Digisol DG-GS1550 Management Manual

ta

Azteca 1000 Web Managed Switch Series

DG-GS1550

Layer 2 Gigabit Ethernet Web Managed Switch

MANAGEMENT GUIDE

v1.0

08-02-2012

As our products undergo continuous development the specifications are subject to change without prior notice

COPYRIGHT

Copyright © 2010 by SNSL. All rights reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any
language or computer language, in any form or by any means, electronic, mechanical,
magnetic, optical, chemical, manual or otherwise, without the prior written permission
of SNSL.

SNSL makes no representations or warranties, either expressed or implied, with respect
to the contents hereof and specifically disclaims any warranties, merchantability or
fitness for any particular purpose. Any software described in this manual is sold or
licensed “as is”. Should the programs prove defective following their purchase, the
buyer (and not SNSL, its distributor, or its dealer) assumes the entire cost of all
necessary servicing, repair, and any incidental or consequential damages resulting from
any defect in the software. Further, SNSL reserves the right to revise this publication
and to make changes from time to time in the contents thereof without obligation to
notify any person of such revision or changes.

SNSL is an abbreviation of Smartlink Network Systems Ltd.

MANAGEMENT GUIDE

DG-GS1550 Gigabit Ethernet Switch

Layer 2 Workgroup Switch
with 46 10/100/1000BASE-T (RJ-45) Ports
and 4 Combination Gigabit (RJ-45/SFP) Ports

About This Guide

Purpose

This guide details the hardware features of the switch, including the physical and
performance-related characteristics, and how to install the switch.

Audience

The guide is intended for use by network administrators who are responsible for installing and setting
up network equipment; consequently, it assumes a basic working knowledge of LANs (Local Area
Networks).

Conventions

The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or

instructions.

Caution: Alerts you to a potential hazard that could cause loss of data, or damage the

system or equipment.

Warning: Alerts you to a potential hazard that could cause personal injury.

Related Publications

The following publication gives specific information on how to operate and use the
management functions of the switch:

Installation Guide

Also, as part of the switch’s software, there is an online web-based help that describes all
management related features.

Revision History

This section summarizes the changes in each revision of this guide.

February 2012 Revision

This is the first revision of this guide.

Contents

Chapter 1: Introduction 1-1

Key Features 1-1
Description of Software Features 1-2
System Defaults 1-6

Chapter 2: Initial Configuration 2-1

Connecting to the Switch 2-1

Configuration Options 2-1
Required Connections 2-2
Remote Connections 2-3

Basic Configuration 2-3

Console Connection 2-3
Setting Passwords 2-4
Setting an IP Address 2-4

Manual Configuration 2-4
Dynamic Configuration 2-5

Enabling SNMP Management Access 2-6

Community Strings (for SNMP version 1 and 2c clients) 2-6
Trap Receivers 2-7
Configuring Access for SNMP Version 3 Clients 2-8

Managing System Files 2-8

Saving Configuration Settings 2-9

Chapter 3: Configuring the Switch 3-1

Using the Web Interface 3-1
Navigating the Web Browser Interface 3-2

Home Page 3-2
Configuration Options 3-3
Panel Display 3-3
Main Menu 3-4

Basic Configuration 3-11

Displaying System Information 3-11
Displaying Switch Hardware/Software Versions 3-13
Displaying Bridge Extension Capabilities 3-15
Setting the Switch’s IP Address 3-16

Manual Configuration 3-17

Using DHCP/BOOTP 3-18
Enabling Jumbo Frames 3-19
Managing Firmware 3-20

Downloading System Software from a Server 3-20

xi

Contents

Saving or Restoring Configuration Settings 3-22

Downloading Configuration Settings from a Server 3-23
Console Port Settings 3-24
Telnet Settings 3-26
Configuring Event Logging 3-28

System Log Configuration 3-28

Remote Log Configuration 3-29

Displaying Log Messages 3-31

Simple Mail Transfer Protocol 3-31
Resetting the System 3-33
Setting the System Clock 3-34

Setting the Time Manually 3-34

Configuring SNTP 3-34

Setting the Time Zone 3-35

Simple Network Management Protocol 3-36

Enabling the SNMP Agent 3-38
Setting Community Access Strings 3-38
Specifying Trap Managers and Trap Types 3-39
Configuring SNMPv3 Management Access 3-42

Setting the Local Engine ID 3-42

Specifying a Remote Engine ID 3-43

Configuring SNMPv3 Users 3-44

Configuring Remote SNMPv3 Users 3-46

Configuring SNMPv3 Groups 3-48

Setting SNMPv3 Views 3-51

User Authentication 3-53

Configuring User Accounts 3-53
Configuring Local/Remote Logon Authentication 3-55
Configuring Encryption Keys 3-58
AAA Authorization and Accounting 3-60

Configuring AAA RADIUS Group Settings 3-61

Configuring AAA TACACS+ Group Settings 3-62

Configuring AAA Accounting 3-62

AAA Accounting Update 3-64

AAA Accounting 802.1X Port Settings 3-65

AAA Accounting Exec Command Privileges 3-66

AAA Accounting Exec Settings 3-67

AAA Accounting Summary 3-67

Authorization Settings 3-69

Authorization EXEC Settings 3-70

Authorization Summary 3-71
Configuring HTTPS 3-72

Replacing the Default Secure-site Certificate 3-73
Configuring the Secure Shell 3-74

Generating the Host Key Pair 3-76

xii

Contents

Configuring the SSH Server 3-78

Configuring 802.1X Port Authentication 3-79

Displaying 802.1X Global Settings 3-80
Configuring 802.1X Global Settings 3-81
Configuring Port Settings for 802.1X 3-82
Displaying 802.1X Statistics 3-85

Filtering IP Addresses for Management Access 3-86

General Security Measures 3-88

Configuring Port Security 3-89
Network Access (MAC Address Authentication) 3-90

Configuring the MAC Authentication Reauthentication Time 3-91
Configuring MAC Authentication for Ports 3-92
Displaying Secure MAC Address Information 3-93

MAC Authentication 3-95

Configuring MAC Authentication Parameters for Ports 3-95

Access Control Lists 3-96

Setting the ACL Name and Type 3-96
Configuring a Standard IP ACL 3-98
Configuring an Extended IP ACL 3-99
Configuring a MAC ACL 3-101
Binding a Port to an Access Control List 3-103

DHCP Snooping 3-104

DHCP Snooping Configuration 3-105
DHCP Snooping VLAN Configuration 3-106
DHCP Snooping Information Option Configuration 3-107
DHCP Snooping Port Configuration 3-108
DHCP Snooping Binding Information 3-109

IP Source Guard 3-110

Configuring Ports for IP Source Guard 3-110
Configuring Static Binding for IP Source Guard 3-112
Displaying Information for Dynamic IP Source Guard Bindings 3-114

Port Configuration 3-115

Displaying Connection Status 3-115
Configuring Interface Connections 3-117
Creating Trunk Groups 3-119

Statically Configuring a Trunk 3-120
Enabling LACP on Selected Ports 3-122
Configuring Parameters for LACP Group Members 3-123
Displaying LACP Port Counters 3-125
Displaying LACP Settings and Status for the Local Side 3-127

Displaying LACP Settings and Status for the Remote Side 3-129
Setting Broadcast Storm Thresholds 3-130
Setting Multicast Storm Thresholds 3-132
Setting Unknown Unicast Storm Thresholds 3-133
Configuring Local Port Mirroring 3-134

xiii

Contents

Configuring Remote Port Mirroring 3-136
Configuring Rate Limits 3-140

Rate Limit Configuration 3-140

Showing Port Statistics 3-141

Address Table Settings 3-146

Setting Static Addresses 3-146
Displaying the Address Table 3-147
Changing the Aging Time 3-148

Spanning Tree Algorithm Configuration 3-149

Displaying Global Settings for STA 3-151
Configuring Global Settings for STA 3-154
Displaying Interface Settings for STA 3-158
Configuring Interface Settings for STA 3-161
Configuring Multiple Spanning Trees 3-165
Displaying Interface Settings for MSTP 3-168
Configuring Interface Settings for MSTP 3-170

VLAN Configuration 3-171

IEEE 802.1Q VLANs 3-171

Enabling or Disabling GVRP (Global Setting) 3-174
Displaying Basic VLAN Information 3-175
Displaying Current VLANs 3-176
Creating VLANs 3-177
Adding Static Members to VLANs (VLAN Index) 3-180
Adding Static Members to VLANs (Port Index) 3-182
Configuring VLAN Behavior for Interfaces 3-183

Configuring IEEE 802.1Q Tunneling 3-185

Enabling QinQ Tunneling on the Switch 3-188
Adding an Interface to a QinQ Tunnel 3-189

Traffic Segmentation 3-192

Configuring Global Settings for Traffic Segmentation 3-192
Configuring Traffic Segmentation Uplinks and Downlinks 3-193

Private VLANs 3-194

Displaying Current Private VLANs 3-194
Configuring Private VLANs 3-195
Associating VLANs 3-196
Displaying Private VLAN Interface Information 3-197
Configuring Private VLAN Interfaces 3-198

Protocol VLANs 3-199

Configuring Protocol VLAN Groups 3-200
Mapping Protocols to VLANs 3-201

Class of Service Configuration 3-203

Layer 2 Queue Settings 3-203

Setting the Default Priority for Interfaces 3-203
Mapping CoS Values to Egress Queues 3-205
Selecting the Queue Mode 3-207

xiv

Contents

Setting the Service Weight for Traffic Classes 3-208
Layer 3/4 Priority Settings 3-209

Mapping Layer 3/4 Priorities to CoS Values 3-209

Selecting IP Precedence/DSCP Priority 3-209

Mapping IP Precedence 3-210

Mapping DSCP Priority 3-211

Mapping IP Port Priority 3-213

Quality of Service 3-214

Configuring Quality of Service Parameters 3-215

Configuring a Class Map 3-215

Creating QoS Policies 3-218

Attaching a Policy Map to Ingress Queues 3-221

Multicast Filtering 3-222

Layer 2 IGMP (Snooping and Query) 3-223

Configuring IGMP Snooping and Query Parameters 3-224

Enabling IGMP Immediate Leave 3-226

Displaying Interfaces Attached to a Multicast Router 3-228

Specifying Static Interfaces for a Multicast Router 3-229

Displaying Port Members of Multicast Services 3-230

Assigning Ports to Multicast Services 3-231
IGMP Filtering and Throttling 3-232

Enabling IGMP Filtering and Throttling 3-232

Configuring IGMP Filter Profiles 3-233

Configuring IGMP Filtering and Throttling for Interfaces 3-235
Multicast VLAN Registration 3-237

Configuring Global MVR Settings 3-238

Displaying MVR Interface Status 3-240

Displaying Port Members of Multicast Groups 3-241

Configuring MVR Interface Status 3-242

Assigning Static Multicast Groups to Interfaces 3-244

Configuring Domain Name Service 3-245

Configuring General DNS Service Parameters 3-245
Configuring Static DNS Host to Address Entries 3-247
Displaying the DNS Cache 3-249

Switch Clustering 3-250

Cluster Configuration 3-250
Cluster Member Configuration 3-252
Displaying Information on Cluster Members 3-253
Cluster Candidate Information 3-254

Chapter 4: Command Line Interface 4-1

Using the Command Line Interface 4-1

Accessing the CLI 4-1
Console Connection 4-1

xv

Contents

Telnet Connection 4-2

Entering Commands 4-3

Keywords and Arguments 4-3
Minimum Abbreviation 4-3
Command Completion 4-3
Getting Help on Commands 4-3
Showing Commands 4-4
Partial Keyword Lookup 4-5
Negating the Effect of Commands 4-5
Using Command History 4-5
Understanding Command Modes 4-6
Exec Commands 4-6
Configuration Commands 4-7

Command Line Processing 4-9
Command Groups 4-10
General Commands 4-11

enable 4-12

disable 4-12

configure 4-13

show history 4-13

reload (Privileged Exec) 4-14

reload (Global Configuration) 4-14

show reload 4-16

prompt 4-16

end 4-16

exit 4-17

quit 4-17
System Management Commands 4-18

Device Designation Commands 4-18

hostname 4-18

Banner Information Commands 4-19

banner configure 4-20
banner configure company 4-21
banner configure dc-power-info 4-21
banner configure department 4-22
banner configure equipment-info 4-23
banner configure equipment-location 4-23
banner configure ip-lan 4-24
banner configure lp-number 4-25
banner configure manager-info 4-25
banner configure mux 4-26
banner configure note 4-27
show banner 4-27

System Status Commands 4-28

show startup-config 4-28

xvi

Contents

show running-config 4-30
show system 4-32
show users 4-32
show version 4-33

Frame Size Commands 4-34

jumbo frame 4-34

File Management Commands 4-35

copy 4-36
delete 4-39
dir 4-39
whichboot 4-40
boot system 4-41

Line Commands 4-42

line 4-42
login 4-43
password 4-44
timeout login response 4-45
exec-timeout 4-45
password-thresh 4-46
silent-time 4-47
databits 4-47
parity 4-48
speed 4-49
stopbits 4-49
disconnect 4-50
show line 4-50

Event Logging Commands 4-51

logging on 4-52
logging history 4-53
logging host 4-54
logging facility 4-54
logging trap 4-55
clear log 4-55
show logging 4-56
show log 4-57

SMTP Alert Commands 4-58

logging sendmail host 4-58
logging sendmail level 4-59
logging sendmail source-email 4-60
logging sendmail destination-email 4-60
logging sendmail 4-61
show logging sendmail 4-61

Time Commands 4-62

sntp client 4-62
sntp server 4-63

xvii

Contents

sntp poll 4-64
show sntp 4-64
clock timezone 4-65
calendar set 4-66
show calendar 4-66

Switch Cluster Commands 4-67

cluster 4-67
cluster commander 4-68
cluster ip-pool 4-69
cluster member 4-69
rcommand 4-70
show cluster 4-70
show cluster members 4-71
show cluster candidates 4-71

SNMP Commands 4-72

snmp-server 4-73

show snmp 4-73

snmp-server community 4-74

snmp-server contact 4-75

snmp-server location 4-75

snmp-server host 4-76

snmp-server enable traps 4-78

snmp-server engine-id 4-79

show snmp engine-id 4-80

snmp-server view 4-80

show snmp view 4-81

snmp-server group 4-82

show snmp group 4-83

snmp-server user 4-84

show snmp user 4-85
Authentication Commands 4-86

User Account and Privilege Level Commands 4-87

username 4-87
enable password 4-88
privilege 4-89
privilege rerun 4-89
show privilege 4-90

Authentication Sequence 4-91

authentication login 4-91
authentication enable 4-92

RADIUS Client 4-93

radius-server host 4-93
radius-server port 4-94
radius-server key 4-94
radius-server retransmit 4-95

xviii

Contents

radius-server timeout 4-95
show radius-server 4-95

TACACS+ Client 4-96

tacacs-server host 4-97
tacacs-server port 4-97
tacacs-server key 4-98
tacacs-server retransmit 4-98
tacacs-server timeout 4-99
show tacacs-server 4-99

AAA Commands 4-100

aaa group server 4-100
server 4-101
aaa accounting dot1x 4-102
aaa accounting exec 4-103
aaa accounting commands 4-104
aaa accounting update 4-105
accounting dot1x 4-105
accounting exec 4-106
accounting commands 4-106
aaa authorization exec 4-107
authorization exec 4-108
show accounting 4-108

Web Server Commands 4-109

ip http port 4-109
ip http server 4-110
ip http secure-server 4-110
ip http secure-port 4-111

Telnet Server Commands 4-112

ip telnet server 4-112

Secure Shell Commands 4-113

ip ssh server 4-115
ip ssh timeout 4-116
ip ssh authentication-retries 4-116
ip ssh server-key size 4-117
delete public-key 4-117
ip ssh crypto host-key generate 4-118
ip ssh crypto zeroize 4-118
ip ssh save host-key 4-119
show ip ssh 4-119
show ssh 4-120
show public-key 4-121

802.1X Port Authentication 4-122
dot1x system-auth-control 4-122
dot1x eapol-pass-through 4-123
dot1x default 4-123

xix

Contents

dot1x max-req 4-124
dot1x port-control 4-124
dot1x operation-mode 4-125
dot1x re-authenticate 4-125
dot1x re-authentication 4-126
dot1x timeout quiet-period 4-127
dot1x timeout re-authperiod 4-127
dot1x timeout tx-period 4-128
dot1x timeout supp-timeout 4-128
dot1x intrusion-action 4-129
show dot1x 4-129

Management IP Filter Commands 4-132

management 4-132
show management 4-133

General Security Measures 4-134

Port Security Commands 4-135

port security 4-135

Network Access (MAC Address Authentication) 4-137

network-access max-mac-count 4-137
network-access mode 4-138
network-access dynamic-qos 4-139
network-access guest-vlan 4-140
mac-authentication reauth-time 4-140
mac-authentication intrusion-action 4-141
mac-authentication max-mac-count 4-141
show network-access 4-142
show network-access mac-address-table 4-143

DHCP Snooping Commands 4-144

ip dhcp snooping 4-144
ip dhcp snooping vlan 4-146
ip dhcp snooping trust 4-147
ip dhcp snooping verify mac-address 4-148
ip dhcp snooping information option 4-148
ip dhcp snooping information policy 4-149
show ip dhcp snooping 4-150
show ip dhcp snooping binding 4-150

IP Source Guard Commands 4-151

ip source-guard 4-151
ip source-guard binding 4-153
show ip source-guard 4-154
show ip source-guard binding 4-154

Access Control List Commands 4-155

IP ACLs 4-155

access-list ip 4-156
permit, deny (Standard ACL) 4-157

xx

Contents

permit, deny (Extended ACL) 4-158
show ip access-list 4-160
ip access-group 4-160
show ip access-group 4-161

MAC ACLs 4-161

access-list mac 4-162
permit, deny (MAC ACL) 4-162
show mac access-list 4-164
mac access-group 4-164
show mac access-group 4-165

ACL Information 4-166

show access-list 4-166
show access-group 4-166

Interface Commands 4-167

interface 4-167
description 4-168
speed-duplex 4-169
negotiation 4-170
capabilities 4-170
flowcontrol 4-171
media-type 4-172
shutdown 4-173
switchport packet-rate 4-173
clear counters 4-174
show interfaces brief 4-175
show interfaces status 4-175
show interfaces counters 4-176
show interfaces switchport 4-177

Link Aggregation Commands 4-180

channel-group 4-181
lacp 4-182
lacp system-priority 4-183
lacp admin-key (Ethernet Interface) 4-184
lacp admin-key (Port Channel) 4-185
lacp port-priority 4-186
show lacp 4-187

Mirror Port Commands 4-191

port monitor 4-191
show port monitor 4-192

RSPAN Mirroring Commands 4-193

rspan source 4-194
rspan destination 4-195
rspan remote vlan 4-196
no rspan session 4-197
show rspan 4-197

xxi

Contents

Rate Limit Commands 4-198

rate-limit 4-198

Address Table Commands 4-199

mac-address-table static 4-199
clear mac-address-table dynamic 4-200
show mac-address-table 4-201
mac-address-table aging-time 4-202
show mac-address-table aging-time 4-202

Spanning Tree Commands 4-203

spanning-tree 4-204
spanning-tree mode 4-204
spanning-tree forward-time 4-206
spanning-tree hello-time 4-206
spanning-tree max-age 4-207
spanning-tree priority 4-208
spanning-tree pathcost method 4-208
spanning-tree transmission-limit 4-209
spanning-tree mst-configuration 4-209
mst vlan 4-210
mst priority 4-211
name 4-211
revision 4-212
max-hops 4-212
spanning-tree spanning-disabled 4-213
spanning-tree cost 4-214
spanning-tree port-priority 4-215
spanning-tree edge-port 4-216
spanning-tree portfast 4-217
spanning-tree link-type 4-218
spanning-tree loopback-detection 4-219
spanning-tree loopback-detection release-mode 4-219
spanning-tree loopback-detection trap 4-220
spanning-tree mst cost 4-221
spanning-tree mst port-priority 4-222
spanning-tree protocol-migration 4-223
show spanning-tree 4-223
show spanning-tree mst configuration 4-225

VLAN Commands 4-226

GVRP and Bridge Extension Commands 4-226

bridge-ext gvrp 4-227
show bridge-ext 4-227
switchport gvrp 4-228
show gvrp configuration 4-228
garp timer 4-229
show garp timer 4-230

xxii

Contents

Editing VLAN Groups 4-230

vlan database 4-230
vlan 4-231

Configuring VLAN Interfaces 4-232

interface vlan 4-232
switchport mode 4-233
switchport acceptable-frame-types 4-234
switchport ingress-filtering 4-234
switchport native vlan 4-235
switchport allowed vlan 4-236
switchport forbidden vlan 4-237

Displaying VLAN Information 4-238

show vlan 4-238

Configuring IEEE 802.1Q Tunneling 4-239

dot1q-tunnel system-tunnel-control 4-240
switchport dot1q-tunnel mode 4-240
switchport dot1q-tunnel tpid 4-241
show dot1q-tunnel 4-242

Configuring Port-based Traffic Segmentation 4-243

pvlan 4-243
pvlan up-link/down-link 4-244
show pvlan 4-244

Configuring Private VLANs 4-245

private-vlan 4-246
private vlan association 4-247
switchport mode private-vlan 4-248
switchport private-vlan host-association 4-248
switchport private-vlan mapping 4-249
show vlan private-vlan 4-249

Configuring Protocol-based VLANs 4-250

protocol-vlan protocol-group (Configuring Groups) 4-251
protocol-vlan protocol-group (Configuring Interfaces) 4-251
show protocol-vlan protocol-group 4-252
show interfaces protocol-vlan protocol-group 4-253

Configuring Voice VLANs 4-254

voice vlan 4-254
voice vlan aging 4-255
voice vlan mac-address 4-256
switchport voice vlan 4-257
switchport voice vlan rule 4-257
switchport voice vlan security 4-258
switchport voice vlan priority 4-259
show voice vlan 4-259

LLDP Commands 4-260

lldp 4-262

xxiii

Contents

lldp holdtime-multiplier 4-262
lldp med-fast-start-count 4-263
lldp notification-interval 4-263
lldp refresh-interval 4-264
lldp reinit-delay 4-265
lldp tx-delay 4-265
lldp admin-status 4-266
lldp notification 4-266
lldp med-notification 4-267
lldp basic-tlv management-ip-address 4-268
lldp basic-tlv port-description 4-269
lldp basic-tlv system-capabilities 4-269
lldp basic-tlv system-description 4-270
lldp basic-tlv system-name 4-270
lldp dot1-tlv proto-ident 4-271
lldp dot1-tlv proto-vid 4-271
lldp dot1-tlv pvid 4-272
lldp dot1-tlv vlan-name 4-272
lldp dot3-tlv link-agg 4-273
lldp dot3-tlv mac-phy 4-273
lldp dot3-tlv max-frame 4-274
lldp med-tlv inventory 4-274
lldp med-tlv location 4-275
lldp med-tlv med-cap 4-275
lldp med-tlv network-policy 4-276
show lldp config 4-276
show lldp info local-device 4-278
show lldp info remote-device 4-279
show lldp info statistics 4-281

Class of Service Commands 4-282

Priority Commands (Layer 2) 4-282

queue mode 4-283
switchport priority default 4-283
queue bandwidth 4-284
queue cos-map 4-285
show queue mode 4-286
show queue bandwidth 4-287
show queue cos-map 4-287

Priority Commands (Layer 3 and 4) 4-288

map ip port (Global Configuration) 4-288
map ip port (Interface Configuration) 4-289
map ip precedence (Global Configuration) 4-289
map ip precedence (Interface Configuration) 4-290
map ip dscp (Global Configuration) 4-290
map ip dscp (Interface Configuration) 4-291

xxiv

Contents

show map ip port 4-292
show map ip precedence 4-293
show map ip dscp 4-293

Quality of Service Commands 4-295

class-map 4-296
match 4-297
rename 4-298
description 4-298
policy-map 4-299
class 4-299
set 4-300
police 4-301
service-policy 4-302
show class-map 4-303
show policy-map 4-303
show policy-map interface 4-304

Multicast Filtering Commands 4-305

IGMP Snooping Commands 4-305

ip igmp snooping 4-306
ip igmp snooping vlan static 4-306
ip igmp snooping version 4-307
ip igmp snooping leave-proxy 4-307
ip igmp snooping immediate-leave 4-308
show ip igmp snooping 4-309
show mac-address-table multicast 4-309

IGMP Query Commands (Layer 2) 4-310

ip igmp snooping querier 4-310
ip igmp snooping query-count 4-311
ip igmp snooping query-interval 4-312
ip igmp snooping query-max-response-time 4-312
ip igmp snooping router-port-expire-time 4-313

Static Multicast Routing Commands 4-314

ip igmp snooping vlan mrouter 4-314
show ip igmp snooping mrouter 4-315

IGMP Filtering and Throttling Commands 4-316

ip igmp filter (Global Configuration) 4-316
ip igmp profile 4-317
permit, deny 4-317
range 4-318
ip igmp filter (Interface Configuration) 4-318
ip igmp max-groups 4-319
ip igmp max-groups action 4-320
show ip igmp filter 4-320
show ip igmp profile 4-321
show ip igmp throttle interface 4-322

xxv

Contents

Multicast VLAN Registration Commands 4-323

mvr (Global Configuration) 4-323
mvr (Interface Configuration) 4-325
show mvr 4-326

Domain Name Service Commands 4-329

ip host 4-329
clear host 4-330
ip domain-name 4-330
ip domain-list 4-331
ip name-server 4-332
ip domain-lookup 4-333
show hosts 4-334
show dns 4-334
show dns cache 4-335
clear dns cache 4-335

IP Interface Commands 4-336

ip address 4-336
ip default-gateway 4-337
ip dhcp restart 4-338
show ip interface 4-338
show ip redirects 4-339
ping 4-339
show arp 4-340
clear arp-cache 4-341

Appendix A: Software Specifications A-1

Software Features A-1
Management Features A-2
Standards A-2
Management Information Bases A-3

Appendix B: Troubleshooting B-1

Problems Accessing the Management Interface B-1
Using System Logs B-2

Glossary

Index

xxvi

Tables

Table 1-1 Key Features 1-1
Table 1-2 System Defaults 1-6
Table 3-1 Configuration Options 3-3
Table 3-2 Main Menu 3-4
Table 3-3 Logging Levels 3-28
Table 3-5 Supported Notification Messages 3-48
Table 3-6 HTTPS System Support 3-72
Table 3-7 802.1X Statistics 3-85
Table 3-8 LACP Port Counters 3-125
Table 3-9 LACP Internal Configuration Information 3-127
Table 3-10 LACP Neighbor Configuration Information 3-129
Table 3-11 Port Statistics 3-141
Table 3-12 Recommended STA Path Cost Range 3-162
Table 3-13 Recommended STA Path Costs 3-162
Table 3-14 Default STA Path Costs 3-163
Table 3-15 Traffic Segmentation Forwarding 3-192
Table 3-16 Mapping CoS Values to Egress Queues 3-205
Table 3-17 CoS Priority Levels 3-205
Table 3-18 Mapping IP Precedence 3-210
Table 3-19 Mapping DSCP Priority Values 3-211
Table 4-1 Command Modes 4-6
Table 4-2 Configuration Modes 4-8
Table 4-3 Command Line Processing 4-9
Table 4-4 Command Groups 4-10
Table 4-5 General Commands 4-11
Table 4-6 System Management Commands 4-18
Table 4-7 Device Designation Commands 4-18
Table 4-8 Banner Commands 4-19
Table 4-9 System Status Commands 4-28
Table 4-10 Frame Size Commands 4-34
Table 4-11 Flash/File Commands 4-35
Table 4-12 File Directory Information 4-40
Table 4-13 Line Commands 4-42
Table 4-14 Event Logging Commands 4-51
Table 4-15 Logging Levels 4-53
Table 4-16 show logging flash/ram - display description 4-56
Table 4-17 show logging trap - display description 4-57
Table 4-18 SMTP Alert Commands 4-58
Table 4-19 Time Commands 4-62
Table 4-20 Switch Cluster Commands 4-67
Table 4-21 SNMP Commands 4-72
Table 4-22 show snmp engine-id - display description 4-80

xxvii

Tables

Table 4-23 show snmp view - display description 4-81
Table 4-24 show snmp group - display description 4-84
Table 4-26 Authentication Commands 4-86
Table 4-25 show snmp user - display description 4-86
Table 4-27 User Access Commands 4-87
Table 4-28 Default Login Settings 4-87
Table 4-29 Authentication Sequence 4-91
Table 4-30 RADIUS Client Commands 4-93
Table 4-31 TACACS Commands 4-96
Table 4-33 Web Server Commands 4-109
Table 4-34 HTTPS System Support 4-111
Table 4-35 Telnet Server Commands 4-112
Table 4-36 SSH Commands 4-113
Table 4-37 show ssh - display description 4-120
Table 4-38 802.1X Port Authentication 4-122
Table 4-39 IP Filter Commands 4-132
Table 4-40 Client Security Commands 4-134
Table 4-41 Port Security Commands 4-135
Table 4-42 Network Access 4-137
Table 4-43 Dynamic QoS Profiles 4-139
Table 4-44 DHCP Snooping Commands 4-144
Table 4-45 IP Source Guard Commands 4-151
Table 4-46 Access Control Lists 4-155
Table 4-47 IP ACLs 4-155
Table 4-48 MAC ACL Commands 4-161
Table 4-49 ACL Information 4-166
Table 4-50 Interface Commands 4-167
Table 4-51 Interfaces Switchport Statistics 4-178
Table 4-52 Link Aggregation Commands 4-180
Table 4-53 show lacp counters - display description 4-187
Table 4-54 show lacp internal - display description 4-188
Table 4-55 show lacp neighbors - display description 4-189
Table 4-56 show lacp sysid - display description 4-190
Table 4-57 Mirror Port Commands 4-191
Table 4-58 RSPAN Commands 4-193
Table 4-59 Rate Limit Commands 4-198
Table 4-60 Address Table Commands 4-199
Table 4-61 Spanning Tree Commands 4-203
Table 4-64 Default STA Path Costs 4-215
Table 4-65 VLANs 4-226
Table 4-66 GVRP and Bridge Extension Commands 4-226
Table 4-67 Editing VLAN Groups 4-230
Table 4-68 Configuring VLAN Interfaces 4-232
Table 4-69 Show VLAN Commands 4-238
Table 4-71 Traffic Segmentation Commands 4-243

xxviii

Ta bl e s

Table 4-72 Traffic Segmentation Forwarding 4-243
Table 4-73 Private VLAN Commands 4-245
Table 4-74 Protocol-based VLAN Commands 4-250
Table 4-75 Voice VLAN Commands 4-254
Table 4-76 LLDP Commands 4-260
Table 4-77 Priority Commands 4-282
Table 4-78 Priority Commands (Layer 2) 4-282
Table 4-79 Default CoS Values to Egress Queues 4-286
Table 4-80 Priority Commands (Layer 3 and 4) 4-288
Table 4-82 IP DSCP to CoS Vales 4-291
Table 4-83 Quality of Service Commands 4-295
Table 4-84 Multicast Filtering Commands 4-305
Table 4-85 IGMP Snooping Commands 4-305
Table 4-86 IGMP Query Commands (Layer 2) 4-310
Table 4-87 Static Multicast Routing Commands 4-314
Table 4-88 IGMP Filtering and Throttling Commands 4-316
Table 4-89 Multicast VLAN Registration Commands 4-323
Table 4-90 show mvr - display description 4-327
Table 4-91 show mvr interface - display description 4-327
Table 4-92 show mvr members - display description 4-328
Table 4-95 IP Interface Commands 4-336
Table B-1 Troubleshooting Chart B-1

xxix

Tables

xxx

Figures

Figure 3-1 Home Page 3-2
Figure 3-2 Panel Display 3-3
Figure 3-3 System Information 3-12
Figure 3-4 Switch Information 3-13
Figure 3-5 Bridge Extension Configuration 3-15
Figure 3-6 Manual IP Configuration 3-17
Figure 3-7 DHCP IP Configuration 3-18
Figure 3-8 Bridge Extension Configuration 3-19
Figure 3-9 Copy Firmware 3-21
Figure 3-10 Setting the Startup Code 3-21
Figure 3-11 Deleting Files 3-21
Figure 3-12 Downloading Configuration Settings for Startup 3-23
Figure 3-13 Setting the Startup Configuration Settings 3-23
Figure 3-14 Console Port Settings 3-25
Figure 3-15 Enabling Telnet 3-27
Figure 3-16 System Logs 3-29
Figure 3-17 Remote Logs 3-30
Figure 3-18 Displaying Logs 3-31
Figure 3-19 Enabling and Configuring SMTP 3-32
Figure 3-20 Resetting the System 3-33
Figure 3-21 SNTP Configuration 3-35
Figure 3-22 Setting the System Clock 3-36
Figure 3-23 Enabling SNMP Agent Status 3-38
Figure 3-24 Configuring SNMP Community Strings 3-39
Figure 3-25 Configuring IP Trap Managers 3-41
Figure 3-26 Setting an Engine ID 3-42
Figure 3-27 Setting a Remote Engine ID 3-43
Figure 3-28 Configuring SNMPv3 Users 3-45
Figure 3-29 Configuring Remote SNMPv3 Users 3-47
Figure 3-30 Configuring SNMPv3 Groups 3-50
Figure 3-31 Configuring SNMPv3 Views 3-51
Figure 3-32 Access Levels 3-54
Figure 3-33 Authentication Settings 3-57
Figure 3-34 Encryption Key Settings 3-59
Figure 3-35 AAA Radius Group Settings 3-61
Figure 3-36 AAA TACACS+ Group Settings 3-62
Figure 3-37 AAA Accounting Settings 3-63
Figure 3-38 AAA Accounting Update 3-64
Figure 3-39 AAA Accounting 802.1X Port Settings 3-65
Figure 3-40 AAA Accounting Exec Command Privileges 3-66
Figure 3-41 AAA Accounting Exec Settings 3-67
Figure 3-42 AAA Accounting Summary 3-68

xxxi

Figures

Figure 3-43 AAA Authorization Settings 3-70
Figure 3-44 AAA Authorization Exec Settings 3-70
Figure 3-45 AAA Authorization Summary 3-71
Figure 3-46 HTTPS Settings 3-73
Figure 3-47 SSH Host-Key Settings 3-77
Figure 3-48 SSH Server Settings 3-78
Figure 3-49 802.1X Global Information 3-80
Figure 3-50 802.1X Global Configuration 3-81
Figure 3-51 802.1X Port Configuration 3-83
Figure 3-52 Displaying 802.1X Port Statistics 3-85
Figure 3-53 Creating an IP Filter List 3-87
Figure 3-54 Configuring Port Security 3-90
Figure 3-55 Network Access Configuration 3-92
Figure 3-56 Network Access Port Configuration 3-93
Figure 3-57 Network Access MAC Address Information 3-94
Figure 3-58 MAC Authentication Port Configuration 3-95
Figure 3-59 Selecting ACL Type 3-97
Figure 3-60 Configuring Standard IP ACLs 3-98
Figure 3-61 Configuring Extended IP ACLs 3-100
Figure 3-62 Configuring MAC ACLs 3-102
Figure 3-63 Configuring ACL Port Binding 3-103
Figure 3-64 DHCP Snooping Configuration 3-105
Figure 3-65 DHCP Snooping VLAN Configuration 3-106
Figure 3-66 DHCP Snooping Information Option Configuration 3-108
Figure 3-67 DHCP Snooping Port Configuration 3-109
Figure 3-68 DHCP Snooping Binding Information 3-110
Figure 3-69 IP Source Guard Port Configuration 3-112
Figure 3-70 Static IP Source Guard Binding Configuration 3-113
Figure 3-71 Dynamic IP Source Guard Binding Information 3-114
Figure 3-72 Displaying Port/Trunk Information 3-115
Figure 3-73 Port/Trunk Configuration 3-119
Figure 3-74 Configuring Static Trunks 3-121
Figure 3-75 LACP Trunk Configuration 3-122
Figure 3-76 LACP Port Configuration 3-124
Figure 3-77 LACP - Port Counters Information 3-126
Figure 3-78 LACP - Port Internal Information 3-128
Figure 3-79 LACP - Port Neighbors Information 3-129
Figure 3-80 Port Broadcast Control 3-131
Figure 3-81 Port Multicast Control 3-132
Figure 3-82 Port Unknown Unicast Control 3-134
Figure 3-83 Mirror Port Configuration 3-135
Figure 3-84 RSPAN Configuration 3-139
Figure 3-85 Input Rate Limit Port Configuration 3-140
Figure 3-86 Port Statistics 3-144
Figure 3-87 Configuring a Static Address Table 3-146

xxxii

Figures

Figure 3-88 Configuring a Dynamic Address Table 3-147
Figure 3-89 Setting the Address Aging Time 3-148
Figure 3-90 Displaying Spanning Tree Information 3-153
Figure 3-91 Configuring Spanning Tree 3-157
Figure 3-92 Displaying Spanning Tree Port Information 3-160
Figure 3-93 Configuring Spanning Tree per Port 3-164
Figure 3-94 Configuring Multiple Spanning Trees 3-166
Figure 3-95 Displaying MSTP Interface Settings 3-168
Figure 3-96 Displaying MSTP Interface Settings 3-171
Figure 3-97 Globally Enabling GVRP 3-174
Figure 3-98 Displaying Basic VLAN Information 3-175
Figure 3-99 Displaying Current VLANs 3-176
Figure 3-100 Configuring a VLAN Static List 3-178
Figure 3-101 Configuring a VLAN Static Table 3-181
Figure 3-102 VLAN Static Membership by Port 3-182
Figure 3-103 Configuring VLANs per Port 3-184
Figure 3-104 .1Q Tunnel Status and Ethernet Type 3-189
Figure 3-105 Tunnel Port Configuration 3-190
Figure 3-106 Traffic Segmentation Status Configuration 3-192
Figure 3-107 Traffic Segmentation Link Status 3-193
Figure 3-108 Private VLAN Information 3-195
Figure 3-109 Private VLAN Configuration 3-196
Figure 3-110 Private VLAN Association 3-196
Figure 3-111 Private VLAN Port Information 3-197
Figure 3-112 Private VLAN Port Configuration 3-199
Figure 3-113 Protocol VLAN Configuration 3-200
Figure 3-114 Protocol VLAN Port Configuration 3-202
Figure 3-115 Port Priority Configuration 3-204
Figure 3-116 Traffic Classes 3-206
Figure 3-117 Queue Mode 3-207
Figure 3-118 Configuring Queue Scheduling 3-208
Figure 3-119 IP Precedence/DSCP Priority Status 3-209
Figure 3-120 Mapping IP Precedence Priority Values 3-210
Figure 3-121 Mapping IP DSCP Priority Values 3-212
Figure 3-122 IP Port Priority Status 3-213
Figure 3-123 IP Port Priority 3-213
Figure 3-124 Configuring Class Maps 3-217
Figure 3-125 Configuring Policy Maps 3-220
Figure 3-126 Service Policy Settings 3-221
Figure 3-127 IGMP Configuration 3-225
Figure 3-128 IGMP Immediate Leave 3-227
Figure 3-129 Displaying Multicast Router Port Information 3-228
Figure 3-130 Static Multicast Router Port Configuration 3-229
Figure 3-131 IP Multicast Registration Table 3-230
Figure 3-132 IGMP Member Port Table 3-231

xxxiii

Figures

Figure 3-133 Enabling IGMP Filtering and Throttling 3-233
Figure 3-134 IGMP Profile Configuration 3-234
Figure 3-135 IGMP Filter and Throttling Port Configuration 3-236
Figure 3-136 MVR Global Configuration 3-239
Figure 3-137 MVR Port Information 3-240
Figure 3-138 MVR Group IP Information 3-241
Figure 3-139 MVR Port Configuration 3-243
Figure 3-140 MVR Group Member Configuration 3-244
Figure 3-141 DNS General Configuration 3-246
Figure 3-142 DNS Static Host Table 3-248
Figure 3-143 DNS Cache 3-249
Figure 3-144 Cluster Member Choice 3-250
Figure 3-145 Cluster Configuration 3-251
Figure 3-146 Cluster Member Configuration 3-252
Figure 3-147 Cluster Member Information 3-253
Figure 3-148 Cluster Candidate Information 3-254

xxxiv

Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a
management agent that allows you to configure the features listed in this manual.
The default configuration can be used for most of the features provided by this
switch. However, there are many options that you should configure to maximize the
switch’s performance for your particular network environment.

Key Features

Table 1-1 Key Features

Feature Description

Configuration Backup and
Restore

Authentication Console, Telnet, web – User name / password, RADIUS, TACACS+

General Security Measures AAA

Access Control Lists Supports up to 128 ACLs, 96 MAC rules, and 96 IP rules

DHCP Client

DNS Client and Proxy service

Port Configuration Speed, duplex mode and flow control

Port Trunking Supports up to 32 trunks using either static or dynamic trunking (LACP)

Port Mirroring One or more port mirrored to a single analysis port

RSPAN Mirroring Mirrors traffic from remote switches over a dedicated VLAN

Congestion Control Rate Limiting

Static Address Up to 8K MAC addresses in the forwarding table

IEEE 802.1D Bridge Supports dynamic data switching and addresses learning

Store-and-Forward Switching Supported to ensure wire-speed switching while eliminating bad frames

Spanning Tree Algorithm Supports standard STP, and Rapid Spanning Tree Protocol (RSTP) and

Backup to TFTP server

Port – IEEE 802.1X, MAC address filtering
SNMP v1/2c - Community strings
SNMP version 3 – MD5 or SHA password
Telnet – SSH
Web – HTTPS

DHCP Snooping (with Option 82 relay information)
IP Source Guard
Network Access – MAC Address Authentication
Port Authentication – IEEE 802.1X,
Port Security – MAC address filtering
Private VLANs

Throttling for broadcast, multicast, unknown unicast storms

Multiple Spanning Trees (MSTP)

1-1

Introduction

1

Table 1-1 Key Features (Continued)

Feature Description

Virtual LANs Up to 256 using IEEE 802.1Q, port-based, protocol-based or private VLANs,

Traffic Prioritization Default port priority, traffic class map, queue scheduling, IP Precedence, or

Qualify of Service Supports Differentiated Services (DiffServ)

Link Layer Discovery Protocol Used to discover basic information about neighboring devices

Multicast Filtering Supports IGMP snooping and query, profile filtering, as well as Multicast

Switch Clustering Supports up to 16 Member switches in a cluster

Tunneling Supports IEEE 802.1Q tunneling (QinQ)

and voice VLANs

Differentiated Services Code Point (DSCP), and TCP/UDP Port

VLAN Registration

Description of Software Features

The switch provides a wide range of advanced performance enhancing features.
Flow control eliminates the loss of packets due to bottlenecks caused by port
saturation. Storm suppression prevents broadcast, multicast or unknown unicast
traffic storms from engulfing the network. Port-based, protocol based and private
VLANs, plus support for automatic GVRP VLAN registration provide traffic security
and efficient use of network bandwidth. CoS priority queueing ensures the minimum
delay for moving real-time multimedia data across the network. While multicast
filtering provides support for real-time network applications. Some of the
management features are briefly described below.

Configuration Backup and Restore – You can save the current configuration
settings to a file on a TFTP server, and later download this file to restore the switch
configuration settings.

Authentication – This switch authenticates management access via the console
port, Telnet or web browser. User names and passwords can be configured locally or
can be verified via a remote authentication server (i.e., RADIUS or TACACS+).
Port-based authentication is also supported via the IEEE 802.1X protocol. This
protocol uses the Extensible Authentication Protocol over LANs (EAPOL) to request
user credentials from the 802.1X client, and then verifies the client’s right to access
the network via an authentication server.

Other authentication options include HTTPS for secure management access via the
web, SSH for secure management access over a Telnet-equivalent connection,
SNMP Version 3, IP address filtering for SNMP/web/Telnet management access.
MAC address filtering and IP source guard also provide authenticated port access.
While DHCP snooping is provided to prevent malicious attacks from insecure ports.

Access Control Lists – ACLs provide packet filtering for IP frames (based on
address, protocol, Layer 4 protocol port number or TCP control code) or any frames

1-2

Description of Software Features

(based on MAC address or Ethernet type). ACLs can be used to improve
performance by blocking unnecessary network traffic or to implement security
controls by restricting access to specific network resources or protocols.

Port Configuration – You can manually configure the speed, duplex mode, and
flow control used on specific ports, or use auto-negotiation to detect the connection
settings used by the attached device. Use the full-duplex mode on ports whenever
possible to double the throughput of switch connections. Flow control should also be
enabled to control network traffic during periods of congestion and prevent the loss
of packets when port buffer thresholds are exceeded. The switch supports flow
control based on the IEEE 802.3x standard (now incorporated in IEEE 802.3-2002).

Rate Limiting – This feature controls the maximum rate for traffic transmitted or
received on an interface. Rate limiting is configured on interfaces at the edge of a
network to limit traffic into or out of the network. Packets that exceed the acceptable
amount of traffic are dropped.

Port Mirroring – The switch can unobtrusively mirror traffic from any port to a
monitor port. You can then attach a protocol analyzer or RMON probe to this port to
perform traffic analysis and verify connection integrity.

RSPAN Mirroring – You can configure the switch to mirror traffic from remote
switches over a dedicated VLAN. The traffic mirrored can be analyzed in the same
way you would when mirroring traffic locally on a switch.

Port Trunking – Ports can be combined into an aggregate connection. Trunks can
be manually set up or dynamically configured using Link Aggregation Control
Protocol (LACP – IEEE 802.3-2005). The additional ports dramatically increase the
throughput across any connection, and provide redundancy by taking over the load if
a port in the trunk should fail. The switch supports up to 25 on the DG-GS1550.

Storm Control – Broadcast, multicast and unknown unicast storm suppression
prevents traffic from overwhelming the network. When enabled on a port, the level of
traffic passing through the port is restricted. If traffic rises above a pre-defined
threshold, it will be throttled until the level falls back beneath the threshold.

Static Addresses – A static address can be assigned to a specific interface on this
switch. Static addresses are bound to the assigned interface and will not be moved.
When a static address is seen on another interface, the address will be ignored and
will not be written to the address table. Static addresses can be used to provide
network security by restricting access for a known host to a specific port.

IP Address Filtering – Access to insecure ports can be controlled using DHCP
Snooping which filters ingress traffic based on static IP addresses and addresses
stored in the DHCP Snooping table. Traffic can also be restricted to specific source
IP addresses or source IP/MAC address pairs based on static entries or entries
stored in the DHCP Snooping table.

IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The
address table facilitates data switching by learning addresses, and then filtering or
forwarding traffic based on this information. The address table supports up to 8K
addresses.

1

1-3

Introduction

1

Store-and-Forward Switching – The switch copies each frame into its memory
before forwarding them to another port. This ensures that all frames are a standard
Ethernet size and have been verified for accuracy with the cyclic redundancy check
(CRC). This prevents bad frames from entering the network and wasting bandwidth.

To avoid dropping frames on congested ports, the switch provides 4 Mbits for frame
buffering. This buffer can queue packets awaiting transmission on congested
networks.

Spanning Tree Algorithm – The switch supports these spanning tree protocols:

Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection
and recovery by allowing two or more redundant connections to be created between
a pair of LAN segments. When there are multiple physical paths between segments,
this protocol will choose a single path and disable all others to ensure that only one
route exists between any two stations on the network. This prevents the creation of
network loops. However, if the chosen path should fail for any reason, an alternate
path will be activated to maintain the connection.

Rapid Spanning Tree Protocol (RSTP, IEEE 802.1D-2004) – This protocol reduces
the convergence time for network topology changes to 3 to 5 seconds, compared to
30 seconds or more for the older IEEE 802.1D STP standard. It is intended as a
complete replacement for STP, but can still interoperate with switches running the
older standard by automatically reconfiguring ports to STP-compliant mode if they
detect STP protocol messages from attached devices.

Multiple Spanning Tree Protocol (MSTP, IEEE 802.1D-2004) – This protocol is a
direct extension of RSTP. It can provide an independent spanning tree for different
VLANs. It simplifies network management, provides for even faster convergence
than RSTP by limiting the size of each region, and prevents VLAN members from
being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D
STP).

Virtual LANs – The switch supports up to 256 VLANs. A Virtual LAN is a collection
of network nodes that share the same collision domain regardless of their physical
location or connection point in the network. The switch supports tagged VLANs
based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically
learned via GVRP, or ports can be manually assigned to a specific set of VLANs.
This allows the switch to restrict traffic to the VLAN groups to which a user has been
assigned. By segmenting your network into VLANs, you can:

• Eliminate broadcast storms which severely degrade performance in a flat network.

• Simplify network management for node changes/moves by remotely configuring
VLAN membership for any port, rather than having to manually change the network
connection.

• Provide data security by restricting all traffic to the originating VLAN.

• Use private VLANs to restrict traffic to pass only between data ports and the uplink
ports, thereby isolating adjacent ports within the same VLAN, and allowing you to
limit the total number of VLANs that need to be configured.

• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.

1-4

Description of Software Features

Note: The switch allows 255 user-manageable VLANs. One other VLAN (VLAN ID 4093)

is reserved for switch clustering.

Traffic Prioritization – This switch prioritizes each packet based on the required
level of service, using four priority queues with strict or Weighted Round Robin
Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on
input from the end-station application. These functions can
independent priorities for delay-sensitive data and best-effort data.

This switch also supports several common methods of prioritizing layer 3/4 traffic to
meet application requirements. Traffic can be prioritized based on the priority bits in
the IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port.
When these services are enabled, the priorities are mapped to a Class of Service
value by the switch, and the traffic then sent to the corresponding output queue.

Quality of Service – Differentiated Services (DiffServ) provides policy-based
management mechanisms used for prioritizing network resources to meet the
requirements of specific traffic types on a per-hop basis. Each packet is classified
upon entry into the network based on access lists, IP Precedence or DSCP values,
or VLAN lists. Using access lists allows you select traffic based on Layer 2, Layer 3,
or Layer 4 information contained in each packet. Based on network policies, different
kinds of traffic can be marked for different kinds of forwarding.

Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to
ensure that it does not interfere with normal network traffic and to guarantee
real-time delivery by setting the required priority level for the designated VLAN. The
switch uses IGMP Snooping and Query to manage multicast group registration. It
also supports Multicast VLAN Registration (MVR) which allows common multicast
traffic, such as television channels, to be transmitted across a single network-wide
multicast VLAN shared by hosts residing in other standard or private VLAN groups,
while preserving security and data isolation for normal traffic.

be used to provide

1

IEEE 802.1Q Tunneling (QinQ) – This feature is designed for service providers
carrying traffic for multiple customers across their networks. QinQ tunneling is used
to maintain customer-specific VLAN and Layer 2 protocol configurations even when
different customers use the same internal VLAN IDs. This is accomplished by
inserting Service Provider VLAN (SPVLAN) tags into the customer’s frames when
they enter the service provider’s network, and then stripping the tags when the
frames leave the network.

1-5

Introduction

1

System Defaults

The switch’s system defaults are provided in the configuration file
“Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as
the startup configuration file (page 3-22).

The following table lists some of the basic system defaults.

Table 1-2 System Defaults

Function Parameter Default

Console Port
Connection

Authentication and
Security Measures

Web Management HTTP Server Enabled

Baud Rate auto

Data bits 8

Stop bits 1

Parity none

Local Console Timeout 0 (disabled)

Privileged Exec Level Username “admin”, Password “admin”

Normal Exec Level Username “guest”, Password “guest”

Enable Privileged Exec from Normal
Exec Level

RADIUS Authentication Disabled

TACACS Authentication Disabled

802.1X Port Authentication Disabled

MAC Authentication Disabled

HTTPS Enabled

SSH Disabled

Port Security Disabled

IP Filtering Disabled

DHCP Snooping Disabled

IP Source Guard Disabled (all ports)

HTTP Port Number 80

HTTP Secure Server Enabled

HTTP Secure Port Number 443

Password “super”

1-6

Table 1-2 System Defaults (Continued)

Function Parameter Default

SNMP SNMP Agent Enabled

Community Strings “public” (read only), “private” (read/write)

Traps Authentication traps: enabled

Link-up-down events: enabled

SNMP V3 View: default view

Port Configuration Admin Status Enabled

Auto-negotiation Enabled

Flow Control Disabled

Port Trunking Static Trunks None

LACP (all ports) Disabled

Congestion Control Rate Limiting Disabled

Storm Control Broadcast: enabled (all ports)

Address Table Aging Time 300 seconds

Spanning Tree
Algorithm

LLDP Status Enabled

Virtual LANs Default VLAN 1

Status Enabled, RSTP

Fast Forwarding (Edge Port) Disabled

PVID 1

Acceptable Frame Type All

Ingress Filtering Enabled

Switchport Mode (Egress Mode) Hybrid: tagged/untagged frames

GVRP (global) Disabled

GVRP (port interface) Disabled

QinQ Tunneling Disabled

Group: public (read only) private (read/write)

Multicast: disabled
Unknown Unicast: disabled

(Defaults: Based on RSTP standard)

System Defaults

1

1-7

Introduction

1

Table 1-2 System Defaults (Continued)

Function Parameter Default

Traffic Prioritization Ingress Port Priority 0

Weighted Round Robin Queue: 0 1 2 3

IP Precedence Priority Disabled

IP DSCP Priority Disabled

IP Port Priority Disabled

IP Settings IP Address DHCP assigned

Subnet Mask 255.255.255.0

Default Gateway 0.0.0.0

DHCP Client: Enabled

DNS Client/Proxy service: Disabled

BOOTP Disabled

Multicast Filtering IGMP Snooping Snooping: Enabled

Multicast VLAN Registration Disabled

System Log Status Enabled

Messages Logged to RAM Levels 0-7 (all)

Messages Logged to Flash Levels 0-3

SMTP Email Alerts Event Handler Enabled (but no server defined)

SNTP Clock Synchronization Disabled

DHCP Snooping Status Disabled

IP Source Guard Status Disabled (all ports)

Switch Clustering Status Enabled

Commander Disabled

Weight: 1 2 4 8

Querier: Enabled

1-8

Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent offers a variety
of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a
web-based interface. A PC may also be connected directly to the switch for
configuration and monitoring via a command line interface (CLI).

Note: The IP address for this switch is obtained via DHCP by default. To change this

address, see "Setting an IP Address" on page 2-4.

The switch’s HTTP web agent allows you to configure switch parameters, monitor
port connections, and display statistics using a standard web browser such as
Internet Explorer 5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0
or above. The switch’s web management interface can be accessed from any
computer attached to the network.

The CLI program can be accessed by a direct connection to the RS-232 serial
console port on the switch, or remotely by a Telnet or Secure Shell (SSH)
connection over the network.

The switch’s management agent also supports SNMP (Simple Network
Management Protocol). This SNMP agent permits the switch to be managed from
any system in the network using network management software such as
HP OpenView.

The switch’s web interface, CLI configuration program, and SNMP agent allow you
to perform the following management functions:

• Set user names and passwords

• Set an IP interface for a management VLAN

• Configure SNMP parameters

• Enable/disable any port

• Set the speed/duplex mode for any port

• Configure the bandwidth of any port by limiting input rates

• Control port access through IEEE 802.1X security or static address filtering

• Filter packets using Access Control Lists (ACLs)

• Configure up to 255 IEEE 802.1Q VLANs

• Enable GVRP automatic VLAN registration

• Configure IGMP multicast filtering

• Upload and download system firmware via TFTP

• Upload and download switch configuration files via TFTP

• Configure Spanning Tree parameters

• Configure Class of Service (CoS) priority queuing

2-1

Initial Configuration

2

• Configure trunks up to 25 on the DG-GS1550

• Enable port mirroring

• Set broadcast, multicast or unknown unicast storm control on any port

• Display system information and statistics

Required Connections

The switch provides an RS-232 serial port that enables a connection to a PC or
terminal for monitoring and configuring the switch. A null-modem console cable is
provided with the switch.

Attach a VT100-compatible terminal, or a PC running a terminal emulation program
to the switch. You can use the console cable provided with this package, or use a
null-modem cable that complies with the wiring assignments shown in the
Installation Guide.

To connect a terminal to the console port, complete the following steps:

1. Connect the console cable to the serial port on a terminal, or a PC running

terminal emulation software, and tighten the captive retaining screws on the
RS-232 connector.

2. Connect the other end of the cable to the RS-232 serial port on the switch.

3. Make sure the terminal emulation software is set as follows:

• Select the appropriate serial port (COM port 1 or COM port 2).

• Set to any of the following baud rates: 9600, 19200, 38400, 57600, 115200
(Note: Set to 9600 baud if want to view all the system initialization messages.).

• Set the data format to 8 data bits, 1 stop bit, and no parity.

• Set flow control to none.

• Set the emulation mode to VT100.

• When using HyperTerminal, select Terminal keys, not Windows keys.

Notes: 1. Refer to "Line Commands" on page 4-42 for a complete description of

console configuration options.

2. Once you have set up the terminal correctly, the console login screen will be
displayed.

For a description of how to use the CLI, see "Using the Command Line Interface" on
page 4-1. For a list of all the CLI commands and detailed information on using the
CLI, refer to "Command Groups" on page 4-10.

2-2

Basic Configuration

2

Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must
first configure it with a valid IP address, subnet mask, and default gateway using a
console connection, DHCP or BOOTP protocol.

The IP address for this switch is obtained via DHCP by default. To manually
configure this address or enable dynamic address assignment via DHCP or BOOTP,
see "Setting an IP Address" on page 2-4.

Note: This switch supports four concurrent Telnet/SSH sessions.

After configuring the switch’s IP parameters, you can access the onboard
configuration program from anywhere within the attached network. The switch’s
command-line interface can be accessed using Telnet or SSH from any computer
attached to the network. The switch can also be managed by any computer using a
web browser (Internet Explorer 5.x or above, or Netscape 6.2 or above, or Mozilla
Firefox 2.0.0.0), or from a network computer using SNMP network management
software.

Note: The onboard program only provides access to basic configuration functions. To

access the full range of SNMP management functions, you must use
SNMP-based network management software.

Basic Configuration

Console Connection

The CLI program provides two different command levels — normal access level
(Normal Exec) and privileged access level (Privileged Exec). The commands
available at the Normal Exec level are a limited subset of those available at the
Privileged Exec level and allow you to only display information and use basic
utilities. To fully configure the switch parameters, you must access the CLI at the
Privileged Exec level.

Access to both CLI levels are controlled by user names and passwords. The switch
has a default user name and password for each level. To log into the CLI at the
Privileged Exec level using the default user name and password, perform these
steps:

1. To initiate your console connection, press <Enter>. The “User Access
Verification” procedure starts.

2. At the Username prompt, enter “admin.”

3. At the Password prompt, also enter “admin.” (The password characters are not
displayed on the console screen.)

4. The session is opened and the CLI displays the “Console#” prompt indicating
you have access at the Privileged Exec level.

2-3

Initial Configuration

2

Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new

passwords for both default user names using the “username” command, record
them and put them in a safe place.

Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name and password “admin” to
access the Privileged Exec level.

2. Type “configure” and press <Enter>.

3. Type “username guest password 0 password,” for the Normal Exec level, where
password is your new password. Press <Enter>.

4. Type “username admin password 0 password,” for the Privileged Exec level,
where password is your new password. Press <Enter>.

Note: ‘0’ specifies a password in plain text, ‘7’ specifies the password in encrypted form.

Username: admin
Password:

CLI session with the DIGISOL 10/100/1000 is opened.
To end the CLI session, enter [Exit].

Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

Setting an IP Address

You must establish IP address information for the stack to obtain management
access through the network. This can be done in either of the following ways:

Manual — You have to input the information, including IP address and subnet mask.
If your management station is not in the same IP subnet as the stack’s master unit,
you will also need to specify the default gateway router.

Dynamic — The switch sends IP configuration requests to BOOTP or DHCP
address allocation servers on the network.

Manual Configuration

You can manually assign an IP address to the switch. You may also need to specify
a default gateway that resides between this device and management stations that
exist on another network segment. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.

Note: The IP address for this switch is obtained via DHCP by default.

2-4

Basic Configuration

Before you can assign an IP address to the switch, you must obtain the following
information from your network administrator:

• IP address for the switch

• Default gateway for the network

• Network mask for this network

To assign an IP address to the switch, complete the following steps:

1. From the Global Configuration mode prompt, type “interface vlan 1” to access
the interface-configuration mode. Press <Enter>.

2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP
address and “netmask” is the network mask for the network. Press <Enter>.

3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.

4. To set the IP address of the default gateway for the network to which the switch
belongs, type “ip default-gateway gateway,” where “gateway” is the IP address
of the default gateway. Press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
Console(config)#

2

Dynamic Configuration

If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until
a BOOTP or DHCP reply has been received. Requests will be sent periodically in an
effort to obtain IP configuration information. BOOTP and DHCP values can include
the IP address, subnet mask, and default gateway. If the DHCP/BOOTP server is
slow to respond, you may need to use the “ip dhcp restart” command to re-start
broadcasting service requests.

If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the
switch will start broadcasting service requests as soon as it is powered on.

To automatically configure the switch by communicating with BOOTP or DHCP
address allocation servers on the network, complete the following steps:

1. From the Global Configuration mode prompt, type “interface vlan 1” to access
the interface-configuration mode. Press <Enter>.

2. At the interface-configuration mode prompt, use one of the following commands:

• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.

• To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.

3. Type “end” to return to the Privileged Exec mode. Press <Enter>.

2-5

Initial Configuration

2

4. If network connections are normally slow, type “ip dhcp restart” to re-start
broadcasting service requests. Press <Enter>.

5. Wait a few minutes, and then check the IP configuration settings by typing the
“show ip interface” command. Press <Enter>.

6. Then save your configuration changes by typing “copy running-config
startup-config.” Enter the startup file name and press <Enter>.

Console(config)#interface vlan 1 4-167
Console(config-if)#ip address dhcp 4-336
Console(config-if)#end
Console#ip dhcp restart
Console#show ip interface 4-338
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#copy running-config startup-config 4-36
Startup configuration file name []: startup
\Write to FLASH Programming.

\Write to FLASH finish.
Success.

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple
Network Management Protocol (SNMP) applications. You can configure the switch
to (1) respond to SNMP requests or (2) generate SNMP traps.

When SNMP management stations send requests to the switch (either to return
information or to set a parameter), the switch provides the requested data or sets the
specified parameter. The switch can also be configured to send information to
SNMP managers (without being requested by the managers) through trap
messages, which inform the manager that certain events have occurred.

The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3
clients. To provide management access for version 1 or 2c clients, you must specify
a community string. The switch provides a default MIB View (i.e., an SNMPv3
construct) for the default “public” community string that provides read access to the
entire MIB tree, and a default view for the “private” community string that provides
read/write access to the entire MIB tree. However, you may assign new views to
version 1 or 2c community strings that suit your specific security requirements (see
page 3-51).

Community Strings (for SNMP version 1 and 2c clients)

Community strings are used to control management access to SNMP version 1
and 2c stations, as well as to authorize SNMP stations to receive trap messages
from the switch. You therefore need to assign community strings to specified users,
and set the access level.

2-6

Basic Configuration

2

The default strings are:

• public - with read-only access. Authorized management stations are only able to
retrieve MIB objects.

• private - with read-write access. Authorized management stations are able to both
retrieve and modify MIB objects.

To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is
recommended that you change the default community strings.

To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type

“snmp-server community string mode,” where “string” is the community access
string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that
the default mode is read only.)

2. To remove an existing string, simply type “no snmp-server community string,”

where “string” is the community access string to remove. Press <Enter>.

Console(config)#snmp-server community admin rw 4-74
Console(config)#snmp-server community private
Console(config)#

Note: If you do not intend to support access to SNMP version 1 and 2c clients, we

recommend that you delete both of the default community strings. If there are no
community strings, then SNMP management access from SNMP v1 and v2c
clients is disabled.

Trap Receivers

You can also specify SNMP stations that are to receive traps from the switch. To
configure a trap receiver, use the “snmp-server host” command. From the Privileged
Exec level global configuration mode prompt, type:

“snmp-server host host-address community-string

[version {1 | 2c | 3 {auth | noauth | priv}}]”

where “host-address” is the IP address for the trap receiver, “community-string”
specifies access rights for a version 1/2c host, or is the user name of a version 3
host, “version” indicates the SNMP client version, and “auth | noauth | priv” means
that authentication, no authentication, or authentication and privacy is used for v3
clients. Then press <Enter>. For a more detailed description of these parameters,
see "snmp-server host" on page 4-76. The following example creates a trap host for
each type of SNMP client.

Console(config)#snmp-server host 10.1.19.23 batman 4-76
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth
Console(config)#

2-7

Initial Configuration

2

Configuring Access for SNMP Version 3 Clients

To configure management access for SNMPv3 clients, you need to first create a
view that defines the portions of MIB that the client can read or write, assign the view
to a group, and then assign the user to a group. The following example creates one
view called “mib-2” that includes the entire MIB-2 tree branch, and then another view
that includes the IEEE 802.1d bridge MIB. It assigns these respective read and
read/write views to a group call “r&d” and specifies group authentication via MD5 or
SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be
used for authentication, provides the password “greenpeace” for authentication, and
the password “einstien” for encryption.

Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included 4-80
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth mib-2 802.1d 4-82
Console(config)#snmp-server user steve group r&d v3 auth md5

greenpeace priv des56 einstien 4-84

Console(config)#

For a more detailed explanation on how to configure the switch for access from
SNMP v3 clients, refer to "Simple Network Management Protocol" on page 3-36, or
refer to the specific CLI commands for SNMP starting on page 4-72.

Managing System Files

The switch’s flash memory supports three types of system files that can be managed
by the CLI program, web interface, or SNMP. The switch’s file system allows files to
be uploaded and downloaded, copied, deleted, and set as a start-up file.

The three types of files are:

• Configuration — This file type stores system configuration information and is
created when configuration settings are saved. Saved configuration files can be
selected as a system start-up file or can be uploaded via TFTP to a server for
backup. The file named “Factory_Default_Config.cfg” contains all the system
default settings and cannot be deleted from the system. If the system is booted with
the factory default settings, the switch will also create a file named “startup1.cfg”
that contains system settings for initialization, including information about the unit
identifier, MAC address, and installed module type. The configuration settings from
the factory defaults configuration file are copied to this file, which is then used to
boot the switch. See "Saving or Restoring Configuration Settings" on page 3-22 for
more information.

• Operation Code — System software that is executed after boot-up, also known as
run-time code. This code runs the switch operations and provides the CLI and web
management interfaces. See "Managing Firmware" on page 3-20 for more
information.

• Diagnostic Code — Software that is run during system boot-up, also known as
POST (Power On Self-Test).

2-8

Managing System Files

Due to the size limit of the flash memory, the switch supports only two operation
code files. However, you can have as many diagnostic code files and configuration
files as available flash memory space allows. The switch has a total of 16 Mbytes of
flash memory for system files.

In the system flash memory, one file of each type must be set as the start-up file.
During a system boot, the diagnostic and operation code files set as the start-up file
are run, and then the start-up configuration file is loaded.

Note that configuration files should be downloaded using a file name that reflects the
contents or usage of the file settings. If you download directly to the running-config,
the system will reboot, and the settings will have to be copied from the
running-config to a permanent file.

2

Saving Configuration Settings

Configuration commands only modify the running configuration file and are not
saved when the switch is rebooted. To save all your configuration changes in
nonvolatile storage, you must copy the running configuration file to the start-up
configuration file using the “copy” command.

New startup configuration files must have a name specified. File names on the
switch are case-sensitive, can be from 1 to 31 characters, must not contain slashes
(\ or /), and the leading letter of the file name must not be a period (.).
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

There can be more than one user-defined configuration file saved in the switch’s
flash memory, but only one is designated as the “startup” file that is loaded when the
switch boots. The copy running-config startup-config command always sets the
new file as the startup file. To select a previously saved configuration file, use the
boot system config:<filename> command.

The maximum number of saved configuration files depends on available flash
memory, with each configuration file normally requiring less than 20 kbytes. The
amount of available flash memory can be checked by using the dir command.

To save the current configuration settings, enter the following command:

1. From the Privileged Exec mode prompt, type “copy running-config

startup-config” and press <Enter>.

2. Enter the name of the start-up file. Press <Enter>.

Console#copy running-config startup-config 4-36
Startup configuration file name []: startup
\Write to FLASH Programming.

\Write to FLASH finish.
Success.

Console#

2-9

Initial Configuration

2

2-10

Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser you can
configure the switch and view statistics to monitor network activity. The web agent
can be accessed by any computer on the network using a standard web browser
(Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or
above).

Note:

You can also use the Command Line Interface (CLI) to manage the switch over a
serial connection to the console port or via Telnet. For more information on using
the CLI, refer to Chapter 4: Command Line Interface.”

Prior to accessing the switch from a web browser, be sure you have first performed
the following tasks:

1. Configure the switch with a valid IP address, subnet mask, and default gateway

using an out-of-band serial connection, BOOTP or DHCP protocol. (See "Setting
an IP Address" on page 2-4.)

2. Set user names and passwords using an out-of-band serial connection. Access

to the web agent is controlled by the same user names and passwords as the
onboard configuration program. (See "Setting Passwords" on page 2-4.)

3. After you enter a user name and password, you will have access to the system

configuration program.

Notes: 1.

You are allowed three attempts to enter the correct password; on the third
failed attempt the current connection is terminated.

2. If you log into the web interface as guest (Normal Exec level), you can view

the configuration settings or change the guest password. If you log in as
“admin” (Privileged Exec level), you can change the settings on any page.

3. If the path between your management station and this switch does not pass

through any device that uses the Spanning Tree Algorithm, then you can set
the switch port attached to your management station to fast forwarding (i.e.,
enable Admin Edge Port) to improve the switch’s response time to
management commands issued through the web interface. See "Configuring
Interface Settings for STA" on page 3-161.

3-1

Configuring the Switch

3

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and
password. The administrator has Read/Write access to all configuration parameters
and statistics. The default user name and password for the administrator is “admin.”

Home Page

When your web browser connects with the switch’s web agent, the home page is
displayed as shown below. The home page displays the Main Menu on the left side
of the screen and System Information on the right side. The Main Menu links are
used to navigate to other menus, and display configuration parameters and
statistics.

Figure 3-1 Home Page

3-2

Navigating the Web Browser Interface

3

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration
change has been made on a page, be sure to click on the Apply button to confirm
the new setting. The following table summarizes the web page configuration
buttons.

Table 3-1 Configuration Options

Button Action

Revert Cancels specified values and restores current values prior to pressing Apply.

Apply Sets specified values to the system.

Help Links directly to webhelp.

Notes: 1.

To ensure proper screen refresh, be sure that Internet Explorer is configured
so that the setting “Check for newer versions of stored pages” reads “Every
visit to the page”.
Internet Explorer 6.x and earlier: This option is available under the menu
“Tools / Internet Options / General / Temporary Internet Files / Settings”.
Internet Explorer 7.x: This option is available under “Tools / Internet Options
/ General / Browsing History / Settings / Temporary Internet Files”.

2. When using Internet Explorer 5.0, you may have to manually refresh the

screen after making configuration changes by pressing the browser’s refresh
button.

Panel Display

The web agent displays an image of the switch’s ports. The Mode can be set to
display different information for the ports, including Active (i.e., up or down), Duplex
(i.e., half or full duplex, or Flow Control (i.e., with or without flow control). Clicking on
the image of a port opens the Port Configuration page as described on page 3-117.

DG-GS1550

Figure 3-2 Panel Display

3-3

Configuring the Switch

3

Main Menu

Using the onboard web agent, you can define system parameters, manage and
control the switch, and all its ports, or monitor network conditions. The following
table briefly describes the selections available from this program.

Table 3-2 Main Menu

Menu Description Page

System 3-11

System Information Provides basic system description, including contact information 3-11

Switch Information Shows the number of ports, hardware/firmware version

Bridge Extension
Configuration

IP Configuration Sets the IP address for management access 3-16

Jumbo Frames Enables jumbo frame packets. 3-19

File Management 3-20

Copy Operation Allows the transfer and copying files 3-20

Delete Allows deletion of files from the flash memory 3-20

Set Start-Up Sets the startup file 3-20

Line 3-24

Console Sets console port connection parameters 3-24

Telnet Sets Telnet connection parameters 3-26

Log 3-28

Logs Stores and displays error messages 3-28

System Logs Sends error messages to a logging process 3-28

Remote Logs Configures the logging of messages to a remote logging process 3-29

SMTP Sends an SMTP client message to a participating server. 3-31

Reset Restarts the switch 3-33

SNTP Simple Network Time Protocol 3-34

Configuration Configures SNTP client settings, including broadcast mode or a

Clock Time Zone Sets the local time zone for the system clock 3-35

SNMP Simple Network Management Protocol 3-36

Configuration Configures community strings and related trap functions 3-38

Agent Status Enables or disables SNMP Agent Status 3-38

SNMPv3 3-42

Engine ID Sets the SNMP v3 engine ID on this switch 3-42

numbers, and power status

Shows the bridge extension parameters 3-15

specified list of servers

3-13

3-34

3-4

Navigating the Web Browser Interface

Table 3-2 Main Menu (Continued)

Menu Description Page

Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-43

Users Configures SNMP v3 users on this switch 3-44

Remote Users Configures SNMP v3 users from a remote device 3-46

Groups Configures SNMP v3 groups 3-48

Views Configures SNMP v3 views 3-51

Security 3-53

User Accounts Assigns a new password for the current user 3-53

Authentication Settings Configures authentication sequence, RADIUS and TACACS 3-55

Encryption Key Configures RADIUS and TACACS encryption key settings 3-58

AAA Authentication, Authorization and Accounting 3-60

RADIUS Group Settings Defines the configured RADIUS servers to use for accounting 3-61

TACACS+ Group Settings Defines the configured TACACS+ servers to use for accounting 3-62

Accounting 3-62

Settings Configures accounting of requested services for billing or

Periodic Update Sets the interval at which accounting updates are sent to

802.1X Port Settings Applies the specified accounting method to an interface 3-65

Command Privileges Specifies a method name to apply to commands entered at

Exec Settings Specifies console or Telnet authentication method 3-67

Summary Displays accounting information and statistics 3-67

Authorization 3-69

Settings Configures authorization of requested services 3-69

EXEC Settings Specifies console or Telnet authorization method 3-70

Summary Displays authorization information 3-71

HTTPS Settings Configures secure HTTP settings 3-72

SSH Secure Shell 3-74

Settings Configures Secure Shell server settings 3-89

Host-Key Settings Generates the host key pair (public and private) 3-76

Port Security Configures per port security, including status, response for

802.1X Port authentication 3-79

Information Displays global configuration settings 3-81

security purposes

RADIUS AAA servers

specific CLI privilege levels

security breach, and maximum allowed MAC addresses

3

3-62

3-64

3-66

3-89

3-5

Configuring the Switch

3

Table 3-2 Main Menu (Continued)

Menu Description Page

Configuration Configures the global configuration setting 3-81

Port Configuration Sets parameters for individual ports 3-82

Statistics Displays protocol statistics for the selected port 3-85

Network Access 3-90

Configuration Configures global Network Access parameters 3-91

Port Configuration Configures Network Access parameters for individual ports 3-92

MAC Address Information Displays Network Access statistics sorted by various attributes 3-93

MAC Authentication 3-95

Port Configuration Configures MAC Authentication parameters for ports 3-95

ACL Access Control Lists 3-96

Configuration Configures packet filtering based on IP or MAC addresses 3-96

Port Binding Binds a port to the specified ACL 3-103

IP Filter Sets IP addresses of clients allowed management access via

Port 3-115

Port Information Displays port connection status 3-115

Trunk Information Displays trunk connection status 3-115

Port Configuration Configures port connection settings 3-117

Trunk Configuration Configures trunk connection settings 3-117

Trunk Membership Specifies ports to group into static trunks 3-120

LACP Link Access Control Protocol 3-121

Configuration Allows ports to dynamically join trunks 3-121

Aggregation Port Configures parameters for link aggregation group members 3-123

Port Counters Information Displays statistics for LACP protocol messages 3-125

Port Internal Information Displays settings and operational state for the local side 3-127

Port Neighbors Information Displays settings and operational state for the remote side 3-129

Port Broadcast Control Sets the broadcast storm threshold for each port 3-130

Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 3-130

Port Multicast Control Sets the multicast storm threshold for each port 3-132

Trunk Multicast Control Sets the multicast storm threshold for each trunk 3-132

Port Unknown Unicast Control Sets the unknown unicast storm threshold for each port 3-133

Trunk Unknown Unicast Control

Mirror Port Configuration Sets the source and target ports for local mirroring 3-134

the web, SNMP, and Telnet

Sets the unknown unicast storm threshold for each trunk 3-133

3-86

3-6

Navigating the Web Browser Interface

Table 3-2 Main Menu (Continued)

Menu Description Page

RSPAN Configuration Mirrors data from remote switches over a dedicated VLAN 3-136

Rate Limit 3-140

Input Port Configuration Sets the input rate limit for each port 3-140

Input Trunk Configuration Sets the input rate limit for each trunk 3-140

Output Port Configuration Sets the output rate limit for ports 3-140

Output Trunk Configuration Sets the output rate limit for trunks 3-140

Port Statistics Lists Ethernet and RMON port statistics 3-141

Address Table 3-146

Static Addresses Displays entries for interface, address or VLAN 3-146

Dynamic Addresses Displays or edits static entries in the Address Table 3-147

Address Aging Sets timeout for dynamically learned entries 3-148

Spanning Tree 3-149

STA Spanning Tree Algorithm 3-149

Information Displays STA values used for the bridge 3-151

Configuration Configures global bridge settings for STA and RSTP 3-154

Port Information Displays individual port settings for STA 3-158

Trunk Information Displays individual trunk settings for STA 3-158

Port Configuration Configures individual port settings for STA 3-161

Trunk Configuration Configures individual trunk settings for STA 3-161

MSTP Multiple Spanning Tree Protocol 3-165

VLAN Configuration Configures priority and VLANs for a spanning tree instance 3-165

Port Information Displays port settings for a specified MST instance 3-168

Trunk Information Displays trunk settings for a specified MST instance 3-168

Port Configuration Configures port settings for a specified MST instance 3-170

Trunk Configuration Configures trunk settings for a specified MST instance 3-170

VLAN Virtual LAN 3-171

802.1Q VLAN IEEE 802.1Q VLANs 3-171

GVRP Status Enables GVRP VLAN registration protocol 3-174

802.1Q Tunnel
Configuration

Basic Information Displays information on the VLAN type supported by this switch 3-175

Current Table Shows the current port members of each VLAN and whether or

Enables QinQ Tunneling on the switch 3-175

not the port is tagged or untagged

3

3-176

3-7

Configuring the Switch

3

Table 3-2 Main Menu (Continued)

Menu Description Page

Static List Used to create or remove VLAN groups 3-177

Static Table Modifies the settings for an existing VLAN 3-180

Static Membership by Port Configures membership type for interfaces, including tagged,

Port Configuration Specifies default PVID and VLAN attributes 3-183

Trunk Configuration Specifies default trunk VID and VLAN attributes 3-183

Tunnel Port Configuration Adds ports to a QinQ tunnel 3-189

Tunnel Trunk Configuration Adds trunks to a QinQ tunnel 3-189

Traffic Segmentation Provides strict isolation between downlink ports 3-192

Status Enables traffic segmentation 3-192

Link Status Assigns uplink ports and downlink to service traffic 3-194

Private VLAN Provides isolation between client groups 3-194

Information Displays Private VLAN feature information 3-194

Configuration This page is used to create/remove primary or community

Association Each community VLAN must be associated with a primary VLAN 3-196

Port Information Shows VLAN port type, and associated primary or secondary

Port Configuration Sets the private VLAN interface type, and associates the

Trunk Information Shows VLAN port type, and associated primary or secondary

Trunk Configuration Sets the private VLAN interface type, and associates the

Protocol VLAN 3-200

Configuration Configures protocol VLANs 3-200

Port Configuration Configures protocol VLAN port type, and associated protocol

Priority 3-203

Default Port Priority Sets the default priority for each port 3-203

Default Trunk Priority Sets the default priority for each trunk 3-203

Traffic Classes Maps IEEE 802.1p priority tags to output queues 3-205

Traffic Classes Status Enables/disables traffic class priorities (not implemented) NA

Queue Mode Sets queue mode to strict priority or Weighted Round-Robin 3-207

Queue Scheduling Configures Weighted Round Robin queueing 3-208

untagged or forbidden

VLANs

VLANs

interfaces with a private VLAN

VLANs

interfaces with a private VLAN

VLANs

3-182

3-195

3-197

3-198

3-197

3-198

3-201

3-8

Navigating the Web Browser Interface

Table 3-2 Main Menu (Continued)

Menu Description Page

IP Precedence/DSCP Priority
Status

IP Precedence Priority Sets IP Type of Service priority, mapping the precedence tag to

IP DSCP Priority Sets IP Differentiated Services Code Point priority, mapping a

IP Port Priority Status Globally enables or disables IP Port Priority 3-213

IP Port Priority Sets TCP/UDP port priority, defining the socket number and

QoS Quality of Service 3-214

DiffServ Differentiated Services 3-214

Class Map Sets Class Maps 3-215

Policy Map Sets Policy Maps 3-218

Service Policy Defines service policy settings for ports 3-221

IGMP Snooping 3-223

IGMP Configuration Enables multicast filtering; configures parameters for multicast

IGMP Filter Configuration Enables IGMP filtering for the switch 3-232

IGMP Immediate Leave Enables the immediate leave function 3-226

Multicast Router
Port Information

Static Multicast Router Port
Configuration

IP Multicast Registration
Table

IGMP Member Port Table Indicates multicast addresses associated with the selected

IGMP Filter Profile
Configuration

IGMP Filter/Throttling Port
Configuration

IGMP Filter/Throttling Trunk
Configuration

MVR Multicast VLAN Registration 3-237

Configuration Globally enables MVR, sets the MVR VLAN, adds multicast

Port Information Displays MVR interface type, MVR operational and activity

Globally selects IP Precedence or DSCP Priority, or disables
both.

a class-of-service value

DSCP tag to a class-of-service value

associated class-of-service value

query

Displays the ports that are attached to a neighboring multicast
router for each VLAN ID

Assigns ports that are attached to a neighboring multicast router 3-229

Displays all multicast groups active on this switch, including
multicast IP addresses and VLAN ID

VLAN

Configures IGMP filter profiles, controlling groups and access
mode

Assigns IGMP filter profiles to port interfaces and sets throttling
action

Assigns IGMP filter profiles to trunk interfaces and sets throttling
action

stream addresses

status, and immediate leave status

3

3-209

3-210

3-211

3-213

3-224

3-228

3-230

3-231

3-232

3-235

3-235

3-238

3-240

3-9

Configuring the Switch

3

Table 3-2 Main Menu (Continued)

Menu Description Page

Trunk Information Displays MVR interface type, MVR operational and activity

Group IP Information Displays the ports attached to an MVR multicast stream 3-241

Port Configuration Configures MVR interface type and immediate leave status 3-242

Trunk Configuration Configures MVR interface type and immediate leave status 3-242

Group Member Configuration Statically assigns MVR multicast streams to an interface 3-244

DNS Domain Name Service

General Configuration Enables DNS; configures domain name and domain list; and

Static Host Table Configures static entries for domain name to address mapping 3-247

Cache Displays cache entries discovered by designated name servers 3-249

DHCP Snooping 3-104

Configuration Enables DHCP Snooping and DHCP Snooping MAC-Address

VLAN Configuration Enables DHCP Snooping for a VLAN 3-106

Information Option
Configuration

Port Configuration Selects the DHCP Snooping Information Option policy 3-108

Binding Information Displays the DHCP Snooping binding information 3-109

IP Source Guard 3-110

Port Configuration Enables IP source guard and selects filter type per port 3-110

Static Configuration Adds a static addresses to the source-guard binding table 3-112

Dynamic Information Displays the source-guard binding table for a selected interface 3-114

Cluster 3-250

Configuration Globally enables clustering for the switch 3-250

Member Configuration Adds switch Members to the cluster 3-252

Member Information Displays cluster Member switch information 3-253

Candidate Information Displays network Candidate switch information 3-254

status, and immediate leave status

specifies IP address of name servers for dynamic lookup

Verification

Enables DHCP Snooping Information Option 3-107

3-240

3-245

3-105

3-10

Basic Configuration

3

Basic Configuration

This section describes the basic functions required to set up management access to
the switch, display or upgrade operating software, or reset the system.

Displaying System Information

You can easily identify the system by displaying the device name, location and
contact information.

Field Attributes

• System Name – Name assigned to the switch system.

• Object ID – MIB II object ID for switch’s network management subsystem.

• Location – Specifies the system location.

• Contact – Administrator responsible for the system.

• System Up Time – Length of time the management agent has been up.

These additional parameters are displayed for the CLI.

• MAC Address – The physical layer address for this switch.

• Web Server – Shows if management access via is enabled.

• Web Server Port – Shows the TCP port number used by the web interface.

• Web Secure Server – Shows if management access via HTTPS is enabled.

• Web Secure Server Port – Shows the TCP port used by the HTTPS interface.

• Telnet Server – Shows if management access via Telnet is enabled.

• Telnet Server Port – Shows the TCP port used by the Telnet interface.

• Authentication Login – Shows the user login authentication sequence.

• Jumbo Frame – Shows if jumbo frames are enabled.

• POST result – Shows results of the power-on self-test.

3-11

Configuring the Switch

3

Web – Click System, System Information. Specify the system name, location, and
contact information for the system administrator, then click Apply. (This page also
includes a Telnet button that allows access to the Command Line Interface via Telnet.)

Figure 3-3 System Information

CLI – Specify the hostname, location and contact information.

Console(config)#hostname R&D 5 4-18
Console(config)#snmp-server location WC 9 4-75
Console(config)#snmp-server contact Ted 4-75
Console(config)#exit
Console#show system
System Description: DG-GS1550
System OID String: 1.3.6.1.4.1.36293.1.1.1.15
System Information
System Up Time: 0 days, 0 hours, 46 minutes, and 39.91 seconds
System Name: [NONE]
System Location: [NONE]
System Contact: [NONE]
MAC Address (Unit1): 00-17-7C-0C-8F-EE
Web Server: Enabled
Web Server Port: 80
Web Secure Server: Enabled
Web Secure Server Port: 443
Telnet Server: Enable
Telnet Server Port: 23
Jumbo Frame: Disabled

POST Result:

DUMMY Test 1 ................. PASS

UART Loopback Test ........... PASS

DRAM Test .................... PASS

Timer Test ................... PASS

PCI Device 1 Test ............ PASS

Done All Pass.

3-12

Basic Configuration

3

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version numbers for
the main board and management software, as well as the power status of the system.

Field Attributes

Main Board

• Serial Number – The serial number of the switch.

• Number of Ports – Number of built-in RJ-45 ports.

• Hardware Version – Hardware version of the main board.

• Internal Power Status – Displays the status of the internal power supply.

Management Software

•EPLD Version – Version number of the Electronically Programmable Logic Device

code.

• Loader Version – Version number of loader code.

• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.

• Operation Code Version – Version number of runtime code.

• Role – Shows that this switch is operating as Master or Slave.

Web – Click System, Switch Information.

Figure 3-4 Switch Information

3-13

Configuring the Switch

3

CLI – Use the following command to display version information.

Console#show version
Unit 1
Serial Number: AA16002532
Hardware Version: R01
EPLD Version: 3.02
Number of Ports: 50
Main Power Status: Up
Redundant Power Status: Not present

Agent (Master)
Unit ID: 1
Loader Version: 1.0.0.4
Boot ROM Version: 1.0.0.5
Operation Code Version: 112.2.14.2
Console#

3-14

Basic Configuration

3

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast
Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to
display default settings for the key variables.

Field Attributes

• Extended Multicast Filtering Services – This switch does not support the filtering

of individual multicast addresses based on GMRP (GARP Multicast Registration
Protocol).

• Traffic Classes – This switch provides mapping of user priorities to multiple traffic

classes. (Refer to "Class of Service Configuration" on page 3-203.)

• Static Entry Individual Port – This switch allows static filtering for unicast and

multicast addresses. (Refer to "Setting Static Addresses" on page 3-146.)

• VLAN Learning – This switch uses Independent VLAN Learning (IVL), where all

VLANs share the same address table.

• Configurable PVID Tagging – This switch allows you to override the default Port

VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or
Untagged) on each port. (Refer to "VLAN Configuration" on page 3-171.)

• Local VLAN Capable – This switch does not support multiple local bridges outside

of the scope of 802.1Q defined VLANs.

Web – Click System, Bridge Extension Configuration.

Figure 3-5 Bridge Extension Configuration

3-15

Configuring the Switch

3

CLI – Enter the following command.

Console#show bridge-ext 4-227
Max support VLAN numbers: 256
Max support VLAN ID: 4094
Extended multicast filtering services: No
Static entry individual port: Yes
VLAN learning: IVL
Configurable PVID tagging: Yes
Local VLAN capable: No
Traffic classes: Enabled
Global GVRP status: Disabled
GMRP: Disabled
Console#

Setting the Switch’s IP Address

This section describes how to configure an IP interface for management access
over the network. The IP address for the stack is obtained via DHCP by default. To
manually configure an address, you need to change the switch’s default settings to
values that are compatible with your network. You may also need to a establish a
default gateway between the stack and management stations that exist on another
network segment.

You can manually configure a specific IP address, or direct the device to obtain an
address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.

Command Attributes

• Management VLAN – ID of the configured VLAN (1-4094). By default, all ports on
the switch are members of VLAN 1. However, the management station can be
attached to a port belonging to any VLAN, as long as that VLAN has been assigned
an IP address.

• IP Address Mode – Specifies whether IP functionality is enabled via manual
configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot
Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has
been received from the server. Requests will be broadcast periodically by the
switch for an IP address. (DHCP/BOOTP values can include the IP address,
subnet mask, and default gateway.)

• IP Address – Address of the VLAN that is allowed management access. Valid IP
addresses consist of four numbers, 0 to 255, separated by periods.
(Default: 0.0.0.0)

• Subnet Mask – This mask identifies the host address bits used for routing to
specific subnets. (Default: 255.0.0.0)

• Gateway IP address – IP address of the gateway router between this device and
management stations that exist on other network segments. (Default: 0.0.0.0)

• MAC Address – The physical layer address for this switch.

• Restart DHCP – Requests a new IP address from the DHCP server.

3-16

Basic Configuration

3

Manual Configuration

Web – Click System, IP Configuration. Select the VLAN through which the
management station is attached, set the IP Address Mode to “Static,” enter the IP
address, subnet mask and gateway, then click Apply.

Figure 3-6 Manual IP Configuration

CLI – Specify the management interface, IP address and default gateway.

Console#config
Console(config)#interface vlan 1 4-167
Console(config-if)#ip address 192.168.226.232 255.255.255.0 4-336
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.226.254 4-337
Console(config)#

3-17

Configuring the Switch

3

Using DHCP/BOOTP

If your network provides DHCP/BOOTP services, you can configure the switch to be
dynamically configured by these services.

Web – Click System, IP Configuration. Specify the VLAN to which the management
station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to
save your changes. Then click Restart DHCP to immediately request a new
address. Note that the switch will also broadcast a request for IP configuration
settings on each power reset.

Figure 3-7 DHCP IP Configuration

Note: If you lose your management connection, use a console connection and enter

“show ip interface” to determine the new switch address.

CLI – Specify the management interface, and set the IP address mode to DHCP or
BOOTP, and then enter the “ip dhcp restart” command.

Console#config
Console(config)#interface vlan 1 4-167
Console(config-if)#ip address dhcp 4-336
Console(config-if)#end
Console#ip dhcp restart 4-338
Console#show ip interface 4-338
IP Address and Netmask: 192.168.1.1 255.255.255.0 on VLAN 1,

Address Mode: DHCP

Console#

3-18

Basic Configuration

Renewing DCHP – DHCP may lease addresses to clients indefinitely or for a
specific period of time. If the address expires or the switch is moved to another
network segment, you will lose management access to the switch. In this case, you
can reboot the switch or submit a client request to restart DHCP service via the CLI.

Web – If the address assigned by DHCP is no longer functioning, you will not be
able to renew the IP settings via the web interface. You can only restart DHCP
service via the web interface if the current address is still available.

CLI – Enter the following command to restart DHCP service.

Console#ip dhcp restart 4-338
Console#

3

Enabling Jumbo Frames

The switch provides more efficient throughput for large sequential data transfers by
supporting jumbo frames up to 10 KB for the Gigabit Ethernet ports. Compared to
standard Ethernet frames that run only up to 1.5 KB, using jumbo frames
significantly reduces the per-packet overhead required to process protocol
encapsulation fields.

Command Usage

• To use jumbo frames, both the source and destination end nodes (such as a

computer or server) must support this feature. Also, when the connection is
operating at full duplex, all switches in the network between the two end nodes
must be able to accept the extended frame size. And for half-duplex connections,
all devices in the collision domain would need to support jumbo frames.

• Enabling jumbo frames will limit the maximum threshold for broadcast storm

control to 64 packets per second. (See "Setting Broadcast Storm Thresholds" on
page 3-130.)

Command Attributes

Jumbo Packet Status – Check the box to enable jumbo frames.

Web – Click System, Jumbo Frames. Enable or disable support for jumbo frames,

and click Apply.

Figure 3-8 Bridge Extension Configuration

CLI – Enter the following command.

Console#config
Console(config)#jumbo frame
Console(config)#

3-19

Configuring the Switch

3

Managing Firmware

Just specify the method of file transfer, along with the file type and file names as
required. By saving run-time code to a file on a TFTP server, that file can later be
downloaded to the switch to restore operation.

Only two copies of the system software (i.e., the run-time firmware) can be stored in
the file directory on the switch. When downloading run-time code, the destination file
name can be specified to replace the current run-time code file, or the file can be
first downloaded using a different name from the current run-time code file, and then
the new file set as the startup file.

Command Attributes

• File Transfer Method – The firmware copy operation includes these options:

- file to file – Copies a file within the switch directory, assigning it a new name.

- file to tftp – Copies a file from the switch to a TFTP server.

- tftp to file – Copies a file from a TFTP server to the switch.

• TFTP Server IP Address – The IP address of a TFTP server.

• File Type – Specify opcode (operational code) to copy firmware.

• File Name –
the file name should not be a period (.), and the maximum length for file names on
the TFTP server is 127 characters or 31 characters for files on the switch.
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Note:

Up to two copies of the system software (i.e., the runtime firmware) can be stored
in the file directory on the switch. The currently designated startup version of this
file cannot be deleted.

The file name should not contain slashes (\ or /),

the leading letter of

Downloading System Software from a Server

When downloading runtime code, you can specify the destination file name to
replace the current image, or first download the file using a different name from the
current runtime code file, and then set the new file as the startup file.

3-20

Basic Configuration

Web –Click System, File Management, Copy Operation. Select “tftp to file” as the file
transfer method, enter the IP address of the TFTP server, set the file type to
“opcode,” enter the file name of the software to download, select a file on the switch
to overwrite or specify a new file name, then click Apply. If you replaced the current
firmware used for startup and want to start using the new operation code, reboot the
system via the System/Reset menu.

Figure 3-9 Copy Firmware

If you download to a new destination file, go to the System/File/Set Start-Up menu,
mark the operation code file used at startup, and click Apply. To start the new
firmware, reboot the system via the System/Reset menu.

3

Figure 3-10 Setting the Startup Code

To delete a file select System, File, Delete. Select the file name from the given list by
checking the tick box and click Apply. Note that t

startup code cannot be deleted.

Figure 3-11 Deleting Files

he file currently designated as the

3-21

Configuring the Switch

3

CLI – To download new firmware form a TFTP server, enter the IP address of the
TFTP server, select “opcode” as the file type, then enter the source and destination
file names. When the file has finished downloading, set the new file to start up the
system, and then restart the switch.

To start the new firmware, enter the “reload” command or reboot the system.

Console#copy tftp file 4-36
TFTP server ip address: 192.168.1.23
Choose file type:

1. config: 2. opcode: <1-2>: 2
Source file name: V2.2.7.1.bix
Destination file name: V2271.F
\Write to FLASH Programming.

-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode:V2271.F 4-41
Console(config)#exit
Console#reload 4-14

Saving or Restoring Configuration Settings

You can upload/download configuration settings to/from a TFTP server. The
configuration files can be later downloaded to restore the switch’s settings.

Command Attributes

• File Transfer Method – The configuration copy operation includes these options:

- file to file – Copies a file within the switch directory, assigning it a new name.

- file to running-config – Copies a file in the switch to the running configuration.

- file to startup-config – Copies a file in the switch to the startup configuration.

- file to tftp – Copies a file from the switch to a TFTP server.

- running-config to file – Copies the running configuration to a file.

- running-config to startup-config – Copies the running config to the startup config.

- running-config to tftp – Copies the running configuration to a TFTP server.

- startup-config to file – Copies the startup configuration to a file on the switch.

- startup-config to running-config – Copies the startup config to the running config.

- startup-config to tftp – Copies the startup configuration to a TFTP server.

- tftp to file – Copies a file from a TFTP server to the switch.

- tftp to running-config – Copies a file from a TFTP server to the running config.

- tftp to startup-config – Copies a file from a TFTP server to the startup config.

• TFTP Server IP Address – The IP address of a TFTP server.

• File Type – Specify config (configuration) to copy configuration settings.

•

File Name

— The file name should not contain slashes (\ or /),

the leading letter of
the file name should not be a period (.), and the maximum length for file names on
the TFTP server is 127 characters or 31 characters for files on the switch. (Valid
characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Note:

The maximum number of user-defined configuration files is limited only by
available flash memory space.

3-22

Basic Configuration

3

Downloading Configuration Settings from a Server

You can download the configuration file under a new file name and then set it as the
startup file, or you can specify the current startup configuration file as the destination
file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be
copied to the TFTP server, but cannot be used as the destination on the switch.

Web – Click System, File, Copy Operation. Select “tftp to startup-config” or “tftp to
file” and enter the IP address of the TFTP server. Specify the name of the file to
download and select a file on the switch to overwrite or specify a new file name, then
click Apply.

Figure 3-12 Downloading Configuration Settings for Startup

If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file
is automatically set as the start-up configuration file. To use the new settings, reboot
the system via the System/Reset menu.

Note:

You can also select any configuration file as the start-up configuration by using the
System/File/Set Start-Up page.

Figure 3-13 Setting the Startup Configuration Settings

3-23

Configuring the Switch

3

CLI – Enter the IP address of the TFTP server, specify the source file on the server,
set the startup file name on the switch, and then restart the switch.

Console#copy tftp startup-config 4-36
TFTP server ip address: 192.168.1.23
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.

-Write to FLASH finish.
Success.

Console#reload

To select another configuration file as the start-up configuration, use the boot
system command and then restart the switch.

Console#config
Console(config)#boot system config: startup-new 4-41
Console(config)#exit
Console#reload 4-14

Console Port Settings

You can access the onboard configuration program by attaching a VT100
compatible device to the switch’s serial console port. Management access through
the console port is controlled by various parameters, including a password, timeouts,
and basic communication settings. These parameters can be configured via the web
or CLI interface.

Command Attributes

• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not detected within the timeout interval, the connection is
terminated for the session. (Range: 0-300 seconds; Default: 0 seconds)

• Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0-65535 seconds; Default: 600 seconds)

• Password Threshold – Sets the password intrusion threshold, which limits the
number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt.
(Range: 0-120; Default: 3 attempts)

• Silent Time – Sets the amount of time the management console is inaccessible
after the number of unsuccessful logon attempts has been exceeded.
(Range: 0-65535; Default: 0)

• Data Bits – Sets the number of data bits per character that are interpreted and
generated by the console port. If parity is being generated, specify 7 data bits per
character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)

• Parity – Defines the generation of a parity bit. Communication protocols provided
by some terminals can require a specific parity bit setting. Specify Even, Odd, or
None. (Default: None)

3-24

Basic Configuration

• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive

(from terminal). Set the speed to match the baud rate of the device connected to
the serial port. (Range: 9600, 19200, 38400 baud, or Auto; Default: Auto)

• Stop Bits – Sets the number of the stop bits transmitted per byte.

(Range: 1-2; Default: 1 stop bit)

• Password

started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt.
(Default: No password)

• Login

single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)

Web – Click System, Line, Console. Specify the console port connection parameters
as required, then click Apply.

1

– Specifies a password for the line connection. When a connection is

1

– Enables password checking at login. You can select authentication by a

3

Figure 3-14 Console Port Settings

1. CLI only.

3-25

Configuring the Switch

3

CLI – Enter Line Configuration mode for the console, then specify the connection
parameters as required. To display the current console port settings, use the show
line command from the Normal Exec level.

Console(config)#line console 4-42
Console(config-line)#login local 4-43
Console(config-line)#password 0 secret 4-44
Console(config-line)#timeout login response 0 4-45
Console(config-line)#exec-timeout 0 4-45
Console(config-line)#password-thresh 3 4-46
Console(config-line)#silent-time 60 4-47
Console(config-line)#databits 8 4-47
Console(config-line)#parity none 4-48
Console(config-line)#speed 19200 4-49
Console(config-line)#stopbits 1 4-49
Console(config-line)#end
Console#show line console 4-50
Console configuration:
Password threshold: 3 times
Interactive timeout: Disabled
Login timeout: Disabled
Silent time: 60
Baudrate: 19200
Databits: 8
Parity: none
Stopbits: 1
Console#

Telnet Settings

You can access the onboard configuration program over the network using Telnet
(i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and
other various parameters set, including the TCP port number, timeouts, and a
password. These parameters can be configured via the web or CLI interface.

Command Attributes

• Telnet Status – Enables or disables Telnet access to the switch.

(Default: Enabled)

•Telnet Port Number – Sets the TCP port number for Telnet on the switch.
(Default: 23)

• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not detected within the timeout interval, the connection is
terminated for the session. (Range: 0-300 seconds; Default: 300 seconds)

• Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0-65535 seconds; Default: 600 seconds)

• Password Threshold – Sets the password intrusion threshold, which limits the
number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt.
(Range: 0-120; Default: 3 attempts)

3-26

Basic Configuration

3

• Password2 – Specifies a password for the line connection. When a connection is

started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt.
(Default: No password)

• Login

2

– Enables password checking at login. You can select authentication by a

single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)

Web – Click System, Line, Telnet. Specify the connection parameters for Telnet
access, then click Apply.

Figure 3-15 Enabling Telnet

CLI – Enter Line Configuration mode for a virtual terminal, then specify the
connection parameters as required. To display the current virtual terminal settings,
use the show line command from the Normal Exec level.

Console(config)#line vty 4-42
Console(config-line)#login local 4-43
Console(config-line)#password 0 secret 4-44
Console(config-line)#timeout login response 300 4-45
Console(config-line)#exec-timeout 600 4-45
Console(config-line)#password-thresh 3 4-46
Console(config-line)#end
Console#show line vty 4-50
VTY configuration:
Password threshold: 3 times
Interactive timeout: 600 sec
Login timeout: 300 sec
Console#

2. CLI only.

3-27

Configuring the Switch

3

Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of
events that are recorded in switch memory, logging to a remote System Log (syslog)
server, and displays a list of recent event messages.

System Log Configuration

The system allows you to enable or disable event logging, and specify which levels
are logged to RAM or flash memory.

Severe error messages that are logged to flash memory are permanently stored in
the switch to assist in troubleshooting network problems. Up to 4096 log entries can
be stored in the flash memory, with the oldest entries being overwritten first when the
available log memory (256 kilobytes) has been exceeded.

The System Logs page allows you to configure and limit system messages that are
logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to
flash and levels 0 to 7 to be logged to RAM.

Command Attributes

• System Log Status – Enables/disables the logging of debug or error messages to
the logging process. (Default: Enabled)

• Flash Level – Limits log messages saved to the switch’s permanent flash memory
for all levels up to the specified level. For example, if level 3 is specified, all
messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3)

Table 3-3 Logging Levels

Level Severity Name Description

7 Debug Debugging messages

6 Informational Informational messages only

5 Notice Normal but significant condition, such as cold start

4 Warning Warning conditions (e.g., return false, unexpected return)

3 Error Error conditions (e.g., invalid input, default used)

2 Critical Critical conditions (e.g., memory allocation, or free memory

1 Alert Immediate action needed

0 Emergency System unusable

* There are only Level 2, 5 and 6 error messages for the current firmware release.

error - resource exhausted)

• RAM Level – Limits log messages saved to the switch’s temporary RAM memory
for all levels up to the specified level. For example, if level 7 is specified, all
messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)

Note:

The Flash Level must be equal to or less than the RAM Level.

3-28

Basic Configuration

3

Web – Click System, Log, System Logs. Specify System Log Status,
event messages to be logged to RAM and flash memory, then click Apply.

Figure 3-16 System Logs

CLI – Enable system logging and then specify the level of messages to be logged to
RAM and flash memory. Use the show logging command to display the current
settings.

Console(config)#logging on 4-52
Console(config)#logging history ram 0 4-53
Console(config)#end
Console#show logging flash 4-56
Syslog logging: Enabled
History logging in FLASH: level emergencies
Console#

set the level of

Remote Log Configuration

The Remote Logs page allows you to configure the logging of messages that are
sent to syslog servers or other management stations. You can also limit the error
messages sent to only those messages below a specified level.

Command Attributes

• Remote Log Status – Enables/disables the logging of debug or error messages

to the remote logging process. (Default: Disabled)

• Logging Facility – Sets the facility type for remote logging of syslog messages.

There are eight facility types specified by values of 16 to 23. The facility type is
used by the syslog server to dispatch log messages to an appropriate service.

The attribute specifies the facility type tag sent in syslog messages. (See
RFC 3164.) This type has no effect on the kind of messages reported by the switch.
However, it may be used by the syslog server to process messages, such as
sorting or storing messages in the corresponding database. (Range: 16-23,
Default: 23)

• Logging Trap – Limits log messages that are sent to the remote syslog server for

all levels up to the specified level. For example, if level 3 is specified, all messages
from level 0 to level 3 will be sent to the remote server. (Range: 0-7, Default: 7)

• Host IP List – Displays the list of remote server IP addresses that receive the

syslog messages. The maximum number of host IP addresses allowed is five.

3-29

Configuring the Switch

3

• Host IP Address – Specifies a new server IP address to add to the Host IP List.

Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List,

type the new IP address in the Host IP Address box, and then click Add. To delete
an IP address, click the entry in the Host IP List, and then click Remove.

Figure 3-17 Remote Logs

CLI – Enter the syslog server host IP address, choose the facility type and set the
logging trap.

Console(config)#logging host 192.168.1.15 4-54
Console(config)#logging facility 23 4-54
Console(config)#logging trap 4 4-55
Console(config)#end
Console#show logging trap 4-55
Syslog logging: Enabled
REMOTELOG status: Enabled
REMOTELOG facility type: local use 7
REMOTELOG level type: Warning conditions
REMOTELOG server ip address: 192.168.1.15
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
Console#

3-30

Basic Configuration

3

Displaying Log Messages

The Logs page allows you to scroll through the logged system and event messages.
The switch can store up to 2048 log entries in temporary random access memory
(RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent
flash memory.

Web – Click System, Log, Logs.

Figure 3-18 Displaying Logs

CLI – This example shows the event message stored in RAM.

Console#show log ram 4-56
[1] 00:00:27 2001-01-01
"VLAN 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
[0] 00:00:25 2001-01-01
"System coldStart notification."
level: 6, module: 5, function: 1, and event no.: 1
Console#

Simple Mail Transfer Protocol

To alert system administrators of problems, the switch can use SMTP (Simple Mail
Transfer Protocol) to send email messages when triggered by logging events of a
specified level. The messages are sent to specified SMTP servers on the network
and can be retrieved using POP or IMAP clients.

Command Attributes

• Admin Status – Enables/disables the SMTP function. (Default: Enabled)

• Email Source Address – Sets the email address used for the “From” field in alert

messages. You may use a symbolic email address that identifies the switch, or the
address of an administrator responsible for the switch.

• Severity – Sets the syslog severity threshold level (see table on page 3-28) used

to trigger alert messages. All events at this level or higher will be sent to the
configured email recipients. For example, using Level 7 will report all events from
level 7 to level 0. (Default: Level 7)

• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The

switch attempts to connect to the other listed servers if the first fails. Use the New
SMTP Server text field and the Add/Remove buttons to configure the list.

3-31

Configuring the Switch

3

• SMTP Server – Specifies a new SMTP server address to add to the SMTP Server
List.

• Email Destination Address List – Specifies the email recipients of alert
messages. You can specify up to five recipients. Use the New Email Destination
Address text field and the Add/Remove buttons to configure the list.

• Email Destination Address – This command specifies SMTP servers that may
receive alert messages.

Web – Click System, Log, SMTP. Enable SMTP, specify a source email address,
and select the minimum severity level. To add an IP address to the SMTP Server
List, type the new IP address in the SMTP Server field and click Add. To delete an IP
address, click the entry in the Server IP List and click Remove. Specify up to five
email addresses to receive the alert messages, and click Apply.

Figure 3-19 Enabling and Configuring SMTP

3-32

Basic Configuration

3

CLI – Enter the IP address of at least one SMTP server, set the syslog severity level
to trigger an email message, and specify the switch (source) and up to five recipient
(destination) email addresses. Enable SMTP with the logging sendmail command
to complete the configuration. Use the show logging sendmail command to display
the current SMTP configuration.

Console(config)#logging sendmail host 192.168.1.4 4-58
Console(config)#logging sendmail level 3 4-59
Console(config)#logging sendmail source-email

a.b@cd.com 4-60

Console(config)#logging sendmail destination-email

e.f@cd.com 4-60
Console(config)#logging sendmail 4-61
Console(config)#exit
Console#show logging sendmail 4-61
SMTP servers

-----------------------------------------------

1. 192.168.1.4

SMTP minimum severity level: 4

SMTP destination email addresses

-----------------------------------------------

1. e.f@cd.com

SMTP source email address: a.b@cd.com

SMTP status: Enabled
Console#

Resetting the System

Web – Click System, Reset. Click the Reset button to reboot the switch. When
prompted, confirm that you want reset the switch.

Figure 3-20 Resetting the System

CLI – Use the reload command to restart the switch. When prompted, confirm that
you want to reset the switch.

Console#reload 4-14
System will be restarted, continue <y/n>? y

Note:

When restarting the system, it will always run the Power-On Self-Test. It will also
retain all configuration information stored in non-volatile memory (see "Saving or
Restoring Configuration Settings" on page 3-22).

3-33

Configuring the Switch

3

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal clock
based on periodic updates from a time server (SNTP or NTP). Maintaining an
accurate time on the switch enables the system log to record meaningful dates and
times for event entries. You can also manually set the clock using the CLI. (See
"calendar set" on page 4-66) If the clock is not set, the switch will only record the
time from the factory default set at the last bootup.

When the SNTP client is enabled, the switch periodically sends a request for a time
update to a configured time server. You can configure up to three time server IP
addresses. The switch will attempt to poll each server in the configured sequence.

Setting the Time Manually

You can set the system time on the switch manually without using SNTP.

CLI – This example sets the system clock time and then displays the current time
and date

Configuring SNTP

You can configure the switch to send time synchronization requests to time servers.

Command Attributes

• SNTP Client – Configures the switch to operate as an SNTP client. This requires

• SNTP Poll Interval – Sets the interval between sending requests for a time update

• SNTP Server – Sets the IP address for up to three time servers. The switch

.

Console#calendar set 17 46 00 october 18 2008 4-66
Console#show calendar 4-66
17:46:11 October 18 2008
Console#

at least one NTP or SNTP time server to be specified in the SNTP Server field.
(Default: Disabled)

from a time server. (Range: 16-16384 seconds; Default: 16 seconds)

attempts to update the time from the first server, if this fails it attempts an update
from the next server in the sequence.

3-34

Basic Configuration

3

Web – Select SNTP, Configuration. Modify any of the required parameters, and click
Apply.

Figure 3-21 SNTP Configuration

CLI – This example configures the switch to operate as an SNTP unicast client and
then displays the current time and settings.

Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-63
Console(config)#sntp poll 60 4-64
Console(config)#sntp client 4-62
Console(config)#exit
Console#show sntp
Current time: Jan 6 14:56:05 2004
Poll interval: 16
Current mode: unicast
SNTP status : Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.250.36.2
Console#

Setting the Time Zone

SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time,
or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To
display a time corresponding to your local time, you must indicate the number of
hours and minutes your time zone is east (before) or west (after) of UTC.

Command Attributes

• Current Time – Displays the current time.

• Name – Assigns a name to the time zone. (Range: 1-29 characters)

• Hours (0-12) – The number of hours before/after UTC.

• Minutes (0-59) – The number of minutes before/after UTC.

• Direction – Configures the time zone to be before (east) or after (west) UTC.

3-35

Configuring the Switch

3

Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to
the UTC, and click Apply.

Figure 3-22 Setting the System Clock

CLI - This example shows how to set the time zone for the system clock.

Console(config)#clock timezone Atlantic hours 4 minute 0

before-UTC 4-65

Console(config)#

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a communication protocol
designed specifically for managing devices on a network. Equipment commonly
managed with SNMP includes switches, routers and host computers. SNMP is
typically used to configure these devices for proper operation in a network
environment, as well as to monitor them to evaluate performance or detect potential
problems.

Managed devices supporting SNMP contain software, which runs locally on the
device and is referred to as an agent. A defined set of variables, known as managed
objects, is maintained by the SNMP agent and used to manage the device. These
objects are defined in a Management Information Base (MIB) that provides a
standard presentation of the information controlled by the agent. SNMP defines both
the format of the MIB specifications and the protocol used to access this information
over the network.

The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3.
This agent continuously monitors the status of the switch hardware, as well as the
traffic passing through its ports. A network management station can access this
information. Access to the onboard agent from clients using SNMP v1 and v2c is
controlled by community strings. To communicate with the switch, the management
station must first submit a valid community string for authentication.

3-36

Simple Network Management Protocol

3

Access to the switch using from clients using SNMPv3 provides additional security
features that cover message integrity, authentication, and encryption; as well as
controlling user access to specific areas of the MIB tree.

The SNMPv3 security structure consists of security models, with each model having
it’s own security levels. There are three security models defined, SNMPv1,
SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a
security model and specified security levels. Each group also has a defined security
access to set of MIB objects for reading and writing, which are known as “views.”
The switch has a default view (all MIB objects) and default groups defined for
security models v1 and v2c. The following table shows the security models and
levels available and the system default settings.

Table 3-4 SNMPv3 Security Models and Levels

Model Level Group Read View Write View Notify View Security

v1 noAuthNoPriv public

v1 noAuthNoPriv private

v1 noAuthNoPriv user defined user defined user defined user defined Community string only

v2c noAuthNoPriv public

v2c noAuthNoPriv private

v2c noAuthNoPriv user defined user defined user defined user defined Community string only

v3 noAuthNoPriv user defined user defined user defined user defined A user name match only

v3 AuthNoPriv user defined user defined user defined user defined Provides user

v3 AuthPriv user defined user defined user defined user defined Provides user

(read only)

(read/write)

(read only)

(read/write)

defaultview none none Community string only

defaultview defaultview none Community string only

defaultview none none Community string only

defaultview defaultview none Community string only

authentication via MD5 or
SHA algorithms

authentication via MD5 or
SHA algorithms and data
privacy using DES 56-bit
encryption

Note:

The predefined default groups and view can be deleted from the system. You can
then define customized groups and views for the SNMP clients that require access.

3-37

Configuring the Switch

3

Enabling the SNMP Agent

Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).

Command Attributes

SNMP Agent Status – Enables SNMP on the switch.

Web – Click SNMP, Agent Status.

Figure 3-23 Enabling SNMP Agent Status

CLI – The following example enables SNMP on the switch.

Console(config)#snmp-server 4-73
Console(config)#

Setting Community Access Strings

You may configure up to five community strings authorized for management access
by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers
should be listed in this table. For security reasons, you should consider removing the
default strings.

Command Attributes

• SNMP Community Capability – The switch supports up to five community strings.

• Current – Displays a list of the community strings currently configured.

• Community String – A community string that acts like a password and permits
access to the SNMP protocol.
Default strings: “public” (read-only), “private” (read/write)
Range: 1-32 characters, case sensitive

• Access Mode

- Read-Only – Authorized management stations are only able to retrieve MIB

objects.

- Read/Write – Authorized management stations are able to both retrieve and

modify MIB objects.

3-38

Simple Network Management Protocol

Web – Click SNMP, Configuration. Add new community strings as required, select
the access rights from the Access Mode drop-down list, then click Add.

Figure 3-24 Configuring SNMP Community Strings

CLI – The following example adds the string “spiderman” with read/write access.

Console(config)#snmp-server community spiderman rw 4-74
Console(config)#

3

Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap managers.
You must specify trap managers so that key events are reported by this switch to
your management station. You can specify up to five management stations that will
receive authentication failure messages and other trap messages from the switch.

Command Usage

• If you specify an SNMP Version 3 host, then the “Trap Manager Community String”

is interpreted as an SNMP user name. If you use V3 authentication or encryption
options (authNoPriv or authPriv), the user name must first be defined in the
SNMPv3 Users page (page 3-44). Otherwise, the authentication password and/or
privacy password will not exist, and the switch will not authorize SNMP access for
the host. However, if you specify a V3 host with the no authentication (noAuth)
option, an SNMP user account will be automatically generated, and the switch will
authorize SNMP access for the host.

• Notifications are issued by the switch as trap messages by default. The recipient

of a trap message does not send a response to the switch. Traps are therefore not
as reliable as inform messages, which include a request for acknowledgement of
receipt. Informs can be used to ensure that critical information is received by the
host. However, note that informs consume more system resources because they
must be kept in memory until a response is received. Informs also add to network
traffic. You should consider these effects when deciding whether to issue
notifications as traps or informs.

3-39

Configuring the Switch

3

To send an inform to a SNMPv2c host, complete these steps:

1. Enable the SNMP agent (page 3-38).

2. Enable trap informs as described in the following pages.

3. Create a view with the required notification messages (page 3-51).

4. Create a group that includes the required notify view (page 3-48).

To send an inform to a SNMPv3 host, complete these steps:

1. Enable the SNMP agent (page 3-38).

2. Enable trap informs as described in the following pages.

3. Create a view with the required notification messages (page 3-51).

4. Create a group that includes the required notify view (page 3-48).

5. Specify a remote engine ID where the user resides (page 3-43).

6. Then configure a remote user (page 3-46).

Command Attributes

• Trap Manager Capability – This switch supports up to five trap managers.

• Current – Displays a list of the trap managers currently configured.

• Trap Manager IP Address – IP address of a new management station to receive
notification message (i.e., the targeted recipient).

• Trap Manager Community String – Specifies a valid community string for the
new trap manager entry. Though you can set this string in the Trap Managers table,
we recommend that you define this string in the SNMP Community section at the
top of the SNMP Configuration page (for Version 1 or 2c clients), or define a
corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients).
(Range: 1-32 characters, case sensitive)

• Trap UDP Port – Specifies the UDP port number used by the trap manager.
(Default: 162)

• Trap Version – Specifies whether to send notifications as SNMP v1, v2c, or v3
traps. (Default: v1)

• Trap Security Level – When trap version 3 is selected, you must specify one of
the following security levels. (Default: noAuthNoPriv)

- noAuthNoPriv – There is no authentication or encryption used in SNMP

communications.

- AuthNoPriv – SNMP communications use authentication, but the data is not

encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only

available for the SNMPv3 security model).

• Trap Inform – Notifications are sent as inform messages. Note that this option is
only available for version 2c and 3 hosts. (Default: traps are used)

- Timeout – The number of seconds to wait for an acknowledgment before

resending an inform message. (Range: 0-2147483647 centiseconds;
Default: 1500 centiseconds)

- Retry times – The maximum number of times to resend an inform message if

the recipient does not acknowledge receipt. (Range: 0-255; Default: 3)

3-40

Simple Network Management Protocol

• Enable Authentication Traps3 – Issues a notification message to specified IP

trap managers whenever an invalid community string is submitted during the
SNMP access authentication process. (Default: Enabled)

• Enable Link-up and Link-down Traps

whenever a port link is established or broken. (Default: Enabled)

Web – Click SNMP, Configuration. Enter the IP address and community string for
each management station that will receive trap messages, specify the UDP port,
trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3
clients), and then click Add. Select the trap types required using the check boxes for
Authentication and Link-up/down traps, and then click Apply.

3

– Issues a notification message

3

Figure 3-25 Configuring IP Trap Managers

CLI – This example adds a trap manager and enables both authentication and
link-up, link-down traps.

Console(config)#snmp-server host 192.168.1.19 private version 2c 4-76
Console(config)#snmp-server enable traps 4-78

3. These are legacy notifications and therefore when used for SNMP Version 3 hosts, they must be

enabled in conjunction with the corresponding entries in the Notification View (page 3-51).

3-41

Configuring the Switch

3

Configuring SNMPv3 Management Access

To configure SNMPv3 management access to the switch, follow these steps:

1. If you want to change the default engine ID, it must be changed first before

configuring other parameters.

2. Specify read and write access views for the switch MIB tree.

3. Configure SNMP user groups with the required security model (i.e., SNMP v1,

v2c or v3) and security level (i.e., authentication and privacy).

4. Assign SNMP users to groups, along with their specific authentication and

privacy passwords.

Setting the Local Engine ID

An SNMPv3 engine is an independent SNMP agent that resides on the switch. This
engine protects against message replay, delay, and redirection. The engine ID is
also used in combination with user passwords to generate the security keys for
authenticating and encrypting SNMPv3 packets.

A local engine ID is automatically generated that is unique to the switch. This is
referred to as the default engine ID. If the local engine ID is deleted or changed, all
SNMP users will be cleared. You will need to reconfigure all existing users.

A new engine ID can be specified by entering 10 to 64 hexadecimal characters.

Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of a least 10 hexadecimal
characters and then click Save.

Figure 3-26 Setting an Engine ID

CLI – This example sets an SNMPv3 engine ID.

Console(config)#snmp-server engine-id local 12345abcdef0 4-79
Console(config)#exit
Console#show snmp engine-id4-114
Local SNMP engineID: 12345abcdef0
Local SNMP engineBoots: 1
Console#

3-42

Simple Network Management Protocol

3

Specifying a Remote Engine ID

To send inform messages to an SNMPv3 user on a remote device, you must first
specify the engine identifier for the SNMP agent on the remote device where the
user resides. The remote engine ID is used to compute the security digest for
authenticating and encrypting packets sent to a user on the remote host.

SNMP passwords are localized using the engine ID of the authoritative agent. For
informs, the authoritative SNMP agent is the remote agent. You therefore need to
configure the remote agent’s SNMP engine ID before you can send proxy requests
or informs to it. (See "Specifying Trap Managers and Trap Types" on page 3-39 and
"Configuring Remote SNMPv3 Users" on page 3-46.)

A new engine ID can be specified by entering 10 to 64 hexadecimal characters.

Web – Click SNMP, SNMPv3, Remote Engine ID.

Figure 3-27 Setting a Remote Engine ID

CLI – This example specifies a remote SNMPv3 engine ID.

Console(config)
Console(config)#exit
Console#show snmp engine-id
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1

Remote SNMP engineID IP address
80000000030004e2b316c54321 192.168.1.19
Console#

#snmp-server engineID remote 192.168.1.19 54321fedcba0 4-79

4-79

3-43

Configuring the Switch

3

Configuring SNMPv3 Users

Each SNMPv3 user is defined by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts users to
a specific read, write, and notify view.

Command Attributes

• User Name – The name of user connecting to the SNMP agent.
(Range: 1-32 characters)

• Group Name – The name of the SNMP group to which the user is assigned.
(Range: 1-32 characters)

• Security Model – The user security model; SNMP v1, v2c or v3.

• Security Level – The security level used for the user:

- noAuthNoPriv – There is no authentication or encryption used in SNMP

communications. (This is the default for SNMPv3.)

- AuthNoPriv – SNMP communications use authentication, but the data is not

encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only

available for the SNMPv3 security model).

• Authentication Protocol – The method used for user authentication.
(Options: MD5, SHA; Default: MD5)

• Authentication Password – A minimum of eight plain text characters is required.

• Privacy Protocol – The encryption algorithm use for data privacy; only 56-bit DES
is currently available.

• Privacy Password – A minimum of eight plain text characters is required.

• Actions – Enables the user to be assigned to another SNMPv3 group.

3-44

Simple Network Management Protocol

3

Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the
New User page, define a name and assign it to a group, then click Add to save the
configuration and return to the User Name list. To delete a user, check the box next
to the user name, then click Delete. To change the assigned group of a user, click
Change Group in the Actions column of the users table and select the new group.

Figure 3-28 Configuring SNMPv3 Users

CLI – Use the snmp-server user command to configure a new user name and
assign it to a group.

Console(config)#snmp-server user chris group r&d v3 auth md5

greenpeace priv des56 einstien
Console(config)#exit
Console#show snmp user
EngineId: 83010000030000352810030000
User Name: chris
Authentication Protocol: md5Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active

Console#

4-84

4-84

3-45

Configuring the Switch

3

Configuring Remote SNMPv3 Users

Each SNMPv3 user is defined by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts users to
a specific read, write, and notify view.

To send inform messages to an SNMPv3 user on a remote device, you must first
specify the engine identifier for the SNMP agent on the remote device where the
user resides. The remote engine ID is used to compute the security digest for
authenticating and encrypting packets sent to a user on the remote host. (See
"Specifying Trap Managers and Trap Types" on page 3-39 and "Specifying a
Remote Engine ID" on page 3-43.)

Command Attributes

• User Name – The name of user connecting to the SNMP agent.
(Range: 1-32 characters)

• Group Name – The name of the SNMP group to which the user is assigned.
(Range: 1-32 characters)

• Engine ID – The engine identifier for the SNMP agent on the remote device where
the remote user resides. Note that the remote engine identifier must be specified
before you configure a remote user. (See "Specifying a Remote Engine ID" on
page 3-43.)

• Remote IP – The Internet address of the remote device where the user resides.

• Security Model – The user security model; SNMP v1, v2c or v3. (Default: v3)

• Security Level – The security level used for the user:

- noAuthNoPriv – There is no authentication or encryption used in SNMP

communications. (This is the default for SNMPv3.)

- AuthNoPriv – SNMP communications use authentication, but the data is not

encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only

available for the SNMPv3 security model).

• Authentication Protocol – The method used for user authentication.
(Options: MD5, SHA; Default: MD5)

• Authentication Password – A minimum of eight plain text characters is required.

• Privacy Protocol – The encryption algorithm use for data privacy; only 56-bit DES
is currently available.

• Privacy Password – A minimum of eight plain text characters is required.

3-46

Simple Network Management Protocol

3

Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name.
In the New User page, define a name and assign it to a group, then click Add to save
the configuration and return to the User Name list. To delete a user, check the box
next to the user name, then click Delete.

Figure 3-29 Configuring Remote SNMPv3 Users

CLI – Use the snmp-server user command to configure a new user name and
assign it to a group.

Console(config)#snmp-server user mark group r&d remote

192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
Console(config)#exit
Console#show snmp user
No user exist.
SNMP remote user
EngineId: 80000000030004e2b316c54321
User Name: mark
Authentication Protocol: none
Privacy Protocol: none
Storage Type: nonvolatile
Row Status: active

Console#

4-84

4-84

3-47

Configuring the Switch

3

Configuring SNMPv3 Groups

An SNMPv3 group sets the access policy for its assigned users, restricting them to
specific read, write, and notify views. You can use the pre-defined default groups or
create new groups to map a set of SNMP users to SNMP views.

Command Attributes

• Group Name – The name of the SNMP group to which the user is assigned.
(Range: 1-32 characters)

• Model – The user security model; SNMP v1, v2c or v3.

• Level – The security level used for the group:

- noAuthNoPriv – There is no authentication or encryption used in SNMP

communications. (This is the default for SNMPv3.)

- AuthNoPriv – SNMP communications use authentication, but the data is not

encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only

available for the SNMPv3 security model).

• Read View – The configured view for read access. (Range: 1-64 characters)

• Write View – The configured view for write access. (Range: 1-64 characters)

• Notify View – The configured view for notifications. (Range: 1-64 characters)

Table 3-5 Supported Notification Messages

Object Label Object ID Description

RFC 1493 Traps

newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending

topologyChange 1.3.6.1.2.1.17.0.2 A topologyChange trap is sent by a bridge when

SNMPv2 Traps

coldStart 1.3.6.1.6.3.1.1.5.1 A coldStart trap signifies that the SNMPv2 entity,

warmStart 1.3.6.1.6.3.1.1.5.2 A warmStart trap signifies that the SNMPv2

agent has become the new root of the Spanning
Tree; the trap is sent by a bridge soon after its
election as the new root, e.g., upon expiration of
the Topology Change Timer immediately
subsequent to its election.

any of its configured ports transitions from the
Learning state to the Forwarding state, or from
the Forwarding state to the Discarding state. The
trap is not sent if a newRoot trap is sent for the
same transition.

acting in an agent role, is reinitializing itself and
that its configuration may have been altered.

entity, acting in an agent role, is reinitializing itself
such that its configuration is unaltered.

3-48

Simple Network Management Protocol

Table 3-5 Supported Notification Messages (Continued)

Object Label Object ID Description

*

linkDown

**

linkUp

authenticationFailure

RMON Events (V2)

risingAlarm 1.3.6.1.2.1.16.0.1 The SNMP trap that is generated when an alarm

fallingAlarm 1.3.6.1.2.1.16.0.2 The SNMP trap that is generated when an alarm

* These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps on the

SNMP Configuration menu.

1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP entity,

1.3.6.1.6.3.1.1.5.4 A linkUp trap signifies that the SNMP entity,

**

1.3.6.1.6.3.1.1.5.5 An authenticationFailure trap signifies that the

acting in an agent role, has detected that the
ifOperStatus object for one of its communication
links is about to enter the down state from some
other state (but not from the notPresent state).
This other state is indicated by the included value
of ifOperStatus.

acting in an agent role, has detected that the
ifOperStatus object for one of its communication
links left the down state and transitioned into
some other state (but not into the notPresent
state). This other state is indicated by the
included value of ifOperStatus.

SNMPv2 entity, acting in an agent role, has
received a protocol message that is not properly
authenticated. While all implementations of the
SNMPv2 must be capable of generating this trap,
the snmpEnableAuthenTraps object indicates
whether this trap will be generated.

entry crosses its rising threshold and generates
an event that is configured for sending SNMP
traps.

entry crosses its falling threshold and generates
an event that is configured for sending SNMP
traps.

3

3-49

Configuring the Switch

3

Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the
New Group page, define a name, assign a security model and level, and then select
read and write views. Click Add to save the new group and return to the Groups list.
To delete a group, check the box next to the group name, then click Delete.

Figure 3-30 Configuring SNMPv3 Groups

CLI – Use the snmp-server group command to configure a new group, specifying
the security model and level, and restricting MIB access to defined read, write, and
notify views.

Console(config)#snmp-server group secure-users v3 priv

read defaultview write defaultview notify defaultview 4-82

Console(config)#exit
Console#show snmp group 4-83

.
.
.

Group Name: secure-users
Security Model: v3
Read View: defaultview
Write View: defaultview
Notify View: defaultview
Storage Type: nonvolatile
Row Status: active

Console#

3-50

Simple Network Management Protocol

3

Setting SNMPv3 Views

SNMPv3 views are used to restrict user access to specified portions of the MIB tree.
The predefined view “defaultview” includes access to the entire MIB tree.

Command Attributes

• View Name – The name of the SNMP view. (Range: 1-64 characters)

• View OID Subtrees – Shows the currently configured object identifiers of branches

within the MIB tree that define the SNMP view.

• Edit OID Subtrees – Allows you to configure the object identifiers of branches

within the MIB tree. Wild cards can be used to mask a specific portion of the OID
string.

• Type – Indicates if the object identifier of a branch within the MIB tree is included

or excluded from the SNMP view.

Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New
View page, define a name and specify OID subtrees in the switch MIB to be included
or excluded in the view. Click Back to save the new view and return to the SNMPv3
Views list. For a specific view, click on View OID Subtrees to display the current
configuration, or click on Edit OID Subtrees to make changes to the view settings.
To delete a view, check the box next to the view name, then click Delete.

Figure 3-31 Configuring SNMPv3 Views

3-51

Configuring the Switch

3

CLI – Use the snmp-server view command to configure a new view. This example
view includes the MIB-2 interfaces table, and the wildcard mask selects all index
entries.

Console(config)#snmp-server view ifEntry.a

1.3.6.1.2.1.2.2.1.1.* included 4-80

Console(config)#exit
Console#show snmp view 4-81
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
View Type: included
Storage Type: nonvolatile
Row Status: active

View Name: readaccess
Subtree OID: 1.3.6.1.2
View Type: included
Storage Type: nonvolatile
Row Status: active

View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: nonvolatile
Row Status: active

Console#

3-52

User Authentication

3

User Authentication

You can configure this switch to authenticate users logging into the system for
management access using local or remote authentication methods. Port-based
authentication using IEEE 802.1X can also be configured to control either
management access to the uplink ports or client access to the data ports. This

switch provides secure network management access

• User Accounts – Manually configure access rights on the switch for specified users.

• Authentication Settings – Use remote authentication to configure access rights.

• Encryption Key – Configures RADIUS and TACACS+ encryption keys.

• AAA – Provides a framework for configuring access control on the switch.

• HTTPS Settings – Provide a secure web connection.

• SSH Settings – Provide a secure shell (for secure Telnet access).

• Port Security – Configure secure addresses for individual ports.

• 802.1X – Use IEEE 802.1X port authentication to control access to specific ports.

• IP Filter – Filters management access to the web, SNMP or Telnet interface.

Configuring User Accounts

The guest only has read access for most configuration parameters. However, the
administrator has write access for all parameters governing the onboard agent. You
should therefore assign a new administrator password as soon as possible, and
store it in a safe place.

The default guest name is “guest” with the password “guest.” The default
administrator name is “admin” with the password “admin.”

Command Attributes

• Account List – Displays the current list of user accounts and associated access

levels. (Defaults: admin, and guest)

• New Account – Displays configuration settings for a new account.

- User Name – The name of the user.
(Maximum length: 32 characters; maximum number of users: 16)

- Access Level – Specifies the user level.
(Options: Normal and Privileged)

Normal privilege level provides access to a limited number of the commands
which display the current status of the switch, as well as several database clear
and reset functions. Privileged level provides full access to all commands.

- Password – Specifies the user password.
(Range: 0-32 characters plain text, case sensitive)

• Change Password – Sets a new password for the specified user name.

• Add/Remove – Adds or removes an account from the list.

4

using the following options:

4. For other methods of controlling client access, see "General Security Measures" on page 3-88.

3-53

Configuring the Switch

3

Web – Click Security, User Accounts. To configure a new user account, specify a
user name, select the user’s access level, then enter a password and confirm it.
Click Add to save the new user account and add it to the Account List. To change the
password for a specific user, enter the user name and new password, confirm the
password by entering it again, then click Apply.

Figure 3-32 Access Levels

CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the
password.

Console(config)#username bob access-level 15 4-87
Console(config)#username bob password 0 smith
Console(config)#

3-54