User / maintenance manual for the SMC8150L2 product from the manufacturer SMC Networks
MANAGEMENT GUIDE TigerSwitch 10/100/1000 26-Port Gigabit Managed Switch 50-Port Gigabit Managed Switch SMC8126L2 SMC8150L2
20 Mason, Irvine, CA 92618 Phone: (949) 679-8000 TigerSwitch 10/100/1000 Management Guide From SMC’s Tiger line of feature-rich workgroup LAN solutions September 2007 Pub.
Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use.
Contents Chapter 1: Introduction 1-1 Key Features 1-1 Description of Software Features 1-2 System Defaults 1-6 Chapter 2: Initial Configuration 2-1 Connecting to the Switch 2-1 Configuration Opti.
Saving or Restoring Configuration Settings 3-19 Downloading Configuration Settings from a Server 3-20 Console Port Settings 3-21 Telnet Settings 3-23 Configuring Event Logging 3-25 Displ.
Binding a Port to an Access Control List 3-73 Filtering IP Addresses for Management Access 3-74 Port Configuration 3-76 Displaying Connection Status 3-76 Configuring Interface Connectio.
Protocol VLAN Group Configuration 3-142 Configuring Protocol VLAN Interfaces 3-143 Class of Service Configuration 3-144 Layer 2 Queue Settings 3-144 Setting the Default Priority for Inter.
DHCP Snooping Information Option Configuration 3-188 DHCP Snooping Port Configuration 3-189 DHCP Snooping Binding Information 3-190 IP Source Guard 3-191 IP Source Guard Port Configuration.
disconnect 4-18 show line 4-18 General Commands 4-19 enable 4-19 disable 4-20 configure 4-21 show history 4-21 reload 4-22 end 4-22 exit 4-23 quit 4-23 System Management Commands 4-24 Devi.
logging facility 4-45 logging trap 4-46 clear logging 4-46 show logging 4-47 show log 4-48 SMTP Alert Commands 4-49 logging sendmail host 4-49 logging sendmail level 4-50 logging sendmai.
TACACS+ Client 4-77 tacacs-server host 4-77 tacacs-server port 4-77 tacacs-server key 4-78 show tacacs-server 4-78 Port Security Commands 4-79 port security 4-79 802.
show snmp engine-id 4-108 snmp-server view 4-109 show snmp view 4-110 snmp-server group 4-110 show snmp group 4-112 snmp-server user 4-113 show snmp user 4-115 Interface Commands 4-116 int.
spanning-tree priority 4-148 spanning-tree pathcost method 4-149 spanning-tree transmission-limit 4-150 spanning-tree mst-configuration 4-150 mst vlan 4-151 mst priority 4-151 name 4-152 re.
Related Commands 4-178 show dot1q-tunnel 4-178 Configuring Private VLANs 4-179 pvlan 4-179 show pvlan 4-180 Configuring Protocol-based VLANs 4-181 protocol-vlan protocol-group (Configuri.
ip igmp snooping querier 4-206 ip igmp snooping query-count 4-206 ip igmp snooping query-interval 4-207 ip igmp snooping query-max-response-time 4-208 ip igmp snooping router-port-expi.
cluster 4-238 cluster commander 4-239 cluster ip-pool 4-239 cluster member 4-240 rcommand 4-240 show cluster 4-241 show cluster members 4-241 show cluster candidates 4-242 Appendix A: So.
Tables Table 1-1 Key Features 1-1 Table 1-2 System Defaults 1-6 Table 3-1 Configuration Options 3-3 Table 3-2 Main Menu 3-4 Table 3-3 Logging Levels 3-26 Table 3-4 Supported Notification Messages 3-41 Table 3-5 HTTPS System Support 3-52 Table 3-6 802.
Table 4-27 Authentication Commands 4-70 Table 4-28 Authentication Sequence 4-70 Table 4-29 RADIUS Client Commands 4-73 Table 4-30 TACACS Commands 4-77 Table 4-31 Port Security Commands 4-79 Table 4-32 802.
Table 4-69 IGMP Query Commands (Layer 2) 4-206 Table 4-70 Static Multicast Routing Commands 4-209 Table 4-71 IGMP Filtering and Throttling Commands 4-211 Table 4-72 Multicast VLAN Reg.
Figures Figure 3-1 Home Page 3-2 Figure 3-2 Panel Display 3-3 Figure 3-3 System Information 3-10 Figure 3-4 Switch Information 3-12 Figure 3-5 Bridge Extension Configuration 3-13 Figure 3-6 Manual.
Figure 3-43 Selecting ACL Type 3-68 Figure 3-44 Configuring Standard IP ACLs 3-69 Figure 3-45 Configuring Extended IP ACLs 3-71 Figure 3-46 Configuring MAC ACLs 3-73 Figure 3-47 Configuring.
Figure 3-88 Configuring Queue Scheduling 3-148 Figure 3-89 IP Precedence/DSCP Priority Status 3-150 Figure 3-90 Mapping IP Precedence Priority Values 3-151 Figure 3-91 Mapping IP DSCP Pr.
Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network.
Rate Limiting – This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network.
seconds or more for the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.
Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN.
System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-19). The following table lists some of the basic system defaults.
Port Configuration: Admin Status – Enabled; Auto-negotiation – Enabled; Flow Control – Disabled. Rate Limiting: Input and output limits – Disabled. Port Trunking: Static Trunks – None; LACP (a.
System Log: Status – Enabled; Messages Logged – Levels 0-7 (all); Messages Logged to Flash – Levels 0-3. SMTP Email Alerts: Event Handler – Enabled (but no server defined). SNTP: Clock Synchron.
Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface.
• Configure up to 32 static or LACP trunks
• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics
Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol.
Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Default gateway for the network
• Network mask for this network
To assign an IP address to the switch, complete the following steps: 1.
5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. 6. Then save your configuration changes by typing “copy running-config startup-config.
The default strings are:
• public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group.
Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.
Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.
Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Engine ID – Sets the SNMP v3 engine ID on this switch (3-36). Remote Engine ID – Sets the SNMP v3 engine ID for a remote device (3-37). Users – Configures SNMP v3 us.
Aggregation Port – Configures parameters for link aggregation group members (3-84). Port Counters Information – Displays statistics for LACP protocol messages (3-86). Port Inter.
VLAN (3-122). 802.1Q VLAN (3-122). GVRP Status – Enables GVRP VLAN registration protocol (3-125). 802.1Q Tunnel Configuration – Enables QinQ Tunneling on the switch (3.
IP DSCP Priority – Sets IP Differentiated Services Code Point priority, mapping a DSCP tag to a class-of-service value (3-152). IP Port Priority Status – Globally enables or.
Port Configuration – Configures MVR interface type and immediate leave status (3-179). Trunk Configuration – Configures MVR interface type and immediate leave s.
Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes • System Name – Name assigned to the switch system.
CLI – Specify the hostname, location and contact information. Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
Web – Click System, Switch Information. Figure 3-4 Switch Information CLI – Use the following command to display version information.
Console#show version 4-62
Unit 1 Serial number: Hardware version: EPLD Version: 4.
Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
CLI – Enter the following command. Setting the Switch’s IP Address This section describes how to configure an IP interface for management access over the network. The IP address for the stack is obtained via DHCP by default.
Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply.
Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP.
Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available.
• File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch.
To delete a file select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply.
- tftp to file – Copies a file from a TFTP server to the switch.
- tftp to running-config – Copies a file from a TFTP server to the running config.
- tftp to startup-config – Copies a file from a TFTP server to the startup config.
Note: You can also select any configuration file as the start-up configuration by using the System/File/Set Start-Up page. Figure 3-13 Setting the Startup Configuration Set.
system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next log on attempt.
CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Telnet Settings You can access the onboard configuration program over the network using Telnet (i.
system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next log on attempt. (Range: 0-120; Default: 3 attempts) • Password 2 – Specifies a password for the line connection.
CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
CLI – This example shows the event messages stored in RAM. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-17 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
• Host IP Address – Specifies a new server IP address to add to the Host IP List. Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add.
• Severity – Specifies the degree of urgency that the message carries.
• Debugging – Sends a debugging notification. (Level 7)
• Information – Sends informative notification only. (Level 6)
• Notice – Sends notification of a normal but significant condition, such as a cold start.
CLI – Enter the host IP address, followed by the mail severity level, source and destination email addresses, and enter the sendmail command to complete the action. Use the show logging command to display SMTP information.
Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Setting the Time Zone SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude.
Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Figure 3-24 Configuring SNMP Community Strings CLI – The following example adds the string “spiderman” with read/write access.
Web – Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive trap messages, and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.
Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first before configuring other parameters.
Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
• Level – The security level used for the user:
- noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.)
- AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list.
Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views.
topologyChange 1.3.6.1.2.1.17.0.2 A topologyChange trap is sent by a bridge when any of its configured ports transitions from the Learning state to the Forwarding state, or from the Forwarding state to the Discarding state.
Private Traps swPowerStatusChangeTrap 1.3.6.1.4.1.202.20.68.2.1.0.1 This trap is sent when the power state changes. swIpFilterRejectTrap 1.3.6.1.4.1.202.20.68.2.1.0.1 This trap is sent when an incorrect IP address is rejected by the IP Filter.
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list.
Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree. Command Attributes • View Name – The name of the SNMP view.
CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.
• New Account – Displays configuration settings for a new account.
- User Name – The name of the user. (Maximum length: 8 characters; maximum number of users: 16)
- Access Level – Specifies the user level. (Options: Normal and Privileged)
- Password – Specifies the user password.
Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
Command Attributes • Authentication – Select the authentication, or authentication sequence required:
- Local – User authentication is performed only locally by the switch.
- Radius – User authentication is performed using a RADIUS server only.
Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.
CLI – Specify all the required parameters to enable logon authentication.
Console(config)#authentication login radius 4-71
Console(config)#radius-server port 181 4-74.
Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
CLI – This example enables the HTTP secure server and modifies the port number. Replacing the Default Secure-site Certificate When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
Configuring the Secure Shell The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments.
3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command (4-64) to copy a file containing the public key for all the SSH clients granted management access to the switch.
Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number.
CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.
Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port.
Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights.
Web – Click Security, 802.1X, Information. Figure 3-39 802.1X Global Information CLI – This example shows the default global setting for 802.1X. Configuring 802.1X Global Settings The 802.1X protocol provides port authentication.
Configuring Port Settings for 802.1X When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server.
Figure 3-41 802.1X Port Configuration.
CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-86.
Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.
CLI – This example displays the 802.1X statistics for port 4. Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type).
3. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports. 4. If no explicit rule is matched, the implicit default is permit all. Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL.
Configuring a Standard IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules.
host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields. (Options: Any, Host, IP; Default: Any) • Source/Destination IP Address – Source or destination IP address.
Figure 3-45 Configuring Extended IP ACLs CLI – This example adds two rules: (1) Accept any incoming packets if the source address is in subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.
Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any.
Figure 3-46 Configuring MAC ACLs Binding a Port to an Access Control List After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list to any port.
Figure 3-47 Configuring ACL Port Binding CLI – This example assigns an IP access list to port 1, and an IP access list to port 3.
• You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses.
• You can delete an address range just by specifying the start address, or by specifying both the start address and end address.
CLI – This example allows SNMP access for a specific client. Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
Web – Click Port, Port Information or Trunk Information. Figure 3-49 Displaying Port/Trunk Information Field Attributes (CLI) Basic Information: • Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port.
• Port Security – Shows if port security is enabled or disabled.
• Max MAC count – Shows the maximum number of MAC addresses that can be learned by a port. (0 - 1024 addresses)
• Port security action – Shows the response to take when a security violation is detected.
• Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e., with auto-negotiation disabled)
• Flow Control – Allows automatic or manual selection of flow control.
• Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/disabled.
CLI – Select the interface, and then enter the required settings. Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link.
• The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
• All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN.
CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-26/50) Web – Click Port, LACP, Configuration.
CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
- System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG.
CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG.
Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information. Figure 3-54 LACP - Port Counters Information CLI – The following example displays LACP counters.
Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-8 LACP Internal Configuration Information: Field – Description. Oper Key – Current operational value of the key for the aggregation port.
Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-55 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Web – Click Port, LACP, Port Neighbors Information.
CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-57 Port Broadcast Control CLI – Specify any interface, and then enter the threshold.
Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
Configuring the Switch 3-94 Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch.
Port Configuration 3-95 CLI - This example sets the rate limit level for input traffic passing through port 3. Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Configuring the Switch 3-96 Transmit Multicast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent.
Port Configuration 3-97 RMON Statistics Drop Events The total number of events in which packets were dropped due to lack of resources. Jabbers The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
Configuring the Switch 3-98 Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
Address Table Settings 3-99 CLI – This example shows statistics for port 13. Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports.
Configuring the Switch 3-100 Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 3-61 Configuring a Static Address Table CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Address Table Settings 3-101 Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query.
Configuring the Switch 3-102 Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the function. • Aging Time – The time after which a learned entry is discarded.
Spanning Tree Algorithm Configuration 3-103 disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.
Configuring the Switch 3-104 An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see 3-116). An MST Region may contain multiple MSTP Instances.
Spanning Tree Algorithm Configuration 3-105 Displaying Global Settings You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen. Field Attributes • Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network.
Configuring the Switch 3-106 However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. • Root Hello Time – Interval (in seconds) at which this device transmits a configuration message.
Spanning Tree Algorithm Configuration 3-107 CLI – This command displays global STA settings, followed by settings for each port. Note: The current root port and current root cost display as zero when this device is not connected to the network. Configuring Global Settings Global settings apply to the entire switch.
Configuring the Switch 3-108 - To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
Spanning Tree Algorithm Configuration 3-109 • Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
Configuring the Switch 3-110 Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-65 Configuring Spanning Tree CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters.
Spanning Tree Algorithm Configuration 3-111 Displaying Interface Settings The STA Port Information and STA Trunk Information pages display the current status of ports and trunks in the Spanning Tree. Field Attributes • Spanning Tree – Shows if STA has been enabled on this interface.
Configuring the Switch 3-112 • Trunk Member – Indicates if a port is a member of a trunk. (STA Port Information only) These additional parameters are only displayed for the CLI: • Admin status – Shows if this interface is enabled. • Path cost – This parameter is used by the STA to determine the best path between devices.
Spanning Tree Algorithm Configuration 3-113 the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to reconfigure when the interface changes state, and also overcomes other STA-related timeout problems.
Configuring the Switch 3-114 Configuring Interface Settings You can configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port.
Spanning Tree Algorithm Configuration 3-115 • Admin Link Type – The link type attached to this interface. - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
Configuring the Switch 3-116 Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing t.
Spanning Tree Algorithm Configuration 3-117 Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
Configuring the Switch 3-118 CLI – This example sets STA attributes for port 1, followed by settings for each port. Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
Spanning Tree Algorithm Configuration 3-119 Web – Click Spanning Tree, MSTP, Port or Trunk Information. Select the required MST instance to display the current spanning tree values.
Configuring the Switch 3-120 CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST; the settings for other instances only apply to the local spanning tree.
Spanning Tree Algorithm Configuration 3-121 - Discarding – Port receives STA configuration messages, but does not forward packets. - Learning – Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information.
Configuring the Switch 3-122 Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-70 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4.
VLAN Configuration 3-123 This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using exp.
Configuring the Switch 3-124 VLAN form a broadcast domain that is separate from other VLANs configured on the switch. Packets are forwarded only between ports that are designated for the same VLAN. Untagged VLANs can be used to manually isolate user groups or subnets.
VLAN Configuration 3-125 Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN.
Configuring the Switch 3-126 Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number 8 – The VLAN version used by this switch as specified in the IEEE 802.
VLAN Configuration 3-127 • Status – Shows how this VLAN was added to the switch. - Dynamic GVRP: Automatically learned via GVRP. - Permanent: Added as a static entry. • Egress Ports – Shows all the VLAN port members. • Untagged Ports – Shows the untagged VLAN port members.
Configuring the Switch 3-128 CLI – Current VLAN information can be displayed with the following command. Creating VLANs Use the VLAN Static List to create or remove VLAN groups. To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups.
VLAN Configuration 3-129 Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-74 Configuring a VLAN Static List CLI – This example creates a new VLAN.
Configuring the Switch 3-130 2. VLAN 1 is the default untagged VLAN containing all ports on the switch, and can only be modified by first reassigning the default port VLAN ID as described under “Configuring VLAN Behavior for Interfaces” on page 3-132.
VLAN Configuration 3-131 Figure 3-75 Configuring a VLAN Static Table CLI – The following example adds tagged and untagged ports to VLAN 2. Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member.
Configuring the Switch 3-132 Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.
Configuring IEEE 802.1Q Tunneling 3-133 Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, click Apply.
Configuring the Switch 3-134 using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging). A port configured to support QinQ tunneling must be set to tunnel port mode.
Configuring IEEE 802.1Q Tunneling 3-135 (SPVLAN) into the packet based on the default VLAN ID and Tag Protocol Identifier (TPID, that is, the ether-type of the tag). This outer tag is used for learning and switching packets. The priority of the inner tag is copied to the outer tag if it is a tagged or priority tagged packet.
Configuring the Switch 3-136 0x8100, a new VLAN tag is added and it is also treated as a double-tagged packet. 5. If the destination address lookup fails, the packet is sent to all member ports of the outer tag's VLAN.
Configuring IEEE 802.1Q Tunneling 3-137 “Adding an Interface to a QinQ Tunnel” on page 3-138). 8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (see “Adding Static Members to VLANs (VLAN Index)” on page 3-129).
Configuring the Switch 3-138 CLI – This example sets the switch to operate in QinQ mode. Adding an Interface to a QinQ Tunnel Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Use the VLAN Port Configuration or VLAN Trunk Configuration screen to set the access port on the edge switch to 802.
Configuring IEEE 802.1Q Tunneling 3-139 - 802.1Q Tunnel Uplink – Configures IEEE 802.1Q tunneling (QinQ) for an uplink port to another device within the service provider network. Web – Click VLAN, 802.1Q VLAN, Tunnel Configuration or Tunnel Trunk Configuration.
Configuring the Switch 3-140 CLI – This example sets port 1 to tunnel access mode, indicates that the TPID used for 802.1Q tagged frames is 9100 hexadecimal, and sets port 2 to tunnel uplink mode.
Configuring IEEE 802.1Q Tunneling 3-141 Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.
Configuring the Switch 3-142 Configuring Uplink and Downlink Ports Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
Configuring IEEE 802.1Q Tunneling 3-143 • Protocol Type – The only option for the LLC Other frame type is IPX Raw. The options for all other frame types include IP, ARP, or RARP.
Configuring the Switch 3-144 Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port.
Class of Service Configuration 3-145 Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-84 Port Priority Configuration CLI – This example assigns a default priority of 5 to port 3.
Configuring the Switch 3-146 The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. However, you can map the priority levels to the switch’s output queues in any way that benefits application traffic for your own network.
Class of Service Configuration 3-147 CLI – The following example shows how to change the CoS assignments. Enabling CoS Enable or disable Class of Service (CoS). Command Attributes • Traffic Classes – Click to enable Class of Service. (Default: Enabled) Web – Click Priority, Traffic Classes Status.
Configuring the Switch 3-148 Web – Click Priority, Queue Mode. Select Strict or WRR, then click Apply. Figure 3-87 Queue Mode CLI – The following sets the queue mode to WRR priority service mode.
Class of Service Configuration 3-149 CLI – The following example shows how to display the WRR weights assigned to each of the priority queues. Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.
Configuring the Switch 3-150 Web – Click Priority, IP Precedence/DSCP Priority Status. Select Disabled, IP Precedence or IP DSCP from the scroll-down menu, then click Apply. Figure 3-89 IP Precedence/DSCP Priority Status CLI – The following example enables IP Precedence service on the switch.
Class of Service Configuration 3-151 Web – Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in the Class of Service Value field, and then click Apply.
Configuring the Switch 3-152 Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant devices will not conflict with the DSCP mapping.
Class of Service Configuration 3-153 CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
Configuring the Switch 3-154 Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Apply.
Quality of Service 3-155 All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the same class. Class information can be assigned by end hosts, or switches or routers along the path.
Configuring the Switch 3-156 based on an access list, a DSCP or IP Precedence value, or a VLAN, and click the Add button next to the field for the selected traffic criteria. You can specify up to 16 items to match when assigning ingress traffic to a class map.
Quality of Service 3-157 Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-94 Configuring Class Maps CLI - This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
Configuring the Switch 3-158 Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 3-155.
Quality of Service 3-159 Policy Rule Settings - Class Settings - • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on 3-155).
Configuring the Switch 3-160 Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy.
Quality of Service 3-161 Attaching a Policy Map to Ingress Queues This function binds a policy map to the ingress queue of a particular interface. Command Usage • You must first define a class map, then define a policy map, and finally bind the service policy to the required interface.
Configuring the Switch 3-162 Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio.
Multicast Filtering 3-163 Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
Configuring the Switch 3-164 Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) Figure 3-97 IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status.
Multicast Filtering 3-165 Command Attributes • VLAN ID – ID of configured VLAN (1-4094). • Immediate Leave – Enable or disable IGMP immediate leave for the selected VLAN.
Configuring the Switch 3-166 Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers.
Multicast Filtering 3-167 Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add.
Configuring the Switch 3-168 Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service.
Multicast Filtering 3-169 Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add.
Configuring the Switch 3-170 switch randomly removes an existing group and replaces it with the new multicast group. Note: IGMP filtering and throttling only applies to dynamically learned multicast groups; it does not apply to statically configured groups.
Multicast Filtering 3-171 Configuring IGMP Filtering and Throttling for Interfaces Once you have configured IGMP profiles, you can then assign them to interfaces on the switch. Also, you can set the IGMP throttling number to limit the number of multicast groups an interface can join at the same time.
Configuring the Switch 3-172 Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply.
Multicast Filtering 3-173 deny, IGMP join reports are only processed when a multicast group is not in the controlled range. Command Attributes • Profile ID – Selects an existing profile number to configure. After selecting an ID number, click the Query button to display the current configuration.
Configuring the Switch 3-174 CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join. The current profile configuration is then displayed.
Multicast Filtering 3-175 General Configuration Guidelines for MVR 1. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring Global MVR Settings” on page 3-175).
Configuring the Switch 3-176 Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply.
Multicast Filtering 3-177 Web – Click MVR, Port or Trunk Information. Figure 3-107 MVR Port Information CLI – This example shows information about interfaces attached to the MVR VLAN.
Configuring the Switch 3-178 Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN.
Multicast Filtering 3-179 Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
Configuring the Switch 3-180 Web – Click MVR, Port or Trunk Configuration. Figure 3-109 MVR Port Configuration CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port.
Configuring Domain Name Service 3-181 Web – Click MVR, Group Member Configuration. Select a port or trunk from the “Interface” field, and click Query to display the assigned multicast groups. Select a multicast address from the displayed lists, and click the Add or Remove button to modify the Member list.
Configuring the Switch 3-182 • When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
Configuring Domain Name Service 3-183 CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.
Configuring the Switch 3-184 Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. Figure 3-112 DNS Static Host Table CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
Configuring Domain Name Service 3-185 Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable.
Configuring the Switch 3-186 CLI - This example displays all the resource records learned from the designated name servers. DHCP Snooping DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
DHCP Snooping 3-187 the packet will only be forwarded if the client’s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header.
Configuring the Switch 3-188 DHCP Snooping VLAN Configuration Enables DHCP snooping on the specified VLAN. Command Attributes • VLAN ID – ID of a configured VLAN. (Range: 1-4094) • DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN.
DHCP Snooping 3-189 Command Attributes • DHCP Snooping Information Option Status – Enables or disables DHCP Option 82 information relay. • DHCP Snooping Information Option Policy – Sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information.
Configuring the Switch 3-190 Web – Click DHCP Snooping, Information Option Configuration. Figure 3-117 DHCP Snooping Port Configuration CLI – This example shows how to enable the DHCP Snooping Trust Status for ports. DHCP Snooping Binding Information Displays the DHCP snooping binding information.
IP Source Guard 3-191 Web – Click DHCP Snooping, DHCP Snooping Binding Information. Figure 3-118 DHCP Snooping Binding Information CLI – This example shows how to display the DHCP Snooping binding table entries.
Configuring the Switch 3-192 Command Attributes • Filter Type – Configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. (Default: None) • None – Disables IP source guard filtering on the port.
IP Source Guard 3-193 Command Attributes • Static Binding Table Counts – The total number of static entries in the table. • Port – Switch port number. (Range: 1-26/50) • VLAN ID – ID of a configured VLAN (Range: 1-4094) • MAC Address – A valid unicast MAC address.
Configuring the Switch 3-194 3 Web – Click IP Source Guard, Dynamic Info rmation. Figure 3-121 Dynamic IP Source Guar d Binding Informati on CLI – This example shows how to configure a static source-guard binding on port 5 .
Switch Clust ering 3-195 3 Once a switch ha s been configured to be a clu ster Commander , it automatically discovers other cluster-en abled switches in the network. These “Candidate” switches only become cluster Members when man ually selected by the administrator throug h the management station .
Configuring the Switch 3-196 3 Web – Click Clu ster , Configuration. Figure 3-123 Cluster Configuration CLI – This example first enables clu stering on the switch, set s the switch as the cluster Commander , and then configures the cluste r IP pool.
Switch Clust ering 3-197 3 Web – Click Clu ster , Member Configurat ion. Figure 3-124 Cluster Member Conf iguration CLI – This example creates a new cluste r Member by specifying the Ca ndidate switch MAC address and setting a Me mber ID. Cluster Member Information Displays current cluster Membe r switch information.
Configuring the Switch 3-198 3 CLI – This example shows informati on about cluster Member switches. Cluster Candidate Information Displays informati on about discovered swi tches in the network that are already cluster Members or are available to beco me cluster Members.
4-1 Chapter 4: Command Line Interface This chapter descri bes how to use t he Command Line Int erface (CLI). Using the Command Line Interface Accessing the CLI When accessing the manage ment interface.
Command Line Interfa ce 4-2 4 Telnet Connection T elne t operates over the IP tra nsport protocol. In thi s environment, your management st ation and any network device you want to man age over the network must have a valid IP address. V alid IP addresses consist of four numbers, 0 to 255, separated by peri ods.
Entering Commands 4-3 4 Entering Commands This section describes how to ent er CLI commands. Keywords and Arguments A CLI command is a series of keywords and argument s.
Command Line Interfa ce 4-4 4 Showing Commands If you enter a “?” at the command prompt, the system will displa y the first level of keywords for the current command class (Normal Exec or Privil eged Exec) or configuration cl ass (Global, ACL, Interface, Line or VL AN Database).
Entering Commands 4-5 4 Partial Keyword Lookup If you terminat e a parti al keyword with a question mark, alternatives that match the initial letters are provi ded. (Remember not to leave a space between th e command and question mark.) For exampl e “ s? ” shows all the keywords sta rting with “s.
Exec Commands: When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt. Because the predefined accounts and their passwords are printed in this guide, change them (see the username and enable password commands) before the switch is reachable from anything but an isolated management network.

Configuration Commands: Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted; use copy running-config startup-config (see “Flash/File Commands”) to make them persistent.

Command Line Processing: Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
Command Groups
The system commands can be broken down into the functional groups shown below.

Table 4-4 Command Groups (Command Group / Description / Page)
Line: Sets communication pa.

The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration), MST (Multiple Spanning Tree), CM (Class M.

Line Commands
line: This command identifies a specific line for configuration and enters the mode in which subsequent line configuration commands are processed.
Syntax: line { console | vty }
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.

- login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
- login local selects authentication via the user name and password specified by the username command (i.
during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
Example
Related Commands: login (4-11), password-thresh (4-14)

timeout login response: This command sets the interval that the system waits for a user to log in to the CLI.

Syntax: exec-timeout [ seconds ] / no exec-timeout
seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds; 0: no timeout)
Default Setting: CLI: No t.
A value of 0 leaves an idle, possibly privileged, session open indefinitely; set a finite timeout on both the console and the vty lines.

Command Usage:
• When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
Syntax: databits { 7 | 8 } / no databits
• 7 - Seven data bits per character.
• 8 - Eight data bits per character.

Example: To specify no parity, enter this command:

speed: This command sets the terminal line’s baud rate. It sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.

Example: To specify 2 stop bits, enter this command:

disconnect: This command terminates an SSH, Telnet, or console connection.
Syntax: disconnect session-id
session-id – The session identifier for an SSH, Telnet or console connection.

Example: To show all lines, enter this command:

General Commands
enable: This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information.
Default Setting: Level 15
Command Mode: Normal Exec
Command Usage:
• “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-26.) This default is public knowledge; replace it before the switch goes into service.

configure: This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration.

The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec mode, and commands from the Configuration command history buffer when you are in any of the configuration modes.

exit: This command returns to the previous configuration mode or exits the configuration program.
Default Setting: None
Command Mode: Any
Example: This example shows how to return to Privileged Exec mode from Global Configuration mode, and then quit the CLI session:

quit: This command exits the configuration program.
System Management Commands
These commands are used to control system logs, passwords, user names, browser configuration options, and to display or configure a variety of other system information.

Device Designation Commands
prompt: This command customizes the CLI prompt.

Example

hostname: This command specifies or modifies the host name for this device. Use the no form to restore the default host name.

• name - The name of the user. (Maximum length: 8 characters, case sensitive. Maximum users: 16)
• access-level level - Specifies the user level. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.

• password - Password for this privilege level. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive)
Default Setting:
• The default is level 15.
• The default password is “super”.
Command Mode: Global Configuration
Command Usage:
• You cannot set a null password.
• An 8-character maximum leaves local passwords weak against guessing. Compensate by authenticating administrators against RADIUS or TACACS+ (see “Authentication Commands”), keeping the lockout settings (password-thresh, silent-time) enabled, and limiting which addresses may reach the management interface.

• telnet-client - Adds IP address(es) to the Telnet group.
• start-address - A single IP address, or the starting address of a range.
Example

Web Server Commands
ip http port: This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Syntax: ip http port port-number / no ip http port
port-number - The TCP port to be used by the browser interface.

Example
Related Commands: ip http server (4-30)

ip http server: This command allows this device to be monitored or configured from a browser. Plain HTTP sends the administrator’s credentials and every configuration change in cleartext; use the HTTPS server instead and disable HTTP (no ip http server) where possible.

• When you start HTTPS, the connection is established in this way:
- The client authenticates the server using the server’s digital certificate.
- The client and server negotiate a set of security protocols to use for the connection.
Browsers can only authenticate the switch if the certificate installed on it (see the https-certificate option of the copy command) is one they trust; until then the connection is encrypted but not authenticated.

• If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:.

ip telnet server: This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function. Since Telnet is unencrypted, disable it once SSH access has been verified.
The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can.

firmware only accepts public key files based on the standard UNIX format, as shown in the following example for an RSA Version 1 key:
1024 35 13410816856098939210.
RSA Version 1 keys belong to the obsolete SSH-1 protocol; use SSH-2 (DSA or RSA) keys wherever the client allows it.

• The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. Single DES is no longer considered secure; configure clients to refuse it so that 3DES, the strongest cipher this firmware offers, is chosen. Also verify the switch’s host key fingerprint out of band before trusting a first connection (see show public-key host), since a spoofed host key defeats the encryption entirely.
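As an added example (not SMC’s code, and not taken from this guide), the following Python script generates a throwaway RSA key pair from a fixed seed, writes the public key in the three-field RSA Version 1 text format shown above (bits, exponent, modulus), and parses such a line back with the consistency checks worth doing before the file is copied to the switch over TFTP. The key, the seed and the minimum-length policy are assumptions made for the example; the fingerprint is computed over the modulus followed by the exponent, the input OpenSSH used for RSA1 key fingerprints, so it can be compared with what an old ssh-keygen -l reported for the same key.

```python
"""RSA Version 1 public-key text format: "<bits> <exponent> <modulus> [comment]".

Added example (not SMC's code).  The key below is CONSTRUCTED from a fixed
seed so the script runs offline; a real key comes from the client's
identity.pub.  MIN_BITS is a policy ASSUMPTION for the example.
"""
import hashlib
import math
import random

MIN_BITS = 1024  # assumption: refuse anything shorter than the page's 1024-bit example

_SMALL_PRIMES = [p for p in range(3, 2000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        # top two bits set so the product of two such primes is exactly 2*bits long
        cand = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def make_rsa1_key(bits: int = 1024, e: int = 35, seed: int = 2007) -> tuple:
    """Return (public-key line, private exponent d).  e=35 mirrors the page's example."""
    rng = random.Random(seed)
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return f"{bits} {e} {p * q} constructed@example", pow(e, -1, phi)


def rsa1_fingerprint(n: int, e: int) -> str:
    """MD5 over big-endian modulus bytes followed by exponent bytes, as hex pairs."""
    blob = (n.to_bytes((n.bit_length() + 7) // 8, "big")
            + e.to_bytes((e.bit_length() + 7) // 8, "big"))
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_rsa1_key_line(line: str) -> dict:
    """Validate a key line the way an operator should before copying it to the switch."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: <bits> <exponent> <modulus> [comment]")
    try:
        bits, e, n = int(fields[0]), int(fields[1]), int(fields[2])
    except ValueError:
        raise ValueError("bits, exponent and modulus must be decimal integers") from None
    if n.bit_length() != bits:
        raise ValueError(f"modulus is {n.bit_length()} bits but header claims {bits}")
    if bits < MIN_BITS:
        raise ValueError(f"key shorter than {MIN_BITS} bits")
    if e < 3 or e % 2 == 0 or n % 2 == 0:
        raise ValueError("exponent and modulus must be odd, exponent >= 3")
    return {"bits": bits, "e": e, "n": n, "comment": " ".join(fields[3:]),
            "fingerprint": rsa1_fingerprint(n, e)}


if __name__ == "__main__":
    line, d = make_rsa1_key()
    key = parse_rsa1_key_line(line)
    print(key["bits"], key["e"], key["fingerprint"])
    # the constructed key really is an RSA pair: encrypt then decrypt a small value
    assert pow(pow(12345, key["e"], key["n"]), d, key["n"]) == 12345
```

The checks that matter in practice are the length consistency (a header claiming 1024 bits over a shorter modulus is a sign of a corrupted or hand-edited file) and the fingerprint, which lets you confirm over a trusted channel that the key installed with copy public-key is the one the user generated.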
ip ssh authentication-retries: This command configures the number of times the SSH server attempts to reauthenticate a user.

delete public-key: This command deletes the specified user’s public key.
Syntax: delete public-key username [ dsa | rsa ]
• username – Name of an SSH user. (Range: 1-8 characters)
• dsa – DSA public key type.

Related Commands: ip ssh crypto zeroize (4-39), ip ssh save host-key (4-39)

ip ssh crypto zeroize: This command clears the host key from memory (i.e., RAM).
Syntax: ip ssh crypto zeroize [ dsa | rsa ]
• dsa – DSA key type.

Example
Related Commands: ip ssh crypto host-key generate (4-38)

show ip ssh: This command displays the connection settings used when authenticating client access to the SSH server.
Command Mode: Privileged Exec
Example

show ssh: This command displays the current SSH server connections.

show public-key: This command shows the public key for the specified user or for the host.
Syntax: show public-key [ user [ username ] | host ]
username – Name of an SSH user. (Range: 1-8 characters)
Default Setting: Shows all public keys.

Example:
Console#show public-key host
Host:
RSA:
1024 35 156849954018676692593339467750546173253 1367489083654725415020245593199868 54435836165199992332978176606583095861.
Event Logging Commands
logging on: This command controls logging of error messages, sending debug or error messages to switch memory.

logging history: This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
Syntax: logging history { flash | ram } level / no logging history { flash | ram }
• flash - Event history stored in flash memory (i.

logging host: This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
Syntax: [ no ] logging host host_ip_address
host_ip_address - The IP address of a syslog server.
Always configure at least one remote syslog host: messages kept only in RAM are lost at reboot, and anyone with privileged access to the switch can clear the local log, so the off-box copy is the one an investigation can rely on.

logging trap: This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.

Related Commands: show logging (4-47)

show logging: This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.

The following example displays settings for the trap function.
Related Commands: show logging sendmail (4-52)

show log: This command displays the system and event messages stored in memory.
Syntax: show log { flash | ram } [ login ] [ tail ]
•  flash - Event history stored in flash memory (i.
Example: The following example shows sample messages stored in RAM.

SMTP Alert Commands
These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.

Command Mode: Global Configuration
Command Usage:
• You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.

logging sendmail source-email: This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address.
Syntax: [ no ] logging sendmail source-email email-address
email-address - The source email address used in alert messages.

logging sendmail: This command enables SMTP event handling. Use the no form to disable this function.
Syntax: [ no ] logging sendmail
Default Setting: Enabled
Command Mode: Global Configuration
Example

show logging sendmail: This command displays the settings for the SMTP event handler.
Time Commands
The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries, which is what allows switch events to be correlated with logs from other systems during an investigation. Note that the SNTP client configured here is unauthenticated, so point the switch at time servers on a trusted management network.

Example
Related Commands: sntp server (4-54), sntp poll (4-55), show sntp (4-55)

sntp server: This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list.

sntp poll: This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default.
Syntax: sntp poll seconds / no sntp poll
seconds - Interval between time requests.

clock timezone: This command sets the time zone for the switch’s internal clock.
Syntax: clock timezone name hour hours minute minutes { before-utc | after-utc }
• name - Name of timezone, usually an acronym. (Range: 1-29 characters)
• hours - Number of hours before/after UTC.

Default Setting: None
Command Mode: Privileged Exec
Example: This example shows how to set the system clock to 15:12:34, April 1st, 2004.
Command Usage:
• Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes.

Related Commands: show running-config (4-59)

show running-config: This command displays the configuration information currently in use.

Example
Related Commands: show startup-config (4-57)
Console#show running-config
building startup-config, please wait...
..
!
phymap 00-12-cf-ce-2a-20 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00
!
SNTP server 0.

show system: This command displays system information.
Default Setting: None
Command Mode: Normal Exec, Privileged Exec
Command Usage:
• For a description of the items shown by this command, refer to “Displaying System Information” on page 3-10.

Command Usage: The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Example

show version: This command displays hardware and software version information for the system.

Example

Frame Size Commands
jumbo frame: This command enables support for jumbo frames. Use the no form to disable it.

• Enabling jumbo frames will limit the maximum threshold for broadcast storm control to 64 packets per second. (See the switchport broadcast command on page 4-122.)
• The current setting for jumbo frames can be displayed with the show system command (page 4-61).
Flash/File Commands
• https-certificate - Copies an HTTPS certificate from a TFTP server to the switch.
• public-key - Keyword that allows you to copy an SSH key from a TFTP server. (“Secure Shell Commands” on page 4-33)
• unit - Keyword that allows you to copy to/from a unit.
TFTP has no authentication or encryption: anything placed on the server can be fetched by anyone who can reach it, and a transfer in flight can be altered. Run the TFTP server only on an isolated management network, remove configuration files (which carry password hashes and SNMP community strings) from it once the transfer is done, and check show running-config afterwards to confirm what was actually loaded.

Example: The following example shows how to upload the configuration settings to a file on the TFTP server:

The following example shows how to copy the running configuration to a startup file.

This example shows how to copy a public key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch:

delete: This command deletes a file or image.

dir: This command displays a list of files in flash memory.
Syntax: dir [ unit: ] {{ boot-rom: | config: | opcode: } [ :filename ]}
The type of file or image to display includes:
• boot-rom - Boot ROM (or diagnostic) image file.

whichboot: This command displays which files were booted when the system powered up.
Syntax: whichboot [ unit ]
unit - Stack unit. (Always unit 1)
Default Setting: None
Command Mode: Privileged Exec
Example: This example shows the information displayed by the whichboot command.

Command Usage:
• A colon (:) is required after the specified unit number and file type.
• If the file contains an error, it cannot be set as the default file.
Authentication Commands
authentication login: This command defines the login authentication method and precedence. Use the no form to restore the default.
Syntax: authentication login {[ local ] [ radius ] [ tacacs ]} / no authentication login
• local - Use local password.

authentication enable: This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-19). Use the no form to restore the default.

Command Usage:
• RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best-effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS hides only the password in the Access-Request packet from the client to the server (the User-Password attribute is XORed with an MD5 keystream derived from the shared secret and the request authenticator), while TACACS+ obscures the entire body of the packet. Neither mechanism is strong by current standards: both rest entirely on the shared secret, which an attacker who captures the exchange can attack offline, so use long random keys (radius-server key, tacacs-server key) and keep the AAA traffic on a protected management network.
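To make the RADIUS point above concrete, here is an added Python example (not SMC’s code and not from any RADIUS library) that builds an Access-Request the way RFC 2865 describes it, hides the User-Password attribute with the shared secret, and then shows the consequence: the user name is readable in the packet, and a weak shared secret can be recovered offline from one captured request by trying candidates until the unhidden attribute looks like a padded password. User name, password, secret, authenticator and word list are constructed test data.

```python
"""RADIUS hides only the User-Password attribute (RFC 2865, section 5.2); every
other attribute, and the packet structure itself, travels in the clear.

Added example, not SMC's or any RADIUS library's code.  Packet layout and the
hiding algorithm follow RFC 2865; user name, password, shared secret,
authenticator and word list are CONSTRUCTED test data.
"""
import hashlib
import secrets
import string
from typing import Iterable, Optional

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
_PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c_1 = p_1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1}), in 16-byte blocks."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def _unhide_raw(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _unhide_raw(hidden, secret, authenticator).rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Code | Identifier | Length | Request Authenticator | attributes (type, len, value)."""
    authenticator = authenticator or secrets.token_bytes(16)  # must be fresh per request
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user          # sent in the clear
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden  # the only hidden field
    length = 20 + len(attrs)
    return bytes([CODE_ACCESS_REQUEST, ident]) + length.to_bytes(2, "big") + authenticator + attrs


def get_attribute(packet: bytes, attr_type: int) -> bytes:
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        if t == attr_type:
            return packet[pos + 2:pos + length]
        pos += length
    raise KeyError(attr_type)


def recover_secret(packet: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on one captured Access-Request: a candidate secret is
    accepted when the unhidden attribute is printable text followed only by NUL padding."""
    authenticator = packet[4:20]
    hidden = get_attribute(packet, ATTR_USER_PASSWORD)
    for cand in candidates:
        raw = _unhide_raw(hidden, cand, authenticator)
        plain = raw.rstrip(b"\x00")
        if plain and b"\x00" not in plain and all(b in _PRINTABLE for b in plain):
            return cand
    return None
```

Because the keystream depends only on the secret and the 16-byte authenticator that is itself in the packet, the work factor of the attack is one MD5 per candidate secret; that is why the radius-server key should be long and random rather than a word, and why the exchange should not cross untrusted networks at all.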
radius-server host: This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server.

Command Mode: Global Configuration
Example

radius-server key: This command sets the RADIUS encryption key. Use the no form to restore the default.
Syntax: radius-server key key_string / no radius-server key
key_string - Encryption key used to authenticate logon access for the client.

radius-server timeout: This command sets the interval between transmitting authentication requests to the RADIUS server.

TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network.

Command Mode: Global Configuration
Example

tacacs-server key: This command sets the TACACS+ encryption key. Use the no form to restore the default.
Syntax: tacacs-server key key_string / no tacacs-server key
key_string - Encryption key used to authenticate logon access for the client.
Port Security Commands
These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.

Command Usage:
• If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
• A MAC address is trivially spoofed, so port security limits accidental or opportunistic connections (an extra hub, a second PC) rather than authenticating the device. Where the attached device must be authenticated, use 802.1X (next section).

802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication.

dot1x default: This command sets all configurable dot1x global and port settings to their default values.
Command Mode: Global Configuration
Example

dot1x max-req: This .

Default: force-authorized
Command Mode: Interface Configuration
Example

dot1x operation-mode: This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. In multi-host mode a single successful authentication opens the port for every device behind it, so restrict it to ports where that is acceptable.
dot1x re-authenticate: This command forces re-authentication on all ports or a specific interface.
Syntax: dot1x re-authenticate [ interface ]
interface
• ethernet unit/port
- unit - Stack unit. (Always unit 1)
- port - Port number.

Command Mode: Interface Configuration
Example

dot1x timeout re-authperiod: This command sets the time period after which a connected client must be re-authenticated.
Syntax: dot1x timeout re-authperiod seconds / no dot1x timeout re-authperiod
seconds - The number of seconds.

Example

show dot1x: This command shows general port authentication related settings on the switch or a specific interface.
Syntax: show dot1x [ statistics ] [ interface interface ]
• statistics - Displays dot1x status for each port.

• 802.1X Port Details – Displays the port access control parameters for each interface, including the following items:
- reauth-enabled – Periodic re-authentication (page 4-84).
- reauth-period – Time after which a connected client must be re-authenticated (page 4-85).

Example:
Console#show dot1x
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port  Name  Status    Operation Mode  Mode             Authorized
1/1         disabled  Single-Host     ForceAuthorized  n/a
1/2         enabled   Single-Host     auto             yes .
Access Control List Commands
Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number) or any frames (based on MAC address or Ethernet type).

IP ACLs
access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IP ACLs.

Related Commands: permit, deny (4-91), ip access-group (4-93), show ip access-list (4-93)

permit, deny (Standard ACL): This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source.

Syntax: [ no ] { permit | deny } [ protocol-number | udp ] { any | source address-bitmask | host source } { any | destination address-bitmask | host destination } [ .

This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP).
Related Commands: access-list ip (4-90)

show ip access-list: This command displays the rules for configured IP ACLs.

Command Usage:
• A port can only be bound to one ACL.
• If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.
• You must configure a mask for an ACL rule before you can bind it to a port.
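The matching model behind these rules (first match in list order, “host” and “address bitmask” source and destination forms, an optional Layer 4 port) is easy to get wrong once rules are appended over time. The following Python script is an added example, not the switch’s own code, that evaluates a small extended IP ACL with those semantics and flags rules that an earlier rule makes unreachable. The sample rules are constructed around the page’s HTTP example; the action taken when no rule matches is an assumption (deny) that you should confirm on the actual platform.

```python
"""Evaluate IP ACL rules as the page describes them and detect shadowed rules.

Added example; not the switch's code.  Modelled semantics: rules are checked
in list order and the first match decides; an address spec is "any",
"host A.B.C.D" or "A.B.C.D BITMASK" where a 1 bit in the bitmask means that
bit must match.  DEFAULT_ACTION for a packet matching no rule is an ASSUMPTION.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

DEFAULT_ACTION = "deny"  # assumption, verify against the real switch
_PROTO_NUMBER = {"icmp": "1", "tcp": "6", "udp": "17"}


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "any", "tcp", "udp" or a protocol number as a string
    src: str                     # "any", "host 10.1.1.21" or "192.168.1.0 255.255.255.0"
    dst: str
    dport: Optional[int] = None  # destination L4 port, None = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


def _parse_spec(spec: str) -> Tuple[int, int]:
    """(network, bitmask) as integers; 'host X' is X with an all-ones mask."""
    if spec.startswith("host "):
        return int(IPv4Address(spec[5:])), 0xFFFFFFFF
    net, mask = spec.split()
    return int(IPv4Address(net)), int(IPv4Address(mask))


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    net, mask = _parse_spec(spec)
    return net & mask == int(IPv4Address(addr)) & mask


def _proto_matches(spec: str, proto: str) -> bool:
    return spec == "any" or spec == proto or spec == _PROTO_NUMBER.get(proto)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_proto_matches(rule.proto, pkt.proto)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule) or (DEFAULT_ACTION, None)."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return DEFAULT_ACTION, None


def _addr_covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    onet, omask = _parse_spec(outer)
    inet, imask = _parse_spec(inner)
    # outer may only compare bits that inner also compares, and must agree on them
    return (omask & ~imask) == 0 and (onet & omask) == (inet & omask)


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers them."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if ((earlier.proto == "any" or earlier.proto == later.proto)
                    and _addr_covers(earlier.src, later.src)
                    and _addr_covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(j)
                break
    return out


# Constructed sample: the page's "class C 192.168.1.0 to HTTP" permit, followed by a
# deny for one host that was appended later and therefore never takes effect.
SAMPLE_ACL = [
    Rule("permit", "tcp", "192.168.1.0 255.255.255.0", "any", 80),
    Rule("deny", "tcp", "host 192.168.1.9", "any", 80),
    Rule("permit", "udp", "any", "host 10.0.0.53", 53),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, Packet("192.168.1.9", "10.0.0.1", "tcp", 80)))
    print("shadowed rule indices:", shadowed_rules(SAMPLE_ACL))
```

Since new rules are always appended, a deny that should override an earlier permit has to be entered first, which on this switch means removing the broader permit with the no form and re-adding it after the exception; running shadowed_rules over the exported rule set before binding the ACL with ip access-group catches that mistake.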
MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.

permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.

Default Setting: None
Command Mode: MAC ACL
Command Usage:
• New rules are added to the end of the list.
• The ethertype option can only be used to filter Ethernet II formatted packets.
• A detailed listing of Ethernet protocol types can be found in RFC 1060 (“Assigned Numbers”, since superseded; the IEEE Registration Authority maintains the current EtherType registry).

mac access-group: This command binds a port to a MAC ACL. Use the no form to remove the port.
Syntax: mac access-group acl_name in
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.

ACL Information
show access-list: This command shows all ACLs and associated rules, as well as all the user-defined masks.
SNMP Commands
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.

snmp-server: This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.

Example

snmp-server community: This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string. A community string is the only credential SNMPv1/v2c has, and it crosses the network in cleartext with every request; remove the well-known “public” and “private” strings, avoid read/write community access altogether, and use SNMPv3 users with authentication and privacy (snmp-server user) for anything that can change the configuration.

• private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
Command Mode: Global Configuration
Example

snmp-server contact: This command sets the system contact string. Use the no form to remove the system contact information.
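The community-string advice above joins the earlier points about Telnet, HTTP, idle timeouts, remote logging and time sources into one checklist, so here is an added Python example (not SMC’s code) that audits a running-config for those settings and prints the corrective commands this chapter documents. Both sample configurations are constructed from command forms shown on the page; the exact spelling in a real show running-config dump may differ, so the patterns are a starting point rather than a finished scanner.

```python
"""Scan a running-config for the management-plane weaknesses covered in this
chapter and emit the corrective commands the page documents.

Added example, not SMC's code.  SAMPLE_CONFIG and HARDENED_CONFIG are
CONSTRUCTED from command forms shown on the page; adjust the patterns to the
exact spelling of a real 'show running-config' dump before relying on them.
"""
import re
from typing import List, Tuple

SAMPLE_CONFIG = """\
hostname access-sw-1
ip http server
ip telnet server
snmp-server community public ro
snmp-server community private rw
snmp-server host 10.0.0.5 public version 1
!
line vty
 exec-timeout 0
 login local
"""

HARDENED_CONFIG = """\
hostname access-sw-1
no ip http server
no ip telnet server
logging host 10.0.0.9
logging trap
sntp server 10.0.0.123
!
line vty
 exec-timeout 600
 login local
"""

Finding = Tuple[str, str]  # (code, offending line or note)

REMEDIATION = {
    "TELNET_ENABLED": "no ip telnet server  (manage over SSH instead)",
    "HTTP_ENABLED": "no ip http server  (use the HTTPS server)",
    "SNMP_DEFAULT_COMMUNITY": "no snmp-server community <public|private>",
    "SNMP_RW_COMMUNITY": "replace rw community access with an SNMPv3 user (snmp-server user)",
    "SNMP_UNAUTH_TRAPS": "send notifications to an SNMPv3 host; v1/v2c traps expose the community string",
    "NO_IDLE_TIMEOUT": "exec-timeout <seconds>  (non-zero, on console and vty lines)",
    "NO_REMOTE_SYSLOG": "logging host <syslog-ip> and logging trap",
    "NO_TIME_SYNC": "sntp server <ntp-ip>  (so log timestamps can be correlated)",
}


def audit(config: str) -> List[Finding]:
    lines = [ln.strip() for ln in config.splitlines()
             if ln.strip() and not ln.strip().startswith("!")]
    findings: List[Finding] = []
    for ln in lines:
        if ln == "ip telnet server":
            findings.append(("TELNET_ENABLED", ln))
        elif ln == "ip http server":
            findings.append(("HTTP_ENABLED", ln))
        elif (m := re.fullmatch(r"snmp-server community (\S+)(?: (ro|rw))?", ln)):
            if m.group(1).lower() in ("public", "private"):
                findings.append(("SNMP_DEFAULT_COMMUNITY", ln))
            if m.group(2) == "rw":
                findings.append(("SNMP_RW_COMMUNITY", ln))
        elif (m := re.match(r"snmp-server host \S+ \S+(?: version (\S+))?", ln)):
            if (m.group(1) or "1") in ("1", "2c"):  # page: version 1 is the default
                findings.append(("SNMP_UNAUTH_TRAPS", ln))
        elif re.fullmatch(r"exec-timeout 0", ln):
            findings.append(("NO_IDLE_TIMEOUT", ln))
    if not any(ln.startswith("logging host ") for ln in lines):
        findings.append(("NO_REMOTE_SYSLOG", "no 'logging host' configured"))
    if not any(ln.startswith("sntp server ") for ln in lines):
        findings.append(("NO_TIME_SYNC", "no 'sntp server' configured"))
    return findings


def remediation_plan(findings: List[Finding]) -> List[str]:
    """One corrective command per distinct finding code, in the order found."""
    seen, plan = set(), []
    for code, _ in findings:
        if code not in seen:
            seen.add(code)
            plan.append(REMEDIATION[code])
    return plan


if __name__ == "__main__":
    for code, where in audit(SAMPLE_CONFIG):
        print(f"{code:24} {where}")
    print("--- fix with ---")
    print("\n".join(remediation_plan(audit(SAMPLE_CONFIG))))
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The script deliberately treats a trap host without an explicit version as SNMPv1, because that is the default this page documents; an operator who only ever typed snmp-server host 10.0.0.5 public is sending the community string across the network in every notification without having chosen to.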
Command Mode: Global Configuration
Example
Related Commands: snmp-server contact (4-103)

snmp-server host: This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.

• SNMP Version: 1
• UDP Port: 162
Command Mode: Global Configuration
Command Usage:
• If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command.

supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications.
• If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name.

conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 4-110).
Example
Related Commands: snmp-server host (4-104)

snmp-server engine-id: This command configures an identification string for the SNMPv3 engine.

fill the octet. For example, entering the value “123456789” results in an engine ID of “1234567890”.
• A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID.
snmp-server view: This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
Syntax: snmp-server view view-name oid-tree { included | excluded } / no snmp-server view view-name
• view-name - Name of an SNMP view.

show snmp view: This command shows information on the SNMP views.
Command Mode: Privileged Exec
Example

snmp-server group: This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.

Default Setting:
• Default groups: public 17 (read only), private 18 (read/write)
• readview - Every object belonging to the Internet OID space (1.3.6.1).
• writeview - Nothing is defined.
• notifyview - Nothing is defined.

show snmp group: Four default groups are provided – SNMP v1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
snmp-server user: This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View.

Default Setting: None
Command Mode: Global Configuration
Command Usage:
• The SNMP engine ID is used to compute the authentication/privacy digests from the password: following RFC 3414, the password is first hashed into an intermediate key and that key is then localized by hashing it together with the engine ID, so the keys stored for a user are valid for one engine ID only. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command; changing the engine ID afterwards invalidates every existing SNMPv3 user, which must then be re-created.

show snmp user: This command shows information on SNMP users.
Command Mode: Privileged Exec
Example:
Console#show snmp user
EngineId: 800000ca030030f1df9ca00000
User Name: steve
Aut.
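The dependency on the engine ID is easiest to see by carrying the derivation through. The following Python script is an added example, not SMC’s code, implementing the RFC 3414 password-to-key and key-localization steps together with the engine-ID padding rule quoted above (“123456789” becomes “1234567890”). The “maplesyrup” vector and its engine ID are the ones published in RFC 3414 appendix A.3; the second engine ID is the format shown in the show snmp user output and is used only to show that the localized key changes with it.

```python
"""SNMPv3 USM key derivation (RFC 3414, appendix A.2/A.3) and the page's
engine-ID padding rule.

Added example, not SMC's code.  The test vector (password "maplesyrup",
engine ID 000000000000000000000002) is the one published in RFC 3414 A.3;
"123456789" -> "1234567890" is the padding example from the page.
"""
import hashlib
from typing import Dict

_DIGEST_FOR = {"md5": "md5", "sha": "sha1", "sha1": "sha1"}


def normalize_engine_id(hex_digits: str) -> bytes:
    """Hex string as typed on the CLI; an odd number of digits gets a trailing 0 (page rule)."""
    s = hex_digits.strip().lower().replace(":", "")
    if not s or any(c not in "0123456789abcdef" for c in s):
        raise ValueError("engine ID must be hexadecimal digits")
    if len(s) % 2:
        s += "0"
    return bytes.fromhex(s)


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: hash of 1,048,576 bytes of the password repeated (RFC 3414 A.2.1 / A.2.2)."""
    if not password:
        raise ValueError("empty password")
    total = 1_048_576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(_DIGEST_FOR[algo], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key the agent actually stores for the user."""
    return hashlib.new(_DIGEST_FOR[algo], ku + engine_id + ku).digest()


def derive_usm_keys(password: bytes, engine_id_hex: str, algo: str = "md5") -> Dict[str, bytes]:
    """Everything an agent keeps for a user, from the CLI-typed password and engine ID."""
    eid = normalize_engine_id(engine_id_hex)
    ku = password_to_key(password, algo)
    return {"engine_id": eid, "ku": ku, "kul": localize_key(ku, eid, algo)}


if __name__ == "__main__":
    before = derive_usm_keys(b"maplesyrup", "000000000000000000000002")
    # engine ID in the style of the show snmp user output; only here to show the effect
    after = derive_usm_keys(b"maplesyrup", "800000ca030030f1df9ca00000")
    print("Kul with RFC engine ID    :", before["kul"].hex())
    print("Kul after engine-id change:", after["kul"].hex())
```

Two practical consequences follow from the code: the same password yields different stored keys on every switch because each has its own engine ID, so a captured key from one device does not open another; and the 1 MiB expansion step is the only thing slowing down an offline guess against a captured authenticated PDU, which is why SNMPv3 passwords should be long.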
Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.

interface: This command configures an interface type and enters interface configuration mode.

Command Mode: Global Configuration
Example: To specify port 24, enter the following command:

description: This command adds a description to an interface.

Default Setting:
• Auto-negotiation is enabled by default.
• When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports.

• If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
Example: The following example configures port 11 to use autonegotiation.

Example: The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.
Related Commands: negotiation (4-118), speed-duplex (4-117), flowcontrol (4-120)

flowcontrol: This command enables flow control.

Example: The following example enables flow control on port 5.
Related Commands: negotiation (4-118), capabilities (flowcontrol, symmetric) (4-119)

shutdown: This command disables an interface. To restart a disabled interface, use the no form. Shut down every port that is not in use, so that an unattended wall jack cannot be used to join the network without someone first re-enabling it.
switchport broadcast packet-rate: This command configures broadcast storm control. Use the no form to disable broadcast storm control.
Syntax: switchport broadcast packet-rate rate / no switchport broadcast
rate - Threshold level as a rate in packets per second; i.

Command Mode: Privileged Exec
Command Usage: Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session.

Example

show interfaces counters: This command displays interface statistics.
Syntax: show interfaces counters [ interface ]
interface
• ethernet unit/port
- unit - Stack unit.

Example

show interfaces switchport: This command displays the administrative and operational status of the specified interfaces.
Syntax: show interfaces switchport [ interface ]
interface
• ethernet unit/port
- unit - Stack unit.

Example: This example shows the configuration setting for port 24.
Console#show interfaces switchport ethernet 1/24
Broadcast threshold: Enabled, 500 packets/second
L.
Mirror Port Commands
This section describes how to mirror traffic from a source port to a target port. The target port receives a copy of everything the source port carries, credentials and other sensitive payloads included, so treat it as a sensitive port and remove the session once the capture is finished.

port monitor: This command configures a mirror session.

Example: The following example configures the switch to mirror received packets from port 6 to 11:

show port monitor: This command displays mirror information.
Syntax: show port monitor [ interface ]
interface - ethernet unit/port (source port)
• unit - Stack unit.

Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery.

Guidelines for Creating Trunks
General Guidelines –
• Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop.
• A trunk can have up to eight ports.

Example: The following example creates trunk 1 and then adds port 11:

lacp: This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface.

Example: The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established.

Command Mode: Interface Configuration (Ethernet)
Command Usage:
• Ports must be configured with the same system priority to join the same LAG.
• System priority is combined with the switch’s MAC address to form the LAG identifier.

• Once the remote side of a link has been established, LACP operational settings are already in use on that side.
Command Line Interfa ce 4-136 4 lacp port-priori ty This command configures LACP port priori ty . Use the no form to resto re the def ault setting. Syntax lacp { actor | pa r t n er } port-priority priority no lacp { actor | pa r t n e r } port-pri ority • actor - The local side an aggregat e link.
Link Aggregation Commands 4-137 4 Default Setting Port Channel: all Command Mode Privileged Exec Example Console#show lacp 1 counters Port channel : 1 --------------------------------------- ---------.
Command Line Interfa ce 4-138 4 T able 4-48 show lacp internal - display desc ription Field Description Oper Key Current operational value of the ke y for the aggregation port. Admin Key Current administrative valu e of the key for the aggregation port.
Link Aggregation Commands 4-139 4 T able 4-49 show lacp neighbors - display description Field Description Partner Admin System ID LAG partner’s system ID assign ed by the user . Partner Oper Syst em ID LAG partner’s sys tem ID assigned by the LACP protocol.
Address Table Commands. These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. mac-address-table static: This command maps a static address to a destination port in a VLAN.
Command Usage: The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table.
• sort - Sort by address, vlan or interface. Default Setting: None. Command Mode: Privileged Exec. Command Usage: • The MAC Address Table contains the MAC addresses associated with each interface.
Example. show mac-address-table aging-time: This command shows the aging time for entries in the address table. Default Setting: None. Command Mode: Privileged Exec. Example: Console(config)#mac-address-table aging-time 100 Console(config)# Console#show mac-address-table aging-time Aging time: 100 sec.
Spanning Tree Commands. This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
spanning-tree: This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.
- This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
Command Usage: This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
spanning-tree max-age: This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax: spanning-tree max-age seconds; no spanning-tree max-age. seconds - Time in seconds.
Default Setting: 32768. Command Mode: Global Configuration. Command Usage: Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lowest numeric value) becomes the STA root device.
spanning-tree transmission-limit: This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax: spanning-tree transmission-limit count; no spanning-tree transmission-limit. count - The transmission limit in seconds.
mst vlan: This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Using the no form without any VLAN parameters removes all VLANs. Syntax: [no] mst instance_id vlan vlan-range • instance_id - Instance identifier of the spanning tree.
Default Setting: 32768. Command Mode: MST Configuration. Command Usage: • MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device.
revision: This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax: revision number. number - Revision number of the spanning tree.
specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU.
• Fast Ethernet – half duplex: 200,000; full duplex: 100,000; trunk: 50,000 • Gigabit Ethernet – full duplex: 10,000; trunk: 5,000 • 10 Gigabit Ethernet .
Related Commands: spanning-tree cost (4-154). spanning-tree edge-port: This command specifies an interface as an edge port.
Command Usage: • This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding.
• RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden.
Example. Related Commands: spanning-tree mst port-priority (4-159). spanning-tree mst port-priority: This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
spanning-tree protocol-migration: This command re-checks the appropriate BPDU format to send on the selected interface. Syntax: spanning-tree protocol-migration interface. interface • ethernet unit/port - unit - Stack unit.
Command Usage: • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
show spanning-tree mst configuration: This command shows the configuration of the multiple spanning tree. Command Mode: Privileged Exec. Example: -----------------------.
VLAN Commands. A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
bridge-ext gvrp: This command enables GVRP globally for the switch. Use the no form to disable it. Syntax: [no] bridge-ext gvrp. Default Setting: Disabled. Command Mode.
switchport gvrp: This command enables GVRP for a port. Use the no form to disable it. Syntax: [no] switchport gvrp. Default Setting: Disabled. Command Mode: Interface Configuration (Ethernet, Port Channel). Example. show gvrp configuration: This command shows if GVRP is enabled.
garp timer: This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers' default values. Syntax: garp timer {join | leave | leaveall} timer_value; no garp timer {join | leave | leaveall} • {join | leave | leaveall} - Which timer to set.
Syntax: show garp timer [interface]. interface • ethernet unit/port - unit - Stack unit. (Always unit 1) - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32). Default Setting: Shows all GARP timers.
Command Usage: • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command. • Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.
Example: The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default. Related Commands: show vlan (4-175). Configuring VLAN Interfaces. interface vlan: This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface.
Example: The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Related Commands: shutdown (4-121). switchport mode: This command configures the VLAN membership mode for a port.
switchport acceptable-frame-types: This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax: switchport acceptable-frame-types {all | tagged}; no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged.
Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: • Ingress filtering only affects tagged frames. • With ingress filtering enabled, a port will discard received frames tagged for VLANs of which it is not a member.
switchport allowed vlan: This command configures VLAN groups on the selected interface. Use the no form to restore the default. Note: Each port can only have one untagged VLAN. If a second VLAN is defined for a port as untagged, the other VLAN that had untagged status will automatically be changed to tagged.
Example: The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: switchport forbidden vlan: This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Displaying VLAN Information. show vlan: This command shows VLAN information. Syntax: show vlan [id vlan-id | name vlan-name | private-vlan private-vlan-type] • id - Keyword to be followed by the VLAN ID. - vlan-id - ID of the configured VLAN.
Configuring IEEE 802.1Q Tunneling. IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs.
Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
switchport dot1q-tunnel tpid: This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting. Syntax: switchport dot1q-tunnel tpid tpid; no switchport dot1q-tunnel tpid. tpid – Sets the ethertype value for 802.
Example. Related Commands: switchport dot1q-tunnel mode (4-177). Configuring Private VLANs. Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This section describes commands used to configure private VLANs.
• up-link - Specifies an uplink interface. • down-link - Specifies a downlink interface. Default Setting: No private VLANs are defined. Command Mode: Global Configuration. Command Usage: • A private VLAN provides port-based security and isolation between ports within the VLAN.
Configuring Protocol-based VLANs. The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
• protocol - Protocol type. The only option for the llc_other frame type is ipx_raw. The options for all other frame types include: ip, arp, rarp, and user-defined (0801-FFFF hexadecimal). Default Setting: No protocol groups are configured.
- If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface. Example: The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
Command Mode: Privileged Exec. Example: This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2: Priorit.
Priority Commands. queue mode: This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues.
Default Setting: The priority is not set, and the default value for untagged frames received on the interface is zero. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: • The precedence for priority mapping is IP DSCP, and default switchport priority.
Command Usage: WRR controls bandwidth sharing at the egress port by defining scheduling weights. Example: This example shows how to assign WRR weights to priority queues 0 - 2: Related Commands: show queue bandwidth (4-188). queue cos-map: This command assigns class of service (CoS) values to the priority queues (i.
Command Usage: • CoS values assigned at the ingress port are also used at the egress port. Example: The following example shows how to change the CoS assignments: Related Commands: show queue cos-map (4-189). show queue mode: This command shows the current queue mode.
Example. show queue cos-map: This command shows the class of service priority map. Syntax: show queue cos-map [interface]. interface • ethernet unit/port - unit - Stack unit.
Syntax: [no] map ip dscp. Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: • The precedence for priority mapping is IP DSCP, and default switchport priority.
Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: • The precedence for priority mapping is IP DSCP, and default switchport priority. • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.
Example. Related Commands: map ip dscp (Global Configuration) (4-189), map ip dscp (Interface Configuration) (4-190). Quality of Service Commands. The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies.
To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
class-map: This command creates a class map used for matching packets to the specified class, and enters Class Map configuration mode.
• vlan - A VLAN. (Range: 1-4094). Default Setting: None. Command Mode: Class Map Configuration. Command Usage: • First enter the class-map command to designate a class map and enter the Class Map configuration mode.
Command Usage: • Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches criteria defined in a class map.
Example: This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to c.
police: This command defines a policer for classified traffic. Use the no form to remove a policer. Syntax: [no] police rate-kbps burst-byte [exceed-action {drop | set}] • rate-kbps - Rate in kilobits per second.
service-policy: This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface. Syntax: [no] service-policy input policy-map-name • input - Apply to the input traffic.
Example. show policy-map: This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations. Syntax: show policy-map [policy-map-name [class class-map-name]] • policy-map-name - Name of the policy map.
Command Mode: Privileged Exec. Example. Multicast Filtering Commands. This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
ip igmp snooping: This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax: [no] ip igmp snooping. Default Setting: Enabled. Command Mode: Global Configuration. Example: The following example enables IGMP snooping.
ip igmp snooping version: This command configures the IGMP snooping version. Use the no form to restore the default.
• The leave-proxy feature does not function when a switch is set as the querier. Example. ip igmp snooping immediate-leave: This command enables IGMP immediate leave for a specific VLAN. Use the no form to disable the feature for a VLAN.
Example: The following shows the current IGMP snooping configuration: show mac-address-table multicast: This command shows known multicast addresses.
IGMP Query Commands (Layer 2). ip igmp snooping querier: This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax: [no] ip igmp snooping querier. Default Setting: Enabled. Command Mode: Global Configuration. Command Usage: If enabled, the switch will serve as querier if elected.
Default Setting: 2 times. Command Mode: Global Configuration. Command Usage: The query count defines how long the querier waits for a response from a multicast client before taking action.
ip igmp snooping query-max-response-time: This command configures the query report delay. Use the no form to restore the default. Syntax: ip igmp snooping query-max-response-time seconds; no ip igmp snooping query-max-response-time. seconds - The report delay advertised in IGMP queries.
Default Setting: 300 seconds. Command Mode: Global Configuration. Command Usage: The switch must use IGMPv2 for this command to take effect.
Command Usage: Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier.
IGMP Filtering and Throttling Commands. In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
• The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic. Example. ip igmp profile: This command creates an IGMP filter profile number and enters IGMP profile configuration mode.
• When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range.
Command Mode: Interface Configuration. Command Usage: • The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface. • Only one profile can be assigned to an interface.
Example. ip igmp max-groups action: This command sets the IGMP throttling action for an interface on the switch. Syntax: ip igmp max-groups action {replace | deny} • replace - The new multicast group replaces an existing group.
Command Mode: Privileged Exec. Example. show ip igmp profile: This command displays IGMP filtering profiles created on the switch. Syntax: show ip igmp profile [profile-number]. profile-number - An existing IGMP filter profile number.
- port - Port number. (Range: 1-29) • port-channel channel-id (Range: 1-32). Default Setting: None. Command Mode: Privileged Exec. Command Usage: Using this command without specifying an interface displays all interfaces.
mvr (Global Configuration): This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword.
mvr (Interface Configuration): This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword.
Command Usage: • A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering. • MVR receiver ports cannot be members of a trunk.
show mvr: This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.
The following displays information about the interfaces attached to the MVR VLAN: The following shows information about the interfaces associated with multicast.
IP Interface Commands. An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
• If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address.
ip dhcp restart: This command submits a BOOTP or DHCP client request. Default Setting: None. Command Mode: Privileged Exec. Command Usage: • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
show ip redirects: This command shows the default gateway configured for this device. Default Setting: None. Command Mode: Privileged Exec. Example. Related Commands: ip default-gateway (4-224). ping: This command sends ICMP echo request packets to another node on the network.
Example. Related Commands: interface (4-116). IP Source Guard Commands. IP Source Guard is a security feature that filters IP traffic on network interfaces based on m.
Syntax: ip source-guard {sip | sip-mac}; no ip source-guard • sip - Filters traffic based on IP addresses stored in the binding table. • sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
is static IP source guard binding, static DHCP snooping binding or dynamic DHCP snooping binding, the packet will be forwarded.
table, or static addresses configured in the source guard binding table with this command. • Static bindings are processed as follows: - If there is no entry with the same VLAN ID and MAC address, a new entry is added to the binding table using the type of static IP source guard binding.
Example. DHCP Snooping Commands. DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
firewall. When DHCP snooping is enabled globally by this command, and enabled on a VLAN interface by the ip dhcp snooping vlan command (page 4-233), DHCP messages rec.
receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
Related Commands: ip dhcp snooping (4-231), ip dhcp snooping trust (4-234). ip dhcp snooping trust: This command configures the specified interface as trusted.
ip dhcp snooping verify mac-address: This command verifies the client's hardware address stored in the DHCP packet against the source MAC address in the Ethernet header.
identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
show ip dhcp snooping: This command shows the DHCP snooping configuration settings. Command Mode: Privileged Exec. Example. show ip dhcp snooping binding: This command shows the DHCP snooping binding table entries.
cluster: This command enables clustering on the switch. Use the no form to disable clustering. Syntax: [no] cluster. Default Setting: Enabled. Command Mode: Global Config.
cluster commander: This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander.
subnet. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander. • You cannot change the cluster IP pool when the switch is currently in Commander mode.
Commander is not supported. • There is no need to enter the username and password for access to the Member switch CLI. Example. show cluster: This command shows the switch clustering configuration. Command Mode: Privileged Exec. Example. show cluster members: This command shows the current switch cluster members.
show cluster candidates: This command shows the discovered Candidate switches in the network. Command Mode: Privileged Exec. Example: Console#show cluster candidates Clus.
Appendix A: Software Specifications. Software Features: Authentication - Local, RADIUS, TACACS, Port (802.1X), HTTPS, SSH, Port Security. Access Control Lists - 128 ACLs (96 MAC rules, 96 IP rules). DH.
Quality of Service - DiffServ supports class maps, policy maps, and service policies. Additional Features - BOOTP client, SNTP (Simple Network Time Protocol), SNMP (Simple.
Management Information Bases: RMON (RFC 1757 groups 1,2,3,9), SNMP (RFC 1157), SNMPv2 (RFC 2571), SNMPv3 (RFC DRAFT 3414, 3410, 2273, 3411, 3415), SNTP (RFC 2030), SSH (Version 2.
Appendix B: Troubleshooting. Problems Accessing the Management Interface. Table B-1 Troubleshooting Chart. Symptom / Action: Cannot connect using Telnet, web browser, or SNMP software - • Be sure the switch is powered up. • Check network cabling between the management station and the switch.
Using System Logs. If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging.
Glossary. Access Control List (ACL): ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.
GARP VLAN Registration Protocol (GVRP): Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.
IGMP Snooping: Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
Multicast Switching: A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group. Network Time Protocol (NTP): NTP provides the mechanisms to synchronize time across the network.
Secure Shell (SSH): A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.
Virtual LAN (VLAN): A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network.
Index. Numerics: 802.1Q tunnel 3-133, 4-176; description 3-133; interface configuration 3-138, 4-177–4-178; mode selection 3-138; TPID 3-137, 4-178; 802.
F: firmware - displaying version 3-11, 4-62; upgrading 3-18, 4-64. G: GARP VLAN Registration Protocol - See GVRP; gateway, default 3-14, 4-224; GVRP - global setting 3-125, 4-164; interface configuration 4-165. H: hardware version, displaying 3-11, 4-62; HTTPS 3-52, 4-30; HTTPS, secure server 3-52, 4-30. I: IEEE 802.
P: password, line 4-12, 4-13; passwords 2-4; administrator setting 3-46, 4-25; path cost 3-105, 3-112; method 3-109, 4-149; STA 3-105, 3-112, 4-149; port authentication 3-60, 3-67; port priori.
switchport mode dot1q-tunnel 4-177; system clock, setting 3-31, 4-53; system logs 3-25; system mode, normal or QinQ 3-137, 4-176; system software, downloading from server 3-18. T: TACACS+,.
20 Mason • Irvine, CA 92618 • Phn: 949-679-8000 • www.smc.com 149100036100A R01 SMC8126L2 SMC8150L2 TECHNICAL SUPPORT From U.S.A. and Canada (24 hours a day, 7 days a week) Phn: 800-SMC-4-YOU / 949-679-8000 Fax: 949-502-3400 ENGLISH Technical Support information available at www.