Accton Technology ES4548C, ES4524C, ES4512C User Manual

Download

ES4512C ES4524C

ES4548C 12/24/48-Port Gigabit Intelligent Switch

Management Guide

www.edge-core.com

Installation Guide

ES4512C 12-Port Gigabit Intelligent Switch

Layer 2 Workgroup Switch with 12 1000BASE-T (RJ-45) Ports, and 4 Combination (RJ-45/SFP) Ports

ES4524C 24-Port Gigabit Intelligent Switch

Layer 2 Workgroup Switch with 24 1000BASE-T (RJ-45) Ports, and 4 Combination (RJ-45/SFP) Ports

ES4548C 48-Port Gigabit Intelligent Switch

Layer 2 Workgroup Switch with 48 1000BASE-T (RJ-45) Ports, and 4 Combination (RJ-45/SFP) Ports

ES4512C ES4524C ES4548C E052005-R02

Contents

Chapter 1: Introduction 1-1

Key Features 1-1 Description of Software Features 1-2 System Defaults 1-5

Chapter 2: Initial Configuration 2-1

Connecting to the Switch 2-1

Configuration Options 2-1 Required Connections 2-2 Remote Connections 2-3

Basic Configuration 2-3

Console Connection 2-3 Setting Passwords 2-4 Setting an IP Address 2-4

Manual Configuration 2-4 Dynamic Configuration 2-5

Enabling SNMP Management Access 2-6

Community Strings 2-6 Trap Receivers 2-7

Saving Configuration Settings 2-7

Managing System Files 2-8

Chapter 3: Configuring the Switch 3-1

Using the Web Interface 3-1 Navigating the Web Browser Interface 3-2

Home Page 3-2 Configuration Options 3-3 Panel Display 3-3 Main Menu 3-4

Basic Configuration 3-9

Displaying System Information 3-9 Displaying Switch Hardware/Software Versions 3-10 Displaying Bridge Extension Capabilities 3-11 Setting the Switch’s IP Address 3-13

Manual Configuration 3-14 Using DHCP/BOOTP 3-15

Managing Firmware 3-16

Downloading System Software from a Server 3-16

Saving or Restoring Configuration Settings 3-17

Downloading Configuration Settings from a Server 3-18

Configuring Event Logging 3-19

Contents

System Log Configuration 3-19 Remote Log Configuration 3-20 Displaying Log Messages 3-22

Sending Simple Mail Transfer Protocol Alerts 3-23 Resetting the System 3-25 Setting the System Clock 3-26

Configuring SNTP 3-26

Setting the Time Zone 3-27

Simple Network Management Protocol 3-28

Setting Community Access Strings 3-28 Specifying Trap Managers and Trap Types 3-29

User Authentication 3-30

Configuring the Logon Password 3-30 Configuring Local/Remote Logon Authentication 3-31 Configuring HTTPS 3-34

Replacing the Default Secure-site Certificate 3-35 Configuring the Secure Shell 3-36

Generating the Host Key Pair 3-38

Configuring the SSH Server 3-40 Configuring Port Security 3-41 Configuring 802.1x Port Authentication 3-43

Displaying 802.1x Global Settings 3-44

Configuring 802.1x Global Settings 3-46

Configuring Port Authorization Mode 3-47

Displaying 802.1x Statistics 3-48 Filtering IP Addresses for Management Access 3-50

Access Control Lists 3-52

Configuring Access Control Lists 3-52

Setting the ACL Name and Type 3-53

Configuring a Standard IP ACL 3-53

Configuring an Extended IP ACL 3-55

Configuring a MAC ACL 3-57 Configuring ACL Masks 3-59

Specifying the Mask Type 3-59

Configuring an IP ACL Mask 3-60

Configuring a MAC ACL Mask 3-62 Binding a Port to an Access Control List 3-63

Port Configuration 3-64

Displaying Connection Status 3-64 Configuring Interface Connections 3-67 Creating Trunk Groups 3-69

Statically Configuring a Trunk 3-70

Enabling LACP on Selected Ports 3-71

Configuring LACP Parameters 3-73

Displaying LACP Port Counters 3-76

Contents

Displaying LACP Settings and Status for the Local Side 3-77

Displaying LACP Settings and Status for the Remote Side 3-79 Setting Broadcast Storm Thresholds 3-80 Configuring Port Mirroring 3-82 Configuring Rate Limits 3-83 Showing Port Statistics 3-84

Address Table Settings 3-88

Setting Static Addresses 3-88 Displaying the Address Table 3-89 Changing the Aging Time 3-91

Spanning Tree Algorithm Configuration 3-91

Displaying Global Settings 3-92 Configuring Global Settings 3-95 Displaying Interface Settings 3-99 Configuring Interface Settings 3-102 Configuring Multiple Spanning Trees 3-104 Displaying Interface Settings for MSTP 3-107 Configuring Interface Settings for MSTP 3-108

VLAN Configuration 3-110

IEEE 802.1Q VLANs 3-110

Enabling or Disabling GVRP (Global Setting) 3-113

Displaying Basic VLAN Information 3-113

Displaying Current VLANs 3-114

Creating VLANs 3-115

Adding Static Members to VLANs (VLAN Index) 3-116

Adding Static Members to VLANs (Port Index) 3-118

Configuring VLAN Behavior for Interfaces 3-119 Configuring Private VLANs 3-121

Enabling Private VLANs 3-121

Configuring Uplink and Downlink Ports 3-122 Configuring Protocol-Based VLANs 3-122

Configuring Protocol Groups 3-123

Mapping Protocols to VLANs 3-123

Class of Service Configuration 3-125

Layer 2 Queue Settings 3-125

Setting the Default Priority for Interfaces 3-125

Mapping CoS Values to Egress Queues 3-127

Selecting the Queue Mode 3-129

Setting the Service Weight for Traffic Classes 3-129 Layer 3/4 Priority Settings 3-131

Mapping Layer 3/4 Priorities to CoS Values 3-131

Selecting IP Precedence/DSCP Priority 3-131

Mapping IP Precedence 3-132

Mapping DSCP Priority 3-133

Mapping IP Port Priority 3-135

iii

Contents

Mapping CoS Values to ACLs 3-136 Changing Priorities Based on ACL Rules 3-137

Multicast Filtering 3-139

Layer 2 IGMP (Snooping and Query) 3-139

Configuring IGMP Snooping and Query Parameters 3-140 Displaying Interfaces Attached to a Multicast Router 3-142 Specifying Static Interfaces for a Multicast Router 3-143 Displaying Port Members of Multicast Services 3-144 Assigning Ports to Multicast Services 3-145

Configuring Domain Name Service 3-146

Configuring General DNS Server Parameters 3-146 Configuring Static DNS Host to Address Entries 3-148 Displaying the DNS Cache 3-150

Chapter 4: Command Line Interface 4-1

Using the Command Line Interface 4-1

Accessing the CLI 4-1 Console Connection 4-1 Telnet Connection 4-1

Entering Commands 4-3

Keywords and Arguments 4-3 Minimum Abbreviation 4-3 Command Completion 4-3 Getting Help on Commands 4-3

Showing Commands 4-4 Partial Keyword Lookup 4-5 Negating the Effect of Commands 4-5 Using Command History 4-5 Understanding Command Modes 4-6 Exec Commands 4-6 Configuration Commands 4-7 Command Line Processing 4-9

Command Groups 4-10 Line Commands 4-11

line 4-12 login 4-12 password 4-13 exec-timeout 4-14 password-thresh 4-15 silent-time 4-15 databits 4-16 parity 4-17 speed 4-17 stopbits 4-18

Contents

disconnect 4-18 show line 4-19

General Commands 4-20

enable 4-20 disable 4-21 configure 4-21 show history 4-22 reload 4-22 end 4-23 exit 4-23 quit 4-24

System Management Commands 4-24

Device Designation Commands 4-25

prompt 4-25 hostname 4-25

User Access Commands 4-26

username 4-26 enable password 4-27

IP Filter Commands 4-28

management 4-28 show management 4-29

Web Server Commands 4-30

ip http port 4-30 ip http server 4-30 ip http secure-server 4-31 ip http secure-port 4-32

Telnet Server Commands 4-33

ip telnet port 4-33 ip telnet server 4-33

Secure Shell Commands 4-34

ip ssh server 4-36 ip ssh timeout 4-37 ip ssh authentication-retries 4-37 ip ssh server-key size 4-38 delete public-key 4-38 ip ssh crypto host-key generate 4-39 ip ssh crypto zeroize 4-39 ip ssh save host-key 4-40 show ip ssh 4-40 show ssh 4-41 show public-key 4-42

Event Logging Commands 4-43

logging on 4-43 logging history 4-44 logging host 4-45

Contents

logging facility 4-45

logging trap 4-46

clear logging 4-46

show logging 4-47 SMTP Alert Commands 4-48

logging sendmail host 4-49

logging sendmail level 4-49

logging sendmail source-email 4-50

logging sendmail destination-email 4-50

logging sendmail 4-51

show logging sendmail 4-51 Time Commands 4-52

sntp client 4-52

sntp server 4-53

sntp poll 4-54

show sntp 4-54

clock timezone 4-55

calendar set 4-55

show calendar 4-56 System Status Commands 4-57

show startup-config 4-57

show running-config 4-58

show system 4-60

show users 4-61

show version 4-61 Frame Size Commands 4-62

jumbo frame 4-62

Flash/File Commands 4-63

copy 4-63 delete 4-65 dir 4-66 whichboot 4-67 boot system 4-67

Authentication Commands 4-68

Authentication Sequence 4-69

authentication login 4-69

authentication enable 4-70 RADIUS Client 4-71

radius-server host 4-71

radius-server port 4-71

radius-server key 4-72

radius-server retransmit 4-72

radius-server timeout 4-73

show radius-server 4-73 TACACS+ Client 4-74

Contents

tacacs-server host 4-74 tacacs-server port 4-74 tacacs-server key 4-75 show tacacs-server 4-75

Port Security Commands 4-76

port security 4-76

802.1x Port Authentication 4-78 authentication dot1x default 4-78 dot1x default 4-79 dot1x max-req 4-79 dot1x port-control 4-80 dot1x operation-mode 4-80 dot1x re-authenticate 4-81 dot1x re-authentication 4-81 dot1x timeout quiet-period 4-82 dot1x timeout re-authperiod 4-82 dot1x timeout tx-period 4-83 show dot1x 4-83

Access Control List Commands 4-86

IP ACLs 4-87

access-list ip 4-88 permit, deny (Standard ACL) 4-89 permit, deny (Extended ACL) 4-90 show ip access-list 4-92 access-list ip mask-precedence 4-92 mask (IP ACL) 4-93 show access-list ip mask-precedence 4-96 ip access-group 4-97 show ip access-group 4-97 map access-list ip 4-98 show map access-list ip 4-99 match access-list ip 4-99 show marking 4-100

MAC ACLs 4-101

access-list mac 4-101 permit, deny (MAC ACL) 4-102 show mac access-list 4-103 access-list mac mask-precedence 4-104 mask (MAC ACL) 4-105 show access-list mac mask-precedence 4-107 mac access-group 4-107 show mac access-group 4-108 map access-list mac 4-108 show map access-list mac 4-109 match access-list mac 4-110

vii

Contents

ACL Information 4-111

show access-list 4-111 show access-group 4-111

SNMP Commands 4-112

snmp-server community 4-112 snmp-server contact 4-113 snmp-server location 4-113 snmp-server host 4-114 snmp-server enable traps 4-115 show snmp 4-115

DNS Commands 4-117

ip host 4-117 clear host 4-118 ip domain-name 4-118 ip domain-list 4-119 ip name-server 4-120 ip domain-lookup 4-121 show hosts 4-122 show dns 4-123 show dns cache 4-123 clear dns cache 4-124

Interface Commands 4-123

interface 4-123 description 4-124 speed-duplex 4-124 negotiation 4-125 capabilities 4-126 flowcontrol 4-127 combo-forced-mode 4-128 shutdown 4-128 switchport broadcast packet-rate 4-129 clear counters 4-130 show interfaces status 4-131 show interfaces counters 4-132 show interfaces switchport 4-133

Mirror Port Commands 4-134

port monitor 4-134 show port monitor 4-135

Rate Limit Commands 4-136

rate-limit 4-136

Link Aggregation Commands 4-137

channel-group 4-138 lacp 4-139 lacp system-priority 4-140 lacp admin-key (Ethernet Interface) 4-141

viii

Contents

lacp admin-key (Port Channel) 4-142 lacp port-priority 4-142 show lacp 4-143

Address Table Commands 4-147

mac-address-table static 4-148 clear mac-address-table dynamic 4-149 show mac-address-table 4-149 mac-address-table aging-time 4-150 show mac-address-table aging-time 4-150

Spanning Tree Commands 4-151

spanning-tree 4-152 spanning-tree mode 4-152 spanning-tree forward-time 4-153 spanning-tree hello-time 4-154 spanning-tree max-age 4-155 spanning-tree priority 4-155 spanning-tree pathcost method 4-156 spanning-tree transmission-limit 4-157 spanning-tree mst configuration 4-157 mst vlan 4-158 mst priority 4-159 name 4-159 revision 4-160 max-hops 4-161 spanning-tree spanning-disabled 4-161 spanning-tree cost 4-162 spanning-tree port-priority 4-162 spanning-tree edge-port 4-163 spanning-tree portfast 4-164 spanning-tree link-type 4-165 spanning-tree mst cost 4-165 spanning-tree mst port-priority 4-166 spanning-tree protocol-migration 4-167 show spanning-tree 4-168 show spanning-tree mst configuration 4-170

VLAN Commands 4-170

Editing VLAN Groups 4-171

vlan database 4-171 vlan 4-172

Configuring VLAN Interfaces 4-173

interface vlan 4-173 switchport mode 4-174 switchport acceptable-frame-types 4-174 switchport ingress-filtering 4-175 switchport native vlan 4-176

Contents

switchport allowed vlan 4-177 switchport forbidden vlan 4-178

Displaying VLAN Information 4-179

show vlan 4-179

Configuring Private VLANs 4-180

pvlan 4-180 show pvlan 4-181

Configuring Protocol-based VLANs 4-181

protocol-vlan protocol-group (Configuring Groups) 4-182 protocol-vlan protocol-group (Configuring Interfaces) 4-182 show protocol-vlan protocol-group 4-183 show interfaces protocol-vlan protocol-group 4-184

GVRP and Bridge Extension Commands 4-185

bridge-ext gvrp 4-185 show bridge-ext 4-186 switchport gvrp 4-186 show gvrp configuration 4-187 garp timer 4-187 show garp timer 4-188

Priority Commands 4-189

Priority Commands (Layer 2) 4-189

queue mode 4-190 switchport priority default 4-191 queue bandwidth 4-192 queue cos-map 4-192 show queue mode 4-193 show queue bandwidth 4-194 show queue cos-map 4-194

Priority Commands (Layer 3 and 4) 4-195

map ip port (Global Configuration) 4-195 map ip port (Interface Configuration) 4-196 map ip precedence (Global Configuration) 4-196 map ip precedence (Interface Configuration) 4-197 map ip dscp (Global Configuration) 4-198 map ip dscp (Interface Configuration) 4-198 show map ip port 4-199 show map ip precedence 4-200 show map ip dscp 4-201

Multicast Filtering Commands 4-202

IGMP Snooping Commands 4-202

ip igmp snooping 4-203 ip igmp snooping vlan static 4-203 ip igmp snooping version 4-204 show ip igmp snooping 4-204 show mac-address-table multicast 4-205

Contents

IGMP Query Commands (Layer 2) 4-206

ip igmp snooping querier 4-206 ip igmp snooping query-count 4-206 ip igmp snooping query-interval 4-207 ip igmp snooping query-max-response-time 4-208 ip igmp snooping router-port-expire-time 4-208

Static Multicast Routing Commands 4-209

ip igmp snooping vlan mrouter 4-209 show ip igmp snooping mrouter 4-210

IP Interface Commands 4-211

ip address 4-211 ip dhcp restart 4-212 ip default-gateway 4-213 show ip interface 4-213 show ip redirects 4-214 ping 4-214

Appendix A: Software Specifications A-1

Software Features A-1 Management Features A-2 Standards A-2 Management Information Bases A-3

Appendix B: Troubleshooting B-1

Problems Accessing the Management Interface B-1 Using System Logs B-2

Glossary

Index

Contents

xii

Tables

Table 1-1. Key Features 1-1 Table 1-2. System Defaults 1-5 Table 3-1. Web Page Configuration Buttons 3-3 Table 3-2. Switch Main Menu 3-4 Table 3-3. Logging Levels 3-19 Table 3-4. HTTPS System Support 3-35 Table 3-5. 802.1x Statistics 3-48 Table 3-6. LACP Port Counters 3-76 Table 3-7. LACP Internal Configuration Information 3-77 Table 3-8. LACP Neighbor Configuration Information 3-79 Table 3-9. Port Statistics 3-84 Table 3-10. Mapping CoS Values to Egress Queues 3-127 Table 3-11. CoS Priority Levels 3-127 Table 3-12. Mapping IP Precedence 3-132 Table 3-13. Mapping DSCP Priority 3-133 Table 3-14. Mapping CoS Values to IP ACLs 3-136 Table 4-1. General Command Modes 4-6 Table 4-2. Configuration Command Modes 4-8 Table 4-3. Keystroke Commands 4-9 Table 4-4. Command Group Index 4-10 Table 4-5. Line Commands 4-11 Table 4-6. General Commands 4-20 Table 4-7. System Management Commands 4-24 Table 4-8. Device Designation Commands 4-25 Table 4-9. User Access Commands 4-26 Table 4-10. Default Login Settings 4-26 Table 4-11. IP Filter Commands 4-28 Table 4-12. Web Server Commands 4-30 Table 4-13. HTTPS System Support 4-31 Table 4-14. re Shell Commands 4-34 Table 4-15. show ssh - display description 4-41 Table 4-16. Event Logging Commands 4-43 Table 4-17. Logging Levels 4-44 Table 4-18. show logging flash/ram- display description 4-47 Table 4-19. show logging trap - display description 4-48 Table 4-20. SMTP Alert Commands 4-48 Table 4-21. Time Commands 4-52 Table 4-22. System Status Commands 4-57 Table 4-23. Frame Size Commands 4-62 Table 4-24. Flash/File Commands 4-63 Table 4-25. File Directory Information 4-66 Table 4-26. Authentication Commands 4-68

xiii

Ta bl e s

Table 4-27. Authentication Sequence Commands 4-69 Table 4-28. RADIUS Client Commands 4-71 Table 4-29. TACACS+ Client Commands 4-74 Table 4-30. Port Security Commands 4-76 Table 4-31. 802.1x Port Authentication Commands 4-78 Table 4-32. Access Control List Commands 4-87 Table 4-33. IP ACL Commands 4-87 Table 4-34. Mapping CoS Values to IP ACLs 4-98 Table 4-35. MAC ACL Commands 4-101 Table 4-36. Mapping CoS Values to MAC ACLs 4-108 Table 4-37. ACL Information Commands 4-111 Table 4-38. SNMP Commands 4-112 Table 4-39. DNS Commands 4-117 Table 4-40. show dns cache - display description 4-123 Table 4-41. Interface Commands 4-125 Table 4-42. interfaces switchport - display description 4-135 Table 4-43. Mirror Port Commands 4-136 Table 4-44. Rate Limit Commands 4-138 Table 4-45. Link Aggregation Commands 4-139 Table 4-46. show lacp counters - display description 4-146 Table 4-47. show lacp internal - display description 4-147 Table 4-48. show lacp neighbors - display description 4-148 Table 4-49. show lacp sysid - display description 4-149 Table 4-50. Address Table Commands 4-149 Table 4-51. Spanning Tree Commands 4-153 Table 4-52. VLAN Commands 4-172 Table 4-53. Editing VLAN Groups 4-173 Table 4-54. Configuring VLAN Interfaces 4-175 Table 4-55. Show VLAN Commands 4-181 Table 4-56. Private VLAN Commands 4-182 Table 4-57. Protocol VLAN Commands 4-183 Table 4-58. GVRP and Bridge Extension Commands 4-187 Table 4-59. Priority Commands 4-191 Table 4-60. Priority Commands (Layer 2) 4-191 Table 4-61. Default CoS Priority Levels 4-195 Table 4-62. Priority Commands (Layer 3 and 4) 4-197 Table 4-63. Mapping IP Precedence to CoS Values 4-199 Table 4-64. Mapping IP DSCP to CoS Values 4-201 Table 4-65. Multicast Filtering Commands 4-204 Table 4-66. IGMP Snooping Commands 4-204 Table 4-67. IGMP Query Commands (Layer 2) 4-208 Table 4-68. Static Multicast Routing Commands 4-211 Table 4-69. IP Interface Commands 4-213 Table B-1 Troubleshooting Chart B-1

xiv

Figures

Figure 3-1. Home Page 3-2 Figure 3-2. Front Panel Indicators 3-3 Figure 3-3. System Information 3-9 Figure 3-4. Switch Information 3-11 Figure 3-5. Displaying Bridge Extension Configuration 3-12 Figure 3-6. IP Interface Configuration - Manual 3-14 Figure 3-7. IP Interface Configuration - DHCP 3-15 Figure 3-8. Downloading Firmware to the Switch 3-16 Figure 3-9. Setting the Startup Code 3-17 Figure 3-10. Downloading Configuration Settings 3-18 Figure 3-11. Setting the Startup Configuration Settings 3-18 Figure 3-12. System Logs 3-20 Figure 3-13. Remote Logs 3-21 Figure 3-14. Displaying Logs 3-22 Figure 3-15. Enabling and Configuring SMTP Alerts 3-24 Figure 3-16. Resetting the System 3-25 Figure 3-17. Configuring SNTP 3-26 Figure 3-18. Clock Time Zone 3-27 Figure 3-19. Configuring SNMP Community Strings 3-29 Figure 3-20. Configuring SNMP Trap Managers 3-30 Figure 3-21. Authentication Server Settings 3-33 Figure 3-22. HTTPS Settings 3-35 Figure 3-23. SSH Host-Key Settings 3-39 Figure 3-24. SSH Server Settings 3-40 Figure 3-25. Port Security 3-42 Figure 3-26. 802.1x Information 3-45 Figure 3-27. 802.1X Configuration 3-47 Figure 3-28. 802.1x Port Configuration 3-48 Figure 3-29. 802.1x Port Statistics 3-49 Figure 3-30. IP Filter 3-51 Figure 3-31. Selecting ACL Type 3-53 Figure 3-32. ACL Configuration - Standard IP 3-54 Figure 3-33. ACL Configuration - Extended IP 3-56 Figure 3-34. ACL Configuration - MAC 3-58 Figure 3-35. Selecting ACL Mask Types 3-59 Figure 3-36. ACL Mask Configuration - IP 3-61 Figure 3-37. ACL Mask Configuration - MAC 3-62 Figure 3-38. ACL Port Binding 3-64 Figure 3-39. Port - Port Information 3-65 Figure 3-40. Port - Port Configuration 3-68 Figure 3-41. Static Trunk Configuration 3-70 Figure 3-42. LACP Trunk Configuration 3-72

Figures

Figure 3-43. LACP - Aggregation Port 3-74 Figure 3-44. LACP - Port Counters Information 3-76 Figure 3-45. LACP - Port Internal Information 3-78 Figure 3-46. LACP - Port Neighbors Information 3-79 Figure 3-47. Port Broadcast Control 3-81 Figure 3-48. Mirror Port Configuration 3-82 Figure 3-49. Rate Limit Configuration 3-83 Figure 3-50. Port Statistics 3-87 Figure 3-51. Static Addresses 3-89 Figure 3-52. Dynamic Addresses 3-90 Figure 3-53. Address Aging 3-91 Figure 3-54. STA Information 3-94 Figure 3-55. STA Configuration 3-98 Figure 3-56. STA Port Information 3-101 Figure 3-57. STA Port Configuration 3-104 Figure 3-58. MSTP VLAN Configuration 3-105 Figure 3-59. MSTP Port Information 3-107 Figure 3-60. MSTP Port Configuration 3-109 Figure 3-61. Globally Enabling GVRP 3-113 Figure 3-62. VLAN Basic Information 3-113 Figure 3-63. VLAN Current Table 3-114 Figure 3-64. VLAN Static List - Creating VLANs 3-116 Figure 3-65. VLAN Static Table - Adding Static Members 3-117 Figure 3-66. VLAN Static Membership by Port 3-118 Figure 3-67. VLAN Port Configuration 3-120 Figure 3-68. Private VLAN Status 3-121 Figure 3-69. Private VLAN Link Status 3-122 Figure 3-70. Protocol VLAN Configuration 3-123 Figure 3-71. Protocol VLAN Port Configuration 3-124 Figure 3-72. Default Port Priority 3-126 Figure 3-73. Traffic Classes 3-128 Figure 3-74. Queue Mode 3-129 Figure 3-75. Queue Scheduling 3-130 Figure 3-76. IP Precedence/DSCP Priority Status 3-131 Figure 3-77. IP Precedence Priority 3-132 Figure 3-78. IP DSCP Priority 3-134 Figure 3-79. IP Port Priority Status 3-135 Figure 3-80. IP Port Priority 3-135 Figure 3-81. ACL CoS Priority 3-137 Figure 3-82. ACL Marker 3-138 Figure 3-83. IGMP Configuration 3-141 Figure 3-84. Multicast Router Port Information 3-142 Figure 3-85. Static Multicast Router Port Configuration 3-143 Figure 3-86. IP Multicast Registration Table 3-144 Figure 3-87. IGMP Member Port Table 3-145

xvi

Figures

Figure 3-88. DNS General Configuration 3-147 Figure 3-89. DNS Static Host Table 3-149 Figure 3-90. DNS Cache 3-150

xvii

Figures

xviii

Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.

Key Features

Table 1-1. Key Features

Feature Description

Configuration Backup and Restore

Authentication Console, Telnet, web – User name / password, RADIUS, TACACS+

Access Control Lists Supports up to 32 IP or MAC ACLs

DHCP Client Supported

DNS Server Supported

Port Configuration Speed, duplex mode and flow control

Rate Limiting Input and output rate limiting per port

Port Mirroring One or more ports mirrored to single analysis port

Port Trunking Supports up to 6 trunks using either static or dynamic trunking (LACP)

Broadcast Storm Control

Static Address Up to 16K MAC addresses in the forwarding table

IEEE 802.1D Bridge Supports dynamic data switching and addresses learning

Store-and-Forward Switching

Spanning Tree Protocol

Virtual LANs Up to 255 using IEEE 802.1Q, port-based, protocol-based, or private VLANs

Traffic Prioritization Default port priority, traffic class map, queue scheduling, IP Precedence, or

Multicast Filtering Supports IGMP snooping and query

Backup to TFTP server

Web – HTTPS; Telnet – SSH SNMP – Community strings, IP address filtering Port – IEEE 802.1x, MAC address filtering

Supported

Supported to ensure wire-speed switching while eliminating bad frames

Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP)

Differentiated Services Code Point (DSCP), and TCP/UDP Port

1-1

Introduction

Description of Software Features

The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Untagged (port-based), tagged, and protocol-based VLANs, plus support for automatic GVRP VLAN registration provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network. While multicast filtering provides support for real-time network applications. Some of the management features are briefly described below.

Configuration Backup and Restore – You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings.

Authentication – This switch authenticates management access via the console port, Telnet or web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1x protocol. This protocol uses the Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1x client, and then verifies the client’s right to access the network via an authentication server.

Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, IP address filtering for SNMP/web/Telnet management access, and MAC address filtering for port access.

Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can by used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.

Port Configuration – You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard.

Rate Limiting – This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.

1-2

Description of Software Features

Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.

Port Trunking – Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using IEEE 802.3ad Link Aggregation Control Protocol (LACP). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 6 trunks.

Broadcast Storm Control – Broadcast suppression prevents broadcast traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.

Static Addresses – A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.

IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses.

Store-and-Forward Switching – The switch copies each frame into its memory before forwarding them to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth.

To avoid dropping frames on congested ports, the switch provides 1 MB for frame buffering for the ES4512/24C and 2 MB for the ES4548C. This buffer can queue packets awaiting transmission on congested networks.

Spanning Tree Protocol – The switch supports these spanning tree protocols:

Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol adds a level of fault tolerance by allowing two or more redundant connections to be created between a pair of LAN segments. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.

Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.

1-3

Introduction

Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).

Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically learned via GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can:

• Eliminate broadcast storms which severely degrade performance in a flat network.

• Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection.

• Provide data security by restricting all traffic to the originating VLAN.

• Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.

• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type

Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using eight priority queues with strict or Weighted Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can independent priorities for delay-sensitive data and best-effort data.

This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the priority bits in the IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.

Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration.

be used to provide

1-4

System Defaults

The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-18).

The following table lists some of the basic system defaults.

Table 1-2. System Defaults

Function Parameter Default

Console Port Connection

Authentication Privileged Exec Level Username “admin”

Web Management HTTP Server Enabled

SNMP Community Strings “public” (read only)

Baud Rate auto

Data bits 8

Stop bits 1

Parity none

Local Console Timeout 0 (disabled)

Password “admin”

Normal Exec Level Username “guest”

Enable Privileged Exec from Normal Exec Level

RADIUS Authentication Disabled

TACACS Authentication Disabled

802.1x Port Authentication Disabled

HTTPS Enabled

SSH Disabled

Port Security Disabled

IP Filtering Disabled

HTTP Port Number 80

HTTP Secure Server Enabled

HTTP Secure Port Number 443

Traps Authentication traps: enabled

Password “guest”

Password “super”

“private” (read/write)

Link-up-down events: enabled

1-5

Introduction

Table 1-2. System Defaults

Function Parameter Default

Port Configuration Admin Status Enabled

Auto-negotiation Enabled

Flow Control Disabled

Port Capability 1000BASE-T –

Module Port Capability 1000BASE-SX/LX/LH –

Rate Limiting Input and output limits Disabled

Port Trunking Static Trunks None

LACP (all ports) Disabled

Broadcast Storm Protection

Spanning Tree Protocol

Address Table Aging Time 300 seconds

Virtual LANs Default VLAN 1

Traffic Prioritization Ingress Port Priority 0

Status Enabled (all ports)

Broadcast Limit Rate 500 packets per second

Status Enabled, MSTP

Fast Forwarding (Edge Port) Disabled

PVID 1

Acceptable Frame Type All

Ingress Filtering Disabled

Switchport Mode (Egress Mode) Hybrid: tagged/untagged frames

GVRP (global) Disabled

GVRP (port interface) Disabled

Weighted Round Robin Queue: 0 1 2 3 4 5 6 7

IP Precedence Priority Disabled

IP DSCP Priority Disabled

10 Mbps half duplex 10 Mbps full duplex 100 Mbps half duplex 100 Mbps full duplex 1000 Mbps full duplex Full-duplex flow control disabled Symmetric flow control disabled

1000 Mbps full duplex Full-duplex flow control disabled Symmetric flow control disabled

(Defaults: All values based on IEEE 802.1s)

Weight: 1 2 4 6 8 10 12 14

1-6

Table 1-2. System Defaults

Function Parameter Default

IP Settings IP Address 0.0.0.0

Subnet Mask 255.0.0.0

Default Gateway 0.0.0.0

DHCP Client: Enabled

BOOTP Disabled

DNS Server Lookup Disabled

Multicast Filtering IGMP Snooping Snooping: Enabled

Querier: Enabled

System Log Status Enabled

Messages Logged Levels 0-7 (all)

Messages Logged to Flash Levels 0-3

SMTP Email Alerts Event Handler Disabled

SNTP Clock Synchronization Disabled

System Defaults

1-7

Introduction

1-8

Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

Note: The IP address for this switch is obtained via DHCP by default. To change this

address, see “Setting an IP Address” on page 2-4.

The switch’s HTTP Web agent allows you to configure switch parameters, monitor port connections, and display statistics using a standard Web browser such as Netscape Navigator version 6.2 and higher or Microsoft IE version 5.0 and higher. The switch’s Web management interface can be accessed from any computer attached to the network.

The CLI program can be accessed by a direct connection to the RS-232 serial console port on the switch, or remotely by a Telnet connection over the network.

The switch’s management agent also supports SNMP (Simple Network Management Protocol). This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP OpenView.

The switch’s Web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions:

• Set user names and passwords

• Set an IP interface for a management VLAN

• Configure SNMP parameters

• Enable/disable any port

• Set the speed/duplex mode for any port

• Configure the bandwidth of any port by limiting input or output rates

• Control port access through IEEE 802.1x security or static address filtering

• Filter packets using Access Control Lists (ACLs)

• Configure up to 255 IEEE 802.1Q VLANs

• Enable GVRP automatic VLAN registration

• Configure IGMP multicast filtering

• Upload and download system firmware via TFTP

• Upload and download switch configuration files via TFTP

• Configure Spanning Tree parameters

• Configure Class of Service (CoS) priority queuing

• Configure up to 6 static or LACP trunks

2-1

Initial Configuration

• Enable port mirroring

• Set broadcast storm control on any port

• Display system information and statistics

Required Connections

The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch.

Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.

To connect a terminal to the console port, complete the following steps:

1. Connect the console cable to the serial port on a terminal, or a PC running

terminal emulation software, and tighten the captive retaining screws on the DB-9 connector.

2. Connect the other end of the cable to the RS-232 serial port on the switch.

3. Make sure the terminal emulation software is set as follows:

• Select the appropriate serial port (COM port 1 or COM port 2).

• Set to any of the following baud rates: 9600, 19200, 38400, 57600, 115200 (Note: Set to 9600 baud if want to view all the system initialization messages.)

• Set the data format to 8 data bits, 1 stop bit, and no parity.

• Set flow control to none.

• Set the emulation mode to VT100.

• When using HyperTerminal, select Terminal keys, not Windows keys.

Notes: 1. When using HyperTerminal with Microsoft® Windows® 2000, make sure that

you have Windows 2000 Service Pack 2 or later installed. Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal’s VT100 emulation. See www.microsoft.com for information on Windows 2000 service packs.

2. Refer to “Line Commands” on page 4-11 for a complete description of console configuration options.

3. Once you have set up the terminal correctly, the console login screen will be displayed.

For a description of how to use the CLI, see “Using the Command Line Interface” on page 4-1. For a list of all the CLI commands and detailed information on using the CLI, refer to “Command Groups” on page 4-10.

2-2

Basic Configuration

Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol.

The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4.

Note: This switch supports four concurrent Telnet/SSH sessions.

After configuring the switch’s IP parameters, you can access the onboard configuration program from anywhere within the attached network. The onboard configuration program can be accessed using Telnet from any computer attached to the network. The switch can also be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above), or from a network computer using SNMP network management software.

Note: The onboard program only provides access to basic configuration functions. To

access the full range of SNMP management functions, you must use SNMP-based network management software.

Basic Configuration

Console Connection

The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities. To fully configure the switch parameters, you must access the CLI at the Privileged Exec level.

Access to both CLI levels are controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps:

1. To initiate your console connection, press <Enter>. The “User Access Verification” procedure starts.

2. At the Username prompt, enter “admin.”

3. At the Password prompt, also enter “admin.” (The password characters are not displayed on the console screen.)

4. The session is opened and the CLI displays the “Console#” prompt indicating you have access at the Privileged Exec level.

2-3

Initial Configuration

Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new

passwords for both default user names using the “username” command, record them and put them in a safe place.

Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.

2. Type “configure” and press <Enter>.

3. Type “username guest password 0 password,” for the Normal Exec level, where password is your new password. Press <Enter>.

4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.

Username: admin Password:

CLI session with the 44 10/100/1000 ports + 4 Gigabit Combo

ports L2/L4 managed standalone switch is opened.

To end the CLI session, enter [Exit].

Console#configure Console(config)#username guest password 0 [password] Console(config)#username admin password 0 [password] Console(config)#

Setting an IP Address

You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:

Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.

Dynamic — The switch sends IP configuration requests to BOOTP or DHCP address allocation servers on the network.

Manual Configuration

You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.

Note: The IP address for this switch is obtained via DHCP by default.

2-4

Basic Configuration

Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:

• IP address for the switch

• Default gateway for the network

• Network mask for this network

To assign an IP address to the switch, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.

2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask” is the network mask for the network. Press <Enter>.

3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.

4. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press <Enter>.

Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.5 255.255.255.0 Console(config-if)#exit Console(config)#ip default-gateway 192.168.1.254 Console(config)#

Dynamic Configuration

If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until a BOOTP or DHCP reply has been received. You therefore need to use the “ip dhcp restart” command to start broadcasting service requests. Requests will be sent periodically in an effort to obtain IP configuration information. (BOOTP and DHCP values can include the IP address, subnet mask, and default gateway.)

If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on.

To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:

1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.

2. At the interface-configuration mode prompt, use one of the following commands:

• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.

• To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.

3. Type “end” to return to the Privileged Exec mode. Press <Enter>.

4. Type “ip dhcp restart” to begin broadcasting service requests. Press <Enter>.

2-5

Initial Configuration

5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.

6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.

Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end Console#ip dhcp restart Console#show ip interface IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: User specified. Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.

\Write to FLASH finish. Success.

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as HP OpenView. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps.

When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred.

Community Strings

Community strings are used to control management access to SNMP stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users or user groups, and set the access level.

The default strings are:

• public - with read-only access. Authorized management stations are only able to

retrieve MIB objects.

• private - with read-write access. Authorized management stations are able to both

retrieve and modify MIB objects.

Note: If you do not intend to utilize SNMP, we recommend that you delete both of the

default community strings. If there are no community strings, then SNMP management access to the switch is disabled.

To prevent unauthorized access to the switch via SNMP, it is recommended that you change the default community strings.

2-6

Basic Configuration

To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)

2. To remove an existing string, simply type “no snmp-server community string,” where “string” is the community access string to remove. Press <Enter>.

Console(config)#snmp-server community admin rw Console(config)#snmp-server community private Console(config)#

Trap Receivers

You can also specify SNMP stations that are to receive traps from the switch.

To configure a trap receiver, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “snmp-server host host-address community-string,” where “host-address” is the IP address for the trap receiver and “community-string” is the string associated with that host. Press <Enter>.

2. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server enable traps command. Type “snmp-server enable traps type,” where “type” is either authentication or link-up-down. Press <Enter>.

Console(config)#snmp-server enable traps link-up-down Console(config)#

Saving Configuration Settings

Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the “copy” command.

To save the current configuration settings, enter the following command:

1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>.

2-7

Initial Configuration

2. Enter the name of the start-up file. Press <Enter>.

Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.

\Write to FLASH finish. Success.

Console#

Managing System Files

The switch’s flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.

The three types of files are:

• Configuration — This file stores system configuration information and is created when configuration settings are saved. Saved configuration files can be selected as a system start-up file or can be uploaded via TFTP to a server for backup. A file named “Factory_Default_Config.cfg” contains all the system default settings and cannot be deleted from the system. See “Saving or Restoring Configuration Settings” on page 3-17 for more information.

• Operation Code — System software that is executed after boot-up, also known as run-time code. This code runs the switch operations and provides the CLI and Web management interfaces. See “Managing Firmware” on page 3-16 for more information.

• Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test).

Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows.

In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.

Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.

2-8

Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP Web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).

Note:

You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet. For more information on using the CLI, refer to Chapter 4: “Command Line Interface.”

Prior to accessing the switch from a Web browser, be sure you have first performed the following tasks:

1. Configure the switch with a valid IP address, subnet mask, and default gateway

using an out-of-band serial connection, BOOTP or DHCP protocol. (See “Setting an IP Address” on page 2-4.)

2. Set user names and passwords using an out-of-band serial connection. Access

to the Web agent is controlled by the same user names and passwords as the onboard configuration program. (See “Setting Passwords” on page 2-4.)

3. After you enter a user name and password, you will have access to the system

configuration program.

Notes: 1.

You are allowed three attempts to enter the correct password; on the third failed attempt the current connection is terminated.

2. If you log into the Web interface as guest (Normal Exec level), you can view

the configuration settings or change the guest password. If you log in as “admin” (Privileged Exec level), you can change the settings on any page.

3. If the path between your management station and this switch does not pass

through any device that uses the Spanning Tree Algorithm, then you can set the switch port attached to your management station to fast forwarding (i.e., enable Admin Edge Port) to improve the switch’s response time to management commands issued through the web interface. See “Configuring Interface Settings” on page 3-102.

3-1

Configuring the Switch

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”

Home Page

When your web browser connects with the switch’s web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics.

Note:

The screen captures used in this manual are based on either the ES4512C ES4524C or ES4548C, but are all the same for both switches except for the port count.

Figure 3-1. Home Page

Most of the examples in this chapter are based on the ES4524C. Other than the

Note:

number of fixed ports, there are no major differences between the ES4512C, ES4524C and ES4548C.

3-2

Navigating the Web Browser Interface

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the “Apply” button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3-1. Web Page Configuration Buttons

Button Action

Revert Cancels specified values and restores current values prior to pressing

Apply Sets specified values to the system.

Help Links directly to web help.

Apply.

Notes: 1.

To ensure proper screen refresh, be sure that Internet Explorer 5.x is configured as follows: Under the menu “Tools / Internet Options / General / Temporary Internet Files / Settings,” the setting for item “Check for newer versions of stored pages” should be “Every visit to the page.”

2. When using Internet Explorer 5.0, you may have to manually refresh the

screen after making configuration changes by pressing the browser’s refresh button.

Panel Display

The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex, or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-67.

Figure 3-2. Front Panel Indicators

3-3

Configuring the Switch

Main Menu

Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.

Table 3-2. Switch Main Menu

Menu Description Page

System 3-9

System Information Provides basic system description, including contact information 3-9

Switch Information Shows the number of ports, hardware/firmware version

Bridge Extension Shows the bridge extension parameters 3-12

IP Configuration Sets the IP address for management access 3-13

File 3-16

Firmware Manages code image files 3-16

Configuration Manages switch configuration files 3-17

Log 3-19

Logs Sends error messages to a logging process 3-22

System Logs Stores and displays error messages 3-19

Remote Logs Configures the logging of messages to a remote logging process 3-20

SMTP Sends an SMTP client message to a participating server 3-23

Reset Restarts the switch 3-25

SNTP 3-26

Configuration Configures SNTP client settings, including broadcast mode or a

Clock Time Zone Sets the local time zone for the system clock 3-27

SNMP 3-28

Configuration Configures community strings and related trap functions 3-28

Security 3-30

Passwords Assigns a new password for the current user 3-30

Authentication Settings Configures authentication sequence, RADIUS and TACACS 3-31

HTTPS Settings Configures secure HTTP settings 3-34

SSH 3-36

Settings Configures Secure Shell server settings 3-40

Host-Key Settings Generates the host key pair (public and private) 3-38

Port Security Configures per port security, including status, response for

numbers, and power status

specified list of servers

security breach, and maximum allowed MAC addresses

3-10

3-26

3-41

3-4

Navigating the Web Browser Interface

Table 3-2. Switch Main Menu

Menu Description Page

802.1x Port authentication 3-43

Information Displays global configuration settings 3-44

Configuration Configures protocol parameters 3-46

Port Configuration Sets the authentication mode for individual ports 3-47

Statistics Displays protocol statistics for the selected port 3-48

ACL 3-52

Configuration Configures packet filtering based on IP or MAC addresses 3-52

Mask Configuration Controls the order in which ACL rules are checked 3-59

Port Binding Binds a port to the specified ACL 3-63

IP Filter Configures IP addresses that are allowed management access 3-50

Port 3-64

Port Information Displays port connection status 3-64

Trunk Information Displays trunk connection status 3-64

Port Configuration Configures port connection settings 3-67

Trunk Configuration Configures trunk connection settings 3-67

Trunk Membership Specifies ports to group into static trunks 3-70

LACP 3-71

Configuration Allows ports to dynamically join trunks 3-71

Aggregation Port Configures system priority, admin key, and port priority 3-73

Port Counters Information Displays statistics for LACP protocol messages 3-76

Port Internal Information Displays settings and operational state for local side 3-77

Port Neighbors Information Displays settings and operational state for remote side 3-79

Port Broadcast Control Sets the broadcast storm threshold for each port 3-80

Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 3-80

Mirror Port Configuration Sets the source and target ports for mirroring 3-82

Rate Limit 3-83

Input Port Configuration Sets the input rate limit for each port 3-83

Input Trunk Configuration Sets the input rate limit for each trunk 3-83

Output Port Configuration Sets the output rate limit for each port 3-83

Output Trunk Configuration Sets the output rate limit for each trunk 3-83

Port Statistics Lists Ethernet and RMON port statistics 3-84

3-5

Configuring the Switch

Table 3-2. Switch Main Menu

Menu Description Page

Address Table 3-88

Static Addresses Displays entries for interface, address or VLAN 3-88

Dynamic Addresses Displays or edits static entries in the Address Table 3-89

Address Aging Sets timeout for dynamically learned entries 3-91

Spanning Tree 3-91

STA 3-91

Information Displays STA values used for the bridge 3-92

Configuration Configures global bridge settings for STA, RSTP and MSTP 3-95

Port Information Displays individual port settings for STA 3-99

Trunk Information Displays individual trunk settings for STA 3-99

Port Configuration Configures individual port settings for STA 3-102

Trunk Configuration Configures individual trunk settings for STA 3-102

MSTP 3-104

VLAN Configuration Configures priority and VLANs for a spanning tree instance 3-104

Port Information Displays port settings for a specified MST instance 3-107

Trunk Information Displays trunk settings for a specified MST instance 3-107

Port Configuration Configures port settings for a specified MST instance 3-108

Trunk Configuration Configures trunk settings for a specified MST instance 3-108

VLAN 3-110

802.1Q VLAN 3-110

GVRP Status Enables GVRP VLAN registration protocol 3-113

Basic Information Displays information on the VLAN type supported by this switch 3-113

Current Table Shows the current port members of each VLAN and whether or

Static List Used to create or remove VLAN groups 3-115

Static Table Modifies the settings for an existing VLAN 3-116

Static Membership Configures membership type for interfaces, including tagged,

Port Configuration Specifies default PVID and VLAN attributes 3-119

Trunk Configuration Specifies default trunk VID and VLAN attributes 3-119

Private VLAN 3-121

Status Enables or disables the private VLAN 3-121

Link Status Configures the private VLAN 3-122

not the port is tagged or untagged

untagged or forbidden

3-114

3-118

3-6

Navigating the Web Browser Interface

Table 3-2. Switch Main Menu

Menu Description Page

Protocol VLAN 3-123

Configuration Creates a protocol group, specifying the supported protocols 3-123

Port Configuration Maps a protocol group to a VLAN 3-123

Priority 3-125

Default Port Priority Sets the default priority for each port 3-125

Default Trunk Priority Sets the default priority for each trunk 3-125

Traffic Classes Maps IEEE 802.1p priority tags to output queues 3-127

Traffic Classes Status Enables/disables traffic class priorities (not implemented) NA

Queue Mode Sets queue mode to strict priority or Weighted Round-Robin 3-129

Queue Scheduling Configures Weighted Round Robin queueing 3-129

IP Precedence/ DSCP Priority Status

IP Precedence Priority Sets IP Type of Service priority, mapping the precedence tag to

IP DSCP Priority Sets IP Differentiated Services Code Point priority, mapping a

IP Port Priority Status Globally enables or disables IP Port Priority 3-135

IP Port Priority Sets TCP/UDP port priority, defining the socket number and

ACL CoS Priority Sets the CoS value and corresponding output queue for packets

ACL Marker Change traffic priorities for frames matching an ACL rule 3-137

IGMP Snooping 3-139

IGMP Configuration Enables multicast filtering; configures parameters for multicast

Multicast Router Port Information

Static Multicast Router Port Configuration

IP Multicast Registration Table

IGMP Member Port Table Indicates multicast addresses associated with the selected

Globally selects IP Precedence or DSCP Priority, or disables both.

a class-of-service value

DSCP tag to a class-of-service value

associated class-of-service value

matching an ACL rule

query

Displays the ports that are attached to a neighboring multicast router for each VLAN ID

Assigns ports that are attached to a neighboring multicast router 3-143

Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID

VLAN

3-131

3-132

3-133

3-135

3-140

3-142

3-144

3-145

3-7

Configuring the Switch

Table 3-2. Switch Main Menu

Menu Description Page

DNS 3-146

General Configuration Enables DNS; configures domain name and domain list; and

Static Host Table Configures static entries for domain name to address mapping 3-148

Cache Displays cache entries discovered by designated name servers 3-150

specifies IP address of name servers for dynamic lookup

3-146

3-8

Basic Configuration

Displaying System Information

You can easily identify the system by displaying the device name, location and contact information.

Field Attributes

• System Name – Name assigned to the switch system.

• Object ID – MIB II object ID for switch’s network management subsystem.

• Location – Specifies the system location.

• Contact – Administrator responsible for the system.

• System Up Time – Length of time the management agent has been up.

These additional parameters are displayed for the CLI.

• MAC Address – The physical layer address for this switch.

• Web server – Shows if management access via HTTP is enabled.

• Web server port – Shows the TCP port number used by the web interface.

• Web secure server – Shows if management access via HTTPS is enabled.

• Web secure server port – Shows the TCP port used by the HTTPS interface.

• Telnet server – Shows if management access via Telnet is enabled.

• Telnet server port – Shows the TCP port used by the Telnet interface.

• Authentication login – Shows the user login authentication sequence.

• POST result – Shows results of the power-on self-test

Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.)

Figure 3-3. System Information

3-9

Configuring the Switch

CLI – Specify the hostname, location and contact information.

Console(config)#hostname R&D 5 4-25 Console(config)#snmp-server location WC 9 4-113 Console(config)#snmp-server contact Ted 4-113 Console(config)#exit Console#show version 4-61 Unit1 Serial number : Hardware version : Number of ports :24 Main power status :up Redundant power status :not present Agent(master) Unit id :1 Loader version :2.1.0.3 Boot rom version :2.0.2.11 Operation code version :1.4.0.0 Console#show system 4-60 System description: 20 10/100/1000 ports + 4 Gigabit Combo ports L2/L4 managed standalone switch System OID string: 1.3.6.1.4.1.259.6.10.51 System information System Up time: 0 days, 0 hours, 46 minutes, and 20.53 seconds System Name : [NONE] System Location : [NONE] System Contact : [NONE] MAC address : 00-12-12-34-12-34 Web server : enable Web server port : 80 Web secure server : enable Web secure server port : 443 Telnet server : enable Telnet port : 23 POST result

UART LOOP BACK Test..........PASS

DRAM Test....................PASS

Timer Test...................PASS

PCI Device 1 Test............PASS

PCI Device 2 Test............PASS

Switch Int Loopback test.....PASS

Done All Pass. Console#

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.

Field Attributes

Main Board

• Serial Number – The serial number of the switch.

• Number of Ports – Number of built-in RJ-45 ports and SFP slots.

• Hardware Version – Hardware version of the main board.

• Internal Power Status – Displays the status of the internal power supply.

3-10

Basic Configuration

• Redundant Power Status* – Displays the status of the redundant power supply.

* CLI only.

Management Software

• Loader Version – Version number of loader code.

• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.

• Operation Code Version – Version number of runtime code.

• Role – Shows that this switch is operating as Master (i.e., operating stand-alone).

Web – Click System, Switch Information.

Figure 3-4. Switch Information

CLI – Use the following command to display version information.

Console#show version 4-61 Unit1 Serial number : Hardware version : Number of ports :24 Main power status :up Redundant power status :not present Agent(master) Unit id :1 Loader version :2.1.0.3 Boot rom version :2.0.2.11 Operation code version :1.4.0.0 Console#

3-11

Configuring the Switch

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.

Field Attributes

• Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).

• Traffic Classes – This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Class of Service Configuration” on page 3-125.)

• Static Entry Individual Port – This switch allows static filtering for unicast and multicast addresses. (Refer to “Setting Static Addresses” on page 3-88.)

• VLAN Learning – This switch uses Independent VLAN Learning (IVL), where each port maintains its own filtering database.

• Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration” on page 3-110.)

• Local VLAN Capable – This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs.

• GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast groups. This switch does not support GMRP; it uses the Internet Group Management Protocol (IGMP) to provide automatic multicast filtering.

Web – Click System, Bridge Extension.

Figure 3-5. Displaying Bridge Extension Configuration

3-12

Basic Configuration

CLI – Enter the following command.

Console#show bridge-ext 4-188 Max support vlan numbers: 255 Max support vlan ID: 4094 Extended multicast filtering services: No Static entry individual port: Yes VLAN learning: IVL Configurable PVID tagging: Yes Local VLAN capable: No Traffic classes: Enabled Global GVRP status: Disabled GMRP: Disabled Console#

Setting the Switch’s IP Address

This section describes how to configure an IP interface for management access over the network. The IP address for this switch is obtained via DHCP by default. To manually configure an address, you need to change the switch’s default settings (IP address 0.0.0.0 and netmask 255.0.0.0) to values that are compatible with your network. You may also need to a establish a default gateway between the switch and management stations that exist on another network segment.

You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.

Command Attributes

• Management VLAN – ID of the configured VLAN (1-4094, no leading zeroes). By

default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.

• IP Address Mode – Specifies whether IP functionality is enabled via manual

configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. (DHCP/BOOTP values can include the IP address, subnet mask, and default gateway.)

• IP Address – Address of the VLAN to which the management station is attached.

Valid IP addresses consist of four numbers, 0 to 255, separated by periods. (Default: 0.0.0.0)

• Subnet Mask – This mask identifies the host address bits used for routing to

specific subnets. (Default: 255.0.0.0)

• Gateway IP Address – IP address of the gateway router between this device and

management stations that exist on other network segments. (Default: 0.0.0.0)

• MAC Address – The physical layer address for this switch.

3-13

Configuring the Switch

Manual Configuration

Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply.

Figure 3-6. IP Interface Configuration - Manual

CLI – Specify the management interface, IP address and default gateway.

Console#config Console(config)#interface vlan 1 4-125 Console(config-if)#ip address 10.1.0.254 255.255.255.0 4-213 Console(config-if)#exit Console(config)#ip default-gateway 192.168.1.254 4-215 Console(config)#

3-14

Basic Configuration

Using DHCP/BOOTP

If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.

Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.

Figure 3-7. IP Interface Configuration - DHCP

Note:

If you lose your management connection, use a console connection and enter “show ip interface” to determine the new switch address.

CLI – Specify the management interface, and set the IP address mode to DHCP or BOOTP, and then enter the “ip dhcp restart” command.

Console#config Console(config)#interface vlan 1 4-125 Console(config-if)#ip address dhcp 4-213 Console(config-if)#end Console#ip dhcp restart 4-214 Console#show ip interface 4-215 IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: DHCP. Console#

Renewing DCHP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.

Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available.

3-15

Configuring the Switch

CLI – Enter the following command to restart DHCP service.

Console#ip dhcp restart 4-214 Console#

Managing Firmware

You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version.

Command Attributes

• TFTP Server IP Address – The IP address of a TFTP server.

• File Name – the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Note:

Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch. The currently designated startup version of this file cannot be deleted.

Downloading System Software from a Server

When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file.

Web – Click System, File, Firmware. Enter the IP address of the TFTP server, enter the file name of the software to download, select a file on the switch to overwrite or specify a new file name, then click Transfer from Server. To start the new firmware, reboot the system via the System/Reset menu.

The file name should not contain slashes (\ or /),

the leading letter of

3-16

Figure 3-8. Downloading Firmware to the Switch

Basic Configuration

If you download to a new destination file, then select the file from the drop-down box for the operation code used at startup, and click Apply Changes. To start the new firmware, reboot the system via the System/Reset menu.

Figure 3-9. Setting the Startup Code

CLI – Enter the IP address of the TFTP server, select “config” or “opcode” file type,

then enter the source and destination file names, set the new file to start up the system, and then restart the switch.

Console#copy tftp file 4-63 TFTP server ip address: 10.1.0.19 Choose file type:

1. config: 2. opcode: <1-2>: 2 Source file name: M100000.bix Destination file name: V1.0 \Write to FLASH Programming.

-Write to FLASH finish. Success. Console#config Console(config)#boot system opcode:V1.0 4-67 Console(config)#exit Console#reload 4-22

Saving or Restoring Configuration Settings

You can upload/download configuration settings to/from a TFTP server. The configuration file can be later downloaded to restore the switch’s settings.

Command Attributes

• TFTP Server IP Address – The IP address of a TFTP server.

•

File Name

leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Note:

— The configuration file name should not contain slashes (\ or /),

The maximum number of user-defined configuration files is limited only by available flash memory space.

the

3-17

Configuring the Switch

Downloading Configuration Settings from a Server

You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.

Web – Click System, File, Configuration. Enter the IP address of the TFTP server, enter the name of the file to download, select a file on the switch to overwrite or specify a new file name, and then click Transfer from Server.

Figure 3-10. Downloading Configuration Settings

If you download to a new file name, then select the new file from the drop-down box for Startup Configuration File, and press Apply Changes. To use the new settings, reboot the system via the System/Reset menu.

Figure 3-11. Setting the Startup Configuration Settings

CLI – Enter the IP address of the TFTP server, specify the source file on the server,

set the startup file name on the switch, and then restart the switch.

Console#copy tftp startup-config 4-63 TFTP server ip address: 192.168.1.19 Source configuration file name: config-1 Startup configuration file name [] : startup \Write to FLASH Programming.

-Write to FLASH finish. Success.

Console#reload

3-18

Basic Configuration

If you download the startup configuration file under a new file name, you can set this file as the startup file at a later time, and then restart the switch.

Console#config Console(config)#boot system config: startup-new 4-67 Console(config)#exit Console#reload 4-22

Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.

System Log Configuration

The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.

Severe error messages that are logged to flash memory are permanently stored in the switch to assist in troubleshooting network problems. Up to 4096 log entries can be stored in the flash memory, with the oldest entries being overwritten first when the available log memory (256 kilobytes) has been exceeded.

The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM.

Command Attributes

• System Log Status – Enables/disables the logging of debug or error messages to

the logging process. (Default: Enabled)

• Flash Level – Limits log messages saved to the switch’s permanent flash memory

for all levels up to the specified level. For example, if level 3 is specified, all

messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3)

Table 3-3. Logging Levels

Level Severity Name Description

7 Debug Debugging messages

6 Informational Informational messages only

5 Notice Normal but significant condition, such as cold start

4 Warning Warning conditions (e.g., return false, unexpected return)

3 Error Error conditions (e.g., invalid input, default used)

2 Critical Critical conditions (e.g., memory allocation, or free memory

1 Alert Immediate action needed

0 Emergency System unusable

* There are only Level 2, 5 and 6 error messages for the current firmware release.

error - resource exhausted)

3-19

Configuring the Switch

• RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)

Note:

The Flash Level must be equal to or less than the RAM Level.

Web – Click System, Logs, System Logs. Specify System Log Status, set event messages to be logged to RAM and flash memory, then click Apply.

Figure 3-12. System Logs

CLI – Enable system logging and then specify the level of messages to be logged to

RAM and flash memory. Use the show logging command to display the current settings.

Console(config)#logging on 4-43 Console(config)#logging history ram 0 4-44 Console(config)# Console#show logging flash 4-47 Syslog logging: Disable History logging in FLASH: level errors Console#

the level of

Remote Log Configuration

The Remote Logs page allows you to configure the logging of messages that are sent to syslog servers or other management stations. You can also limit the event messages sent to only those messages at or above a specified level.

Command Attributes

• Remote Log Status – Enables/disables the logging of debug or error messages to the remote logging process. (Default: Disabled)

• Logging Facility – Sets the facility type for remote logging of syslog messages. There are eight facility types specified by values of 16 to 23. The facility type is used by the syslog server to dispatch log messages to an appropriate service.

The attribute specifies the facility type tag sent in syslog messages. (See RFC

3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database. (Range: 16-23, Default: 23)

3-20

Basic Configuration

• Logging Trap – Limits log messages that are sent to the remote syslog server for

all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be sent to the remote server. (Range: 0-7, Default: 7)

• Host IP List – Displays the list of remote server IP addresses that will receive

syslog messages. The maximum number of host IP addresses allowed is five.

• Host IP Address – Specifies a new server IP address to add to the Host IP List.

Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.

Figure 3-13. Remote Logs

3-21

Configuring the Switch

CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.

Console(config)#logging host 10.1.0.9 4-45 Console(config)#logging facility 23 4-45 Console(config)#logging trap 4 4-46 Console(config)#logging trap Console(config)# Console#show logging trap 4-47 Syslog logging: Enabled REMOTELOG status: Disabled REMOTELOG facility type: local use 7 REMOTELOG level type: Warning conditions REMOTELOG server ip address: 10.1.0.9 REMOTELOG server ip address: 0.0.0.0 REMOTELOG server ip address: 0.0.0.0 REMOTELOG server ip address: 0.0.0.0 REMOTELOG server ip address: 0.0.0.0 Console#

Displaying Log Messages

Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.

Web – Click System, Log, Logs.

3-22

Figure 3-14. Displaying Logs

Basic Configuration

CLI – This example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), the message level for RAM is “debugging” (i.e., default level 7 - 0), and lists one sample error.

Console#show logging flash 4-47 Syslog logging: Enable History logging in FLASH: level errors [0] 0:0:5 1/1/1 "PRI_MGR_InitDefault function fails." level: 3, module: 13, function: 0, and event no.: 0 Console#show logging ram 4-47 Syslog logging: Enable History logging in RAM: level debugging [0] 0:0:5 1/1/1 PRI_MGR_InitDefault function fails." level: 3, module: 13, function: 0, and event no.: 0 Console#

Sending Simple Mail Transfer Protocol Alerts

To alert system administrators of problems, the switch can use SMTP (Simple Mail Transfer Protocol) to send email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.

Command Attributes

• Admin Status – Enables/disables the SMTP function. (Default: Enabled)

• Email Source Address – Sets the email address used for the “From” field in alert

messages. You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.

• Severity – Sets the syslog severity threshold level (see table on page 4-48) used

to trigger alert messages. All events at this level or higher will be sent to the configured email recipients. For example, using Level 7 will report all events from level 7 to level 0. (Default: Level 7)

• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The

switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list.

• Email Destination Address List – Specifies the email recipients of alert

messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list.

3-23

Configuring the Switch

Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add. To delete an IP address, click the entry in the SMTP Server List and click Remove. Specify up to five email addresses to receive the alert messages, and click Apply.

3-24

Figure 3-15. Enabling and Configuring SMTP Alerts

Basic Configuration

CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail command to display the current SMTP configuration.

Console(config)#logging sendmail host 192.168.1.4 4-49 Console(config)#logging sendmail level 3 4-49 Console(config)#logging sendmail source-email

big-wheels@matel.com 4-50

Console(config)#logging sendmail destination-email

chris@matel.com 4-50 Console(config)#logging sendmail 4-51 Console(config)#exit Console#show logging sendmail 4-47 SMTP servers

-----------------------------------------------

Active SMTP server: 0.0.0.0

SMTP minimum severity level: 4

SMTP destination email addresses

-----------------------------------------------

1. chris@this-company.com

SMTP source email address: big-wheels@matel.com

SMTP status: Enabled Console#

Resetting the System

Web – Click System, Reset. Click the Reset button to restart the switch. When prompted, confirm that you want reset the switch.

Figure 3-16. Resetting the System

CLI – Use the reload command to restart the switch.

Console#reload 4-22 System will be restarted, continue <y/n>?

Note: When restarting the system, it will always run the Power-On Self-Test.

3-25

Configuring the Switch

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock using the CLI. (See “calendar set” on page 4-55.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.

When the SNTP client is enabled, the switch periodically sends a request for a time update to a configured time server. You can configure up to three time server IP addresses. The switch will attempt to poll each server in the configured sequence.

Configuring SNTP

You can configure the switch to send time synchronization requests to time servers.

Command Attributes

• SNTP Client – Configures the switch to operate as an SNTP client. This requires at least one time server to be specified in the SNTP Server field. (Default: Disabled)

• SNTP Poll Interval – Sets the interval between sending requests for a time update from a time server. (Range: 16-16384 seconds; Default: 16 seconds)

• SNTP Server – Sets the IP address for up to three time servers. The switch attempts to update the time from the first server, if this fails it attempts an update from the next server in the sequence.

Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply.

3-26

Figure 3-17. Configuring SNTP

Basic Configuration

CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings.

Console(config)#sntp client 4-52 Console(config)#sntp poll 16 4-54 Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-53 Console(config)#exit Console#show sntp 4-54 Current time: Jan 6 14:56:05 2004 Poll interval: 60 Current mode: unicast SNTP status : Enabled SNTP server 10.1.0.19 137.82.140.80 128.250.36.2 Current server: 128.250.36.2 Console(config)#

Setting the Time Zone

SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.

Command Attributes

• Current Time – Displays the current time.

• Name – Assigns a name to the time zone. (Range: 1-29 characters)

• Hours (0-12) – The number of hours before/after UTC.

• Minutes (0-59) – The number of minutes before/after UTC.

• Direction – Configures the time zone to be before (east) or after (west) UTC.

Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC, and click Apply.

Figure 3-18. Clock Time Zone

3-27

Configuring the Switch

CLI - This example shows how to set the time zone for the system clock.

Console(config)#clock timezone Dhaka hours 6 minute 0 after-UTC 4-55 Console#

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.

The switch includes an onboard SNMP agent that continuously monitors the status of its hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as HP OpenView. Access rights to the onboard agent are controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication. The options for configuring community strings, trap functions, and restricting access to clients with specified IP addresses are described in the following sections.

Setting Community Access Strings

You may configure up to five community strings authorized for management access. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.

Command Attributes

• SNMP Community Capability – Indicates that the switch supports up to five community strings.

• Community String – A community string that acts like a password and permits access to the SNMP protocol. Default strings: “public” (read-only access), “private” (read/write access) Range: 1-32 characters, case sensitive

• Access Mode

- Read-Only – Specifies read-only access. Authorized management stations are

only able to retrieve MIB objects.

- Read/Write – Specifies read-write access. Authorized management stations are

able to both retrieve and modify MIB objects.

3-28

Simple Network Management Protocol

Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add.

Figure 3-19. Configuring SNMP Community Strings

CLI – The following example adds the string “spiderman” with read/write access.

Console(config)#snmp-server community spiderman rw 4-112 Console(config)#

Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.

Command Attributes

• Trap Manager Capability – This switch supports up to five trap managers.

• Trap Manager IP Address – IP address of a new management station to receive

trap messages.

• Trap Manager Community String – Community string sent with the notification

operation. (Range: 1-32 characters, case sensitive)

• Trap Version – Specifies whether to send notifications as SNMP v1 or v2c traps.

(Default: v1)

• Enable Authentication Traps – Issues a trap message whenever an invalid

community string is submitted during the SNMP access authentication process. (Default: Enabled)

• Enable Link-up and Link-down Traps – Issues link-up or link-down traps.

(Default: Enabled)

3-29

Configuring the Switch

Web – Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive these messages, specify the SNMP version, mark the trap types required, and then click Add.

Figure 3-20. Configuring SNMP Trap Managers

CLI – This example adds a trap manager and enables both authentication and

link-up, link-down traps.

Console(config)#snmp-server host 192.168.1.19 private version 2c 4-114 Console(config)#snmp-server enable traps 4-115

User Authentication

You can restrict management access to this switch using the following options:

• Passwords – Configures the password for the current user.

• Authentication Settings – Use remote authentication to configure access rights.

• HTTPS Settings – Provide a secure web connection.

• SSH Settings – Provide a secure shell (for secure Telnet access).

• Port Security – Configure secure addresses for individual ports.

• 802.1x – Use IEEE 802.1x port authentication to control access to specific ports.

• IP Filter – Filters management access to the web, SNMP or Telnet interface.

Configuring the Logon Password

The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place.

The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.” Note that user names can only be assigned via the CLI.

3-30

User Authentication

Command Attributes

• User Name* – The name of the user.

(Maximum length: 8 characters)

• Access Level* – Specifies the user level.

(Options: Normal and Privileged)

• Password – Specifies the user password.

(Range: 0-8 characters plain text, case sensitive)

* CLI only.

Web – Click Security, Passwords. To change the password for the current user, enter the old password, the new password, confirm it by entering it again, then click Apply.

CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password.

Console(config)#username bob access-level 15 4-26 Console(config)#username bob password 0 smith Console(config)#

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.

Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are logon

Web Telnet

authentication protocols that use software running on a central server to control access to RADIUS-aware or TACACS-aware devices on the network. An authentication

RADIUS/ TACACS+ server

1. Client attempts management access.

2. Switch contacts authentication server.

3. Authentication server challenges client.

4. Client responds with proper password or key.

5. Authentication server approves access.

6. Switch grants management access.

server contains a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch.

console

3-31

Configuring the Switch

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.

Command Usage

• By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol. Local and remote logon authentication control management access via the console port, web browser, or Telnet.

• RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair. The user name, password, and privilege level must be configured on the authentication server.

• You can specify up to three authentication methods for any user to indicate the authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and (3) Local, the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted using the TACACS+ server, and finally the local user name and password is checked.

Command Attributes

• Authentication – Select the authentication, or authentication sequence required:

- Local – User authentication is performed only locally by the switch.

- Radius – User authentication is performed using a RADIUS server only.

- TACACS – User authentication is performed using a TACACS+ server only.

- [authentication sequence] – User authentication is performed by up to three

authentication methods in the indicated sequence.

• RADIUS Settings

- Server IP Address – Address of authentication server. (Default: 10.1.0.1)

- Server Port Number – Network (UDP) port of authentication server used for

authentication messages. (Range: 1-65535; Default: 1812)

- Secret Text String – Encryption key used to authenticate logon access for

client. Do not use blank spaces in the string. (Maximum length: 20 characters)

- Number of Server Transmits – Number of times the switch tries to authenticate

logon access via the authentication server. (Range: 1-30; Default: 2)

- Timeout for a reply – The number of seconds the switch waits for a reply from

the RADIUS server before it resends the request. (Range: 1-65535; Default: 5)

• TACACS Settings

- Server IP Address – Address of the TACACS+ server. (Default: 10.11.12.13)

- Server Port Number – Network (TCP) port of TACACS+ server used for

authentication messages. (Range: 1-65535; Default: 49)

- Secret Text String – Encryption key used to authenticate logon access for

client. Do not use blank spaces in the string. (Maximum length: 20 characters)

3-32

User Authentication

Note: The local switch user database has to be set up by manually entering user names

and passwords using the CLI. (See “username” on page 4-26.)

Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.

Figure 3-21. Authentication Server Settings

3-33

Configuring the Switch

CLI – Specify all the required parameters to enable logon authentication.

Console(config)#authentication login radius 4-69 Console(config)#radius-server host 192.168.1.25 4-71 Console(config)#radius-server port 181 4-71 Console(config)#radius-server key green 4-72 Console(config)#radius-server retransmit 5 4-72 Console(config)#radius-server timeout 10 4-73 Console#show radius-server 4-73 Remote radius server configuration: Server IP address: 192.168.1.25 Communication key with radius server: Server port number: 1812 Retransmit times: 5 Request timeout: 10 Console(config)#authentication login tacacs 4-69 Console(config)#tacacs-server host 10.20.30.40 4-74 Console(config)#tacacs-server port 200 4-74 Console(config)#tacacs-server key green 4-75 Console(config)#end Console#show tacacs-server 4-75 Remote TACACS server configuration: Server IP address: 10.20.30.40 Communication key with tacacs server: green Server port number: 200 Console#

Configuring HTTPS

You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.

Command Usage

• Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port.

• If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number]

• When you start HTTPS, the connection is established in this way:

- The client authenticates the server using the server’s digital certificate.

- The client and server negotiate a set of security protocols to use for the

connection.

- The client and server generate session keys for encrypting and decrypting data.

• The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above and Netscape Navigator 4.x or above.

3-34

User Authentication

• The following web browsers and operating systems currently support HTTPS:

Table 3-4. HTTPS System Support

Web Browser Operating System

Internet Explorer 5.0 or later Windows 98,Windows NT (with service pack 6a),

Netscape Navigator 4.76 or later Windows 98,Windows NT (with service pack 6a),

• To specify a secure-site certificate, see “Replacing the Default Secure-site

Certificate” on page 3-35.

Command Attributes

• HTTPS Status – Allows you to enable/disable the HTTPS server feature on the

switch.

(Default: Enabled)

•

Change HTTPS Port Number – Specifies the UDP port number used for HTTPS/ SSL connection to the switch’s web interface. (Default: Port 443)

Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.

Windows 2000, Windows XP

Windows 2000, Windows XP, Solaris 2.6

Figure 3-22. HTTPS Settings

CLI – This example enables the HTTP secure server and modifies the port number.

Console(config)#ip http secure-server 4-31 Console(config)#ip http secure-port 441 4-32 Console(config)#

Replacing the Default Secure-site Certificate

When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site. This is because the certificate has not been signed by an approved certification authority. If you want this warning to be replaced by a message confirming that the connection to the switch is secure, you must obtain a unique certificate and a private key and password from a recognized certification authority.

3-35

Configuring the Switch

Caution: For maximum security, we recommend you obtain a unique Secure Sockets

Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased.

When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to replace the default (unrecognized) certificate with an authorized one:

Console#copy tftp https-certificate 4-63 TFTP server ip address: <server ip-address> Source certificate file name: <certificate file name> Source private file name: <private key file name> Private password: <password for private key>

Note:

The switch must be reset for the new certificate to be activated. To reset the switch, type:

Console#reload

Configuring the Secure Shell

The Berkley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.

The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkley remote access tools. SSH can also provide remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public-key that the client uses along with a local user name and password for access authentication. SSH also encrypts all data transfers passing between the switch and SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered.

Note that you need to install an SSH client on the management station to access the switch for management via the SSH protocol.

Note:

The switch supports both SSH Version 1.5 and 2.0.

Command Usage

The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the Authentication Settings page (page 3-31). If public key authentication is specified by the client, then you must configure authentication keys on both the client and the switch as described in the following section. Note that regardless of whether you use public key or password authentication, you still have to generate authentication keys on the switch (SSH Host Key Settings) and enable the SSH server (Authentication Settings).

3-36

User Authentication

To use the SSH server, complete these steps:

1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host

public/private key pair.

2. Provide Host Public Key to Clients – Many SSH client programs automatically

import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example:

10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233 76546801726272571413428762941301196195566782 59566410486957427888146206 51941746772984865468615717739390164779355942303577413098022737087794545 24083971752646358058176716709574804776117

3. Import Client’s Public Key to the Switch – Use the copy tftp public-key

command (page 4-63) to copy a file containing the public key for all the SSH client’s granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3-30.) The clients are subsequently authenticated using these keys. The current firmware only accepts public key files based on standard UNIX format as shown in the following example for an RSA Version 1 key:

1024 35 1341081685609893921040944920155425347631641921872958921143173880 05553616163105177594083868631109291232226828519254374603100937187721199 69631781366277414168985132049117204830339254324101637997592371449011938 00609025394840848271781943722884025331159521348610229029789827213532671 31629432532818915045306393916643 steve@192.168.1.19

4. Set the Optional Parameters – On the SSH Settings page, configure the

optional parameters, including the authentication timeout, the number of retries, and the server key size.

5. Enable SSH Service – On the SSH Settings page, enable the SSH server on

the switch.

6. Challenge-Response Authentication – When an SSH client attempts to contact

the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access. The following exchanges take place during this process:

a. The client sends its public key to the switch. b. The switch compares the client's public key to those stored in memory. c. If a match is found, the switch uses the public key to encrypt a random

sequence of bytes, and sends this string to the client.

d. The client uses its private key to decrypt the bytes, and sends the

decrypted bytes back to the switch.

3-37

Configuring the Switch

e. The switch compares the decrypted bytes to the original bytes it sent. If the

two sets match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.

Notes: 1.

To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client’s keys.

2. The SSH server supports up to four client sessions. The maximum number

of client sessions includes both current Telnet sessions and SSH sessions.

Generating the Host Key Pair

A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the proceeding section (Command Usage).

Field Attributes

• Public-Key of Host-Key – The public key for the host.

- RSA (Version 1): The first field indicates the size of the host key (e.g., 1024), the

second field is the encoded public exponent (e.g., 65537), and the last string is the encoded modulus.

- DSA (Version 2): The first field indicates that the encryption method used by

SSH is based on the Digital Signature Standard (DSS). The last string is the encoded modulus.

• Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA (Version 1), DSA (Version 2), Both: Default: RSA) The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.

• Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e., volatile memory to flash memory. Otherwise, the host key pair is stored to RAM by default. Note that you must select this item prior to generating the host-key pair.

• Generate – This button is used to generate the host key pair. Note that you must first generate the host key pair before you can enable the SSH server on the SSH Server Settings page.

3-38

User Authentication

Web – Click Security, SSH Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.

Figure 3-23. SSH Host-Key Settings

CLI – This example generates a host-key pair using both the RSA and DSA

algorithms, stores the keys to flash memory, and then displays the host’s public keys.

Console#ip ssh crypto host-key generate 4-39 Console#ip ssh save host-key 4-40 Console#show public-key host 4-42 Host: RSA: 1024 65537 127250922544926402131336514546131189679055192360076028653006761 82409690947448320102524878965977592168322225584652387791546479807396314033 86925793105105765212243052807865885485789272602937866089236841423275912127 60325919683697053439336438445223335188287173896894511729290510813919642025 190932104328579045764891 DSA: ssh-dss AAAAB3NzaC1kc3MAAACBAN6zwIqCqDb3869jYVXlME1sHL0EcE/Re6hlasfEthIwmj hLY4O0jqJZpcEQUgCfYlum0Y2uoLka+Py9ieGWQ8f2gobUZKIICuKg6vjO9XTs7XKc05xfzkBi KviDa+2OrIz6UK+6vFOgvUDFedlnixYTVo+h5v8r0ea2rpnO6DkZAAAAFQCNZn/x17dwpW8RrV DQnSWw4Qk+6QAAAIEAptkGeB6B5hwagH4gUOCY6i1TmrmSiJgfwO9OqRPUMbCAkCC+uzxatOo7 drnIZypMx+Sx5RUdMGgKS+9ywsa1cWqHeFY5ilc3lDCNBueeLykZzVS+RS+azTKIk/zrJh8GLG Nq375R55yRxFvmcGIn/Q7IphPqyJ3o9MK8LFDfmJEAAACAL8A6tESiswP2OFqX7VGoEbzVDSOI RTMFy3iUXtvGyQAOVSy67Mfc3lMtgqPRUOYXDiwIBp5NXgilCg5z7VqbmRm28mWc5a//f8TUAg PNWKV6W0hqmshQdotVzDR1e+XKNTZj0uTwWfjO5Kytdn4MdoTHgrbl/DMdAfjnte8MZZs=

Console#

3-39

Configuring the Switch

Configuring the SSH Server

The SSH server includes basic settings for authentication.

Field Attributes

• SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled)

• Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.

• SSH Authentication Timeout – Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt. (Range: 1 to 120 seconds; Default: 120 seconds)

• SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3)

• SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits)

- The server key is a private key that is never shared outside the switch.

- The host key is shared with the SSH client, and is fixed at 1024 bits.

Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note that you must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server.

3-40

Figure 3-24. SSH Server Settings

User Authentication

CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SHH, and then disables this connection.

Console(config)#ip ssh server 4-36 Console(config)#ip ssh timeout 100 4-37 Console(config)#ip ssh authentication-retries 5 4-37 Console(config)#ip ssh server-key size 512 4-38 Console(config)#end Console#show ip ssh 4-40 SSH Enabled - version 2.0 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console#show ssh 4-41 Information of secure shell Session Username Version Encrypt method Negotiation state

------- -------- ------- -------------- ---------------- 0 admin 2.0 cipher-3des session-started Console#disconnect 0 4-18 Console#

Configuring Port Security

Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port.

When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted as authorized to access the network through that port. If a device with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message.

To use port security, specify a maximum number of addresses to allow on the port and then let the switch dynamically learn the <source MAC address, VLAN> pair for frames received on the port. Note that you can also manually add secure addresses to the port using the Static Address Table (page 3-88). When the port has reached the maximum number of MAC addresses the selected port will stop learning. The MAC addresses already in the address table will be retained and will not age out. Any other device that attempts to use the port will be prevented from accessing the switch.

Command Usage

• A secure port has the following restrictions:

- It cannot use port monitoring.

- It cannot be a multi-VLAN port.

- It cannot be used as a member of a static or dynamic trunk.

- It should not be connected to a network interconnection device.

• The default maximum number of MAC addresses allowed on a secure port is zero.

You must configure a maximum address count from 1 - 20 for the port to allow access.

3-41

Configuring the Switch

• If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (page 3-67).

Command Attributes

• Port – Port number.

• Name – Descriptive text (page 4-126).

• Action – Indicates the action to be taken when a port security violation is detected:

- None: No action should be taken. (This is the default.)

- Trap: Send an SNMP trap message.

- Shutdown: Disable the port.

- Trap and Shutdown: Send an SNMP trap message and disable the port.

• Security Status – Enables or disables port security on the port. (Default: Disabled)

• Max MAC Count – The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 20)

• Trunk – Trunk number if port is a member (page 3-70 and 3-71).

Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.

3-42

Figure 3-25. Port Security

User Authentication

CLI – This example selects the target port, sets the port security action to send a trap and disable the port, specifies a maximum address count, and then enables port security for the port.

Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap-and-shutdown 4-76 Console(config-if)#port security max-mac-count 20 Console(config-if)#port security Console(config-if)#

Configuring 802.1x Port Authentication

Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.

The IEEE 802.1x (dot1x) standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network.

This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge back to the client. The EAP packet from the RADIUS server contains not only the challenge, but the authentication method to be used. The client can reject the authentication method and request another, depending on the configuration of the client software and the RADIUS server. The authentication method currently supported is MD5 only. The client responds to the appropriate method with its password. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port remains blocked.

802.1x client

RADIUS server

1. Client attempts to access a switch port.

2. Switch sends client an identity request.

3. Client sends back identity information.

4. Switch forwards this to authentication server.

5. Authentication server challenges client.

6. Client responds with proper credentials.

7. Authentication server approves access.

8. Switch grants client access to this port.

3-43

Configuring the Switch

The operation of 802.1x on the switch requires the following:

• The switch must have an IP address assigned.

• RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified.

• Each switch port that will be used must be set to dot1x “Auto” mode.

• Each client that needs to be authenticated must have dot1x client software installed and properly configured.

• The RADIUS server and 802.1x client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)

• The RADIUS server and client also have to support the same EAP authentication type – MD5, (Some clients have native support in Windows, otherwise the dot1x client must support it.)

Displaying 802.1x Global Settings

The dot1x protocol includes global parameters that control the client authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server. These parameters are described in this section.

Command Attributes

• 802.1X Re-authentication – Indicates if switch port requires a client to be re-authenticated after a certain period of time.

• 802.1X Max Request Count – The maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.

• Timeout For Quiet Period – Indicates the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client.

• Timeout For Re-authentication Period – Indicates the time period after which a connected client must be re-authenticated.

• Timeout For Tx Period – The time period during an authentication session that the switch waits before re-transmitting an EAP packet.

• Supplicant Timeout – The time the switch waits for a client response to an EAP request.

• Server Timeout – The time the switch waits for a response from the authentication server (RADIUS) to an authentication request.

• Re-authentication Max Count – The number of times the switch will attempt to re-authenticate a connected client before the port becomes unauthorized.

3-44

User Authentication

Web – Click Security, 802.1x, Information.

Figure 3-26. 802.1x Information

CLI – This example shows the default protocol settings for 802.1x. For a description

of the additional entries displayed in the CLI, See “show dot1x” on page 4-83.

Console#show dot1x 4-83 Global 802.1X Parameters reauth-enabled: yes reauth-period: 3600 quiet-period: 60 tx-period: 30 supp-timeout: 30 server-timeout: 30 reauth-max: 2 max-req: 2

802.1X Port Summary Port Name Status Operation Mode Mode Authorized 1/1 disabled Single-Host ForceAuthorized n/a 1/2 disabled Single-Host ForceAuthorized n/a .

. . 1/47 disabled Single-Host ForceA uthorized n/a

1/48 enabled Single-Host Auto yes

802.1X Port Details

802.1X is disabled on port 1/1

802.1X is disabled on port 1/2 .

. . .

802.1X is disabled on port 1/47

3-45

Configuring the Switch

802.1X is enabled on port 1/48 Status Authorized Operation mode Single-Host Max count 5 Port-control Auto Supplicant 00-00-e8-49-5e-dc Current Identifier 3

Authenticator State Machine State Authenticated Reauth Count 0

Backend State Machine State Idle Request Count 0 Identifier(Server) 2

Reauthentication State Machine State Initialize Console#

Configuring 802.1x Global Settings

Command Attributes

• 802.1X Re-authentication – Sets the client to be re-authenticated after the interval specified by the Timeout for Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)

• 802.1X Max Request Count – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2)

• Timeout For Quiet Period – Sets the time that a switch port waits after the dot1X Max Request Count has been exceeded before attempting to acquire a new client. (Range: 1-65535 seconds; Default: 60 seconds)

• Timeout For Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)

• Timeout For Tx Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)

• authentication dot1x default* – Sets the default authentication server type. Note that the specified authentication server type must be enabled and properly configured for dot1x to function properly. (Options: radius).

* CLI only.

3-46

User Authentication

Web – Select Security, 802.1x, Configuration. Enable dot1x globally for the switch, modify any of the parameters required, and then click Apply.

Figure 3-27. 802.1X Configuration

CLI

– This enables re-authentication and sets all of the global parameters for 802.1x

Console(config)#dot1x re-authentication 4-81 Console(config)#dot1x max-req 5 4-79 Console(config)#dot1x timeout quiet-period 40 4-82 Console(config)#dot1x timeout re-authperiod 5 4-82 Console(config)#dot1x timeout tx-period 40 4-83 Console(config)#authentication dot1x default radius 4-79 Console(config)#

Configuring Port Authorization Mode

When dot1x is enabled, you need to specify the dot1x authentication mode configured for each port.

Command Attributes

• Status – Indicates if authentication is enabled or disabled on the port.

• Operation Mode – Allows single or multiple hosts (clients) to connect to an

802.1X-authorized port. (Range: Single-Host, Multi-Host; Default: Single-Host)

• Max Count – The maximum number of hosts that can connect to a port when the

Multi-Host operation mode is selected. (Range: 1-20; Default: 5)

• Mode – Sets the authentication mode to one of the following options:

- Auto – Requires a dot1x-aware client to be authorized by the authentication server. Clients that are not dot1x-aware will be denied access.

- Force-Authorized – Forces the port to grant access to all clients, either dot1x-aware or otherwise.

- Force-Unauthorized – Forces the port to deny access to all clients, either dot1x-aware or otherwise.

3-47

Configuring the Switch

• Authorized –

- Yes – Connected client is authorized.

- No – Connected client is not authorized.

- Blank – Displays nothing when dot1x is disabled on a port.

• Supplicant – Indicates the MAC address of a connected client.

• Trunk – Indicates if the port is configured as a trunk port.

Web – Click Security, 802.1x, Port Configuration. Select the authentication mode from the drop-down box and click Apply.

Figure 3-28. 802.1x Port Configuration

CLI – This example sets the authentication mode to enable 802.1x on port 2, and

allows up to ten clients to connect to this port.

Console(config)#interface ethernet 1/2 4-125 Console(config-if)#dot1x port-control auto 4-80 Console(config-if)#dot1x operation-mode multi-host max-count 10 4-80 Console(config-if)#

Displaying 802.1x Statistics

This switch can display statistics for dot1x protocol exchanges for any port.

Table 3-5. 802.1x Statistics

Parameter Description

Rx EAPOL Start The number of EAPOL Start frames that have been received by this

Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this

Rx EAPOL Invalid The number of EAPOL frames that have been received by this

Rx EAPOL Total The number of valid EAPOL frames of any type that have been received

Rx EAP Resp/Id The number of EAP Resp/Id frames that have been received by this

Authenticator.

Authenticator in which the frame type is not recognized.

by this Authenticator.

Authenticator.

3-48

User Authentication

Table 3-5. 802.1x Statistics

Parameter Description

Rx EAP Resp/Oth The number of valid EAP Response frames (other than Resp/Id frames)

Rx EAP LenError The number of EAPOL frames that have been received by this

Rx Last EAPOLVer The protocol version number carried in the most recently received EAPOL

Rx Last EAPOLSrc The source MAC address carried in the most recently received EAPOL

Tx EAPOL Total The number of EAPOL frames of any type that have been transmitted by

Tx EAP Req/Id The number of EAP Req/Id frames that have been transmitted by this

Tx EAP Req/Oth The number of EAP Request frames (other than Rq/Id frames) that have

that have been received by this Authenticator.

Authenticator in which the Packet Body Length field is invalid.

frame.

this Authenticator.

Authenticator.

been transmitted by this Authenticator.

Web – Select Security, 802.1x, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.

Figure 3-29. 802.1x Port Statistics

3-49

Configuring the Switch

CLI – This example displays the 802.1x statistics for port 4.

Console#show dot1x statistics interface ethernet 1/4 4-83

Eth 1/4 Rx: EAPOL EAPOL EAPOL EAPOL EAP EAP EAP Start Logoff Invalid Total Resp/Id Resp/Oth LenError 2 0 0 1007 672 0 0

Last Last EAPOLVer EAPOLSrc 1 00-00-E8-98-73-21

Tx: EAPOL EAP EAP Total Req/Id Req/Oth 2017 1005 0 Console#

Filtering IP Addresses for Management Access

You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.

Command Usage

• The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.

• If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.

• IP address can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.

• When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.

• You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses.

• You can delete an address range just by specifying the start address, or by specifying both the start address and end address.

Command Attributes

• Web IP Filter – Configures IP address(es) for the web group.

• SNMP IP Filter – Configures IP address(es) for the SNMP group.

• Telnet IP Filter – Configures IP address(es) for the Telnet group.

• IP Filter List – IP address which are allowed management access to this interface.

• Start IP Address – A single IP address, or the starting address of a range.

• End IP Address – The end address of a range.

3-50

User Authentication

Web – Click Security, IP Filter. Enter the addresses that are allowed management access to an interface, and click Add IP Filtering Entry.

Figure 3-30. IP Filter

CLI – This example allows SNMP access for a specific client.

Console(config)#management snmp-client 10.1.2.3 4-28 Console(config)#end Console#show management all-client Management Ip Filter Http-Client: Start ip address End ip address

-----------------------------------------------

Snmp-Client: Start ip address End ip address

-----------------------------------------------

1. 10.1.2.3 10.1.2.3 Telnet-Client: Start ip address End ip address

-----------------------------------------------

Console#

3-51

Configuring the Switch

Access Control Lists

Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.

Configuring Access Control Lists

An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no rules match for a list of all permit rules, the packet is dropped; and if no rules match for a list of all deny rules, the packet is accepted.

You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule. This is done by specifying masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egress ACL.

Command Usage

The following restrictions apply to ACLs:

• Each ACL can have up to 32 rules.

• The maximum number of ACLs is also 32.

• However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.

• You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule.

• When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail.

• The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.

The order in which active ACLs are checked is as follows:

1. User-defined rules in the Egress MAC ACL for egress ports.

2. User-defined rules in the Egress IP ACL for egress ports.

3. User-defined rules in the Ingress MAC ACL for ingress ports.

4. User-defined rules in the Ingress IP ACL for ingress ports.

5. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports.

6. Explicit default rule (permit any any) in the ingress MAC ACL for ingress ports.

7. If no explicit rule is matched, the implicit default is permit all.

3-52

Access Control Lists

Setting the ACL Name and Type

Use the ACL Configuration page to designate the name and type of an ACL.

Command Attributes

• Name – Name of the ACL. (Maximum length: 16 characters)

• Type – There are three filtering modes:

- Standard: IP ACL mode that filters packets based on the source IP address.

- Extended: IP ACL mode that filters packets based on source or destination IP address, as well as protocol type and protocol port number. If the “TCP” protocol is specified, then you can also filter packets based on the TCP control code.

- MAC: MAC ACL mode that filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).

Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list.

Figure 3-31. Selecting ACL Type

CLI – This example creates a standard IP ACL named bill.

Console(config)#access-list ip standard bill 4-88 Console(config-std-acl)#

Configuring a Standard IP ACL

Command Attributes

• Action – An ACL can contain all permit rules or all deny rules. (Default: Permit rules)

• IP – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields. (Options: Any, Host, IP; Default: Any)

• Address – Source IP address.

• SubMask – A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.”

3-53

Configuring the Switch

The mask is bitwise ANDed with the specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.

Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add.

Figure 3-32. ACL Configuration - Standard IP

CLI – This example configures one permit rule for the specific address 10.1.1.21

and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.

Console(config-std-acl)#permit host 10.1.1.21 4-89 Console(config-std-acl)#permit 168.92.16.0 255.255.240.0 Console(config-std-acl)#

3-54

Access Control Lists

Configuring an Extended IP ACL

Command Attributes

• Action – An ACL can contain either all permit rules or all deny rules. (Default: Permit rules)

• Src/Dst IP – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields. (Options: Any, Host, IP; Default: Any)

• Src/Dst Address – Source or destination IP address.

• Src/Dst SubMask – Subnet mask for source or destination address. (See the description for SubMask on page 3-53.)

• Service Type – Packet priority settings based on the following criteria:

- Precedence – IP precedence level. (Range: 0-7)

- TOS – Type of Service level. (Range: 0-15)

- DSCP – DSCP priority level. (Range: 0-64)

• Protocol – Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: TCP)

• Src/Dst Port – Source/destination port number for the specified protocol type. (Range: 0-65535)

• Src/Dst Port Bitmask – Decimal number representing the port bits to match. (Range: 0-65535)

• Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)

• Control Bitmask – Decimal number representing the code bits to match. The control bitmask is a decimal number (for an equivalent binary bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit “1” means to match a bit and “0” means to ignore a bit. The following bits may be specified:

- 1 (fin) – Finish

- 2 (syn) – Synchronize

- 4 (rst) – Reset

- 8 (psh) – Push

- 16 (ack) – Acknowledgement

- 32 (urg) – Urgent pointer

For example, use the code value and mask below to catch packets with the following flags set:

- SYN flag valid, use control-code 2, control bitmask 2

- Both SYN and ACK valid, use control-code 18, control bitmask 18

- SYN valid and ACK invalid, use control-code 2, control bitmask 18

3-55

Configuring the Switch

Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.

Figure 3-33. ACL Configuration - Extended IP

CLI – This example adds three rules:

(1) Accept any incoming packets if the source address is in subnet 10.7.1.x. For

example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.

(2) Allow TCP packets from class C addresses 192.168.1.0 to any destination

address when set for destination TCP port 80 (i.e., HTTP).

(3) Permit all TCP packets from class C addresses 192.168.1.0 with the TCP control

code set to “SYN”.

Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any 4-90 Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any

destination-port 80 Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2 Console(config-ext-acl)#

3-56

Access Control Lists

Configuring a MAC ACL

Command Attributes

• Action – An ACL can contain all permit rules or all deny rules. (Default: Permit rules)

• Source/Destination MAC – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any)

• Source/Destination MAC Address – Source or destination MAC address.

• Source/Destination MAC Bitmask – Hexidecimal mask for source or destination MAC address.

• VID – VLAN ID. (Range: 1-4095)

• VID Mask – VLAN bitmask. (Range: 1-4095)

• Ethernet Type – This option can only be used to filter Ethernet II formatted packets. (Range: 600-fff hex.)

A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), 8137 (IPX).

• Ethernet Type Mask – Protocol bitmask. (Range: 600-fff hex.)

• Packet Format – This attribute includes the following packet types:

- Any – Any Ethernet packet type.

- Untagged-eth2 – Untagged Ethernet II packets.

- Untagged-802.3 – Untagged Ethernet 802.3 packets.

- Tagged-eth2 – Tagged Ethernet II packets.

- Tagged-802.3 – Tagged Ethernet 802.3 packets.

Command Usage

• Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unknown packets.

3-57

Configuring the Switch

Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexidecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.

Figure 3-34. ACL Configuration - MAC

CLI – This rule permits packets from any source MAC address to the destination

address 00-e0-29-94-34-de where the Ethernet type is 0800.

Console(config-mac-acl)#permit any host 00-e0-29-94-34-de

ethertype 0800 4-102

Console(config-mac-acl)#

3-58

Access Control Lists

Configuring ACL Masks

You can specify optional masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egress ACL. A mask must be bound exclusively to one of the basic ACL types (i.e., Ingress IP ACL, Egress IP ACL, Ingress MAC ACL or Egress MAC ACL), but a mask can be bound to up to four ACLs of the same type.

Command Usage

• Up to seven entries can be assigned to an ACL mask.

• Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules are entered.

• First create the required ACLs and the ingress or egress masks before mapping an ACL to an interface.

• You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule.

Specifying the Mask Type

Use the ACL Mask Configuration page to edit the mask for the Ingress IP ACL, Egress IP ACL, Ingress MAC ACL or Egress MAC ACL.

Web – Click Security, ACL, ACL Mask Configuration. Click Edit for one of the basic mask types to open the configuration page.

Figure 3-35. Selecting ACL Mask Types

CLI – This example creates an IP ingress mask, and then adds two rules. Each rule

is checked in order of precedence to look for a match in the ACL entries. The first entry matching a mask is applied to the inbound packet.

Console(config)#access-list ip mask-precedence in 4-92 Console(config-ip-mask-acl)#mask host any 4-93 Console(config-ip-mask-acl)#mask 255.255.255.0 any Console(config-ip-mask-acl)#

3-59

Configuring the Switch

Configuring an IP ACL Mask

This mask defines the fields to check in the IP header.

Command Usage

• Masks that include an entry for a Layer 4 protocol source port or destination port can only be applied to packets with a header length of exactly five bytes.

Command Attributes

• Src/Dst IP – Specifies the source or destination IP address. Use “Any” to match any address, “Host” to specify a host address (not a subnet), or “IP” to specify a range of addresses. (Options: Any, Host, IP; Default: Any)

• Src/Dst IP Bitmask – Source or destination address of rule must match this bitmask. (See the description for SubMask on page 3-53.)

• Protocol Bitmask – Check the protocol field.

• Service Type – Check the rule for the specified priority type. (Options: Precedence, TOS, DSCP; Default: TOS)

• Src/Dst Port Bitmask – Protocol port of rule must match this bitmask. (Range: 0-65535)

• Control Bitmask – Control flags of rule must match this bitmask. (Range: 0-63)

3-60

Access Control Lists

Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types. Or use a bitmask to search for specific protocol port(s) or TCP control code(s). Then click Add.

Figure 3-36. ACL Mask Configuration - IP

CLI – This shows that the entries in the mask override the precedence in which the

rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255” rule has the higher precedence according the “mask host any” entry.

Console(config)#access-list ip standard A2 4-88 Console(config-std-acl)#permit 10.1.1.0 255.255.255.0 4-89 Console(config-std-acl)#deny 10.1.1.1 255.255.255.255 Console(config-std-acl)#exit Console(config)#access-list ip mask-precedence in 4-92 Console(config-ip-mask-acl)#mask host any 4-93 Console(config-ip-mask-acl)#mask 255.255.255.0 any Console(config-ip-mask-acl)#

3-61

Configuring the Switch

Configuring a MAC ACL Mask

This mask defines the fields to check in the packet header.

Command Usage

You must configure a mask for an ACL rule before you can bind it to a port.

Command Attributes

• Source/Destination MAC – Use “Any” to match any address, “Host” to specify the host address for a single node, or “MAC” to specify a range of addresses. (Options: Any, Host, MAC; Default: Any)

• Source/Destination MAC Bitmask – Address of rule must match this bitmask.

• VID Bitmask – VLAN ID of rule must match this bitmask.

• Ethernet Type Bitmask – Ethernet type of rule must match this bitmask.

• Packet Format Bitmask – A packet format must be specified in the rule.

Web – Configure the mask to match the required rules in the MAC ingress or egress ACLs. Set the mask to check for any source or destination address, a host address, or an address range. Use a bitmask to search for specific VLAN ID(s) or Ethernet type(s). Or check for rules where a packet format was specified. Then click Add.

3-62

Figure 3-37. ACL Mask Configuration - MAC

Accton Technology ES4548C, ES4524C, ES4512C User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Chapter 1: Introduction

Key Features

Description of Software Features

System Defaults

Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

Required Connections

Basic Configuration

Remote Connections

Console Connection

Setting Passwords

Setting an IP Address

Enabling SNMP Management Access

Saving Configuration Settings

Managing System Files

Chapter 3: Configuring the Switch

Using the Web Interface

Navigating the Web Browser Interface

Home Page

Configuration Options

Panel Display

Main Menu

Basic Configuration

Displaying System Information

Displaying Switch Hardware/Software Versions

Displaying Bridge Extension Capabilities

Setting the Switch’s IP Address

Managing Firmware

Saving or Restoring Configuration Settings

Configuring Event Logging

Resetting the System

Setting the System Clock

Simple Network Management Protocol

Setting Community Access Strings

Specifying Trap Managers and Trap Types

User Authentication

Configuring the Logon Password

Configuring Local/Remote Logon Authentication

Configuring HTTPS

Configuring the Secure Shell

Configuring Port Security

Configuring 802.1x Port Authentication

Filtering IP Addresses for Management Access

Access Control Lists

Configuring Access Control Lists

Configuring ACL Masks