figure 3-51 AAA Authorization Settings
CLI – Specify the authorization method required and the server group.
Console(config)#aaa authorization exec default group tacacs+
Console(config)#
4-132
Authorization EXEC Settings
This feature specifies an authorization method name to apply to console and Telnet
connections.
Command Attributes
Method Name - Specifies a user-defined method name to apply to console and
Telnet connections.
Web – Click Security, AAA, Authorization, Exec Settings. Enter a defined method
name for console and Telnet connections, and click Apply.
Figure 3-52 AAA Authorization Exec Settings
3-88
3
User Authentication
CLI – Specify the authorization method to use for Console and Telnet interfaces.
Console(config)#line console
Console(config-line)#authorization exec tps-auth
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec tps-auth
Console(config-line)#
4-46
4-133
Authorization Summary
The Authorization Summary displays the configured authorization methods and the
interfaces to which they are applied.
Command Attributes
•
•
•
•
Authorization Type - Displays the authorization service.
Method List - Displays the user-defined or default authorization method.
Group List - Displays the authorization server group.
Interface - Displays the console or Telnet interface to which the authorization
method applies. (This field is null if the authorization method and associated server
group has not been assigned.)
Web – Click Security, AAA, Authorization, Summary.
Figure 3-53 AAA Authorization Summary
CLI – This example displays the configured authorization methods and the
interfaces to which they are applied.
Console#show accounting
Accounting type: dot1x
Method list: default
Group list: radius
Interface:
4-133
Method list: tps
Group list: radius
Interface: eth 1/2
Accounting type: Exec
Method list: default
Group list: radius
Interface: vty
Console#
3-89
3
Configuring the Switch
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol
(HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an
encrypted connection) to the switch’s web interface.
Command Usage
• Both the HTTP and HTTPS service can be enabled independently on the switch.
However, you cannot configure both services to use the same UDP port. (HTTP
can only be configured through the CLI using the ip http server command
described on page 4-135.)
• If you enable HTTPS, you must indicate this in the URL that you specify in your
browser: https://device[:port_number]
• When you start HTTPS, the connection is established in this way:
- The client authenticates the server using the server’s digital certificate.
- The client and server negotiate a set of security protocols to use for the
connection.
- The client and server generate session keys for encrypting and decrypting data.
• The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer 5.x or above,
Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0 or above.
• The following web browsers and operating systems currently support HTTPS:
Table 3-5 HTTPS System Support
Web Browser
Operating System
Internet Explorer 5.0 or later
Windows 98,Windows NT (with service pack 6a),
Windows 2000, Windows XP
Netscape 6.2 or later
Windows 98,Windows NT (with service pack 6a),
Windows 2000, Windows XP, Solaris 2.6
Mozilla Firefox 2.0.0.0 or later
Windows 2000, Windows XP, Linux
• To specify a secure-site certificate, see "Replacing the Default Secure-site
Certificate" on page 3-91.
Command Attributes
HTTPS Settings
• HTTPS Status – Allows you to enable/disable the HTTPS server feature on the
switch. (Default: Enabled)
• Change HTTPS Port Number – Specifies the UDP port number used for HTTPS
connection to the switch’s web interface. (Default: Port 443)
Copy HTTPS Certificate
For more information on this function, see "Replacing the Default Secure-site
Certificate" on page 3-91.
3-90
3
User Authentication
Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number,
then click Apply.
Figure 3-54 HTTPS Settings
CLI – This example enables the HTTP secure server and modifies the port number.
Console(config)#ip http secure-server
Console(config)#ip http secure-port 443
Console(config)#
4-135
4-136
Replacing the Default Secure-site Certificate
When you log onto the web interface using HTTPS (for secure access), a Secure
Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that
Netscape and Internet Explorer display will be associated with a warning that the
site is not recognized as a secure site. This is because the certificate has not been
signed by an approved certification authority. If you want this warning to be replaced
by a message confirming that the connection to the switch is secure, you must
obtain a unique certificate and a private key and password from a recognized
certification authority.
Caution: For maximum security, we recommend you obtain a unique Secure Sockets
Layer certificate at the earliest opportunity. This is because the default
certificate for the switch is not unique to the hardware you have purchased.
When you have obtained a unique certificate file and a private key file, place them
on your TFTP server and transfer them to the switch to replace the default
(unrecognized) certificate with an authorized one.
Note: The switch must be reset for the new certificate to be activated.
Command Attributes
• TFTP Server IP Address – IP address of TFTP server which contains the
certificate file.
3-91
3
Configuring the Switch
• Source Certificate File Name – The file name of the unique certificate file as
provided by the recognized certification authority.
• Source Private File Name – The file name of the private key file as provided by
the recognized certification authority.
• Private Password – The private key password as provided by the recognized
certification authority. This password is used to verify authorization for certificate
use, and is verified when downloading the certificate to the switch.
Web – Click Security, HTTPS Settings. Specify the IP address of the TFTP server,
the certificate and private key file names, and the private key password, then click
Copy Certificate.
Figure 3-55 HTTPS Settings
CLI – This example replaces the default (unrecognized) HTTPS certificate with an
authorized one.
Console#copy tftp https-certificate
TFTP server ip address: <server ip-address>
Source certificate file name: <certificate file name>
Source private file name: <private key file name>
Private password: <password for private key>
4-37
Note: The switch must be reset for the new certificate to be activated. To reset the
switch, See "Resetting the System" on page 3-41 or type: Console#reload
3-92
User Authentication
3
Configuring the Secure Shell
The Berkeley-standard includes remote access tools originally designed for Unix
systems. Some of these tools have also been implemented for Microsoft Windows
and other environments. These tools, including commands such as rlogin (remote
login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
The Secure Shell (SSH) includes server/client applications intended as a secure
replacement for the older Berkeley remote access tools. SSH can also provide
remote management access to this switch as a secure replacement for Telnet.
When the client contacts the switch via the SSH protocol, the switch generates a
public-key that the client uses along with a local user name and password for access
authentication. SSH also encrypts all data transfers passing between the switch and
SSH-enabled management station clients, and ensures that data traveling over the
network arrives unaltered.
Notes: 1. You need to install an SSH client on the management station to access the
switch for management via the SSH protocol.
2. The switch supports both SSH Version 1.5 and 2.0 clients.
Command Usage
The SSH server on this switch supports both password and public key
authentication. If password authentication is specified by the SSH client, then the
password can be authenticated either locally or via a RADIUS or TACACS+ remote
authentication server, as specified on the Authentication Settings page
(page 3-73). If public key authentication is specified by the client, then you must
configure authentication keys on both the client and the switch as described in the
following section. Note that regardless of whether you use public key or password
authentication, you still have to generate authentication keys on the switch (SSH
Host Key Settings) and enable the SSH server (Authentication Settings).
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host
public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically
import the host public key during the initial connection setup with the switch.
Otherwise, you need to manually create a known hosts file on the management
station and place the host public key in it. An entry for a public key in the known
hosts file would appear similar to the following example:
10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254
15020245593199868544358361651999923329781766065830956 10825913212890233
76546801726272571413428762941301196195566782 59566410486957427888146206
519417467729848654686157177393901647793559423035774130980227370877945452
4083971752646358058176716709574804776117
3. Import Client’s Public Key to the Switch – See "Importing User Public Keys" on
page 3-97, or use the copy tftp public-key command (page 4-37) to copy a file
containing the public key for all the SSH client’s granted management access to
3-93
3
Configuring the Switch
the switch. (Note that these clients must be configured locally on the switch via
the User Accounts page as described on page 3-71.) The clients are
subsequently authenticated using these keys. The current firmware only accepts
public key files based on standard UNIX format as shown in the following
example for an RSA Version 1 key:
1024 35 1341081685609893921040944920155425347631641921872958921143173880
055536161631051775940838686311092912322268285192543746031009371877211996
963178136627741416898513204911720483033925432410163799759237144901193800
609025394840848271781943722884025331159521348610229029789827213532671316
29432532818915045306393916643 steve@192.168.1.19
4. Set the Optional Parameters – On the SSH Settings page, configure the optional
parameters, including the authentication timeout, the number of retries, and the
server key size.
5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the
switch.
6. Authentication – One of the following authentication methods is employed:
Password Authentication (for SSH v1.5 or V2 Clients)
a. The client sends its password to the server.
b. The switch compares the client's password to those stored in memory.
c. If a match is found, the connection is allowed.
Note: To use SSH with only password authentication, the host public key must still be
given to the client, either during initial connection or manually entered into the
known host file. However, you do not need to configure the client’s keys.
Public Key Authentication – When an SSH client attempts to contact the switch,
the SSH server uses the host key pair to negotiate a session key and encryption
method. Only clients that have a private key corresponding to the public keys
stored on the switch can access it. The following exchanges take place during
this process:
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch uses its secret key to generate a random
256-bit string as a challenge, encrypts this string with the user’s public key,
and sends it to the client.
d. The client uses its private key to decrypt the challenge string, computes the
MD5 checksum, and sends the checksum back to the switch.
e. The switch compares the checksum sent from the client against that
computed for the original string it sent. If the two checksums match, this
means that the client's private key corresponds to an authorized public key,
and the client is authenticated.
3-94
User Authentication
3
Authenticating SSH v2 Clients
a. The client first queries the switch to determine if DSA public key
authentication using a preferred algorithm is acceptable.
b. If the specified algorithm is supported by the switch, it notifies the client to
proceed with the authentication process. Otherwise, it rejects the request.
c. The client sends a signature generated using the private key to the switch.
d. When the server receives this message, it checks whether the supplied key
is acceptable for authentication, and if so, it then checks whether the
signature is correct. If both checks succeed, the client is authenticated.
Note: The SSH server supports up to four client sessions. The maximum number of
client sessions includes both current Telnet sessions and SSH sessions.
Generating the Host Key Pair
A host public/private key pair is used to provide secure communications between an
SSH client and the switch. After generating this key pair, you must provide the host
public key to SSH clients and import the client’s public key to the switch as
described in the section "Importing User Public Keys" on page 3-97.
Field Attributes
• Public-Key of Host-Key – The public key for the host.
- RSA (Version 1): The first field indicates the size of the host key (e.g., 1024), the
second field is the encoded public exponent (e.g., 65537), and the last string is
the encoded modulus.
- DSA (Version 2): The first field indicates that the encryption method used by
SSH is based on the Digital Signature Standard (DSS). The last string is the
encoded modulus.
• Host-Key Type – The key type used to generate the host key pair (i.e., public and
private keys). (Range: RSA (Version 1), DSA (Version 2), Both; Default: Both)
The SSH server uses RSA or DSA for key exchange when the client first
establishes a connection with the switch, and then negotiates with the client to
select either DES (56-bit) or 3DES (168-bit) for data encryption.
Note: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for
SSHv2 clients.
• Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e.,
volatile memory) to flash memory. Otherwise, the host key pair is stored to RAM
by default. Note that you must select this item prior to generating the host-key pair.
• Generate – This button is used to generate the host key pair. Note that you must
first generate the host key pair before you can enable the SSH server on the SSH
Server Settings page.
• Clear – This button clears the host key from both volatile memory (RAM) and
non-volatile memory (Flash).
3-95
3
Configuring the Switch
Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the
drop-down box, select the option to save the host key from memory to flash (if
required) prior to generating the key, and then click Generate.
Figure 3-56 SSH Host-Key Settings
CLI – This example generates a host-key pair using both the RSA and DSA
algorithms, stores the keys to flash memory, and then displays the host’s public keys.
Console#ip ssh crypto host-key generate
4-140
Console#ip ssh save host-key
4-140
Console#show public-key host
4-140
Host:
RSA:
1024 65537 127250922544926402131336514546131189679055192360076028653006761
82409690947448320102524878965977592168322225584652387791546479807396314033
86925793105105765212243052807865885485789272602937866089236841423275912127
60325919683697053439336438445223335188287173896894511729290510813919642025
190932104328579045764891
DSA:
ssh-dss AAAAB3NzaC1kc3MAAACBAN6zwIqCqDb3869jYVXlME1sHL0EcE/Re6hlasfEthIwmj
hLY4O0jqJZpcEQUgCfYlum0Y2uoLka+Py9ieGWQ8f2gobUZKIICuKg6vjO9XTs7XKc05xfzkBi
KviDa+2OrIz6UK+6vFOgvUDFedlnixYTVo+h5v8r0ea2rpnO6DkZAAAAFQCNZn/x17dwpW8RrV
DQnSWw4Qk+6QAAAIEAptkGeB6B5hwagH4gUOCY6i1TmrmSiJgfwO9OqRPUMbCAkCC+uzxatOo7
drnIZypMx+Sx5RUdMGgKS+9ywsa1cWqHeFY5ilc3lDCNBueeLykZzVS+RS+azTKIk/zrJh8GLG
Nq375R55yRxFvmcGIn/Q7IphPqyJ3o9MK8LFDfmJEAAACAL8A6tESiswP2OFqX7VGoEbzVDSOI
RTMFy3iUXtvGyQAOVSy67Mfc3lMtgqPRUOYXDiwIBp5NXgilCg5z7VqbmRm28mWc5a//f8TUAg
PNWKV6W0hqmshQdotVzDR1e+XKNTZj0uTwWfjO5Kytdn4MdoTHgrbl/DMdAfjnte8MZZs=
Console#
3-96
User Authentication
3
Importing User Public Keys
A user’s Public Key must be uploaded to the switch in order for the user to be able to
log in using the public key authentication mechanism. If the user’s public key does
not exist on the switch, SSH will revert to the interactive password authentication
mechanism to complete authentication.
Field Attributes
• Public-Key of user – The RSA and DSA public keys for the selected user.
- RSA: The first field indicates the size of the host key (e.g., 1024), the second
field is the encoded public exponent (e.g., 37), and the last string is the encoded
modulus.
- DSA: The first field indicates that SSH version 2 was used to create the key. The
second field contains the key comment. The third string is the encoded modulus,
and the last field is a comment denoting the end of the key.
• User Name – This drop-down box selects the user who’s public key you wish to
manage. Note that you must first create users on the User Accounts page (See
"Configuring User Accounts" on page 3-71).
• Public-Key Type – The type of public key to upload.
- RSA: The switch accepts a RSA version 1 encrypted public key.
- DSA: The switch accepts a DSA version 2 encrypted public key.
The SSH server uses RSA or DSA for key exchange when the client first
establishes a connection with the switch, and then negotiates with the client to
select either DES (56-bit) or 3DES (168-bit) for data encryption.
The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for
SSHv2 clients.
• TFTP Server IP Address – The IP address of the TFTP server that contains the
public key file you wish to import. (Default: 0.0.0.0)
• Source File Name – The public key file to upload.
• Copy Public Key – Initiates the public key TFTP import process. If you are
replacing an outdated public key file, it is not necessary to first delete the original
key from the switch. The import process will overwrite the existing key.
• Delete – Deletes a selected RSA or DSA public key that has already been imported
to the switch.
3-97
3
Configuring the Switch
Web – Click Security, SSH, SSH User Public-Key Settings. Select the user name
and the public-key type from the respective drop-down boxes, input the TFTP server
IP address and the public key source file name, and then click Copy Public Key.
Figure 3-57 SSH User Public-Key Settings
3-98
User Authentication
3
CLI – This example imports an SSHv2 DSA public key for the user admin and then
displays admin’s imported public keys.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.254
Choose public key type:
1. RSA: 2. DSA: <1-2>: 2
Source file name: admin-ssh2-dsa-pub.key
Username: admin
TFTP Download
Success.
Write to FLASH Programming.
Success.
4-37
Console#show public-key user admin
4-146
admin:
RSA:
1024 37 154886675541099600242673908076171863880953984597454546825066951007
29617437427136900505591624068119579408716226078634780682201498685790475062
34519480679939485042653504179153032795337422103356695026441903823445835730
88823472889690842821665429031315937652815279387868298539820466143474130023
09979848162607182657 rsa-key-20071106
DSA:
---- BEGIN SSH2 PUBLIC KEY ---Comment: "dsa-key-20071105"
AAAAB3NzaC1kc3MAAA
CAeqNnwpAVz82Z3zFif0KGF846S5m5useW8rQp8DBv1IQ/sLYRuoCtW/+hllIaUu2F9Ps6D5gJ
dKjyEPKRutJv1rAwq1YZ61/fat9OGpM3oaqMf6UiVUK4gEsaq8T6UqrGsIDcXWyvmbI02+R/
owN43kwEJCfmpBXelhU962AA2G0AAAAVAKxtZo+MjTVzRJ+9mFTFIUpawm7HAAAAgCINbco4jT
WcdMKS1oQTA+WnCehlsd8j5MpDc3VccySMaFzcPgxT+N79WVxWNJQaS8l9TfY3EDg9VfCooLZD
rn/yX67MV3p/IJej57DsNjLnCHpaGE/OKfkAhvjRzlufS4f4wAzOYCBNxb6XY6Vew8Pi7Wri
L/Xrm4AQ0t4wSjjEAAAAgDNcKKEpZw16wW7E9EmbQp5s5gu9lCVCqMz5r76EyEzc
9uIYvxy54GHMtyBwLTITh6lbxEGD6cOnkCW+ieRye9fiJfs7u4QdL9NZb+WLZvcUXm6E1vUc70
OpelDFxbfhQawgGFxvx7rzv85D75ffNEqbLW2mKApehuQrHYbPZOnX
---- END SSH2 PUBLIC KEY ----
Console#
3-99
3
Configuring the Switch
Configuring the SSH Server
The SSH server includes basic settings for authentication.
Note: You must first generate the host key pair on the SSH Host-Key Settings page
before you can enable the SSH server.
Field Attributes
• SSH Server Status – Allows you to enable/disable the SSH server on the switch.
(Default: Disabled)
• Version – The Secure Shell version number. Version 2.0 is displayed, but the
switch supports management access via either SSH Version 1.5 or 2.0 clients.
• SSH Authentication Timeout – Specifies the time interval in seconds that the
SSH server waits for a response from a client during an authentication attempt.
(Range: 1-120 seconds; Default: 120 seconds)
• SSH Authentication Retries – Specifies the number of authentication attempts
that a client is allowed before authentication fails and the client has to restart the
authentication process. (Range: 1-5 times; Default: 3)
• SSH Server-Key Size – Specifies the SSH server key size.
(Range: 512-896 bits; Default: 768)
- The server key is a private key that is never shared outside the switch.
- The host key is shared with the SSH client, and is fixed at 1024 bits.
Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication
parameters as required, then click Apply. Note that you must first generate the host
key pair on the SSH Host-Key Settings page before you can enable the SSH server.
Figure 3-58 SSH Server Settings
3-100
User Authentication
3
CLI – This example enables SSH, sets the authentication parameters, and displays
the current configuration. It shows that the administrator has made a connection via
SHH, and then disables this connection.
Console(config)#ip ssh server
4-140
Console(config)#ip ssh timeout 100
4-141
Console(config)#ip ssh authentication-retries 5
4-141
Console(config)#ip ssh server-key size 512
4-142
Console(config)#end
Console#show ip ssh
4-144
SSH Enabled - version 2.0
Negotiation timeout: 120 secs; Authentication retries: 5
Server key size: 512 bits
Console#show ssh
4-145
Connection Version State
Username Encryption
0
2.0
Session-Started
admin
ctos aes128-cbc-hmac-md5
stoc aes128-cbc-hmac-md5
Console#disconnect 0
4-56
Console#
Configuring 802.1X Port Authentication
Network switches can provide open and easy access to network resources by
simply attaching a client PC. Although this automatic configuration and access is a
desirable feature, it also allows unauthorized personnel to easily intrude and
possibly gain access to sensitive network data.
The IEEE 802.1X (dot1X) standard defines a port-based access control procedure
that prevents unauthorized access to a network by requiring users to first submit
credentials for authentication. Access to all switch ports in a network can be
centrally controlled from a server, which means that authorized users can use the
same credentials for authentication from any point within the network.
This switch uses the
Extensible Authentication
Protocol over LANs (EAPOL)
802.1x
to exchange authentication
client
protocol messages with the
client, and a remote RADIUS
1. Client attempts to access a switch port.
authentication server to verify
2. Switch sends client an identity request.
3. Client sends back identity information.
RADIUS
user identity and access
4. Switch forwards this to authentication server.
server
5. Authentication server challenges client.
rights. When a client (i.e.,
6. Client responds with proper credentials.
Supplicant) connects to a
7. Authentication server approves access.
8. Switch grants client access to this port.
switch port, the switch (i.e.,
Authenticator) responds with an EAPOL identity request. The client provides its
identity (such as a user name) in an EAPOL response to the switch, which it
forwards to the RADIUS server. The RADIUS server verifies the client identity and
sends an access challenge back to the client. The EAP packet from the RADIUS
server contains not only the challenge, but the authentication method to be used.
The client can reject the authentication method and request another, depending on
the configuration of the client software and the RADIUS server. The encryption
method used to pass authentication messages can be MD5 (Message-Digest 5),
3-101
3
Configuring the Switch
TLS (Transport Layer Security), PEAP (Protected Extensible Authentication
Protocol), or TTLS (Tunneled Transport Layer Security). The client responds to the
appropriate method with its credentials, such as a password or certificate. The
RADIUS server verifies the client credentials and responds with an accept or reject
packet. If authentication is successful, the switch allows the client to access the
network. Otherwise, non-EAP traffic on the port is blocked or assigned to a guest
VLAN based on the “intrusion-action” setting. In “multi-host” mode, only one host
connected to a port needs to pass authentication for all other hosts to be granted
network access. Similarly, a port can become unauthorized for all hosts if one
attached host fails re-authentication or sends an EAPOL logoff message.
The operation of 802.1X on the switch requires the following:
• The switch must have an IP address assigned.
• RADIUS authentication must be enabled on the switch and the IP address of the
RADIUS server specified.
• 802.1X must be enabled globally for the switch.
• Each switch port that will be used must be set to dot1X “Auto” mode.
• Each client that needs to be authenticated must have dot1X client software
installed and properly configured.
• The RADIUS server and 802.1X client support EAP. (The switch only supports
EAPOL in order to pass the EAP packets from the server to the client.)
• The RADIUS server and client also have to support the same EAP encryption
method for passing authentication messages – MD5, PEAP, TLS, or TTLS. Native
support for these encryption methods is provided in Windows XP, and in Windows
2000 with Service Pack 4. To support these encryption methods in Windows 95
and 98, you can use the AEGIS dot1x client or other comparable client software.
Displaying 802.1X Global Settings
The 802.1X protocol provides client authentication.
Command Attributes
802.1X System Authentication Control – The global setting for 802.1X.
Web – Click Security, 802.1X, Information.
Figure 3-59 802.1X Global Information
3-102
3
User Authentication
CLI – This example shows the default global setting for 802.1X.
Console#show dot1x
Global 802.1X Parameters
system-auth-control: enable
4-154
802.1X Port Summary
Port Name Status
1/1
disabled
1/2
disabled
.
.
.
802.1X Port Details
Operation Mode
Single-Host
Single-Host
Mode
ForceAuthorized
ForceAuthorized
Authorized
n/a
n/a
802.1X is disabled on port 1/1
.
.
.
802.1X is disabled on port 1/28
Console#
Configuring 802.1X Global Settings
The 802.1X protocol provides port authentication. The 802.1X protocol must be
enabled globally for the switch system before port settings are active.
Command Attributes
802.1X System Authentication Control – Sets the global setting for 802.1X.
(Default: Disabled)
Web – Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch,
and click Apply.
Figure 3-60 802.1X Global Configuration
CLI – This example enables 802.1X globally for the switch.
Console(config)#dot1x system-auth-control
Console(config)#
4-147
3-103
3
Configuring the Switch
Configuring Port Settings for 802.1X
When 802.1X is enabled, you need to configure the parameters for the
authentication process that runs between the client and the switch (i.e.,
authenticator), as well as the client identity lookup process that runs between the
switch and authentication server. These parameters are described in this section.
Command Attributes
• Port – Port number.
• Status – Indicates if authentication is enabled or disabled on the port.
(Default: Disabled)
• Operation Mode – Allows single or multiple hosts (clients) to connect to an
802.1X-authorized port. (Options: Single-Host, Multi-Host, MAC-Based-Auth;
Default: Single-Host)
- In Single-Host mode, only one host connected to a port can be authenticated for
network access.
- In Multi-Host mode, only one host connected to a port needs to pass
authentication for all other hosts to be granted network access. Similarly, a port
can become unauthorized for all hosts if one attached host fails re-authentication
or sends an EAPOL logoff message. The number of hosts allowed access to a
port operating in this mode is determined by the Max Count attribute described
below.
- In MAC-Based mode, each host connected to a port needs to pass
authentication based on addresses configured in the authentication server (see
"Configuring MAC Authentication for Ports" on page 3-121). The number of
hosts allowed access to a port operating in this mode is limited only by the
available space in the secure address table (i.e., up to 1024 addresses).
• Max Count – The maximum number of hosts that can connect to a port when the
Multi-Host operation mode is selected. (Range: 1-1024; Default: 5)
• Mode – Sets the authentication mode to one of the following options:
- Auto – Requires a dot1x-aware client to be authorized by the authentication
server. Clients that are not dot1x-aware will be denied access.
- Force-Authorized – Forces the port to grant access to all clients, either
dot1x-aware or otherwise. (This is the default setting.)
- Force-Unauthorized – Forces the port to deny access to all clients, either
dot1x-aware or otherwise.
802.1X port authentication and port security (page 3-113) cannot be configured
together on the same port. Only one of these security mechanisms can be applied.
802.1X port authentication cannot be configured on trunk ports. In other words, a
static or dynamically configured trunk cannot be set to Auto or Force-Unauthorized
mode.
When 802.1X authentication is enabled on a port, the MAC address learning
function for this interface is disabled, and the addresses dynamically learned on
this port are removed.
3-104
User Authentication
3
Authenticated MAC addresses are stored as dynamic entries in the switch’s secure
MAC address table. Configured static MAC addresses are added to the secure
address table when seen on a switch port. Static addresses are treated as
authenticated without sending a request to a RADIUS server.
•
•
•
•
•
•
•
•
•
When port status changes to down, all MAC addresses are cleared from the secure
MAC address table. Static VLAN assignments are not restored.
Re-authentication – Sets the client to be re-authenticated after the interval
specified by the Re-authentication Period. Re-authentication can be used to detect
if a new device is plugged into a switch port. (Default: Disabled)
Max-Request – Sets the maximum number of times the switch port will retransmit
an EAP request packet to the client before it times out the authentication session.
(Range: 1-10; Default 2)
Quiet Period – Sets the time that a switch port waits after the Max Request Count
has been exceeded before attempting to acquire a new client.
(Range: 1-65535 seconds; Default: 60 seconds)
Re-authentication Period – Sets the time period after which a connected client
must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)
Tx Period – Sets the time period during an authentication session that the switch
waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)
Intrusion Action – Sets the port’s response to a failed authentication.
- Block Traffic – Blocks all non-EAP traffic on the port. (This is the default setting.)
- Guest VLAN – All traffic for the port is assigned to a guest VLAN. The guest
VLAN must be separately configured (See "Creating VLANs" on page 3-221)
and mapped on each port (see "Configuring MAC Authentication for Ports" on
page 3-121).
Authorized – Displays the 802.1X authorization status of connected clients.
- Yes – Connected client is authorized.
- No – Connected client is not authorized.
- Blank – Displays nothing when dot1x is disabled on a port.
Supplicant – Indicates the MAC address of a connected client.
Trunk – Indicates if the port is configured as a trunk port.
3-105
3
Configuring the Switch
Web – Click Security, 802.1X, Port Configuration. Modify the parameters required,
and click Apply.
Figure 3-61 802.1X Port Configuration
3-106
User Authentication
3
CLI – This example sets the 802.1X parameters on port 2. For a description of the
additional fields displayed in this example, see "show dot1x" on page 4-154.
Console(config)#interface ethernet 1/2
Console(config-if)#dot1x port-control auto
Console(config-if)#dot1x re-authentication
Console(config-if)#dot1x max-req 5
Console(config-if)#dot1x timeout quiet-period 30
Console(config-if)#dot1x timeout re-authperiod 1800
Console(config-if)#dot1x timeout tx-period 40
Console(config-if)#dot1x intrusion-action guest-vlan
Console(config-if)#exit
Console(config)#exit
Console#show dot1x
Global 802.1X Parameters
system-auth-control: enable
4-222
4-148
4-151
4-148
4-151
4-152
4-152
4-153
4-154
802.1X Port Summary
Port Name
1/1
1/2
.
.
.
1/28
Status
disabled
enabled
Operation Mode
Single-Host
Single-Host
Mode
ForceAuthorized
auto
Authorized
n/a
yes
disabled
Single-Host
ForceAuthorized
n/a
802.1X Port Details
802.1X is disabled on port 1/1
802.1X is enabled on port 1/2
reauth-enabled: Enable
reauth-period: 1800
quiet-period:
30
tx-period:
40
supplicant-timeout:
30
server-timeout: 10
reauth-max:
2
max-req:
5
Status
Authorized
Operation mode
Single-Host
Max count
5
Port-control
Auto
Supplicant
00-12-CF-49-5e-dc
Current Identifier 3
Intrusion action
Guest VLAN
Authenticator State Machine
State
Authenticated
Reauth Count
0
Backend State Machine
State
Idle
Request Count
0
Identifier(Server) 2
Reauthentication State Machine
State
Initialize
.
.
.
802.1X is disabled on port 1/28
Console#
3-107
3
Configuring the Switch
Displaying 802.1X Statistics
This switch can display statistics for dot1x protocol exchanges for any port.
Table 3-6 802.1X Statistics
Parameter
Description
Rx EAPOL Start
The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff
The number of EAPOL Logoff frames that have been received by this Authenticator.
Rx EAPOL Invalid
The number of EAPOL frames that have been received by this Authenticator in which
the frame type is not recognized.
Rx EAPOL Total
The number of valid EAPOL frames of any type that have been received by this
Authenticator.
Rx EAP Resp/Id
The number of EAP Resp/Id frames that have been received by this Authenticator.
Rx EAP Resp/Oth
The number of valid EAP Response frames (other than Resp/Id frames) that have
been received by this Authenticator.
Rx EAP LenError
The number of EAPOL frames that have been received by this Authenticator in which
the Packet Body Length field is invalid.
Rx Last EAPOLVer
The protocol version number carried in the most recently received EAPOL frame.
Rx Last EAPOLSrc
The source MAC address carried in the most recently received EAPOL frame.
Tx EAPOL Total
The number of EAPOL frames of any type that have been transmitted by this
Authenticator.
Tx EAP Req/Id
The number of EAP Req/Id frames that have been transmitted by this Authenticator.
Tx EAP Req/Oth
The number of EAP Request frames (other than Rq/Id frames) that have been
transmitted by this Authenticator.
3-108
3
User Authentication
Web – Select Security, 802.1X, Statistics. Select the required port and then click
Query. Click Refresh to update the statistics.
Figure 3-62 Displaying 802.1X Port Statistics
CLI – This example displays the 802.1X statistics for port 4.
Console#show dot1x statistics interface ethernet 1/4
Eth 1/4
Rx: EAPOL
Start
2
Last
EAPOLVer
1
Tx: EAPOL
Total
2017
Console#
EAPOL
Logoff
0
EAPOL
Invalid
0
EAPOL
Total
1007
EAP
Resp/Id
672
4-154
EAP
EAP
Resp/Oth LenError
0
0
Last
EAPOLSrc
00-12-CF-94-34-DE
EAP
Req/Id
1005
EAP
Req/Oth
0
3-109
3
Configuring the Switch
Filtering IP Addresses for Management Access
You can create a list of up to 16 IP addresses or IP address groups that are allowed
management access to the switch through the web interface, SNMP, or Telnet.
Command Usage
• The management interfaces are open to all IP addresses by default. Once you add
an entry to a filter list, access to that interface is restricted to the specified
addresses.
• If anyone tries to access a management interface on the switch from an invalid
address, the switch will reject the connection, enter an event message in the
system log, and send a trap message to the trap manager.
• IP address can be configured for SNMP, web and Telnet access respectively. Each
of these groups can include up to five different sets of addresses, either individual
addresses or address ranges.
• When entering addresses for the same group (i.e., SNMP, web or Telnet), the
switch will not accept overlapping address ranges. When entering addresses for
different groups, the switch will accept overlapping address ranges.
• You cannot delete an individual address from a specified range. You must delete
the entire range, and reenter the addresses.
• You can delete an address range just by specifying the start address, or by
specifying both the start address and end address.
Command Attributes
•
•
•
•
•
•
•
Web IP Filter – Configures IP address(es) for the web group.
SNMP IP Filter – Configures IP address(es) for the SNMP group.
Telnet IP Filter – Configures IP address(es) for the Telnet group.
IP Filter List – IP address which are allowed management access to this interface.
Start IP Address – A single IP address, or the starting address of a range.
End IP Address – The end address of a range.
Add/Remove Filtering Entry – Adds/removes an IP address from the list.
3-110
3
User Authentication
Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that
are allowed management access to an interface, and click Add Web IP Filtering
Entry to update the filter list.
Figure 3-63 Creating an IP Filter List
CLI – This example allows SNMP access for a specific client.
Console(config)#management snmp-client 10.1.2.3
Console(config)#end
Console#show management all-client
Management IP Filter
HTTP-Client:
Start IP address End IP address
-----------------------------------------------
4-157
SNMP-Client:
Start IP address End IP address
----------------------------------------------1. 10.1.2.3
10.1.2.3
TELNET-Client:
Start IP address End IP address
----------------------------------------------Console#
3-111
3
Configuring the Switch
General Security Measures
This switch supports many methods of segregating traffic for clients attached to
each of the data ports, and for ensuring that only authorized clients gain access to
the network. Private VLANs and port-based authentication using IEEE 802.1X are
commonly used for these purposes. In addition to these methods, several other
options of providing client security are supported by this switch. These include
port-based authentication, which can be configured for network client access
by specifying a fixed set of MAC addresses. The addresses assigned to DHCP
clients can also be carefully controlled using static or dynamic bindings with the IP
Source Guard and DHCP Snooping commands.
This switch provides client security using the following options:
• Private VLANs – Provide port-based security and isolation between ports within the
assigned VLAN. (See "Private VLANs" on page 3-237.)
• Port Security – Configure secure addresses for individual ports.
• 802.1X – Use IEEE 802.1X port authentication to control access to specific ports.
(See "Configuring 802.1X Port Authentication" on page 3-101.)
• Web Authentication - Allows stations to authenticate and access the network in
situations where 802.1X or Network Access authentication methods are infeasible
or impractical.
• Network Access - Configures MAC authentication and dynamic VLAN assignment.
• ACL - Access Control Lists provide packet filtering for IPv4 frames (based on
address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames
(based on address, next header type, or flow label), or any frames (based on MAC
address or Ethernet type).
• ARP Inspection – Security feature that validates the MAC Address bindings for
Address Resolution Protocol packets. Provides protection against ARP traffic with
invalid MAC to IP Address bindings, which forms the basis for certain
“man-in-the-middle” attacks.
• DHCP Snooping – Filters IP traffic on insecure ports for which the source address
cannot be identified via DHCP snooping. (See "DHCP Snooping" on page 3-146.)
• IP Source Guard – Filters untrusted DHCP messages on insecure ports by building
and maintaining a DHCP snooping binding table. (See "IP Source Guard" on page
3-153.)
Note: The priority of execution for the filtering commands is Port Security, Port
Authentication, Network Access, Web Authentication, Access Control Lists, IP
Source Guard, and then DHCP Snooping.
3-112
3
General Security Measures
Configuring Port Security
Port security is a feature that allows you to configure a switch port with one or more
device MAC addresses that are authorized to access the network through that port.
When port security is enabled on a port, the switch stops learning new MAC
addresses on the specified port when it has reached a configured maximum
number. Only incoming traffic with source addresses already stored in the dynamic
or static address table will be authorized to access the network through that port. If a
device with an unauthorized MAC address attempts to use the switch port, the
intrusion will be detected and the switch can automatically take action by disabling
the port and sending a trap message.
To use port security, specify a maximum number of addresses to allow on the port
and then let the switch dynamically learn the <source MAC address, VLAN> pair for
frames received on the port. Note that you can also manually add secure addresses
to the port using the Static Address Table (page 3-188). When the port has reached
the maximum number of MAC addresses the selected port will stop learning. The
MAC addresses already in the address table will be retained and will not age out.
Any other device that attempts to use the port will be prevented from accessing the
switch.
Command Usage
• A secure port has the following restrictions:
- It cannot be used as a member of a static or dynamic trunk.
- It should not be connected to a network interconnection device.
• The default maximum number of MAC addresses allowed on a secure port is zero.
You must configure a maximum address count from 1 - 1024 for the port to allow
access.
• If a port is disabled (shut down) due to a security violation, it must be manually
re-enabled from the Port/Port Configuration page (page 3-160).
Command Attributes
• Port – Port number.
• Name – Descriptive text (page 4-222).
• Action – Indicates the action to be taken when a port security violation is detected:
- None: No action should be taken. (This is the default.)
- Trap: Send an SNMP trap message.
- Shutdown: Disable the port.
- Trap and Shutdown: Send an SNMP trap message and disable the port.
• Security Status – Enables or disables port security on the port. (Default: Disabled)
• Max MAC Count – The maximum number of MAC addresses that can be learned
on a port. (Range: 0 - 1024, where 0 means disabled)
• Trunk – Trunk number if port is a member (page 3-164 and 3-165).
3-113
3
Configuring the Switch
Web – Click Security, Port Security. Set the action to take when an invalid address is
detected on a port, mark the checkbox in the Status column to enable security for a
port, set the maximum number of MAC addresses allowed on a port, and click Apply.
Figure 3-64 Configuring Port Security
CLI – This example selects the target port, sets the port security action to send a
trap and disable the port, specifies the maximum number of MAC addresses allowed
on the port, and then enables port security for the port.
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap-and-shutdown
Console(config-if)#port security max-mac-count 20
Console(config-if)#port security
Console(config-if)#
4-160
4-160
4-160
Web Authentication
Web authentication allows stations to authenticate and access the network in
situations where 802.1X or Network Access authentication are infeasible or
impractical. The web authentication feature allows unauthenticated hosts to request
and receive a DHCP assigned IP address and perform DNS queries. All other traffic,
except for HTTP protocol traffic, is blocked. The switch intercepts HTTP protocol
traffic and redirects it to a switch-generated web page that facilitates username and
password authentication via RADIUS. Once authentication is successful, the web
browser is forwarded on to the originally requested web page. Successful
authentication is valid for all hosts connected to the port.
Notes: 1. RADIUS authentication must be activated and configured properly for the
web authentication feature to work properly. (See "Configuring Local/Remote
Logon Authentication" on page 3-73)
2. Web authentication cannot be configured on trunk ports.
3-114
General Security Measures
3
Configuring Web Authentication
Web authentication is configured on a per-port basis, however there are four
configurable parameters that apply globally to all ports on the switch.
Command Attributes
• System Authentication Control – Enables Web Authentication for the switch.
(Default: Disabled)
• Session Timeout – Configures how long an authenticated session stays active
before it must re-authenticate itself. (Default: 3600 seconds; Range: 300-3600
seconds)
• Quiet Period – Configures how long a host must wait to attempt authentication
again after it has exceeded the maximum allowable failed login attempts.
(Range: 1-180 seconds; Default: 60 seconds)
• Login Attempts – Configures the amount of times a supplicant may attempt and
fail authentication before it must wait the configured quiet period. (Range: 1-3
attempts; Default: 3 attempts)
Web – Click Security, Web Authentication, Configuration.
Figure 3-65 Web Authentication Configuration
CLI – This example globally enables the system authentication control, configures
the session timeout, quiet period and login attempts, and displays the configured
global parameters.
Console(config)#mac-authentication reauth-time 3000
Console(config)#web-auth system-auth-control
Console(config)#web-auth session-timeout 1800
Console(config)#web-auth quiet-period 20
Console(config)#web-auth login-attempts 2
Console(config)#end
Console#show web-auth
4-166
4-177
4-176
4-176
4-175
4-179
Global Web-Auth Parameters
System Auth Control
Session Timeout
Quiet Period
Max Login Attempts
Console#
:
:
:
:
Enabled
1800
20
2
3-115
3
Configuring the Switch
Configuring Web Authentication for Ports
Web authentication is configured on a per-port basis. The following parameters are
associated with each port.
Command Attributes
• Port – Indicates the port being configured
• Status – Configures the web authentication status for the port.
• Authenticated Host Counts – Indicates how many authenticated hosts are
connected to the port.
Web – Click Security, Web Authentication, Port Configuration. Set the status box to
enabled for any port that requires web authentication, and click Apply.
Figure 3-66 Web Authentication Port Configuration
CLI – This example enables web authentication for ethernet port 1/5 and displays a
summary of web authentication parameters.
Console(config)#interface ethernet 1/5
Console(config-if)#web-auth
Console(config-if)#end
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control
Port
Status
--------1/ 1
Disabled
1/ 2
Enabled
1/ 3
Disabled
1/ 4
Disabled
1/ 5
Enabled
1/ 6
Disabled
1/ 7
Disabled
1/ 8
Disabled
1/
9
Disabled
.
.
.
3-116
: Enabled
Authenticated Host Count
-----------------------0
0
0
0
0
0
0
0
0
4-222
4-177
4-179
3
General Security Measures
Displaying Web Authentication Port Information
This switch can display web authentication information for all ports and connected
hosts.
Command Attributes
•
•
•
•
Interface – Indicates the ethernet port to query.
IP Address – Indicates the IP address of each connected host.
Status – Indicates the authorization status of each connected host.
Remaining Session Time (seconds) – Indicates the remaining time until the
current authorization session for the host expires.
Web – Click Security, Web Authentication, Port Information.
Figure 3-67 Web Authentication Port Information
CLI – This example displays web authentication parameters for port 1/5.
Console#show web-auth interface ethernet 1/5
Web Auth Status
: Enabled
4-179
Host Summary
IP address
--------------1.1.1.1
1.1.1.2
Console#
Web-Auth-State
-------------Authenticated
Authenticated
Remaining-Session-Time
---------------------295
111
Re-authenticating Web Authenticated Ports
The switch allows an administrator to manually force re-authentication of any
web-authenticated host connected to any port.
Command Attributes
• Interface – Indicates the Ethernet port to query.
• Host IP – Indicates the IP address of the host selected for re-authentication.
• Re-authenticate – Ends all web authentication sessions connected to the port and
forces the users to re-authenticate.
3-117
3
Configuring the Switch
Web – Click Security, Web Authentication, Re-authentication.
Figure 3-68 Web Authentication Port Re-authentication
CLI – This example forces the re-authentication of all hosts connected to port 1/5.
Console#web-auth re-authenticate interface ethernet 1/5
Failed to reauth.
Console#
4-178
Network Access (MAC Address Authentication)
Some devices connected to switch ports may not be able to support 802.1X
authentication due to hardware or software limitations. This is often true for devices
such as network printers, IP phones, and some wireless access points. The switch
enables network access from these devices to be controlled by authenticating
device MAC addresses with a central RADIUS server.
Notes: 1. RADIUS authentication must be activated and configured properly for the
MAC Address authentication feature to work properly. (See "RADIUS Client"
on page 4-116.)
2. MAC authentication cannot be configured on trunk ports.
Command Usage
• Network Access authentication controls access to the network by authenticating
the MAC address of each host that attempts to connect to a switch port. Traffic
received from a specific MAC address is forwarded by the switch only if the source
MAC address is successfully authenticated by a central RADIUS server. While
authentication for a MAC address is in progress, all traffic is blocked until
authentication is completed. On successful authentication, the RADIUS server
may optionally assign VLAN settings for the switch port.
• When enabled on a port interface, the authentication process sends a Password
Authentication Protocol (PAP) request to a configured RADIUS server. The user
name and password are both equal to the MAC address being authenticated. On
the RADIUS server, PAP username and passwords must be configured in the MAC
address format XX-XX-XX-XX-XX-XX (all in upper case).
3-118
3
General Security Measures
• Authenticated MAC addresses are stored as dynamic entries in the switch secure
MAC address table and are removed when the aging time expires. The maximum
number of secure MAC addresses supported for the switch system is 1024.
• Configured static MAC addresses are added to the secure address table when
seen on a switch port. Static addresses are treated as authenticated without
sending a request to a RADIUS server.
• When port status changes to down, all MAC addresses are cleared from the secure
MAC address table. Static VLAN assignments are not restored.
• The RADIUS server may optionally return a VLAN identifier list to be applied to the
switch port. The following attributes need to be configured on the RADIUS server.
- Tunnel-Type = VLAN
- Tunnel-Medium-Type = 802
- Tunnel-Private-Group-ID = 1u,2t
[VLAN ID list]
The VLAN identifier list is carried in the RADIUS “Tunnel-Private-Group-ID”
attribute. The VLAN list can contain multiple VLAN identifiers in the format
“1u,2t,3u” where “u” indicates an untagged VLAN and “t” a tagged VLAN.
• The RADIUS server may optionally return dynamic QoS assignments to be applied
to a switch port for an authenticated user. The “Filter-ID” attribute (attribute 11) can
be configured on the RADIUS server to pass the following QoS information:
Table 3-7 Dynamic QoS Profiles
Profile
Attribute Syntax
Example
DiffServ
service-policy-in=policy-map-name
service-policy-in=p1
Rate Limit
rate-limit-input=rate
rate-limit-input=100 (in units of Kbps)
802.1p
switchport-priority-default=value
switchport-priority-default=2
• Multiple profiles can be specified in the Filter-ID attribute by using a semicolon
to separate each profile.
For example, the attribute “service-policy-in=pp1;rate-limit-input=100” specifies
that the diffserv profile name is “pp1,” and the ingress rate limit profile value is
100 kbps.
• If duplicate profiles are passed in the Filter-ID attribute, then only the first profile
is used.
For example, if the attribute is “service-policy-in=p1;service-policy-in=p2”, then
switch applies only the DiffServ profile “p1.”
• Any unsupported profiles in the Filter-ID attribute are ignored.
For example, if the attribute is “map-ip-dscp=2:3;service-policy-in=p1,” then the
switch ignores the “map-ip-dscp” profile.
• When authentication is successful, the dynamic QoS information may not be
passed from the RADIUS server due to one of the following conditions
(authentication result remains unchanged):
- The Filter-ID attribute cannot be found to carry the user profile.
3-119
3
Configuring the Switch
- The Filter-ID attribute is empty.
- The Filter-ID attribute format for dynamic QoS assignment is unrecognizable
(can not recognize the whole Filter-ID attribute).
• Dynamic QoS assignment fails and the authentication result changes from
success to failure when the following conditions occur:
- Illegal characters found in a profile value (for example, a non-digital character
in an 802.1p profile value).
- Failure to configure the received profiles on the authenticated port.
• When the last user logs off on a port with a dynamic QoS assignment, the switch
restores the original QoS configuration for the port.
• When a user attempts to log into the network with a returned dynamic QoS
profile that is different from users already logged on to the same port, the user
is denied access.
• While a port has an assigned dynamic QoS profile, any manual QoS
configuration changes only take effect after all users have logged off the port.
Note: All configuration changes for dynamic QoS are not saved to the switch
configuration file.
Configuring the MAC Authentication Reauthentication Time
MAC address authentication is configured on a per-port basis, however there are
two configurable parameters that apply globally to all ports on the switch.
Command Attributes
• Authenticated Age – The secure MAC address table aging time. This parameter
setting is the same as switch MAC address table aging time and is only
configurable from the Address Table, Aging Time web page (see page 3-190).
(Default: 300 seconds)
• MAC Authentication Reauthentication Time – Sets the time period after which
a connected MAC address must be reauthenticated. When the reauthentication
time expires for a secure MAC address, it is reauthenticated with the RADIUS
server. During the reauthentication process traffic through the port remains
unaffected. (Default: 1800 seconds; Range: 120-1000000 seconds)
• MAC Address Aging – Enables aging for authenticated MAC addresses stored in
the secure MAC address table. (Default: Disabled)
This parameter applies to authenticated MAC addresses configured by the MAC
Address Authentication process described in this section, as well as to any secure
MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation
Mode (Single-Host, Multi-Host, or MAC-Based authentication as described in
"Configuring Port Settings for 802.1X" on page 3-104).
Authenticated MAC addresses are stored as dynamic entries in the switch’s secure
MAC address table and are removed when the aging time expires.
The maximum number of secure MAC addresses supported for the switch system
is 1024.
3-120
General Security Measures
3
Web – Click Security, Network Access, Configuration.
Figure 3-69 Network Access Configuration
CLI – This example sets and displays the reauthentication time.
Console(config)#mac-authentication reauth-time 3000
Console(config)#network-access aging
Console(config)#exit
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time
: 1800
MAC address Aging
: Enabled
--------------------------------------------------------------------------------------------------Port : 1/1
MAC Authentication
: Disabled
MAC Authentication Intrusion action
: Block traffic
MAC Authentication Maximum MAC Counts : 1024
Maximum MAC Counts
: 2048
Dynamic VLAN Assignment
: Enabled
Dynamic QoS Assignment
: Disabled
MAC Filter ID
: Disabled
Guest VLAN
: Disabled
Link Detection
: Disabled
Detection Mode
: Link-down
Detection Action
: Shutdown
Console#
4-166
4-163
4-172
Configuring MAC Authentication for Ports
Configures MAC authentication on switch ports, including setting the maximum MAC
count, applying a MAC address filter, and enabling dynamic VLAN or dynamic QoS
assignments.
Command Attributes
• Mode – Enables MAC authentication on a port. (Default: None)
• Maximum MAC Count – Sets the maximum number of MAC addresses that can
be authenticated on a port. The maximum number of MAC addresses per port is
2048, and the maximum number of secure MAC addresses supported for the
switch system is 1024. When the limit is reached, all new MAC addresses are
treated as authentication failed. (Default: 2048; Range: 1-2048)
• MAC Filter ID – Allows a MAC Filter to be assigned to the port. MAC addresses or
MAC address ranges present in a selected MAC Filter are exempt from
3-121
3
Configuring the Switch
authentication on the specified port (as described under "MAC Filter Configuration"
on page 3-125). (Range: 1-64; Default: None)
• Guest VLAN – Specifies the VLAN to be assigned to the port when MAC
Authentication or 802.1X Authentication fails. (Default: Disabled; Range: 1-4094)
The VLAN must already be created and active (see "Creating VLANs" on page
3-221). Also, when used with 802.1X authentication, intrusion action must be set
for “Guest VLAN” (see "Configuring Port Settings for 802.1X" on page 3-104).
• Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port.
When enabled, any VLAN identifiers returned by the RADIUS server are applied to
the port, providing the VLANs have already been created on the switch. (GVRP is
not used to create the VLANs.) (Default: Enabled)
The VLAN settings specified by the first authenticated MAC address are
implemented for a port. Other authenticated MAC addresses on the port must have
the same VLAN configuration, or they are treated as authentication failures.
If dynamic VLAN assignment is enabled on a port and the RADIUS server returns
no VLAN configuration, the authentication is still treated as a success, and the host
is assigned to the default untagged VLAN.
When the dynamic VLAN assignment status is changed on a port, all authenticated
addresses are cleared from the secure MAC address table.
• Dynamic QoS – Enables dynamic QoS assignment for an authenticated port.
(Default: Disabled)
Note: MAC authentication cannot be configured on trunk ports. Ports configured as trunk
members are indicated on the Network Access Port Configuration page in the
“Trunk” column.
Web – Click Security, Network Access, Port Configuration.
Figure 3-70 Network Access Port Configuration
3-122
3
General Security Measures
CLI – This example configures MAC authentication for port 1.
Console(config)#interface ethernet 1/1
4-165
Console(config-if)#network-access mode mac-authentication
Console(config-if)#network-access max-mac-count 10
4-165
Console(config-if)#network-access port-mac-filter 1
4-164
Console(config-if)#mac-authentication max-mac-count 24
4-167
Console(config-if)#network-access dynamic-vlan
4-168
Console(config-if)#network-access dynamic-qos
4-169
Console(config-if)#network-access guest-vlan 2
4-168
Console(config-if)#network-access link-detection
4-170
Console(config-if)#network-access link-detection link-up action trap4-171
Console(config-if)#end
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time
: 1800
MAC address Aging
: Enabled
--------------------------------------------------------------------------------------------------Port : 1/2
MAC Authentication
: Enabled
MAC Authentication Intrusion action
: Block traffic
MAC Authentication Maximum MAC Counts : 24
Maximum MAC Counts
: 10
Dynamic VLAN Assignment
: Enabled
Dynamic QoS Assignment
: Enabled
MAC Filter ID
: 1
Guest VLAN
: 2
Link Detection
: Enabled
Detection Mode
: Link-up
Detection Action
: Trap
Console#
Configuring Port Link Detection
The Port Link Detection feature can send an SNMP trap and/or shut down a port
when a link event occurs.
Command Attributes
• Port – Indicates the port being configured.
• Status – Configures whether Link Detection is enabled or disabled for a port.
• Condition – The link event type which will trigger the port action.
- Link Up – Only link up events will trigger the port action.
- Link Down – Only link down events will trigger the port action.
- Link Up and Down – All link up and link down events will trigger the port action.
• Action – The switch can respond in three ways to a link up or down trigger event.
- Trap – An SNMP trap is sent.
- Trap and Shutdown – An SNMP trap is sent and the port is shut down.
- Shutdown – The port is shut down.
• Trunk – Indicates if the port is a trunk member.
3-123
3
Configuring the Switch
Web – Click Security, Network Access, Port Link Detection Configuration. Modify the
Status, Condition and Action. Click Apply.
Figure 3-71 Network Access Port Link Detection Configuration
CLI – This example configures Port Link Detection to send an SNMP trap for all link
events on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up-down
action trap
Console(config-if)#
4-222
4-171
Displaying Secure MAC Address Information
Authenticated MAC addresses are stored in the secure MAC address table.
Information on the secure MAC entries can be displayed and selected entries can be
removed from the table.
Command Attributes
• Network Access MAC Address Count – The number of MAC addresses
currently in the secure MAC address table.
• Query By – Specifies parameters to use in the MAC address query.
• Port – Specifies a port interface.
• MAC Address – Specifies a single MAC address information.
• Attribute – Displays static or dynamic addresses.
• Address Table Sort Key – Sorts the information displayed based on MAC
address or port interface.
• Unit/Port – The port interface associated with a secure MAC address.
• MAC Address – The authenticated MAC address.
• RADIUS Server – The IP address of the RADIUS server that authenticated the
MAC address.
• Time – The time when the MAC address was last authenticated.
3-124
General Security Measures
3
• Attribute – Indicates a static or dynamic address.
• Remove – Click the Remove button to remove selected MAC addresses from the
secure MAC address table.
Web – Click Security, Network Access, MAC Address Information. Restrict the
displayed addresses by port, MAC Address, or attribute, then select the method of
sorting the displayed addresses. Click Query.
Figure 3-72 Network Access MAC Address Information
CLI – This example displays all entries currently in the secure MAC address table.
Console#show network-access mac-address-table
---- ----------------- --------------- --------Port MAC-Address
RADIUS-Server
Attribute
---- ----------------- --------------- --------1/7 00-10-B5-62-03-74 192.168.0.121
Dynamic
4-173
------------------------Time
------------------------2001y 01m 01d 00h 07m 04s
Console#
MAC Filter Configuration
The MAC Filter allows you to designate specific MAC addresses or MAC address
ranges as exempt from authentication. MAC addresses present in MAC Filter tables
activated on a port are treated as pre-authenticated on that port.
Command Usage
• Specified MAC addresses are exempt from authentication.
• Up to 64 filter tables can be defined.
• There is no limitation on the number of entries used in a filter table.
3-125
3
Configuring the Switch
Command Attributes
• Filter ID (1-64) - top
- ALL – Displays all configured MAC filter tables.
- Filter ID – Displays all entries associated with the specified MAC Filter ID.
- Query – Displays all entries in the specified table(s).
• Filter ID - bottom
- Filter ID (1-64) – Adds or removes a filter rule for the specified filter.
- MAC Address – The filter rule will check ingress packets against the entered
MAC address or range of MAC addresses (as defined by the MAC mask).
- MAC Mask – The filter rule will check for the range of MAC addresses defined
by the MAC bit mask. If the user omits the mask, the system will assign the
default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF;
Default: FFFFFFFFFFFF)
- Add – Adds a filter rule. There is no limitation on the number of entries that can
be used in a filter table.
- Remove – Removes the filter rule selected in the filter display. Multiple rules can
be selected and removed simultaneously.
Web – Click Security, Network Access, MAC Filter Configuration. To add a new filter
rule, enter the desired Filter ID, MAC Address and MAC Mask. Then click Add. To
search and display existing filter rules, choose All and click Query. To limit the
search, specify a Filter ID and click Query. To remove an existing filter, select the
desired rule(s) from those displayed by the query, and click Remove.
Figure 3-73 Network Access MAC Filter Configuration
3-126
3
General Security Measures
CLI – This example adds Filter ID 22 and configures it to block traffic from MAC
address 11-22-33-44-55-66.
Console(config)#network-access mac-filter 22 mac-address
11-22-33-44-55-66
Console(config)#exit
Console#show network-access mac-filter 22
Filter ID MAC Address
MAC Mask
--------- ----------------- ----------------22 11-22-33-44-55-66 FF-FF-FF-FF-FF-FF
Console#
4-163
Access Control Lists
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on
address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames
(based on address or DSCP traffic class), or any frames (based on MAC address or
Ethernet type). To filter incoming packets, first create an access list, add the required
rules, and then bind the list to a specific port.
Configuring Access Control Lists –
An ACL is a sequential list of permit or deny conditions that apply to IP addresses,
MAC addresses, or other more specific criteria. This switch tests ingress packets
against the conditions in an ACL one by one. A packet will be accepted as soon as it
matches a permit rule, or dropped as soon as it matches a deny rule. If no rules
match, the packet is accepted.
Command Usage
The following restrictions apply to ACLs:
• The maximum number of ACLs is 64.
• The maximum number of rules per system is 1024 rules for mixed mode, or 500
rules for extended mode.
• Each ACL can have up to 64 rules. However, due to resource restrictions, the
average number of rules bound to the ports should not exceed 20.
• Rules within an ACL are checked in the configured order, from top to bottom.
Note: The CLI includes a control function which restricts access lists to only extended
rules, or permits both standard and extended rules. For a detailed description of
this feature, refer to the access-list rule-mode command (page 4-201).
The default setting only permits extended rules, storing any standard rules entered
through the web or command line interface in extended rule format.
3-127
3
Configuring the Switch
Setting the ACL Name and Type
Use the ACL Configuration page to designate the name and type of an ACL.
Command Attributes
• Name – Name of the ACL. (Maximum length: 15 characters)
• Type – The following filter modes are supported:
- IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address.
- IP Extended: IPv4 ACL mode filters packets based on the source or destination
IPv4 address, as well as the protocol type and protocol port number. If the “TCP”
protocol is specified, then you can also filter packets based on the TCP control
code.
- IPv6 Standard: IPv6 ACL mode filters packets based on the source IPv6
address.
- IPv6 Extended: IPv6 ACL mode filters packets based on the source or
destination IP address, as well as the type of the next header and the flow label
(i.e., a request for special handling by IPv6 routers).
- MAC – MAC ACL mode filters packets based on the source or destination MAC
address and the Ethernet frame type (RFC 1060).
- ARP – ARP ACL specifies static IP-to-MAC address bindings used for ARP
inspection (see "ARP Inspection" on page 3-139).
Web – Select Security, ACL, Configuration. Enter an ACL name in the Name field,
select the list type (IP Standard, IP Extended, IPv6 Standard, IPv6 Extended, MAC,
or ARP), and click Add to open the configuration page for the new list.
Figure 3-74 Selecting ACL Type
CLI – This example creates a standard IP ACL named david.
Console(config)#access-list ip standard david
Console(config-std-acl)#
3-128
4-202
General Security Measures
3
Configuring a Standard IPv4 ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Address Type – Specifies the source IP address. Use “Any” to include all possible
addresses, “Host” to specify a specific host address in the Address field, or “IP” to
specify a range of addresses with the Address and SubMask fields. (Options: Any,
Host, IP; Default: Any)
• IP Address – Source IP address.
• Subnet Mask – A subnet mask containing four integers from 0 to 255, each
separated by a period. The mask uses 1 bits to indicate “match” and 0 bits to
indicate “ignore.” The mask is bitwise ANDed with the specified source IP address,
and compared with the address for each IP packet entering the port(s) to which this
ACL has been assigned.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host,
or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet
address and the mask for an address range. Then click Add.
Figure 3-75 ACL Configuration - Standard IPv4
CLI – This example configures one permit rule for the specific address 10.1.1.21
and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.
Console(config-std-acl)#permit host 10.1.1.21
Console(config-std-acl)#permit 168.92.16.0 255.255.240.0
Console(config-std-acl)#
4-203
3-129
3
Configuring the Switch
Configuring an Extended IPv4 ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Specifies the source or destination IP
address. Use “Any” to include all possible addresses, “Host” to specify a specific
host address in the Address field, or “IP” to specify a range of addresses with the
Address and SubMask fields. (Options: Any, Host, IP; Default: Any)
• Source/Destination IP Address – Source or destination IP address.
• Source/Destination Subnet Mask – Subnet mask for source or destination
address. (See the description for SubMask on page 3-129.)
• Service Type – Packet priority settings based on the following criteria:
- Precedence – IP precedence level. (Range: 0-7)
- TOS – Type of Service level. (Range: 0-15)
- DSCP – DSCP priority level. (Range: 0-63)
• Protocol – Specifies the protocol type to match as TCP, UDP or Others, where
others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others;
Default: TCP)
• Source/Destination Port – Source/destination port number for the specified
protocol type. (Range: 0-65535)
• Source/Destination Port Bitmask – Decimal number representing the port bits to
match. (Range: 0-65535)
• Control Code – Decimal number (representing a bit string) that specifies flag bits
in byte 14 of the TCP header. (Range: 0-63)
• Control Code Bit Mask – Decimal number representing the code bits to match.
The control bitmask is a decimal number (for an equivalent binary bit mask) that is
applied to the control code. Enter a decimal number, where the equivalent binary
bit “1” means to match a bit and “0” means to ignore a bit. The following bits may
be specified:
-
1 (fin) – Finish
2 (syn) – Synchronize
4 (rst) – Reset
8 (psh) – Push
16 (ack) – Acknowledgement
32 (urg) – Urgent pointer
For example, use the code value and mask below to catch packets with the following
flags set:
- SYN flag valid, use control-code 2, control bitmask 2
- Both SYN and ACK valid, use control-code 18, control bitmask 18
- SYN valid and ACK invalid, use control-code 2, control bitmask 18
3-130
3
General Security Measures
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or
destination addresses. Select the address type (Any, Host, or IP). If you select
“Host,” enter a specific address. If you select “IP,” enter a subnet address and the
mask for an address range. Set any other required criteria, such as service type,
protocol type, or TCP control code. Then click Add.
Figure 3-76 ACL Configuration - Extended IPv4
CLI – This example adds two rules:
(1) Accept any incoming packets if the source address is in subnet 10.7.1.x. For
example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals
the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
(2) Allow TCP packets from class C addresses 192.168.1.0 to any destination
address when set for destination TCP port 80 (i.e., HTTP).
(3) Permit all TCP packets from class C addresses 192.168.1.0 with the TCP control
code set to “SYN.”
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any
destination-port 80
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any
control-flag 2 2
Console(config-std-acl)#
4-204
3-131
3
Configuring the Switch
Configuring a Standard IPv6 ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source Address Type – Specifies the source IP address. Use “Any” to include all
possible addresses, “Host” to specify a specific host address in the Address field,
or “IPv6-prefix” to specify a range of addresses. (Options: Any, Host, IPv6-prefix;
Default: Any)
• Source IPv6 Address – An IPv6 source address or network class. The address
must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8
colon-separated 16-bit hexadecimal values. One double colon may be used in the
address to indicate the appropriate number of zeros required to fill the undefined
fields.
• Source Prefix-Length – A decimal value indicating how many contiguous bits
(from the left) of the address comprise the prefix; i.e., the network portion of the
address. (Range: 0-128).
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host,
or IPv6-prefix). If you select “Host,” enter a specific address. If you select
“IPv6-prefix,” enter a subnet address and the prefix length. Then click Add.
Figure 3-77 ACL Configuration - Standard IPv6
CLI – This example configures one permit rule for the specific address
2009:DB9:2229::79 and another rule for addresses with the network prefix
2009:DB9:2229:5::/64.
Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79
Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64
Console(config-std-ipv6-acl)#
3-132
4-209
General Security Measures
3
Configuring an Extended IPv6 ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Specifies the source or destination IP
address. Use “Any” to include all possible addresses, “Host” to specify a specific
host address in the Source IPv6 Address field, or “IPv6-prefix” to specify a range
of addresses. (Options: Any, IPv6-prefix; Default: Any)
• Source/Destination IP Address – An IPv6 address or network class. The address
must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8
colon-separated 16-bit hexadecimal values. One double colon may be used in the
address to indicate the appropriate number of zeros required to fill the undefined
fields. (The switch only checks the first 64 bits of the destination address.)
• Source/Destination Prefix-Length – A decimal value indicating how many
contiguous bits (from the left) of the address comprise the prefix; i.e., the network
portion of the address. (Range: 0-128 for source prefix, 0-8 for destination prefix)
• DSCP – DSCP traffic class. (Range: 0-63)
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any or
IPv6-prefix). If you select “IPv6-prefix,” enter a subnet address and prefix length. Set
any other required criteria. Then click Add.
Figure 3-78 ACL Configuration - Extended IPv6
3-133
3
Configuring the Switch
CLI – This example adds these rules:
(1) Accepts any incoming packets for the destination 2009:DB9:2229::79/8.
(2) Allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8
Console(config-ext-ipv6-acl)#permit any dscp 5
Console(config-ext-ipv6-acl)#
4-210
Configuring a MAC ACL
Use this page to configure ACLs based on hardware addresses, packet format, and
Ethernet type.
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Use “Any” to include all possible addresses,
“Host” to indicate a specific MAC address, or “MAC” to specify an address range
with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any)
• Source/Destination MAC Address – Source or destination MAC address.
• Source/Destination Bitmask7 – Hexadecimal mask for source or destination
MAC address.
• CoS – Class-of-Service value (Range: 0-7)
•
•
•
•
CoS Bit Mask7 – Class-of-Service bitmask. (Range: 0-7)
VID – VLAN ID. (Range: 1-4094)
VID Bit Mask – VLAN bitmask. (Range: 1-4095)
Ethernet Type – This option can only be used to filter Ethernet II formatted
packets. (Range: 600-fff hex.)
A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the
more common types include 0800 (IP), 0806 (ARP), 8137 (IPX).
• Ethernet Type Bitmask – Protocol bitmask. (Range: 600-fff hex.)
• Packet Format – This attribute includes the following packet types:
- Any – Any Ethernet packet type.
- Untagged-eth2 – Untagged Ethernet II packets.
- Untagged-802.3 – Untagged Ethernet 802.3 packets.
- Tagged-802.3 – Tagged Ethernet 802.3 packets.
- Tagged-802.3 – Tagged Ethernet 802.3 packets.
7. For all bitmasks, “1” means care and “0” means ignore.
3-134
General Security Measures
3
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or
destination addresses. Select the address type (Any, Host, or MAC). If you select
“Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter
a base address and a hexadecimal bitmask for an address range. Set any other
required criteria, such as CoS, VID, Ethernet type, or packet format. Then click Add.
Figure 3-79 ACL Configuration - MAC
CLI – This example configures one permit rule for all source mac addresses to
communicate with all destination mac addresses on VLAN 12, and another permit
rule for source mac address to communicate with all destination mac addresses.
Console(config-mac-acl)#permit any any vid 12 4095
Console(config-mac-acl)#permit host 00-10-b5-e9-52-79 any
Console(config-mac-acl)#
4-217
3-135
3
Configuring the Switch
Configuring an ARP ACL
Use this page to configure ACLs based on ARP message addresses. ARP
Inspection can then use these ACLs to filter suspicious traffic (see "Configuring ARP
Inspection" on page 3-139).
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Packet Type – Indicates an ARP request, ARP response, or either type.
(Range: Request, Response, All; Default: Request)
• Sender/Target IP Address Type – Specifies the source or destination IPv4
address. Use “Any” to include all possible addresses, “Host” to specify a specific
host address in the Address field, or “IP” to specify a range of addresses with the
Address and Mask fields. (Options: Any, Host, IP; Default: Any)
• Sender/Target IP Address – Source or destination IP address.
• Sender/Target IP Address Mask – Subnet mask for source or destination
address. (See the description for Subnet Mask on page 3-129.)
• Sender/Target MAC Address Type – Use “Any” to include all possible addresses,
“Host” to indicate a specific MAC address, or “MAC” to specify an address range
with the Address and Mask fields. (Options: Any, Host, MAC; Default: Any)
• Sender/Target MAC Address – Source or destination MAC address.
• Sender/Target MAC Address Mask – Hexadecimal mask for source or
destination MAC address.
• Log – Logs a packet when it matches the access control entry.
Command Usage
• An ACL can contain up to 32 rules.
• New rules are added to the end of the list.
3-136
General Security Measures
3
Web – Specify the action (i.e., Permit or Deny). Specify the packet type, the address
type (Any, Host, or MAC), the source and/or destination addresses. If you select
“Host,” enter a specific address. If you select “IP” or “MAC,” enter a base address
and a hexadecimal bitmask for an address range. Enable logging if required. Then
click Add.
Figure 3-80 ACL Configuration - ARP
CLI – This rule permits packets from any source IP and MAC address to the
destination subnet address 192.168.0.0.
Console(config-arp-acl)#permit response ip any 192.168.0.0 255.255.0.0 mac
any any
4-214
Console(config-arp-acl)#
3-137
3
Configuring the Switch
Binding a Port to an Access Control List
After configuring the Access Control Lists (ACL), you can bind the ports that need to
filter traffic to the appropriate ACLs. You can assign one IP/IPv6 access list and one
MAC access list to any port.
Command Usage
• Each ACL can have up to 64 rules.
• This switch supports ACLs for ingress filtering only.
• You only bind one ACL to any port for ingress filtering.
Command Attributes
•
•
•
•
•
•
Port – Fixed port or SFP module. (Range: 1-28)
IP – Specifies the IPv4 ACL to bind to a port.
MAC – Specifies the MAC ACL to bind to a port.
IPv6 – Specifies the IPv6 ACL to bind to a port.
IN – ACL for ingress packets.
Trunk – Indicates if a port is a member of a trunk. To create trunks and select port
members, see "Creating Trunk Groups" on page 3-163.
Web – Click Security, ACL, Port Binding. Mark the Enabled check box for the port
you want to bind to an ACL for ingress traffic, select the required ACL from the
drop-down list, then click Apply.
Figure 3-81 Configuring ACL Port Binding
3-138
General Security Measures
3
CLI – This example assigns an IP access list to port 1, and an IP access list to
port 3.
Console(config)#interface ethernet
Console(config-if)#ip access-group
Console(config-if)#exit
Console(config)#interface ethernet
Console(config-if)#ip access-group
Console(config-if)#
1/1
david in
4-222
4-206
1/3
david in
ARP Inspection
ARP Inspection is a security feature that validates the MAC Address bindings for
Address Resolution Protocol packets. It provides protection against ARP traffic with
invalid MAC-to-IP address bindings, which forms the basis for certain
“man-in-the-middle” attacks. This is accomplished by intercepting all ARP requests
and responses and verifying each of these packets before the local ARP cache is
updated or the packet is forwarded to the appropriate destination. Invalid ARP
packets are dropped.
ARP Inspection determines the validity of an ARP packet based on valid IP-to-MAC
address bindings stored in a trusted database – the DHCP snooping binding
database (see "DHCP Snooping Configuration" on page 3-147). This database is
built by DHCP snooping if it is enabled on globally on the switch and on the VLANs.
ARP Inspection can also validate ARP packets against user-configured ARP access
control lists (ACLs) for hosts with statically configured addresses (see "Configuring
an ARP ACL" on page 3-136).
Configuring ARP Inspection
ARP Inspection must be activated both globally for the switch and per VLAN, and
inspection parameters set for each VLAN. These functions, as well as logging and
configuration of trusted ports are provided on the ARP Inspection Configuration
page. ARP Inspection ACLs must be configured on the ARP ACL page before they
can be activated here (see page 3-136).
Command Usage
Enabling & Disabling ARP Inspection
• ARP Inspection is controlled on a global and VLAN basis.
• By default, ARP Inspection is disabled globally.
• By default, ARP Inspection is disabled on all VLANs.
- If ARP Inspection is globally enabled, then it becomes active only on the VLANs
where it has been enabled.
- When ARP Inspection is enabled globally, all ARP request and reply packets on
inspection-enabled VLANs are redirected to the CPU and their switching
behavior handled by the ARP Inspection engine.
- If ARP Inspection is disabled globally, then it becomes inactive for all VLANs,
including those where inspection is enabled.
3-139
3
Configuring the Switch
- When ARP Inspection is disabled, all ARP request and reply packets will bypass
the ARP Inspection engine and their switching behavior will match that of all
other packets.
- Disabling and then re-enabling global ARP Inspection will not affect the ARP
Inspection configuration of any VLANs.
- When ARP Inspection is disabled globally, it is still possible to configure ARP
Inspection for individual VLANs. These configuration changes will only become
active after ARP Inspection is enabled globally again.
• The ARP Inspection engine in the current firmware version does not support ARP
Inspection on trunk ports.
ARP Inspection VLAN Filters (ACLs)
• By default, no ARP Inspection ACLs are configured and the feature is disabled.
• ARP Inspection ACLs are configured within the ARP ACL configuration page (see
page 3-136).
• ARP Inspection ACLs can be applied to any configured VLAN.
• ARP Inspection uses the DHCP snooping bindings database for the list of valid
IP-to-MAC address bindings. ARP ACLs take precedence over entries in the
DHCP snooping bindings database. The switch first compares ARP packets to any
specified ARP ACLs.
• If static is specified, ARP packets are only validated against the selected ACL –
packets are filtered according to any matching rules, packets not matching any
rules are dropped, and the DHCP snooping bindings database check is bypassed.
• If static is not specified, ARP packets are first validated against the selected ACL;
if no ACL rules match the packets, then the DHCP snooping bindings database
determines their validity.
ARP Inspection Validation
• By default, ARP Inspection Validation is disabled.
• Specifying at least one of the following validations enables ARP Inspection
Validation globally. Any combination of the following checks can be active
concurrently.
- Destination MAC – Checks the destination MAC address in the Ethernet header
against the target MAC address in the ARP body. This check is performed for
ARP responses. When enabled, packets with different MAC addresses are
classified as invalid and are dropped.
- IP – Checks the ARP body for invalid and unexpected IP addresses. These
addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
Sender IP addresses are checked in all ARP requests and responses, while
target IP addresses are checked only in ARP responses.
- Source MAC – Checks the source MAC address in the Ethernet header against
the sender MAC address in the ARP body. This check is performed on both ARP
requests and responses. When enabled, packets with different MAC addresses
are classified as invalid and are dropped.
3-140
General Security Measures
3
ARP Inspection Logging
• By default, logging is active for ARP Inspection, and cannot be disabled.
• The administrator can configure the log facility rate.
• When the switch drops a packet, it places an entry in the log buffer, then generates
a system message on a rate-controlled basis. After the system message is
generated, the entry is cleared from the log buffer.
• Each log entry contains flow information, such as the receiving VLAN, the port
number, the source and destination IP addresses, and the source and destination
MAC addresses.
• If multiple, identical invalid ARP packets are received consecutively on the same
VLAN, then the logging facility will only generate one entry in the log buffer and one
corresponding system message.
• If the log buffer is full, the oldest entry will be replaced with the newest entry.
Trusted & Untrusted Ports
• By default all ports are configured as untrusted.
• Specific ports can be configured as trusted or untrusted ports.
• Packets arriving on trusted interfaces bypass all ARP Inspection and ARP
Inspection Validation checks and will always be forwarded, while those arriving on
untrusted interfaces are subject to all configured ARP inspection tests.
ARP Packet Rate Limiting
• By default, all untrusted ports are subject to ARP packet rate limiting.
• By default, all trusted ports are exempt from ARP packet rate limiting.
• The switch will drop all ARP packets received on a port which exceeds the
configured ARP-packets-per-second rate limit.
• Setting the ARP Inspection Packet Rate Limit to “none” means that no rate limiting
will be enforced.
Command Attributes
• ARP Inspection Status – Enables ARP Inspection globally. (Default: Disabled)
• ARP Inspection VLAN – Selects any configured VLAN. (Default: 1)
• ARP Inspection VLAN Status – Enables ARP Inspection for the selected VLAN.
(Default: Disabled)
• ARP Inspection VLAN Filter
- ARP ACL – Allows selection of any configured ARP ACLs. (Default: None)
- Static – When an ARP ACL is selected, and static mode also selected, the
switch only performs ARP Inspection and bypasses validation against the DHCP
Snooping Bindings database. When an ARP ACL is selected, but static mode is
not selected, the switch first performs ARP Inspection and then validation
against the DHCP Snooping Bindings database. (Default: Disabled)
• ARP Inspection Validation – Enables extended ARP Inspection Validation if any
of the following options are enabled. (Default: Disabled)
3-141
3
Configuring the Switch
- Dst-MAC – Validates the destination MAC address in the Ethernet header
against the target MAC address in the body of ARP responses.
- IP – Checks the ARP body for invalid and unexpected IP addresses. Sender IP
addresses are checked in all ARP requests and responses, while target IP
addresses are checked only in ARP responses.
- Src-MAC – Validates the source MAC address in the Ethernet header against
the sender MAC address in the ARP body. This check is performed on both ARP
requests and responses.
• ARP Inspection Log – Configures ARP Inspection logging parameters.
- Message Number – The maximum number of entries saved in a log message.
(Range: 0-256; Default: 5)
- Interval – The interval at which log messages are sent. (Range: 0-86400
seconds; Default: 1 second)
• Port – Port identifier. (Range: 1-28; Default: 1)
• Trust Status – Configures the port as trusted or untrusted. (Default: Untrusted)
• ARP Inspection Packet Rate Limit – Limits the rate of accepted ARP packets on
untrusted ports.
- Rate – The maximum number of ARP packets that can be processed by CPU
per second. (Range: 0-2048; Default: 15)
- None – Sets no limit on the number of ARP packets that can be processed by
the CPU.
3-142
3
General Security Measures
Web – Click Security, ARP Inspection, Configuration. Enable inspection both
globally and for the required VLANs, select an ARP ACL filter to check for statically
configured addresses, select any required additional validation, adjust the logging
parameters if required, specify any untrusted ports which require ARP inspection,
and adjust the packet inspection rate. Then click Apply.
Figure 3-82 Configuring ARP Inspection
CLI – This example configures various inspection parameters for port 1.
Console(config)#ip arp inspection
Console(config)#ip arp inspection vlan 1,2
Console(config)#ip arp inspection filter sales vlan 1 static
Console(config)#ip arp inspection validate dst-mac
Console(config)#ip arp inspection log-buffer logs 10 interval 100
Console(config)#interface ethernet 1/1
Console(config-if)#no ip arp inspection trust
Console(config-if)#ip arp inspection limit 50
Console(config-if)#exit
Console#show ip arp inspection configuration
4-192
4-193
4-194
4-195
4-196
4-222
4-197
4-197
4-198
ARP inspection global information:
Global IP ARP Inspection status : enabled
Log Message Interval
: 100 s
Log Message Number
: 10
Need Additional Validation(s)
: Yes
Additional Validation Type
: Destination MAC address
Console#show ip arp inspection interface ethernet 1/1
Port Number
------------Eth 1/1
Console#
Trust Status
-------------------untrusted
4-198
Limit Rate (pps)
-----------------------------50
3-143
3
Configuring the Switch
Displaying ARP Inspection Port Information
Use the ARP Inspection Port Information page to display a list of trusted ports and
statistics about the number of ARP packets processed, or dropped for various
reasons.
Command Attributes
• Trusted Port List – Displays all ports configured as trusted.
• ARP Inspection Statistics Information
- Received ARP packets before ARP inspection rate limit – Count of ARP packets
received but not exceeding the ARP Inspection rate limit.
- Dropped ARP packets in the process of ARP inspection rate limit – Count of ARP
packets exceeding (and dropped by) ARP rate limiting.
- Total ARP packets processed by ARP inspection – Count of all ARP packets
processed by the ARP Inspection engine.
- ARP packets dropped by additional validation (Src-MAC) – Count of packets that
failed the source MAC address test.
- ARP packets dropped by additional validation (Dst-MAC) – Count of packets that
failed the destination MAC address test.
- ARP packets dropped by additional validation (IP) – Count of ARP packets that
failed the IP address test.
- ARP packets dropped by ARP ACLs – Count of ARP packets that failed
validation against ARP ACL rules.
- ARP packets dropped by DHCP snooping – Count of packets that failed
validation against the DHCP Snooping Binding database.
• Refresh – Updates all counters and trusted port information.
3-144
3
General Security Measures
Web – Click Security, ARP Inspection, Information.
Figure 3-83 Displaying Statistics for ARP Inspection
CLI – This example displays statistics for ARP Inspection.
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address
--- ---- ---- -------------- -------------Console#show ip arp inspection statistics
Src MAC Address
---------------
Dst MAC Address
---------------
ARP packets received before rate limit
:
ARP packets dropped due to rate limt
:
Total ARP packets processed by ARP Inspection
:
ARP packets dropped by additional validation (source MAC address)
:
ARP packets dropped by additional validation (destination MAC address):
ARP packets dropped by additional validation (IP address)
:
ARP packets dropped by ARP ACLs
:
ARP packets dropped by DHCP snooping
:
150
5
150
0
0
0
0
0
Console#
3-145
3
Configuring the Switch
DHCP Snooping
The addresses assigned to DHCP clients on insecure ports can be carefully
controlled using the dynamic bindings registered with DHCP Snooping (or using the
static bindings configured with IP Source Guard). DHCP snooping allows a switch to
protect a network from rogue DHCP servers or other devices which send
port-related information to a DHCP server. This information can be useful in tracking
an IP address back to a physical port.
Command Usage
• Network traffic may be disrupted when malicious DHCP messages are received
from an outside source. DHCP snooping is used to filter DHCP messages received
on a non-secure interface from outside the network or fire wall. When DHCP
snooping is enabled globally and enabled on a VLAN interface, DHCP messages
received on an untrusted interface from a device not listed in the DHCP snooping
table will be dropped.
• Table entries are only learned for trusted interfaces. An entry is added or removed
dynamically to the DHCP snooping table when a client receives or releases an IP
address from a DHCP server. Each entry includes a MAC address, IP address,
lease time, VLAN identifier, and port identifier.
• The rate limit for the number of DHCP messages that can be processed by the
switch is 100 packets per second. Any DHCP packets in excess of this limit are
dropped.
• When DHCP snooping is enabled, DHCP messages entering an untrusted
interface are filtered based upon dynamic entries learned via DHCP snooping.
• Filtering rules are implemented as follows:
- If the global DHCP snooping is disabled, all DHCP packets are forwarded.
- If DHCP snooping is enabled globally, and also enabled on the VLAN where the
DHCP packet is received, all DHCP packets are forwarded for a trusted port. If
the received packet is a DHCP ACK message, a dynamic DHCP snooping entry
is also added to the binding table.
- If DHCP snooping is enabled globally, and also enabled on the VLAN where the
DHCP packet is received, but the port is not trusted, it is processed as follows:
* If the DHCP packet is a reply packet from a DHCP server (including OFFER,
ACK or NAK messages), the packet is dropped.
* If the DHCP packet is from a client, such as a DECLINE or RELEASE
message, the switch forwards the packet only if the corresponding entry is
found in the binding table.
* If the DHCP packet is from a client, such as a DISCOVER, REQUEST,
INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC
address verification is disabled. However, if MAC address verification is
enabled, then the packet will only be forwarded if the client’s hardware
address stored in the DHCP packet is the same as the source MAC address
in the Ethernet header.
* If the DHCP packet is not a recognizable type, it is dropped.
3-146
General Security Measures
3
- If a DHCP packet from a client passes the filtering criteria above, it will only be
forwarded to trusted ports in the same VLAN.
- If a DHCP packet is from server is received on a trusted port, it will be forwarded
to both trusted and untrusted ports in the same VLAN.
- If the DHCP snooping is globally disabled, all dynamic bindings are removed
from the binding table.
- Additional considerations when the switch itself is a DHCP client – The port(s)
through which the switch submits a client request to the DHCP server must be
configured as trusted. Note that the switch will not add a dynamic entry for itself
to the binding table when it receives an ACK message from a DHCP server.
Also, when the switch sends out DHCP client packets for itself, no filtering takes
place. However, when the switch receives any messages from a DHCP server,
any packets received from untrusted ports are dropped.
DHCP Snooping Configuration
Use the DHCP Snooping Configuration page to enable DHCP Snooping globally on
the switch, or to configure MAC Address Verification.
Command Attributes
• DHCP Snooping Status – Enables DHCP snooping globally. (Default: Disabled)
• DHCP Snooping MAC-Address Verification – Enables or disables MAC address
verification. If the source MAC address in the Ethernet header of the packet is not
same as the client's hardware address in the DHCP packet, the packet is dropped.
Web – Click DHCP Snooping, Configuration. Select the required options and click
Apply.
Figure 3-84 DHCP Snooping Configuration
CLI – This example first enables DHCP Snooping, and then enables DHCP
Snooping MAC-Address Verification.
Console(config)#ip dhcp snooping
Console(config)#ip dhcp snooping verify mac-address
Console(config)#
4-181
4-184
3-147
3
Configuring the Switch
DHCP Snooping VLAN Configuration
Use the DHCP Snooping VLAN Configuration page to enable or disable DHCP
snooping on specific VLANs.
Command Usage
• When DHCP snooping is enabled globally on the switch, and enabled on the
specified VLAN, DHCP packet filtering will be performed on any untrusted ports
within the VLAN.
• When the DHCP snooping is globally disabled, DHCP snooping can still be
configured for specific VLANs, but the changes will not take effect until DHCP
snooping is globally re-enabled.
• When DHCP snooping is globally enabled, and DHCP snooping is then disabled
on a VLAN, all dynamic bindings learned for this VLAN are removed from the
binding table.
Command Attributes
• VLAN ID – ID of a configured VLAN. (Range: 1-4094)
• DHCP Snooping Status – Enables or disables DHCP snooping for the selected
VLAN. When DHCP snooping is enabled globally on the switch, and enabled on
the specified VLAN, DHCP packet filtering will be performed on any untrusted ports
within the VLAN.
Web – Click DHCP Snooping, VLAN Configuration.
Figure 3-85 DHCP Snooping VLAN Configuration
CLI – This example first enables DHCP Snooping for VLAN 1.
Console(config)#ip dhcp snooping vlan 1
Console(config)#
3-148
4-182
General Security Measures
3
DHCP Snooping Information Option Configuration
DHCP provides a relay mechanism for sending information about the switch and its
DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible
DHCP servers to use the information when assigning IP addresses, or to set other
services or policies for clients. It is also an effective tool in preventing malicious
network attacks from attached clients on DHCP services, such as IP Spoofing, Client
Identifier Spoofing, MAC Address Spoofing, and Address Exhaustion.
Command Usage
• DHCP Snooping (see page 3-147) must be enabled for Option 82 information to be
inserted into request packets.
• When Option 82 is enabled, the requesting client (or an intermediate relay agent
that has used the information fields to describe itself) can be identified in the DHCP
request packets forwarded by the switch and in reply packets sent back from the
DHCP server.
• When the DHCP Snooping Information Option is enabled, clients can be identified
by the switch port to which they are connected rather than just their MAC address.
DHCP client-server exchange messages are then forwarded directly between the
server and client without having to flood them to the entire VLAN.
• If Option 82 is enabled on the switch, information about the switch itself may be
included in any relayed request packet.
• In some cases, the switch may receive DHCP packets from a client that already
includes DHCP Option 82 information. The switch can be configured to set the
action policy for these packets. The switch can either drop the DHCP packets, keep
the existing information, or replace it with the switch’s relay information.
Command Attributes
• DHCP Snooping Information Option Status – Enables or disables DHCP Option
82 information relay. (Default: Disabled)
• DHCP Snooping Information Option Policy – Specifies how to handle DHCP
client request packets which already contain Option 82 information.
- Drop – Drops the client’s request packet instead of relaying it.
- Keep – Retains the Option 82 information in the client request, and forwards the
packets to trusted ports.
- Replace – Replaces the Option 82 information in the client’s request with
information about the relay agent itself, inserts the relay agent’s address (when
DHCP snooping is enabled), and forwards the packets to trusted ports. (This is
the default policy.)
3-149
3
Configuring the Switch
Web – Click DHCP Snooping, Information Option Configuration.
Figure 3-86 DHCP Snooping Information Option Configuration
CLI – This example enables DHCP Snooping Information Option, and sets the policy
as replace.
Console(config)#ip dhcp snooping information option
Console(config)#ip dhcp snooping information policy replace
Console(config)#exit
Console#show ip dhcp snooping
Global DHCP Snooping status: disable
DHCP Snooping Information Option Status: disable
DHCP Snooping Information Policy: replace
DHCP Snooping is configured on the following VLANs:
4-185
4-186
4-187
Verify Source Mac-Address: enable
Interface
Trusted
------------------Eth 1/1
No
Eth 1/2
No
Eth
1/3
No
.
.
.
Configuring Ports for DHCP Snooping
Use the DHCP Snooping Port Configuration page to configure switch ports as
trusted or untrusted.
Command Usage
• A trusted interface is an interface that is configured to receive only messages from
within the network. An untrusted interface is an interface that is configured to
receive messages from outside the network or fire wall.
• When DHCP snooping is enabled both globally and on a VLAN, DHCP packet
filtering will be performed on any untrusted ports within the VLAN.
• When an untrusted port is changed to a trusted port, all the dynamic DHCP
snooping bindings associated with this port are removed.
• Set all ports connected to DHCP servers within the local network or fire wall to
trusted state. Set all other ports outside the local network or fire wall to untrusted
state.
3-150
3
General Security Measures
Command Attributes
• Trust Status – Enables or disables a port as trusted.
Web – Click DHCP Snooping, Port Configuration. Set any ports within the local
network or firewall to trusted, and click Apply.
Figure 3-87 DHCP Snooping Port Configuration
CLI – This example shows how to enable the DHCP Snooping Trust Status for ports.
Console(config)#interface ethernet 1/5
Console(config-if)#ip dhcp snooping trust
Console(config-if)#end
Console#show ip dhcp snooping
Global DHCP Snooping status: disable
DHCP Snooping Information Option Status: disable
DHCP Snooping Information Policy: replace
DHCP Snooping is configured on the following VLANs:
4-183
4-187
Verify Source Mac-Address: enable
Interface
Trusted
------------------Eth 1/1
No
Eth 1/2
No
Eth 1/3
No
Eth 1/4
No
Eth
1/5
Yes
.
.
.
3-151
3
Configuring the Switch
Displaying DHCP Snooping Binding Information
Binding table entries can be displayed on the Binding Information page.
Command Attributes
• Store DHCP snooping binding entries to flash. – Writes all dynamically learned
snooping entries to flash memory.
This function can be used to store the currently learned dynamic DHCP snooping
entries to flash memory. These entries will be restored to the snooping table when
the switch is reset. However, note that the lease time shown for a dynamic entry
that has been restored from flash memory will no longer be valid.
• Clear DHCP snooping binding entries from flash. – Removes all dynamically
learned snooping entries from flash memory.
• No. – Entry number for DHCP snooping binding information.
• Unit – Stack unit.
• Port – Port number.
• VLAN ID – VLAN for which DHCP snooping has been enabled.
• MAC Address – Physical address associated with the entry.
• IP Address – IP address corresponding to the client.
• IP Address Type – Indicates an IPv4 or IPv6 address type.
• Lease Time (Seconds) – The time for which this IP address is leased to the client.
Web – Click DHCP Snooping, DHCP Snooping Binding Information.
.
Figure 3-88 DHCP Snooping Binding Information
CLI – This example shows how to display the DHCP Snooping binding table entries.
Console#show ip dhcp snooping binding
4-187
MacAddress
IpAddress
Lease(sec) Type
VLAN Interface
----------------- --------------- ---------- -------------------- ---- --------11-22-33-44-55-66 192.168.0.99
0 Dynamic
1 Eth 1/5
Console#
3-152
General Security Measures
3
IP Source Guard
IP Source Guard is a security feature that filters IP traffic on network interfaces
based on manually configured entries in the IP Source Guard table, or dynamic
entries in the DHCP Snooping table when enabled (see "DHCP Snooping" on page
3-146). IP source guard can be used to prevent traffic attacks caused when a host
tries to use the IP address of a neighbor to access the network. This section
describes commands used to configure IP Source Guard.
Configuring Ports for IP Source Guard
Use the IP Source Guard Port Configuration page to set the filtering type based on
source IP address or source IP address and MAC address pairs.
IP Source Guard is used to filter traffic on an insecure port which receives messages
from outside the network or fire wall, and therefore may be subject to traffic attacks
caused by a host trying to use the IP address of a neighbor.
Command Usage
• Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC)
enables this function on the selected port. Use the SIP option to check the VLAN
ID, source IP address, and port number against all entries in the binding table. Use
the SIP-MAC option to check these same parameters, plus the source MAC
address. If no matching entry is found, the packet is dropped.
• When enabled, traffic is filtered based upon dynamic entries learned via DHCP
snooping (see "DHCP Snooping Configuration" on page 3-147), or static
addresses configured in the source guard binding table.
• If IP source guard is enabled, an inbound packet’s IP address (SIP option) or both
its IP address and corresponding MAC address (SIP-MAC option) will be checked
against the binding table. If no matching entry is found, the packet will be dropped.
• Filtering rules are implemented as follows:
- If DHCP snooping is disabled (see page 3-147), IP source guard will check the
VLAN ID, source IP address, port number, and source MAC address (for the
SIP-MAC option). If a matching entry is found in the binding table and the entry
type is static IP source guard binding, the packet will be forwarded.
- If DHCP snooping is enabled, IP source guard will check the VLAN ID, source
IP address, port number, and source MAC address (for the SIP-MAC option). If
a matching entry is found in the binding table and the entry type is static IP
source guard binding, or dynamic DHCP snooping binding, the packet will be
forwarded.
- If IP source guard if enabled on an interface for which IP source bindings have
not yet been configured (neither by static configuration in the IP source guard
binding table nor dynamically learned from DHCP snooping), the switch will drop
all IP traffic on that port, except for DHCP packets.
3-153
3
Configuring the Switch
Command Attributes
• Filter Type – Configures the switch to filter inbound traffic based source IP
address, or source IP address and corresponding MAC address. (Default: None)
• None – Disables IP source guard filtering on the port.
• SIP – Enables traffic filtering based on IP addresses stored in the binding table.
• SIP-MAC – Enables traffic filtering based on IP addresses and corresponding
MAC addresses stored in the binding table.
Web – Click IP Source Guard, Port Configuration. Set the required filtering type for
each port and click Apply.
Figure 3-89 IP Source Guard Port Configuration
CLI – This example shows how to enable IP source guard on port 5 to check the
source IP address for ingress packets against the binding table.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#end
Console#show ip source-guard
Interface
Filter-type
------------------Eth 1/1
DISABLED
Eth 1/2
DISABLED
Eth 1/3
DISABLED
Eth 1/4
DISABLED
Eth 1/5
SIP
Eth
1/6
DISABLED
.
.
3-154
4-188
4-191
3
General Security Measures
Configuring Static Binding for IP Source Guard
Use the IP Source Guard Static Configuration page to bind a static address to a port.
Table entries include a MAC address, IP address, lease time, entry type (Static,
Dynamic), VLAN identifier, and port identifier. All static entries are configured with
an infinite lease time, which is indicated with a value of zero in the table.
Command Usage
• Static addresses entered in the source guard binding table are automatically
configured with an infinite lease time. Dynamic entries learned via DHCP snooping
are configured by the DHCP server itself.
• Static bindings are processed as follows:
- If there is no entry with the same VLAN ID and MAC address, a new entry is
added to the binding table using the type “static IP source guard binding.”
- If there is an entry with the same VLAN ID and MAC address, and the type of
entry is static IP source guard binding, then the new entry will replace the old
one.
- If there is an entry with the same VLAN ID and MAC address, and the type of the
entry is dynamic DHCP snooping binding, then the new entry will replace the old
one and the entry type will be changed to static IP source guard binding.
Command Attributes
•
•
•
•
•
•
Static Binding Table Counts – The total number of static entries in the table.
Current Static Binding Table – The list of current static entries in the table.
Port – The port to which a static entry is bound. (Range: 1-28)
VLAN ID – ID of a configured VLAN (Range: 1-4094)
MAC Address – A valid unicast MAC address.
IP Address – A valid unicast IP address, including classful types A, B or C.
3-155
3
Configuring the Switch
Web – Click IP Source Guard, Static Configuration. Select the VLAN and port to
which the entry will be bound, enter the MAC address and associated IP address,
then click Add.
Figure 3-90 Static IP Source Guard Binding Configuration
CLI – This example shows how to configure a static source-guard binding on port 5.
Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1
192.168.0.99 interface ethernet 1/5
Console(config)#
3-156
4-190
General Security Measures
3
Displaying Information for Dynamic IP Source Guard Bindings
Use the Dynamic Information page to display the source-guard binding table for a
selected interface.
Command Attributes
• Query by – Select an interface to display the source-guard binding. (Options: Port,
VLAN, MAC Address, or IP Address)
• Dynamic Binding Table Counts – Displays the number of IP addresses in the
source-guard binding table.
• Current Dynamic Binding Table – Displays the IP addresses in the source-guard
binding table.
Web – Click IP Source Guard, Dynamic Information.
Figure 3-91 Dynamic IP Source Guard Binding Information
CLI – This example shows how to configure a static source-guard binding on port 5.
Console#show ip source-guard binding
4-191
MacAddress
IpAddress
Lease(sec) Type
VLAN
Interface
----------------- --------------- ---------- -------------------- ---- -------11-22-33-44-55-66 192.168.0.99
0 Static
1 Eth 1/5
Console#
3-157
3
Configuring the Switch
Port Configuration
Displaying Connection Status
You can use the Port Information or Trunk Information pages to display the current
connection status, including link state, speed/duplex mode, flow control, and
auto-negotiation.
Field Attributes (Web)
Name – Interface label.
Type – Indicates the port type. (100BASE-FX, 1000BASE-T, or SFP)
Admin Status – Shows if the interface is enabled or disabled.
Oper Status – Indicates if the link is Up or Down.
Speed Duplex Status – Shows the current speed and duplex mode.
(Auto, or fixed choice)
• Flow Control Status – Indicates the type of flow control currently in use.
(IEEE 802.3x, Back-Pressure or None)
• Autonegotiation – Shows if auto-negotiation is enabled or disabled.
•
•
•
•
•
• Media Type8 – Shows the forced/preferred port type to use for combination ports.
(Copper-Forced, SFP-Forced, or SFP-Preferred-Auto)
• Trunk Member8 – Shows if port is a trunk member.
• Creation9 – Shows if a trunk is manually configured or dynamically set via LACP.
Web – Click Port, Port Information or Trunk Information.
Figure 3-92 Displaying Port/Trunk Information
8. Port information only.
9. Trunk information only.
3-158
Port Configuration
3
Field Attributes (CLI)
Basic Information:
• Port Type – Indicates the port type. (100BASE-FX, 1000BASE-T, or SFP)
• MAC Address – The physical layer address for this port. (To access this item on
the web, see "Setting the Switch’s IP Address" on page 3-17.)
Configuration:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Name – Interface label.
Port Admin – Shows if the interface is enabled or disabled (i.e., up or down).
Speed-duplex – Shows the current speed and duplex mode. (Auto, or fixed choice)
Capabilities – Specifies the capabilities to be advertised for a port during
auto-negotiation. (To access this item on the web, see “Configuring Interface
Connections” on page 3-48.) The following capabilities are supported.
- 10half - Supports 10 Mbps half-duplex operation
- 10full - Supports 10 Mbps full-duplex operation
- 100half - Supports 100 Mbps half-duplex operation
- 100full - Supports 100 Mbps full-duplex operation
- 1000full - Supports 1000 Mbps full-duplex operation
- Sym - Transmits and receives pause frames for flow control
- FC - Supports flow control
Broadcast Storm – Shows if broadcast storm control is enabled or disabled.
Broadcast Storm Limit – Shows the broadcast storm threshold. (240-1488100
packets per second)
Multicast Storm – Shows if multicast storm control is enabled or disabled.
Multicast Storm Limit – Shows the multicast storm threshold. (64 - 1,000,000
kilobits per second)
Unknown Unicast Storm – Shows if unknown unicast storm control is enabled or
disabled.
Unknown Unicast Storm Limit – Shows the unknown unicast storm threshold.
(64 - 1,000,000 kilobits per second)
Flow Control – Shows if flow control is enabled or disabled.
LACP – Shows if LACP is enabled or disabled.
Port Security – Shows if port security is enabled or disabled.
Max MAC Count – Shows the maximum number of MAC address that can be
learned by a port. (0 - 1024 addresses)
Port Security Action – Shows the response to take when a security violation is
detected. (shutdown, trap, trap-and-shutdown, or none)
Media Type – Shows the forced or preferred port type to use for combination ports
25-26. (Display options: copper forced, SFP forced, SFP preferred auto)
Giga PHY Mode – Shows the master/slave configuration mode used by negotiate
a 1000BASE-T full duplex connection for a link pair.
3-159
3
Configuring the Switch
Current Status:
• Link Status – Indicates if the link is up or down.
• Port Operation Status – Provides detailed information on port state.
(Displayed only when the link is up.)
• Operation Speed-duplex – Shows the current speed and duplex mode.
• Flow Control Type – Indicates the type of flow control currently in use.
(IEEE 802.3x, Back-Pressure or none)
CLI – This example shows the connection status for Port 5.
Console#show interfaces status ethernet 1/5
Information of Eth 1/5
Basic Information:
Port Type:
100FX
MAC Address:
00-12-CF-12-34-61
Configuration:
Name:
Port Admin:
Up
Speed-duplex:
100full
Capabilities:
100full
Broadcast Storm Limit: 64 Kbits/second
Multicast Storm:
Disabled
Multicast Storm Limit: 64 Kbits/second
Unknown Unicast Storm:
Disabled
Unknown Unicast Storm Limit: 64 Kbits/second
Flow Control:
Disabled
VLAN Trunking:
Disabled
LACP:
Disabled
Port Security:
Disabled
Max MAC Count:
0
Port Security Action:
None
Media Type:
None
Giga PHY Mode: Auto preferred master
Current Status:
Link Status:
Down
Operation Speed-duplex: 100full
Flow Control Type:
None
Console#
4-231
Configuring Interface Connections
You can use the Port Configuration or Trunk Configuration page to enable/disable an
interface, set auto-negotiation and the interface capabilities to advertise, or manually
fix the speed, duplex mode, and flow control.
Command Usage
• Auto-negotiation must be disabled before you can configure or force the interface
to use the Speed/Duplex Mode or Flow Control options.
• When using auto-negotiation, the optimal settings will be negotiated between the
link partners based on their advertised capabilities. To set the speed, duplex mode,
or flow control under auto-negotiation, the required operation modes must be
specified in the capabilities list for an interface.
• The 1000BASE-T standard does not support forced mode. Auto-negotiation
should always be used to establish a connection over any 1000BASE-T port or
3-160
Port Configuration
3
trunk. If not used, the success of the link process cannot be guaranteed when
connecting to other types of switches. However, this switch does provide a means
of safely forcing a link to operate at 1000 Mbps, full-duplex using the Giga Phy
Mode attribute described below.
Command Attributes
• Name – Allows you to label an interface. (Range: 1-64 characters)
• Admin – Allows you to manually disable an interface. You can disable an interface
due to abnormal behavior (e.g., excessive collisions), and then re-enable it after
the problem has been resolved. You may also disable an interface for security
reasons.
• Speed/Duplex – Allows you to manually set the port speed and duplex mode.
(i.e., with auto-negotiation disabled)
• Flow Control – Allows automatic or manual selection of flow control.
• Giga PHY Mode – Forces two connected ports into a master/slave configuration
to enable 1000BASE-T full duplex for Gigabit ports 25-28. The following options
are supported:
- Master - Sets the selected port as master.
- Slave - Sets the selected port as slave.
- Auto Prefer Master - Uses master mode as the initial configuration setting
regardless of the mode configured at the other end of the link.
- Auto Prefer Slave - Uses slave mode as the initial configuration regardless of
the mode configured at the other end of the link.
To force 1000full operation requires the ports at both ends of a link to establish their
role in the connection process as a master or slave. Before using this feature,
auto-negotiation must first be disabled, and the Speed/Duplex attribute set to
1000full. Then select compatible Giga PHY modes at both ends of the link. Note
that using one of the preferred modes ensures that the ports at both ends of a link
will eventually cooperate to establish a valid master-slave relationship.
• Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/
disabled. When auto-negotiation is enabled, you need to specify the capabilities to
be advertised. When auto-negotiation is disabled, you can force the settings for
speed, mode, and flow control.The following capabilities are supported.
- 10half - Supports 10 Mbps half-duplex operation
- 10full - Supports 10 Mbps full-duplex operation
- 100half - Supports 100 Mbps half-duplex operation
- 100full - Supports 100 Mbps full-duplex operation
- 1000full (Gigabit ports only) - Supports 1000 Mbps full-duplex operation
- Sym (Gigabit only) - Check this item to transmit and receive pause frames, or
clear it to auto-negotiate the sender and receiver for asymmetric pause frames.
(The current switch chip only supports symmetric pause frames.)
- FC - Flow control can eliminate frame loss by “blocking” traffic from end stations
or segments connected directly to the switch when its buffers fill. When enabled,
back pressure is used for half-duplex operation and IEEE 802.3-2005 (formally
IEEE 802.3x) for full-duplex operation.
3-161
3
Configuring the Switch
Avoid using flow control on a port connected to a hub unless it is actually
required to solve a problem. Otherwise back pressure jamming signals may
degrade overall performance for the segment attached to the hub.
(Default: Autonegotiation enabled; Advertised capabilities for 100BASE-FX –
100full; 1000BASE-T – 10half, 10full, 100half, 100full, 1000full; 1000BASE-SX/LX/
LH – 1000full)
• Media Type – Configures the forced/preferred port type to use for the combination
ports (Ports 25-26).
- Copper-Forced - Always uses the built-in RJ-45 port.
- SFP-Forced - Always uses the SFP port (even if a module is not installed).
- SFP-Preferred-Auto - Uses SFP port if both combination types are functioning
and the SFP port has a valid link. (This is the default.)
• Trunk – Indicates if a port is a member of a trunk. To create trunks and select port
members, see "Creating Trunk Groups" on page 3-163.
Web – Click Port, Port Configuration or Trunk Configuration. Modify the required
interface settings, and click Apply.
Figure 3-93 Port/Trunk Configuration
CLI – Select the interface, and then enter the required settings.
Console(config)#interface ethernet 1/13
Console(config-if)#description RD SW#13
Console(config-if)#shutdown
.
Console(config-if)#no shutdown
Console(config-if)#no negotiation
Console(config-if)#speed-duplex 100half
Console(config-if)#flowcontrol
.
Console(config-if)#negotiation
Console(config-if)#capabilities 100half
Console(config-if)#capabilities 100full
Console(config-if)#capabilities flowcontrol
3-162
4-222
4-222
4-228
4-224
4-223
4-226
4-225
3
Port Configuration
Creating Trunk Groups
You can create multiple links between devices that work as one virtual, aggregate
link. A port trunk offers a dramatic increase in bandwidth for network segments
where bottlenecks exist, as well as providing a fault-tolerant link between two
devices. You can create up to eight trunks at a time.
The switch supports both static trunking and dynamic Link Aggregation Control
Protocol (LACP). Static trunks have to be manually configured at both ends of the
link, and the switches must comply with the Cisco EtherChannel standard. On the
other hand, LACP configured ports can automatically negotiate a trunked link with
LACP-configured ports on another device. You can configure any number of ports
on the switch as LACP, as long as they are not already configured as part of a static
trunk. If ports on another device are also configured as LACP, the switch and the
other device will negotiate a trunk link between them. If an LACP trunk consists of
more than eight ports, all other ports will be placed in a standby mode. Should one
link in the trunk fail, one of the standby ports will automatically be activated to
replace it.
Command Usage
Besides balancing the load across each port in the trunk, the other ports provide
redundancy by taking over the load if a port in the trunk fails. However, before
making any physical connections between devices, use the web interface or CLI to
specify the trunk on the devices at both ends. When using a port trunk, take note of
the following points:
• Finish configuring port trunks before you connect the corresponding network
cables between switches to avoid creating a loop.
• You can create up to eight trunks on a switch, with up to eight ports per trunk.
• The ports at both ends of a connection must be configured as trunk ports.
• When configuring static trunks on switches of different types, they must be
compatible with the Cisco EtherChannel standard.
• The ports at both ends of a trunk must be configured in an identical manner,
including communication mode (i.e., speed, duplex mode and flow control), VLAN
assignments, and CoS settings.
• Any of the Gigabit ports on the front panel can be trunked together, including ports
of different media types.
• All the ports in a trunk have to be treated as a whole when moved from/to, added
or deleted from a VLAN.
• STP, VLAN, and IGMP settings can only be made for the entire trunk.
3-163
3
Configuring the Switch
Statically Configuring a Trunk
Command Usage
statically
configured
}
• When configuring static trunks, you may not be
able to link switches of different types,
depending on the manufacturer’s
implementation. However, note that the static
trunks on this switch are Cisco EtherChannel
compatible.
• To avoid creating a loop in the network, be sure
you add a static trunk via the configuration
interface before connecting the ports, and also
disconnect the ports before removing a static
trunk via the configuration interface.
active
links
Command Attributes
• Member List (Current) – Shows configured trunks (Trunk ID, Unit, Port).
• New – Includes entry fields for creating new trunks.
- Trunk – Trunk identifier. (Range: 1-8)
- Port – Port identifier. (Range: 1-28)
Web – Click Port, Trunk Membership. Enter a trunk ID of 1-8 in the Trunk field,
select any of the switch ports from the scroll-down port list, and click Add. After you
have completed adding ports to the member list, click Apply.
Figure 3-94 Configuring Static Trunks
3-164
Port Configuration
3
CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to
two static trunk ports on another switch to form a trunk.
Console(config)#interface port-channel 2
Console(config-if)#exit
Console(config)#interface ethernet 1/1
Console(config-if)#channel-group 2
Console(config-if)#exit
Console(config)#interface ethernet 1/2
Console(config-if)#channel-group 2
Console(config-if)#end
Console#show interfaces status port-channel 2
Information of Trunk 2
Basic Information:
Port Type:
100FX
MAC Address:
00-12-CF-12-34-84
Configuration:
Name:
Port Admin:
Up
Speed-duplex:
Auto
Capabilities:
10half, 10full, 100half, 100full
Flow Control:
Disabled
VLAN Trunking:
Disabled
Port Security:
Disabled
Max MAC Count:
0
Giga PHY Mode:
Auto preferred master
Current status:
Created By:
User
Link Status:
Up
Port Operation Status: Up
Operation Speed-duplex: 100full
Flow Cntrol Type:
None
Member Ports: Eth1/1, Eth1/2,
Console#
4-222
4-222
4-251
4-231
Enabling LACP on Selected Ports
Command Usage
}
}
• To avoid creating a loop in the network, be sure
dynamically
enabled
you enable LACP before connecting the ports,
and also disconnect the ports before disabling
LACP.
backup
active
• If the target switch has also enabled LACP on the
link
links
connected ports, the trunk will be activated
automatically.
• A trunk formed with another switch using LACP
will automatically be assigned the next available
configured
members
trunk ID.
• If more than eight ports attached to the same
target switch have LACP enabled, the additional ports will be placed in standby
mode, and will only be enabled if one of the active links fails.
• All ports on both ends of an LACP trunk must be configured for full duplex, either
by forced mode or auto-negotiation.
3-165
3
Configuring the Switch
• Trunks dynamically established through LACP will also be shown in the Member
List on the Trunk Membership menu (see page 3-164).
Command Attributes
• Member List (Current) – Shows configured trunks (Port).
• New – Includes entry fields for creating new trunks.
- Port – Port identifier. (Range: 1-28)
Web – Click Port, LACP, Configuration. Select any of the switch ports from the
scroll-down port list and click Add. After you have completed adding ports to the
member list, click Apply.
Figure 3-95 LACP Trunk Configuration
CLI – The following example enables LACP for ports 1 to 6. Just connect these ports
to LACP-enabled trunk ports on another switch to form a trunk.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp
Console(config-if)#exit
.
.
.
Console(config)#interface ethernet 1/6
Console(config-if)#lacp
Console(config-if)#end
3-166
4-222
4-252
Port Configuration
Console#show interfaces status port-channel 1
Information of Trunk 1
Basic Information:
Port Type:
100FX
MAC Address:
00-12-CF-12-34-89
Configuration:
Name:
Port Admin:
Up
Speed-duplex:
Auto
Capabilities:
10half, 10full, 100half, 100full
Flow Control:
Disabled
VLAN Trunking:
Disabled
Port Security:
Disabled
Max MAC Count:
0
Giga PHY Mode:
Auto preferred master
Current Status:
Created By:
Lacp
Link Status:
Up
Port Operation Status: Up
Operation Speed-duplex: 100full
Flow Control Type:
None
Member Ports: Eth1/1, Eth1/2, Eth1/3, Eth1/4, Eth1/5, Eth1/6,
Console#
3
4-231
Configuring Parameters for LACP Group Members
Dynamically Creating a Port Channel –
Ports assigned to a common port channel must meet the following criteria:
• Ports must have the same LACP System Priority.
• Ports must have the same LACP port Admin Key.
• However, if the “port channel” Admin Key is set (page 4-142), then the port Admin
Key must be set to the same value for a port to be allowed to join a channel group.
Note – If the port channel admin key (lacp admin key, page 4-255) is not set (through
the CLI) when a channel group is formed (i.e., it has a null value of 0), this key is set to
the same value as the port admin key used by the interfaces that joined the group (lacp
admin key, as described in this section and on page 4-254).
Command Attributes
Set Port Actor – This menu sets the local side of an aggregate link; i.e., the ports on
this switch.
• Port – Port number. (Range: 1-28)
• System Priority – LACP system priority is used to determine link aggregation
group (LAG) membership, and to identify this device to other switches during LAG
negotiations. (Range: 0-65535; Default: 32768)
- Ports must be configured with the same system priority to join the same LAG.
- System priority is combined with the switch’s MAC address to form the LAG
identifier. This identifier is used to indicate a specific LAG during LACP
negotiations with other systems.
• Admin Key – The LACP administration key must be set to the same value for ports
that belong to the same LAG. (Range: 0-65535; Default: 1)
3-167
3
Configuring the Switch
• Port Priority – If a link goes down, LACP port priority is used to select a backup
link. (Range: 0-65535; Default: 32768)
Set Port Partner – This menu sets the remote side of an aggregate link; i.e., the
ports on the attached device. The command attributes have the same meaning as
those used for the port actor. However, configuring LACP settings for the partner
only applies to its administrative state, not its operational state, and will only take
effect the next time an aggregate link is established with the partner.
Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and
Port Priority for the Port Actor. You can optionally configure these settings for the
Port Partner. (Be aware that these settings only affect the administrative state of the
partner, and will not take effect until the next time an aggregate link is formed with
this device.) After you have completed setting the port LACP parameters, click Apply.
Figure 3-96 LACP Port Configuration
CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4
are used as active members of the LAG.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp actor system-priority 3
Console(config-if)#lacp actor admin-key 120
Console(config-if)#lacp actor port-priority 128
Console(config-if)#exit
.
.
.
Console(config)#interface ethernet 1/4
Console(config-if)#lacp actor system-priority 3
Console(config-if)#lacp actor admin-key 120
Console(config-if)#lacp actor port-priority 512
Console(config-if)#end
3-168
4-222
4-253
4-254
4-256
3
Port Configuration
Console#show lacp sysid
4-257
Port Channel
System Priority
System MAC Address
------------------------------------------------------------------------1
3
00-12-CF-31-31-31
2
32768
00-12-CF-31-31-31
3
32768
00-12-CF-31-31-31
4
32768
00-12-CF-31-31-31
Console#show lacp 1 internal
4-257
Port Channel: 1
------------------------------------------------------------------------Oper Key: 120
Admin Key: 0
Eth 1/1
------------------------------------------------------------------------LACPDUs Internal:
30 sec
LACP System Priority: 3
LACP Port Priority:
128
Admin Key:
120
Oper Key:
120
Admin State : defaulted, aggregation, long timeout, LACP-activity
Oper State:
distributing, collecting, synchronization,
aggregation, long timeout, LACP-activity
.
.
.
Configuring Parameters for LACP Groups
Use the Aggregator page to configure system parameters which apply to specific
LACP groups.
Command Attributes
• Admin Key – LACP administration key is used to identify a specific link
aggregation group (LAG) during local LACP setup on the switch. (Range: 0-65535)
Ports are only allowed to join the same LAG if (1) the LACP port system priority
matches, (2) the LACP port admin key matches, and (3) the LACP port channel
admin key matches (if configured).
If the port channel admin key is not set when a channel group is formed (that is, it
has the null value of 0), this key is set to the same value as the port admin key used
by the interfaces that joined the group. Note that when the LAG is no longer used,
the port channel admin key is reset to 0.
3-169
3
Configuring the Switch
Web – Click Port, LACP, Aggregator. Set the Admin Key for the required LACP
group, and click Apply.
Figure 3-97 LACP Aggregation Group Configuration
CLI – The following example sets the LACP admin key for port channel 1.
Console(config)#interface port-channel 1
Console(config-if)#lacp actor admin-key 3
Console(config-if)#
4-222
4-255
Displaying LACP Port Counters
You can display statistics for LACP protocol messages.
Table 3-8 LACP Port Counters
Field
Description
LACPDUs Sent
Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received
Number of valid LACPDUs received on this channel group.
Marker Sent
Number of valid Marker PDUs transmitted from this channel group.
Marker Received
Number of valid Marker PDUs received by this channel group.
Marker Unknown Pkts
Number of frames received that either (1) Carry the Slow Protocols
Ethernet Type value, but contain an unknown PDU, or (2) are addressed
to the Slow Protocols group MAC Address, but do not carry the Slow
Protocols Ethernet Type.
Marker Illegal Pkts
Number of frames that carry the Slow Protocols Ethernet Type value, but
contain a badly formed PDU or an illegal value of Protocol Subtype.
3-170
Port Configuration
3
Web – Click Port, LACP, Port Counters Information. Select a member port to display
the corresponding information.
Figure 3-98 LACP - Port Counters Information
CLI – The following example displays LACP counters.
Console#show lacp counters
4-257
Port channel : 1
------------------------------------------------------------------------Eth 1/ 1
------------------------------------------------------------------------LACPDUs Sent:
91
LACPDUs Receive:
43
Marker Sent:
0
Marker Receive:
0
LACPDUs Unknown Pkts: 0
LACPDUs Illegal Pkts: 0
.
.
.
Displaying LACP Settings and Status for the Local Side
You can display configuration settings and the operational state for the local side of
an link aggregation.
Table 3-9 LACP Internal Configuration Information
Field
Description
Oper Key
Current operational value of the key for the aggregation port.
Admin Key
Current administrative value of the key for the aggregation port.
LACPDUs Interval
Number of seconds before invalidating received LACPDU information.
LACP System Priority
LACP system priority assigned to this port channel.
LACP Port Priority
LACP port priority assigned to this interface within the channel group.
3-171
3
Configuring the Switch
Table 3-9 LACP Internal Configuration Information (Continued)
Field
Description
Admin State,
Oper State
Administrative or operational values of the actor’s state parameters:
• Expired – The actor’s receive machine is in the expired state;
• Defaulted – The actor’s receive machine is using defaulted operational partner
information, administratively configured for the partner.
• Distributing – If false, distribution of outgoing frames on this link is disabled; i.e.,
distribution is currently disabled and is not expected to be enabled in the absence
of administrative changes or changes in received protocol information.
• Collecting – Collection of incoming frames on this link is enabled; i.e., collection
is currently enabled and is not expected to be disabled in the absence of
administrative changes or changes in received protocol information.
• Synchronization – The System considers this link to be IN_SYNC; i.e., it has
been allocated to the correct Link Aggregation Group, the group has been
associated with a compatible Aggregator, and the identity of the Link Aggregation
Group is consistent with the System ID and operational Key information
transmitted.
• Aggregation – The system considers this link to be aggregatable; i.e., a potential
candidate for aggregation.
• Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
• LACP-Activity – Activity control value with regard to this link.
(0: Passive; 1: Active)
Web – Click Port, LACP, Port Internal Information. Select a port channel to display
the corresponding information.
Figure 3-99 LACP - Port Internal Information
3-172
3
Port Configuration
CLI – The following example displays the LACP configuration settings and
operational state for the local side of port channel 1.
Console#show lacp 1 internal
4-257
Port channel : 1
------------------------------------------------------------------------Oper Key : 120
Admin Key : 0
Eth 1/1
------------------------------------------------------------------------LACPDUs Internal:
30 sec
LACP System Priority: 3
LACP Port Priority:
128
Admin Key:
120
Oper Key:
120
Admin State : defaulted, aggregation, long timeout, LACP-activity
Oper State:
distributing, collecting, synchronization,
aggregation, long timeout, LACP-activity
.
.
.
Displaying LACP Settings and Status for the Remote Side
You can display configuration settings and the operational state for the remote side
of an link aggregation.
Table 3-10 LACP Neighbor Configuration Information
Field
Description
Partner Admin System ID
LAG partner’s system ID assigned by the user.
Partner Oper System ID
LAG partner’s system ID assigned by the LACP protocol.
Partner Admin Port Number
Current administrative value of the port number for the protocol Partner.
Partner Oper Port Number
Operational port number assigned to this aggregation port by the port’s
protocol partner.
Port Admin Priority
Current administrative value of the port priority for the protocol partner.
Port Oper Priority
Priority value assigned to this aggregation port by the partner.
Admin Key
Current administrative value of the Key for the protocol partner.
Oper Key
Current operational value of the Key for the protocol partner.
Admin State
Administrative values of the partner’s state parameters. (See preceding table.)
Oper State
Operational values of the partner’s state parameters. (See preceding table.)
3-173
3
Configuring the Switch
Web – Click Port, LACP, Port Neighbors Information. Select a port channel to
display the corresponding information.
Figure 3-100 LACP - Port Neighbors Information
CLI – The following example displays the LACP configuration settings and
operational state for the remote side of port channel 1.
Console#show lacp 1 neighbors
4-257
Port channel 1 neighbors
------------------------------------------------------------------------Eth 1/1
------------------------------------------------------------------------Partner Admin System ID:
32768, 00-00-00-00-00-00
Partner Oper System ID:
3, 00-12-CF-CE-2A-20
Partner Admin Port Number: 5
Partner Oper Port Number: 3
Port Admin Priority:
32768
Port Oper Priority:
128
Admin Key:
0
Oper Key:
120
Admin State:
defaulted, distributing, collecting,
synchronization, long timeout,
Oper State:
distributing, collecting, synchronization,
aggregation, long timeout, LACP-activity
.
.
.
3-174
Port Configuration
3
Setting Broadcast Storm Thresholds
Broadcast storms may occur when a device on your network is malfunctioning, or if
application programs are not well designed or properly configured. If there is too
much broadcast traffic on your network, performance can be severely degraded or
everything can come to complete halt.
You can protect your network from broadcast storms by setting a threshold for
broadcast traffic. Any broadcast packets exceeding the specified threshold will be
dropped.
Command Usage
• Broadcast Storm Control is enabled by default.
• Broadcast control does not effect IP multicast traffic.
• Due to an ASIC chip limitation, the supported storm control modes include:
- broadcast
- broadcast + multicast
- broadcast + multicast + unknown unicast
This means that when mulicast storm control is enabled, broadcast storm control
is also enabled (using the threshold value set by the multicast storm control
command). And when unknown unicast storm control is enabled, both broadcast
and multicast storm control are also enabled (using the threshold value set by the
unknown unicast storm control command).
• The storm control feature provided on this configuration page is a hardware level
control function. Traffic storms can also be controlled at the software level using
automatic storm control which triggers various control responses. This control type
is only supported by the Command Line Interface as described under "Automatic
Traffic Control Commands" on page 4-235. However, note that only one of these
control types can be applied to a port. Enabling hardware-level storm control on a
port will disable automatic storm control on that port.
Command Attributes
Port – Port number.
Type – Indicates the port type. (100BASE-FX, 1000BASE-T, or SFP)
Protect Status – Enables or disables broadcast storm control. (Default: Enabled)
Threshold – Threshold level as a rate; i.e., kilobits per second.
(Range: 64-100000 kilobits per second for Fast Ethernet ports; 64-1000000 kilobits
per second for Gigabit ports; Default: 64 kilobits per second)
• Trunk – Shows if a port is a trunk member.
•
•
•
•
3-175
3
Configuring the Switch
Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the
Enabled field for the desired interface and click Apply.
Figure 3-101 Port Broadcast Control
CLI – Specify any interface, and then enter the threshold. The following disables
broadcast storm control for port 1, and then sets broadcast suppression at 500
kilobits per second for port 2.
Console(config)#interface ethernet 1/1
Console(config-if)#no switchport broadcast
Console(config-if)#exit
Console(config)#interface ethernet 1/2
Console(config-if)#switchport broadcast packet-rate 500
Console(config-if)#end
Console#show interfaces switchport ethernet 1/2
Information of Eth 1/2
Broadcast Threshold:
Enabled, 500 Kbits/second
Multicast Threshold:
Disabled
Unknown-unicast Threshold:
Disabled
LACP Status:
Disabled
Ingress Rate Limit:
Disabled, 100000 Kbits per second
Egress Rate Limit:
Disabled, 100000 Kbits per second
VLAN Membership Mode:
Hybrid
Ingress Rule:
Enabled
Acceptable Frame Type:
All frames
Native VLAN:
1
Priority for Untagged Traffic: 0
GVRP Status:
Disabled
Allowed VLAN:
1(u),
Forbidden VLAN:
Private-VLAN Mode:
NONE
Private-VLAN Host-association: NONE
Private-VLAN Mapping:
NONE
802.1Q-tunnel Status:
Disable
802.1Q-tunnel Mode:
NORMAL
802.1Q-tunnel TPID:
8100(Hex)
3-176
4-222
4-229
4-229
4-233
Port Configuration
3
Setting Multicast Storm Thresholds
You can protect your network from excess multicast traffic by setting thresholds for
each port. Any multicast packets exceeding the specified threshold will then be
dropped.
Command Usage
• Multicast Storm Control is disabled by default.
• Due to an ASIC chip limitation, the supported storm control modes include:
- broadcast
- broadcast + multicast
- broadcast + multicast + unknown unicast
This means that when mulicast storm control is enabled, broadcast storm control
is also enabled (using the threshold value set by the multicast storm control
command). And when unknown unicast storm control is enabled, both broadcast
and multicast storm control are also enabled (using the threshold value set by the
unknown unicast storm control command).
• The storm control feature provided on this configuration page is a hardware level
control function. Traffic storms can also be controlled at the software level using
automatic storm control which triggers various control responses. This control type
is only supported by the Command Line Interface as described under "Automatic
Traffic Control Commands" on page 4-235. However, note that only one of these
control types can be applied to a port. Enabling hardware-level storm control on a
port will disable automatic storm control on that port.
Command Attributes
Port – Port number. (Range: 1-28)
Type – Indicates the port type. (100BASE-FX, 1000BASE-T, or SFP)
Protect Status – Enables or disables multicast storm control. (Default: Disabled)
Threshold – Threshold as percentage of port bandwidth. (Range: 64-100000
kilobits per second for Fast Ethernet ports; 64-1000000 kilobits per second for
Gigabit ports; Default: 64 kilobits per second)
• Trunk – Shows if port is a trunk member.
•
•
•
•
3-177
3
Configuring the Switch
Web – Click Configuration, Port, Port Multicast Control or Trunk Multicast Control.
Check the Enabled box for any interface, set the threshold, and click Apply.
Figure 3-102 Port Multicast Control
CLI – Specify any interface, and then enter the threshold. The following example
sets the multicast threshold at 600 packets per second for port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport multicast packet-rate 600
Console(config-if)#
4-222
4-229
Setting Unknown Unicast Storm Thresholds
You can protect your network from excess unknown unicast traffic by setting
thresholds for each port. Any multicast packets exceeding the specified threshold
will then be dropped.
Command Usage
• Due to an ASIC chip limitation, the supported storm control modes include:
- broadcast
- broadcast + multicast
- broadcast + multicast + unknown unicast
This means that when mulicast storm control is enabled, broadcast storm control
is also enabled (using the threshold value set by the multicast storm control
command). And when unknown unicast storm control is enabled, both broadcast
and multicast storm control are also enabled (using the threshold value set by the
unknown unicast storm control command).
3-178
3
Port Configuration
• The storm control feature provided on this configuration page is a hardware level
control function. Traffic storms can also be controlled at the software level using
automatic storm control which triggers various control responses. This control type
is only supported by the Command Line Interface as described under "Automatic
Traffic Control Commands" on page 4-235. However, note that only one of these
control types can be applied to a port. Enabling hardware-level storm control on a
port will disable automatic storm control on that port.
Command Attributes
• Port – Port number. (Range: 1-28)
• Type – Indicates the port type. (100BASE-TX, 1000BASE-T, or 1000BASE-SFP)
• Protect Status – Enables or disables unknown unicast storm control.
(Default: Disabled)
• Threshold – Threshold as percentage of port bandwidth. (Range: 64-100000
kilobits per second for Fast Ethernet ports; 64-1000000 kilobits per second for
Gigabit ports; Default: 64 kilobits per second)
• Trunk – Shows if port is a trunk member.
Web – Click Configuration, Port, Port Unknown Unicast Control or Trunk Unknown
Unicast Control. Check the Enabled box for any interface, set the threshold, and
click Apply.
Figure 3-103 Port Unknown Unicast Control
CLI – Specify any interface, and then enter the threshold. The following example
sets the unknown unicast threshold at 900 packets per second for port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport unknown-unicast packet-rate 900
Console(config-if)#
4-222
4-229
3-179
3
Configuring the Switch
Configuring Port Mirroring
You can mirror traffic from any source port to a
target port for real-time analysis. You can then
attach a logic analyzer or RMON probe to the
target port and study the traffic crossing the
source port in a completely unobtrusive manner.
Source
port(s)
Command Usage
Single
target
port
• Monitor port speed should match or exceed source port speed, otherwise traffic
may be dropped from the monitor port.
• All mirror sessions must share the same destination port.
• Spanning Tree BPDU packets are not mirrored to the target port.
• When mirroring port traffic, the target port must be included in the same VLAN as
the source port when using MSTP (see "Spanning Tree Algorithm Configuration"
on page 3-191).
Command Attributes
• Mirror Sessions – Displays a list of current mirror sessions.
• Source Port – The port whose traffic will be monitored. (Range: 1-28)
• Type – Allows you to select which traffic to mirror to the target port, Rx (receive),
Tx (transmit), or Both. (Default: Rx)
• Target Port – The port that will mirror the traffic on the source port.
(Range: 1-28)
Web – Click Port, Mirror Port Configuration. Specify the source port, the traffic type
to be mirrored, and the monitor port, then click Add.
Figure 3-104 Mirror Port Configuration
3-180
Port Configuration
3
CLI – Use the interface command to select the monitor port, then use the port
monitor command to specify the source port and traffic type.
Console(config)#interface ethernet 1/10
Console(config-if)#port monitor ethernet 1/13 tx
Console(config-if)#
4-222
4-262
Configuring Rate Limits
This function allows the network manager to control the maximum rate for traffic
received or transmitted on an interface. Rate limiting is configured on interfaces at
the edge of a network to limit traffic into or out of the network. Packets that exceed
the acceptable amount of traffic are dropped.
Rate limiting can be applied to individual ports or trunks. When an interface is
configured with this feature, the traffic rate will be monitored by the hardware to
verify conformity. Non-conforming traffic is dropped, conforming traffic is forwarded
without any changes.
Rate Limit Configuration
Use the rate limit configuration pages to apply rate limiting.
Command Usage
Input and output rate limits can be enabled or disabled for individual interfaces.
Command Attributes
• Port/Trunk – Displays the port/trunk number.
• Rate Limit Status – Enables or disables the rate limit. (Default: Disabled)
• Rate Limit – Sets the rate limit level. (Range: 64 - 100000 kilobits per second for
Fast Ethernet ports; 64 to 1000000 kilobits per second for Gigabit Ethernet ports)
3-181
3
Configuring the Switch
Web – Click Port, Rate Limit, Input/Output Port/Trunk Configuration. Enable the
Rate Limit Status for the required interfaces, then set the rate limit for the individual
interfaces, and click Apply.
Figure 3-105 Input Rate Limit Port Configuration
CLI - This example sets the rate limit level for input traffic passing through port 3.
Console(config)#interface ethernet 1/3
Console(config-if)#rate-limit input 500
Console(config-if)#
3-182
4-222
4-265
3
Port Configuration
Showing Port Statistics
You can display standard statistics on network traffic from the Interfaces Group and
Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON
MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing
through each port. This information can be used to identify potential problems with
the switch (such as a faulty port or unusually heavy loading). RMON statistics
provide access to a broad range of statistics, including a total count of different
frame types and sizes passing through each port. All values displayed have been
accumulated since the last system reboot, and are shown as counts per second.
Statistics are refreshed every 60 seconds by default.
Note: RMON groups 2, 3 and 9 can only be accessed using SNMP management
software such as HP OpenView.
Table 3-11 Port Statistics
Parameter
Description
Interface Statistics
Received Octets
The total number of octets received on the interface, including framing
characters.
Received Unicast Packets
The number of subnetwork-unicast packets delivered to a higher-layer
protocol.
Received Multicast Packets
The number of packets, delivered by this sub-layer to a higher (sub-)layer,
which were addressed to a multicast address at this sub-layer.
Received Broadcast Packets
The number of packets, delivered by this sub-layer to a higher (sub-)layer,
which were addressed to a broadcast address at this sub-layer.
Received Discarded Packets
The number of inbound packets which were chosen to be discarded even
though no errors had been detected to prevent their being deliverable to a
higher-layer protocol. One possible reason for discarding such a packet
could be to free up buffer space.
Received Unknown Packets
The number of packets received via the interface which were discarded
because of an unknown or unsupported protocol.
Received Errors
The number of inbound packets that contained errors preventing them
from being deliverable to a higher-layer protocol.
Transmit Octets
The total number of octets transmitted out of the interface, including
framing characters.
Transmit Unicast Packets
The total number of packets that higher-level protocols requested be
transmitted to a subnetwork-unicast address, including those that were
discarded or not sent.
Transmit Multicast Packets
The total number of packets that higher-level protocols requested be
transmitted, and which were addressed to a multicast address at this
sub-layer, including those that were discarded or not sent.
Transmit Broadcast Packets
The total number of packets that higher-level protocols requested be
transmitted, and which were addressed to a broadcast address at this
sub-layer, including those that were discarded or not sent.
3-183
3
Configuring the Switch
Table 3-11 Port Statistics (Continued)
Parameter
Description
Transmit Discarded Packets
The number of outbound packets which were chosen to be discarded even
though no errors had been detected to prevent their being transmitted.
One possible reason for discarding such a packet could be to free up
buffer space.
Transmit Errors
The number of outbound packets that could not be transmitted because of
errors.
Etherlike Statistics
Alignment Errors
The number of alignment errors (missynchronized data packets).
Late Collisions
The number of times that a collision is detected later than 512 bit-times
into the transmission of a packet.
FCS Errors
A count of frames received on a particular interface that are an integral
number of octets in length but do not pass the FCS check. This count does
not include frames received with frame-too-long or frame-too-short error.
Excessive Collisions
A count of frames for which transmission on a particular interface fails due
to excessive collisions. This counter does not increment when the
interface is operating in full-duplex mode.
Single Collision Frames
The number of successfully transmitted frames for which transmission is
inhibited by exactly one collision.
Internal MAC Transmit Errors
A count of frames for which transmission on a particular interface fails due
to an internal MAC sublayer transmit error.
Multiple Collision Frames
A count of successfully transmitted frames for which transmission is
inhibited by more than one collision.
Carrier Sense Errors
The number of times that the carrier sense condition was lost or never
asserted when attempting to transmit a frame.
SQE Test Errors
A count of times that the SQE TEST ERROR message is generated by the
PLS sublayer for a particular interface.
Frames Too Long
A count of frames received on a particular interface that exceed the
maximum permitted frame size.
Deferred Transmissions
A count of frames for which the first transmission attempt on a particular
interface is delayed because the medium was busy.
Internal MAC Receive Errors
A count of frames for which reception on a particular interface fails due to
an internal MAC sublayer receive error.
RMON Statistics
Drop Events
The total number of events in which packets were dropped due to lack of
resources.
Jabbers
The total number of frames received that were longer than 1518 octets
(excluding framing bits, but including FCS octets), and had either an FCS
or alignment error.
Received Bytes
Total number of bytes of data received on the network. This statistic can
be used as a reasonable indication of Ethernet utilization.
Collisions
The best estimate of the total number of collisions on this Ethernet
segment.
3-184
3
Port Configuration
Table 3-11 Port Statistics (Continued)
Parameter
Description
Received Frames
The total number of frames (bad, broadcast and multicast) received.
Broadcast Frames
The total number of good frames received that were directed to the
broadcast address. Note that this does not include multicast packets.
Multicast Frames
The total number of good frames received that were directed to this
multicast address.
CRC/Alignment Errors
The number of CRC/alignment errors (FCS or alignment errors).
Undersize Frames
The total number of frames received that were less than 64 octets long
(excluding framing bits, but including FCS octets) and were otherwise well
formed.
Oversize Frames
The total number of frames received that were longer than 1518 octets
(excluding framing bits, but including FCS octets) and were otherwise well
formed.
Fragments
The total number of frames received that were less than 64 octets in length
(excluding framing bits, but including FCS octets) and had either an FCS
or alignment error.
64 Bytes Frames
The total number of frames (including bad packets) received and
transmitted that were 64 octets in length (excluding framing bits but
including FCS octets).
65-127 Byte Frames
128-255 Byte Frames
256-511 Byte Frames
512-1023 Byte Frames
1024-1518 Byte Frames
1519-1536 Byte Frames
The total number of frames (including bad packets) received and
transmitted where the number of octets fall within the specified range
(excluding framing bits but including FCS octets).
3-185
3
Configuring the Switch
Web – Click Port, Port Statistics. Select the required interface, and click Query. You
can also use the Refresh button at the bottom of the page to update the screen.
Figure 3-106 Port Statistics
3-186
Port Configuration
3
CLI – This example shows statistics for port 13.
Console#show interfaces counters ethernet 1/13
4-232
Ethernet 1/13
Iftable stats:
Octets input: 868453, Octets output: 3492122
Unicast input: 7315, Unitcast output: 6658
Discard input: 0, Discard output: 0
Error input: 0, Error output: 0
Unknown protos input: 0, QLen output: 0
Extended iftable stats:
Multi-cast input: 0, Multi-cast output: 17027
Broadcast input: 231, Broadcast output: 7
Ether-like stats:
Alignment errors: 0, FCS errors: 0
Single Collision frames: 0, Multiple collision frames: 0
SQE Test errors: 0, Deferred transmissions: 0
Late collisions: 0, Excessive collisions: 0
Internal mac transmit errors: 0, Internal mac receive errors: 0
Frame too longs: 0, Carrier sense errors: 0
Symbol errors: 0
RMON stats:
Drop events: 0, Octets: 4422579, Packets: 31552
Broadcast pkts: 238, Multi-cast pkts: 17033
Undersize pkts: 0, Oversize pkts: 0
Fragments: 0, Jabbers: 0
CRC align errors: 0, Collisions: 0
Packet size <= 64 octets: 25568, Packet size 65 to 127 octets: 1616
Packet size 128 to 255 octets: 1249, Packet size 256 to 511 octets: 1449
Packet size 512 to 1023 octets: 802, Packet size 1024 to 1518 octets: 871
Console#
3-187
3
Configuring the Switch
Address Table Settings
Switches store the addresses for all known devices. This information is used to pass
traffic directly between the inbound and outbound ports. All the addresses learned
by monitoring traffic are stored in the dynamic address table. You can also manually
configure static addresses that are bound to a specific port.
Setting Static Addresses
A static address can be assigned to a specific interface on this switch. Static
addresses are bound to the assigned interface and will not be moved. When a static
address is seen on another interface, the address will be ignored and will not be
written to the address table.
Command Attributes
•
•
•
•
•
Static Address Counts10 – The number of manually configured addresses.
Current Static Address Table – Lists all the static addresses.
Interface – Port or trunk associated with the device assigned a static address.
MAC Address – Physical address of a device mapped to this interface.
VLAN – ID of configured VLAN (1-4094).
Web – Click Address Table, Static Addresses. Specify the interface, the MAC
address and VLAN, then click Add Static Address.
Figure 3-107 Configuring a Static Address Table
10. Web only.
3-188
3
Address Table Settings
CLI – This example adds an address to the static address table, but sets it to be
deleted when the switch is reset.
Console(config)#mac-address-table static 00-12-cf-94-34-de
interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#
4-266
Displaying the Address Table
The Dynamic Address Table contains the MAC addresses learned by monitoring the
source address for traffic entering the switch. When the destination address for
inbound traffic is found in the database, the packets intended for that address are
forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports.
Command Attributes
• Interface – Indicates a port or trunk.
• MAC Address – Physical address associated with this interface.
• VLAN – ID of configured VLAN (1-4094).
• Address Table Sort Key – You can sort the information displayed based on MAC
address, VLAN or interface (port or trunk).
• Dynamic Address Counts – The number of addresses dynamically learned.
• Current Dynamic Address Table – Lists all the dynamic addresses.
Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark
the Interface, MAC Address, or VLAN checkbox), select the method of sorting the
displayed addresses, and then click Query.
Figure 3-108 Configuring a Dynamic Address Table
3-189
3
Configuring the Switch
CLI – This example also displays the address table entries for port 1.
Console#show mac-address-table interface ethernet 1/1
Interface MAC Address
VLAN Type
--------- ----------------- ---- ----------------Eth 1/ 1 00-12-CF-48-82-93
1 Delete-on-reset
Eth 1/ 1 00-12-CF-94-34-DE
2 Learned
Console#
4-268
Changing the Aging Time
You can set the aging time for entries in the dynamic address table.
Command Attributes
• Aging Status – Enables/disables the function.
• Aging Time – The time after which a learned entry is discarded.
(Range: 10-630 seconds; Default: 300 seconds)
Web – Click Address Table, Address Aging. Specify the new aging time, click Apply.
Figure 3-109 Setting the Address Aging Time
CLI – This example sets the aging time to 300 seconds.
Console(config)#mac-address-table aging-time 300
Console(config)#
3-190
4-269
3
Spanning Tree Algorithm Configuration
Spanning Tree Algorithm Configuration
The Spanning Tree Algorithm (STA) can be used to detect and disable network
loops, and to provide backup links between switches, bridges or routers. This allows
the switch to interact with other bridging devices (that is, an STA-compliant switch,
bridge or router) in your network to ensure that only one route exists between any
two stations on the network, and provide backup links which automatically take over
when a primary link goes down.
The spanning tree algorithms supported by this switch include these versions:
• STP – Spanning Tree Protocol (IEEE 802.1D)
• RSTP – Rapid Spanning Tree Protocol (IEEE 802.1w)
• MSTP – Multiple Spanning Tree Protocol (IEEE 802.1s)
STP – STP uses a distributed algorithm to select a bridging device (STP-compliant
switch, bridge or router) that serves as the root of the spanning tree network. It
selects a root port on each bridging device (except for the root device) which incurs
the lowest path cost when forwarding a packet from that device to the root device.
Then it selects a designated bridging device from each LAN which incurs the lowest
path cost when forwarding a packet from that LAN to the root device. All ports
connected to designated bridging devices are assigned as designated ports. After
determining the lowest cost spanning tree, it enables all root ports and designated
ports, and disables all other ports. Network packets are therefore only forwarded
between root ports and designated ports, eliminating any possible network loops.
Designated
Root
x
x
x
Designated
Bridge
x
Designated
Port
Root
Port
x
Once a stable network topology has been established, all bridges listen for Hello
BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge
does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge
assumes that the link to the Root Bridge is down. This bridge will then initiate
negotiations with other bridges to reconfigure the network to reestablish a valid
network topology.
RSTP – RSTP is designed as a general replacement for the slower, legacy STP.
RSTP is also incorporated into MSTP. RSTP achieves much faster reconfiguration
(i.e., around 1 to 3 seconds, compared to 30 seconds or more for STP) by reducing
the number of state changes before active ports start learning, predefining an
alternate route that can be used when a node or port fails, and retaining the
forwarding database for ports insensitive to changes in the tree structure when
reconfiguration occurs.
3-191
3
Configuring the Switch
MSTP – When using STP or RSTP, it may be difficult to maintain a stable path
between all VLAN members. Frequent changes in the tree structure can easily
isolate some of the group members. MSTP (which is based on RSTP for fast
convergence) is designed to support independent spanning trees based on VLAN
groups. Using multiple spanning trees can provide multiple forwarding paths and
enable load balancing. One or more VLANs can be grouped into a Multiple Spanning
Tree Instance (MSTI). MSTP builds a separate Multiple Spanning Tree (MST) for
each instance to maintain connectivity among each of the assigned VLAN groups.
MSTP then builds a Internal Spanning Tree (IST) for the Region containing all
commonly configured MSTP bridges.
An MST Region consists of a group of interconnected bridges that have the same
MST Configuration Identifiers (including the Region Name, Revision Level and
Configuration Digest – see "Configuring Multiple Spanning Trees" on page 3-209).
An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree
(IST) is used to connect all the MSTP switches within an MST region. A Common
Spanning Tree (CST) interconnects all adjacent MST Regions, and acts as a virtual
bridge node for communications with STP or RSTP nodes in the global network.
MSTP connects all bridges and LAN segments with a single Common and Internal
Spanning Tree (CIST). The CIST is formed as a result of the running spanning tree
algorithm between switches that support the STP, RSTP, MSTP protocols.
3-192
Spanning Tree Algorithm Configuration
3
Once you specify the VLANs to include in a Multiple Spanning Tree Instance (MSTI),
the protocol will automatically build an MSTI tree to maintain connectivity among
each of the VLANs. MSTP maintains contact with the global network because each
instance is treated as an RSTP node in the Common Spanning Tree (CST).
Configuring Port and Trunk Loopback Detection
When Port Loopback Detection is enabled and a port receives it’s own BPDU, the
detection agent drops the loopback BPDU, sends an SNMP trap, and places the
port in discarding mode. This loopback state can be released manually or
automatically. If the port is configured for automatic loopback release, then the port
will only be returned to the forwarding state if one of the following conditions is
satisfied:
• The port receives any other BPDU except for it’s own, or;
• The port’s link status changes to link down and then link up again, or;
• The port ceases to receive it’s own BPDUs in a forward delay interval.
Notes: 1. If Port Loopback Detection is not enabled and a port receives it’s own BPDU,
then the port will drop the loopback BPDU according to IEEE Standard
802.1w-2001 9.3.4 (Note 1).
2. Port Loopback Detection will not be active if Spanning Tree is disabled on
the switch.
3. When configured for manual release mode, then a link down / up event will
not release the port from the discarding state.
Field Attributes
• Port – Indicates the interface to be configured. (Range: 1-28)
• Status – Enables Loopback Detection on this interface. (Default: Enabled)
• Trap – Enables SNMP trap notification for loopback events on this port.
(Default: Disabled)
• Release Mode – Configures the port for automatic or manual loopback release.
(Default: Auto)
• Release – Allows a port to be manually released from discard mode. This is only
available if the port is configured for manual release mode.
• Trunk – Indicates if this port is a trunk member.
3-193
3
Configuring the Switch
Web – Click Spanning Tree, Port Loopback Detection or Trunk Loopback Detection.
Modify the required attributes, then click Apply.
Figure 3-110 Configuring Port Loopback Detection
CLI – This command enables loopback detection for port 1/5, configures automatic
release-mode, and enables SNMP trap notification for detected loopback BPDUs.
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection
Console(config-if)#spanning-tree loopback-detection
release-mode auto
Console(config-if)#spanning-tree loopback-detection trap
Console(config-if)#
4-222
4-289
4-290
4-291
Displaying Global Settings for STA
You can display a summary of the current bridge STA information that applies to the
entire switch using the STA Information screen.
Field Attributes
• Spanning Tree State – Shows if the switch is enabled to participate in an
STA-compliant network.
• Bridge ID – A unique identifier for this bridge, consisting of the bridge priority, the
MST Instance ID 0 for the Common Spanning Tree when spanning tree mode is
set to MSTP (page 3-197), and MAC address (where the address is taken from the
switch system).
• Max Age – The maximum time (in seconds) a device can wait without receiving a
configuration message before attempting to reconfigure. All device ports (except
for designated ports) should receive configuration messages at regular intervals.
Any port that ages out STA information (provided in the last configuration
message) becomes the designated port for the attached LAN. If it is a root port, a
new root port is selected from among the device ports attached to the network.
(References to “ports” in this section mean “interfaces,” which includes both ports
and trunks.)
• Hello Time – Interval (in seconds) at which the root device transmits a
configuration message.
3-194
3
Spanning Tree Algorithm Configuration
• Forward Delay – The maximum time (in seconds) the root device will wait before
changing states (i.e., discarding to learning to forwarding). This delay is required
because every device must receive information about topology changes before it
starts to forward frames. In addition, each port needs time to listen for conflicting
information that would make it return to a discarding state; otherwise, temporary
data loops might result.
• Designated Root – The priority and MAC address of the device in the Spanning
Tree that this switch has accepted as the root device.
- Root Port – The number of the port on this switch that is closest to the root. This
switch communicates with the root device through this port. If there is no root
port, then this switch has been accepted as the root device of the Spanning Tree
network.
- Root Path Cost – The path cost from the root port on this switch to the root
device.
• Configuration Changes – The number of times the Spanning Tree has been
reconfigured.
• Last Topology Change – Time since the Spanning Tree was last reconfigured.
These additional parameters are only displayed for the CLI:
• Spanning Tree Mode – Specifies the type of spanning tree used on this switch:
- STP: Spanning Tree Protocol (IEEE 802.1D)
- RSTP: Rapid Spanning Tree (IEEE 802.1w)
- MSTP: Multiple Spanning Tree (IEEE 802.1s)
• Instance – Instance identifier of this spanning tree. (This is always 0 for the CIST.)
• VLANs Configuration – VLANs assigned to the CIST.
• Priority – Bridge priority is used in selecting the root device, root port, and
designated port. The device with the highest priority (i.e., lower numeric value)
becomes the STA root device. However, if all devices have the same priority, the
device with the lowest MAC address will then become the root device.
• Root Hello Time – Interval (in seconds) at which this device transmits a
configuration message.
• Root Maximum Age – The maximum time (in seconds) this device can wait
without receiving a configuration message before attempting to reconfigure. All
device ports (except for designated ports) should receive configuration messages
at regular intervals. If the root port ages out STA information (provided in the last
configuration message), a new root port is selected from among the device ports
attached to the network. (References to “ports” in this section means “interfaces,”
which includes both ports and trunks.)
• Root Forward Delay – The maximum time (in seconds) this device will wait before
changing states (i.e., discarding to learning to forwarding). This delay is required
because every device must receive information about topology changes before it
starts to forward frames. In addition, each port needs time to listen for conflicting
information that would make it return to a discarding state; otherwise, temporary
data loops might result.
• Max Hops – The max number of hop counts for the MST region.
3-195
3
Configuring the Switch
• Remaining Hops – The remaining number of hop counts for the MST instance.
• Transmission Limit – The minimum interval between the transmission of
consecutive RSTP/MSTP BPDUs.
• Path Cost Method – The path cost is used to determine the best path between
devices. The path cost method is used to determine the range of values that can
be assigned to each interface.
• Flooding Behavior – Shows if the system is configured to flood BPDUs to all other
ports on the switch or just to all other ports in the same VLAN when spanning tree
is disabled globally on the switch or disabled on a specific port.
Web – Click Spanning Tree, STA, Information.
Figure 3-111 Displaying Spanning Tree Information
CLI – This command displays global STA settings, followed by settings for each port.
Console#show spanning-tree
Spanning Tree Information
--------------------------------------------------------------Spanning Tree Mode:
RSTP
Spanning Tree Enabled/Disabled:
Enabled
Instance:
0
VLANs Configuration:
1-4094
Priority:
32768
Bridge Hello Time (sec.):
2
Bridge Max Age (sec.):
20
Bridge Forward Delay (sec.):
15
Root Hello Time (sec.):
2
Root Max Age (sec.):
20
Root Forward Delay (sec.):
15
Max Hops:
20
Remaining Hops:
20
Designated Root:
32768.0013F7D37E60
Current Root Port:
54
Current Root Cost:
5000
Number of Topology Changes:
12
Last Topology Change Time (sec.): 4738
Transmission Limit:
3
Path Cost Method:
Long
Flooding
Behavior:
To VLAN
.
.
.
4-294
Note: The current root port and current root cost display as zero when this device is not
connected to the network.
3-196
Spanning Tree Algorithm Configuration
3
Configuring Global Settings for STA
Global settings apply to the entire switch.
Command Usage
• Spanning Tree Protocol11
Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This
creates one spanning tree instance for the entire network. If multiple VLANs are
implemented on a network, the path between specific VLAN members may be
inadvertently disabled to prevent network loops, thus isolating group members.
When operating multiple VLANs, we recommend selecting the MSTP option.
• Rapid Spanning Tree Protocol11
RSTP supports connections to either STP or RSTP nodes by monitoring the
incoming protocol messages and dynamically adjusting the type of protocol
messages the RSTP node transmits, as described below:
- STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a
port’s migration delay timer expires, the switch assumes it is connected to an
802.1D bridge and starts using only 802.1D BPDUs.
- RSTP Mode – If RSTP is using 802.1D BPDUs on a port and receives an RSTP
BPDU after the migration delay expires, RSTP restarts the migration delay timer
and begins using RSTP BPDUs on that port.
• Multiple Spanning Tree Protocol
MSTP generates a unique spanning tree for each instance. This provides multiple
pathways across the network, thereby balancing the traffic load, preventing
wide-scale disruption when a bridge node in a single instance fails, and allowing
for faster convergence of a new topology for the failed instance.
- To allow multiple spanning trees to operate over the network, you must configure
a related set of bridges with the same MSTP configuration, allowing them to
participate in a specific set of spanning tree instances.
- A spanning tree instance can exist only on bridges that have compatible VLAN
instance assignments.
- Be careful when switching between spanning tree modes. Changing modes
stops all spanning-tree instances for the previous mode and restarts the system
in the new mode, temporarily disrupting user traffic.
Command Attributes
Basic Configuration of Global Settings
• Spanning Tree State – Enables/disables STA on this switch. (Default: Enabled)
• Spanning Tree Type – Specifies the type of spanning tree used on this switch:
- STP: Spanning Tree Protocol (IEEE 802.1D); i.e., when this option is selected,
the switch will use RSTP set to STP forced compatibility mode).
- RSTP: Rapid Spanning Tree (IEEE 802.1w); RSTP is the default.
- MSTP: Multiple Spanning Tree (IEEE 802.1s)
11. STP and RSTP BPDUs are transmitted as untagged frames, and will cross any VLAN boundaries.
3-197
3
Configuring the Switch
• Priority – Bridge priority is used in selecting the root device, root port, and
designated port. The device with the highest priority becomes the STA root device.
However, if all devices have the same priority, the device with the lowest MAC
address will then become the root device. (Note that lower numeric values indicate
higher priority.)
- Default: 32768
- Range: 0-61440, in steps of 4096
- Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864,
40960, 45056, 49152, 53248, 57344, 61440
• Spanning Tree BPDU Flooding – Configures the system to flood BPDUs to all
other ports on the switch or just to all other ports in the same VLAN when spanning
tree is disabled globally on the switch or disabled on a specific port.
- To VLAN: Floods BPDUs to all other ports within the receiving port’s native
VLAN (i.e., as determined by port’s PVID). This is the default.
- To All: Floods BPDUs to all other ports on the switch.
The setting has no effect if BPDU flooding is disabled on a port (see "Configuring
Interface Settings for STA" on page 3-204).
Root Device Configuration
• Hello Time – Interval (in seconds) at which the root device transmits a
configuration message.
- Default: 2
- Minimum: 1
- Maximum: The lower of 10 or [(Max. Message Age / 2) -1]
• Maximum Age – The maximum time (in seconds) a device can wait without
receiving a configuration message before attempting to reconfigure. All device
ports (except for designated ports) should receive configuration messages at
regular intervals. Any port that ages out STA information (provided in the last
configuration message) becomes the designated port for the attached LAN. If it is
a root port, a new root port is selected from among the device ports attached to the
network. (References to “ports” in this section mean “interfaces,” which includes
both ports and trunks.)
- Default: 20
- Minimum: The higher of 6 or [2 x (Hello Time + 1)].
- Maximum: The lower of 40 or [2 x (Forward Delay - 1)]
• Forward Delay – The maximum time (in seconds) this device will wait before
changing states (i.e., discarding to learning to forwarding). This delay is required
because every device must receive information about topology changes before it
starts to forward frames. In addition, each port needs time to listen for conflicting
information that would make it return to a discarding state; otherwise, temporary
data loops might result.
- Default: 15
- Minimum: The higher of 4 or [(Max. Message Age / 2) + 1]
- Maximum: 30
3-198
3
Spanning Tree Algorithm Configuration
Configuration Settings for RSTP
The following attributes apply to both RSTP and MSTP:
• Path Cost Method – The path cost is used to determine the best path between
devices. The path cost method is used to determine the range of values that can
be assigned to each interface.
- Long: Specifies 32-bit based values that range from 1-200,000,000.
(This is the default.)
- Short: Specifies 16-bit based values that range from 1-65535.
• Transmission Limit – The maximum transmission rate for BPDUs is specified by
setting the minimum interval between the transmission of consecutive protocol
messages. (Range: 1-10; Default: 3)
Configuration Settings for MSTP
• Max Instance Numbers – The maximum number of MSTP instances to which this
switch can be assigned.
• Configuration Digest – An MD5 signature key that contains the VLAN ID to MST
ID mapping table. In other words, this key is a mapping of all VLANs to the CIST.
• Region Revision12 – The revision for this MSTI. (Range: 0-65535; Default: 0)
• Region Name12 – The name for this MSTI. (Maximum length: 32 characters;
switch’s MAC address)
• Maximum Hop Count – The maximum number of hops allowed in the MST region
before a BPDU is discarded. (Range: 1-40; Default: 20)
12. The MST name and revision number are both required to uniquely identify an MST region.
3-199
3
Configuring the Switch
Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and
click Apply.
Figure 3-112 Configuring Spanning Tree
3-200
3
Spanning Tree Algorithm Configuration
CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and
then configures the STA and RSTP parameters.
Console(config)#spanning-tree
Console(config)#spanning-tree
Console(config)#spanning-tree
Console(config)#spanning-tree
Console(config)#spanning-tree
Console(config)#spanning-tree
Console(config)#spanning-tree
Console(config)#spanning-tree
Console(config)#spanning-tree
Console(config-mstp)#revision
Console(config-mstp)#name R&D
Console(config-mstp)#max-hops
Console(config-mstp)#
mode mstp
priority 45056
hello-time 5
max-age 38
forward-time 20
pathcost method long
transmission-limit 4
mst configuration
1
30
4-271
4-272
4-275
4-273
4-274
4-273
4-276
4-277
4-277
4-280
4-279
4-281
Displaying Interface Settings for STA
The STA Port Information and STA Trunk Information pages display the current
status of ports and trunks in the Spanning Tree.
Field Attributes
• Spanning Tree – Shows if STA has been enabled on this interface.
• BPDU Flooding – Shows if BPDUs will be flooded to other ports when spanning
tree is disabled globally on the switch or disabled on a specific port.
• STA Status – Displays current state of this port within the Spanning Tree:
• Discarding - Port receives STA configuration messages, but does not forward
packets.
• Learning - Port has transmitted configuration messages for an interval set by
the Forward Delay parameter without receiving contradictory information. Port
address table is cleared, and the port begins learning addresses.
• Forwarding - Port forwards packets, and continues learning addresses.
The rules defining port status are:
- A port on a network segment with no other STA compliant bridging device is
always forwarding.
- If two ports of a switch are connected to the same segment and there is no other
STA device attached to this segment, the port with the smaller ID forwards
packets and the other is discarding.
- All ports are discarding when the switch is booted, then some of them change
state to learning, and then to forwarding.
• Forward Transitions – The number of times this port has transitioned from the
Learning state to the Forwarding state.
• Designated Cost – The cost for a packet to travel from this port to the root in the
current Spanning Tree configuration. The slower the media, the higher the cost.
• Designated Bridge – The bridge priority and MAC address of the device through
which this port must communicate to reach the root of the Spanning Tree.
3-201
3
Configuring the Switch
• Designated Port – The port priority and number of the port on the designated
bridging device through which this switch must communicate with the root of the
Spanning Tree.
• Oper Path Cost – The contribution of this port to the path cost of paths towards
the spanning tree root which include this port.
• Oper Link Type – The operational point-to-point status of the LAN segment
attached to this interface. This parameter is determined by manual configuration or
by auto-detection, as described for Admin Link Type in STA Port Configuration on
page 3-204.
• Oper Edge Port – This parameter is initialized to the setting for Admin Edge Port
in STA Port Configuration on page 3-204 (i.e., true or false), but will be set to false
if a BPDU is received, indicating that another bridge is attached to this port.
• Port Role – Roles are assigned according to whether the port is part of the active
topology connecting the bridge to the root bridge (i.e., root port), connecting a LAN
through the bridge to the root bridge (i.e., designated port), is the MSTI regional
root (i.e., master port), or is an alternate or backup port that may provide
connectivity if other bridges, bridge ports, or LANs fail or are removed. The role is
set to disabled (i.e., disabled port) if a port has no role within the spanning tree.
R: Root Port
A: Alternate Port
D: Designated Port
B: Backup Port
Alternate port receives more
useful BPDUs from another
bridge and is therefore not
selected as the designated
R
port.
R
A
D
x
R
A
x
Backup port receives more
useful BPDUs from the same
bridge and is therefore not
selected as the designated
port.
R
D
B
B
• Trunk Member – Indicates if a port is a member of a trunk.
(STA Port Information only)
3-202
Spanning Tree Algorithm Configuration
3
These additional parameters are only displayed for the CLI:
• Admin Status – Shows if this interface is enabled.
• External Admin Path Cost – The path cost for the IST. This parameter is used
by the STA to determine the best path between devices. Therefore, lower values
should be assigned to ports attached to faster media, and higher values assigned
to ports with slower media. (Path cost takes precedence over port priority.)
• Internal Admin Path Cost – The path cost for the MST. See the preceding item.
• Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If
the path cost for all ports on a switch is the same, the port with the highest priority
(i.e., lowest value) will be configured as an active link in the Spanning Tree. This
makes a port with higher priority less likely to be blocked if the Spanning Tree
Algorithm is detecting network loops. Where more than one port is assigned the
highest priority, the port with the lowest numeric identifier will be enabled.
• Designated Root – The priority and MAC address of the device in the Spanning
Tree that this switch has accepted as the root device.
• Fast Forwarding – This field provides the same information as Admin Edge port,
and is only included for backward compatibility with earlier products.
• Admin Edge Port – You can enable this option if an interface is attached to a LAN
segment that is at the end of a bridged LAN or to an end node. Since end nodes
cannot cause forwarding loops, they can pass directly through to the spanning tree
forwarding state. Specifying Edge Ports provides quicker convergence for devices
such as workstations or servers, retains the current forwarding database to reduce
the amount of frame flooding required to rebuild address tables during
reconfiguration events, does not cause the spanning tree to reconfigure when the
interface changes state, and also overcomes other STA-related timeout problems.
However, remember that Edge Port should only be enabled for ports connected to
an end-node device.
• Admin Link Type – The link type attached to this interface.
- Point-to-Point – A connection to exactly one other bridge.
- Shared – A connection to two or more bridges.
- Auto – The switch automatically determines if the interface is attached to a
point-to-point link or to shared media.
Web – Click Spanning Tree, STA, Port Information or STA Trunk Information.
Figure 3-113 Displaying Spanning Tree Port Information
3-203
3
Configuring the Switch
CLI – This example shows the STA attributes for port 5.
Console#show spanning-tree ethernet 1/5
Eth 1/ 5 information
-------------------------------------------------------------Admin Status:
Enabled
Role:
Disabled
State:
Discarding
Admin Path Cost:
0
Oper Path Cost:
100000
Priority:
128
Designated Cost:
100000
Designated Port:
128.5
Designated Root:
32768.0001ECF8D8C6
Designated Bridge:
32768.0012CF123456
Fast Forwarding:
Enabled
Forward Transitions:
0
Admin Edge Port:
Enabled
Oper Edge Port:
Enabled
Admin Link Type:
Auto
Oper Link Type:
Point-to-point
Flooding Behavior:
Enabled
Spanning Tree Status:
Enabled
Loopback Detection Status:
Enabled
Loopback Detection Release Mode:Auto
Loopback Detection Trap:
Disabled
Admin Root Guard:
Disabled
Oper Root Guard:
Disabled
BPDU Guard:
Disabled
BPDU Filtering:
Disabled
4-294
Console#
Configuring Interface Settings for STA
You can configure RSTP and MSTP attributes for specific interfaces, including port
priority, path cost, link type, and edge port. You may use a different priority or path
cost for ports of the same media type to indicate the preferred path, link type to
indicate a point-to-point connection or shared-media connection, and edge port to
indicate if the attached device can support fast forwarding. (References to “ports” in
this section means “interfaces,” which includes both ports and trunks.)
Command Attributes
The following attributes are read-only and cannot be changed:
• STA State – Displays current state of this port within the Spanning Tree.
(See Displaying Interface Settings for STA on page 3-201 for additional
information.)
- Discarding - Port receives STA configuration messages, but does not forward
packets.
- Learning - Port has transmitted configuration messages for an interval set by
the Forward Delay parameter without receiving contradictory information. Port
address table is cleared, and the port begins learning addresses.
- Forwarding - Port forwards packets, and continues learning addresses.
• Trunk – Indicates if a port is a member of a trunk. (STA Port Configuration only)
3-204
Spanning Tree Algorithm Configuration
3
The following interface attributes can be configured:
• Spanning Tree – Enables/disables STA on this interface. (Default: Enabled).
• BPDU Flooding - Enables/disables the flooding of BPDUs to other ports when
global spanning tree is disabled (page 3-197) or when spanning tree is disabled on
specific port. When flooding is enabled, BPDUs are flooded to all other ports on the
switch or to all other ports within the receiving port’s native VLAN as specified by
the Spanning Tree BPDU Flooding attribute (page 3-197).
• Priority – Defines the priority used for this port in the Spanning Tree Protocol. If
the path cost for all ports on a switch are the same, the port with the highest priority
(i.e., lowest value) will be configured as an active link in the Spanning Tree. This
makes a port with higher priority less likely to be blocked if the Spanning Tree
Protocol is detecting network loops. Where more than one port is assigned the
highest priority, the port with lowest numeric identifier will be enabled.
• Default: 128
• Range: 0-240, in steps of 16
• Admin Path Cost – This parameter is used by the STA to determine the best path
between devices. Therefore, lower values should be assigned to ports attached to
faster media, and higher values assigned to ports with slower media. (Path cost
takes precedence over port priority.)
(Range: 0 for auto-configuration, 1-65535 for the short path cost method 13,
1-200,000,000 for the long path cost method)
By default, the system automatically detects the speed and duplex mode used on
each port, and configures the path cost according to the values shown below. Path
cost “0” is used to indicate auto-configuration mode. When the short path cost
method is selected and the default path cost recommended by the IEEE 8021w
standard exceeds 65,535, the default is set to 65,535.
Table 3-12 Recommended STA Path Cost Range
Port Type
IEEE 802.1D-1998
IEEE 802.1w-2001
Ethernet
50-600
200,000-20,000,000
Fast Ethernet
10-60
20,000-2,000,000
Gigabit Ethernet
3-10
2,000-200,000
13. Refer to "Configuring Global Settings for STA" on page 3-197 for information on setting the path
cost method.
3-205
3
Configuring the Switch
Table 3-13 Recommended STA Path Costs
Port Type
Link Type
IEEE 802.1D-1998
IEEE 802.1w-2001
Ethernet
Half Duplex
Full Duplex
Trunk
100
95
90
2,000,000
1,999,999
1,000,000
Fast Ethernet
Half Duplex
Full Duplex
Trunk
19
18
15
200,000
100,000
50,000
Gigabit Ethernet
Full Duplex
Trunk
4
3
10,000
5,000
Table 3-14 Default STA Path Costs
Port Type
Link Type
IEEE 802.1w-2001
Ethernet
Half Duplex
Full Duplex
Trunk
2,000,000
1,000,000
500,000
Fast Ethernet
Half Duplex
Full Duplex
Trunk
200,000
100,000
50,000
Gigabit Ethernet
Full Duplex
Trunk
10,000
5,000
• Admin Link Type – The link type attached to this interface.
- Point-to-Point – A connection to exactly one other bridge.
- Shared – A connection to two or more bridges.
- Auto – The switch automatically determines if the interface is attached to a
point-to-point link or to shared media. (This is the default setting.)
• Root Guard – STA allows a bridge with a lower bridge identifier (or same identifier
and lower MAC address) to take over as the root bridge at any time. Root Guard
can be used to ensure that the root bridge is not formed at a suboptimal location.
Root Guard should be enabled on any designated port connected to low-speed
bridges which could potentially overload a slower link by taking over as the root port
and forming a new spanning tree topology. It could also be used to form a border
around part of the network where the root bridge is allowed. (Default: Disabled)
• Migration – If at any time the switch detects STP BPDUs, including Configuration
or Topology Change Notification BPDUs, it will automatically set the selected
interface to forced STP-compatible mode. However, you can also use the Protocol
Migration button to manually re-check the appropriate BPDU format (RSTP or
STP-compatible) to send on the selected interfaces. (Default: Disabled)
3-206
Spanning Tree Algorithm Configuration
3
Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify
the required attributes, then click Apply.
Figure 3-114 Configuring Spanning Tree per Port
CLI – This example sets STA attributes for port 7.
Console(config)#interface ethernet 1/7
Console(config-if)#no spanning-tree port-bpdu-flooding
Console(config-if)#spanning-tree port-priority 0
Console(config-if)#spanning-tree cost 50
Console(config-if)#spanning-tree link-type auto
Console(config-if)#no spanning-tree root-guard
Console(config-if)#
4-222
4-287
4-283
4-282
4-289
4-288
Spanning Tree Edge Port Configuration
You can enable some STA options when an interface is attached to a LAN segment
that is at the end of a bridged LAN or is attached to an end node.
Command Attributes
The following interface attributes can be configured:
• Admin Edge Port (Fast Forwarding) – Since end nodes cannot cause forwarding
loops, they can pass directly through to the spanning tree forwarding state.
Specifying Edge Ports provides quicker convergence for devices such as
workstations or servers, retains the current forwarding database to reduce the
amount of frame flooding required to rebuild address tables during reconfiguration
events, does not cause the spanning tree to initiate reconfiguration when the
interface changes state, and also overcomes other STA-related timeout problems.
However, remember that Edge Port should only be enabled for ports connected to
an end-node device. (Default: Enabled)
- Enabled – Manually configures a port as an Edge Port.
- Disabled – Disables the Edge Port setting.
- Auto – The port will be automatically configured as an edge port if the edge
delay time expires without receiving any RSTP or MSTP BPDUs. Note that edge
delay time (802.1D-2004 17.20.4) equals the protocol migration time if a port's
3-207
3
Configuring the Switch
link type is point-to-point; otherwise it equals the spanning-tree’s maximum age
(see "Configuring Global Settings for STA" on page 3-197).
An interface cannot function as an edge port under the following conditions:
- If spanning tree mode is set to STP (page 3-197), edge-port mode can be
manually enabled or set to auto, but will have no effect.
- If loopback detection is enabled (page 3-193) and a loopback BPDU is detected,
the interface cannot function as an edge port until the loopback state is released.
- If an interface is in forwarding state and its role changes, the interface cannot
continue to function as an edge port even if the edge delay time has expired.
If the port does not receive any BPDUs after the edge delay timer expires, its role
changes to designated port and it immediately enters forwarding state (see
"Displaying Interface Settings for STA" on page 3-201).
The edge delay time equals the protocol migration time when the port link type
is point-to-point (which is 3 seconds as defined in IEEE 802.3D-2004 17.20.4),
otherwise it equals the maximum age for configuration messages (see
"Displaying Global Settings for STA" on page 3-194).
• BPDU Guard – This feature protects edge ports from receiving BPDUs. It prevents
loops by shutting down an edge port when a BPDU is received instead of putting it
into the spanning tree discarding state. In a valid configuration, configured edge
ports should not receive BPDUs. If an edge port receives a BPDU an invalid
configuration exists, such as a connection to an unauthorized device. The BPDU
guard feature provides a secure response to invalid configurations because an
administrator must manually enable the port. (Default: Disabled)
• BPDU Filter – BPDU filtering allows you to avoid transmitting BPDUs on
configured edge ports that are connected to end nodes. By default, STA sends
BPDUs to all ports regardless of whether administrative edge is enabled on a port.
BDPU filtering is configured on a per-port basis. (Default: Disabled)
Web – Click Spanning Tree, STA, Port/Trunk Edge Port Configuration. Modify the
required attributes, then click Apply.
Figure 3-115 Configuring Edge Port Parameters
3-208
3
Spanning Tree Algorithm Configuration
CLI – This example sets edge port attributes for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-guard
Console(config-if)#spanning-tree bpdu-filter
Console(config-if)#
4-222
4-284
4-287
4-286
Configuring Multiple Spanning Trees
MSTP generates a unique spanning tree for each instance. This provides multiple
pathways across the network, thereby balancing the traffic load, preventing
wide-scale disruption when a bridge node in a single instance fails, and allowing for
faster convergence of a new topology for the failed instance.
By default all VLANs are assigned to the Internal Spanning Tree (MST Instance 0)
that connects all bridges and LANs within the MST region. This switch supports up
to 9 instances. You should try to group VLANs which cover the same general area of
your network. However, remember that you must configure all bridges within the
same MSTI Region (page 3-199) with the same set of instances, and the same
instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats
each MSTI region as a single node, connecting all regions to the Common Spanning
Tree.
To use multiple spanning trees:
1. Set the spanning tree type to MSTP (STA Configuration, page 3-130).
2. Enter the spanning tree priority for the selected MST instance (MSTP VLAN
Configuration).
3. Add the VLANs that will share this MSTI (MSTP VLAN Configuration).
Note: All VLANs are automatically added to the IST (Instance 0).
To ensure that the MSTI maintains connectivity across the network, you must
configure a related set of bridges with the same MSTI settings.
Command Attributes
• MST Instance – Instance identifier of this spanning tree. (Default: 0)
• Priority – The priority of a spanning tree instance. (Range: 0-61440 in steps of
4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864,
40960, 45056, 49152, 53248, 57344, 61440; Default: 32768)
• VLANs in MST Instance – VLANs assigned to this instance.
• MST ID – Instance identifier to configure. (Range: 0-57; Default: 0)
• VLAN ID – VLAN to assign to this selected MST instance. (Range: 1-4094)
The other global attributes are described under “Displaying Global Settings for STA,” page 3-194. The
attributes displayed by the CLI for individual interfaces are described under “Displaying Interface
Settings for STA,” page 3-201
3-209
3
Configuring the Switch
Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance
identifier from the list, set the instance priority, and click Apply. To add the VLAN
members to an MSTI instance, enter the instance identifier, the VLAN identifier, and
click Add.
Figure 3-116 Configuring Multiple Spanning Trees
CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI.
Console(config)#spanning-tree mst configuration
Console(config-mstp)#mst 1 priority 4096
Console(config-mstp)#mst 1 vlan 1-5
Console(config-mstp)#
4-277
4-279
4-278
CLI – This displays STA settings for instance 1, followed by settings for each port.
Console#show spanning-tree mst 1
Spanning Tree Information
--------------------------------------------------------------Spanning Tree Mode:
MSTP
Spanning Tree Enabled/Disabled:
Enabled
Instance:
1
VLANs Configuration:
1
Priority:
4096
Bridge Hello Time (sec.):
2
Bridge Max Age (sec.):
20
Bridge Forward Delay (sec.):
15
Root Hello Time (sec.):
2
Root Max Age (sec.):
20
Root Forward Delay (sec.):
15
Max Hops:
20
3-210
4-294
Spanning Tree Algorithm Configuration
3
Remaining Hops:
20
Designated Root:
32768.1.0012CF123456
Current Root Port:
0
Current Root Cost:
0
Number of Topology Changes:
5
Last Topology Change Time (sec.): 164
Transmission Limit:
3
Path Cost Method:
Long
Flooding Behavior:
To VLAN
--------------------------------------------------------------Eth 1/ 1 Information
--------------------------------------------------------------Admin Status:
Enabled
Role:
Disabled
State:
Discarding
External Admin Path Cost: 0
Internal Admin Path Cost: 0
External Oper Path Cost: 100000
Internal Oper Path Cost: 100000
Priority:
128
Designated Cost:
0
Designated Port:
128.1
Designated Root:
32768.1.0012CF123456
Designated Bridge:
32768.1.0012CF123456
Fast Forwarding:
Enabled
Forward Transitions:
0
Admin Edge Port:
Enabled
Oper Edge Port:
Enabled
Admin Link Type:
Auto
Oper Link Type:
Point-to-point
Flooding Behavior:
Enabled
Spanning Tree Status:
Enabled
Loopback Detection Status:
Enabled
Loopback Detection Release Mode:Auto
Loopback Detection Trap:
Disabled
Admin Root Guard:
Disabled
Oper Root Guard:
Disabled
BPDU Guard:
Disabled
BPDU Filtering:
Disabled
.
.
.
3-211
3
Configuring the Switch
Displaying Interface Settings for MSTP
The MSTP Port Information and MSTP Trunk Information pages display the current
status of ports and trunks in the selected MST instance.
Command Attributes
MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0)
The other attributes are described under "Displaying Interface Settings for STA" on page 3-201
Web – Click Spanning Tree, MSTP, Port or Trunk Information. Select the required
MST instance to display the current spanning tree values.
Figure 3-117 Displaying MSTP Interface Settings
3-212
Spanning Tree Algorithm Configuration
3
CLI – This displays STA settings for instance 0, followed by settings for each port.
The settings for instance 0 are global settings that apply to the IST, the settings for
other instances only apply to the local spanning tree.
Console#show spanning-tree mst 0
Spanning Tree Information
--------------------------------------------------------------Spanning Tree Mode:
MSTP
Spanning Tree Enabled/Disabled:
Enabled
Instance:
0
VLANs Configuration:
1-4094
Priority:
32768
Bridge Hello Time (sec.):
2
Bridge Max Age (sec.):
20
Bridge Forward Delay (sec.):
15
Root Hello Time (sec.):
2
Root Max Age (sec.):
20
Root Forward Delay (sec.):
15
Max Hops:
20
Remaining Hops:
20
Designated Root:
32768.0.0001ECF8D8C6
Current Root Port:
26
Current Root Cost:
100000
Number of Topology Changes:
4
Last Topology Change Time (sec.): 539
Transmission Limit:
3
Path Cost Method:
Long
Flooding Behavior:
To VLAN
--------------------------------------------------------------Eth 1/ 1 Information
--------------------------------------------------------------Admin Status:
Enabled
Role:
Disabled
State:
Discarding
External Admin Path Cost: 0
Internal Admin Path Cost: 0
External Oper Path Cost: 100000
Internal Oper Path Cost: 100000
Priority:
128
Designated Cost:
100000
Designated Port:
128.1
Designated Root:
32768.0.0001ECF8D8C6
Designated Bridge:
32768.0.0012CF123456
Fast Forwarding:
Enabled
Forward Transitions:
0
Admin Edge Port:
Enabled
Oper Edge Port:
Enabled
Admin Link Type:
Auto
Oper Link Type:
Point-to-point
Flooding Behavior:
Enabled
Spanning Tree Status:
Enabled
Loopback Detection Status:
Enabled
Loopback Detection Release Mode:Auto
Loopback Detection Trap:
Disabled
Admin Root Guard:
Disabled
Oper Root Guard:
Disabled
BPDU Guard:
Disabled
BPDU
Filtering:
Disabled
.
.
.
4-294
3-213
3
Configuring the Switch
Configuring Interface Settings for MSTP
You can configure the STA interface settings for an MST Instance using the MSTP
Port Configuration and MSTP Trunk Configuration pages.
Field Attributes
The following attributes are read-only and cannot be changed:
• STA State – Displays current state of this port within the Spanning Tree. (See
"Displaying Interface Settings for STA" on page 3-201 for additional information.)
- Discarding – Port receives STA configuration messages, but does not forward
packets.
- Learning – Port has transmitted configuration messages for an interval set by
the Forward Delay parameter without receiving contradictory information. Port
address table is cleared, and the port begins learning addresses.
- Forwarding – Port forwards packets, and continues learning addresses.
• Trunk – Indicates if a port is a member of a trunk. (STA Port Configuration only)
The following interface attributes can be configured:
• MST Instance ID – Instance identifier to configure. (Default: 0)
• Priority – Defines the priority used for this port in the Spanning Tree Protocol. If
the path cost for all ports on a switch are the same, the port with the highest priority
(i.e., lowest value) will be configured as an active link in the Spanning Tree. This
makes a port with higher priority less likely to be blocked if the Spanning Tree
Protocol is detecting network loops. Where more than one port is assigned the
highest priority, the port with lowest numeric identifier will be enabled.
(Default: 128; Range: 0-240, in steps of 16)
• Admin MST Path Cost – This parameter is used by the MSTP to determine the
best path between devices. Therefore, lower values should be assigned to ports
attached to faster media, and higher values assigned to ports with slower media.
(Path cost takes precedence over port priority.) Note that when the Path Cost
Method is set to short (page 3-63), the maximum path cost is 65,535.
By default, the system automatically detects the speed and duplex mode used on
each port, and configures the path cost according to the values shown below. Path
cost “0” is used to indicate auto-configuration mode. When the short path cost
method is selected and the default path cost recommended by the IEEE 8021w
standard exceeds 65,535, the default is set to 65,535
The recommended range is listed in Table 3-12 on page 3-205.
The recommended path cost is listed in Table 3-13 on page 3-206.
The default path costs are listed in Table 3-14 on page 3-206.
3-214
3
VLAN Configuration
Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter
the priority and path cost for an interface, and click Apply.
Figure 3-118 Displaying MSTP Interface Settings
CLI – This example sets the MSTP attributes for port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#spanning-tree mst port-priority 0
Console(config-if)#spanning-tree mst cost 50
Console(config-if)
VLAN Configuration
IEEE 802.1Q VLANs
In large networks, routers are used to isolate broadcast traffic for each subnet into
separate domains. This switch provides a similar service at Layer 2 by using VLANs
to organize any group of network nodes into separate broadcast domains. VLANs
confine broadcast traffic to the originating group, and can eliminate broadcast
storms in large networks. This also provides a more secure and cleaner network
environment.
An IEEE 802.1Q VLAN is a group of ports that can be located anywhere in the
network, but communicate as though they belong to the same physical segment.
VLANs help to simplify network management by allowing you to move devices to a
new VLAN without having to change any physical connections. VLANs can be easily
organized to reflect departmental groups (such as Marketing or R&D), usage groups
(such as e-mail), or multicast groups (used for multimedia applications such as
videoconferencing).
VLANs provide greater network efficiency by reducing broadcast traffic, and allow
you to make network changes without having to update IP addresses or IP subnets.
VLANs inherently provide a high level of network security since traffic must pass
through a configured Layer 3 link to reach a different VLAN.
3-215
3
Configuring the Switch
This switch supports the following VLAN features:
• Up to 255 VLANs based on the IEEE 802.1Q standard
• Distributed VLAN learning across multiple switches using explicit or implicit tagging
and GVRP protocol
• Port overlapping, allowing a port to participate in multiple VLANs
• End stations can belong to multiple VLANs
• Passing traffic between VLAN-aware and VLAN-unaware devices
• Priority tagging
Note: The switch allows 255 user-manageable VLANs. One extra, unmanageable VLAN
(VLAN ID 4093) is maintained for IP clustering.
Assigning Ports to VLANs
Before enabling VLANs for the switch, you must first assign each port to the VLAN
group(s) in which it will participate. By default all ports are assigned to VLAN 1 as
untagged ports. Add a port as a tagged port if you want it to carry traffic for one or
more VLANs, and any intermediate network devices or the host at the other end of
the connection supports VLANs. Then assign ports on the other VLAN-aware
network devices along the path that will carry this traffic to the same VLAN(s), either
manually or dynamically using GVRP. However, if you want a port on this switch to
participate in one or more VLANs, but none of the intermediate network devices nor
the host at the other end of the connection supports VLANs, then you should add
this port to the VLAN as an untagged port.
Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network
interconnection devices, but the VLAN tags should be stripped off before passing it
on to any end-node host that does not support VLAN tagging.
tagged frames
VA
VA
VA: VLAN Aware
VU: VLAN Unaware
tagged
frames
VA
untagged
frames
VA
VU
VLAN Classification – When the switch receives a frame, it classifies the frame in
one of two ways. If the frame is untagged, the switch assigns the frame to an
associated VLAN (based on the default VLAN ID of the receiving port). But if the
frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast
domain of the frame.
Port Overlapping – Port overlapping can be used to allow access to commonly
shared network resources among different VLAN groups, such as file servers or
printers. Note that if you implement VLANs which do not overlap, but still need to
communicate, you can connect them by enabled routing on this switch.
3-216
VLAN Configuration
3
Untagged VLANs – Untagged (or static) VLANs are typically used to reduce
broadcast traffic and to increase security. A group of network users assigned to a
VLAN form a broadcast domain that is separate from other VLANs configured on the
switch. Packets are forwarded only between ports that are designated for the same
VLAN. Untagged VLANs can be used to manually isolate user groups or subnets.
However, you should use IEEE 802.3 tagged VLANs with GVRP whenever possible
to fully automate VLAN registration.
Automatic VLAN Registration – GVRP (GARP VLAN Registration Protocol)
defines a system whereby the switch can automatically learn the VLANs to which
each end station should be assigned. If an end station (or its network adapter)
supports the IEEE 802.1Q VLAN protocol, it can be configured to broadcast a
message to your network indicating the VLAN groups it wants to join. When this
switch receives these messages, it will automatically place the receiving port in the
specified VLANs, and then forward the message to all other ports. When the
message arrives at another switch that supports GVRP, it will also place the
receiving port in the specified VLANs, and pass the message on to all other ports.
VLAN requirements are propagated in this way throughout the network. This allows
GVRP-compliant devices to be automatically configured for VLAN groups based
solely on endstation requests.
To implement GVRP in a network, first add the host devices to the required VLANs
(using the operating system or other application software), so that these VLANs can
be propagated onto the network. For both the edge switches attached directly to
these hosts, and core switches in the network, enable GVRP on the links between
these devices. You should also determine security boundaries in the network and
disable GVRP on the boundary ports to prevent advertisements from being
propagated, or forbid those ports from joining restricted VLANs.
Note: If you have host devices that do not support GVRP, you should configure static or
untagged VLANs for the switch ports connected to these devices (as described in
"Adding Static Members to VLANs (VLAN Index)" on page 3-223). But you can still
enable GVRP on these edge switches, as well as on the core switches in the
network.
Port-based VLAN
2
1
9
10 11
3
4
5
13
12
14
6
15 16
7
8
18
19
3-217
3
Configuring the Switch
Forwarding Tagged/Untagged Frames
If you want to create a small port-based VLAN for devices attached directly to a
single switch, you can assign ports to the same untagged VLAN. However, to
participate in a VLAN group that crosses several switches, you should create a
VLAN for that group and enable tagging on all ports.
Ports can be assigned to multiple tagged or untagged VLANs. Each port on the
switch is therefore capable of passing tagged or untagged frames. When forwarding
a frame from this switch along a path that contains any VLAN-aware devices, the
switch should include VLAN tags. When forwarding a frame from this switch along a
path that does not contain any VLAN-aware devices (including the destination host),
the switch must first strip off the VLAN tag before forwarding the frame. When the
switch receives a tagged frame, it will pass this frame onto the VLAN(s) indicated by
the frame tag. However, when this switch receives an untagged frame from a
VLAN-unaware device, it first decides where to forward the frame, and then inserts a
VLAN tag reflecting the ingress port’s default VID.
Enabling or Disabling GVRP (Global Setting)
GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange
VLAN information in order to register VLAN members on ports across the network.
VLANs are dynamically configured based on join messages issued by host devices
and propagated throughout the network. GVRP must be enabled to permit automatic
VLAN registration, and to support VLANs which extend beyond the local switch.
(Default: Disabled)
Web – Click VLAN, 802.1Q VLAN, GVRP Status. Enable or disable GVRP, click
Apply
Figure 3-119 Globally Enabling GVRP
CLI – This example enables GVRP for the switch.
Console(config)#bridge-ext gvrp
Console(config)#
3-218
4-297
3
VLAN Configuration
Displaying Basic VLAN Information
The VLAN Basic Information page displays basic information on the VLAN type
supported by the switch.
Field Attributes
• VLAN Version Number14 – The VLAN version used by this switch as specified in
the IEEE 802.1Q standard.
• Maximum VLAN ID – Maximum VLAN ID recognized by this switch.
• Maximum Number of Supported VLANs – Maximum number of VLANs that can
be configured on this switch.
Web – Click VLAN, 802.1Q VLAN, Basic Information.
Figure 3-120 Displaying Basic VLAN Information
CLI – Enter the following command.
Console#show bridge-ext
Max Support VLAN Numbers:
Max Support VLAN ID:
Extended Multicast Filtering Services:
Static Entry Individual Port:
VLAN Learning:
Configurable PVID Tagging:
Local VLAN Capable:
Traffic Classes:
Global GVRP Status:
GMRP:
Console#
4-298
256
4094
No
Yes
IVL
Yes
No
Enabled
Disabled
Disabled
14. Web Only.
3-219
3
Configuring the Switch
Displaying Current VLANs
The VLAN Current Table shows the current port members of each VLAN and
whether or not the port supports VLAN tagging. Ports assigned to a large VLAN
group that crosses several switches should use VLAN tagging. However, if you just
want to create a small port-based VLAN for one or two switches, you can disable
tagging.
Command Attributes (Web)
• VLAN ID – ID of configured VLAN (1-4094).
• Up Time at Creation – Time this VLAN was created (i.e., System Up Time).
• Status – Shows how this VLAN was added to the switch.
- Dynamic GVRP: Automatically learned via GVRP.
- Permanent: Added as a static entry.
• Egress Ports – Shows all the VLAN port members.
• Untagged Ports – Shows the untagged VLAN port members.
Web – Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down
list.
Figure 3-121 Displaying Current VLANs
Command Attributes (CLI)
• VLAN – ID of configured VLAN (1-4094, no leading zeroes).
• Type – Shows how this VLAN was added to the switch.
- Dynamic: Automatically learned via GVRP.
- Static: Added as a static entry.
3-220
3
VLAN Configuration
• Name – Name of the VLAN (1-100 characters).
• Status – Shows if this VLAN is enabled or disabled.
- Active: VLAN is operational.
- Suspend: VLAN is suspended; i.e., does not pass packets.
• Ports / Port channel – Shows the VLAN interface members.
CLI – Current VLAN information can be displayed with the following command.
Console#show vlan id 1
Vlan ID:
Type:
Name:
Status:
Ports/Port channel:
1
Static
DefaultVlan
Active
Eth1/ 1(S) Eth1/ 2(S)
Eth1/ 6(S) Eth1/ 7(S)
Eth1/11(S) Eth1/12(S)
Eth1/16(S) Eth1/17(S)
Eth1/21(S) Eth1/22(S)
Eth1/26(S) Eth1/27(S)
4-310
Eth1/ 3(S)
Eth1/ 8(S)
Eth1/13(S)
Eth1/18(S)
Eth1/23(S)
Eth1/28(S)
Eth1/ 4(S)
Eth1/ 9(S)
Eth1/14(S)
Eth1/19(S)
Eth1/24(S)
Eth1/ 5(S)
Eth1/10(S)
Eth1/15(S)
Eth1/20(S)
Eth1/25(S)
Console#
Creating VLANs
Use the VLAN Static List to create or remove VLAN groups. To propagate
information about VLAN groups used on this switch to external network devices, you
must specify a VLAN ID for each of these groups.
Command Attributes
• Current – Lists all the current VLAN groups created for this system. Up to 255
VLAN groups can be defined. VLAN 1 is the default untagged VLAN. VLAN 4093
is reserved for switch clustering and is not user-configurable or removable.
• New – Allows you to specify the name and numeric identifier for a new VLAN
group. (The VLAN name is only used for management on this system; it is not
added to the VLAN tag.)
• VLAN ID – ID of configured VLAN (1-4094, no leading zeroes).
• VLAN Name – Name of the VLAN (1-100 characters, no spaces).
• Status (Web) – Enables or disables the specified VLAN.
- Enabled: VLAN is operational.
- Disabled: VLAN is suspended; i.e., does not pass packets.
• State (CLI) – Enables or disables the specified VLAN.
- Active: VLAN is operational.
- Suspend: VLAN is suspended; i.e., does not pass packets.
• Add – Adds a new VLAN group to the current list.
• Remove – Removes a VLAN group from the current list. If any port is assigned to
this group as untagged, it will be reassigned to VLAN group 1 as untagged.
3-221
3
Configuring the Switch
Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the
VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and
then click Add.
Figure 3-122 Configuring a VLAN Static List
CLI – This example creates a new VLAN.
Console(config)#vlan database
Console(config-vlan)#vlan 2 name R&D media ethernet state active
Console(config-vlan)#end
Console#show vlan
Default VLAN ID : 1
VLAN ID:
Type:
Name:
Status:
Ports/Port Channels:
1
Static
DefaultVlan
Active
Eth1/ 1(S) Eth1/ 2(S)
Eth1/ 6(S) Eth1/ 7(S)
Eth1/11(S) Eth1/12(S)
Eth1/16(S) Eth1/17(S)
Eth1/21(S) Eth1/22(S)
Eth1/26(S) Eth1/27(S)
VLAN ID:
Type:
Name:
Status:
Ports/Port Channels:
2
Static
R&D
Active
VLAN ID:
Type:
Name:
Status:
Ports/Port Channels:
4093
Static
Console#
3-222
Active
Eth1/ 1(S)
Eth1/ 6(S)
Eth1/11(S)
Eth1/16(S)
Eth1/21(S)
Eth1/26(S)
Eth1/ 2(S)
Eth1/ 7(S)
Eth1/12(S)
Eth1/17(S)
Eth1/22(S)
Eth1/27(S)
4-301
4-302
4-310
Eth1/ 3(S)
Eth1/ 8(S)
Eth1/13(S)
Eth1/18(S)
Eth1/23(S)
Eth1/28(S)
Eth1/ 4(S)
Eth1/ 9(S)
Eth1/14(S)
Eth1/19(S)
Eth1/24(S)
Eth1/ 5(S)
Eth1/10(S)
Eth1/15(S)
Eth1/20(S)
Eth1/25(S)
Eth1/ 3(S)
Eth1/ 8(S)
Eth1/13(S)
Eth1/18(S)
Eth1/23(S)
Eth1/28(S)
Eth1/ 4(S)
Eth1/ 9(S)
Eth1/14(S)
Eth1/19(S)
Eth1/24(S)
Eth1/ 5(S)
Eth1/10(S)
Eth1/15(S)
Eth1/20(S)
Eth1/25(S)
3
VLAN Configuration
Adding Static Members to VLANs (VLAN Index)
Use the VLAN Static Table to configure port members for the selected VLAN index.
Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or
untagged they are not connected to any VLAN-aware devices. Or configure a port
as forbidden to prevent the switch from automatically adding it to a VLAN via the
GVRP protocol.
Notes: 1. You can also use the VLAN Static Membership by Port page to configure
VLAN groups based on the port index (page 3-225). However, note that this
configuration page can only add ports to a VLAN as tagged members.
2. VLAN 1 is the default untagged VLAN containing all ports on the switch, and
can only be modified by first reassigning the default port VLAN ID as
described under "Configuring VLAN Behavior for Interfaces" on page 3-226.
Command Attributes
• VLAN – ID of configured VLAN (1-4094).
• Name – Name of the VLAN (1-100 characters).
• Status – Enables or disables the specified VLAN.
- Enable: VLAN is operational.
- Disable: VLAN is suspended; i.e., does not pass packets.
• Port – Port identifier.
• Membership Type – Select VLAN membership for each interface by marking the
appropriate radio button for a port or trunk:
- Tagged: Interface is a member of the VLAN. All packets transmitted by the port
will be tagged, that is, carry a tag and therefore carry VLAN or CoS information.
- Untagged: Interface is a member of the VLAN. All packets transmitted by the
port will be untagged, that is, not carry a tag and therefore not carry VLAN or
CoS information. Note that an interface must be assigned to at least one group
as an untagged port.
- Forbidden: Interface is forbidden from automatically joining the VLAN via
GVRP. For more information, see “Automatic VLAN Registration” on page
3-217.
- None: Interface is not a member of the VLAN. Packets associated with this
VLAN will not be transmitted by the interface.
• Trunk Member – Indicates if a port is a member of a trunk. To add a trunk to the
selected VLAN, use the last table on the VLAN Static Table page.
3-223
3
Configuring the Switch
Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the
scroll-down list. Modify the VLAN name and status if required. Select the
membership type by marking the appropriate radio button in the list of ports or
trunks. Click Apply.
Figure 3-123 Configuring a VLAN Static Table
CLI – The following example adds tagged and untagged ports to VLAN 2.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 2 tagged
Console(config-if)#exit
Console(config)#interface ethernet 1/2
Console(config-if)#switchport allowed vlan add 2 untagged
Console(config-if)#exit
Console(config)#interface ethernet 1/13
Console(config-if)#switchport allowed vlan add 2 tagged
Console(config-if)#
3-224
4-222
4-307
3
VLAN Configuration
Adding Static Members to VLANs (Port Index)
Use the VLAN Static Membership by Port menu to assign VLAN groups to the
selected interface as a tagged member.
Command Attributes
• Interface – Port or trunk identifier.
• Member – VLANs for which the selected interface is a tagged member.
• Non-Member – VLANs for which the selected interface is not a tagged member.
Web – Open VLAN, 802.1Q VLAN, Static Membership by Port. Select an interface
from the scroll-down box (Port or Trunk). Click Query to display membership
information for the interface. Select a VLAN ID, and then click Add to add the
interface as a tagged member, or click Remove to remove the interface. After
configuring VLAN membership for each interface, click Apply.
Figure 3-124 VLAN Static Membership by Port
CLI – This example adds Port 3 to VLAN 1 as a tagged port, and removes Port 3
from VLAN 2.
Console(config)#interface ethernet 1/3
Console(config-if)#switchport allowed vlan add 1 tagged
Console(config-if)#switchport allowed vlan remove 2
Console(config-if)#
4-222
4-307
3-225
3
Configuring the Switch
Configuring VLAN Behavior for Interfaces
You can configure VLAN behavior for specific interfaces, including the default VLAN
identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP
timers.
Command Usage
• GVRP – GARP VLAN Registration Protocol defines a way for switches to
exchange VLAN information in order to automatically register VLAN members on
interfaces across the network.
• GARP – Group Address Registration Protocol is used by GVRP to register or
deregister client attributes for client services within a bridged LAN. The default
values for the GARP timers are independent of the media access method or data
rate. These values should not be changed unless you are experiencing difficulties
with GVRP registration/deregistration.
Command Attributes
• PVID – VLAN ID assigned to untagged frames received on the interface. (Default: 1)
If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN,
the interface will automatically be added to VLAN 1 as an untagged member. For
all other VLANs, the PVID must be defined first, then the status of the VLAN can
be configured as a tagged or untagged member.
• Acceptable Frame Type – Sets the interface to accept all frame types, including
tagged or untagged frames, or only tagged frames. When set to receive all frame
types, any received frames that are untagged are assigned to the default VLAN.
(Options: All, Tagged; Default: All)
• Ingress Filtering – Determines how to process frames tagged for VLANs for which
the ingress port is not a member. (Default: Enabled)
- Ingress filtering only affects tagged frames.
- If ingress filtering is disabled and a port receives frames tagged for VLANs for
which it is not a member, these frames will be flooded to all other ports (except
for those VLANs explicitly forbidden on this port).
- If ingress filtering is enabled and a port receives frames tagged for VLANs for
which it is not a member, these frames will be discarded.
- Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP
or STP. However, they do affect VLAN dependent BPDU frames, such as GMRP.
• GVRP Status – Enables/disables GVRP for the interface. GVRP must be globally
enabled for the switch before this setting can take effect. (See "Displaying Bridge
Extension Capabilities" on page 3-16.) When disabled, any GVRP packets
received on this port will be discarded and no GVRP registrations will be
propagated from other ports. (Default: Disabled)
• GARP Join Timer15 – The interval between transmitting requests/queries to
participate in a VLAN group. (Range: 20-1000 centiseconds; Default: 20)
15. Timer settings must follow this rule: 2 x (join timer) < leave timer < leaveAll timer
3-226
VLAN Configuration
3
• GARP Leave Timer15 – The interval a port waits before leaving a VLAN group.
This time should be set to more than twice the join time. This ensures that after a
Leave or LeaveAll message has been issued, the applicants can rejoin before the
port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60)
• GARP LeaveAll Timer15 – The interval between sending out a LeaveAll query
message for VLAN group participants and the port leaving the group. This interval
should be considerably larger than the Leave Time to minimize the amount of traffic
generated by nodes rejoining the group.
(Range: 500-18000 centiseconds; Default: 1000)
• Mode – Indicates VLAN membership mode for an interface. (Default: Hybrid)
- Access - Sets the port to operate as an untagged interface. All frames are sent
untagged.
- 1Q Trunk – Specifies a port as an end-point for a VLAN trunk. A trunk is a direct
link between two switches, so the port transmits tagged frames that identify the
source VLAN. Note that frames belonging to the port’s default VLAN (i.e.,
associated with the PVID) are also transmitted as tagged frames.
- Hybrid – Specifies a hybrid VLAN interface. The port may transmit tagged or
untagged frames.
• Trunk Member – Indicates if a port is a member of a trunk. To add a trunk to the
selected VLAN, use the last table on the VLAN Static Table page.
Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in
the required settings for each interface, click Apply.
Figure 3-125 Configuring VLANs per Port
3-227
3
Configuring the Switch
CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the
native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport
mode to hybrid.
Console(config)#interface ethernet 1/3
Console(config-if)#switchport acceptable-frame-types tagged
Console(config-if)#switchport ingress-filtering
Console(config-if)#switchport native vlan 3
Console(config-if)#switchport gvrp
Console(config-if)#garp timer join 20
Console(config-if)#garp timer leave 90
Console(config-if)#garp timer leaveall 2000
Console(config-if)#switchport mode hybrid
Console(config-if)#
4-222
4-305
4-305
4-306
4-298
4-299
4-304
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for
multiple customers across their networks. QinQ tunneling is used to maintain
customer-specific VLAN and Layer 2 protocol configurations even when different
customers use the same internal VLAN IDs. This is accomplished by inserting
Service Provider VLAN (SPVLAN) tags into the customer’s frames when they enter
the service provider’s network, and then stripping the tags when the frames leave
the network.
A service provider’s customers may have specific requirements for their internal
VLAN IDs and number of VLANs supported. VLAN ranges required by different
customers in the same service-provider network might easily overlap, and traffic
passing through the infrastructure might be mixed. Assigning a unique range of
VLAN IDs to each customer would restrict customer configurations, require intensive
processing of VLAN mapping tables, and could easily exceed the maximum VLAN
limit of 4096.
QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who
have multiple VLANs. Customer VLAN IDs are preserved and traffic from different
customers is segregated within the service provider’s network even when they use
the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by
using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets,
and adding SPVLAN tags to each frame (also called double tagging).
A port configured to support QinQ tunneling must be set to tunnel port mode. The
Service Provider VLAN (SPVLAN) ID for the specific customer must be assigned to
the QinQ tunnel access port on the edge switch where the customer traffic enters
the service provider’s network. Each customer requires a separate SPVLAN, but this
VLAN supports all of the customer's internal VLANs. The QinQ tunnel uplink port
that passes traffic from the edge switch into the service provider’s metro network
must also be added to this SPVLAN. The uplink port can be added to multiple
SPVLANs to carry inbound traffic for different customers onto the service provider’s
network.
3-228
3
VLAN Configuration
When a double-tagged packet enters another trunk port in an intermediate or core
switch in the service provider’s network, the outer tag is stripped for packet
processing. When the packet exits another trunk port on the same core switch, the
same SPVLAN tag is again added to the packet.
When a packet enters the trunk port on the service provider’s egress switch, the
outer tag is again stripped for packet processing. However, the SPVLAN tag is not
added when it is sent out the tunnel access port on the edge switch into the
customer’s network. The packet is sent as a normal IEEE 802.1Q-tagged frame,
preserving the original VLAN numbers used in the customer’s network.
Customer A
(VLANs 1-10)
Customer A
(VLANs 1-10)
QinQ Tunneling
VLAN 10
Tunnel Access Port
Tunnel Access Port
VLAN 20
Customer B
(VLANs 1-50)
Service Provider
(edge switch A)
Service Provider
(edge switch B)
Tunnel Uplink Ports
Double-Tagged Packets
Outer Tag - Service Provider VID
Inner Tag - Customer VID
VLAN 10
Tunnel Access Port
Tunnel Access Port
VLAN 20
Customer B
(VLANs 1-50)
Layer 2 Flow for Packets Coming into a Tunnel Access Port
A QinQ tunnel port may receive either tagged or untagged packets. No matter how
many tags the incoming packet has, it is treated as tagged packet.
The ingress process does source and destination lookups. If both lookups are
successful, the ingress process writes the packet to memory. Then the egress
process transmits the packet. Packets entering a QinQ tunnel port are processed in
the following manner:
1. New SPVLAN tags are added to all incoming packets, no matter how many tags
they already have. The ingress process constructs and inserts the outer tag
(SPVLAN) into the packet based on the default VLAN ID and Tag Protocol
Identifier (TPID, that is, the ether-type of the tag). This outer tag is used for
learning and switching packets. The priority of the inner tag is copied to the outer
tag if it is a tagged or priority tagged packet.
2. After successful source and destination lookup, the ingress process sends the
packet to the switching process with two tags. If the incoming packet is
untagged, the outer tag is an SPVLAN tag, and the inner tag is a dummy tag
(8100 0000). If the incoming packet is tagged, the outer tag is an SPVLAN tag,
and the inner tag is a CVLAN tag.
3-229
3
Configuring the Switch
3. After packet classification through the switching process, the packet is written to
memory with one tag (an outer tag) or with two tags (both an outer tag and inner
tag).
4. The switch sends the packet to the proper egress port.
5. If the egress port is an untagged member of the SPVLAN, the outer tag will be
stripped. If it is a tagged member, the outgoing packets will have two tags.
Layer 2 Flow for Packets Coming into a Tunnel Uplink Port
An uplink port receives one of the following packets:
• Untagged
• One tag (CVLAN or SPVLAN)
• Double tag (CVLAN + SPVLAN)
The ingress process does source and destination lookups. If both lookups are
successful, the ingress process writes the packet to memory. Then the egress
process transmits the packet. Packets entering a QinQ uplink port are processed in
the following manner:
1. If incoming packets are untagged, the PVID VLAN native tag is added.
2. If the ether-type of an incoming packet (single or double tagged) is not equal to
the TPID of the uplink port, the VLAN tag is determined to be a Customer VLAN
(CVLAN) tag. The uplink port’s PVID VLAN native tag is added to the packet.
This outer tag is used for learning and switching packets within the service
provider’s network. The TPID must be configured on a per port basis, and the
verification cannot be disabled.
3. If the ether-type of an incoming packet (single or double tagged) is equal to the
TPID of the uplink port, no new VLAN tag is added. If the uplink port is not the
member of the outer VLAN of the incoming packets, the packet will be dropped
when ingress filtering is enabled. If ingress filtering is not enabled, the packet will
still be forwarded. If the VLAN is not listed in the VLAN table, the packet will be
dropped.
4. After successful source and destination lookups, the packet is double tagged.
The switch uses the TPID of 0x8100 to indicate that an incoming packet is
double-tagged. If the outer tag of an incoming double-tagged packet is equal to
the port TPID and the inner tag is 0x8100, it is treated as a double-tagged
packet. If a single-tagged packet has 0x8100 as its TPID, and port TPID is not
0x8100, a new VLAN tag is added and it is also treated as double-tagged packet.
5. If the destination address lookup fails, the packet is sent to all member ports of
the outer tag's VLAN.
6. After packet classification, the packet is written to memory for processing as a
single-tagged or double-tagged packet.
7. The switch sends the packet to the proper egress port.
8. If the egress port is an untagged member of the SPVLAN, the outer tag will be
stripped. If it is a tagged member, the outgoing packet will have two tags.
3-230
VLAN Configuration
3
Configuration Limitations for QinQ
• The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN
is the uplink port's native VLAN, the uplink port must be an untagged member of
the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are
sent out. Another reason is that it causes non-customer packets to be forwarded
to the SPVLAN.
• Static trunk port groups are compatible with QinQ tunnel ports as long as the QinQ
configuration is consistent within a trunk port group.
• The native VLAN (VLAN 1) is not normally added to transmitted frames. Avoid
using VLAN 1 as an SPVLAN tag for customer traffic to reduce the risk of
misconfiguration. Instead, use VLAN 1 as a management VLAN instead of a data
VLAN in the service provider network.
• There are some inherent incompatibilities between Layer 2 and Layer 3 switching:
- Tunnel ports do not support IP Access Control Lists.
- Layer 3 Quality of Service (QoS) and other QoS features containing Layer 3
information are not supported on tunnel ports.
- Spanning tree bridge protocol data unit (BPDU) filtering is automatically disabled
on a tunnel port.
General Configuration Guidelines for QinQ
1. Configure the switch to QinQ mode (see "Enabling QinQ Tunneling on the
Switch" on page 3-232).
2. Set the Tag Protocol Identifier (TPID) value of the tunnel access port. This step is
required if the attached client is using a nonstandard 2-byte ethertype to identify
802.1Q tagged frames. The default ethertype value is 0x8100. (See "Enabling
QinQ Tunneling on the Switch" on page 3-232.)
3. Create a Service Provider VLAN, also referred to as an SPVLAN (see "Creating
VLANs" on page 3-221).
4. Configure the QinQ tunnel access port to 802.1Q Tunnel mode (see "Adding an
Interface to a QinQ Tunnel" on page 3-233).
5. Configure the QinQ tunnel access port to join the SPVLAN as an untagged
member (see "Adding Static Members to VLANs (VLAN Index)" on page 3-223).
6. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (see
"Configuring VLAN Behavior for Interfaces" on page 3-226).
7. Configure the QinQ tunnel uplink port to 802.1Q Tunnel Uplink mode (see
"Adding an Interface to a QinQ Tunnel" on page 3-233).
8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member
(see "Adding Static Members to VLANs (VLAN Index)" on page 3-223).
3-231
3
Configuring the Switch
Enabling QinQ Tunneling on the Switch
The switch can be configured to operate in normal VLAN mode or IEEE 802.1Q
(QinQ) tunneling mode which is used for passing Layer 2 traffic across a service
provider’s metropolitan area network. You can also globally set the Tag Protocol
Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard
2-byte ethertype to identify 802.1Q tagged frames.
Command Usage
• Use the TPID field to set a custom 802.1Q ethertype value on the selected
interface. This feature allows the switch to interoperate with third-party switches
that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames.
For example, if 0x1234 is set as the custom 802.1Q ethertype on a trunk port,
incoming frames containing that ethertype are assigned to the VLAN contained in
the tag following the ethertype field, as they would be with a standard 802.1Q trunk.
Frames arriving on the port containing any other ethertype are looked upon as
untagged frames, and assigned to the native VLAN of that port.
• All ports on the switch will be set to the same ethertype.
Command Attributes
• 802.1Q Tunnel Status – Sets the switch to QinQ mode, and allows the QinQ
tunnel port to be configured. The default is for the switch to function in normal
mode.
• 802.1Q Ethernet Type – The Tag Protocol Identifier (TPID) specifies the ethertype
of incoming packets on a tunnel port. (Range: hexadecimal 0800-FFFF;
Default: 8100)
Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Status. Check the Enabled box,
set the TPID of the ports if the client is using a non-standard ethertype to identify
802.1Q tagged frames, and click Apply.
Figure 3-126 802.1Q Tunnel Status and Ethernet Type
3-232
VLAN Configuration
3
CLI – This example sets the switch to operate in QinQ mode.
4-312
4-314
Console(config)#dot1q-tunnel system-tunnel-control
Console(config-if)#switchport dot1q-tunnel tpid 9100
Console(config)#exit
Console#show dot1q-tunnel
4-315
Current double-tagged status of the system is Enabled
The
The
The
The
The
.
.
.
dot1q-tunnel
dot1q-tunnel
dot1q-tunnel
dot1q-tunnel
dot1q-tunnel
mode
mode
mode
mode
mode
of
of
of
of
of
the
the
the
the
the
set
set
set
set
set
interface
interface
interface
interface
interface
1/1
1/2
1/3
1/4
1/5
is
is
is
is
is
Access
Uplink
Normal
Normal
Normal
mode,
mode,
mode,
mode,
mode,
TPID
TPID
TPID
TPID
TPID
is
is
is
is
is
0x9100.
0x9100.
0x9100.
0x9100.
0x9100.
Adding an Interface to a QinQ Tunnel
Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch.
Command Usage
• Use the VLAN Port Configuration or VLAN Trunk Configuration screen to set the
access port on the edge switch to 802.1Q Tunnel mode.
• Use the 802.1Q Tunnel Configuration screen to set the switch to QinQ mode before
configuring a tunnel port (see "Enabling QinQ Tunneling on the Switch" on page
3-232). Also set the Tag Protocol Identifier (TPID) value of the tunnel port if the
attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged
frames (see "Enabling QinQ Tunneling on the Switch" on page 3-232).
Command Attributes
Mode – Set the VLAN membership mode of the port.
• None – The port operates in its normal VLAN mode. (This is the default.)
• 802.1Q Tunnel – Configures IEEE 802.1Q tunneling (QinQ) for a client access port
to segregate and preserve customer VLAN IDs for traffic crossing the service
provider network.
• 802.1Q Tunnel Uplink – Configures IEEE 802.1Q tunneling (QinQ) for an uplink
port to another device within the service provider network.
• Trunk Member – Shows if a port is a member or a trunk.
3-233
3
Configuring the Switch
Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Configuration or Tunnel Trunk
Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel
uplink port to 802.1Q Tunnel Uplink. Click Apply.
Figure 3-127 Tunnel Port Configuration
CLI – This example sets port 1 to tunnel access mode, indicates that the TPID used
for 802.1Q tagged frames is 9100 hexadecimal, and sets port 2 to tunnel uplink
mode.
4-222
4-313
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel mode access
Console(config-if)#interface ethernet 1/2
Console(config-if)#switchport dot1q-tunnel mode uplink
Console(config-if)#end
Console#show dot1q-tunnel
Current double-tagged
The dot1q-tunnel mode
The dot1q-tunnel mode
The dot1q-tunnel mode
The dot1q-tunnel mode
The dot1q-tunnel mode
The dot1q-tunnel mode
The
dot1q-tunnel mode
.
.
.
3-234
status
of the
of the
of the
of the
of the
of the
of the
of the system
set interface
set interface
set interface
set interface
set interface
set interface
set interface
is Enabled
1/1 is Access
1/2 is Uplink
1/3 is Normal
1/4 is Normal
1/5 is Normal
1/6 is Normal
1/7 is Normal
4-313
4-315
mode,
mode,
mode,
mode,
mode,
mode,
mode,
TPID
TPID
TPID
TPID
TPID
TPID
TPID
is
is
is
is
is
is
is
0x9100.
0x8100.
0x8100.
0x8100.
0x8100.
0x8100.
0x9100.
3
VLAN Configuration
Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink
ports on the local network and over uplink ports to the service provider, port-based
traffic segmentation can be used to isolate traffic for individual client sessions.
Traffic belonging to each client is isolated to the allocated downlink ports. But the
switch can be configured to either isolate traffic passing across a client’s allocated
uplink ports from the uplink ports assigned to other clients, or to forward traffic
through the uplink ports used by other clients, allowing different clients to share
access to their uplink ports where security is less likely to be compromised.
Configuring Global Settings for Traffic Segmentation
Use the Traffic Segmentation Status page to enable traffic segmentation, and to
block or forward traffic between uplink ports assigned to different client sessions.
Command Attributes
• Traffic Segmentation Status – Enables port-based traffic segmentation.
(Default: Disabled)
• Uplink-to-Uplink – Specifies whether or not traffic can be forwarded between
uplink ports assigned to different client sessions. (Default: Blocking)
Web – Click VLAN, Traffic Segmentation, Status. Set the traffic segmentation status
or uplink-to-uplink forwarding mode, and click Apply.
Figure 3-128 Traffic Segmentation Status Configuration
CLI – This example enables traffic segmentation and allows traffic to be forwarded
across the uplink ports assigned to different client sessions.
4-316
4-318
Console(config)#pvlan
Console(config)#pvlan up-to-up forwarding
Console(config)#exit
Console#show pvlan
Private VLAN Status
:
Uplink-to-Uplink Mode :
4-318
Enabled
Forwarding
Session
Uplink Ports
Downlink Ports
--------- ------------------------------ ----------------------------1
Console#
3-235
3
Configuring the Switch
Configuring Traffic Segmentation Sessions
Use the Traffic Segmentation Session Configuration page to create a client session,
and assign the downlink and uplink ports to service the traffic associated with each
session.
Command Attributes
• Session ID – Traffic segmentation session. (Range: 1-15)
• Direction – Uplink or downlink interface.
• Interface – Port or trunk used for assigned traffic segmentation session.
Due to switch ASIC limitations, ports 1-8, 9-16, 17-24 are grouped together when
any of the group members are configured as an uplink or downlink interface.
Web – Click VLAN, Traffic Segmentation, Session Configuration. Set the session
number, specify whether an uplink or downlink is to be used, select the interface,
and click Apply.
Figure 3-129 Traffic Segmentation Session Configuration
CLI – This example enables traffic segmentation and allows traffic to be forwarded
across the uplink ports assigned to different client sessions.
Console(config)#pvlan session 1 uplink ethernet 1/24 downlink ethernet 1/14-317
Console(config)#exit
4-318
Console#show pvlan
Private VLAN Status
:
Uplink-to-Uplink Mode :
Enabled
Forwarding
Session
Uplink Ports
Downlink Ports
--------- ------------------------------ ----------------------------1
Ethernet 1/24
Ethernet 1/1
Ethernet 1/2
Ethernet 1/3
Ethernet 1/4
Ethernet 1/5
Ethernet 1/6
Ethernet 1/7
Ethernet 1/8
Console#
3-236
3
VLAN Configuration
Private VLANs
Private VLANs provide port-based security and isolation of local ports contained
within different private VLAN groups. This switch supports two types of private
VLANs – primary and community groups. A primary VLAN contains promiscuous
ports that can communicate with all other ports in the associated private VLAN
groups, while a community (or secondary) VLAN contains community ports that can
only communicate with other hosts within the community VLAN and with any of the
promiscuous ports in the associated primary VLAN. The promiscuous ports are
designed to provide open access to an external network such as the Internet, while
the community ports provide restricted access to local users.
Multiple primary VLANs can be configured on this switch, and multiple community
VLANs can be associated with each primary VLAN. (Note that private VLANs and
normal VLANs can exist simultaneously within the same switch.)
To configure primary/secondary associated groups, follow these steps:
1.
Use the Private VLAN Configuration menu (page 3-238) to designate one or
more community VLANs, and the primary VLAN that will channel traffic outside
of the VLAN groups.
2.
Use the Private VLAN Association menu (page 3-239) to map the secondary
(i.e., community) VLAN(s) to the primary VLAN.
3.
Use the Private VLAN Port Configuration menu (page 3-241) to set the port
type to promiscuous (i.e., having access to all ports in the primary VLAN), or
host (i.e., having access restricted to community VLAN members, and
channeling all other traffic through promiscuous ports). Then assign any
promiscuous ports to a primary VLAN and any host ports a community VLAN.
Displaying Current Private VLANs
The Private VLAN Information page displays information on the private VLANs
configured on the switch, including primary and community VLANs, and their
assigned interfaces.
Command Attributes
• VLAN ID – ID of configured VLAN (1-4094), and VLAN type.
• Primary VLAN – The VLAN with which the selected VLAN ID is associated. A
primary VLAN displays its own ID, and a community VLAN displays the associated
primary VLAN.
• Ports List – The list of ports (and assigned port type) in the selected private VLAN.
3-237
3
Configuring the Switch
Web – Click VLAN, Private VLAN, Information. Select the desired port from the
VLAN ID drop-down menu.
Figure 3-130 Private VLAN Information
CLI – This example shows the switch configured with primary VLAN 5 and
secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped
to VLAN 5, while ports 4 and 5 have been configured as a host ports and are
associated with VLAN 6. This means that traffic for port 4 and 5 can only pass
through port 3.
Console#show vlan private-vlan
Primary
Secondary
Type
-------- ----------- ---------5
primary
5
6
community
Console#
4-323
Interfaces
-------------------------------------Eth1/ 3
Eth1/ 4 Eth1/ 5
Configuring Private VLANs
The Private VLAN Configuration page is used to create/remove primary or
community VLANs.
Command Attributes
• VLAN ID – ID of configured VLAN (2-4094).
• Type – There are three types of private VLANs:
- Primary VLANs – Conveys traffic between promiscuous ports, and to
community ports within secondary (or community) VLANs.
- Community VLANs - Conveys traffic between community ports, and to their
promiscuous ports in the associated primary VLAN.
• Current – Displays a list of the currently configured VLANs.
3-238
VLAN Configuration
3
Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select
Primary, Isolated or Community type, then click Add. To remove a private VLAN from
the switch, highlight an entry in the Current list box and then click Remove. Note that
all member ports must be removed from the VLAN before it can be deleted.
Figure 3-131 Private VLAN Configuration
CLI – This example configures VLAN 5 as a primary VLAN, and VLAN 6 as a
community VLAN.
Console(config)#vlan database
Console(config-vlan)#private-vlan 5 primary
Console(config-vlan)#private-vlan 6 community
Console(config-vlan)#
4-301
4-320
Associating VLANs
Each community VLAN must be associated with a primary VLAN.
Command Attributes
• Primary VLAN ID – ID of primary VLAN (2-4094).
• Association – Community VLANs associated with the selected primary VLAN.
• Non-Association – Community VLANs not associated with the selected VLAN.
Web – Click VLAN, Private VLAN, Association. Select the required primary VLAN
from the scroll-down box, highlight one or more community VLANs in the
Non-Association list box, and click Add to associate these entries with the selected
primary VLAN. (A community VLAN can only be associated with one primary VLAN.)
Figure 3-132 Private VLAN Association
3-239
3
Configuring the Switch
CLI – This example associates community VLANs 6 and 7 with primary VLAN 5.
Console(config)#vlan database
Console(config-vlan)#private-vlan 5 association 6
Console(config-vlan)#private-vlan 5 association 7
Console(config)#
4-301
4-321
4-321
Displaying Private VLAN Interface Information
Use the Private VLAN Port Information and Private VLAN Trunk Information menus
to display the interfaces associated with private VLANs.
Command Attributes
• Port/Trunk – The switch interface.
• PVLAN Port Type – Displays private VLAN port types.
- Normal – The port is not configured in a private VLAN.
- Host – The port is a community port and can only communicate with other ports
in its own community VLAN, and with the designated promiscuous port(s). Or the
port is an isolated port that can only communicate with the lone promiscuous
port within its own isolated VLAN.
- Promiscuous – A promiscuous port can communicate with all the interfaces
within a private VLAN.
• Primary VLAN – Conveys traffic between promiscuous ports, and between
promiscuous ports and community ports within the associated secondary VLANs.
• Community VLAN – A community VLAN conveys traffic between community
ports, and from community ports to their designated promiscuous ports.
• Trunk – The trunk identifier. (Port Information only)
Web – Click VLAN, Private VLAN, Port Information or Trunk Information.
Figure 3-133 Private VLAN Port Information
3-240
VLAN Configuration
3
CLI – This example shows the switch configured with primary VLAN 5 and
community VLAN 6. Port 3 has been configured as a promiscuous port and mapped
to VLAN 5, while ports 4 and 5 have been configured as host ports and associated
with VLAN 6. This means that traffic for port 4 and 5 can only pass through port 3.
Console#show vlan private-vlan
Primary
Secondary
Type
-------- ----------- ---------5
primary
5
6
community
Console#
4-323
Interfaces
-----------------------------Eth1/ 3
Eth1/ 4 Eth1/ 5
Configuring Private VLAN Interfaces
Use the Private VLAN Port Configuration and Private VLAN Trunk Configuration
menus to set the private VLAN interface type, and assign the interfaces to a private
VLAN.
Command Attributes
• Port/Trunk – The switch interface.
• PVLAN Port Type – Sets the private VLAN port types.
- Normal – The port is not assigned to a private VLAN.
- Host – The port is a community port. A community port can communicate with
other ports in its own community VLAN and with designated promiscuous
port(s).
- Promiscuous – A promiscuous port can communicate with all interfaces within
a private VLAN.
• Primary VLAN – Conveys traffic between promiscuous ports, and between
promiscuous ports and community ports within the associated secondary VLANs.
If PVLAN type is “Promiscuous,” then specify the associated primary VLAN.
• Community VLAN – A community VLAN conveys traffic between community
ports, and from community ports to their designated promiscuous ports. Set
PVLAN Port Type to “Host,” and then specify the associated Community VLAN.
• Trunk – The trunk identifier. (Port Information only)
3-241
3
Configuring the Switch
Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the
PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous
ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports
have been configured, click Apply.
Figure 3-134 Private VLAN Port Configuration
CLI – This example shows the switch configured with primary VLAN 5 and
secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped
to VLAN 5, while ports 4 and 5 have been configured as a host ports and associated
with VLAN 6. This means that traffic for port 4 and 5 can only pass through port 3.
Console(config)#interface ethernet 1/3
Console(config-if)#switchport mode private-vlan promiscuous
Console(config-if)#switchport private-vlan mapping 5
Console(config-if)#exit
Console(config)#interface ethernet 1/4
Console(config-if)#switchport mode private-vlan host
Console(config-if)#switchport private-vlan host-association 6
Console(config-if)#exit
Console(config)#interface ethernet 1/5
Console(config-if)#switchport mode private-vlan host
Console(config-if)#switchport private-vlan host-association 6
Console(config-if)#
4-322
4-323
4-322
4-322
Protocol VLANs
The network devices required to support multiple protocols cannot be easily grouped
into a common VLAN. This may require non-standard devices to pass traffic
between different VLANs in order to encompass all the devices participating in a
specific protocol. This kind of configuration deprives users of the basic benefits of
VLANs, including security and easy accessibility.
To avoid these problems, you can configure this switch with protocol-based VLANs
that divide the physical network into logical VLAN groups for each required protocol.
When a frame is received at a port, its VLAN membership can then be determined
based on the protocol type being used by the inbound packets.
3-242
3
VLAN Configuration
Command Usage
To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use (page 3-221).
Although not mandatory, we suggest configuring a separate VLAN for each
major protocol running on your network. Do not add port members at this time.
2. Create a protocol group for each of the protocols you want to assign to a VLAN
using the Protocol VLAN Configuration page.
3. Then map the protocol for each interface to the appropriate VLAN using the
Protocol VLAN Port Configuration page.
When MAC-based, IP subnet-based, and protocol-based VLANs are supported
concurrently, priority is applied in this sequence, and then port-based VLANs last.
Configuring Protocol VLAN Groups
Use the Protocol VLAN Configuration menu to create or remove protocol groups.
Command Attributes
• Protocol Group ID – Protocol Group ID assigned to the Protocol VLAN Group.
(Range: 1-2147483647)
• Frame Type – Frame type used by this protocol. (Options: Ethernet, RFC 1042,
LLC Other)
• Protocol Type – Specifies the protocol type to match. The available options are
IP, ARP, and RARP. If LLC Other is chosen for the Frame Type, the only available
Protocol Type is IPX Raw.
Note: Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN
(VLAN 1) that has been configured with the switch’s administrative IP. IP Protocol
Ethernet traffic must not be mapped to another VLAN or you will lose
administrative network connectivity to the switch. If lost in this manner, network
access can be regained by removing the offending Protocol VLAN rule via the
console. Alternately, the switch can be power-cycled, however all unsaved
configuration changes will be lost.
Web – Click VLAN, Protocol VLAN, Configuration. Enter a protocol group ID, frame
type and protocol type, then click Apply.
Figure 3-135 Protocol VLAN Configuration
3-243
3
Configuring the Switch
CLI – This example creates protocol group 1 for Ethernet frames using the IP
protocol, and group 2 for Ethernet frames using the ARP protocol.
Console(config)#protocol-vlan protocol-group 1
add frame-type ethernet protocol-type ip
Console(config)#protocol-vlan protocol-group 2
add frame-type ethernet protocol-type arp
Console(config)#
4-325
Mapping Protocols to VLANs
Use the Protocol VLAN System Configuration menu to map a Protocol VLAN Group
to a VLAN.
Command Usage
• When creating a protocol-based VLAN, only assign interfaces using this
configuration screen. If you assign interfaces using any of the other VLAN menus
such as the VLAN Static Table (page 3-223) or VLAN Static Membership by Port
menu (page 3-225), these interfaces will admit traffic of any protocol type into the
associated VLAN.
• When a frame enters a port that has been assigned to a protocol VLAN, it is
processed in the following manner:
- If the frame is tagged, it will be processed according to the standard rules applied
to tagged frames.
- If the frame is untagged and the protocol type matches, the frame is forwarded
to the appropriate VLAN.
- If the frame is untagged but the protocol type does not match, the frame is
forwarded to the default VLAN for this interface.
Command Attributes
• Protocol Group ID – Protocol Group ID assigned to the Protocol VLAN Group.
(Range: 1-2147483647)
• VLAN ID – VLAN to which matching protocol traffic is forwarded. (Range: 1-4094)
Web – Click VLAN, Protocol VLAN, System Configuration. Enter a protocol group
ID, the corresponding VLAN ID, and click Apply.
Figure 3-136 Protocol VLAN System Configuration
3-244
3
VLAN Configuration
CLI – This example shows the switch configured with Protocol Group 2 mapped to
VLAN 2.
Console(config)#protocol-vlan protocol-group 2 vlan 2
Console(config)#
4-325
Configuring VLAN Mirroring
You can mirror traffic from one or more source VLANs to a target port for real-time
analysis. You can then attach a logic analyzer or RMON probe to the target port and
study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
Command Usage
• All active ports in a source VLAN are monitored for ingress traffic only.
• All VLAN mirror sessions must share the same target port.
• When VLAN mirroring and port mirroring are both enabled, they must use the same
target port.
• When VLAN mirroring and port mirroring are both enabled, the target port can
receive a mirrored packet twice; once from the source mirror port and again from
the source mirrored VLAN.
• The target port receives traffic from all monitored source VLANs and can become
congested. Some mirror traffic may therefore be dropped from the target port.
Note: Spanning Tree BPDU packets are not mirrored to the target port.
Command Attributes
• Mirror Sessions – Displays a list of current mirror sessions.
• Source VLAN – A VLAN whose traffic will be monitored. (Range: 1-4094)
• Target Port – The destination port that receives the mirrored traffic from the source
VLAN. (Range: 1-28)
Web – Click VLAN, VLAN Mirror Configuration. Select the source VLAN, select a
target port that is not a member of the source VLAN, and click Apply.
Figure 3-137 VLAN Mirror Configuration
3-245
3
Configuring the Switch
CLI – This example mirrors all traffic entering VLAN 1 to port 28.
Console(config)#interface ethernet 1/1
Console(config-if)#port monitor vlan 1
Console(config-if)#
4-222
4-262
Configuring IP Subnet VLANs
When using port-based classification, all untagged frames received by a port are
classified as belonging to the VLAN whose VID (PVID) is associated with that port.
When IP subnet-based VLAN classification is enabled, the source address of
untagged ingress frames are checked against the IP subnet-to-VLAN mapping table.
If an entry is found for that subnet, these frames are assigned to the VLAN indicated
in the entry. If no IP subnet is matched, the untagged frames are classified as
belonging to the receiving port’s VLAN ID (PVID).
Command Usage
• Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an
IP address and a mask.
• When an untagged frame is received by a port, the source IP address is checked
against the IP subnet-to-VLAN mapping table, and if an entry is found, the
corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID
of the receiving port is assigned to the frame.
• The IP subnet cannot be a broadcast or multicast IP address.
• When MAC-based, IP subnet-based, and protocol-based VLANs are supported
concurrently, priority is applied in this sequence, and then port-based VLANs last.
Command Attributes
• IP Address – The IP address for a subnet. Valid IP addresses consist of four
decimal numbers, 0 to 255, separated by periods.
• Subnet Mask – This mask identifies the host address bits of the IP subnet.
• VLAN ID – VLAN to which matching IP subnet traffic is forwarded. (Range: 1-4094)
3-246
3
VLAN Configuration
Web – Click VLAN, IP Subnet VLAN, Configuration. Enter the IP address, subnet
mask, and the VLAN to which matching frames will be forwarded. Then click Apply.
Figure 3-138 IP Subnet VLAN Configuration
CLI – This example maps all traffic from the IP subnet of 192.168.2.0 to VLAN 2.
Console(config)#subnet-vlan subnet 192.168.1.0 255.255.255.0 vlan 2
Console(config)#
4-328
Configuring MAC-based VLANs
The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames
according to source MAC addresses.
When MAC-based VLAN classification is enabled, untagged frames received by a
port are assigned to the VLAN which is mapped to the frame’s source MAC address.
When no MAC address is matched, untagged frames are assigned to the receiving
port’s native VLAN ID (PVID).
Command Usage
•
•
•
•
The MAC-to-VLAN mapping applies to all ports on the switch.
Source MAC addresses can be mapped to only one VLAN ID.
Configured MAC addresses cannot be broadcast or multicast addresses.
When MAC-based, IP subnet-based, and protocol-based VLANs are supported
concurrently, priority is applied in this sequence, and then port-based VLANs last.
Command Attributes
• MAC Address – A source MAC address which is to be mapped to a specific VLAN.
The MAC address must be specified in the format xx-xx-xx-xx-xx-xx.
• VLAN ID – VLAN to which ingress traffic matching the specified source MAC
address is forwarded. (Range: 1-4094)
3-247
3
Configuring the Switch
Web – Click VLAN, MAC-based VLAN, Configuration. Enter the MAC address, the
VLAN to which matching frames will be forwarded, and then click Apply.
Figure 3-139 MAC-based VLAN Configuration
CLI – This example maps all traffic matching the specified address to VLAN 2.
Console(config)#mac-vlan mac-address 00-ab-cd-11-22-33 vlan 2
Console(config)#
4-329
OAM Configuration
The switch provides OAM (Operation, Administration, and Maintenance) remote
management tools required to monitor and maintain the links to subscriber CPEs
(Customer Premise Equipment). This section describes functions including enabling
OAM for selected ports, loopback testing, and displaying device information.
Note: The switch also provides extended configuration options for CPEs through the
Remote Device menu.
Enabling OAM on Local Ports
Not all CPEs support operation and maintenance (OAM) functions, and OAM is
therefore disabled by default. If a CPE supports OAM, then this functionality must
first be enabled on the connected port to gain access to the configuration functions
provided under the OAM menu and Remote Device menu.
Command Attributes
• Port – Port identifier. (Range: 1-28)
• Admin Status – Enables or disables OAM functions. (Default: Disabled)
3-248
3
OAM Configuration
• Operation State – Shows the operational state between the local and remote OAM
devices. This value is always “disabled” if OAM is disabled on the local interface.
Table 3-15 OAM Operation Status
State
Description
Disabled
OAM is disabled on this interface via the OAM Admin Status.
Link Fault
The link has detected a fault or the interface is not operational.
Passive Wait
This value is returned only by OAM entities in passive mode and
indicates the OAM entity is waiting to see if the peer device is OAM
capable.
Active Send Local
This value is used by active mode devices and indicates the OAM entity
is actively trying to discover whether the peer has OAM capability but
has not yet made that determination.
Send Local And Remote
The local OAM entity has discovered the peer but has not yet accepted
or rejected the configuration of the peer.
Send Local And Remote OK
OAM peering is allowed by the local device.
OAM Peering Locally Rejected
The local OAM entity rejects the peering.
OAM Peering Remotely
Rejected
The remote OAM entity rejects the peering.
Operational
When the local OAM entity learns that both it and the remote OAM
entity have accepted the peering, the state moves to this state.
Non Oper Half Duplex
This state is returned whenever Ethernet OAM is enabled but the
interface is in half-duplex operation.
• Mode – Sets the OAM operation mode. (Default: Active)
- Active – All OAM functions are enabled.
- Passive – All OAM functions are enabled, except for OAM discovery, sending
variable request OAMPDUs, and sending loopback control OAMPDUs.
• Critical Link Event – Controls reporting of critical link events to its OAM peer.
- Dying Gasp – If an unrecoverable condition occurs, the local OAM entity (i.e.,
this switch) indicates this by immediately sending an OAMPDU to its peer with
the appropriate flag set and stores this information in its OAM event log.
(Default: Enabled)
Dying gasp events are caused by an unrecoverable failure, such as a power
failure or device reset.
- Critical Event – If a critical event occurs, the local OAM entity indicates this to
its peer by setting the appropriate flag in the next OAMPDU to be sent and stores
this information in its OAM event log. (Default: Enabled)
Critical events include various failures, such as abnormal voltage fluctuations,
out-of-range temperature detected, fan failure, CRC error in flash memory,
insufficient memory, or other hardware faults.
3-249
3
Configuring the Switch
Web – Click OAM, OAM Configuration. Set the OAM administrative status and
operational mode for the required ports. Specify whether or not critical link events
will be reported by the switch. Then click Apply.
Figure 3-140 Enabling OAM for Local Ports
CLI – This example enables active mode OAM on port 1, and enables the reporting
of critical link events.
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam
Successfully enabled OAM on port(s) 1/1.
Console(config-if)#efm oam mode active
Successfully updated OAM mode to active on port(s) 1/1.
Console(config-if)#efm oam critical-link-event dying-gasp
Console(config-if)#efm oam critical-link-event critical-event
Console(config-if)#end
Console#show efm oam status interface 1/1
OAM information of Eth 1/1:
Basic Information:
Admin State
: Enabled
Operation State
: Active Send Local
Mode
: Active
Remote Loopback
: Disabled
Remote Loopback Status
: No loopback
Dying Gasp
: Enabled
Critical Event
: Enabled
Link Monitor (Errored Frame)
: Enabled
Link Monitor:
Errored Frame Window (100msec) : 10
Errored Frame Threshold
: 1
Console#
3-250
4-222
4-338
4-339
4-340
4-340
4-352
OAM Configuration
3
Reporting of Errored Frame Link Events
Use the Errored Frame Configuration page to enable the reporting of errored frame
link events based on a specified sampling window and threshold.
Command Usage
• An errored frame is a frame in which one or more bits are errored.
• An errored frame link event occurs if the threshold is reached or exceeded within
the specified period.
• If reporting is enabled and an errored frame link event occurs, the local OAM entity
(this switch) sends an Event Notification OAMPDU to the remote OAM entity. The
Errored Frame Event TLV includes the number of errored frames detected during
the specified period.
Command Attributes
• Port – Port identifier. (Range: 1-28)
• Status – Enables reporting of errored frame link events. (Default: Enabled)
• Window Size (1/10 sec.) – The period of time in which to check the reporting
threshold for errored frame link events. (Range: 10-65535 units of 10 milliseconds;
Default: 10 units of 10 milliseconds, or the equivalent of 1 second)
• Threshold Count – The threshold for errored frame link events.
(Range: 1-65535; Default: 1)
Web – Click OAM, Errored Frame Configuration. Set the status for reporting errored
frame link events, along with the required window size and threshold. Click Apply.
Figure 3-141 Reporting Errored Frame Link Events
3-251
3
Configuring the Switch
CLI – This example enables reporting of errored frame link events on port 1, and
then sets the required window size and threshold.
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam link-monitor frame
Console(config-if)#efm oam link-monitor frame window 50
Console(config-if)#efm oam link-monitor frame threshold 5
Console(config-if)#end
Console#show efm oam status interface 1/1
OAM information of Eth 1/1:
Basic Information:
Admin State
: Enabled
Operation State
: Operational
Mode
: Active
Remote Loopback
: Disabled
Remote Loopback Status
: No loopback
Dying Gasp
: Enabled
Critical Event
: Enabled
Link Monitor (Errored Frame)
: Enabled
Link Monitor:
Errored Frame Window (100msec) : 50
Errored Frame Threshold
: 5
Console#
3-252
4-222
4-340
4-341
4-341
4-352
3
OAM Configuration
Displaying Statistics for OAM Messages
Use the Counters page to display statistics for the various types of OAM messages
passed across each port.
Command Attributes
• Reset – Clears the check box for all ports.
• Select All – Selects all ports for the clear counters function.
• Clear Counters – Clears counters for the selected ports.
• Refresh – Refreshes counters for all ports.
• Port – Port identifier. (Range: 1-28)
• Clear – Clears statistical counters for the selected ports.
• OAMPDU – Message types transmitted and received by the OAM protocol,
including Information OAMPDUs, unique Event OAMPDUs, Loopback Control
OAMPDUs, and Organization Specific OAMPDUs.
Web – Click OAM, Counters.
Figure 3-142 Displaying Statistics for OAM Messages
CLI – This example shows statistics for OAM messages seen on port 1.
Console(config)#interface ethernet 1/1
Console#show efm oam counters interface 1/1
Port OAMPDU Type
TX
RX
---- --------------------- ---------- ---------1/1 Information
2907
62
1/1 Event Notification
0
0
1/1 Loopback Control
1
0
1/1 Organization Specific 0
0
Console#
4-222
4-348
3-253
3
Configuring the Switch
Displaying the OAM Event Log
Use the Event Log page to display link events for the selected port.
Command Usage
• When a link event occurs, no matter whether the location is local or remote, this
information is entered in OAM event log.
• When the log system becomes full, older events are automatically deleted to make
room for new entries.
• The time of locally generated events can be accurately retrieved from the
sysUpTime variable. For remotely generated events, the time of an event is
indicated by the reception of an Event Notification OAMPDU from the peer.
Web – Click OAM, Event Log.
Figure 3-143 Displaying the OAM Event Log
3-254
OAM Configuration
3
CLI – This example shows the event log for port 1.
Console(config)#interface ethernet 1/1
Console#show efm oam event-log interface 1/1
OAM event log of Eth 1/1:
07:46:38 2001/01/01
"Unit 1, Port 1: Critical Event at Remote"
07:46:39 2001/01/01
"Unit 1, Port 1: Critical Event at Remote"
07:46:40 2001/01/01
"Unit 1, Port 1: Critical Event at Remote"
07:46:41 2001/01/01
"Unit 1, Port 1: Critical Event at Remote"
07:46:42 2001/01/01
"Unit 1, Port 1: Critical Event at Remote"
07:46:44 2001/01/01
"Unit 1, Port 1: Critical Event at Remote"
07:46:45 2001/01/01
"Unit 1, Port 1: Critical Event at Remote"
4-222
4-349
Displaying the Status of Remote Interfaces
Use the Remote Interface Status page to display information about attached
OAM-enabled devices.
Command Attributes
• Port – Port identifier. (Range: 1-28)
• MAC Address – MAC address of the OAM peer.
• OUI – Organizational Unit Identifier of the OAM peer.
• Remote Loopback – Shows if remote loopback is supported by the OAM peer.
• Unidirectional Function – Shows if this function is supported by the OAM peer.
If supported, this indicates that the OAM entity supports the transmission of
OAMPDUs on links that are operating in unidirectional mode (where traffic flows in
one direction only). Some newer physical layer devices support the optional ability
to encode and transmit data while one direction of the link is non-operational. This
function allows OAM remote fault indication during fault conditions. This switch
does not support the unidirectional function, but can parse error messages sent
from a peer with unidirectional capability.
• Link Monitor – Shows if the OAM entity can send and receive Event Notification
OAMPDUs.
• MIB Variable Retrieval – Shows if the OAM entity can send and receive Variable
Request and Response OAMPDUs
3-255
3
Configuring the Switch
Web – Click OAM, Remote Interface Status.
Figure 3-144 Displaying Status of Remote Interfaces
CLI – This example shows the status for the remote interface attached to Port 1.
Console#show efm oam status remote interface 1/1
Port MAC Address
OUI
Remote
Unidirectional
Loopback
---- ----------------- ------ -------- -------------1/1 00-01-95-84-CB-90 000084 Disabled Disabled
Console#
3-256
4-353
Link
MIB Variable
Monitor Retrieval
------- -----------Disabled Disabled
3
OAM Configuration
Configuring Remote Device VLANs
Use the Remote Device VLAN page to configure the VLANs to which the attached
device is a tagged member.
Command Attributes
• Port – Port identifier. (Range: 1-28)
• VIDs at Remote – VLANs for which the attached device is a tagged member.
(Default: None)
• Specify a VLAN ID – VLAN ID to assign to attached device. (1-4094)
Web – Click OAM, Remote Device VLAN. Set the VLANs to which the remote
device will be a member, and click Apply.
Figure 3-145 Remote Device VLAN Configuration
CLI – This example assigns the remote device attached to port 1 to VLAN 2.
Console#efm oam remote vlan 1/1 2
Console#
4-343
3-257
3
Configuring the Switch
Resetting a Remote Device
Use the Remote Device Reset page to reset power on the attached CPE, or to
restore its settings to the factory defaults.
Command Attributes
• Port – Port identifier. (Range: 1-28)
• Factory Defaults – This selection will both reset the attached device and restore
its factory default settings. (Default: Disabled)
Web – Click OAM, Remote Device Reset. Select the interface to which a CPE is
attached from the drop-down list, mark the Factory Defaults check box if required,
and click Apply.
Figure 3-146 Remote Device Reset
CLI – This example resets the CPE attached to port 1. After rebooting, it then resets
the device to its factory default settings.
Console#efm
oam remote reset 1/1
.
.
.
Console#efm oam remote factory-default 1/1
4-342
4-342
Configuring General Settings on a Remote Port
Use the Remote Port Configuration page to configure general settings for a LAN port
on the attached CPE.
Command Attributes
• Port – Port identifier. (Range: 1-28)
• Remote Port – Port number on attached CPE. (Range: 1-16)
• Query – Displays the configured settings for the selected remote port.
• Shutdown – Shuts down a port on the attached CPE.
This command allows you to disable a port due to abnormal behavior (e.g.,
excessive collisions), and then reenable it after the problem has been resolved.
You may also want to disable a port for security reasons.
Default VLAN – Sets the PVID (or native VLAN) for a port on the attached
CPE. The remote port will be added to the default VLAN as an untagged
member. (Range: 1-4094, no leading zeroes)
3-258
OAM Configuration
3
• Default Priority Value – Sets the priority for incoming untagged frames for a port
on the attached CPE. (Range: 0-7; Default: 0)
The default priority applies for an untagged frame received on a port. This priority
does not apply to IEEE 802.1Q VLAN tagged frames. If the incoming frame is an
IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
This CPE provides eight priority queues for each port. Inbound frames that do not
have VLAN tags are tagged with the input port’s default priority, and then placed in
the appropriate priority queue at the output port. The default priority for all ingress
ports is zero. Therefore, any inbound frames that do not have priority tags will be
placed in queue 0 of the output port by default. (Note that if the output port is an
untagged member of the associated VLAN, these frames are stripped of all VLAN
tags prior to transmission.)
• IGMP Snooping – Enables IGMP snooping on a port on the attached CPE.
(Default: Disabled)
Web – Click OAM, Remote Port Configuration. Select the interface to which a CPE
is attached, select a port on the CPE, set the required attributes, and click Apply.
Figure 3-147 Remote Port Configuration
CLI – This example configures various attributes for remote port 1 on the CPE
attached to local port 1.
Console#efm
Console#efm
Console#efm
Console#efm
Console#
oam
oam
oam
oam
remote-port
remote-port
remote-port
remote-port
shudown 1/1 1
default-vlan 1/1 1 2
default-priority 1/1 1 2
igmp-snooping 1/1 1
4-345
4-344
4-343
4-345
3-259
3
Configuring the Switch
Displaying Statistics for a Remote Port
Use the Remote Port Counters page to display statistics for traffic crossing a LAN
port on the remote device.
Command Attributes
• Port – Port identifier. (Range: 1-28)
• Remote Port – Port number on attached CPE. (Range: 1-16)
• Query – Displays statistical counters for the selected remote port.
• Item – Variables for traffic crossing the specified port.
Table 3-16 Remote Port Statistics
Parameter
Description
In Unicast
The number of subnetwork-unicast packets delivered to a higher-layer protocol.
In Broadcast
The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were
addressed to a broadcast address at this sub-layer.
In Multicast
The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were
addressed to a multicast address at this sub-layer.
In Pause
The number of pause frames received on this interface.
Out Unicast
The total number of packets that higher-level protocols requested be transmitted to a
subnetwork-unicast address, including those that were discarded or not sent.
Out Broadcast
The total number of packets that higher-level protocols requested be transmitted, and
which were addressed to a broadcast address at this sub-layer, including those that
were discarded or not sent.
Out Multicast
The total number of packets that higher-level protocols requested be transmitted, and
which were addressed to a multicast address at this sub-layer, including those that
were discarded or not sent.
In FCS Errors
A count of frames received on a particular interface that are an integral number of
octets in length but do not pass the FCS check. This count does not include frames
received with frame-too-long or frame-too-short error.
Out FCS Errors
A count of frames transmitted on a particular interface that are an integral number of
octets in length but do not pass the FCS check.
Alignment Errors The number of alignment errors (missynchronized data packets).
Under Errors
The total number of frames received that were less than 64 octets long (excluding
framing bits, but including FCS octets) and were otherwise well formed.
In Good Octets
The total number of good octets received on the interface, including framing characters.
Out Good Octets The total number of octets transmitted out of the interface, including framing characters.
In Bad Octets
The number of inbound packets that contained errors preventing them from being
deliverable to a higher-layer protocol.
In Discards
The number of inbound packets which were chosen to be discarded even though no
errors had been detected to prevent their being deliverable to a higher-layer protocol.
One possible reason for discarding such a packet could be to free up buffer space.
• Count – Value of statistical variable.
3-260
3
OAM Configuration
Web – Click OAM, Remote Port Counters. Select the interface to which a CPE is
attached, select a port on the CPE, and click Query.
Figure 3-148 Remote Port Counters
CLI – This example statistical counters for remote port 1 on the CPE attached to
local port 1.
Console#show efm oam remote-port counters interface 1/1 1
Statistics of remote port 1 on ethernet 1/1
In Unicast: 0
In Broadcast: 0
In Multicast: 0
In Pause: 0
Out Unicast: 0
Out Broadcast: 0
Out Multicast: 0
In FCS Errors: 0
Out FCS Errors: 0
Alignment Errors: 0
Under Errors: 0
In Good Octets: 0
Out Good Octets:
In Bad Octets: 0
In Discards: 0
Console#
4-350
Configuring a Remote Loopback Test
Use the Remote Loopback Test page to initiate a loopback test to the peer device
attached to the selected port.
Command Usage
• You can use this command to perform an OAM remote loopback test on the
specified port. The port that you specify to run this test must be connected to a peer
OAM device capable of entering into OAM remote loopback mode. During a
remote loopback test, the remote OAM entity loops back every frame except for
OAMPDUs and pause frames.
• OAM remote loopback can be used for fault localization and link performance
testing. Statistics from both the local and remote DTE can be queried and
compared at any time during loopback testing.
3-261
3
Configuring the Switch
Command Attributes
• Port – Port identifier. (Range: 1-28)
Loopback Test Parameters
• Number of Packets – Number of packets to send. (Range: 1-99999999;
Default: 10000)
• Packet Size – Size of packets to send. (Range: 64-1518 bytes; Default: 64 bytes)
• Test – Starts the loopback test.
• End – Stops the loopback test.
Loopback Status of Remote Device
• Remote Loopback Mode – Shows if lookback mode is enabled on the peer. This
attribute must be enabled before starting the loopback test.
• Remote Loopback Status – Shows the loopback status on the peer. The
loopback states shown in this field are described below.
Table 3-17 Remote Loopback Status
State
Description
No Loopback
Operating in normal mode with no loopback in progress.
Initiating Loopback
The local OAM entity is starting the loopback process with its peer. It
has yet to receive any acknowledgement that the remote OAM entity
has received its loopback command request.
Remote Loopback
The local OAM client knows that the remote OAM entity is in loopback
mode.
Terminating Loopback
The local OAM client is in the process of terminating the remote
loopback.
Local Loopback
The remote OAM client has put the local OAM entity in loopback mode.
Unknown
This status may be returned if the OAM loopback is in a transition state
but should not persist.
• Packets Transmitted – The number of loopback frames transmitted during the
current loopback test on this interface.
• Packets Received – The number of loopback frames received during the current
loopback test on this interface
• Refresh – Refreshes statistical counters for the remote loopback test.
3-262
3
OAM Configuration
Web – Click OAM, Remote Loopback Test. Select the port on which to initiate
remote loopback testing, enable the Remote Loopback Mode attribute, and click
Apply. Set the number of packets to send and the packet size, and then click Test.
Figure 3-149 Running a Remote Loopback Test
CLI – This example shows several ways of running a loopback test from port 1.
Console#efm oam remote-loopback test 1/1
Loopback test is processing, press ESC to suspend.
............
Port OAM loopback Tx OAM loopback Rx
---- --------------- --------------1/1 1100
1100
Console#efm oam remote-loopback start 1/1
Loopback operation is processing, please wait.
Enter loopback mode succeeded.
Console#efm oam remote-loopback stop 1/1
Loopback operation is processing, please wait.
Exit loopback mode succeeded.
Console#
4-347
4-346
4-346
3-263
3
Configuring the Switch
Displaying the Results of Remote Loopback Testing
Use the Remote Loopback Test Results page to display the results of remote
loopback testing for each port for which this information is available.
Command Attributes
• Port – Port identifier. (Range: 1-28)
• Packets Transmitted – The number of loopback frames transmitted during the
last loopback test on this interface.
• Packets Received – The number of loopback frames received during the last
loopback test on this interface
Web – Click OAM, Remote Loopback Test Results.
Figure 3-150 Displaying the Results of Remote Loopback Testing
CLI – This example shows the event log for port 1.
Console#show efm oam
Port OAM loopback Tx
---- --------------1/1 10000
Console#
3-264
remote-loopback interface 1/1
OAM loopback Rx
--------------10000
4-353
Link Layer Discovery Protocol
3
Link Layer Discovery Protocol
Link Layer Discovery Protocol (LLDP) is used to discover basic information about
neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that
uses periodic broadcasts to advertise information about the sending device.
Advertised information is represented in Type Length Value (TLV) format according
to the IEEE 802.1ab standard, and can include details such as device identification,
capabilities and configuration settings. LLDP also defines how to store and maintain
information gathered about the neighboring network nodes it discovers.
Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) is an
extension of LLDP intended for managing endpoint devices such as Voice over IP
phones and network switches. The LLDP-MED TLVs advertise information such as
network policy, power, inventory, and device location details. LLDP and LLDP-MED
information can be used by SNMP applications to simplify troubleshooting, enhance
network management, and maintain an accurate network topology.
Setting LLDP Timing Attributes
Use the LLDP Configuration screen to set attributes for general functions such as
globally enabling LLDP on the switch, setting the message ageout time, and setting
the frequency for broadcasting general advertisements or reports about changes in
the LLDP MIB.
Command Attributes
• LLDP – Enables LLDP globally on the switch. (Default: Enabled)
• Transmission Interval – Configures the periodic transmit interval for LLDP
advertisements. (Range: 5-32768 seconds; Default: 30 seconds)
This attribute must comply with the following rule:
(Transmission Interval * Hold Time Multiplier) ≤ 65536, and
Transmission Interval >= (4 * Delay Interval)
• Hold Time Multiplier – Configures the time-to-live (TTL) value sent in LLDP
advertisements as shown in the formula below. (Range: 2-10; Default: 4)
The time-to-live tells the receiving LLDP agent how long to retain all information
pertaining to the sending LLDP agent if it does not transmit updates in a timely
manner.
TTL in seconds is based on the following rule:
(Transmission Interval * Holdtime Multiplier) ≤ 65536.
Therefore, the default TTL is 4*30 = 120 seconds.
• Delay Interval – Configures a delay between the successive transmission of
advertisements initiated by a change in local LLDP MIB variables.
(Range: 1-8192 seconds; Default: 2 seconds)
The transmit delay is used to prevent a series of successive LLDP transmissions
during a short period of rapid changes in local LLDP MIB objects, and to increase
the probability that multiple, rather than single changes, are reported in each
transmission.
3-265
3
Configuring the Switch
This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval
• Reinitialization Delay – Configures the delay before attempting to re-initialize
after LLDP ports are disabled or the link goes down. (Range: 1-10 seconds;
Default: 2 seconds)
When LLDP is re-initialized on a port, all information in the remote systems LLDP
MIB associated with this port is deleted.
• Notification Interval – Configures the allowed interval for sending SNMP
notifications about LLDP MIB changes. (Range: 5-3600 seconds;
Default: 5 seconds)
This parameter only applies to SNMP applications which use data stored in the
LLDP MIB for network monitoring or management.
Information about changes in LLDP neighbors that occur between SNMP
notifications is not transmitted. Only state changes that exist at the time of a
notification are included in the transmission. An SNMP agent should therefore
periodically check the value of lldpStatsRemTableLastChangeTime to detect any
lldpRemTablesChange notification-events missed due to throttling or transmission
loss.
• MED Fast Start Count – Configures the amount of LLDP MED Fast Start
LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start
mechanism. (Range: 1-10 packets; Default: 4 packets)
The MED Fast Start Count parameter is part of the timer which ensures that the
LLDP-MED Fast Start mechanism is active for the port. LLDP-MED Fast Start is
critical to the timely startup of LLDP, and therefore integral to the rapid availability
of Emergency Call Service.
Web – Click LLDP, Configuration. Enable LLDP, modify any of the timing parameters
as required, and click Apply.
Figure 3-151 LLDP Configuration
3-266
Link Layer Discovery Protocol
3
CLI – This example sets several attributes which control basic LLDP message timing.
Console(config)#lldp
Console(config)#lldp refresh-interval 60
Console(config)#lldp holdtime-multiplier 10
Console(config)#lldp tx-delay 10
Console(config)#lldp reinit-delay 10
Console(config)#lldp notification-interval 30
Console(config)#lldp medFastStartCount 6
Console(config)#exit
Console#show lldp config
LLDP Global Configuation
LLDP Enable
LLDP Transmit interval
LLDP Hold Time Multiplier
LLDP Delay Interval
LLDP Reinit Delay
LLDP Notification Interval
.
.
.
:
:
:
:
:
:
4-356
4-358
4-356
4-359
4-358
4-357
4-357
Yes
60
10
10
10
30
Configuring LLDP Interface Attributes
Use the LLDP Port/Trunk Configuration to specify the message attributes for
individual interfaces, including whether messages are transmitted, received, or both
transmitted and received, whether SNMP notifications are sent, and the type of
information advertised.
Command Attributes
• Admin Status – Enables LLDP message transmit and receive modes for LLDP
Protocol Data Units. (Options: Tx only, Rx only, TxRx, Disabled; Default: TxRx)
• SNMP Notification – Enables the transmission of SNMP trap notifications about
LLDP and LLDP-MED changes. (Default: Enabled)
This option sends out SNMP trap notifications to designated target stations at the
interval specified by the Notification Interval in the preceding section. Trap
notifications include information about state changes in the LLDP MIB
(IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA-1057), or vendor-specific
LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
For information on defining SNMP trap destinations, see "Specifying Trap
Managers and Trap Types" on page 3-53.
Information about additional changes in LLDP neighbors that occur between
SNMP notifications is not transmitted. Only state changes that exist at the time of
a trap notification are included in the transmission. An SNMP agent should
therefore periodically check the value of lldpStatsRemTableLastChangeTime to
detect any lldpRemTablesChange notification-events missed due to throttling or
transmission loss.
3-267
3
Configuring the Switch
• TLV Type – Configures the information included in the TLV field of advertised
messages.
- Port Description – The port description is taken from the ifDescr object in
RFC 2863, which includes information about the manufacturer, the product
name, and the version of the interface hardware/software.
- System Description – The system description is taken from the sysDescr
object in RFC 3418, which includes the full name and version identification of the
system's hardware type, software operating system, and networking software.
- Management Address – The management address protocol packet includes
the IPv4 address of the switch. If no management address is available, the
address should be the MAC address for the CPU or for the port sending this
advertisement.
The management address TLV may also include information about the specific
interface associated with this address, and an object identifier indicating the type
of hardware component or protocol entity associated with this address. The
interface number and OID are included to assist SNMP applications in the
performance of network discovery by indicating enterprise specific or other
starting points for the search, such as the Interface or Entity MIB.
Since there are typically a number of different addresses associated with a
Layer 3 device, an individual LLDP PDU may contain more than one
management address TLV.
Every management address TLV that reports an address that is accessible on a
port and protocol VLAN through the particular port should be accompanied by a
port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated
with the management address reported by this TLV.
- System Name – The system name is taken from the sysName object in
RFC 3418, which contains the system’s administratively assigned name. To
configure the system name, see "Displaying System Information" on page 3-13.
- System Capabilities – The system capabilities identifies the primary function(s)
of the system and whether or not these primary functions are enabled. The
information advertised by this TLV is described in IEEE 802.1AB.
• MED TLV Type – Configures the information included in the MED TLV field of
advertised messages.
- Port Capabilities – This option advertises LLDP-MED TLV capabilities, allowing
Media Endpoint and Connectivity Devices to efficiently discover which
LLDP-MED related TLVs are supported on the switch.
- Network Policy – This option advertises network policy configuration
information, aiding in the discovery and diagnosis of VLAN configuration
mismatches on a port. Improper network policy configurations frequently result
in voice quality degradation or complete service disruption.
- Location – This option advertises location identification details.
- Extended Power – This option advertises extended Power-over-Ethernet
capability details, such as power availability from the switch, and power state of
the switch, including whether the switch is operating from primary or backup
3-268
Link Layer Discovery Protocol
3
power (the Endpoint Device could use this information to decide to enter power
conservation mode). Note that this device does not support PoE capabilities.
- Inventory – This option advertises device details useful for inventory
management, such as manufacturer, model, software version and other
pertinent information.
• MED Notification – Enables the transmission of SNMP trap notifications about
LLDP-MED changes. (Default: Enabled)
• Trunk – The trunk identifier. (Port Information only)
Web – Click LLDP, Port/Trunk Configuration. Set the LLDP transmit/receive mode,
specify whether or not to send SNMP trap messages, select the information to
advertise in LLDP messages, select the information to advertise in MED-TLV
messages and specify whether or not to send MED notifications. Then click Apply.
Figure 3-152 LLDP Port Configuration
3-269
3
Configuring the Switch
CLI – This example sets the interface to both transmit and receive LLDP messages,
enables SNMP trap messages, enables MED notification, and specifies the TLV,
MED-TLV, dot1-TLV and dot3-TLV parameters to advertise.
Console(config)#interface ethernet 1/1
Console(config-if)#lldp admin-status tx-rx
Console(config-if)#lldp notification
Console(config-if)#lldp medNotification
Console(config-if)#lldp basic-tlv port-description
Console(config-if)#lldp basic-tlv system-description
Console(config-if)#lldp basic-tlv management-ip-address
Console(config-if)#lldp basic-tlv system-name
Console(config-if)#lldp basic-tlv system-capabilities
Console(config-if)#lldp medtlv extPoe
Console(config-if)#lldp medtlv inventory
Console(config-if)#lldp medtlv location
Console(config-if)#lldp medtlv med-cap
Console(config-if)#lldp medtlv network-policy
Console(config-if)#lldp dot1-tlv proto-ident
Console(config-if)#lldp dot1-tlv proto-vid
Console(config-if)#lldp dot1-tlv pvid
Console(config-if)#lldp dot1-tlv vlan-name
Console(config-if)#lldp dot3-tlv link-agg
Console(config-if)#lldp dot3-tlv mac-phy
Console(config-if)#lldp dot3-tlv max-frame
Console(config-if)#lldp dot3-tlv poe
Console(config-if)#
4-222
4-360
4-360
4-361
4-362
4-363
4-362
4-364
4-363
4-368
4-369
4-369
4-370
4-370
4-364
4-365
4-365
4-366
4-366
4-367
4-367
4-368
Displaying LLDP Local Device Information
Use the LLDP Local Device Information screen to display information about the
switch, such as its MAC address, chassis ID, management IP address, and port
information.
Field Attributes
Global Settings
• Chassis Type – Identifies the chassis containing the IEEE 802 LAN entity
associated with the transmitting LLDP agent. There are several ways in which a
chassis may be identified and a chassis ID subtype is used to indicate the type of
component being referenced by the chassis ID field.
Table 3-18 Chassis ID Subtype
ID Basis
Reference
Chassis component EntPhysicalAlias when entPhysClass has a value of ‘chassis(3)’ (IETF RFC 2737)
Interface alias
IfAlias (IETF RFC 2863)
Port component
EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’
(IETF RFC 2737)
MAC address
MAC address (IEEE Std 802-2001)
Network address
networkAddress
Interface name
ifName (IETF RFC 2863)
Locally assigned
locally assigned
3-270
Link Layer Discovery Protocol
3
• Chassis ID – An octet string indicating the specific identifier for the particular
chassis in this system.
• System Name – An string that indicates the system’s administratively assigned
name (see "Displaying System Information" on page 3-13).
• System Description – A textual description of the network entity. This field is also
displayed by the show system command.
• System Capabilities Supported – The capabilities that define the primary
function(s) of the system.
Table 3-19 System Capabilities
ID Basis
Reference
Other
—
Repeater
IETF RFC 2108
Bridge
IETF RFC 2674
WLAN Access Point
IEEE 802.11 MIB
Router
IETF RFC 1812
Telephone
IETF RFC 2011
DOCSIS cable device
IETF RFC 2669 and IETF RFC 2670
End Station Only
IETF RFC 2011
• System Capabilities Enabled – The primary function(s) of the system which are
currently enabled. Refer to the preceding table.
• Management Address – The management address protocol packet includes the
IPv4 address of the switch. If no management address is available, the address
should be the MAC address for the CPU or for the port sending this advertisement.
Interface Settings
The attributes listed below apply to both port and trunk interface types. When a trunk
is listed, the descriptions apply to the first port of the trunk.
• Port Description – A string that indicates the port’s description. If RFC 2863 is
implemented, the ifDescr object should be used for this field.
• Port ID – A string that contains the specific identifier for the port from which this
LLDPDU was transmitted.
3-271
3
Configuring the Switch
Web – Click LLDP, Local Information.
Figure 3-153 LLDP Local Device Information
CLI – This example displays LLDP information for the local switch.
Console#show lldp info local-device
4-373
LLDP Local System Information
Chassis Type : MAC Address
Chassis ID
: 00-01-02-03-04-05
System Name :
System Description : SM24-100SFP-AH
System Capabilities Support : Bridge
System Capabilities Enable : Bridge
Management Address : 192.168.0.101 (IPv4)
LLDP Port Information
Interface |PortID Type
PortID
PortDesc
--------- + ---------------- ----------------- --------------------------Eth 1/1 |MAC Address
00-01-02-03-04-06 Ethernet Port on unit 1, port 1
Eth 1/2 |MAC Address
00-01-02-03-04-07 Ethernet Port on unit 1, port 2
Eth 1/3 |MAC Address
00-01-02-03-04-08 Ethernet Port on unit 1, port 3
Eth 1/4 |MAC Address
00-01-02-03-04-09 Ethernet Port on unit 1, port 4
Eth
1/5
|MAC
Address
00-01-02-03-04-0A Ethernet Port on unit 1, port 5
.
.
.
3-272
3
Link Layer Discovery Protocol
This example displays detailed information for a specific port on the local switch.
Console#show lldp info local-device ethernet 1/1
4-373
LLDP Port Information Detail
Port
: Eth 1/1
Port Type : MAC Address
Port ID
: 00-01-02-03-04-06
Port Desc : Ethernet Port on unit 1, port 1
Console#
Displaying LLDP Remote Port Information
Use the LLDP Remote Port/Trunk Information screen to display information about
devices connected directly to the switch’s ports which are advertising information
through LLDP.
Field Attributes
• Local Port – The local port to which a remote LLDP-capable device is attached.
• Chassis ID – An octet string indicating the specific identifier for the particular
chassis in this system.
• Port ID – A string that contains the specific identifier for the port from which this
LLDPDU was transmitted.
• Port Name – A string that indicates the port’s description. If RFC 2863 is
implemented, the ifDescr object should be used for this field.
• System Name – An string that indicates the system’s administratively assigned
name.
Web – Click LLDP, Remote Port/Trunk Information.
Figure 3-154 LLDP Remote Port Information
CLI – This example displays LLDP information for remote devices attached to this
switch which are advertising information through LLDP.
Console#show lldp info remote-device
4-374
LLDP Remote Devices Information
Interface | ChassisId
PortId
SysName
--------- + ----------------- ----------------- --------------------Eth 1/1
| 00-01-02-03-04-05 00-01-02-03-04-06
Console#
3-273
3
Configuring the Switch
Displaying LLDP Remote Information Details
Use the LLDP Remote Information Details screen to display detailed information
about an LLDP-enabled device connected to a specific port on the local switch.
Field Attributes
• Local Port – The local port to which a remote LLDP-capable device is attached.
• Chassis Type – Identifies the chassis containing the IEEE 802 LAN entity
associated with the transmitting LLDP agent. There are several ways in which a
chassis may be identified and a chassis ID subtype is used to indicate the type of
component being referenced by the chassis ID field. (See Table 3-18, "Chassis ID
Subtype," on page 3-270.)
• Chassis ID – An octet string indicating the specific identifier for the particular
chassis in this system.
• Port Type – Indicates the basis for the identifier that is listed in the Port ID field.
Table 3-20 Port ID Subtype
ID Basis
Reference
Interface alias
IfAlias (IETF RFC 2863)
Chassis component EntPhysicalAlias when entPhysClass has a value of ‘chassis(3)’ (IETF RFC 2737)
Port component
EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’
(IETF RFC 2737)
MAC address
MAC address (IEEE Std 802-2001)
Network address
networkAddress
Interface name
ifName (IETF RFC 2863)
Agent circuit ID
agent circuit ID (IETF RFC 3046)
Locally assigned
locally assigned
• Port Description – A string that indicates the port’s description. If RFC 2863 is
implemented, the ifDescr object should be used for this field.
• Port ID – A string that contains the specific identifier for the port from which this
LLDPDU was transmitted.
• System Name – An string that indicates the system’s assigned name.
• System Description – A textual description of the network entity.
• System Capabilities Supported – The capabilities that define the primary
function(s) of the system. (See Table 3-19, "System Capabilities," on page 3-271.)
• System Capabilities Enabled – The primary function(s) of the system which are
currently enabled. (See Table 3-19, "System Capabilities," on page 3-271.)
• Management Address – The IPv4 address of the remote device. If no
management address is available, the address should be the MAC address for the
CPU or for the port sending this advertisement.
3-274
3
Link Layer Discovery Protocol
Web – Click LLDP, Remote Information Details. Select an interface from the drop
down lists, and click Query.
Figure 3-155 LLDP Remote Information Details
CLI – This example displays LLDP information for an LLDP-enabled remote device
attached to a specific port on this switch.
Console#show lldp info remote-device detail ethernet 1/1
4-374
LLDP Remote Devices Information Detail
--------------------------------------------------------------Local PortName
: Eth 1/1
Chassis Type
: MAC Address
Chassis Id
: 00-01-02-03-04-05
PortID Type
: MAC Address
PortID
: 00-01-02-03-04-06
SysName
:
SysDescr
: EL228
PortDescr
: Ethernet Port on unit 1, port 1
SystemCapSupported : Bridge
SystemCapEnabled
: Bridge
Remote Management Address :
00-01-02-03-04-05 (MAC Address)
Console#
3-275
3
Configuring the Switch
Displaying Device Statistics
Use the LLDP Device Statistics screen to display general statistics for LLDP-capable
devices attached to the switch, and for LLDP protocol messages transmitted or
received on all local interfaces.
Field Attributes
General Statistics on Remote Devices
• Neighbor Entries List Last Updated – The time the LLDP neighbor entry list was
last updated.
• New Neighbor Entries Count – The number of LLDP neighbors for which the
remote TTL has not yet expired.
• Neighbor Entries Deleted Count – The number of LLDP neighbors which have
been removed from the LLDP remote systems MIB for any reason.
• Neighbor Entries Dropped Count – The number of times which the remote
database on this switch dropped an LLDPDU because of insufficient resources.
• Neighbor Entries Age-out Count – The number of times that a neighbor’s
information has been deleted from the LLDP remote systems MIB because the
remote TTL timer has expired.
Interface Statistics on LLDP Protocol Messages
• Num Frames Recvd – Number of LLDP PDUs received.
• Num Frames Sent – Number of LLDP PDUs transmitted.
• Num Frames Discarded – Number of frames discarded because they did not
conform to the general validation rules as well as any specific usage rules defined
for the particular TLV.
Web – Click LLDP, Device Statistics.
Figure 3-156 LLDP Device Statistics
3-276
Link Layer Discovery Protocol
3
CLI – This example displays LLDP statistics received from all LLDP-enabled remote
devices connected directly to this switch.
switch#show lldp info statistics
4-375
LLDP Device Statistics
Neighbor Entries List Last Updated
New Neighbor Entries Count
Neighbor Entries Deleted Count
Neighbor Entries Dropped Count
Neighbor Entries Ageout Count
Interface
--------Eth 1/1
Eth 1/2
Eth 1/3
Eth 1/4
Eth 1/5
.
.
.
|
+
|
|
|
|
|
NumFramesRecvd
-------------10
0
0
0
0
:
:
:
:
:
2450279 seconds
1
0
0
0
NumFramesSent
------------11
0
0
0
0
NumFramesDiscarded
-----------------0
0
0
0
0
Displaying Detailed Device Statistics
Use the LLDP Device Statistics Details screen to display detailed statistics for
LLDP-capable devices attached to specific interfaces on the switch.
Field Attributes
• Frames Discarded – Number of frames discarded because they did not conform
to the general validation rules as well as any specific usage rules defined for the
particular TLV.
• Frames Invalid – A count of all LLDPDUs received with one or more detectable
errors.
• Frames Received – Number of LLDP PDUs received.
• Frames Sent – Number of LLDP PDUs transmitted.
• TLVs Unrecognized – A count of all TLVs not recognized by the receiving LLDP
local agent.
• TLVs Discarded – A count of all LLDPDUs received and then discarded due to
insufficient memory space, missing or out-of-sequence attributes, or any other
reason.
• Neighbor Ageouts – A count of the times that a neighbor’s information has been
deleted from the LLDP remote systems MIB because the remote TTL timer has
expired.
3-277
3
Configuring the Switch
Web – Click LLDP, Device Statistics Details.
Figure 3-157 LLDP Device Statistics Details
CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote
device attached to a specific port on this switch.
switch#show lldp info statistics detail ethernet 1/1
LLDP Port Statistics Detail
PortName
Frames Discarded
Frames Invalid
Frames Received
Frames Sent
TLVs Unrecognized
TLVs Discarded
Neighbor Ageouts
switch#
3-278
:
:
:
:
:
:
:
:
Eth 1/1
0
0
12
13
0
0
0
4-375
Class of Service Configuration
3
Class of Service Configuration
Class of Service (CoS) allows you to specify which data packets have greater
precedence when traffic is buffered in the switch due to congestion. This switch
supports CoS with four priority queues for each port. Data packets in a port’s
high-priority queue will be transmitted before those in the lower-priority queues. You
can set the default priority for each interface, and configure the mapping of frame
priority tags to the switch’s priority queues.
Layer 2 Queue Settings
Setting the Default Priority for Interfaces
You can specify the default port priority for each interface on the switch. All untagged
packets entering the switch are tagged with the specified default port priority, and
then sorted into the appropriate priority queue at the output port.
Command Usage
• This switch provides four priority queues for each port. It uses Weighted Round
Robin to prevent head-of-queue blockage.
• The default priority applies for an untagged frame received on a port set to accept
all frame types (i.e, receives both untagged and tagged frames). This priority does
not apply to IEEE 802.1Q VLAN tagged frames. If the incoming frame is an
IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
• If the output port is an untagged member of the associated VLAN, these frames are
stripped of all VLAN tags prior to transmission.
Command Attributes
• Default Priority16 – The priority that is assigned to untagged frames received on
the specified interface. (Range: 0-7; Default: 0)
• Number of Egress Traffic Classes – The number of queue buffers provided for
each port.
16. CLI displays this information as “Priority for untagged traffic.”
3-279
3
Configuring the Switch
Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default
priority for any interface, then click Apply.
Figure 3-158 Port Priority Configuration
CLI – This example assigns a default priority of 5 to port 3.
Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#end
Console#show interfaces switchport ethernet 1/3
Information of Eth 1/3
Broadcast Threshold:
Enabled, 64 Kbits/second
Multicast Threshold:
Disabled
Unknown-unicast Threshold:
Disabled
LACP Status:
Disabled
Ingress Rate Limit:
Disabled, 100000 Kbits per second
Egress Rate Limit:
Disabled, 100000 Kbits per second
VLAN Membership Mode:
Hybrid
Ingress Rule:
Enabled
Acceptable Frame Type:
All frames
Native VLAN:
1
Priority for Untagged Traffic: 5
GVRP Status:
Disabled
Allowed VLAN:
1(u),4093(t),
Forbidden VLAN:
Private-VLAN Mode:
NONE
Private-VLAN host-association: NONE
Private-VLAN Mapping:
NONE
802.1Q-tunnel Status:
Disable
802.1Q-tunnel Mode:
NORMAL
802.1Q-tunnel TPID:
8100(Hex)
Console#
3-280
4-222
4-377
4-233
Class of Service Configuration
3
Mapping CoS Values to Egress Queues
This switch processes Class of Service (CoS) priority tagged traffic by using four
priority queues for each port, with service schedules based on strict or Weighted
Round Robin (WRR). Up to eight separate traffic priorities are defined in
IEEE 802.1p. The default priority levels are assigned according to recommendations
in the IEEE 802.1p standard as shown in the following table.
Table 3-21 Mapping CoS Values to Egress Queues
Queue
0
1
2
3
Priority
1,2
0,3
4,5
6,7
The priority levels recommended in the IEEE 802.1p standard for various network
applications are shown in the following table. However, you can map the priority
levels to the switch’s output queues in any way that benefits application traffic for
your own network.
Table 3-22 CoS Priority Levels
Priority Level
Traffic Type
1
Background
2
(Spare)
0 (default)
Best Effort
3
Excellent Effort
4
Controlled Load
5
Video, less than 100 milliseconds latency and jitter
6
Voice, less than 10 milliseconds latency and jitter
7
Network Control
3-281
3
Configuring the Switch
Command Attributes
• Priority – CoS value. (Range: 0-7, where 7 is the highest priority)
• Traffic Class17 – Output queue buffer. (Range: 0-3, where 3 is the highest CoS
priority queue)
Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e.,
output queues), then click Apply.
Figure 3-159 Traffic Classes
CLI – The following example shows how to change the CoS assignments.
Console(config)#interface ethernet 1/1
Console(config-if)#queue cos-map 0 0
Console(config-if)#queue cos-map 1 1
Console(config-if)#queue cos-map 2 2
Console(config-if)#end
Console#show queue cos-map ethernet 1/1
Information of Eth 1/1
CoS Value:
0 1 2 3 4 5 6 7
Priority Queue: 0 1 2 1 2 2 3 3
Console#
*
Mapping specific values for CoS priorities is implemented as an interface configuration
command, but any changes will apply to the all interfaces on the switch.
17. CLI shows Queue ID.
3-282
4-222
4-378
4-380
Class of Service Configuration
3
Selecting the Queue Mode
You can set the switch to service the queues based on a strict rule that requires all
traffic in a higher priority queue to be processed before lower priority queues are
serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative
weight of each queue.
Command Usage
• Strict priority requires all traffic in a higher priority queue to be processed before
lower priority queues are serviced.
• WRR uses a relative weighting for each queue which determines the amount of
packets the switch transmits every time it services each queue before moving on
to the next queue. Thus, a queue weighted 8 will be allowed to transmit up to 8
packets, after which the next lower priority queue will be serviced according to it’s
weighting. This prevents the head-of-line blocking that can occur with strict priority
queuing.
Command Attributes
• WRR - Weighted Round-Robin shares bandwidth at the egress ports by using
scheduling weights with default values of 1, 2, 4, 8 for queues 0 through 3,
respectively. (This is the default selection.)
• Strict - Services the egress queues in sequential order, transmitting all traffic in the
higher priority queues before servicing lower priority queues.
Web – Click Priority, Queue Mode. Select Strict or WRR, then click Apply.
Figure 3-160 Queue Mode
CLI – The following sets the queue mode to strict priority service mode.
Console(config)#queue mode strict
Console(config)#exit
Console#show queue mode
Queue mode: strict
Console#
4-376
4-379
3-283
3
Configuring the Switch
Displaying the Service Weight for Traffic Classes
This switch uses the Weighted Round Robin (WRR) algorithm to determine the
frequency at which it services each priority queue. As described in "Mapping CoS
Values to Egress Queues" on page 3-281, the traffic classes are mapped to one of
the four egress queues provided for each port. This weight sets the limit for the
number of packets the switch will transmit each time the queue is serviced, and
subsequently affects the response time for software applications assigned a specific
priority value.
Note: This switch does not allow the queue service weights to be set. The weights are
fixed as 1, 2, 4, 8, for queues 0 through 3 respectively.
Command Attributes
• WRR Setting Table18 – Displays a list of weights for each traffic class (i.e., queue).
• Weight Value – Displays the weight for each traffic class.
Web – Click Priority, Queue Scheduling.
Figure 3-161 Displaying Queue Scheduling
CLI – The following example shows how to display the WRR weights assigned to
each of the priority queues.
Console#show queue bandwidth
Queue ID Weight
-------- -----0
1
1
2
2
4
3
8
Console
18. CLI shows Queue ID.
3-284
4-379
Class of Service Configuration
3
Layer 3/4 Priority Settings
Mapping Layer 3/4 Priorities to CoS Values
This switch supports one method of prioritizing layer 3/4 traffic to meet application
requirements. Traffic priorities can be specified in the IP header of a frame, using the
priority bits in the Type of Service (ToS) octet or the number of the TCP/UDP port. If
the priority bits are used, the ToS octet may contain six bits for Differentiated
Services Code Point (DSCP) service. When these service is enabled, the priorities
are mapped to a Class of Service value by the switch, and the traffic then sent to the
corresponding output queue.
Because different priority information may be contained in the traffic, this switch
maps priority values to the output queues in the following manner – The precedence
for priority mapping is IP DSCP Priority and then Default Port Priority.
Enabling IP DSCP Priority
The switch allows you to enable or disable the IP DSCP priority.
Command Attributes
• IP DSCP Priority Status – The following options are:
- Disabled – Disables the priority service. (Default Setting: Disabled)
- IP DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point
Mapping.
Web – Click Priority, IP DSCP Priority Status. Select IP DSCP from the drop down
menu, then click Apply.
Figure 3-162 IP DSCP Priority Status
3-285
3
Configuring the Switch
CLI – The following example globally enables DSCP Priority service on the switch.
Console(config)#map ip dscp
Console(config)#end
Console#show map ip dscp
dscp Mapping Status: Enabled
4-381
4-383
DSCP COS
---- --0
1
1
0
2
0
3
0
.
.
.
Mapping DSCP Priority
The DSCP is six bits wide, allowing coding for up to 64 different forwarding
behaviors. The DSCP replaces the ToS bits, but it retains backward compatibility
with the three precedence bits so that non-DSCP compliant, ToS-enabled devices,
will not conflict with the DSCP mapping. Based on network policies, different kinds of
traffic can be marked for different kinds of forwarding. The DSCP default mapping is
defined in the following table. Note that all the DSCP values that are not specified
are mapped to CoS value 0.
Table 3-23 Mapping DSCP Priority Values
IP DSCP Value
CoS Value
0
0
8
1
10, 12, 14, 16
2
18, 20, 22, 24
3
26, 28, 30, 32, 34, 36
4
38, 40, 42
5
48
6
46, 56
7
Command Attributes
• DSCP Priority Table – Shows the DSCP Priority to CoS map.
• Class of Service Value – Maps a CoS value to the selected DSCP Priority value.
Note that “0” represents low priority and “7” represent high priority.
Note: IP DSCP settings apply to all interfaces.
3-286
Class of Service Configuration
3
Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a
value in the Class of Service Value field, then click Apply.
Figure 3-163 Mapping IP DSCP Priority Values
CLI – The following example globally enables DSCP Priority service on the switch,
maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority
settings.
Console(config)#map ip dscp
Console(config)#interface ethernet 1/1
Console(config-if)#map ip dscp 1 cos 0
Console(config-if)#end
Console#show map ip dscp ethernet 1/1
DSCP mapping status: disabled
4-381
4-222
4-381
4-383
Port
DSCP COS
--------- ---- --Eth 1/ 1
0
0
Eth 1/ 1
1
0
Eth 1/ 1
2
0
Eth
1/
1
3
0
.
.
.
Eth 1/ 1
61
0
Eth 1/ 1
62
0
Eth 1/ 1
63
0
Console#
*
Mapping specific values for IP DSCP is implemented as an interface configuration
command, but any changes will apply to the all interfaces on the switch.
3-287
3
Configuring the Switch
Quality of Service
The commands described in this section are used to configure Quality of Service
(QoS) classification criteria and service policies. Differentiated Services (DiffServ)
provides policy-based management mechanisms used for prioritizing network
resources to meet the requirements of specific traffic types on a per hop basis.
Each packet is classified upon entry into the network based on access lists, IP
Precedence, DSCP values, or VLAN lists. Using access lists allows you select traffic
based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based
on configured network policies, different kinds of traffic can be marked for different
kinds of forwarding.
All switches or routers that access the Internet rely on class information to provide
the same forwarding treatment to packets in the same class. Class information can
be assigned by end hosts, or switches or routers along the path. Priority can then be
assigned based on a general policy, or a detailed examination of the packet.
However, note that detailed examination of packets should take place close to the
network edge so that core switches and routers are not overloaded.
Switches and routers along the path can use class information to prioritize the
resources allocated to different traffic classes. The manner in which an individual
device handles traffic in the DiffServ architecture is called per-hop behavior. All
devices along a path should be configured in a consistent manner to construct a
consistent end-to-end QoS solution.
Notes: 1. You can configure up to 16 rules per Class Map. You can also include
multiple classes in a Policy Map.
2. You should create a Class Map before creating a Policy Map. Otherwise, you
will not be able to select a Class Map from the Policy Rule Settings screen
(see page 3-293).
Configuring Quality of Service Parameters
To create a service policy for a specific category or ingress traffic, follow these steps:
1. Use the “Class Map” to designate a class name for a specific category of traffic.
2. Edit the rules for each class to specify a type of traffic based on an access list, a
DSCP or IP Precedence value, or a VLAN.
3. Use the “Policy Map” to designate a policy name for a specific manner in which
ingress traffic will be handled.
4. Add one or more classes to the Policy Map. Assign policy rules to each class by
“setting” the QoS value to be assigned to the matching traffic class. The policy
rule can also be configured to monitor the average flow and burst rate, and drop
any traffic that exceeds the specified rate, or just reduce the DSCP service level
for traffic exceeding the specified rate.
5. Use the “Service Policy” to assign a policy map to a specific interface.
3-288
Quality of Service
3
Configuring a Class Map
A class map is used for matching packets to a specified class.
Command Usage
• To configure a Class Map, follow these steps:
- Open the Class Map page, and click Add Class.
- When the Class Configuration page opens, fill in the “Class Name” field, and
click Add.
- When the Match Class Settings page opens, specify type of traffic for this class
based on an access list, a DSCP or IP Precedence value, or a VLAN, and click
the Add button next to the field for the selected traffic criteria. You can specify up
to 16 items to match when assigning ingress traffic to a class map.
• The class map is used with a policy map (page 3-291) to create a service policy
(page 3-294) for a specific interface that defines packet classification, service
tagging, and bandwidth policing. Note that one or more class maps can be
assigned to a policy map.
Command Attributes
Class Map
• Modify Name and Description – Configures the name and a brief description of
a class map. (Range: 1-16 characters for the name; 1-64 characters for the
description)
• Edit Rules – Opens the “Match Class Settings” page for the selected class entry.
Modify the criteria used to classify ingress traffic on this page.
• Add Class – Opens the “Class Configuration” page. Enter a class name and
description on this page, and click Add to open the “Match Class Settings” page.
Enter the criteria used to classify ingress traffic on this page.
• Remove Class – Removes the selected class.
Class Configuration
• Class Name – Name of the class map. (Range: 1-16 characters)
• Type – Only one match command is permitted per class map, so the match-any
field refers to the criteria specified by the lone match command.
• Description – A brief description of a class map. (Range: 1-64 characters)
• Add – Adds the specified class.
• Back – Returns to previous page with making any changes.
Match Class Settings
• Class Name – List of class maps.
• ACL List – Name of an access control list. Any type of ACL can be specified,
including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters)
• IP DSCP – A DSCP value. (Range: 0-63)
• IP Precedence – An IP Precedence value. (Range: 0-7)
3-289
3
Configuring the Switch
• VLAN – A VLAN. (Range:1-4094)
• Add – Adds specified criteria to the class. Up to 16 items are permitted per class.
• Remove – Deletes the selected criteria from the class.
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules
to change the rules of an existing class.
Figure 3-164 Configuring Class Maps
3-290
Quality of Service
3
CLI - This example creates a class map call “rd_class,” and sets it to match packets
marked for DSCP service value 3.
Console(config)#class-map rd_class match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#
4-385
4-386
Creating QoS Policies
This function creates a policy map that can be attached to multiple interfaces.
Command Usage
• To configure a Policy Map, follow these steps:
- Create a Class Map as described on page 3-289.
- Open the Policy Map page, and click Add Policy.
- When the Policy Configuration page opens, fill in the “Policy Name” field, and
click Add.
- When the Policy Rule Settings page opens, select a class name from the
scroll-down list (Class Name field). Configure a policy for traffic that matches
criteria defined in this class by setting the quality of service that an IP packet will
receive (in the Action field), defining the maximum throughput and burst rate (in
the Meter field), and the action that results from a policy violation (in the Exceed
field). Then finally click Add to register the new policy.
• A policy map can contain multiple class statements that can be applied to the same
interface with the Service Policy Settings (page 3-294). You can configure up to 64
policers (i.e., meters or class maps) for each of the following access list types:
MAC ACL, IP ACL (including Standard ACL and Extended ACL). Also, note that
the maximum number of classes that can be applied to a policy map is 16.
Policing is based on a token bucket, where bucket depth (i.e., the maximum burst
before the bucket overflows) is specified by the “Burst” field, and the average rate
at which tokens are removed from the bucket is specified by the “Rate” option.
• After using the policy map to define packet classification, service tagging, and
bandwidth policing, it must be assigned to a specific interface by a service policy
(page 3-294) to take effect.
Command Attributes
Policy Map
• Modify Name and Description – Configures the name and a brief description of
a policy map. (Range: 1-16 characters for the name; 1-64 characters for the
description)
• Edit Classes – Opens the “Policy Rule Settings” page for the selected class entry.
Modify the criteria used to service ingress traffic on this page.
• Add Policy – Opens the “Policy Configuration” page. Enter a policy name and
description on this page, and click Add to open the “Policy Rule Settings” page.
Enter the criteria used to service ingress traffic on this page.
• Remove Policy – Deletes a specified policy.
3-291
3
Configuring the Switch
Policy Configuration
•
•
•
•
Policy Name – Name of policy map. (Range: 1-16 characters)
Description – A brief description of a policy map. (Range: 1-64 characters)
Add – Adds the specified policy.
Back – Returns to previous page with making any changes.
Policy Rule Settings
- Class Settings • Class Name – Name of class map.
• Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or
IP Precedence value in a matching packet (as specified in Match Class Settings on
page 3-289).
• Meter – The maximum throughput and burst rate.
- Rate (kbps) – Rate in kilobits per second.
- Burst (byte) – Burst in bytes.
• Exceed Action – Specifies whether the traffic that exceeds the specified rate will
be dropped or the DSCP service level will be reduced.
• Remove Class – Deletes a class.
- Policy Options • Class Name – Name of class map.
• Action – Configures the service provided to ingress traffic by setting a CoS, DSCP,
or IP Precedence value in a matching packet (as specified in Match Class Settings
on page 3-289). (Range - CoS: 0-7, DSCP: 0-63, IP Precedence: 0-7,
IPv6 DSCP: 0-63)
• Meter – Check this to define the maximum throughput, burst rate, and the action
that results from a policy violation.
- Rate (kbps) – Rate in kilobits per second. (Range: 1-100000 kbps or maximum
port speed, whichever is lower)
- Burst (byte) – Burst in bytes. (Range: 64-1522)
• Exceed – Specifies whether the traffic that exceeds the specified rate or burst will
be dropped or the DSCP service level will be reduced.
- Set – Decreases DSCP priority for out of conformance traffic. (Range: 0-63).
- Drop – Drops out of conformance traffic.
• Add – Adds the specified criteria to the policy map.
3-292
Quality of Service
3
Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To
add a new policy map click Add Policy. To configure the policy rule settings click Edit
Classes.
Figure 3-165 Configuring Policy Maps
3-293
3
Configuring the Switch
CLI – This example creates a policy map called “rd-policy,” sets the average
bandwidth the 1 Mbps, the burst rate to 1522 bps, and the response to reduce the
DSCP value for violating packets to 0.
Console(config)#policy-map rd_policy#3
Console(config-pmap)#class rd_class#3
Console(config-pmap-c)#set ip dscp 4
Console(config-pmap-c)#police 100000 1522 exceed-action
set ip dscp 0
Console(config-pmap-c)#
4-388
4-388
4-389
4-390
Attaching a Policy Map to Ingress Queues
This function binds a policy map to the ingress queue of a particular interface.
Command Usage
• You must first define a class map, then define a policy map, and finally bind the
service policy to the required interface.
• You can only bind one policy map to an interface.
• The current firmware does not allow you to bind a policy map to an egress queue.
Command Attributes
•
•
•
•
Ports – Specifies a port.
Ingress – Applies the rule to ingress traffic.
Enabled – Check this to enable a policy map on the specified port.
Policy Map – Select the appropriate policy map from the scroll-down box.
Web – Click QoS, DiffServ, Service Policy Settings. Check Enabled and choose a
Policy Map for a port from the scroll-down box, then click Apply.
Figure 3-166 Service Policy Settings
CLI - This example applies a service policy to an ingress interface.
Console(config)#interface ethernet 1/5
Console(config-if)#service-policy input rd_policy#3
Console(config-if)#
3-294
4-391
4-391
Quality of Service
3
VoIP Traffic Configuration
When IP telephony is deployed in an enterprise network, it is recommended to
isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation
can provide higher voice quality by preventing excessive packet delays, packet loss,
and jitter. This is best achieved by assigning all VoIP traffic to a single Voice VLAN.
The use of a Voice VLAN has several advantages. It provides security by isolating
the VoIP traffic from other data traffic. End-to-end QoS policies and high priority can
be applied to the VoIP VLAN traffic across the network, guaranteeing the bandwidth
it needs. The VLAN isolation also protects against disruptive broadcast and
multicast traffic that can seriously affect voice quality.
The switch allows you to specify a Voice VLAN for the network and set a CoS priority
for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source
MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected
VoIP devices. When VoIP traffic is detected on a configured port, the switch
automatically assigns the port as a tagged member the Voice VLAN. Alternatively,
switch ports can be manually configured.
Configuring VoIP Traffic
To configure the switch for VoIP traffic, first enable the automatic detection of VoIP
devices attached to switch ports, then set the Voice VLAN ID for the network. The
Voice VLAN aging time can also be set to remove a port from the Voice VLAN when
VoIP traffic is no longer received on the port.
Command Attributes
• Auto Detection Status – Enables the automatic detection of VoIP traffic on switch
ports. (Default: Disabled)
• Voice VLAN ID – Sets the Voice VLAN ID for the network. Only one Voice VLAN
is supported and it must already be created on the switch. (Range: 1-4094)
• Voice VLAN Aging Time – The time after which a port is removed from the Voice
VLAN when VoIP traffic is no longer received on the port.
(Range: 5-43200 minutes; Default: 1440 minutes).
Note: The Voice VLAN ID cannot be modified when the global Auto Detection Status is
enabled.
3-295
3
Configuring the Switch
Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection,
specify the Voice VLAN ID, the set the Voice VLAN Aging Time. Click Apply.
Figure 3-167 Configuring VoIP Traffic
CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID
as 1234, then sets the VLAN aging time to 3000 seconds.
Console(config)#voice vlan 1234
Console(config)#voice vlan aging 3000
Console(config)#
4-331
4-332
Configuring VoIP Traffic Ports
To configure ports for VoIP traffic, you need to set the mode (Auto or Manual),
specify the discovery method to use, and set the traffic priority. You can also enable
security filtering to ensure that only VoIP traffic is forwarded on the Voice VLAN.
Command Attributes
• Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is
detected. (Default: None)
- None – The Voice VLAN feature is disabled on the port. The port will not detect
VoIP traffic or be added to the Voice VLAN.
- Auto – The port will be added as a tagged member to the Voice VLAN when
VoIP traffic is detected on the port. You must select a method for detecting VoIP
traffic, either OUI or 802.1ab (LLDP). When OUI is selected, be sure to configure
the MAC address ranges in the Telephony OUI list.
- Manual – The Voice VLAN feature is enabled on the port, but the port must be
manually added to the Voice VLAN.
• Security – Enables security filtering that discards any non-VoIP packets received
on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by
source MAC addresses configured in the Telephony OUI list, or through LLDP that
discovers VoIP devices attached to the switch. Packets received from non-VoIP
sources are dropped. (Default: Disabled)
• Discovery Protocol – Selects a method to use for detecting VoIP traffic on the
port. (Default: OUI)
- OUI – Traffic from VoIP devices is detected by the Organizationally Unique
Identifier (OUI) of the source MAC address. OUI numbers are assigned to
manufacturers and form the first three octets of a device MAC address. MAC
3-296
Quality of Service
3
address OUI numbers must be configured in the Telephony OUI list so that the
switch recognizes the traffic as being from a VoIP device.
- 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP
checks that the “telephone bit” in the system capability TLV is turned on. See
"Link Layer Discovery Protocol" on page 3-265 for more information on LLDP.
• Priority – Defines a CoS priority for port traffic on the Voice VLAN. The priority of
any received VoIP packet is overwritten with the new priority when the Voice VLAN
feature is active for the port.
Web – Click QoS, VoIP Traffic Setting, Port Configuration. Set the mode for a VoIP
traffic port, select the detection mechanism to use, and specify the VoIP traffic
priority. Click Apply.
Figure 3-168 VoIP Traffic Port Configuration
3-297
3
Configuring the Switch
CLI – This example configures VoIP traffic settings for port 2 and displays the
current Voice VLAN status.
Console(config)#interface ethernet 1/2
Console(config-if)#switchport voice vlan
Console(config-if)#switchport voice vlan
Console(config-if)#switchport voice vlan
Console(config-if)#switchport voice vlan
Console(config-if)#exit
Console#show voice vlan status
Global Voice VLAN Status
Voice VLAN Status
: Enabled
Voice VLAN ID
: 1234
Voice VLAN aging time : 1440 minutes
Voice VLAN Port Summary
Port
Mode
Security
-------- -------- -------Eth 1/ 1 Auto
Enabled
Eth 1/ 2 Auto
Enabled
Eth 1/ 3 Manual
Enabled
Eth 1/ 4 Auto
Enabled
Eth 1/ 5 Disabled Disabled
Eth 1/ 6 Disabled Disabled
Eth 1/ 7 Disabled Disabled
Eth 1/ 8 Disabled Disabled
Eth 1/ 9 Disabled Disabled
Eth
1/10 Disabled Disabled
.
.
.
auto
security
rule oui
priority 5
4-334
4-335
4-334
4-336
4-336
Rule
Priority
--------- -------OUI
6
OUI
5
OUI
5
OUI
6
OUI
6
OUI
6
OUI
6
OUI
6
OUI
6
OUI
6
Configuring Telephony OUI
VoIP devices attached to the switch can be identified by the manufacturer’s
Organizational Unique Identifier (OUI) in the source MAC address of received
packets. OUI numbers are assigned to manufacturers and form the first three octets
of device MAC addresses. The MAC OUI numbers for VoIP equipment can be
configured on the switch so that traffic from these devices is recognized as VoIP.
Command Attributes
• Telephony OUI – Specifies a MAC address range to add to the list. Enter the MAC
address in format 01-23-45-67-89-AB.
• Mask – Identifies a range of MAC addresses. Selecting a mask of
FF-FF-FF-00-00-00 identifies all devices with the same OUI (the first three octets).
Other masks restrict the MAC address range. Selecting FF-FF-FF-FF-FF-FF
specifies a single MAC address. (Default: FF-FF-FF-00-00-00)
• Description – User-defined text that identifies the VoIP devices.
3-298
Quality of Service
3
Web – Click QoS, VoIP Traffic Setting, OUI Configuration. Enter a MAC address that
specifies the OUI for VoIP devices in the network. Select a mask from the pull-down
list to define a MAC address range. Enter a description for the devices, then click
Add.
Figure 3-169 Telephony OUI List
CLI – This example adds an identifier to the list, then displays the current list
Console(config)#voice vlan mac-address 00-e0-bb-00-00-00 mask
ff-ff-ff-00-00-00 description old phones
Console(config)#exit
Console#show voice vlan oui
OUIAddress
Mask
Description
00-e0-bb-00-00-00 FF-FF-FF-00-00-00 old phones
00-11-22-33-44-55 FF-FF-FF-00-00-00 new phones
00-98-76-54-32-10 FF-FF-FF-FF-FF-FF Chris' phone
4-333
4-336
Console#
3-299
3
Configuring the Switch
Multicast Filtering
Multicasting is used to support real-time
applications such as videoconferencing or
streaming audio. A multicast server does not have
to establish a separate connection with each
client. It merely broadcasts its service to the
network, and any hosts that want to receive the
multicast register with their local multicast switch/
router. Although this approach reduces the
network overhead required by a multicast server,
the broadcast traffic must be carefully pruned at
every multicast switch/router it passes through to
ensure that traffic is only passed on to the hosts
which subscribed to this service.
Unicast
Flow
Multicast
Flow
This switch can use Internet Group Management
Protocol (IGMP) to filter multicast traffic. IGMP
Snooping can be used to passively monitor or
“snoop” on exchanges between attached hosts
and an IGMP-enabled device, most commonly a
multicast router. In this way, the switch can discover the ports that want to join a
multicast group, and set its filters accordingly.
If there is no multicast router attached to the local subnet, multicast traffic and query
messages may not be received by the switch. In this case (Layer 2) IGMP Query
can be used to actively ask the attached hosts if they want to receive a specific
multicast service. IGMP Query thereby identifies the ports containing hosts
requesting to join the service and sends data out to those ports only. It then
propagates the service request up to any neighboring multicast switch/router to
ensure that it will continue to receive the multicast service.
The purpose of IP multicast filtering is to optimize a switched network’s
performance, so multicast packets will only be forwarded to those ports containing
multicast group hosts or multicast routers/switches, instead of flooding traffic to all
ports in the subnet (VLAN).
You can also configure a single network-wide multicast VLAN shared by hosts
residing in other standard or private VLAN groups, preserving security and data
isolation (see "Multicast VLAN Registration" on page 3-315).
3-300
3
Multicast Filtering
Layer 2 IGMP (Snooping and Query)
IGMP Snooping and Query – If multicast routing is not supported on other switches
in your network, you can use IGMP Snooping and Query (page 3-302) to monitor
IGMP service requests passing between multicast clients and servers, and
dynamically configure the switch ports which need to forward multicast traffic.
When using IGMPv3 snooping, service requests from IGMP Version 1, 2 or 3 hosts
are all forwarded to the upstream router as IGMPv3 reports. The primary
enhancement provided by IGMPv3 snooping is in keeping track of information about
the specific multicast sources which downstream IGMPv3 hosts have requested or
refused. The switch maintains information about both multicast groups and
channels, where a group indicates a multicast flow for which the hosts have not
requested a specific source (the only option for IGMPv1 and v2 hosts unless
statically configured on the switch), and a channel indicates a flow for which the
hosts have requested service from a specific source.
Only IGMPv3 hosts can request service from a specific multicast source. When
downstream hosts request service from a specific source for a multicast service,
these sources are all placed in the Include list, and traffic is forwarded to the hosts
from each of these sources. IGMPv3 hosts may also request that service be
forwarded from all sources except for those specified. In this case, traffic is filtered
from sources in the Exclude list, and forwarded from all other available sources.
Notes: 1. When the switch is configured to use IGMPv3 snooping, the snooping
version may be downgraded to version 2 or version 1, depending on the
version of the IGMP query packets detected on each VLAN.
2. IGMP snooping will not function unless a multicast router port is enabled on
the switch. This can be accomplished in one of two ways. A static router port
can be manually configured (see “Specifying Static Interfaces for a Multicast
Router” on page 3-307). Using this method, the router port is never timed
out, and will continue to function until explicitly removed. The other method
relies on the switch to dynamically create multicast routing ports whenever
multicast routing protocol packets or IGMP query packets are detected on a
port.
3. A maximum of up to 255 multicast entries can be maintained for IGMP
snooping, and 255 entries for Multicast Routing, when both of these features
are enabled. If the table’s capacity is exceeded, the IGMPv3 snooping will
not support multicast source filtering, but will forward multicast traffic from all
relevant sources to the requesting hosts.
Static IGMP Router Interface – If IGMP snooping cannot locate the IGMP querier,
you can manually designate a known IGMP querier (i.e., a multicast router/switch)
connected over the network to an interface on your switch (page 3-307). This
interface will then join all the current multicast groups supported by the attached
router/switch to ensure that multicast traffic is passed to all appropriate interfaces
within the switch.
3-301
3
Configuring the Switch
Static IGMP Host Interface – For multicast applications that you need to control
more carefully, you can manually assign a multicast service to specific interfaces on
the switch (page 3-309).
Configuring IGMP Snooping and Query Parameters
You can configure the switch to forward multicast traffic intelligently. Based on the
IGMP query and report messages, the switch forwards traffic only to the ports that
request multicast traffic. This prevents the switch from broadcasting the traffic to all
ports and possibly disrupting network performance.
Command Usage
• IGMP Snooping – This switch can passively snoop on IGMP Query and Report
packets transferred between IP multicast routers/switches and IP multicast host
groups to identify the IP multicast group members. It simply monitors the IGMP
packets passing through it, picks out the group registration information, and
configures the multicast filters accordingly.
Note: Unknown multicast traffic is flooded to all ports in the VLAN for several seconds
when first received. If a multicast router port exists on the VLAN, the traffic will
be filtered by subjecting it to IGMP snooping. If no router port exists on the
VLAN or the multicast filtering table is already full, the switch will continue
flooding the traffic into the VLAN.
• IGMP Querier – A router, or multicast-enabled switch, can periodically ask their
hosts if they want to receive multicast traffic. If there is more than one router/switch
on the LAN performing IP multicasting, one of these devices is elected “querier”
and assumes the role of querying the LAN for group members. It then propagates
the service requests on to any upstream multicast switch/router to ensure that it will
continue to receive the multicast service.
Note: Multicast routers use this information from IGMP snooping and query reports,
along with a multicast routing protocol such as DVMRP or PIM, to support IP
multicasting across the Internet.
• IGMP Leave Proxy – This function is only effective if IGMP snooping is enabled.
IGMP leave proxy suppresses all unnecessary IGMP leave messages so that the
non-querier switch forwards an IGMP leave packet only when the last dynamic
member port leaves a multicast group.
The leave-proxy feature does not function when a switch is set as the querier.
When the switch a non-querier, the receiving port is not the last dynamic member
port in the group, the receiving port is not a router port, and no IGMPv1 member
port exists in the group, the switch will generate and send a GS-query to the
member port which received the leave message, and then start the last member
query timer for that port.
When the conditions in the preceding item all apply, except that the receiving port
is a router port, then the switch will not send a GS-query, but will immediately start
the last member query timer for that port.
3-302
3
Multicast Filtering
Command Attributes
• IGMP Status — When enabled, the switch will monitor network traffic to determine
which hosts want to receive multicast traffic. This is also referred to as IGMP
Snooping. (Default: Enabled)
• Act as IGMP Querier — When enabled, the switch can serve as the Querier,
which is responsible for asking hosts if they want to receive multicast traffic. This
feature is not supported for IGMPv3 snooping. (Default: Disabled)
• IGMP Leave Proxy Status — Suppresses leave messages unless received from
the last member port in the group. (Default: Disabled)
• IGMP Query Count — Sets the maximum number of queries issued for which
there has been no response before the switch takes action to drop a client from the
multicast group. (Range: 2-10; Default: 2)
• IGMP Query Interval — Sets the frequency at which the switch sends IGMP
host-query messages. (Range: 60-125 seconds; Default: 125)
• IGMP Report Delay — Sets the time between receiving an IGMP Report for an IP
multicast address on a port before the switch sends an IGMP Query out of that port
and removes the entry from its list. (Range: 5-25 seconds; Default: 10)
• IGMP Query Timeout — The time the switch waits after the previous querier stops
before it considers the router port (i.e., the interface which had been receiving
query packets) to have expired. (Range: 300-500 seconds; Default: 300)
• IGMP Version — Sets the protocol version for compatibility with other devices on
the network. (Range: 1-3; Default: 2)
Notes: 1. All systems on the subnet must support the same version.
2. Some attributes are only enabled for IGMPv2 and/or v3, including Act as
IGMP Querier, IGMP Report Delay and IGMP Query Timeout.
Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as
required, and then click Apply. (The default settings are shown below.)
Figure 3-170 IGMP Configuration
3-303
3
Configuring the Switch
CLI – This example modifies the settings for multicast filtering, and then displays the
current status.
Console(config)#ip igmp snooping
Console(config)#ip igmp snooping querier
Console(config)#ip igmp snooping leave-proxy
Console(config)#ip igmp snooping query-count 10
Console(config)#ip igmp snooping query-interval 100
Console(config)#ip igmp snooping query-max-response-time 20
Console(config)#ip igmp snooping router-port-expire-time 300
Console(config)#ip igmp snooping version 2
Console(config)#exit
Console#show ip igmp snooping
Service status:
Enabled
Querier status:
Enabled
Leave proxy status:
Enabled
Query count:
10
Query interval:
100 sec
Query max response time: 20 sec
Router port expire time: 300 sec
Immediate Leave Processing: Disabled on all VLAN
IGMP snooping version:
Version 2
Console#
4-395
4-400
4-397
4-400
4-401
4-401
4-402
4-396
4-397
Enabling IGMP Immediate Leave
The switch can be configured to immediately delete a member port of a multicast
service if a leave packet is received at that port and the immediate-leave function is
enabled for the parent VLAN. This allows the switch to remove a port from the
multicast forwarding table without first having to send an IGMP group-specific query
to that interface.
Command Usage
• If immediate leave is not used, a multicast router (or querier) will send a
group-specific query message when an IGMPv2/v3 group leave message is
received. The router/querier stops forwarding traffic for that group only if no host
replies to the query within the specified timeout period. Note that the timeout period
is determined by the IGMP Query Report Delay (see “Configuring IGMP Snooping
and Query Parameters” on page 3-302).
• If immediate leave is enabled, the switch assumes that only one host is connected
to the interface. Therefore, immediate leave should only be enabled on an interface
if it is connected to only one IGMP-enabled device, either a service host or a
neighbor running IGMP snooping.
• Immediate leave is only effective if IGMP snooping is enabled, and IGMPv2 or
IGMPv3 snooping is used.
• Immediate leave does not apply to a port if the switch has learned that a multicast
router is attached to it.
• Immediate leave can improve bandwidth usage for a network which frequently
experiences many IGMP host add and leave requests.
3-304
Multicast Filtering
3
Command Attributes
• VLAN ID – VLAN Identifier. (Range: 1-4094).
• Immediate Leave – Sets the status for immediate leave on the specified VLAN.
(Default: Disabled)
Web – Click IGMP Snooping, IGMP Immediate Leave. Select the VLAN interface to
configure, set the status for immediate leave, and click Apply.
Figure 3-171 IGMP Immediate Leave
CLI – This example enables IGMP immediate leave for VLAN 1 and then displays
the current IGMP snooping status.
Console(config)#interface vlan 1
Console(config-if)#ip igmp snooping immediate-leave
Console(config-if)#end
Console#show ip igmp snooping
Service Status:
Enabled
Querier Status:
Disabled
Leave proxy status:
Enabled
Query Count:
2
Query Interval:
125 sec
Query Max Response Time: 10 sec
Router Port Expire Time: 300 sec
Immediate Leave Processing: Enabled on VLAN
1,
IGMP Snooping Version:
Version 2
Console#
4-397
4-397
3-305
3
Configuring the Switch
Displaying Interfaces Attached to a Multicast Router
Multicast routers that are attached to ports on the switch use information obtained
from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to
support IP multicasting across the Internet. These routers may be dynamically
discovered by the switch or statically assigned to an interface on the switch.
You can use the Multicast Router Port Information page to display the ports on this
switch attached to a neighboring multicast router/switch for each VLAN ID.
Command Attributes
• VLAN ID – ID of configured VLAN (1-4094).
• Multicast Router List – Multicast routers dynamically discovered by this switch or
those that are statically assigned to an interface on this switch.
Web – Click IGMP Snooping, Multicast Router Port Information. Select the required
VLAN ID from the scroll-down list to display the associated multicast routers.
Figure 3-172 Displaying Multicast Router Port Information
CLI – This example shows that Port 11 has been statically configured as a port
attached to a multicast router.
Console#show ip igmp snooping mrouter vlan 1
VLAN M'cast Router Port Type
---- ------------------ ------1
Eth 1/11 Static
Console#
3-306
4-404
3
Multicast Filtering
Specifying Static Interfaces for a Multicast Router
Depending on your network connections, IGMP snooping may not always be able to
locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/
switch connected over the network to an interface (port or trunk) on your switch, you
can manually configure the interface (and a specified VLAN) to join all the current
multicast groups supported by the attached router. This can ensure that multicast
traffic is passed to all the appropriate interfaces within the switch.
Command Attributes
• Interface – Activates the Port or Trunk scroll down list.
• VLAN ID – Selects the VLAN to propagate all multicast traffic coming from the
attached multicast router.
• Port or Trunk – Specifies the interface attached to a multicast router.
Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the
interfaces attached to a multicast router, indicate the VLAN which will forward all the
corresponding multicast traffic, and then click Add. After you have finished adding
interfaces to the list, click Apply.
Figure 3-173 Static Multicast Router Port Configuration
CLI – This example configures port 1 as a multicast router port within VLAN 1.
Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/1
Console(config)#exit
Console#show ip igmp snooping mrouter vlan 1
VLAN M'cast Router Port Type
---- ------------------ ------1
Eth 1/1 Static
Console#
4-403
4-404
3-307
3
Configuring the Switch
Displaying Port Members of Multicast Services
You can display the port members associated with a specified VLAN and multicast
service.
Command Attributes
• VLAN ID – Selects the VLAN for which to display port members. (Range: 1-4094)
• Multicast IP Address – The IP address for a specific multicast service.
• Multicast Group Port List – Shows the interfaces that have already been
assigned to the selected VLAN to propagate a specific multicast service.
Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and
the IP address for a multicast service from the scroll-down lists. The switch will
display all the interfaces that are propagating this multicast service.
Figure 3-174 IP Multicast Registration Table
CLI – This example displays all the known multicast services supported on VLAN 1,
along with the ports propagating the corresponding services. The Type field shows if
this entry was learned dynamically or was statically configured.
Console#show mac-address-table multicast vlan 1
VLAN M'cast IP addr. Member ports Type
---- --------------- ------------ ------1
224.1.1.12
Eth1/12
USER
1
224.1.2.3
Eth1/12
IGMP
Console#
3-308
4-399
3
Multicast Filtering
Assigning Ports to Multicast Services
Multicast filtering can be dynamically configured using IGMP Snooping and IGMP
Query messages as described in “Configuring IGMP snooping and Query
Parameters” on page 3-133. For certain applications that require tighter control, you
may need to statically configure a multicast service on the switch. First add all the
ports attached to participating hosts to a common VLAN, and then assign the
multicast service to that VLAN group.
Command Usage
• Static multicast addresses are never aged out.
• When a multicast address is assigned to an interface in a specific VLAN, the
corresponding traffic can only be forwarded to ports within that VLAN.
Command Attributes
• Interface – Activates the Port or Trunk scroll down list.
• VLAN ID – Selects the VLAN to propagate all multicast traffic coming from the
attached multicast router/switch. (Range: 1-4094)
• Multicast IP – The IP address for a specific multicast service.
• Port or Trunk – Specifies the interface attached to a multicast router/switch.
Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface
attached to a multicast service (via an IGMP-enabled switch or multicast router),
indicate the VLAN that will propagate the multicast service, specify the multicast IP
address, and click Add. After you have completed adding ports to the member list,
click Apply.
Figure 3-175 IGMP Member Port Table
3-309
3
Configuring the Switch
CLI – This example assigns a multicast address to VLAN 1, and then displays all the
known multicast services supported on VLAN 1.
Console(config)#ip igmp snooping vlan 1 static 224.1.1.12
ethernet 1/12
Console(config)#exit
Console#show mac-address-table multicast vlan 1
VLAN M'cast IP addr. Member ports Type
---- --------------- ------------ ------1
224.1.1.12
Eth1/12
USER
1
224.1.2.3
Eth1/12
IGMP
Console#
4-395
4-399
IGMP Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast
services that are available to end users. For example, an IP/TV service based on a
specific subscription plan. The IGMP filtering feature fulfills this requirement by
restricting access to specified multicast services on a switch port, and IGMP
throttling limits the number of simultaneous multicast groups a port can join.
IGMP filtering enables you to assign a profile to a switch port that specifies multicast
groups that are permitted or denied on the port. An IGMP filter profile can contain
one or more, or a range of multicast addresses; but only one profile can be assigned
to a port. When enabled, IGMP join reports received on the port are checked against
the filter profile. If a requested multicast group is permitted, the IGMP join report is
forwarded as normal. If a requested multicast group is denied, the IGMP join report
is dropped.
IGMP throttling sets a maximum number of multicast groups that a port can join at
the same time. When the maximum number of groups is reached on a port, the
switch can take one of two actions; either “deny” or “replace”. If the action is set to
deny, any new IGMP join reports will be dropped. If the action is set to replace, the
switch randomly removes an existing group and replaces it with the new multicast
group.
Note: IGMP filtering and throttling only applies to dynamically learned multicast groups.
It does not apply to statically configured groups.
Enabling IGMP Filtering and Throttling
To implement IGMP filtering and throttling on the switch, you must first enable the
feature globally and create IGMP profile numbers.
Command Attributes
• IGMP Filter – Enables IGMP filtering and throttling globally for the switch.
(Default: Disabled)
• IGMP Profile – Creates IGMP profile numbers. (Range: 1-4294967295)
3-310
3
Multicast Filtering
Web – Click IGMP Snooping, IGMP Filter Configuration. Create a profile group by
entering a number in the text box and clicking Add. Enable the IGMP filter status,
then click Apply.
Figure 3-176 Enabling IGMP Filtering and Throttling
CLI – This example enables IGMP filtering and creates a profile number. It then
displays the current status and the existing profile numbers.
Console(config)#ip igmp filter
Console(config)#ip igmp profile 19
Console(config)#end
Console#show ip igmp filter
IGMP filter enable
Console#show ip igmp profile
IGMP Profile 19
IGMP Profile 50
IGMP Profile 60
Console#
4-405
4-406
4-409
4-410
Configuring IGMP Filter Profiles
When you have created an IGMP profile number, you can then configure the
multicast groups to filter and set the access mode.
Command Usage
• Each profile has only one access mode; either permit or deny.
• When the access mode is set to permit, IGMP join reports are processed when a
multicast group falls within the controlled range. When the access mode is set to
deny, IGMP join reports are only processed when the multicast group is not in the
controlled range.
3-311
3
Configuring the Switch
Command Attributes
• Profile ID – Selects an existing profile number to configure. After selecting an ID
number, click the Query button to display the current configuration.
• Access Mode – Sets the access mode of the profile; either permit or deny.
(Default: Deny)
• New Multicast Address Range List – Specifies multicast groups to include in the
profile. Specify a multicast group range by entering a start and end IP address.
Specify a single multicast group by entering the same IP address for the start and
end of the range. Click the Add button to add a range to the current list.
• Current Multicast Address Range List – Lists multicast groups currently
included in the profile. Select an entry and click the Remove button to delete it from
the list.
Web – Click IGMP Snooping, IGMP Filter Profile Configuration. Select the profile
number you want to configure; then click Query to display the current settings.
Specify the access mode for the profile and then add multicast groups to the profile
list. Click Apply.
Figure 3-177 IGMP Profile Configuration
3-312
3
Multicast Filtering
CLI – This example configures profile number 19 by setting the access mode to
“permit” and then specifying a range of multicast groups that a user can join. The
current profile configuration is then displayed.
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#permit
Console(config-igmp-profile)#range 239.1.2.3
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.200
Console(config-igmp-profile)#end
Console#show ip igmp profile 19
IGMP Profile 19
permit
range 239.1.2.3 239.1.2.3
range 239.2.3.1 239.2.3.200
Console#
4-406
4-406
4-407
4-410
Configuring IGMP Filtering and Throttling for Interfaces
Once you have configured IGMP profiles, you can assign them to interfaces on the
switch. Also you can set the IGMP throttling number to limit the number of multicast
groups an interface can join at the same time.
Command Usage
• Only one profile can be assigned to an interface.
• An IGMP profile or throttling setting can also be applied to a trunk interface. When
ports are configured as trunk members, the trunk uses the settings applied to the
first port member in the trunk.
• IGMP throttling sets a maximum number of multicast groups that a port can join at
the same time. When the maximum number of groups is reached on a port, the
switch can take one of two actions; either “deny” or “replace”. If the action is set to
deny, any new IGMP join reports will be dropped. If the action is set to replace, the
switch randomly removes an existing group and replaces it with the new multicast
group.
Command Attributes
• Profile – Selects an existing profile number to assign to an interface.
• Max Multicast Groups – Sets the maximum number of multicast groups an
interface can join at the same time. (Range: 0-255; Default: 255)
• Current Multicast Groups – Displays the current multicast groups the interface
has joined.
• Throttling Action Mode – Sets the action to take when the maximum number of
multicast groups for the interface has been exceeded. (Default: Deny)
- deny - The new multicast group join report is dropped.
- replace - The new multicast group replaces an existing group.
• Throttling Status – Indicates if the throttling action has been implemented on the
interface. (Options: True or False)
• Trunk – Indicates if a port is a trunk member.
3-313
3
Configuring the Switch
Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP
Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then
set the throttling number and action. Click Apply.
Figure 3-178 IGMP Filter and Throttling Port Configuration
CLI – This example assigns IGMP profile number 19 to port 1, and then sets the
throttling number and action. The current IGMP filtering and throttling settings for the
interface are then displayed.
Console(config)#interface ethernet 1/1
Console(config-if)#ip igmp filter 19
Console(config-if)#ip igmp max-groups 64
Console(config-if)#ip igmp max-groups action deny
Console(config-if)#end
Console#show ip igmp filter interface ethernet 1/1
Information of Eth 1/1
IGMP Profile 19
permit
range 239.1.2.3 239.1.2.3
range 239.2.3.1 239.2.3.200
Console#show ip igmp throttle interface ethernet 1/1
Information of Eth 1/1
status : TRUE
action : deny
max multicast groups : 64
current multicast groups: 0
Console#
3-314
4-222
4-407
4-408
4-409
4-409
4-410
3
Multicast VLAN Registration
Multicast VLAN Registration
Multicast VLAN Registration (MVR) is a protocol that controls access to a single
network-wide VLAN most commonly used for transmitting multicast traffic (such as
television channels or video-on-demand) across a service provider’s network. Any
multicast traffic entering an MVR VLAN is sent to all attached subscribers. This
protocol can significantly reduce the processing overhead required to dynamically
monitor and establish the distribution tree for a normal multicast VLAN. This makes
it possible to support common multicast services over a wide part of the network
without having to use any multicast routing protocol.
MVR maintains the user isolation and data security provided by VLAN segregation
by passing only multicast traffic into other VLANs to which the subscribers belong.
Even though common multicast streams are passed onto different VLAN groups
from the MVR VLAN, users in different IEEE 802.1Q or private VLANs cannot
exchange any information (except through upper-level routing services).
Multicast Router
Satellite Services
Multicast Server
Layer 2 Switch
Source
Port
Service
Network
Receiver
Ports
Set-top Box
PC
TV
Set-top Box
TV
General Configuration Guidelines for MVR
1. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast
groups that will stream traffic to attached hosts (see "Configuring Global MVR
Settings" on page 3-316).
2. Set the interfaces that will join the MVR as source ports or receiver ports (see
"Configuring MVR Interface Status" on page 3-320).
3. Enable IGMP Snooping to a allow a subscriber to dynamically join or leave an
MVR group (see "Configuring IGMP Snooping and Query Parameters" on
page 3-302). Note that only IGMP version 2 or 3 hosts can issue multicast join or
leave messages.
4. For multicast streams that will run for a long term and be associated with a stable
set of hosts, you can statically bind the multicast group to the participating
interfaces (see "Assigning Static Multicast Groups to Interfaces" on page 3-322).
3-315
3
Configuring the Switch
Configuring Global MVR Settings
The global settings for Multicast VLAN Registration (MVR) include enabling or
disabling MVR for the switch, selecting the VLAN that will serve as the sole channel
for common multicast streams supported by the service provider, and assigning the
multicast group address for each of these services to the MVR VLAN.
Command Usage
IGMP snooping and MVR share a maximum number of 255 groups. Any multicast
streams received in excess of this limitation will be flooded to all ports in the
associated VLAN.
Command Attributes
• MVR Status – When MVR is enabled on the switch, any multicast data associated
with an MVR group is sent from all designated source ports, and to all receiver
ports that have registered to receive data from that multicast group.
(Default: Disabled)
• MVR Running Status – Indicates whether or not all necessary conditions in the
MVR environment are satisfied. (Running status is true as long as MVR Status is
enabled, and the specified MVR VLAN exists.)
• MVR VLAN – Identifier of the VLAN that serves as the channel for streaming
multicast services using MVR. MVR source ports should be configured as
members of the MVR VLAN (see "Adding Static Members to VLANs (VLAN Index)"
on page 3-223), but MVR receiver ports should not be manually configured as
members of this VLAN. (Range: 1-4094; Default: 1)
• MVR Group IP – IP address for an MVR multicast group. (Range: 224.0.1.0 239.255.255.255; Default: no groups are assigned to the MVR VLAN)
The IP address range of 224.0.0.0 to 239.255.255.255 is used for multicast
streams. MVR group addresses cannot fall within the reserved IP multicast
address range of 224.0.0.x.
• Count – The number of contiguous MVR group addresses. (Range: 1-255;
Default: 0)
3-316
Multicast VLAN Registration
3
Web – Click MVR, Configuration. Enable MVR globally on the switch, select the
MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and
then click Apply.
Figure 3-179 MVR Global Configuration
CLI – This example first enables IGMP snooping, enables MVR globally, and then
configures a range of MVR group addresses.
Console(config)#ip igmp snooping
Console(config)#mvr
Console(config)#mvr group 228.1.23.1 10
Console(config)#
4-395
4-412
4-412
3-317
3
Configuring the Switch
Displaying MVR Interface Status
You can display information about the interfaces attached to the MVR VLAN.
Field Attributes
• Type – Shows the MVR port type.
• Oper Status – Shows the link status.
• MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if
MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE”
only if there are subscribers receiving multicast traffic from one of the MVR groups,
or a multicast group has been statically assigned to an interface.
• Immediate Leave – Shows if immediate leave is enabled or disabled.
• Trunk Member19 – Shows if port is a trunk member.
Web – Click MVR, Port or Trunk Information.
Figure 3-180 MVR Port Information
CLI – This example shows information about interfaces attached to the MVR VLAN.
Console#show mvr
Port
Type
------- -------eth1/1 SOURCE
eth1/2 RECEIVER
Console#
interface
Status
------------ACTIVE/UP
ACTIVE/UP
19. Port Information only.
3-318
4-416
Immediate Leave
--------------Disable
Disable
3
Multicast VLAN Registration
Displaying Port Members of Multicast Groups
You can display the multicast groups assigned to the MVR VLAN either through
IGMP snooping or static configuration.
Field Attributes
• Group IP – Multicast groups assigned to the MVR VLAN.
• Group Port List – Shows the interfaces with subscribers for multicast services
provided through the MVR VLAN.
Web – Click MVR, Group IP Information.
Figure 3-181 MVR Group IP Information
CLI – This example following shows information about the interfaces associated with
multicast groups assigned to the MVR VLAN.
Console#show mvr
MVR Group IP
---------------225.0.0.1
225.0.0.2
225.0.0.3
225.0.0.4
225.0.0.5
225.0.0.6
225.0.0.7
225.0.0.8
225.0.0.9
225.0.0.10
Console#
interface
Status
Members
-------- ------ACTIVE
eth1/1(d), eth1/2(s)
INACTIVE None
INACTIVE None
INACTIVE None
INACTIVE None
INACTIVE None
INACTIVE None
INACTIVE None
INACTIVE None
INACTIVE None
4-416
3-319
3
Configuring the Switch
Configuring MVR Interface Status
Each interface that participates in the MVR VLAN must be configured as an MVR
source port or receiver port. If only one subscriber attached to an interface is
receiving multicast services, you can enable the immediate leave function.
Command Usage
• A port which is not configured as an MVR receiver or source port can use IGMP
snooping to join or leave multicast groups using the standard rules for multicast
filtering.
• Receiver ports can belong to different VLANs, but should not be configured as a
member of the MVR VLAN. IGMP snooping can be used to allow a receiver port to
dynamically join or leave multicast groups within an MVR VLAN. Multicast groups
can also be statically assigned to a receiver port (see "Assigning Static Multicast
Groups to Interfaces" on page 3-322). However, if a receiver port is statically
configured as a member of an MVR VLAN, its MVR status will be inactive. Also,
note that VLAN membership for MVR receiver ports cannot be set to trunk mode
(see "Configuring VLAN Behavior for Interfaces" on page 3-226).
• One or more interfaces may be configured as MVR source ports. A source port is
able to both receive and send data for multicast groups which it has joined through
IGMP snooping or which have been statically assigned (see "Assigning Static
Multicast Groups to Interfaces" on page 3-322).
• Immediate leave applies only to receiver ports. When enabled, the receiver port is
immediately removed from the multicast group identified in the leave message.
When immediate leave is disabled, the switch follows the standard rules by
sending a group-specific query to the receiver port and waiting for a response to
determine if there are any remaining subscribers for that multicast group before
removing the port from the group list.
- Using immediate leave can speed up leave latency, but should only be enabled
on a port attached to one multicast subscriber to avoid disrupting services to
other group members attached to the same interface.
- Immediate leave does not apply to multicast groups which have been statically
assigned to a port.
Command Attributes
• MVR Type – The following interface types are supported:
- Source – An uplink port that can send and receive multicast data for the groups
assigned to the MVR VLAN. Note that the source port must be manually
configured as a member of the MVR VLAN (see "Adding Static Members to
VLANs (VLAN Index)" on page 3-223).
- Receiver – A subscriber port that can receive multicast data sent through the
MVR VLAN. Any port configured as an receiver port will be dynamically added
to the MVR VLAN when it forwards an IGMP report or join message from an
attached host requesting any of the designated multicast services supported by
the MVR VLAN.
3-320
3
Multicast VLAN Registration
- Non-MVR – An interface that does not participate in the MVR VLAN. (This is the
default type.)
• Immediate Leave – Configures the switch to immediately remove an interface
from a multicast stream as soon as it receives a leave message for that group.
(This option only applies to an interface configured as an MVR receiver.)
• Trunk20 – Shows if port is a trunk member.
Web – Click MVR, Port or Trunk Configuration.
Figure 3-182 MVR Port Configuration
CLI – This example configures an MVR source port and receiver port, and then
enables immediate leave on the receiver port.
Console(config)#interface ethernet 1/1
Console(config-if)#mvr type source
Console(config-if)#exit
Console(config)#interface ethernet 1/2
Console(config-if)#mvr type receiver
Console(config-if)#mvr immediate
Console(config-if)#
4-414
4-414
4-414
20. Port Information only.
3-321
3
Configuring the Switch
Assigning Static Multicast Groups to Interfaces
For multicast streams that will run for a long term and be associated with a stable set
of hosts, you can statically bind the multicast group to the participating interfaces.
Command Usage
• Any multicast groups that use the MVR VLAN must be statically assigned to it
under the MVR Configuration menu (see"Configuring Global MVR Settings" on
page 3-316).
• The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast
streams. MVR group addresses cannot fall within the reserved IP multicast
address range of 224.0.0.x.
Command Attributes
• Interface – Indicates a port or trunk.
• Member – Shows the IP addresses for MVR multicast groups which have been
statically assigned to the selected interface.
• Non-Member – Shows the IP addresses for all MVR multicast groups which have
not been statically assigned to the selected interface.
Web – Click MVR, Group Member Configuration. Select a port or trunk from the
“Interface” field, and click Query to display the assigned multicast groups. Select a
multicast address from the displayed lists, and click the Add or Remove button to
modify the Member list.
Figure 3-183 MVR Group Member Configuration
CLI – This example statically assigns a multicast group to a receiver port.
Console(config)#interface ethernet 1/2
Console(config-if)#mvr group 228.1.23.1
Console(config-if)#
3-322
4-414
Multicast VLAN Registration
3
Configuring MVR Receiver VLAN and Group Addresses
Multicast traffic forwarded to subscribers is normally stripped of frame tags to
prevent hosts from discovering the identity of the MVR VLAN. An MVR Receiver
VLAN and the multicast services supported by this VLAN can be configured to hide
the MVR VLAN, while allowing multicast traffic with frame tags to be forwarded to
subscribers.
If a port is manually assigned to the receiver VLAN as a tagged member, multicast
traffic forwarded to the subscriber will also carry tags.
Command Attributes
• MVR Receiver VLAN – Allows multicast traffic to be forwarded from the specified
Receiver VLAN without revealing the identity of the MVR VLAN in tagged frames.
(Range: 1-4094)
• MVR Receiver Group IP Address – Specifies groups to be managed through the
receiver VLAN.
Web – Click MVR, Receiver Configuration. Select a VLAN from the “MVR Receiver
VLAN” field, enter the required multicast groups in the member list, and then click
the Add or Remove button to modify the list.
Figure 3-184 MVR Receiver VLAN Configuration
CLI – This example configures the MVR receiver group and two MVR receiver
groups.
Console(config)#mvr receiver-vlan 2
Console(config)#mvr receiver-group 224.0.1.1
Console(config)#mvr receiver-group 224.0.1.2
Console(config)#
4-412
3-323
3
Configuring the Switch
Displaying MVR Receiver Groups
Interfaces assigned to the MVR receiver groups can be displayed using the
Receiver Group IP Information page.
Field Attributes
• Group IP Address – Multicast groups assigned to the MVR Receiver VLAN.
• Group Port List – Interfaces with subscribers for multicast services provided
through the MVR Receiver VLAN.
Web – Click MVR, Receiver Group IP Information. Select a receiver group multicast
address from the “Group IP Address” field to show the interfaces which have joined
the selected group.
Figure 3-185 MVR Receiver Group Address Table
CLI – This example shows the interfaces which have joined MVR receiver groups,
and the status of MVR traffic for each group.
Console#show mvr receiver-group members
MVR Group IP
Status
Members
---------------- -------- ------224.0.1.1
ACTIVE
eth1/5
224.0.2.2
INACTIVE None
Console#
3-324
4-416
Multicast VLAN Registration
3
Configuring Static MVR Receiver Group Members
You can statically assign a multicast receiver group to the selected interface using
the Receiver Group Member Configuration page.
Field Attributes
• Interface – Indicates a port or trunk.
• Group Address List – Multicast receiver groups assigned to the selected
interface. Note that the displayed multicast services have been configured as a
receiver group to be managed through the MVR receiver VLAN (see "Configuring
MVR Receiver VLAN and Group Addresses" on page 3-323).
Web – Click MVR, Receiver Group Member Configuration. Select a port or trunk
from the “Interface” field, select a multicast group address from the member list, and
then click the Add or Remove button to modify the list.
Figure 3-186 Static MVR Receiver Group Member Configuration
CLI – This example sets the type of a port as an MVR receiver, and then statically
assigns an MVR receiver group to the MVR receiver VLAN.
Console(config)#interface ethernet 1/8
Console(config-if)#mvr type receiver
onsole(config-if)#mvr static-receiver-group 225.0.1.6
onsole(config-if)#
4-414
3-325
3
Configuring the Switch
Domain Name Service
The Domain Naming System (DNS) service on this switch allows host names to be
mapped to IP addresses using static table entries or by redirection to other name
servers on the network. When a client device designates this switch as a DNS
server, the client will attempt to resolve host names into IP addresses by forwarding
DNS queries to the switch, and waiting for a response.
You can manually configure entries in the DNS table used for mapping domain
names to IP addresses, configure default domain names, or specify one or more
name servers to use for domain name to address translation.
Configuring General DNS Service Parameters
Command Usage
• To enable DNS service on this switch, first configure one or more name servers,
and then enable domain lookup status.
• To append domain names to incomplete host names received from a DNS client
(i.e., not formatted with dotted notation), you can specify a default domain name or
a list of domain names to be tried in sequential order.
• If there is no domain list, the default domain name is used. If there is a domain list,
the system will search it for a corresponding entry. If none is found, the default
domain name is used.
• When an incomplete host name is received by the DNS service on this switch and
a domain name list has been specified, the switch will work through the domain list,
appending each domain name in the list to the host name, and checking with the
specified name servers for a match.
• When more than one name server is specified, the servers are queried in the
specified sequence until a response is received, or the end of the list is reached
with no response.
• Note that if all name servers are deleted, DNS will automatically be disabled.
Command Attributes
• Domain Lookup Status – Enables DNS host name-to-address translation.
• Default Domain Name21 – Defines the default domain name appended to
incomplete host names. (Range: 1-64 alphanumeric characters)
• Domain Name List21 – Defines a list of domain names that can be appended to
incomplete host names. (Range: 1-64 alphanumeric characters. 1-5 names)
• Name Server List – Specifies the address of one or more domain name servers
to use for name-to-address resolution. (Range: 1-6 IP addresses)
21. Do not include the initial dot that separates the host name from the domain name.
3-326
3
Domain Name Service
Web – Select DNS, General Configuration. Set the default domain name or list of
domain names, specify one or more name servers to use to use for address
resolution, enable domain lookup status, and click Apply.
Figure 3-187 DNS General Configuration
CLI - This example sets a default domain name and a domain list. However,
remember that if a domain list is specified, the default domain name is not used.
Console(config)#ip domain-name sample.com
Console(config)#ip domain-list sample.com.uk
Console(config)#ip domain-list sample.com.jp
Console(config)#ip name-server 192.168.1.55 10.1.0.55
Console(config)#ip domain-lookup
Console#show dns
Domain Lookup Status:
DNS enabled
Default Domain Name:
.sample.com
Domain Name List:
.sample.com.uk
.sample.com.jp
Name Server List:
192.168.1.55
10.1.0.55
Console#
4-421
4-421
4-422
4-423
4-424
3-327
3
Configuring the Switch
Configuring Static DNS Host to Address Entries
You can manually configure static entries in the DNS table that are used to map
domain names to IP addresses.
Command Usage
• Static entries may be used for local devices connected directly to the attached
network, or for commonly used resources located elsewhere on the network.
• Servers or other network devices may support one or more connections via
multiple IP addresses. If more than one IP address is associated with a host name
in the static table or via information returned from a name server, a DNS client can
try each address in succession, until it establishes a connection with the target
device.
Field Attributes
• Host Name – Name of a host device that is mapped to one or more IP addresses.
(Range: 1-64 characters)
• IP Address – Internet address(es) associated with a host name.
(Range: 1-8 addresses)
3-328
Domain Name Service
3
Web – Select DNS, Static Host Table. Enter a host name and one or more
corresponding addresses, then click Apply.
Figure 3-188 DNS Static Host Table
CLI - This example maps two address to a host name.
Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#ip host rd6 10.1.0.55
Console#show hosts
4-419
4-424
Hostname
rd5
Inet address
10.1.0.55 192.168.1.55
Console#
3-329
3
Configuring the Switch
Displaying the DNS Cache
You can display entries in the DNS cache that have been learned via the designated
name servers.
Field Attributes
• No – The entry number for each resource record.
• Flag – The flag is always “4” indicating a cache entry and therefore unreliable.
• Type – This field includes ADDRESS which specifies the host address for the
owner, and CNAME which specifies an alias.
• IP – The IP address associated with this record.
• TTL – The time to live reported by the name server.
• Domain – The domain name associated with this record.
Web – Select DNS, Cache.
Figure 3-189 DNS Cache
CLI - This example displays all the resource records learned from the designated
name servers.
Console#show dns cache
NO
FLAG
TYPE
0
4
Address
1
4
Address
2
4
Address
3
4
CNAME
4
4
CNAME
Console#
3-330
DOMAIN
www.times.com
a1116.x.akamai.net
a1116.x.akamai.net
graphics8.nytimes.com
graphics478.nytimes.com.edgesui
TTL
198
19
19
19
19
4-425
IP
199.239.136.200
61.213.189.120
61.213.189.104
POINTER TO:2
POINTER TO:2
Switch Clustering
3
Switch Clustering
Switch Clustering is a method of grouping switches together to enable centralized
management through a single unit. Switches that support clustering can be grouped
together regardless of physical location or switch type, as long as they are
connected to the same local network.
Command Usage
• A switch cluster has a “Commander” unit that is used to manage all other “Member”
switches in the cluster. The management station can use both Telnet and the web
interface to communicate directly with the Commander through its IP address,
while the Commander manages Member switches using cluster “internal” IP
addresses.
• Clustered switches must be in the same Ethernet broadcast domain. In other
words, clustering only functions for switches which can pass information between
the Commander and potential Candidates or active Members through VLAN 4093.
• Once a switch has been configured to be a cluster Commander, it automatically
discovers other cluster-enabled switches in the network. These “Candidate”
switches only become cluster Members when manually selected by the
administrator through the management station.
• There can be up to 100 candidates and 36 member switches in one cluster.
• A switch can only be a member of one cluster.
• After the Commander and Members have been configured, any switch in the
cluster can be managed from the web agent by choosing the desired Member ID
from the Cluster drop down menu. To connect to the Member switch from the
Commander CLI prompt, use the rcommand (see page 4-84) .
Figure 3-190 Cluster Member Choice
Configuring General Settings for Clusters
To create a switch cluster, first be sure that clustering is enabled on the switch (the
default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP
Pool that does not conflict with the network IP subnet. Cluster IP addresses are
assigned to switches when they become Members and are used for communication
between Member switches and the Commander.
3-331
3
Configuring the Switch
Command Attributes
• Cluster Status – Enables or disables clustering on the switch. (Default: Enabled)
• Cluster Commander – Enables or disables the switch as a cluster Commander.
(Default: Disabled)
• Role – Indicates the current role of the switch in the cluster; either Commander,
Member, or Candidate. (Default: Candidate)
• Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses
to Member switches in the cluster. Internal cluster IP addresses are in the form
10.x.x.member-ID. Only the base IP address of the pool needs to be set since
Member IDs can only be between 1 and 36. Note that you cannot change the cluster
IP pool when the switch is currently in Commander mode. Commander mode must first
be disabled. (Default: 10.254.254.1)
• Number of Members – The current number of Member switches in the cluster.
• Number of Candidates – The current number of Candidate switches discovered
in the network that are available to become Members.
Web – Click Cluster, Configuration. Set the required attributes for a Commander or a
managed candidate, and click Apply.
Figure 3-191 Cluster Configuration
CLI – This example first enables clustering on the switch, sets the switch as the
cluster Commander, and then configures the cluster IP pool.
Console(config)#cluster
Console(config)#cluster commander
Console(config)#cluster ip-pool 10.2.3.4
Console(config)#exit
Console#show cluster
Role:
commander
Interval heartbeat:
30
Heartbeat loss count: 3
Number of Members:
0
Number of Candidates: 0
Console#
3-332
4-82
4-82
4-83
4-85
3
Switch Clustering
Cluster Member Configuration
Adds Candidate switches to the cluster as Members.
Command Attributes
• Member ID – Specify a Member ID number for the selected Candidate switch.
(Range: 1-36)
• MAC Address – Select a discovered switch MAC address from the Candidate
Table, or enter a specific MAC address of a known switch.
Web – Click Cluster, Member Configuration.
Figure 3-192 Cluster Member Configuration
CLI – This example creates a new cluster Member by specifying the Candidate
switch MAC address and setting a Member ID.
Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
4-84
Console(config)#end
Console#show cluster candidates
4-85
Cluster Candidates:
Role
Mac
Description
--------------- ----------------- -----------------------------------ACTIVE MEMBER
00-12-cf-23-49-c0 SM24-100SFP-AH
CANDIDATE
00-12-cf-0b-47-a0 SM24-100SFP-AH
Console#
3-333
3
Configuring the Switch
Displaying Information on Cluster Members
Use the Cluster Member Information page to display information on current cluster
Member switches.
Command Attributes
•
•
•
•
•
Member ID – The ID number of the Member switch. (Range: 1-36)
Role – Indicates the current status of the switch in the cluster.
IP Address – The internal cluster IP address assigned to the Member switch.
MAC Address – The MAC address of the Member switch.
Description – The system description string of the Member switch.
Web – Click Cluster, Member Information.
Figure 3-193 Cluster Member Information
CLI – This example shows information about cluster Member switches.
Vty-0#show cluster members
Cluster Members:
ID:
1
Role:
Active member
IP Address: 10.254.254.2
MAC Address: 00-12-cf-23-49-c0
Description: 24/48 L2/L4 IPV4/IPV6 GE Switch
Vty-0#
3-334
4-85
Switch Clustering
3
Cluster Candidate Information
Use the Cluster Candidate Information page to display information about discovered
switches in the network that are already cluster Members or are available to become
cluster Members.
Command Attributes
• Role – Indicates the current status of Candidate switches in the network.
• MAC Address – The MAC address of the Candidate switch.
• Description – The system description string of the Candidate switch.
Web – Click Cluster, Candidate Information.
Figure 3-194 Cluster Candidate Information
CLI – This example shows information about cluster Candidate switches.
Vty-0#show cluster candidates
Cluster Candidates:
Role
Mac
--------------- ----------------ACTIVE MEMBER
00-12-cf-23-49-c0
CANDIDATE
00-12-cf-0b-47-a0
Vty-0#
4-85
Description
----------------------------------------24/48 L2/L4 IPV4/IPV6 GE Switch
24/48 L2/L4 IPV4/IPV6 GE Switch
3-335
3
Configuring the Switch
UPnP
Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect
seamlessly and simplifies the deployment of home and office networks. UPnP
achieves this by issuing UPnP device control protocols designed upon open,
Internet-based communication standards.
The first step in UPnP networking is discovery. When a device is added to the
network, the UPnP discovery protocol allows that device to broadcast its services to
control points on the network. Similarly, when a control point is added to the network,
the UPnP discovery protocol allows that control point to search for UPnP enabled
devices on the network.
Once a control point has discovered a device its next step is to learn more about the
device and its capabilities by retrieving the device's description from the URL
provided by the device in the discovery message. After a control point has retrieved
a description of the device, it can send actions to the device’s service. To do this, a
control point sends a suitable control message to the control URL for the service
(provided in the device description).
When a device is known to the control point, periodic event notification messages
are sent. A UPnP description for a service includes a list of actions the service
responds to and a list of variables that model the state of the service at run time.
If a device has a URL for presentation, then the control point can retrieve a page
from this URL, load the page into a web browser, and depending on the capabilities
of the page, allow a user to control the device and/or view device status.
Using UPnP under Windows XP –
To access or manage the switch with
the aid of UPnP under Windows XP,
open My Network Places in the
Explore file manager. An entry for
“EL228” will appear in the list
of discovered devices. Double-click on
this entry to access the switch’s web
management interface. Or right-click
on the entry and select “Properties” to
display a list of device attributes
advertised through UPnP.
3-336
3
UPnP
UPnP Configuration
Use the UPnP Configuration page to enable or disable UPnP, and to set
advertisement and time out values.
Command Attributes
• UPNP Status – Enables/disables UPnP on the device. (Default: Disabled)
• Advertising Duration – This sets the duration of which a device will advertise its
status to the control point. (Range: 60-86400 seconds; Default: 100 seconds)
• TTL Value – Sets the time-to-live (TTL) value for UPnP messages transmitted by
the device. (Range: 1-255; Default: 4)
Web – Click UPNP, Configuration and enter the desired variables.
Figure 3-195 UPnP Configuration
CLI – This example enables UPnP, sets the device advertise duration to 200
seconds, the device TTL to 6, and displays information about basic UPnP
configuration.
Console(config)#upnp device
Console(config)#upnp device advertise duration 200
Console(config)#upnp device ttl 6
Console(config)#end
Console#show upnp
UPnP global settings:
Status:
Enabled
Advertise duration:
200
TTL:
6
Console#
4-86
4-87
4-87
4-88
3-337
Configuring the Switch
Real-Time-Ring™ (RTR) Guidelines and Setup
Important Note:
Make sure you have firmware v1.3.4.0 or newer when using RTR.
Overview:
The Real-Time-Ring™ (here after referred to as RTR) allows you to connect the switches
into a ring as shown in the diagram below. The switches will automatically select a master
switch (or you can chose one) which will break one of its ring connections and make that the
backup path. If there is a failure anywhere else in the ring the master will quickly enable the
backup path and instruct all the other switches to reroute their data accordingly. This
recovery can happen as fast as <10 milliseconds/hop (small network with low load).
Backup Path
Operation:
With a typical Ethernet network, messages are intelligently routed for the sake of increasing
the efficiency and reliability of your network. By using RTR you can implement redundant
paths for a even more resilient network. Ring topology is very popular for path redundancy
because no matter where in the ring that a path gets “cut”, all devices connected to a node
in the ring will still be able to communicate with each other.
A switch without RTR or other redundancy protocol (such as RSTP) enabled cannot be
connected into a ring because messages will continuously be re-broadcast causing a
broadcast storm. Broadcast storms will quickly bring the network to a halt.
RTR versus RSTP:
RTR is a proprietary protocol (only found in Sixnet switches) and is designed for very fast
recovery with simple ring networks. RTR can have any number of switches in a ring but <50
is recommended for best performance. The total recovery time can be as fast as 50 ms but
increases with the number of switches and the network load.
RSTP (Rapid Spanning Tree Protocol) is an industry standard (found in most managed
switches) and is designed for ring or mesh network configurations but the recovery time is
slower (1 to 2 seconds typically). RSTP allow up to 40 switches in a ring.
3-338
RTR
Ring Algorithm and Performance:
The RTR feature utilizes a special algorithm that assures very fast recovery times. Each
RTR switch utilizes this high-speed algorithm to keep track of the health of the ring. In a
healthy ring (a complete ring), one ring switch will be automatically picked to act as a master
(switch with lowest MAC address) for the ring network. Alternatively, you can designate one
of your ring switches to be the master. It is the master switch’s job to determine which one of
its local ring ports are to be in the forwarding or backup state. The ring port chosen to be in
the backup state is where the backup segment of the ring will be. By default, the ring port
with the higher port number will become the backup port.
All RTR switches in the ring must have a way to keep track of each other in case a failure in
communication occurs along the ring. To keep track of the health of the ring, the RTR
switches periodically send test messages to each other. Therefore, when a ring gets “cut” at
a certain location, the RTR switches will know and they will take the appropriate action to
bring the network back online. The time that it takes for the last RTR switch to “know” and
take appropriate action to rectify the communication problem will be when the network
“recovers”.
Recovery time can be estimated by multiplying 10 ms (low network load) to 50 ms (high
network load) times the number of switches. For example, a ring of 10 EL Series switches
would have a recovery time of 100 to 500 ms depending on the network load. Whereas,
standard RSTP would offer a recovery time of typically 1 to 2 seconds.
Master Switch Selection:
As mentioned above, the RTR switch with the lowest MAC address will automatically
become the master and block one of its ports (highest number port). Alternatively, you can
designate one of your ring switches to be the master. This advanced capability allows you to
control where the backup port will be in your network. It is recommended that only one ring
switch be designated as the master. If more than one is designated as the master then the
one with the lowest MAC address will prevail.
Configuring Rings:
First and foremost, make sure that ring operation is enabled for the appropriate ports. In
other words it is required to tell the switch what ports it is going to use as ring ports. Never
wire a switch in a ring topology without having defined the ring ports and enabled the RTR.
3-339
Configuring the Switch
Valid Ring Topologies:
Below are examples of how you should wire your RTR switches together. In general, you
should keep your topology simple.
9
9
9
9
Invalid Ring Topologies:
The examples below are invalid ring topologies. Do NOT connect RTR switches in the ways
shown below, as they will lead to unpredictable network performance. Paths indicated by the
color red create unintended rings (see unintended rings example below).
;
;
;
;
3-340
RTR
Unintended Rings Example:
Refer to the diagram below. In this example, RTR switches A and B have been software
configured for two rings each. RTR switches C and D have been software configured for one
ring each. The physical connections for the two rings are shown in blue and red.
Since the rule for configuring RTR switches is to make sure that each RTR switch knows
about all rings that are attached to it, it would appear that the example below is legal.
However, this is not the case. There are actually more than two ring paths that were
created. There are multiple paths that traffic can use to move from switch A and back to
switch A. The same applies to switch B. These unintended RTR paths that switch A and
switch B don’t know about are labeled as Unintended Rings A, B, C, and D.
Since RTR switch A and RTR switch B don’t know about these extra ring paths, they aren’t
included in A or B’s ring algorithm. Paths that are not included in the ring algorithm will result
in harmful broadcast storms.
A
C
D
B
Intended Rings
Blue = Ring 1
Red = Ring 2
Unintended Rings
Green = Unintended Ring A
Orange = Unintended Ring B
Unintended Rings
Purple = Unintended Ring C
Pink = Unintended Ring D
3-341
Configuring the Switch
Real-Time-Ring™ (RTR) Configuration
Configuration Via HTTP Web Interface:
1. Open the RTR Configuration page (Home>RTR>Configuration)
2. Enable a Ring by checking the “Enabled” check box, and assigning a Primary and
Backup Port.
3. Press the “Apply” button to set the configuration.
Note: Real-Time-Ring cannot be enabled on any port with Spanning Tree enabled, so be
sure to disable Spanning Tree/RSTP on the ports before enabling Real-Time-Ring. If
Spanning Tree is accidentally left enabled, the error “Invalid Data” will be displayed. Consult
“Spanning Tree” section for instructions on how to disable Spanning Tree/RSTP.
3-342
RTR
Real-Time-Ring Status Via HTTP Web Interface:
Open the RTR Configuration page (Home>RTR>Information).
The RTR Information Page will display the status of the Real-Time-Rings configured.
•
Number of Supported rings − The total number of rings the switch can enable
simultaneously.
•
Ring Master − The master switch will have this enabled.
•
Ring Status − The status of each configured ring, including port status of both ring
ports.
3-343
Configuring the Switch
Configuration Via Command Line Interface:
CLI – This example disables Spanning Tree Protocol, disables fixed master switch mode so
that the master is automatically assigned, and sets the Real-Time-Ring to Ports 25 and 26.
Username: admin
Password:
CLI session with the EL228 is opened.
To end the CLI session, enter [Exit].
Console#config
Console(config)#interface ethernet 1/25
Console(config)#no channel-group
Console(config)#spanning-tree spanning-disabled
Console(config)#exit
Console(config)#interface ethernet 1/26
Console(config)#no channel-group
Console(config)#spanning-tree spanning-disabled
Console(config)#exit
Console(config)#no rtr master
Console(config)#rtr 1
Console(config)#enable
Console(config)#name kema
Console(config)#port primary-port ethernet 1/25 backup-port ethernet 1/26
Console(config)#end
Recommendations for Optimizing Real-Time-Ring Performance:
To achieve quickest failover recovery performance on a Real-Time-Ring, the following
conditions must be observed:
1) Fiber Optic Networks can have a complete TX and RX break, or a break in only one
direction (TX or RX). The latter situation takes slightly longer to detect. RTR
performance on fiber optic ports therefore may be slightly slower depending on the
type of break that occurs. Copper Ethernet ports with the Loss of Signal (LOS)
detection typically provide for better recovery times.
2) Gigabit speed copper ports have a slower Loss of Signal notification than 100
Megabit copper ports. Use 100 Megabit copper (for example: Ports #25 and #26
configured for 100M speed) to achieve fastest possible RTR recovery time.
3-344
Chapter 4: Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).
Using the Command Line Interface
Accessing the CLI
When accessing the management interface for the switch over a direct connection
to the server’s console port, or via a Telnet connection, the switch can be managed
by entering command keywords and parameters at the prompt. Using the switch's
command-line interface (CLI) is very similar to entering commands on a UNIX
system.
Console Connection
To access the switch through the console port, perform these steps:
1.
At the console prompt, enter the user name and password. (The default user
names are “admin” and “guest” with corresponding passwords of “admin” and
“guest.”) When the administrator user name and password is entered, the CLI
displays the “Console#” prompt and enters privileged access mode
(i.e., Privileged Exec). But when the guest user name and password is entered,
the CLI displays the “Console>” prompt and enters normal access mode
(i.e., Normal Exec).
2.
Enter the necessary commands to complete your desired tasks.
3.
When finished, exit the session with the “quit” or “exit” command.
After connecting to the system through the console port, the login screen displays:
User Access Verification
Username: admin
Password:
CLI session with the EL228 is opened.
To end the CLI session, enter [Exit].
Console#
4-1
4
Command Line Interface
Telnet Connection
Telnet operates over the IP transport protocol. In this environment, your
management station and any network device you want to manage over the network
must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255,
separated by periods. Each address consists of a network portion and host portion.
For example, the IP address assigned to this switch, 10.1.0.1, with subnet mask
255.255.255.0, consists of a network portion (10.1.0) and a host portion (1).
Note: The IP address for this switch is obtained via DHCP by default.
To access the switch through a Telnet session, you must first set the IP address for
the Master unit, and set the default gateway if you are managing the switch from a
different IP subnet. For example,
Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.254 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.254
If your corporate network is connected to another network outside your office or to
the Internet, you need to apply for a registered IP address. However, if you are
attached to an isolated network, then you can use any IP address that matches the
network segment to which you are attached.
After you configure the switch with an IP address, you can open a Telnet session by
performing these steps:
1.
From the remote host, enter the Telnet command and the IP address of the
device you want to access.
2.
At the prompt, enter the user name and system password. The CLI will display
the “Vty-n#” prompt for the administrator to show that you are using privileged
access mode (i.e., Privileged Exec), or “Vty-n>” for the guest to show that you
are using normal access mode (i.e., Normal Exec), where n indicates the
number of the current Telnet session.
3.
Enter the necessary commands to complete your desired tasks.
4.
When finished, exit the session with the “quit” or “exit” command.
After entering the Telnet command, the login screen displays:
Username: admin
Password:
CLI session with the EL228 is opened.
To end the CLI session, enter [Exit].
Vty-0#
Note: You can open up to four sessions to the device via Telnet.
4-2
Entering Commands
4
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a
command, and arguments specify configuration parameters. For example, in the
command “show interfaces status ethernet 1/5,” show interfaces and status are
keywords, ethernet is an argument that specifies the interface type, and 1/5
specifies the unit/port.
You can enter commands as follows:
• To enter a simple command, enter the command keyword.
• To enter multiple commands, enter each command in the required order. For
example, to enable Privileged Exec command mode, and display the startup
configuration, enter:
Console>enable
Console#show startup-config
• To enter commands that require parameters, enter the required parameters after
the command keyword. For example, to set a password for the administrator,
enter:
Console(config)#username admin password 0 smith
Minimum Abbreviation
The CLI will accept a minimum number of characters that uniquely identify a
command. For example, the command “configure” can be entered as con. If an
entry is ambiguous, the system will prompt for further input.
Command Completion
If you terminate input with a Tab key, the CLI will print the remaining characters of a
partial keyword up to the point of ambiguity. In the “logging history” example, typing
log followed by a tab will result in printing the command up to “logging.”
Getting Help on Commands
You can display a brief description of the help system by entering the help
command. You can also display command syntax by using the “?” character to list
keywords or parameters.
4-3
4
Command Line Interface
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of
keywords for the current command class (Normal Exec or Privileged Exec) or
configuration class (Global, ACL, Interface, Line or VLAN Database). You can also
display a list of valid keywords for a specific command. For example, the command
“show ?” displays a list of possible show commands:
Console#show ?
access-group
access-list
accounting
arp
auto-traffic-control
banner
bridge-ext
calendar
class-map
cluster
debug
dns
dot1q-tunnel
dot1x
efm
garp
gvrp
history
interfaces
ip
ipv6
lacp
line
lldp
log
logging
mac
mac-address-table
mac-vlan
management
map
memory
mvr
network-access
ntp
policy-map
port
privilege
process
protocol-vlan
public-key
pvlan
queue
radius-server
reload
running-config
sflow
snmp
sntp
spanning-tree
ssh
4-4
Access groups
Access lists
Uses an accounting list with this name
Information of ARP cache
Auto traffic control information
Banner info
Bridge extension information
Date and time information
Displays class maps
Display cluster
State of each debugging option
DNS information
802.1Q tunnel ports information
802.1x content
Ethernet First Mile feature
GARP properties
GVRP interface information
History information
Interface information
IP information
IPv6 information
LACP statistics
TTY line information
LLDP
Login records
Logging setting
MAC access list
Shows the MAC address table
MAC-based VLAN information
Show management information
Maps priority
Memory utilization
Shows MVR global parameters
Shows the entries of the secure port.
Network Time Protocol configuration
Displays policy maps
Port characteristics
Shows current privilege level
Device process
Protocol-VLAN information
Public key information
Shows the Private VLAN information
Priority queue information
RADIUS server information
Shows the reload settings
Information on the running configuration
Shows the sflow information
Simple Network Management Protocol statistics
Simple Network Time Protocol configuration
Spanning-tree configuration
Secure shell server connections
Entering Commands
startup-config
subnet-vlan
system
tacacs-server
tech-support
upnp
users
version
vlan
voice
web-auth
Console#show
4
Startup system configuration
IP subnet-based VLAN information
System information
TACACS server settings
Technical information
UPnP settings
Information about terminal lines
System hardware and software versions
Virtual LAN settings
Shows the voice VLAN information
Shows web authentication configuration
The command “show interfaces ?” will display the following information:
Console#show interfaces ?
brief
brief interface description
counters
Interface counters information
status
Interface status information
switchport Interface switchport information
Console#show interfaces
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the
initial letters are provided. (Remember not to leave a space between the command
and question mark.) For example “s?” shows all the keywords starting with “s.”
Console#show s?
sflow
snmp
startup-config subnet-vlan
sntp
system
spanning-tree
ssh
Console#show s
Negating the Effect of Commands
For many configuration commands you can enter the prefix keyword “no” to cancel
the effect of a command or reset the configuration to the default value. For example,
the logging command will log system messages to a host server. To disable
logging, specify the no logging command. This guide describes the negation effect
for all applicable commands.
Using Command History
The CLI maintains a history of commands that have been entered. You can scroll
back through the history of commands by pressing the up arrow key. Any command
displayed in the history list can be executed again, or first modified and then
executed.
Using the show history command displays a longer list of recently executed
commands.
4-5
4
Command Line Interface
Understanding Command Modes
The command set is divided into Exec and Configuration classes. Exec commands
generally display information on system status or clear statistical counters.
Configuration commands, on the other hand, modify interface parameters or enable
certain switching functions. These classes are further divided into different modes.
Available commands depend on the selected mode. You can always enter a
question mark “?” at the prompt to display a list of the commands available for the
current mode. The command classes and associated modes are displayed in the
following table:
Table 4-1 Command Modes
Class
Mode
Exec
Normal
Privileged
Configuration
Global*
Access Control List
Class Map
Interface
Line
Multiple Spanning Tree
Policy Map
Server Group
VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode.
You must be in Global Configuration mode to access any of the other configuration modes.
Exec Commands
When you open a new console session on the switch with the user name and
password “guest,” the system enters the Normal Exec command mode (or guest
mode), displaying the “Console>” command prompt. Only a limited number of the
commands are available in this mode. You can access all commands only from the
Privileged Exec command mode (or administrator mode). To access Privilege Exec
mode, open a new console session with the user name and password “admin.” The
system will now display the “Console#” command prompt. You can also enter
Privileged Exec mode from within Normal Exec mode, by entering the enable
command, followed by the privileged level password “super” (page 4-111).
To enter Privileged Exec mode, enter the following user names and passwords:
Username: admin
Password: [admin login password]
CLI session with the EL228 is opened.
To end the CLI session, enter [Exit].
Console#
4-6
Entering Commands
4
Username: guest
Password: [guest login password]
CLI session with the EL228 is opened.
To end the CLI session, enter [Exit].
Console>enable
Password: [privileged level password]
Console#
Configuration Commands
Configuration commands are privileged level commands used to modify switch
settings. These commands modify the running configuration only and are not saved
when the switch is rebooted. To store the running configuration in non-volatile
storage, use the copy running-config startup-config command.
The configuration commands are organized into different modes:
• Global Configuration - These commands modify the system level configuration,
and include commands such as hostname and snmp-server community.
• Access Control List Configuration - These commands are used for packet filtering.
• Class Map Configuration - Creates a DiffServ class map for a specified traffic type.
• Interface Configuration - These commands modify the port configuration such as
speed-duplex and negotiation.
• Line Configuration - These commands modify the console port and Telnet
configuration, and include command such as parity and databits.
• Multiple Spanning Tree Configuration - These commands configure settings for the
selected multiple spanning tree instance.
• Policy Map Configuration - Creates a DiffServ policy map for multiple interfaces.
• Server Group Configuration - Adds security servers to defined lists.
• VLAN Configuration - Includes the command to create VLAN groups.
To enter the Global Configuration mode, enter the command configure in Privileged
Exec mode. The system prompt will change to “Console(config)#” which gives you
access privilege to all Global Configuration commands.
Console#configure
Console(config)#
4-7
4
Command Line Interface
To enter the other modes, at the configuration prompt type one of the following
commands. Use the exit or end command to return to the Privileged Exec mode.
Table 4-2 Configuration Modes
Mode
Command
Prompt
Line
line {console | vty}
Console(config-line)
Access
Control List
access-list arp
access-list ip standard
access-list ip extended
access-list ipv6 standard
access-list ipv6 extended
access-list mac
Console(config-arp-acl)
Console(config-std-acl)
Console(config-ext-acl)
Console(config-std-ipv6-acl)
Console(config-ext-ipv6-acl)
Console(config-mac-acl)
4-213
4-202
4-202
4-208
4-208
4-216
Class Map
class map
Console(config-cmap)
4-388
Interface
interface {ethernet port | port-channel id| vlan id} Console(config-if)
4-222
MSTP
spanning-tree mst-configuration
Console(config-mstp)
4-277
Policy Map
policy map
Console(config-pmap)
4-388
Server Group aaa group server {radius | tacacs+}
Console(config-sg-radius)
Console(config-sg-tacacs+)
4-125
VLAN
Console(config-vlan)
4-301
vlan database
Page
4-45
For example, you can use the following commands to enter interface configuration
mode, and then return to Privileged Exec mode
Console(config)#interface ethernet 1/5
.
.
.
Console(config-if)#exit
Console(config)#
4-8
Entering Commands
4
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters
as long as they contain enough letters to differentiate them from any other currently
available commands or parameters. You can use the Tab key to complete partial
commands, or enter a partial command followed by the “?” character to display a list
of possible matches. You can also use the following editing keystrokes for
command-line processing:
Table 4-3 Command Line Processing
Keystroke
Function
Ctrl-A
Shifts cursor to start of command line.
Ctrl-B
Shifts cursor to the left one character.
Ctrl-C
Terminates the current task and displays the command prompt.
Ctrl-E
Shifts cursor to end of command line.
Ctrl-F
Shifts cursor to the right one character.
Ctrl-K
Deletes all characters from the cursor to the end of the line.
Ctrl-L
Repeats current command line on a new line.
Ctrl-N
Enters the next command line in the history buffer.
Ctrl-P
Enters the last command.
Ctrl-R
Repeats current command line on a new line.
Ctrl-U
Deletes from the cursor to the beginning of the line.
Ctrl-W
Deletes the last word typed.
Esc-B
Moves the cursor back one word.
Esc-D
Deletes from the cursor to the end of the word.
Esc-F
Moves the cursor forward one word.
Delete key or backspace key
Erases a mistake when entering a command.
4-9
4
Command Line Interface
Command Groups
The system commands can be broken down into the functional groups shown below.
Table 4-4 Command Groups
Command Group
Description
General
Basic commands for entering privileged access mode, restarting the
system, or quitting the CLI
4-11
System Management
Display and setting of system information, basic modes of operation,
maximum frame size, file management, console port and telnet settings,
system logs, SMTP alerts, system clock, switch clustering, and UPnP
4-18
Simple Network
Management Protocol
Activates authentication failure traps; configures community access
strings, and trap managers
4-88
Flow Sampling
Samples traffic flows, and forwards data to designated collector
4-103
Authentication
Configures user names and passwords, logon access using local or
remote authentication (including AAA), management access through
the web server, Telnet server and Secure Shell; as well as port security,
IEEE 802.1X port access control, and restricted access based on
specified IP addresses
4-109
General Security
Measures
Segregates traffic for clients attached to common data ports; and
prevents unauthorized access by configuring valid static or dynamic
addresses, web authentication, MAC address authentication, filtering
DHCP requests and replies, and discarding invalid ARP responses
4-159
Access Control List
Provides filtering for IPv4 frames (based on address, protocol, TCP/
UDP port number, TCP control code, ARP request/response packets),
IPv6 frames (based on destination address or DSCP), or non-IP
frames (based on MAC address or Ethernet type)
4-200
Interface
Configures the connection parameters for all Ethernet ports,
aggregated links, and VLANs
4-221
Automatic Traffic Control
Configures bounding thresholds for broadcast and multicast storms
which can be used to trigger configured rate limits or to shut down a port
4-235
Link Aggregation
Statically groups multiple ports into a single logical trunk; configures
Link Aggregation Control Protocol for port trunks
4-250
Mirror Port
Mirrors data to a port for analysis without affecting the data passing
through or the performance of the monitored port or VLAN
4-262
Rate Limiting
Controls the maximum rate for traffic transmitted or received on a port
4-265
Address Table
Configures the address table for filtering specified addresses, displays
current entries, clears the table, or sets the aging time
4-266
Spanning Tree
Configures Spanning Tree settings for the switch
4-270
VLANs
Configures VLAN settings, and defines port membership for VLAN
groups; also enables or configures private VLANs, protocol VLANs,
IP-subnet VLANs, MAC-based VLANs, and voice VLANs
4-296
OAM
Provides tools used to monitor and maintain links to subscriber CPEs,
including enabling OAM for selected ports, loopback testing, and
displaying device information
4-337
Link Layer Discovery
Protocol
Configures LLDP settings to enable information discovery about
neighbor devices
4-354
4-10
Page
4
General Commands
Table 4-4 Command Groups (Continued)
Command Group
Description
Page
Class of Service
Sets port priority for untagged frames, selects strict priority or weighted
round robin, relative weight for each priority queue, also sets priority for
DSCP
4-376
Quality of Service
Configures Differentiated Services classification criteria and service
policies
4-384
Multicast Filtering
Configures IGMP multicast filtering, query parameters, specifies ports
attached to a multicast router, and enables multicast VLAN registration
4-394
Domain Name Service
Configures DNS services
4-419
IP Interface
Configures IP address for the switch
4-426
The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
GC (Global Configuration)
IC (Interface Configuration)
LC (Line Configuration)
MST (Multiple Spanning Tree)
NE (Normal Exec)
PE (Privileged Exec)
PM (Policy Map Configuration)
SG (Server Group)
VC (VLAN Database Configuration)
General Commands
These commands are used to control the command access mode, configuration
mode, and other basic functions.
Table 4-5 General Commands
Command
Function
Mode
Page
enable
Activates privileged mode
NE
4-12
disable
Returns to normal mode from privileged mode
PE
4-12
configure
Activates global configuration mode
PE
4-13
show history
Shows the command history buffer
NE, PE
4-13
reload
Restarts the system
PE
4-14
reload
Sets the time at which to reset the system
GC
4-14
show reload
Displays the current reload settings, and the time at which next
scheduled reload will take place
PE
4-16
prompt
Customizes the prompt used in PE and NE mode
GC
4-16
end
Returns to Privileged Exec mode
any
config.
mode
4-16
exit
Returns to the previous configuration mode, or exits the CLI
any
4-17
quit
Exits a CLI session
NE, PE
4-17
help
Shows how to use help
any
NA
?
Shows options for command completion (context sensitive)
any
NA
4-11
4
Command Line Interface
enable
This command activates Privileged Exec mode. In privileged mode, additional
commands are available, and certain commands display additional information. See
"Understanding Command Modes" on page 4-6.
Syntax
enable [level]
level - Privilege level to log into the device.
The device has two predefined privilege levels: 0: Normal Exec,
15: Privileged Exec. Enter level 15 to access Privileged Exec mode.
Default Setting
Level 15
Command Mode
Normal Exec
Command Usage
• “super” is the default password required to change the command mode from
Normal Exec to Privileged Exec. (To set this password, see the enable
password command on page 4-111.)
• The “#” character is appended to the end of the prompt to indicate that the
system is in privileged access mode.
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands
disable (4-12)
enable password (4-111)
disable
This command returns to Normal Exec mode from privileged mode. In normal
access mode, you can only display basic information on the switch's configuration or
Ethernet statistics. To gain access to all commands, you must use the privileged
mode. See "Understanding Command Modes" on page 4-6.
Command Mode
Privileged Exec
Command Usage
The “>” character is appended to the end of the prompt to indicate that the
system is in normal access mode.
4-12
General Commands
4
Example
Console#disable
Console>
Related Commands
enable (4-12)
configure
This command activates Global Configuration mode. You must enter this mode to
modify any settings on the switch. You must also enter Global Configuration mode
prior to enabling some of the other configuration modes, including Interface
Configuration, Line Configuration, and VLAN Database Configuration, and Multiple
Spanning Tree Configuration. See "Understanding Command Modes" on page 4-6.
Command Mode
Privileged Exec
Example
Console#configure
Console(config)#
Related Commands
end (4-16)
show history
This command shows the contents of the command history buffer.
Command Mode
Normal Exec, Privileged Exec
Command Usage
The history buffer size is fixed at 10 Execution commands and
10 Configuration commands.
Example
In this example, the show history command lists the contents of the command
history buffer:
Console#show history
Execution command history:
2 config
1 show history
Configuration command history:
4 interface vlan 1
3 exit
2 interface vlan 1
1 end
Console#
4-13
4
Command Line Interface
The ! command repeats commands from the Execution command history buffer
when you are in Normal Exec or Privileged Exec Mode, and commands from the
Configuration command history buffer when you are in any of the configuration
modes. In this example, the !2 command repeats the second command in the
Execution history buffer (config).
Console#!2
Console#config
Console(config)#
Related Commands
terminal history (4-55)
reload (Privileged Exec)
This command restarts the system immediately.
Command Mode
Privileged Exec
Command Usage
• This command resets the entire system.
• When the system is restarted, it will always run the Power-On Self-Test. It will
also retain all configuration information stored in non-volatile memory by the
copy running-config startup-config command.
Example
This example shows how to reset the switch:
Console#reload
System will be restarted, continue <y/n>? y
reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a
periodic interval. You can reboot the system immediately, or you can configure the
switch to reset after a specified amount of time. Use the cancel option to remove a
configured setting.
Syntax
reload {at hour minute [{month day | day month} [year]] |
in {hour hours | minute minutes | hour hours minute minutes} |
regularity hour minute [period {daily | weekly day-of-week | monthly day}] |
cancel [at | in | regularity]}
• reload at - A specified time at which to reload the switch.
- hour - The hour at which to reload. (Range: 0-23)
- minute - The minute at which to reload. (Range: 0-59)
- month - The month at which to reload. (january ... december)
- day - The day of the month at which to reload. (Range: 1-31)
- year - The year at which to reload. (Range: 2001-2050)
4-14
General Commands
4
• reload in - An interval after which to reload the switch.
- hours - The number of hours, combined with the minutes, before the
switch resets. (Range: 0-576)
- minutes - The number of minutes, combined with the hours, before the
switch resets. (Range: 0-59)
• reload regularity - A periodic interval at which to reload the switch.
- hour - The hour at which to reload. (Range: 0-23)
- minute - The minute at which to reload. (Range: 0-59)
- day-of-week - Day of the week at which to reload.
(Range: monday ... saturday)
- day - Day of the month at which to reload. (Range: 1-31)
• reload cancel - Cancels the specified reload option.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• This command resets the entire system.
• Any combination of reload options may be specified. If the same option is
re-specified, the previous setting will be overwritten.
• When the system is restarted, it will always run the Power-On Self-Test. It will
also retain all configuration information stored in non-volatile memory by the
copy running-config startup-config command (See "copy" on page 4-37).
Example
This example shows how to reset the switch after 30 minutes:
Console(config)#reload in minute 30
***
*** --- Rebooting at January 1 02:10:43 2007 --***
Are you sure to reboot the system at the specified time? <y/n>
4-15
4
Command Line Interface
show reload
This command displays the current reload settings, and the time at which next
scheduled reload will take place.
Command Mode
Privileged Exec
Example
Console#show reload
Reloading switch in time:
0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#
prompt
This command customizes the CLI prompt. Use the no form to restore the default
prompt.
Syntax
prompt string
no prompt
string - Any alphanumeric string to use for the CLI prompt. (Maximum
length: 255 characters)
Default Setting
Console
Command Mode
Global Configuration
Example
Console(config)#prompt RD2
RD2(config)#
end
This command returns to Privileged Exec mode.
Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN
Database Configuration, and Multiple Spanning Tree Configuration
Example
This example shows how to return to the Privileged Exec mode from the Interface
Configuration mode:
Console(config-if)#end
Console#
4-16
General Commands
4
exit
This command returns to the previous configuration mode or exit the configuration
program.
Command Mode
Any
Example
This example shows how to return to the Privileged Exec mode from the Global
Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
quit
This command exits the configuration program.
Command Mode
Normal Exec, Privileged Exec
Command Usage
The quit and exit commands can both exit the configuration program.
Example
This example shows how to quit a CLI session:
Console#quit
Press ENTER to start session
User Access Verification
Username:
4-17
4
Command Line Interface
System Management Commands
These commands are used to control system logs, passwords, user names, browser
configuration options, and display or configure a variety of other system information.
Table 4-6 System Management Commands
Command Group
Function
Page
Device Designation
Configures information that uniquely identifies this switch
4-18
Banner Information
Configures administrative contact, device identification and location
4-19
System Status
Displays system configuration, active managers, and version information
4-29
Frame Size
Enables support for jumbo frames
4-35
File Management
Manages code image or switch configuration files
4-36
Line
Sets communication parameters for the serial port, including baud rate and
console time-out
4-45
Event Logging
Controls logging of error messages
4-58
SMTP Alerts
Configures SMTP email alerts
4-64
Time (System Clock)
Sets the system clock automatically via NTP/SNTP server or manually
4-68
Switch Clustering
Configures management of multiple devices via a single IP address
4-81
UPnP
Sets Universal Plug-and-Play parameters used to advertise the switch
4-86
Device Designation Commands
Table 4-7 Device Designation Commands
Command
Function
Mode
Page
prompt
Customizes the prompt used in PE and NE mode
GC
4-16
hostname
Specifies the host name for the switch
GC
4-18
snmp-server contact
Sets the system contact string
GC
4-91
snmp-server location
Sets the system location string
GC
4-92
hostname
This command specifies or modifies the host name for this device. Use the no form
to restore the default host name.
Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
4-18
System Management Commands
4
Example
Console(config)#hostname RD#1
Console(config)#
Banner Information Commands
These commands are used to configure and manage administrative information
about the switch, its exact data center location, details of the electrical and network
circuits that supply the switch, as well as contact information for the network
administrator and system manager. This information is only available via the CLI and
is automatically displayed before login as soon as a console or telnet connection has
been established.
Table 4-8 Banner Commands
Command
Function
Mode
Page
banner configure
Configures the banner information that is displayed before login GC
4-20
banner configure
company
Configures the Company information that is displayed by banner GC
4-21
banner configure
dc-power-info
Configures the DC Power information that is displayed by
banner
GC
4-22
banner configure
department
Configures the Department information that is displayed by
banner
GC
4-22
banner configure
equipment-info
Configures the Equipment information that is displayed by
banner
GC
4-23
banner configure
equipment-location
Configures the Equipment Location information that is displayed GC
by banner
4-24
banner configure
ip-lan
Configures the IP and LAN information that is displayed by
banner
GC
4-24
banner configure
lp-number
Configures the LP Number information that is displayed by
banner
GC
4-25
banner configure
manager-info
Configures the Manager contact information that is displayed by GC
banner
4-26
banner configure
mux
Configures the MUX information that is displayed by banner
GC
4-26
banner configure
note
Configures miscellaneous information that is displayed by
banner under the Notes heading
GC
4-27
show banner
Displays all banner information
NE, PE
4-28
4-19
4
Command Line Interface
banner configure
This command is used to interactively specify administrative information for this
device.
Syntax
banner configure
Default Setting
None
Command Mode
Global Configuration
Command Usage
The administrator can batch-input all details for the switch with one command.
When the administrator finishes typing the company name and presses the
enter key, the script prompts for the next piece of information, and so on, until
all information has been entered. Pressing enter without inputting information
at any prompt during the script’s operation will leave the field empty. Spaces
can be used during script mode because pressing the enter key signifies the
end of data input. The delete and left-arrow keys terminate the script. The use
of the backspace key during script mode is not supported. If, for example, a
mistake is made in the company name, it can be corrected with the banner
configure company command.
4-20
4
System Management Commands
Example
Console(config)#banner configure
Company: Sixnet
Responsible department: R&D Dept
Name and telephone to Contact the management people
Manager1 name: Sr. Network Admin
phone number: 123-555-1212
Manager2 name: Jr. Network Admin
phone number: 123-555-1213
Manager3 name: Night-shift Net Admin / Janitor
phone number: 123-555-1214
The physical location of the equipment.
City and street address: 12 Straight St. Motown, Zimbabwe
Information about this equipment:
Manufacturer: Sixnet
ID: 123_unique_id_number
Floor: 2
Row: 7
Rack: 29
Shelf in this rack: 8
Information about DC power supply.
Floor: 2
Row: 7
Rack: 25
Electrical circuit: : ec-177743209-xb
Number of LP:12
Position of the equipment in the MUX:1/23
IP LAN:192.168.1.1
Note: This is a random note about this managed switch and can contain
miscellaneous information.
Console(config)#
banner configure company
This command is used to configure company information displayed in the banner.
Use the no form to remove the company name from the banner display.
Syntax
banner configure company name
no banner configure company
name - The name of the company. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure company
command interprets spaces as data input boundaries. The use of underscores
( _ ) or other unobtrusive non-letter characters is suggested for situations
where white space is necessary for clarity.
4-21
4
Command Line Interface
Example
Console(config)#banner configure company Sixnet
Console(config)#
banner configure dc-power-info
This command is use to configure DC power information displayed in the banner.
Use the no form to restore the default setting.
Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id
electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
• floor-id - The floor number.
• row-id - The row number.
• rack-id - The rack number.
• ec-id - The electrical circuit ID.
Maximum length of each parameter: 32 characters
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure dc-power-info
command interprets spaces as data input boundaries. The use of underscores
( _ ) or other unobtrusive non-letter characters is suggested for situations
where white space is necessary for clarity.
Example
Console(config)#banner configure floor 3 row 15 rack 24
electrical-circuit 48v-id_3.15.24.2
Console(config)#
banner configure department
This command is used to configure the department information displayed in the
banner. Use the no form to restore the default setting.
Syntax
banner configure department dept-name
no banner configure company
dept-name - The name of the department.
(Maximum length: 32 characters)
4-22
System Management Commands
4
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure department
command interprets spaces as data input boundaries. The use of underscores
( _ ) or other unobtrusive non-letter characters is suggested for situations
where white space is necessary for clarity.
Example
Console(config)#banner configure department R&D
Console(config)#
banner configure equipment-info
This command is used to configure the equipment information displayed in the
banner. Use the no form to restore the default setting.
Syntax
banner configure equipment-info manufacturer-id mfr-id floor floor-id
row row-id rack rack-id shelf-rack sr-id manufacturer mfr-name
no banner configure equipment-info [floor | manufacturer |
manufacturer-id | rack | row | shelf-rack]
•
•
•
•
•
•
mfr-id - The name of the device model number.
floor-id - The floor number.
row-id - The row number.
rack-id - The rack number.
sr-id - The shelf number in the rack.
mfr-name - The name of the device manufacturer.
Maximum length of each parameter: 32 characters
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure equipment-info
command interprets spaces as data input boundaries. The use of underscores
( _ ) or other unobtrusive non-letter characters is suggested for situations
where white space is necessary for clarity.
4-23
4
Command Line Interface
Example
Console(config)#banner configure equipment-info manufacturer-id
EL228 floor 3 row 10 rack 15 shelf-rack 12 manufacturer Sixnet
Console(config)#
banner configure equipment-location
This command is used to configure the equipment location information displayed in
the banner. Use the no form to restore the default setting.
Syntax
banner configure equipment-location location
no banner configure equipment-location
location - The address location of the device.
(Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure
equipment-location command interprets spaces as data input boundaries.
The use of underscores ( _ ) or other unobtrusive non-letter characters is
suggested for situations where white space is necessary for clarity.
Example
Console(config)#banner configure equipment-location
710_Network_Path,_Indianapolis
Console(config)#
banner configure ip-lan
This command is used to configure the device IP address and subnet mask
information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure ip-lan ip-mask
no banner configure ip-lan
ip-mask - The IP address and subnet mask of the device.
(Maximum length: 32 characters)
Default Setting
None
4-24
System Management Commands
4
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure ip-lan command
interprets spaces as data input boundaries. The use of underscores ( _ ) or
other unobtrusive non-letter characters is suggested for situations where white
space is necessary for clarity.
Example
Console(config)#banner configure ip-lan 192.168.1.1/255.255.255.0
Console(config)#
banner configure lp-number
This command is used to configure the LP number information displayed in the
banner. Use the no form to restore the default setting.
Syntax
banner configure lp-number lp-num
no banner configure lp-number
lp-num - The LP number. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure lp-number
command interprets spaces as data input boundaries. The use of underscores
( _ ) or other unobtrusive non-letter characters is suggested for situations
where white space is necessary for clarity.
Example
Console(config)#banner configure lp-number 12
Console(config)#
4-25
4
Command Line Interface
banner configure manager-info
This command is used to configure the manager contact information displayed in the
banner. Use the no form to restore the default setting.
Syntax
banner configure manager-info
name mgr1-name phone-number mgr1-number
[name2 mgr2-name phone-number mgr2-number |
name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
•
•
•
•
•
•
mgr1-name - The name of the first manager.
mgr1-number - The phone number of the first manager.
mgr2-name - The name of the second manager.
mgr2-number - The phone number of the second manager.
mgr3-name - The name of the third manager.
mgr3-number - The phone number of the third manager.
Maximum length of each parameter: 32 characters
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure manager-info
command interprets spaces as data input boundaries. The use of underscores
( _ ) or other unobtrusive non-letter characters is suggested for situations
where white space is necessary for clarity.
Example
Console(config)#banner configure manager-info name Albert_Einstein
phone-number 123-555-1212 name2 Lamar phone-number 123-555-1219
Console(config)#
banner configure mux
This command is used to configure the mux information displayed in the banner.
Use the no form to restore the default setting.
Syntax
banner configure mux muxinfo
no banner configure mux
muxinfo - The circuit and PVC to which the switch is connected.
(Maximum length: 32 characters)
4-26
4
System Management Commands
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure mux command
interprets spaces as data input boundaries. The use of underscores ( _ ) or
other unobtrusive non-letter characters is suggested for situations where white
space is necessary for clarity.
Example
Console(config)#banner configure mux telco-8734212kx_PVC-1/23
Console(config)#
banner configure note
This command is used to configure the note displayed in the banner. Use the no
form to restore the default setting.
Syntax
banner configure note note-info
no banner configure note
note-info - Miscellaneous information that does not fit the other banner
categories, or any other information of importance to users of the switch
CLI. (Maximum length: 150 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure note command
interprets spaces as data input boundaries. The use of underscores ( _ ) or
other unobtrusive non-letter characters is suggested for situations where white
space is necessary for clarity.
Example
Console(config)#banner configure note !!!!!ROUTINE_MAINTENANCE_firmwareupgrade_0100-0500_GMT-0500_20071022!!!!!_20min_network_impact_expected
Console(config)#
4-27
4
Command Line Interface
show banner
This command displays all banner information.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show banner
WARNING - MONITORED ACTIONS AND ACCESSES
R&D_Dept
Albert_Einstein - 123-555-1212
Steve - 123-555-9876
Lamar - 123-555-3322
Station's information:
710_Network_Path,Indianapolis
Sixnet - EL228
Floor / Row / Rack / Sub-Rack
7 / 10 / 15 / 6
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
3 / 15 / 24 / 48V-id_3.15.24.2
Number of LP: 4
Position MUX: telco-9734212kx_PVC-1/23
IP LAN: 216.241.132.3/255.255.255.0
Note:
!!!!!ROUTINE_MAINTENANCE_firmware-upgrade_0100--0500_GMT-0500_20071022!!!
!!_20min_network_impact_expected
Console#
4-28
System Management Commands
4
System Status Commands
This section describes commands used to display system information.
Table 4-9 System Status Commands
Command
Function
Mode
show startup-config
Displays the contents of the configuration file (stored in flash
memory) that is used to start up the system
PE
4-29
show running-config
Displays the configuration data currently in use
PE
4-31
show system
Displays system information
NE, PE
4-33
show users
Shows all active console, SSH, Telnet and web sessions,
NE, PE
including user name, idle time, and IP address of network clients
4-33
show version
Displays version information for the system
4-34
NE, PE
Page
show startup-config
This command displays the configuration file stored in non-volatile memory that is
used to start up the system.
Command Mode
Privileged Exec
Command Usage
• Use this command in conjunction with the show running-config command to
compare the information in running memory to the information stored in
non-volatile memory.
• This command displays settings for key command modes. Each mode group
is separated by “!” symbols, and includes the configuration mode command,
and corresponding commands. This command displays the following
information:
-
Switch’s MAC address
SNTP server settings
SNMP community strings
Users (names and access levels)
VLAN database (VLAN ID, name and state)
VLAN configuration settings for each interface
Multiple spanning tree instances (name and interfaces)
IP address configured for the switch
Spanning tree settings
Interface settings
Any configured settings for the console port and Telnet
4-29
4
Command Line Interface
Example
Console#show startup-config
!<stackingDB>00</stackingDB>
!<stackingMac>01_00-12-cf-12-34-56_01</stackingMac>
!
phymap 00-12-cf-12-34-56
!
sntp server 0.0.0.0 0.0.0.0 0.0.0.0
!
snmp-server community public ro
snmp-server community private rw
!
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
vlan 1 name DefaultVlan media ethernet state active
vlan 4093 media ethernet state active
!
spanning-tree mst configuration
!
interface vlan 1
ip address dhcp
!
interface vlan 4093
!
interface ethernet 1/1
switchport allowed vlan add 1 untagged
switchport allowed vlan add 4093 tagged
sflow owner None
.
.
.
line console
silent-time 0
!
line VTY
!
end
!
Console#
Related Commands
show running-config (4-31)
4-30
System Management Commands
4
show running-config
This command displays the configuration information currently in use.
Command Mode
Privileged Exec
Command Usage
• Use this command in conjunction with the show startup-config command to
compare the information in running memory to the information stored in
non-volatile memory.
• This command displays settings for key command modes. Each mode group
is separated by “!” symbols, and includes the configuration mode command,
and corresponding commands. This command displays the following
information:
-
Switch’s MAC address
SNTP server settings
SNMP community strings
Users (names and access levels)
VLAN database (VLAN ID, name and state)
VLAN configuration settings for each interface
Multiple spanning tree instances (name and interfaces)
IP address configured for the switch
Spanning tree settings
Interface settings
Any configured settings for the console port and Telnet
4-31
4
Command Line Interface
Example
Console#show running-config
!<stackingDB>00</stackingDB>
!<stackingMac>01_00-12-cf-12-34-56_01</stackingMac>
!
phymap 00-12-cf-12-34-56
!
sntp server 0.0.0.0 0.0.0.0 0.0.0.0
!
snmp-server community public ro
snmp-server community private rw
!
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
vlan 1 name DefaultVlan media ethernet state active
vlan 4093 media ethernet state active
!
spanning-tree mst configuration
!
interface vlan 1
ip address dhcp
!
interface vlan 4093
!
interface ethernet 1/1
switchport allowed vlan add 1 untagged
switchport allowed vlan add 4093 tagged
sflow owner None
.
.
.
line console
silent-time 0
!
line VTY
!
end
!
Console#
Related Commands
show startup-config (4-29)
4-32
4
System Management Commands
show system
This command displays system information.
Command Mode
Normal Exec, Privileged Exec
Command Usage
• For a description of the items shown by this command, refer to ?$paratext>?
on page 3-13.
• The POST results should all display “PASS.” If any POST test indicates
“FAIL,” contact your distributor for assistance.
Example
Console#show system
System Description: EL228
System OID String: 1.3.6.1.4.1.259.8.1.4
System Information
System Up Time:
0 days, 2 hours, 52 minutes, and 32.16 seconds
System Name:
[NONE]
System Location:
[NONE]
System Contact:
[NONE]
MAC Address (Unit1):
00-12-CF-12-34-56
Web Server:
Enabled
Web Server Port:
80
Web Secure Server:
Enabled
Web Secure Server Port: 443
Telnet Server:
Enable
Telnet Server Port:
23
Jumbo Frame:
Disabled
DUMMY Test 1 .................
UART Loopback Test ...........
DRAM Test ....................
Timer Test ...................
PASS
PASS
PASS
PASS
Console#
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP
address of Telnet client.
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to
the Line (i.e., session) index number.
4-33
4
Command Line Interface
Example
Console#show users
Username accounts:
Username Privilege Public-Key
-------- --------- ---------admin
15
None
guest
0
None
steve
15
RSA
Online users:
Line
Username Idle time (h:m:s) Remote IP addr.
----------- -------- ----------------- --------------0
console
admin
0:14:14
* 1
VTY 0
admin
0:00:00
192.168.1.19
2
SSH 1
steve
0:00:06
192.168.1.19
Web online users:
Line
Remote IP addr Username Idle time (h:m:s).
----------- -------------- -------- -----------------1
HTTP
192.168.1.19
admin
0:00:00
Console#
show version
This command displays hardware and software version information for the system.
Command Mode
Normal Exec, Privileged Exec
Command Usage
See "Displaying Switch Hardware/Software Versions" on page 3-15 for
detailed information on the items displayed by this command.
Example
Console#show version
Unit 1
Serial Number:
Hardware Version:
Chip Device ID:
EPLD Version:
Number of Ports:
Main Power Status:
Redundant Power Status:
0012CF123456
R01A
Marvell 98DX107-A2, 88E6095[F]
1.03
28
Up
Not present
Agent (Master)
Unit ID:
Loader Version:
Boot ROM Version:
Operation Code Version:
1
1.0.1.0
1.2.1.0
1.3.3.0
Console#
4-34
4
System Management Commands
Frame Size Commands
This section describes commands used to configure the Ethernet frame size on the
switch.
Table 4-10 Frame Size Commands
Command
Function
Mode
jumbo frame
Enables support for jumbo frames
GC
Page
4-35
jumbo frame
This command enables support for jumbo frames. Use the no form to disable it.
Syntax
[no] jumbo frame
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• This switch provides more efficient throughput for large sequential data
transfers by supporting jumbo frames up to 10 KB for the Gigabit Ethernet
ports. Compared to standard Ethernet frames that run only up to 1.5 KB, using
jumbo frames significantly reduces the per-packet overhead required to
process protocol encapsulation fields.
• To use jumbo frames, both the source and destination end nodes (such as a
computer or server) must support this feature. Also, when the connection is
operating at full duplex, all switches in the network between the two end nodes
must be able to accept the extended frame size. And for half-duplex
connections, all devices in the collision domain would need to support jumbo
frames.
• The current setting for jumbo frames can be displayed with the show system
command (page 4-33).
Example
Console(config)#jumbo frame
Console(config)#
4-35
4
Command Line Interface
File Management Commands
Managing Firmware
Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By
saving run-time code to a file on an FTP/TFTP server, that file can later be
downloaded to the switch to restore operation. The switch can also be set to use
new firmware without overwriting the previous version.
When downloading run-time code, the destination file name can be specified to
replace the current image, or the file can be first downloaded using a different name
from the current run-time code file, and then the new file set as the startup file.
Saving or Restoring Configuration Settings
Configuration settings can be uploaded and downloaded to and from an FTP/TFTP
server. The configuration file can be later downloaded to restore switch settings.
The configuration file can be downloaded under a new file name and then set as the
startup file, or the current startup configuration file can be specified as the
destination file to directly replace it. Note that the file “Factory_Default_Config.cfg”
can be copied to the FTP/TFTP server, but cannot be used as the destination on the
switch.
Table 4-11 Flash/File Commands
Command
Function
Mode
Page
copy
Copies a code image or a switch configuration to or from flash PE
memory or a FTP/TFTP server
4-37
delete
Deletes a file or code image
PE
4-40
dir
Displays a list of files in flash memory
PE
4-40
whichboot
Displays the files booted
PE
4-41
boot system
Specifies the file or image used to start up the system
GC
4-42
Automatic Code Upgrade Commands
upgrade opcode auto
Automatically upgrades the current image when a new
version is detected on the indicated server
GC
4-43
upgrade opcode path
Specifies an FTP/TFTP server and directory in which the new GC
opcode is stored
4-44
4-36
System Management Commands
4
copy
This command moves (uploads/downloads) a code image or configuration file
between the switch’s flash memory and an FTP/TFTP server. It can also download a
diagnostics file or loader file from an FTP/TFTP server. When you save the system
code or configuration settings to a file on an FTP/TFTP server, that file can later be
downloaded to the switch to restore system operation. The success of the file
transfer depends on the accessibility of the FTP/TFTP server and the quality of the
network connection.
Syntax
copy file {file | ftp | running-config | startup-config | tftp}
copy running-config {file | ftp | startup-config | tftp}
copy startup-config {file | ftp | running-config | tftp}
copy ftp {file | running-config | startup-config | https-certificate |
public-key}
copy tftp {add-to-running-config | file | running-config | startup-config |
https-certificate | public-key}
• add-to-running-config - Keyword that adds the settings listed in the
specified file to the running configuration.
• file - Keyword that allows you to copy to/from a file.
• ftp - Keyword that allows you to copy to/from an FTP server.
• running-config - Keyword that allows you to copy to/from the current
running configuration.
• startup-config - The configuration used for system initialization.
• tftp - Keyword that allows you to copy to/from a TFTP server.
• https-certificate - Copies an HTTPS certificate from an TFTP server to the
switch.
• public-key - Keyword that allows you to copy a SSH key from a TFTP
server. ("Secure Shell Commands" on page 4-138)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• The system prompts for data required to complete the copy command.
• The destination file name should not contain slashes (\ or /), the leading letter
of the file name should not be a period (.), and the maximum length for file
names on the FTP/TFTP server is 127 characters or 31 characters for files on
the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
• Due to the size limit of the flash memory, the switch supports only two
operation code files.
• The maximum number of user-defined configuration files depends on
available memory.
4-37
4
Command Line Interface
• You can use “Factory_Default_Config.cfg” as the source to copy from the
factory default configuration file, but you cannot use it as the destination.
• To replace the startup configuration, you must use startup-config as the
destination.
• The Boot ROM and Loader can be downloaded from an FTP/TFTP server, but
cannot be uploaded from the switch to a file server.
• For information on specifying an https-certificate, see "Replacing the Default
Secure-site Certificate" on page 3-91. For information on configuring the
switch to use HTTPS for a secure connection, see "ip http secure-server" on
page 4-135.
• When logging into an FTP server, the interface prompts for a user name and
password configured on the remote server. Note that “anonymous” is set as
the default user name.
Example
The following example shows how to download new firmware from a TFTP server:
Console#copy tftp file
TFTP server ip address: 10.1.0.19
Choose file type:
1. config: 2. opcode: 4. diag:
Source file name: V3.1.16.20.BIX
Destination file name: V311620
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#
5. loader: <1,2,4,5>: 2
This example shows how to download a file from an FTP server.
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
1. config: 2. opcode: 4. diag: 5. loader: <1,2,4,5>: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#
The following example shows how to upload the configuration settings to a file on
the TFTP server:
Console#copy file tftp
Choose file type:
1. config: 2. opcode: <1-2>: 1
Source file name: startup
TFTP server ip address: 10.1.0.99
Destination file name: startup.01
TFTP completed.
Success.
Console#
4-38
4
System Management Commands
The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
This example shows how to copy a secure-site certificate from an TFTP server. It
then reboots the switch to activate the certificate:
Console#copy tftp https-certificate
TFTP server ip address: 10.1.0.19
Source certificate file name: SS-certificate
Source private file name: SS-private
Private password: ********
Success.
Console#reload
System will be restarted, continue <y/n>? y
This example shows how to copy a public-key used by SSH from a TFTP server.
Note that public key authentication via SSH is only supported for users configured
locally on the switch:
Console#copy tftp public-key
TFTP server IP address: 192.168.1.19
Choose public key type:
1. RSA: 2. DSA: <1-2>: 1
Source file name: steve.pub
Username: steve
TFTP Download
Success.
Write to FLASH Programming.
Success.
Console#
4-39
4
Command Line Interface
This example shows how to copy a file to an FTP server.
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
1. config: 2. opcode: 4. diag: 5. loader: <1,2,4,5>: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#
delete
This command deletes a file or image.
Syntax
delete filename
filename - Name of the configuration file or image name.
Command Mode
Privileged Exec
Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Config.cfg” cannot be deleted.
Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Console#delete test2.cfg
Console#
Related Commands
dir (4-40)
delete public-key (4-142)
dir
This command displays a list of files in flash memory.
Syntax
dir {{boot-rom: | config: | opcode:} [:filename]}
The type of file or image to display includes:
•
•
•
•
4-40
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
opcode - Run-time operation code image file.
filename - Name of the configuration file or code image.
System Management Commands
4
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• If you enter the command dir without any parameters, the system displays all
files.
• File information is shown below:
Table 4-12 File Directory Information
Column Heading
Description
File name
The name of the file.
File type
File types: Boot-Rom, Operation Code, and Config file.
Startup
Shows if this file is used when the system is started.
Size
The length of the file in bytes.
Example
The following example shows how to display all file information:
Console#dir
File name
File type
Startup Size (byte)
-------------------------------------------------- ------- ----------Unit1:
EL228_Diag_V1.0.0.3.BIX
Boot-Rom Image N
1316056
EL228_Diag_V1.2.1.0.bix
Boot-Rom Image Y
1329392
EL228_V2.0.0.1
Operation Code N
4168416
EL228_V1.3.3.0.bix
Operation Code Y
4310516
Factory_Default_Config.cfg
Config File
N
455
startup1.cfg
Config File
Y
4386
--------------------------------------------------------------------------Total free space:
3801088
Console#
whichboot
This command displays which files were booted when the system powered up.
Command Mode
Privileged Exec
4-41
4
Command Line Interface
Example
This example shows the information displayed by the whichboot command. See
the table under the dir command for a description of the file information displayed by
this command.
Console#whichboot
File name
File type Startup Size (byte)
-------------------------------------------------- ------- ----------Unit1:
EL228_Diag_V1.2.1.0.bix
Boot-Rom Image Y
1329392
EL228_V1.3.3.0.bix
Operation Code Y
4310516
startup1.cfg
Config File
Y
4386
Console#
boot system
This command specifies the image used to start up the system.
Syntax
boot system {boot-rom| config | opcode}: filename
The type of file or image to set as a default includes:
•
•
•
•
boot-rom* - Boot ROM.
config* - Configuration file.
opcode* - Run-time operation code.
filename - Name of the configuration file or code image.
* The colon (:) is required.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• A colon (:) is required after the specified file type.
• If the file contains an error, it cannot be set as the default file.
Example
Console(config)#boot system config: startup
Console(config)#
Related Commands
dir (4-40)
whichboot (4-41)
4-42
4
System Management Commands
upgrade opcode auto
This command automatically upgrades the current operational code when a new
version is detected on the server indicated by the upgrade opcode path command.
Use the no form of this command to restore the default setting.
Syntax
[no] upgrade opcode auto
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• This command is used to enable or disable automatic upgrade of the
operational code. When the switch starts up and automatic image upgrade is
enabled by this command, the switch will follow these steps when it boots up:
1. It will search for a new version of the image at the location specified by
upgrade opcode path command (page 4-44). The name for the new
image stored on the FTP/TFTP server must be EL228.bix. If
the switch detects a code version newer than the one currently in use, it
will download the new image. If two code images are already stored in
the switch, the image not set to start up the system will be overwritten by
the new version.
2. After the image has been downloaded, the switch will send a trap
message to log whether or not the upgrade operation was successful.
3. It sets the new version as the startup image.
4. It then restarts the system to start using the new image.
• Any changes made to the default setting can be displayed with the show
running-config (page 4-31) or show startup-config (page 4-29)
commands.
Example
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
4-43
4
Command Line Interface
If a new image is found at the specified location, the following type of messages will
be displayed during bootup.
.
.
.
Automatic Upgrade is looking for a new image
New image detected: current version 1.1.1.0; new version 1.1.1.2
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The
switch will now restart
.
.
.
upgrade opcode path
This command specifies an FTP/TFTP server and directory in which the new
opcode is stored. Use the no form of this command to clear the current setting.
Syntax
upgrade opcode path opcode-dir-url
no upgrade opcode path
opcode-dir-url - The location of the new code.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• This command is used in conjunction with the upgrade opcode auto
command (page 4-43) to facilitate automatic upgrade of new operational code
stored at the location indicated by this command.
• The name for the new image stored on the FTP/TFTP server must be
EL228.bix. However, note that file name is not to be included in
this command.
• When specifying a TFTP server, the following syntax must be used, where
filedir indicates the path to the directory containing the new image:
tftp://192.168.0.1[/filedir]/
• When specifying an FTP server, the following syntax must be used, where
filedir indicates the path to the directory containing the new image:
ftp://[username[:password@]]192.168.0.1[/filedir]/
If the user name is omitted, “Anonymous” will be used for the connection. If
the password is omitted a null string (“”) will be used for the connection.
4-44
4
System Management Commands
Example
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
This shows how to specify an FTP server where new code is stored.
Console(config)#upgrade opcode path ftp://admin:billy@192.168.0.1/sm24/
Console(config)#
Line Commands
You can access the onboard configuration program by attaching a VT100
compatible device to the server’s serial port. These commands are used to set
communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Table 4-13 Line Commands
Command
Function
Mode
line
Identifies a specific line for configuration and starts the line
configuration mode
GC
4-46
login
Enables password checking at login
LC
4-46
password
Specifies a password on a line
LC
4-47
timeout login
response
Sets the interval that the system waits for a user to log into the LC
CLI
4-48
exec-timeout
Sets the interval that the command interpreter waits until user
input is detected
LC
4-49
password-thresh
Sets the password intrusion threshold, which limits the number LC
of failed logon attempts
4-49
silent-time*
Sets the amount of time the management console is
LC
inaccessible after the number of unsuccessful logon attempts
exceeds the threshold set by the password-thresh command
4-50
databits*
Sets the number of data bits per character that are interpreted LC
and generated by hardware
4-51
parity*
Defines the generation of a parity bit
LC
4-52
speed*
Sets the terminal baud rate
LC
4-52
stopbits*
Sets the number of the stop bits transmitted per byte
LC
4-53
terminal length
Sets the number of lines displayed on a terminal
PE
4-53
terminal width
Sets the width of the display terminal
PE
4-54
terminal
escape-character
Sets the escape character used to break display output
PE
4-54
terminal terminal-type Specifies the terminal type connected to the console port
PE
4-55
terminal history
PE
4-55
Configures parameters for storing previously entered
commands
Page
* These commands only apply to the serial port.
4-45
4
Command Line Interface
Table 4-13 Line Commands (Continued)
Command
Function
Mode
Page
disconnect
Terminates a line connection
PE
4-56
show line
Displays a terminal line's parameters
NE, PE
4-56
* These commands only apply to the serial port.
line
This command identifies a specific line for configuration, and to process subsequent
line configuration commands.
Syntax
line {console | vty}
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
There is no default line.
Command Mode
Global Configuration
Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY”
in screen displays such as show users. However, the serial communication
parameters (e.g., databits) do not affect Telnet connections.
Example
To enter console line mode, enter the following command:
Console(config)#line console
Console(config-line)#
Related Commands
show line (4-56)
show users (4-33)
login
This command enables password checking at login. Use the no form to disable
password checking and allow connections without a password.
Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the
user name specified with the username command.
4-46
4
System Management Commands
Default Setting
login local
Command Mode
Line Configuration
Command Usage
• There are three authentication modes provided by the switch itself at login:
- login selects authentication by a single global password as specified by the
password line configuration command. When using this method, the
management interface starts in Normal Exec (NE) mode.
- login local selects authentication via the user name and password
specified by the username command (i.e., default setting). When using this
method, the management interface starts in Normal Exec (NE) or Privileged
Exec (PE) mode, depending on the user’s privilege level (0 - NE, 8/15 - PE).
- no login selects no authentication. When using this method, the
management interface starts in Normal Exec (NE) mode.
• This command controls login authentication via the switch itself. To configure
user names and passwords for remote authentication servers, you must use
the RADIUS or TACACS software installed on those servers.
Example
Console(config-line)#login local
Console(config-line)#
Related Commands
username (4-110)
password (4-47)
password
This command specifies the password for a line. Use the no form to remove the
password.
Syntax
password {0 | 7} password
no password
• {0 | 7} - 0 means plain password, 7 means encrypted password
• password - Character string that specifies the line password.
(Maximum length: 8 characters plain text, 32 encrypted, case sensitive)
Default Setting
No password is specified.
Command Mode
Line Configuration
4-47
4
Command Line Interface
Command Usage
• When a connection is started on a line with password protection, the system
prompts for the password. If you enter the correct password, the system
shows a prompt. You can use the password-thresh command to set the
number of times a user can enter an incorrect password before the system
terminates the line connection and returns the terminal to the idle state.
• The encrypted password is required for compatibility with legacy password
settings (i.e., plain text or encrypted) when reading the configuration file
during system bootup or when downloading the configuration file from an FTP/
TFTP server. There is no need for you to manually configure encrypted
passwords.
Example
Console(config-line)#password 0 secret
Console(config-line)#
Related Commands
login (4-46)
password-thresh (4-50)
timeout login response
This command sets the interval that the system waits for a user to log into the CLI.
Use the no form to restore the default.
Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.
(Range: 0 - 300 seconds; 0: disabled)
Default Setting
• CLI: Disabled (0 seconds)
• Telnet: 600 seconds
Command Mode
Line Configuration
Command Usage
• If a login attempt is not detected within the timeout interval, the connection is
terminated for the session.
• This command applies to both the local console and Telnet connections.
• The timeout for Telnet cannot be disabled.
• Using the command without specifying a timeout restores the default setting.
4-48
4
System Management Commands
Example
To set the timeout to two minutes, enter this command:
Console(config-line)#timeout login response 120
Console(config-line)#
Related Commands
silent-time (4-50)
exec-timeout (4-14)
exec-timeout
This command sets the interval that the system waits until user input is detected.
Use the no form to restore the default.
Syntax
exec-timeout [seconds]
no exec-timeout
seconds - Integer that specifies the number of seconds.
(Range: 0-65535 seconds; 0: no timeout)
Default Setting
10 minutes
Command Mode
Line Configuration
Command Usage
• If user input is detected within the timeout interval, the session is kept open;
otherwise the session is terminated.
• This command applies to both the local console and Telnet connections.
• The timeout for Telnet cannot be disabled.
• Using the command without specifying a timeout restores the default setting.
Example
To set the timeout to two minutes, enter this command:
Console(config-line)#exec-timeout 120
Console(config-line)#
Related Commands
silent-time (4-50)
timeout login response (4-48)
4-49
4
Command Line Interface
password-thresh
This command sets the password intrusion threshold which limits the number of
failed logon attempts. Use the no form to remove the threshold value.
Syntax
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts.
(Range: 1-120; 0: no threshold)
Default Setting
The default value is three attempts.
Command Mode
Line Configuration
Command Usage
• When the logon attempt threshold is reached, the system interface becomes
silent for a specified amount of time before allowing the next logon attempt.
(Use the silent-time command to set this interval.) When this threshold is
reached for Telnet, the Telnet logon interface shuts down.
• This command applies to both the local console and Telnet connections.
Example
To set the password threshold to five attempts, enter this command:
Console(config-line)#password-thresh 5
Console(config-line)#
Related Commands
silent-time (4-50)
timeout login response (4-13)
silent-time
This command sets the amount of time the management console is inaccessible
after the number of unsuccessful logon attempts exceeds the threshold set by the
password-thresh command. Use the no form to remove the silent time value.
Syntax
silent-time [seconds]
no silent-time
seconds - The number of seconds to disable console response.
(Range: 0-65535; 0: no silent-time)
Default Setting
The default value is no silent-time.
4-50
System Management Commands
4
Command Mode
Line Configuration (console only)
Example
To set the silent time to 60 seconds, enter this command:
Console(config-line)#silent-time 60
Console(config-line)#
Related Commands
password-thresh (4-50)
databits
This command sets the number of data bits per character that are interpreted and
generated by the console port. Use the no form to restore the default value.
Syntax
databits {7 | 8}
no databits
• 7 - Seven data bits per character.
• 8 - Eight data bits per character.
Default Setting
8 data bits per character
Command Mode
Line Configuration
Command Usage
The databits command can be used to mask the high bit on input from
devices that generate 7 data bits with parity. If parity is being generated,
specify 7 data bits per character. If no parity is required, specify 8 data bits per
character.
Example
To specify 7 data bits, enter this command:
Console(config-line)#databits 7
Console(config-line)#
Related Commands
parity (4-52)
4-51
4
Command Line Interface
parity
This command defines the generation of a parity bit. Use the no form to restore the
default setting.
Syntax
parity {none | even | odd}
no parity
• none - No parity
• even - Even parity
• odd - Odd parity
Default Setting
No parity
Command Mode
Line Configuration
Command Usage
Communication protocols provided by devices such as terminals and modems
often require a specific parity bit setting.
Example
To specify no parity, enter this command:
Console(config-line)#parity none
Console(config-line)#
speed
This command sets the terminal line’s baud rate. This command sets both the
transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore
the default setting.
Syntax
speed bps
no speed
bps - Baud rate in bits per second.
(Options: 9600, 19200, 38400 bps)
Default Setting
9600
Command Mode
Line Configuration
Command Usage
Set the speed to match the baud rate of the device connected to the serial
port. Some baud rates available on devices connected to the port might not be
supported. The system indicates if the speed you selected is not supported.
4-52
4
System Management Commands
Example
To specify 38400 bps, enter this command:
Console(config-line)#speed 38400
Console(config-line)#
stopbits
This command sets the number of the stop bits transmitted per byte. Use the no
form to restore the default setting.
Syntax
stopbits {1 | 2}
• 1 - One stop bit
• 2 - Two stop bits
Default Setting
1 stop bit
Command Mode
Line Configuration
Example
To specify 2 stop bits, enter this command:
Console(config-line)#stopbits 2
Console(config-line)#
terminal length
This command sets the number of lines displayed on a terminal. Use the no form to
restore the default setting.
Syntax
terminal length screen-length
no terminal length
screen-length – The number of lines displayed on a terminal.
(Range: 0-512, where 0 means no pause for output displays)
Default Setting
24
Command Mode
Privileged Exec
Example
Console#terminal length 20
Console#
4-53
4
Command Line Interface
terminal width
This command sets the number of characters displayed across a terminal. Use the
no form to restore the default setting.
Syntax
terminal width characters
no terminal width
characters – The number of characters displayed across a terminal.
(Range: 0-80)
Default Setting
80
Command Mode
Privileged Exec
Example
Console#terminal width 70
Console#
terminal escape-character
This command sets the escape character used to break display output. Use the no
form to restore the default setting.
Syntax
terminal escape-character {character | ASCII-number ASCII-number}
no terminal escape-character
• characters – The escape character.
• ASCII-number – ASCII decimal equivalent of the escape character.
(Range: 0-255)
Default Setting
27 (ASCII equivalent of the backspace key)
Command Mode
Privileged Exec
Command Usage
Both Ctrl-C and the escape character specified by this command can be used
to break off screen output. Ctrl-C can also be used to break off the current
command-line input string.
Example
Console#terminal escape-character *
Console#
4-54
4
System Management Commands
terminal terminal-type
This command specifies the terminal type connected to the console port. Use the no
form to restore the default setting.
Syntax
terminal terminal-type {ansi-bbs | vt-100 | vt-102}
no terminal terminal-type
• ansi-bbs – ANSI-BBS
• vt-100 – VT100
• vt-102 – VT102
Default Setting
VT100
Command Mode
Privileged Exec
Command Usage
This command specifies the terminal type connected to the console port, or
the terminal emulation type used by a computer connected to the console port.
Example
Console#terminal terminal-type vt-102
Console#
terminal history
This command configures parameters for storing previously entered commands.
Use the no form to restore the default setting.
Syntax
terminal history [size number-of-lines]
no terminal history [size]
Default Setting
Enabled
10 lines
Command Mode
Privileged Exec
Command Usage
• Use this command without the size keyword to enable the command history
buffer. Use the size keyword to set the size of the command history buffer.
• The default history buffer size is fixed at 10 Execution commands and
10 Configuration commands.
4-55
4
Command Line Interface
Example
Console#terminal history size 20
Console#
Related Commands
show history (4-13)
disconnect
This command terminates an SSH, Telnet, or console connection.
Syntax
disconnect session-id
session-id – The session identifier for an SSH, Telnet or console
connection. (Range: 0-4)
Command Mode
Privileged Exec
Command Usage
Specifying session identifier “0” will disconnect the console connection.
Specifying any other identifiers for an active session will disconnect an SSH or
Telnet connection.
Example
Console#disconnect 1
Console#
Related Commands
show ssh (4-145)
show users (4-33)
show line
This command displays the terminal line’s parameters.
Syntax
show line [console | vty]
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
Shows all lines
Command Mode
Normal Exec, Privileged Exec
4-56
System Management Commands
4
Example
To show all lines, enter this command:
Console#show line
Terminal Configuration for this session:
Length: 24
Width: 80
History size: 10
Escape character(ASCII-number): 27
Terminal type: VT100
Console Configuration:
Password Threshold: 3 times
Interactive Timeout: 65535 sec
Login Timeout: Disabled
Silent Time:
Disabled
Baudrate:
9600
Databits:
8
Parity:
None
Stopbits:
1
VTY Configuration:
Password Threshold: 3 times
Interactive Timeout: 600 sec
Login Timeout: 300 sec
4-57
4
Command Line Interface
Event Logging Commands
This section describes commands used to configure event logging on the switch.
Table 4-14 Event Logging Commands
Command
Function
Mode
Page
logging on
Controls logging of error messages
GC
4-58
logging history
Limits syslog messages saved to switch memory based on
severity
GC
4-59
logging host
Adds a syslog server host IP address that will receive logging
messages
GC
4-60
logging facility
Sets the facility type for remote logging of syslog messages
GC
4-60
logging trap
Limits syslog messages saved to a remote server based on
severity
GC
4-61
clear log
Clears messages from the logging buffer
PE
4-61
show logging
Displays the state of logging
PE
4-62
show log
Displays log messages
PE
4-63
logging on
This command controls logging of error messages, sending debug or error
messages to switch memory. The no form disables the logging process.
Syntax
[no] logging on
Default Setting
None
Command Mode
Global Configuration
Command Usage
The logging process controls error messages saved to switch memory or sent
to remote syslog servers. You can use the logging history command to
control the type of error messages that are stored in memory. You can use the
logging trap command to control the type of error messages that are sent to
specified syslog servers.
Example
Console(config)#logging on
Console(config)#
Related Commands
logging history (4-59)
logging trap (4-61)
clear log (4-61)
4-58
4
System Management Commands
logging history
This command limits syslog messages saved to switch memory based on severity.
The no form returns the logging of syslog messages to the default level.
Syntax
logging history {flash | ram} level
no logging history {flash | ram}
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on
power reset).
• level - One of the levels listed below. Messages sent include the selected
level down to level 0. (Range: 0-7)
Table 4-15 Logging Levels
Level
Severity Name
Description
7
debugging
Debugging messages
6
informational
Informational messages only
5
notifications
Normal but significant condition, such as cold start
4
warnings
Warning conditions (e.g., return false, unexpected return)
3
errors
Error conditions (e.g., invalid input, default used)
2
critical
Critical conditions (e.g., memory allocation, or free
memory error - resource exhausted)
1
alerts
Immediate action needed
0
emergencies
System unusable
* There are only Level 2, 5 and 6 error messages for the current firmware release.
Default Setting
Flash: errors (level 3 - 0)
RAM: debugging (level 7 - 0)
Command Mode
Global Configuration
Command Usage
The message level specified for flash memory must be a higher priority (i.e.,
numerically lower) than that specified for RAM.
Example
Console(config)#logging history ram 0
Console(config)#
4-59
4
Command Line Interface
logging host
This command adds a syslog server host IP address that will receive logging
messages. Use the no form to remove a syslog server host.
Syntax
[no] logging host host-ip-address
host-ip-address - The IP address of a syslog server.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• Use this command more than once to build up a list of host IP addresses.
• The maximum number of host IP addresses allowed is five.
Example
Console(config)#logging host 10.1.0.3
Console(config)#
logging facility
This command sets the facility type for remote logging of syslog messages. Use the
no form to return the type to the default.
Syntax
[no] logging facility type
type - A number that indicates the facility used by the syslog server to
dispatch log messages to an appropriate service. (Range: 16-23)
Default Setting
23
Command Mode
Global Configuration
Command Usage
The command specifies the facility type tag sent in syslog messages. (See
RFC 3164.) This type has no effect on the kind of messages reported by the
switch. However, it may be used by the syslog server to sort messages or to
store messages in the corresponding database.
Example
Console(config)#logging facility 19
Console(config)#
4-60
4
System Management Commands
logging trap
This command enables the logging of system messages to a remote server, or
limits the syslog messages saved to a remote server based on severity. Use this
command without a specified level to enable remote logging. Use the no form to
disable remote logging.
Syntax
logging trap [level]
no logging trap
level - One of the level arguments listed in the table on page 4-59.
Messages sent include the selected level up through level 0.
Default Setting
• Enabled
• Level 7 - 0
Command Mode
Global Configuration
Command Usage
• Using this command with a specified level enables remote logging and sets
the minimum severity level to be saved.
• Using this command without a specified level also enables remote logging, but
restores the minimum severity level to the default.
Example
Console(config)#logging trap 4
Console(config)#
clear log
This command clears messages from the log buffer.
Syntax
clear log [flash | ram]
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on
power reset).
Default Setting
Flash and RAM
Command Mode
Privileged Exec
Example
Console#clear log
Console#
4-61
4
Command Line Interface
Related Commands
show log (4-63)
show logging
This command displays the configuration settings for logging messages to local
switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax
show logging {flash | ram | sendmail}
• flash - Displays settings for storing event messages in flash memory
(i.e., permanent memory).
• ram - Displays settings for storing event messages in temporary RAM
(i.e., memory flushed on power reset).
• sendmail - Displays settings for the SMTP event handler (page 4-66).
Default Setting
None
Command Mode
Privileged Exec
Example
The following example shows that system logging is enabled, the message level for
flash memory is “errors” (i.e., default level 3 - 0), the message level for RAM is
“informational” (i.e., default level 7 - 0).
Console#show logging flash
Syslog logging:
Enabled
History logging in FLASH: level errors
Console#show logging ram
Syslog logging:
Enabled
History logging in RAM: level informational
Console#
Table 4-16 show logging flash/ram - display description
Field
Description
Syslog logging
Shows if system logging has been enabled via the logging on command.
History logging in FLASH The message level(s) reported based on the logging history command.
History logging in RAM
The message level(s) reported based on the logging history command.
Related Commands
show logging sendmail (4-66)
4-62
4
System Management Commands
show log
This command displays the system and event messages stored in memory.
Syntax
show log {flash | ram} [login]
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on
power reset).
• login - Shows the login record only.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
This command shows the system and event messages stored in memory,
including the time stamp, message level (page 4-59), program module,
function, and event number.
Example
The following example shows sample messages stored in RAM.
Console#show log ram
[5] 00:01:06 2001-01-01
"STA root change notification."
level: 6, module: 6, function: 1, and
[4] 00:01:00 2001-01-01
"STA root change notification."
level: 6, module: 6, function: 1, and
[3] 00:00:54 2001-01-01
"STA root change notification."
level: 6, module: 6, function: 1, and
[2] 00:00:50 2001-01-01
"STA topology change notification."
level: 6, module: 6, function: 1, and
[1] 00:00:48 2001-01-01
"VLAN 1 link-up notification."
level: 6, module: 6, function: 1, and
Console#
event no.: 1
event no.: 1
event no.: 1
event no.: 1
event no.: 1
4-63
4
Command Line Interface
SMTP Alert Commands
These commands configure SMTP event handling, and forwarding of alert
messages to the specified SMTP servers and email recipients.
Table 4-17 SMTP Alert Commands
Command
Function
Mode
Page
logging sendmail host
SMTP servers to receive alert messages
GC
4-64
logging sendmail level
Severity threshold used to trigger alert messages
GC
4-65
logging sendmail
source-email
Email address used for “From” field of alert messages
GC
4-65
logging sendmail
destination-email
Email recipients of alert messages
GC
4-66
logging sendmail
Enables SMTP event handling
GC
4-66
show logging sendmail
Displays SMTP event handler settings
NE, PE
4-66
logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no
form to remove an SMTP server.
Syntax
[no] logging sendmail host ip-address
ip-address - IP address of an SMTP server that will be sent alert
messages for event handling.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• You can specify up to three SMTP servers for event handing. However, you
must enter a separate command to specify each server.
• To send email alerts, the switch first opens a connection, sends all the email
alerts waiting in the queue one by one, and finally closes the connection.
• To open a connection, the switch first selects the server that successfully sent
mail during the last connection, or the first server configured by this command.
If it fails to send mail, the switch selects the next server in the list and tries to
send mail again. If it still fails, the system will repeat the process at a periodic
interval. (A trap will be triggered if the switch cannot successfully open a
connection.)
Example
Console(config)#logging sendmail host 192.168.1.200
Console(config)#
4-64
4
System Management Commands
logging sendmail level
This command sets the severity threshold used to trigger alert messages.
Syntax
logging sendmail level level
level - One of the system message levels (page 4-59). Messages sent
include the selected level down to level 0. (Range: 0-7; Default: 7)
Default Setting
Level 7
Command Mode
Global Configuration
Command Usage
The specified level indicates an event threshold. All events at this level or
higher will be sent to the configured email recipients. (For example, using
Level 7 will report all events from level 7 to level 0.)
Example
This example will send email alerts for system errors from level 4 through 0.
Console(config)#logging sendmail level 4
Console(config)#
logging sendmail source-email
This command sets the email address used for the “From” field in alert messages.
Use the no form to delete the source email address.
Syntax
[no] logging sendmail source-email email-address
email-address - The source email address used in alert messages.
(Range: 0-41 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
You may use an symbolic email address that identifies the switch, or the
address of an administrator responsible for the switch.
Example
This example will set the source email john@acme.com.
Console(config)#logging sendmail source-email john@acme.com
Console(config)#
4-65
4
Command Line Interface
logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to
remove a recipient.
Syntax
[no] logging sendmail destination-email email-address
email-address - The source email address used in alert messages.
(Range: 1-41 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
You can specify up to five recipients for alert messages. However, you must
enter a separate command to specify each recipient.
Example
Console(config)#logging sendmail destination-email ted@this-company.com
Console(config)#
logging sendmail
This command enables SMTP event handling. Use the no form to disable this
function.
Syntax
[no] logging sendmail
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#logging sendmail
Console(config)#
show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
4-66
System Management Commands
4
Example
Console#show logging sendmail
SMTP servers
----------------------------------------------1. 192.168.1.200
SMTP Minimum Severity Level: 4
SMTP destination email addresses
----------------------------------------------1. geoff@acme.com
SMTP Source Email Address:
SMTP status:
Console#
john@acme.com
Enabled
4-67
4
Command Line Interface
Time Commands
The system clock can be dynamically set by polling a set of specified time servers
(NTP or SNTP). Maintaining an accurate time on the switch enables the system log
to record meaningful dates and times for event entries. If the clock is not set, the
switch will only record the time from the factory default set at the last bootup.
Table 4-18 Time Commands
Command
Function
Mode
Page
sntp client
Accepts time from specified time servers
GC
4-69
sntp server
Specifies one or more time servers
GC
4-70
sntp poll
Sets the interval at which the client polls for time
GC
4-70
show sntp
Shows current SNTP configuration settings
NE, PE
4-71
SNTP Commands
NTP Commands
ntp client
Enables the NTP client for time updates from specified servers GC
4-71
ntp server
Specifies NTP servers to poll for time updates
GC
4-72
ntp authenticate
Enables authentication for NTP traffic
GC
4-73
ntp authentication-key Configures authentication keys
GC
4-74
show ntp
NE, PE
4-75
Shows current NTP configuration settings
Manual Configuration Commands
clock timezone
Manually sets the time zone for the switch’s internal clock
GC
4-75
clock
timezone-predefined
Sets the time zone for the switch’s internal clock using
predefined time zone configurations
GC
4-76
clock summertime
(date)
Configures summer time* for the switch’s internal clock
GC
4-77
clock summertime
(predefined)
Configures summer time* for the switch’s internal clock
GC
4-78
clock summertime
(recurring)
Configures summer time* for the switch’s internal clock
GC
4-79
calendar set
Sets the system date and time
PE
4-80
show calendar
Displays the current date and time setting
NE, PE
4-81
* Daylight savings time.
4-68
System Management Commands
4
sntp client
This command enables SNTP client requests for time synchronization from NTP or
SNTP time servers specified with the sntp servers command. Use the no form to
disable SNTP client requests.
Syntax
[no] sntp client
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The time acquired from time servers is used to record accurate dates and
times for log events. Without SNTP, the switch only records the time starting
from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
• This command enables client time requests to time servers specified via the
sntp servers command. It issues time synchronization requests based on the
interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current time: Dec 23 02:52:44 2002
Poll interval: 60
Current mode: unicast
SNTP status: Enabled
SNTP server: 10.1.0.19 0.0.0.0 0.0.0.0
Current server: 10.1.0.19
Console#
Related Commands
sntp server (4-70)
sntp poll (4-70)
show sntp (4-71)
4-69
4
Command Line Interface
sntp server
This command sets the IP address of the servers to which SNTP time requests are
issued. Use the this command with no arguments to clear all time servers from the
current list.
Syntax
sntp server [ip1 [ip2 [ip3]]]
ip - IP address of a time server (NTP or SNTP).
(Range: 1-3 addresses)
Default Setting
None
Command Mode
Global Configuration
Command Usage
This command specifies time servers from which the switch will poll for time
updates when set to SNTP client mode. The client will poll the time servers in
the order specified until a response is received. It issues time synchronization
requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.19
Console(config)#
Related Commands
sntp client (4-69)
sntp poll (4-70)
show sntp (4-71)
sntp poll
This command sets the interval between sending time requests when the switch is
set to SNTP client mode. Use the no form to restore to the default.
Syntax
sntp poll seconds
no sntp poll
seconds - Interval between time requests. (Range: 16-16384 seconds)
Default Setting
16 seconds
Command Mode
Global Configuration
4-70
4
System Management Commands
Example
Console(config)#sntp poll 60
Console(config)#
Related Commands
sntp client (4-69)
show sntp
This command displays the current time and configuration settings for the SNTP
client, and indicates whether or not the local time has been properly updated.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command displays the current time, the poll interval used for sending
time synchronization requests, and the current SNTP mode (i.e., unicast).
Example
Console#show sntp
Current time: Dec 23 05:13:28 2002
Poll interval: 16
Current mode: unicast
SNTP status : Enabled
SNTP server 137.92.140.80 0.0.0.0 0.0.0.0
Current server: 137.92.140.80
Console#
ntp client
This command enables NTP client requests for time synchronization from NTP time
servers specified with the ntp servers command. Use the no form to disable NTP
client requests.
Syntax
[no] ntp client
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The SNTP and NTP clients cannot be enabled at the same time. First disable
the SNTP client before using this command.
• The time acquired from time servers is used to record accurate dates and
times for log events. Without NTP, the switch only records the time starting
from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
4-71
4
Command Line Interface
• This command enables client time requests to time servers specified via the
ntp servers command.
Example
Console(config)#ntp client
Console(config)#
Related Commands
sntp client (4-69)
ntp server (4-72)
ntp server
This command sets the IP addresses of the servers to which NTP time requests are
issued. Use the no form of the command to clear a specific time server or all servers
from the current list.
Syntax
ntp server ip-address [version number] [key key-number]
no ntp server [ip-address]
• ip-address - IP address of an NTP time server.
• number - The NTP version number supported by the server. (Range: 1-3)
• key-number - The number of an authentication key to use in
communications with the server. (Range: 1-65535)
Default Setting
Version number: 3
Command Mode
Global Configuration
Command Usage
• This command specifies time servers that the switch will poll for time updates
when set to NTP client mode. It issues time synchronization requests based
on the interval set with the ntp poll command. The client will poll all the time
servers configured, the responses received are filtered and compared to
determine the most reliable and accurate time update for the switch.
• You can configure up to 50 NTP servers on the switch. Re-enter this
command for each server you want to configure.
• NTP authentication is optional. If enabled with the ntp authenticate
command, you must also configure at least one key number using the ntp
authentication-key command.
• Use the no form of this command without an argument to clear all configured
servers in the list.
4-72
System Management Commands
4
Example
Console(config)#ntp
Console(config)#ntp
Console(config)#ntp
Console(config)#ntp
Console(config)#
server
server
server
server
192.168.3.20
192.168.3.21
192.168.4.22 version 2
192.168.5.23 version 3 key 19
Related Commands
ntp client (4-71)
show ntp (4-75)
ntp authenticate
This command enables authentication for NTP client-server communications. Use
the no form to disable authentication.
Syntax
[no] ntp authenticate
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
You can enable NTP authentication to ensure that reliable updates are
received from only authorized NTP servers. The authentication keys and their
associated key number must be centrally managed and manually distributed to
NTP servers and clients. The key numbers and key values must match on
both the server and client.
Example
Console(config)#ntp authenticate
Console(config)#
Related Commands
ntp authentication-key (4-74)
4-73
4
Command Line Interface
ntp authentication-key
This command configures authentication keys and key numbers to use when NTP
authentication is enabled. Use the no form of the command to clear a specific
authentication key or all keys from the current list.
Syntax
ntp authentication-key number md5 key
no ntp authentication-key [number]
• number - The NTP authentication key ID number. (Range: 1-65535)
• md5 - Specifies that authentication is provided by using the message digest
algorithm 5.
• key - An MD5 authentication key string. The key string can be up to 32
case-sensitive printable ASCII characters (no spaces).
Default Setting
None
Command Mode
Global Configuration
Command Usage
• The key number specifies a key value in the NTP authentication key list. Up
to 255 keys can be configured on the switch. Re-enter this command for each
server you want to configure.
• Note that NTP authentication key numbers and values must match on both the
server and client.
• NTP authentication is optional. When enabled with the ntp authenticate
command, you must also configure at least one key number using this
command.
• Use the no form of this command without an argument to clear all
authentication keys in the list.
Example
Console(config)#ntp authentication-key 45 md5 thisiskey45
Console(config)#
Related Commands
ntp authenticate (4-73)
4-74
4
System Management Commands
show ntp
This command displays the current time and configuration settings for the NTP
client, and indicates whether or not the local time has been properly updated.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command displays the current time, the poll interval used for sending
time synchronization requests, and the current NTP mode (i.e., unicast).
Example
Console#show ntp
Current Time
: Jan 1 00:09:30 2001
Polling
: 1024 seconds
Current Mode
: unicast
NTP Status
: Enabled
NTP Authenticate Status : Enabled
Last Update NTP Server
: 0.0.0.0
Port: 0
Last Update Time
: Dec 31 00:00:00 2000 UTC
NTP Server 192.168.3.20 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.3.22 version 2
NTP Server 192.168.4.50 version 3 key 30
NTP Server 192.168.5.35 version 3 key 19
NTP Authentication-Key 12 md5 156S46Q24142414222711K66N80 7
NTP Authentication-Key 19 md5 Q33O16Q6338241J022S29Q731K7 7
NTP Authentication-Key 30 md5 D2V8777I51K1132K3552L26R6141O4 7
NTP Authentication-Key 45 md5 3U865531O13K38F0R8 7
NTP Authentication-Key 125 md5 A48S2810327947M76 7
Console#
clock timezone
This command sets the time zone for the switch’s internal clock.
Syntax
clock timezone name hour hours minute minutes {before-utc | after-utc}
• name - Name of timezone, usually an acronym. (Range: 1-29 characters)
• hours - Number of hours before/after UTC. (Range: 0-12 hours before;
0-13 hours after)
• minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
• before-utc - Sets the local time zone before (east) of UTC.
• after-utc - Sets the local time zone after (west) of UTC.
Default Setting
None
Command Mode
Global Configuration
4-75
4
Command Line Interface
Command Usage
This command sets the local time zone relative to the Coordinated Universal
Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s
prime meridian, zero degrees longitude. To display a time corresponding to
your local time, you must indicate the number of hours and minutes your time
zone is east (before) or west (after) of UTC.
Example
Console(config)#clock timezone Japan hours 8 minute 0 after-UTC
Console(config)#
Related Commands
show sntp (4-71)
clock timezone-predefined
This command uses predefined time zone configurations to set the time zone for the
switch’s internal clock. Use the no form to restore the default.
Syntax
clock timezone-predefined offset-city
no clock timezone-predefined
• offset - Select the offset from GMT. (Range: GMT-0100 - GMT-1200;
GMT-Greenwich-Mean-Time; GMT+0100 - GMT+1300)
• city - Select the city associated with the chosen GMT offset. After the offset
has been entered, use the tab-complete function to display the available
city options.
Default Setting
GMT-Greenwich-Mean-Time-Dublin,Edinburgh,Lisbon,London
Command Mode
Global Configuration
Command Usage
This command sets the local time zone relative to the Coordinated Universal
Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s
prime meridian, zero degrees longitude. To display a time corresponding to
your local time, you must indicate the number of hours and minutes your time
zone is east (before) or west (after) of UTC.
Example
Console(config)#clock timezone-predefined GMT-0930-Taiohae
Console(config)#
4-76
System Management Commands
4
Related Commands
show sntp (4-71)
clock summer-time (date)
This command sets the start, end, and offset times of summer time (daylight savings
time) for the switch on a one-time basis. Use the no form to disable summer time.
Syntax
clock summer-time name date b-month b-day b-year b-hour b-minute
e-month e-day e-year e-hour e-minute offset
no clock summer-time
• name - Name of the time zone while summer time is in effect, usually an
acronym. (Range: 1-30 characters)
• b-month - The month when summer time will begin. (Options: january |
february | march | april | may | june | july | august | september | october
| november | december)
• b-day - The day summer time will begin. (Options: sunday | monday |
tuesday | wednesday | thursday | friday | saturday)
• b-year- The year summer time will begin.
• b-hour - The hour summer time will begin. (Range: 0-23 hours)
• b-minute - The minute summer time will begin. (Range: 0-59 minutes)
• e-month - The month when summer time will end. (Options: january |
february | march | april | may | june | july | august | september | october
| november | december)
• e-day - The day summer time will end. (Options: sunday | monday |
tuesday | wednesday | thursday | friday | saturday)
• e-year- The year summer time will end.
• e-hour - The hour summer time will end. (Range: 0-23 hours)
• e-minute - The minute summer time will end. (Range: 0-59 minutes)
• offset - Summer time offset from the regular time zone, in minutes.
(Range: 0-99 minutes)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• In some countries or regions, clocks are adjusted through the summer months
so that afternoons have more daylight and mornings have less. This is known
as Summer Time, or Daylight Savings Time (DST). Typically, clocks are
adjusted forward one hour at the start of spring and then adjusted backward
in autumn.
4-77
4
Command Line Interface
• This command sets the summer-time time zone relative to the currently
configured time zone. To specify a time corresponding to your local time when
summer time is in effect, you must indicate the number of minutes your
summer-time time zone deviates from your regular time zone.
Example
Console(config)#clock summer-time DEST date april 1 2007 23 23 april 23
2007 23 23 60
Console(config)#
Related Commands
show sntp (4-71)
clock summer-time (predefined)
This command configures the summer time (daylight savings time) status and
settings for the switch using predefined configurations for several major regions of
the world. Use the no form to disable summer time.
Syntax
clock summer-time name predefined [australia | europe | new-zealand |
usa]
no clock summer-time
name - Name of the timezone while summer time is in effect, usually an
acronym. (Range: 1-30 characters)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• In some countries or regions, clocks are adjusted through the summer months
so that afternoons have more daylight and mornings have less. This is known
as Summer Time, or Daylight Savings Time (DST). Typically, clocks are
adjusted forward one hour at the start of spring and then adjusted backward
in autumn.
• This command sets the summer-time time relative to the configured time
zone. To specify the time corresponding to your local time when summer time
is in effect, select the predefined summer-time time zone appropriate for your
location, or manually configure summer time if these predefined
configurations do not apply to your location (see clock summer-time (date)
on page 4-77 or clock summer-time (recurring) on page 4-79).
4-78
System Management Commands
4
Table 4-19 Predefined Summer-Time Parameters
Region
Start Time, Day, Week, & Month
End Time, Day, Week, & Month
Australia
00:00:00, Sunday, Week 5 of October 23:59:59, Sunday, Week 5 of March
60 min
Europe
00:00:00, Sunday, Week 5 of March
60 min
23:59:59, Sunday, Week 5 of October
Rel. Offset
New Zealand 00:00:00, Sunday, Week 1 of October 23:59:59, Sunday, Week 3 of March
60 min
USA
60 min
02:00:00, Sunday, Week 2 of March
02:00:00, Sunday, Week 1 of November
Example
Console(config)#clock summer-time MESZ predefined europe
Console(config)#
Related Commands
show sntp (4-71)
clock summer-time (recurring)
This command allows the user to manually configure the start, end, and offset times
of summer time (daylight savings time) for the switch on a recurring basis. Use the
no form to disable summer-time.
Syntax
clock summer-time name recurring b-week b-day b-month b-hour b-minute
e-week e-day e-month e-hour e-minute offset
no clock summer-time
• name - Name of the timezone while summer time is in effect, usually an
acronym. (Range: 1-30 characters)
• b-week - The week of the month when summer time will begin. (Range: 1-5)
• b-day - The day of the week when summer time will begin. (Options:
sunday | monday | tuesday | wednesday | thursday | friday | saturday)
• b-month - The month when summer time will begin. (Options: january |
february | march | april | may | june | july | august | september | october
| november | december)
• b-hour - The hour when summer time will begin. (Range: 0-23 hours)
• b-minute - The minute when summer time will begin. (Range: 0-59 minutes)
• e-week - The week of the month when summer time will end. (Range: 1-5)
• e-day - The day of the week summer time will end. (Options: sunday |
monday | tuesday | wednesday | thursday | friday | saturday)
• e-month - The month when summer time will end. (Options: january |
february | march | april | may | june | july | august | september | october
| november | december)
• e-hour - The hour when summer time will end. (Range: 0-23 hours)
• e-minute - The minute when summer time will end. (Range: 0-59 minutes)
• offset - Summer-time offset from the regular time zone, in minutes.
(Range: 0-99 minutes)
4-79
4
Command Line Interface
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• In some countries or regions, clocks are adjusted through the summer months
so that afternoons have more daylight and mornings have less. This is known
as Summer Time, or Daylight Savings Time (DST). Typically, clocks are
adjusted forward one hour at the start of spring and then adjusted backward
in autumn.
• This command sets the summer-time time zone relative to the currently
configured time zone. To display a time corresponding to your local time when
summer time is in effect, you must indicate the number of minutes your
summer-time time zone deviates from your regular time zone.
Example
Console(config)#clock summer-time MESZ recurring 1 friday june 23 59 3
saturday september 2 55 60
Console(config)#
Related Commands
show sntp (4-71)
calendar set
This command sets the system clock. It may be used if there is no time server on
your network, or if you have not configured the switch to receive signals from a time
server.
Syntax
calendar set hour min sec {day month year | month day year}
•
•
•
•
•
hour - Hour in 24-hour format. (Range: 0-23)
min - Minute. (Range: 0-59)
sec - Second. (Range: 0-59)
day - Day of month. (Range: 1-31)
month - january | february | march | april | may | june | july | august |
september | october | november | december
• year - Year (4-digit). (Range: 2001-2100)
Default Setting
None
Command Mode
Privileged Exec
4-80
System Management Commands
4
Example
Console#calendar set 15 12 34 1 April 2004
Console#
show calendar
This command displays the system clock.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Example
Console#show calendar
15:12:43 April 1 2004
Console#
Switch Cluster Commands
Switch Clustering is a method of grouping switches together to enable centralized
management through a single unit. Switches that support clustering can be grouped
together regardless of physical location or switch type, as long as they are
connected to the same local network.
Table 4-20 Switch Cluster Commands
Command
Function
Mode
cluster
Configures clustering on the switch
GC
4-82
cluster commander
Configures the switch as a cluster Commander
GC
4-82
cluster ip-pool
Sets the cluster IP address pool for Members
GC
4-83
cluster member
Sets Candidate switches as cluster members
GC
4-84
rcommand
Provides configuration access to Member switches
GC
4-84
show cluster
Displays the switch clustering status
PE
4-85
show cluster members
Displays current cluster Members
PE
4-85
PE
4-85
show cluster candidates Displays current cluster Candidates in the network
Page
Using Switch Clustering
• A switch cluster has a primary unit called the “Commander” which is used to
manage all other “Member” switches in the cluster. The management station uses
both Telnet and the web interface to communicate directly with the Commander
through its IP address, while the Commander manages Member switches using
the cluster’s “internal” IP addresses.
• Once a switch has been configured to be a cluster Commander, it automatically
discovers other cluster-enabled switches in the network. These “Candidate”
4-81
4
Command Line Interface
switches only become cluster Members when manually selected by the
administrator through the management station.
Note: Cluster Member switches can be managed either through a Telnet connection to
the Commander, or through a web management connection to the Commander.
When using a console connection, from the Commander CLI prompt, use the
rcommand (see page 4-84) to connect to the Member switch.
cluster
This command enables clustering on the switch. Use the no form to disable
clustering.
Syntax
[no] cluster
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
• To create a switch cluster, first be sure that clustering is enabled on the switch
(the default is enabled), then set the switch as a Cluster Commander. Set a
Cluster IP Pool that does not conflict with any other IP subnets in the network.
Cluster IP addresses are assigned to switches when they become Members
and are used for communication between Member switches and the
Commander.
• Switch clusters are limited to the same Ethernet broadcast domain.
• There can be up to 100 candidates and 36 member switches in one cluster.
• A switch can only be a Member of one cluster.
• Configured switch clusters are maintained across power resets and network
changes.
Example
Console(config)#cluster
Console(config)#
cluster commander
This command enables the switch as a cluster Commander. Use the no form to
disable the switch as cluster Commander.
Syntax
[no] cluster commander
Default Setting
Disabled
4-82
4
System Management Commands
Command Mode
Global Configuration
Command Usage
• Once a switch has been configured to be a cluster Commander, it
automatically discovers other cluster-enabled switches in the network. These
“Candidate” switches only become cluster Members when manually selected
by the administrator through the management station.
• Cluster Member switches can be managed through a Telnet connection to the
Commander. From the Commander CLI prompt, use the rcommand id command
to connect to the Member switch.
Example
Console(config)#cluster commander
Console(config)#
cluster ip-pool
This command sets the cluster IP address pool. Use the no form to reset to the
default address.
Syntax
cluster ip-pool ip-address
no cluster ip-pool
ip-address - The base IP address for IP addresses assigned to cluster
Members. The IP address must start 10.x.x.x.
Default Setting
10.254.254.1
Command Mode
Global Configuration
Command Usage
• An “internal” IP address pool is used to assign IP addresses to Member
switches in the cluster. Internal cluster IP addresses are in the form
10.x.x.member-ID. Only the base IP address of the pool needs to be set since
Member IDs can only be between 1 and 36.
• Set a Cluster IP Pool that does not conflict with addresses in the network IP
subnet. Cluster IP addresses are assigned to switches when they become
Members and are used for communication between Member switches and the
Commander.
• You cannot change the cluster IP pool when the switch is currently in Commander
mode. Commander mode must first be disabled.
Example
Console(config)#cluster ip-pool 10.2.3.4
Console(config)#
4-83
4
Command Line Interface
cluster member
This command configures a Candidate switch as a cluster Member. Use the no form
to remove a Member switch from the cluster.
Syntax
cluster member mac-address mac-address id member-id
no cluster member id member-id
• mac-address - The MAC address of the Candidate switch.
• member-id - The ID number to assign to the Member switch. (Range: 1-36)
Default Setting
No Members
Command Mode
Global Configuration
Command Usage
• The maximum number of cluster Members is 36.
• The maximum number of cluster Candidates is 100.
Example
Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
Console(config)#
rcommand
This command provides access to a cluster Member CLI for configuration.
Syntax
rcommand id member-id
member-id - The ID number of the Member switch. (Range: 1-36)
Command Mode
Privileged Exec
Command Usage
• This command only operates through a Telnet connection to the Commander
switch. Managing cluster Members using the local console CLI on the
Commander is not supported.
• There is no need to enter the username and password for access to the
Member switch CLI.
Example
Vty-0#rcommand id 1
CLI session with the EL228 is opened.
To end the CLI session, enter [Exit].
Vty-0#
4-84
System Management Commands
4
show cluster
This command shows the switch clustering configuration.
Command Mode
Privileged Exec
Example
Console#show cluster
Role:
Interval heartbeat:
Heartbeat loss count:
Number of Members:
Number of Candidates:
Console#
commander
30
3
1
2
show cluster members
This command shows the current switch cluster members.
Command Mode
Privileged Exec
Example
Console#show cluster members
Cluster Members:
ID:
1
Role:
Active member
IP Address: 10.254.254.2
MAC Address: 00-12-cf-23-49-c0
Description: 24/48 L2/L4 IPV4/IPV6 GE Switch
Console#
show cluster candidates
This command shows the discovered Candidate switches in the network.
Command Mode
Privileged Exec
Example
Console#show cluster candidates
Cluster Candidates:
Role
Mac
--------------- ----------------ACTIVE MEMBER
00-12-cf-23-49-c0
CANDIDATE
00-12-cf-0b-47-a0
Console#
Description
--------------------------------------EL228
EL228
4-85
4
Command Line Interface
UPnP Commands
Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect
seamlessly and simplifies the deployment of home and office networks. UPnP
achieves this by issuing UPnP device control protocols designed upon open,
Internet-based communication standards.
The commands described in this section allow the switch to advertise itself as a
UPnP compliant device. When discovered by a host device, basic information about
this switch can be displayed, and the web management interface accessed.
Table 4-1. UPnP Commands
Command
Function
Mode
Page
upnp device
Enables/disables UPnP on the network
GC
4-86
upnp device ttl
Sets the time-to-live (TTL) value.
GC
4-87
upnp device advertise
duration
Sets the advertisement duration of the device
GC
4-87
show upnp
Displays UPnP status and parameters
PE
4-88
upnp device
This command enables UPnP on the device. Use the no form to disable UPnP.
Syntax
[no] upnp device
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
You must enable UPnP before you can configure time-out settings for sending
UPnP messages.
Example
In the following example, UPnP is enabled on the device.
Console(config)#upnp device
Console(config)#
Related Commands
upnp device ttl (4-87)
upnp device advertise duration (4-87)
4-86
4
System Management Commands
upnp device ttl
This command sets the time-to-live (TTL) value for sending of UPnP messages from
the device.
Syntax
upnp device ttl value
value - The number of router hops a UPnP packet can travel before it is
discarded. (Range:1-255)
Default Setting
4
Command Mode
Global Configuration
Command Usage
UPnP devices and control points must be within the local network, that is
within the TTL value for multicast messages.
Example
In the following example, the TTL is set to 6.
Console(config)#upnp device ttl 6
Console(config)#
upnp device advertise duration
This command sets the duration for which a device will advertise its presence on the
local network.
Syntax
upnp device advertise duration value
value - A time out value expressed in seconds. (Range: 6-86400 seconds)
Default Setting
100 seconds
Command Mode
Global Configuration
Example
In the following example, the device advertise duration is set to 200 seconds.
Console(config)#upnp device advertise duration 200
Console(config)#
4-87
4
Command Line Interface
Related Commands
upnp device ttl (4-87)
show upnp
This command displays the UPnP management status and time out settings.
Command Mode
Privileged Exec
Example
Console#show upnp
UPnP global settings:
Status:
Advertise duration:
TTL:
Console#
Enabled
200
20
SNMP Commands
Controls access to this switch from management stations using the Simple Network
Management Protocol (SNMP), as well as the error types sent to trap managers.
SNMP Version 3 also provides security features that cover message integrity,
authentication, and encryption; as well as controlling user access to specific areas of
the MIB tree. To use SNMPv3, first set an SNMP engine ID (or accept the default),
specify read and write access views for the MIB tree, configure SNMP user groups
with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e.,
authentication and privacy), and then assign SNMP users to these groups, along
with their specific authentication and privacy passwords.
Table 4-21 SNMP Commands
Command
Function
Mode
Page
General SNMP Commands
snmp-server
Enables the SNMP agent
GC
4-89
show snmp
Displays the status of SNMP communications
NE, PE
4-90
snmp-server community
Sets up the community access string to permit access to
SNMP commands
GC
4-91
snmp-server contact
Sets the system contact string
GC
4-91
snmp-server location
Sets the system location string
GC
4-92
GC
4-93
GC
4-95
SNMP Target Host Commands
snmp-server host
Specifies the recipient of an SNMP notification operation
snmp-server enable traps Enables the device to send SNMP traps (i.e., SNMP
notifications)
4-88
SNMP Commands
4
Table 4-21 SNMP Commands (Continued)
Command
Function
Mode
Page
snmp-server engine-id
Sets the SNMPv3 engine ID
GC
4-96
show snmp engine-id
Shows the SNMPv3 engine ID
PE
4-97
snmp-server view
Adds an SNMPv3 view
GC
4-97
show snmp view
Shows the SNMPv3 views
PE
4-98
snmp-server group
Adds an SNMPv3 group, mapping users to views
GC
4-99
show snmp group
Shows the SNMPv3 groups
PE
4-100
snmp-server user
Adds a user to an SNMPv3 group
GC
4-101
show snmp user
Shows the SNMPv3 users
PE
4-102
snmp-server
enable port-traps atc
broadcast-alarm-fire
Sends a trap when broadcast traffic exceeds the upper
threshold for automatic storm control
IC (Port)
4-244
snmp-server
enable port-traps atc
multicast-alarm-fire
Sends a trap when multicast traffic exceeds the upper
threshold for automatic storm control
IC (Port)
4-245
snmp-server
enable port-traps atc
broadcast-alarm-clear
Sends a trap when broadcast traffic falls beneath the lower IC (Port)
threshold after a storm control response has been triggered
4-245
snmp-server
enable port-traps atc
multicast-alarm-clear
Sends a trap when multicast traffic falls beneath the lower IC (Port)
threshold after a storm control response has been triggered
4-246
snmp-server
enable port-traps atc
broadcast-control-apply
Sends a trap when broadcast traffic exceeds the upper
threshold for automatic storm control and the apply timer
expires
IC (Port)
4-246
snmp-server
enable port-traps atc
multicast-control-apply
Sends a trap when multicast traffic exceeds the upper
threshold for automatic storm control and the apply timer
expires
IC (Port)
4-247
snmp-server
Sends a trap when broadcast traffic falls beneath the lower IC (Port)
enable port-traps atc
threshold after a storm control response has been triggered
broadcast-control-release and the release timer expires
4-247
snmp-server
Sends a trap when multicast traffic falls beneath the lower IC (Port)
enable port-traps atc
threshold after a storm control response has been triggered
multicast-control-release and the release timer expires
4-248
SNMPv3 Commands
ATC Trap Commands
snmp-server
This command enables the SNMPv3 engine and services for all management clients
(i.e., versions 1, 2c, 3). Use the no form to disable the server.
Syntax
[no] snmp-server
Default Setting
Enabled
4-89
4
Command Line Interface
Command Mode
Global Configuration
Example
Console(config)#snmp-server
Console(config)#
show snmp
This command can be used to check the status of SNMP communications.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command provides information on the community access strings, counter
information for SNMP input and output protocol data units, and whether or not
SNMP logging has been enabled with the snmp-server enable traps
command.
Example
Console#show snmp
SNMP Agent: enabled
SNMP traps:
Authentication: enable
Link-up-down: enable
SNMP communities:
1. private, and the privilege is read-write
2. public, and the privilege is read-only
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 SNMP packets output
0 Too big errors
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
SNMP logging: disabled
Console#
4-90
SNMP Commands
4
snmp-server community
This command defines the SNMP v1 and v2c community access string. Use the no
form to remove the specified community string.
Syntax
snmp-server community string [ro|rw]
no snmp-server community string
• string - Community string that acts like a password and permits access to
the SNMP protocol. (Maximum length: 32 characters, case sensitive;
Maximum number of strings: 5)
• ro - Specifies read-only access. Authorized management stations are only
able to retrieve MIB objects.
• rw - Specifies read/write access. Authorized management stations are able
to both retrieve and modify MIB objects.
Default Setting
• public - Read-only access. Authorized management stations are only able to
retrieve MIB objects.
• private - Read/write access. Authorized management stations are able to both
retrieve and modify MIB objects.
Command Mode
Global Configuration
Example
Console(config)#snmp-server community alpha rw
Console(config)#
snmp-server contact
This command sets the system contact string. Use the no form to remove the
system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.
(Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#snmp-server contact Paul
Console(config)#
4-91
4
Command Line Interface
Related Commands
snmp-server location (4-92)
snmp-server location
This command sets the system location string. Use the no form to remove the
location string.
Syntax
snmp-server location text
no snmp-server location
text - String that describes the system location.
(Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#snmp-server location WC-19
Console(config)#
Related Commands
snmp-server contact (4-91)
4-92
4
SNMP Commands
snmp-server host
This command specifies the recipient of a Simple Network Management Protocol
notification operation. Use the no form to remove the specified host.
Syntax
snmp-server host host-addr [inform [retry retries | timeout seconds]]
community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}
no snmp-server host host-addr
• host-addr - Internet address of the host (the targeted recipient).
(Maximum host addresses: 5 trap destination IP address entries)
• inform - Notifications are sent as inform messages. Note that this option is
only available for version 2c and 3 hosts. (Default: traps are used)
- retries - The maximum number of times to resend an inform message if
the recipient does not acknowledge receipt. (Range: 0-255; Default: 3)
- seconds - The number of seconds to wait for an acknowledgment before
resending an inform message. (Range: 0-2147483647 centiseconds;
Default: 1500 centiseconds)
• community-string - Password-like community string sent with the
notification operation to SNMP V1 and V2c hosts. Although you can set this
string using the snmp-server host command by itself, we recommend that
you define this string using the snmp-server community command prior
to using the snmp-server host command.
(Maximum length: 32 characters)
• version - Specifies whether to send notifications as SNMP Version 1, 2c or
3 traps. (Range: 1, 2c, 3; Default: 1)
- auth | noauth | priv - This group uses SNMPv3 with authentication, no
authentication, or with authentication and privacy. See "Simple Network
Management Protocol" on page 3-50 for further information about these
authentication and encryption options.
• port - Host UDP port to use. (Range: 1-65535; Default: 162)
Default Setting
• Host Address: None
• Notification Type: Traps
• SNMP Version: 1
• UDP Port: 162
Command Mode
Global Configuration
Command Usage
• If you do not enter an snmp-server host command, no notifications are sent.
In order to configure the switch to send SNMP notifications, you must enter at
least one snmp-server host command. In order to enable multiple hosts, you
must issue a separate snmp-server host command for each host.
4-93
4
Command Line Interface
• The snmp-server host command is used in conjunction with the
snmp-server enable traps command. Use the snmp-server enable traps
command to enable the sending of traps or informs and to specify which
SNMP notifications are sent globally. For a host to receive notifications, at
least one snmp-server enable traps command and the snmp-server host
command for that host must be enabled.
• Some notification types cannot be controlled with the snmp-server enable
traps command. For example, some notification types are always enabled.
• Notifications are issued by the switch as trap messages by default. The
recipient of a trap message does not send a response to the switch. Traps are
therefore not as reliable as inform messages, which include a request for
acknowledgement of receipt. Informs can be used to ensure that critical
information is received by the host. However, note that informs consume more
system resources because they must be kept in memory until a response is
received. Informs also add to network traffic. You should consider these
effects when deciding whether to issue notifications as traps or informs.
To send an inform to a SNMPv2c host, complete these steps:
1. Enable the SNMP agent (page 4-89).
2. Allow the switch to send SNMP traps; i.e., notifications (page 4-95).
3. Specify the target host that will receive inform messages with the
snmp-server host command as described in this section.
4. Create a view with the required notification messages (page 4-97).
5. Create a group that includes the required notify view (page 4-99).
To send an inform to a SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 4-89).
2. Allow the switch to send SNMP traps; i.e., notifications (page 4-95).
3. Specify the target host that will receive inform messages with the
snmp-server host command as described in this section.
4. Create a view with the required notification messages (page 4-97).
5. Create a group that includes the required notify view (page 4-99).
6. Specify a remote engine ID where the user resides (page 4-96).
7. Then configure a remote user (page 4-101).
• The switch can send SNMP Version 1, 2c or 3 notifications to a host IP
address, depending on the SNMP version that the management station
supports. If the snmp-server host command does not specify the SNMP
version, the default is to send SNMP version 1 notifications.
• If you specify an SNMP Version 3 host, then the community string is
interpreted as an SNMP user name. If you use the V3 “auth” or “priv” options,
the user name must first be defined with the snmp-server user command.
Otherwise, the authentication password and/or privacy password will not
exist, and the switch will not authorize SNMP access for the host. However, if
you specify a V3 host with the “noauth” option, an SNMP user account will be
generated, and the switch will authorize SNMP access for the host.
4-94
SNMP Commands
4
Example
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#
Related Commands
snmp-server enable traps (4-95)
snmp-server enable traps
This command enables this device to send Simple Network Management Protocol
traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP
notifications.
Syntax
[no] snmp-server enable traps [authentication | link-up-down]
• authentication - Keyword to issue authentication failure notifications.
• link-up-down - Keyword to issue link-up or link-down notifications.
Default Setting
Issue authentication and link-up-down traps.
Command Mode
Global Configuration
Command Usage
• If you do not enter an snmp-server enable traps command, no notifications
controlled by this command are sent. In order to configure this device to send
SNMP notifications, you must enter at least one snmp-server enable traps
command. If you enter the command with no keywords, both authentication
and link-up-down notifications are enabled. If you enter the command with a
keyword, only the notification type related to that keyword is enabled.
• The snmp-server enable traps command is used in conjunction with the
snmp-server host command. Use the snmp-server host command to
specify which host or hosts receive SNMP notifications. In order to send
notifications, you must configure at least one snmp-server host command.
• The authentication, link-up, and link-down traps are legacy notifications, and
therefore when used for SNMP Version 3 hosts, they must be enabled in
conjunction with the corresponding entries in the Notify View assigned by the
snmp-server group command (page 4-99).
Example
Console(config)#snmp-server enable traps link-up-down
Console(config)#
Related Commands
snmp-server host (4-93)
4-95
4
Command Line Interface
snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the
no form to restore the default.
Syntax
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {ip-address}}
•
•
•
•
local - Specifies the SNMP engine on this switch.
remote - Specifies an SNMP engine on a remote device.
ip-address - The Internet address of the remote device.
engineid-string - String identifying the engine ID.
(Range: 10-64 hexadecimal characters representing 5-32 octets)
Default Setting
A unique engine ID is automatically generated by the switch based on its MAC
address.
Command Mode
Global Configuration
Command Usage
• An SNMP engine is an independent SNMP agent that resides either on this
switch or on a remote device. This engine protects against message replay,
delay, and redirection. The engine ID is also used in combination with user
passwords to generate the security keys for authenticating and encrypting
SNMPv3 packets.
• A remote engine ID is required when using SNMPv3 informs. (See
snmp-server host on page 4-93.) The remote engine ID is used to compute
the security digest for authenticating and encrypting packets sent to a user on
the remote host. SNMP passwords are localized using the engine ID of the
authoritative agent. For informs, the authoritative SNMP agent is the remote
agent. You therefore need to configure the remote agent’s SNMP engine ID
before you can send proxy requests or informs to it.
• Trailing zeroes need not be entered to uniquely specify a engine ID. In other
words, the value “123456789” is equivalent to “1234567890” because a
trailing zero will be added to fill in the last octet if an odd number of
hexadecimal characters is specified.
• A local engine ID is automatically generated that is unique to the switch. This
is referred to as the default engine ID. If the local engine ID is deleted or
changed, all SNMP users will be cleared. You will need to reconfigure all
existing users (page 4-101).
Example
Console(config)#snmp-server engine-id local 123456789
Console(config)#snmp-server engine-id remote 987654321 192.168.1.19
Console(config)#
4-96
SNMP Commands
4
Related Commands
snmp-server host (4-93)
show snmp engine-id
This command shows the SNMP engine ID.
Command Mode
Privileged Exec
Example
This example shows the default engine ID.
Console#show snmp engine-id
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1
Remote SNMP engineID
80000000030004e2b316c54321
Console#
IP address
192.168.1.19
Table 4-22 show snmp engine-id - display description
Field
Description
Local SNMP engineID
String identifying the engine ID.
Local SNMP engineBoots The number of times that the engine has (re-)initialized since the snmp EngineID
was last configured.
Remote SNMP engineID
String identifying an engine ID on a remote device.
IP address
IP address of the device containing the corresponding remote SNMP engine.
snmp-server view
This command adds an SNMP view which controls user access to the MIB. Use the
no form to remove an SNMP view.
Syntax
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
• view-name - Name of an SNMP view. (Range: 1-64 characters)
• oid-tree - Object identifier of a branch within the MIB tree. Wild cards can
be used to mask a specific portion of the OID string. (Refer to the
examples.)
• included - Defines an included view.
• excluded - Defines an excluded view.
Default Setting
defaultview (includes access to the entire MIB tree)
Command Mode
Global Configuration
4-97
4
Command Line Interface
Command Usage Command Usage
• Views are used in the snmp-server group command to restrict user access
to specified portions of the MIB tree.
• The predefined view “defaultview” includes access to the entire MIB tree.
Examples
This view includes MIB-2.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#
This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select
all the index values in this table.
Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included
Console(config)#
This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#
show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: permanent
Row Status: active
View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active
Console#
Table 4-23 show snmp view - display description
Field
Description
View Name
Name of an SNMP view.
Subtree OID
A branch in the MIB tree.
View Type
Indicates if the view is included or excluded.
Storage Type
The storage type for this entry.
Row Status
The row status of this entry.
4-98
4
SNMP Commands
snmp-server group
This command adds an SNMP group, mapping SNMP users to SNMP views. Use
the no form to remove an SNMP group.
Syntax
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}}
[read readview] [write writeview] [notify notifyview]
no snmp-server group groupname
• groupname - Name of an SNMP group. (Range: 1-32 characters)
• v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
• auth | noauth | priv - This group uses SNMPv3 with authentication, no
authentication, or with authentication and privacy. See "Simple Network
Management Protocol" on page 3-50 for further information about these
authentication and encryption options.
• readview - Defines the view for read access. (1-64 characters)
• writeview - Defines the view for write access. (1-64 characters)
• notifyview - Defines the view for notifications. (1-64 characters)
Default Setting
•
•
•
•
Default groups: public22 (read only), private23 (read/write)
readview - Every object belonging to the Internet OID space (1.3.6.1).
writeview - Nothing is defined.
notifyview - Nothing is defined.
Command Mode
Global Configuration
Command Usage
• A group sets the access policy for the assigned users.
• When authentication is selected, the MD5 or SHA algorithm is used as
specified in the snmp-server user command.
• When privacy is selected, the DES 56-bit algorithm is used for data encryption.
• Note that the authentication, link-up and link-down messages are legacy traps
and must therefore be enabled in conjunction with the snmp-server enable
traps command (page 4-95).
Example
Console(config)#snmp-server group r&d v3 auth write daily
Console(config)#
22. No view is defined.
23. Maps to the defaultview.
4-99
4
Command Line Interface
show snmp group
Four default groups are provided – SNMPv1 read-only access and read/write
access, and SNMPv2c read-only access and read/write access.
Command Mode
Privileged Exec
Example
Console#show snmp group
Group Name: r&d
Security Model: v3
Read View: defaultview
Write View: daily
Notify View: none
Storage Type: permanent
Row Status: active
Group Name: public
Security Model: v1
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#
4-100
SNMP Commands
4
Table 4-24 show snmp group - display description
Field
Description
Group Name
Name of an SNMP group.
Security Model
The SNMP version.
Read View
The associated read view.
Write View
The associated write view.
Notify View
The associated notify view.
Storage Type
The storage type for this entry.
Row Status
The row status of this entry.
snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific
SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP
group.
Syntax
snmp-server user username groupname [remote ip-address] {v1 | v2c | v3
[encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]
no snmp-server user username {v1 | v2c | v3 | remote}
• username - Name of user connecting to the SNMP agent.
(Range: 1-32 characters)
• groupname - Name of an SNMP group to which the user is assigned.
(Range: 1-32 characters)
• remote - Specifies an SNMP engine on a remote device.
• ip-address - The Internet address of the remote device.
• v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
• encrypted - Accepts the password as encrypted input.
• auth - Uses SNMPv3 with authentication.
• md5 | sha - Uses MD5 or SHA authentication.
• auth-password - Authentication password. Enter as plain text if the
encrypted option is not used. Otherwise, enter an encrypted password.
(A minimum of eight characters is required.)
• priv des56 - Uses SNMPv3 with privacy with DES56 encryption.
• priv-password - Privacy password. Enter as plain text if the encrypted
option is not used. Otherwise, enter an encrypted password.
Default Setting
None
Command Mode
Global Configuration
4-101
4
Command Line Interface
Command Usage
• The SNMP engine ID is used to compute the authentication/privacy digests
from the password. You should therefore configure the engine ID with the
snmp-server engine-id command before using this configuration command.
• Before you configure a remote user, use the snmp-server engine-id
command (page 4-96) to specify the engine ID for the remote device where
the user resides. Then use the snmp-server user command to specify the
user and the IP address for the remote device where the user resides. The
remote agent’s SNMP engine ID is used to compute authentication/privacy
digests from the user’s password. If the remote engine ID is not first configured,
the snmp-server user command specifying a remote user will fail.
• SNMP passwords are localized using the engine ID of the authoritative agent.
For informs, the authoritative SNMP agent is the remote agent. You therefore
need to configure the remote agent’s SNMP engine ID before you can send
proxy requests or informs to it.
Example
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace
priv des56 einstien
Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3
auth md5 greenpeace priv des56 einstien
Console(config)#
show snmp user
This command shows information on SNMP users.
Command Mode
Privileged Exec
Example
Console#show snmp user
EngineId: 800000ca030030f1df9ca00000
User Name: steve
Authentication Protocol: md5
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active
SNMP remote user
EngineId: 80000000030004e2b316c54321
User Name: mark
Authentication Protocol: mdt
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active
Console#
4-102
4
Flow Sampling Commands
Table 4-25 show snmp user - display description
Field
Description
EngineId
String identifying the engine ID.
User Name
Name of user connecting to the SNMP agent.
Authentication Protocol
The authentication protocol used with SNMPv3.
Privacy Protocol
The privacy protocol used with SNMPv3.
Storage Type
The storage type for this entry.
Row Status
The row status of this entry.
SNMP remote user
A user associated with an SNMP engine on a remote device.
Flow Sampling Commands
Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an
accurate, detailed and real-time overview of the types and levels of traffic present on
the network. The sFlow Agent samples 1 out of n packets from all data traversing the
switch, re-encapsulates the samples as sFlow datagrams and transmits them to the
sFlow Collector. This sampling occurs at the internal hardware level where all traffic
is seen, whereas traditional probes only have a partial view of traffic as it is sampled
at the monitored interface. Moreover, the processor and memory load imposed by
the sFlow agent is minimal since local analysis does not take place
Table 4-26 sFlow Commands
Command
Function
Mode
Page
sflow
Enables sFlow globally for the switch
GC
4-104
sflow source*
Enables sFlow on the source ports to be monitored
IC
4-104
sflow sample*
Configures the packet sampling rate
IC
4-105
sflow polling-interval
Configures the interval at which counters are added to the
sample datagram
IC
4-105
sflow owner
Configures the name of the receiver
IC
4-106
sflow timeout
Configures the length of time samples are sent to the
Collector before resetting all sFlow port parameters
IC
4-106
sflow destination
Configures the IP address and UDP port used by the Collector IC
4-107
sflow max-header-size
Configures the maximum size of the sFlow datagram header IC
4-107
sflow max-datagram-size Configures the maximum size of the sFlow datagram payload IC
4-108
show sflow
4-108
Shows the global and interface settings for the sFlow process PE
* Due to the switch’s hardware design, these commands can only be enabled for specific SFP port groups (1-8, 9-16,
and 17-24). However, sampling for each of the Gigabit combination ports (25-28) can be controlled individually.
4-103
4
Command Line Interface
sflow
This command enables sFlow globally for the switch. Use the no form to disable this
feature.
Syntax
[no] sflow
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Flow sampling must be enabled globally on the switch, as well as for those
ports where it is required (see the sflow source command on page 4-104).
Example
Console(config)#sflow
Console(config)#
sflow source
This command enables sFlow on the source ports to be monitored. Use the no form
to disable sFlow on the specified ports.
Syntax
[no] sflow source
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
The 100BASE-SFP ports are organized into groups of 8 based on a restriction
in the switch ASIC (1-8, 9-16, 17-24). Selecting any port in one of these
groups effectively configures all of the group members as an sFlow source
port. However, the four Gigabit ports (25, 26, 27, 28) can be independently
configured as an sFlow source port.
Example
This example enables flow control on ports 9 through 16.
Console(config)#interface ethernet 1/9
Console(config-if)#sflow source
Console(config-if)#
4-104
4
Flow Sampling Commands
sflow sample
This command configures the packet sampling rate. Use the no form to restore the
default rate.
Syntax
sflow sample rate
no sflow sample
rate - The packet sampling rate, or the number of packets out of which one
sample will be taken. (Range: 0-10000000, where 0 disables sampling)
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
This example sets the sample rate to 1 out of every 100 packets.
Console(config)#interface ethernet 1/9
Console(config-if)#sflow sample 100
Console(config-if)#
sflow polling-interval
This command configures the interval at which counters are added to the sample
datagram. Use the no form to restore the default polling interval.
Syntax
sflow polling-interval seconds
no sflow polling-interval
seconds - The interval at which the sFlow process adds counter values to
the sample datagram. (Range: 0-10000000 seconds, where 0 disables this
feature)
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
This example sets the polling interval to 10 seconds.
Console(config)#interface ethernet 1/9
Console(config-if)#sflow polling-interval 10
Console(config-if)#
4-105
4
Command Line Interface
sflow owner
This command configures the name of the receiver (i.e., sFlow Collector). Use the
no form to remove this name.
Syntax
sflow owner name
no sflow owner
name - The name of the receiver. (Range: 1-256 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Example
This example set the owner’s name to Lamar.
Console(config)#interface ethernet 1/9
Console(config-if)#sflow owner Lamer
Console(config-if)#
sflow timeout
This command configures the length of time samples are sent to the Collector
before resetting all sFlow port parameters. Use the no form to restore the default
time out.
Syntax
sflow timeout seconds
no sflow timeout
seconds - The length of time the sFlow process continuously sends
samples to the Collector before resetting all sFlow port parameters.
(Range: 0-10000000 seconds, where 0 indicates no time out)
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
The sFlow parameters affected by this command include the sampling interval,
the receiver’s name, address and UDP port, the time out, maximum header
size, and maximum datagram size.
4-106
Flow Sampling Commands
4
Example
This example sets the time out to 1000 seconds.
Console(config)#interface ethernet 1/9
Console(config-if)#sflow timeout 10000
Console(config-if)#
sflow destination
This command configures the IP address and UDP port used by the Collector. Use
the no form to restore the default settings.
Syntax
sflow destination ipv4 ip-address [destination-udp-port]
no sflow destination
• ip-address - IP address of the sFlow Collector.
• destination-udp-port - The UDP port on which the Collector is listening for
sFlow streams. (Range: 0-65534)
Default Setting
IP Address: null
UDP Port: 6343
Command Mode
Interface Configuration (Ethernet)
Example
This example configures the Collector’s IP address, and uses the default UDP port.
Console(config)#interface ethernet 1/9
Console(config-if)#sflow destination ipv4 192.168.0.4
Console(config-if)#
sflow max-header-size
This command configures the maximum size of the sFlow datagram header. Use the
no form to restore the default setting.
Syntax
sflow max-header-size max-header-size
no max-header-size
max-header-size - The maximum size of the sFlow datagram header.
(Range: 64-256 bytes)
Default Setting
128 bytes
Command Mode
Interface Configuration (Ethernet)
4-107
4
Command Line Interface
Example
Console(config)#interface ethernet 1/9
Console(config-if)#sflow max-header-size 256
Console(config-if)#
sflow max-datagram-size
This command configures the maximum size of the sFlow datagram payload. Use
the no form to restore the default setting.
Syntax
sflow max-datagram-size max-datagram-size
no max-datagram-size
max-datagram-size - The maximum size of the sFlow datagram payload.
(Range: 200-1500 bytes)
Default Setting
1400 bytes
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/9
Console(config-if)#sflow max-datagram-size 1500
Console(config-if)#
show sflow
This command shows the global and interface settings for the sFlow process.
Syntax
show sflow [interface [interface]]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-28)
Command Mode
Privileged Exec
4-108
Authentication Commands
4
Example
Console#show sflow
sFlow global status : Enabled
Console#sh sf int e 1/9
Interface of Ethernet 1/9 :
Interface status
: Enabled
Owner name
: Lamar
Owner destination
: 192.168.0.4
Owner socket port
: 6343
Time out
: 10000
Maximum header size
: 256
Maximum datagram size : 1500
Sample rate
: 1/100
Polling interval
: 10
Console#
Authentication Commands
You can configure this switch to authenticate users logging into the system for
management access using local or RADIUS authentication methods. You can also
enable port-based authentication for network client access using IEEE 802.1X.
Table 4-27 Authentication Commands
Command Group
Function
Page
User Accounts
Configures the basic user names and passwords for management
access
4-110
Authentication Sequence
Defines logon authentication method and precedence
4-114
RADIUS Client
Configures settings for authentication via a RADIUS server
4-116
TACACS+ Client
Configures settings for authentication via a TACACS+ server
4-121
AAA
Configures authentication, authorization, and accounting for
network access
4-125
Web Server
Enables management access via a web browser
4-134
Telnet Server
Enables management access via Telnet
4-137
Secure Shell
Provides a secure replacement for Telnet
4-138
Port Authentication
Configures host authentication on specific ports using 802.1X
4-147
Management IP Filter
Configures IP addresses that are allowed management access
4-157
4-109
4
Command Line Interface
User Account and Privilege Level Commands
The basic commands required for management access are listed in this section.
This switch also includes other options for password checking via the console or a
Telnet connection (page 4-45), user authentication via a remote authentication
server (page 4-109), and host access authentication for specific ports (page 4-147).
Table 4-28 User Access Commands
Command
Function
Mode
Page
username
Establishes a user name-based authentication system at login
GC
4-110
enable password
Sets a password to control access to the Privileged Exec level
GC
4-111
privilege
Assigns a privilege level to specified command groups or
individual commands
GC
4-112
privilege rerun
Updates all privilege commands entered during the current
session to the running configuration file
PE
4-113
show privilege
Shows the privilege level for the current user, or the privilege
level for commands modified by the privilege command
PE
4-113
username
This command adds named users, requires authentication at login, specifies or
changes a user's password (or specify that no password is required), or specifies or
changes a user's access level. Use the no form to remove a user name.
Syntax
username name {access-level level | nopassword |
password {0 | 7} password}
no username name
• name - The name of the user.
(Maximum length: 8 characters, case sensitive. Maximum users: 16)
• access-level level - Specifies the user level.
The device has three predefined privilege levels:
0: Normal Exec, 8: Manager, 15: Privileged Exec.
• nopassword - No password is required for this user to log in.
• {0 | 7} - 0 means plain password, 7 means encrypted password.
• password password - The authentication password for the user.
(Maximum length: 8 characters plain text, 32 encrypted, case sensitive)
Default Setting
• The default access level is Normal Exec.
• The factory defaults for the user names and passwords are:
Table 4-29 Default Login Settings
4-110
username
access-level
password
guest
admin
0
15
guest
admin
Authentication Commands
4
Command Mode
Global Configuration
Command Usage
• Privilege level 0 provides access to a limited number of the commands which
display the current status of the switch, as well as several database clear and
reset functions. Level 8 provides access to all display status and configuration
commands, except for those controlling various authentication and security
features. Level 15 provides full access to all commands.
• The encrypted password is required for compatibility with legacy password
settings (i.e., plain text or encrypted) when reading the configuration file
during system bootup or when downloading the configuration file from an FTP/
TFTP server. There is no need for you to manually configure encrypted
passwords.
Example
This example shows how to set the access level and password for a user.
Console(config)#username bob access-level 15
Console(config)#username bob password 0 smith
Console(config)#
enable password
After initially logging onto the system, you should set the Privileged Exec password.
Remember to record it in a safe place. This command controls access to the
Privileged Exec level from the Normal Exec level. Use the no form to reset the
default password.
Syntax
enable password [level level] {0 | 7} password
no enable password [level level]
• level level - Level 15 for Privileged Exec. (Levels 0-14 are not used.)
• {0 | 7} - 0 means plain password, 7 means encrypted password.
• password - password for this privilege level.
(Maximum length: 8 characters plain text, 32 encrypted, case sensitive)
Default Setting
• The default is level 15.
• The default password is “super”
Command Mode
Global Configuration
Command Usage
• You cannot set a null password. You will have to enter a password to change
the command mode from Normal Exec to Privileged Exec with the enable
command (page 4-12).
4-111
4
Command Line Interface
• The encrypted password is required for compatibility with legacy password
settings (i.e., plain text or encrypted) when reading the configuration file
during system bootup or when downloading the configuration file from an FTP/
TFTP server. There is no need for you to manually configure encrypted
passwords.
Example
Console(config)#enable password level 15 0 admin
Console(config)#
Related Commands
enable (4-12)
authentication enable (4-115)
privilege
This command assigns a privilege level to specified command groups or individual
commands. Use the no form to restore the default setting.
Syntax
privilege mode [all] level level command
no privilege mode [all] command
• mode - The configuration mode containing the specified command.
(See "Understanding Command Modes" on page 4-6 and "Configuration
Commands" on page 4-7.)
• all - Modifies the privilege level for all subcommands under the specified
command.
• level level - Specifies the privilege level for the specified command.
This device has three predefined privilege levels: 0: Normal Exec,
8: Manager, 15: Privileged Exec. (Range: 0-15)
• command - Specifies any command contained within the specified mode.
Default Setting
Privilege level 0 provides access to a limited number of the commands which
display the current status of the switch, as well as several database clear and
reset functions. Level 8 provides access to all display status and configuration
commands, except for those controlling various authentication and security
features. Level 15 provides full access to all commands.
Command Mode
Global Configuration
Example
This example sets the privilege level for the ping command to Privileged Exec.
Console(config)#privilege exec level 15 ping
Console(config)#
4-112
Authentication Commands
4
privilege rerun
This command updates all privilege commands entered during the current session
to the running configuration.
Command Mode
Privileged Exec
Command Usage
Due to system limitations in the current software, privilege commands
(page 4-112) entered during the current switch session will not be stored
properly in the running-config file (see show running-config on page 4-31).
The privilege rerun command must therefore be used to correctly update
these commands to the running-config file.
Example
Console#privilege rerun
Console#
show privilege
This command shows the privilege level for the current user, or the privilege level for
commands modified by the privilege command (see page 4-112).
Syntax
show privilege [command]
command - Displays the privilege level for all commands modified by the
privilege command.
Command Mode
Privileged Exec
Example
This example shows the privilege level for any command modified by the privilege
command.
Console#show privilege command
privilege line all level 0 accounting
privilege exec level 15 ping
Console(config)#
4-113
4
Command Line Interface
Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the
system for management access. The commands in this section can be used to
define the authentication method and sequence.
Table 4-30 Authentication Sequence
Command
Function
Mode
Page
authentication login
Defines logon authentication method and precedence
GC
4-114
authentication enable
Defines the authentication method and precedence for
command mode change
GC
4-115
authentication login
This command defines the login authentication method and precedence. Use the no
form to restore the default.
Syntax
authentication login {[local] [radius] [tacacs]}
no authentication login
• local - Use local password.
• radius - Use RADIUS server password.
• tacacs - Use TACACS server password.
Default Setting
Local
Command Mode
Global Configuration
Command Usage
• RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort
delivery, while TCP offers a connection-oriented transport. Also, note that
RADIUS encrypts only the password in the access-request packet from the
client to the server, while TACACS+ encrypts the entire body of the packet.
• RADIUS and TACACS+ logon authentication assigns a specific privilege level
for each user name and password pair. The user name, password, and
privilege level must be configured on the authentication server.
• You can specify three authentication methods in a single command to indicate
the authentication sequence. For example, if you enter “authentication login
radius tacacs local,” the user name and password on the RADIUS server is
verified first. If the RADIUS server is not available, then authentication is
attempted on the TACACS+ server. If the TACACS+ server is not available,
the local user name and password is checked.
4-114
4
Authentication Commands
Example
Console(config)#authentication login radius
Console(config)#
Related Commands
username - for setting the local user names and passwords (4-110)
authentication enable
This command defines the authentication method and precedence to use when
changing from Exec command mode to Privileged Exec command mode with the
enable command (see page 4-12). Use the no form to restore the default.
Syntax
authentication enable {[local] [radius] [tacacs]}
no authentication enable
• local - Use local password only.
• radius - Use RADIUS server password only.
• tacacs - Use TACACS server password.
Default Setting
Local
Command Mode
Global Configuration
Command Usage
• RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort
delivery, while TCP offers a connection-oriented transport. Also, note that
RADIUS encrypts only the password in the access-request packet from the
client to the server, while TACACS+ encrypts the entire body of the packet.
• RADIUS and TACACS+ logon authentication assigns a specific privilege level
for each user name and password pair. The user name, password, and
privilege level must be configured on the authentication server.
• You can specify three authentication methods in a single command to indicate
the authentication sequence. For example, if you enter “authentication
enable radius tacacs local,” the user name and password on the RADIUS
server is verified first. If the RADIUS server is not available, then
authentication is attempted on the TACACS+ server. If the TACACS+ server
is not available, the local user name and password is checked.
Example
Console(config)#authentication enable radius
Console(config)#
Related Commands
enable password - sets the password for changing command modes (4-111)
4-115
4
Command Line Interface
RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication
protocol that uses software running on a central server to control access to
RADIUS-aware devices on the network. An authentication server contains a
database of multiple user name/password pairs with associated privilege levels for
each user or group that require management access to a switch.
Table 4-31 RADIUS Client Commands
Command
Function
Mode
Page
radius-server host
Specifies the RADIUS server
GC
4-116
radius-server acct-port
Sets the RADIUS server network port
GC
4-117
radius-server auth-port
Sets the RADIUS server network port
GC
4-117
radius-server key
Sets the RADIUS encryption key
GC
4-118
radius-server retransmit
Sets the number of retries
GC
4-118
radius-server timeout
Sets the interval between sending authentication requests GC
4-119
show radius-server
Shows the current RADIUS settings
4-120
PE
radius-server host
This command specifies primary and backup RADIUS servers and authentication
parameters that apply to each server. Use the no form to restore the default values.
Syntax
[no] radius-server index host host-ip-address [auth-port auth-port]
[acct-port acct-port] [timeout timeout] [retransmit retransmit] [key key]
• index - Allows you to specify up to five servers. These servers are queried
in sequence until a server responds or the retransmit period expires.
• host-ip-address - IP address of server.
• auth-port - RADIUS server UDP port used for authentication messages.
(Range: 1-65535)
• acct-port - RADIUS server UDP port used for accounting messages.
(Range: 1-65535)
• timeout - Number of seconds the switch waits for a reply before resending
a request. (Range: 1-65535)
• retransmit - Number of times the switch will try to authenticate logon access
via the RADIUS server. (Range: 1-30)
• key - Encryption key used to authenticate logon access for client. Do not
use blank spaces in the string. (Maximum length: 48 characters)
Default Setting
• auth-port - 1812
• acct-port - 1813
• timeout - 5 seconds
• retransmit - 2
4-116
4
Authentication Commands
Command Mode
Global Configuration
Example
Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout
10 retransmit 5 key green
Console(config)#
radius-server acct-port
This command sets the RADIUS server network port for accounting messages. Use
the no form to restore the default.
Syntax
radius-server acct-port port-number
no radius-server acct-port
port-number - RADIUS server UDP port used for accounting messages.
(Range: 1-65535)
Default Setting
1813
Command Mode
Global Configuration
Example
Console(config)#radius-server acct-port 181
Console(config)#
radius-server auth-port
This command sets the RADIUS server network port for authentication messages.
Use the no form to restore the default.
Syntax
radius-server auth-port port-number
no radius-server auth-port
port-number - RADIUS server UDP port used for authentication
messages. (Range: 1-65535)
Default Setting
1812
Command Mode
Global Configuration
Example
Console(config)#radius-server port 181
Console(config)#
4-117
4
Command Line Interface
radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the
default.
Syntax
radius-server key key-string
no radius-server key
key-string - Encryption key used to authenticate logon access for client.
Do not use blank spaces in the string. (Maximum length: 48 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#radius-server key green
Console(config)#
radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
radius-server retransmit number-of-retries
no radius-server retransmit
number-of-retries - Number of times the switch will try to authenticate
logon access via the RADIUS server. (Range: 1-30)
Default Setting
2
Command Mode
Global Configuration
Example
Console(config)#radius-server retransmit 5
Console(config)#
4-118
Authentication Commands
4
radius-server timeout
This command sets the interval between transmitting authentication requests to the
RADIUS server. Use the no form to restore the default.
Syntax
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a reply
before resending a request. (Range: 1-65535)
Default Setting
5
Command Mode
Global Configuration
Example
Console(config)#radius-server timeout 10
Console(config)#
4-119
4
Command Line Interface
show radius-server
This command displays the current settings for the RADIUS server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
Authentication Port
Accounting Port
Retransmit Times
Request Timeout
:
:
:
:
Attributes:
NAS-IP-Address (4)
: 192.168.1.1
Server 1:
Server IP Address
Authentication Port
Accounting Port
Retransmit Times
Request Timeout
:
:
:
:
:
Radius server group:
Group Name
--------------------radius
Console#
4-120
1812
1813
2
5 seconds
10.1.2.3
1812
1813
2
5 seconds
Member Index
------------1
Authentication Commands
4
TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon
authentication protocol that uses software running on a central server to control
access to TACACS-aware devices on the network. An authentication server
contains a database of multiple user name/password pairs with associated privilege
levels for each user or group that require management access to a switch.
Table 4-32 TACACS Commands
Command
Function
Mode
Page
tacacs-server host
Specifies the TACACS+ server
GC
4-121
tacacs-server port
Specifies the TACACS+ server network port
GC
4-122
tacacs-server key
Sets the TACACS+ encryption key
GC
4-122
tacacs-server retransmit
Sets the number of retries
GC
4-123
tacacs-server timeout
Sets the interval before resending an authentication request GC
4-123
show tacacs-server
Shows the current TACACS+ settings
4-124
GC
tacacs-server host
This command specifies the TACACS+ server. Use the no form to restore the
default.
Syntax
[no] tacacs-server index host host-ip-address [port port-number]
[timeout timeout] [retransmit retransmit] [key key]
• index - Specifies the index number of the server. (Range: 1)
• host-ip-address - IP address of the server.
• port-number - The TACACS+ server TCP port used for authentication
messages. (Range: 1-65535)
• timeout - Number of seconds the switch waits for a reply before resending
a request. (Range: 1-540 seconds)
• retransmit - Number of times the switch will resend an authentication
request to the TACACS+ server. (Range: 1-30)
• key - Encryption key used to authenticate logon access for client. Do not
use blank spaces in the string. (Maximum length: 48 characters)
Default Setting
• port - 49
• timeout - 5 seconds
• retransmit - 2
Command Mode
Global Configuration
4-121
4
Command Line Interface
Example
Console(config)#tacacs-server 1 host 192.168.1.25
Console(config)#
tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to
restore the default.
Syntax
tacacs-server port port-number
no tacacs-server port
port-number - TACACS+ server TCP port used for authentication
messages. (Range: 1-65535)
Default Setting
49
Command Mode
Global Configuration
Example
Console(config)#tacacs-server port 181
Console(config)#
tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the
default.
Syntax
tacacs-server key key-string
no tacacs-server key
key-string - Encryption key used to authenticate logon access for the
client. Do not use blank spaces in the string.
(Maximum length: 48 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#tacacs-server key green
Console(config)#
4-122
4
Authentication Commands
tacacs-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
tacacs-server retransmit number-of-retries
no tacacs-server retransmit
number-of-retries - Number of times the switch will try to authenticate
logon access via the TACACS+ server. (Range: 1-30)
Default Setting
2
Command Mode
Global Configuration
Example
Console(config)#tacacs-server retransmit 5
Console(config)#
tacacs-server timeout
This command sets the interval between transmitting authentication requests to the
TACACS+ server. Use the no form to restore the default.
Syntax
tacacs-server timeout number-of-seconds
no tacacs-server timeout
number-of-seconds - Number of seconds the switch waits for a reply
before resending a request. (Range: 1-540)
Default Setting
5 seconds
Command Mode
Global Configuration
Example
Console(config)#tacacs-server timeout 10
Console(config)#
4-123
4
Command Line Interface
show tacacs-server
This command displays the current settings for the TACACS+ server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show tacacs-server
Remote TACACS+ server configuration:
Global Settings:
Communication Key with TACACS+ Server:
Server Port Number:
49
Retransmit Times :
2
Request Times
:
5
Server 1:
Server IP address:
1.2.3.4
Communication key with TACACS+ server: *****
Server port number:
49
Retransmit Times :
2
Request Times
:
5
Tacacs server group:
Group Name
--------------------tacacs+
Console#
4-124
Member Index
------------1
4
Authentication Commands
AAA Commands
The Authentication, authorization, and accounting (AAA) feature provides the main
framework for configuring access control on the switch. The AAA functions require
the use of configured RADIUS or TACACS+ servers in the network.
Table 4-33 AAA Commands
Command
Function
Mode
Page
aaa group server
Groups security servers in to defined lists
GC
4-125
server
Configures the IP address of a server in a group list
SG
4-126
aaa accounting dot1x
Enables accounting of 802.1X services
GC
4-127
aaa accounting exec
Enables accounting of Exec services
GC
4-128
aaa accounting commands
Enables accounting of Exec mode commands
GC
4-129
aaa accounting update
Enables periodoc updates to be sent to the accounting
server
GC
4-130
accounting dot1x
Applies an accounting method to an interface for 802.1X IC
service requests
4-130
accounting exec
Applies an accounting method to local console, Telnet or Line
SSH connections
4-131
accounting commands
Applies an accounting method to CLI commands entered Line
by a user
4-131
aaa authorization exec
Enables authorization of Exec sessions
4-132
authorization exec
Applies an authorization method to local console, Telnet or Line
SSH connections
4-133
show accounting
Displays all accounting information
4-133
GC
PE
aaa group server
Use this command to name a group of security server hosts. To remove a server
group from the configuration list, enter the no form of this command.
Syntax
[no] aaa group server {radius | tacacs+} group-name
• radius - Defines a RADIUS server group.
• tacacs+ - Defines a TACACS+ server group.
• group-name - A text string that names a security server group.
(Range: 1-7 characters)
Default Setting
None
Command Mode
Global Configuration
4-125
4
Command Line Interface
Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#
server
This command adds a security server to an AAA server group. Use the no form to
remove the associated server from the group.
Syntax
[no] server {index | ip-address}
• index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1)
• ip-address - Specifies the host IP address of a server.
Default Setting
None
Command Mode
Server Group Configuration
Command Usage
• When specifying the index for a RADIUS server, that server index must
already be defined by the radius-server host command (see page 4-116).
• When specifying the index for a TACACS+ server, that server index must
already be defined by the tacacs-server host command (see page 4-121).
Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.120
Console(config-sg-radius)#
4-126
4
Authentication Commands
aaa accounting dot1x
This command enables the accounting of requested 802.1X services for network
access. Use the no form to disable the accounting service.
Syntax
aaa accounting dot1x {default | method-name} start-stop group {radius |
tacacs+ |server-group}
no aaa accounting dot1x {default | method-name}
• default - Specifies the default accounting method for service requests.
• method-name - Specifies an accounting method for service requests.
(Range: 1-255 characters)
• start-stop - Records accounting from starting point and stopping point.
• group - Specifies the server group to use.
- radius - Specifies all RADIUS hosts configure with the radius-server
host command described on page 4-116.
- tacacs+ - Specifies all TACACS+ hosts configure with the tacacs-server
host command described on page 4-121.
- server-group - Specifies the name of a server group configured with the
aaa group server command described on page 4-125.
(Range: 1-255 characters)
Default Setting
Accounting is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
Note that the default and method-name fields are only used to describe the
accounting method(s) configured on the specified RADIUS or TACACS+
servers, and do not actually send any information to the servers about the
methods to use.
Example
Console(config)#aaa accounting dot1x default start-stop group radius
Console(config)#
4-127
4
Command Line Interface
aaa accounting exec
This command enables the accounting of requested Exec services for network
access. Use the no form to disable the accounting service.
Syntax
aaa accounting exec {default | method-name} start-stop group {radius |
tacacs+ |server-group}
no aaa accounting exec {default | method-name}
• default - Specifies the default accounting method for service requests.
• method-name - Specifies an accounting method for service requests.
(Range: 1-255 characters)
• start-stop - Records accounting from starting point and stopping point.
• group - Specifies the server group to use.
- radius - Specifies all RADIUS hosts configure with the radius-server
host command described on page 4-116.
- tacacs+ - Specifies all TACACS+ hosts configure with the tacacs-server
host command described on page 4-121.
- server-group - Specifies the name of a server group configured with the
aaa group server command described on 4-125.
(Range: 1-255 characters)
Default Setting
Accounting is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
• This command runs accounting for Exec service requests for the local console
and Telnet connections.
• Note that the default and method-name fields are only used to describe the
accounting method(s) configured on the specified RADIUS or TACACS+
servers, and do not actually send any information to the servers about the
methods to use.
Example
Console(config)#aaa accounting exec default start-stop group tacacs+
Console(config)#
4-128
Authentication Commands
4
aaa accounting commands
This command enables the accounting of Exec mode commands. Use the no form
to disable the accounting service.
Syntax
aaa accounting commands level {default | method-name} start-stop group
{tacacs+ |server-group}
no aaa accounting commands level {default | method-name}
• level - The privilege level for executing commands. (Range: 0-15)
• default - Specifies the default accounting method for service requests.
• method-name - Specifies an accounting method for service requests.
(Range: 1-255 characters)
• start-stop - Records accounting from starting point and stopping point.
• group - Specifies the server group to use.
- tacacs+ - Specifies all TACACS+ hosts configure with the tacacs-server
host command described on page 4-121.
- server-group - Specifies the name of a server group configured with the
aaa group server command described on 4-125.
(Range: 1-255 characters)
Default Setting
Accounting is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
• The accounting of Exec mode commands is only supported by TACACS+
servers.
• Note that the default and method-name fields are only used to describe the
accounting method(s) configured on the specified TACACS+ server, and do
not actually send any information to the server about the methods to use.
Example
Console(config)#aaa accounting commands 15 default start-stop group
tacacs+
Console(config)#
4-129
4
Command Line Interface
aaa accounting update
This command enables the sending of periodic updates to the accounting server.
Use the no form to disable accounting updates.
Syntax
aaa accounting update [periodic interval]
no aaa accounting update
interval - Sends an interim accounting record to the server at this interval.
(Range: 1-2147483647 minutes)
Default Setting
1 minute
Command Mode
Global Configuration
Command Usage
• When accounting updates are enabled, the switch issues periodic interim
accounting records for all users on the system.
• Using the command without specifying an interim interval enables updates,
but does not change the current interval setting.
Example
Console(config)#aaa accounting update periodic 30
Console(config)#
accounting dot1x
This command applies an accounting method for 802.1X service requests on an
interface. Use the no form to disable accounting on the interface.
Syntax
accounting dot1x {default | list-name}
no accounting dot1x
• default - Specifies the default method list created with the aaa accounting
dot1x command (page 4-127).
• list-name - Specifies a method list created with the aaa accounting dot1x
command.
Default Setting
None
Command Mode
Interface Configuration
4-130
Authentication Commands
4
Example
Console(config)#interface ethernet 1/2
Console(config-if)#accounting dot1x tps
Console(config-if)#
accounting exec
This command applies an accounting method to local console or Telnet connections.
Use the no form to disable accounting on the line.
Syntax
accounting exec {default | list-name}
no accounting exec
• default - Specifies the default method list created with the aaa accounting
exec command (page 4-128).
• list-name - Specifies a method list created with the aaa accounting exec
command.
Default Setting
None
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#accounting exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#accounting exec default
Console(config-line)#
accounting commands
This command applies an accounting method to entered CLI commands. Use the
no form to disable accounting for entered CLI commands.
Syntax
accounting commands level {default | list-name}
no accounting commands level
• level - The privilege level for executing commands. (Range: 0-15)
• default - Specifies the default method list created with the aaa accounting
commands command (page 4-129).
• list-name - Specifies a method list created with the aaa accounting
commands command.
Default Setting
None
4-131
4
Command Line Interface
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#accounting commands 15 default
Console(config-line)#
aaa authorization exec
This command enables the authorization for Exec access. Use the no form to
disable the authorization service.
Syntax
aaa authorization exec {default | method-name} group {tacacs+
| server-group}
no aaa authorization exec {default | method-name}
• default - Specifies the default authorization method for Exec access.
• method-name - Specifies an authorization method for Exec access.
(Range: 1-255 characters)
• group - Specifies the server group to use.
- tacacs+ - Specifies all TACACS+ hosts configured with the
tacacs-server host command described on page 4-121.
- server-group - Specifies the name of a server group configured with the
aaa group server command described on 4-125.
(Range: 1-255 characters)
Default Setting
Authorization is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
• This command performs authorization to determine if a user is allowed to run
an Exec shell.
• AAA authentication must be enabled before authorization is enabled.
• If this command is issued without a specified named method, the default
method list is applied to all interfaces or lines (where this authorization type
applies), except those that have a named method explicitly defined.
Example
Console(config)#aaa authorization exec default group tacacs+
Console(config)#
4-132
4
Authentication Commands
authorization exec
This command applies an authorization method to local console or Telnet
connections. Use the no form to disable authorization on the line.
Syntax
authorization exec {default | list-name}
no authorization exec
• default - Specifies the default method list created with the aaa
authorization exec command (page 4-132).
• list-name - Specifies a method list created with the aaa authorization exec
command.
Default Setting
None
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#authorization exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec default
Console(config-line)#
show accounting
This command displays the current accounting settings per function and per port.
Syntax
show accounting [commands [level]] |
[[dot1x [statistics [username user-name | interface interface]] |
exec [statistics] | statistics]
• commands - Displays command accounting information.
• level - Displays command accounting information for a specifiable
command level.
• dot1x - Displays dot1x accounting information.
• exec - Displays Exec accounting records.
• statistics - Displays accounting records.
• user-name - Displays accounting records for a specifiable username.
• interface
ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-28)
Default Setting
None
4-133
4
Command Line Interface
Command Mode
Privileged Exec
Example
Console#show accounting
Accounting type: dot1x
Method list: default
Group list: radius
Interface:
Method list: tps
Group list: radius
Interface: eth 1/2
Accounting type: Exec
Method list: default
Group list: radius
Interface: vty
Console#
Web Server Commands
This section describes commands used to configure web browser management
access to the switch.
Table 4-34 Web Server Commands
Command
Function
Mode
Page
ip http port
Specifies the port to be used by the web browser interface
GC
4-134
ip http server
Allows the switch to be monitored or configured from a browser GC
4-135
ip http secure-server
Enables HTTPS for encrypted communications
GC
4-135
ip http secure-port
Specifies the UDP port number for HTTPS
GC
4-136
ip http port
This command specifies the TCP port number used by the web browser interface.
Use the no form to use the default port.
Syntax
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface.
(Range: 1-65535)
Default Setting
80
Command Mode
Global Configuration
4-134
Authentication Commands
4
Example
Console(config)#ip http port 769
Console(config)#
Related Commands
ip http server (4-135)
ip http server
This command allows this device to be monitored or configured from a browser. Use
the no form to disable this function.
Syntax
[no] ip http server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#ip http server
Console(config)#
Related Commands
ip http port (4-134)
ip http secure-server
This command enables the secure hypertext transfer protocol (HTTPS) over the
Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection)
to the switch’s web interface. Use the no form to disable this function.
Syntax
[no] ip http secure-server
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
• Both HTTP and HTTPS service can be enabled independently on the switch.
However, you cannot configure the HTTP and HTTPS servers to use the
same UDP port.
• If you enable HTTPS, you must indicate this in the URL that you specify in
your browser: https://device[:port-number]
4-135
4
Command Line Interface
• When you start HTTPS, the connection is established in this way:
- The client authenticates the server using the server’s digital certificate.
- The client and server negotiate a set of security protocols to use for the
connection.
- The client and server generate session keys for encrypting and decrypting
data.
• The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer 5.x or
above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0 or above.
• The following web browsers and operating systems currently support HTTPS:
Table 4-35 HTTPS System Support
Web Browser
Operating System
Internet Explorer 5.0 or later
Windows 98,Windows NT (with service pack 6a),
Windows 2000, Windows XP
Mozilla Firefox 2.0.0.0 or later
Windows 2000, Windows XP, Linux
• To specify a secure-site certificate, see “Replacing the Default Secure-site
Certificate” on page 3-91. Also refer to the copy command on page 4-37.
Example
Console(config)#ip http secure-server
Console(config)#
Related Commands
ip http secure-port (4-136)
copy tftp https-certificate (4-37)
ip http secure-port
This command specifies the UDP port number used for HTTPS connection to the
switch’s web interface. Use the no form to restore the default port.
Syntax
ip http secure-port port-number
no ip http secure-port
port-number – The UDP port used for HTTPS.
(Range: 1-65535)
Default Setting
443
Command Mode
Global Configuration
Command Usage
• You cannot configure the HTTP and HTTPS servers to use the same port.
4-136
Authentication Commands
4
• If you change the HTTPS port number, clients attempting to connect to the
HTTPS server must specify the port number in the URL, in this format:
https://device:port-number
Example
Console(config)#ip http secure-port 1000
Console(config)#
Related Commands
ip http secure-server (4-135)
Telnet Server Commands
This section describes commands used to configure Telnet management access to
the switch.
Table 4-36 Telnet Server Commands
Command
Function
Mode
ip telnet server
Allows the switch to be monitored or configured from Telnet; also GC
specifies the port to be used by the Telnet interface
Page
4-135
ip telnet server
This command allows this device to be monitored or configured from Telnet. It also
specifies the TCP port number used by the Telnet interface. Use the no form without
the “port” keyword to disable this function. Use the no from with the “port” keyword
to use the default port.
Syntax
ip telnet server [port port-number]
no telnet server [port]
• port - The TCP port used by the Telnet interface.
• port-number - The TCP port number to be used by the browser interface.
(Range: 1-65535)
Default Setting
• Server: Enabled
• Server Port: 23
Command Mode
Global Configuration
Example
Console(config)#ip telnet server
Console(config)#ip telnet server port 123
Console(config)#
4-137
4
Command Line Interface
Secure Shell Commands
This section describes the commands used to configure the SSH server. However,
note that you also need to install a SSH client on the management station when
using this protocol to configure the switch.
Note: The switch supports both SSH Version 1.5 and 2.0.
Table 4-37 SSH Commands
Command
Function
Mode
Page
ip ssh server
Enables the SSH server on the switch
GC
4-140
ip ssh timeout
Specifies the authentication timeout for the SSH server
GC
4-141
ip ssh
authentication-retries
Specifies the number of retries allowed by a client
GC
4-141
ip ssh server-key size
Sets the SSH server key size
GC
4-142
copy tftp public-key
Copies the user’s public key from a TFTP server to the switch
PE
4-37
delete public-key
Deletes the public key for the specified user
PE
4-142
ip ssh crypto host-key
generate
Generates the host key
PE
4-143
ip ssh crypto zeroize
Clear the host key from RAM
PE
4-143
ip ssh save host-key
Saves the host key from RAM to flash memory
PE
4-144
disconnect
Terminates a line connection
PE
4-56
show ip ssh
Displays the status of the SSH server and the configured values PE
for authentication timeout and retries
4-144
show ssh
Displays the status of current SSH sessions
PE
4-145
show public-key
Shows the public key for the specified user or for the host
PE
4-146
show users
Shows SSH users, including privilege level and public key type PE
4-33
Configuration Guidelines
The SSH server on this switch supports both password and public key
authentication. If password authentication is specified by the SSH client, then the
password can be authenticated either locally or via a RADIUS or TACACS+ remote
authentication server, as specified by the authentication login command on
page 4-114. If public key authentication is specified by the client, then you must
configure authentication keys on both the client and the switch as described in the
following section. Note that regardless of whether you use public key or password
authentication, you still have to generate authentication keys on the switch and
enable the SSH server.
To use the SSH server, complete these steps:
1.
Generate a Host Key Pair – Use the ip ssh crypto host-key generate
command to create a host public/private key pair.
4-138
4
Authentication Commands
2.
Provide Host Public Key to Clients – Many SSH client programs automatically
import the host public key during the initial connection setup with the switch.
Otherwise, you need to manually create a known hosts file on the management
station and place the host public key in it. An entry for a public key in the known
hosts file would appear similar to the following example:
10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254
15020245593199868544358361651999923329781766065830956 10825913212890233
76546801726272571413428762941301196195566782 59566410486957427888146206
51941746772984865468615717739390164779355942303577413098022737087794545
24083971752646358058176716709574804776117
3.
Import Client’s Public Key to the Switch – Use the copy tftp public-key
command to copy a file containing the public key for all the SSH client’s granted
management access to the switch. (Note that these clients must be configured
locally on the switch with the username command as described on
page 4-110.) The clients are subsequently authenticated using these keys. The
current firmware only accepts public key files based on standard UNIX format
as shown in the following example for an RSA Version 1 key:
1024 35 1341081685609893921040944920155425347631641921872958921143173880
05553616163105177594083868631109291232226828519254374603100937187721199
69631781366277414168985132049117204830339254324101637997592371449011938
00609025394840848271781943722884025331159521348610229029789827213532671
31629432532818915045306393916643 steve@192.168.1.19
4.
Set the Optional Parameters – Set other optional parameters, including the
authentication timeout, the number of retries, and the server key size.
5.
Enable SSH Service – Use the ip ssh server command to enable the SSH
server on the switch.
6. Authentication – One of the following authentication methods is employed:
Password Authentication (for SSH v1.5 or V2 Clients)
a) The client sends its password to the server.
b) The switch compares the client's password to those stored in memory.
c) If a match is found, the connection is allowed.
Note: To use SSH with only password authentication, the host public key must still be
given to the client, either during initial connection or manually entered into the
known host file. However, you do not need to configure the client’s keys.
Public Key Authentication – When an SSH client attempts to contact the switch,
the SSH server uses the host key pair to negotiate a session key and encryption
method. Only clients that have a private key corresponding to the public keys
stored on the switch can access it. The following exchanges take place during
this process:
Authenticating SSH v1.5 Clients
a) The client sends its RSA public key to the switch.
b) The switch compares the client's public key to those stored in memory.
4-139
4
Command Line Interface
c) If a match is found, the switch uses its secret key to generate a random
256-bit string as a challenge, encrypts this string with the user’s public key,
and sends it to the client.
d) The client uses its private key to decrypt the challenge string, computes the
MD5 checksum, and sends the checksum back to the switch.
e) The switch compares the checksum sent from the client against that
computed for the original string it sent. If the two checksums match, this
means that the client's private key corresponds to an authorized public key,
and the client is authenticated.
Authenticating SSH v2 Clients
a) The client first queries the switch to determine if DSA public key
authentication using a preferred algorithm is acceptable.
b) If the specified algorithm is supported by the switch, it notifies the client to
proceed with the authentication process. Otherwise, it rejects the request.
c) The client sends a signature generated using the private key to the switch.
d) When the server receives this message, it checks whether the supplied key
is acceptable for authentication, and if so, it then checks whether the
signature is correct. If both checks succeed, the client is authenticated.
Note: The SSH server supports up to four client sessions. The maximum number of
client sessions includes both current Telnet sessions and SSH sessions.
ip ssh server
This command enables the Secure Shell (SSH) server on this switch. Use the no
form to disable this service.
Syntax
[no] ip ssh server
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The SSH server supports up to four client sessions. The maximum number of
client sessions includes both current Telnet sessions and SSH sessions.
• The SSH server uses DSA or RSA for key exchange when the client first
establishes a connection with the switch, and then negotiates with the client
to select either DES (56-bit) or 3DES (168-bit) for data encryption.
• You must generate the host key before enabling the SSH server.
Example
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#
4-140
Authentication Commands
4
Related Commands
ip ssh crypto host-key generate (4-143)
show ssh (4-145)
ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore
the default setting.
Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation.
(Range: 1-120)
Default Setting
10 seconds
Command Mode
Global Configuration
Command Usage
The timeout specifies the interval the switch will wait for a response from the
client during the SSH negotiation phase. Once an SSH session has been
established, the timeout for user input is controlled by the exec-timeout
command for vty sessions.
Example
Console(config)#ip ssh timeout 60
Console(config)#
Related Commands
exec-timeout (4-49)
show ip ssh (4-144)
ip ssh authentication-retries
This command configures the number of times the SSH server attempts to
reauthenticate a user. Use the no form to restore the default setting.
Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count – The number of authentication attempts permitted after which the
interface is reset. (Range: 1-5)
Default Setting
3
4-141
4
Command Line Interface
Command Mode
Global Configuration
Example
Console(config)#ip ssh authentication-retires 2
Console(config)#
Related Commands
show ip ssh (4-144)
ip ssh server-key size
This command sets the SSH server key size. Use the no form to restore the default
setting.
Syntax
ip ssh server-key size key-size
no ip ssh server-key size
key-size – The size of server key. (Range: 512-896 bits)
Default Setting
768 bits
Command Mode
Global Configuration
Command Usage
• The server key is a private key that is never shared outside the switch.
• The host key is shared with the SSH client, and is fixed at 1024 bits.
Example
Console(config)#ip ssh server-key size 512
Console(config)#
delete public-key
This command deletes the specified user’s public key.
Syntax
delete public-key username [dsa | rsa]
• username – Name of an SSH user. (Range: 1-8 characters)
• dsa – DSA public key type.
• rsa – RSA public key type.
Default Setting
Deletes both the DSA and RSA key.
Command Mode
Privileged Exec
4-142
Authentication Commands
4
Example
Console#delete public-key admin dsa
Console#
ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Syntax
ip ssh crypto host-key generate [dsa | rsa]
• dsa – DSA (Version 2) key type.
• rsa – RSA (Version 1) key type.
Default Setting
Generates both the DSA and RSA key pairs.
Command Mode
Privileged Exec
Command Usage
• The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2
for SSHv2 clients.
• This command stores the host key pair in memory (i.e., RAM). Use the ip ssh
save host-key command to save the host key pair to flash memory.
• Some SSH client programs automatically add the public key to the known
hosts file as part of the configuration process. Otherwise, you must manually
create a known hosts file and place the host public key in it.
• The SSH server uses this host key to negotiate a session key and encryption
method with the client trying to connect to it.
Example
Console#ip ssh crypto host-key generate dsa
Console#
Related Commands
ip ssh crypto zeroize (4-143)
ip ssh save host-key (4-144)
ip ssh crypto zeroize
This command clears the host key from memory (i.e. RAM).
Syntax
ip ssh crypto zeroize [dsa | rsa]
• dsa – DSA key type.
• rsa – RSA key type.
4-143
4
Command Line Interface
Default Setting
Clears both the DSA and RSA key.
Command Mode
Privileged Exec
Command Usage
• This command clears the host key from volatile memory (RAM). Use the no
ip ssh save host-key command to clear the host key from flash memory.
• The SSH server must be disabled before you can execute this command.
Example
Console#ip ssh crypto zeroize dsa
Console#
Related Commands
ip ssh crypto host-key generate (4-143)
ip ssh save host-key (4-144)
no ip ssh server (4-140)
ip ssh save host-key
This command saves host key from RAM to flash memory.
Syntax
ip ssh save host-key [dsa | rsa]
• dsa – DSA key type.
• rsa – RSA key type.
Default Setting
Saves both the DSA and RSA key.
Command Mode
Privileged Exec
Example
Console#ip ssh save host-key dsa
Console#
Related Commands
ip ssh crypto host-key generate (4-143)
show ip ssh
This command displays the connection settings used when authenticating client
access to the SSH server.
Command Mode
Privileged Exec
4-144
4
Authentication Commands
Example
Console#show ip ssh
SSH Enabled - version 1.99
Negotiation timeout: 120 secs; Authentication retries: 3
Server key size: 768 bits
Console#
show ssh
This command displays the current SSH server connections.
Command Mode
Privileged Exec
Example
Console#show ssh
Connection Version State
0
2.0
Session-Started
Username
admin
Encryption
ctos aes128-cbc-hmac-md5
stoc aes128-cbc-hmac-md5
Console#
Table 4-38 show ssh - display description
Field
Description
Session
The session number. (Range: 0-3)
Version
The Secure Shell version number.
State
The authentication negotiation state.
(Values: Negotiation-Started, Authentication-Started, Session-Started)
Username
The user name of the client.
Encryption
The encryption method is automatically negotiated between the client and server.
Options for SSHv1.5 include: DES, 3DES
Options for SSHv2.0 can include different algorithms for the client-to-server (ctos)
and server-to-client (stoc):
aes128-cbc-hmac-sha1
aes192-cbc-hmac-sha1
aes256-cbc-hmac-sha1
3des-cbc-hmac-sha1
blowfish-cbc-hmac-sha1
aes128-cbc-hmac-md5
aes192-cbc-hmac-md5
aes256-cbc-hmac-md5
3des-cbc-hmac-md5
blowfish-cbc-hmac-md5
Terminology:
DES – Data Encryption Standard (56-bit key)
3DES – Triple-DES (Uses three iterations of DES, 112-bit key)
aes – Advanced Encryption Standard (160 or 224-bit key)
blowfish – Blowfish (32-448 bit key)
cbc – cypher-block chaining
sha1 – Secure Hash Algorithm 1 (160-bit hashes)
md5 – Message Digest algorithm number 5 (128-bit hashes)
4-145
4
Command Line Interface
show public-key
This command shows the public key for the specified user or for the host.
Syntax
show public-key [user [username]| host]
username – Name of an SSH user. (Range: 1-8 characters)
Default Setting
Shows all public keys.
Command Mode
Privileged Exec
Command Usage
• If no parameters are entered, all keys are displayed. If the user keyword is
entered, but no user name is specified, then the public keys for all users are
displayed.
• When an RSA key is displayed, the first field indicates the size of the host key
(e.g., 1024), the second field is the encoded public exponent (e.g., 35), and
the last string is the encoded modulus. When a DSA key is displayed, the first
field indicates that the encryption method used by SSH is based on the Digital
Signature Standard (DSS), and the last string is the encoded modulus.
Example
Console#show public-key host
Host:
RSA:
1024 35
1568499540186766925933394677505461732531367489083654725415020245593199868
5443583616519999233297817660658309586108259132128902337654680172627257141
3428762941301196195566782595664104869574278881462065194174677298486546861
5717739390164779355942303577413098022737087794545240839717526463580581767
16709574804776117
DSA:
ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc
YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv
JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjw
bvwrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR
2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7YKBw/Kjw6Bm
iFq7O+jAhf1Dg45loAc27s6TLdtny1wRq/ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy
DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF/+DjKGWtPNIQqabKgYCw2
o/dVzX4Gg+yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7
w0W
Console#
4-146
Authentication Commands
4
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents
unauthorized access to the network by requiring users to first submit credentials for
authentication. Client authentication is controlled centrally by a RADIUS server
using EAP (Extensible Authentication Protocol).
Table 4-39 802.1X Port Authentication
Command
Function
Mode
Page
dot1x system-auth-control
Enables dot1x globally on the switch.
GC
4-147
dot1x default
Resets all dot1x parameters to their default values
GC
4-148
dot1x max-req
Sets the maximum number of times that the switch
retransmits an EAP request/identity packet to the client
before it times out the authentication session
IC
4-148
dot1x port-control
Sets dot1x mode for a port interface
IC
4-148
dot1x operation-mode
Allows single or multiple hosts on an dot1x port
IC
4-149
dot1x re-authenticate
Forces re-authentication on specific ports
PE
4-150
dot1x re-authentication
Enables re-authentication for all ports
IC
4-151
dot1x timeout quiet-period
Sets the time that a switch port waits after the Max
Request Count has been exceeded before attempting to
acquire a new client
IC
4-151
dot1x timeout re-authperiod
Sets the time period after which a connected client must
be re-authenticated
IC
4-152
dot1x timeout tx-period
Sets the time period during an authentication session that IC
the switch waits before re-transmitting an EAP packet
4-152
dot1x timeout supp-timeout
Sets the interval for a supplicant to respond
IC
4-153
dot1x intrusion-action
Sets the port response to intrusion when authentication
fails
IC
4-153
show dot1x
Shows all dot1x related information
PE
4-154
dot1x system-auth-control
This command enables 802.1X port authentication globally on the switch. Use the
no form to restore the default.
Syntax
[no] dotx system-auth-control
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dot1x system-auth-control
Console(config)#
4-147
4
Command Line Interface
dot1x default
This command sets all configurable dot1x global and port settings to their default
values.
Command Mode
Global Configuration
Example
Console(config)#dot1x default
Console(config)#
dot1x max-req
This command sets the maximum number of times the switch port will retransmit an
EAP request/identity packet to the client before it times out the authentication
session. Use the no form to restore the default.
Syntax
dot1x max-req count
no dot1x max-req
count – The maximum number of requests (Range: 1-10)
Default
2
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-req 2
Console(config-if)#
dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore
the default.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
• auto – Requires a dot1x-aware connected client to be authorized by the
RADIUS server. Clients that are not dot1x-aware will be denied access.
• force-authorized – Configures the port to grant access to all clients, either
dot1x-aware or otherwise.
• force-unauthorized – Configures the port to deny access to all clients,
either dot1x-aware or otherwise.
4-148
Authentication Commands
4
Default
force-authorized
Command Mode
Interface Configuration
Command Usage
• 802.1X port authentication and port security cannot be configured together on
the same port. Only one of these security mechanisms can be applied.
• 802.1X port authentication cannot be configured on trunk ports. In other
words, a static trunk or dynamically configured trunk cannot be set to auto or
force-unauthorized mode.
• When 802.1X authentication is enabled on a port, the MAC address learning
function for this interface is disabled, and the addresses dynamically learned
on this port are removed.
• Authenticated MAC addresses are stored as dynamic entries in the switch’s
secure MAC address table. Configured static MAC addresses are added to
the secure address table when seen on a switch port. Static addresses are
treated as authenticated without sending a request to a RADIUS server.
• When port status changes to down, all MAC addresses are cleared from the
secure MAC address table. Static VLAN assignments are not restored.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x port-control auto
Console(config-if)#
dot1x operation-mode
This command allows single or multiple hosts (clients) to connect to an
802.1X-authorized port. Use the no form with no keywords to restore the default to
single host. Use the no form with the multi-host max-count keywords to restore the
default maximum count.
Syntax
dot1x operation-mode {single-host | multi-host [max-count count] |
mac-based-auth}
no dot1x operation-mode [multi-host max-count]
• single-host – Allows only a single host to connect to this port.
• multi-host – Allows multiple host to connect to this port.
• max-count – Keyword for the maximum number of hosts.
count – The maximum number of hosts that can connect to a port.
(Range: 1-1024; Default: 5)
• mac-based-auth – Allows multiple hosts to connect to this port, with each
host needing to be authenticated.
4-149
4
Command Line Interface
Default
Single-host
Command Mode
Interface Configuration
Command Usage
• The “max-count” parameter specified by this command is only effective if the
dot1x mode is set to “auto” by the dot1x port-control command
(page 4-148).
• In “multi-host” mode, only one host connected to a port needs to pass
authentication for all other hosts to be granted network access. Similarly, a
port can become unauthorized for all hosts if one attached host fails
re-authentication or sends an EAPOL logoff message.
• In “mac-based-auth” mode, each host connected to a port needs to pass
authentication based on addresses configured in the authentication server
(see the network-access mode command on page 4-165). The number of
hosts allowed access to a port operating in this mode is limited only by the
available space in the secure address table (i.e., up to 1024 addresses).
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x operation-mode multi-host max-count 10
Console(config-if)#
dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
Syntax
dot1x re-authenticate [interface]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-28)
Command Mode
Privileged Exec
Command Usage
The re-authentication process verifies the connected client’s user ID and
password on the RADIUS server. During re-authentication, the client remains
connected the network and the process is handled transparently by the dot1x
client software. Only if re-authentication fails is the port blocked or the user
assigned to the Guest VLAN (see dot1x intrusion-action on page 4-153).
4-150
Authentication Commands
4
Example
Console#dot1x re-authenticate
Console#
dot1x re-authentication
This command enables periodic re-authentication globally for all ports. Use the no
form to disable re-authentication.
Syntax
[no] dot1x re-authentication
Command Mode
Interface Configuration
Command Usage
• The re-authentication process verifies the connected client’s user ID and
password on the RADIUS server. During re-authentication, the client remains
connected the network and the process is handled transparently by the dot1x
client software. Only if re-authentication fails is the port blocked or the user
assigned to the Guest VLAN (see dot1x intrusion-action on page 4-153).
• The connected client is re-authenticated after the interval specified by the
dot1x timeout re-authperiod command. The default is 3600 seconds.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication
Console(config-if)#
Related Commands
dot1x timeout re-authperiod (4-152)
dot1x timeout quiet-period
This command sets the time that a switch port waits after the Max Request Count
has been exceeded before attempting to acquire a new client. Use the no form to
reset the default.
Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
seconds - The number of seconds. (Range: 1-65535)
Default
60 seconds
Command Mode
Interface Configuration
4-151
4
Command Line Interface
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout quiet-period 350
Console(config-if)#
dot1x timeout re-authperiod
This command sets the time period after which a connected client must be
re-authenticated. Use the no form of this command to reset the default.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds. (Range: 1-65535)
Default
3600 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#
dot1x timeout tx-period
This command sets the time that an interface on the switch waits during an
authentication session before re-transmitting an EAP packet. Use the no form to
reset to the default value.
Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds. (Range: 1-65535)
Default
30 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout tx-period 300
Console(config-if)#
4-152
Authentication Commands
4
dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to
an EAP request from a client before re-transmitting an EAP packet. Use the no form
to reset to the default value.
Syntax
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
seconds - The number of seconds. (Range: 1-65535)
Default
30 seconds
Command Mode
Interface Configuration
Command Usage
This command sets the timeout for EAP-request frames other than
EAP-request/identity frames. If dot1x authentication is enabled on a port, the
switch will initiate authentication when the port link state comes up. It will send
an EAP-request/identity frame to the client to request its identity, followed by
one or more requests for authentication information. It may also send other
EAP-request frames to the client during an active connection as required for
reauthentication.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout supp-timeout 300
Console(config-if)#
dot1x intrusion-action
This command sets the port’s response to a failed authentication, either to block all
traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset
the default.
Syntax
dot1x intrusion-action {block-traffic | guest-vlan}
no dot1x intrusion-action
Default
block-traffic
Command Mode
Interface Configuration
4-153
4
Command Line Interface
Command Usage
For guest VLAN assignment to be successful, the VLAN must be configured
and set as active ("vlan database" on page 4-301) and assigned as the guest
VLAN for the port ("network-access guest-vlan" on page 4-168).
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x intrusion-action guest-vlan
Console(config-if)#
show dot1x
This command shows general port authentication related settings on the switch or a
specific interface.
Syntax
show dot1x [statistics] [interface interface]
• statistics - Displays dot1x status for each port.
• interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-28)
Command Mode
Privileged Exec
Command Usage
This command displays the following information:
• Global 802.1X Parameters – Shows whether or not 802.1X port
authentication is globally enabled on the switch.
• 802.1X Port Summary – Displays the port access control parameters for
each interface, including the following items:
- Status
– Administrative state for port access control.
- Operation Mode – Dot1x port control operation mode (page 4-149).
- Mode
– Dot1x port control mode (page 4-148).
- Authorized
– Authorization status (yes or n/a - not authorized).
• 802.1X Port Details – Displays the port access control parameters for each
interface, including the following items:
- reauth-enabled
– Periodic re-authentication (page 4-151).
- reauth-period
– Time after which a connected client must be
re-authenticated (page 4-152).
- quiet-period
– Time a port waits after Max Request Count is
exceeded before attempting to acquire a new
client (page 4-151).
4-154
Authentication Commands
- tx-period
-
supplicant-timeout
server-timeout
reauth-max
max-req
- Status
- Operation Mode
- Max Count
- Port-control
- Supplicant
- Current Identifier
- Intrusion action
4
– Time a port waits during authentication session
before re-transmitting EAP packet (page 4-152).
– Supplicant timeout.
– Server timeout.
– Maximum number of reauthentication attempts.
– Maximum number of times a port will retransmit
an EAP request/identity packet to the client
before it times out the authentication session
(page 4-148).
– Authorization status (authorized or not).
– Shows if single or multiple hosts (clients) can
connect to an 802.1X-authorized port.
– The maximum number of hosts allowed to
access this port (page 4-149).
– Shows the dot1x mode on a port as auto,
force-authorized, or force-unauthorized
(page 4-148).
– MAC address of authorized client.
– The integer (0-255) used by the Authenticator to
identify the current authentication session.
– Shows whether the switch will block all non-EAP
traffic or assign traffic on the port to a guest
VLAN if authentication fails.
• Authenticator State Machine
- State
– Current state (including initialize, disconnected,
connecting, authenticating, authenticated, aborting,
held, force_authorized, force_unauthorized).
- Reauth Count
– Number of times connecting state is re-entered.
• Backend State Machine
- State
– Current state (including request, response,
success, fail, timeout, idle, initialize).
- Request Count
– Number of EAP Request packets sent to the
Supplicant without receiving a response.
- Identifier(Server) – Identifier carried in the most recent EAP Success,
Failure or Request packet received from the
Authentication Server.
• Reauthentication State Machine
- State
– Current state (including initialize, reauthenticate).
4-155
4
Command Line Interface
Example
Console#show dot1x
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name
1/1
1/2
.
.
.
1/28
Status
disabled
enabled
Operation Mode
Single-Host
Single-Host
Mode
ForceAuthorized
auto
Authorized
n/a
yes
disabled
Single-Host
ForceAuthorized
n/a
802.1X Port Details
802.1X is disabled on port 1/1
802.1X is enabled on port 1/2
reauth-enabled: Enable
reauth-period: 1800
quiet-period:
30
tx-period:
40
supplicant-timeout:
30
server-timeout: 10
reauth-max:
2
max-req:
5
Status
Authorized
Operation mode
Single-Host
Max count
5
Port-control
Auto
Supplicant
00-12-cf-49-5e-dc
Current Identifier 3
Intrusion action
Guest VLAN
Authenticator State Machine
State
Authenticated
Reauth Count
0
Backend State Machine
State
Idle
Request Count
0
Identifier(Server) 2
Reauthentication State Machine
State
Initialize
.
.
.
4-156
4
Authentication Commands
Management IP Filter Commands
This section describes commands used to configure IP management access to the
switch.
Table 4-40 IP Filter Commands
Command
Function
Mode
management
Configures IP addresses that are allowed management access GC
4-157
show management
Displays the switch to be monitored or configured from a
browser
4-158
PE
Page
management
This command specifies the client IP addresses that are allowed management
access to the switch through various protocols. Use the no form to restore the
default setting.
Syntax
[no] management {all-client | http-client | snmp-client | telnet-client}
start-address [end-address]
•
•
•
•
•
•
all-client - Adds IP address(es) to the SNMP, web and Telnet groups.
http-client - Adds IP address(es) to the web group.
snmp-client - Adds IP address(es) to the SNMP group.
telnet-client - Adds IP address(es) to the Telnet group.
start-address - A single IP address, or the starting address of a range.
end-address - The end address of a range.
Default Setting
All addresses
Command Mode
Global Configuration
Command Usage
• If anyone tries to access a management interface on the switch from an invalid
address, the switch will reject the connection, enter an event message in the
system log, and send a trap message to the trap manager.
• IP address can be configured for SNMP, web and Telnet access respectively.
Each of these groups can include up to five different sets of addresses, either
individual addresses or address ranges.
• When entering addresses for the same group (i.e., SNMP, web or Telnet), the
switch will not accept overlapping address ranges. When entering addresses
for different groups, the switch will accept overlapping address ranges.
• You cannot delete an individual address from a specified range. You must
delete the entire range, and reenter the addresses.
• You can delete an address range just by specifying the start address, or by
specifying both the start address and end address.
4-157
4
Command Line Interface
Example
This example restricts management access to the indicated addresses.
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
Console(config)#
show management
This command displays the client IP addresses that are allowed management
access to the switch through various protocols.
Syntax
show management {all-client | http-client | snmp-client | telnet-client}
•
•
•
•
all-client - Adds IP address(es) to the SNMP, web and Telnet groups.
http-client - Adds IP address(es) to the web group.
snmp-client - Adds IP address(es) to the SNMP group.
telnet-client - Adds IP address(es) to the Telnet group.
Command Mode
Privileged Exec
Example
Console#show management all-client
Management IP Filter
HTTP-Client:
Start IP address
End IP address
----------------------------------------------1. 192.168.1.19
192.168.1.19
2. 192.168.1.25
192.168.1.30
SNMP-Client:
Start IP address
End IP address
----------------------------------------------1. 192.168.1.19
192.168.1.19
2. 192.168.1.25
192.168.1.30
TELNET-Client:
Start IP address
End IP address
----------------------------------------------1. 192.168.1.19
192.168.1.19
2. 192.168.1.25
192.168.1.30
Console#
4-158
General Security Measures
4
General Security Measures
This switch supports many methods of segregating traffic for clients attached to
each of the data ports, and for ensuring that only authorized clients gain access to
the network. Private VLANs and port-based authentication using IEEE 802.1X are
commonly used for these purposes. In addition to these methods, several other
options of providing client security are described in this section. These include
port-based authentication, which can be configured to allow network client access
by specifying a fixed set of MAC addresses. The addresses assigned to DHCP
clients can also be carefully controlled using static or dynamic bindings with the IP
Source Guard and DHCP Snooping commands.
Table 4-41 General Security Commands
Command Group
Function
Page
Private VLANs
Configures private VLANs, including uplink and downlink ports
4-319
Port Security*
Configures secure addresses for a port
4-160
Port Authentication*
Configures host authentication on specific ports using 802.1X
4-147
Network Access*
Configures MAC authentication and dynamic VLAN assignment
4-162
Web Authentication*
Configures Web authentication
4-175
Access Control Lists*
Provides filtering for IPv4 frames (based on address, protocol,
Layer 4 protocol port number or TCP control code), IPv6 frames
(based on address, next header type, or flow label), or non-IP
frames (based on MAC address or Ethernet type)
4-200
DHCP Snooping*
Filters untrusted DHCP messages on insecure ports by building and
maintaining a DHCP snooping binding table
4-180
IP Source Guard*
Filters IP traffic on insecure ports for which the source address
cannot be identified via DHCP snooping nor static source bindings
4-188
ARP Inspection
Validates the MAC-to-IP address bindings in ARP packets
4-192
* The priority of execution for these filtering commands is Port Security, Port Authentication, Network Access, Web
Authentication, Access Control Lists, DHCP Snooping, and then IP Source Guard.
4-159
4
Command Line Interface
Port Security Commands
These commands can be used to enable port security on a port. When using port
security, the switch stops learning new MAC addresses on the specified port when it
has reached a configured maximum number. Only incoming traffic with source
addresses already stored in the dynamic or static address table for this port will be
authorized to access the network. The port will drop any incoming frames with a
source MAC address that is unknown or has been previously learned from another
port. If a device with an unauthorized MAC address attempts to use the switch port,
the intrusion will be detected and the switch can automatically take action by
disabling the port and sending a trap message.
Table 4-42 Port Security Commands
Command
Function
Mode
Page
port security
Configures a secure port
IC
4-160
mac-address-table static
Maps a static address to a port in a VLAN
GC
4-266
show mac-address-table
Displays entries in the bridge-forwarding database
PE
4-268
port security
This command enables or configures port security. Use the no form without any
keywords to disable port security. Use the no form with the appropriate keyword to
restore the default settings for a response to a security violation or for the maximum
number of allowed addresses.
Syntax
port security [action {shutdown | trap | trap-and-shutdown}
| max-mac-count address-count]
no port security [action | max-mac-count]
• action - Response to take when port security is violated.
- shutdown - Disable port only.
- trap - Issue SNMP trap message only.
- trap-and-shutdown - Issue SNMP trap message and disable port.
• max-mac-count
- address-count - The maximum number of MAC addresses that can be
learned on a port. (Range: 0 - 1024, where 0 means disabled)
Default Setting
• Status: Disabled
• Action: None
• Maximum Addresses: 0
Command Mode
Interface Configuration (Ethernet)
4-160
General Security Measures
4
Command Usage
• If you enable port security, the switch stops learning new MAC addresses on
the specified port when it has reached a configured maximum number. Only
incoming traffic with source addresses already stored in the dynamic or static
address table will be accepted.
• Use the port security command to enable security on a port. Then use the
port security action command to set the response to a port security violation,
and the port security max-mac-count command to set the maximum
number of addresses allowed on a port.
• You can also manually add secure addresses with the mac-address-table
static command.
• A secure port has the following restrictions:
- Cannot be connected to a network interconnection device.
- Cannot be a trunk port.
• If a port is disabled due to a security violation, it must be manually re-enabled
using the no shutdown command.
Example
The following example enables port security for port 5, and sets the response to a
security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security
Console(config-if)#port security action trap
Console(config-if)#
Related Commands
shutdown (4-228)
mac-address-table static (4-266)
show mac-address-table (4-268)
4-161
4
Command Line Interface
Network Access (MAC Address Authentication)
Network Access authentication controls access to the network by authenticating the
MAC address of each host that attempts to connect to a switch port. Traffic received
from a specific MAC address is forwarded by the switch only if the source MAC
address is successfully authenticated by a central RADIUS server. While
authentication for a MAC address is in progress, all traffic is blocked until
authentication is completed. On successful authentication, the RADIUS server may
optionally assign VLAN and QoS settings for the switch port.
Table 4-43 Network Access
Command
Function
Mode
Page
network-access aging
Enables MAC address aging
GC
4-163
network-access mac-filter
Adds a MAC address to a filter table
GC
4-163
network-access
port-mac-filter
Enables the specified MAC address filter
IC
4-164
network-access
max-mac-count
Sets a maximum number for authenticated MAC
addresses on an interface
IC
4-165
network-access mode
Enables MAC authentication on an interface
IC
4-165
mac-authentication
reauth-time
Sets the time period after which a connected MAC
address must be re-authenticated
GC
4-166
mac-authentication
max-mac-count
Sets a maximum number for mac-authentication
authenticated MAC addresses on an interface
IC
4-167
mac-authentication
intrusion-action
Determines the port response when a connected host fails IC
MAC authentication.
4-167
network-access dynamic-vlan Enables dynamic VLAN assignment from a RADIUS
server
IC
4-168
network-access guest-vlan
IC
4-168
network-access dynamic-qos Enables the dynamic quality of service feature
IC
4-169
network-access
link-detection
Enables the link detection feature
IC
4-168
network-access
link-detection link-down
Configures the link detection feature to detect and act
upon link-down events
IC
4-168
network-access
link-detection link-up
Configures the link detection feature to detect and act
upon link-up events
IC
4-168
network-access
link-detection link-up-down
Configures the link detection feature to detect and act
upon both link-up and link-down events
IC
4-168
clear network-access
Clears authenticated MAC addresses from the address
table
PE
4-172
show network-access
Displays the MAC authentication settings for port
interfaces
PE
4-172
show network-access
mac-address-table
Displays information for entries in the secure MAC
address table
PE
4-173
show network-access
mac-filter
Displays information for entries in the MAC filter tables
PE
4-174
4-162
Specifies the guest VLAN
General Security Measures
4
network-access aging
Use this command to enable aging for authenticated MAC addresses stored in the
secure MAC address table. Use the no form of this command to disable address
aging.
Syntax
[no] network-access aging
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• Authenticated MAC addresses are stored as dynamic entries in the switch’s
secure MAC address table and are removed when the aging time expires. The
address aging time is determined by the mac-address-table aging-time
command (page 4-269).
• This parameter applies to authenticated MAC addresses configured by the
MAC Address Authenticataion process described in this section, as well as to
any secure MAC addresses authenticated by 802.1X, regardless of the
802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based
authentication as described on page 4-149).
• The maximum number of secure MAC addresses supported for the switch
system is 1024.
Example
Console(config-if)#network-access aging
Console(config-if)#
network-access mac-filter
Use this command to add a MAC address into a filter table. Use the no form of this
command to remove the specified MAC address.
Syntax
[no] network-access mac-filter filter-id
mac-address mac-address [mask mask-address]
• filter-id - Specifies a MAC address filter table. (Range: 1-64)
• mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
• mask - Specifies a MAC address bit mask for a range of addresses.
Default Setting
Disabled
4-163
4
Command Line Interface
Command Mode
Global Configuration
Command Usage
• Specified addresses are exempt from network access authentication.
• This command is different from configuring static addresses with the
mac-address-table static command (page 4-266) in that it allows you
configure a range of addresses when using a mask, and then to assign these
addresses to one or more ports with the network-access port-mac-filter
command (page 4-164).
• Up to 64 filter tables can be defined.
• There is no limitation on the number of entries that can entered in a filter table.
Example
Console(config)#network-access mac-filter 1 mac-address 11-22-33-44-55-66
Console(config)#
network-access port-mac-filter
Use this command to enable the specified MAC address filter. Use the no form of
this command to disable the specified MAC address filter.
Syntax
network-access port-mac-filter filter-id
no network-access port-mac-filter
filter-id - Specifies a MAC address filter table. (Range: 1-64)
Default Setting
None
Command Mode
Interface Configuration
Command Mode
Only one filter table can be assigned to a port.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access port-mac-filter 1
Console(config-if)#
4-164
General Security Measures
4
network-access max-mac-count
Use this command to set the maximum number of MAC addresses that can be
authenticated on a port interface via all forms of authentication. Use the no form of
this command to restore the default.
Syntax
network-access max-mac-count count
no network-access max-mac-count
count - The maximum number of authenticated MAC addresses allowed.
(Range: 1 to 2048; 0 for unlimited)
Default Setting
2048
Command Mode
Interface Configuration
Command Usage
The maximum number of MAC addresses per port is 2048, and the maximum
number of secure MAC addresses supported for the switch system is 1024.
When the limit is reached, all new MAC addresses are treated as
authentication failures.
Example
Console(config-if)#network-access max-mac-count 5
Console(config-if)#
network-access mode
Use this command to enable network access authentication on a port. Use the no
form of this command to disable network access authentication.
Syntax
[no] network-access mode mac-authentication
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
• When enabled on a port, the authentication process sends a Password
Authentication Protocol (PAP) request to a configured RADIUS server. The
username and password are both equal to the MAC address being
authenticated.
4-165
4
Command Line Interface
• On the RADIUS server, PAP username and passwords must be configured in
the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
• Authenticated MAC addresses are stored as dynamic entries in the switch’s
secure MAC address table and are removed when the aging time expires. The
maximum number of secure MAC addresses supported for the switch system
is 1024.
• Configured static MAC addresses are added to the secure address table
when seen on a switch port. Static addresses are treated as authenticated
without sending a request to a RADIUS server.
• MAC authentication, 802.1X, and port security cannot be configured together
on the same port. Only one security mechanism can be applied.
• MAC authentication cannot be configured on trunk ports.
• When port status changes to down, all MAC addresses are cleared from the
secure MAC address table. Static VLAN assignments are not restored.
• The RADIUS server may optionally return a VLAN identifier list. VLAN
identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The VLAN
list can contain multiple VLAN identifiers in the format “1u,2t,” where “u”
indicates untagged VLAN and “t” tagged VLAN. The “Tunnel-Type” attribute
should be set to “VLAN,” and the “Tunnel-Medium-Type” attribute set to “802.”
Example
Console(config-if)#network-access mode mac-authentication
Console(config-if)#
mac-authentication reauth-time
Use this command to set the time period after which a connected MAC address
must be re-authenticated. Use the no form of this command to restore the default
value.
Syntax
mac-authentication reauth-time seconds
no mac-authentication reauth-time
seconds - The reauthentication time period.
(Range: 120-1000000 seconds)
Default Setting
1800
Command Mode
Global Configuration
Command Usage
• The reauthentication time is a global setting and applies to all ports.
• When the reauthentication time expires for a secure MAC address it is
reauthenticated with the RADIUS server. During the reauthentication process
traffic through the port remains unaffected.
4-166
4
General Security Measures
Example
Console(config)#mac-authentication reauth-time 300
Console(config)#
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication
failure. Use the no form of this command to restore the default.
Syntax
mac-authentication intrusion-action [block traffic | pass traffic]
no mac-authentication intrusion-action
Default Setting
Block Traffic
Command Mode
Interface Configuration
Example
Console(config-if)#mac-authentication intrusion-action block-traffic
Console(config-if)#
mac-authentication max-mac-count
Use this command to set the maximum number of MAC addresses that can be
authenticated on a port via 802.1X authentication or MAC authentication. Use the
no form of this command to restore the default.
Syntax
mac-authentication max-mac-count count
no mac-authentication max-mac-count
count - The maximum number of 802.1X and MAC-authenticated MAC
addresses allowed. (Range: 1-1024)
Default Setting
1024
Command Mode
Interface Configuration
Example
Console(config-if)#mac-authentication max-mac-count 32
Console(config-if)#
4-167
4
Command Line Interface
network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port.
Use the no form to disable dynamic VLAN assignment.
Syntax
[no] network-access dynamic-vlan
Default Setting
Enabled
Command Mode
Interface Configuration
Command Usage
• When enabled, the VLAN identifiers returned by the RADIUS server will be
applied to the port, providing the VLANs have already been created on the
switch. GVRP is not used to create the VLANs.
• The VLAN settings specified by the first authenticated MAC address are
implemented for a port. Other authenticated MAC addresses on the port must
have the same VLAN configuration, or they are treated as authentication
failures.
• If dynamic VLAN assignment is enabled on a port and the RADIUS server
returns no VLAN configuration, the authentication is still treated as a success.
• When the dynamic VLAN assignment status is changed on a port, all
authenticated addresses are cleared from the secure MAC address table.
Example
The following example enables dynamic VLAN assignment on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-vlan
Console(config-if)#
network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when network
access (MAC authentication) or 802.1X authentication is rejected. Use the no form
of this command to disable guest VLAN assignment.
Syntax
network-access guest-vlan vlan-id
no network-access guest-vlan
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
Disabled
4-168
4
General Security Measures
Command Mode
Interface Configuration
Command Usage
• The VLAN to be used as the guest VLAN must be defined and set as active
("vlan database" on page 4-301).
• When used with 802.1X authentication, the intrusion-action must be set for
‘guest-vlan’ to be effective (see "dot1x intrusion-action" on page 4-153).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access guest-vlan 25
Console(config-if)#
network-access dynamic-qos
Use this command to enable the dynamic QoS feature for an authenticated port.
Use the no form to restore the default.
Syntax
[no] network-access dynamic-qos
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
• The RADIUS server may optionally return dynamic QoS assignments to be applied
to a switch port for an authenticated user. The “Filter-ID” attribute (attribute 11) can
be configured on the RADIUS server to pass the following QoS information:
Table 4-44 Dynamic QoS Profiles
Profile
Attribute Syntax
Example
DiffServ
service-policy-in=policy-map-name
service-policy-in=p1
Rate Limit
rate-limit-input=rate
rate-limit-input=100 (in units of Kbps)
802.1p
switchport-priority-default=value
switchport-priority-default=2
• When the last user logs off of a port with a dynamic QoS assignment, the switch
restores the original QoS configuration for the port.
• When a user attempts to log into the network with a returned dynamic QoS profile
that is different from users already logged on to the same port, the user is denied
access.
• While a port has an assigned dynamic QoS profile, any manual QoS configuration
changes only take effect after all users have logged off of the port.
4-169
4
Command Line Interface
Note: Any configuration changes for dynamic QoS are not saved to the switch
configuration file.
Example
The following example enables the dynamic QoS feature on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-qos
Console(config-if)#
network-access link-detection
Use this command to enable link detection for the selected port. Use the no form of
this command to restore the default.
Syntax
[no] network-access link-detection
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection
Console(config-if)#
network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut
down the port, send an SNMP trap, or both. Use the no form of this command to
disable this feature.
Syntax
network-access link-detection link-down
action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-down action trap
Console(config-if)#
4-170
4
General Security Measures
network-access link-detection link-up
Use this command to detect link-up events. When detected, the switch can shut
down the port, send an SNMP trap, or both. Use the no form of this command to
disable this feature.
Syntax
network-access link-detection link-up
action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up action trap
Console(config-if)#
network-access link-detection link-up-down
Use this command to detect link-up and link-down events. When either event is
detected, the switch can shut down the port, send an SNMP trap, or both. Use the
no form of this command to disable this feature.
Syntax
network-access link-detection link-up-down
action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up-down action trap
Console(config-if)#
4-171
4
Command Line Interface
clear network-access
Use this command to clear entries from the secure MAC addresses table.
Syntax
clear network-access mac-address-table [static | dynamic]
[address mac-address] [interface interface]
•
•
•
•
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.
ethernet unit/port
- unit - This is unit 1.
- port - Port number. (Range: 1-28)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#clear network-access mac-address-table interface ethernet 1/1
Console#
show network-access
Use this command to display the MAC authentication settings for port interfaces.
Syntax
show network-access [interface interface]
interface - Specifies a port interface.
ethernet unit/port
• unit - This is unit 1.
• port - Port number. (Range: 1-28)
Default Setting
Displays the settings for all interfaces.
Command Mode
Privileged Exec
4-172
General Security Measures
4
Example
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time
: 1800
--------------------------------------------------------------------------------------------------Port : 1/1
MAC Authentication
: Disabled
MAC Authentication Intrusion action
: Block traffic
MAC Authentication Maximum MAC Counts : 1024
Maximum MAC Counts
: 2048
Dynamic VLAN Assignment
: Enabled
Guest VLAN
: Disabled
Console#
show network-access mac-address-table
Use this command to display secure MAC address table entries.
Syntax
show network-access mac-address-table [static | dynamic]
[address mac-address [mask]] [interface interface]
[sort {address | interface}]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
mask - Specifies a MAC address bit mask for filtering displayed addresses.
interface - Specifies a port interface.
ethernet unit/port
- unit - This is unit 1.
- port - Port number. (Range: 1-28)
• sort - Sorts displayed entries by either MAC address or interface.
•
•
•
•
•
Default Setting
Displays all entries.
Command Mode
Privileged Exec
Command Usage
When using a bit mask to filter displayed MAC addresses, a 1 means “care”
and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and
mask FF-FF-FF-00-00-00 would result in all MACs in the range
00-00-01-00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs
would be filtered out.
4-173
4
Command Line Interface
Example
Console#show network-access mac-address-table
---- ----------------- --------------- --------Port MAC-Address
RADIUS-Server
Attribute
---- ----------------- --------------- --------1/1 00-00-01-02-03-04 172.155.120.17 Static
1/1 00-00-01-02-03-05 172.155.120.17 Dynamic
1/1 00-00-01-02-03-06 172.155.120.17 Static
1/3 00-00-01-02-03-07 172.155.120.17 Dynamic
------------------------Time
------------------------2009y 01m 00d 06h 32m 50s
2009y 01m 00d 06h 33m 20s
2009y 01m 00d 06h 35m 10s
2009y 01m 00d 06h 34m 20s
Console#
show network-access mac-filter
Use this command to display information for entries in the MAC filter tables.
Syntax
show network-access mac-filter [filter-id]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
Default Setting
Displays all filters.
Command Mode
Privileged Exec
Example
Console#sh network-access mac-filter
Filter ID MAC Address
MAC Mask
--------- ----------------- ----------------1 00-00-01-02-03-08 FF-FF-FF-FF-FF-FF
Console#
4-174
4
General Security Measures
Web Authentication
Web authentication allows stations to authenticate and access the network in
situations where 802.1X or Network Access authentication are infeasible or
impractical. The web authentication feature allows unauthenticated hosts to request
and receive a DHCP assigned IP address and perform DNS queries. All other traffic,
except for HTTP protocol traffic, is blocked. The switch intercepts HTTP protocol
traffic and redirects it to a switch-generated web page that facilitates user name and
password authentication via RADIUS. Once authentication is successful, the web
browser is forwarded on to the originally requested web page. Successful
authentication is valid for all hosts connected to the port.
Notes: 1. RADIUS authentication must be activated and configured for the web
authentication feature to work properly (see "Configuring Local/Remote
Logon Authentication" on page 3-73).
2. Web authentication cannot be configured on trunk ports.
Table 4-45 Web Authentication
Command
Function
Mode
Page
web-auth login-attempts
Defines the limit for failed web authentication login
attempts
GC
4-175
web-auth quiet-period
Defines the amount of time to wait after the limit for
failed login attempts is exceeded.
GC
4-176
web-auth session-timeout
Defines the amount of time a session remains valid
GC
4-176
web-auth system-auth-control
Enables web authentication globally for the switch
GC
4-177
web-auth
Enables web authentication for an interface
IC
4-177
web-auth re-authenticate (Port)
Ends all web authentication sessions on the port and
forces the users to re-authenticate
PE
4-178
web-auth re-authenticate (IP)
Ends the web authentication session associated with
the designated IP address and forces the user to
re-authenticate
PE
4-178
show web-auth
Displays global web authentication parameters
PE
4-179
show web-auth interface
Displays interface-specific web authentication
parameters and statistics
PE
4-179
show web-auth summary
Displays a summary of web authentication port
parameters and statistics
PE
4-178
web-auth login-attempts
This command defines the limit for failed web authentication login attempts. After the
limit is reached, the switch refuses further login attempts until the quiet time expires.
Use the no form to restore the default.
Syntax
web-auth login-attempts count
no web-auth login-attempts
count - The limit of allowed failed login attempts. (Range: 1-3)
4-175
4
Command Line Interface
Default Setting
3 login attempts
Command Mode
Global Configuration
Example
Console(config)#web-auth login-attempts 2
Console(config)#
web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit
for failed login attempts, before it may attempt web authentication again. Use the no
form to restore the default.
Syntax
web-auth quiet-period time
no web-auth quiet period
time - The amount of time the host must wait before attempting
authentication again. (Range: 1-180 seconds)
Default Setting
60 seconds
Command Mode
Global Configuration
Example
Console(config)#web-auth quiet-period 120
Console(config)#
web-auth session-timeout
This command defines the amount of time a web-authentication session remains
valid. When the session timeout has been reached, the host is logged off and must
re-authenticate itself the next time data transmission takes place. Use the no form to
restore the default.
Syntax
web-auth session-timeout timeout
no web-auth session timeout
timeout - The amount of time that an authenticated session remains valid.
(Range: 300-3600 seconds)
Default Setting
3600 seconds
4-176
4
General Security Measures
Command Mode
Global Configuration
Example
Console(config)#web-auth session-timeout 1800
Console(config)#
web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form
to restore the default.
Syntax
[no] web-auth system-auth-control
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for an
interface must be enabled for the web authentication feature to be active.
Example
Console(config)#web-auth system-auth-control
Console(config)#
web-auth
This command enables web authentication for an interface. Use the no form to
restore the default.
Syntax
[no] web-auth
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for a port
must be enabled for the web authentication feature to be active.
Example
Console(config-if)#web-auth
Console(config-if)#
4-177
4
Command Line Interface
web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and
forces the users to re-authenticate.
Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
• unit - This is unit 1.
• port - Port number. (Range: 1-28)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#web-auth re-authenticate interface ethernet 1/2
Failed to reauth.
Console#
web-auth re-authenticate (IP)
This command ends the web authentication session associated with the designated
IP address and forces the user to re-authenticate.
Syntax
web-auth re-authenticate interface interface ip
• interface - Specifies a port interface.
ethernet unit/port
- unit - This is unit 1.
- port - Port number. (Range: 1-28)
• ip - IPv4 formatted IP address
Default Setting
None
Command Mode
Privileged Exec
Example
Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5
Failed to reauth port.
Console#
4-178
General Security Measures
4
show web-auth
This command displays global web authentication parameters.
Command Mode
Privileged Exec
Example
Console#show web-auth
Global Web-Auth Parameters
System Auth Control
Session Timeout
Quiet Period
Max Login Attempts
Console#
:
:
:
:
Enabled
3600
60
3
show web-auth interface
This command displays interface-specific web authentication parameters and
statistics.
Syntax
show web-auth interface interface
interface - Specifies a port interface.
• ethernet unit/port
- unit - This is unit 1.
- port - Port number. (Range: 1-28)
Command Mode
Privileged Exec
Example
Console#show web-auth interface ethernet 1/2
Web Auth Status
: Enabled
Host Summary
IP address
--------------1.1.1.1
1.1.1.2
Console#
Web-Auth-State
-------------Authenticated
Authenticated
Remaining-Session-Time
---------------------295
111
show web-auth summary
This command displays a summary of web authentication port parameters and
statistics.
Command Mode
Privileged Exec
4-179
4
Command Line Interface
Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control
Port
Status
--------1/ 1
Disabled
1/ 2
Enabled
1/ 3
Disabled
1/ 4
Disabled
1/
5
Disabled
.
.
.
: Enabled
Authenticated Host Count
-----------------------0
8
0
0
0
DHCP Snooping Commands
DHCP snooping allows a switch to protect a network from rogue DHCP servers or
other devices which send port-related information to a DHCP server. This
information can be useful in tracking an IP address back to a physical port. This
section describes commands used to configure DHCP snooping.
Table 4-46 DHCP Snooping Commands
Command
Function
Mode
ip dhcp snooping
Enables DHCP snooping globally
GC
4-181
ip dhcp snooping vlan
Enables DHCP snooping on the specified VLAN
GC
4-182
ip dhcp snooping trust
Configures the specified interface as trusted
IC
4-183
ip dhcp snooping verify
mac-address
Verifies the client’s hardware address stored in the DHCP
GC
packet against the source MAC address in the Ethernet header
4-184
ip dhcp snooping
information option
Enables or disables DHCP Option 82 information relay
GC
4-185
ip dhcp snooping
information policy
Sets the information option policy for DHCP client packets that GC
include Option 82 information
4-186
ip dhcp snooping
database flash
Writes all dynamically learned snooping entries to flash memory GC
4-186
clear ip dhcp snooping
database flash
Removes all dynamically learned snooping entries from flash
memory.
PE
4-187
show ip dhcp snooping
Shows the DHCP snooping configuration settings
PE
4-187
show ip dhcp snooping
binding
Shows the DHCP snooping binding table entries
PE
4-187
4-180
Page
4
General Security Measures
ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the
default setting.
Syntax
[no] ip dhcp snooping
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• Network traffic may be disrupted when malicious DHCP messages are
received from an outside source. DHCP snooping is used to filter DHCP
messages received on an insecure interface from outside the network or fire
wall. When DHCP snooping is enabled globally by this command, and
enabled on a VLAN interface by the ip dhcp snooping vlan command
(page 4-182), DHCP messages received on an untrusted interface (as
specified by the no ip dhcp snooping trust command, page 4-183) from a
device not listed in the DHCP snooping table will be dropped.
• When enabled, DHCP messages entering an untrusted interface are filtered
based upon dynamic entries learned via DHCP snooping.
• Table entries are only learned for untrusted interfaces. Each entry includes a
MAC address, IP address, lease time, VLAN identifier, and port identifier.
• When DHCP snooping is enabled, the rate limit for the number of DHCP
messages that can be processed by the switch is 100 packets per second.
Any DHCP packets in excess of this limit are dropped.
• Filtering rules are implemented as follows:
- If the global DHCP snooping is disabled, all DHCP packets are forwarded.
- If DHCP snooping is enabled globally, and also enabled on the VLAN where
the DHCP packet is received, all DHCP packets are forwarded for a trusted
port. If the received packet is a DHCP ACK message, a dynamic DHCP
snooping entry is also added to the binding table.
- If DHCP snooping is enabled globally, and also enabled on the VLAN where
the DHCP packet is received, but the port is not trusted, it is processed as
follows:
* If the DHCP packet is a reply packet from a DHCP server (including
OFFER, ACK or NAK messages), the packet is dropped.
* If the DHCP packet is from a client, such as a DECLINE or RELEASE
message, the switch forwards the packet only if the corresponding entry
is found in the binding table.
* If the DHCP packet is from client, such as a DISCOVER, REQUEST,
INFORM, DECLINE or RELEASE message, the packet is forwarded if
MAC address verification is disabled (as specified by the ip dhcp
snooping verify mac-address command, page 4-184). However, if
4-181
4
Command Line Interface
MAC address verification is enabled, then the packet will only be
forwarded if the client’s hardware address stored in the DHCP packet is
the same as the source MAC address in the Ethernet header.
* If the DHCP packet is not a recognizable type, it is dropped.
- If a DHCP packet from a client passes the filtering criteria above, it will only
be forwarded to trusted ports in the same VLAN.
- If a DHCP packet is from server is received on a trusted port, it will be
forwarded to both trusted and untrusted ports in the same VLAN.
• If the DHCP snooping is globally disabled, all dynamic bindings are removed
from the binding table.
• Additional considerations when the switch itself is a DHCP client – The port(s)
through which the switch submits a client request to the DHCP server must be
configured as trusted (ip dhcp snooping trust, page 4-183). Note that the
switch will not add a dynamic entry for itself to the binding table when it
receives an ACK message from a DHCP server. Also, when the switch sends
out DHCP client packets for itself, no filtering takes place. However, when the
switch receives any messages from a DHCP server, any packets received
from untrusted ports are dropped.
Example
This example enables DHCP snooping globally for the switch.
Console(config)#ip dhcp snooping
Console(config)#
Related Commands
ip dhcp snooping vlan (4-182)
ip dhcp snooping trust (4-183)
ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to
restore the default setting.
Syntax
[no] ip dhcp snooping vlan vlan-id
vlan-id - ID of a configured VLAN (Range: 1-4094)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• When DHCP snooping enabled globally using the ip dhcp snooping
command (page 4-181), and enabled on a VLAN with this command, DHCP
4-182
4
General Security Measures
packet filtering will be performed on any untrusted ports within the VLAN as
specified by the ip dhcp snooping trust command (page 4-183).
• When the DHCP snooping is globally disabled, DHCP snooping can still be
configured for specific VLANs, but the changes will not take effect until DHCP
snooping is globally re-enabled.
• When DHCP snooping is globally enabled, configuration changes for specific
VLANs have the following effects:
- If DHCP snooping is disabled on a VLAN, all dynamic bindings learned for
this VLAN are removed from the binding table.
Example
This example enables DHCP snooping for VLAN 1.
Console(config)#ip dhcp snooping vlan 1
Console(config)#
Related Commands
ip dhcp snooping (4-181)
ip dhcp snooping trust (4-183)
ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to
restore the default setting.
Syntax
[no] ip dhcp snooping trust
Default Setting
All interfaces are untrusted
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• A trusted interface is an interface that is configured to receive only messages
from within the network. An untrusted interface is an interface that is
configured to receive messages from outside the network or fire wall.
• Set all ports connected to DHCP servers within the local network or fire wall
to trusted, and all other ports outside the local network or fire wall to untrusted.
• When DHCP snooping ia enabled globally using the ip dhcp snooping
command (page 4-181), and enabled on a VLAN with ip dhcp snooping vlan
command (page 4-182), DHCP packet filtering will be performed on any
untrusted ports within the VLAN according to the default status, or as
specifically configured for an interface with the no ip dhcp snooping trust
command.
• When an untrusted port is changed to a trusted port, all the dynamic DHCP
snooping bindings associated with this port are removed.
4-183
4
Command Line Interface
• Additional considerations when the switch itself is a DHCP client – The port(s)
through which it submits a client request to the DHCP server must be
configured as trusted.
Example
This example sets port 5 to untrusted.
Console(config)#interface ethernet 1/5
Console(config-if)#no ip dhcp snooping trust
Console(config-if)#
Related Commands
ip dhcp snooping (4-181)
ip dhcp snooping vlan (4-182)
ip dhcp snooping verify mac-address
This command verifies the client’s hardware address stored in the DHCP packet
against the source MAC address in the Ethernet header. Use the no form to disable
this function.
Syntax
[no] ip dhcp snooping verify mac-address
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
If MAC address verification is enabled, and the source MAC address in the
Ethernet header of the packet is not same as the client’s hardware address in
the DHCP packet, the packet is dropped.
Example
This example enables MAC address verification.
Console(config)#ip dhcp snooping verify mac-address
Console(config)#
Related Commands
ip dhcp snooping (4-181)
ip dhcp snooping vlan (4-182)
ip dhcp snooping trust (4-183)
4-184
General Security Measures
4
ip dhcp snooping information option
This command enables the DHCP Option 82 information relay for the switch. Use
the no form to disable this function.
Syntax
[no] ip dhcp snooping information option
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• DHCP provides a relay mechanism for sending information about the switch
and its DHCP clients to the DHCP server. Known as DHCP Option 82, it
allows compatible DHCP servers to use the information when assigning IP
addresses, or to set other services or policies for clients.
• When the DHCP Snooping Information Option is enabled, the requesting
client (or an intermediate relay agent that has used the information fields to
describe itself) can be identified in the DHCP request packets forwarded by
the switch and in reply packets sent back from the DHCP server, by the switch
port to which they are connected rather than just their MAC address. DHCP
client-server exchange messages are then forwarded directly between the
server and client without having to flood them to the entire VLAN.
• DHCP snooping must be enabled on the switch for the DHCP Option 82
information to be inserted into packets.
• Use the ip dhcp snooping information option command (page 4-185) to
specify how to handle DHCP client request packets which already contain
Option 82 information.
Example
This example enables the DHCP Snooping Information Option.
Console(config)#ip dhcp snooping information option
Console(config)#
4-185
4
Command Line Interface
ip dhcp snooping information policy
This command sets the DHCP snooping information option policy for DHCP client
packets that include Option 82 information.
Syntax
ip dhcp snooping information policy {drop | keep | replace}
• drop - Drops the client’s request packet instead of relaying it.
• keep - Retains the Option 82 information in the client request, and forwards
the packets to trusted ports.
• replace - Replaces the Option 82 information in the client’s request with
information about the relay agent itself, inserts the relay agent’s address
(when DHCP snooping is enabled), and forwards the packets to trusted
ports.
Default Setting
replace
Command Mode
Global Configuration
Command Usage
When the switch receives DHCP packets from clients that already include
DHCP Option 82 information, the switch can be configured to set the action
policy for these packets. The switch can drop the DHCP packets, keep the
existing information, or replace it with the switch’s relay information.
Example
Console(config)#ip dhcp snooping information policy drop
Console(config)#
ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.
Command Mode
Global Configuration
Command Usage
This command can be used to store the currently learned dynamic DHCP
snooping entries to flash memory. These entries will be restored to the
snooping table when the switch is reset. However, note that the lease time
shown for a dynamic entry that has been restored from flash memory will no
longer be valid.
Example
Console(config)#ip dhcp snooping database flash
Console(config)#
4-186
General Security Measures
4
clear ip dhcp snooping database flash
This command removes all dynamically learned snooping entries from flash
memory.
Command Mode
Privileged Exec
Example
Console(config)#ip dhcp snooping database flash
Console(config)#
show ip dhcp snooping
This command shows the DHCP snooping configuration settings.
Command Mode
Privileged Exec
Example
Console#show ip dhcp snooping
Global DHCP Snooping status: disable
DHCP Snooping Information Option Status: disable
DHCP Snooping Information Policy: replace
DHCP Snooping is configured on the following VLANs:
1
Verify Source Mac-Address: enable
Interface
Trusted
------------------Eth 1/1
No
Eth 1/2
No
Eth 1/3
No
Eth 1/4
No
Eth
1/5
Yes
.
.
.
show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.
Command Mode
Privileged Exec
Example
Console#show ip dhcp snooping binding
MacAddress
IpAddress
Lease(sec) Type
VLAN Interface
----------------- --------------- ---------- -------------------- ---- --------11-22-33-44-55-66 192.168.0.99
0 Static
1 Eth 1/5
Console#
4-187
4
Command Line Interface
IP Source Guard Commands
IP Source Guard is a security feature that filters IP traffic on network interfaces
based on manually configured entries in the IP Source Guard table, or dynamic
entries in the DHCP Snooping table when enabled (see "DHCP Snooping
Commands" on page 4-180). IP source guard can be used to prevent traffic attacks
caused when a host tries to use the IP address of a neighbor to access the network.
This section describes commands used to configure IP Source Guard.
Table 4-47 IP Source Guard Commands
Command
Function
Mode
Page
ip source-guard
Configures the switch to filter inbound traffic based on source IP
address, or source IP address and corresponding MAC address
IC
4-188
ip source-guard
binding
Adds a static address to the source-guard binding table
GC
4-190
show ip
source-guard
Shows whether source guard is enabled or disabled on each
interface
PE
4-191
show ip
source-guard
binding
Shows the source guard binding table
PE
4-191
ip source-guard
This command configures the switch to filter inbound traffic based source IP
address, or source IP address and corresponding MAC address. Use the no form to
disable this function.
Syntax
ip source-guard {sip | sip-mac}
no ip source-guard
• sip - Filters traffic based on IP addresses stored in the binding table.
• sip-mac - Filters traffic based on IP addresses and corresponding MAC
addresses stored in the binding table.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
• Source guard is used to filter traffic on an insecure port which receives
messages from outside the network or fire wall, and therefore may be subject
to traffic attacks caused by a host trying to use the IP address of a neighbor.
• Setting source guard mode to “sip” or “sip-mac” enables this function on the
selected port. Use the “sip” option to check the VLAN ID, source IP address,
and port number against all entries in the binding table. Use the “sip-mac”
option to check these same parameters, plus the source MAC address. Use
the no source guard command to disable this function on the selected port.
4-188
General Security Measures
4
• When enabled, traffic is filtered based upon dynamic entries learned via
DHCP snooping, or static addresses configured in the source guard binding
table.
• Table entries include a MAC address, IP address, lease time, entry type
(Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port
identifier.
• Static addresses entered in the source guard binding table with the ip
source-guard binding command (page 4-190) are automatically configured
with an infinite lease time. Dynamic entries learned via DHCP snooping are
configured by the DHCP server itself.
• If the IP source guard is enabled, an inbound packet’s IP address (sip option)
or both its IP address and corresponding MAC address (sip-mac option) will
be checked against the binding table. If no matching entry is found, the packet
will be dropped.
• Filtering rules are implemented as follows:
- If DHCP snooping is disabled (see page 4-181), IP source guard will check
the VLAN ID, source IP address, port number, and source MAC address
(for the sip-mac option). If a matching entry is found in the binding table and
the entry type is static IP source guard binding, the packet will be
forwarded.
- If the DHCP snooping is enabled, IP source guard will check the VLAN ID,
source IP address, port number, and source MAC address (for the sip-mac
option). If a matching entry is found in the binding table and the entry type
is static IP source guard binding, or dynamic DHCP snooping binding, the
packet will be forwarded.
- If IP source guard if enabled on an interface for which IP source bindings
(dynamically learned via DHCP snooping or manually configured) are not
yet configured, the switch will drop all IP traffic on that port, except for
DHCP packets.
Example
This example enables IP source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#
Related Commands
ip source-guard binding (4-190)
ip dhcp snooping (4-181)
ip dhcp snooping vlan (4-182)
4-189
4
Command Line Interface
ip source-guard binding
This command adds a static address to the source-guard binding table. Use the no
form to remove a static entry.
Syntax
ip source-guard binding mac-address vlan vlan-id ip-address
interface ethernet unit/port
no ip source-guard binding mac-address vlan vlan-id
•
•
•
•
•
mac-address - A valid unicast MAC address.
vlan-id - ID of a configured VLAN (Range: 1-4094)
ip-address - A valid unicast IP address, including classful types A, B or C.
unit - Stack unit. (Range: 1)
port - Port number. (Range: 1-28)
Default Setting
No configured entries
Command Mode
Global Configuration
Command Usage
• Table entries include a MAC address, IP address, lease time, entry type
(Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port
identifier.
• All static entries are configured with an infinite lease time, which is indicated
with a value of zero by the show ip source-guard command (page 4-191).
• When source guard is enabled, traffic is filtered based upon dynamic entries
learned via DHCP snooping, or static addresses configured in the source
guard binding table with this command.
• Static bindings are processed as follows:
- If there is no entry with same VLAN ID and MAC address, a new entry is
added to binding table using the type of static IP source guard binding.
- If there is an entry with same VLAN ID and MAC address, and the type of
entry is static IP source guard binding, then the new entry will replace the
old one.
- If there is an entry with same VLAN ID and MAC address, and the type of
the entry is dynamic DHCP snooping binding, then the new entry will
replace the old one and the entry type will be changed to static IP source
guard binding.
Example
This example configures a static source-guard binding on port 5.
Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1
192.168.0.99 interface ethernet 1/5
Console(config-if)#
4-190
General Security Measures
4
Related Commands
ip source-guard (4-188)
ip dhcp snooping (4-181)
ip dhcp snooping vlan (4-182)
show ip source-guard
This command shows whether source guard is enabled or disabled on each
interface.
Command Mode
Privileged Exec
Example
Console#show ip source-guard
Interface
Filter-type
------------------Eth 1/1
DISABLED
Eth 1/2
DISABLED
Eth 1/3
DISABLED
Eth 1/4
DISABLED
Eth 1/5
SIP
Eth
1/6
DISABLED
.
.
.
show ip source-guard binding
This command shows the source guard binding table.
Syntax
show ip source-guard binding [dhcp-snooping | static]
• dhcp-snooping - Shows dynamic entries configured with DHCP Snooping
commands (see page 4-180)
• static - Shows static entries configured with the ip source-guard binding
command (see page 4-190).
Command Mode
Privileged Exec
Example
Console#show ip source-guard binding
MacAddress
IpAddress
Lease(sec) Type
VLAN Interface
----------------- --------------- ---------- -------------------- ---- --------11-22-33-44-55-66 192.168.0.99
0 Static
1 Eth 1/5
Console#
4-191
4
Command Line Interface
ARP Inspection Commands
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution
Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings,
which forms the basis for certain “man-in-the-middle” attacks. This is accomplished
by intercepting all ARP requests and responses and verifying each of these packets
before the local ARP cache is updated or the packet is forwarded to the appropriate
destination, dropping any invalid ARP packets.
ARP Inspection determines the validity of an ARP packet based on valid IP-to-MAC
address bindings stored in a trusted database – the DHCP snooping binding
database. ARP Inspection can also validate ARP packets against user-configured
ARP access control lists (ACLs) for hosts with statically configured IP addresses.
This section describes commands used to configure ARP Inspection.
Table 4-48 ARP Inspection Commands
Command
Function
Mode
ip arp inspection
Enables ARP Inspection globally on the switch
GC
4-192
ip arp inspection vlan
Enables ARP Inspection for a specified VLAN or range of VLANs GC
4-193
ip arp inspection filter
Specifies an ARP ACL to apply to one or more VLANs
GC
4-194
ip arp inspection
validate
Specifies additional validation of address components in an ARP GC
packet
4-195
ip arp inspection
log-buffer logs
Sets the maximum number of entries saved in a log message,
and the rate at these messages are sent
4-196
ip arp inspection trust
Sets a port as trusted, and thus exempted from ARP Inspection IC
4-197
ip arp inspection limit
Sets a rate limit for the ARP packets received on a port
IC
4-197
show ip arp inspection Displays the global configuration settings for ARP Inspection
configuration
PE
4-198
show ip arp inspection Shows the trust status and inspection rate limit for ports
interface
PE
4-198
show ip arp inspection Shows configuration setting for VLANs, including ARP
vlan
Inspection status, the ARP ACL name, and if the DHCP
Snooping database is used after ACL validation is completed
PE
4-199
show ip arp inspection Shows information about entries stored in the log, including the PE
log
associated VLAN, port, and address components
4-199
show ip arp inspection Shows statistics about the number of ARP packets processed,
statistics
or dropped for various reasons
4-200
GC
PE
Page
ip arp inspection
This command enables ARP Inspection globally on the switch. Use the no form to
disable this function.
Syntax
[no] ip arp inspection
Default Setting
Disabled
4-192
4
General Security Measures
Command Mode
Global Configuration
Command Usage
• When ARP Inspection is enabled globally with this command, it becomes
active only on those VLANs where it has been enabled with the ip arp
inspection vlan command (page 4-193).
• When ARP Inspection is enabled globally and enabled on selected VLANs, all
ARP request and reply packets on those VLANs are redirected to the CPU
and their switching is handled by the ARP Inspection engine.
• When ARP Inspection is disabled globally, it becomes inactive for all VLANs,
including those where ARP Inspection is enabled.
• When ARP Inspection is disabled, all ARP request and reply packets bypass
the ARP Inspection engine and their manner of switching matches that of all
other packets.
• Disabling and then re-enabling global ARP Inspection will not affect the ARP
Inspection configuration for any VLANs.
• When ARP Inspection is disabled globally, it is still possible to configure ARP
Inspection for individual VLANs. These configuration changes will only
become active after ARP Inspection is globally enabled again.
Example
Console(config)#ip arp inspection
Console(config)#
ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs.
Use the no form to disable this function.
Syntax
[no] ip arp inspection vlan {vlan-id | vlan-range}
• vlan-id - VLAN ID. (Range: 1-4094)
• vlan-range - A consecutive range of VLANs indicated by the use a hyphen,
or a random group of VLANs with each entry separated by a comma.
Default Setting
Disabled on all VLANs
Command Mode
Global Configuration
Command Usage
• When ARP Inspection is enabled globally with the ip arp inspection
command (page 4-192), it becomes active only on those VLANs where it has
been enabled with this command.
4-193
4
Command Line Interface
• When ARP Inspection is enabled globally and enabled on selected VLANs, all
ARP request and reply packets on those VLANs are redirected to the CPU
and their switching is handled by the ARP Inspection engine.
• When ARP Inspection is disabled globally, it becomes inactive for all VLANs,
including those where ARP Inspection is enabled.
• When ARP Inspection is disabled, all ARP request and reply packets bypass
the ARP Inspection engine and their manner of switching matches that of all
other packets.
• Disabling and then re-enabling global ARP Inspection will not affect the ARP
Inspection configuration for any VLANs.
• When ARP Inspection is disabled globally, it is still possible to configure ARP
Inspection for individual VLANs. These configuration changes will only
become active after ARP Inspection is globally enabled again.
Example
Console(config)#ip arp inspection vlan 1,2
Console(config)#
ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no
form to remove an ACL binding.
Syntax
ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
• arp-acl-name - Name of an ARP ACL. (Maximum length: 16 characters)
• vlan-id - VLAN ID. (Range: 1-4094)
• vlan-range - A consecutive range of VLANs indicated by the use a hyphen,
or a random group of VLANs with each entry separated by a comma.
• static - ARP packets are only validated against the specified ACL, address
bindings in the DHCP snooping database is not checked.
Default Setting
ARP ACLs are not bound to any VLAN
Static mode is not enabled
Command Mode
Global Configuration
Command Usage
• ARP ACLs are configured with the commands described on page 4-212.
• If static mode is enabled, the switch compares ARP packets to the specified
ARP ACLs. Packets matching an IP-to-MAC address binding in a permit or
deny rule are processed accordingly. Packets not matching any of the ACL
rules are dropped. Address bindings in the DHCP snooping database are not
checked.
4-194
4
General Security Measures
• If static mode is not enabled, packets are first validated against the specified
ARP ACL. Packets matching a deny rule are dropped. All remaining packets
are validated against the address bindings in the DHCP snooping database.
Example
Console(config)#ip arp inspection filter sales vlan 1
Console(config)#
ip arp inspection validate
This command specifies additional validation of address components in an ARP
packet. Use the no form to restore the default setting.
Syntax
ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}
no ip arp inspection validate
• dst-mac - Checks the destination MAC address in the Ethernet header
against the target MAC address in the ARP body. This check is performed
for ARP responses. When enabled, packets with different MAC addresses
are classified as invalid and are dropped.
• ip - Checks the ARP body for invalid and unexpected IP addresses.
Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast
addresses. Sender IP addresses are checked in all ARP requests and
responses, while target IP addresses are checked only in ARP responses.
• src-mac - Checks the source MAC address in the Ethernet header
against the sender MAC address in the ARP body. This check is
performed on both ARP requests and responses. When enabled, packets
with different MAC addresses are classified as invalid and are dropped.
Default Setting
No additional validation is performed
Command Mode
Global Configuration
Command Usage
By default, ARP Inspection only checks the IP-to-MAC address bindings
specified in an ARP ACL or in the DHCP Snooping database.
Example
Console(config)#ip arp inspection validate dst-mac
Console(config)#
4-195
4
Command Line Interface
ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and
the rate at which these messages are sent. Use the no form to restore the default
settings.
Syntax
ip arp inspection log-buffer logs message-number interval seconds
no ip arp inspection log-buffer logs
• message-number - The maximum number of entries saved in a log
message. (Range: 0-256, where 0 means no events are saved)
• seconds - The interval at which log messages are sent. (Range: 0-86400)
Default Setting
Message Number: 5
Interval: 1 second
Command Mode
Global Configuration
Command Usage
• ARP Inspection must be enabled with the ip arp inspection command
(page 4-192) before this command will be accepted by the switch.
• By default, logging is active for ARP Inspection, and cannot be disabled.
• When the switch drops a packet, it places an entry in the log buffer. Each entry
contains flow information, such as the receiving VLAN, the port number, the
source and destination IP addresses, and the source and destination MAC
addresses.
• If multiple, identical invalid ARP packets are received consecutively on the
same VLAN, then the logging facility will only generate one entry in the log
buffer and one corresponding system message.
• The maximum number of entries that can be stored in the log buffer is
determined by the message-number parameter. If the log buffer fills up before
a message is sent, the oldest entry will be replaced with the newest one.
• The switch generates a system message on a rate-controlled basis
determined by the seconds values. After the system message is generated,
all entries are cleared from the log buffer.
Example
Console(config)#ip arp inspection log-buffer logs 1 interval 10
Console(config)#
4-196
4
General Security Measures
ip arp inspection trust
This command sets a port as trusted, and thus exempted from ARP Inspection. Use
the no form to restore the default setting.
Syntax
[no] ip arp inspection trust
Default Setting
Untrusted
Command Mode
Interface Configuration (Port)
Command Usage
Packets arriving on untrusted ports are subject to any configured ARP
Inspection and additional validation checks. Packets arriving on trusted ports
bypass all of these checks, and are forwarded according to normal switching
rules.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust
Console(config-if)#
ip arp inspection limit
This command sets a rate limit for the ARP packets received on a port. Use the no
form to restore the default setting.
Syntax
ip arp inspection limit {rate pps | none}
no ip arp inspection limit
• pps - The maximum number of ARP packets that can be processed by the
CPU per second. (Range: 0-2048, where 0 means that no ARP packets
can be forwarded)
• none - There is no limit on the number of ARP packets that can be
processed by the CPU.
Default Setting
15
Command Mode
Interface Configuration (Port)
Command Usage
• This command only applies to untrusted ports.
• When the rate of incoming ARP packets exceeds the configured limit, the
switch drops all ARP packets in excess of the limit.
4-197
4
Command Line Interface
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection limit 150
Console(config-if)#
show ip arp inspection configuration
This command displays the global configuration settings for ARP Inspection.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection configuration
ARP inspection global information:
Global IP ARP Inspection status
Log Message Interval
Log Message Number
Need Additional Validation(s)
Additional Validation Type
Console#
:
:
:
:
:
disabled
10 s
1
Yes
Destination MAC address
show ip arp inspection interface
This command shows the trust status and ARP Inspection rate limit for ports.
Syntax
ip arp inspection interface [interface]
interface
ethernet unit/port
• unit - Stack unit. (Range: 1)
• port - Port number. (Range: 1-28)
Command Mode
Privileged Exec
Example
Console#show ip arp inspection interface ethernet 1/1
Port Number
------------Eth 1/1
Console#
4-198
Trust Status
-------------------trusted
Limit Rate (pps)
-----------------------------150
General Security Measures
4
show ip arp inspection vlan
This command shows the configuration settings for VLANs, including ARP
Inspection status, the ARP ACL name, and if the DHCP Snooping database is used
after ARP ACL validation is completed.
Syntax
show ip arp inspection vlan [vlan-id | vlan-range]
• vlan-id - VLAN ID. (Range: 1-4094)
• vlan-range - A consecutive range of VLANs indicated by the use a hyphen,
or a random group of VLANs with each entry separated by a comma.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection vlan 1
VLAN ID
-------1
Console#
DAI Status
--------------disabled
ACL Name
-------------------sales
ACL Status
-------------------static
show ip arp inspection log
This command shows information about entries stored in the log, including the
associated VLAN, port, and address components.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address
--- ---- ---- -------------1
1
11 192.168.2.2
Console#
Dst IP Address
-------------192.168.2.1
Src MAC Address Dst MAC Address
--------------- --------------00-04-E2-A0-E2-7C FF-FF-FF-FF-FF-FF
4-199
4
Command Line Interface
show ip arp inspection statistics
This command shows statistics about the number of ARP packets processed, or
dropped for various reasons.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address
--- ---- ---- -------------- -------------Console#show ip arp inspection statistics
Src MAC Address
---------------
Dst MAC Address
---------------
ARP packets received before rate limit
:
ARP packets dropped due to rate limt
:
Total ARP packets processed by ARP Inspection
:
ARP packets dropped by additional validation (source MAC address)
:
ARP packets dropped by additional validation (destination MAC address):
ARP packets dropped by additional validation (IP address)
:
ARP packets dropped by ARP ACLs
:
ARP packets dropped by DHCP snooping
:
150
5
150
0
0
0
0
0
Console#
Access Control List Commands
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on
address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames
(based on address or DSCP traffic class), or any frames (based on MAC address or
Ethernet type). To filter packets, first create an access list, add the required rules,
and then bind the list to a specific port. This section describes the Access Control
List commands.
Table 4-49 Access Control Lists
Command Groups
Function
Page
IPv4 ACLs
Configures ACLs based on IPv4 addresses, TCP/UDP port number,
protocol type, and TCP control code
4-201
IPv6 ACLs
Configures ACLs based on IPv6 addresses or DSCP traffic class
4-207
ARP ACLs
Configures ACLs based on ARP messages addresses
4-212
MAC ACLs
Configures ACLs based on hardware addresses, packet format, and
Ethernet type
4-216
ACL Information
Displays ACLs and associated rules; shows ACLs assigned to each port 4-220
4-200
Access Control List Commands
4
IPv4 ACLs
The commands in this section configure ACLs based on IP addresses, TCP/UDP
port number, protocol type, and TCP control code. To configure IP ACLs, first create
an access list containing the required permit or deny rules, and then bind the access
list to one or more ports.
Table 4-50 IPv4 ACL Commands
Command
Function
Mode
Page
access-list rule-mode
Permits only extended rules, or permits both standard and GC
extended rules
4-201
access-list ip
Creates an IPv4 ACL and enters configuration mode for
standard or extended IPv4 ACLs
GC
4-202
permit, deny
Filters packets matching a specified source IPv4 address
STD-ACL
4-203
permit, deny
Filters packets meeting the specified criteria, including
source and destination IPv4 address, TCP/UDP port
number, protocol type, and TCP control code
EXT-ACL
4-204
show ip access-list
Displays the rules for configured IPv4 ACLs
PE
4-206
ip access-group
Adds a port to an IPv4 ACL
IC
4-206
show ip access-group
Shows port assignments for IPv4 ACLs
PE
4-206
access-list rule-mode
This command restricts access lists to only extended rules, or permits both standard
and extended rules. Use the no form to restore the default setting.
Syntax
access-list rule-mode {extended | mixed}
[no] access-list rule-mode
• extended – The system only permits extended rules, each of which
occupies the space of two standard rules.
• mixed – The system permits both standard and extended rules.
Default Setting
Extended mode
Command Mode
Global Configuration
Command Usage
When the rule mode is set to mixed, the following features are not supported:
• When the rule mode is changed, the change must be saved in the startup
configuration file, and the switch rebooted for the new mode to take effect.
• When using extended rule mode, each rule used in an ACL occupies the
space of two standard rules.
4-201
4
Command Line Interface
• When using mixed rule mode, either standard or extended rules can be used.
However, the rules used in the same ACL must either be all standard or all
extended rules. If standard rules are used for all ACLs, the maximum number
of rules permitted by the system can be used.
• When using mixed rule mode, the following functions are not supported:
DHCP Snooping, IP Source Guard, Web Authentication, Switch Cluster,
UPnP, MAC-Based VLANs, MVR, and OAM.
• If the rule mode is changed from the default setting, the current status can be
displayed with the show running-config (page 4-31) and show
startup-config (page 4-29) commands.
Example
Console(config)#access-list rule-mode extended
Warning: This will take effect only after rebooting the switch.
Console(config)#
access-list ip
This command adds an IP access list and enters configuration mode for standard or
extended IPv4 ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl-name
• standard – Specifies an ACL that filters packets based on the source IP
address.
• extended – Specifies an ACL that filters packets based on the source or
destination IP address, and other more specific criteria.
• acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces)
Default Setting
None
Command Mode
Global Configuration
Command Usage
• When you create a new ACL or enter configuration mode for an existing ACL,
use the permit or deny command to add new rules to the bottom of the list.
To create an ACL, you must add at least one rule to the list.
• To remove a rule, use the no permit or no deny command followed by the
exact text of a previously configured rule.
• An ACL can contain up to 100 rules.
Example
Console(config)#access-list ip standard david
Console(config-std-acl)#
4-202
Access Control List Commands
4
Related Commands
permit, deny 4-203
ip access-group (4-206)
show ip access-list (4-206)
permit, deny (Standard IPv4 ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition
for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
[no] {permit | deny} {any | source bitmask | host source}
•
•
•
•
any – Any source IP address.
source – Source IP address.
bitmask – Decimal number representing the address bits to match.
host – Keyword followed by a specific IP address.
Default Setting
None
Command Mode
Standard IPv4 ACL
Command Usage
• New rules are appended to the end of the list.
• Address bitmasks are similar to a subnet mask, containing four integers from
0 to 255, each separated by a period. The binary mask uses 1 bits to indicate
“match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the
specified source IP address, and then compared with the address for each IP
packet entering the port(s) to which this ACL has been assigned.
Example
This example configures one permit rule for the specific address 10.1.1.21 and
another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.
Console(config-std-acl)#permit host 10.1.1.21
Console(config-std-acl)#permit 168.92.16.0 255.255.240.0
Related Commands
access-list ip (4-202)
4-203
4
Command Line Interface
permit, deny (Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition
for packets with specific source or destination IP addresses, protocol types, source
or destination protocol ports, or TCP control codes. Use the no form to remove a
rule.
Syntax
[no] {permit | deny} [protocol-number | udp]
{any | source address-bitmask | host source}
{any | destination address-bitmask | host destination}
[precedence precedence] [tos tos] [dscp dscp]
[source-port sport [bitmask]] [destination-port dport [port-bitmask]]
[no] {permit | deny} tcp
{any | source address-bitmask | host source}
{any | destination address-bitmask | host destination}
[precedence precedence] [tos tos] [dscp dscp]
[source-port sport [bitmask]] [destination-port dport [port-bitmask]]
[control-flag control-flags flag-bitmask]
•
•
•
•
•
•
•
•
•
•
•
protocol-number – A specific protocol number. (Range: 0-255)
source – Source IP address.
destination – Destination IP address.
address-bitmask – Decimal number representing the address bits to match.
host – Keyword followed by a specific IP address.
precedence – IP precedence level. (Range: 0-7)
tos – Type of Service level. (Range: 0-15)
dscp – DSCP priority level. (Range: 0-63)
sport – Protocol24 source port number. (Range: 0-65535)
dport – Protocol24 destination port number. (Range: 0-65535)
port-bitmask – Decimal number representing the port bits to match.
(Range: 0-65535)
• control-flags – Decimal number (representing a bit string) that specifies flag
bits in byte 14 of the TCP header. (Range: 0-63)
• flag-bitmask – Decimal number representing the code bits to match.
Default Setting
None
Command Mode
Extended IPv4 ACL
24. Includes TCP, UDP or other protocol types.
4-204
4
Access Control List Commands
Command Usage
• All new rules are appended to the end of the list.
• Address bitmasks are similar to a subnet mask, containing four integers from
0 to 255, each separated by a period. The binary mask uses 1 bits to indicate
“match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the
specified source IP address, and then compared with the address for each IP
packet entering the port(s) to which this ACL has been assigned.
• You can specify both Precedence and ToS in the same rule. However, if
DSCP is used, then neither Precedence nor ToS can be specified.
• The control-code bitmask is a decimal number (representing an equivalent bit
mask) that is applied to the control code. Enter a decimal number, where the
equivalent binary bit “1” means to match a bit and “0” means to ignore a bit.
The following bits may be specified:
- 1 (fin) – Finish
- 2 (syn) – Synchronize
- 4 (rst) – Reset
- 8 (psh) – Push
- 16 (ack) – Acknowledgement
- 32 (urg) – Urgent pointer
For example, use the code value and mask below to catch packets with the
following flags set:
- SYN flag valid, use “control-code 2 2”
- Both SYN and ACK valid, use “control-code 18 18”
- SYN valid and ACK invalid, use “control-code 2 18”
Example
This example accepts any incoming packets if the source address is within subnet
10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0)
equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#
This allows TCP packets from class C addresses 192.168.1.0 to any destination
address when set for destination TCP port 80 (i.e., HTTP).
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any
destination-port 80
Console(config-ext-acl)#
This permits all TCP packets from class C addresses 192.168.1.0 with the TCP
control code set to “SYN.”
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any
control-flag 2 2
Console(config-ext-acl)#
4-205
4
Command Line Interface
Related Commands
access-list ip (4-202)
show ip access-list
This command displays the rules for configured IPv4 ACLs.
Syntax
show ip access-list {standard | extended} [acl-name]
• standard – Specifies a standard IP ACL.
• extended – Specifies an extended IP ACL.
• acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces)
Command Mode
Privileged Exec
Example
Console#show ip access-list standard
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.0 255.255.255.0
Console#
Related Commands
permit, deny 4-203
ip access-group (4-206)
ip access-group
This command binds a port to an IPv4 ACL. Use the no form to remove the port.
Syntax
[no] ip access-group acl-name in
• acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces)
• in – Indicates that this list applies to ingress packets.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.
• If a port is already bound to an ACL and you bind it to a different ACL, the
switch will replace the old binding with the new one.
4-206
Access Control List Commands
4
Example
Console(config)#int eth 1/25
Console(config-if)#ip access-group david in
Console(config-if)#
Related Commands
show ip access-list (4-206)
show ip access-group
This command shows the ports assigned to IPv4 ACLs.
Command Mode
Privileged Exec
Example
Console#show ip access-group
Interface ethernet 1/25
IP access-list david in
Console#
Related Commands
ip access-group (4-206)
IPv6 ACLs
The commands in this section configure ACLs based on IPv6 addresses, next
header type, and flow label. To configure IPv6 ACLs, first create an access list
containing the required permit or deny rules, and then bind the access list to one or
more ports.
Table 4-51 IPv6 ACL Commands
Command
Function
Mode
Page
access-list ipv6
Creates an IPv6 ACL and enters configuration mode for
standard or extended IPv6 ACLs
GC
4-208
permit, deny
Filters packets matching a specified source IPv6 address
IPv6STD-ACL
4-209
permit, deny
Filters packets meeting the specified criteria, including
destination IPv6 address or DSCP traffic class
IPv6EXT-ACL
4-210
show ipv6 access-list
Displays the rules for configured IPv6 ACLs
PE
4-211
ipv6 access-group
Adds a port to an IPv6 ACL
IC
4-211
show ipv6 access-group
Shows port assignments for IPv6 ACLs
PE
4-212
4-207
4
Command Line Interface
access-list ipv6
This command adds an IP access list and enters configuration mode for standard or
extended IPv6 ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ipv6 {standard | extended} acl-name
• standard – Specifies an ACL that filters packets based on the source IP
address.
• extended – Specifies an ACL that filters packets based on the destination
IP address, and other more specific criteria.
• acl-name – Name of the ACL. (Maximum length: 16 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
• When you create a new ACL or enter configuration mode for an existing ACL,
use the permit or deny command to add new rules to the bottom of the list.
To create an ACL, you must add at least one rule to the list.
• To remove a rule, use the no permit or no deny command followed by the
exact text of a previously configured rule.
• An ACL can contain up to 64 rules.
Example
Console(config)#access-list ipv6 standard david
Console(config-std-ipv6-acl)#
Related Commands
permit, deny (4-209)
ipv6 access-group (4-211)
show ipv6 access-list (4-211)
4-208
Access Control List Commands
4
permit, deny (Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition
for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
[no] {permit | deny}
{any | host source-ipv6-address | source-ipv6-address[/prefix-length]}
• any – Any source IP address (an abbreviation for the IPv6 prefix ::/0).
• host – Keyword followed by a specific source IP address.
• source-ipv6-address - An IPv6 source address or network class. The
address must be formatted according to RFC 2373 “IPv6 Addressing
Architecture,” using 8 colon-separated 16-bit hexadecimal values. One
double colon may be used in the address to indicate the appropriate
number of zeros required to fill the undefined fields.
• prefix-length - A decimal value indicating how many contiguous bits (from
the left) of the address comprise the prefix; i.e., the network portion of the
address. (Range: 0-128)
Default Setting
None
Command Mode
Standard IPv6 ACL
Command Usage
New rules are appended to the end of the list.
Example
This example configures one permit rule for the specific address 2009:DB9:2229::79
and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79
Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64
Console(config-std-ipv6-acl)#
Related Commands
access-list ipv6 (4-208)
4-209
4
Command Line Interface
permit, deny (Extended IPv6 ACL)
This command adds a rule to an Extended IPv6 ACL. The rule sets a filter condition
for packets with specific destination IP addresses, next header type, or flow label.
Use the no form to remove a rule.
Syntax
[no] {permit | deny}
{any | host source-ipv6-address | source-ipv6-address[/prefix-length]}
{any | destination-ipv6-address[/prefix-length]} [dscp dscp]
• any – Any IP address (an abbreviation for the IPv6 prefix ::/0).
• host – Keyword followed by a specific source IP address.
• source-ipv6-address - An IPv6 source address or network class. The
address must be formatted according to RFC 2373 “IPv6 Addressing
Architecture,” using 8 colon-separated 16-bit hexadecimal values. One
double colon may be used in the address to indicate the appropriate
number of zeros required to fill the undefined fields.
• destination-ipv6-address - An IPv6 destination address or network class.
The address must be formatted according to RFC 2373 “IPv6 Addressing
Architecture,” using 8 colon-separated 16-bit hexadecimal values. One
double colon may be used in the address to indicate the appropriate
number of zeros required to fill the undefined fields. (The switch only checks
the first 64 bits of the destination address.)
• prefix-length - A decimal value indicating how many contiguous bits (from
the left) of the address comprise the prefix; i.e., the network portion of the
address. (Range: 0-128 for source prefix, 0-8 for destination prefix)
• dscp – DSCP traffic class. (Range: 0-63)
Default Setting
None
Command Mode
Extended IPv6 ACL
Command Usage
All new rules are appended to the end of the list.
Example
This example accepts any incoming packets if the destination address is
2009:DB9:2229::79/8.
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8
Console(config-ext-ipv6-acl)#
This allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit any dscp 5
Console(config-ext-ipv6-acl)#
4-210
4
Access Control List Commands
Related Commands
access-list ipv6 (4-208)
show ipv6 access-list
This command displays the rules for configured IPv6 ACLs.
Syntax
show ip access-list {standard | extended} [acl-name]
• standard – Specifies a standard IPv6 ACL.
• extended – Specifies an extended IPv6 ACL.
• acl-name – Name of the ACL. (Maximum length: 16 characters)
Command Mode
Privileged Exec
Example
Console#show ipv6 access-list standard
IPv6 standard access-list david:
permit host 2009:DB9:2229::79
permit 2009:DB9:2229:5::/64
Console#
Related Commands
permit, deny (4-209)
ipv6 access-group (4-211)
ipv6 access-group
This command binds a port to an IPv6 ACL. Use the no form to remove the port.
Syntax
[no] ipv6 access-group acl-name in
• acl-name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.
• If a port is already bound to an ACL and you bind it to a different ACL, the
switch will replace the old binding with the new one.
• IPv6 ACLs can only be applied to ingress packets.
4-211
4
Command Line Interface
Example
Console(config)#int eth 1/2
Console(config-if)#ipv6 access-group standard david in
Console(config-if)#
Related Commands
show ipv6 access-list (4-211)
show ipv6 access-group
This command shows the ports assigned to IPv6 ACLs.
Command Mode
Privileged Exec
Example
Console#show ip access-group
Interface ethernet 1/2
IPv6 standard access-list david in
Console#
Related Commands
ipv6 access-group (4-211)
ARP ACLs
The commands in this section configure ACLs based on the IP or MAC address
contained in ARP request and reply messages. To configure ARP ACLs, first create
an access list containing the required permit or deny rules, and then bind the access
list to one or more VLANs using the ip arp inspection vlan command (page 4-193).
Table 4-52 ARP ACL Commands
Command
Function
Mode
Page
access-list arp
Creates a ARP ACL and enters configuration mode
GC
4-213
permit, deny
Filters packets matching a specified source or destination ARP-ACL
address in ARP messages
4-214
show arp access-list
Displays the rules for configured ARP ACLs
4-215
4-212
PE
Access Control List Commands
4
access-list arp
This command adds an ARP access list and enters ARP ACL configuration mode.
Use the no form to remove the specified ACL.
Syntax
[no] access-list arp acl-name
acl-name – Name of the ACL. (Maximum length: 16 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
• When you create a new ACL or enter configuration mode for an existing ACL,
use the permit or deny command to add new rules to the bottom of the list.
To create an ACL, you must add at least one rule to the list.
• To remove a rule, use the no permit or no deny command followed by the
exact text of a previously configured rule.
• An ACL can contain up to 64 rules.
Example
Console(config)#access-list arp factory
Console(config-arp-acl)#
Related Commands
permit, deny (4-214)
show arp access-list (4-215)
4-213
4
Command Line Interface
permit, deny (ARP ACL)
This command adds a rule to an ARP ACL. The rule filters packets matching a
specified source or destination address in ARP messages. Use the no form to
remove a rule.
Syntax
[no] {permit | deny}
ip {any | host source-ip | source-ip ip-address-bitmask}
mac {any | host source-ip | source-ip ip-address-bitmask} [log]
Note: This form indicates either request or response packets.
[no] {permit | deny} request
ip {any | host source-ip | source-ip ip-address-bitmask}
mac {any | host source-mac | source-mac mac-address-bitmask} [log]
[no] {permit | deny} response
ip {any | host source-ip | source-ip ip-address-bitmask}
{any | host destination-ip | destination-ip ip-address-bitmask}
mac {any | host source-mac | source-mac mac-address-bitmask}
[any | host destination-mac | destination-mac mac-address-bitmask] [log]
• source-ip – Source IP address.
• destination-ip – Destination IP address with bitmask.
• ip-address-bitmask25 – IPv4 number representing the address bits to
match.
• source-mac – Source MAC address.
• destination-mac – Destination MAC address range with bitmask.
• mac-address-bitmask25 – Bitmask for MAC address (in hexidecimal
format).
• log - Logs a packet when it matches the access control entry.
Default Setting
None
Command Mode
ARP ACL
Command Usage
New rules are added to the end of the list.
Example
This rule permits packets from any source IP and MAC address to the destination
subnet address 192.168.0.0.
Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac
any any
Console(config-mac-acl)#
25. For all bitmasks, binary “1” means care and “0” means ignore.
4-214
Access Control List Commands
4
Related Commands
access-list arp (4-213)
show arp access-list
This command displays the rules for configured ARP ACLs.
Syntax
show arp access-list [acl-name]
acl-name – Name of the ACL. (Maximum length: 16 characters)
Command Mode
Privileged Exec
Example
Console#show arp access-list
ARP access-list factory:
permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console#
Related Commands
permit, deny 4-214
4-215
4
Command Line Interface
MAC ACLs
The commands in this section configure ACLs based on hardware addresses,
packet format, and Ethernet type. To configure MAC ACLs, first create an access list
containing the required permit or deny rules, and then bind the access list to one or
more ports.
Table 4-53 MAC ACL Commands
Command
Function
Mode
Page
access-list mac
Creates a MAC ACL and enters configuration mode
GC
4-216
permit, deny
Filters packets matching a specified source and
destination address, packet format, and Ethernet type
MAC-ACL
4-217
show mac access-list
Displays the rules for configured MAC ACLs
PE
4-218
mac access-group
Adds a port to a MAC ACL
IC
4-219
show mac access-group
Shows port assignments for MAC ACLs
PE
4-219
access-list mac
This command adds a MAC access list and enters MAC ACL configuration mode.
Use the no form to remove the specified ACL.
Syntax
[no] access-list mac acl-name
acl-name – Name of the ACL. (Maximum length: 16 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
• When you create a new ACL or enter configuration mode for an existing ACL,
use the permit or deny command to add new rules to the bottom of the list.
To create an ACL, you must add at least one rule to the list.
• To remove a rule, use the no permit or no deny command followed by the
exact text of a previously configured rule.
• An ACL can contain up to 64 rules.
Example
Console(config)#access-list mac jerry
Console(config-mac-acl)#
Related Commands
permit, deny (4-217)
mac access-group (4-219)
show mac access-list (4-218)
4-216
4
Access Control List Commands
permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a
specified MAC source or destination address (i.e., physical layer address), or
Ethernet protocol type. Use the no form to remove a rule.
Syntax
[no] {permit | deny}
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[cos cos cos-bitmask] [vid vid vid-bitmask]
[ethertype protocol [protocol-bitmask]]
Note: The default is for Ethernet II packets.
[no] {permit | deny} tagged-eth2
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[cos cos cos-bitmask] [vid vid vid-bitmask]
[ethertype protocol [protocol-bitmask]]
[no] {permit | deny} untagged-eth2
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[ethertype protocol [protocol-bitmask]]
[no] {permit | deny} tagged-802.3
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[cos cos cos-bitmask] [vid vid vid-bitmask]
[no] {permit | deny} untagged-802.3
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
•
•
•
•
•
•
•
•
•
•
•
•
•
tagged-eth2 – Tagged Ethernet II packets.
untagged-eth2 – Untagged Ethernet II packets.
tagged-802.3 – Tagged Ethernet 802.3 packets.
untagged-802.3 – Untagged Ethernet 802.3 packets.
any – Any MAC source or destination address.
host – A specific MAC address.
source – Source MAC address.
destination – Destination MAC address range with bitmask.
address-bitmask26 – Bitmask for MAC address (in hexidecimal format).
cos – Class-of-Service value (Range: 0-7)
cos-bitmask26 – Class-of-Service bitmask. (Range: 0-7)
vid – VLAN ID. (Range: 1-4094)
vid-bitmask26 – VLAN bitmask. (Range: 1-4095)
26. For all bitmasks, “1” means care and “0” means ignore.
4-217
4
Command Line Interface
• protocol – A specific Ethernet protocol number. (Range: 600-fff hex.)
• protocol-bitmask26 – Protocol bitmask. (Range: 600-fff hex.)
Default Setting
None
Command Mode
MAC ACL
Command Usage
• New rules are added to the end of the list.
• The ethertype option can only be used to filter Ethernet II formatted packets.
• A detailed listing of Ethernet protocol types can be found in RFC 1060. A few
of the more common types include the following:
- 0800 - IP
- 0806 - ARP
- 8137 - IPX
Example
This rule permits packets from any source MAC address to the destination address
00-e0-29-94-34-de where the Ethernet type is 0800.
Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
Console(config-mac-acl)#
Related Commands
access-list mac (4-216)
show mac access-list
This command displays the rules for configured MAC ACLs.
Syntax
show mac access-list [acl-name]
acl-name – Name of the ACL. (Maximum length: 16 characters)
Command Mode
Privileged Exec
Example
Console#show mac access-list
MAC access-list jerry:
permit any 00-e0-29-94-34-de ethertype 0800
Console#
Related Commands
permit, deny 4-217
mac access-group (4-219)
4-218
4
Access Control List Commands
mac access-group
This command binds a port to a MAC ACL. Use the no form to remove the port.
Syntax
mac access-group acl-name in
• acl-name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.
• If a port is already bound to an ACL and you bind it to a different ACL, the
switch will replace the old binding with the new one.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#mac access-group jerry in
Console(config-if)#
Related Commands
show mac access-list (4-218)
show mac access-group
This command shows the ports assigned to MAC ACLs.
Command Mode
Privileged Exec
Example
Console#show mac access-group
Interface ethernet 1/5
MAC access-list M5 in
Console#
Related Commands
mac access-group (4-219)
4-219
4
Command Line Interface
ACL Information
Table 4-54 ACL Information
Command
Function
Mode
Page
show access-list
Show all ACLs and associated rules
PE
4-220
show access-group
Shows the ACLs assigned to each port
PE
4-220
show access-list
This command shows all ACLs and associated rules.
Command Mode
Privileged Exec
Example
Console#show access-list
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.16.0 255.255.240.0
IP extended access-list bob:
permit 10.7.1.1 255.255.255.0 any
permit 192.168.1.0 255.255.255.0 any destination-port 80 80
permit 192.168.1.0 255.255.255.0 any protocol tcp control-code 2 2
IP access-list jerry:
permit any host 00-30-29-94-34-de ethertype 800 800
IP extended access-list A6:
deny tcp any any control-flag 2 2
permit any any
Console#
show access-group
This command shows the port assignments of ACLs.
Command Mode
Privileged Executive
Example
Console#show access-group
Interface ethernet 1/1
IP access-list jerry in
.
.
.
Interface ethernet 1/28
IP access-list jerry in
Console#
4-220
4
Interface Commands
Interface Commands
These commands are used to display or set communication parameters for an
Ethernet port, aggregated link, or VLAN.
Table 4-55
Interface Commands
Command
Function
Mode
Page
interface
Configures an interface type and enters interface configuration
mode
GC
4-222
description
Adds a description to an interface configuration
IC
4-222
speed-duplex
Configures the speed and duplex operation of a given interface IC
when autonegotiation is disabled
4-223
negotiation
Enables autonegotiation of a given interface
IC
4-224
capabilities
Advertises the capabilities of a given interface for use in
autonegotiation
IC
4-225
flowcontrol
Enables flow control on a given interface
IC
4-226
media-type
Forces port type selected for combination ports
IC
4-227
giga-phy-mode
Forces two connected ports in to a master/slave configuration to IC
enable 1000BASE-T full duplex
4-227
shutdown
Disables an interface
IC
4-228
switchport packet-rate* Configures storm control thresholds
IC
4-229
clear counters
Clears statistics on an interface
PE
4-230
show interfaces brief
Displays a summary of key information, including operational
PE
status, native VLAN ID, default priority, speed/duplex mode, and
port type
4-231
show interfaces status Displays status for the specified interface
NE, PE
4-231
show interfaces
counters
Displays statistics for the specified interfaces
NE, PE
4-232
show interfaces
switchport
Displays the administrative and operational status of an
interface
NE, PE
4-233
* Enabling hardware-level storm control with this command on a port will disable software-level automatic storm
control on the same port if configured by the auto-traffic-control command (page 4-240).
4-221
4
Command Line Interface
interface
This command configures an interface type and enters interface configuration mode.
Use the no form to remove a trunk.
Syntax
interface interface
no interface port-channel channel-id
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-28)
• port-channel channel-id (Range: 1-8)
• vlan vlan-id (Range: 1-4094)
Default Setting
None
Command Mode
Global Configuration
Example
To specify port 24, enter the following command:
Console(config)#interface ethernet 1/24
Console(config-if)#
description
This command adds a description to an interface. Use the no form to remove the
description.
Syntax
description string
no description
string - Comment or a description to help you remember what is attached
to this interface. (Range: 1-64 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet, Port Channel)
4-222
4
Interface Commands
Command Usage
The description is displayed by the show interfaces status command
(page 4-231) and in the running-configuration file. An example of the value
which a network manager might store in this object is the name of the
manufacturer, and the product name.
Example
The following example adds a description to port 24.
Console(config)#interface ethernet 1/24
Console(config-if)#description RD-SW#3
Console(config-if)#
speed-duplex
This command configures the speed and duplex mode of a given interface when
autonegotiation is disabled. Use the no form to restore the default.
Syntax
speed-duplex {1000full | 100full | 100half | 10full | 10half}
no speed-duplex
•
•
•
•
•
1000full - Forces 1000 Mbps full-duplex operation
100full - Forces 100 Mbps full-duplex operation
100half - Forces 100 Mbps half-duplex operation
10full - Forces 10 Mbps full-duplex operation
10half - Forces 10 Mbps half-duplex operation
Default Setting
• Auto-negotiation is enabled by default.
• When auto-negotiation is disabled, the default speed-duplex setting for
Gigabit Ethernet ports is 100full.
• 100BASE-FX ports are fixed at 100 Mbps, full-duplex.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• The 1000BASE-T standard does not support forced mode. Auto-negotiation
should always be used to establish a connection over any 1000BASE-T port
or trunk. If not used, the success of the link process cannot be guaranteed
when connecting to other types of switches. However, this switch does
provide a means of safely forcing a link to operate at 1000 Mbps, full-duplex
using the giga-phy-mode command (page 4-227).
• To force operation to the speed and duplex mode specified in a speed-duplex
command, use the no negotiation command to disable auto-negotiation on
the selected interface.
4-223
4
Command Line Interface
• When using the negotiation command to enable auto-negotiation, the
optimal settings will be determined by the capabilities command. To set the
speed/duplex mode under auto-negotiation, the required mode must be
specified in the capabilities list for an interface.
Example
The following example configures port 5 to 100 Mbps, half-duplex operation.
Console(config)#interface ethernet 1/5
Console(config-if)#speed-duplex 100half
Console(config-if)#no negotiation
Console(config-if)#
Related Commands
negotiation (4-224)
capabilities (4-225)
negotiation
This command enables autonegotiation for a given interface. Use the no form to
disable autonegotiation.
Syntax
[no] negotiation
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• When auto-negotiation is enabled the switch will negotiate the best settings
for a link based on the capabilities command. When auto-negotiation is
disabled, you must manually specify the link attributes with the speed-duplex
and flowcontrol commands.
• If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will
also be disabled for the RJ-45 ports.
Example
The following example configures port 11 to use autonegotiation.
Console(config)#interface ethernet 1/11
Console(config-if)#negotiation
Console(config-if)#
Related Commands
capabilities (4-225)
speed-duplex (4-223)
4-224
4
Interface Commands
capabilities
This command advertises the port capabilities of a given interface during
autonegotiation. Use the no form with parameters to remove an advertised
capability, or the no form without parameters to restore the default values.
Syntax
[no] capabilities {1000full | 100full | 100half | 10full | 10half | flowcontrol |
symmetric}
•
•
•
•
•
•
•
1000full - Supports 1000 Mbps full-duplex operation
100full - Supports 100 Mbps full-duplex operation
100half - Supports 100 Mbps half-duplex operation
10full - Supports 10 Mbps full-duplex operation
10half - Supports 10 Mbps half-duplex operation
flowcontrol - Supports flow control
symmetric (Gigabit only) - When specified, the port transmits and receives
pause frames; when not specified, the port will auto-negotiate to determine
the sender and receiver for asymmetric pause frames. (The current switch
ASIC only supports symmetric pause frames.)
Default Setting
• 100BASE-FX: 100full
• 1000BASE-T: 10half, 10full, 100half, 100full, 1000full
• SFP: 1000full
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
When auto-negotiation is enabled with the negotiation command, the switch
will negotiate the best settings for a link based on the capabilites command.
When auto-negotiation is disabled, you must manually specify the link
attributes with the speed-duplex and flowcontrol commands.
Example
The following example configures Ethernet port 25 capabilities to 100half, 100full
and flow control.
Console(config)#interface ethernet 1/25
Console(config-if)#capabilities 100half
Console(config-if)#capabilities 100full
Console(config-if)#capabilities flowcontrol
Console(config-if)#
4-225
4
Command Line Interface
Related Commands
negotiation (4-224)
speed-duplex (4-223)
flowcontrol (4-226)
flowcontrol
This command enables flow control. Use the no form to disable flow control.
Syntax
[no] flowcontrol
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• Flow control can eliminate frame loss by “blocking” traffic from end stations or
segments connected directly to the switch when its buffers fill. When enabled,
back pressure is used for half-duplex operation and IEEE 802.3-2005
(formally IEEE 802.3x) for full-duplex operation.
• To force flow control on or off (with the flowcontrol or no flowcontrol
command), use the no negotiation command to disable auto-negotiation on
the selected interface.
• When using the negotiation command to enable auto-negotiation, the
optimal settings will be determined by the capabilities command. To enable
flow control under auto-negotiation, “flowcontrol” must be included in the
capabilities list for any port
• Avoid using flow control on a port connected to a hub unless it is actually
required to solve a problem. Otherwise back pressure jamming signals may
degrade overall performance for the segment attached to the hub.
Example
The following example enables flow control on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#flowcontrol
Console(config-if)#no negotiation
Console(config-if)#
Related Commands
negotiation (4-224)
capabilities (flowcontrol, symmetric) (4-225)
4-226
4
Interface Commands
media-type
This command forces the port type selected for combination ports 25-26. Use the no
form to restore the default mode.
Syntax
media-type mode
no media-type
mode
• copper-forced - Always uses the built-in RJ-45 port.
• sfp-forced - Always uses the SFP port (even if module not installed).
• sfp-preferred-auto - Uses SFP port if both combination types are
functioning and the SFP port has a valid link.
Default Setting
sfp-preferred-auto
Command Mode
Interface Configuration (Ethernet - Ports 25-26)
Example
This forces the switch to use the built-in RJ-45 port for the combination port 25.
Console(config)#interface ethernet 1/25
Console(config-if)#media-type copper-forced
Console(config-if)#
giga-phy-mode
This command forces two connected ports in to a master/slave configuration to
enable 1000BASE-T full duplex for Gigabit ports 25-28. Use the no form to restore
the default mode.
Syntax
giga-phy-mode mode
no giga-phy-mode
mode
• master - Sets the selected port as master.
• slave - Sets the selected port as slave.
• auto-prefer-master - Uses master mode as the initial configuration
setting regardless of the mode configured at the other end of the link.
• auto-prefer-slave - Uses slave mode as the initial configuration
regardless of the mode configured at the other end of the link.
Default Setting
master
Command Mode
Interface Configuration (Ethernet - Ports 25-28)
4-227
4
Command Line Interface
Command Usage
• The 1000BASE-T standard does not support forced mode. Auto-negotiation
should always be used to establish a connection over any 1000BASE-T port
or trunk. If not used, the success of the link process cannot be guaranteed
when connecting to other types of switches. However, this switch does
provide a means of forcing a link to operate at 1000 Mbps, full-duplex using
the giga-phy-mode command.
• To force 1000full operation requires the ports at both ends of a link to establish
their role in the connection process as a master or slave. Before using this
feature, auto-negotiation must first be disabled, and the Speed/Duplex
attribute set to 1000full. Then select compatible Giga PHY modes at both
ends of the link. Note that using one of the preferred modes ensures that the
ports at both ends of a link will eventually cooperate to establish a valid
master-slave relationship.
Example
This forces the switch port to master mode on port 24.
Console(config)#interface ethernet 1/24
Console(config-if)#no negotiation
Console(config-if)#speed-duplex 1000full
Console(config-if)#giga-phy-mode master
Console(config-if)#
shutdown
This command disables an interface. To restart a disabled interface, use the no
form.
Syntax
[no] shutdown
Default Setting
All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command allows you to disable a port due to abnormal behavior
(e.g., excessive collisions), and then reenable it after the problem has been
resolved. You may also want to disable a port for security reasons.
Example
The following example disables port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#shutdown
Console(config-if)#
4-228
4
Interface Commands
switchport packet-rate
This command configures broadcast, multicast and unknown unicast storm control.
Use the no form to restore the default setting.
Syntax
switchport {broadcast | multicast | unicast} packet-rate rate
no switchport {broadcast | multicast | unicast}
•
•
•
•
broadcast - Specifies storm control for broadcast traffic.
multicast - Specifies storm control for multicast traffic.
unicast - Specifies storm control for unknown unicast traffic.
rate - Threshold level as a rate; i.e., kilobits per second.
(Range: 64-100000 for 100 Mbps ports, 64-1000000 for 1 Gbps ports)
Default Setting
Broadcast Storm Control: Enabled, packet-rate limit: 64 kbps
Multicast Storm Control: Disabled
Unknown Unicast Storm Control: Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
• When traffic exceeds the threshold specified for broadcast and multicast or
unknown unicast traffic, packets exceeding the threshold are dropped until the
rate falls back down beneath the threshold.
• Due to an ASIC chip limitation, the supported storm control modes include:
- broadcast
- broadcast + multicast
- broadcast + multicast + unknown unicast
This means that when multicast storm control is enabled, broadcast storm
control is also enabled (using the threshold value set by the multicast storm
control command). And when unknown unicast storm control is enabled,
broadcast and multicast storm control are also enabled (using the threshold
value set by the unknown unicast storm control command).
• Traffic storms can be controlled at the hardware level using this command or
at the software level using the auto-traffic-control command (page 4-240).
However, only one of these control types can be applied to a port. Enabling
hardware-level storm control on a port will disable automatic storm control on
that port.
• The rate limits set by this command are also used by automatic storm control
when the control response is set to rate limiting by the auto-traffic-control
action command (page 4-242).
4-229
4
Command Line Interface
Example
The following shows how to configure broadcast storm control at 500 kilobits per
second:
Console(config)#interface ethernet 1/5
Console(config-if)#switchport broadcast packet-rate 500
Console(config-if)#
clear counters
This command clears statistics on an interface.
Syntax
clear counters interface
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-28)
• port-channel channel-id (Range: 1-8)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Statistics are only initialized for a power reset. This command sets the base
value for displayed statistics to zero for the current management session.
However, if you log out and back into the management interface, the statistics
displayed will show the absolute value accumulated since the last power reset.
Example
The following example clears statistics on port 5.
Console#clear counters ethernet 1/5
Console#
4-230
4
Interface Commands
show interfaces brief
This command displays a summary of key information, including operational status,
native VLAN ID, default priority, speed/duplex mode, and port type for all ports.
Command Mode
Privileged Exec
Example
Console#show interfaces brief
Interface Name
Status
PVID Pri Speed/Duplex
--------- ------------------ -------- ---- --- ------------Eth 1/ 1
Linkup
1
0 Auto-100full
Eth 1/ 2
Linkdown
1
0 Auto
Eth 1/ 3
Linkdown
1
0 Auto
Eth 1/ 4
Linkdown
1
0 Auto
Eth 1/ 5
Linkdown
1
0 Auto
Eth 1/ 6
Linkdown
1
0 Auto
Eth 1/ 7
Linkdown
1
0 Auto
Eth
1/
8
Linkdown
1
0 Auto
.
Type
-----------100FX
100FX
100FX
100FX
100FX
100FX
100FX
100FX
Trunk
----None
None
None
None
None
None
None
None
.
.
show interfaces status
This command displays the status for an interface.
Syntax
show interfaces status [interface]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-28)
• port-channel channel-id (Range: 1-8)
• vlan vlan-id (Range: 1-4094)
Default Setting
Shows the status for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed. For a
description of the items displayed by this command, see "Displaying
Connection Status" on page 3-158.
4-231
4
Command Line Interface
Example
Console#show interfaces status ethernet 1/5
Information of Eth 1/5
Basic Information:
Port Type:
100FX
Mac Address:
00-12-CF-12-34-57
Configuration:
Name:
Port Admin:
Up
Speed-duplex:
100full
Capabilities:
100full
Broadcast Storm:
Enabled
Broadcast Storm Limit: 64 Kbits/second
Multicast Storm:
Disabled
Multicast Storm Limit: 64 Kbits/second
UnknownUnicast Storm:
Disabled
UnknownUnicast Storm Limit: 64 Kbits/second
Flow Control:
Disabled
VLAN Trunking:
Disabled
LACP:
Disabled
Port Security:
Disabled
Max MAC Count:
0
Port Security Action:
None
Media Type:
None
Giga PHY mode: Auto preferred master
Current status:
Link Status:
Up
Port Operation Status: Up
Operation Speed-duplex: 100full
Flow Control Type:
None
Console#show interfaces status vlan 1
Information of VLAN 1
MAC Address:
00-12-CF-12-34-56
Console#
show interfaces counters
This command displays interface statistics.
Syntax
show interfaces counters [interface]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-28)
• port-channel channel-id (Range: 1-8)
Default Setting
Shows the counters for all interfaces.
Command Mode
Normal Exec, Privileged Exec
4-232
4
Interface Commands
Command Usage
If no interface is specified, information on all interfaces is displayed. For a
description of the items displayed by this command, see "Showing Port
Statistics" on page 3-183.
Example
Console#show interfaces counters ethernet 1/7
Ethernet 1/7
Iftable Stats:
Octets Input: 335955, Octets Output: 359180
Unicast Input: 0, Unicast Output: 0
Discard Input: 0, Discard Output: 0
Error Input: 0, Error Output: 0
Unknown Protos Input: 0, QLen Output: 0
Extended Iftable Stats:
Multi-cast Input: 4642, Multi-cast Output: 4921
Broadcast Input: 258, Broadcast Output: 6
Ether-like Stats:
Alignment Errors: 0, FCS Errors: 0
Single Collision Frames: 0, Multiple Collision Frames: 0
SQE Test Errors: 0, Deferred Transmissions: 0
Late Collisions: 0, Excessive Collisions: 0
Internal Mac Transmit Errors: 0, Internal Mac Receive Errors: 0
Frames Too Long: 0, Carrier Sense Errors: 0
Symbol Errors: 0
RMON Stats:
Drop Events: 0, Octets: 695199, Packets: 9827
Broadcast PKTS: 264, Multi-cast PKTS: 9563
Undersize PKTS: 0, Oversize PKTS: 0
Fragments: 0, Jabbers: 0
CRC Align Errors: 0, Collisions: 0
Packet Size <= 64 Octets: 9261, Packet Size 65 to 127 Octets: 176
Packet Size 128 to 255 Octets: 377, Packet Size 256 to 511 Octets: 13
Packet Size 512 to 1023 Octets: 0, Packet Size 1024 to 1518 Octets: 0
Console#
show interfaces switchport
This command displays the administrative and operational status of the specified
interfaces.
Syntax
show interfaces switchport [interface]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-28)
• port-channel channel-id (Range: 1-8)
Default Setting
Shows all interfaces.
4-233
4
Command Line Interface
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
Example
This example shows the configuration setting for port 24.
Console#show interfaces switchport ethernet 1/24
Broadcast Threshold:
Enabled, 64 Kbits/second
Multicast Threshold:
Disabled
Unknown-unicast Threshold:
Disabled
LACP Status:
Disabled
Ingress Rate Limit:
Disabled, 1000000 Kbits per second
Egress Rate Limit:
Disabled, 1000000 Kbits per second
VLAN Membership Mode:
Hybrid
Ingress Rule:
Enabled
Acceptable Frame Type:
All frames
Native VLAN:
1
Priority for Untagged Traffic: 0
GVRP Status:
Disabled
Allowed VLAN:
1(u),4093(t),
Forbidden VLAN:
Private-VLAN Mode:
NONE
Private-VLAN host-association: NONE
Private-VLAN Mapping:
NONE
802.1Q-tunnel Status:
Disable
802.1Q-tunnel Mode:
NORMAL
802.1Q-tunnel TPID:
8100(Hex)
Console#
Table 4-56
show interfaces switchport - display description
Field
Description
Broadcast Threshold
Shows if broadcast storm suppression is enabled or disabled; if enabled it also
shows the threshold level (page 4-229).
Multicast Threshold
Shows if multicast storm suppression is enabled or disabled; if enabled it also
shows the threshold level (page 4-229).
Unknown-unicast
Threshold
Shows if unknown unicast storm suppression is enabled or disabled; if enabled
it also shows the threshold level (page 4-229).
LACP Status
Shows if Link Aggregation Control Protocol has been enabled or disabled
(page 4-252).
Ingress Rate Limit
Shows if ingress rate limiting is enabled, and the current rate limit. (page 4-265).
Egress Rate Limit
Shows if egress rate limiting is enabled, and the current rate limit. (page 4-265).
VLAN Membership Mode Indicates membership mode as Trunk or Hybrid (page 4-304).
Ingress Rule
Shows if ingress filtering is enabled or disabled (page 4-305).
Note: Ingress filtering is always enabled.
Acceptable Frame Type
Shows if acceptable VLAN frames include all types or tagged frames only
(page 4-305).
Native VLAN
Indicates the default Port VLAN ID (page 4-306).
4-234
4
Automatic Traffic Control Commands
Table 4-56
show interfaces switchport - display description (Continued)
Field
Description
Priority for Untagged
Traffic
Indicates the default priority for untagged frames (page 4-376).
GVRP Status
Shows if GARP VLAN Registration Protocol is enabled or disabled (page 4-298).
Allowed VLAN
Shows the VLANs this interface has joined, where “(u)” indicates untagged and
“(t)” indicates tagged (page 4-307).
Forbidden VLAN
Shows the VLANs this interface can not dynamically join via GVRP (page 4-308).
Private-VLAN Mode
Shows the private VLAN mode as host, promiscuous, or none (4-322).
Private VLAN
host-association
Shows the secondary (or community) VLAN with which this port is associated
(4-322).
Private VLAN mapping
Shows the primary VLAN mapping for a promiscuous port (4-323).
802.1Q-tunnel Status
Shows if 802.1Q tunnel is enabled on this interface (page 4-312).
802.1Q-tunnel Mode
Shows the tunnel mode as Normal, 802.1Q Tunnel or 802.1Q Tunnel Uplink
(page 4-313).
802.1Q-tunnel TPID
Shows the Tag Protocol Identifier used for learning and switching packets
(page 4-314).
Automatic Traffic Control Commands
Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and
multicast storms which can be used to trigger configured rate limits or to shut down a
port.
Table 4-57
Command
ATC Commands
Function
Mode
Page
Threshold Commands
auto-traffic-control
apply-timer
Sets the time at which to apply the control response after GC
ingress traffic has exceeded the upper threshold
4-238
auto-traffic-control
release-timer
Sets the time at which to release the control response
GC
after ingress traffic has fallen beneath the lower threshold
4-239
auto-traffic-control*
Enables automatic traffic control for broadcast or multicast IC (Port)
storms
4-240
auto-traffic-control
alarm-fire-threshold
Sets the upper threshold for ingress traffic beyond which IC (Port)
a storm control response is triggered after the apply timer
expires
4-240
auto-traffic-control
alarm-clear-threshold
Sets the lower threshold for ingress traffic beneath which IC (Port)
a cleared storm control trap is sent
4-241
auto-traffic-control action
Sets the control action to limit ingress traffic or shut down IC (Port)
the offending port
4-242
auto-traffic-control
control-release
Manually releases a control response
IC (Port)
4-243
auto-traffic-control
auto-control-release
Automatically releases a control response
PE
4-244
4-235
4
Command Line Interface
Table 4-57
Command
ATC Commands (Continued)
Function
Mode
Page
snmp-server
enable port-traps atc
broadcast-alarm-fire
Sends a trap when broadcast traffic exceeds the upper
threshold for automatic storm control
IC (Port)
4-244
snmp-server
enable port-traps atc
multicast-alarm-fire
Sends a trap when multicast traffic exceeds the upper
threshold for automatic storm control
IC (Port)
4-245
snmp-server
enable port-traps atc
broadcast-alarm-clear
Sends a trap when broadcast traffic falls beneath the
lower threshold after a storm control response has been
triggered
IC (Port)
4-245
snmp-server
enable port-traps atc
multicast-alarm-clear
Sends a trap when multicast traffic falls beneath the lower IC (Port)
threshold after a storm control response has been
triggered
4-246
snmp-server
enable port-traps atc
broadcast-control-apply
Sends a trap when broadcast traffic exceeds the upper IC (Port)
threshold for automatic storm control and the apply timer
expires
4-246
snmp-server
enable port-traps atc
multicast-control-apply
Sends a trap when multicast traffic exceeds the upper
IC (Port)
threshold for automatic storm control and the apply timer
expires
4-247
snmp-server
enable port-traps atc
broadcast-control-release
Sends a trap when broadcast traffic falls beneath the
lower threshold after a storm control response has been
triggered and the release timer expires
IC (Port)
4-247
snmp-server
enable port-traps atc
multicast-control-release
Sends a trap when multicast traffic falls beneath the lower IC (Port)
threshold after a storm control response has been
triggered and the release timer expires
4-248
show auto-traffic-control
Shows global configuration settings for automatic storm
control
PE
4-248
show auto-traffic-control
interface
Shows interface configuration settings and storm control PE
status for the specified port
4-249
SNMP Trap Commands
ATC Display Commands
* Enabling automatic storm control on a port will disable hardware-level storm control on the same port if configured
by the switchport packet-rate command (page 4-229).
4-236
4
Automatic Traffic Control Commands
Usage Guidelines
ATC includes storm control for broadcast or multicast traffic. The control response
for either of these traffic types is the same, as shown in the following diagrams.
Storm control by limiting the traffic rate:
Traffic
[kpps]
Alarm Fire
Threshold
(1~255kpps)
Storm Alarm
Fire TRAP
Storm Alarm
Fire TRAP
Traffic without storm control
TrafficControl
Apply Trap
Traffic with storm control
StromAlarm
ClearTRAP
StromAlarm
ClearTRAP
Release Timer
expired
(0~300sec)
TrafficControl
Release Trap
AlarmClear
Threshold
(1~255kpps)
Apply Timer
expired
(0~300sec)
Auto Storm Control
Time
The key elements of this diagram are described below:
• Alarm Fire Threshold – The highest acceptable traffic rate. When ingress traffic
exceeds the threshold, ATC sends a Storm Alarm Fire Trap and logs it.
• When traffic exceeds the alarm fire threshold and the apply timer expires, a traffic
control response is applied, and a Traffic Control Apply Trap is sent and logged.
• Alarm Clear Threshold – The lower threshold beneath which an control response
can be automatically terminated after the release timer expires. When ingress
traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.
• When traffic falls below the alarm clear threshold after the release timer expires,
traffic control will be stopped and a Traffic Control Release Trap sent and logged.
• The traffic control response of rate limiting can be released automatically or
manually. The control response of shutting down a port can only be released
manually.
4-237
4
Command Line Interface
Storm control by shutting down a port:
The key elements of this diagram are the same as that described in the preceding
diagram, except that automatic release of the control response is not provided.
When traffic control is applied, you must manually re-enable the port.
Functional Limitations
Automatic storm control is a software level control function. Traffic storms can also
be controlled at the hardware level using the switchport packet-rate command
(page 4-229). However, only one of these control types can be applied to a port.
Enabling automatic storm control on a port will disable hardware-level storm control
on that port.
auto-traffic-control apply-timer
This command sets the time at which to apply the control response after ingress
traffic has exceeded the upper threshold. Use the no form to restore the default
setting.
Syntax
auto-traffic-control {broadcast | multicast} apply-timer seconds
no auto-traffic-control {broadcast | multicast} apply-timer
• broadcast - Specifies automatic storm control for broadcast traffic.
• multicast - Specifies automatic storm control for multicast traffic.
• seconds - The interval after the upper threshold has been exceeded at
which to apply the control response. (Range: 1-300 seconds)
Default Setting
300 seconds
Command Mode
Global Configuration
4-238
Automatic Traffic Control Commands
4
Command Usage
After the apply timer expires, a control action may be triggered as specified by
the auto-traffic-control action command (page 4-242) and a trap message
sent as specified by the snmp-server enable port-traps atc
broadcast-control-apply command (page 4-246) or snmp-server enable
port-traps atc multicast-control-apply command (page 4-247).
Example
This example sets the apply timer to 200 seconds for all ports.
Console(config)#auto-traffic-control broadcast apply-timer 200
Console(config)#
auto-traffic-control release-timer
This command sets the time at which to release the control response after ingress
traffic has fallen beneath the lower threshold. Use the no form to restore the default
setting.
Syntax
auto-traffic-control {broadcast | multicast} release-timer seconds
no auto-traffic-control {broadcast | multicast} release-timer
• broadcast - Specifies automatic storm control for broadcast traffic.
• multicast - Specifies automatic storm control for multicast traffic.
• seconds - The time at which to release the control response after ingress
traffic has fallen beneath the lower threshold. (Range: 1-900 seconds)
Default Setting
900 seconds
Command Mode
Global Configuration
Command Usage
This command sets the delay after which the control response can be
terminated. The auto-traffic-control auto-control-release command
(page 4-244) must be used to enable or disable the automatic release.
Example
This example sets the release timer to 800 seconds for all ports.
Console(config)#auto-traffic-control broadcast release-timer 800
Console(config)#
4-239
4
Command Line Interface
auto-traffic-control
This command enables automatic traffic control for broadcast or multicast storms.
Use the no form to disable this feature.
Syntax
[no] auto-traffic-control {broadcast | multicast}
• broadcast - Specifies automatic storm control for broadcast traffic.
• multicast - Specifies automatic storm control for multicast traffic.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
• Automatic storm control can be enabled for either broadcast or multicast
traffic. It cannot be enabled for both of these traffic types at the same time.
• Automatic storm control is a software level control function. Traffic storms can
also be controlled at the hardware level using the switchport packet-rate
command (page 4-229). However, only one of these control types can be
applied to a port. Enabling automatic storm control on a port will disable
hardware-level storm control on that port.
Example
This example enables automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast
Console(config-if)#
auto-traffic-control alarm-fire-threshold
This command sets the upper threshold for ingress traffic beyond which a storm
control response is triggered after the apply timer expires. Use the no form to
restore the default setting.
Syntax
auto-traffic-control {broadcast | multicast} alarm-fire-threshold threshold
no auto-traffic-control {broadcast | multicast} alarm-fire-threshold
• broadcast - Specifies automatic storm control for broadcast traffic.
• multicast - Specifies automatic storm control for multicast traffic.
• threshold - The upper threshold for ingress traffic beyond which a storm
control response is triggered after the apply timer expires. (Range: 1-255
kilo-packets per second)
4-240
4
Automatic Traffic Control Commands
Default Setting
128 kilo-packets per seconds
Command Mode
Interface Configuration (Ethernet)
Command Usage
• Once the upper threshold is exceeded, a trap message may be sent if
configured by the snmp-server enable port-traps atc broadcast-alarm-fire
command (page 4-244) or snmp-server enable port-traps atc
multicast-alarm-fire command (page 4-245).
• After the upper threshold is exceeded, the control timer must first expire as
configured by the auto-traffic-control apply-timer command (page 4-238)
before a control response is triggered if configured by the auto-traffic-control
action command (page 4-242).
Example
This example sets the trigger threshold for automatic storm control for broadcast
traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast alarm-fire-threshold 255
Console(config-if)#
auto-traffic-control alarm-clear-threshold
This command sets the lower threshold for ingress traffic beneath which a cleared
storm control trap is sent. Use the no form to restore the default setting.
Syntax
auto-traffic-control {broadcast | multicast} alarm-clear-threshold threshold
no auto-traffic-control {broadcast | multicast} alarm-clear-threshold
• broadcast - Specifies automatic storm control for broadcast traffic.
• multicast - Specifies automatic storm control for multicast traffic.
• threshold - The lower threshold for ingress traffic beneath which a cleared
storm control trap is sent. (Range: 1-255 kilo-packets per second)
Default Setting
128 kilo-packets per seconds
Command Mode
Interface Configuration (Ethernet)
Command Usage
• Once the traffic rate falls beneath the lower threshold, a trap message may be
sent if configured by the snmp-server enable port-traps atc
4-241
4
Command