Community Strings (for SNMP version 1 and 2c clients) 2-6
Trap Receivers 2-7
Configuring Access for SNMP Version 3 Clients 2-8
Saving Configuration Settings 2-8
Managing System Files 2-9
Chapter 3: Configuring the Switch 3-1
Using the Web Interface 3-1
Navigating the Web Browser Interface 3-2
Home Page 3-2
Configuration Options 3-3
Panel Display 3-3
Main Menu 3-4
Basic Configuration 3-9
Displaying System Information 3-9
Displaying Switch Hardware/Software Versions 3-10
Displaying Bridge Extension Capabilities 3-12
Setting the Switch’s IP Address 3-13
Manual Configuration 3-14
Using DHCP/BOOTP 3-15
Configuring Support for Jumbo Frames 3-16
Managing Firmware 3-17
Downloading System Software from a Server 3-18
v
Contents
Saving or Restoring Configuration Settings 3-20
Downloading Configuration Settings from a Server 3-21
Console Port Settings 3-22
Telnet Settings 3-24
Configuring Event Logging 3-26
System Log Configuration 3-26
Remote Log Configuration 3-27
Displaying Log Messages 3-29
Sending Simple Mail Transfer Protocol Alerts 3-29
Resetting the System 3-31
Setting the System Clock 3-32
Configuring SNTP 3-32
Setting the Time Zone 3-33
Simple Network Management Protocol 3-34
Enabling the SNMP Agent 3-35
Setting Community Access Strings 3-36
Specifying Trap Managers and Trap Types 3-37
Configuring SNMPv3 Management Access 3-39
Replacing the Default Secure-site Certificate 3-56
Configuring the Secure Shell 3-57
Generating the Host Key Pair 3-58
Configuring the SSH Server 3-60
Configuring Port Security 3-62
Configuring 802.1X Port Authentication 3-64
Displaying 802.1X Global Settings 3-65
Configuring 802.1X Global Settings 3-66
Configuring Port Settings for 802.1X 3-66
Displaying 802.1X Statistics 3-69
Filtering IP Addresses for Management Access 3-71
Access Control Lists 3-73
Configuring Access Control Lists 3-73
Setting the ACL Name and Type 3-74
Configuring a Standard IP ACL 3-74
Configuring an Extended IP ACL 3-75
Configuring a MAC ACL 3-78
vi
Contents
Configuring ACL Masks 3-80
Specifying the Mask Type 3-80
Configuring an IP ACL Mask 3-81
Configuring a MAC ACL Mask 3-83
Binding a Port to an Access Control List 3-84
Port Configuration 3-85
Displaying Connection Status 3-85
Configuring Interface Connections 3-88
Creating Trunk Groups 3-90
Statically Configuring a Trunk 3-91
Enabling LACP on Selected Ports 3-92
Configuring LACP Parameters 3-94
Displaying LACP Port Counters 3-97
Displaying LACP Settings and Status for the Local Side 3-98
Displaying LACP Settings and Status for the Remote Side 3-100
Setting Broadcast Storm Thresholds 3-101
Configuring Port Mirroring 3-103
Configuring Rate Limits 3-104
Showing Port Statistics 3-105
Address Table Settings 3-109
Setting Static Addresses 3-109
Displaying the Address Table 3-110
Changing the Aging Time 3-112
Spanning Tree Algorithm Configuration 3-112
Displaying Global Settings 3-113
Configuring Global Settings 3-116
Displaying Interface Settings 3-120
Configuring Interface Settings 3-123
Configuring Multiple Spanning Trees 3-125
Displaying Interface Settings for MSTP 3-129
Configuring Interface Settings for MSTP 3-130
VLAN Configuration 3-132
IEEE 802.1Q VLANs 3-132
Enabling or Disabling GVRP (Global Setting) 3-135
Displaying Basic VLAN Information 3-135
Displaying Current VLANs 3-136
Creating VLANs 3-137
Adding Static Members to VLANs (VLAN Index) 3-138
Adding Static Members to VLANs (Port Index) 3-140
Configuring VLAN Behavior for Interfaces 3-141
Configuring Private VLANs 3-143
Enabling Private VLANs 3-143
Configuring Uplink and Downlink Ports 3-144
Configuring Protocol-Based VLANs 3-144
Configuring Protocol Groups 3-145
vii
Contents
Mapping Protocols to VLANs 3-146
Class of Service Configuration 3-147
Layer 2 Queue Settings 3-147
Setting the Default Priority for Interfaces 3-147
Mapping CoS Values to Egress Queues 3-149
Selecting the Queue Mode 3-151
Setting the Service Weight for Traffic Classes 3-151
Layer 3/4 Priority Settings 3-153
Mapping Layer 3/4 Priorities to CoS Values 3-153
Selecting IP Precedence/DSCP Priority 3-153
Mapping IP Precedence 3-154
Mapping DSCP Priority 3-155
Mapping IP Port Priority 3-157
Mapping CoS Values to ACLs 3-158
Multicast Filtering 3-159
IGMP Protocol 3-160
Layer 2 IGMP (Snooping and Query) 3-160
Configuring IGMP Snooping and Query Parameters 3-161
Displaying Interfaces Attached to a Multicast Router 3-163
Specifying Static Interfaces for a Multicast Router 3-164
Displaying Port Members of Multicast Services 3-165
Assigning Ports to Multicast Services 3-166
Configuring Domain Name Service 3-167
Configuring General DNS Service Parameters 3-167
Configuring Static DNS Host to Address Entries 3-169
Displaying the DNS Cache 3-171
Chapter 4: Command Line Interface 4-1
Using the Command Line Interface 4-1
Accessing the CLI 4-1
Console Connection 4-1
Telnet Connection 4-1
Entering Commands 4-3
Keywords and Arguments 4-3
Minimum Abbreviation 4-3
Command Completion 4-3
Getting Help on Commands 4-3
Showing Commands 4-4
Partial Keyword Lookup 4-5
Negating the Effect of Commands 4-5
Using Command History 4-5
Understanding Command Modes 4-5
Exec Commands 4-6
Configuration Commands 4-6
viii
Contents
Command Line Processing 4-7
Command Groups 4-8
Line Commands 4-9
line 4-10
login 4-11
password 4-12
timeout login response 4-12
exec-timeout 4-13
password-thresh 4-14
silent-time 4-14
databits 4-15
parity 4-16
speed 4-16
stopbits 4-17
disconnect 4-17
show line 4-18
General Commands 4-19
enable 4-19
disable 4-20
configure 4-20
show history 4-21
reload 4-21
end 4-22
exit 4-22
quit 4-23
System Management Commands 4-23
Device Designation Commands 4-24
prompt 4-24
hostname 4-24
User Access Commands 4-25
username 4-25
enable password 4-26
IP Filter Commands 4-27
management 4-27
show management 4-28
Web Server Commands 4-29
ip http port 4-29
ip http server 4-29
ip http secure-server 4-30
ip http secure-port 4-31
Telnet Server Commands 4-32
ip telnet server 4-32
Secure Shell Commands 4-32
ip ssh server 4-35
ip ssh timeout 4-35
ix
Contents
ip ssh authentication-retries 4-36
ip ssh server-key size 4-36
delete public-key 4-37
ip ssh crypto host-key generate 4-37
ip ssh crypto zeroize 4-38
ip ssh save host-key 4-39
show ip ssh 4-39
show ssh 4-39
show public-key 4-40
Event Logging Commands 4-41
logging on 4-42
logging history 4-42
logging host 4-43
logging facility 4-44
logging trap 4-44
clear log 4-45
show logging 4-46
show log 4-47
access-list ip 4-88
access-list ip extended fragment-auto-mask 4-89
permit, deny (Standard ACL) 4-89
permit, deny (Extended ACL) 4-90
show ip access-list 4-92
access-list ip mask-precedence 4-92
mask (IP ACL) 4-93
show access-list ip mask-precedence 4-96
ip access-group 4-97
show ip access-group 4-97
map access-list ip 4-98
xi
Contents
show map access-list ip 4-98
match access-list ip 4-99
show marking 4-100
MAC ACLs 4-100
access-list mac 4-101
permit, deny (MAC ACL) 4-102
show mac access-list 4-103
access-list mac mask-precedence 4-104
mask (MAC ACL) 4-104
show access-list mac mask-precedence 4-106
mac access-group 4-107
show mac access-group 4-107
map access-list mac 4-108
show map access-list mac 4-108
match access-list mac 4-109
ACL Information 4-110
show access-list 4-110
show access-group 4-110
SNMP Commands 4-111
snmp-server 4-111
show snmp 4-112
snmp-server community 4-113
snmp-server contact 4-113
snmp-server location 4-114
snmp-server host 4-114
snmp-server enable traps 4-116
snmp-server engine-id 4-117
show snmp engine-id 4-118
snmp-server view 4-119
show snmp view 4-120
snmp-server group 4-120
show snmp group 4-121
snmp-server user 4-122
show snmp user 4-124
Interface Commands 4-125
interface 4-125
description 4-126
speed-duplex 4-126
negotiation 4-127
capabilities 4-128
shutdown 4-129
switchport broadcast packet-rate 4-129
clear counters 4-130
show interfaces status 4-130
show interfaces counters 4-131
protocol-vlan protocol-group (Configuring Groups) 4-179
protocol-vlan protocol-group (Configuring Interfaces) 4-179
show protocol-vlan protocol-group 4-180
show interfaces protocol-vlan protocol-group 4-181
GVRP and Bridge Extension Commands 4-181
bridge-ext gvrp 4-182
show bridge-ext 4-182
switchport gvrp 4-183
show gvrp configuration 4-183
garp timer 4-184
show garp timer 4-185
Priority Commands 4-185
Priority Commands (Layer 2) 4-186
queue mode 4-186
switchport priority default 4-187
queue bandwidth 4-188
queue cos-map 4-188
show queue mode 4-189
show queue bandwidth 4-190
show queue cos-map 4-190
Priority Commands (Layer 3 and 4) 4-191
map ip port (Global Configuration) 4-191
map ip port (Interface Configuration) 4-191
map ip precedence (Global Configuration) 4-192
map ip precedence (Interface Configuration) 4-193
map ip dscp (Global Configuration) 4-193
xiv
Contents
map ip dscp (Interface Configuration) 4-194
show map ip port 4-195
show map ip precedence 4-196
show map ip dscp 4-196
Multicast Filtering Commands 4-197
IGMP Snooping Commands 4-198
ip igmp snooping 4-198
ip igmp snooping vlan static 4-198
ip igmp snooping version 4-199
show ip igmp snooping 4-199
show mac-address-table multicast 4-200
IGMP Query Commands (Layer 2) 4-201
ip igmp snooping querier 4-201
ip igmp snooping query-count 4-201
ip igmp snooping query-interval 4-202
ip igmp snooping query-max-response-time 4-202
ip igmp snooping router-port-expire-time 4-203
Static Multicast Routing Commands 4-204
ip igmp snooping vlan mrouter 4-204
show ip igmp snooping mrouter 4-205
IP Interface Commands 4-205
Basic IP Configuration 4-205
ip address 4-206
ip default-gateway 4-207
ip dhcp restart 4-207
show ip interface 4-208
show ip redirects 4-208
ping 4-209
DNS Commands 4-210
ip host 4-210
clear host 4-211
ip domain-name 4-211
ip domain-list 4-212
ip name-server 4-213
ip domain-lookup 4-214
show hosts 4-215
show dns 4-215
show dns cache 4-216
clear dns cache 4-216
xv
Contents
Appendix A: Software Specifications A-1
Software Features A-1
Management Features A-2
Standards A-2
Management Information Bases A-3
Appendix B: Troubleshooting B-1
Problems Accessing the Management Interface B-1
Using System Logs B-2
Figure 3-1Home Page 3-2
Figure 3-2Front Panel Indicators 3-3
Figure 3-3System Information 3-9
Figure 3-4Switch Information 3-11
Figure 3-5Displaying Bridge Extension Configuration 3-12
Figure 3-6IP Interface Configuration - Manual 3-14
Figure 3-7Default Gateway 3-14
Figure 3-8IP Interface Configuration - DHCP 3-15
Figure 3-9Configuring Support for Jumbo Frames 3-16
Figure 3-10Copy Firmware 3-18
Figure 3-11Setting the Startup Code 3-18
Figure 3-12Deleting Files 3-19
Figure 3-13Downloading Configuration Settings for Start-Up 3-21
Figure 3-14Setting the Startup Configuration Settings 3-21
Figure 3-15Configuring the Console Port 3-23
Figure 3-16Configuring the Telnet Interface 3-25
Figure 3-17System Logs 3-27
Figure 3-18Remote Logs 3-28
Figure 3-19Displaying Logs 3-29
Figure 3-20Enabling and Configuring SMTP Alerts 3-30
Figure 3-21Resetting the System 3-31
Figure 3-22SNTP Configuration 3-32
Figure 3-23Clock Time Zone 3-33
Figure 3-24Enabling the SNMP Agent 3-35
Figure 3-25Configuring SNMP Community Strings 3-36
Figure 3-26Configuring SNMP Trap Managers 3-39
Figure 3-27Setting the SNMPv3 Engine ID 3-40
Figure 3-28Setting an Engine ID 3-41
Figure 3-29Configuring SNMPv3 Users 3-42
Figure 3-30Configuring Remote SNMPv3 Users 3-44
Figure 3-31Configuring SNMPv3 Groups 3-48
Figure 3-32Configuring SNMPv3 Views 3-49
Figure 3-33User Accounts 3-51
Figure 3-34Authentication Server Settings 3-54
Figure 3-35HTTPS Settings 3-56
Figure 3-36SSH Host-Key Settings 3-59
Figure 3-37SSH Server Settings 3-61
Figure 3-38Port Security 3-63
Figure 3-39802.1X Global Information 3-65
Figure 3-40802.1X Global Configuration 3-66
Figure 3-41802.1X Port Configuration 3-67
xxi
Figures
Figure 3-42802.1X Port Statistics 3-70
Figure 3-43IP Filter 3-72
Figure 3-44Selecting ACL Type 3-74
Figure 3-45ACL Configuration - Standard IP 3-75
Figure 3-46ACL Configuration - Extended IP 3-77
Figure 3-47ACL Configuration - MAC 3-79
Figure 3-48Selecting ACL Mask Types 3-80
Figure 3-49ACL Mask Configuration - IP 3-82
Figure 3-50ACL Mask Configuration - MAC 3-83
Figure 3-51ACL Port Binding 3-85
Figure 3-52Port - Port Information 3-86
Figure 3-53Port - Port Configuration 3-89
Figure 3-54Static Trunk Configuration 3-91
Figure 3-55LACP Trunk Configuration 3-93
Figure 3-56LACP - Aggregation Port 3-95
Figure 3-57LACP - Port Counters Information 3-97
Figure 3-58LACP - Port Internal Information 3-99
Figure 3-59LACP - Port Neighbors Information 3-100
Figure 3-60Port Broadcast Control 3-102
Figure 3-61Mirror Port Configuration 3-103
Figure 3-62Rate Limit Configuration 3-104
Figure 3-63Port Statistics 3-108
Figure 3-64Static Addresses 3-110
Figure 3-65Dynamic Addresses 3-111
Figure 3-66Address Aging 3-112
Figure 3-67STA Information 3-115
Figure 3-68STA Global Configuration 3-119
Figure 3-69STA Port Information 3-122
Figure 3-70STA Port Configuration 3-125
Figure 3-71MSTP VLAN Configuration 3-127
Figure 3-72MSTP Port Information 3-129
Figure 3-73MSTP Port Configuration 3-131
Figure 3-74Globally Enabling GVRP 3-135
Figure 3-75VLAN Basic Information 3-135
Figure 3-76VLAN Current Table 3-136
Figure 3-77VLAN Static List - Creating VLANs 3-138
Figure 3-78VLAN Static Table - Adding Static Members 3-139
Figure 3-79VLAN Static Membership by Port 3-140
Figure 3-80VLAN Port Configuration 3-142
Figure 3-81Private VLAN Status 3-143
Figure 3-82Private VLAN Link Status 3-144
Figure 3-83Protocol VLAN Configuration 3-145
Figure 3-84Protocol VLAN Port Configuration 3-146
Figure 3-85Default Port Priority 3-148
Figure 3-86Traffic Classes 3-150
xxii
Figures
Figure 3-87Queue Mode 3-151
Figure 3-88Queue Scheduling 3-152
Figure 3-89IP Precedence/DSCP Priority Status 3-153
Figure 3-90IP Precedence Priority 3-154
Figure 3-91IP DSCP Priority 3-156
Figure 3-92IP Port Priority Status 3-157
Figure 3-93IP Port Priority 3-157
Figure 3-94ACL CoS Priority 3-159
Figure 3-95IGMP Configuration 3-162
Figure 3-96Multicast Router Port Information 3-163
Figure 3-97Static Multicast Router Port Configuration 3-164
Figure 3-98Displaying Port Members of Multicast Services 3-165
Figure 3-99Specifying Multicast Port Membership 3-166
Figure 3-100 DNS General Configuration 3-168
Figure 3-101 DNS Static Host Table 3-170
Figure 3-102 DNS Cache 3-171
xxiii
Figures
xxiv
Chapter 1: Introduction
This switch provides a broad range of features for Layer 2 switching. It includes a
management agent that allows you to configure the features listed in this manual.
The default configuration can be used for most of the features provided by this
switch. However, there are many options that you should configure to maximize the
switch’s performance for your particular network environment.
Key Features
Table 1-1 Key Features
FeatureDescription
Configuration Backup
and Restore
AuthenticationConsole, Telnet, web – User name / password, RADIUS, TACACS+
Access Control ListsSupports up to 32 IP or MAC ACLs
DHCP ClientSupported
DNS Client and proxy service
Port ConfigurationSpeed and duplex mode
Rate LimitingInput and output rate limiting per port
Port MirroringOne or more ports mirrored to single analysis port
Port TrunkingSupports up to 4 trunks using either static or dynamic trunking (LACP)
Broadcast Storm
Control
Address TableUp to 16K MAC addresses in forwarding table
IEEE 802.1D BridgeSupports dynamic data switching and addresses learning
Store-and-Forward
Switching
Spanning Tree
Algorithm
Virtual LANsUp to 255 using IEEE 802.1Q, port-based, protocol-based, or private VLANs
Traffic PrioritizationDefault port priority, traffic class map, queue scheduling, IP Precedence, or
Multicast FilteringSupports IGMP snooping and query
Backup to TFTP server
Web – SSL/HTTPS; Telnet – SSH
SNMP v1/2c - Community strings
SNMP version 3 – MD5 or SHA password
Port – IEEE 802.1X, MAC address filtering
Supported
Supported to ensure wire-speed switching while eliminating bad frames
Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple
Spanning Trees (MSTP)
Differentiated Services Code Point (DSCP), and TCP/UDP Port
1-1
Introduction
1
Description of Software Features
The switch provides a wide range of advanced performance enhancing features.
Broadcast storm suppression prevents broadcast traffic storms from engulfing the
network. Untagged (port-based), tagged, and protocol-based VLANs, plus support
for automatic GVRP VLAN registration provide traffic security and efficient use of
network bandwidth. CoS priority queueing ensures the minimum delay for moving
real-time multimedia data across the network. While multicast filtering provides
support for real-time network applications. Some of the management features are
briefly described below.
Configuration Backup and Restore – You can save the current configuration
settings to a file on a TFTP server, and later download this file to restore the switch
configuration settings.
Authentication – This switch authenticates management access via the console
port, Telnet or web browser. User names and passwords can be configured locally or
can be verified via a remote authentication server (i.e., RADIUS or TACACS+).
Port-based authentication is also supported via the IEEE 802.1X protocol. This
protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request
user credentials from the 802.1X client, and then uses the EAP between the switch
and the authentication server to verify the client’s right to access the network via an
authentication server (i.e., RADIUS server).
Other authentication options include HTTPS for secure management access via the
web, SSH for secure management access over a Telnet-equivalent connection,
SNMP Version 3, IP address filtering for SNMP/web/Telnet management access,
and MAC address filtering for port access.
Access Control Lists – ACLs provide packet filtering for IP frames (based on
address, protocol, TCP/UDP port number or TCP control code) or any frames
(based on MAC address or Ethernet type). ACLs can by used to improve
performance by blocking unnecessary network traffic or to implement security
controls by restricting access to specific network resources or protocols.
Rate Limiting – This feature controls the maximum rate for traffic transmitted or
received on an interface. Rate limiting is configured on interfaces at the edge of a
network to limit traffic into or out of the network. Traffic that falls within the rate limit is
transmitted, while packets that exceed the acceptable amount of traffic are dropped.
Port Mirroring – The switch can unobtrusively mirror traffic from any port to a
monitor port. You can then attach a protocol analyzer or RMON probe to this port to
perform traffic analysis and verify connection integrity.
Port Trunking – Ports can be combined into an aggregate connection. Trunks can
be manually set up or dynamically configured using IEEE 802.3-2002 (formerly
IEEE 802.3ad) Link Aggregation Control Protocol (LACP). The additional ports
dramatically increase the throughput across any connection, and provide
redundancy by taking over the load if a port in the trunk should fail. The switch
supports up to 4 trunks.
1-2
Description of Software Features
Broadcast Storm Control – Broadcast suppression prevents broadcast traffic from
overwhelming the network. When enabled on a port, the level of broadcast traffic
passing through the port is restricted. If broadcast traffic rises above a pre-defined
threshold, it will be throttled until the level falls back beneath the threshold.
Static Addresses – A static address can be assigned to a specific interface on this
switch. Static addresses are bound to the assigned interface and will not be moved.
When a static address is seen on another interface, the address will be ignored and
will not be written to the address table. Static addresses can be used to provide
network security by restricting access for a known host to a specific port.
IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The
address table facilitates data switching by learning addresses, and then filtering or
forwarding traffic based on this information. The address table supports up to 16K
addresses.
Store-and-Forward Switching – The switch copies each frame into its memory
before forwarding them to another port. This ensures that all frames are a standard
Ethernet size and have been verified for accuracy with the cyclic redundancy check
(CRC). This prevents bad frames from entering the network and wasting bandwidth.
To avoid dropping frames on congested ports, the switch provides 256 KB for frame
buffering. This buffer can queue packets awaiting transmission on congested
networks.
Spanning Tree Algorithm – The switch supports these spanning tree protocols:
Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection
and recovery by allowing two or more redundant connections to be created between
a pair of LAN segments. When there are multiple physical paths between segments,
this protocol will choose a single path and disable all others to ensure that only one
route exists between any two stations on the network. This prevents the creation of
network loops. However, if the chosen path should fail for any reason, an alternate
path will be activated to maintain the connection.
Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the
convergence time for network topology changes to about 3 to 5 seconds, compared
to 30 seconds or more for the older IEEE 802.1D STP standard. It is intended as a
complete replacement for STP, but can still interoperate with switches running the
older standard by automatically reconfiguring ports to STP-compliant mode if they
detect STP protocol messages from attached devices.
Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct
extension of RSTP. It can provide an independent spanning tree for different VLANs.
It simplifies network management, provides for even faster convergence than RSTP
by limiting the size of each region, and prevents VLAN members from being
segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).
Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection
of network nodes that share the same collision domain regardless of their physical
location or connection point in the network. The switch supports tagged VLANs
based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically
1
1-3
Introduction
1
learned via GVRP, or ports can be manually assigned to a specific set of VLANs.
This allows the switch to restrict traffic to the VLAN groups to which a user has been
assigned. By segmenting your network into VLANs, you can:
• Eliminate broadcast storms which severely degrade performance in a flat network.
• Simplify network management for node changes/moves by remotely configuring
VLAN membership for any port, rather than having to manually change the network
connection.
• Provide data security by restricting all traffic to the originating VLAN.
• Use private VLANs to restrict traffic to pass only between data ports and the uplink
ports, thereby isolating adjacent ports within the same VLAN, and allowing you to
limit the total number of VLANs that need to be configured.
• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.
Traffic Prioritization – This switch prioritizes each packet based on the required
level of service, using eight priority queues with strict or Weighted Round Robin
Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on
input from the end-station application. These functions can
independent priorities for delay-sensitive data and best-effort data.
This switch also supports several common methods of prioritizing layer 3/4 traffic to
meet application requirements. Traffic can be prioritized based on the priority bits in
the IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port.
When these services are enabled, the priorities are mapped to a Class of Service
value by the switch, and the traffic then sent to the corresponding output queue.
Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to
ensure that it does not interfere with normal network traffic and to guarantee
real-time delivery by setting the required priority level for the designated VLAN. The
switch uses IGMP Snooping and Query to manage multicast group registration.
be used to provide
System Defaults
The switch’s system defaults are provided in the configuration file
“Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as
the startup configuration file (page 3-21).
The following table lists some of the basic system defaults.
IP SettingsManagement. VLANAny VLAN configured with an IP address
IP Address0.0.0.0
Subnet Mask255.0.0.0
Default Gateway0.0.0.0
DHCPClient: Enabled
DNS
BOOTPDisabled
Multicast FilteringIGMP SnoopingSnooping: Enabled
System LogStatusEnabled
Messages LoggedLevels 0-7 (all)
Messages Logged to FlashLevels 0-3
SMTP Email AlertsEvent HandlerEnabled (but no server defined)
SNTP Clock SynchronizationDisabled
Weight: 1 2 4 6 8 10 12 14
Querier: Disabled
* There are interoperability problems between Flow Control and Head-of-Line (HOL) blocking for the switch ASIC;
Flow Control is therefore not supported for this switch.
1-6
Chapter 2: Initial Configuration
Connecting to the Switch
Configuration Options
The switch includes a built-in network management agent. The agent offers a variety
of management options, including SNMP, RMON and a web-based interface. A PC
may also be connected directly to the switch for configuration and monitoring via a
command line interface (CLI).
Note: The IP address for this switch is obtained via DHCP by default. To change this
address, see “Setting an IP Address” on page 2-4.
The switch’s HTTP web agent allows you to configure switch parameters, monitor
port connections, and display statistics using a standard web browser such as
Netscape Navigator version 6.2 and higher or Microsoft IE version 5.0 and higher.
The switch’s web management interface can be accessed from any computer
attached to the network.
The CLI program can be accessed by a direct connection to the RS-232 serial
console port on the switch, or remotely by a Telnet connection over the network.
The switch’s management agent also supports SNMP (Simple Network
Management Protocol). This SNMP agent permits the switch to be managed from
any system in the network using network management software such as
HP OpenView.
The switch’s web interface, CLI configuration program, and SNMP agent allow you
to perform the following management functions:
• Set user names and passwords
• Set an IP interface for any VLAN
• Configure SNMP parameters
• Enable/disable any port
• Configure the bandwidth of any port by limiting input or output rates
• Control port access through IEEE 802.1X security or static address filtering
• Filter packets using Access Control Lists (ACLs)
• Configure up to 255 IEEE 802.1Q VLANs
• Enable GVRP automatic VLAN registration
• Configure IGMP multicast filtering
• Upload and download system firmware via TFTP
• Upload and download switch configuration files via TFTP
• Configure Spanning Tree parameters
• Configure Class of Service (CoS) priority queuing
• Configure up to 4 static or LACP trunks
2-1
Initial Configuration
2
• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics
Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or
terminal for monitoring and configuring the switch. A null-modem console cable is
provided with the switch.
Attach a VT100-compatible terminal, or a PC running a terminal emulation program
to the switch. You can use the console cable provided with this package, or use a
null-modem cable that complies with the wiring assignments shown in the
Installation Guide.
To connect a terminal to the console port, complete the following steps:
1.Connect the console cable to the serial port on a terminal, or a PC running
terminal emulation software, and tighten the captive retaining screws on the
DB-9 connector.
2.Connect the other end of the cable to the RS-232 serial port on the switch.
3.Make sure the terminal emulation software is set as follows:
• Select the appropriate serial port (COM port 1 or COM port 2).
• Set to any of the following baud rates: 9600, 19200, 38400, 57600, 115200
(Note: Set to 9600 baud if want to view all the system initialization messages.).
• Set the data format to 8 data bits, 1 stop bit, and no parity.
• Set flow control to none.
• Set the emulation mode to VT100.
• When using HyperTerminal, select Terminal keys, not Windows keys.
Notes: 1. When using HyperTerminal with Microsoft® Windows® 2000, make sure that
you have Windows 2000 Service Pack 2 or later installed. Windows 2000
Service Pack 2 fixes the problem of arrow keys not functioning in
HyperTerminal’s VT100 emulation. See www.microsoft.com for information
on Windows 2000 service packs.
2. Refer to “Line Commands” on page 4-9 for a complete description of console
configuration options.
3. Once you have set up the terminal correctly, the console login screen will be
displayed.
For a description of how to use the CLI, see “Using the Command Line Interface” on
page 4-1. For a list of all the CLI commands and detailed information on using the
CLI, refer to “Command Groups” on page 4-8.
2-2
Basic Configuration
2
Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must
first configure it with a valid IP address, subnet mask, and default gateway using a
console connection, DHCP or BOOTP protocol.
The IP address for this switch is obtained via DHCP by default. To manually
configure this address or enable dynamic address assignment via DHCP or BOOTP,
see “Setting an IP Address” on page 2-4.
Note: You can manage the switch through the same IP address using any of the
10 Gigabit data ports (Ports 1-8) or though the Fast Ethernet management port
(Port 9). The management port allows you to build a separate network for
management tasks. It acn also provide faster management access when the data
ports are heavily loaded.
Note: This switch supports four concurrent Telnet/SSH sessions.
After configuring the switch’s IP parameters, you can access the onboard
configuration program from anywhere within the attached network. The onboard
configuration program can be accessed using Telnet from any computer attached to
the network. The switch can also be managed by any computer using a web
browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above), or
from a network computer using SNMP network management software.
Note: The onboard program only provides access to basic configuration functions. To
access the full range of SNMP management functions, you must use
SNMP-based network management software.
Basic Configuration
Console Connection
The CLI program provides two different command levels — normal access level
(Normal Exec) and privileged access level (Privileged Exec). The commands
available at the Normal Exec level are a limited subset of those available at the
Privileged Exec level and allow you to only display information and use basic
utilities. To fully configure the switch parameters, you must access the CLI at the
Privileged Exec level.
Access to both CLI levels are controlled by user names and passwords. The switch
has a default user name and password for each level. To log into the CLI at the
Privileged Exec level using the default user name and password, perform these
steps:
1.To initiate your console connection, press <Enter>. The “User Access
Verification” procedure starts.
2.At the Username prompt, enter “admin.”
3.At the Password prompt, also enter “admin.” (The password characters are not
displayed on the console screen.)
2-3
Initial Configuration
2
4.The session is opened and the CLI displays the “Console#” prompt indicating
you have access at the Privileged Exec level.
Setting Passwords
Note: If this is your first time to log into the CLI program, you should define new
passwords for both default user names using the “username” command, record
them and put them in a safe place.
Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
To prevent unauthorized access to the switch, set the passwords as follows:
1.Open the console interface with the default user name and password “admin” to
access the Privileged Exec level.
2.Type “configure” and press <Enter>.
3.Type “username guest password 0 password,” for the Normal Exec level, where
password is your new password. Press <Enter>.
4.Type “username admin password 0 password,” for the Privileged Exec level,
where password is your new password. Press <Enter>.
Username: admin
Password:
CLI session with the 8*10GE L2 Switch is opened.
To end the CLI session, enter [Exit].
You must establish IP address information for the switch to obtain management
access through the network. This can be done in either of the following ways:
Manual — You have to input the information, including IP address and subnet mask.
If your management station is not in the same IP subnet as the switch, you will also
need to specify the default gateway router.
Dynamic — The switch sends IP configuration requests to BOOTP or DHCP
address allocation servers on the network.
Manual Configuration
You can manually assign an IP address to the switch. You may also need to specify
a default gateway that resides between this device and management stations that
exist on another network segment. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.
Note: The IP address for this switch is obtained via DHCP by default.
2-4
Basic Configuration
Before you can assign an IP address to the switch, you must obtain the following
information from your network administrator:
• IP address for the switch
• Default gateway for the network
• Network mask for this network
To assign an IP address to the switch, complete the following steps:
1.From the Global Configuration mode prompt, type “interface vlan 1” to access
the interface-configuration mode. Press <Enter>.
2.Type “ip address ip-address netmask,” where “ip-address” is the switch IP
address and “netmask” is the network mask for the network. Press <Enter>.
3.Type “exit” to return to the global configuration mode prompt. Press <Enter>.
4.To set the IP address of the default gateway for the network to which the switch
belongs, type “ip default-gateway gateway,” where “gateway” is the IP address
of the default gateway. Press <Enter>.
If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until
a BOOTP or DHCP reply has been received. You therefore need to use the “ip dhcp
restart client” command to start broadcasting service requests. Requests will be sent
periodically in an effort to obtain IP configuration information. (BOOTP and DHCP
values can include the IP address, subnet mask, and default gateway.)
If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the
switch will start broadcasting service requests as soon as it is powered on.
To automatically configure the switch by communicating with BOOTP or DHCP
address allocation servers on the network, complete the following steps:
1.From the Global Configuration mode prompt, type “interface vlan 1” to access
the interface-configuration mode. Press <Enter>.
2.At the interface-configuration mode prompt, use one of the following commands:
• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.
• To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.
3.Type “end” to return to the Privileged Exec mode. Press <Enter>.
4.Type “ip dhcp restart client” to begin broadcasting service requests.
Press <Enter>.
2-5
Initial Configuration
2
5.Wait a few minutes, and then check the IP configuration settings by typing the
“show ip interface” command. Press <Enter>.
6.Then save your configuration changes by typing “copy running-config
startup-config.” Enter the startup file name and press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart client
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Enabling SNMP Management Access
The switch can be configured to accept management commands from Simple
Network Management Protocol (SNMP) applications such as HP OpenView. You
can configure the switch to (1) respond to SNMP requests or (2) generate SNMP
traps.
When SNMP management stations send requests to the switch (either to return
information or to set a parameter), the switch provides the requested data or sets the
specified parameter. The switch can also be configured to send information to
SNMP managers (without being requested by the managers) through trap
messages, which inform the manager that certain events have occurred.
The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3
clients. To provide management access for version 1 or 2c clients, you must specify
a community string. The switch provides a default MIB View (i.e., an SNMPv3
construct) for the default “public” community string that provides read access to the
entire MIB tree, and a default view for the “private” community string that provides
read/write access to the entire MIB tree. However, you may assign new views to
version 1 or 2c community strings that suit your specific security requirements (see
page 3-49).
Community Strings (for SNMP version 1 and 2c clients)
Community strings are used to control management access to SNMP version 1 and
2c stations, as well as to authorize SNMP stations to receive trap messages from
the switch. You therefore need to assign community strings to specified users, and
set the access level.
2-6
Basic Configuration
2
The default strings are:
• public - with read-only access. Authorized management stations are only able to
retrieve MIB objects.
• private - with read-write access. Authorized management stations are able to both
retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is
recommended that you change the default community strings.
To configure a community string, complete the following steps:
1.From the Privileged Exec level global configuration mode prompt, type
“snmp-server community string mode,” where “string” is the community access
string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that
the default mode is read only.)
2.To remove an existing string, simply type “no snmp-server community string,”
where “string” is the community access string to remove. Press <Enter>.
Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#
Note: If you do not intend to support access to SNMP version 1 and 2c clients, we
recommend that you delete both of the default community strings. If there are no
community strings, then SNMP management access from SNMP v1 and v2c
clients is disabled.
Trap Receivers
You can also specify SNMP stations that are to receive traps from the switch. To
configure a trap receiver, use the “snmp-server host” command. From the Privileged
Exec level global configuration mode prompt, type:
“snmp-server host host-address community-string
[version {1 | 2c | 3 {auth | noauth | priv}}]”
where “host-address” is the IP address for the trap receiver, “community-string”
specifies access rights for a version 1/2c host, or is the user name of a version 3
host, “version” indicates the SNMP client version, and “auth | noauth | priv” means
that authentication, no authentication, or authentication and privacy is used for v3
clients. Then press <Enter>. For a more detailed description of these parameters,
see “snmp-server host” on page 4-114. The following example creates a trap host
for each type of SNMP client.
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth
Console(config)#
2-7
Initial Configuration
2
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMPv3 clients, you need to first create a
view that defines the portions of MIB that the client can read or write, assign the view
to a group, and then assign the user to a group. The following example creates one
view called “mib-2” that includes the entire MIB-2 tree branch, and then another view
that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/
write views to a group call “r&d” and specifies group authentication via MD5 or SHA.
In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for
authentication, provides the password “greenpeace” for authentication, and the
password “einstien” for encryption.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth mib-2 802.1d
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace
priv des56 einstien
Console(config)#
For a more detailed explanation on how to configure the switch for access from
SNMP v3 clients, refer to “Simple Network Management Protocol” on page 3-34, or
refer to the specific CLI commands for SNMP starting on page 4-111.
Saving Configuration Settings
Configuration commands only modify the running configuration file and are not
saved when the switch is rebooted. To save all your configuration changes in
nonvolatile storage, you must copy the running configuration file to the start-up
configuration file using the “copy” command.
To save the current configuration settings, enter the following command:
1.From the Privileged Exec mode prompt, type “copy running-config
startup-config” and press <Enter>.
2.Enter the name of the start-up file. Press <Enter>.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
2-8
Managing System Files
2
Managing System Files
The switch’s flash memory supports three types of system files that can be managed
by the CLI program, web interface, or SNMP. The switch’s file system allows files to
be uploaded and downloaded, copied, deleted, and set as a start-up file.
The three types of files are:
• Configuration — This file type stores system configuration information and is
created when configuration settings are saved. Saved configuration files can be
selected as a system start-up file or can be uploaded via TFTP to a server for
backup. The file named “Factory_Default_Config.cfg” contains all the system
default settings and cannot be deleted from the system. If the system is booted with
the factory default settings, the switch will also create a file named “startup1.cfg”
that contains all system settings, including information about the unit identifier and
MAC address. The configuration settings from the factory defaults configuration
file are copied to this file, which is then used to boot the switch. See “Saving or
Restoring Configuration Settings” on page 3-22 for more information. See “Saving
or Restoring Configuration Settings” on page 3-20 for more information.
• Operation Code — System software that is executed after boot-up, also known as
run-time code. This code runs the switch operations and provides the CLI and web
management interfaces. See “Managing Firmware” on page 3-17 for more
information.
• Diagnostic Code — Software that is run during system boot-up, also known as
POST (Power On Self-Test).
Due to the size limit of the flash memory, the switch supports only two operation
code files. However, you can have as many diagnostic code files and configuration
files as available flash memory space allows.
In the system flash memory, one file of each type must be set as the start-up file.
During a system boot, the diagnostic and operation code files set as the start-up file
are run, and then the start-up configuration file is loaded.
Note that configuration files should be downloaded using a file name that reflects the
contents or usage of the file settings. If you download directly to the running-config,
the system will reboot, and the settings will have to be copied from the
running-config to a permanent file.
2-9
Initial Configuration
2
2-10
Chapter 3: Configuring the Switch
Using the Web Interface
This switch provides an embedded HTTP web agent. Using a web browser you can
configure the switch and view statistics to monitor network activity. The web agent
can be accessed by any computer on the network using a standard web browser
(Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).
Note: You can also use the Command Line Interface (CLI) to manage the switch over a
serial connection to the console port or via Telnet.For more information on using
the CLI, refer to Chapter 4: “Command Line Interface.”
Prior to accessing the switch from a web browser, be sure you have first performed
the following tasks:
1. Configure the switch with a valid IP address, subnet mask, and default gateway
using an out-of-band serial connection, BOOTP or DHCP protocol. (See“Setting
an IP Address” on page 2-4.)
2. Set user names and passwords using an out-of-band serial connection. Access
to the web agent is controlled by the same user names and passwords as the
onboard configuration program. (See “Setting Passwords” on page 2-4.)
3. After you enter a user name and password, you will have access to the system
configuration program.
Notes: 1.
You are allowed three attempts to enter the correct password; on the third
failed attempt the current connection is terminated.
2. If you log into the web interface as guest (Normal Exec level), you can view
the configuration settings or change the guest password. If you log in as
“admin” (Privileged Exec level), you can change the settings on any page.
3. If the path between your management station and this switch does not pass
through any device that uses the Spanning Tree Algorithm, then you can set
the switch port attached to your management station to fast forwarding (i.e.,
enable Admin Edge Port) to improve the switch’s response time to
management commands issued through the web interface. See “Configuring
Interface Settings” on page 3-123.
3-1
Configuring the Switch
3
Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and
password. The administrator has Read/Write access to all configuration parameters
and statistics. The default user name and password for the administrator is “admin.”
Home Page
When your web browser connects with the switch’s web agent, the home page is
displayed as shown below. The home page displays the Main Menu on the left side
of the screen and System Information on the right side. The Main Menu links are
used to navigate to other menus, and display configuration parameters and
statistics.
3-2
Figure 3-1 Home Page
Navigating the Web Browser Interface
3
Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration
change has been made on a page, be sure to click on the Apply button to confirm
the new setting. The following table summarizes the web page configuration
buttons.
Table 3-1 Web Page Configuration Buttons
ButtonAction
ApplySets specified values to the system.
RevertCancels specified values and restores current values prior to
HelpLinks directly to web help.
Notes: 1. To ensure proper screen refresh, be sure that Internet Explorer 5.x is
configured as follows: Under the menu “Tools / Internet Options / General /
Temporary Internet Files / Settings,” the setting for item “Check for newer
versions of stored pages” should be “Every visit to the page.”
2. When using Internet Explorer 5.0, you may have to manually refresh the
screen after making configuration changes by pressing the browser’s refresh
button.
pressing “Apply.”
Panel Display
The web agent displays an image of the switch’s ports. The Mode can be set to
display different information for the ports, including Active (i.e., up or down), Duplex
(i.e., half or full duplex), or Flow Control
Port Configuration page as described on page 3-88.
1
. Clicking on the image of a port opens the
Figure 3-2 Front Panel Indicators
1. There are interoperability problems between Flow Control and Head-of-Line (HOL)
blocking for the switch ASIC; Flow Control is therefore not supported for this switch.
3-3
Configuring the Switch
3
Main Menu
Using the onboard web agent, you can define system parameters, manage and
control the switch, and all its ports, or monitor network conditions. The following
table briefly describes the selections available from this program.
Table 3-2 Switch Main Menu
MenuDescriptionPage
System3-9
System InformationProvides basic system description, including contact information3-9
Switch InformationShows the number of ports, hardware/firmware version
Bridge ExtensionShows the bridge extension parameters3-12
IP ConfigurationSets the IP address for management access3-13
Jumbo FramesEnables support for jumbo frames3-16
File Management3-17
Copy OperationAllows the transfer and copying files3-17
DeleteAllows deletion of files from the flash memory3-17
Set StartupSets the startup file3-17
Line3-22
ConsoleSets console port connection parameters3-22
TelnetSets Telnet connection parameters3-24
Log 3-26
Logs Sends error messages to a logging process3-26
System Logs Stores and displays error messages3-29
Remote Logs Configures the logging of messages to a remote logging process3-27
SMTPSends an SMTP client message to a participating server3-29
ResetRestarts the switch3-31
SNTP3-32
ConfigurationConfigures SNTP client settings, including a specified list of
Clock Time ZoneSets the local time zone for the system clock3-33
SNMP3-34
ConfigurationConfigures community strings and related trap functions3-36
Agent StatusEnables or disables SNMP 3-35
numbers, and power status
servers
3-10
3-32
3-4
Navigating the Web Browser Interface
Table 3-2 Switch Main Menu (Continued)
MenuDescriptionPage
SNMPv33-39
Engine IDSets the SNMP v3 engine ID3-40
Remote Engine IDSets the SNMP v3 engine ID on a remote device3-40
UsersConfigures SNMP v3 users3-41
Remote UsersConfigures SNMP v3 users on a remote device3-43
GroupsConfigures SNMP v3 groups3-45
ViewsConfigures SNMP v3 views3-49
Security3-35
User AccountsConfigures user names, passwords, and access levels3-50
Authentication SettingsConfigures authentication sequence, RADIUS and TACACS3-52
Basic InformationDisplays information on the VLAN type supported by this switch3-135
Current Table Shows the current port members of each VLAN and whether or
Static List Used to create or remove VLAN groups3-137
Static Table Modifies the settings for an existing VLAN3-138
Static Membership by Port Configures membership type for interfaces, including tagged,
Port ConfigurationSpecifies default PVID and VLAN attributes3-141
Trunk Configuration Specifies default trunk VID and VLAN attributes3-141
Private VLAN
Status Enables or disables the private VLAN 3-143
Link Status Configures the private VLAN3-144
Protocol VLAN
ConfigurationCreates a protocol group, specifying the supported protocols 3-145
Port ConfigurationMaps a protocol group to a VLAN3-146
Priority3-147
Default Port PrioritySets the default priority for each port3-147
Default Trunk PrioritySets the default priority for each trunk3-147
Traffic ClassesMaps IEEE 802.1p priority tags to output queues3-149
Traffic Classes StatusEnables/disables traffic class priorities (not implemented)NA
Queue ModeSets queue mode to strict priority or Weighted Round-Robin3-151
Queue SchedulingConfigures Weighted Round Robin queueing 3-151
IP Precedence/
DSCP Priority Status
IP Precedence PrioritySets IP Type of Service priority, mapping the precedence tag to
IP DSCP PrioritySets IP Differentiated Services Code Point priority, mapping a
IP Port Priority Status Globally enables or disables IP Port Priority3-157
IP Port Priority Sets TCP/UDP port priority, defining the socket number and
not the port is tagged or untagged
untagged or forbidden
Globally selects IP Precedence or DSCP Priority, or disables
both.
a class-of-service value
DSCP tag to a class-of-service value
associated class-of-service value
3
3-136
3-140
3-153
3-154
3-155
3-157
3-7
Configuring the Switch
3
Table 3-2 Switch Main Menu (Continued)
MenuDescriptionPage
ACL CoS PrioritySets the CoS value and corresponding output queue for packets
IGMP Snooping3-159
IGMP Configuration Enables multicast filtering; configures parameters for multicast
Multicast Router
Port Information
Static Multicast Router
Port Configuration
IP Multicast Registration
Table
IGMP Member Port TableIndicates multicast addresses associated with the selected
DNS3-166
General ConfigurationEnables DNS; configures domain name and domain list; and
Static Host TableConfigures static entries for domain name to address mapping3-169
CacheDisplays cache entries discovered by designated name servers3-171
matching an ACL rule
query
Displays the ports that are attached to a neighboring multicast
router for each VLAN ID
Assigns ports that are attached to a neighboring multicast router3-164
Displays all multicast groups active on this switch, including
multicast IP addresses and VLAN ID
VLAN
specifies IP address of name servers for dynamic lookup
3-158
3-161
3-163
3-165
3-166
3-167
3-8
Basic Configuration
Basic Configuration
Displaying System Information
You can easily identify the system by displaying the device name, location and
contact information.
Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for switch’s network management subsystem.
• Location – Specifies the system location.
• Contact – Administrator responsible for the system.
• System Up Time – Length of time the management agent has been up.
These additional parameters are displayed for the CLI.
• MAC Address – The physical layer address for this switch.
• Web server – Shows if management access via HTTP is enabled.
• Web server port – Shows the TCP port number used by the web interface.
• Web secure server – Shows if management access via HTTPS is enabled.
• Web secure server port – Shows the TCP port used by the HTTPS interface.
• Telnet server – Shows if management access via Telnet is enabled.
• Telnet server port – Shows the TCP port used by the Telnet interface.
• Authentication login – Shows the user login authentication sequence.
• Jumbo Frame – Shows if jumbo frames are enabled.
• POST result – Shows results of the power-on self-test
3
Web – Click System, System Information. Specify the system name, location, and
contact information for the system administrator, then click Apply. (This page also
includes a Telnet button that allows access to the Command Line Interface via Telnet.)
Figure 3-3 System Information
3-9
Configuring the Switch
3
CLI – Specify the hostname, location and contact information.
Console(config)#hostname R&D 54-24
Console(config)#snmp-server location WC 94-114
Console(config)#snmp-server contact Ted4-113
Console(config)#exit
Console#show system4-60
System Description: 8*10GE L2 Switch
System OID String: 1.3.6.1.4.1.259.6.10.76
System Information
System Up Time:0 days, 4 hours, 5 minutes, and 56.31 seconds
System Name:[NONE]
System Location:[NONE]
System Contact:[NONE]
MAC Address (Unit1):00-0C-DB-21-11-33
Web Server:Enabled
Web Server Port:80
Web Secure Server:Enabled
Web Secure Server Port: 443
Telnet Server:Enable
Telnet Server Port:23
Authentication login:local RADIUS none
Jumbo Frame:Disabled
POST Result:
DUMMY Test 1 ................. PASS
UART Loopback Test ........... PASS
DRAM Test .................... PASS
Timer Test ................... PASS
PCI Device 1 Test ............ PASS
I2C Bus Initialization ....... PASS
Switch Int Loopback Test ..... PASS
Done All Pass.
Console#
Displaying Switch Hardware/Software Versions
Use the Switch Information page to display hardware/firmware version numbers for
the main board and management software, as well as the power status of the
system.
Field Attributes
Main Board
• Serial Number – The serial number of the switch.
• Number of Ports – Number of built-in ports.
• Hardware Version – Hardware version of the main board.
• Internal Power Status – Displays the status of the internal power supply.
Management Software
• EPLD Version – Version number of EEPROM Programmable Logic Device.
• Loader Version – Version number of loader code.
• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.
• Operation Code Version – Version number of runtime code.
• Role – Shows that this switch is operating as Master (i.e., stand alone).
3-10
Basic Configuration
3
These additional parameters are displayed for the CLI.
• Unit ID – Unit number in stack.
• Redundant Power Status – Displays the status of the redundant power supply.
Web – Click System, Switch Information.
Figure 3-4 Switch Information
CLI – Use the following command to display version information.
Console#show version4-61
Unit 1
Serial Number:A000000022
Hardware Version:R01
EPLD Version:1.00
Number of Ports:9
Main Power Status:Up
Redundant Power Status: Not present
Agent (Master)
Unit ID:1
Loader Version:3.0.0.2
Boot ROM Version:3.0.0.6
Operation Code Version: 3.0.0.2
Console#
3-11
Configuring the Switch
3
Displaying Bridge Extension Capabilities
The Bridge MIB includes extensions for managed devices that support Multicast
Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to
display default settings for the key variables.
Field Attributes
• Extended Multicast Filtering Services – This switch does not support the filtering
of individual multicast addresses based on GMRP (GARP Multicast Registration
Protocol).
• Traffic Classes – This switch provides mapping of user priorities to multiple traffic
classes. (Refer to “Class of Service Configuration” on page 3-147.)
• Static Entry Individual Port – This switch allows static filtering for unicast and
multicast addresses. (Refer to “Setting Static Addresses” on page 3-109.)
• VLAN Learning – This switch uses Independent VLAN Learning (IVL), where each
port maintains its own filtering database.
• Configurable PVID Tagging – This switch allows you to override the default Port
VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or
Untagged) on each port. (Refer to “VLAN Configuration” on page 3-132.)
• Local VLAN Capable – This switch does not support multiple local bridges outside
of the scope of 802.1Q defined VLANs.
• GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to
register endstations with multicast groups. This switch does not support GMRP; it
uses the Internet Group Management Protocol (IGMP) to provide automatic
multicast filtering.
Max support VLAN numbers:256
Max support VLAN ID:4094
Extended multicast filtering services: No
Static entry individual port:Yes
VLAN learning:IVL
Configurable PVID tagging:Yes
Local VLAN capable:No
Traffic classes:Enabled
Global GVRP status:Disabled
GMRP:Disabled
Console#
Setting the Switch’s IP Address
An IP address may be used for management access to the switch over your
network. By default, the switch uses DHCP to assign IP settings to VLAN 1 on the
switch. If you wish to manually configure IP settings, you need to set an IP address
and subnet mask that is compatible with your network. You may also need to
establish a default gateway between the switch and management stations that exist
on another network segment.
You can manually configure a specific IP address, or direct the device to obtain an
address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.
Command Attributes
• Management VLAN – ID of the configured VLAN (1-4093). This is the only VLAN
through which you can gain management access to the switch. By default, all ports
on the switch are members of VLAN 1, so a management station can be connected
to any port on the switch. However, if other VLANs are configured and you change
the Management VLAN, you may lose management access to the switch. In this
case, you should reconnect the management station to a port that is a member of
the Management VLAN.
• IP Address Mode – Specifies whether IP functionality is enabled via manual
configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot
Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has
been received from the server. Requests will be broadcast periodically by the
switch for an IP address. (DHCP/BOOTP values can include the IP address,
subnet mask, and default gateway.)
• IP Address – Address of the VLAN to which the management station is attached.
(Note you can manage the switch through any configured IP interface.) Valid IP
addresses consist of four numbers, 0 to 255, separated by periods.
(Default: 0.0.0.0)
• Subnet Mask – This mask identifies the host address bits used for routing to
specific subnets. (Default: 255.0.0.0)
• Gateway IP address – IP address of the gateway router between this device and
management stations that exist on other network segments. (Default: 0.0.0.0)
3-13
Configuring the Switch
3
• MAC Address – The MAC address of this switch.
• Restart DHCP – Requests a new IP address from the DHCP server.
Manual Configuration
Web – Click System, IP Configuration. Select the VLAN through which the
management station is attached, set the IP Address Mode to “Static.” Enter the IP
address, subnet mask and gateway, then click Apply.
Figure 3-6 IP Interface Configuration - Manual
Figure 3-7 Default Gateway
CLI – Specify the management interface, IP address and default gateway.
If your network provides DHCP/BOOTP services, you can configure the switch to be
dynamically configured by these services.
Web – Click System, IP Configuration. Specify the VLAN to which the management
station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to
save your changes. Then click Restart DHCP to immediately request a new
address. Note that the switch will also broadcast a request for IP configuration
settings on each power reset.
Figure 3-8 IP Interface Configuration - DHCP
Note: If you lose your management connection, make a console connection to the switch
and enter “show ip interface” to determine the new switch address.
CLI – Specify the management interface, and set the IP address mode to DHCP or
BOOTP, and then enter the “ip dhcp restart client” command.
IP Address and Netmask: 192.168.1.58 255.255.255.0 on VLAN 1,
Address Mode:DHCP
Console#
Renewing DCHP – DHCP may lease addresses to clients indefinitely or for a
specific period of time. If the address expires or the switch is moved to another
network segment, you will lose management access to the switch. In this case, you
can reboot the switch or submit a client request to restart DHCP service via the CLI.
3-15
Configuring the Switch
3
Web – If the address assigned by DHCP is no longer functioning, you will not be
able to renew the IP settings via the web interface. You can only restart DHCP
service via the web interface if the current address is still available.
CLI – Enter the following command to restart DHCP service.
Console#ip dhcp restart4-207
Console#
Configuring Support for Jumbo Frames
The switch provides more efficient throughput for large sequential data transfers by
supporting jumbo frames up to 9000 bytes. Compared to standard Ethernet frames
that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet
overhead required to process protocol encapsulation fields.
Command Usage
To use jumbo frames, both the source and destination end nodes (such as a
computer or server) must support this feature. Also, when the connection is
operating at full duplex, all switches in the network between the two end nodes must
be able to accept the extended frame size. And for half-duplex connections, all
devices in the collision domain would need to support jumbo frames.
Command Attributes
Jumbo Packet Status – Configures support for jumbo frames. (Default: Disabled)
Web – Click System, Jumbo Frames. Enable or disable support for jumbo frames,
and click Apply.
Figure 3-9 Configuring Support for Jumbo Frames
CLI – This example enables jumbo frames globally for the switch.
Console(config)#jumbo frame4-62
Console(config)#
3-16
Basic Configuration
3
Managing Firmware
You can upload/download firmware to or from a TFTP server, or copy files to and
from switch units in a stack. By saving runtime code to a file on a TFTP server, that
file can later be downloaded to the switch to restore operation. You can also set the
switch to use new firmware without overwriting the previous version. You must
specify the method of file transfer, along with the file type and file names as required.
Command Attributes
• File Transfer Method – The firmware copy operation includes these options:
- file to file – Copies a file within the switch directory, assigning it a new name.
- file to tftp – Copies a file from the switch to a TFTP server.
- tftp to file – Copies a file from a TFTP server to the switch.
2
- file to unit
- unit to file2 – Copies a file from another unit in the stack to this switch.
• TFTP Server IP Address – The IP address of a TFTP server.
• File Type – Specify opcode (operational code) to copy firmware.
• File Name –
the file name should not be a period (.), and the maximum length for file names on
the TFTP server is 127 characters or 31 characters for files on the switch.
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
• Source/Destination Unit2 – Stack unit.
Note:
Up to two copies of the system software (i.e., the runtime firmware) can be stored
in the file directory on the switch. The currently designated startup version of this
file cannot be deleted.
– Copies a file from this switch to another unit in the stack.
The file name should not contain slashes (\ or /),
the leading letter of
2. Stacking is not supported by this switch.
3-17
Configuring the Switch
3
Downloading System Software from a Server
When downloading runtime code, you can specify the destination file name to
replace the current image, or first download the file using a different name from the
current runtime code file, and then set the new file as the startup file.
Web – Click System, File Management, Copy Operation. Select “tftp to file” as the
file transfer method, enter the IP address of the TFTP server, set the file type to
“opcode,” enter the file name of the software to download, select a file on the switch
to overwrite or specify a new file name, then click Apply. If you replaced the current
firmware used for startup and want to start using the new operation code, reboot the
system via the System/Reset menu.
Figure 3-10 Copy Firmware
If you download to a new destination file, go to the File Management, Set Start-Up
menu, mark the operation code file used at startup, and click Apply. To start the new
firmware, reboot the system via the System/Reset menu.
Figure 3-11 Setting the Startup Code
3-18
Basic Configuration
3
To delete a file select System, File Management, Delete. Select the file name from
the given list by checking the tick box and click Apply. Note that the file currently
designated as the startup code cannot be deleted.
Figure 3-12 Deleting Files
CLI – To download new firmware form a TFTP server, enter the IP address of the
TFTP server, select “config” as the file type, then enter the source and destination
file names. When the file has finished downloading, set the new file to start up the
system, and then restart the switch.
To start the new firmware, enter the “reload” command or reboot the system.
Console#copy tftp file4-63
TFTP server ip address: 10.1.0.19
Choose file type:
-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode:V30024-67
Console(config)#exit
Console#reload4-21
3-19
Configuring the Switch
3
Saving or Restoring Configuration Settings
You can upload/download configuration settings to/from a TFTP server, or copy files
to and from switch units in a stack. The configuration file can be later downloaded to
restore the switch’s settings.
Command Attributes
• File Transfer Method – The configuration copy operation includes these options:
- file to file – Copies a file within the switch directory, assigning it a new name.
- file to running-config – Copies a file in the switch to the running configuration.
- file to startup-config – Copies a file in the switch to the startup configuration.
- file to tftp – Copies a file from the switch to a TFTP server.
- running-config to file – Copies the running configuration to a file.
- running-config to startup-config – Copies the running config to the startup config.
- running-config to tftp – Copies the running configuration to a TFTP server.
- startup-config to file – Copies the startup configuration to a file on the switch.
- startup-config to running-config – Copies the startup config to the running config.
- startup-config to tftp – Copies the startup configuration to a TFTP server.
- tftp to file – Copies a file from a TFTP server to the switch.
- tftp to running-config – Copies a file from a TFTP server to the running config.
- tftp to startup-config – Copies a file from a TFTP server to the startup config.
3
- file to unit
- unit to file3 – Copies a file from another unit in the stack to this switch.
• TFTP Server IP Address – The IP address of a TFTP server.
• File Type – Specify config (configuration) to copy configuration settings.
•
File Name
leading letter of the file name should not be a period (.), and the maximum length
for file names on the TFTP server is 127 characters or 31 characters for files on
the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
• Source/Destination Unit
Note: The maximum number of user-defined configuration files is limited only by
available flash memory space.
– Copies a file from this switch to another unit in the stack.
— The configuration file name should not contain slashes (\ or /),
3
– Stack unit.
the
3. Stacking is not supported by this switch.
3-20
Basic Configuration
3
Downloading Configuration Settings from a Server
You can download the configuration file under a new file name and then set it as the
startup file, or you can specify the current startup configuration file as the destination
file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be
copied to the TFTP server, but cannot be used as the destination on the switch.
Web – Click System, File Management, Copy Operation. Choose “tftp to
startup-config” or “tftp to file,” and enter the IP address of the TFTP server. Specify
the name of the file to download, select a file on the switch to overwrite or specify a
new file name, and then click Apply.
Figure 3-13 Downloading Configuration Settings for Start-Up
If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file
is automatically set as the start-up configuration file. To use the new settings, reboot
the system via the System/Reset menu. You can also select any configuration file as
the start-up configuration by using the System/File Management/Set Start-Up page.
Figure 3-14 Setting the Startup Configuration Settings
3-21
Configuring the Switch
3
CLI – Enter the IP address of the TFTP server, specify the source file on the server,
set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config4-63
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#reload
To select another configuration file as the start-up configuration, use the boot
system command and then restart the switch.
Console#config
Console(config)#boot system config: startup4-67
Console(config)#exit
Console#reload4-21
Console Port Settings
You can access the onboard configuration program by attaching a VT100
compatible device to the switch’s serial console port. Management access through
the console port is controlled by various parameters, including a password, timeouts,
and basic communication settings. These parameters can be configured via the web
or CLI interface.
Command Attributes
• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not detected within the timeout interval, the connection is
terminated for the session. (Range: 0 - 300 seconds; Default: 0)
• Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0 - 65535 seconds; Default: 0 seconds)
• Password Threshold – Sets the password intrusion threshold, which limits the
number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3
attempts)
• Silent Time – Sets the amount of time the management console is inaccessible
after the number of unsuccessful logon attempts has been exceeded.
(Range: 0-65535; Default: 0)
• Data Bits – Sets the number of data bits per character that are interpreted and
generated by the console port. If parity is being generated, specify 7 data bits per
character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)
• Parity – Defines the generation of a parity bit. Communication protocols provided
by some terminals can require a specific parity bit setting. Specify Even, Odd, or
None. (Default: None)
3-22
Basic Configuration
• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive
(from terminal). Set the speed to match the baud rate of the device connected to
the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud, Auto;
Default: Auto)
• Stop Bits – Sets the number of the stop bits transmitted per byte.
(Range: 1-2; Default: 1 stop bit)
• Password4 – Specifies a password for the line connection. When a connection is
started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt. (Default: No
password)
• Login4 – Enables password checking at login. You can select authentication by a
single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)
Web – Click System, Line, Console. Specify the console port connection parameters
as required, then click Apply.
3
4. CLI only.
Figure 3-15 Configuring the Console Port
3-23
Configuring the Switch
3
CLI – Enter Line Configuration mode for the console, then specify the connection
parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
You can access the onboard configuration program over the network using Telnet
(i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and
other various parameters set, including the TCP port number, timeouts, and a
password. These parameters can be configured via the web or CLI interface.
Command Attributes
• Telnet Status – Enables or disables Telnet access to the switch.
(Default: Enabled)
• Telnet Port Number – Sets the TCP port number for Telnet on the switch.
(Default: 23)
• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not detected within the timeout interval, the connection is
terminated for the session. (Range: 0 - 300 seconds; Default: 300 seconds)
• Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0 - 65535 seconds; Default: 600 seconds)
• Password Threshold – Sets the password intrusion threshold, which limits the
number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt.
(Range: 0-120; Default: 3 attempts)
3-24
Basic Configuration
3
• Password5 – Specifies a password for the line connection. When a connection is
started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt. (Default: No
password)
• Login
5
– Enables password checking at login. You can select authentication by a
single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)
Web – Click System, Line, Telnet. Specify the connection parameters for Telnet
access, then click Apply.
Figure 3-16 Configuring the Telnet Interface
CLI – Enter Line Configuration mode for a virtual terminal, then specify the
connection parameters as required. To display the current virtual terminal settings,
use the show line command from the Normal Exec level.
The switch allows you to control the logging of error messages, including the type of
events that are recorded in switch memory, logging to a remote System Log (syslog)
server, and displays a list of recent event messages.
System Log Configuration
The system allows you to enable or disable event logging, and specify which levels
are logged to RAM or flash memory.
Severe error messages that are logged to flash memory are permanently stored in
the switch to assist in troubleshooting network problems. Up to 4096 log entries can
be stored in the flash memory, with the oldest entries being overwritten first when the
available log memory (256 kilobytes) has been exceeded.
The System Logs page allows you to configure and limit system messages that are
logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to
flash and levels 0 to 7 to be logged to RAM.
Command Attributes
• System Log Status – Enables/disables the logging of debug or error messages to
the logging process. (Default: Enabled)
• Flash Level – Limits log messages saved to the switch’s permanent flash memory
for all levels up to the specified level. For example, if level 3 is specified, all
messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3)
Table 3-3 Logging Levels
LevelSeverity NameDescription
7DebugDebugging messages
6InformationalInformational messages only
5NoticeNormal but significant condition, such as cold start
2CriticalCritical conditions (e.g., memory allocation, or free memory
1AlertImmediate action needed
0EmergencySystem unusable
* There are only Level 2, 5 and 6 error messages for the current firmware release.
error - resource exhausted)
• RAM Level – Limits log messages saved to the switch’s temporary RAM memory
for all levels up to the specified level. For example, if level 7 is specified, all
messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)
The Flash Level must be equal to or less than the RAM Level.
Note:
3-26
Basic Configuration
3
Web – Click System, Logs, System Logs. Specify System Log Status, set
event messages to be logged to RAM and flash memory, then click Apply.
Figure 3-17 System Logs
CLI – Enable system logging and then specify the level of messages to be logged to
RAM and flash memory. Use the show logging command to display the current
settings.
Console(config)#logging on4-42
Console(config)#logging history ram 04-42
Console(config)#
Console#show logging ram4-46
Syslog logging:Disabled
History logging in RAM: level emergencies
Console#
the level of
Remote Log Configuration
The Remote Logs page allows you to configure the logging of messages that are
sent to syslog servers or other management stations. You can also limit the event
messages sent to only those messages at or above a specified level.
Command Attributes
• Remote Log Status – Enables/disables the logging of debug or error messages
to the remote logging process. (Default: Disabled)
• Logging Facility – Sets the facility type for remote logging of syslog messages.
There are eight facility types specified by values of 16 to 23. The facility type is
used by the syslog server to dispatch log messages to an appropriate service.
The attribute specifies the facility type tag sent in syslog messages. (See RFC
3164.) This type has no effect on the kind of messages reported by the switch.
However, it may be used by the syslog server to process messages, such as sorting
or storing messages in the corresponding database. (Range: 16-23, Default: 23)
• Logging Trap – Limits log messages that are sent to the remote syslog server for
all levels up to the specified level. For example, if level 3 is specified, all messages
from level 0 to level 3 will be sent to the remote server. (Range: 0-7, Default: 7)
• Host IP List – Displays the list of remote server IP addresses that will receive
syslog messages. The maximum number of host IP addresses allowed is five.
• Host IP Address – Specifies a new server IP address to add to the Host IP List.
3-27
Configuring the Switch
3
Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List,
type the new IP address in the Host IP Address box, and then click Add. To delete
an IP address, click the entry in the Host IP List, and then click Remove.
Figure 3-18 Remote Logs
CLI – Enter the syslog server host IP address, choose the facility type and set the
logging trap.
Console(config)#logging host 10.1.0.94-43
Console(config)#logging facility 234-44
Console(config)#logging trap 44-44
Console(config)#logging trap
Console(config)#exit
Console#show logging trap4-46
Syslog logging:Enabled
REMOTELOG status:Disabled
REMOTELOG facility type:local use 7
REMOTELOG level type:Warning conditions
REMOTELOG server ip address: 10.1.0.9
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
Console#
3-28
Basic Configuration
3
Displaying Log Messages
Use the Logs page to scroll through the logged system and event messages. The
switch can store up to 2048 log entries in temporary random access memory (RAM;
i.e., memory flushed on power reset) and up to 4096 entries in permanent flash
memory.
Web – Click System, Log, Logs.
Figure 3-19 Displaying Logs
CLI – This example shows the event message stored in RAM.
"Unit 1, Port 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
Console#
Sending Simple Mail Transfer Protocol Alerts
To alert system administrators of problems, the switch can use SMTP (Simple Mail
Transfer Protocol) to send email messages when triggered by logging events of a
specified level. The messages are sent to specified SMTP servers on the network
and can be retrieved using POP or IMAP clients.
Command Attributes
• Admin Status – Enables/disables the SMTP function. (Default: Enabled)
• Email Source Address – Sets the email address used for the “From” field in alert
messages. You may use a symbolic email address that identifies the switch, or the
address of an administrator responsible for the switch.
• Severity – Sets the syslog severity threshold level (see table on page 3-26) used
to trigger alert messages. All events at this level or higher will be sent to the
configured email recipients. For example, using Level 7 will report all events from
level 7 to level 0. (Default: Level 7)
3-29
Configuring the Switch
3
• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The
switch attempts to connect to the other listed servers if the first fails. Use the New
SMTP Server text field and the Add/Remove buttons to configure the list.
• Email Destination Address List – Specifies the email recipients of alert
messages. You can specify up to five recipients. Use the New Email Destination
Address text field and the Add/Remove buttons to configure the list.
Web – Click System, Log, SMTP. Enable SMTP, specify a source email address,
and select the minimum severity level. To add an IP address to the SMTP Server
List, type the new IP address in the SMTP Server field and click Add. To delete an IP
address, click the entry in the SMTP Server List and click Remove. Specify up to five
email addresses to receive the alert messages, and click Apply.
3-30
Figure 3-20 Enabling and Configuring SMTP Alerts
Basic Configuration
3
CLI – Enter the IP address of at least one SMTP server, set the syslog severity level
to trigger an email message, and specify the switch (source) and up to five recipient
(destination) email addresses. Enable SMTP with the logging sendmail command
to complete the configuration. Use the show logging sendmail command to display
the current SMTP configuration.
Web – Click System, Reset. Click the Reset button to restart the switch. When
prompted, confirm that you want reset the switch.
Figure 3-21 Resetting the System
CLI – Use the reload command to restart the switch.
Console#reload4-21
System will be restarted, continue <y/n>?
When restarting the system, it will always run the Power-On Self-Test.
Note:
3-31
Configuring the Switch
3
Setting the System Clock
Simple Network Time Protocol (SNTP) allows the switch to set its internal clock
based on periodic updates from a time server (SNTP or NTP). Maintaining an
accurate time on the switch enables the system log to record meaningful dates and
times for event entries. You can also manually set the clock using the CLI. (See
“calendar set” on page 4-55.) If the clock is not set, the switch will only record the
time from the factory default set at the last bootup.
When the SNTP client is enabled, the switch periodically sends a request for a time
update to a configured time server. You can configure up to three time server IP
addresses. The switch will attempt to poll each server in the configured sequence.
Configuring SNTP
You can configure the switch to send time synchronization requests to time servers.
Command Attributes
• SNTP Client – Configures the switch to operate as an SNTP client. This requires
at least one time server to be specified in the SNTP Server field. (Default: Disabled)
• SNTP Poll Interval – Sets the interval between sending requests for a time update
from a time server. (Range: 16-16384 seconds; Default: 16 seconds)
• SNTP Server – Sets the IP address for up to three time servers. The switch
attempts to update the time from the first server, if this fails it attempts an update
from the next server in the sequence.
Web – Select SNTP, Configuration. Modify any of the required parameters, and click
Apply.
3-32
Figure 3-22 SNTP Configuration
Basic Configuration
3
CLI – This example configures the switch to operate as an SNTP client and then
displays the current time and settings.
Console(config)#sntp client4-52
Console(config)#sntp poll 164-53
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.24-52
Console(config)#exit
Console#show sntp4-54
Current time: Jan 6 14:56:05 2004
Poll interval: 60
Current mode: unicast
SNTP status : Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.250.36.2
Console#
Setting the Time Zone
SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time,
or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To
display a time corresponding to your local time, you must indicate the number of
hours and minutes your time zone is east (before) or west (after) of UTC.
Command Attributes
• Current Time – Displays the current time.
• Name – Assigns a name to the time zone. (Range: 1-29 characters)
• Hours (0-13) – The number of hours before/after UTC.
• Minutes (0-59) – The number of minutes before/after UTC.
• Direction – Configures the time zone to be before (east) or after (west) UTC.
Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to
the UTC, and click Apply.
Figure 3-23 Clock Time Zone
CLI - This example shows how to set the time zone for the system clock.
Simple Network Management Protocol (SNMP) is a communication protocol
designed specifically for managing devices on a network. Equipment commonly
managed with SNMP includes switches, routers and host computers. SNMP is
typically used to configure these devices for proper operation in a network
environment, as well as to monitor them to evaluate performance or detect potential
problems.
Managed devices supporting SNMP contain software, which runs locally on the
device and is referred to as an agent. A defined set of variables, known as managed
objects, is maintained by the SNMP agent and used to manage the device. These
objects are defined in a Management Information Base (MIB) that provides a
standard presentation of the information controlled by the agent. SNMP defines both
the format of the MIB specifications and the protocol used to access this information
over the network.
The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3.
This agent continuously monitors the status of the switch hardware, as well as the
traffic passing through its ports. A network management station can access this
information using software such as HP OpenView. Access to the onboard agent
from clients using SNMP v1 and v2c is controlled by community strings. To
communicate with the switch, the management station must first submit a valid
community string for authentication.
Access to the switch using from clients using SNMPv3 provides additional security
features that cover message integrity, authentication, and encryption; as well as
controlling user access to specific areas of the MIB tree.
The SNMPv3 security structure consists of security models, with each model having
it’s own security levels. There are three security models defined, SNMPv1,
SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a
security model and specified security levels. Each group also has a defined security
access to set of MIB objects for reading and writing, which are known as “views.”
The switch has a default view (all MIB objects) and default groups defined for
3-34
Simple Network Management Protocol
security models v1 and v2c. The following table shows the security models and
levels available and the system default settings.
Table 3-4 SNMPv3 Security Models and Levels
Model LevelGroupRead View Write View Notify View Security
v1noAuthNoPriv public
v1noAuthNoPriv private
v1noAuthNoPriv user defined user defined user defined user defined Community string only
v2cnoAuthNoPriv public
v2cnoAuthNoPriv private
v2cnoAuthNoPriv user defined user defined user defined user defined Community string only
v3noAuthNoPriv user defined user defined user defined user defined A user name match only
v3AuthNoPrivuser defined user defined user defined user defined Provides user
v3AuthPrivuser defined user defined user defined user defined Provides user
(read only)
(read/write)
(read only)
(read/write)
defaultview nonenoneCommunity string only
defaultview defaultview noneCommunity string only
defaultview nonenoneCommunity string only
defaultview defaultview noneCommunity string only
authentication via MD5 or
SHA algorithms
authentication via MD5 or
SHA algorithms and data
privacy using DES 56-bit
encryption
3
Note:
The predefined default groups and view can be deleted from the system. You can
then define customized groups and views for the SNMP clients that require access.
Enabling the SNMP Agent
Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).
Command Attributes
SNMP Agent Status – Enables SNMP on the switch.
Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled
checkbox, and click Apply.
Figure 3-24 Enabling the SNMP Agent
3-35
Configuring the Switch
3
CLI – The following example enables SNMP on the switch.
Console(config)#snmp-server4-111
Console(config)#
Setting Community Access Strings
You may configure up to five community strings authorized for management access
by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers
should be listed in this table. For security reasons, you should consider removing the
default strings.
Command Attributes
• SNMP Community Capability – The switch supports up to five community strings.
• Current – Displays a list of the community strings currently configured.
• Community String – A community string that acts like a password and permits
access to the SNMP protocol.
• Access Mode – Specifies the access rights for the community string:
- Read-Only – Authorized management stations are only able to retrieve MIB
objects.
- Read/Write – Authorized management stations are able to both retrieve and
modify MIB objects.
Web – Click SNMP, Configuration. Add new community strings as required, select
the access rights from the Access Mode drop-down list, then click Add.
Figure 3-25 Configuring SNMP Community Strings
CLI – The following example adds the string “spiderman” with read/write access.
Console(config)#snmp-server community spiderman rw
Console(config)#
4-113
3-36
Simple Network Management Protocol
3
Specifying Trap Managers and Trap Types
Traps indicating status changes are issued by the switch to specified trap managers.
You must specify trap managers so that key events are reported by this switch to
your management station (using network management platforms such as HP
OpenView). You can specify up to five management stations that will receive
authentication failure messages and other trap messages from the switch.
Command Usage
• If you specify an SNMP Version 3 host, then the “Trap Manager Community String”
is interpreted as an SNMP user name. If you use V3 authentication or encryption
options (authNoPriv or authPriv), the user name must first be defined in the
SNMPv3 Users page (page 3-41). Otherwise, the authentication password and/or
privacy password will not exist, and the switch will not authorize SNMP access for
the host. However, if you specify a V3 host with the no authentication (noAuth)
option, an SNMP user account will be automatically generated, and the switch will
authorize SNMP access for the host.
• Notifications are issued by the switch as trap messages by default. The recipient
of a trap message does not send a response to the switch. Traps are therefore not
as reliable as inform messages, which include a request for acknowledgement of
receipt. Informs can be used to ensure that critical information is received by the
host. However, note that informs consume more system resources because they
must be kept in memory until a response is received. Informs also add to network
traffic. You should consider these effects when deciding whether to issue
notifications as traps or informs.
To send an inform to a SNMPv2c host, complete these steps:
1. Enable the SNMP agent (page 3-35).
2. Enable trap informs as described in the following pages.
3. Create a view with the required notification messages (page 3-49).
4. Create a group that includes the required notify view (page 3-45).
To send an inform to a SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 3-35).
2. Enable trap informs as described in the following pages.
3. Create a view with the required notification messages (page 3-49).
4. Create a group that includes the required notify view (page 3-45).
5. Specify a remote engine ID where the user resides (page 3-40).
6. Then configure a remote user (page 3-43).
Command Attributes
• Trap Manager Capability – This switch supports up to five trap managers.
• Current – Displays a list of the trap managers currently configured.
• Trap Manager IP Address – IP address of a new management station to receive
notification messages.
• Trap Manager Community String – Specifies a valid community string for the
new trap manager entry. Though you can set this string in the Trap Managers table,
we recommend that you define this string in the SNMP Configuration page (for
3-37
Configuring the Switch
3
Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3
Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive)
• Trap UDP Port – Specifies the UDP port number used by the trap manager.
• Trap Version – Indicates if the user is running SNMP v1, v2c, or v3. (Default: v1)
• Trap Security Level – When trap version 3 is selected, you must specify one of
the following security levels. (Default: noAuthNoPriv)
- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications.
- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).
• Trap Inform – Notifications are sent as inform messages. Note that this option is
only available for version 2c and 3 hosts. (Default: traps are used)
- Timeout – The number of seconds to wait for an acknowledgment before
resending an inform message. (Range: 0-2147483647 centiseconds;
Default: 1500 centiseconds)
- Retry times – The maximum number of times to resend an inform message if
the recipient does not acknowledge receipt. (Range: 0-255; Default: 3)
• Enable Authentication Traps
trap managers whenever authentication of an SNMP request fails.
(Default: Enabled)
• Enable Link-up and Link-down Traps
whenever a port link is established or broken. (Default: Enabled)
6
– Issues a notification message to specified IP
6
– Issues a notification message
6. These are legacy notifications and therefore when used for SNMP Version 3 hos ts, they must
be enabled in conjunction with the corresponding entries in the Notification View (page 3-45).
3-38
Simple Network Management Protocol
Web – Click SNMP, Configuration. Enter the IP address and community string for
each management station that will receive trap messages, specify the UDP port,
SNMP version, trap security level (for v3 clients), trap inform settings (for v2c/v3
clients), and then click Add. Select the trap types required using the check boxes for
Authentication and Link-up/down traps, and then click Apply.
Figure 3-26 Configuring SNMP Trap Managers
CLI – This example adds a trap manager and enables authentication traps.
Console(config)#snmp-server host 10.1.19.23 private version 2c
To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, do so before configuring other
SNMP parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SNMP user groups with the required security model (i.e., SNMP v1,
v2c or v3) and security level (i.e., authentication and privacy).
4. Assign SNMP users to groups, along with their specific authentication and
privacy passwords.
3-39
Configuring the Switch
3
Setting a Local Engine ID
An SNMPv3 engine is an independent SNMP agent that resides on the switch. This
engine protects against message replay, delay, and redirection. The engine ID is
also used in combination with user passwords to generate the security keys for
authenticating and encrypting SNMPv3 packets.
A local engine ID is automatically generated that is unique to the switch. This is
referred to as the default engine ID. If the local engineID is deleted or changed, all
SNMP users will be cleared. You will need to reconfigure all existing users.
A new engine ID can be specified by entering 10 to 64 hexadecimal characters. If
less than 26 characters are specified, trailing zeroes are added to the value. For
example, the value “1234” is equivalent to “1234” followed by 60 zeroes.
Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of up to 64 hexadecimal
characters and then click Save.
Figure 3-27 Setting the SNMPv3 Engine ID
CLI – This example sets an SNMPv3 engine ID.
Console(config)#snmp-server engine-id local 12345abcdef4-117
Console(config)#exit
Console#show snmp engine-id4-118
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1
Console#
Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first
specify the engine identifier for the SNMP agent on the remote device where the
user resides. The remote engine ID is used to compute the security digest for
authenticating and encrypting packets sent to a user on the remote host.
SNMP passwords are localized using the engine ID of the authoritative agent. For
informs, the authoritative SNMP agent is the remote agent. You therefore need to
configure the remote agent’s SNMP engine ID before you can send proxy requests
or informs to it. (See “Specifying Trap Managers and Trap Types” on page 3-37 and
“Configuring Remote SNMPv3 Users” on page 3-43.)
3-40
Simple Network Management Protocol
3
The engine ID can be specified by entering 10 to 64 hexadecimal characters. If less
than 26 characters are specified, trailing zeroes are added to the value. For
example, the value “1234” is equivalent to “1234” followed by 60 zeroes.
Web – Click SNMP, SNMPv3, Remote Engine ID. Enter an ID of up to 64
hexadecimal characters and then click Save.
Figure 3-28 Setting an Engine ID
CLI – This example specifies a remote SNMPv3 engine ID.
Console(config)#snmp-server engineID remote 54321 192.168.1.194-117
Console(config)#exit
Console#show snmp engine-id4-118
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1
Each SNMPv3 user is defined by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts users to
a specific read, write, or notify view.
Command Attributes
• User Name – The name of user connecting to the SNMP agent. (Range: 1-32
characters)
• Group Name – The name of the SNMP group to which the user is assigned.
(Range: 1-32 characters)
• Security Model – The user security model; SNMP v1, v2c or v3.
• Security Level – The security level used for the user:
- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications. (This is the default for SNMPv3.)
- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).
• AuthenticationProtocol – The method used for user authentication. (Options:
MD5, SHA; Default: MD5)
• AuthenticationPassword – A minimum of eight plain text characters is required.
3-41
Configuring the Switch
3
• PrivacyProtocol – The encryption algorithm use for data privacy; only 56-bit DES
is currently available.
• PrivacyPassword – A minimum of eight plain text characters is required.
• Actions – Enables the user to be assigned to another SNMPv3 group.
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the
New User page, define a name and assign it to a group, then click Add to save the
configuration and return to the User Name list. To delete a user, check the box next
to the user name, then click Delete. To change the assigned group of a user, click
Change Group in the Actions column of the users table and select the new group.
3-42
Figure 3-29 Configuring SNMPv3 Users
Simple Network Management Protocol
3
CLI – Use the snmp-server user command to configure a new user name and
assign it to a group.
Console(config)#snmp-server user chris group r&d v3 auth md5
greenpeace priv des56 einstien4-122
Console(config)#exit
Console#show snmp user4-124
EngineId: 80000034030001f488f5200000
User Name: chris
Authentication Protocol: md5
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active
Console#
Configuring Remote SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts users to
a specific read and a write view.
To send inform messages to an SNMPv3 user on a remote device, you must first
specify the engine identifier for the SNMP agent on the remote device where the
user resides. The remote engine ID is used to compute the security digest for
authenticating and encrypting packets sent to a user on the remote host. (See
“Specifying Trap Managers and Trap Types” on page 3-37 and “Specifying a
Remote Engine ID” on page 3-40.)
Command Attributes
• User Name – The name of user connecting to the SNMP agent. (Range: 1-32
characters)
• Group Name – The name of the SNMP group to which the user is assigned.
(Range: 1-32 characters)
• Engine ID – The engine identifier for the SNMP agent on the remote device where
the remote user resides. Note that the remote engine identifier must be specified
before you configure a remote user. (See “Specifying a Remote Engine ID” on
page 3-40.)
• Remote IP – The Internet address of the remote device where the user resides.
• Security Model – The user security model; SNMP v1, v2c or v3. (Default: v1)
• Security Level – The security level used for the user:
- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications. (This is the default for SNMPv3.)
- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).
• AuthenticationProtocol – The method used for user authentication. (Options:
MD5, SHA; Default: MD5)
• AuthenticationPassword – A minimum of eight plain text characters is required.
3-43
Configuring the Switch
3
• PrivacyProtocol – The encryption algorithm use for data privacy; only 56-bit DES
is currently available.
• PrivacyPassword – A minimum of eight plain text characters is required.
Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name.
In the New User page, define a name and assign it to a group, then click Add to save
the configuration and return to the User Name list. To delete a user, check the box
next to the user name, then click Delete.
3-44
Figure 3-30 Configuring Remote SNMPv3 Users
Simple Network Management Protocol
3
CLI – Use the snmp-server user command to configure a new user name and
assign it to a group.
Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3
auth md5 greenpeace priv des56 einstien4-122
Console(config)#exit
Console#show snmp user4-124
No user exist.
SNMP remote user
EngineId: 80000000030004e2b316c54321
User Name: mark
Authentication Protocol: none
Privacy Protocol: none
Storage Type: nonvolatile
Row Status: active
Console#
Configuring SNMPv3 Groups
An SNMPv3 group sets the access policy for its assigned users, restricting them to
specific read, write, and notify views. You can use the pre-defined default groups or
create new groups to map a set of SNMP users to SNMP views.
Command Attributes
• Group Name – The name of the SNMP group. (Range: 1-32 characters)
• Model – The group security model; SNMP v1, v2c or v3.
• Level – The security level used for the group:
- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications.
- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).
• Read View – The configured view for read access. (Range: 1-64 characters)
• Write View – The configured view for write access. (Range: 1-64 characters)
• Notify View – The configured view for notifications. (Range: 1-64 characters)
3-45
Configuring the Switch
3
Table 3-5 Supported Notification Messages
Object LabelObject IDDescription
RFC 1493 Traps
newRoot1.3.6.1.2.1.17.0.1The newRoot trap indicates that the sending
topologyChange1.3.6.1.2.1.17.0.2A topologyChange trap is sent by a bridge when
SNMPv2 Traps
coldStart1.3.6.1.6.3.1.1.5.1A coldStart trap signifies that the SNMPv2 entity,
warmStart1.3.6.1.6.3.1.1.5.2A warmStart trap signifies that the SNMPv2
*
linkDown
*
linkUp
authenticationFailure
RMON Events (V2)
risingAlarm1.3.6.1.2.1.16.0.1The SNMP trap that is generated when an alarm
fallingAlarm1.3.6.1.2.1.16.0.2The SNMP trap tha t is generated when an alarm
1.3.6.1.6.3.1.1.5.3A linkDown trap signifies that the SNMP entity,
1.3.6.1.6.3.1.1.5.4A linkUp trap signifies that the SNMP entity,
*
1.3.6.1.6.3.1.1.5.5An authenticationFailure trap signifies that the
agent has become the new root of the Spanning
Tree; the trap is sent by a bridge soon after its
election as the new root, e.g., upon expiration of
the Topology Change Timer immediately
subsequent to its election.
any of its configured ports transitions from the
Learning state to the Forwarding state, or from
the Forwarding state to the Disca rding state. The
trap is not sent if a newRoot trap is sent for the
same transition.
acting in an agent role, is reinitializing itself and
that its configuration may have been altered.
entity, acting in an agent role, is reinitializing
itself such that its configuration is unaltered.
acting in an agent role, has detected that the
ifOperStatus object for one of its communication
links is about to enter the down state from some
other state (but not from the notPresent state).
This other state is indicated by the included
value of ifOperStatus.
acting in an agent role, has detected that the
ifOperStatus object for one of its communication
links left the down state and transitioned into
some other state (but not into the notPresent
state). This other state is indicated by the
included value of ifOperStatus.
SNMPv2 entity, acting in an agent role, has
received a protocol message that is not properly
authenticated. While all implementations of the
SNMPv2 must be capable of generating this
trap, the snmpEnableAuthenTraps object
indicates whether this trap will be generated.
entry crosses its rising threshold and generates
an event that is configured for sending SNMP
traps.
entry crosses its falling threshold and generates
an event that is configured for sending SNMP
traps.
swFanFailureTrap1.3.6.1.4.1.259.6.10.76.2.1.0.17 This trap is sent when the fan fails.
swFanRecoverTrap1.3.6.1.4.1.259.6.10.76.2.1.0.18 This trap is sent when the fan failure has
swIpFilterRejectTrap1.3.6.1.4.1.259.6.10.76.2.1.0.40 This trap is sent when an incorrect IP address is
swSmtpConnFailure
Trap
swMainBoardVer
MismatchNotificaiton
swModuleVer
MismatchNotificaiton
swThermalRising
Notification
swThermalFalling
Notification
swModuleInsertion
Notificaiton
swModuleRemoval
Notificaiton
* These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps on the
SNMP Configuration menu (page 3-39).
1.3.6.1.4.1.259.6.10.76.2.1.0.1 This trap is sent when the power state changes.
recovered.
rejected by the IP Filter.
1.3.6.1.4.1.259.6.10.76.2.1.0.41 This trap is triggered if the SMTP system cannot
1.3.6.1.4.1.259.6.10.76.2.1.0.56 This trap is sent when the slave board version is
1.3.6.1.4.1.259.6.10.76.2.1.0.57 This trap is sent when the slide-in module
1.3.6.1.4.1.259.6.10.76.2.1.0.58 This trap is sent when the temperature exceeds
1.3.6.1.4.1.259.6.1 0.76.2.1.0.59 This trap is sent whe n the temperature falls below
1.3.6.1.4.1.259.6.10.76.2.1.0.60 This trap is sent when a module is inserted.
1.3.6.1.4.1.259.6.10.76.2.1.0.61 This trap is sent when a module is removed.
open a connection to the mail server
successfully.
mismatched with the master board version. This
trap binds two objects, the first object indicates
the master version, whereas the second
represents the slave version.
version is mismatched with the main board
version.
the switchThermalActionRisingThreshold.
the switchThermalActionFallingThreshold.
3
3-47
Configuring the Switch
3
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the
New Group page, define a name, assign a security model and level, and then select
read, write, and notify views. Click Add to save the new group and return to the
Groups list. To delete a group, check the box next to the group name, then click
Delete.
Figure 3-31 Configuring SNMPv3 Groups
CLI – Use the snmp-server group command to configure a new group, specifying
the security model and level, and restricting MIB access to defined read and write
views.
Console(config)#snmp-server group secure-users v3 priv read defaultview
SNMPv3 views are used to restrict user access to specified portions of the MIB tree.
The predefined view “defaultview” includes access to the entire MIB tree.
Command Attributes
• View Name – The name of the SNMP view. (Range: 1-64 characters)
• View OID Subtrees – Shows the currently configured object identifiers of branches
within the MIB tree that define the SNMP view.
• Edit OID Subtrees – Allows you to configure the object identifiers of branches
within the MIB tree. Wild cards can be used to mask a specific portion of the OID
string.
• Type – Indicates if the object identifier of a branch within the MIB tree is included
or excluded from the SNMP view.
Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New
View page, define a name and specify OID subtrees in the switch MIB to be included
or excluded in the view. Click Back to save the new view and return to the SNMPv3
Views list. For a specific view, click on View OID Subtrees to display the current
configuration, or click on Edit OID Subtrees to make changes to the view settings. To
delete a view, check the box next to the view name, then click Delete.
Figure 3-32 Configuring SNMPv3 Views
3-49
Configuring the Switch
3
CLI – Use the snmp-server view command to configure a new view. This example
view includes the MIB-2 interfaces table, and the wildcard mask selects all index
entries.
included4-119
Console(config)#exit
Console#show snmp view4-120
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
View Type: included
Storage Type: nonvolatile
Row Status: active
View Name: readaccess
Subtree OID: 1.3.6.1.2
View Type: included
Storage Type: nonvolatile
Row Status: active
View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: nonvolatile
Row Status: active
Console#
User Authentication
You can restrict management access to this switch and provide secure network
access using the following options:
• User Accounts – Manually configure management access rights for users.
• Authentication Settings – Use remote authentication to configure access rights.
• HTTPS Settings – Provide a secure web connection.
• SSH Settings – Provide a secure shell (for secure Telnet access).
• Port Security – Configure secure addresses for individual ports.
• 802.1X – Use IEEE 802.1X port authentication to control access to specific ports.
• IP Filter – Filters management access to the web, SNMP or Telnet interface.
Configuring User Accounts
The guest only has read access for most configuration parameters. However, the
administrator has write access for all parameters governing the onboard agent. You
should therefore assign a new administrator password as soon as possible, and
store it in a safe place.
The default guest name is “guest” with the password “guest.” The default
administrator name is “admin” with the password “admin.”
3-50
User Authentication
Command Attributes
• Account List – Displays the current list of user accounts and associated access
levels. (Defaults: admin, and guest)
• New Account – Displays configuration settings for a new account.
- User Name – The name of the user.
(Maximum length: 8 characters; maximum number of users: 16)
- Access Level – Specifies the user level.
(Options: Normal and Privileged)
- Password – Specifies the user password.
(Range: 0-8 characters plain text, case sensitive)
• Change Password – Sets a new password for the specified user.
Web – Click Security, User Accounts. To configure a new user account, enter the
user name, access level, and password, then click Add. To change the password for
a specific user, enter the user name and new password, confirm the password by
entering it again, then click Apply.
3
Figure 3-33 User Accounts
CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the
password.
Console(config)#username bob access-level 154-25
Console(config)#username bob password 0 smith
Console(config)#
3-51
Configuring the Switch
3
Configuring Local/Remote Logon Authentication
Use the Authentication Settings menu to restrict management access based on
specified user names and passwords. You can manually configure access rights on
the switch, or you can use a remote access authentication server based on RADIUS
or TACACS+ protocols.
Remote Authentication Dial-in
User Service (RADIUS) and
Terminal Access Controller
Access Control System Plus
(TACACS+) are logon
Web
Telnet
authentication protocols that use
software running on a central
server to control access to
RADIUS-aware or TACACSaware devices on the network.
RADIUS/
TACACS+
server
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.
An authentication server contains
a database of multiple user name/password pairs with associated privilege levels for
each user that requires management access to the switch.
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery,
while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts
only the password in the access-request packet from the client to the server, while
TACACS+ encrypts the entire body of the packet.
Command Usage
• By default, management access is always checked against the authentication
database stored on the local switch. If a remote authentication server is used, you
must specify the authentication sequence and the corresponding parameters for
the remote authentication protocol. Local and remote logon authentication control
management access via the console port, web browser, or Telnet.
• RADIUS and TACACS+ logon authentication assign a specific privilege level for
each user name/password pair. The user name, password, and privilege level
must be configured on the authentication server.
• You can specify up to three authentication methods for any user to indicate the
authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and
(3) Local, the user name and password on the RADIUS server is verified first. If the
RADIUS server is not available, then authentication is attempted using the
TACACS+ server, and finally the local user name and password is checked.
Command Attributes
• Authentication – Select the authentication, or authentication sequence required:
- Local – User authentication is performed only locally by the switch.
- Radius – User authentication is performed using a RADIUS server only.
- TACACS – User authentication is performed using a TACACS+ server only.
- [authentication sequence] – User authentication is performed by up to three
authentication methods in the indicated sequence.
console
3-52
User Authentication
• RADIUSSettings
- Global – Provides globally applicable RADIUS settings.
- ServerIndex – Specifies one of five RADIUS servers that may be configured.
The switch attempts authentication using the listed sequence of servers. The
process ends when a server either approves or denies access to a user.
- Server IP Address – Address of authentication server. (Default: 10.1.0.1)
- Server Port Number – Network (UDP) port of authentication server used for
authentication messages. (Range: 1-65535; Default: 1812)
- Secret Text String – Encryption key used to authenticate logon access for
client. Do not use blank spaces in the string. (Maximum length: 20 characters)
- Number of Server Transmits – Number of times the switch tries to authenticate
logon access via the authentication server. (Range: 1-30; Default: 2)
- Timeout for a reply – The number of seconds the switch waits for a reply from
the RADIUS server before it resends the request. (Range: 1-65535; Default: 5)
• TACACSSettings
- Server IP Address – Address of the TACACS+ server. (Default: 10.11.12.13)
- Server Port Number – Network (TCP) port of TACACS+ server used for
authentication messages. (Range: 1-65535; Default: 49)
- Secret Text String – Encryption key used to authenticate logon access for
client. Do not use blank spaces in the string. (Maximum length: 20 characters)
The local switch user database has to be set up by manually entering user names
Note:
and passwords using the CLI. (See “username” on page 4-25.)
3
3-53
Configuring the Switch
3
Web – Click Security, Authentication Settings. To configure local or remote
authentication preferences, specify the authentication sequence (i.e., one to three
methods), fill in the parameters for RADIUS or TACACS+ authentication if selected,
and click Apply.
Figure 3-34 Authentication Server Settings
CLI – Specify all the required parameters to enable logon authentication.
Communication key with RADIUS server: *****
Server port number:181
Retransmit times:5
Request timeout:10
Server 1:
Server IP address: 192.168.1.25
Communication key with RADIUS server: *****
Server port number: 181
Retransmit times: 5
Request timeout: 10
3-54
User Authentication
Console#config
Console(config)#authentication login tacacs4-69
Console(config)#tacacs-server host 10.20.30.404-74
Console(config)#tacacs-server port 2004-75
Console(config)#tacacs-server key green4-75
Console(config)#exit
Console#show tacacs-server4-76
Server IP address:10.20.30.40
Communication key with tacacs server: *****
Server port number:200
Console(config)#
3
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol
(HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an
encrypted connection) to the switch’s web interface.
Command Usage
• Both the HTTP and HTTPS service can be enabled independently on the switch.
However, you cannot configure both services to use the same UDP port.
• If you enable HTTPS, you must indicate this in the URL that you specify in your
browser: https://device[:port_number]
• When you start HTTPS, the connection is established in this way:
- The client authenticates the server using the server’s digital certificate.
- The client and server negotiate a set of security protocols to use for the
connection.
- The client and server generate session keys for encrypting and decrypting data.
• The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer 5.x or above
and Netscape Navigator 6.2 or above.
• The following web browsers and operating systems currently support HTTPS:
Table 3-6 HTTPS System Support
Web BrowserOperating System
Internet Explorer 5.0 or laterWindows 98,Windows NT (with service pack 6a),
Netscape Navigator 6.2 or laterWindows 98,Windows NT (with service pack 6a),
• To specify a secure-site certificate, see “Replacing the Default Secure-site
Certificate” on page 3-56.
Command Attributes
• HTTPS Status – Allows you to enable/disable the HTTPS server feature on the
switch.
(Default: Enabled)
•
Change HTTPS Port Number – Specifies the UDP port number used for HTTPS/
SSL connection to the switch’s web interface. (Default: Port 443)
Windows 2000, Windows XP
Windows 2000, Windows XP, Solaris 2.6
3-55
Configuring the Switch
3
Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number,
then click Apply.
Figure 3-35 HTTPS Settings
CLI – This example enables the HTTP secure server and modifies the port number.
When you log onto the web interface using HTTPS (for secure access), a Secure
Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that
Netscape and Internet Explorer display will be associated with a warning that the
site is not recognized as a secure site. This is because the certificate has not been
signed by an approved certification authority. If you want this warning to be replaced
by a message confirming that the connection to the switch is secure, you must
obtain a unique certificate and a private key and password from a recognized
certification authority.
Note: For maximum security, we recommend you obtain a unique Secure Sockets Layer
certificate at the earliest opportunity. This is because the default certificate for the
switch is not unique to the hardware you have purchased.
When you have obtained these, place them on your TFTP server, and use the
following command at the switch's command-line interface to replace the default
(unrecognized) certificate with an authorized one:
Console#copy tftp https-certificate4-63
TFTP server ip address: <server ip-address>
Source certificate file name: <certificate file name>
Source private file name: <private key file name>
Private password: <password for private key>
Note: The switch must be reset for the new certificate to be activated. To reset the
switch, type “reload” at the command prompt:
Console#reload
3-56
User Authentication
3
Configuring the Secure Shell
The Berkley-standard includes remote access tools originally designed for Unix
systems. Some of these tools have also been implemented for Microsoft Windows
and other environments. These tools, including commands such as rlogin (remote
login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
The Secure Shell (SSH) includes server/client applications intended as a secure
replacement for the older Berkley remote access tools. SSH can also provide
remote management access to this switch as a secure replacement for Telnet.
When the client contacts the switch via the SSH protocol, the switch generates a
public-key that the client uses along with a local user name and password for access
authentication. SSH also encrypts all data transfers passing between the switch and
SSH-enabled management station clients, and ensures that data traveling over the
network arrives unaltered.
Note that you need to install an SSH client on the management station to access the
switch for management via the SSH protocol.
The switch supports both SSH Version 1.5 and 2.0 clients.
Note:
Command Usage
The SSH server on this switch supports both password and public key
authentication. If password authentication is specified by the SSH client, then the
password can be authenticated either locally or via a RADIUS or TACACS+ remote
authentication server, as specified on the Authentication Settings page
(page 3-52). If public key authentication is specified by the client, then you must
configure authentication keys on both the client and the switch as described in the
following section. Note that regardless of whether you use public key or password
authentication, you still have to generate authentication keys on the switch (SSH
Host Key Settings) and enable the SSH server (Authentication Settings).
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host
public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically
import the host public key during the initial connection setup with the switch.
Otherwise, you need to manually create a known hosts file on the management
station and place the host public key in it. An entry for a public key in the known
hosts file would appear similar to the following example:
3. Import Client’s Public Key to the Switch – Use the copy tftp public-key
command (page 4-63) to copy a file containing the public key for all the SSH
client’s granted management access to the switch. (Note that these clients must
3-57
Configuring the Switch
3
be configured locally on the switch via the User Accounts page as described on
page 3-50.) The clients are subsequently authenticated using these keys. The
current firmware only accepts public key files based on standard UNIX format as
shown in the following example for an RSA Version 1 key:
4. Set the Optional Parameters – On the SSH Settings page, configure the optional
parameters, including the authentication timeout, the number of retries, and the
server key size.
5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the
switch.
6. Challenge-Response Authentication – When an SSH client attempts to contact
the switch, the SSH server uses the host key pair to negotiate a session key and
encryption method. Only clients that have a private key corresponding to the
public keys stored on the switch can access it. The following exchanges take
place during this process:
a. The client sends its public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch uses the public key to encrypt a random
sequence of bytes, and sends this string to the client.
d. The client uses its private key to decrypt the bytes, and sends the decrypted
bytes back to the switch.
e. The switch compares the decrypted bytes to the original bytes it sent. If the
two sets match, this means that the client's private key corresponds to an
authorized public key, and the client is authenticated.
Notes: 1.
To use SSH with only password authentication, the host public key must still
be given to the client, either during initial connection or manually entered into
the known host file. However, you do not need to configure the client’s keys.
2. The SSH server supports up to four client sessions. The maximum number
of client sessions includes both current Telnet sessions and SSH sessions.
Generating the Host Key Pair
A host public/private key pair is used to provide secure communications between an
SSH client and the switch. After generating this key pair, you must provide the host
public key to SSH clients and import the client’s public key to the switch as
described in the preceding section (Command Usage).
3-58
User Authentication
Field Attributes
• Public-Key of Host-Key – The public key for the host.
- RSA (Version 1): The first field indicates the size of the host key (e.g., 1024), the
second field is the encoded public exponent (e.g., 65537), and the last string is
the encoded modulus.
- DSA (Version 2): The first field indicates that the encryption method used by
SSH is based on the Digital Signature Standard (DSS). The last string is the
encoded modulus.
• Host-Key Type – The key type used to generate the host key pair (i.e., public and
private keys). (Range: RSA (Version 1), DSA (Version 2), Both: Default: Both)
The SSH server uses RSA or DSA for key exchange when the client first
establishes a connection with the switch, and then negotiates with the client to
select either DES (56-bit) or 3DES (168-bit) for data encryption.
• Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e.,
volatile memory to flash memory). Otherwise, the host key pair is stored to RAM
by default. Note that you must select this item prior to generating the host-key pair.
• Generate – This button is used to generate the host key pair. Note that you must
first generate the host key pair before you can enable the SSH server on the SSH
Server Settings page.
• Clear – This button clears the host key from both volatile memory (RAM) and
non-volatile memory (Flash).
Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the
drop-down box, select the option to save the host key from memory to flash (if
required) prior to generating the key, and then click Generate.
3
Figure 3-36 SSH Host-Key Settings
3-59
Configuring the Switch
3
CLI – This example generates a host-key pair using both the RSA and DSA
algorithms, stores the keys to flash memory, and then displays the host’s public keys.
The SSH server includes basic settings for authentication.
Field Attributes
• SSH Server Status – Allows you to enable/disable the SSH server on the switch.
(Default: Disabled)
• Version – The Secure Shell version number. Version 2.0 is displayed, but the
switch supports management access via either SSH Version 1.5 or 2.0 clients.
• SSH Authentication Timeout – Specifies the time interval in seconds that the
SSH server waits for a response from a client during an authentication attempt.
(Range: 1 to 120 seconds; Default: 120 seconds)
• SSH Authentication Retries – Specifies the number of authentication attempts
that a client is allowed before authentication fails and the client has to restart the
authentication process. (Range: 1-5 times; Default: 3)
• SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits;
Default: 768)
- The server key is a private key that is never shared outside the switch.
- The host key is shared with the SSH client, and is fixed at 1024 bits.
3-60
Loading...
+ hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.