Milan Technology MIL-SM24004TG manual



Table of contents for the manual

  • Page 1

    8VHU0DQXDO 0,/607* 3RUW&RPER6)3 6ORWV *LJDELW(WKHUQHW0XOWL/DHU 0DQDJHPHQW6ZLWFK[...]

  • Page 2

    [...]

  • Page 3

    i Regulatory Approval - FCC Class A - UL 60950 - CSA C22.2 No. 60950 - EN60950-1 4 - CE - EN55022 Class A - EN55024 Canadian EMI Notice This Class A digital apparatus meets all the requirements of the Canadian Interference-Causing Equipment Regulations. Cet appareil numérique de la classe A respecte toutes les exigences du Règlement sur le matéri[...]

  • Page 4

    ii You can reach MiLAN Technology technical support at: E-mail: support@milan.com Telephone: +1.408.744.2751 Fax: +1.408.744.2771 MiLAN Technology 1329 Moffett Park Drive Sunnyvale, CA 94089 United States of America Telephone: +1.408.744.2775 Fax: +1.408.744.2793 http://www.milan.com info@milan.com © Copyright 2005 MiLAN Technology P/N: 9[...]

  • Page 5

    iii Contents Chapter 1: Introduction 1-1 Key Features 1-1 Description of Software Features 1-2 System Defaults 1-5 Chapter 2: Initial Configuration 2-1 Connecting to the Switch 2-1 Configuration Options 2-1 Required Connections 2-2 Remote Connections 2-3 Basic Configuration 2-3 Console Connection 2-3 Setting Passwords 2-4 Setting an IP Address 2[...]

  • Page 6

    Contents iv System Log Configuration 3-19 Remote Log Configuration 3-20 Displaying Log Messages 3-22 Sending Simple Mail Transfer Protocol Alerts 3-23 Resetting the System 3-25 Setting the System Clock 3-26 Configuring SNTP 3-26 Setting the Time Zone 3-27 Simple Network Management Protocol 3-28 Setting Community Access Strings 3-28 Specifying Tr[...]

  • Page 7

    Contents v Displaying LACP Settings and Status for the Local Side 3-77 Displaying LACP Settings and Status for the Remote Side 3-79 Setting Broadcast Storm Thresholds 3-80 Configuring Port Mirroring 3-82 Configuring Rate Limits 3-83 Showing Port Statistics 3-84 Address Table Settings 3-88 Setting Static Addresses 3-88 Displaying the Address Tabl[...]

  • Page 8

    Contents vi Mapping CoS Values to ACLs 3-137 Changing Priorities Based on ACL Rules 3-138 Multicast Filtering 3-140 Layer 2 IGMP (Snooping and Query) 3-140 Configuring IGMP Snooping and Query Parameters 3-141 Displaying Interfaces Attached to a Multicast Router 3-143 Specifying Static Interfaces for a Multicast Router 3-143 Displaying Port Members[...]

  • Page 9

    Contents vii disconnect 4-18 show line 4-19 General Commands 4-20 enable 4-20 disable 4-21 configure 4-21 show history 4-22 reload 4-22 end 4-23 exit 4-23 quit 4-24 System Management Commands 4-24 Device Designation Commands 4-25 prompt 4-25 hostname 4-25 User Access Commands 4-26 username 4-26 enable password 4-27 IP Filter Commands 4-28 manageme[...]

  • Page 10

    Contents viii logging facility 4-45 logging trap 4-46 clear logging 4-46 show logging 4-47 SMTP Alert Commands 4-48 logging sendmail host 4-49 logging sendmail level 4-49 logging sendmail source-email 4-50 logging sendmail destination-email 4-50 logging sendmail 4-51 show logging sendmail 4-51 Time Commands 4-52 sntp client 4-52 sntp server 4-53[...]

  • Page 11

    Contents ix TACACS+ Client 4-74 tacacs-server host 4-74 tacacs-server port 4-74 tacacs-server key 4-75 show tacacs-server 4-75 Port Security Commands 4-76 port security 4-76 802.1X Port Authentication 4-78 dot1x system-auth-control 4-78 authentication dot1x default 4-79 dot1x default 4-79 dot1x max-req 4-79 dot1x port-control 4-80 dot1x operation-m[...]

  • Page 12

    Contents x show map access-list mac 4-109 match access-list mac 4-110 ACL Information 4-111 show access-list 4-111 show access-group 4-111 SNMP Commands 4-112 snmp-server community 4-112 snmp-server contact 4-113 snmp-server location 4-113 snmp-server host 4-114 snmp-server enable traps 4-115 show snmp 4-115 DNS Commands 4-117 ip host 4-117 clear [...]

  • Page 13

    Contents xi lacp system-priority 4-142 lacp admin-key (Ethernet Interface) 4-143 lacp admin-key (Port Channel) 4-144 lacp port-priority 4-144 show lacp 4-145 Address Table Commands 4-149 mac-address-table static 4-150 clear mac-address-table dynamic 4-151 show mac-address-table 4-151 mac-address-table aging-time 4-152 show mac-address-table aging-t[...]

  • Page 14

    Contents xii switchport ingress-filtering 4-176 switchport native vlan 4-177 switchport allowed vlan 4-178 switchport forbidden vlan 4-179 Displaying VLAN Information 4-180 show vlan 4-180 Configuring Private VLANs 4-181 pvlan 4-181 show pvlan 4-182 Configuring Protocol-based VLANs 4-182 protocol-vlan protocol-group (Configuring Groups) 4-183 prot[...]

  • Page 15

    Contents xiii show ip igmp snooping 4-205 show mac-address-table multicast 4-206 IGMP Query Commands (Layer 2) 4-207 ip igmp snooping querier 4-207 ip igmp snooping query-count 4-207 ip igmp snooping query-interval 4-208 ip igmp snooping query-max-response-time 4-209 ip igmp snooping router-port-expire-time 4-209 Static Multicast Routing Command[...]

  • Page 16

    Contents xiv[...]

  • Page 17

    xv Tables Table 1-1. Key Features 1-1 Table 1-2. System Defaults 1-5 Table 3-1 Web Page Configuration Buttons 3-3 Table 3-2 Switch Main Menu 3-4 Table 3-3 Logging Levels 3-19 Table 3-4 HTTPS System Support 3-35 Table 3-5 802.1X Statistics 3-48 Table 3-6 LACP Port Counters 3-76 Table 3-7 LACP Internal Configuration Information 3-77 Table 3-8 LACP[...]

  • Page 18

    xvi Tables Table 4-27 Authentication Commands 4-68 Table 4-28 Authentication Sequence Commands 4-69 Table 4-29 RADIUS Client Commands 4-71 Table 4-30 TACACS+ Client Commands 4-74 Table 4-31 Port Security Commands 4-76 Table 4-32 802.1X Port Authentication Commands 4-78 Table 4-33 Access Control List Commands 4-87 Table 4-34 IP ACL Commands 4-87 [...]

  • Page 19

    xvii Figures Figure 3-1 Home Page 3-2 Figure 3-2 Front Panel Indicators 3-3 Figure 3-3 System Information 3-9 Figure 3-4 Switch Information 3-11 Figure 3-5 Displaying Bridge Extension Configuration 3-12 Figure 3-6 IP Interface Configuration - Manual 3-14 Figure 3-7 IP Interface Configuration - DHCP 3-15 Figure 3-8 Downloading Firmware to the S[...]

  • Page 20

    Figures xviii Figure 3-43 LACP - Aggregation Port 3-74 Figure 3-44 LACP - Port Counters Information 3-76 Figure 3-45 LACP - Port Internal Information 3-78 Figure 3-46 LACP - Port Neighbors Information 3-79 Figure 3-47 Port Broadcast Control 3-81 Figure 3-48 Mirror Port Configuration 3-82 Figure 3-49 Rate Limit Configuration 3-83 Figure 3-50 Port S[...]

  • Page 21

    Figures xix Figure 3-88 DNS General Configuration 3-148 Figure 3-89 DNS Static Host Table 3-150 Figure 3-90 DNS Cache 3-151[...]

  • Page 22

    Figures xx[...]

  • Page 23

    1-1 Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to max[...]

  • Page 24

    Introduction 1-2 1 Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Untagged (port-based), tagged, and [...]

  • Page 25

    Description of Software Features 1-3 1 Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity. Port Trunking – Ports can be combined into an aggregate connection. Trunks[...]

  • Page 26

    Introduction 1-4 1 Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being se[...]

  • Page 27

    System Defaults 1-5 1 System Defaults The switch's system defaults are provided in the configuration file "Factory_Default_Config.cfg." To reset the switch defaults, this file should be set as the startup configuration file (page 3-18). The following table lists some of the basic system defaults. Table 1-2. System Defaults Function Para[...]

  • Page 28

    Introduction 1-6 1 Port Configuration Admin Status Enabled Auto-negotiation Enabled Flow Control Disabled Port Capability 1000BASE-T – 10 Mbps half duplex 10 Mbps full duplex 100 Mbps half duplex 100 Mbps full duplex 1000 Mbps full duplex Full-duplex flow control disabled Symmetric flow control disabled Module Port Capability 1000BASE-SX/LX/LH [...]

  • Page 29

    System Defaults 1-7 1 IP Settings IP Address 0.0.0.0 Subnet Mask 255.0.0.0 Default Gateway 0.0.0.0 DHCP Client: Enabled BOOTP Disabled DNS Server Lookup Disabled Multicast Filtering IGMP Snooping Snooping: Enabled Querier: Enabled System Log Status Enabled Messages Logged Levels 0-7 (all) Messages Logged to Flash Levels 0-3 SMTP Email Alerts Event[...]

  • Page 30

    Introduction 1-8 1[...]

  • Page 31

    2-1 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line int[...]

  • Page 32

    Initial Configuration 2-2 2 • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the s[...]

  • Page 33

    Basic Configuration 2-3 2 Remote Connections Prior to accessing the switch's onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure[...]

  • Page 34

    Initial Configuration 2-4 2 Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the "username" command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthoriz[...]

  • Page 35

    Basic Configuration 2-5 2 Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: 1. From the Privileged E[...]

  • Page 36

    Initial Configuration 2-6 2 5. Wait a few minutes, and then check the IP configuration settings by typing the "show ip interface" command. Press <Enter>. 6. Then save your configuration changes by typing "copy running-config startup-config." Enter the startup file name and press <Enter>. Enabling SNMP Management Access Th[...]

  • Page 37

    Basic Configuration 2-7 2 To configure a community string, complete the following steps: 1. From the Privileged Exec level global configuration mode prompt, type "snmp-server community string mode," where "string" is the community access string and "mode" is rw (read/write) or ro (read only). Press <Enter>. (Note that the def[...]

  • Page 38

    Initial Configuration 2-8 2 2. Enter the name of the start-up file. Press <Enter>. Managing System Files The switch's flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch's file system allows files to be uploaded and downloaded, copied, deleted, and set as a st[...]

  • Page 39

    3-1 Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP Web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 5.0 or above, or Netscape N[...]

  • Page 40

    Configuring the Switch 3-2 3 Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is "admin." Home Page When your web browser con[...]

  • Page 41

    Navigating the Web Browser Interface 3-3 3 Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the "Apply" button to confirm the new setting. The following table summarizes the web page configuration buttons. Notes: 1. To ensure proper[...]

  • Page 42

    Configuring the Switch 3-4 3 Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Switch Main Menu Menu Description Page System 3-9 System Information[...]

  • Page 43

    Navigating the Web Browser Interface 3-5 3 802.1X Port authentication 3-43 Information Displays global configuration settings 3-44 Configuration Configures protocol parameters 3-46 Port Configuration Sets the authentication mode for individual ports 3-47 Statistics Displays protocol statistics for the selected port 3-48 ACL 3-52 Configuration [...]

  • Page 44

    Configuring the Switch 3-6 3 Address Table 3-88 Static Addresses Displays entries for interface, address or VLAN 3-88 Dynamic Addresses Displays or edits static entries in the Address Table 3-89 Address Aging Sets timeout for dynamically learned entries 3-91 Spanning Tree 3-91 STA 3-91 Information Displays STA values used for the bridge 3-92 [...]

  • Page 45

    Navigating the Web Browser Interface 3-7 3 Protocol VLAN 3-124 Configuration Creates a protocol group, specifying the supported protocols 3-124 Port Configuration Maps a protocol group to a VLAN 3-124 Priority 3-126 Default Port Priority Sets the default priority for each port 3-126 Default Trunk Priority Sets the default priority for each trun[...]

  • Page 46

    Configuring the Switch 3-8 3 DNS 3-146 General Configuration Enables DNS; configures domain name and domain list; and specifies IP address of name servers for dynamic lookup 3-147 Static Host Table Configures static entries for domain name to address mapping 3-149 Cache Displays cache entries discovered by designated name servers 3-151 Table 3-[...]

  • Page 47

    Basic Configuration 3-9 3 Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch's network management subsystem. • Location [...]

  • Page 48

    Configuring the Switch 3-10 3 CLI – Specify the hostname, location and contact information. Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Num[...]

  • Page 49

    Basic Configuration 3-11 3 Web – Click System, Switch Information. Figure 3-4 Switch Information CLI – Use the following command to display version information. Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access [...]

  • Page 50

    Configuring the Switch 3-12 3 • Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to "VLAN Configuration" on page 3-111.) • Local VLAN Capable – This switch does not support multiple local bridges outside [...]

  • Page 51

    Basic Configuration 3-13 3 Setting the Switch's IP Address This section describes how to configure an IP interface for management access over the network. The IP address for this switch is obtained via DHCP by default. To manually configure an address, you need to change the switch's default settings (IP address 0.0.0.0 and netmask 255.0.0[...]

  • Page 52

    Configuring the Switch 3-14 3 Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to "Static," enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 IP Interface Configuration - Manual CLI – Specify the management [...]

  • Page 53

    Basic Configuration 3-15 3 Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. [...]

  • Page 54

    Configuring the Switch 3-16 3 CLI – Enter the following command to restart DHCP service. Managing Firmware You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware withou[...]

  • Page 55

    Basic Configuration 3-17 3 If you download to a new destination file, then select the file from the drop-down box for the operation code used at startup, and click Apply Changes. To start the new firmware, reboot the system via the System/Reset menu. Figure 3-9 Setting the Startup Code CLI – Enter the IP address of the TFTP server, select [...]

  • Page 56

    Configuring the Switch 3-18 3 Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file "Factory_Default_Config.cfg" can be c[...]

  • Page 57

    Basic Configuration 3-19 3 If you download the startup configuration file under a new file name, you can set this file as the startup file at a later time, and then restart the switch. Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, log[...]

  • Page 58

    Configuring the Switch 3-20 3 • RAM Level – Limits log messages saved to the switch's temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7) Note: The Flash Level must be equal to or less than the RAM Level. We[...]

  • Page 59

    Basic Configuration 3-21 3 Command Attributes • Remote Log Status – Enables/disables the logging of debug or error messages to the remote logging process. (Default: Disabled) • Logging Facility – Sets the facility type for remote logging of syslog messages. There are eight facility types specified by values of 16 to 23. The facility typ[...]

  • Page 60

    Configuring the Switch 3-22 3 CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap. Displaying Log Messages Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power re[...]
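The remote-logging parameters above (facility values 16 to 23, severity levels 0 to 7, and the RAM-level/flash-level cut-offs) are exactly what a collector sees encoded in the <PRI> prefix of each forwarded message. The following Python script is an added example, not part of the Milan manual or the switch firmware: it decodes the PRI of a few constructed sample lines and applies the manual's storage rules (each level keeps that level and everything more severe; flash level must not exceed RAM level). The sample message text and the function names are assumptions made here; the switch's real messages may be worded differently.

```python
# Added example (not from the Milan manual): decode the <PRI> of syslog lines
# such as the switch forwards to a remote host, and apply the manual's
# RAM-level / flash-level rule to decide where each message is kept.
import re

# Severity levels 0-7 (names per RFC 3164; the manual's table lists 0-7 the same way)
LEVEL_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
               4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
# Facility values 16-23 correspond to local0-local7
FACILITY_NAMES = {f: f"local{f - 16}" for f in range(16, 24)}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line: str):
    """Return (facility, severity) from the <PRI> prefix; PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix on line")
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)


def storage_targets(severity: int, ram_level: int = 7, flash_level: int = 3):
    """Where a message of this severity lands under the manual's rule that a
    level setting keeps that level and all lower (more severe) levels, with
    the manual's defaults of RAM=7 and flash=3."""
    if flash_level > ram_level:
        raise ValueError("flash level must be equal to or less than the RAM level")
    targets = []
    if severity <= ram_level:
        targets.append("ram")
    if severity <= flash_level:
        targets.append("flash")
    return targets


# Constructed sample lines (not real switch output), facility local7 / local0
SAMPLE_LINES = [
    "<187>Jan  1 00:00:01 Console: Port 3 link down",  # 187 = 23*8 + 3 -> errors
    "<190>Jan  1 00:00:02 Console: VLAN 1 link up",   # 190 = 23*8 + 6 -> informational
    "<134>Jan  1 00:00:03 Console: config saved",     # 134 = 16*8 + 6 -> informational
]


def summarize(lines, ram_level: int = 7, flash_level: int = 3):
    """Decode each line and report facility, severity and storage targets."""
    rows = []
    for line in lines:
        fac, sev = decode_pri(line)
        rows.append({"facility": FACILITY_NAMES.get(fac, str(fac)),
                     "severity": LEVEL_NAMES[sev],
                     "stored_in": storage_targets(sev, ram_level, flash_level)})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

With the defaults, only the level-3 "errors" line survives a power cycle (flash); the two informational lines exist only in RAM, which is why a remote syslog host is the only durable record of routine events on this switch.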

  • Page 61

    Basic Configuration 3-23 3 CLI – This example shows that system logging is enabled, the message level for flash memory is "errors" (i.e., default level 3 - 0), the message level for RAM is "debugging" (i.e., default level 7 - 0), and lists one sample error. Sending Simple Mail Transfer Protocol Alerts To alert system administrators [...]

  • Page 62

    Configuring the Switch 3-24 3 Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add. To delete an IP address, click the entry in the SMTP Server List and click Remove. Sp[...]

  • Page 63

    Basic Configuration 3-25 3 CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail comma[...]

  • Page 64

    Configuring the Switch 3-26 3 Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set [...]

  • Page 65

    Basic Configuration 3-27 3 CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings. Setting the Time Zone SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth's prime meridian, zero degrees longitude. To display a ti[...]
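For the SNTP client and time-zone settings in the two sections above, the following Python code is an added example, not the manual's or the switch's code: it builds the 48-byte SNTP request a client sends, parses a server reply, converts the NTP transmit timestamp to UNIX time and renders it with an offset in minutes like the one you configure for the time zone. The leap-indicator and stratum checks are the only validation plain SNTP gives a client; the exchange carries no authentication, so the time server should be one reachable only from the management VLAN. The reply bytes are constructed for the example.

```python
# Added example (not from the Milan manual): SNTP request/reply handling and
# the UTC-to-local conversion the time-zone setting performs.
import struct
import time

NTP_UNIX_DELTA = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def build_sntp_request() -> bytes:
    """Client request: LI=0, VN=3, Mode=3 in the first byte, rest zero."""
    return bytes([0x1B]) + b"\x00" * 47


def parse_sntp_reply(pkt: bytes) -> dict:
    """Validate a server reply and return version, stratum and UNIX time."""
    if len(pkt) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    first = pkt[0]
    li, vn, mode = first >> 6, (first >> 3) & 7, first & 7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if li == 3:
        raise ValueError("server clock not synchronised (LI=3)")
    stratum = pkt[1]
    if stratum == 0 or stratum > 15:
        raise ValueError(f"unusable stratum {stratum}")
    secs, frac = struct.unpack("!II", pkt[40:48])  # Transmit Timestamp
    return {"version": vn, "stratum": stratum,
            "unix_time": secs - NTP_UNIX_DELTA + frac / 2**32}


def local_time_string(unix_time: float, tz_offset_minutes: int) -> str:
    """Render UTC time shifted by the configured time-zone offset."""
    shifted = unix_time + tz_offset_minutes * 60
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(shifted))


# Constructed reply: LI=0, VN=3, Mode=4, stratum 2, transmit timestamp 0xC4F3A1B0.0
SAMPLE_REPLY = bytes([0x1C, 2]) + b"\x00" * 38 + struct.pack("!II", 0xC4F3A1B0, 0)

if __name__ == "__main__":
    reply = parse_sntp_reply(SAMPLE_REPLY)
    print(reply)
    print(local_time_string(reply["unix_time"], -480))  # offset for UTC-8
```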

  • Page 66

    Configuring the Switch 3-28 3 CLI - This example shows how to set the time zone for the system clock. Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.[...]

  • Page 67

    Simple Network Management Protocol 3-29 3 Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Figure 3-19 Configuring SNMP Community Strings CLI – The following example adds the string "spiderman" with read/write access. Specifying Trap M[...]

  • Page 68

    Configuring the Switch 3-30 3 Web – Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive these messages, specify the SNMP version, mark the trap types required, and then click Add. Figure 3-20 Configuring SNMP Trap Managers CLI – This example adds a trap manager and enables both [...]

  • Page 69

    User Authentication 3-31 3 Command Attributes • User Name* – The name of the user. (Maximum length: 8 characters) • Access Level* – Specifies the user level. (Options: Normal and Privileged) • Password – Specifies the user password. (Range: 0-8 characters plain text, case sensitive) * CLI only. Web – Click Security, Passwords. T[...]

  • Page 70

    Configuring the Switch 3-32 3 RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet. Command Usage • [...]
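The distinction drawn above between RADIUS and TACACS+ is easiest to see by implementing both schemes. The following Python code is an added example, not from the manual or the switch: it implements the RFC 2865 User-Password hiding and the RFC 8907 TACACS+ body obfuscation with the standard library only, and assembles a minimal Access-Request to show that the user name and every other attribute travel in cleartext while only the password is hidden. Both schemes are MD5 keystreams keyed by the shared secret, so the secret is all that protects either; the shared secret, session ID and TACACS+ body bytes here are constructed for the demonstration.

```python
# Added example (not from the Milan manual): the two "encryption" schemes the
# manual contrasts, RFC 2865 RADIUS User-Password hiding and RFC 8907 TACACS+
# body obfuscation, and a minimal Access-Request showing what stays in clear.
import hashlib
import os
import struct


def radius_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad password to a multiple of 16, then
    c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def radius_user_password_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_user_password; trailing NUL padding is stripped."""
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, secret: bytes, ident: int = 0) -> bytes:
    """Minimal Access-Request (code 1): User-Name (type 1) is sent in clear,
    only User-Password (type 2) is hidden. Layout: code, id, length, RA, attrs."""
    ra = os.urandom(16)  # Request Authenticator chosen by the client
    attrs = bytes([1, 2 + len(username)]) + username
    enc = radius_user_password(password, secret, ra)
    attrs += bytes([2, 2 + len(enc)]) + enc
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs


def tacacs_body_xor(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 4.5: pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(session_id || key || version || seq_no || pad_(n-1));
    body XOR concat(pads). Symmetric, so the same call decrypts."""
    hdr = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(hdr + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


def demo():
    """Round-trip both schemes; returns the ciphertext lengths."""
    secret = b"shared-secret"                    # constructed shared secret
    ra = os.urandom(16)
    pw = b"S3cret!!"
    enc = radius_user_password(pw, secret, ra)
    assert radius_user_password_decrypt(enc, secret, ra) == pw
    body = b"\x01\x00\x00\x00\x00\x04admin"     # constructed, not a real TACACS+ body
    obf = tacacs_body_xor(body, secret, 0x12345678, 0xC0, 1)
    assert tacacs_body_xor(obf, secret, 0x12345678, 0xC0, 1) == body
    return len(enc), len(obf)


if __name__ == "__main__":
    print(demo())
    pkt = build_access_request(b"admin", b"S3cret!!", b"shared-secret")
    print(b"admin" in pkt, b"S3cret!!" in pkt)  # user name visible, password not
```

Neither scheme is authenticated encryption: an attacker on the path who learns the shared secret recovers every password (RADIUS) or every session body (TACACS+) from a capture, which is why the secret deserves the same handling as the administrator password and why TACACS+ should be carried on a management VLAN rather than the user network.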

  • Page 71

    User Authentication 3-33 3 Note: The local switch user database has to be set up by manually entering user names and passwords using the CLI. (See "username" on page 4-26.) Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three metho[...]

  • Page 72

    Configuring the Switch 3-34 3 CLI – Specify all the required parameters to enable logon authentication. Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch's web interface. Command Us[...]

  • Page 73

    User Authentication 3-35 3 • The following web browsers and operating systems currently support HTTPS: • To specify a secure-site certificate, see "Replacing the Default Secure-site Certificate" on page 3-35. Command Attributes • HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled) [...]

  • Page 74

    Configuring the Switch 3-36 3 Note: For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased. When you have obtained these, place them on your TFTP server, and use the following comman[...]

  • Page 75

    User Authentication 3-37 3 To use the SSH server, complete these steps: 1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Ot[...]

  • Page 76

    Configuring the Switch 3-38 3 e. The switch compares the decrypted bytes to the original bytes it sent. If the two sets match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated. Notes: 1. To use SSH with only password authentication, the host public key must still be given to[...]

  • Page 77

    User Authentication 3-39 3 Web – Click Security, SSH Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-23 SSH Host-Key Settings CLI – This example generates a host-key pair using both th[...]

  • Page 78

    Configuring the Switch 3-40 3 Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports managemen[...]

  • Page 79

    User Authentication 3-41 3 CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection. Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more[...]

  • Page 80

    Configuring the Switch 3-42 • If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (page 3-67). Command Attributes • Port – Port number. • Name – Descriptive text (page 4-124). • Action – Indicates the action to be taken when a port security violation [...]

  • Page 81

    User Authentication 3-43 CLI – This example selects the target port, sets the port security action to send a trap and disable the port, specifies a maximum address count, and then enables port security for the port. Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attach[...]

  • Page 82

    Configuring the Switch 3-44 The operation of 802.1X on the switch requires the following: • The switch must have an IP address assigned. • RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified. • 802.1X must be enabled globally for the switch. • Each switch port that will be used must be [...]

  • Page 83

    User Authentication 3-45 Web – Click Security, 802.1X, Information. Figure 3-26 802.1X Information CLI – This example shows the default protocol settings for 802.1X. For a description of the additional entries displayed in the CLI, see “show dot1x” on page 4-84. Console#show dot1x 4-84 Global 802.1X Parameters reauth-enabled: yes reau[...]

  • Page 84

    Configuring the Switch 3-46 Configuring 802.1X Global Settings The dot1x protocol includes global parameters that control the client authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server. The configuratio[...]

  • Page 85

    User Authentication 3-47 Web – Select Security, 802.1X, Configuration. Enable dot1x globally for the switch, modify any of the parameters required, and then click Apply. Figure 3-27 802.1X Configuration CLI – This enables re-authentication and sets all of the global parameters for 802.1X. Configuring Port Authorization Mode When dot1[...]

  • Page 86

    Configuring the Switch 3-48 • Authorized – - Yes – Connected client is authorized. - No – Connected client is not authorized. - Blank – Displays nothing when dot1x is disabled on a port. • Supplicant – Indicates the MAC address of a connected client. • Trunk – Indicates if the port is configured as a trunk port. Web – Clic[...]

  • Page 87

    User Authentication 3-49 Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-29 802.1X Port Statistics Rx EAP Resp/Oth The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator. Rx EAP LenError T[...]

  • Page 88

    Configuring the Switch 3-50 CLI – This example displays the 802.1X statistics for port 4. Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage • The management interface s[...]

  • Page 89

    User Authentication 3-51 Web – Click Security, IP Filter. Enter the addresses that are allowed management access to an interface, and click Add IP Filtering Entry. Figure 3-30 IP Filter CLI – This example allows SNMP access for a specific client. Console(config)#management snmp-client 10.1.2.3 4-28 Console(config)#end Console#show manage[...]

  • Page 90

    Configuring the Switch 3-52 Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask[...]

  • Page 91

    Access Control Lists 3-53 Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL. Command Attributes • Name – Name of the ACL. (Maximum length: 16 characters) • Type – There are three filtering modes: - Standard: IP ACL mode that filters packets based on the source IP address. - Extended: [...]

  • Page 92

    Configuring the Switch 3-54 with the address for each IP packet entering the port(s) to which this ACL has been assigned. Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an addres[...]

  • Page 93

    Access Control Lists 3-55 • Protocol – Specifies the protocol type to match as TCP, UDP or Others, where Others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: TCP) • Src/Dst Port – Source/destination port number for the specified protocol type. (Range: 0-65535) • Src/Dst Port Bitmask – Decimal n[...]

  • Page 94

    Configuring the Switch 3-56 Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, s[...]

  • Page 95

    Access Control Lists 3-57 Configuring a MAC ACL Command Attributes • Action – An ACL can contain all permit rules or all deny rules. (Default: Permit rules) • Source/Destination MAC – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Addres[...]

  • Page 96

    Configuring the Switch 3-58 Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address r[...]

  • Page 97

    Access Control Lists 3-59 Configuring ACL Masks You can specify optional masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egress[...]

  • Page 98

    Configuring the Switch 3-60 Configuring an IP ACL Mask This mask defines the fields to check in the IP header. Command Usage • Masks that include an entry for a Layer 4 protocol source port or destination port can only be applied to packets with a header length of exactly five bytes. Command Attributes • Src/Dst IP – Specifies the sourc[...]

  • Page 99

    Access Control Lists 3-61 Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types. Or use a bitmask[...]

  • Page 100

    Configuring the Switch 3-62 Configuring a MAC ACL Mask This mask defines the fields to check in the packet header. Command Usage You must configure a mask for an ACL rule before you can bind it to a port. Command Attributes • Source/Destination MAC – Use “Any” to match any address, “Host” to specify the host address for a single [...]

  • Page 101

    Access Control Lists 3-63 CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask. Binding a Port to an Access Control List After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate[...]

  • Page 102

    Configuring the Switch 3-64 Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic, select the required ACL from the drop-down list, then click Apply. Figure 3-38 ACL Port Binding CLI – This example assigns an IP and MAC ingress ACL to port 1, and an IP ing[...]

  • Page 103

    Port Configuration 3-65 • Forced Mode 1 – Shows the forced/preferred port type to use for combination ports 21-24. (Copper-Forced, Copper-Preferred-Auto, SFP-Forced, SFP-Preferred-Auto) • Trunk Member 1 – Shows if port is a trunk member. • Creation 2 – Shows if a trunk is manually configured or dynamically set via LACP. Web – Cl[...]

  • Page 104

    Configuring the Switch 3-66 • Broadcast storm – Shows if broadcast storm control is enabled or disabled. • Broadcast storm limit – Shows the broadcast storm threshold. (500 - 262143 packets per second) • Flow control – Shows if flow control is enabled or disabled. • LACP – Shows if LACP is enabled or disabled. • Port Security[...]

  • Page 105

    Port Configuration 3-67 Configuring Interface Connections You can use the Port Configuration or Trunk Configuration page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control. Command Attributes • Name – Allows you to label an interfac[...]

  • Page 106

    Configuring the Switch 3-68 • Trunk – Indicates if a port is a member of a trunk. To create trunks and select port members, see “Creating Trunk Groups” on page 3-69. Note: Auto-negotiation must be disabled before you can configure or force the interface to use the Speed/Duplex Mode or Flow Control options. Web – Click Port, Port Configu[...]

  • Page 107

    Port Configuration 3-69 Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two switches. You can create up to six trunks at a time. The[...]

  • Page 108

    Configuring the Switch 3-70 Statically Configuring a Trunk Command Usage • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible. • To avoid creating a loop in the netwo[...]

  • Page 109

    Port Configuration 3-71 CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Enabling LACP on Selected Ports Command Usage • To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports bef[...]

  • Page 110

    Configuring the Switch 3-72 Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply. Figure 3-42 LACP Trunk Configuration CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to[...]

  • Page 111

    Port Configuration 3-73 Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. • However, if the “port channel” Admin Key is set (page 4-142), then th[...]

  • Page 112

    Configuring the Switch 3-74 Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the ne[...]

  • Page 113

    Port Configuration 3-75 CLI – The following example configures LACP parameters for ports 1-6. Ports 1-4 are used as active members of the LAG; ports 5 and 6 are set to backup mode. Console(config)#interface ethernet 1/1 4-123 Console(config-if)#lacp actor system-priority 3 4-140 Console(config-if)#lacp actor admin-key 120 4-141 Console(confi[...]

  • Page 114

    Configuring the Switch 3-76 Displaying LACP Port Counters You can display statistics for LACP protocol messages. Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information. Figure 3-44 LACP - Port Counters Information CLI – The following example displays LACP counters for port chann[...]

  • Page 115

    Port Configuration 3-77 Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-7 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Curr[...]

  • Page 116

    Configuring the Switch 3-78 Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-45 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 in[...]

  • Page 117

    Port Configuration 3-79 Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. Figure 3-46 LACP - Port Neighbors[...]

  • Page 118

    Configuring the Switch 3-80 CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. [...]

  • Page 119

    Port Configuration 3-81 Web – Click Port, Port/Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold and click Apply. Figure 3-47 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression a[...]

  • Page 120

    Configuring the Switch 3-82 Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner. Command Usage • Monitor port speed should matc[...]

  • Page 121

    Port Configuration 3-83 Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic coming out of the switch. Traffic that falls within the rate limit is transmitted, wh[...]

  • Page 122

    Configuring the Switch 3-84 Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information c[...]

  • Page 123

    Port Configuration 3-85 Transmit Discarded Packets The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space. Transmit Errors The number of outbound packets that could not be tr[...]

  • Page 124

    Configuring the Switch 3-86 Received Frames The total number of frames (bad, broadcast and multicast) received. Broadcast Frames The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets. Multicast Frames The total number of good frames received that were directed t[...]

  • Page 125

    Port Configuration 3-87 Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-50 Port Statistics[...]

  • Page 126

    Configuring the Switch 3-88 CLI – This example shows statistics for port 13. Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can [...]

  • Page 127

    Address Table Settings 3-89 • VLAN – ID of configured VLAN (1-4094). Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Then set this as a permanent address or to be deleted on reset. Figure 3-51 Static Addresses CLI – This example adds an address to the s [...]

  • Page 128

    Configuring the Switch 3-90 Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-52 Dynamic Addresses CLI – This example also displays the address table entries for port 1. Con[...]

  • Page 129

    Spanning Tree Algorithm Configuration 3-91 Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables or disables the aging time. • Aging Time – The time after which a learned entry is discarded. (Range: 10-1000000 seconds; Default: 300 seconds) Web – Clic[...]

  • Page 130

    Configuring the Switch 3-92 Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down. This bridge will the[...]

  • Page 131

    Spanning Tree Algorithm Configuration 3-93 • Hello Time – Interval (in seconds) at which the root device transmits a configuration message. • Forward Delay – The maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must rece[...]

  • Page 132

    Configuring the Switch 3-94 information that would make it return to a discarding state; otherwise, temporary data loops might result. • Root Hold Time – The interval (in seconds) during which no more than two bridge configuration protocol data units shall be transmitted by this node. • Max hops – The max number of hop counts for the [...]

  • Page 133

    Spanning Tree Algorithm Configuration 3-95 CLI – This command displays global STA settings, followed by settings for each port. Note: The current root port and current root cost display as zero when this device is not connected to the network. Console#show spanning-tree 4-168 Spanning-tree information ---------------------------------------[...]

  • Page 134

    Configuring the Switch 3-96 Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol 6 Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between [...]

  • Page 135

    Spanning Tree Algorithm Configuration 3-97 • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that [...]

  • Page 136

    Configuring the Switch 3-98 • Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3) Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch c[...]

  • Page 137

    Spanning Tree Algorithm Configuration 3-99 Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-55 STA Configuration[...]

  • Page 138

    Configuring the Switch 3-100 CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters. Displaying Interface Settings The STA Port Information and STA Trunk Information pages display the current status of ports and trunks in the Spanning Tree. Field Attributes • Spannin[...]

  • Page 139

    Spanning Tree Algorithm Configuration 3-101 • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface. This parameter is determined by manual configuration or by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-103. • Oper Edge Port – This parameter is in[...]

  • Page 140

    Configuring the Switch 3-102 • Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to b[...]

  • Page 141

    Spanning Tree Algorithm Configuration 3-103 CLI – This example shows the STA attributes for port 5. Configuring Interface Settings You can configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port. You may use a different priority or path cost for ports of the same media typ[...]

  • Page 142

    Configuring the Switch 3-104 Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. • Default: 128 • Range: 0-240, in steps of 16 • Path Cost – This parameter is used by the STP to determine the best path between devices. Therefore, lower v[...]

  • Page 143

    Spanning Tree Algorithm Configuration 3-105 Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-57 STA Port Configuration CLI – This example sets STA attributes for port 7. Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for[...]

  • Page 144

    Configuring the Switch 3-106 Command Attributes • MST Instance – Instance identifier of this spanning tree. (Default: 0) • Priority – The priority of a spanning tree instance. (Range: 0-61440 in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440; Default: 32[...]

  • Page 145

    Spanning Tree Algorithm Configuration 3-107 CLI – This displays STA settings for instance 1, followed by settings for each port. CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI. Console#show spanning-tree mst 1 4-168 Spanning-tree information --------------------------------------------------------------- S[...]

  • Page 146

    Configuring the Switch 3-108 Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Field Attributes • MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0) The other attributes are describ[...]

  • Page 147

    Spanning Tree Algorithm Configuration 3-109 Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: • STA State – Displays current state of[...]

  • Page 148

    Configuring the Switch 3-110 • MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Note that when the Path Cost Me[...]

  • Page 149

    VLAN Configuration 3-111 VLAN Configuration IEEE 802.1Q VLANs In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the o[...]

  • Page 150

    Configuring the Switch 3-112 Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing it on to any end-node host that does not support VLAN tagging. VLAN Classification – When the switch receives a frame, it classifies the frame in one of two w[...]

  • Page 151

    VLAN Configuration 3-113 these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs. Note: If you have ho[...]

  • Page 152

    Configuring the Switch 3-114 Enabling or Disabling GVRP (Global Setting) GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the net[...]

  • Page 153

    VLAN Configuration 3-115 CLI – Enter the following command. Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small por[...]

  • Page 154

    Configuring the Switch 3-116 Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4094, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP. - Static: Added as a static entry. • Name – Name of the VLAN (1 to 32 characters). • Status – Shows if this VLAN is e[...]

  • Page 155

    VLAN Configuration 3-117 Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-64 VLAN Static List - Creating VLANs CLI – This example creates a new VLAN. Adding Static Members to VLANs (VLAN Index) Use the VLAN Static [...]

  • Page 156

    Configuring the Switch 3-118 • Trunk – Trunk identifier. • Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk: - Tagged: Interface is a member of the VLAN. All packets transmitted by the port will be tagged, that is, carry a tag and therefore carry VLAN or CoS infor[...]

  • Page 157

    VLAN Configuration 3-119 Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. • Non-Member – VLANs f[...]

  • Page 158

    Configuring the Switch 3-120 values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GVRP registration/deregistration. Command Attributes • PVID – VLAN ID assigned to untagged frames received on the interface. (Default: 1) - If an i[...]

  • Page 159

    VLAN Configuration 3-121 • Mode – Indicates VLAN membership mode for an interface. (Default: 1Q Trunk) - 1Q Trunk – Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging to the port’s default VLAN[...]

  • Page 160

    Configuring the Switch 3-122 Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.) Enabling Private VL[...]

  • Page 161

    VLAN Configuration 3-123 Configuring Uplink and Downlink Ports Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any des[...]

  • Page 162

    Configuring the Switch 3-124 Configuring Protocol Groups Create a protocol group for one or more protocols. Command Attributes • Protocol Group ID – Group identifier of this protocol group. (Range: 1-2147483647) • Frame Type – Frame type used by this protocol. (Options: Ethernet, RFC_1042, LLC_other) • Protocol Type – The only opti[...]

  • Page 163

    VLAN Configuration 3-125 - If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. - If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface. Command Attributes • Interface – Port or trunk identifier. • Protocol Group ID[...]

  • Page 164

    Configuring the Switch 3-126 Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted b[...]

  • Page 165

    Class of Service Configuration 3-127 Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-72 Default Port Priority CLI – This example assigns a default priority of 5 to port 3. Console(config)#interface ethernet 1/3 4-123 Console(config-if)#sw[...]

  • Page 166

    Configuring the Switch 3-128 Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority level[...]

  • Page 167

    Class of Service Configuration 3-129 Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-73 Traffic Classes CLI – The following example shows how to change the CoS assignments to a one-to-one mapping. * Mapping specific values for CoS priorities is implemen[...]

  • Page 168

    Configuring the Switch 3-130
    • Strict - Services the egress queues in sequential order, transmitting all traffic in the higher priority queues before servicing lower priority queues.
    Web – Click Priority, Queue Mode. Select Strict or WRR, then click Apply.
    Figure 3-74 Queue Mode
    CLI – The following sets the queue mode to strict priorit[...]

  • Page 169

    Class of Service Configuration 3-131
    Web – Click Priority, Queue Scheduling. Select the interface, highlight a traffic class (i.e., output queue), enter a weight, then click Apply.
    Figure 3-75 Queue Scheduling
    CLI – The following example shows how to assign WRR weights to each of the priority queues.
    Console(config)#interface ethernet [...]

  • Page 170

    Configuring the Switch 3-132
    Layer 3/4 Priority Settings
    Mapping Layer 3/4 Priorities to CoS Values
    This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or t[...]

  • Page 171

    Class of Service Configuration 3-133
    Mapping IP Precedence
    The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Cla[...]

  • Page 172

    Configuring the Switch 3-134
    CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
    * Mapping specific values for IP Precedence is implemented as an interface configuration command, but any changes will apply to the a[...]

  • Page 173

    Class of Service Configuration 3-135
    Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply.
    Figure 3-78 IP DSCP Priority
    CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1[...]

  • Page 174

    Configuring the Switch 3-136
    Mapping IP Port Priority
    You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110.
    Command Attributes
    • IP Port Priority Status –[...]

  • Page 175

    Class of Service Configuration 3-137
    CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays the IP Port Priority settings for that port.
    * Mapping specific values for IP Precedence is implemented as an interface configuration command, but any changes wi[...]

  • Page 176

    Configuring the Switch 3-138
    Web – Click Priority, ACL CoS Priority. Enable mapping for any port, select an ACL from the scroll-down list, then click Apply.
    Figure 3-81 ACL CoS Priority
    CLI – This example assigns a CoS value of zero to packets matching rules within the specified ACL on port 24.
    Changing Priorities Based on ACL Rules
    You[...]

  • Page 177

    Class of Service Configuration 3-139
    Command Attributes
    • Port – Port identifier.
    • Name 14 – Name of ACL.
    • Type – Type of ACL (IP or MAC).
    • Precedence – IP Precedence value. (Range: 0-7)
    • DSCP – Differentiated Services Code Point value. (Range: 0-63)
    • 802.1p Priority – Class of Service value in the IEEE 802.1p prior[...]

  • Page 178

    Configuring the Switch 3-140
    Multicast Filtering
    Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register w[...]

  • Page 179

    Multicast Filtering 3-141
    Configuring IGMP Snooping and Query Parameters
    You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and[...]

  • Page 180

    Configuring the Switch 3-142
    Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.)
    Figure 3-83 IGMP Configuration
    CLI – This example modifies the settings for multicast filtering, and then displays the current status.
    Console(config)#ip igmp sn[...]

  • Page 181

    Multicast Filtering 3-143
    Displaying Interfaces Attached to a Multicast Router
    Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switc[...]

  • Page 182

    Configuring the Switch 3-144
    Command Attributes
    • Interface – Activates the Port or Trunk scroll down list.
    • VLAN ID – Selects the VLAN to propagate all multicast traffic coming from the attached multicast router.
    • Port or Trunk – Specifies the interface attached to a multicast router.
    Web – Click IGMP Snooping, Static Multica[...]

  • Page 183

    Multicast Filtering 3-145
    Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service.
    Figure 3-86 IP Multicast Registration Table
    CLI – This example displays all[...]

  • Page 184

    Configuring the Switch 3-146
    • Multicast IP – The IP address for a specific multicast service
    • Port or Trunk – Specifies the interface attached to a multicast router/switch.
    Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), in[...]

  • Page 185

    Configuring Domain Name Service 3-147
    Configuring General DNS Server Parameters
    Command Usage
    • To enable DNS service on this switch, first configure one or more name servers, and then enable domain lookup status.
    • To append domain names to incomplete host names received from a DNS client (i.e., not formatted with dotted notation), you[...]

  • Page 186

    Configuring the Switch 3-148
    Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.
    Figure 3-88 DNS General Configuration
    CLI - This example sets a default domain name and a domain l[...]

  • Page 187

    Configuring Domain Name Service 3-149
    Configuring Static DNS Host to Address Entries
    You can manually configure static entries in the DNS table that are used to map domain names to IP addresses.
    Command Usage
    • Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located el[...]

  • Page 188

    Configuring the Switch 3-150
    Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.
    Figure 3-89 DNS Static Host Table
    CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
    Console(config)#ip host rd5 192.168.1.55 10.1.0[...]

  • Page 189

    Configuring Domain Name Service 3-151
    Displaying the DNS Cache
    You can display entries in the DNS cache that have been learned via the designated name servers.
    Field Attributes
    • No – The entry number for each resource record.
    • Flag – The flag is always “4” indicating a cache entry and therefore unreliable.
    • Type – This field[...]

  • Page 190

    Configuring the Switch 3-152
    CLI - This example displays all the resource records learned from the designated name servers.
    Console#show dns cache 4-123
    NO  FLAG  TYPE   IP              TTL  DOMAIN
    0   4     CNAME  207.46.134.222  51   www.microsoft.akadns.net
    1   4     CNAME  207.46.134.190  51   www.microsoft.akadns.net
    2   4     CNAME  207.46.134.155  51   www.microsoft.akadns.net
    3   4     C[...]

  • Page 191

    4-1
    Chapter 4: Command Line Interface
    This chapter describes how to use the Command Line Interface (CLI).
    Using the Command Line Interface
    Accessing the CLI
    When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keyw[...]

  • Page 192

    Command Line Interface 4-2
    To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet. For example, if your corporate network is connected to another network outside your office or to the Internet, you need to apply[...]

  • Page 193

    Entering Commands 4-3
    Entering Commands
    This section describes how to enter CLI commands.
    Keywords and Arguments
    A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status a[...]

  • Page 194

    Command Line Interface 4-4
    Showing Commands
    If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, VLAN Database, or MSTP). You can also display a list of valid keywords for a specif[...]

  • Page 195

    Entering Commands 4-5
    Partial Keyword Lookup
    If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.”
    Negating the Effect of Commands
    For many co[...]

  • Page 196

    Command Line Interface 4-6
    Understanding Command Modes
    The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are f[...]

  • Page 197

    Entering Commands 4-7
    Configuration Commands
    Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command. T[...]

  • Page 198

    Command Line Interface 4-8
    To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode. For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode
    Table 4-2 Configuration Command [...]

  • Page 199

    Entering Commands 4-9
    Command Line Processing
    Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the ?[...]
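
The two rules above (partial keyword lookup with “s?”, and abbreviations accepted only when they single out one keyword) can be shown with a small keyword resolver. This is an added example and not code from the Milan Technology manual or the switch firmware; the KEYWORDS tuple is a constructed sample, since the page does not list the full keyword set of any mode.

```python
"""Prefix lookup and abbreviation resolution for a CLI keyword table.

Added example illustrating the manual's rules (partial keyword lookup with "?",
abbreviation accepted only when it is unambiguous, case-insensitive matching).
Not code from the Milan Technology manual. KEYWORDS is a constructed sample."""

# Constructed sample of keywords available in one command mode (assumption).
KEYWORDS = (
    "enable", "end", "exit",
    "show", "snmp-server", "sntp", "spanning-tree", "switchport",
)


class CliError(ValueError):
    """Raised when a token is invalid or ambiguous."""


def lookup(partial: str, keywords=KEYWORDS) -> list:
    """Mimic "s?": list every keyword that starts with the given letters."""
    p = partial.lower()
    return sorted(k for k in keywords if k.startswith(p))


def classify(token: str, keywords=KEYWORDS) -> str:
    """Return 'exact', 'unique', 'ambiguous' or 'invalid' for an abbreviation."""
    t = token.lower()
    if t in keywords:
        return "exact"
    n = len(lookup(t, keywords))
    if n == 0:
        return "invalid"
    return "unique" if n == 1 else "ambiguous"


def resolve(token: str, keywords=KEYWORDS) -> str:
    """Expand an abbreviated keyword.

    An exact keyword always wins; otherwise the abbreviation must match exactly
    one keyword, as the manual requires enough letters to differentiate it.
    """
    status = classify(token, keywords)
    if status == "exact":
        return token.lower()
    if status == "unique":
        return lookup(token, keywords)[0]
    raise CliError(f"{status} keyword: {token!r}")


def resolve_line(line: str, keywords=KEYWORDS) -> list:
    """Resolve the first word (the command keyword); the remaining words pass through."""
    words = line.split()
    if not words:
        return []
    return [resolve(words[0], keywords)] + words[1:]
```

With the sample table, `en` is ambiguous (enable, end) while `ena` and `ex` resolve, which is exactly the situation in which a real switch prints an ambiguous-command error instead of guessing.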

  • Page 200

    Command Line Interface 4-10
    Command Groups
    The system commands can be broken down into the functional groups shown below.
    Table 4-4 Command Group Index
    Command Group / Description / Page
    Line: Sets communication parameters for the serial port and Telnet, including baud rate and console time-out (4-11)
    General: Basic commands for entering privilege[...]

  • Page 201

    Line Commands 4-11
    The access mode shown in the following tables is indicated by these abbreviations:
    NE (Normal Exec)
    IC (Interface Configuration)
    PE (Privileged Exec)
    LC (Line Configuration)
    GC (Global Configuration)
    VC (VLAN Database Configuration)
    ACL (Access Control List Configuration)
    MST (Multiple Spanning Tree)
    Line Commands
    You [...]

  • Page 202

    Command Line Interface 4-12
    line
    This command identifies a specific line for configuration, and to process subsequent line configuration commands.
    Syntax
    line { console | vty }
    • console - Console terminal line.
    • vty - Virtual terminal for remote console access (i.e., Telnet).
    Default Setting
    There is no default line.
    Command Mode
    Glo[...]

  • Page 203

    Line Commands 4-13
    Command Usage
    • There are three authentication modes provided by the switch itself at login:
    - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
    - login local selects authenticat[...]

  • Page 204

    Command Line Interface 4-14
    number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
    • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during s[...]

  • Page 205

    Line Commands 4-15
    password-thresh
    This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
    Syntax
    password-thresh [ threshold ]
    no password-thresh
    threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)
    Default Setting
    T[...]

  • Page 206

    Command Line Interface 4-16
    Example
    To set the silent time to 60 seconds, enter this command:
    Related Commands
    password-thresh (4-15)
    databits
    This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.
    Syntax
    databits { 7 | 8 }
    no databit[...]

  • Page 207

    Line Commands 4-17
    parity
    This command defines the generation of a parity bit. Use the no form to restore the default setting.
    Syntax
    parity { none | even | odd }
    no parity
    • none - No parity
    • even - Even parity
    • odd - Odd parity
    Default Setting
    No parity
    Command Mode
    Line Configuration
    Command Usage
    Communication protocols provided[...]

  • Page 208

    Command Line Interface 4-18
    Command Usage
    Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. If you select the “auto” option, the switch will automatically de[...]

  • Page 209

    Line Commands 4-19
    Command Usage
    Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
    Example
    Related Commands
    show ssh (4-41)
    show users (4-61)
    show line
    This command displays the terminal line’s parameters.
    Sy[...]

  • Page 210

    Command Line Interface 4-20
    General Commands
    enable
    This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 4-6.
    Syntax
    enable [ level ]
    level - Privilege level to log into the device. The device has [...]

  • Page 211

    General Commands 4-21
    Example
    Related Commands
    disable (4-21)
    enable password (4-27)
    disable
    This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mod[...]

  • Page 212

    Command Line Interface 4-22
    Related Commands
    end (4-23)
    show history
    This command shows the contents of the command history buffer.
    Default Setting
    None
    Command Mode
    Normal Exec, Privileged Exec
    Command Usage
    The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
    Example
    In this example, the show history co[...]

  • Page 213

    General Commands 4-23
    Command Mode
    Privileged Exec
    Command Usage
    This command resets the entire system.
    Example
    This example shows how to reset the switch:
    end
    This command returns to Privileged Exec mode.
    Default Setting
    None
    Command Mode
    Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Mul[...]

  • Page 214

    Command Line Interface 4-24
    quit
    This command exits the configuration program.
    Default Setting
    None
    Command Mode
    Normal Exec, Privileged Exec
    Command Usage
    The quit and exit commands can both exit the configuration program.
    Example
    This example shows how to quit a CLI session:
    System Management Commands
    These commands are used to control syst[...]

  • Page 215

    System Management Commands 4-25
    Device Designation Commands
    prompt
    This command customizes the CLI prompt. Use the no form to restore the default prompt.
    Syntax
    prompt string
    no prompt
    string - Any alphanumeric string to use for the CLI prompt. (Maximum length: 255 characters)
    Default Setting
    Console
    Command Mode
    Global Configuration
    Example
    h[...]

  • Page 216

    Command Line Interface 4-26
    Example
    User Access Commands
    The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-11), user authentication via a remote authentication server (page 4-68), and host access authen[...]

  • Page 217

    System Management Commands 4-27
    Command Mode
    Global Configuration
    Command Usage
    The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for yo[...]

  • Page 218

    Command Line Interface 4-28
    Example
    Related Commands
    enable (4-20)
    IP Filter Commands
    management
    This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting.
    Syntax
    [ no ] management { all-client | http-client | snmp-client | telnet-c[...]

  • Page 219

    System Management Commands 4-29
    • When entering addresses for the same group (i.e., SNMP, Web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
    • You cannot delete an individual address from a specified range. You must dele[...]
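
The two usage rules for the management command (no overlapping ranges within one client group, overlaps allowed across groups, and a range removable only as a whole) are easy to get wrong when a filter is rebuilt from a saved configuration. The following validator enforces them; it is an added example, not code from the Milan Technology manual or the switch firmware. The group keywords come from the command syntax on the page; the behaviour when a group has no ranges configured is an assumption, as the page does not state the default.

```python
"""Management-access address filter modelled on the manual's `management` command.

Added example, not code from the Milan Technology manual or the switch firmware.
Rules taken from the page: overlapping ranges are refused within one client
group but accepted across groups, and a range can only be removed whole.
Assumption: with no ranges configured for a group, every client address is
accepted (the page does not state the default)."""
import ipaddress

# Client groups named by the command syntax; all-client applies to every group.
GROUPS = ("http-client", "snmp-client", "telnet-client")


class ManagementFilter:
    def __init__(self):
        # group -> list of (low, high) IPv4Address pairs, inclusive
        self.ranges = {g: [] for g in GROUPS}

    @staticmethod
    def _parse(start, end=None):
        lo = ipaddress.IPv4Address(start)
        hi = ipaddress.IPv4Address(end) if end else lo
        if hi < lo:
            raise ValueError("end address precedes start address")
        return lo, hi

    @staticmethod
    def _overlaps(a, b):
        return a[0] <= b[1] and b[0] <= a[1]

    def _targets(self, group):
        if group == "all-client":
            return GROUPS
        if group not in self.ranges:
            raise ValueError(f"unknown client group {group!r}")
        return (group,)

    def add(self, group, start, end=None) -> bool:
        """Return True if the range was added, False if it overlaps a range in the same group."""
        new = self._parse(start, end)
        targets = self._targets(group)
        if any(self._overlaps(new, r) for g in targets for r in self.ranges[g]):
            return False
        for g in targets:
            self.ranges[g].append(new)
        return True

    def remove(self, group, start, end=None) -> bool:
        """Return True if an exactly matching range was removed; a partial range is refused."""
        victim = self._parse(start, end)
        targets = self._targets(group)
        if not all(victim in self.ranges[g] for g in targets):
            return False
        for g in targets:
            self.ranges[g].remove(victim)
        return True

    def allowed(self, group, addr) -> bool:
        """Decide whether a client address may reach the given management protocol."""
        a = ipaddress.IPv4Address(addr)
        if not self.ranges[group]:
            return True     # assumption: no configured ranges means no restriction
        return any(lo <= a <= hi for lo, hi in self.ranges[group])
```

Because `all-client` is expanded to every group before the overlap check, a single conflicting group makes the whole command fail rather than leaving the groups half-configured.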

  • Page 220

    Command Line Interface 4-30
    Web Server Commands
    ip http port
    This command specifies the TCP port number used by the Web browser interface. Use the no form to use the default port.
    Syntax
    ip http port port-number
    no ip http port
    port-number - The TCP port to be used by the browser interface. (Range: 1-65535)
    Default Setting
    80
    Command Mode
    Glob[...]

  • Page 221

    System Management Commands 4-31
    Example
    Related Commands
    ip http port (4-30)
    ip http secure-server
    This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s Web interface. Use the no form to disable this function.
    Syntax [...]

  • Page 222

    Command Line Interface 4-32
    Example
    Related Commands
    ip http secure-port (4-32)
    copy tftp https-certificate (4-63)
    ip http secure-port
    This command specifies the UDP port number used for HTTPS/SSL connection to the switch’s Web interface. Use the no form to restore the default port.
    Syntax
    ip http secure-port port_number
    no ip http secure-[...]

  • Page 223

    System Management Commands 4-33
    Telnet Server Commands
    ip telnet port
    This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
    Syntax
    ip telnet port port-number
    no ip telnet port
    port-number - The TCP port to be used by the browser interface. (Range: 1-65535)
    Default Setting
    23
    Command[...]

  • Page 224

    Command Line Interface 4-34
    Related Commands
    ip telnet port (4-33)
    Secure Shell Commands
    The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (rem[...]

  • Page 225

    System Management Commands 4-35
    The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on pag[...]

  • Page 226

    Command Line Interface 4-36
    corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process:
    a. The client sends its public key to the switch.
    b. The switch compares the client's public key to those stored in memory.
    c. If a match is found, the switch uses the public key t[...]

  • Page 227

    System Management Commands 4-37
    ip ssh timeout
    Use this command to configure the timeout for the SSH server. Use the no form to restore the default setting.
    Syntax
    ip ssh timeout seconds
    no ip ssh timeout
    seconds – The timeout for client response during SSH negotiation. (Range: 1-120)
    Default Setting
    10 seconds
    Command Mode
    Global Configura[...]

  • Page 228

    Command Line Interface 4-38
    Example
    Related Commands
    show ip ssh (4-40)
    ip ssh server-key size
    Use this command to set the SSH server key size. Use the no form to restore the default setting.
    Syntax
    ip ssh server-key size key-size
    no ip ssh server-key size
    key-size – The size of server key. (Range: 512-896 bits)
    Default Setting
    768 bits [...]

  • Page 229

    System Management Commands 4-39
    Example
    ip ssh crypto host-key generate
    Use this command to generate the host key pair (i.e., public and private).
    Syntax
    ip ssh crypto host-key generate [ dsa | rsa ]
    • dsa – DSA (Version 2) key type.
    • rsa – RSA (Version 1) key type.
    Default Setting
    Generates both the DSA and RSA key pairs.
    Command [...]

  • Page 230

    Command Line Interface 4-40
    Command Mode
    Privileged Exec
    Command Usage
    • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
    • The SSH server must be disabled before you can execute this command.
    Example
    Related Commands
    ip ssh crypto host-key generat[...]

  • Page 231

    System Management Commands 4-41
    Example
    show ssh
    Use this command to display the current SSH server connections.
    Command Mode
    Privileged Exec
    Example
    Console#show ip ssh
    SSH Enabled - version 1.99
    Negotiation timeout: 120 secs; Authentication retries: 3
    Server key size: 768 bits
    Console#
    Console#show ssh
    Connection Version State Username Encryp[...]

  • Page 232

    Command Line Interface 4-42
    show public-key
    Use this command to show the public key for the specified user or for the host.
    Syntax
    show public-key [ user [ username ] | host ]
    username – Name of an SSH user. (Range: 1-8 characters)
    Default Setting
    Shows all public keys.
    Command Mode
    Privileged Exec
    Command Usage
    • If no parameters are ente[...]

  • Page 233

    System Management Commands 4-43
    Event Logging Commands
    logging on
    This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process.
    Syntax
    [ no ] logging on
    Default Setting
    None
    Command Mode
    Global Configuration
    Command Usage
    The logging process controls error messag[...]

  • Page 234

    Command Line Interface 4-44
    logging history
    This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
    Syntax
    logging history { flash | ram } level
    no logging history { flash | ram }
    • flash - Event history stored in flash memory (i.e., permanent[...]

  • Page 235

    System Management Commands 4-45
    logging host
    This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
    Syntax
    [ no ] logging host host_ip_address
    host_ip_address - The IP address of a syslog server.
    Default Setting
    None
    Command Mode
    Global Configuration
    Command Usage [...]

  • Page 236

    Command Line Interface 4-46
    logging trap
    This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
    Syntax
    logging trap [ level ]
    no logging t[...]

  • Page 237

    System Management Commands 4-47
    Related Commands
    show logging (4-47)
    show logging
    This command displays the logging configuration, along with any system and event messages stored in memory.
    Syntax
    show logging { flash | ram | sendmail | trap }
    • flash - Event history stored in flash memory (i.e., permanent memory).
    • ram - Event history[...]

  • Page 238

    Command Line Interface 4-48
    The following example displays settings for the trap function.
    Related Commands
    show logging sendmail (4-51)
    SMTP Alert Commands
    These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
    Console#show logging trap
    Syslog logging: Enable
    REMOT[...]

  • Page 239

    System Management Commands 4-49
    logging sendmail host
    This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
    Syntax
    [ no ] logging sendmail host ip_address
    ip_address - IP address of an SMTP server that will be sent alert messages for event handling.
    Default Setting
    None
    Command Mode[...]

  • Page 240

    Command Line Interface 4-50
    Command Usage
    The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.)
    Example
    This example will send email alerts for system errors from level 3 through 0.
    lo[...]
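
The severity threshold used by both logging trap level (4-46) and the sendmail level above works the same way: an event passes when its severity number is at or below the configured level, so level 7 forwards everything and level 3 forwards only errors and worse. The following filter applies that rule to syslog lines; it is an added example, not code from the Milan Technology manual. The sample lines are constructed here in RFC 3164 form, whose <PRI> field is facility*8 + severity, and the level names are the standard syslog ones because the page's own level table is not in this excerpt.

```python
"""Severity-threshold forwarding as described for `logging trap level` and
`logging sendmail level`: every event at the given level or higher (numerically
lower, down to 0) passes, so level 7 forwards everything and level 3 only
errors and worse.

Added example, not code from the Milan Technology manual. The sample messages
are constructed in RFC 3164 form; <PRI> is facility*8 + severity, so severity
is PRI modulo 8. Level names are the standard syslog names (assumption: the
page's own level table is not shown)."""
import re

SEVERITY_NAMES = ("emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug")

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample log lines (facility 16 = local0), not captured from a switch.
SAMPLE_LOG = [
    "<128>Jan  1 00:00:01 switch SYSTEM: cold start",                  # severity 0
    "<131>Jan  1 00:00:05 switch PORT: link down on ethernet 1/3",     # severity 3
    "<134>Jan  1 00:01:12 switch AUTH: user admin logged in",          # severity 6
    "<135>Jan  1 00:01:13 switch SNTP: poll sent",                     # severity 7
]


def severity_of(line: str) -> int:
    """Extract the syslog severity (0-7) from a line's <PRI> prefix."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return pri % 8


def forward(lines, level: int) -> list:
    """Return the lines a threshold of `level` would send on (severity <= level)."""
    if not 0 <= level <= 7:
        raise ValueError("level must be 0-7")
    return [line for line in lines if severity_of(line) <= level]


def describe(level: int) -> str:
    """Human-readable statement of what a threshold forwards, for a config review."""
    return f"level {level} ({SEVERITY_NAMES[level]}): forwards levels {level} to 0"


if __name__ == "__main__":
    for line in forward(SAMPLE_LOG, 3):
        print(line)
```

Running the sample at level 3 keeps the cold start and the link-down event and drops the two informational lines, which is the trade-off to weigh when choosing a trap level: a low threshold keeps the remote collector quiet but also hides the login records a later investigation would want.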

  • Page 241

    System Management Commands 4-51
    Command Usage
    You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.
    Example
    logging sendmail
    This command enables SMTP event handling. Use the no form to disable this function.
    Syntax
    [ no ] logging sendmail
    Default Setting
    Disabled[...]

  • Page 242

    Command Line Interface 4-52
    Time Commands
    The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP), or by using information broadcast by local time servers.
    sntp client
    This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers comman[...]

  • Page 243

    System Management Commands 4-53
    Example
    Related Commands
    sntp server (4-53)
    sntp poll (4-54)
    show sntp (4-54)
    sntp server
    This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list.
    Syntax
    sntp server [ ip1 [ ip2 [ ip3 ]]]
    ip - [...]

  • Page 244

    Command Line Interface 4-54
    sntp poll
    This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default.
    Syntax
    sntp poll seconds
    no sntp poll
    seconds - Interval between time requests. (Range: 16-16384 seconds)
    Default Setting
    16 seconds
    Command Mode
    Global Confi[...]

  • Page 245

    System Management Commands 4-55
    clock timezone
    This command sets the time zone for the switch’s internal clock.
    Syntax
    clock timezone name hour hours minute minutes { before-utc | after-utc }
    • name - Name of timezone, usually an acronym. (Range: 1-29 characters)
    • hours - Number of hours before/after UTC. (Range: 0-12 hours)
    • minute[...]

  • Page 246

    Command Line Interface 4-56
    Default Setting
    None
    Command Mode
    Privileged Exec
    Example
    This example shows how to set the system clock to 15:12:34, February 1st, 2004.
    show calendar
    This command displays the system clock.
    Default Setting
    None
    Command Mode
    Normal Exec, Privileged Exec
    Example
    Console#calendar set 15 12 34 1 February 2004
    Console#[...]

  • Page 247

    System Management Commands 4-57
    System Status Commands
    show startup-config
    This command displays the configuration file stored in non-volatile memory that is used to start up the system.
    Default Setting
    None
    Command Mode
    Privileged Exec
    Command Usage
    • Use this command in conjunction with the show running-config command to compare the infor[...]

  • Page 248

    Command Line Interface 4-58
    Example
    Related Commands
    show running-config (4-58)
    show running-config
    This command displays the configuration information currently in use.
    Default Setting
    None
    Command Mode
    Privileged Exec
    Command Usage
    • Use this command in conjunction with the show startup-config command to compare the information in running[...]

  • Page 249

    System Management Commands 4-59
    - VLAN configuration settings for each interface
    - Multiple spanning tree instances (name and interfaces)
    - IP address configured for VLANs
    - Spanning tree settings
    - Any configured settings for the console port and Telnet
    Example
    Console#show running-config
    building running-config, please wait.....
    !
    phymap 00[...]

  • Page 250

    Command Line Interface 4-60
    Related Commands
    show startup-config (4-57)
    show system
    This command displays system information.
    Default Setting
    None
    Command Mode
    Normal Exec, Privileged Exec
    Command Usage
    • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-9.
    • The POST results shou[...]

  • Page 251

    System Management Commands 4-61
    show users
    Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
    Default Setting
    None
    Command Mode
    Normal Exec, Privileged Exec
    Command Usage
    The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index[...]

  • Page 252

    Command Line Interface 4-62
    Example
    Frame Size Commands
    jumbo frame
    This command enables support for jumbo frames. Use the no form to disable it.
    Syntax
    [ no ] jumbo frame
    Default Setting
    Disabled
    Command Mode
    Global Configuration
    Command Usage
    • This switch provides more efficient throughput for large sequential data transfers by supportin[...]

  • Page 253

    Flash/File Commands 4-63
    Example
    Flash/File Commands
    These commands are used to manage the system code or configuration files.
    copy
    This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, [...]

  • Page 254

Command Line Interface 4-64
Command Mode
Privileged Exec
Command Usage
• The system prompts for data required to complete the copy command.
• The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 charact[...]

  • Page 255

Flash/File Commands 4-65
The following example shows how to download a configuration file:
This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate:
This example shows how to copy a public key used by SSH from a TFTP server. Note that public key authentication vi[...]

  • Page 256

Command Line Interface 4-66
Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Config.cfg” cannot be deleted.
Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Related Commands
dir (4-66)
delete public-key (4-38)

dir
This comman[...]

  • Page 257

Flash/File Commands 4-67
Example
The following example shows how to display all file information:

whichboot
This command displays which files were booted when the system powered up.
Default Setting
None
Command Mode
Privileged Exec
Example
This example shows the information displayed by the whichboot command. See the table under the dir com[...]

  • Page 258

Command Line Interface 4-68
Default Setting
None
Command Mode
Global Configuration
Command Usage
• A colon (:) is required after the specified file type.
• If the file contains an error, it cannot be set as the default file.
Example
Related Commands
dir (4-66)
whichboot (4-67)

Authentication Commands
You can configure this switch to aut[...]

  • Page 259

Authentication Commands 4-69
Authentication Sequence
authentication login
This command defines the login authentication method and precedence. Use the no form to restore the default.
Syntax
authentication login {[local] [radius] [tacacs]}
no authentication login
• local - Use local password.
• radius - Use RADIUS server password.
•[...]

  • Page 260

Command Line Interface 4-70
authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-20). Use the no form to restore the default.
Syntax
authentication enable {[local] [radius] [tacacs]}
no authent[...]

  • Page 261

Authentication Commands 4-71
RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege [...]

  • Page 262

Command Line Interface 4-72
Default Setting
1812
Command Mode
Global Configuration
Example

radius-server key
This command sets the RADIUS encryption key (the shared secret between the switch and the RADIUS server). Use the no form to restore the default.
Syntax
radius-server key key_string
no radius-server key
key_string - Encryption key used to authenticate logon access for the client. Do not use blank s[...]

  • Page 263

Authentication Commands 4-73
Example

radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
Syntax
radius-server timeout number_of_seconds
no radius-server timeout
number_of_seconds - Number of seconds the switch waits for a reply before [...]

  • Page 264

Command Line Interface 4-74
TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated [...]

  • Page 265

Authentication Commands 4-75
Command Mode
Global Configuration
Example

tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.
Syntax
tacacs-server key key_string
no tacacs-server key
key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the [...]

  • Page 266

Command Line Interface 4-76
Port Security Commands
These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static add[...]

  • Page 267

Authentication Commands 4-77
Command Usage
• If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
• First use the port security max[...]

  • Page 268

Command Line Interface 4-78
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication P[...]

  • Page 269

Authentication Commands 4-79
authentication dot1x default
This command sets the default authentication server type. Use the no form to restore the default.
Syntax
authentication dot1x default radius
no authentication dot1x
Default Setting
RADIUS
Command Mode
Global Configuration
Example

dot1x default
This command sets all configurable dot1x gl[...]

  • Page 270

Command Line Interface 4-80
Command Mode
Global Configuration
Example

dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
• auto – Requires a dot1x-aware connected client to be auth[...]

  • Page 271

Authentication Commands 4-81
dot1x operation-mode
This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
Syntax
dot1x operation-mode {si[...]

  • Page 272

Command Line Interface 4-82
dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
Syntax
dot1x re-authenticate [interface]
interface
• ethernet unit/port
- unit - This is device 1.
- port - Port number.
Command Mode
Privileged Exec
Example

dot1x re-authentication
This command enables periodic re[...]

  • Page 273

Authentication Commands 4-83
Command Mode
Global Configuration
Example

dot1x timeout re-authperiod
This command sets the time period after which a connected client must be re-authenticated.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds. (Range: 1-65535)
Default
3600 seconds
Command Mod[...]

  • Page 274

Command Line Interface 4-84
show dot1x
This command shows general port authentication related settings on the switch or a specific interface.
Syntax
show dot1x [statistics] [interface interface]
• statistics - Displays dot1x status for each port.
• interface
• ethernet unit/port
- unit - This is device 1.
- port - Port number.
Comma[...]

  • Page 275

Authentication Commands 4-85
• Backend State Machine
- State – Current state (including request, response, success, fail, timeout, idle, initialize).
- Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
- Identifier(Server) – Identifier carried in the most recent EAP Success, Failure or [...]

  • Page 276

Command Line Interface 4-86
Access Control List Commands
Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, specify a mask [...]

  • Page 277

Access Control List Commands 4-87
• You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule.
• The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt t[...]

  • Page 278

Command Line Interface 4-88
access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl_name
• standard – Specifies an ACL that filters packets based on the source IP address.
• ext[...]

  • Page 279

Access Control List Commands 4-89
Example
Related Commands
permit, deny (4-89)
ip access-group (4-97)
show ip access-list (4-92)

permit, deny (Standard ACL)
This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
[no] {permit | d[...]

  • Page 280

Command Line Interface 4-90
permit, deny (Extended ACL)
This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
Syntax
[no] {permit | deny} [[...]

  • Page 281

Access Control List Commands 4-91
Command Usage
• All new rules are appended to the end of the list.
• Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with t[...]

  • Page 282

Command Line Interface 4-92
Related Commands
access-list ip (4-88)

show ip access-list
This command displays the rules for configured IP ACLs.
Syntax
show ip access-list {standard | extended} [acl_name]
• standard – Specifies a standard IP ACL.
• extended – Specifies an extended IP ACL.
• acl_name – Name of the ACL. (Maximum [...]

  • Page 283

Access Control List Commands 4-93
Command Usage
• A mask can only be used by all ingress ACLs or all egress ACLs.
• The precedence of the ACL rules applied to a packet is not determined by the order of the rules, but instead by the order of the masks; i.e., the first mask that matches a rule will determine the rule that is applied to a packet.[...]

  • Page 284

Command Line Interface 4-94
Command Mode
IP Mask
Command Usage
• Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered.
• First create the required ACLs and ingress or egress [...]

  • Page 285

Access Control List Commands 4-95
This shows how to create a standard ACL with an ingress mask to deny access to the IP host 171.69.198.102, and permit access to any others.
This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the Layer 4 source port is 23.
Console(config)#access-list [...]

  • Page 286

Command Line Interface 4-96
This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the order in which[...]
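The mask-driven evaluation described on this and the preceding pages (1-bits match and 0-bits ignore in an address bitmask, rule precedence set by mask order rather than entry order, the host-deny standard ACL and the SYN-deny extended ACL), modelled in Python as an added example. This is not the switch's firmware and not code from the manual. The Rule and evaluate encoding, the packet dicts and the addresses are constructed for the example; the rule "a mask applies to the rules that constrain exactly its fields" and the fall-through default when nothing matches are assumptions and are marked as such in the code.

```python
"""Added example, not the switch's code: a model of how this switch's IP
ACLs decide a packet, using what the manual states.
  * an address bitmask has 1 bits for "match" and 0 bits for "ignore" and
    is ANDed with both the rule address and the packet address;
  * rules are checked in the order of the masks, not the order entered;
  * a TCP control-code rule compares the flag bits under a control bitmask.
ASSUMPTIONS: a mask selects the rules whose constrained fields are exactly
its own; `default` is what happens when no rule matches."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

TCP, UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10
ANY = "0.0.0.0"   # an all-zero bitmask ignores every bit, i.e. "any"


def addr_matches(rule_addr: str, bitmask: str, pkt_addr: str) -> bool:
    """IP ACL bitmask: 1 bits must match, 0 bits are ignored."""
    m = int(IPv4Address(bitmask))
    return (int(IPv4Address(rule_addr)) & m) == (int(IPv4Address(pkt_addr)) & m)


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = ANY
    src_mask: str = ANY
    dst: str = ANY
    dst_mask: str = ANY
    protocol: Optional[int] = None  # None = any protocol
    sport: Optional[int] = None
    dport: Optional[int] = None
    control_code: Optional[int] = None
    control_mask: int = 0

    def fields(self) -> frozenset:
        """Header fields this rule constrains (what a mask must cover)."""
        f = {"src"} if self.src_mask != ANY else set()
        if self.dst_mask != ANY:
            f.add("dst")
        for name in ("protocol", "sport", "dport", "control_code"):
            if getattr(self, name) is not None:
                f.add(name)
        return frozenset(f)

    def matches(self, pkt: dict) -> bool:
        if not addr_matches(self.src, self.src_mask, pkt["src"]):
            return False
        if not addr_matches(self.dst, self.dst_mask, pkt["dst"]):
            return False
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        if self.sport is not None and pkt.get("sport") != self.sport:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.control_code is not None:   # TCP control-code test
            if pkt["protocol"] != TCP:
                return False
            if (pkt.get("flags", 0) & self.control_mask) != (self.control_code & self.control_mask):
                return False
        return True


def evaluate(rules: list, masks: list, pkt: dict, default: str = "deny") -> tuple:
    """Return (action, index of the rule applied or None).
    Masks are walked in their own order; under each mask the rules it covers
    are tried in entry order.  `default` applies when nothing matches."""
    for mask in masks:
        for i, rule in enumerate(rules):
            if rule.fields() == frozenset(mask) and rule.matches(pkt):
                return rule.action, i
    return default, None


# Constructed packets: a SYN to port 22, an established-flow ACK, a UDP datagram.
SYN_PKT = {"src": "10.1.1.5", "dst": "171.69.198.102", "protocol": TCP,
           "sport": 40000, "dport": 22, "flags": TCP_SYN}
ACK_PKT = {**SYN_PKT, "flags": TCP_ACK}
UDP_PKT = {"src": "10.1.1.5", "dst": "171.69.198.53", "protocol": UDP,
           "sport": 5353, "dport": 53}

# "Deny SYN, permit everything else", with the permit rule entered FIRST:
# entry order alone would let the SYN through; only the mask order saves it.
A6 = [Rule("permit"),
      Rule("deny", protocol=TCP, control_code=TCP_SYN, control_mask=TCP_SYN)]
SYN_MASK_FIRST = [{"protocol", "control_code"}, set()]
ANY_MASK_FIRST = [set(), {"protocol", "control_code"}]

# The standard-ACL case: deny one host, permit any other.
HOST_ACL = [Rule("deny", src="171.69.198.102", src_mask="255.255.255.255"),
            Rule("permit")]
HOST_MASKS = [{"src"}, set()]


def demo() -> dict:
    return {
        "syn, deny-mask first": evaluate(A6, SYN_MASK_FIRST, SYN_PKT),
        "syn, any-mask first": evaluate(A6, ANY_MASK_FIRST, SYN_PKT),
        "ack, deny-mask first": evaluate(A6, SYN_MASK_FIRST, ACK_PKT),
        "udp, deny-mask first": evaluate(A6, SYN_MASK_FIRST, UDP_PKT),
        "blocked host": evaluate(HOST_ACL, HOST_MASKS,
                                 {"src": "171.69.198.102", "dst": "10.0.0.1", "protocol": UDP}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

The second demo entry is the audit point: the same two rules with the masks in the other order permit the SYN, so reviewing an ACL on this switch means reading the mask order (and the rule order that show access-list reports once the ACL is bound), not the order in which the rules were typed.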

  • Page 287

Access Control List Commands 4-97
Related Commands
mask (IP ACL) (4-93)

ip access-group
This command binds a port to an IP ACL. Use the no form to remove the port.
Syntax
[no] ip access-group acl_name {in | out}
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
•[...]

  • Page 288

Command Line Interface 4-98
Related Commands
ip access-group (4-97)

map access-list ip
This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. Use the no form to remove the CoS mapping.
Syntax
[no] map acc[...]

  • Page 289

Access Control List Commands 4-99
show map access-list ip
This command shows the CoS value mapped to an IP ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.)
Syntax
show map access-list ip [interface]
interface
• ethernet unit/port
- unit - This is device 1.
- port - Port number.[...]

  • Page 290

Command Line Interface 4-100
Command Usage
• You must configure an ACL mask before you can change frame priorities based on an ACL rule.
• Traffic priorities may be included in the IEEE 802.1p priority tag. This tag is also incorporated as part of the overall IEEE 802.1Q VLAN tag. To specify this priority, use the set priority keywords[...]

  • Page 291

Access Control List Commands 4-101
MAC ACLs
access-list mac
This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL.
Syntax
[no] access-list mac acl_name
acl_name – Name of the ACL. (Maximum length: 16 characters)
Default Setting
None
Command Mode
Global Configuration
Command U[...]

  • Page 292

Command Line Interface 4-102
Example
Related Commands
permit, deny (4-102)
mac access-group (4-107)
show mac access-list (4-103)

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no f[...]

  • Page 293

Access Control List Commands 4-103
• destination – Destination MAC address range with bitmask.
• address-bitmask* – Bitmask for MAC address (in hexadecimal format).
• vid – VLAN ID. (Range: 1-4095)
• vid-bitmask* – VLAN bitmask. (Range: 1-4095)
• protocol – A specific Ethernet protocol number. (Range: 600-fff hex.)
• proto[...]

  • Page 294

Command Line Interface 4-104
Example
Related Commands
permit, deny (4-102)
mac access-group (4-107)

access-list mac mask-precedence
This command changes to MAC Mask mode, used to configure access control masks. Use the no form to delete the mask table.
Syntax
[no] access-list mac mask-precedence {in | out}
• in – Ingress mask for ingres[...]

  • Page 295

Access Control List Commands 4-105
mask (MAC ACL)
This command defines a mask for MAC ACLs. This mask defines the fields to check in the packet header. Use the no form to remove a mask.
Syntax
[no] mask [pktformat] {any | host | source-bitmask} {any | host | destination-bitmask} [vid [vid-bitmask]] [ethertype [ethertype-bitmask][...]

  • Page 296

Command Line Interface 4-106
Example
This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
This example creates an Egress MAC ACL.
Console(config)#access-list mac M4
Console(config-mac-acl)#permit any any
Console(config-mac-acl)#deny tagged-eth2 00[...]

  • Page 297

Access Control List Commands 4-107
show access-list mac mask-precedence
This command shows the ingress or egress rule masks for MAC ACLs.
Syntax
show access-list mac mask-precedence [in | out]
• in – Ingress mask precedence for ingress ACLs.
• out – Egress mask precedence for egress ACLs.
Command Mode
Privileged Exec
Example
Related C[...]

  • Page 298

Command Line Interface 4-108
Related Commands
show mac access-list (4-103)

show mac access-group
This command shows the ports assigned to MAC ACLs.
Command Mode
Privileged Exec
Example
Related Commands
mac access-group (4-107)

map access-list mac
This command sets the output queue for packets matching an ACL rule. The specified CoS value is [...]

  • Page 299

Access Control List Commands 4-109
Example
Related Commands
queue cos-map (4-193)
show map access-list mac (4-109)

show map access-list mac
This command shows the CoS value mapped to a MAC ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.)
Syntax
show map access-list mac [interface]
int[...]

  • Page 300

Command Line Interface 4-110
match access-list mac
This command changes the IEEE 802.1p priority of a Layer 2 frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no form to remove the ACL marker.
Syntax
match access-list mac acl_name set priority priority
no match access-list mac acl_name[...]

  • Page 301

Access Control List Commands 4-111
ACL Information
show access-list
This command shows all ACLs and associated rules, as well as all the user-defined masks.
Command Mode
Privileged Exec
Command Usage
Once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.[...]

  • Page 302

Command Line Interface 4-112
SNMP Commands
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.
snmp-server community
This command defines the community access string for the Simple Network Management Protocol. Use the no form to remove th[...]

  • Page 303

SNMP Commands 4-113
Example

snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Glob[...]

  • Page 304

Command Line Interface 4-114
Related Commands
snmp-server contact (4-113)

snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
Syntax
snmp-server host host-addr community-string [version {1 | 2c}]
no snmp-server host host-addr
• [...]

  • Page 305

SNMP Commands 4-115
Related Commands
snmp-server enable traps (4-115)

snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps (SNMP notifications). Use the no form to disable SNMP notifications.
Syntax
[no] snmp-server enable traps [authentication | link-up-down]
• authentication - Key[...]

  • Page 306

Command Line Interface 4-116
Command Usage
This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
Example
Console#show snmp
System Contact: Paul
System Location: WC-19
SNMP[...]

  • Page 307

DNS Commands 4-117
DNS Commands
These commands are used to configure Domain Name System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation. Note that domain name services wil[...]

  • Page 308

Command Line Interface 4-118
Command Usage
Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.
Example
This exam[...]

  • Page 309

DNS Commands 4-119
Default Setting
None
Command Mode
Global Configuration
Example
Related Commands
ip domain-list (4-119)
ip name-server (4-120)
ip domain-lookup (4-121)

ip domain-list
This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with[...]

  • Page 310

Command Line Interface 4-120
Example
This example adds two domain names to the current list and then displays the list.
Related Commands
ip domain-name (4-118)

ip name-server
This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list.
Syn[...]

  • Page 311

DNS Commands 4-121
Example
This example adds two domain-name servers to the list and then displays the list.
Related Commands
ip domain-name (4-118)
ip domain-lookup (4-121)

ip domain-lookup
This command enables DNS host name-to-address translation. Use the no form to disable DNS.
Syntax
[no] ip domain-lookup
Default Setting
Disabled
Comm[...]

  • Page 312

Command Line Interface 4-122
Example
This example enables DNS and then displays the configuration.
Related Commands
ip domain-name (4-118)
ip name-server (4-120)

show hosts
This command displays the static host name-to-address mapping table.
Command Mode
Privileged Exec
Example
Note that a host name will be displayed as an alias if it is ma[...]

  • Page 313

DNS Commands 4-123
show dns
This command displays the configuration of the DNS server.
Command Mode
Privileged Exec
Example

show dns cache
This command displays entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#show dns
Domain Lookup Status: DNS enabled
Default Domain Name: sample.com
Domain Name List: sample.com.jp sample.[...]

  • Page 314

Command Line Interface 4-124
clear dns cache
This command clears all entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#clear dns cache
Console#show dns cache
NO FLAG TYPE IP TTL DOMAIN
Console#[...]

  • Page 315

Interface Commands 4-125
Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
interface
This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk.
Syntax
interface interface
no interface port-channel channe[...]

  • Page 316

Command Line Interface 4-126
Command Mode
Global Configuration
Example
To specify port 24, enter the following command:

description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or a description to help you remember what is attached to thi[...]

  • Page 317

Interface Commands 4-127
Default Setting
• Auto-negotiation is enabled by default.
• When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• To force operation to the speed [...]

  • Page 318

Command Line Interface 4-128
• If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
Example
The following example configures port 11 to use autonegotiation.
Related Commands
capabilities (4-128)
speed-duplex (4-126)

capabilities
This command advertises the port capabilities[...]

  • Page 319

Interface Commands 4-129
Example
The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.
Related Commands
negotiation (4-127)
speed-duplex (4-126)
flowcontrol (4-129)

flowcontrol
This command enables flow control. Use the no form to disable flow control.
Syntax
[no] flowcontrol
Default Setting
Flo[...]

  • Page 320

Command Line Interface 4-130
Example
The following example enables flow control on port 5.
Related Commands
negotiation (4-127)
capabilities (flowcontrol, symmetric) (4-128)

combo-forced-mode
This command forces the port type selected for combination ports 21-24. Use the no form to restore the default mode.
Syntax
combo-forced-mode mode
no [...]

  • Page 321

Interface Commands 4-131
Default Setting
All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for s[...]

  • Page 322

Command Line Interface 4-132
Example
The following shows how to configure broadcast storm control at 600 packets per second:

clear counters
This command clears statistics on an interface.
Syntax
clear counters interface
interface
• ethernet unit/port
- unit - This is device 1.
- port - Port number.
• port-channel channel-id (Range: 1-[...]

  • Page 323

Interface Commands 4-133
show interfaces status
This command displays the status for an interface.
Syntax
show interfaces status [interface]
interface
• ethernet unit/port
- unit - This is device 1.
- port - Port number.
• port-channel channel-id (Range: 1-6)
• vlan vlan-id (Range: 1-4094)
Default Setting
Shows the status for all in[...]

  • Page 324

Command Line Interface 4-134
show interfaces counters
This command displays interface statistics.
Syntax
show interfaces counters [interface]
interface
• ethernet unit/port
- unit - This is device 1.
- port - Port number.
• port-channel channel-id (Range: 1-6)
Default Setting
Shows the counters for all interfaces.
Command Mode
Normal [...]

  • Page 325

Interface Commands 4-135
show interfaces switchport
This command displays the administrative and operational status of the specified interfaces.
Syntax
show interfaces switchport [interface]
interface
• ethernet unit/port
- unit - This is device 1.
- port - Port number.
• port-channel channel-id (Range: 1-6)
Default Setting
Shows all i[...]

  • Page 326

Command Line Interface 4-136
Mirror Port Commands
This section describes how to mirror traffic from a source port to a target port.
port monitor
This command configures a mirror session. Use the no form to clear a mirror session.
Syntax
port monitor interface [rx | tx | both]
no port monitor interface
• interface
- ethernet unit/port (s[...]

  • Page 327

Mirror Port Commands 4-137
Command Usage
• You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.
• The destination port is set by specifying an Eth[...]

  • Page 328

Command Line Interface 4-138
Example
The following shows mirroring configured from port 6 to port 11:

Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out [...]

  • Page 329

Link Aggregation Commands 4-139
Example

Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and a n[...]

  • Page 330

Command Line Interface 4-140
• All the ports in a trunk have to be treated as a whole when moved from/to, added to or deleted from a VLAN via the specified port-channel.
• STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel.
Dynamically Creating a Port Channel – Ports assigned to a common port [...]

  • Page 331

Link Aggregation Commands 4-141
lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Syntax
[no] lacp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
• The ports on both ends of an LACP trunk must be configured for full [...]

  • Page 332

Command Line Interface 4-142
lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
• actor - The local side of an aggregate link.
• partner - The remote side of an[...]

  • Page 333

Link Aggregation Commands 4-143
lacp admin-key (Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} admin-key key
[no] lacp {actor | partner} admin-key
• actor - The local side of an aggregate link.
• partner - The remote side [...]

  • Page 334

Command Line Interface 4-144
lacp admin-key (Port Channel)
This command configures a port channel's LACP administration key string. Use the no form to restore the default setting.
Syntax
lacp admin-key key
[no] lacp admin-key
key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP s[...]

  • Page 335

Link Aggregation Commands 4-145
Command Mode
Interface Configuration (Ethernet)
Command Usage
• Setting a lower value indicates a higher effective priority.
• If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP port priority, [...]

  • Page 336

Command Line Interface 4-146
Example
Console#show lacp 1 counters
Port Channel : 1
-------------------------------------------------------------------------
Eth 1/ 1
-------------------------------------------------------------------------
LACPDUs Sent : 21
LACPDUs Received : 21
Marker Sent : 0
Marker Received : 0
LACPDUs Unknown Pkts : 0
LACP[...]

  • Page 337

Link Aggregation Commands 4-147
Console#show lacp 1 internal
Port Channel : 1
-------------------------------------------------------------------------
Oper Key : 4
Admin Key : 0
Eth 1/1
-------------------------------------------------------------------------
LACPDUs Internal : 30 sec
LACP System Priority : 32768
LACP Port Priority : 32768
Ad[...]

  • Page 338

Command Line Interface 4-148
Console#show lacp 1 neighbors
Port Channel 1 neighbors
-------------------------------------------------------------------------
Eth 1/1
-------------------------------------------------------------------------
Partner Admin System ID : 32768, 00-00-00-00-00-00
Partner Oper System ID : 32768, 00-00-00-00-00-01
Pa[...]

  • Page 339

Address Table Commands 4-149
Console#show lacp sysid
Port Channel System Priority System MAC Address
-------------------------------------------------------------------------[...]

Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.

  • Page 340

Command Line Interface 4-150
mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.
Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
• mac-address - MAC address.
• interfa[...]

  • Page 341

    Address Table Commands 4-151 clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries. Default Setting None Command Mode Privileged Exec Example show mac-address-table This command shows classes of entries in the[...]

  • Page 342

    Command Line Interface 4-152 means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” • The maximum number of address entries is 8191. Example mac-address-table aging-time This command sets the aging time for entries in the addres[...]

  • Page 343

    Spanning Tree Commands 4-153 Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-52 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol GC 4-154 spann[...]

  • Page 344

    Command Line Interface 4-154 spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax [ no ] spanning-tree Default Setting Spanning tree is enabled. Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable n[...]

  • Page 345

    Spanning Tree Commands 4-155 Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network l[...]

  • Page 346

    Command Line Interface 4-156 Default Setting 15 seconds Command Mode Global Configuration Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes befo[...]

  • Page 347

    Spanning Tree Commands 4-157 spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-t[...]

  • Page 348

    Command Line Interface 4-158 Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the r[...]

  • Page 349

    Spanning Tree Commands 4-159 spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds. (Range: 1-10) D[...]

  • Page 350

    Command Line Interface 4-160 mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Using the no form without any VLAN parameters removes all VLANs. Syntax [ no ] mst instance_id vlan vlan-range • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) • vlan-range [...]

  • Page 351

    Spanning Tree Commands 4-161 mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance_id priority priority no mst instance_id priority • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) • priority - Priority of the spanning tree i[...]

  • Page 352

    Command Line Interface 4-162 Command Usage The MST region name and revision number (page 4-162) are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region. All bridges in the same region must be configured with the same MST instances. Example Related C[...]

  • Page 353

    Spanning Tree Commands 4-163 max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting 20 Command Mode MST Configuration Command Usage An MSTI r[...]

  • Page 354

    Command Line Interface 4-164 spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port. (Range: 1-200,000,000) The recommended range is: • Ethernet: 200,000-20,000,000[...]

  • Page 355

    Spanning Tree Commands 4-165 Default Setting 128 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be con[...]

  • Page 356

    Command Line Interface 4-166 Example Related Commands spanning-tree portfast (4-166) spanning-tree portfast This command sets an interface to fast forwarding. Use the no form to disable fast forwarding. Syntax [ no ] spanning-tree portfast Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage [...]

  • Page 357

    Spanning Tree Commands 4-167 spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type { auto | point-to-point | shared } no spanning-tree link-type • auto - Automatically derived from the duplex mode setting. [...]

  • Page 358

    Command Line Interface 4-168 Default Setting • Ethernet – half duplex: 2,000,000; full duplex: 1,000,000; trunk: 500,000 • Fast Ethernet – half duplex: 200,000; full duplex: 100,000; trunk: 50,000 • Gigabit Ethernet – full duplex: 10,000; trunk: 5,000 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage [...]

  • Page 359

    Spanning Tree Commands 4-169 interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree. • Where more than one interface is assigned the highest priority, the interface with the lowest numeric identifier will be enabled. Example Related Commands spanning-tree mst cost (4-167) spanning-tr[...]

  • Page 360

    Command Line Interface 4-170 show spanning-tree This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST). Syntax show spanning-tree [ interface | mst instance_id ] • interface • ethernet unit / port - unit - This is device 1. - port - Port number. • port-channel [...]

  • Page 361

    Spanning Tree Commands 4-171 Example show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Syntax show spanning-tree mst configuration Command Mode Privileged Exec Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree[...]

  • Page 362

    Command Line Interface 4-172 Example VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for[...]

  • Page 363

    VLAN Commands 4-173 Command Mode Global Configuration Command Usage • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command. • Use the interface vlan command mode to define the port membership mode and add or remove port[...]

  • Page 364

    Command Line Interface 4-174 • no vlan vlan-id state returns the VLAN to the default state (i.e., active). • You can configure up to 255 VLANs on the switch. Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default. Related Commands show vlan (4-180) Configuring VLAN Interfaces interface[...]

  • Page 365

    VLAN Commands 4-175 Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Related Commands shutdown (4-130) switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode { trunk | hybrid[...]

  • Page 366

    Command Line Interface 4-176 switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types { all | tagged } no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. • tagged - The por[...]

  • Page 367

    VLAN Commands 4-177 Command Usage • Ingress filtering only affects tagged frames. • If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port). • If ingress filtering is enabled and [...]

  • Page 368

    Command Line Interface 4-178 Example The following example shows how to set the PVID for port 1 to VLAN 3: switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan { add vlan-list [ tagged | untagged ] | remove vlan-list } no switchport [...]

  • Page 369

    VLAN Commands 4-179 Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan { add vlan-list | remove vlan-list } no switchport forb[...]

  • Page 370

    Command Line Interface 4-180 Displaying VLAN Information show vlan This command shows VLAN information. Syntax show vlan [ id vlan-id | name vlan-name ] • id - Keyword to be followed by the VLAN ID. - vlan-id - ID of the configured VLAN. (Range: 1-4094, no leading zeroes) • name - Keyword to be followed by the VLAN name. - vlan-name - AS[...]

  • Page 371

    VLAN Commands 4-181 Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This section describes commands used to configure private VLANs. pvlan This command enables or configures a private VLAN. Use the no form to disable the private VLAN. Syntax pvlan [ up-link interface-l[...]

  • Page 372

    Command Line Interface 4-182 show pvlan This command displays the configured private VLAN. Command Mode Privileged Exec Example Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLA[...]

  • Page 373

    VLAN Commands 4-183 protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{ add | remove } frame_type frame protocol-type protocol ] no protocol-vlan protocol-group group-id [...]

  • Page 374

    Command Line Interface 4-184 Command Usage • When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4-173), these interfaces will admit traffic of any protocol type into the associated VLAN. • When a frame enters a port that has been[...]

  • Page 375

    VLAN Commands 4-185 show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [ interface ] interface • ethernet unit / port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6[...]

  • Page 376

    Command Line Interface 4-186 GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as ho[...]

  • Page 377

    GVRP and Bridge Extension Commands 4-187 show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See “Displaying Basic VLAN Information” on page 3-114 and “Displaying Bridge Extension Capabilities” on page 3-11 for a description of the displ[...]

  • Page 378

    Command Line Interface 4-188 show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [ interface ] interface • ethernet unit / port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6) Default Setting Shows both global and interface-specific configuration. Command Mo[...]

  • Page 379

    GVRP and Bridge Extension Commands 4-189 Command Usage • Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unles[...]

  • Page 380

    Command Line Interface 4-190 Related Commands garp timer (4-188) Priority Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s hi[...]

  • Page 381

    Priority Commands 4-191 queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode { strict | wrr } no queue mode • strict - Services the egress queues in sequential order, transmitting all traf[...]

  • Page 382

    Command Line Interface 4-192 switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value. Syntax switchport priority default default-priority-id no switchport priority default default-priority-id - The priority number for untagged ingress traffic. The priority is a number [...]

  • Page 383

    Priority Commands 4-193 queue bandwidth This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues. Use the no form to restore the default weights. Syntax queue bandwidth weight1...weight8 no queue bandwidth weight1...weight8 - The ratio of weights for queues 0 - 7 determines the weights used b[...]

  • Page 384

    Command Line Interface 4-194 Default Setting This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below. Comm[...]

  • Page 385

    Priority Commands 4-195 Example show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the eight priority queues. Default Setting None Command Mode Privileged Exec Example show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [ interface ] interface • eth[...]

  • Page 386

    Command Line Interface 4-196 Example Priority Commands (Layer 3 and 4) map ip port (Global Configuration) This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping. Syntax [ no ] map ip port Default Setting Disabled Command Mode Global Configuration Command Usage Th[...]

  • Page 387

    Priority Commands 4-197 Example The following example shows how to enable TCP/UDP port mapping globally: map ip port (Interface Configuration) This command enables IP port mapping (i.e., TCP/UDP port priority). Use the no form to remove a specific setting. Syntax map ip port port-number cos cos-value no map ip port port-number • port-number -[...]

  • Page 388

    Command Line Interface 4-198 Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • IP Precedence and IP DSCP cannot both be enabled. Enabling one of these priority types will automatically disable the other type. Example The following example shows how to enable IP pr[...]

  • Page 389

    Priority Commands 4-199 map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping. Syntax [ no ] map ip dscp Default Setting Disabled Command Mode Global Configuration Command Usage • The precedence for priority mapping is IP Port, IP[...]

  • Page 390

    Command Line Interface 4-200 Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and [...]

  • Page 391

    Priority Commands 4-201 Default Setting None Command Mode Privileged Exec Example The following shows that HTTP traffic has been mapped to CoS value 0: Related Commands map ip port (Global Configuration) (4-196) map ip port (Interface Configuration) (4-197) show map ip precedence This command shows the IP precedence priority map. Syntax show m[...]

  • Page 392

    Command Line Interface 4-202 Example Related Commands map ip port (Global Configuration) (4-196) map ip precedence (Interface Configuration) (4-198) show map ip dscp This command shows the IP DSCP priority map. Syntax show map ip dscp [ interface ] interface • ethernet unit / port - unit - This is device 1. - port - Port number. • port-cha[...]

  • Page 393

    Multicast Filtering Commands 4-203 Example Related Commands map ip dscp (Global Configuration) (4-199) map ip dscp (Interface Configuration) (4-199) Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the port[...]

  • Page 394

    Command Line Interface 4-204 IGMP Snooping Commands ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [ no ] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. ip igmp snooping vlan static This command adds [...]

  • Page 395

    Multicast Filtering Commands 4-205 Command Mode Global Configuration Example The following shows how to statically configure a multicast group on a port: ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version { 1 | 2 } no ip igmp snooping version [...]

  • Page 396

    Command Line Interface 4-206 Command Usage See “Configuring IGMP Snooping and Query Parameters” on page 3-141 for a description of the displayed items. Example The following shows the current IGMP snooping configuration: show mac-address-table multicast This command shows known multicast addresses. Syntax show mac-address-table multicas[...]

  • Page 397

    Multicast Filtering Commands 4-207 IGMP Query Commands (Layer 2) ip igmp snooping querier This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax [ no ] ip igmp snooping querier Default Setting Enabled Command Mode Global Configuration Command Usage If enabled, the switch will serve as querier if elected. Th[...]

  • Page 398

    Command Line Interface 4-208 Default Setting 2 times Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action. If a querier has sent a number of queries defined by this command, but a client has not responded, a countdown timer is started [...]

  • Page 399

    Multicast Filtering Commands 4-209 ip igmp snooping query-max-response-time This command configures the query report delay. Use the no form to restore the default. Syntax ip igmp snooping query-max-response-time seconds no ip igmp snooping query-max-response-time seconds - The report delay advertised in IGMP queries. (Range: 5-25) Default S[...]

  • Page 400

    Command Line Interface 4-210 Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 for this command to take effect. Example The following shows how to configure the default timeout to 300 seconds: Related Commands ip igmp snooping version (4-205) Static Multicast Routing Commands ip igmp snoopi[...]

  • Page 401

    Multicast Filtering Commands 4-211 Command Usage Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to j[...]

  • Page 402

    Command Line Interface 4-212 IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. Yo[...]

  • Page 403

    IP Interface Commands 4-213 • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask). • You c[...]

  • Page 404

    Command Line Interface 4-214 ip default-gateway This command establishes a static route between this switch and management stations that exist on another network segment. Use the no form to remove the static route. Syntax ip default-gateway gateway no ip default-gateway gateway - IP address of the default gateway Default Setting No static ro[...]

  • Page 405

    IP Interface Commands 4-215 show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Related Commands ip default-gateway (4-214) ping This command sends ICMP echo request packets to another node on the network. Syntax ping host [ size size ] [ count count [...]

  • Page 406

    Command Line Interface 4-216 Example Related Commands interface (4-125) Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 0 ms Ping statistics for 10.1.0.9: 5 packets transmitted, 5 p[...]

  • Page 407

    A-1 Appendix A: Software Specifications Software Features Authentication Local, RADIUS, TACACS, Port (802.1x), HTTPS, SSH, Port Security Access Control Lists IP, MAC (up to 32 lists) DHCP Client DNS Server Port Configuration 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex 1000BASE-SX/LX/LH: 1000 Mbps, full duplex Flow Cont[...]

  • Page 408

    Software Specifications A-2 Additional Features BOOTP client SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1, 2, 3, 9) SMTP Email Alerts Management Features In-Band Management Telnet, Web-based HTTP or HTTPS, SNMP manager, or Secure Shell Out-of-Band Management RS-232 DB-9 consol[...]

  • Page 409

    Management Information Bases A-3 RMON (RFC 1757 groups 1,2,3,9) SNMP (RFC 1157) SNMPv2 (RFC 1907) SNTP (RFC 2030) SSH (Version 2.0) TFTP (RFC 1350) Management Information Bases Bridge MIB (RFC 1493) Entity MIB (RFC 2737) Ether-like MIB (RFC 2665) Extended Bridge MIB (RFC 2674) Extensible SNMP Agents MIB (RFC 2742) Forwarding Table MIB (RFC [...]

  • Page 410

    Software Specifications A-4 [...]

  • Page 411

    B-1 Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Telnet, web browser, or SNMP software • Be sure the switch is powered up. • Check network cabling between the management station and the switch. • Check that you have a valid network connecti[...]

  • Page 412

    Troubleshooting B-2 Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Designate the SNM[...]

  • Page 413

    Glossary-1 Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide boot up information for network devices, including IP address information, the address of the TFTP [...]

  • Page 414

    Glossary-2 GARP VLAN Registration Protocol (GVRP) Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network. Generic Attribute Registration Protocol (GARP) GARP is a pr[...]

  • Page 415

    Glossary-3 IEEE 802.3x Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links. IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. IGMP Query On each subnetwork, one IGMP-ca[...]

  • Page 416

    Glossary-4 Management Information Base (MIB) An acronym for Management Information Base. It is a set of database objects that contains information about a specific device. Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all p[...]

  • Page 417

    Glossary-5 Rapid Spanning Tree Protocol (RSTP) RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard. Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt dat[...]

  • Page 418

    Glossary-6 User Datagram Protocol (UDP) UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets. UDP is usefu[...]

  • Page 419

    Index-1 Numerics 802.1x, port authentication 3-43, 4-78 A acceptable frame type 3-120, 4-176 Access Control List See ACL ACL Extended IP 3-53, 4-86, 4-87, 4-90 MAC 3-53, 4-86, 4-101, 4-101–4-103 Standard IP 3-53, 4-86, 4-87, 4-89 address table 3-88, 4-149 aging time 3-91, 4-152 B BOOTP 3-15, 4-212 BPDU 3-92 broadcast storm, threshold 3-80, 4-[...]

  • Page 420

    Index-2 HTTPS 3-34, 4-31 HTTPS, secure server 3-34, 4-31 I IEEE 802.1D 3-91, 4-154 IEEE 802.1s 4-154 IEEE 802.1w 3-91, 4-154 IEEE 802.1x 3-43, 4-78 IGMP groups, displaying 3-144, 4-206 Layer 2 3-140, 4-204 query 3-140, 4-207 query, Layer 2 3-141, 4-207 snooping 3-140, 4-204 snooping, configuring 3-141, 4-204 ingress filtering 3-120, 4-176 IP[...]

  • Page 421

    Index-3 R RADIUS, logon authentication 3-31, 4-71 rate limits, setting 3-83, 4-138 restarting the system 3-25, 4-22 RSTP 3-91, 4-154 global configuration 3-92, 4-154 S Secure Shell 3-36, 4-34 configuration 3-36, 4-37 Secure Shell configuration 4-37 serial port configuring 4-11 Simple Network Management Protocol See SNMP SNMP 3-28 commun[...]

  • Page 422

    Index-4 [...]

  • Page 423

    [...]

  • Page 424

    P/N: 90000441 REV.A MIL-SM24004TG[...]