Edge-Core ES4524M-PoE Management Manual

Powered by Accton
ES4524M-PoE 24-Port Layer 2/4 Gigabit Ethernet Switch with PoE
Management Guide
ES4524M-PoE F1.0.0.5 E012008/ST-R01 149100037400A
Contents
Chapter 1: Introduction 1-1
  Key Features 1-1
  Description of Software Features 1-2
  System Defaults 1-5
Chapter 2: Initial Configuration 2-1
  Connecting to the Switch 2-1
    Configuration Options 2-1
    Required Connections 2-2
    Remote Connections 2-3
  Basic Configuration 2-3
    Console Connection 2-3
    Setting Passwords 2-4
    Setting an IP Address 2-4
      Manual Configuration 2-4
      Dynamic Configuration 2-5
    Enabling SNMP Management Access 2-6
      Community Strings (for SNMP version 1 and 2c clients) 2-6
      Trap Receivers 2-7
      Configuring Access for SNMP Version 3 Clients 2-8
    Managing System Files 2-8
      Saving Configuration Settings 2-9
    Configuring Power over Ethernet 2-10
Chapter 3: Configuring the Switch 3-1
  Using the Web Interface 3-1
  Navigating the Web Browser Interface 3-2
    Home Page 3-2
    Configuration Options 3-3
    Panel Display 3-3
    Main Menu 3-4
  Basic Configuration 3-11
    Displaying System Information 3-11
    Displaying Switch Hardware/Software Versions 3-13
    Displaying Bridge Extension Capabilities 3-14
    Setting the Switch’s IP Address 3-15
      Manual Configuration 3-16
      Using DHCP/BOOTP 3-17
    Enabling Jumbo Frames 3-19
    Managing Firmware 3-20
      Downloading System Software from a Server 3-21
    Saving or Restoring Configuration Settings 3-23
      Downloading Configuration Settings from a Server 3-24
    Console Port Settings 3-25
    Telnet Settings 3-27
    Configuring Event Logging 3-29
      System Log Configuration 3-29
      Remote Log Configuration 3-30
      Displaying Log Messages 3-32
      Sending Simple Mail Transfer Protocol Alerts 3-32
    Resetting the System 3-34
    Setting the System Clock 3-35
      Configuring SNTP 3-35
      Setting the Time Zone 3-36
  Simple Network Management Protocol 3-37
    Enabling the SNMP Agent 3-38
    Setting Community Access Strings 3-39
    Specifying Trap Managers and Trap Types 3-40
    Configuring SNMPv3 Management Access 3-43
      Setting the Local Engine ID 3-43
      Specifying a Remote Engine ID 3-44
      Configuring SNMPv3 Users 3-45
      Configuring Remote SNMPv3 Users 3-47
      Configuring SNMPv3 Groups 3-49
      Setting SNMPv3 Views 3-52
  User Authentication 3-54
    Configuring User Accounts 3-54
    Configuring Local/Remote Logon Authentication 3-55
    Configuring HTTPS 3-58
    Configuring the Secure Shell 3-61
      Generating the Host Key Pair 3-63
      Configuring Public Keys for Clients 3-65
      Configuring the SSH Server 3-67
    Configuring 802.1X Port Authentication 3-69
      Displaying 802.1X Global Settings 3-70
      Configuring 802.1X Global Settings 3-71
      Configuring Port Settings for 802.1X 3-71
      Displaying 802.1X Statistics 3-74
    Filtering IP Addresses for Management Access 3-76
  Client Security 3-78
    Configuring Port Security 3-78
    Access Control Lists 3-81
      Setting the ACL Name and Type 3-82
      Configuring a Standard IP ACL 3-82
      Configuring an Extended IP ACL 3-83
      Configuring a MAC ACL 3-86
      Binding a Port to an Access Control List 3-87
    DHCP Snooping 3-88
      DHCP Snooping Configuration 3-90
      DHCP Snooping VLAN Configuration 3-90
      DHCP Snooping Information Option Configuration 3-91
      DHCP Snooping Port Configuration 3-93
      Displaying DHCP Snooping Binding Information 3-94
    IP Source Guard 3-95
      IP Source Guard Port Configuration 3-95
      Static IP Source Guard Binding Configuration 3-96
      Dynamic IP Source Guard Binding Information 3-98
  Port Configuration 3-99
    Displaying Connection Status 3-99
    Configuring Interface Connections 3-102
    Creating Trunk Groups 3-105
      Statically Configuring a Trunk 3-106
      Enabling LACP on Selected Ports 3-107
      Configuring LACP Parameters 3-110
      Displaying LACP Port Counters 3-113
      Displaying LACP Settings and Status for the Local Side 3-114
      Displaying LACP Settings and Status for the Remote Side 3-116
    Setting Broadcast Storm Thresholds 3-118
    Configuring Port Mirroring 3-120
    Configuring Rate Limits 3-121
      Rate Limit Configuration 3-121
    Showing Port Statistics 3-122
  Power over Ethernet Settings 3-127
    Switch Power Status 3-127
    Setting a Switch Power Budget 3-129
    Displaying Port Power Status 3-129
    Configuring Port PoE Power 3-130
  Address Table Settings 3-132
    Setting Static Addresses 3-132
    Displaying the Address Table 3-133
    Changing the Aging Time 3-135
  Spanning Tree Algorithm Configuration 3-136
    Displaying Global Settings 3-138
    Configuring Global Settings 3-141
    Displaying Interface Settings 3-145
    Configuring Interface Settings 3-148
    Configuring Multiple Spanning Trees 3-151
    Displaying Interface Settings for MSTP 3-154
    Configuring Interface Settings for MSTP 3-155
  VLAN Configuration 3-157
    Overview 3-157
      Assigning Ports to VLANs 3-157
      Forwarding Tagged/Untagged Frames 3-159
    Enabling or Disabling GVRP (Global Setting) 3-160
    Displaying Basic VLAN Information 3-160
    Displaying Current VLANs 3-161
    Creating VLANs 3-162
    Adding Static Members to VLANs (VLAN Index) 3-164
    Adding Static Members to VLANs (Port Index) 3-165
    Configuring VLAN Behavior for Interfaces 3-166
    Configuring Private VLANs 3-168
      Displaying Current Private VLANs 3-169
      Configuring Private VLANs 3-170
      Associating Private VLANs 3-171
      Displaying Private VLAN Interface Information 3-172
      Configuring Private VLAN Interfaces 3-173
    Configuring Protocol VLANs 3-174
      Configuring Basic Protocol VLAN Settings 3-174
      Configuring the Protocol VLAN System 3-175
  Link Layer Discovery Protocol 3-176
    Setting LLDP Timing Attributes 3-176
    Configuring LLDP Interface Attributes 3-178
    Displaying LLDP Local Device Information 3-181
    Displaying LLDP Remote Port Information 3-182
    Displaying LLDP Remote Information Details 3-183
    Displaying Device Statistics 3-184
    Displaying Detailed Device Statistics 3-185
  Class of Service Configuration 3-186
    Layer 2 Queue Settings 3-186
      Setting the Default Priority for Interfaces 3-186
      Mapping CoS Values to Egress Queues 3-188
      Selecting the Queue Mode 3-190
      Setting the Service Weight for Traffic Classes 3-191
    Layer 3/4 Priority Settings 3-192
      Mapping Layer 3/4 Priorities to CoS Values 3-192
      Selecting IP DSCP Priority 3-192
      Mapping DSCP Priority 3-192
  Quality of Service 3-194
    Configuring Quality of Service Parameters 3-195
    Configuring a Class Map 3-195
    Creating QoS Policies 3-198
    Attaching a Policy Map to Ingress Queues 3-201
  Multicast Filtering 3-202
    Layer 2 IGMP (Snooping and Query) 3-203
      Configuring IGMP Snooping and Query Parameters 3-204
      Enabling IGMP Immediate Leave 3-206
      Displaying Interfaces Attached to a Multicast Router 3-207
      Specifying Static Interfaces for a Multicast Router 3-208
      Displaying Port Members of Multicast Services 3-209
      Assigning Ports to Multicast Services 3-210
    Multicast VLAN Registration 3-211
      Configuring Global MVR Settings 3-212
      Displaying MVR Interface Status 3-214
      Displaying Port Members of Multicast Groups 3-215
      Configuring MVR Interfaces 3-216
      Assigning Static Multicast Groups to Interfaces 3-217
  Switch Clustering 3-219
    Cluster Configuration 3-219
    Cluster Member Configuration 3-221
    Cluster Member Information 3-222
    Cluster Candidate Information 3-223
  UPnP 3-224
    UPnP Configuration 3-225
Chapter 4: Command Line Interface 4-1
  Using the Command Line Interface 4-1
    Accessing the CLI 4-1
      Console Connection 4-1
      Telnet Connection 4-1
    Entering Commands 4-3
      Keywords and Arguments 4-3
      Minimum Abbreviation 4-3
      Command Completion 4-3
      Getting Help on Commands 4-3
      Showing Commands 4-4
      Partial Keyword Lookup 4-5
      Negating the Effect of Commands 4-5
      Using Command History 4-5
      Understanding Command Modes 4-6
      Exec Commands 4-6
      Configuration Commands 4-7
      Command Line Processing 4-8
  Command Groups 4-9
  General Commands 4-10
    enable 4-10
    disable 4-11
    configure 4-12
    show history 4-12
    reload 4-13
    prompt 4-13
    end 4-14
    exit 4-14
    quit 4-14
  System Management Commands 4-15
    Device Designation Commands 4-15
      hostname 4-16
    System Status Commands 4-16
      show startup-config 4-16
      show running-config 4-18
      show system 4-19
      show users 4-20
      show version 4-21
    Frame Size Commands 4-22
      jumbo frame 4-22
    File Management Commands 4-23
      copy 4-24
      delete 4-26
      dir 4-27
      whichboot 4-28
      boot system 4-28
    Line Commands 4-29
      line 4-30
      login 4-30
      password 4-31
      timeout login response 4-32
      exec-timeout 4-33
      password-thresh 4-33
      silent-time 4-34
      databits 4-35
      parity 4-35
      speed 4-36
      stopbits 4-37
      disconnect 4-37
      show line 4-38
    Event Logging Commands 4-39
      logging on 4-39
      logging history 4-40
      logging host 4-41
      logging facility 4-41
      logging trap 4-42
      clear log 4-42
      show logging 4-43
      show log 4-44
    SMTP Alert Commands 4-45
      logging sendmail host 4-45
      logging sendmail level 4-46
      logging sendmail source-email 4-46
      logging sendmail destination-email 4-47
      logging sendmail 4-47
      show logging sendmail 4-48
    Time Commands 4-48
      sntp client 4-49
      sntp server 4-50
      sntp poll 4-50
      show sntp 4-51
      clock timezone 4-51
      calendar set 4-52
      show calendar 4-53
    Switch Cluster Commands 4-53
      cluster 4-54
      cluster commander 4-54
      cluster ip-pool 4-55
      cluster member 4-56
      rcommand 4-56
      show cluster 4-57
      show cluster members 4-57
      show cluster candidates 4-57
    UPnP Commands 4-58
      upnp device 4-58
      upnp device ttl 4-59
      upnp device advertise duration 4-59
      show upnp 4-60
  SNMP Commands 4-60
    snmp-server 4-61
    show snmp 4-61
    snmp-server community 4-62
    snmp-server contact 4-63
    snmp-server location 4-64
    snmp-server host 4-64
    snmp-server enable traps 4-66
    snmp-server engine-id 4-67
    show snmp engine-id 4-68
    snmp-server view 4-69
    show snmp view 4-70
    snmp-server group 4-71
    show snmp group 4-72
    snmp-server user 4-73
    show snmp user 4-74
  Authentication Commands 4-75
    User Account Commands 4-75
      username 4-76
      enable password 4-77
    Authentication Sequence 4-78
      authentication login 4-78
      authentication enable 4-79
    RADIUS Client 4-80
      radius-server host 4-80
      radius-server port 4-81
      radius-server key 4-81
      radius-server retransmit 4-82
      radius-server timeout 4-82
      show radius-server 4-82
    TACACS+ Client 4-83
      tacacs-server host 4-83
      tacacs-server port 4-84
      tacacs-server key 4-84
      show tacacs-server 4-85
    Web Server Commands 4-85
      ip http port 4-85
      ip http server 4-86
      ip http secure-server 4-86
      ip http secure-port 4-87
    Telnet Server Commands 4-88
      ip telnet server 4-88
    Secure Shell Commands 4-89
      ip ssh server 4-91
      ip ssh timeout 4-92
      ip ssh authentication-retries 4-93
      ip ssh server-key size 4-93
      delete public-key 4-94
      ip ssh crypto host-key generate 4-94
      ip ssh crypto zeroize 4-95
      ip ssh save host-key 4-95
      show ip ssh 4-96
      show ssh 4-96
      show public-key 4-97
    802.1X Port Authentication 4-98
      dot1x system-auth-control 4-99
      dot1x default 4-99
      dot1x max-req 4-99
      dot1x port-control 4-100
      dot1x operation-mode 4-100
      dot1x re-authenticate 4-101
      dot1x re-authentication 4-102
      dot1x timeout quiet-period 4-102
      dot1x timeout re-authperiod 4-103
      dot1x timeout tx-period 4-103
      show dot1x 4-104
    Management IP Filter Commands 4-107
      management 4-107
      show management 4-108
  Client Security Commands 4-109
    Port Security Commands 4-109
      port security 4-110
    IP Source Guard Commands 4-111
      ip source-guard 4-111
      ip source-guard binding 4-113
      show ip source-guard 4-114
      show ip source-guard binding 4-114
    DHCP Snooping Commands 4-115
      ip dhcp snooping 4-115
      ip dhcp snooping vlan 4-117
      ip dhcp snooping trust 4-118
      ip dhcp snooping verify mac-address 4-119
      ip dhcp snooping information option 4-120
      ip dhcp snooping information policy 4-121
      show ip dhcp snooping 4-121
      show ip dhcp snooping binding 4-122
  Access Control List Commands 4-122
    IP ACLs 4-123
      access-list ip 4-123
      permit, deny (Standard ACL) 4-124
      permit, deny (Extended ACL) 4-125
      show ip access-list 4-127
      ip access-group 4-127
      show ip access-group 4-128
    MAC ACLs 4-128
      access-list mac 4-128
      permit, deny (MAC ACL) 4-129
      show mac access-list 4-131
      mac access-group 4-131
      show mac access-group 4-132
    ACL Information 4-132
      show access-list 4-132
      show access-group 4-133
  Interface Commands 4-135
    interface 4-135
    description 4-136
    speed-duplex 4-136
    negotiation 4-137
    capabilities 4-138
    flowcontrol 4-139
    media-type 4-140
    shutdown 4-141
    switchport packet-rate 4-141
    clear counters 4-142
    show interfaces status 4-143
    show interfaces counters 4-144
    show interfaces switchport 4-145
  Link Aggregation Commands 4-147
    channel-group 4-148
    lacp 4-149
    lacp system-priority 4-150
    lacp admin-key (Ethernet Interface) 4-151
    lacp admin-key (Port Channel) 4-152
    lacp port-priority 4-153
    show lacp 4-154
  Mirror Port Commands 4-157
    port monitor 4-157
    show port monitor 4-158
  Rate Limit Commands 4-159
    rate-limit 4-159
  Power over Ethernet Commands 4-160
    power mainpower maximum allocation 4-160
    power inline compatible 4-161
    power inline 4-162
    power inline maximum allocation 4-163
    power inline priority 4-163
    show power inline status 4-164
    show power mainpower 4-165
  Address Table Commands 4-166
    mac-address-table static 4-166
    clear mac-address-table dynamic 4-167
    show mac-address-table 4-167
    mac-address-table aging-time 4-168
    show mac-address-table aging-time 4-169
  Spanning Tree Commands 4-169
    spanning-tree 4-170
    spanning-tree mode 4-171
    spanning-tree forward-time 4-172
    spanning-tree hello-time 4-173
    spanning-tree max-age 4-173
    spanning-tree priority 4-174
    spanning-tree pathcost method 4-175
    spanning-tree transmission-limit 4-175
    spanning-tree mst-configuration 4-176
    mst vlan 4-176
    mst priority 4-177
    name 4-178
    revision 4-178
    max-hops 4-179
    spanning-tree spanning-disabled 4-179
    spanning-tree cost 4-180
    spanning-tree port-priority 4-181
    spanning-tree edge-port 4-182
    spanning-tree portfast 4-183
    spanning-tree link-type 4-184
    spanning-tree mst cost 4-185
    spanning-tree mst port-priority 4-186
    spanning-tree protocol-migration 4-186
    show spanning-tree 4-187
    show spanning-tree mst configuration 4-189
  VLAN Commands 4-189
    GVRP and Bridge Extension Commands 4-190
      bridge-ext gvrp 4-190
      show bridge-ext 4-191
      switchport gvrp 4-191
      show gvrp configuration 4-192
      garp timer 4-192
      show garp timer 4-193
    Editing VLAN Groups 4-194
      vlan database 4-194
      vlan 4-195
    Configuring VLAN Interfaces 4-196
      interface vlan 4-196
      switchport mode 4-197
      switchport acceptable-frame-types 4-197
      switchport ingress-filtering 4-198
      switchport native vlan 4-199
      switchport allowed vlan 4-200
      switchport forbidden vlan 4-201
    Displaying VLAN Information 4-202
      show vlan 4-202
    Configuring Private VLANs 4-203
      private-vlan 4-204
      private vlan association 4-205
      switchport mode private-vlan 4-205
      switchport private-vlan host-association 4-206
      switchport private-vlan mapping 4-207
      show vlan private-vlan 4-207
    Configuring Protocol-based VLANs 4-208
      protocol-vlan protocol-group 4-209
      protocol-vlan protocol-group vlan 4-209
      show protocol-vlan protocol-group 4-210
      show protocol-vlan protocol-group-vid 4-211
  LLDP Commands 4-212
    lldp 4-214
    lldp holdtime-multiplier 4-214
    lldp medFastStartCount 4-215
    lldp notification-interval 4-215
    lldp refresh-interval 4-216
    lldp reinit-delay 4-217
    lldp tx-delay 4-217
    lldp admin-status 4-218
    lldp notification 4-218
    lldp mednotification 4-219
    lldp basic-tlv management-ip-address 4-220
    lldp basic-tlv port-description 4-221
    lldp basic-tlv system-capabilities 4-221
    lldp basic-tlv system-description 4-222
    lldp basic-tlv system-name 4-222
    lldp dot1-tlv proto-ident 4-223
    lldp dot1-tlv proto-vid 4-223
    lldp dot1-tlv pvid 4-224
    lldp dot1-tlv vlan-name 4-224
    lldp dot3-tlv link-agg 4-225
    lldp dot3-tlv mac-phy 4-225
    lldp dot3-tlv max-frame 4-226
    lldp dot3-tlv poe 4-226
    lldp medtlv extpoe 4-227
    lldp medtlv inventory 4-227
    lldp medtlv location 4-228
    lldp medtlv med-cap 4-228
    lldp medtlv network-policy 4-229
    show lldp config 4-229
    show lldp info local-device 4-231
    show lldp info remote-device 4-232
    show lldp info statistics 4-233
  Class of Service Commands 4-234
    Priority Commands (Layer 2) 4-234
      queue mode 4-234
      switchport priority default 4-235
      queue bandwidth 4-236
      queue cos-map 4-237
      show queue mode 4-238
      show queue bandwidth 4-238
      show queue cos-map 4-239
    Priority Commands (Layer 3 and 4) 4-240
      map ip dscp (Global Configuration) 4-240
      map ip dscp (Interface Configuration) 4-241
      show map ip dscp 4-242
  Quality of Service Commands 4-243
    class-map 4-244
    match 4-245
    policy-map 4-246
    class 4-246
    set 4-247
    police 4-248
    service-policy 4-249
    show class-map 4-250
    show policy-map 4-250
    show policy-map interface 4-251
  Multicast Filtering Commands 4-252
    IGMP Snooping Commands 4-252
      ip igmp snooping 4-253
      ip igmp snooping vlan static 4-253
      ip igmp snooping version 4-254
      ip igmp snooping immediate-leave 4-254
      show ip igmp snooping 4-255
      show mac-address-table multicast 4-256
    IGMP Query Commands (Layer 2) 4-256
      ip igmp snooping querier 4-257
      ip igmp snooping query-count 4-257
      ip igmp snooping query-interval 4-258
      ip igmp snooping query-max-response-time 4-258
      ip igmp snooping router-port-expire-time 4-259
    Static Multicast Routing Commands 4-260
      ip igmp snooping vlan mrouter 4-260
      show ip igmp snooping mrouter 4-261
    Multicast VLAN Registration Commands 4-261
      mvr (Global Configuration) 4-262
      mvr (Interface Configuration) 4-263
      mvr immediate 4-264
      show mvr 4-265
      show mvr interface 4-266
      show mvr members 4-267
  IP Interface Commands 4-268
    Basic IP Configuration 4-268
      ip address 4-268
      ip default-gateway 4-269
      ip dhcp restart 4-270
      show ip interface 4-271
      show ip redirects 4-271
      ping 4-272
Appendix A: Software Specifications A-1
  Software Features A-1
  Management Features A-2
  Standards A-2
  Management Information Bases A-3
Appendix B: Troubleshooting B-1
  Problems Accessing the Management Interface B-1
  Using System Logs B-2
Glossary
Index

Tables
Table 1-1 Key Features 1-1
Table 1-2 System Defaults 1-5
Table 3-1 Configuration Options 3-3
Table 3-2 Main Menu 3-4
Table 3-3 Logging Levels 3-29
Table 3-1 SNMPv3 Security Models and Levels 3-38
Table 3-1 Supported Notification Messages 3-49
Table 3-2 HTTPS Support 3-59
Table 3-3 802.1X Statistics 3-74
Table 3-4 LACP Port Counters 3-113
Table 3-5 LACP Internal Configuration Information 3-114
Table 3-6 LACP Remote Side Settings 3-116
Table 3-7 Port Statistics 3-122
Table 3-1 Recommended STA Path Cost Range 3-149
Table 3-2 Recommended STA Path Costs 3-149
Table 3-3 Default STA Path Costs 3-150
Table 3-1 Mapping CoS Values to Egress Queues 3-188
Table 3-2 CoS Priority Levels 3-188
Table 3-3 Mapping DSCP Priority 3-193
Table 4-1 Command Modes 4-6
Table 4-2 Configuration Commands 4-7
Table 4-3 Keystroke Commands 4-8
Table 4-4 Command Group Index 4-9
Table 4-5 General Commands 4-10
Table 4-6 System Management Commands 4-15
Table 4-7 Device Designation Commands 4-15
Table 4-8 System Status Commands 4-16
Table 4-9 Frame Size Commands 4-22
Table 4-10 Flash/File Commands 4-23
Table 4-11 File Directory Information 4-27
Table 4-12 Line Command Syntax 4-29
Table 4-13 Event Logging Commands 4-39
Table 4-14 Logging Levels 4-40
Table 4-15 show logging flash/ram - display description 4-43
Table 4-16 show logging trap - display description 4-44
Table 4-17 SMTP Alert Commands 4-45
Table 4-18 Time Commands 4-48
Table 4-19 Switch Cluster Commands 4-53
Table 4-20 UPnP Commands 4-58
Table 4-21 SNMP Commands 4-60
Table 4-22 show snmp engine-id - display description 4-69
Table 4-23 show snmp view - display description 4-70
Table 4-24 show snmp group - display description 4-72
Table 4-25 show snmp user - display description 4-74
Table 4-26 Authentication Commands 4-75
Table 4-27 User Access Commands 4-75
Table 4-28 Default Login Settings 4-76
Table 4-29 Authentication Sequence 4-78
Table 4-30 RADIUS Client Commands 4-80
Table 4-31 TACACS+ Client Commands 4-83
Table 4-32 Web Server Command 4-85
Table 4-33 HTTPS System Support 4-87
Table 4-34 Telnet Server Commands 4-88
Table 4-35 Secure Shell Commands 4-89
Table 4-36 show ssh - display description 4-96
Table 4-37 802.1X Port Authentication Commands 4-98
Table 4-38 IP Filter Commands 4-107
Table 4-1 Client Security Commands 4-109
Table 4-1 Port Security Commands 4-109
Table 4-2 IP Source Guard Commands 4-111
Table 4-3 DHCP Snooping Commands 4-115
Table 4-4 Access Control List Commands 4-122
Table 4-5 IP ACL Commands 4-123
Table 4-2 MAC ACL Commands 4-128
Table 4-1 ACL Information 4-132
Table 4-2 Interface Commands 4-135
Table 4-3 show interfaces switchport - display description 4-146
Table 4-4 Link Aggregation Commands 4-147
Table 4-5 show lacp counters - display description 4-154
Table 4-6 show lacp internal - display description 4-155
Table 4-7 show lacp neighbors - display description 4-156
Table 4-9 Mirror Port Commands 4-157
Table 4-8 show lacp sysid - display description 4-157
Table 4-10 Rate Limit Commands 4-159
Table 4-11 PoE Commands 4-160
Table 4-13 show power mainpower parameters 4-165
Table 4-12 show power inline status parameters 4-165
Table 4-14 Address Table Commands 4-166
Table 4-15 Spanning Tree Commands 4-169
Table 4-3 Recommended STA Path Cost Range 4-180
Table 4-4 Recommended STA Path Cost 4-180
Table 4-5 Default STA Path Costs 4-181
Table 4-1 VLAN Commands 4-189
Table 4-6 GVRP and Bridge Extension Commands 4-190
Table 4-1 Editing VLAN Groups 4-194
Table 4-2 Configuring VLAN Interfaces 4-196
Table 4-3 Displaying VLAN Information 4-202
Table 4-4 Private VLAN Commands 4-203
Table 4-7 Protocol-based VLAN Commands 4-208
Table 4-1 LLDP Commands 4-212
Table 4-2 Priority Commands 4-234
Table 4-3 Priority Commands (Layer 2) 4-234
Table 3-4 Default CoS Priority Levels 4-237
Table 3-5 Priority Commands (Layer 3 and 4) 4-240
Table 3-6 Mapping IP DSCP to CoS Values 4-241
Table 3-7 Quality of Service Commands 4-243
Table 3-8 Multicast Filtering Commands 4-252
Table 3-9 IGMP Snooping Commands 4-252
Table 3-10 IGMP Query Commands (Layer 2) 4-256
Table 3-11 Static Multicast Routing Commands 4-260
Table 3-12 Multicast VLAN Registration Commands 4-261
Table 4-8 show mvr - display description 4-265
Table 4-1 show mvr interface - display description 4-266
Table 4-2 show mvr members - display description 4-267
Table 4-3 IP Interface Commands 4-268
Table B-1 Troubleshooting Chart B-1
Figures
Figure 3-1 Home Page 3-2
Figure 3-2 Panel Display 3-3
Figure 3-3 System Information 3-12
Figure 3-4 Switch Information 3-13
Figure 3-5 Displaying Bridge Extension Configuration 3-15
Figure 3-6 Manual IP Configuration 3-16
Figure 3-7 DHCP IP Configuration 3-17
Figure 3-8 Enabling Jumbo Frames 3-19
Figure 3-9 Copy Firmware 3-21
Figure 3-10 Setting the Startup Code 3-21
Figure 3-11 Deleting Files 3-22
Figure 3-12 Downloading Configuration Settings for Startup 3-24
Figure 3-13 Setting the Startup Configuration Settings 3-24
Figure 3-1 Configuring the Console Port 3-26
Figure 3-2 Configuring the Telnet Interface 3-28
Figure 3-14 System Logs 3-30
Figure 3-15 Remote Logs 3-31
Figure 3-16 Displaying Logs 3-32
Figure 3-17 Enabling and Configuring SMTP 3-33
Figure 3-18 Resetting the System 3-34
Figure 3-19 SNTP Configuration 3-35
Figure 3-20 Setting the Time Zone 3-36
Figure 3-21 Enabling the SNMP Agent 3-38
Figure 3-22 Configuring SNMP Community Strings 3-39
Figure 3-23 Configuring SNMP Trap Managers 3-42
Figure 3-24 Setting an Engine ID 3-43
Figure 3-25 Setting an Engine ID 3-44
Figure 3-26 Configuring SNMPv3 Users 3-46
Figure 3-27 Configuring Remote SNMPv3 Users 3-48
Figure 3-28 Configuring SNMPv3 Groups 3-51
Figure 3-29 Configuring SNMPv3 Views 3-52
Figure 3-1 User Accounts 3-55
Figure 3-30 Authentication Settings 3-57
Figure 3-31 HTTPS Settings 3-60
Figure 3-32 SSH Host-Key Settings 3-64
Figure 3-33 SSH User Public-Key Settings 3-66
Figure 3-34 SSH Server Settings 3-68
Figure 3-35 802.1X Global Information 3-70
Figure 3-36 802.1X Global Configuration 3-71
Figure 3-37 802.1X Port Configuration 3-72
Figure 3-38 Displaying 802.1X Port Statistics 3-75
Figure 3-39 Filtering Management Access 3-77
Figure 3-40 Configuring Port Security 3-80
Figure 3-41 Selecting ACL Type 3-82
Figure 3-42 Configuring Standard IP ACLs 3-83
Figure 3-43 Configuring Extended IP ACLs 3-85
Figure 3-44 Configuring MAC ACLs 3-87
Figure 3-45 Mapping ACLs to Port Ingress Queues 3-88
Figure 3-46 DHCP Snooping Configuration 3-90
Figure 3-47 DHCP Snooping VLAN Configuration 3-91
Figure 3-48 DHCP Snooping Information Option Configuration 3-92
Figure 3-49 DHCP Snooping Port Configuration 3-93
Figure 3-50 DHCP Snooping Binding Information 3-94
Figure 3-51 IP Source Guard Port Configuration 3-96
Figure 3-52 Static IP Source Guard Binding Configuration 3-97
Figure 3-53 Dynamic IP Source Guard Binding Information 3-98
Figure 3-54 Port Status Information 3-100
Figure 3-55 Configuring Port Attributes 3-104
Figure 3-56 Static Trunk Configuration 3-106
Figure 3-57 LACP Port Configuration 3-108
Figure 3-58 LACP Aggregation Port Configuration 3-111
Figure 3-59 Displaying LACP Port Counters 3-113
Figure 3-60 Displaying Local LACP Port Information 3-115
Figure 3-61 Displaying Remote LACP Port Information 3-116
Figure 3-62 Port Broadcast Control 3-119
Figure 3-63 Configuring a Mirror Port 3-120
Figure 3-64 Configuring Port Rate Limits 3-121
Figure 3-65 Displaying Port Statistics 3-125
Figure 3-66 Displaying the Global PoE Status 3-128
Figure 3-67 Setting the Switch Power Budget 3-129
Figure 3-68 Displaying Port PoE Status 3-130
Figure 3-69 Configuring Port PoE Power 3-131
Figure 3-70 Mapping Static Addresses 3-132
Figure 3-71 Displaying the MAC Dynamic Address Table 3-134
Figure 3-72 Setting the Aging Time 3-135
Figure 3-73 STA Information 3-139
Figure 3-74 STA Global Configuration 3-144
Figure 3-75 Displaying STA Port Status Information 3-147
Figure 3-76 STA Port Configuration 3-151
Figure 3-2 MSTP VLAN Configuration 3-152
Figure 3-3 MSTP Port Information 3-154
Figure 3-4 MSTP Port Configuration 3-156
Figure 3-1 Globally Enabling GVRP 3-160
Figure 3-77 Displaying Basic VLAN Information 3-160
Figure 3-78 VLAN Current Table 3-161
Figure 3-79 Creating Virtual LANs 3-163
Figure 3-80 VLAN Static Table - Adding Static Members 3-165
Figure 3-81 VLAN Static Membership by Port 3-166
Figure 3-82 Configuring VLAN Ports 3-168
Figure 3-83 Private VLAN Information 3-169
Figure 3-84 Private VLAN Configuration 3-170
Figure 3-85 Private VLAN Association 3-171
Figure 3-86 Private VLAN Port Information 3-172
Figure 3-87 Private VLAN Port Configuration 3-173
Figure 3-88 Protocol VLAN Configuration 3-175
Figure 3-89 Protocol VLAN System Configuration 3-175
Figure 3-90 LLDP Configuration 3-177
Figure 3-5 LLDP Port Configuration 3-180
Figure 3-91 LLDP Local Device Information 3-181
Figure 3-1 LLDP Remote Port Information 3-182
Figure 3-6 LLDP Remote Information Details 3-183
Figure 3-7 LLDP Device Statistics 3-184
Figure 3-8 LLDP Device Statistics Details 3-185
Figure 3-92 Default Port Priority 3-187
Figure 3-93 Configuring Traffic Classes 3-189
Figure 3-94 Setting the Queue Mode 3-190
Figure 3-95 Configuring Queue Scheduling 3-191
Figure 3-96 IP DSCP Priority Status 3-192
Figure 3-97 Mapping IP DSCP Priority to Class of Service Values 3-193
Figure 3-98 Configuring Class Maps 3-197
Figure 3-99 Configuring Policy Maps 3-200
Figure 3-100 Service Policy Settings 3-201
Figure 3-101 Configuring IGMP 3-205
Figure 3-102 IGMP Immediate Leave 3-206
Figure 3-103 Displaying Multicast Router Port Information 3-207
Figure 3-104 Static Multicast Router Port Configuration 3-208
Figure 3-105 Displaying Port Members of Multicast Services 3-209
Figure 3-106 Specifying Multicast Port Membership 3-210
Figure 3-107 MVR Global Configuration 3-213
Figure 3-108 MVR Port Information 3-214
Figure 3-109 MVR Group IP Information 3-215
Figure 3-110 MVR Port Configuration 3-217
Figure 3-111 MVR Group Member Configuration 3-218
Figure 3-112 Cluster Configuration 3-220
Figure 3-113 Cluster Member Configuration 3-221
Figure 3-114 Cluster Member Information 3-222
Figure 3-115 Cluster Candidate Information 3-223
Figure 3-116 UPnP Configuration 3-225

Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.

Key Features

Table 1-1 Key Features

Feature – Description
Configuration Backup and Restore – Backup to TFTP server
Authentication – Console, Telnet, web: user name / password, RADIUS, TACACS+; Web: HTTPS; Telnet: SSH; SNMP v1/v2c: community strings; SNMP version 3: MD5 or SHA password; Port: IEEE 802.1X, MAC address filtering
Access Control Lists – Supports up to 256 ACLs, 60 rules per ACL
DHCP Client – Supported
Port Configuration – Speed, duplex mode and flow control
Rate Limiting – Input and output rate limiting per port
Port Mirroring – One port mirrored to single analysis port
Port Trunking – Supports up to 8 trunks using either static or dynamic trunking (LACP)
Broadcast Storm Control – Supported
Static Address – Up to 8K MAC addresses in the forwarding table
IEEE 802.1D Bridge – Supports dynamic data switching and address learning
Store-and-Forward Switching – Supported to ensure wire-speed switching while eliminating bad frames
Spanning Tree Algorithm – Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
Virtual LANs – Up to 255 using IEEE 802.1Q, port-based, protocol-based, or private VLANs
Traffic Prioritization – Default port priority, traffic class map, queue scheduling, and Differentiated Services Code Point (DSCP)
Quality of Service – Supports Differentiated Services (DiffServ)
Multicast Filtering – Supports IGMP snooping and query
LLDP – Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain

Description of Software Features

The switch provides a wide range of advanced performance-enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Untagged (port-based), tagged, and protocol-based VLANs, plus support for automatic GVRP VLAN registration, provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network, while multicast filtering provides support for real-time network applications. Some of the management features are briefly described below.
Configuration Backup and Restore – You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings. Note that TFTP provides no authentication or encryption, and the saved file contains the switch’s user accounts and SNMP community strings, so the TFTP server should only be reachable from the management network and the file treated as sensitive.
Authentication – This switch authenticates management access via the console port, Telnet or web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses the Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then relays EAP between the switch and the authentication server (i.e., a RADIUS server) to verify the client’s right to access the network.
Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, IP address filtering for SNMP/web/Telnet management access, and MAC address filtering for port access.
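The console session below is an added example, not text from this guide. It applies the management-access controls just listed in the order a practitioner would: replace the factory credentials, authenticate logins against RADIUS with a local fallback, turn off the cleartext Telnet and HTTP services in favour of SSH and HTTPS, retire the default SNMP v1/v2c communities, restrict which hosts may reach the management agent, and enable 802.1X on an access port. The command names are those listed in the Chapter 4 command index; the argument syntax, the user names admin and guest, the community strings public and private, the 192.168.1.x addresses, the RADIUS shared secret and the port numbers are assumptions to check against the command reference before use.

```text
Console# configure
! Factory accounts (assumed names): set new passwords and keep guest at the lowest level.
Console(config)# username admin password 0 <new-admin-password>
Console(config)# username guest access-level 0
Console(config)# username guest password 0 <new-guest-password>
Console(config)# enable password level 15 0 <new-enable-password>
! RADIUS first; the local database is consulted only if no server answers.
Console(config)# radius-server host 192.168.1.25
Console(config)# radius-server key <shared-secret>
Console(config)# authentication login radius local
Console(config)# authentication enable radius local
! Encrypted management only: generate and persist the SSH host key, then swap services.
Console(config)# ip ssh crypto host-key generate rsa
Console(config)# ip ssh save host-key
Console(config)# ip ssh server
Console(config)# ip ssh authentication-retries 3
Console(config)# no ip telnet server
Console(config)# ip http secure-server
Console(config)# no ip http server
! Remove the well-known v1/v2c communities (assumed defaults); use SNMPv3 users instead.
Console(config)# no snmp-server community public
Console(config)# no snmp-server community private
! Only this management range may open SNMP, web or Telnet/SSH sessions to the switch.
Console(config)# management all-client 192.168.1.19 192.168.1.30
! 802.1X: the switch relays EAP from the client on port 1/1 to the RADIUS server above.
Console(config)# dot1x system-auth-control
Console(config)# interface ethernet 1/1
Console(config-if)# dot1x port-control auto
Console(config-if)# end
! Verify, then make the settings survive a reboot.
Console# show ip ssh
Console# show management all-client
Console# show dot1x
Console# copy running-config startup-config
```

Keep a console session open while disabling Telnet and HTTP so a typo in the SSH or HTTPS settings does not lock you out, and do not save to startup-config until an SSH login from the permitted range has been confirmed.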
Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.
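An added example of an extended IP ACL bound to an access port (not from this guide): workstations behind port 1/5 may reach the server subnet only for DNS and HTTPS, cleartext Telnet to any destination is dropped, and everything else passes. The ACL name edge-in, the 10.10.x.x subnets and the port number are invented for illustration. The keyword syntax follows the permit/deny (Extended ACL) and ip access-group commands in Chapter 4 and the mask form (255.255.255.0 marks the address bits to match) is assumed; confirm both there. The list ends with an explicit catch-all rule so its behaviour does not depend on what the switch does when no rule matches, and it stays well inside the 60 rules per ACL allowed by Table 1-1.

```text
Console# configure
Console(config)# access-list ip extended edge-in
! Allowed services from the workstation subnet to the server subnet.
Console(config-ext-acl)# permit udp 10.10.20.0 255.255.255.0 10.10.1.0 255.255.255.0 destination-port 53
Console(config-ext-acl)# permit tcp 10.10.20.0 255.255.255.0 10.10.1.0 255.255.255.0 destination-port 443
! No cleartext Telnet from this port to anywhere.
Console(config-ext-acl)# deny tcp any any destination-port 23
! Everything else toward the server subnet is dropped (no protocol keyword = any IP; assumed).
Console(config-ext-acl)# deny 10.10.20.0 255.255.255.0 10.10.1.0 255.255.255.0
! Explicit final rule: traffic to other destinations is forwarded.
Console(config-ext-acl)# permit any any
Console(config-ext-acl)# exit
! Bind the list to ingress on the workstation port.
Console(config)# interface ethernet 1/5
Console(config-if)# ip access-group edge-in in
Console(config-if)# end
Console# show ip access-list extended edge-in
Console# show access-group
```

Rules are evaluated in order and the first match wins, so the two permits must precede the subnet-wide deny; reversing them would silently block DNS and HTTPS.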
Port Configuration – You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard.
Rate Limiting – This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Packets that exceed the acceptable amount of traffic are dropped.
Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.
Port Trunking – Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using IEEE 802.3-2005 (formerly IEEE 802.3ad) Link Aggregation Control Protocol (LACP). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 8 trunks.
Broadcast Storm Control – Broadcast suppression prevents broadcast traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
Static Addresses – A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.
IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 8K addresses.
Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth.
To avoid dropping frames on congested ports, the switch provides 1.5 MB for frame buffering. This buffer can queue packets awaiting transmission on congested networks.
Spanning Tree Protocol – The switch supports these spanning tree protocols:
Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.
Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to about 3 to 5 seconds, compared to 30 seconds or more for the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.
Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).
Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically learned via GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can:
• Eliminate broadcast storms which severely degrade performance in a flat network.
• Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection.
• Provide data security by restricting all traffic to the originating VLAN.
• Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.
• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.
Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using four priority queues with strict or Weighted Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can provide independent priorities for delay-sensitive data and best-effort data.
This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the DSCP field in the IP frame. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic is then sent to the corresponding output queue.
Quality of Service – Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
Multicast Filtering – Multicast filtering is a system where network devices forward multicast traffic only to the ports that are registered with the multicast group. Without multicast filtering the data packet will be broadcast to all end stations within a LAN or VLAN. The purpose is to keep the non-multicast group members from receiving unsolicited packets and to prevent a possible reduction in network performance. The switch uses IGMP Snooping and Query to manage multicast group registration.
System Defaults
The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-23).
The following table lists some of t he basic system defaults.
Table 1-2 System Defaults

Function                    Parameter                                       Default
Console Port Connection     Baud Rate                                       9600
                            Data bits                                       8
                            Stop bits                                       1
                            Parity                                          none
                            Local Console Timeout                           0 (disabled)
Authentication              Privileged Exec Level                           Username “admin”, no password
                            Normal Exec Level                               Username “guest”, Password “guest”
                            Enable Privileged Exec from Normal Exec Level   Password “super”
                            RADIUS Authentication                           Disabled
                            TACACS Authentication                           Disabled
                            802.1X Port Authentication                      Disabled
                            HTTPS                                           Enabled
                            SSH                                             Disabled
                            Port Security                                   Disabled
                            IP Filtering                                    Disabled
Web Management              HTTP Server                                     Enabled
                            HTTP Port Number                                80
                            HTTP Secure Server                              Enabled
                            HTTP Secure Port Number                         443
SNMP                        Community Strings                               “public” (read only); “private” (read/write)
                            Traps                                           Authentication traps: enabled; Link-up-down events: enabled
                            SNMP V3                                         View: defaultview; Group: public (read only); private (read/write)
Port Configuration          Admin Status                                    Enabled
                            Auto-negotiation                                Enabled
                            Flow Control                                    Disabled
Rate Limiting               Input and output limits                         Disabled
Port Trunking               Static Trunks                                   None
                            LACP (all ports)                                Disabled
Broadcast Storm Protection  Status                                          Enabled (all ports)
                            Broadcast Limit Rate                            500 packets per second
Spanning Tree Protocol      Status                                          Enabled, RSTP (Defaults: All values based on IEEE 802.1w)
                            Fast Forwarding (Edge Port)                     Disabled
Address Table               Aging Time                                      300 seconds
Virtual LANs                Default VLAN                                    1
                            PVID                                            1
                            Acceptable Frame Type                           All
                            Ingress Filtering                               Enabled
                            Switchport Mode (Egress Mode)                   Hybrid: tagged/untagged frames
                            GVRP (global)                                   Disabled
                            GVRP (port interface)                           Disabled
Traffic Prioritization      Ingress Port Priority                           0
                            Weighted Round Robin                            Queue: 0 1 2 3 / Weight: 1 2 4 8
                            IP DSCP Priority                                Disabled
IP Settings                 IP Address                                      0.0.0.0
                            Subnet Mask                                     255.0.0.0
                            Default Gateway                                 0.0.0.0
                            DHCP                                            Enabled
                            BOOTP                                           Disabled
Multicast Filtering         IGMP Snooping                                   Snooping: Enabled; Querier: Disabled
System Log                  Status                                          Enabled
                            Messages Logged                                 Levels 0-7 (all)
                            Messages Logged to Flash                        Levels 0-3
SMTP Email Alerts           Event Handler                                   Enabled (but no server defined)
SNTP                        Clock Synchronization                           Disabled
Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: The IP address for this switch is unassigned by default. To change this address, see “Setting an IP Address” on page 2-4.
The switch’s HTTP web agent allows you to configure switch parameters, monitor port connections, and display statistics using a standard web browser such as Internet Explorer 5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0 or above. The switch’s web management interface can be accessed from any computer attached to the network.
The CLI program can be accessed by a direct connection to the RS-232 serial console port on the switch, or remotely by a Telnet connection over the network.
The switch’s management agent also supports SNMP (Simple Network Management Protocol). This SNMP agent permits the switch to be managed from any system in the network using network management software such as EdgeView.
The switch’s web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions:
• Set user names and passwords
• Set an IP interface for a management VLAN
• Configure SNMP parameters
• Enable/disable any port
• Set the speed/duplex mode for any port
• Configure the bandwidth of any port by limiting input or output rates
• Control port access through IEEE 802.1X security or static address filtering
• Filter packets using Access Control Lists (ACLs)
• Configure up to 255 IEEE 802.1Q VLANs
• Enable GVRP automatic VLAN registration
• Configure IGMP multicast filtering
• Upload and download system firmware via TFTP
• Upload and download switch configuration files via TFTP
• Configure Spanning Tree parameters
• Configure Class of Service (CoS) priority queuing
• Configure up to 8 static or LACP trunks
• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics

Required Connections

The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch.
Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.
To connect a terminal to the console port, complete the following steps:
1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector.
2. Connect the other end of the cable to the RS-232 serial port on the switch.
3. Make sure the terminal emulation software is set as follows:
• Select the appropriate serial port (COM port 1 or COM port 2).
• Set the baud rate to 9600 bps.
• Set the data format to 8 data bits, 1 stop bit, and no parity.
• Set flow control to none.
• Set the emulation mode to VT100.
• With HyperTerminal, select Terminal keys, not Windows keys.
For a description of how to use the CLI, see “Using the Command Line Interface” on page 4-1. For a list of all the CLI commands and detailed information on using the CLI, refer to “Command Groups” on page 4-9.
Notes: 1. When using HyperTerminal with Microsoft® Windows® 2000, make sure that you have Windows 2000 Service Pack 2 or later installed. Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal’s VT100 emulation. See www.microsoft.com for information on Windows 2000 service packs.
2. Refer to “Line Commands” on page 4-29 for a complete description of console configuration options.
3. Once you have set up the terminal correctly, the console login screen will be displayed.
Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol.
The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4.
Note: This switch supports four concurrent Telnet/SSH sessions.
After configuring the switch’s IP parameters, you can access the onboard configuration program from anywhere within the attached network. The onboard configuration program can be accessed using Telnet from any computer attached to the network. The switch can also be managed by any computer using a web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above), or from a network computer using SNMP network management software.
Note: The onboard program only provides access to basic configuration functions. To access the full range of SNMP management functions, you must use SNMP-based network management software.
Basic Configuration

Console Connection

The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and only allow you to display information and use basic utilities. To fully configure the switch parameters, you must access the CLI at the Privileged Exec level.
Access to both CLI levels is controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps:
1. To initiate your console connection, press <Enter>. The “User Access Verification” procedure starts.
2. At the Username prompt, enter “admin.”
3. At the Password prompt, press <Enter> since there is no default password.
4. The session is opened and the CLI displays the “Console#” prompt indicating you have access at the Privileged Exec level.

Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place.
Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:
1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
2. Type “configure” and press <Enter>.
3. Type “username guest password 0 password,” for the Normal Exec level, where password is your new password. Press <Enter>.
4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.
Username: admin
Password:
CLI session with the ES4524M-PoE is opened.
To end the CLI session, enter [Exit].
Console#configure                                        4-12
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

Setting an IP Address

You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:
Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.
Dynamic — The switch sends IP configuration requests to BOOTP or DHCP address allocation servers on the network.
Manual Configuration
You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations on another network segment. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.
Note: The IP address for this switch is obtained via DHCP by default.
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Default gateway for the ne twork
• Network mask for this network
To assign an IP address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask” is the network mask for the network. Press <Enter>.
3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.
4. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press <Enter>.
Console(config)#interface vlan 1                                4-135
Console(config-if)#ip address 192.168.1.5 255.255.255.0         4-268
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254                4-269
Console(config)#
Dynamic Configuration
If you select the “bootp” or “dhcp” option, the switch will immediately start broadcasting service requests. IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server. If the BOOTP or DHCP server is slow to respond, the “ip dhcp restart client” command can also be used to start broadcasting service requests. BOOTP and DHCP values can include the IP address, subnet mask, and default gateway.
If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on.
To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. At the interface-configuration mode prompt, use one of the following commands:
• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.
• To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.
3. Type “end” to return to the Privileged Exec mode. Press <Enter>.
4. Type “ip dhcp restart” to begin broadcasting service requests. Press <Enter>.
5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.
6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.
Console(config)#interface vlan 1                                4-135
Console(config-if)#ip address dhcp                              4-268
Console(config-if)#end
Console#ip dhcp restart client                                  4-270
Console#show ip interface                                       4-271
IP Address and Netmask: 192.168.0.192 255.255.255.0 on VLAN 1,
Address Mode: DHCP
Console#copy running-config startup-config                      4-24
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as EdgeView. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps.
When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred.
The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients. To provide management access for version 1 or 2c clients, you must specify a community string. The switch provides a default MIB View (i.e., an SNMPv3 construct) for the default “public” community string that provides read access to the entire MIB tree, and a default view for the “private” community string that provides read/write access to the entire MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see page 3-52).
Community Strings (for SNMP version 1 and 2c clients)
Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
The default strings are:
public - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
private - Specifies read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
To configure a community string, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)
2. To remove an existing string, simply type “no snmp-server community string,” where “string” is the community access string to remove. Press <Enter>.
Console(config)#snmp-server community admin rw                  4-62
Console(config)#snmp-server community private
Console(config)#
Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
Trap Receivers
You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type:
“snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]”
where “host-address” is the IP address for the trap receiver, “community-string” specifies access rights for a version 1/2c host, or is the user name of a version 3 host, “version” indicates the SNMP client version, and “auth | noauth | priv” means that authentication, no authentication, or authentication and privacy is used for v3 clients. Then press <Enter>. For a more detailed description of these parameters, see “snmp-server host” on page 4-64. The following example creates a trap host for each type of SNMP client.
Console(config)#snmp-server host 10.1.19.23 batman                  4-64
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth
Console(config)#
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMP v3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/write views to a group called “r&d” and specifies group authentication via MD5 or SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included         4-69
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth mib-2 802.1d          4-71
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien   4-73
Console(config)#
For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “Simple Network Management Protocol” on page 3-37, or refer to the specific CLI commands for SNMP starting on page 4-60.
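The community, trap-host and v3-user settings entered in the last three sections can be checked against the guide’s own recommendations: change or delete the default community strings, and prefer v3 with authentication and privacy. The following audit script is an added example, not Edge-Core code; it assumes a transcript of the command forms shown above (a constructed sample is embedded, with placeholder names and passwords for the extra user) and that a trap host entered without a “version” keyword is treated as an SNMP v1 host, as the first trap-host example implies.

```python
"""Audit SNMP settings entered on the switch CLI (added example, not Edge-Core code).

Parses the "snmp-server community", "snmp-server host" and "snmp-server user"
command forms described in this guide and reports the weak settings the guide
warns about: default community strings still present, clear-text v1/v2c trap
hosts, and v3 trap hosts or users configured without privacy.
"""

# The guide's default community strings, which it recommends changing or deleting.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample transcript: the guide's own examples, a "no" form for one
# default string, and one extra v3 user whose name and password are placeholders.
SAMPLE_CONFIG = """
snmp-server community admin rw
snmp-server community public
no snmp-server community private
snmp-server host 10.1.19.23 batman
snmp-server host 10.1.19.98 robin version 2c
snmp-server host 10.1.19.34 barbie version 3 auth
snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
snmp-server user dana group r&d v3 auth sha PLACEHOLDER_AUTH_PW
"""


def parse_snmp_config(text):
    """Return (communities, hosts, users) parsed from CLI-style lines.

    communities maps string -> "ro" | "rw"; hosts and users are lists of dicts.
    """
    communities, hosts, users = {}, [], []
    for raw in text.splitlines():
        tok = raw.split()
        negate = bool(tok) and tok[0] == "no"
        if negate:
            tok = tok[1:]
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, args = tok[1], tok[2:]
        if kind == "community":
            if negate:
                communities.pop(args[0], None)
            else:
                # The mode is optional; the guide states the default is read only.
                communities[args[0]] = args[1] if len(args) > 1 else "ro"
        elif kind == "host" and len(args) >= 2:
            # Assumption: a host entered without "version" is treated as a v1 host.
            host = {"addr": args[0], "community": args[1], "version": "1", "level": None}
            if len(args) >= 4 and args[2] == "version":
                host["version"] = args[3]
                if args[3] == "3" and len(args) >= 5:
                    host["level"] = args[4]  # auth | noauth | priv
            hosts.append(host)
        elif kind == "user" and len(args) >= 5 and args[1] == "group":
            users.append({"name": args[0], "group": args[2],
                          "auth": "auth" in args[3:], "priv": "priv" in args[3:]})
    return communities, hosts, users


def audit(text):
    """Return a list of human-readable findings for the given transcript."""
    communities, hosts, users = parse_snmp_config(text)
    findings = []
    for name, mode in communities.items():
        if name in DEFAULT_COMMUNITIES:
            findings.append(f"default community '{name}' ({mode}) is still configured; "
                            "change or remove it")
        elif mode == "rw":
            findings.append(f"community '{name}' grants read/write access; confirm it is needed")
    if not communities:
        # As the guide notes, no community strings means no v1/v2c management access.
        findings.append("no community strings configured: v1/v2c management access is disabled")
    for h in hosts:
        if h["version"] in ("1", "2c"):
            findings.append(f"trap host {h['addr']} uses SNMP v{h['version']}: "
                            f"community '{h['community']}' is sent in clear text")
        elif h["level"] == "noauth":
            findings.append(f"trap host {h['addr']} uses v3 noauth: traps are neither "
                            "authenticated nor encrypted")
        elif h["level"] != "priv":
            findings.append(f"trap host {h['addr']} uses v3 {h['level']}: traps are "
                            "authenticated but not encrypted")
    for u in users:
        if not u["priv"]:
            findings.append(f"v3 user '{u['name']}' has authentication only; "
                            "add a priv password for encryption")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("-", line)
```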

Managing System Files

The switch’s flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
The three types of files are:
Configuration — This file stores system configuration information and is created when configuration settings are saved. Saved configuration files can be selected as a system start-up file or can be uploaded via TFTP to a server for backup. A file named “Factory_Default_Config.cfg” contains all the system default settings and cannot be deleted from the system. If the system is booted with the factory default settings, the master unit will also create a file named “startup1.cfg” that contains system settings for initialization, including information about the unit identifier, and MAC address. The configuration settings from the factory defaults configuration file are copied to this file, which is then used to boot the switch. See “Saving or Restoring Configuration Settings” on page 3-23 for more information.
Operation Code — System software that is executed after boot-up, also known as run-time code. This code runs the switch operations and provides the CLI and Web management interfaces. See “Managing Firmware” on page 3-20 for more information.
Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test).
Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 32 Mbytes of flash memory for system files.
In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.
Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.

Saving Configuration Settings

Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the “copy” command.
New startup configuration files must have a name specified. File names on the switch are case-sensitive, can be from 1 to 31 characters, must not contain slashes (\ or /), and the leading letter of the file name must not be a period (.). (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup” file that is loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file. To select a previously saved configuration file, use the boot system config:<filename> command.
The maximum number of saved configuration files depends on available flash memory, with each configuration file normally requiring less than 20 kbytes. The amount of available flash memory can be checked by using the dir command.
To save the current configuration settings, enter the following command:
1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>.
2. Enter the name of the start-up file. Press <Enter>.
Console#copy running-config startup-config                      4-24
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#

Configuring Power over Ethernet

The switch’s 24 10/100/1000 Mbps ports support the IEEE 802.3af Power-over-Ethernet (PoE) standard, which enables DC power to be supplied to attached devices over the wire pairs in the connecting Ethernet cable. Any 802.3af compliant device attached to a port can draw power directly from the switch over the Ethernet cable without requiring its own separate power source. This capability gives network administrators centralized power control for devices such as IP phones and wireless access points, which translates into greater network availability.
A maximum PoE power budget for the switch (power available to all switch ports) can be defined so that power can be centrally managed, preventing overload conditions at the power source. If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
In the example below, the power mainpower maximum allocation CLI command is used to set the PoE power budget for the switch (Range: 37-180 watts). If devices connected to the switch require more power than the switch budget, the port power priority settings are used to control the supplied power. See “Setting a Switch Power Budget” on page 33-129 for details.
Console(config)#power mainpower maximum allocation 180 4-160
Console(config)#
PoE is enabled for all ports by default. Power can be disabled for a port by using the no form of the power inline CLI command, as shown in the example below.
Console(config)#interface ethernet 1/2 4-135
Console(config-if)#no power inline 4-162
Console(config-if)#
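The following Python model, added here as an example and not code from the manual or from Edge-Core, shows what a power budget in the 37-180 W range means for attached devices once demand exceeds it. The manual only states that port priority settings limit the supplied power; the three priority levels (critical, high, low), the rule that lower-priority ports are shed first with lower port numbers winning ties, and the sample device loads are assumptions of this model.

```python
"""Model of a PoE power budget with per-port priorities (added example).

Assumed, not from the manual: priority levels critical > high > low, lower
priority shed first, ties broken by port number, and a port is either fully
powered or not powered at all (partial power would not run the device).
"""
from dataclasses import dataclass

BUDGET_MIN_W = 37.0   # range the manual gives for power mainpower maximum allocation
BUDGET_MAX_W = 180.0
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}   # assumed levels


@dataclass(frozen=True)
class PoePort:
    number: int        # 1-24 on this switch
    demand_w: float    # power the attached device requests
    priority: str      # "critical", "high" or "low"


def validate_budget(budget_w: float) -> float:
    """Reject budgets outside the 37-180 W range accepted by the command."""
    if not BUDGET_MIN_W <= budget_w <= BUDGET_MAX_W:
        raise ValueError(
            f"budget must be {BUDGET_MIN_W:g}-{BUDGET_MAX_W:g} W, got {budget_w:g}")
    return budget_w


def allocate(ports, budget_w):
    """Return {port_number: watts_granted}; a port that does not fit gets 0.0.

    Ports are served highest priority first, then by port number.  A port
    whose demand exceeds what is left is skipped, but later, smaller loads
    may still fit in the remaining budget.
    """
    remaining = validate_budget(budget_w)
    order = sorted(ports, key=lambda p: (PRIORITY_RANK[p.priority], p.number))
    granted = {}
    for p in order:
        if p.demand_w <= remaining:
            granted[p.number] = p.demand_w
            remaining -= p.demand_w
        else:
            granted[p.number] = 0.0
    return granted


def dropped_ports(ports, budget_w):
    """Port numbers that would lose power at this budget (capacity planning)."""
    return sorted(n for n, w in allocate(ports, budget_w).items() if w == 0.0)


# Constructed sample load: three APs at the 802.3af maximum of 15.4 W,
# eight IP phones at 6.5 W, and one critical device on port 12.
SAMPLE_PORTS = (
    [PoePort(n, 15.4, "high") for n in (1, 2, 3)]
    + [PoePort(n, 6.5, "low") for n in range(4, 12)]
    + [PoePort(12, 15.4, "critical")]
)

if __name__ == "__main__":
    for budget in (180, 60):
        print(f"{budget} W budget: ports without power {dropped_ports(SAMPLE_PORTS, budget)}")
```

With the sample load (113.6 W total) a 180 W budget powers every port, while a 60 W budget drops port 3 and most of the low-priority phones.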

Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet. For more information on using the CLI, refer to Chapter 4: “Command Line Interface.”
Prior to accessing the switch from a Web browser, be sure you have first performed the following tasks:
1. Configure the switch with a valid IP address, subnet mask, and default gateway using an out-of-band serial connection, BOOTP or DHCP protocol. (See “Setting an IP Address” on page 2-4.)
2. Set user names and passwords using an out-of-band serial connection. Access to the Web agent is controlled by the same user names and passwords as the onboard configuration program. (See “Setting Passwords” on page 2-4.)
3. After you enter a user name and password, you will have access to the system configuration program.
Notes: 1. You are allowed three attempts to enter the correct password; on the third failed attempt the current connection is terminated.
2. If you log into the Web interface as guest (Normal Exec level), you can view the configuration settings or change the guest password. If you log in as “admin” (Privileged Exec level), you can change the settings on any page.
3. If the path between your management station and this switch does not pass through any device that uses the Spanning Tree Algorithm, then you can set the switch port attached to your management station to fast forwarding (i.e., enable Admin Edge Port) to improve the switch’s response time to management commands issued through the web interface. See “Configuring Interface Settings” on page 3-148.

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”

Home Page

When your web browser connects with the switch’s web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics.
Figure 3-1 Home Page

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the “Apply” button to confirm the new setting. The following table summarizes the web page configuration buttons.
Table 3-1 Configuration Options
Button Action
Revert Cancels specified values and restores current values prior to pressing “Apply.”
Apply Sets specified values to the system.
Help Links directly to web help.
Notes: 1. To ensure proper screen refresh, be sure that Internet Explorer 5.x is configured as follows: Under the menu “Tools/Internet Options/General/Temporary Internet Files/Settings,” the setting for item “Check for newer versions of stored pages” should be “Every visit to the page.”
2. When using Internet Explorer 5.0, you may have to manually refresh the screen after making configuration changes by pressing the browser’s refresh button.
Panel Display
The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-102.
Figure 3-2 Panel Display

Main Menu

Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 3-2 Main Menu
Menu – Description – Page
System – 3-11
  System Information – Provides basic system description, including contact information – 3-11
  Switch Information – Shows the number of ports, hardware/firmware version numbers, and power status – 3-13
  Bridge Extension Configuration – Shows the bridge extension parameters – 3-14
  IP Configuration – Sets the IP address for management access – 3-15
  Jumbo Frames – Enables or disables jumbo frames – 3-19
  File Management – 3-20
    Copy Operation – Allows the transfer and copying of files – 3-21
    Delete – Allows deletion of files from the flash memory – 3-21
    Set Start-Up – Sets the start-up file – 3-21
  Line – 3-25
    Console – Sets console port connection parameters – 3-25
    Telnet – Sets Telnet connection parameters – 3-27
  Log – 3-29
    Logs – Stores and displays error messages – 3-32
    System Logs – Sends error messages to a logging process – 3-29
    Remote Logs – Configures the logging of messages to a remote logging process – 3-30
    SMTP – Sends an SMTP client message to a participating server – 3-32
  Reset – Restarts the switch – 3-34
  SNTP – Simple Network Time Protocol – 3-35
    Configuration – Configures SNTP client settings, including broadcast mode or a specified list of servers – 3-35
    Clock Time Zone – Sets the local time zone for the system clock – 3-36
  SNMP – Simple Network Management Protocol – 3-37
    Configuration – Configures community strings and related trap functions – 3-39
    Agent Status – Enables or disables SNMP Agent Status – 3-38
  SNMPv3 – Simple Network Management Protocol (Version 3) – 3-43
    Engine ID – Sets SNMPv3 Engine ID – 3-43
    Remote Engine ID – Adds a Remote Engine ID and IP Host – 3-44
    Users – Creates or deletes user accounts – 3-45
    Remote Users – Creates or deletes remote user accounts – 3-47
    Groups – Creates or deletes SNMPv3 Groups – 3-49
    Views – Creates or deletes SNMPv3 Views – 3-52
Security – 3-54
  User Accounts – Assigns a new password for the current user – 3-54
  Authentication Settings – Configures authentication sequence, RADIUS and TACACS – 3-55
  HTTPS Settings – Configures secure HTTP settings – 3-58
  SSH – Secure Shell – 3-61
    Settings – Configures Secure Shell server settings – 3-67
    Host-Key Settings – Generates the host key pair (public and private) – 3-63
    User Public-Key Settings – Copies the user key pair (public and private) – 3-65
  Port Security – Configures per port security, including status, response for security breach, and maximum allowed MAC addresses – 3-78
  802.1X – Port authentication – 3-69
    Information – Displays global configuration settings – 3-70
    Configuration – Configures protocol parameters – 3-71
    Port Configuration – Sets the authentication mode for individual ports – 3-71
    Statistics – Displays protocol statistics for the selected port – 3-74
  ACL – Access Control Lists – 3-81
    Configuration – Configures packet filtering based on IP or MAC addresses – 3-81
    Port Binding – Binds a port to the specified ACL – 3-87
  IP Filter – Sets IP addresses of clients allowed management access – 3-76
Port – 3-99
  Port Information – Displays port connection status – 3-99
  Trunk Information – Displays trunk connection status – 3-99
  Port Configuration – Configures port connection settings – 3-102
  Trunk Configuration – Configures trunk connection settings – 3-102
  Trunk Membership – Specifies ports to group into static trunks – 3-106
  LACP – Link Aggregation Control Protocol – 3-107
    Configuration – Allows ports to dynamically join trunks – 3-107
    Aggregation Port – Configures system priority, admin key, and port priority – 3-110
    Port Counters Information – Displays statistics for LACP protocol messages – 3-113
    Port Internal Information – Displays settings and operational state for local side – 3-114
    Port Neighbors Information – Displays settings and operational state for remote side – 3-116
  Port Broadcast Control – Sets the broadcast storm threshold for each port – 3-118
  Trunk Broadcast Control – Sets the broadcast storm threshold for each trunk – 3-118
  Mirror Port Configuration – Sets the source and target ports for mirroring – 3-120
  Rate Limit – 3-121
    Input Port Configuration – Sets the input rate limit for each port – 3-121
    Input Trunk Configuration – Sets the input rate limit for each trunk – 3-121
    Output Port Configuration – Sets the output rate limit for each port – 3-121
    Output Trunk Configuration – Sets the output rate limit for each trunk – 3-121
  Port Statistics – Lists Ethernet and RMON port statistics – 3-122
PoE – Power over Ethernet – 3-127
  Power Status – Displays the status of global power parameters – 3-127
  Power Configuration – Configures the power budget for the switch – 3-129
  Power Port Status – Displays the status of port power parameters – 3-129
  Power Port Configuration – Configures port power parameters – 3-130
Address Table – 3-132
  Static Addresses – Displays entries for interface, address or VLAN – 3-132
  Dynamic Addresses – Displays or edits static entries in the Address Table – 3-133
  Address Aging – Sets timeout for dynamically learned entries – 3-135
Spanning Tree – 3-136
  STA – Spanning Tree Algorithm – 3-138
    Information – Displays STA values used for the bridge – 3-138
    Configuration – Configures global bridge settings for STA, and RSTP – 3-141
    Port Information – Displays individual port settings for STA – 3-145
    Trunk Information – Displays individual trunk settings for STA – 3-145
    Port Configuration – Configures individual port settings for STA – 3-148
    Trunk Configuration – Configures individual trunk settings for STA – 3-148
  MSTP – Multiple Spanning Tree Protocol – 3-151
    VLAN Configuration – Configures priority and VLANs for a spanning tree instance – 3-151
    Port Information – Displays port settings for a specified MST instance – 3-154
    Trunk Information – Displays trunk settings for a specified MST instance – 3-154
    Port Configuration – Configures port settings for a specified MST instance – 3-155
    Trunk Configuration – Configures trunk settings for a specified MST instance – 3-155
VLAN – 3-157
  802.1Q VLAN – 3-157
    GVRP Status – Enables GVRP VLAN registration protocol – 3-160
    Basic Information – Displays information on the VLAN type supported by this switch – 3-160
    Current Table – Shows the current port members of each VLAN and whether or not the port is tagged or untagged – 3-161
    Static List – Used to create or remove VLAN groups – 3-162
    Static Table – Modifies the settings for an existing VLAN – 3-164
    Static Membership by Port – Configures membership type for interfaces, including tagged, untagged or forbidden – 3-165
    Port Configuration – Specifies default PVID and VLAN attributes – 3-166
    Trunk Configuration – Specifies default trunk VID and VLAN attributes – 3-166
  Private VLAN – 3-168
    Information – Shows private VLANs and associated ports – 3-169
    Configuration – Creates/removes primary or community VLANs – 3-170
    Association – Maps a secondary VLAN to a primary VLAN – 3-171
    Port Information – Shows VLAN port type, and associated primary or secondary VLANs – 3-172
    Port Configuration – Configures VLAN port type, and associated primary or secondary VLANs – 3-173
    Trunk Information – Shows VLAN trunk type, and associated primary or secondary VLANs – 3-172
    Trunk Configuration – Configures VLAN trunk type, and associated primary or secondary VLANs – 3-173
  Protocol VLAN – 3-174
    Configuration – Creates a protocol group, specifying the supported protocols – 3-174
    System Configuration – Maps a protocol group to a VLAN – 3-175
LLDP – Link Layer Discovery Protocol – 3-176
  Configuration – Configures basic LLDP time parameters – 3-176
  Port Configuration – Configures a port for receive and/or transmit status, allows sending of SNMP notification messages, and configures TLV information – 3-178
  Trunk Configuration – Configures a trunk for receive and/or transmit status, allows sending of SNMP notification messages, and configures TLV information – 3-178
  Local Information – Displays information about the local device – 3-181
  Remote Port Information – Displays information about ports on a remote device – 3-182
  Remote Trunk Information – Displays information about trunks on a remote device – 3-182
  Remote Information Details – Sets the port and/or trunk to display information – 3-183
  Device Statistics – Displays device statistics – 3-184
  Device Statistics Details – Allows the user to select the port or trunk on which to display statistical information – 3-185
Priority – 3-186
  Default Port Priority – Sets the default priority for each port – 3-186
  Default Trunk Priority – Sets the default priority for each trunk – 3-186
  Traffic Classes – Maps IEEE 802.1p priority tags to output queues – 3-188
  Queue Mode – Sets queue mode to strict priority or Weighted Round-Robin – 3-190
  Queue Scheduling – Configures Weighted Round Robin queueing – 3-191
  IP DSCP Priority Status – Globally selects IP DSCP Priority, or disables it – 3-192
  IP DSCP Priority – Sets IP Differentiated Services Code Point priority, mapping a DSCP tag to a class-of-service value – 3-192
QoS – Quality of Service – 3-194
  DiffServ – Configures QoS classification criteria and service policies – 3-194
    Class Map – Sets Class Maps – 3-195
    Policy Map – Sets Policy Maps – 3-198
    Service Policy – Defines service policy settings for ports – 3-201
IGMP Snooping – 3-202
  IGMP Configuration – Enables multicast filtering; configures parameters for multicast query – 3-204
  IGMP Immediate Leave – Enables the immediate leave function – 3-206
  Multicast Router Port Information – Displays the ports that are attached to a neighboring multicast router for each VLAN ID – 3-207
  Static Multicast Router Port Configuration – Assigns ports that are attached to a neighboring multicast router – 3-208
  IP Multicast Registration Table – Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID – 3-209
  IGMP Member Port Table – Indicates multicast addresses associated with the selected VLAN – 3-210
MVR – Multicast VLAN Registration – 3-211
  Configuration – Globally enables MVR, sets the MVR VLAN, adds multicast stream addresses – 3-212
  Port Information – Displays MVR interface type, MVR operational and activity status, and immediate leave status – 3-214
  Trunk Information – Displays MVR interface type, MVR operational and activity status, and immediate leave status – 3-214
  Group IP Information – Displays the ports attached to an MVR multicast stream – 3-215
  Port Configuration – Configures MVR interface type and immediate leave status – 3-216
  Trunk Configuration – Configures MVR interface type and immediate leave status – 3-216
  Group Member Configuration – Statically assigns MVR multicast streams to an interface – 3-217
DHCP Snooping – 3-88
  Configuration – Enables DHCP Snooping and DHCP Snooping MAC-Address Verification – 3-90
  VLAN Configuration – Enables DHCP Snooping for a VLAN – 3-90
  Information Option Configuration – Enables DHCP Snooping Information Option – 3-91
  Port Configuration – Selects the DHCP Snooping Information Option policy – 3-93
  Binding Information – Displays the DHCP Snooping binding information – 3-94
IP Source Guard – 3-95
  Port Configuration – Enables IP source guard and selects filter type per port – 3-95
  Static Configuration – Adds a static address to the source-guard binding table – 3-96
  Dynamic Information – Displays the source-guard binding table for a selected interface – 3-98
Cluster – 3-219
  Configuration – Globally enables clustering for the switch – 3-219
  Member Configuration – Adds switch Members to the cluster – 3-221
  Member Information – Displays cluster Member switch information – 3-222
  Candidate Information – Displays network Candidate switch information – 3-223
UPNP – Universal Plug and Play – 3-224
  Configuration – Configures basic UPnP parameters – 3-225

Basic Configuration
This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system.

Displaying System Information

You can easily identify the system by displaying the device name, location and contact information.
Field Attributes
System Name – Name assigned to the switch system.
Object ID – MIB II object ID for switch’s network management subsystem.
Location – Specifies the system location.
Contact – Administrator responsible for the system.
System Up Time – Length of time the management agent has been up. These additional parameters are displayed for the CLI.
MAC Address – The physical layer address for this switch.
Web Server – Shows if management access via HTTP is enabled.
Web Server Port – Shows the TCP port number used by the web interface.
Web Secure Server – Shows if management access via HTTPS is enabled.
Web Secure Server Port – Shows the TCP port used by the HTTPS interface.
Telnet Server – Shows if management access via Telnet is enabled.
Telnet Server Port – Shows the TCP port used by the Telnet interface.
Jumbo Frame – Shows if jumbo frames are enabled.
POST Result – Shows results of the power-on self-test.
Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.)
Figure 3-3 System Information
CLI – Specify the hostname, location and contact information.
Console(config)#hostname R&D 5 4-16
Console(config)#snmp-server location WC 9 4-64
Console(config)#snmp-server contact Geoff 4-63
Console(config)#exit
Console#show system 4-19
System Description: 24-port 10/100/1000 + 2-port mini-GBIC Gigabit PoE Switch
System OID String: 1.3.6.1.4.1.259.8.1.7
System Information
System Up Time: 0 days, 0 hours, 7 minutes, and 22.65 seconds
System Name: R&D 5
System Location: WC 9
System Contact: Geoff
MAC Address (Unit1): 00-00-35-28-00-03
Web Server: Enabled
Web Server Port: 80
Web Secure Server: Enabled
Web Secure Server Port: 443
Telnet Server: Enable
Telnet Server Port: 23
Jumbo Frame: Disabled
POST Result:
DUMMY Test 1 ................. PASS
UART Loopback Test ........... PASS
DRAM Test .................... PASS
Timer Test ................... PASS
Done All Pass.
Console#
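The show system output above is what an auditor would collect from each switch to see which management services are listening. The following Python parser is an added example, not code from the manual or from Edge-Core: it reads the manual's own sample output (embedded below), copes with the switch printing both "Enabled" and "Enable", and flags the services that carry credentials in cleartext; the audit rules are the example's own policy, not a switch feature.

```python
"""Parse ES4524M-PoE 'show system' output and flag cleartext management services.

Added example; the sample text is the manual's show system output and the
audit policy (flag Telnet and plain HTTP) is this example's, not the switch's.
"""
import re

SHOW_SYSTEM_OUTPUT = """\
System Description: 24-port 10/100/1000 + 2-port mini-GBIC Gigabit PoE Switch
System OID String: 1.3.6.1.4.1.259.8.1.7
System Information
System Up Time: 0 days, 0 hours, 7 minutes, and 22.65 seconds
System Name: R&D 5
System Location: WC 9
System Contact: Geoff
MAC Address (Unit1): 00-00-35-28-00-03
Web Server: Enabled
Web Server Port: 80
Web Secure Server: Enabled
Web Secure Server Port: 443
Telnet Server: Enable
Telnet Server Port: 23
Jumbo Frame: Disabled
POST Result:
DUMMY Test 1 ................. PASS
UART Loopback Test ........... PASS
DRAM Test .................... PASS
Timer Test ................... PASS
Done All Pass.
"""

# "Field name: value"; field names contain letters, digits, spaces, parentheses, slashes.
FIELD_RE = re.compile(r"^([A-Za-z0-9 ()/]+?):\s*(.*)$")
# "Test name ....... PASS|FAIL" lines that follow "POST Result:".
POST_RE = re.compile(r"^(.+?)\s*\.{3,}\s*(PASS|FAIL)$")


def parse_show_system(text):
    """Return (fields, post_results).

    fields maps e.g. 'Telnet Server' -> 'Enable'; post_results maps a POST
    test name -> 'PASS' or 'FAIL'.  Lines without a colon (section labels
    such as 'System Information' or 'Done All Pass.') are ignored.
    """
    fields, post = {}, {}
    in_post = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_post:
            m = POST_RE.match(line)
            if m:
                post[m.group(1)] = m.group(2)
            continue
        if line == "POST Result:":
            in_post = True
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields, post


def is_enabled(value):
    """The switch prints both 'Enabled' and 'Enable'; accept either spelling."""
    return value.strip().lower() in ("enable", "enabled")


def audit_management_plane(fields):
    """List the cleartext management services the output shows as enabled."""
    findings = []
    if is_enabled(fields.get("Telnet Server", "")):
        findings.append("Telnet enabled on TCP %s: credentials cross the network in cleartext; prefer SSH"
                        % fields.get("Telnet Server Port", "?"))
    if is_enabled(fields.get("Web Server", "")):
        findings.append("HTTP enabled on TCP %s: web login is cleartext; prefer HTTPS on TCP %s"
                        % (fields.get("Web Server Port", "?"), fields.get("Web Secure Server Port", "?")))
    return findings


if __name__ == "__main__":
    parsed, post_results = parse_show_system(SHOW_SYSTEM_OUTPUT)
    print("POST:", post_results)
    for finding in audit_management_plane(parsed):
        print("FINDING:", finding)
```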

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
Field Attributes
Main Board
Serial Number – The serial number of the switch.
Number of Ports – Number of built-in RJ-45 ports and expansion ports.
Hardware Version – Hardware version of the main board.
Internal Power Status – Displays the status of the internal power supply.
Management Software
EPLD Version – Version number of the Electronically Programmable Logic Device code.
Loader Version – Version number of loader code.
Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.
Operation Code Version – Version number of runtime code.
Role – Shows that this switch is operating as Master.
Web – Click System, Switch Information.
Figure 3-4 Switch Information
CLI – Use the following command to display version information.
Console#show version 4-21
Unit 1
 Serial Number: A622016012
 Hardware Version: R01
 EPLD Version: 11.09
 Number of Ports: 24
 Main Power Status: Up
 Redundant Power Status: Not present
Agent (Master)
 Unit ID: 1
 Loader Version: 1.0.2.4
 Boot ROM Version: 1.0.2.6
 Operation Code Version: 1.0.0.5
Console#

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
Field Attributes
Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Traffic Classes – This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Displaying Private VLAN Interface Information” on page 3-172.)
Static Entry Individual Port – This switch allows static filtering for unicast and multicast addresses. (Refer to “Setting Static Addresses” on page 3-132.)
VLAN Learning – This switch uses Independent VLAN Learning (IVL), where each port maintains its own filtering database.
Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration” on page 3-157.)
Local VLAN Capable – This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs.
GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast groups. This switch does not support GMRP; it uses the Internet Group Management Protocol (IGMP) to provide automatic multicast filtering.
Web – Click System, Bridge Extension Configuration.
Figure 3-5 Displaying Bridge Extension Configuration
CLI – Enter the following command.
Console#show bridge-ext 4-191
 Max Support VLAN Numbers: 256
 Max Support VLAN ID: 4094
 Extended Multicast Filtering Services: No
 Static Entry Individual Port: Yes
 VLAN Learning: IVL
 Configurable PVID Tagging: Yes
 Local VLAN Capable: No
 Traffic Classes: Enabled
 GMRP: Disabled
Console#

Setting the Switch’s IP Address

This section describes how to configure an IP interface for management access over the network. The IP address for this switch is obtained via DHCP by default. To manually configure an address, you need to change the switch’s default settings to values that are compatible with your network. You may also need to establish a default gateway between the switch and management stations that exist on another network segment.
You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.
Command Attributes
Management VLAN – ID of the configured VLAN (1-4094). By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
IP Address Mode – Specifies whether IP functionality is enabled via manual configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. (DHCP/BOOTP values can include the IP address, subnet mask, and default gateway.)
IP Address – Address of the VLAN interface that is allowed management access. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. (Default: 0.0.0.0)
Subnet Mask – This mask identifies the host address bits used for routing to specific subnets. (Default: 255.255.255.0)
Gateway IP Address – IP address of the gateway router between this device and management stations that exist on other network segments. (Default: 0.0.0.0)
MAC Address – The physical layer address for this switch.
Restart DHCP – Requests a new IP address from the DHCP server.
Manual Configuration
Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply.
Figure 3-6 Manual IP Configuration
CLI – Specify the management interface, IP address and default gateway.
Console#config
Console(config)#interface vlan 1 4-135
Console(config-if)#ip address 10.1.0.254 255.255.255.0 4-268
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254 4-269
Console(config)#
Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.
Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.
Figure 3-7 DHCP IP Configuration
Note: If you lose your management connection, use a console connection to the switch and enter “show ip interface” to determine the new address.
CLI – Specify the management interface, and set the IP address mode to DHCP or BOOTP, and then enter the “ip dhcp restart” command.
Console#config
Console(config)#interface vlan 1 4-135
Console(config-if)#ip address dhcp 4-268
Console(config-if)#end
Console#ip dhcp restart 4-270
Console#show ip interface 4-271
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
Address Mode: DHCP
Console#
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.
Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available.
CLI – Enter the following command to restart DHCP service.
Console#ip dhcp restart 4-270
Console#

Enabling Jumbo Frames

The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
You can enable jumbo frames to support data packets up to 9000 bytes in size.
Command Usage
To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size. And for half-duplex connections, all devices in the collision domain would need to support jumbo frames.
Command Attributes
Jumbo Packet Status – Configures support for jumbo frames. (Default: Disabled)
Web – Click System, Jumbo Frames. Enable or disable support for jumbo frames, and click Apply.
Figure 3-8 Enabling Jumbo Frames
CLI – Specify the jumbo frame status.
Console(config)#jumbo frame 4-22
Console(config)#

Managing Firmware

You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version. You must specify the method of file transfer, along with the file type and file names as required.
Note: Runtime code can also be upgraded by using Batch Upgrade. Batch Upgrade can discover switches on local, or other networks. After discovering the switches, Batch Upgrade can then be set to automatically upgrade the runtime code on all discovered switches. Batch Upgrade is provided in the Batch Upgrade folder in the CD provided with this switch. For details see the Batch Upgrade document in this Batch Upgrade folder.
Command Attributes
• File Transfer Method – The firmware copy operation includes these options.
- file to file – Copies a file within the switch directory, assigning it a new name.
- file to tftp – Copies a file from the switch to a TFTP server.
- tftp to file – Copies a file from a TFTP server to the switch.
• TFTP Server IP Address – The IP address of a TFTP server.
• File Type – Specify opcode (operational code) to copy firmware.
• File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch. The currently designated startup version of this file cannot be deleted.
Downloading System Software from a Server
When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file.
Web – Click System, File Management, Copy Operation. Select “tftp to file” as the file transfer method, enter the IP address of the TFTP server, set the file type to “opcode,” enter the file name of the software to download, select a file on the switch to overwrite or specify a new file name, then click Apply. If you replaced the current firmware used for startup and want to start using the new operation code, reboot the system via the System/Reset menu.
Figure 3-9 Copy Firmware
If you download to a new destination file, go to the System, File Management, Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System/Reset menu.
Figure 3-10 Setting the Startup Code
To delete a file select System, File Management, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted.
Figure 3-11 Deleting Files
CLI – Enter the IP address of the TFTP server, select “config” or “opcode” file type, then enter the source and destination file names, set the new file to start up the system, and then restart the switch.
Console#copy tftp file 4-24
TFTP server ip address: 10.1.0.19
Choose file type:
 1. config: 2. opcode: <1-2>: 2
Source file name: v1000-18.bix
Destination file name: V1.0
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode:V1.0 4-28
Console(config)#exit
Console#reload 4-13

Saving or Restoring Configuration Settings

Yo u can upload/download co nf i gur at i on s et ting s t o/ from a TFTP server. The configuration file can be la ter downloaded to restore the swi t ch’s setti ngs.
Command Attributes
• File Transfer Method – The firmware copy operation includes these options.
- file to file – Copies a file within the switch directory, assigning it a new name.
- file to running-config – Copies a file in the switch to the running configuration.
- file to startup-config – Copies a file in the switch to the startup configuration.
- file to tftp – Copies a file from the switch to a TFTP server.
- running-config to file – Copies the running configuration to a file.
- running-config to startup-config – Copies the running config to the startup config.
- running-config to tftp – Copies the running configuration to a TFTP server.
- startup-config to file – Copies the startup configuration to a file on the switch.
- startup-config to running-config – Copies the startup config to the running config.
- startup-config to tftp – Copies the startup configuration to a TFTP server.
- tftp to file – Copies a file from a TFTP server to the switch.
- tftp to running-config – Copies a file from a TFTP server to the running config.
- tftp to startup-config – Copies a file from a TFTP server to the startup config.
• TFTP Server IP Address – The IP address of a TFTP server.
• File Type – Specify config (configuration) to copy configuration file.
• File Name – The configuration file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
Note: The maximum number of user-defined configuration files is limited only by available flash memory space.
Downloading Configuration Settings from a Server
You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.
Web – Click System, File Management, Copy Operation. Select “tftp to startup-config” or “tftp to file” and enter the IP address of the TFTP server. Specify the name of the file to download and select a file on the switch to overwrite or specify a new file name, then click Apply.
Figure 3-12 Downloading Configuration Settings for Startup
If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file is automatically set as the start-up configuration file. To use the new settings, reboot the system via the System/Reset menu. You can also select any configuration file as the start-up configuration by using the System/File Management/Set Start-Up page.
Figure 3-13 Setting the Startup Configuration Settings
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config                           4-24
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#reload
To select another configuration file as the start-up configuration, use the boot system command and then restart the switch.
Console#config
Console(config)#boot system config: startup-new            4-28
Console(config)#exit
Console#reload                                             4-13

Console Port Settings

You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings. These parameters can be configured via the web or CLI interface.
Command Attributes
• Login Timeout – Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0-300 seconds; Default: 0 seconds)
• Exec Timeout – Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated. (Range: 0-65535 seconds; Default: 600 seconds)
• Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)
• Silent Time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded. (Range: 0-65535; Default: 0)
• Data Bits – Sets the number of data bits per character that are interpreted and generated by the console port. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)
• Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None. (Default: None)
• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, or 38400 baud; Default: 9600 bps)
• Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
• Password¹ – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)
• Login – Enables password checking at login. You can select authentication by a single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts. (Default: Local)
Web – Click System, Line, Console. Specify the console port connection parameters as required, then click Apply.
Figure 3-1 Configuring the Console Port
1. CLI only.
CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
Console(config)#line console                               4-30
Console(config-line)#login local                           4-30
Console(config-line)#password 0 secret                     4-31
Console(config-line)#timeout login response 0              4-32
Console(config-line)#exec-timeout 0                        4-33
Console(config-line)#password-thresh 3                     4-33
Console(config-line)#silent-time 60                        4-34
Console(config-line)#databits 8                            4-35
Console(config-line)#parity none                           4-35
Console(config-line)#speed 9600                            4-36
Console(config-line)#stopbits 1                            4-37
Console(config-line)#end
Console#show line console                                  4-38
Console Configuration:
 Password Threshold: 3 times
 Interactive Timeout: Disabled
 Login Timeout: Disabled
 Silent Time: Disabled
 Baudrate: 9600
 Databits: 8
 Parity: None
 Stopbits: 1
Console#

Telnet Settings

You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password. These parameters can be configured via the web or CLI interface.
Command Attributes
• Telnet Status – Enables or disables Telnet access to the switch. (Default: Enabled)
• Telnet Port Number – Sets the TCP port number for Telnet on the switch. (Default: 23)
• Login Timeout – Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0-300 seconds; Default: 300 seconds)
• Exec Timeout – Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated. (Range: 0-65535 seconds; Default: 600 seconds)
• Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)
• Password² – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)
• Login – Enables password checking at login. You can select authentication by a single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts. (Default: Local)
Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply.
Figure 3-2 Configuring the Telnet Interface
CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
Console(config)#line vty                                   4-30
Console(config-line)#login local                           4-30
Console(config-line)#password 0 secret                     4-31
Console(config-line)#timeout login response 300            4-32
Console(config-line)#exec-timeout 600                      4-33
Console(config-line)#password-thresh 3                     4-33
Console(config-line)#end
Console#show line vty                                      4-38
VTY configuration:
 Password threshold: 3 times
 Interactive timeout: 600 sec
 Login timeout: 300 sec
Console#
2. CLI only.
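The password-thresh and silent-time behaviour described for both the console and Telnet lines, modelled in Python as an added example (not the switch firmware and not from the manual). It assumes that a successful logon clears the failure count, that a threshold of 0 means no limit, and that the default silent time of 0 (shown as “Disabled” by show line) means the line never goes silent; the attempt sequence is constructed.

```python
"""Model of the console/Telnet logon lockout (added example, not firmware code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LineLockout:
    """State of one management line under password-thresh and silent-time.

    threshold   - password-thresh: failed logons before the line goes silent
                  (manual range 0-120, default 3).
    silent_time - silent-time: seconds the line then stays inaccessible
                  (manual range 0-65535, default 0, shown as "Disabled").
    """
    threshold: int = 3
    silent_time: int = 0
    failures: int = 0
    silent_until: float | None = None
    lockouts: list[float] = field(default_factory=list)  # when each lockout began

    def __post_init__(self) -> None:
        if not 0 <= self.threshold <= 120:
            raise ValueError("password-thresh range is 0-120")
        if not 0 <= self.silent_time <= 65535:
            raise ValueError("silent-time range is 0-65535")

    def is_silent(self, now: float) -> bool:
        return self.silent_until is not None and now < self.silent_until

    def attempt(self, now: float, password_ok: bool) -> str:
        """Process one logon attempt at time `now`; returns the outcome."""
        if self.is_silent(now):
            return "silent"            # the line ignores the attempt entirely
        if self.silent_until is not None:
            # Silent period is over. Assumption: the failure count starts over.
            self.silent_until = None
            self.failures = 0
        if password_ok:
            self.failures = 0          # assumption: a good logon clears the count
            return "accepted"
        self.failures += 1
        # Assumptions: threshold 0 means no limit, and silent_time 0 means the
        # threshold is reached but nothing happens (the manual's default).
        if self.threshold and self.silent_time and self.failures >= self.threshold:
            self.failures = 0
            self.silent_until = now + self.silent_time
            self.lockouts.append(now)
            return "locked"
        return "rejected"


def replay(threshold: int, silent_time: int,
           attempts: list[tuple[float, bool]]) -> list[str]:
    """Run a sequence of (time, password_ok) attempts against a fresh line."""
    line = LineLockout(threshold=threshold, silent_time=silent_time)
    return [line.attempt(t, ok) for t, ok in attempts]


# Constructed attempt sequence: three bad passwords in quick succession, a
# try during the silent period, one at its last second, then the correct one.
SAMPLE_ATTEMPTS = [(0, False), (1, False), (2, False), (10, True), (61, True), (62, True)]

if __name__ == "__main__":
    # Values from the manual's CLI example: password-thresh 3, silent-time 60.
    print(replay(3, 60, SAMPLE_ATTEMPTS))
    # Factory defaults: password-thresh 3 but silent-time 0, so the threshold
    # never takes the line offline and every bad password is simply rejected.
    print(replay(3, 0, SAMPLE_ATTEMPTS))
```

With the defaults the model shows that the threshold alone does nothing observable; only a non-zero silent-time turns repeated failures into a lockout that a monitoring system can see.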

Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and it displays a list of recent event messages.
System Log Configuration
The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Severe error messages that are logged to flash memory are permanently stored in the switch to assist in troubleshooting network problems. Up to 4096 log entries can be stored in the flash memory, with the oldest entries being overwritten first when the available log memory (256 kilobytes) has been exceeded.
The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 6 to be logged to RAM.
Command Attributes
• System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled)
• Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3)
Table 3-3 Logging Levels
Level  Severity Name  Description
7      Debug          Debugging messages
6      Informational  Informational messages only
5      Notice         Normal but significant condition, such as cold start
4      Warning        Warning conditions (e.g., return false, unexpected return)
3      Error          Error conditions (e.g., invalid input, default used)
2      Critical       Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)
1      Alert          Immediate action needed
0      Emergency      System unusable
* There are only Level 2, 5 and 6 error messages for the current firmware release.
• RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)
Note: The Flash Level must be equal to or less than the RAM Level.
Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply.
Figure 3-14 System Logs
CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
Console(config)#logging on                                 4-39
Console(config)#logging history ram 0                      4-40
Console(config)#end
Console#show logging flash                                 4-43
Syslog logging: Enabled
History logging in FLASH: level emergencies
Console#
Remote Log Configuration
The Remote Logs page allows you to configure the logging of messages that are sent to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
Command Attributes
• Remote Log Status – Enables/disables the logging of debug or error messages to the remote logging process. (Default: Enabled)
• Logging Facility – Sets the facility type for remote logging of syslog messages. There are eight facility types specified by values of 16 to 23. The facility type is used by the syslog server to dispatch log messages to an appropriate service. The attribute specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database. (Range: 16-23, Default: 23)
• Logging Trap – Limits log messages that are sent to the remote syslog server for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be sent to the remote server. (Range: 0-7, Default: 7)
• Host IP List – Displays the list of remote server IP addresses that receive the syslog messages. The maximum number of host IP addresses allowed is five.
• Host IP Address – Specifies a new server IP address to add to the Host IP List.
Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
Figure 3-15 Remote Logs
CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.
Console(config)#logging host 192.168.1.15                  4-41
Console(config)#logging facility 23                        4-41
Console(config)#logging trap 4                             4-42
Console(config)#end
Console#show logging trap                                  4-43
Syslog logging: Enabled
REMOTELOG status: Enabled
REMOTELOG facility type: local use 7
REMOTELOG level type: Warning conditions
REMOTELOG server ip address: 192.168.1.15
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
Console#
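As an added example (not code from the manual or the switch firmware), the following Python shows what a collector has to do with the messages the Remote Logs settings produce: decode the RFC 3164 <PRI> header using the facility range 16-23 and the Table 3-3 severities, and apply the Flash Level, RAM Level and Logging Trap thresholds from the System Log and Remote Log sections. The sample messages are constructed, and the facility/severity numbering follows RFC 3164 rather than any captured switch output.

```python
"""Collector-side decoding of the switch's remote syslog messages (added example)."""
from __future__ import annotations

import re

# Severity numbers and names from Table 3-3 (the RFC 3164 numbering).
SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# The switch only offers facilities 16-23; RFC 3164 calls them local0-local7
# (the manual's default 23 is "local use 7" in the show logging trap output).
FACILITY = {code: f"local{code - 16}" for code in range(16, 24)}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: int, severity: int) -> int:
    """RFC 3164 Priority value: facility * 8 + severity."""
    if not 16 <= facility <= 23:
        raise ValueError(f"switch facility must be 16-23, got {facility}")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity must be 0-7, got {severity}")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple[int, int]:
    """Inverse of encode_pri: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_syslog(line: str) -> dict:
    """Split one received message into facility, severity and text."""
    match = _PRI_RE.match(line)
    if match is None:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(match.group(1)))
    return {
        "facility": facility,
        "facility_name": FACILITY.get(facility, f"facility{facility}"),
        "severity": severity,
        "severity_name": SEVERITY[severity],
        "message": match.group(2).strip(),
    }


def destinations(severity: int, flash_level: int = 3, ram_level: int = 7,
                 trap_level: int = 7) -> set[str]:
    """Where the switch keeps a message of this severity.

    Mirrors the three thresholds in the manual: Flash Level (default 3),
    RAM Level (default 7) and Logging Trap (default 7). A message goes to a
    destination when its severity number is <= that destination's level,
    and the manual requires Flash Level <= RAM Level.
    """
    if flash_level > ram_level:
        raise ValueError("Flash Level must be equal to or less than the RAM Level")
    kept = set()
    if severity <= flash_level:
        kept.add("flash")
    if severity <= ram_level:
        kept.add("ram")
    if severity <= trap_level:
        kept.add("remote")
    return kept


def forwarded_to_collector(lines: list[str], trap_level: int) -> list[dict]:
    """Messages the switch would actually send with 'logging trap <trap_level>'."""
    records = [parse_syslog(line) for line in lines]
    return [rec for rec in records if rec["severity"] <= trap_level]


# Constructed sample messages tagged with facility 23, modelled on the event
# texts shown in the manual's show log ram output; not captured traffic.
SAMPLE_LINES = [
    f"<{encode_pri(23, 4)}>Jan  1 00:01:37 switch DHCP request failed - will retry later.",
    f"<{encode_pri(23, 6)}>Jan  1 00:00:35 switch System coldStart notification.",
    f"<{encode_pri(23, 2)}>Jan  1 00:05:12 switch memory allocation error - resource exhausted",
]

if __name__ == "__main__":
    # With the manual's CLI example (facility 23, logging trap 4) only the
    # Warning and Critical messages reach the collector.
    for rec in forwarded_to_collector(SAMPLE_LINES, trap_level=4):
        print(rec["facility_name"], rec["severity_name"], rec["message"])
```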
Displaying Log Messages
The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Web – Click System, Log, Logs.
Figure 3-16 Displaying Logs
CLI – This example shows the event messages stored in RAM.
Console#show log ram                                       4-44
[1] 00:01:37 2001-01-01
   "DHCP request failed - will retry later."
   level: 4, module: 9, function: 0, and event no.: 10
[0] 00:00:35 2001-01-01
   "System coldStart notification."
   level: 6, module: 6, function: 1, and event no.: 1
Console#
Sending Simple Mail Transfer Protocol Alerts
To alert system administrators of problems, the switch can use SMTP (Simple Mail Transfer Protocol) to send email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.
Command Attributes
• Admin Status – Enables/disables the SMTP function. (Default: Enabled)
• Email Source Address – Sets the email address used for the “From” field in alert messages. You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
• Severity – Sets the syslog severity threshold level (see table on page 3-29) used to trigger alert messages. All events at this level or higher will be sent to the configured email recipients. For example, using Level 7 will report all events from level 7 to level 0. (Default: Level 7)
• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list.
• Email Destination Address List – Specifies the email recipients of alert messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list.
Web – Click System, Log, SMTP. To add an IP address to the Server IP List, type the new IP address in the Server IP Address box, and then click Add. To delete an IP address, click the entry in the Server IP List, and then click Remove.
Figure 3-17 Enabling and Configuring SMTP
CLI – Enter the host IP address, followed by the mail severity level, source and destination email addresses, and enter the sendmail command to complete the action. Use the show logging command to display SMTP information.
Console(config)#logging sendmail host 192.168.1.4          4-45
Console(config)#logging sendmail level 3                   4-46
Console(config)#logging sendmail source-email big-wheels@matel.com     4-46
Console(config)#logging sendmail destination-email chris@matel.com     4-47
Console(config)#logging sendmail                           4-47
Console(config)#exit
Console#show logging sendmail                              4-48
SMTP servers
-----------------------------------------------
 1. 192.168.1.4
SMTP minimum severity level: 4
SMTP destination email addresses
-----------------------------------------------
 1. chris@matel.com
SMTP source email address: big-wheels@matel.com
SMTP status: Enabled
Console#

Resetting the System

Web – Click System, Reset. Click the Reset button to reboot the switch. When prompted, confirm that you want to reset the switch.
Figure 3-18 Resetting the System
CLI – Use the reload command to restart the switch. When prompted, confirm that you want to reset the switch.
Console#reload                                             4-13
System will be restarted, continue <y/n>?
Note: When restarting the system, it will always run the Power-On Self-Test.

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock using the CLI. (See “calendar set” on page 4-52.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
When the SNTP client is enabled, the switch periodically sends a request for a time update to a configured time server. You can configure up to three time server IP addresses. The switch will attempt to poll each server in the configured sequence.
Configuring SNTP
You can configure the switch to send time synchronization requests to specific time servers.
Command Attributes
• SNTP Client – Configures the switch to operate as an SNTP client. This requires at least one time server to be specified in the SNTP Server field. (Default: Disabled)
• SNTP Poll Interval – Sets the interval between sending requests for a time update from a time server. (Range: 16-16384 seconds; Default: 16 seconds)
• SNTP Server – Sets the IP address for up to three time servers. The switch attempts to update the time from the first server; if this fails, it attempts an update from the next server in the sequence.
Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply.
Figure 3-19 SNTP Configuration
CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.
Console(config)#sntp client                                4-49
Console(config)#sntp poll 60                               4-50
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2       4-50
Console(config)#exit
Console#show sntp
Current time: Jan 6 14:56:05 2004
Poll interval: 60
Current mode: unicast
SNTP status : Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.250.36.2
Console#
Setting the Time Zone
SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Command Attributes
• Current Time – Displays the current time.
• Name – Assigns a name to the time zone. (Range: 1-29 characters)
• Hours (0-13) – The number of hours before/after UTC.
• Minutes (0-59) – The number of minutes before/after UTC.
• Direction – Configures the time zone to be before (east) or after (west) UTC.
Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC, and click Apply.
Figure 3-20 Setting the Time Zone
CLI – This example shows how to set the time zone for the system clock.
Console(config)#clock timezone Dhaka hours 6 minute 0 after-UTC        4-51
Console#

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network.
The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3 clients. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as EdgeView. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.
Access to the switch from clients using SNMP v3 provides additional security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.
The SNMPv3 security structure consists of security models, with each model having its own security levels. There are three security models defined, SNMPv1, SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a security model and specified security levels. Each group also has a defined security access to a set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.
Table 3-1 SNMPv3 Security Models and Levels
Model  Level         Group                 Read View     Write View    Notify View   Security
v1     noAuthNoPriv  public (read only)    defaultview   none          none          Community string only
v1     noAuthNoPriv  private (read/write)  defaultview   defaultview   none          Community string only
v1     noAuthNoPriv  user defined          user defined  user defined  user defined  Community string only
v2c    noAuthNoPriv  public (read only)    defaultview   none          none          Community string only
v2c    noAuthNoPriv  private (read/write)  defaultview   defaultview   none          Community string only
v2c    noAuthNoPriv  user defined          user defined  user defined  user defined  Community string only
v3     noAuthNoPriv  user defined          user defined  user defined  user defined  A user name match only
v3     AuthNoPriv    user defined          user defined  user defined  user defined  Provides user authentication via MD5 or SHA algorithms
v3     AuthPriv      user defined          user defined  user defined  user defined  Provides user authentication via MD5 or SHA algorithms and data privacy using DES 56-bit encryption
Note: The predefined default groups and view can be deleted from the system. You can then define customized groups and views for the SNMP clients that require access.

Enabling the SNMP Agent

Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).
Command Attributes
• SNMP Agent Status – Enables SNMP on the switch.
Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled checkbox, and click Apply.
Figure 3-21 Enabling the SNMP Agent
CLI – The following example enables SNMP on the switch.
Console(config)#snmp-server                                4-61
Console(config)#

Setting Community Access Strings

You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.
Command Attributes
• SNMP Community Capability – The switch supports up to five community strings.
• Current – Displays a list of the community strings currently configured.
• Community String – A community string that acts like a password and permits access to the SNMP protocol.
- Default strings: “public” (read-only access), “private” (read/write access)
- Range: 1-32 characters, case sensitive
• Access Mode – Specifies the access rights for the community string:
- Read-Only – Authorized management stations are only able to retrieve MIB objects.
- Read/Write – Authorized management stations are able to both retrieve and modify MIB objects.
Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add.
Figure 3-22 Configuring SNMP Community Strings
CLI – The following example adds the string “spiderman” with read/write access.
Console(config)#snmp-server community spiderman rw          4-62
Console(config)#

Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as EdgeView). You can specify up to five management stations that will receive authentication failure messages and other notification messages from the switch.
Command Usage
• If you specify an SNMP Version 3 host, then the “Trap Manager Community String” is interpreted as an SNMP user name. If you use V3 authentication or encryption options (authNoPriv or authPriv), the user name must first be defined in the SNMPv3 Users page (page 3-45). Otherwise, the authentication password and/or privacy password will not exist, and the switch will not authorize SNMP access for the host. However, if you specify a V3 host with the no authentication (noAuth) option, an SNMP user account will be automatically generated, and the switch will authorize SNMP access for the host.
• Notifications are issued by the switch as trap messages by default. The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgement of receipt. Informs can be used to ensure that critical information is received by the host. However, note that informs consume more system resources because they must be kept in memory until a response is received. Informs also add to network traffic. You should consider these effects when deciding whether to issue notifications as traps or informs.
To send an inform to an SNMP v2c host, complete these steps:
1. Enable the SNMP agent (page 3-38).
2. Enable trap informs as described in the following pages.
3. Create a view with the required notification messages (page 3-52).
4. Create a group that includes the required notify view (page 3-49).
To send an inform to an SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 3-38).
2. Enable trap informs as described in the following pages.
3. Create a view with the required notification messages (page 3-52).
4. Create a group that includes the required notify view (page 3-49).
5. Specify a remote engine ID where the user resides (page 3-44).
6. Then configure a remote user (page 3-47).
Command Attributes
• Trap Manager Capability – This switch supports up to five trap managers.
• Current – Displays a list of the trap managers currently configured.
• Trap Manager IP Address – IP address of a new management station to receive notification messages.
• Trap Manager Community String – Specifies a valid community string for the new trap manager entry. Though you can set this string in the Trap Managers table, we recommend that you define this string in the SNMP Configuration page (for Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive)
• Trap UDP Port – Specifies the UDP port number used by the trap manager.
• Trap Version – Indicates if the user is running SNMP v1, v2c, or v3. (Default: v1)
• Trap Security Level – When trap version 3 is selected, you must specify one of the following security levels. (Default: noAuthNoPriv)
- noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
- AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model).
• Trap Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)
- Timeout – The number of seconds to wait for an acknowledgment before resending an inform message. (Range: 0-2147483647 centiseconds; Default: 1500 centiseconds)
- Retry times – The maximum number of times to resend an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 3)
• Enable Authentication Traps³ – Issues a notification message to specified IP trap managers whenever authentication of an SNMP request fails. (Default: Enabled)
• Enable Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken. (Default: Enabled)
3. These are legacy notifications and therefore when used for SNMP Version 3 hosts, they must be enabled in conjunction with the corresponding entries in the Notification View (page 3-49).
Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.
Figure 3-23 Configuring SNMP Trap Managers
CLI – This example adds a trap manager and enables authentication traps.
Console(config)#snmp-server host 10.1.19.23 inform private version 2c udp-port 160    4-64
Console(config)#snmp-server enable traps authentication    4-66
Console(config)#

Configuring SNMPv3 Management Access

To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, it must be changed first, before configuring other parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy).
4. Assign SNMP users to groups, along with their specific authentication and privacy passwords.
Setting the Local Engine ID
An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared, because their localized keys were derived from the old engine ID. You will need to reconfigure all existing users.
A new engine ID can be specified by entering 1 to 26 hexadecimal characters. If fewer than 26 characters are specified, trailing zeroes are added to the value. For example, the value “1234” is equivalent to “1234” followed by 22 zeroes.
Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of up to 26 hexadecimal characters and then click Save.
Figure 3-24 Setting an Engine ID
CLI – This example sets an SNMPv3 engine ID.
Console(config)#snmp-server engine-id local 12345abcdef    4-67
Console(config)#exit
Console#show snmp engine-id    4-68
Local SNMP engineID: 12345abcdef000000000000000
Local SNMP engineBoots: 1
Console#
Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. (See “Specifying Trap Managers and Trap Types” on page 3-40 and “Configuring Remote SNMPv3 Users” on page 3-47.)
The engine ID can be specified by entering 10 to 64 hexadecimal characters. If fewer than 64 characters are specified, trailing zeroes are added to the value. For example, the value “0123456789” is equivalent to “0123456789” followed by 54 zeroes.
Web – Click SNMP, SNMPv3, Remote Engine ID. Enter an ID of up to 64 hexadecimal characters and then click Save.
Figure 3-25 Setting an Engine ID
CLI – This example specifies a remote SNMPv3 engine ID.
Console(config)#snmp-server engineID remote 54321 192.168.1.19    4-67
Console(config)#exit
Console#show snmp engine-id    4-68
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1

Remote SNMP engineID                    IP address
80000000030004e2b316c54321              192.168.1.19
Console#
Configuring SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
Command Attributes
User Name – The name of the user connecting to the SNMP agent. (Range: 1-32 characters)
Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
Security Model – The user security model; SNMP v1, v2c or v3.
Security Level – The security level used for the user:
- noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.)
- AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model).
Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5)
Authentication Password – A minimum of eight plain text characters is required.
Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. Note that 56-bit DES is weak by current standards: it prevents casual disclosure of management traffic but should not be relied on against a capable attacker.
Privacy Password – A minimum of eight plain text characters is required.
Actions – Enables the user to be assigned to another SNMPv3 group.
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.
Figure 3-26 Configuring SNMPv3 Users
CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
Console(config)#snmp-server user chris group r&d v3 auth md5 greenpeace priv des56 einstien    4-73
Console(config)#exit
Console#show snmp user    4-74
EngineId: 80000034030001f488f5200000
User Name: chris
Authentication Protocol: md5
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active

Console#
Configuring Remote SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. (See “Specifying Trap Managers and Trap Types” on page 3-40 and “Specifying a Remote Engine ID” on page 3-44.)
Command Attributes
User Name – The name of the user connecting to the SNMP agent. (Range: 1-32 characters)
Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
Engine ID – The engine identifier for the SNMP agent on the remote device where the remote user resides. Note that the remote engine identifier must be specified before you configure a remote user. (See “Specifying a Remote Engine ID” on page 3-44.)
Remote IP – The Internet address of the remote device where the user resides.
Security Model – The user security model; SNMP v1, v2c or v3. (Default: v1)
Security Level – The security level used for the user:
- noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.)
- AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model).
Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5)
Authentication Password – A minimum of eight plain text characters is required.
Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available.
Privacy Password – A minimum of eight plain text characters is required.
Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Figure 3-27 Configuring Remote SNMPv3 Users
CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien    4-73
Console(config)#exit
Console#show snmp user    4-74
No user exist

SNMP remote user
EngineId: 80000000030004e2b316c54321
User Name: mark
Authentication Protocol: none
Privacy Protocol: none
Storage Type: nonvolatile
Row Status: active

Console#
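The engine ID rule stated in the two engine ID sections above (trailing zero padding to 26 or 64 hexadecimal characters) and the key derivation that makes the engine ID part of every user's authentication and privacy keys can be checked directly against RFC 3414. The following Python is an added example, not code from the ES4524M-PoE or its firmware; it assumes only Python's hashlib (hash names "md5" and "sha1") and takes its engine ID and passwords from the manual's own CLI examples. It shows why the switch clears all users when the local engine ID changes, and why a remote user's keys have to be derived from the remote agent's engine ID rather than the local one.

```python
import hashlib

# Added example (not ES4524M-PoE firmware code): RFC 3414 Appendix A.2
# password-to-key and key localization, the step the manual refers to when it
# says the engine ID is combined with user passwords to generate the keys.


def pad_engine_id(hex_chars: str, width: int) -> bytes:
    """Expand a partial engine ID as the manual describes: the hex characters
    entered are right-padded with zeros to `width` characters (26 for the
    local engine ID, 64 for a remote engine ID) and treated as octets."""
    if not 1 <= len(hex_chars) <= width:
        raise ValueError(f"engine ID must be 1-{width} hex characters")
    int(hex_chars, 16)  # rejects non-hex input
    return bytes.fromhex(hex_chars.lower().ljust(width, "0"))


def password_to_ku(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2: hash the password repeated to exactly 1 MiB."""
    if len(password) < 8:  # the switch enforces the same minimum
        raise ValueError("password must be at least 8 characters")
    reps, rem = divmod(1_048_576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || engineID || Ku). This is the key the agent stores and
    uses on the wire; it changes whenever the engine ID changes, which is
    why the switch clears all users when the local engine ID is modified."""
    ku = password_to_ku(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def des56_privacy_material(localized_priv_key: bytes) -> tuple:
    """RFC 3414 8.1.1.1: the first 8 octets of the localized privacy key are
    the DES key, the next 8 are the pre-IV (56-bit DES is this switch's only
    privacy option)."""
    return localized_priv_key[:8], localized_priv_key[8:16]


# Constructed inputs: the engine ID and passwords come from the manual's own
# CLI examples ("12345abcdef", "greenpeace", "einstien"); "md5" matches the
# switch's default authentication protocol.
LOCAL_ENGINE_ID = pad_engine_id("12345abcdef", 26)
AUTH_PASSWORD = b"greenpeace"
PRIV_PASSWORD = b"einstien"


def demo() -> dict:
    """Keys for the same passwords under the original and an altered engine ID."""
    altered = pad_engine_id("12345abcdee", 26)
    return {
        "auth_md5": localized_key(AUTH_PASSWORD, LOCAL_ENGINE_ID, "md5").hex(),
        "auth_md5_after_engine_change": localized_key(AUTH_PASSWORD, altered, "md5").hex(),
        "auth_sha": localized_key(AUTH_PASSWORD, LOCAL_ENGINE_ID, "sha1").hex(),
        "des_key_and_pre_iv": [
            part.hex()
            for part in des56_privacy_material(
                localized_key(PRIV_PASSWORD, LOCAL_ENGINE_ID, "md5"))
        ],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The RFC 3414 test vector (password "maplesyrup", engine ID 000000000000000000000002) reproduces the published localized keys, so the same routine can be used to confirm that a management station and the switch agree on the engine ID before blaming a mistyped password. Prefer SHA over the MD5 default where the management station supports it; 56-bit DES is the only privacy option on this switch and should not be relied on against a capable attacker.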
Configuring SNMPv3 Groups
An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Command Attributes
Group Name – The name of the SNMP group. (Range: 1-32 characters)
Model – The group security model; SNMP v1, v2c or v3.
Level – The security level used for the group:
- noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
- AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model).
Read View – The configured view for read access. (Range: 1-64 characters)
Write View – The configured view for write access. (Range: 1-64 characters)
Notify View – The configured view for notifications. (Range: 1-64 characters)
Table 3-1 Supported Notification Messages
Object Label – Object ID – Description

RFC 1493 Traps
newRoot – 1.3.6.1.2.1.17.0.1 – The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange – 1.3.6.1.2.1.17.0.2 – A topologyChange trap is sent by a bridge when any of its configured ports transitions from the Learning state to the Forwarding state, or from the Forwarding state to the Discarding state. The trap is not sent if a newRoot trap is sent for the same transition.

SNMPv2 Traps
coldStart – 1.3.6.1.6.3.1.1.5.1 – A coldStart trap signifies that the SNMPv2 entity, acting in an agent role, is reinitializing itself and that its configuration may have been altered.
warmStart – 1.3.6.1.6.3.1.1.5.2 – A warmStart trap signifies that the SNMPv2 entity, acting in an agent role, is reinitializing itself such that its configuration is unaltered.
linkDown* – 1.3.6.1.6.3.1.1.5.3 – A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state). This other state is indicated by the included value of ifOperStatus.
linkUp* – 1.3.6.1.6.3.1.1.5.4 – A linkUp trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state). This other state is indicated by the included value of ifOperStatus.
authenticationFailure* – 1.3.6.1.6.3.1.1.5.5 – An authenticationFailure trap signifies that the SNMPv2 entity, acting in an agent role, has received a protocol message that is not properly authenticated. While all implementations of the SNMPv2 must be capable of generating this trap, the snmpEnableAuthenTraps object indicates whether this trap will be generated.

RMON Events (V2)
risingAlarm – 1.3.6.1.2.1.16.0.1 – The SNMP trap that is generated when an alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps.
fallingAlarm – 1.3.6.1.2.1.16.0.2 – The SNMP trap that is generated when an alarm entry crosses its falling threshold and generates an event that is configured for sending SNMP traps.

Private Traps
swPowerStatusChangeTrap – 1.3.6.1.4.1.259.8.1.7.1.0.1 – This trap is sent when the power state changes.
swIpFilterRejectTrap – 1.3.6.1.4.1.259.8.1.7.1.0.40 – This trap is sent when an incorrect IP address is rejected by the IP Filter.

* These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps on the SNMP Configuration menu (page 3-42).
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
Figure 3-28 Configuring SNMPv3 Groups
CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views.
Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview    4-71
Console(config)#exit
Console#show snmp group    4-72
. . .
Group Name: secure-users
Security Model: v3
Read View: defaultview
Write View: defaultview
Notify View: defaultview
Storage Type: nonvolatile
Row Status: active

Console#
Setting SNMPv3 Views
SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.
Command Attributes
View Name – The name of the SNMP view. (Range: 1-64 characters)
View OID Subtrees – Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view.
Edit OID Subtrees – Allows you to configure the object identifiers of branches within the MIB tree. Wildcards can be used to mask a specific portion of the OID string.
Type – Indicates if the object identifier of a branch within the MIB tree is included in or excluded from the SNMP view.
Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list. For a specific view, click on View OID Subtrees to display the current configuration, or click on Edit OID Subtrees to make changes to the view settings. To delete a view, check the box next to the view name, then click Delete.
Figure 3-29 Configuring SNMPv3 Views
CLI – Use the snmp-server view command to configure a new view. This example view includes the ifIndex column (1.3.6.1.2.1.2.2.1.1) of the MIB-2 interfaces table, and the trailing wildcard selects all of its index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included    4-69
Console(config)#exit
Console#show snmp view    4-70
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
View Type: included
Storage Type: nonvolatile
Row Status: active

View Name: readaccess
Subtree OID: 1.3.6.1.2
View Type: included
Storage Type: nonvolatile
Row Status: active

View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: nonvolatile
Row Status: active

Console#
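The lookup the switch performs for each request against a user's read, write or notify view is the RFC 3415 (VACM) view-tree family match, in which a wildcard component is a sub-identifier masked out of the comparison and the most specific matching entry decides. The following Python is an added example, not the switch's code; it assumes nothing beyond the standard library, encodes the three views from the show snmp view output above, and adds a constructed view under the hypothetical name MONITOR_VIEW to show what excluded subtrees are for in practice: hiding the USM and VACM tables from a read-only user so that the SNMPv3 user list cannot be enumerated over SNMP.

```python
from dataclasses import dataclass

# Added example (not the switch's code): RFC 3415 view-tree family matching
# applied to the "Subtree OID" strings that `show snmp view` prints. A '*'
# component is a wildcard, i.e. a sub-identifier masked out of the comparison.


@dataclass(frozen=True)
class ViewEntry:
    subtree: str    # e.g. "1.3.6.1.2.1.2.2.1.1.*"
    included: bool  # View Type: included (True) / excluded (False)


def _parse_subtree(subtree: str):
    """Split "1.3.6.*.4" into sub-identifiers plus a per-position mask."""
    ids, mask = [], []
    for part in subtree.split("."):
        if part == "*":
            ids.append(0)
            mask.append(False)          # wildcard: any value matches here
        else:
            ids.append(int(part))
            mask.append(True)
    return ids, mask


def _entry_matches(entry: ViewEntry, oid: list) -> bool:
    ids, mask = _parse_subtree(entry.subtree)
    if len(ids) > len(oid):             # subtree is longer than the OID
        return False
    return all(not m or ids[i] == oid[i] for i, m in enumerate(mask))


def oid_in_view(view: list, oid: str) -> bool:
    """RFC 3415 3.5 step 4: of all matching entries, the one with the longest
    subtree wins (ties: lexicographically greatest subtree); the OID is
    visible only if that entry is 'included'. No matching entry: hidden."""
    target = [int(x) for x in oid.split(".")]
    best = None
    for entry in view:
        if _entry_matches(entry, target):
            ids, _ = _parse_subtree(entry.subtree)
            key = (len(ids), ids)
            if best is None or key > best[0]:
                best = (key, entry)
    return best is not None and best[1].included


# The three views from the manual's `show snmp view` output.
DEFAULTVIEW = [ViewEntry("1", True)]
READACCESS = [ViewEntry("1.3.6.1.2", True)]
IFENTRY_A = [ViewEntry("1.3.6.1.2.1.2.2.1.1.*", True)]

# Constructed hardened view (not from the manual): the whole tree minus the
# USM user table and the VACM tables, so that a monitoring user cannot
# enumerate SNMPv3 user names or the access policy itself.
MONITOR_VIEW = [
    ViewEntry("1", True),
    ViewEntry("1.3.6.1.6.3.15", False),  # SNMP-USER-BASED-SM-MIB
    ViewEntry("1.3.6.1.6.3.16", False),  # SNMP-VIEW-BASED-ACM-MIB
]

# Sample OIDs: sysDescr.0, ifIndex.3, ifDescr.3 and one usmUserTable cell.
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
IF_INDEX_3 = "1.3.6.1.2.1.2.2.1.1.3"
IF_DESCR_3 = "1.3.6.1.2.1.2.2.1.2.3"
USM_USER_ROW = "1.3.6.1.6.3.15.1.2.2.1.3.12.0"

if __name__ == "__main__":
    for name, view in [("defaultview", DEFAULTVIEW), ("readaccess", READACCESS),
                       ("ifEntry.a", IFENTRY_A), ("monitor", MONITOR_VIEW)]:
        for oid in (SYS_DESCR, IF_INDEX_3, IF_DESCR_3, USM_USER_ROW):
            print(f"{name:12} {oid:32} {'visible' if oid_in_view(view, oid) else 'hidden'}")
```

The most specific entry wins, so an excluded subtree can punch a hole in defaultview and an included wildcard entry can re-expose one column of an otherwise excluded table. Check the resulting visibility for the OIDs you care about rather than assuming that "defaultview minus one entry" behaves as intended.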

User Authentication

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access⁴ using the following options:
• User Accounts – Manually configure management access rights for users.
• Authentication Settings – Use remote authentication to configure access rights.
• HTTPS Settings – Provide a secure web connection.
• SSH Settings – Provide a secure shell (for secure Telnet access).
• 802.1X – Use IEEE 802.1X port authentication to control access to specific ports.
• IP Filter – Filters management access to the web, SNMP or Telnet interface.

Configuring User Accounts

The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place. Give the guest account a new password as well, since its default is publicly documented. Note that local passwords are limited to 8 characters (see below), so use the full length with mixed character classes, and consider RADIUS or TACACS+ authentication for administrative logon.
The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.”
Command Attributes
Account List – Displays the current list of user accounts and associated access levels. (Default: admin, and guest)
New Account – Displays configuration settings for a new account.
- User Name – The name of the user. (Maximum length: 8 characters; maximum number of users: 16)
- Access Level – Specifies the user level. (Options: Normal and Privileged)
- Password – Specifies the user password. (Range: 0-8 characters plain text, case sensitive)
Change Password – Sets a new password for the specified user name.
4. For other methods of controlling client access, see “Client Security” on page 7-1.
Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
Figure 3-1 User Accounts
CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password. The 0 in the password command indicates that the password is being entered in plain text.
Console(config)#username bob access-level 15    4-76
Console(config)#username bob password 0 smith
Console(config)#

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols. Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are logon authentication protocols that use software running on a central server to control access to RADIUS-aware or TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch.

Figure: Remote logon authentication sequence (Web, Telnet or console client; switch; RADIUS/TACACS+ server)
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet. In both cases the protection depends entirely on the shared secret configured on the switch and the server, so the secret must be long and random, and the path between them should be a trusted management network.
Command Usage
• By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol. Local and remote logon authentication control management access via the console port, web browser, or Telnet.
• RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair. The user name, password, and privilege level must be configured on the authentication server. The encryption methods used for the authentication process must also be configured or negotiated between the authentication server and logon client. This switch can pass authentication messages between the server and client that have been encrypted using MD5 (Message-Digest 5), TLS (Transport Layer Security), or TTLS (Tunneled Transport Layer Security).
• You can specify up to three authentication methods for any user to indicate the authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and (3) Local, the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted using the TACACS+ server, and finally the local user name and password is checked. Because local authentication is the last method in such a sequence, it remains reachable whenever the remote servers are unavailable, so local account passwords must be kept as strong as those held on the servers.
Command Attributes
Authentication – Select the authentication, or authentication sequence required:
- Local – User authentication is performed only locally by the switch.
- Radius – User authentication is performed using a RADIUS server only.
- TACACS – User authentication is performed using a TACACS+ server only.
- [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.
RADIUS Settings
- Global – Provides globally applicable RADIUS settings.
- Server Index – Specifies one of five RADIUS servers that may be configured. The switch attempts authentication using the listed sequence of servers. The process ends when a server either approves or denies access to a user.
- Server IP Address – Address of authentication server. (Default: 10.1.0.1)
- Server Port Number – Network (UDP) port of authentication server used for authentication messages. (Range: 1-65535; Default: 1812)
- Secret Text String – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters)
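The statement above that RADIUS encrypts only the password in the Access-Request, and the role of the Secret Text String, are easiest to understand from the hiding algorithm itself. The following Python is an added example, not code from the switch or from any RADIUS implementation; it implements RFC 2865 section 5.2 with a hypothetical shared secret and a fixed Request Authenticator so that the output is reproducible, and uses only the standard library.

```python
import hashlib
import os

# Added example (not the switch's code): RFC 2865 section 5.2 User-Password
# hiding, the only protection RADIUS applies to the credential carried in an
# Access-Request. Everything else in the request (User-Name, NAS address) is
# sent in the clear, and the hiding is reversible by anyone who holds the
# shared secret and sees the packet.


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_request_authenticator() -> bytes:
    """16 random octets; RFC 2865 requires these to be unpredictable, since
    the first keystream block is MD5(secret || authenticator)."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S || RA); c_i = p_i XOR MD5(S || c_{i-1}) per 16-octet block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1-128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                      # CBC-like chaining on ciphertext
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The inverse; what the RADIUS server (or an eavesdropper holding the
    secret) does with the captured attribute."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")            # strip the NUL padding


# Constructed values, not from the manual: a hypothetical shared secret and a
# fixed authenticator so the run is reproducible (use new_request_authenticator()
# for real requests).
SECRET = b"sw1tch-radius-secret"
AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    hidden = hide_password(b"smith", SECRET, AUTHENTICATOR)
    print("on the wire:", hidden.hex())
    print("recovered with secret:", reveal_password(hidden, SECRET, AUTHENTICATOR))
    print("recovered with wrong secret:", reveal_password(hidden, b"guess", AUTHENTICATOR))
```

Two consequences follow. The shared secret (at most 48 characters on this switch) is the only thing protecting management passwords on the path to the RADIUS server, so it should be long and random and that path should be a trusted management network. And because the first keystream block is MD5(secret || authenticator), a client that reuses a Request Authenticator lets an observer XOR two captured requests and cancel the keystream, which is why the authenticator must be fresh for every request. TACACS+ obfuscates the whole packet body, but with a scheme that likewise depends only on the shared key, so the same care applies there.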