Alcatel-Lucent OMNISTACK 6300 User Manual

Download

Page 1

Part No. 060191-10, Rev. B April 2004

OmniStack® 6300-24

Users Guide

Page 2

An Alcatel service agreement brings your company the assurance of 7x24 no-excuses technical support. You’ll also receive regular software updates to maintain and maximize your Alcatel product’s features and functionality and on-site hardware replacement through our global network of highly qualified service delivery partners. Additionally, with 24-hour-a-day access to Alcatel’s Service and Support web page, you’ll be able to view and update any case (open or closed) that you have reported to Alcatel’s technical support, open a new case or access helpful release notes, technical bulletins, and manuals. For more information on Alcatel’s Service Programs, see our web page at www.ind.alcatel.com, call us at 1-800-995-2696, or email us at support@ind.alcatel.com.

This Manual documents OmniStack 6300-24 hardware and software.

The functionality described in this Manual is subject to change without notice.

Alcatel France. OmniSwitch Omni Switch/Router™, SwitchExpert Inc. All other brand and product names are trademarks of their respective companies.

and the Alcatel logo are registered trademarks of Compagnie Financiére Alcatel, Paris,

and OmniStack® are registered trademarks of Alcatel Internetworking, Inc.

, the Xylan logo are trademarks of Alcatel Internetworking,

26801 West Agoura Road

Calabasas, CA 91301

(818) 880-3500 FAX (818) 880-3505

info@ind.alcatel.com

US Customer Support-(800) 995-2696

International Customer Support-(818) 878-4507

Internet-http://eservice.ind.alcatel.com

Page 3

This equipment has been tested and found to comply with the limits for Class A digital

Warning

device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions in this guide, may cause interference to radio communications. Operation of this equipment in a residential area is likely to cause interference, in which case the user will be required to correct the interference at his own expense.

The user is cautioned that changes and modifications made to the equipment without approval of the manufacturer could void the user’s authority to operate this equipment. It is suggested that the user use only shielded and grounded cables to ensure compliance with FCC Rules.

This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the radio interference regulations of the Canadian department of communications.

Le present appareil numerique níemet pas de bruits radioelectriques depassant les limites applicables aux appareils numeriques de la Class A prescrites dans le reglement sur le brouillage radioelectrique edicte par le ministere des communications du Canada.

Page 4

Page 5

Chapter 1: Introduction 1-1

Key Features 1-1 Description of Software Features 1-2 System Defaults 1-5

Chapter 2: Initial Configuration 2-1

Connecting to the Switch 2-1

Configuration Options 2-1 Required Connections 2-2 Remote Connections 2-3

Basic Configuration 2-3

Console Connection 2-3 Setting Passwords 2-4 Setting an IP Address 2-4

Manual Configuration 2-4 Dynamic Configuration 2-5

Enabling SNMP Management Access 2-6

Community Strings 2-6 Trap Receivers 2-7

Saving Configuration Settings 2-7

Managing System Files 2-8

Chapter 3: Configuring the Switch 3-1

Using the Web Interface 3-1 Navigating the Web Browser Interface 3-2

Home Page 3-2 Configuration Options 3-2 Panel Display 3-3 Main Menu 3-3

Basic Configuration 3-8

Displaying System Information 3-8 Displaying Switch Hardware/Software Versions 3-10 Displaying Bridge Extension Capabilities 3-11 Setting the Switch’s IP Address 3-12

Manual Configuration 3-13

Using DHCP/BOOTP 3-14 Enabling Jumbo Frames 3-15 Managing Firmware 3-15

Downloading System Software from a Server 3-16 Saving or Restoring Configuration Settings 3-17

Downloading Configuration Settings from a Server 3-17 Console Port Settings 3-18

Page 6

Contents

Telnet Settings 3-21

Configuring Event Logging 3-23

System Logs 3-23 System Logs Configuration 3-24 Remote Logs Configuration 3-25 Sending Simple Mail Transfer Protocol Alerts 3-27 Resetting the System 3-29 Setting the System Clock 3-29

Configuring SNTP 3-30 Setting the Time Zone 3-31

Simple Network Management Protocol 3-31

Enabling SNMP 3-33 Setting Community Access Strings 3-33 Specifying Trap Managers and Trap Types 3-34 Configuring SNMPv3 Management Access 3-35

Setting an Engine ID 3-35 Configuring SNMPv3 Users 3-36 Configuring SNMPv3 Groups 3-38 Setting SNMPv3 Views 3-40

User Authentication 3-41

Configuring the Logon Password 3-41 Configuring Local/Remote Logon Authentication 3-42 Configuring HTTPS 3-45

Replacing the Default Secure-site Certificate 3-46

Configuring the Secure Shell 3-47

Generating the Host Key Pair 3-49

Configuring the SSH Server 3-51 Configuring Port Security 3-52 Configuring 802.1x Port Authentication 3-54

Displaying 802.1x Global Settings 3-55

Configuring 802.1x Global Settings 3-57

Configuring Port Authorization Mode 3-58

Displaying 802.1x Statistics 3-59

Access Control Lists 3-61

Configuring Access Control Lists 3-61

Setting the ACL Name and Type 3-62

Configuring a Standard IP ACL 3-62

Configuring an Extended IP ACL 3-63

Configuring a MAC ACL 3-66 Configuring ACL Masks 3-68

Specifying the Mask Type 3-68

Configuring an IP ACL Mask 3-69

Configuring a MAC ACL Mask 3-71 Binding a Port to an Access Control List 3-72

Filtering IP Addresses for Management Access 3-73

Page 7

Contents

Port Configuration 3-75

Displaying Connection Status 3-75 Configuring Interface Connections 3-77 Creating Trunk Groups 3-79

Statically Configuring a Trunk 3-80 Enabling LACP on Selected Ports 3-81 Configuring LACP Parameters 3-83 Displaying LACP Port Counters 3-85 Displaying LACP Settings and Status for the Local Side 3-86

Displaying LACP Settings and Status for the Remote Side 3-88 Setting Broadcast Storm Thresholds 3-90 Configuring Port Mirroring 3-91 Configuring Rate Limits 3-92 Showing Port Statistics 3-93

Alcatel Mapping Adjacency Protocol (AMAP) 3-98

Configuring AMAP 3-98 Displaying AMAP Detected Devices 3-99

Address Table Settings 3-100

Setting Static Addresses 3-100 Displaying the Address Table 3-101 Changing the Aging Time 3-102

Spanning Tree Algorithm Configuration 3-103

Displaying Global Settings 3-104 Configuring Global Settings 3-107 Displaying Interface Settings 3-111 Configuring Interface Settings 3-114 Configuring Multiple Spanning Trees 3-116 Displaying Interface Settings for MSTP 3-119 Configuring Interface Settings for MSTP 3-121

VLAN Configuration 3-122

Overview 3-122

Assigning Ports to VLANs 3-123

Forwarding Tagged/Untagged Frames 3-125 Enabling or Disabling GVRP (Global Setting) 3-125 Displaying Basic VLAN Information 3-126 Displaying Current VLANs 3-127 Creating VLANs 3-129 Adding Static Members to VLANs (VLAN Index) 3-130 Adding Static Members to VLANs (Port Index) 3-132 Configuring VLAN Behavior for Interfaces 3-133 Configuring Private VLANs 3-135

Enabling Private VLANs 3-135

Configuring Uplink and Downlink Ports 3-136 Configuring Protocol-Based VLANs 3-136

Configuring Protocol Groups 3-137

vii

Page 8

Contents

Mapping Protocols to VLANs 3-137

Class of Service Configuration 3-139

Setting the Default Priority for Interfaces 3-139 Mapping CoS Values to Egress Queues 3-141 Selecting the Queue Mode 3-143 Setting the Service Weight for Traffic Classes 3-143 Mapping Layer 3/4 Priorities to CoS Values 3-145 Selecting IP Precedence/DSCP Priority 3-145 Mapping IP Precedence 3-146 Mapping DSCP Priority 3-147 Mapping IP Port Priority 3-149 Mapping CoS Values to ACLs 3-150 Changing Priorities Based on ACL Rules 3-151

Quality of Service 3-153

Configuring Quality of Service Parameters 3-153 Configuring a Class Map 3-154 Creating QoS Policies 3-156 Attaching a Policy Map to Ingress and Egress Queues 3-159

Multicast Filtering 3-160

Layer 2 IGMP (Snooping and Query) 3-160

Configuring IGMP Snooping and Query Parameters 3-161 Displaying Interfaces Attached to a Multicast Router 3-162 Specifying Static Interfaces for a Multicast Router 3-163 Displaying Port Members of Multicast Services 3-164 Assigning Ports to Multicast Services 3-165

Configuring Domain Name Service 3-166

Configuring General DNS Server Parameters 3-167 Configuring Static DNS Host to Address Entries 3-169 Displaying the DNS Cache 3-171

Chapter 4: Command Line Interface 4-1

Using the Command Line Interface 4-1

Accessing the CLI 4-1 Console Connection 4-1 Telnet Connection 4-1

Entering Commands 4-3

Keywords and Arguments 4-3 Minimum Abbreviation 4-3 Command Completion 4-3 Getting Help on Commands 4-3

Showing Commands 4-4 Partial Keyword Lookup 4-5 Negating the Effect of Commands 4-5 Using Command History 4-5

viii

Page 9

Contents

Understanding Command Modes 4-5 Exec Commands 4-6 Configuration Commands 4-6

Command Line Processing 4-7 Command Groups 4-9 Line Commands 4-10

line 4-10

password 4-12

timeout login response 4-13

exec-timeout 4-14

password-thresh 4-14

silent-time 4-15

databits 4-16

parity 4-16

speed 4-17

stopbits 4-17

disconnect 4-18

show line 4-18 General Commands 4-19

enable 4-19

disable 4-20

configure 4-20

show history 4-21

reload 4-22

end 4-22

exit 4-22

quit 4-23 System Management Commands 4-23

Device Designation Commands 4-24

prompt 4-24 hostname 4-25

User Access Commands 4-25

username 4-25 enable password 4-26

IP Filter Commands 4-27

management 4-27 show management 4-28

Web Server Commands 4-29

ip http port 4-29 ip http server 4-30 ip http secure-server 4-30 ip http secure-port 4-31

Secure Shell Commands 4-32

ip ssh server 4-34

Page 10

Contents

ip ssh timeout 4-35 ip ssh authentication-retries 4-36 ip ssh server-key size 4-36 delete public-key 4-37 ip ssh crypto host-key generate 4-37 ip ssh crypto zeroize 4-38 ip ssh save host-key 4-38 show ip ssh 4-39 show ssh 4-39 show public-key 4-40

Event Logging Commands 4-41

logging on 4-41 logging history 4-42 logging host 4-43 logging facility 4-43 logging trap 4-44 clear logging 4-44 show logging 4-45

SMTP Alert Commands 4-46

logging sendmail host 4-47 logging sendmail level 4-47 logging sendmail source-email 4-48 logging sendmail destination-email 4-48 logging sendmail 4-49 show logging sendmail 4-49

Time Commands 4-50

sntp client 4-50 sntp server 4-51 sntp poll 4-52 show sntp 4-52 clock timezone 4-53 calendar set 4-53 show calendar 4-54

System Status Commands 4-54

show startup-config 4-54 show running-config 4-57 show system 4-59 show users 4-60 show version 4-60

Frame Size Commands 4-61

jumbo frame 4-61

Flash/File Commands 4-62

copy 4-62 delete 4-64 dir 4-65

Page 11

Contents

whichboot 4-66

boot system 4-66 Authentication Commands 4-67

Authentication Sequence 4-67

authentication login 4-68 authentication enable 4-69

RADIUS Client 4-70

radius-server host 4-70 radius-server port 4-70 radius-server key 4-71 radius-server retransmit 4-71 radius-server timeout 4-72 show radius-server 4-72

TACACS+ Client 4-73

tacacs-server host 4-73 tacacs-server port 4-73 tacacs-server key 4-74 show tacacs-server 4-74

Port Security Commands 4-75

port security 4-75

802.1x Port Authentication 4-76 authentication dot1x default 4-77 dot1x default 4-77 dot1x max-req 4-78 dot1x port-control 4-78 dot1x operation-mode 4-79 dot1x re-authenticate 4-79 dot1x re-authentication 4-80 dot1x timeout quiet-period 4-80 dot1x timeout re-authperiod 4-80 dot1x timeout tx-period 4-81 show dot1x 4-81

Access Control List Commands 4-83

IP ACLs 4-85

access-list ip 4-85 permit, deny (Standard ACL) 4-86 permit, deny (Extended ACL) 4-87 show ip access-list 4-89 access-list ip mask-precedence 4-89 mask (IP ACL) 4-90 show access-list ip mask-precedence 4-93 ip access-group 4-94 show ip access-group 4-94 map access-list ip 4-95 show map access-list ip 4-96

Page 12

Contents

match access-list ip 4-96 show marking 4-97

MAC ACLs 4-98

access-list mac 4-98 permit, deny (MAC ACL) 4-99 show mac access-list 4-100 access-list mac mask-precedence 4-101 mask (MAC ACL) 4-102 show access-list mac mask-precedence 4-104 mac access-group 4-104 show mac access-group 4-105 map access-list mac 4-105 show map access-list mac 4-106 match access-list mac 4-106

ACL Information 4-107

show access-list 4-107 show access-group 4-108

SNMP Commands 4-108

snmp-server community 4-109 snmp-server contact 4-110 snmp-server location 4-110 snmp-server host 4-111 snmp-server enable traps 4-112 show snmp 4-113 snmp-server 4-114 snmp-server engine-id 4-114 show snmp engine-id 4-115 snmp-server view 4-115 show snmp view 4-116 snmp-server group 4-117 show snmp group 4-117 snmp-server user 4-119 show snmp user 4-119

DHCP Commands 4-120

DHCP Client 4-120

ip dhcp client-identifier 4-120 ip dhcp restart client 4-121

DNS Commands 4-122

ip host 4-122 clear host 4-123 ip domain-name 4-123 ip domain-list 4-124 ip name-server 4-125 ip domain-lookup 4-126 show hosts 4-127

xii

Page 13

Contents

show dns 4-127 show dns cache 4-128 clear dns cache 4-128

Interface Commands 4-129

interface 4-130 description 4-131 speed-duplex 4-131 negotiation 4-132 capabilities 4-133 flowcontrol 4-134 combo-forced-mode 4-135 shutdown 4-135 switchport broadcast packet-rate 4-136 clear counters 4-137 show interfaces status 4-138 show interfaces counters 4-139 show interfaces switchport 4-140

Mirror Port Commands 4-141

port monitor 4-141 show port monitor 4-142

AMAP Configuration 4-143

amap enable 4-144 amap run 4-144 amap discovery timer 4-144 amap common timer 4-145 show amap 4-145

Rate Limit Commands 4-146

rate-limit 4-146

Link Aggregation Commands 4-147

channel-group 4-148 lacp 4-149 lacp system-priority 4-150 lacp admin-key (Ethernet Interface) 4-151 lacp admin-key (Port Channel) 4-152 lacp port-priority 4-153 show lacp 4-153

Address Table Commands 4-157

mac-address-table static 4-157 clear mac-address-table dynamic 4-158 show mac-address-table 4-158 mac-address-table aging-time 4-159 show mac-address-table aging-time 4-160

Spanning Tree Commands 4-160

spanning-tree 4-161 spanning-tree mode 4-162

xiii

Page 14

Contents

spanning-tree forward-time 4-163 spanning-tree hello-time 4-164 spanning-tree max-age 4-164 spanning-tree priority 4-165 spanning-tree pathcost method 4-166 spanning-tree transmission-limit 4-166 spanning-tree mst-configuration 4-167 mst vlan 4-167 mst priority 4-168 name 4-169 revision 4-169 max-hops 4-170 spanning-tree spanning-disabled 4-171 spanning-tree cost 4-171 spanning-tree port-priority 4-172 spanning-tree edge-port 4-172 spanning-tree portfast 4-173 spanning-tree link-type 4-174 spanning-tree mst cost 4-175 spanning-tree mst port-priority 4-176 spanning-tree protocol-migration 4-176 show spanning-tree 4-177 show spanning-tree mst configuration 4-178

VLAN Commands 4-179

Editing VLAN Groups 4-179

vlan database 4-180 vlan 4-180

Configuring VLAN Interfaces 4-181

interface vlan 4-181 switchport mode 4-182 switchport acceptable-frame-types 4-183 switchport ingress-filtering 4-183 switchport native vlan 4-184 switchport allowed vlan 4-185 switchport forbidden vlan 4-186

Displaying VLAN Information 4-187

show vlan 4-187

Configuring Protocol-based VLANs 4-187

protocol-vlan protocol-group (Configuring Groups) 4-188 protocol-vlan protocol-group (Configuring Interfaces) 4-189 show protocol-vlan protocol-group 4-190 show interfaces protocol-vlan protocol-group 4-190

Configuring Private VLANs 4-191

pvlan 4-191 show pvlan 4-192

xiv

Page 15

Contents

GVRP and Bridge Extension Commands 4-192

bridge-ext gvrp 4-193 show bridge-ext 4-193 switchport gvrp 4-194 show gvrp configuration 4-194 garp timer 4-195 show garp timer 4-196

Priority Commands 4-197

Priority Commands (Layer 2) 4-197

switchport priority default 4-197 queue mode 4-198 queue bandwidth 4-199 queue cos-map 4-200 show queue mode 4-201 show queue bandwidth 4-201 show queue cos-map 4-202

Priority Commands (Layer 3 and 4) 4-202

map ip port (Global Configuration) 4-203 map ip port (Interface Configuration) 4-203 map ip precedence (Global Configuration) 4-204 map ip precedence (Interface Configuration) 4-204 map ip dscp (Global Configuration) 4-205 map ip dscp (Interface Configuration) 4-206 map access-list ip 4-207 show map ip port 4-208 show map ip precedence 4-208 show map ip dscp 4-209

Quality of Service Commands 4-210

class-map 4-211 match 4-212 policy-map 4-213 class 4-214 set 4-214 police 4-215 service-policy 4-216 show class-map 4-216 show policy-map 4-217 show policy-map interface 4-217

Multicast Filtering Commands 4-218

IGMP Snooping Commands 4-218

ip igmp snooping 4-218 ip igmp snooping vlan static 4-219 ip igmp snooping version 4-220 show ip igmp snooping 4-220 show mac-address-table multicast 4-221

Page 16

Contents

IGMP Query Commands (Layer 2) 4-222

ip igmp snooping querier 4-222 ip igmp snooping query-count 4-222 ip igmp snooping query-interval 4-223 ip igmp snooping query-max-response-time 4-224 ip igmp snooping router-port-expire-time 4-224

Static Multicast Routing Commands 4-225

ip igmp snooping vlan mrouter 4-225 show ip igmp snooping mrouter 4-226

IP Interface Commands 4-227

Basic IP Configuration 4-227

ip address 4-227 ip default-gateway 4-228 ip dhcp restart 4-229 show ip interface 4-229 show ip redirects 4-230 ping 4-230

Appendix A: Software Specifications A-1

Software Features A-1 Management Features A-2 Standards A-2 Management Information Bases A-3

Appendix B: Troubleshooting B-1

Glossary

Index

xvi

Page 17

Tables

Table 1-1. Key Features 1-1 Table 1-2. System Defaults 1-5 Table 3-4. Main Menu 3-3 Table 3-2. Configuration Options 3-3 Table 3-1. SNMPv3 Security Models and Levels 3-32 Table 3-22. Compatible Operating Systems 3-45 Table 3-30. 802.1X Statistics 3-59 Table 3-45. LACP Port Counters Information 3-85 Table 3-47. LACP Settings - Local Side 3-86 Table 3-49. LACP Settings - Remote Side 3-88 Table 3-54. Displaying Port Statistics 3-94 Table 3-85. Mapping CoS Values to Egress Queues 3-141 Table 3-86. Priority Levels 3-141 Table 3-91. Mapping IP Precedence 3-146 Table 3-93. Mapping DSCP Priority 3-147 Table 3-95. Mapping CoS Values to ACLs 3-150 Table 4-1. Command Modes 4-5 Table 4-2. Configuration Command Modes 4-7 Table 4-3. Keystroke Commands 4-7 Table 4-4. Command Groups 4-9 Table 4-5. Line Commands 4-10 Table 4-6. General Commands 4-19 Table 4-7. System Management Commands 4-23 Table 4-8. Device Designation Commands 4-24 Table 4-9. User Access Commands 4-25 Table 4-10. User Access Levels 4-26 Table 4-11. IP Filter Commands 4-27 Table 4-12. Web Server Commands 4-29 Table 4-13. Compatible Operating Systems 4-31 Table 4-14. Secure Shell Commands 4-32 Table 4-15. Secure Shell Information 4-39 Table 4-16. Event Logging Commands 4-41 Table 4-17. Logging Messages 4-42 Table 4-19. Remote Logging Parameters 4-46 Table 4-20. SMTP Alert Commands 4-46 Table 4-18. System Logging Parameters 4-46 Table 4-21. Time Commands 4-50 Table 4-22. System Status Commands 4-54 Table 4-23. Frame Size Commands 4-61 Table 4-24. Flash/File Commands 4-62 Table 4-25. File Directory 4-65 Table 4-26. Authentication Commands 4-67

xvii

Page 18

Tables

Table 4-27. Authentication Sequence 4-67 Table 4-28. RADIUS Commands 4-70 Table 4-29. TACACS+ Commands 4-73 Table 4-30. Port Security Commands 4-75 Table 4-31. 802.1X Port Authentication Commands 4-76 Table 4-32. ACL Information 4-84 Table 4-33. IP ACLs 4-85 Table 4-34. Priority Queue Mapping 4-95 Table 4-35. MAC ACLs 4-98 Table 4-36. Priority Queue Mapping 4-105 Table 4-37. ACL Information 4-107 Table 4-38. SNMP Commands 4-108 Table 4-1. SNMP Engine ID 4-115 Table 4-2. SNMP View 4-116 Table 4-3. SNMP Group 4-118 Table 4-4. SNMP User 4-120 Table 4-39. DHCP Clients 4-120 Table 4-40. DNS Commands 4-122 Table 4-41. DNS Cache 4-128 Table 4-42. Interface Commands 4-129 Table 4-43. Interfaces Switchport Parameters 4-140 Table 4-44. Mirror Port Commands 4-141 Table 4-45. AMAP Commands 4-143 Table 4-46. Rate Limit Commands 4-146 Table 4-47. Linnk Aggregation Commands 4-147 Table 4-48. LACP Counters 4-154 Table 4-49. LACPDUs 4-155 Table 4-50. LACP Neighbours Information 4-156 Table 4-51. LACP System ID 4-156 Table 4-52. Address Table Commands 4-157 Table 4-53. Spanning Tree Commands 4-160 Table 4-54. VLAN Commands 4-179 Table 4-55. Editing VLAN Groups 4-179 Table 4-56. Configuring VLAN Interfaces 4-181 Table 4-57. Displaying VLAN Information 4-187 Table 4-58. Protocol VLANs 4-188 Table 4-59. Configuring Private VLAN Groups 4-191 Table 4-60. GVRP and Bridge Extension Commands 4-192 Table 4-61. Priority Commands 4-197 Table 4-62. Priority Commands (Layer 2) 4-197 Table 4-63. Priority Queue Mapping 4-200 Table 4-64. Priority Commands (Layer 3 and 4) 4-202 Table 4-65. Mapping IP Precedence 4-205 Table 4-66. Mapping IP DSCP Precedence 4-206 Table 4-5. Mapping CoS Values to ACL Rules 4-207

xviii

Page 19

Table 4-67. Quality of Service Commands 4-210 Table 4-68. Multicast Filtering Commands 4-218 Table 4-69. IGMP Snooping Commands 4-218 Table 4-70. IGMP Query Commands (Layer 2) 4-222 Table 4-71. Static Multicast Routing Commands 4-225 Table 4-72. IP Configuration 4-227 Table B-1. Troubleshooting Chart B-1

xix

Page 20

Tables

Page 21

Figures

Figure 3-1. Home Page 3-2 Figure 3-3. Ports Panel 3-3 Figure 3-5. System Information 3-9 Figure 3-6. Switch Information 3-10 Figure 3-7. Bridge Exentsion Configuration 3-12 Figure 3-8. IP Configuration 3-13 Figure 3-9. Selecting DHCP Mode 3-14 Figure 3-10. Enabling Jumbo Frame Support 3-15 Figure 3-11. Transfering an Operation Code Image File from a Server 3-16 Figure 3-12. Selecting the Start-up Operation Code Image File 3-16 Figure 3-13. Transfering a Configuration File from a Server 3-17 Figure 3-14. Setting the Start-up Configuration File 3-18 Figure 3-1. Console Port Settings 3-20 Figure 3-2. Telnet Settings 3-22 Figure 3-3. Logging Information 3-24 Figure 3-4. Enabling System Logging 3-25 Figure 3-5. Enabling Remote Logging and Adding Host IP Addresses 3-26 Figure 3-6. Enabling and Configuring SMTP Alerts 3-28 Figure 3-15. Resetting the System 3-29 Figure 3-16. SNTP Configuration 3-30 Figure 3-17. Clock Time Zone 3-31 Figure 3-7. Enabling the SNMP Agent 3-33 Figure 3-18. SNMP Configuration 3-34 Figure 3-19. Configuring SNMP Trap Managers 3-35 Figure 3-8. Setting an Engine ID 3-36 Figure 3-9. Configuring SNMPv3 Users 3-37 Figure 3-10. Configuring SNMPv3 Groups 3-39 Figure 3-11. Configuring SNMPv3 Views 3-40 Figure 3-20. Setting Passwords 3-42 Figure 3-21. Authentication Settings 3-44 Figure 3-23. HTTPS Settings 3-46 Figure 3-24. Secure Shell Host-Key Settings 3-50 Figure 3-25. Secure Shell Server Settings 3-51 Figure 3-26. Configuring Port Security 3-53 Figure 3-27. 802.1X Information 3-55 Figure 3-28. 802.1X Configuration 3-57 Figure 3-29. 802.1X Port Configuration 3-59 Figure 3-31. 802.1X Statistics 3-60 Figure 3-32. ACL Configuration 3-62 Figure 3-33. Configuring a Standard ACL 3-63 Figure 3-34. Configuring an Extended ACL 3-65 Figure 3-35. Configuring a MAC ACL 3-67

xxi

Page 22

Figures

Figure 3-36. ACL Mask Configuration 3-68 Figure 3-37. ACL IP Mask Configuration 3-70 Figure 3-38. ACL MAC Mask Configuration 3-71 Figure 3-39. ACL Port Binding 3-73 Figure 3-12. Filtering IP Addresses 3-74 Figure 3-40. Port Information 3-75 Figure 3-41. Port Configuration 3-78 Figure 3-42. Trunk Membership 3-80 Figure 3-43. LACP Configuration 3-82 Figure 3-44. LACP Aggregation Port Settings 3-84 Figure 3-46. LACP Port Counters Information 3-86 Figure 3-48. LACP Settings - Local Side 3-87 Figure 3-50. LACP Port Settings - Remote Side 3-89 Figure 3-51. Port Broadcast Control 3-90 Figure 3-52. Mirror Port Configuration 3-92 Figure 3-53. Output Rate Limit Port Configuration 3-93 Figure 3-55. Displaying Port Statistics 3-97 Figure 3-56. AMAP Settings 3-99 Figure 3-57. AMAP Information 3-100 Figure 3-58. Setting a Static Address Table 3-101 Figure 3-59. Setting a Dynamic Address Table 3-102 Figure 3-60. Address Aging 3-103 Figure 3-61. Spanning Tree BPDUs 3-103 Figure 3-62. STA Information 3-106 Figure 3-63. STA Configuration 3-110 Figure 3-64. STA Port Roles 3-112 Figure 3-65. STA Port Information 3-113 Figure 3-66. STA Port Configuration 3-116 Figure 3-67. MSTP Vlan Configuration 3-117 Figure 3-68. MSTP Port Information 3-119 Figure 3-69. MSTP Port Configuration 3-122 Figure 3-70. Tagged and Untagged Frames 3-123 Figure 3-71. Port Based VLANs 3-125 Figure 3-72. GVRP Status 3-126 Figure 3-73. Basic VLAN Information 3-126 Figure 3-74. VLAN Current Table 3-128 Figure 3-75. VLAN Static List 3-129 Figure 3-76. VLAN Static Table 3-131 Figure 3-77. VLAN Static Membership by Port 3-132 Figure 3-78. VLAN Port Configuration 3-134 Figure 3-79. Configuring PVLANs 3-135 Figure 3-80. PVLAN Status 3-135 Figure 3-81. PVLAN Link Status 3-136 Figure 3-82. Protocol VLAN Configuration 3-137 Figure 3-83. Protocol VLAN Port Configuration 3-138

xxii

Page 23

Figures

Figure 3-84. Port Priority Configuration 3-140 Figure 3-87. Traffic Classes 3-142 Figure 3-88. Selecting the Queue Mode 3-143 Figure 3-89. Queue Scheduling 3-144 Figure 3-90. IP Precedence/DSCP Priority Status 3-145 Figure 3-92. Assigning CoS Values to IP Precedence 3-146 Figure 3-94. Mapping IP DSCP Priority 3-148 Figure 3-13. Globally Enabling the IP Port Priority Status 3-149 Figure 3-14. Mapping Switch Ports and Trunks to IP TCP/UDP Priority 3-149 Figure 3-96. ACL CoS Priority 3-151 Figure 3-97. ACL Marker 3-152 Figure 3-98. Configuring Class Maps 3-155 Figure 3-99. Configuring Policy Maps 3-158 Figure 3-100. Service Policy Settings 3-159 Figure 3-101. IGMP Configuration 3-162 Figure 3-102. Multicast Router Port Information 3-163 Figure 3-103. Static Multicast Router Port Configuration 3-164 Figure 3-104. IP Multicast Registration Table 3-165 Figure 3-105. IGMP Member Port Table 3-166 Figure 3-106. DNS Configuration 3-168 Figure 3-107. DNS Static Host Table 3-170 Figure 3-108. Displaying the DNS Cache 3-171

xxiii

Page 24

Figures

xxiv

Page 25

Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.

Key Features

Table 1-1. Key Features

Feature Description

Configuration Backup and Restore

Authentication Console, Telnet, web – User name / password, RADIUS, TACACS+

Access Control Lists Supports up to 32 IP or MAC ACLs DHCP Client Supported DNS Server Supported Port Configuration Speed, duplex mode and flow control Rate Limiting Input and output rate limiting per port Port Mirroring One or more ports mirrored to single analysis port Port Trunking Supports up to 6 trunks using either static or dynamic trunking (LACP) Broadcast Storm

Control Static Address Up to 16K MAC addresses in the forwarding table IEEE 802.1D Bridge Supports dynamic data switching and addresses learning Store-and-Forward

Switching Spanning Tree

Protocol Virtual LANs Up to 255 using IEEE 802.1Q, port-based, protocol-based, or private VLANs Traffic Prioritization Default port priority, traffic class map, queue scheduling, IP Precedence, or

QoS Supports Quality of Service (QoS) Multicast Filtering Supports IGMP snooping and query

Backup to TFTP server

Web – HTTPS; Telnet – SSH SNMP version 3 – MD5 or SHA password Port – IEEE 802.1x, MAC address filtering

Supported

Supported to ensure wire-speed switching while eliminating bad frames

Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)

Differentiated Services Code Point (DSCP)

1-1

Page 26

Introduction

Table 1-1. Key Features

Feature Description

AMAP Configures Alcatel Mapping Adjacency Protocol (AMAP) parameters and displays

information on attached AMAP-aware devices

Description of Software Features

The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Port-based and protocol-based VLANs, plus support for automatic GVRP VLAN registration provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network. While multicast filtering provides support for real-time network applications. Some of the management features are briefly described below.

Configuration Backup and Restore – You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings.

Authentication – This switch authenticates management access via the console port, Telnet or web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1x protocol. This protocol uses the Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1x client, and then verifies the client’s right to access the network via an authentication server.

Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, IP address filtering for SNMP/web/Telnet management access, and MAC address filtering for port access.

Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can by used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.

Port Configuration – You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard.

1-2

Page 27

Description of Software Features

Rate Limiting – This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.

Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.

Port Trunking – Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using IEEE 802.3ad Link Aggregation Control Protocol (LACP). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 6 trunks.

Broadcast Storm Control – Broadcast suppression prevents broadcast traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.

Static Addresses – A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.

IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses.

Store-and-Forward Switching – The switch copies each frame into its memory before forwarding them to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth.

To avoid dropping frames on congested ports, the switch provides 1 MB for frame buffering. This buffer can queue packets awaiting transmission on congested networks.

Spanning Tree Protocol – The switch supports these spanning tree protocols:

Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol adds a level of fault tolerance by allowing two or more redundant connections to be created between a pair of LAN segments. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.

Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to about 10% of that required by the

1-3

Page 28

Introduction

older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.

Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).

Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically learned via GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can:

• Eliminate broadcast storms which severely degrade performance in a flat network.

• Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection.

• Provide data security by restricting all traffic to the originating VLAN.

• Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.

Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using eight priority queues with strict or Weighted Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can independent priorities for delay-sensitive data and best-effort data.

This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the priority bits in the IP frame’s Type of Service (ToS) octet. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.

Quality of Service – Differentiated Services (DiffServ) provides policy-based

management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.

be used to provide

1-4

Page 29

System Defaults

Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration.

AMAP – The AMAP protocol enables a switch to discover the topology of other AMAP-aware devices in the network. The protocol allows each switch to determine if other AMAP-aware switches are adjacent to it.

System Defaults

The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-18).

The following table lists some of the basic system defaults.

Table 1-2. System Defaults

Function Parameter Default

Console Port Connection

Authentication Privileged Exec Level Username “admin”

Web Management HTTP Server Enabled

Baud Rate auto Data bits 8 Stop bits 1 Parity none Local Console Timeout 0 (disabled)

Password “admin”

Normal Exec Level Username “guest”

Enable Privileged Exec from Normal Exec Level

RADIUS Authentication Disabled TACACS Authentication Disabled

802.1x Port Authentication Disabled HTTPS Enabled SSH Enabled Port Security Disabled

HTTP Port Number 80 HTTP Secure Server Enabled HTTP Secure Port Number 443

Password “guest” Password “super”

1-5

Page 30

Introduction

Table 1-2. System Defaults

Function Parameter Default

SNMP Community Strings “public” (read only)

Traps Authentication traps: enabled

IP Filtering Dis abl ed

Port Configuration Admin Status Enabled

Auto-negotiation Enabled Flow Control Disabled Port Capability 1000BASE-T –

AMAP Status Enabled

Common Phase Timeout Interval 300 seconds

Discovery Phase Timeout Interval 30 seconds Rate Limiting Input and output limits Disabled Port Trunking Static Trunks None

LACP (all ports) Disabled Broadcast Storm

Protection

Spanning Tree Protocol

Address Table Aging Time 300 seconds

Status Enabled (all ports)

Broadcast Limit Rate 500 packets per second

Status Enabled, MSTP

Fast Forwarding (Edge Port) Disabled

“private” (read/write)

Link-up-down events: enabled

10 Mbps half duplex 10 Mbps full duplex 100 Mbps half duplex 100 Mbps full duplex 1000 Mbps full duplex Full-duplex flow control disabled Symmetric flow control disabled

1000BASE-SX/LX/LH – 1000 Mbps full duplex Full-duplex flow control disabled Symmetric flow control disabled

(Defaults: All values based on IEEE 802.1s)

1-6

Page 31

Table 1-2. System Defaults

Function Parameter Default

Virtual LANs Default VLAN 1

PVID 1 Acceptable Frame Type All Ingress Filtering Disabled Switchport Mode (Egress Mode) Hybrid: tagged/untagged frames GVRP (global) Disabled GVRP (port interface) Disabled

Traffic Prioritization Ingress Port Priority 0

Weighted Round Robin Queue: 0 1 2 3 4 5 6 7

Priority: 2 0 1 3 4 5 6 7 IP Precedence Priority Disabled IP DSCP Priority Disabled

IP Settings IP Address 0.0.0.0

Subnet Mask 255.0.0.0 Default Gateway 0.0.0.0 DHCP Client: Disabled BOOTP Disabled

DNS Server Lookup Disabled Multicast Filtering IGMP Snooping Snooping: Enabled

Querier: Enabled

System Log Status Enabled

Messages Logged Levels 0-7 (all) Messages Logged to Flash Levels 0-3

SMTP Email Alerts Event Handler Disabled SNTP Clock Synchronization Disabled

System Defaults

1-7

Page 32

Introduction

1-8

Page 33

Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

Note: The IP address for this switch is unassigned by default. To change this address,

see “Setting an IP Address” on page 2-4.

The switch’s HTTP Web agent allows you to configure switch parameters, monitor port connections, and display statistics using a standard Web browser such as Netscape Navigator version 6.2 and higher or Microsoft IE version 5.0 and higher. The switch’s Web management interface can be accessed from any computer attached to the network.

The CLI program can be accessed by a direct connection to the RS-232 serial console port on the switch, or remotely by a Telnet connection over the network.

The switch’s management agent also supports SNMP (Simple Network Management Protocol). This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP OpenView.

The switch’s Web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions:

• Set user names and passwords for up to 16 users

• Set an IP interface for a management VLAN

• Configure SNMP parameters

• Enable/disable any port

• Set the speed/duplex mode for any port

• Configure the bandwidth of any port by limiting input or output rates

• Configure up to 255 IEEE 802.1Q VLANs

• Enable GVRP automatic VLAN registration

• Configure IGMP multicast filtering

• Upload and download system firmware via TFTP

• Upload and download switch configuration files via TFTP

• Configure Spanning Tree parameters

• Configure Class of Service (CoS) priority queuing

• Configure up to 6 static or LACP trunks

• Enable port mirroring

2-1

Page 34

Initial Configuration

• Set broadcast storm control on any port

• Display system information and statistics

Required Connections

The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch.

Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.

To connect a terminal to the console port, complete the following steps:

1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector.

2. Connect the other end of the cable to the RS-232 serial port on the switch.

3. Make sure the terminal emulation software is set as follows:

• Select the appropriate serial port (COM port 1 or COM port 2).

• Set to any of the following baud rates: 9600, 19200, 38400, 57600, 115200

(Note: Set to 9600 baud if want to view all the system initialization messages.)

• Set the data format to 8 data bits, 1 stop bit, and no parity.

• Set flow control to none.

• Set the emulation mode to VT100.

• When using HyperTerminal, select Terminal keys, not Windows keys.

Notes: 1. When using HyperTerminal with Microsoft® Windows® 2000, make sure that

you have Windows 2000 Service Pack 2 or later installed. Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal’s VT100 emulation. See www.microsoft.com for information on Windows 2000 service packs.

2. Refer to “Line Commands” on page 4-10 for a complete description of console configuration options.

3. Once you have set up the terminal correctly, the console login screen will be displayed.

For a description of how to use the CLI, see “Using the Command Line Interface” on page 4-1. For a list of all the CLI commands and detailed information on using the CLI, refer to “Command Groups” on page 4-9.

2-2

Page 35

Basic Configuration

Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol.

The IP address for this switch is unassigned by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4.

Note: This switch supports four concurrent Telnet or SSH sessions.

After configuring the switch’s IP parameters, you can access the onboard configuration program from anywhere within the attached network. The onboard configuration program can be accessed using Telnet from any computer attached to the network. The switch can also be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above), or from a network computer using SNMP network management software.

Note: The onboard program only provides access to basic configuration functions. To

access the full range of SNMP management functions, you must use SNMP-based network management software.

Basic Configuration

Console Connection

The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities. To fully configure the switch parameters, you must access the CLI at the Privileged Exec level.

Access to both CLI levels are controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps:

1. To initiate your console connection, press <Enter>. The “User Access Verification” procedure starts.

2. At the Username prompt, enter “admin.”

3. At the Password prompt, enter “switch.” (The password characters are not displayed on the console screen.)

4. The session is opened and the CLI displays the “Console#” prompt indicating you have access at the Privileged Exec level.

2-3

Page 36

Initial Configuration

Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new

passwords for both default user names using the “username” command, record them and put them in a safe place.

Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name “admin” and password “switch” to access the Privileged Exec level.

2. Type “configure” and press <Enter>.

3. Type “username guest password 0 password,” for the Normal Exec level, where password is your new password. Press <Enter>.

4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.

Username: admin Password: switch

CLI session with the OmniStack 6300 is opened.

To end the CLI session, enter [Exit].

Console#configure Console(config)#username guest password 0 [password] Console(config)#username admin password 0 [password] Console(config)#

Setting an IP Address

You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:

Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.

Dynamic — The switch sends IP configuration requests to BOOTP or DHCP address allocation servers on the network.

Manual Configuration

You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.

Note: The IP address for this switch is unassigned by default.

2-4

Page 37

Basic Configuration

Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:

• IP address for the switch

• Default gateway for the network

• Network mask for this network

To assign an IP address to the switch, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.

2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask” is the network mask for the network. Press <Enter>.

3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.

4. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press <Enter>.

Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.5 255.255.255.0 Console(config-if)#exit Console(config)#ip default-gateway 192.168.1.254 Console(config)#

Dynamic Configuration

If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until a BOOTP or DHCP reply has been received. You therefore need to use the “ip dhcp restart client” command to start broadcasting service requests. Requests will be sent periodically in an effort to obtain IP configuration information. (BOOTP and DHCP values can include the IP address, subnet mask, and default gateway.)

If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on.

To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:

1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.

2. At the interface-configuration mode prompt, use one of the following commands:

• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.

• To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.

3. Type “end” to return to the Privileged Exec mode. Press <Enter>.

4. Type “ip dhcp restart client” to begin broadcasting service requests. Press <Enter>.

2-5

Page 38

Initial Configuration

5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.

6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.

Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end Console#ip dhcp restart client Console#show ip interface IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: User specified. Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.

\Write to FLASH finish. Success.

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as HP OpenView. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps.

When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred.

Community Strings

Community strings are used to control management access to SNMP stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users or user groups, and set the access level.

The default strings are:

• public - with read-only access. Authorized management stations are only able to

retrieve MIB objects.

• private - with read-write access. Authorized management stations are able to both

retrieve and modify MIB objects.

Note: If you do not intend to utilize SNMP, we recommend that you delete both of the

default community strings. If there are no community strings, then SNMP management access to the switch is disabled.

To prevent unauthorized access to the switch via SNMP, it is recommended that you change the default community strings.

2-6

Page 39

Basic Configuration

To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)

2. To remove an existing string, simply type “no snmp-server community string,” where “string” is the community access string to remove. Press <Enter>.

Console(config)#snmp-server community admin rw Console(config)#snmp-server community private Console(config)#

Trap Recei vers

You can also specify SNMP stations that are to receive traps from the switch.

To configure a trap receiver, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “snmp-server host host-address community-string,” where “host-address” is the IP address for the trap receiver and “community-string” is the string associated with that host. Press <Enter>.

2. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server enable traps command. Type “snmp-server enable traps type,” where “type” is either authentication or link-up-down. Press <Enter>.

Console(config)#snmp-server enable traps link-up-down Console(config)#

Saving Configuration Settings

Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the “copy” command.

To save the current configuration settings, enter the following command:

1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>.

2-7

Page 40

Initial Configuration

2. Enter the name of the start-up file. Press <Enter>.

Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.

\Write to FLASH finish. Success.

Console#

Managing System Files

The switch’s flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.

The three types of files are:

• Configuration — This file stores system configuration information and is created when configuration settings are saved. Saved configuration files can be selected as a system start-up file or can be uploaded via TFTP to a server for backup. A file named “Factory_Default_Config.cfg” contains all the system default settings and cannot be deleted from the system. See “Saving or Restoring Configuration Settings” on page 3-17 for more information.

• Operation Code — System software that is executed after boot-up, also known as run-time code. This code runs the switch operations and provides the CLI and Web management interfaces. See “Managing Firmware” on page 3-15 for more information.

• Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test).

Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows.

In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.

Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.

2-8

Page 41

Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP Web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).

Note: You can also use the Command Line Interface (CLI) to manage the switch over a

serial connection to the console port or via Telnet. For more information on using the CLI, refer to Chapter 4: “Command Line Interface.”

Prior to accessing the switch from a Web browser, be sure you have first performed the following tasks:

1. Configure the switch with a valid IP address, subnet mask, and default gateway

using an out-of-band serial connection, BOOTP or DHCP protocol. (See “Setting an IP Address” on page 2-4.)

2. Set user names and passwords using an out-of-band serial connection. Access

to the Web agent is controlled by the same user names and passwords as the onboard configuration program. (See “Setting Passwords” on page 2-4.)

3. After you enter a user name and password, you will have access to the system

configuration program.

Notes: 1. You are allowed three attempts to enter the correct password; on the third

failed attempt the current connection is terminated.

2. If you log into the Web interface as guest (Normal Exec level), you can view

the configuration settings or change the guest password. If you log in as “admin” (Privileged Exec level), you can change the settings on any page.

3. If the path between your management station and this switch does not pass

through any device that uses the Spanning Tree Algorithm, then you can set the switch port attached to your management station to fast forwarding (i.e., enable Admin Edge Port) to improve the switch’s response time to management commands issued through the web interface. See “Configuring Interface Settings” on page 3-114.

3-1

Page 42

Configuring the Switch

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”

Home Page

When your web browser connects with the switch’s web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics.

Figure 3-1. Home Page

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the “Apply” or “Apply Changes” button to confirm the new setting. The following table summarizes the web page configuration buttons.

3-2

Page 43

Navigating the Web Browser Interface

Table 3-2. Configuration Options

Button Action

Revert Cancels specified values and restores current values prior to

pressing “Apply” or “Apply Changes.” Refresh Immediately updates values for the current page. Apply S ets specified values to the system. Apply Changes Sets specified values to the system.

Notes: 1. To ensure proper screen refresh, be sure that Internet Explorer 5.x is

configured as follows: Under the menu “Tools / Internet Options / General / Temporary Internet Files / Settings,” the setting for item “Check for newer versions of stored pages” should be “Every visit to the page.”

2. When using Internet Explorer 5.0, you may have to manually refresh the

screen after making configuration changes by pressing the browser’s refresh button.

Panel Display

The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex, or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-77.

Figure 3-3. Ports Panel

Main Menu

Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.

Table 3-4. Main Menu

Menu Description Page

System 3-8

System Information Provides basic system description, including contact information 3-8 Switch Information Shows the number of ports, hardware/firmware version

numbers, and power status Bridge Extension Shows the bridge extension parameters 3-11 IP Configuration Sets the IP address for management access 3-12

3-10

3-3

Page 44

Configuring the Switch

Table 3-4. Main Menu

Menu Description Page

Jumbo Frame Enables jumbo frame support 3-15

File 3-16

Firmware Manages code image files 3-16 Configuration Manages switch configuration files 3-17

Line 3-18

Console Sets console port connection parameters 3-18 Telnet Sets telnet connection parameters 3-21

Log 3-23

Logs Stores and displays error messages 3-24 System Logs Sends error messages to a logging process 3-24 Remote Logs Configures the logging of messages to a remote logging process 3-25 SMTP Sends an SMTP client message to a participating server 3-27

Reset Restarts the switch 3-29

SNTP 3-29

Configuration Configures SNTP client settings, including broadcast mode or a

Clock Time Zone Sets the local time zone for the system clock 3-31

SNMP 3-31

Configuration Configures community strings and related trap functions 3-33 Agent Status Allows SNMP to be enabled or disabled 3-34 SNMPv3 3-35

Engine ID Sets the SNMP v3 engine ID 3-35 Users Configures SNMP v3 users 3-36 Groups Configures SNMP v3 groups 3-38 Views Configures SNMP v3 views 3-40

Security 3-25

Passwords Assigns a new password for the current user 3-41 Authentication Settings Configures authentication sequence, RADIUS and TACACS 3-42 HTTPS Settings Configures secure HTTP settings 3-45 SSH 3-47

Settings Configures Secure Shell server settings 3-51 Host-Key Settings Generates the host key pair (public and private) 3-49

specified list of servers

3-30

3-4

Page 45

Navigating the Web Browser Interface

Table 3-4. Main Menu

Menu Description Page

Port Security Configures per port security, including status, response for

security breach, and maximum allowed MAC addresses

802.1x Port authentication 3-54 Information Displays global configuration settings 3-55 Configuration Configures protocol parameters 3-57 Port Configuration Sets the authentication mode for individual ports 3-58 Statistics Displays protocol statistics for the selected port 3-59

ACL 3-61

Configuration Configures packet filtering based on IP or MAC addresses 3-61 Mask Configuration Controls the order in which ACL rules are checked 3-68 Port Binding Binds a port to the specified ACL 3-72

IP Filtering Sets IP addresses of clients allowed management access via

the Web, SNMP, and Telnet

Port 3-75

Port Information Displays port connection status 3-75 Trunk Information Displays trunk connection status 3-75 Port Configuration Configures port connection settings 3-77 Trunk Configuration Configures trunk connection settings 3-77 Trunk Membership Specifies ports to group into static trunks 3-80 LACP 3-81

Configuration Allows ports to dynamically join trunks 3-81 Aggregation Port Configures system priority, admin key, and port priority 3-83 Port Counters Information Displays statistics for LACP protocol messages 3-85 Port Internal Information Displays settings and operational state for local side 3-86 Port Neighbors Information Displays settings and operational state for remote side 3-88

Port Broadcast Control Sets the broadcast storm threshold for each port 3-90 Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 3-90 Mirror Port Configuration Sets the source and target ports for mirroring 3-91 Rate Limit 3-92

Input Port Configuration Sets the input rate limit for each port 3-92 Input Trunk Configuration Sets the input rate limit for each trunk 3-92 Output Port Configuration Sets the output rate limit for each port 3-92 Output TrunkConfiguration Sets the output rate limit for each trunk 3-92

3-52

3-73

3-5

Page 46

Configuring the Switch

Table 3-4. Main Menu

Menu Description Page

Port Statistics Lists Ethernet and RMON port statistics 3-93

Alcatel 3-98

AMAP Alcatel Mapping Adjacency Protocol (AMAP) 3-98

Settings Configures AMAP parameters 3-98 Information Displays information on attached AMAP-aware devices 3-99

Address Table 3-80

Static Addresses Displays entries for interface, address or VLAN 3-100 Dynamic Addresses Displays or edits static entries in the Address Table 3-101 Address Aging Sets timeout for dynamically learned entries 3-102

Spanning Tree 3-103

STA 3-103

Information Displays STA values used for the bridge 3-104 Configuration Configures global bridge settings for STA, RSTP and MSTP 3-107 Port Information Displays individual port settings for STA 3-111 Trunk Information Displays individual trunk settings for STA 3-111 Port Configuration Configures individual port settings for STA 3-114 Trunk Configuration Configures individual trunk settings for STA 3-114

MSTP 3-116

VLAN Configuration Configures priority and VLANs for a spanning tree instance 3-116 Port Information Displays port settings for a specified MST instance 3-119 Trunk Information Displays trunk settings for a specified MST instance 3-119 Port Configuration Configures port settings for a specified MST instance 3-121 Trunk Configuration Configures trunk settings for a specified MST instance 3-121

VLAN 3-122

802.1Q VLAN 3-122 GVRP Status Enables GVRP VLAN registration protocol 3-125 Basic Information Displays information on the VLAN type supported by this switch 3-126 Current Table Shows the current port members of each VLAN and whether or

Static List Used to create or remove VLAN groups 3-129 Static Table Modifies the settings for an existing VLAN 3-130 Static Membership Configures membership type for interfaces, including tagged,

not the port is tagged or untagged

untagged or forbidden

3-127

3-132

3-6

Page 47

Navigating the Web Browser Interface

Table 3-4. Main Menu

Menu Description Page

Port Configuration Specifies default PVID and VLAN attributes 3-133 Trunk Configuration Specifies default trunk VID and VLAN attributes 3-133

Private VLAN 3-135

Status Enables or disables the private VLAN 3-135 Link Status Configures the private VLAN 3-136

Protocol VLAN 3-136

Configuration Creates a protocol group, specifying the supported protocols 3-137 Port Configuration Maps a protocol group to a VLAN 3-137

Priority 3-139

Default Port Priority Sets the default priority for each port 3-139 Default Trunk Priority Sets the default priority for each trunk 3-139 Traffic Classes Maps IEEE 802.1p priority tags to output queues 3-141 Traffic Classes Status Enables/disables traffic class priorities (not implemented) NA Queue Mode Sets queue mode to strict priority or Weighted Round-Robin 3-143 Queue Scheduling Configures Weighted Round Robin queueing 3-143 IP Precedence/

DSCP Priority Status IP Precedence Priority Sets IP Type of Service priority, mapping the precedence tag to

IP DSCP Priority Sets IP Differentiated Services Code Point priority, mapping a

IP Port Priority Status Globally enables or disabl es IP Port Priority 3-149 IP Port Priority Sets TCP/UDP port priority, defining the socket number and

ACL CoS Priority Sets the CoS value and corresponding output queue for packets

ACL Marker Change traffic priorities for frames matching an ACL rule 3-151

QoS 3-153

DiffServ Configure QoS classification criteria and se rvice policies 3-153

Class Map Creat es a class map for a type of traffic 3-154 Policy Map Creates a policy map for multiple interfaces 3-156 Service Policy Applies a policy map defined to the input or output of a particular

Globally selects IP Precedence or DSCP Priority, or disables both.

a class-of-service value

DSCP tag to a class-of-service value

associated class-of-service value

matching an ACL rule

interface

3-145

3-146

3-147

3-149

3-133

3-159

3-7

Page 48

Configuring the Switch

Table 3-4. Main Menu

Menu Description Page

IGMP Snooping 3-160

IGMP Configuration Enables multicast filtering; configures parameters for multicast

Multicast Router Port Information

Static Multicast Router Port Configuration

IP Multicast Registration Table

IGMP Member PortTable Indicates multicast addresses associated with the selected

DNS 3-166

General Configuration Enables DNS; configures domain name and domain list; and

Static Host Table Configures static entries for domain name to address mapping 3-169 Cache Displays cache entries discovered by designated name servers 3-171

query Displays the ports that are attached to a neighboring multicast

router for each VLAN ID Assigns ports that are attached to a neighboring multicast router 3-163

Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID

VLAN

specifies IP address of name servers for dynamic lookup

Basic Configuration

3-161

3-162

3-164

3-165

3-167

Displaying System Information

You can easily identify the system by displaying the device name, location and contact information.

Field Attributes

• System Name – Name assigned to the switch system.

• Object ID – MIB II object ID for switch’s network management subsystem.

• Location – Specifies the system location.

• Contact – Administrator responsible for the system.

• System Up Time – Length of time the management agent has been up.

These additional parameters are displayed for the CLI.

• MAC Address – The physical layer address for this switch.

• Web server – Shows if management access via HTTP is enabled.

• Web server port – Shows the TCP port number used by the web interface.

• Web secure server – Shows if management access via HTTPS is enabled.

• Web secure server port – Shows the TCP port used by the HTTPS interface.

• POST result – Shows results of the power-on self-test

3-8

Page 49

Basic Configuration

Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.)

Figure 3-5. System Information

CLI – Specify the hostname, location and contact information.

Console(config)#hostname R&D 5 4-25 Console(config)#snmp-server location WC 9 4-110 Console(config)#snmp-server contact Ted 4-110 Console(config)#end Console#show system 4-59 System description: OmniStack*24 10/100/1000 System OID string: 1.3.6.1.4.1.6486.800.1.1.2.1.5.1.1 System information System Up time: 0 days, 0 hours, 23 minutes, and 26.59 seconds System Name : R&D 5 System Location : WC 9 System Contact : Ted MAC address : 00-30-F1-99-B3-DB Web server : enable Web server port : 80 Web secure server : enable Web secure server port : 443 POST result

UART LOOP BACK Test..........PASS

DRAM Test....................PASS

Timer Test...................PASS

PCI Device 1 Test............PASS

PCI Device 2 Test............PASS

Switch Int Loopback test.....PASS

Done All Pass. Console#

3-9

Page 50

Configuring the Switch

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.

Field Attributes

Main Board

• Serial Number – The serial number of the switch.

• Number of Ports – Number of built-in RJ-45 ports and expansion ports.

• Hardware Version – Hardware version of the main board.

• Internal Power Status – Displays the status of the internal power supply.

• Redundant Power Status* – Displays the status of the redundant power supply.

* CLI only.

Management Software

• Loader Version – Version number of loader code.

• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.

• Operation Code Version – Version number of runtime code.

• Role – Shows that this switch is operating as Master (i.e., operating stand-alone).

Web – Click System, Switch Information.

3-10

Figure 3-6. Switch Information

Page 51

Basic Configuration

CLI – Use the following command to display version information.

Console#show version 4-60 Unit1 Serial number :A329025054 Hardware version :R01 Number of ports :24 Main power status :up Redundant power status :not present Agent(Primary) Unit id :1 Loader version :2.0.2.2 Boot rom version :2.0.2.2 Operation code version :10.31.23.17 Console#

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.

Field Attributes

• Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).

• Traffic Classes – This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Class of Service Configuration” on page 3-139.)

• Static Entry Individual Port – This switch allows static filtering for unicast and multicast addresses. (Refer to “Setting Static Addresses” on page 3-100.)

• VLAN Learning – This switch uses Independent VLAN Learning (IVL), where each port maintains its own filtering database.

• Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration” on page 3-122.)

• Local VLAN Capable – This switch supports multiple local bridges; i.e., multiple spanning trees. (Refer to “Configuring Multiple Spanning Trees” on page 3-116.)

• GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast groups. This switch does not support GMRP; it uses the Internet Group Management Protocol (IGMP) to provide automatic multicast filtering.

3-11

Page 52

Configuring the Switch

Web – Click System, Bridge Extension.

Figure 3-7. Bridge Exentsion Configuration

CLI – Enter the following command.

Console#show bridge-ext 4-193 Max support vlan numbers: 255 Max support vlan ID: 4094 Extended multicast filtering services: No Static entry individual port: Yes VLAN learning: IVL Configurable PVID tagging: Yes Local VLAN capable: Yes Traffic classes: Enabled Global GVRP status: Disabled GMRP: Disabled Console#

Setting the Switch’s IP Address

This section describes how to configure an IP interface for management access over the network. The IP address for this switch is unassigned by default. To manually configure an address, you need to change the switch’s default settings (IP address 0.0.0.0 and netmask 255.0.0.0) to values that are compatible with your network. You may also need to a establish a default gateway between the switch and management stations that exist on another network segment.

You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.

Command Attributes

• Management VLAN – ID of the configured VLAN (1-4094, no leading zeroes). By

default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.

3-12

Page 53

Basic Configuration

• IP Address Mode – Specifies whether IP functionality is enabled via manual configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. (DHCP/BOOTP values can include the IP address, subnet mask, and default gateway.)

• IP Address – Address of the VLAN interface that is allowed management access. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. (Default: 0.0.0.0)

• Subnet Mask – This mask identifies the host address bits used for routing to specific subnets. (Default: 255.0.0.0)

• Default Gateway – IP address of the gateway router between this device and management stations that exist on other network segments. (Default: 0.0.0.0)

• MAC Address – The physical layer address for this switch.

Manual Configuration

Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply.

Figure 3-8. IP Configuration

CLI – Specify the management interface, IP address and default gateway.

Console#config Console(config)#interface vlan 1 4-181 Console(config-if)#ip address 10.1.0.254 255.255.255.0 4-227 Console(config-if)#exit Console(config)#ip default-gateway 192.168.1.254 4-228 Console(config)#

3-13

Page 54

Configuring the Switch

Using DHCP/BOOTP

If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.

Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.

Figure 3-9. Selecting DHCP Mode

Note: If you lose your management connection, use a console connection and enter

“show ip interface” to determine the new switch address.

CLI – Specify the management interface, and set the IP address mode to DHCP or BOOTP, and then enter the “ip dhcp restart client” command.

Console#config Console(config)#interface vlan 1 4-130 Console(config-if)#ip address dhcp 4-227 Console(config-if)#end Console#ip dhcp restart client 4-121 Console#show ip interface 4-223 IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: User specified. Console#

Renewing DCHP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.

Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available.

3-14

Page 55

Basic Configuration

CLI – Enter the following command to restart DHCP service.

Console#ip dhcp restart client 4-121 Console#

Enabling Jumbo Frames

The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9000 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.

To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size. And for half-duplex connections, all devices in the collision domain would need to support jumbo frames.

Enabling jumbo frames limits the maximum threshold for broadcast storm control to 64 packets per second.

Command Attributes

Jumbo Packet Status – Enables or disables support for jumbo frames.

Web – Click System, Jumbo Frame Configuration. Check the box and click Apply Changes to enable jumbo frame support.

Figure 3-10. Enabling Jumbo Frame Support

CLI – In global configuration mode enter jumbo-frame to enable jumbo frame

support.

Console(config)#jumbo-frame 4-61 Console(config)#

Managing Firmware

You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can set the switch to use new firmware without overwriting the previous version.

Command Attributes

• TFTP Server IP Address – The IP address of a TFTP server.

3-15

Page 56

Configuring the Switch

• File Name – the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

• Source/Destination Unit – Specifies the switch stack unit number.

• File Type – Allows you to specify either an operational code file (opcode), or a configuration file (config).

• Destination/Startup File Name – Allows specification of filenames already in memory, or the creation of a new filename. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

• Source File Name – Allows you to specify the name of the chosen source file.

Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored

in the file directory on the switch. The currently designated startup version of this file cannot be deleted.

The file name should not contain slashes (\ or /),

the leading letter of

Downloading System Software from a Server

When downloading runtime code, you can specify the Destination File Name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file.

Web – Click System, File, Firmware. Enter the IP address of the TFTP server and the source and destination file names. Click Transfer from Server.

Figure 3-11. Transfering an Operation Code Image File from a Server

If you download to a new destination file, then select the file from the drop-down box for the operation code used at startup, and click Apply Changes. To start the new firmware, reboot the system via the System/Reset menu.

Figure 3-12. Selecting the Start-up Operation Code Image File

3-16

Page 57

Basic Configuration

CLI – Enter the IP address of the TFTP server, select “config” or “opcode” file type, then enter the source and destination file names, set the new file to start up the system, and then restart the switch.

Console#copy tftp file 4-62 TFTP server ip address: 10.1.0.19 Choose file type:

1. config: 2. opcode: <1-2>: 2 Source file name: M100000.bix Destination file name: V1.0 \Write to FLASH Programming.

-Write to FLASH finish. Success. Console#config Console(config)#boot system opcode:V1.0 4-66 Console(config)#exit Console#reload 4-22

Saving or Restoring Configuration Settings

You can upload/download configuration settings to/from a TFTP server. The configuration file can be later downloaded to restore the switch’s settings.

Command Attributes

• TFTP Server IP Address – The IP address of a TFTP server.

•

File Name

leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Note:

— The configuration file name should not contain slashes (\ or /),

The maximum number of user-defined configuration files is limited only by available flash memory space.

the

Downloading Configuration Settings from a Server

You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.

Web – Click System, File, Configuration. Enter the IP address of the TFTP server, enter the name of the file to download, select a file on the switch to overwrite or specify a new file name, and then click Transfer from Server.

Figure 3-13. Transfering a Configuration File from a Server

3-17

Page 58

Configuring the Switch

If you download to a new file name, then select the new file from the drop-down box for Startup Configuration File, and press Apply Changes. To use the new settings, reboot the system via the System/Reset menu.

Figure 3-14. Setting the Start-up Configuration File

CLI – Enter the IP address of the TFTP server, specify the source file on the server,

set the startup file name on the switch, and then restart the switch.

Console#copy tftp startup-config 4-62 TFTP server ip address: 192.168.1.19 Source configuration file name: config-1 Startup configuration file name [] : startup \Write to FLASH Programming.

-Write to FLASH finish. Success.

Console#reload

If you download the startup configuration file under a new file name, you can set this file as the startup file at a later time, and then restart the switch.

Console#config Console(config)#boot system config: startup-new 4-66 Console(config)#exit Console#reload 4-22

Console Port Settings

You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings. These parameters can be configured via the Web or CLI interface.

Command Attributes

• Login Timeout – Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0 - 300 seconds; Default: 0)

• Exec Timeout – Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated. (Range: 0 - 65535 seconds; Default: 600 seconds)

3-18

Page 59

Basic Configuration

• Password Threshold – Sets the password intrusion threshold, which limits the

number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)

• Silent Time – Sets the amount of time the management console is inaccessible

after the number of unsuccessful logon attempts has been exceeded. (Range: 0-65535; Default: 0)

• Data Bits – Sets the number of data bits per character that are interpreted and

generated by the console port. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)

• Parity – Defines the generation of a parity bit. Communication protocols provided

by some terminals can require a specific parity bit setting. Specify Even, Odd, or None. (Default: None)

• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive

(from terminal). Set the speed to match the baud rate of the device connected to the serial port or specify “Auto.” (Default: 9600 bps)

• Stop Bits – Sets the number of the stop bits transmitted per byte. (Default: 1 stop

bit)

• Password* – Specifies a password for the line connection. When a connection is

started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)

• Login* – Enables password checking at login. You can select authentication by a

single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts (the default).

* CLI only.

3-19

Page 60

Configuring the Switch

Web – Click System, Line, Console. Specify the console port connection parameters as required, then click Apply.

Figure 3-1. Console Port Settings

CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.

Console(config)#line console 4-10 Console(config-line)#login local 4-11 Console(config-line)#password 0 secret 4-12 Console(config-line)#timeout login response 0 4-13 Console(config-line)#exec-timeout 0 4-14 Console(config-line)#password-thresh 5 4-14 Console(config-line)#silent-time 60 4-15 Console(config-line)#databits 8 4-16 Console(config-line)#parity none 4-16 Console(config-line)#speed auto 4-17 Console(config-line)#stopbits 1 4-17 Console(config-line)#end Console#show line 4-18 Console configuration: Password threshold: 5 times Interactive timeout: Disabled Login timeout: Disabled Silent time: 60 Baudrate: auto Databits: 8 Parity: none Stopbits: 1

VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec Console#

3-20

Page 61

Basic Configuration

Telnet Settings

You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password. These parameters can be configured via the Web or CLI interface.

Command Attributes

• Telnet Status – Enables or disables Telnet access to the switch.

(Default: Enabled)

• Telnet Port Number – Sets the TCP port number for Telnet on the switch.

(Default: 23)

• Login Timeout – Sets the interval that the system waits for a user to log into the

CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0 - 300 seconds; Default: 300 seconds)

• Exec Timeout – Sets the interval that the system waits until user input is detected.

If user input is not detected within the timeout interval, the current session is terminated. (Range: 0 - 65535 seconds; Default: 600 seconds)

• Password Threshold – Sets the password intrusion threshold, which limits the

• Password* – Specifies a password for the line connection. When a connection is

started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)

• Login* – Enables password checking at login. You can select authentication by a

single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts (the default).

* CLI only.

3-21

Page 62

Configuring the Switch

Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply.

Figure 3-2. Telnet Settings

CLI – Enter Line Configuration mode for a virtual terminal, then specify the

connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.

Console(config)#line vty 4-10 Console(config-line)#login local 4-11 Console(config-line)#password 0 secret 4-12 Console(config-line)#timeout login response 300 4-13 Console(config-line)#exec-timeout 600 4-14 Console(config-line)#password-thresh 3 4-14 Console(config-line)#end Console#show line 4-18 Console configuration: Password threshold: 5 times Interactive timeout: Disabled Login timeout: Disabled Silent time: 60 Baudrate: auto Databits: 8 Parity: none Stopbits: 1

VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec Console#

3-22

Page 63

Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.

System Logs

The system can be configured to send debug and error messages to a logging process. This logging process controls the type of error messages that are stored in switch memory or sent to a remote syslog server.

System log messages are categorized by severity into eight levels, as detailed in the following table.

Level Severity Name Description

7 Debug Debugging messages 6 Informational Informational messages only 5 Notice Normal but significant condition, such as cold start 4 Warning Warning conditions (e.g., return false, unexpected return) 3 Error Error conditions (e.g., invalid input, default used) 2 Critical Critical conditions (e.g., memory allocation, or free memory

1 Alert Immediate action needed 0 Emergency System unusable

* There are only Level 2, 5 and 6 error messages for the current firmware release.

error - resource exhausted)

The switch allows you to specify which levels are logged to RAM or flash memory.

Severe error messages that are logged to flash memory are permanently stored in the switch to assist in troubleshooting network problems. Up to 4096 log entries can be stored in the flash memory, with the oldest entries being overwritten first when the available log memory (256 kilobytes) has been exceeded.

The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.

3-23

Page 64

Configuring the Switch

Web – Click System, Log, Logs.

Figure 3-3. Logging Information

CLI – Type "show logging ram" to display log messages in the RAM buffer.

Console#show logging ram 4-45 Syslog logging: Enable History logging in RAM: level debugging [3] 0:0:58 1/1/1 "VLAN 1 link-up notification." level: 6, module: 6, function: 1, and event no.: 1 [2] 0:0:58 1/1/1 "STP topology change notification." level: 6, module: 6, function: 1, and event no.: 1 [1] 0:0:28 1/1/1 "Unit 1, Port 23 link-up notification." level: 6, module: 6, function: 1, and event no.: 1 [0] 0:0:28 1/1/1 "System coldStart notification." level: 6, module: 6, function: 1, and event no.: 1 Console#

System Logs Configuration

The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM.

The level of messages logged to flash must be equal to or less than the level of

Note:

messages logged to RAM.

Command Attributes

• System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled)

• Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to flash. (Default: 3)

3-24

Page 65

Configuring Event Logging

• RAM Level – Limits log messages saved to the switch’s temporary RAM memory

for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Default: 6)

Web – Click System, Log, System Logs. Specify the System Log Status, level of messages to be logged

Figure 3-4. Enabling System Logging

CLI – Enable system logging and then specify the level of messages to be logged to

RAM and flash memory. Use the show logging command to display the current settings.

Console(config)#logging on 4-41 Console(config)#logging history ram 6 4-42 Console(config)# Console#show logging flash 4-45 Syslog logging: Enabled History logging in FLASH: level errors Console#

to RAM and flash memory

, and then click Apply.

modify the

Remote Logs Configuration

The Remote Logs page allows you to configure the logging of messages that are sent to syslog servers. You can also limit the error messages sent to only those messages below a specified level.

Command Attributes

• Remote Log Status – Enables/disables the logging of debug or error messages

to the remote logging process. (Default: Enabled)

• Logging Facility – Sets the facility type for remote logging of syslog messages.

There are eight facility types specified by values of 16 to 23. The facility type is used by the syslog server to dispatch log messages to an appropriate service. (Default: 23)

• Logging Trap – Limits log messages that are sent to the remote syslog server for

all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be sent to the remote server. (Default: 3)

3-25

Page 66

Configuring the Switch

• Host IP List – Displays the list of remote server IP addresses that receive the syslog messages. The maximum number of host IP addresses allowed is five.

• Host IP Address – Specifies a new server IP address to add to the Host IP List.

Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.

Figure 3-5. Enabling Remote Logging and Adding Host IP Addresses

CLI – Enter the syslog server host IP address, choose the facility type and set the

minimum level of messages to be logged.

Console(config)#logging host 192.168.1.7 4-43 Console(config)#logging facility 23 4-43 Console(config)#logging trap 4 4-44 Console(config)# Console#show logging trap 4-45 Syslog logging: Enabled REMOTELOG status: Enabled REMOTELOG facility type: local use 7 REMOTELOG level type: Warning conditions REMOTELOG server IP address: 192.168.1.7 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 Console#

3-26

Page 67

Configuring Event Logging

Sending Simple Mail Transfer Protocol Alerts

To alert system administrators of problems, the switch can use SMTP (Simple Mail Transfer Protocol) to send email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.

Command Attributes

• Admin Status – Enables/disables the SMTP function. (Default: Disabled)

• Email Source Address – Sets the email address used for the “From” field in alert

messages. You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.

• Severity – Sets the syslog severity threshold level (see table on page 3-23) used

to trigger alert messages. All events at this level or higher will be sent to the configured email recipients. For example, using Level 7 will report all events from level 7 to level 0. (Default : Level 7)

• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The

switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list.

• Email Destination Address List – Specifies the email recipients of alert

messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list.

3-27

Page 68

Configuring the Switch

Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server text box and then click Add. To delete an IP address, click the entry in the SMTP Server List and then click Remove. Specify up to five email addresses to receive the alert messages, and then click Apply.

Figure 3-6. Enabling and Configuring SMTP Alerts

CLI – Enter the IP address of at least one SMTP server, set the syslog severity level

to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command

3-28

Page 69

Configuring Event Logging

to complete the configuration. Use the show logging sendmail command to display the current SMTP configuration.

Console(config)#logging sendmail host 192.168.1.4 4-47 Console(config)#logging sendmail level 3 4-47 Console(config)#logging sendmail source-email

Matrix-V-Series@this-company.com 4-48

Console(config)#logging sendmail destination-email

chris@this-company.com 4-48 Console(config)#logging sendmail 4-49 Console(config)#exit Console#show logging sendmail 4-49 SMTP servers

-----------------------------------------------

Active SMTP server: 0.0.0.0

SMTP minimum severity level: 4

SMTP destination email addresses

-----------------------------------------------

1. chris@this-company.com

SMTP source email address: AlcatelOS6300PhaseII@this-company.com

SMTP status: Enabled Console#

Resetting the System

Web – Click System, Reset. Click the Reset button to restart the switch.

Figure 3-15. Resetting the System

CLI – Use the reload command to restart the switch.

Console#reload 4-22 System will be restarted, continue <y/n>?

When restarting the system, it will always run the Power-On Self-Test.

Note:

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock using the CLI. (See “calendar set” on page 4-53.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.

3-29

Page 70

Configuring the Switch

This switch acts as an SNTP client in unicast mode:

Unicast – The switch periodically sends a request for a time update to a configured time server. You can configure up to three time server IP addresses. The switch will attempt to poll each server in the configured sequence.

Configuring SNTP

You can configure the switch to send time synchronization requests to specific time servers (i.e., client mode).

Command Attributes

• SNTP Client – Configures the switch to operate as an SNTP unicast client. This mode requires at least one time server to be specified in the SNTP Server field.

• SNTP Poll Interval – Sets the interval between sending requests for a time update from a time server when set to SNTP Client mode. (Range: 16-16284 seconds; Default: 16 seconds)

• SNTP Server – In unicast mode, sets the IP address for up to three time servers. The switch attempts to update the time from the first server, if this fails it attempts an update from the next server in the sequence.

Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply.

Figure 3-16. SNTP Configuration

CLI – This example configures the switch to operate as an SNTP broadcast client.

Console(config)#sntp client 4-50 Console(config)#sntp poll 16 4-52 Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-51 Console(config)#

3-30

Page 71

Simple Network Management Protocol

Setting the Time Zone

SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.

Command Attributes

• Current Time – Displays the current time.

• Name – Assigns a name to the time zone.

• Hours (0-12) – The number of hours before/after UTC.

• Minutes (0-59) – The number of minutes before/after UTC.

• Direction – Configures the time zone to be before (east) or after (west) UTC.

Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC, and click Apply.

Figure 3-17. Clock Time Zone

CLI - This example shows how to set the time zone for the system clock.

Console(config)#clock timezone Dhaka hours 6 minute 0 after-UTC 4-53 Console#

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.

Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a

3-31

Page 72

Configuring the Switch

standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network.

The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as HP OpenView. Access to the onboard agent using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.

Access to the switch using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.

The SNMPv3 security structure consists of security models, with each model having it’s own security levels. There are three security models defined, SNMPv1, SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a security model and specified security levels. Each group also has a defined security access to set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.

Table 3-1. SNMPv3 Security Models and Levels

Model Level Group Read View Write View Security

v1 noAuthNoPriv DefaultROGroup defaultview none Community string only v1 noAuthNoPriv DefaultRWG roup defa ultv iew defau ltvie w Commun ity strin g only v1 noAuthNoPriv user defined user defined user defined Community string only v2c noAuthNoPriv DefaultROGroup defaultview none Community string only v2c noAuthNoPriv Defau ltRWG roup defa ultv iew defau ltvie w Community strin g only v2c noAuthNoPriv user defined user defined user defined Community string only v3 noAuthNoPriv user defined user defined user defined A user name match only v3 AuthNoPriv user defined user defined user defined Provides user authentication

v3 AuthPriv user defined user defined user defined Provides user authentication

via MD5 or SHA algorithms

via MD5 or SHA algorithms and data privacy using DES 56-bit encryption

The predefined default groups and view can be deleted from the system.

Note:

3-32

Page 73

Simple Network Management Protocol

Enabling SNMP

Enables the SNMP agent on the switch for all versions (1, 2c, and 3).

Command Attributes

• SNMP Agent Status – Enables SNMP on the switch.

Figure 3-7. Enabling the SNMP Agent

CLI – The following example enalbes SNMP on the switch.

Console(config)#snmp-server 4-114 Console(config)#

Setting Community Access Strings

You may configure up to five community strings authorized for management access using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.

Command Attributes

• SNMP Community Capability – Indicates that the switch supports up to five

community strings.

• Community String – A community string that acts like a password and permits

access to the SNMP protocol. Default strings: “public” (read-only access), “private” (read/write access) Range: 1-32 characters, case sensitive

• Access Mode

- Read-Only – Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.

- Read/Write – Specifies read-write access. Authorized management stations are able to both retrieve and modify MIB objects.

3-33

Page 74

Configuring the Switch

Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add.

Figure 3-18. SNMP Configuration

CLI – The following example adds the string “spiderman” with read/write access.

Console(config)#snmp-server community spiderman rw 4-109 Console(config)#

Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.

Command Attributes

• Trap Manager Capability – Indicates that the switch supports up to five trap managers.

• Current – Displays a list of the trap managers currently configured.

• Trap Manager IP Address – IP address of a new management station to receive trap messages.

• Trap Manager Community String – Specifies a valid community string for the new trap manager entry. Though you can set this string in the Trap Managers table, we recommend that you define this string in the SNMP Protocol table as well. (Range: 1-32 characters, case sensitive)

• Trap UDP Port – Specifies the UDP port number used by the trap manager.

• Trap Version – Indicates if the user is running SNMP v1, v2c, or v3.

• Enable Authentication Traps – Issues a trap message to specified IP trap managers whenever authentication of an SNMP request fails. (Default: Enabled)

• Enable Link-up and Link-down Traps – Issues a trap message whenever a port link is established or broken. (Default: Enabled)

3-34

Page 75

Simple Network Management Protocol

Web – Click SNMP, Configuration. Enter the IP address and community string for each managment station that will receive trap messages, specify the UDP port and SNMP version, and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.

Figure 3-19. Configuring SNMP Trap Managers

CLI – This example adds a trap manager and enables both authentication and

link-up, link-down traps.

Console(config)#snmp-server host 192.168.1.19 private version 2c 4-111 Console(config)#snmp-server enable traps authentication 4-112

Configuring SNMPv3 Management Access

To configure SNMPv3 management access to the switch, follow these steps:

1. If you want to change the default engine ID, it must be changed first before

configuring other parameters.

2. Specify read and write access views for the switch MIB tree.

3. Configure SNMP user groups with the required security model (i.e., SNMP v1,

v2c or v3) and security level (i.e., authentication and privacy).

4. Assign SNMP users to groups, along with their specific authentication and

privacy passwords.

Setting an Engine ID

An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.

3-35

Page 76

Configuring the Switch

A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users.

A new engine ID can be specified by entering 1 to 26 hexadecimal characters. If less than 26 characters are specified, trailing zeroes are added to the value. For example, the value “1234” is equivalent to “1234” followed by 22 zeroes.

Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of up to 26 hexadecimal characters and then click Save.

Figure 3-8. Setting an Engine ID

CLI – This example sets an SNMPv3 engine ID.

Console(config)#snmp-server engine-id local 12345abcdef 4-114 Console(config)#exit Console#show snmp engine-id 4-115 Local SNMP engineID: 12345abcdef000000000000000 Local SNMP engineBoots: 1 Console#

Configuring SNMPv3 Users

Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read and a write view.

Command Attributes

• User Name – The name of user connecting to the SNMP agent. (Range: 1-32 characters)

• Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)

• Model – The user security model; SNMP v1, v2c or v3.

3-36

Page 77

Simple Network Management Protocol

• Level – The security level used for the user:

- noAuthNoPriv – There is no authentication or encryption used in SNMP communications.

- AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model).

• Authentication – The method used for user authentication; MD5 only.

• Privacy – The encryption algorithm use for data privacy; only 56-bit encryption is currently available

• Actions – Enables the user to be assigned to another SNMPv3 group.

Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.

Figure 3-9. Configuring SNMPv3 Users

3-37

Page 78

Configuring the Switch

CLI – Use the snmp-server user command to configure a new user name and assign it to a group.

Console(config)#snmp-server user chris group r&d v3 auth md5 greenpeace

priv des56 einstien 3-132

Console(config)#exit Console#show snmp user 3-132 EngineId: 80000034030001f488f5200000 User Name: chris Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active

Console#

Configuring SNMPv3 Groups

An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read and write views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.

Command Attributes

• Group Name – The name of the SNMP group. (Range: 1-32 characters)

• Model – The group security model; SNMP v1, v2c or v3.

• Level – The security level used for the group:

- noAuthNoPriv – There is no authentication or encryption used in SNMP communications.

- AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model).

• Read View – The configured view for read access. (Range: 1-64 characters)

• Write View – The configured view for write access. (Range: 1-64 characters)

3-38

Page 79

Simple Network Management Protocol

Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.

Figure 3-10. Configuring SNMPv3 Groups

CLI – Use the snmp-server group command to configure a new group, specifying

the security model and level, and restricting MIB access to defined read and write views.

Console(config)#snmp-server group v3secure v3 priv read defaultview write

defaultview 3-130 Console(config)#exit Console#show snmp group 3-130 Group Name: v3secure Security Model: v3 Read View: defaultview Write View: defaultview Notify View: none Storage Type: nonvolatile Row Status: active

Console#

3-39

Page 80

Configuring the Switch

Setting SNMPv3 Views

SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.

Command Attributes

• View Name – The name of the SNMP view. (Range: 1-64 characters)

• View OID Subtrees – Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view.

• Edit OID Subtrees – Allows you to configure the object identifiers of branches within the MIB tree. Wildcards can be used to mask a specific portion of the OID string.

• Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view.

Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list. For a specific view, click on View OID Subtrees to display the current configuration, or click on Edit OID Subtrees to make changes to the view settings. To delete a view, check the box next to the view name, then click Delete.

3-40

Figure 3-11. Configuring SNMPv3 Views

Page 81

User Authentication

CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.

Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included

Console(config)#exit Console#show snmp view 3-129 View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.* View Type: included Storage Type: nonvolatile Row Status: active

View Name: readaccess Subtree OID: 1.3.6.1.2 View Type: included Storage Type: nonvolatile Row Status: active

View Name: defaultview Subtree OID: 1 View Type: included Storage Type: nonvolatile Row Status: active

Console#

3-128

User Authentication

You can restrict management access to this switch using the following options:

• Passwords – Manually configure access rights on the switch for specified users.

• Authentication Settings – Use remote authentication to configure access rights.

• HTTPS Settings – Provide a secure web connection.

• SSH Settings – Provide a secure shell (for secure Telnet access).

• Port Security – Configure secure addresses for individual ports.

• 802.1x – Use IEEE 802.1x port authentication to control access to specific ports.

• IP Filter – Fillters management access to the web, SNMP or Telnet interface.

Configuring the Logon Password

The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place.

The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.” Note that user names can only be assigned via the CLI.

3-41

Page 82

Configuring the Switch

Command Attributes

• User Name* – The name of the user. (Maximum length: 8 characters)

• Access Level* – Specifies the user level. (Options: Normal and Privileged)

• Password – Specifies the user password. (Range: 0-8 characters plain text, case sensitive)

* CLI only.

Web – Click Security, Passwords. To change the password for the current user, enter the old password, the new password, confirm it by entering it again, then click Apply.

Figure 3-20. Setting Passwords

CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the

password.

Console(config)#username bob access-level 15 4-25 Console(config)#username bob password 0 smith Console(config)#

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.

Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are logon authentication protocols that use software running on a central server to control access to RADIUS-aware or TACACSaware devices on the network. An authentication server contains

3-42

Web Telnet

RADIUS/ TACACS+ server

1. Client attempts management access.

2. Switch contacts authentication server.

3. Authentication server challenges client.

4. Client responds with proper password or key.

5. Authentication server approves access.

6. Switch grants management access.

console

Page 83

User Authentication

a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch.

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.

Command Usage

• By default, management access is always checked against the authentication

database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol. Local and remote logon authentication control management access via the console port, web browser, or Telnet.

• RADIUS and TACACS+ logon authentication assign a specific privilege level for

each user name/password pair. The user name, password, and privilege level must be configured on the authentication server.

• You can specify up to three authentication methods for any user to indicate the

authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and (3) Local, the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted using the TACACS+ server, and finally the local user name and password is checked.

Command Attributes

• Authentication – Select the authentication, or authentication sequence required:

- Local – User authentication is performed only locally by the switch.

- Radius – User authentication is performed using a RADIUS server only.

- TACACS – User authentication is performed using a TACACS+ server only.

- [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.

• RADIUS Settings

- Server IP Address – Address of authentication server. (Default: 10.1.0.1)

- Server Port Number – Network (UDP) port of authentication server used for authentication messages. (Range: 1-65535; Default: 1812)

- Secret Text String – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters)

- Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2)

- Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5)

3-43

Page 84

Configuring the Switch

• TACACS Settings

- Server IP Address – Address of the TACACS+ server. (Default: 10.11.12.13)

- Server Port Number – Network (TCP) port of TACACS+ server used for authentication messages. (Range: 1-65535; Default: 49)

- Secret Text String – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters)

The local switch user database has to be set up by manually entering user names

Note:

and passwords using the CLI. (See “username” on page 4-25.)

Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.

3-44

Figure 3-21. Authentication Settings

Page 85

User Authentication

CLI – Specify all the required parameters to enable logon authentication.

Console(config)#authentication login radius 4-68 Console(config)#radius-server host 192.168.1.25 4-70 Console(config)#radius-server port 181 4-70 Console(config)#radius-server key green 4-71 Console(config)#radius-server retransmit 5 4-71 Console(config)#radius-server timeout 10 4-72 Console#show radius-server 4-72 Server IP address: 192.168.1.25 Communication key with radius server: Server port number: 181 Retransmit times: 5 Request timeout: 10 Console(config)#authentication login tacacs 4-68 Console(config)#tacacs-server host 10.20.30.40 4-73 Console(config)#tacacs-server port 200 4-73 Console(config)#tacacs-server key green 4-74 Console#show tacacs-server 4-74 Server IP address: 10.20.30.40 Communication key with tacacs server: green Server port number: 200 Console(config)#

Configuring HTTPS

You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.

Command Usage

• Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port.

• If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number]

• When you start HTTPS, the connection is established in this way:

- The client authenticates the server using the server’s digital certificate.

- The client and server negotiate a set of security protocols to use for the

connection.

- The client and server generate session keys for encrypting and decrypting data.

• The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above and Netscape Navigator 4.x or above.

• The following web browsers and operating systems currently support HTTPS:

Table 3-22. Compatible Operating Systems

Web Browser Operating System

Internet Explorer 5.0 or later Windows 98,Windows NT (with service pack 6a),

Netscape Navigator 4.76 or later Windows 98,Windows NT (with service pack 6a),

Windows 2000, Windows XP

Windows 2000, Windows XP, Solaris 2.6

3-45

Page 86

Configuring the Switch

• To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” on page 3-46.

Command Attributes

• HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch.

(Default: Enabled)

•

Change HTTPS Port Number – Specifies the UDP port number used for HTTPS/ SSL connection to the switch’s web interface. (Default: Port 443)

Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.

Figure 3-23. HTTPS Settings

CLI – This example enables the HTTP secure server and modifies the port number.

Console(config)#ip http secure-server 4-30 Console(config)#ip http secure-port 441 4-31 Console(config)#

Replacing the Default Secure-site Certificate

When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site. This is because the certificate has not been signed by an approved certification authority. If you want this warning to be replaced by a message confirming that the connection to the switch is secure, you must obtain a unique certificate and a private key and password from a recognized certification authority.

Caution: For maximum security, we recommend you obtain a unique Secure Sockets

Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased.

3-46

Page 87

User Authentication

When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to replace the default (unrecognized) certificate with an authorized one:

Console#copy tftp https-certificate 4-62 TFTP server ip address: <server ip-address> Source certificate file name: <certificate file name> Source private file name: <private key file name> Private password: <password for private key>

The switch must be reset for the new certificate to be activated. To reset the

Note:

switch, type:

Console#reload

Configuring the Secure Shell

The Berkley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.

The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkley remote access tools. SSH can also provide remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public-key that the client uses along with a local user name and password for access authentication. SSH also encrypts all data transfers passing between the switch and SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered.

Note that you need to install an SSH client on the management station to access the switch for management via the SSH protocol.

The switch supports both SSH Version 1.5 and 2.0.

Note:

Command Usage

The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the Authentication Settings page (page 3-42). If public key authentication is specified by the client, then you must configure authentication keys on both the client and the switch as described in the following section. Note that regardless of whether you use public key or password authentication, you still have to generate authentication keys on the switch (SSH Host Key Settings) and enable the SSH server (Authentication Settings).

To use the SSH server, complete these steps:

1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host

public/private key pair.

2. Provide Host Public Key to Clients – Many SSH client programs automatically

import the host public key during the initial connection setup with the switch.

3-47

Page 88

Configuring the Switch

Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example:

10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233 76546801726272571413428762941301196195566782 59566410486957427888146206 51941746772984865468615717739390164779355942303577413098022737087794545 24083971752646358058176716709574804776117

3. Import Client’s Public Key to the Switch – Use the copy tftp public-key

command (page 4-62) to copy a file containing the public key for all the SSH client’s granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 4-25.) The clients are subsequently authenticated using these keys. The current firmware only accepts public key files based on standard UNIX format as shown in the following example:

1024 35 1341081685609893921040944920155425347631641921872958921143173880 05553616163105177594083868631109291232226828519254374603100937187721199 69631781366277414168985132049117204830339254324101637997592371449011938 00609025394840848271781943722884025331159521348610229029789827213532671 31629432532818915045306393916643 steve@192.168.1.19

4. Set the Optional Parameters – On the SSH Settings page, configure the

optional parameters, including the authentication timeout, the number of retries, and the server key size.

5. Enable SSH Service – On the SSH Settings page, enable the SSH server on

the switch.

6. Challenge-Response Authentication – When an SSH client attempts to contact

the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access. The following exchanges take place during this process:

a. The client sends its public key to the switch. b. The switch compares the client's public key to those stored in memory. c. If a match is found, the switch uses the public key to encrypt a random

sequence of bytes, and sends this string to the client.

d. The client uses its private key to decrypt the bytes, and sends the

decrypted bytes back to the switch.

e. The switch compares the decrypted bytes to the original bytes it sent. If the

two sets match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.

Notes: 1.

To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client’s keys.

3-48

Page 89

User Authentication

2. The SSH server supports up to four client sessions. The maximum number

of client sessions includes both current Telnet sessions and SSH sessions.

Generating the Host Key Pair

A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the proceeding section (Command Usage).

Field Attributes

• Public-Key of Host-Key – The public key for the host.

- RSA: The first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 65537), and the last string is the encoded modulus.

- DSA: The first field indicates that the encryption method used by SSH is based on the Digital Signature Standard (DSS). The last string is the encoded modulus.

• Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA, DSA, Both: Default: RSA) The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.

• Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e., volatile memory to flash memory. Otherwise, the host key pair is stored to RAM by default. Note that you must select this item prior to generating the host-key pair.

• Generate – This button is used to generate the host key pair. Note that you must first generate the host key pair before you can enable the SSH server on the SSH Server Settings page.

3-49

Page 90

Configuring the Switch

Web – Click Security, SSH Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.

Figure 3-24. Secure Shell Host-Key Settings

CLI – This example generates a host-key pair using both the RSA and DSA

algorithms, stores the keys to flash memory, and then displays the host’s public keys.

Console#ip ssh crypto host-key generate 4-34 Console#ip ssh save host-key 4-34 Console#show public-key host 4-34 Host: RSA: 1024 65537 127250922544926402131336514546131189679055192360076028653006761 82409690947448320102524878965977592168322225584652387791546479807396314033 86925793105105765212243052807865885485789272602937866089236841423275912127 60325919683697053439336438445223335188287173896894511729290510813919642025 190932104328579045764891 DSA: ssh-dss AAAAB3NzaC1kc3MAAACBAN6zwIqCqDb3869jYVXlME1sHL0EcE/Re6hlasfEthIwmj hLY4O0jqJZpcEQUgCfYlum0Y2uoLka+Py9ieGWQ8f2gobUZKIICuKg6vjO9XTs7XKc05xfzkBi KviDa+2OrIz6UK+6vFOgvUDFedlnixYTVo+h5v8r0ea2rpnO6DkZAAAAFQCNZn/x17dwpW8RrV DQnSWw4Qk+6QAAAIEAptkGeB6B5hwagH4gUOCY6i1TmrmSiJgfwO9OqRPUMbCAkCC+uzxatOo7 drnIZypMx+Sx5RUdMGgKS+9ywsa1cWqHeFY5ilc3lDCNBueeLykZzVS+RS+azTKIk/zrJh8GLG Nq375R55yRxFvmcGIn/Q7IphPqyJ3o9MK8LFDfmJEAAACAL8A6tESiswP2OFqX7VGoEbzVDSOI RTMFy3iUXtvGyQAOVSy67Mfc3lMtgqPRUOYXDiwIBp5NXgilCg5z7VqbmRm28mWc5a//f8TUAg PNWKV6W0hqmshQdotVzDR1e+XKNTZj0uTwWfjO5Kytdn4MdoTHgrbl/DMdAfjnte8MZZs=

Console#

3-50

Page 91

User Authentication

Configuring the SSH Server

The SSH server includes basic settings for authentication.

Field Attributes

• SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Enabled)

• Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.

• SSH Authentication Timeout – Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt. (Range: 1 to 120 seconds; Default: 120 seconds)

• SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3)

• SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits)

- The server key is a private key that is never shared outside the switch.

- The host key is shared with the SSH client, and is fixed at 1024 bits.

Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note that you must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server.

Figure 3-25. Secure Shell Server Settings

3-51

Page 92

Configuring the Switch

CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SHH, and then disables this connection.

Console(config)#ip ssh server 4-34 Console(config)#ip ssh timeout 100 4-35 Console(config)#ip ssh authentication-retries 5 4-36 Console(config)#ip ssh server-key size 512 4-36 Console(config)#end Console#show ip ssh 4-39 SSH Enabled - version 2.0 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console#show ssh 4-39 Connection Version State Username Encryption 0 2.0 Session-Started admin ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5 Console#disconnect 0 4-18 Console#

Configuring Port Security

Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port.

When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted as authorized to access the network through that port. If a device with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message.

To use port security, first allow the switch to dynamically learn the <source MAC address, VLAN> pair for frames received on a port for an initial training period, and then enable port security to stop address learning. Be sure you enable the learning function long enough to ensure that all valid VLAN members have been registered on the selected port. Note that you can also restrict the maximum number of addresses that can be learned by a port.

To add new VLAN members at a later time, you can manually add secure addresses with the Static Address Table (page 3-100), or turn off port learning function long enough for new VLAN members may then be disabled again, if desired, for security.

Command Usage

• A secure port has the following restrictions:

- Cannot use port monitoring.

- Cannot be a multi-VLAN port.

- It cannot be used as a member of a static or dynamic trunk.

- It should not be connected to a network interconnection device.

• If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (page 3-77).

security to reenable the

to be registered. Learning

3-52

Page 93

User Authentication

Command Attributes

•Port – Port number.

•Name – Descriptive text (page 4-131).

• Action – Indicates the action to be taken when a port security violation is detected:

- None: No action should be taken. (This is the default.)

- Trap: Send an SNMP trap message.

- Shutdown: Disable the port.

- Trap and Shutdown: Send an SNMP trap message and disable the port.

• Security Status – Enables or disables port security on the port. (Default: Disabled)

• Max MAC Count – The maximum number of MAC addresses that can be learned

on a port. (Range: 0 - 20)

• Trunk – Trunk number if port is a member (page 3-80 and 3-81).

Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.

Figure 3-26. Configuring Port Security

CLI – This example sets the command mode to Port 5, sets the port security action

to send a trap and disable the port, and then enables port security for the switch.

Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap-and-shutdown 4-75 Console(config-if)#port security Console(config-if)#

3-53

Page 94

Configuring the Switch

Configuring 802.1x Port Authentication

Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.

The IEEE 802.1x (dot1x) standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network.

This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge back to the client. The EAP packet from the RADIUS server contains not only the challenge, but the authentication method to be used. The client can reject the authentication method and request another, depending on the configuration of the client software and the RADIUS server. The authentication method can be MD5 only. The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port remains blocked.

The operation of 802.1x on the switch requires the following:

• The switch must have an IP address assigned.

• RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified.

• Each switch port that will be used must be set to dot1x “Auto” mode.

• Each client that needs to be authenticated must have dot1x client software installed and properly configured.

• The RADIUS server and 802.1x client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)

802.1x client

RADIUS server

1. Client attempts to access a switch port.

2. Switch sends client an identity request.

3. Client sends back identity information.

4. Switch forwards this to authentication server.

5. Authentication server challenges client.

6. Client responds with proper credentials.

7. Authentication server approves access.

8. Switch grants client access to this port.

3-54

Page 95

User Authentication

• The RADIUS server and client also have to support the same EAP authentication

type – MD5. (Some clients have native support in Windows, otherwise the dot1x client must support it.)

Displaying 802.1x Global Settings

The dot1x protocol includes global parameters that control the client authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server. These parameters are described in this section.

Command Attributes

• dot1x Re-authentication – Indicates if switch port requires a client to be

re-authenticated after a certain period of time.

• dot1x Max Request Count – The maximum number of times the switch port will

retransmit an EAP request packet to the client before it times out the authentication session.

• Timeout for Quiet Period – Indicates the time that a switch port waits after the

Max Request Count has been exceeded before attempting to acquire a new client.

• Timeout for Re-authentication Period – Indicates the time period after which a

connected client must be re-authenticated.

• Timeout for TX Period – The time period during an authentication session that the

switch waits before re-transmitting an EAP packet.

• Supplicant timeout – The time the switch waits for a client response to an EAP

request.

• Server timeout – The time the switch waits for a response from the authentication

server (RADIUS) to an authentication request.

• Re-authentication Max Count – The number of times the switch will attempt to

re-authenticate a connected client before the port becomes unauthorized.

Web – Click Security, 802.1x, Information.

Figure 3-27. 802.1X Information

3-55

Page 96

Configuring the Switch

CLI – This example shows the default protocol settings for 802.1x. For a description of the additional entries displayed in the CLI, See “show dot1x” on page 4-81.

Console#show dot1x 4-81 Global 802.1X Parameters reauth-enabled: yes reauth-period: 300 quiet-period: 350 tx-period: 300 supp-timeout: 30 server-timeout: 30 reauth-max: 2 max-req: 2

802.1X Port Summary Port Name Status Operation Mode Mode Authorized 1/1 disabled Single-Host ForceAuthorized n/a 1/2 disabled Single-Host ForceAuthorized n/a .

1/23 disabled Single-Host ForceAuthorized yes 1/24 enabled Single-Host Auto ye s

802.1X Port Details

802.1X is disabled on port 1 .

802.1X is enabled on port 24 Status Unauthorized Operation mode Single-Host Max count 5 Port-control Auto Supplicant 00-00-00-00-00-00 Current Identifier 0

Authenticator State Machine State Connecting Reauth Count 3

Backend State Machine State Idle Request Count 0 Identifier(Server) 0

Reauthentication State Machine State Initialize Console#

3-56

Page 97

User Authentication

Configuring 802.1x Global Settings

Command Attributes

• dot1X Re-authentication – Sets the client to be re-authenticated after the interval

specified by the Timeout for Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)

• dot1X Max Request Count – Sets the maximum number of times the switch port

will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2)

• Timeout for Quiet Period – Sets the time that a switch port waits after the dot1X

Max Request Count has been exceeded before attempting to acquire a new client. (Range: 1-65535 seconds; Default: 60 seconds)

• Timeout for Re-authentication Period – Sets the time period after which a

connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)

• Timeout for TX Period – Sets the time period during an authentication session

that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)

• authentication dot1x default* – Sets the default authentication server type. Note

that the specified authentication server type must be enabled and properly configured for dot1x to function properly. (Options: radius).

* CLI only.

Web – Select Security, 802.1x, Configuration. Enable dot1x globally for the switch, modify any of the parameters required, and then click Apply.

Figure 3-28. 802.1X Configuration

3-57

Page 98

Configuring the Switch

CLI

– This enables re-authentication and sets all of the global parameters for 802.1x

Console(config)#dot1x re-authentication 4-80 Console(config)#dot1x max-req 5 4-78 Console(config)#dot1x timeout quiet-period 40 4-80 Console(config)#dot1x timeout re-auth 5 4-80 Console(config)#dot1x timeout tx-period 40 4-81 Console(config)#authentication dot1x default radius 4-77 Console(config)#

Configuring Port Authorization Mode

When dot1x is enabled, you need to specify the dot1x authentication mode configured for each port.

Command Attributes

• Status – Indicates if authentication is enabled or disabled on the port.

• Operation Mode – Allows single or multiple hosts (clients) to connect to an

802.1X-authorized port. (Range: Single-Host, Multi-Host; Default: Single-Host)

• Max Count – The maximum number of hosts that can connect to a port when the Multi-Host operation mode is selected. (Range: 1-20; Default: 5)

• Mode – Sets the authentication mode to one of the following options:

- Auto – Requires a dot1x-aware client to be authorized by the authentication

server. Clients that are not dot1x-aware will be denied access.

- Force-Authorized – Forces the port to grant access to all clients, either

dot1x-aware or otherwise.

- Force-Unauthorized – Forces the port to deny access to all clients, either

dot1x-aware or otherwise.

• Authorized –

- Yes – Connected client is authorized.

- No – Connected client is not authorized.

- Blank – Displays nothing when dot1x is disabled on a port.

• Supplicant – Indicates the MAC address of a connected client.

• Trunk – Indicates if the port is configured as a trunk port.

3-58

Page 99

User Authentication

Web – Click Security, 802.1x, Port Configuration. Select the authentication mode from the drop-down box and click Apply.

Figure 3-29. 802.1X Port Configuration

CLI – This example sets the authentication mode to enable 802.1x on port 2, and

allows up to ten clients to connect to this port.

Console(config)#interface ethernet 1/2 4-130 Console(config-if)#dot1x port-control auto 4-78 Console(config-if)#dot1x operation-mode multi-host max-count 10 4-79 Console(config-if)#

Displaying 802.1x Statistics

This switch can display statistics for dot1x protocol exchanges for any port.

Statistical Values

Table 3-30. 802.1X Statistics

Parameter Description

Rx EXPOL Start The number of EAPOL Start frames that have been received by this

Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this

Rx EAPOL Invalid The number of EAPOL frames that have been received by this

Rx EAPOL Total The number of valid EAPOL frames of any type that have been received

Rx EAP Resp/Id The number of EAP Resp/Id frames that have been received by this

Rx EAP Resp/Oth The number of valid EAP Response frames (other than Resp/Id frames)

Rx EAP LenError The number of EAPOL frames that have been received by this

Rx Last EAPOLVer The protocol version number carried in the most recently received EAPOL

Authenticator.

Authenticator in which the frame type is not recogn ize d.

by this Authenticator.

Authenticator.

that have been received by this Authenticator.

Authenticator in which the Packet Body Length field is invalid.

frame.

3-59

Page 100

Configuring the Switch

Table 3-30. 802.1X Statistics

Parameter Description

Rx Last EAPOLSrc The source MAC address carried in the most recently received EAPOL

frame.

Tx EAPOL Total The number of EAPOL frames of any type that have been transmitted by

this Authenticator.

Tx EAP Req/Id The number of EAP Req/Id frames that have been transmitted by this

Authenticator.

Tx EAP Req/Oth The number of EAP Request frames (other than Rq/Id frames) that have

been transmitted by this Authenticator.

Web – Select Security, 802.1x, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.

Figure 3-31. 802.1X Statistics

CLI – This example displays the 802.1x statistics for port 4.

Console#show dot1x statistics interface ethernet 1/4 4-81

Eth 1/4 Rx: EXPOL EAPOL EAPOL EAPOL EAP EAP EAP Start Logoff Invalid Total Resp/Id Resp/Oth LenError 2 0 0 1007 672 0 0

Last Last EAPOLVer EAPOLSrc 1 00-00-E8-98-73-21

Tx: EAPOL EAP EAP Total Req/Id Req/Oth 2017 1005 0 Console#

3-60