Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and
its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such
changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR
CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF
OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF
ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF
SUCH DAMAGES.
Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810
© 2012 Enterasys Networks, Inc. All rights reserved.
Part Number: 9034662-02 October 2012
ENTERASYS, ENTERASYS NETWORKS, ENTERASYS SECURE NETWORKS, NETSIGHT, ENTERASYS NETSIGHT, and any
logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and/or
other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
Enterasys Networks, Inc. Firmware License Agreement
BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT,
CAREFULLY READ THIS LICENSE AGREEMENT.
This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc., on behalf of itself
and its Affiliates (as hereinafter defined) (“Enterasys”) that sets forth Your rights and obligations with respect to the Enterasys
software program/firmware (including any accompanying documentation, hardware or media) (“Program”) in the package
and prevails over any additional, conflicting or inconsistent terms and conditions appearing on any purchase order or other
document submitted by You. “Affiliate” means any person, partnership, corporation, limited liability company, other form of
enterprise that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common
control with the party specified. This Agreement constitutes the entire understanding between the parties, with respect to the
subject matter of this Agreement. The Program may be contained in firmware, chips or other media.
BY INSTALLING OR OTHERWISE USING THE PROGRAM, YOU REPRESENT THAT YOU ARE AUTHORIZED TO ACCEPT
THESE TERMS ON BEHALF OF THE END USER (IF THE END USER IS AN ENTITY ON WHOSE BEHALF YOU ARE
AUTHORIZED TO ACT, “YOU” AND “YOUR” SHALL BE DEEMED TO REFER TO SUCH ENTITY) AND THAT YOU
AGREE THAT YOU ARE BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES, AMONG OTHER
PROVISIONS, THE LICENSE, THE DISCLAIMER OF WARRANTY AND THE LIMITATION OF LIABILITY. IF YOU DO NOT
AGREE TO THE TERMS OF THIS AGREEMENT OR ARE NOT AUTHORIZED TO ENTER INTO THIS AGREEMENT,
ENTERASYS IS UNWILLING TO LICENSE THE PROGRAM TO YOU AND YOU AGREE TO RETURN THE UNOPENED
PRODUCT TO ENTERASYS OR YOUR DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT
FOR A FULL REFUND.
IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS, LEGAL
DEPARTMENT AT (978) 684-1000.
You and Enterasys agree as follows:
1. LICENSE. You have the non-exclusive and non-transferable right to use only the one (1) copy of the Program provided in
this package subject to the terms and conditions of this Agreement.
2. RESTRICTIONS. Except as otherwise authorized in writing by Enterasys, You may not, nor may You permit any third
party to:
(a) Reverse engineer, decompile, disassemble or modify the Program, in whole or in part, including for reasons of error
correction or interoperability, except to the extent expressly permitted by applicable law and to the extent the parties
shall not be permitted by that applicable law, such rights are expressly excluded. Information necessary to achieve
interoperability or correct errors is available from Enterasys upon request and upon payment of Enterasys’ applicable
fee.
(b) Incorporate the Program in whole or in part, in any other product or create derivative works based on the Program, in
whole or in part.
(c) Publish, disclose, copy reproduce or transmit the Program, in whole or in part.
(d) Assign, sell, license, sublicense, rent, lease, encumber by way of security interest, pledge or otherwise transfer the
Program, in whole or in part.
(e) Remove any copyright, trademark, proprietary rights, disclaimer or warning notice included on or embedded in any
part of the Program.
3. APPLICABLE LAW. This Agreement shall be interpreted and governed under the laws and in the state and federal courts
of the Commonwealth of Massachusetts without regard to its conflicts of laws provisions. You accept the personal jurisdiction
and venue of the Commonwealth of Massachusetts courts. None of the 1980 United Nations Convention on the Limitation Period
in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement.
4. EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the
U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products
to certain countries, unless a license to export the product is obtained from the U.S. Government or an exception from obtaining
such license may be relied upon by the exporting party.
If the Program is exported from the United States pursuant to the License Exception CIV under the U.S. Export
Administration Regulations, You agree that You are a civil end user of the Program and agree that You will use the Program for
civil end uses only and not for military purposes.
If the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export
Administration Regulations, in addition to the restriction on transfer set forth in Section 1 or 2 of this Agreement, You agree not
to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country
Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Cambodia, Cuba, Georgia, Iraq, Kazakhstan, Laos, Libya, Macau,
Moldova, Mongolia, North Korea, the People’s Republic of China, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan,
Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or
E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to
national security controls as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a
complete plant or any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a
major component thereof, if such foreign produced direct product is subject to national security controls as identified on the
U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List.
5. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Program (i) was developed solely at private
expense; (ii) contains “restricted computer software” submitted with restricted rights in accordance with section 52.227-19 (a)
through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects is
proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program is considered
commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or
disclosure by the U.S. Government is subject to restrictions set forth herein.
6. DISCLAIMER OF WARRANTY. EXCEPT FOR THOSE WARRANTIES EXPRESSLY PROVIDED TO YOU IN WRITING
BY ENTERASYS, ENTERASYS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR
PURPOSE, TITLE AND NON-INFRINGEMENT WITH RESPECT TO THE PROGRAM. IF IMPLIED WARRANTIES MAY NOT
BE DISCLAIMED BY APPLICABLE LAW, THEN ANY IMPLIED WARRANTIES ARE LIMITED IN DURATION TO THIRTY
(30) DAYS AFTER DELIVERY OF THE PROGRAM TO YOU.
7. LIMITATION OF LIABILITY. IN NO EVENT SHALL ENTERASYS OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, PROFITS,
BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR
RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM, EVEN IF
ENTERASYS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS FOREGOING LIMITATION SHALL
APPLY REGARDLESS OF THE CAUSE OF ACTION UNDER WHICH DAMAGES ARE SOUGHT.
THE CUMULATIVE LIABILITY OF ENTERASYS TO YOU FOR ALL CLAIMS RELATING TO THE PROGRAM, IN
CONTRACT, TORT OR OTHERWISE, SHALL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID TO ENTERASYS BY
YOU FOR THE RIGHTS GRANTED HEREIN.
8. AUDIT RIGHTS. You hereby acknowledge that the intellectual property rights associated with the Program are of critical
value to Enterasys, and, accordingly, You hereby agree to maintain complete books, records and accounts showing (i) license
fees due and paid, and (ii) the use, copying and deployment of the Program. You also grant to Enterasys and its authorized
representatives, upon reasonable notice, the right to audit and examine during Your normal business hours, Your books, records,
accounts and hardware devices upon which the Program may be deployed to verify compliance with this Agreement, including
the verification of the license fees due and paid Enterasys and the use, copying and deployment of the Program. Enterasys’ right
of examination shall be exercised reasonably, in good faith and in a manner calculated to not unreasonably interfere with Your
business. In the event such audit discovers non-compliance with this Agreement, including copies of the Program made, used
or deployed in breach of this Agreement, You shall promptly pay to Enterasys the appropriate license fees. Enterasys reserves
the right, to be exercised in its sole discretion and without prior notice, to terminate this license, effective immediately, for failure
to comply with this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return
to Enterasys the Program and all copies of the Program.
9. OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the Program
constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement reasonable
security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to the Program shall
remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved to Enterasys.
10. ENFORCEMENT. You acknowledge and agree that any breach of Sections 2, 4, or 9 of this Agreement by You may cause
Enterasys irreparable damage for which recovery of money damages would be inadequate, and that Enterasys may be entitled
to seek timely injunctive relief to protect Enterasys’ rights under this Agreement in addition to any and all remedies available at
law.
11. ASSIGNMENT. You may not assign, transfer or sublicense this Agreement or any of Your rights or obligations under this
Agreement, except that You may assign this Agreement to any person or entity which acquires substantially all of Your stock
assets. Enterasys may assign this Agreement in its sole discretion. This Agreement shall be binding upon and inure to the benefit
of the parties, their legal representatives, permitted transferees, successors and assigns as permitted by this Agreement. Any
attempted assignment, transfer or sublicense in violation of the terms of this Agreement shall be void and a breach of this
Agreement.
12. WAIVER. A waiver by Enterasys of a breach of any of the terms and conditions of this Agreement must be in writing and
will not be construed as a waiver of any subsequent breach of such term or condition. Enterasys’ failure to enforce a term upon
Your breach of such term shall not be construed as a waiver of Your breach or prevent enforcement on any other occasion.
13. SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity,
legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired thereby, and that
provision shall be reformed, construed and enforced to the maximum extent permissible. Any such invalidity, illegality, or
unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other
jurisdiction.
14. TERMINATION. Enterasys may terminate this Agreement immediately upon Your breach of any of the terms and
conditions of this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return
to Enterasys the Program and all copies of the Program.
Contents
Chapter 1: Setting Up a Switch for the First Time
Before You Begin ...........................................................................................................................................1-1
Connecting to the Switch ................................................................................................................................1-2
Downloading New Firmware ........................................................................................................................... 1-3
Deleting a Backup Image File .................................................................................................................. 1-5
Saving the Configuration and Connecting Devices ........................................................................................ 1-7
Configuring a Stack of New Switches ............................................................................................................. 1-8
Where to Go Next ...........................................................................................................................................1-9
Getting Help ..................................................................................................................................................1-10
Downloading Firmware via the Serial Port ................................................................................................... 1-10
Chapter 2: Configuring Switches in a Stack
About Switch Operation in a Stack ................................................................................................................. 2-1
Creating a Virtual Switch Configuration .......................................................................................................... 2-4
Example ...................................................................................................................................................2-5
Considerations About Using “clear config” in a Stack ....................................................................................2-5
Logging In ................................................................................................................................................3-3
Using a Default User Account ............................................................................................................3-3
Using an Administratively Configured User Account..........................................................................3-3
Clearing and Closing the CLI ................................................................................................................... 3-3
Navigating the Command Line Interface ..................................................................................................3-3
Getting Help with CLI Syntax..............................................................................................................3-3
DHCP Server .........................................................................................................................................4-16
MAC Address Settings .................................................................................................................................4-24
Age Time ................................................................................................................................................4-24
Limiting MAC Addresses to Specific VLANs ..........................................................................................4-25
Port Configuration Overview ...........................................................................................................................8-1
Port String Syntax Used in the CLI .............................................................................................................8-1
Console Port Settings .............................................................................................................................. 8-2
Port Name or Alias ......................................................................................................................................8-3
Auto-Negotiation and Advertised Ability .............................................................................................8-4
Port Speed and Duplex Mode .....................................................................................................................8-4
Protected Port Mode...........................................................................................................................8-6
Displaying Port Status ..............................................................................................................................8-6
Displaying Cable Status .....................................................................................................................8-7
Configuring SFP Ports for 100BASE-FX ..................................................................................................8-7
Configuring Port Link Flap Detection ..............................................................................................................8-8
Basic Link Flap Detection Configuration .................................................................................................. 8-9
Example .................................................................................................................................................8-10
Link Flap Detection Display Commands ................................................................................................8-11
Mirroring Features ..................................................................................................................................8-12
Configuring Port Mirroring ................................................................................................................8-13
Remote Port Mirroring ............................................................................................................................8-13
Configuring Remote Port Mirroring...................................................................................................8-14
Configuring SMON MIB Port Mirroring ................................................................................................... 8-15
Example of a VLAN Switch in Operation .................................................................................................. 9-5
VLAN Support on Enterasys Switches ...........................................................................................................9-6
Maximum Active VLANs ...........................................................................................................................9-6
Configurable Range .................................................................................................................................9-6
Terms and Definitions ................................................................................................................................... 9-14
Enabling RADIUS On the Switch ......................................................................................................... 10-26
Creating RADIUS User Accounts on the Authentication Server .......................................................... 10-26
Configuring the Engineering Group 802.1x End-User Stations ............................................................10-26
Configuring the Printer Cluster for MAC-Based Authentication ...........................................................10-27
Configuring the Public Area PWA Station ...............................................................................................10-28
Terms and Definitions ................................................................................................................................. 10-28
Flexible Link Aggregation Groups ..........................................................................................................11-8
Configuring Link Aggregation .......................................................................................................................11-9
Link Aggregation Configuration Example ...................................................................................................11-11
Configuring the S8 Distribution Switch .................................................................................................11-14
Configuring the Fixed Switch Stack 1.............................................................................................11-14
Configuring the Fixed Switch Stack 2.............................................................................................11-14
Configuring the Server....................................................................................................................11-15
Terms and Definitions ................................................................................................................................. 11-15
SNMPv3 User-Based Security Model (USM) Enhancements ..........................................................12-4
Terms and Definitions ............................................................................................................................12-5
Security Models and Levels ...................................................................................................................12-6
Access Control .......................................................................................................................................12-6
System Logging Overview ............................................................................................................................ 14-1
Example .................................................................................................................................................14-6
About Security Audit Logging .......................................................................................................................14-6
Disabling Spanning Tree ........................................................................................................................ 15-7
STP Features .........................................................................................................................................15-7
Spanning Tree Basics ..................................................................................................................................15-9
Spanning Tree Bridge Protocol Data Units ............................................................................................. 15-9
Paths to Root .......................................................................................................................................15-10
Identifying Designated, Alternate, and Backup Port Roles ..................................................................15-12
Assigning Port States ...........................................................................................................................15-13
Adjusting Spanning Tree Parameters ..................................................................................................15-20
Setting Bridge Priority Mode and Priority........................................................................................15-21
Setting a Port Priority ........................................................................................................................15-21
Assigning Port Costs ......................................................................................................................15-22
Adjusting Bridge Protocol Data Unit (BPDU) Intervals ...................................................................15-22
Enabling the Backup Root Function .....................................................................................................15-23
Terms and Definitions ................................................................................................................................. 15-36
Chapter 16: Configuring Policy
Using Policy in Your Network ....................................................................................................................... 16-1
Standard and Enhanced Policy on Enterasys Platforms ........................................................................16-2
Policy Configuration Example ..................................................................................................................... 16-12
Configuring Guest Policy on Edge Platforms .................................................................................16-15
Configuring Policy for the Edge Student Fixed Switch ...................................................................16-15
Configuring PhoneFS Policy for the Edge Fixed Switch.................................................................16-16
Configuring Policy for the Edge Faculty Fixed Switch....................................................................16-17
Terms and Definitions ................................................................................................................................. 16-18
Chapter 17: Configuring Quality of Service
Quality of Service Overview ............................................................................................................................17-1
Quality of Service Operation ...................................................................................................................17-2
Class of Service (CoS) ............................................................................................................................17-2
CoS Settings ..........................................................................................................................................17-3
CoS Hardware Resource Reference................................................................................................17-3
CoS Flood Control State...................................................................................................................17-3
CoS Priority and ToS Rewrite...........................................................................................................17-3
CoS Reference .......................................................................................................................................17-4
Port Group and Type........................................................................................................................17-4
CoS Settings Reference to Port Resource Mapping ........................................................................17-5
Port Traffic Rate Limiting ............................................................................................................................17-17
Using Multicast in Your Network ................................................................................................................... 19-1
Enabling the Switch for Routing ................................................................................................................... 20-1
Example .................................................................................................................................................20-3
The ARP Table ............................................................................................................................................. 20-6
Terms and Definitions ................................................................................................................................. 20-10
Configuring OSPF Areas .............................................................................................................................. 22-8
Configuring Area Range ......................................................................................................................... 22-8
Terms and Definitions ................................................................................................................................... 23-8
Chapter 24: Configuring Access Control Lists
Using Access Control Lists (ACLs) in Your Network ....................................................................................24-1
Access Control Lists on the A4 ................................................................................................................... 24-11
About IPsec ............................................................................................................................................ 26-4
Example .................................................................................................................................................26-7
MAC Locking ................................................................................................................................................26-7
First Arrival Configuration .......................................................................................................................26-8
MAC Locking Notifications ..................................................................................................................... 26-8
Disabling and Enabling Ports ................................................................................................................. 26-9
Service ACLs ..............................................................................................................................................26-16
Restricting Management Access to the Console Port ...........................................................................26-17
Configuring a Service Access Control List ...........................................................................................26-17
This guide provides basic configuration information for the Enterasys Networks Fixed Switch
platforms using the Command Line Interface (CLI), including procedures and code examples.
For detailed information about the CLI commands used in this book, refer to the CLI Reference for
your Fixed Switch platform.
How to Use This Guide
Read through this guide completely to familiarize yourself with its contents and to gain an
understanding of the features and capabilities of the Enterasys Networks Fixed Switches. A
general working knowledge of data communications networks is helpful when setting up these
switches.
Related Documents
The CLI Reference manuals and Hardware Installation Guides for each platform can be obtained from
the World Wide Web in Adobe Acrobat Portable Document Format (PDF) at the following site:
http://extranet.enterasys.com/downloads/
Important Notice
Depending on the firmware version used on your Fixed Switch platform, some features described in this
document may not be supported. Refer to the most recent Release Notes for your product to determine which
features are supported. Release Notes are available at this link: https://extranet.enterasys.com/downloads
Conventions Used in This Guide
The following conventions are used in the text of this document:
Convention                 Description
Bold font                  Indicates mandatory keywords, parameters or keyboard keys.
italic font                Indicates complete document titles.
Courier font               Used for examples of information displayed on the screen.
Courier font in italics    Indicates a user-supplied value, either required or optional.
[ ]                        Square brackets indicate an optional value.
{ }                        Braces indicate required values. One or more values may be required.
|                          A vertical bar indicates a choice in values.
[x | y | z]                Square brackets with a vertical bar indicate a choice of a value.
{x | y | z}                Braces with a vertical bar indicate a choice of a required value.
[x {y | z}]                A combination of square brackets with braces and vertical bars indicates a
                           required choice of an optional value.
The following icons are used in this guide:
Note: Calls the reader’s attention to any item of information that may be of special importance.
Router: Calls the reader’s attention to router-specific commands and information.
Caution: Contains information essential to avoid damage to the equipment.
Precaución: (Spanish) Contains information essential to avoid damaging the equipment.
Achtung: (German) Refers to important information for protecting against damage.
Getting Help
For additional support related to the product or this document, contact Enterasys Networks using
one of the following methods:
World Wide Web    www.enterasys.com/support
Phone             1-800-872-8440 (toll-free in U.S. and Canada)
                  or 1-978-684-1000
                  To find the Enterasys Networks Support toll-free number in your country:
                  www.enterasys.com/support
Email             support@enterasys.com
                  To expedite your message, type [switching] in the subject line.
Before contacting Enterasys Networks for technical support, have the following data ready:
•Your Enterasys Networks service contract number
•A description of the failure
•A description of any action(s) already taken to resolve the problem (for example, changing
mode switches or rebooting the unit)
•The serial and revision numbers of all involved Enterasys Networks products in the network
•A description of your network environment (such as layout, cable type, other relevant
environmental information)
•Network load and frame size at the time of trouble (if known)
•The device history (for example, if you have returned the device before, or if this is a recurring
problem)
•Any previous Return Material Authorization (RMA) numbers
1
Setting Up a Switch for the First Time
This chapter describes how to configure an Enterasys stackable or standalone Fixed Switch
received from the factory that has not been previously configured. Most of the procedures assume
that you are configuring a single switch that has not been connected to a network, and they
require that you have physical access to the console port on the switch.
If you are configuring multiple new switches in a stack, review the procedures that apply to a
single switch first, then refer to “Configuring a Stack of New Switches” on page 1-8.
For information about...                              Refer to page...
Before You Begin                                      1-1
Connecting to the Switch                              1-2
Downloading New Firmware                              1-3
Additional Configuration Tasks                        1-5
Saving the Configuration and Connecting Devices       1-7
Configuring a Stack of New Switches                   1-8
Where to Go Next                                      1-9
Getting Help                                          1-10
Downloading Firmware via the Serial Port              1-10
Before You Begin
The procedures in this chapter assume that:
•You have installed a terminal emulation program on the PC or laptop computer that you will
use to configure the switch. Commonly used (and often free) terminal emulation programs
available on the Internet include:
–HyperTerminal
–Tera Term
–PuTTY
•You can connect your PC or laptop to the (DB9 male) console port on the switch.
If your PC or laptop has a DB9 communications port, use the DB9 female-to-DB9 female cable
that was shipped with the switch to connect your computer to the switch console port.
If your PC or laptop does not have a DB9 communications port but does provide a USB port:
–Obtain a USB to RS-232 DB9 (male) serial interface adapter cable. If the adapter cable
requires a driver, install the driver on your computer. (These drivers are usually provided
by the vendor of the adapter cable.)
–Connect the adapter cable’s USB connector to a USB port on your PC or laptop and
determine which COM port has been assigned to that USB port. (On Windows 7, this
information is displayed in the Device Manager window.)
–Connect the adapter cable’s DB9 male connector to the DB9 female-to-DB9 female cable
shipped with the switch.
–Connect the free end of the DB9 female-to-DB9 female cable to the switch console port.
•You have access to a TFTP server. Since this procedure assumes that the switch is not
connected to a network, the TFTP server application should be locally installed on your PC or
laptop. TFTP servers are available on the Internet for purchase or free download.
Review your TFTP server documentation for information about how to configure the server.
In particular, you must configure the upload/download directory used by the TFTP server.
•You have downloaded the latest firmware for the switch from the Enterasys web site to your
computer, unzipped/uncompressed the firmware, and copied the firmware to the upload/
download directory configured for your TFTP server (see previous bullet). The firmware is
available at this Enterasys location:
https://extranet.enterasys.com/downloads
Review the Release Notes for the downloaded firmware to check for any upgrade notices or
limitations that may apply to your switch.
Connecting to the Switch
Follow these steps to connect to the switch and set its IP address:
1.Connect your PC or laptop to the console port of the switch, as described above.
2.On your computer, start your terminal emulation program and set the serial session
parameters, including the following:
–Transmit speed or baud rate = 9600
–Data bits = 8
–Parity = None
–Stop bits = 1
–Mode = 7 bit control, if available
–Specify the appropriate COM port
3.Open the terminal emulation session, then power up the switch.
4.In the window of the terminal emulation session, you will see switch boot up output.
5.When the boot up output is complete, the system prints a Username prompt.
6.Log in to the system by typing the default username admin, then pressing the Enter key at the
Password prompt. You will see a Welcome screen similar to the following.
Username:admin
Password:
Enterasys C5
Command Line Interface
Enterasys Networks, Inc.
50 Minuteman Rd.
Andover, MA 01810-1008 U.S.A.
Last successful login : WED DEC 07 20:23:20 2011
Failed login attempts since last login : 0
C5(su)->
Note: Using TFTP to copy the latest firmware to the switch is recommended because it is faster.
However, if you cannot use a TFTP server, you can download the firmware over the console port.
That procedure is described in “Downloading Firmware via the Serial Port” on page 1-10.
7.Note the firmware version displayed in the Welcome screen — it is most likely earlier than the
latest version you downloaded from the Enterasys web site, so you will need to upgrade the
firmware on the switch.
8.Set a static system IP address on the switch to be used to download the new firmware. For
example:
C5(su)->set ip address 192.168.1.1 mask 255.255.255.0
Setting a mask and gateway address are optional. If they are not specified, mask will be set to
the natural mask of the address and gateway will stay at the default value of 0.0.0.0.
9.On your computer, set an IP address in the same subnet you gave to the switch. For example:
192.168.1.2.
10. Set up in-band access between your computer and the switch by connecting an Ethernet cable
from the network port on your computer to one of the front panel fixed ports on the switch.
(Pings and the TFTP transfer will occur via this in-band connection.)
11. From within the switch session, ping the IP address you gave to your computer, to ensure
connectivity between the switch and your computer. For example:
C5(su)->ping 192.168.1.2
Then, from your computer, ping the switch.
Note: If the pings are unsuccessful, there may be firewall or other configuration issues on your
computer. As a first step, try disabling the firewall on your computer (and re-enable it once the
transfer is complete, since a TFTP server accepts requests without authentication). If that does not
resolve the problem, contact your IT group for assistance.
Downloading New Firmware
On stackable and standalone switches, the system Flash can store up to two firmware images at a
time. A new switch should have only one firmware image installed, which allows you to
download the new firmware image as described below. If you are installing a replacement switch
or just want to verify the contents of the images directory, refer to “Deleting a Backup Image File”
on page 1-5 for more information.
After you have established your connection to the switch, follow these steps to download the
latest firmware:
1.Start the TFTP application.
2.In the terminal emulation session window, use the copy command to TFTP transfer the
firmware file from the TFTP server location to the images directory on the switch. For
example:
3.Set the new firmware to be active and reboot the system with the set boot system command.
When the command asks if you want to reset the system now, reply y. For example:
C5(su)->set boot system c5-series_06.61.01.0031
This command can optionally reset the system to boot the new image.
Do you want to reset now (y/n) [n]y
Resetting system ...
4.After the switch reboots, log in again and use the dir command to confirm that the new
firmware is the “active” and “boot” firmware. For example:
Note: If this switch will be added to an existing stack, you should install the primary and backup
firmware versions that are currently installed on the stack units.
Note: If you receive the error message “Error: No space left on the device. Please remove backup
file.”, refer to “Deleting a Backup Image File” on page 1-5 before proceeding.
Deleting a Backup Image File
Since the stackable and standalone switches can store only two firmware images at a time, you
may have to delete a backup image, if one exists, before you can manually download a new
firmware image.
1.Use the dir command to display the contents of the images directory. For example:
2.Use the delete command to delete the firmware version that is not chosen as Active. For
example:
C5(su)->delete c5-series_06.42.06.0008
3.If desired, use the dir command again to confirm that the backup firmware image has been
removed.
4.Continue downloading the latest firmware image, as described in “Downloading New
Firmware” on page 1-3.
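The two-image Flash rule in “Downloading New Firmware” and “Deleting a Backup Image File” is easy to get wrong by hand (deleting the active image, or copying an older image than the one already running). The following Python helper is an added example, not code from the guide: it parses the image names the guide prints (c5-series_06.61.01.0031, c5-series_06.42.06.0008), decides whether an upgrade is needed, and names the non-active image to delete when Flash is full. The name layout <platform>-series_MM.mm.pp.bbbb is inferred from those two names and is an assumption for other platforms; the additional image names used below are constructed.

```python
"""Image-name helpers for the two-image Flash rule on Enterasys Fixed Switches.

Added example, not code from the guide.  The file-name layout
<platform>-series_MM.mm.pp.bbbb is inferred from the image names the guide
prints; treat IMAGE_RE as an assumption when adapting it to another platform.
"""
import re
from typing import Dict, List, Optional, Tuple

IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+-series)_(?P<ver>\d{2}\.\d{2}\.\d{2}\.\d{4})$")
FLASH_IMAGE_SLOTS = 2  # stackable/standalone units hold at most two images


def _match(name: str) -> "re.Match":
    m = IMAGE_RE.match(name)
    if not m:
        # Fail on a mistyped file name here, not after a reboot.
        raise ValueError(f"unrecognised image name: {name!r}")
    return m


def parse_version(name: str) -> Tuple[int, ...]:
    """'c5-series_06.61.01.0031' -> (6, 61, 1, 31)."""
    return tuple(int(p) for p in _match(name).group("ver").split("."))


def platform_of(name: str) -> str:
    """'c5-series_06.61.01.0031' -> 'c5-series'."""
    return _match(name).group("platform")


def needs_upgrade(running: str, downloaded: str) -> bool:
    """True when the downloaded image is strictly newer than the running one."""
    return parse_version(downloaded) > parse_version(running)


def plan_upgrade(images_on_flash: List[str], active: str,
                 downloaded: str) -> Dict[str, Optional[str]]:
    """Work out what must happen before the TFTP 'copy' can succeed.

    images_on_flash: names listed by 'dir' in the images directory
    active:          the image 'dir' marks as active/boot
    downloaded:      the image waiting in the TFTP upload/download directory
    Returns {'delete': image to remove first or None,
             'copy': image to copy or None, 'reason': short explanation}.
    """
    if active not in images_on_flash:
        raise ValueError("active image is not present in the images directory")
    if platform_of(downloaded) != platform_of(active):
        raise ValueError("downloaded image is for a different platform")
    if downloaded in images_on_flash:
        return {"delete": None, "copy": None, "reason": "already on flash"}
    if not needs_upgrade(active, downloaded):
        return {"delete": None, "copy": None, "reason": "running image is not older"}
    to_delete: Optional[str] = None
    if len(images_on_flash) >= FLASH_IMAGE_SLOTS:
        # Flash is full ("No space left on the device"): free a slot by
        # deleting the oldest image that is NOT the active one.
        backups = [i for i in images_on_flash if i != active]
        to_delete = min(backups, key=parse_version)
    return {"delete": to_delete, "copy": downloaded, "reason": "upgrade"}


if __name__ == "__main__":
    # Constructed scenario: two images on flash, newer image downloaded.
    print(plan_upgrade(["c5-series_06.42.06.0008", "c5-series_06.51.03.0012"],
                       active="c5-series_06.51.03.0012",
                       downloaded="c5-series_06.61.01.0031"))
```

The platform check matters on mixed stacks: the manager copies whatever image it receives to every member, so feeding it an image built for another series is caught before the copy rather than at the next reset.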
Additional Configuration Tasks
After loading the latest firmware and resetting the switch, you may wish to perform the following
configuration tasks before connecting the switch to your network or connecting devices to the
switch.
If the switch will be added to an existing stack, no further configuration is needed. Refer to
“Adding a New Unit to an Existing Stack” on page 2-3.
Setting User Accounts and Passwords
Enterasys switches are shipped with three default user accounts:
•A super-user access account with a username of admin and no password
•A read-write access account with a username of rw and no password
•A read-only access account with a username of ro and no password
Enterasys recommends that, for security purposes, you set up one or more unique user accounts
with passwords and disable the default login accounts.
1.Create a new super-user account. This example uses username “NewAdmin”:
C5(su)->set system login NewAdmin super-user enable
2.Set the password for the new super-user account. By default, passwords must be at least 8
characters in length. The interface does not echo the password characters as you enter them.
C5(su)->set password NewAdmin
Please enter new password:
Please re-enter new password:
Password Changed.
3.Verify the new super-user account with the show system login command.
C5(su)->show system login
Username Access State Aging Simul Local Login Access Allowed
Login Only? Start End Days
admin super-user enabled 0 0 no ***access always allowed***
ro read-only enabled 0 0 no ***access always allowed ***
rw read-write enabled 0 0 no ***access always allowed***
NewAdmin super-user enabled 0 0 no 00:00 24:00 sun mon tue
wed thu fri sat
4.Repeat steps 1 and 2 to create additional read-write and read-only user accounts as desired. To
create read-write or read-only accounts, use these commands:
set system login <user-name> read-write enable
set system login <user-name> read-only enable
Use the set password command to set passwords for the new accounts.
5.Disable the default login accounts.
C5(su)->set system login admin super-user disable
C5(su)->set system login rw read-write disable
C5(su)->set system login ro read-only disable
For more information about configuring user accounts and passwords, refer to Chapter 5, User
Account and Password Management.
Controlling In-band Access to the Switch
By default, SSH is disabled and Telnet is enabled. Because Telnet carries the login and the whole
session in cleartext, you may want to require that SSH be used for in-band access to the switch. In
addition, WebView, the Enterasys embedded web server for switch configuration, is enabled on
TCP port 80 (unencrypted HTTP) by default. You may want to disable this browser access also.
1.Enable SSH and show the current state.
C5(su)->set ssh enable
C5(su)->show ssh
SSH Server status: Enabled
2.Disable Telnet inbound while leaving Telnet outbound enabled, and show the current state.
C5(su)->set telnet disable inbound
C5(su)->show telnet
Telnet inbound is currently: DISABLED
Telnet outbound is currently: ENABLED
3.Disable WebView and show the current state.
C5(su)->set webview disable
C5(su)->show webview
WebView is Disabled.
4.Set the time (in minutes) an idle console, Telnet, or SSH CLI session will remain connected
before timing out. The default idle timeout is 5 minutes.
C5(su)->set logout 20
C5(su)->show logout
Logout currently set to: 20 minutes.
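A quick way to confirm that the steps in “Setting User Accounts and Passwords” and “Controlling In-band Access to the Switch” actually took effect is to capture the show commands above and check them mechanically, for instance before a switch leaves the staging bench. The following Python script is an added example, not code from the guide. SAMPLE_TRANSCRIPT is constructed from the output formats the guide prints; the “SSH Server status: Disabled” and “WebView is Enabled.” lines assume the same wording as the opposite states shown in the guide. The 30-minute idle-timeout ceiling is this example’s own choice.

```python
"""Audit a captured Fixed Switch CLI session for the first-boot hardening steps.

Added example (not code from the guide).  SAMPLE_TRANSCRIPT is constructed
from the show-command formats printed in the guide; the 'Disabled' SSH line
and 'Enabled' WebView line assume the same wording as the opposite states.
"""
import re
from typing import Dict, List

# The three factory accounts and their access levels, per the guide.
DEFAULT_ACCOUNTS = {"admin": "super-user", "rw": "read-write", "ro": "read-only"}
PROMPT_RE = re.compile(r"^C5\(\w+\)->show (.+)$")
MAX_IDLE_MINUTES = 30  # ceiling chosen for this example; the guide sets 20

SAMPLE_TRANSCRIPT = """\
C5(su)->show system login
Username Access State Aging Simul Local Login Access Allowed
Login Only? Start End Days
admin super-user enabled 0 0 no ***access always allowed***
ro read-only enabled 0 0 no ***access always allowed***
rw read-write enabled 0 0 no ***access always allowed***
NewAdmin super-user enabled 0 0 no 00:00 24:00 sun mon tue
wed thu fri sat
C5(su)->show ssh
SSH Server status: Disabled
C5(su)->show telnet
Telnet inbound is currently: ENABLED
Telnet outbound is currently: ENABLED
C5(su)->show webview
WebView is Enabled.
C5(su)->show logout
Logout currently set to: 5 minutes.
"""


def split_sections(transcript: str) -> Dict[str, List[str]]:
    """Map each 'show ...' command to the non-empty output lines after it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = PROMPT_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_logins(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Parse 'show system login' rows.  Header lines and wrapped day lists
    are skipped because a real row has enabled/disabled in column three."""
    accounts: Dict[str, Dict[str, str]] = {}
    for line in lines:
        tok = line.split()
        if len(tok) >= 3 and tok[2] in ("enabled", "disabled"):
            accounts[tok[0]] = {"access": tok[1], "state": tok[2]}
    return accounts


def audit(transcript: str) -> List[str]:
    """Return one finding per deviation from the hardening steps."""
    s = split_sections(transcript)
    findings: List[str] = []
    for cmd in ("system login", "ssh", "telnet", "webview", "logout"):
        if cmd not in s:
            findings.append(f"no output captured for 'show {cmd}'")

    accounts = parse_logins(s.get("system login", []))
    for name, access in DEFAULT_ACCOUNTS.items():
        if accounts.get(name, {}).get("state") == "enabled":
            findings.append(f"default {access} account '{name}' is still enabled")
    # Lock-out guard: only disable 'admin' once another super-user exists.
    if not any(a["access"] == "super-user" and a["state"] == "enabled"
               for n, a in accounts.items() if n not in DEFAULT_ACCOUNTS):
        findings.append("no non-default super-user; create one before disabling 'admin'")

    if not re.search(r"status:\s*Enabled\b", " ".join(s.get("ssh", []))):
        findings.append("SSH server is not enabled")
    if re.search(r"inbound is currently:\s*ENABLED", " ".join(s.get("telnet", []))):
        findings.append("Telnet inbound is enabled (cleartext management)")
    if not re.search(r"WebView is Disabled", " ".join(s.get("webview", []))):
        findings.append("WebView (HTTP on TCP port 80) is not disabled")
    m = re.search(r"set to:\s*(\d+)\s*minutes", " ".join(s.get("logout", [])))
    if m and int(m.group(1)) > MAX_IDLE_MINUTES:
        findings.append(f"idle timeout {m.group(1)} min exceeds {MAX_IDLE_MINUTES}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TRANSCRIPT):
        print("FINDING:", finding)
```

The lock-out guard is the check most worth keeping: step 5 above disables admin, and doing that before a replacement super-user exists leaves only the console-port recovery path.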
Changing SNMP Defaults
By default, SNMP Version 1 (SNMPv1) is configured on Enterasys switches. The default
configuration includes a single community name “public” which grants read-write access to the
whole MIB tree for both SNMPv1 and SNMPv2c.
For security reasons, you should plan to change the default SNMP settings to ones suitable for
your network: SNMPv1 and SNMPv2c authenticate only by community string, which travels in
cleartext, and “public” is a well-known default. Refer to Chapter 12, Configuring SNMP for
detailed information.
As a minimum step, Enterasys recommends that you remove the default community name
“public” from the switch’s configuration.
1.Remove the “public” community name.
C5(su)->clear snmp community public
2.Map a new community name to the security name of “public.”
C5(su)->set snmp community <new-community-name> securityname public
This step allows you to keep the public view group and group access, and therefore ensure
SNMP access to the switch, until you are ready to change all the default SNMP settings to
more appropriate values.
Saving the Configuration and Connecting Devices
When you enter CLI configuration commands, the configuration is saved to NVRAM on the
switch automatically at the following intervals:
•On a standalone unit, the configuration is checked every two minutes and saved if there has
been a change.
•On a stack, the configuration is saved across the stack every 5 minutes if there has been a
change.
To save a running configuration to NVRAM more often than the automatic intervals, execute the
save config command and wait for the system prompt to return. After the prompt returns, the
configuration will be persistent.
When you have completed your initial configuration:
1.Save the running configuration.
C5(su)->save config
Saving Configuration to stacking members
Configuration saved
C5(su)->
2.Optionally, save the configuration to a backup file named “myconfig” in the configs directory
and copy the file to your computer using TFTP. You can use this backup configuration file to
quickly restore the configuration if you need to replace the switch or change to a different
firmware version.
3.Connect the switch ports to the network or to user devices, following the instructions in the
Installation Guide for your switch.
Configuring a Stack of New Switches
For more information about configuring a stack of switches, refer to Chapter 2, Configuring
Switches in a Stack.
To set up multiple new stackable switches in a stack:
1.Before applying power to the switches, connect the stacking cables, as described in your
products’ Installation Guide.
2.Power on the switches one at a time, starting with the switch you want to be the manager
switch.
3.Connect to the console port of the manager unit, as described in “Before You Begin” on
page 1-1, and “Connecting to the Switch” on page 1-2 and log in to the CLI.
4.Check that the stacking process has completed as you expected it to, using the show switch
command.
5.If necessary, renumber the stack units, as described in Chapter 2, Configuring Switches in a
Stack.
6.Set the IP address of the stack as described in “Connecting to the Switch” on page 1-2.
7.Connect the network port on your computer to a front panel port on the manager unit with an
Ethernet cable (described in Connecting to the Switch) and use TFTP to download the
firmware to the manager unit, as described in “Downloading New Firmware” on page 1-3.
The manager unit copies the new firmware to the members of the stack automatically as part
of the download process.
8.Set the new firmware to be active and reboot the entire system with the set boot system
command. When the command asks if you want to reset the system now, reply y.
9.After the switches in the stack reboot, log back in and confirm that the new firmware has been
applied, using the show switch command.
10. Apply any advanced feature licenses, if required. Refer to “Licensing Advanced Features” on
page 4-8 for more information.
11. Refer to “Additional Configuration Tasks” on page 1-5.
Where to Go Next
For information about...                                  Refer to...
Configuring switches in a stack                           Chapter 2, Configuring Switches in a Stack
User accounts and passwords                               Chapter 5, User Account and Password Management
Setting up authentication                                 Chapter 10, Configuring User Authentication
Configuring system services, including licensing of       Chapter 4, System Configuration
advanced features, SNTP, DHCP, Telnet, SSH, MAC
address settings, and node aliases
How to use the command line interface                     Chapter 3, CLI Basics
Firmware and file management, including how to upgrade    Chapter 6, Firmware Image and File Management
the firmware, how to create and save configuration
backup files, and how to revert to a saved configuration
Configuring system power and PoE                          Chapter 7, Configuring System Power and PoE
Port configuration                                        Chapter 8, Port Configuration
Configuring VLANs                                         Chapter 9, Configuring VLANs
Configuring link aggregation                              Chapter 11, Configuring Link Aggregation
Configuring system logging                                Chapter 14, Configuring Syslog
Configuring spanning tree                                 Chapter 15, Configuring Spanning Tree
Configuring policy using the CLI                          Chapter 16, Configuring Policy
Configuring multicast protocols, including IGMP, DVMRP,   Chapter 19, Configuring Multicast Protocols
and PIM-SM
Enabling router configuration modes, configuring IPv4     Chapter 20, IP Configuration
addresses and static routes
Configuring RIP and IRDP                                  Chapter 21, IPv4 Basic Routing
Configuring OSPFv2 and VRRP                               Chapter 22, Configuring OSPFv2
                                                          Chapter 23, Configuring VRRP
Configuring access control lists (ACLs)                   Chapter 24, Configuring Access Control Lists
Managing IPv6 at the switch level, configuring IPv6       Chapter 25, Configuring and Managing IPv6
routing and Neighbor Discovery, and configuring DHCPv6
Configuring security features, including the security     Chapter 26, Configuring Security Features
mode of the switch, IPsec, RADIUS management
authentication, MAC locking, TACACS+, and service ACLs
Getting Help
For additional support, contact Enterasys Networks using one of the following methods:
World Wide Webwww.enterasys.com/support
Phone1-800-872-8440 (toll-free in U.S. and Canada)
or 1-978-684-1000
To find the Enterasys Networks Support toll-free number in your country:
www.enterasys.com/support
Emailsupport@enterasys.com
To expedite your message, type [switching] in the subject line.
Enterasys provides an extensive online Knowledge base that can be accessed from the corporate
Support page:
http://www.enterasys.com/support/
Downloading Firmware via the Serial Port
This procedure describes how to download switch firmware via the serial (console) port, instead
of using TFTP. This procedure assumes that you are using either HyperTerminal or TeraTerm
(which support XMODEM transfer) as your terminal emulation software and that you have
downloaded the latest firmware for the switch from the Enterasys web site to your computer, and
unzipped/uncompressed the firmware.
1.Connect your PC or laptop to the console port of the switch, as described above in “Before You
Begin” on page 1-1.
2.On your computer, start your terminal emulation program and set the serial session
parameters, including the following:
–Transmit speed or baud rate = 9600
–Data bits = 8
–Parity = None
–Stop bits = 1
–Mode = 7 bit control, if available
–Serial line to connect to = COM1 typically
3.Open the terminal emulation session, then power up the switch.
4.In the window of the terminal emulation session, you will see switch boot up output. A
message similar to the following displays.
Version 06.61.xx 12-09-2011
Computing MD5 Checksum of operational code...
Select an option. If no selection in 2 seconds then
operational code will start.
Within 2 seconds, type 2 to select “Start Boot Menu”. Use “administrator” for the Password.
This boot menu password is a fixed default, so anyone with a console connection can reach the
boot menu; keep physical access to the console port controlled.
When the XMODEM transfer finishes, the switch reports on the received image:
VPD - rel 6 ver 61 maint_lvl xx
Timestamp - Wed Jul 27 12:24:04 2011
File - c5-series_06.61.xx
Operational code update completed successfully.
Verifying Operational Code CRC..... CRC is OK.
12. Press ENTER so the switch will complete the file transfer operation, displaying a fresh
prompt.
[Boot Menu] 2
13. Type 2 to display the baud rate selection screen again.
14. Type 4 to set the switch baud rate to 9600. The following message displays:
Setting baud rate to 9600, you must change your terminal baud rate.
15. In your terminal emulation program, set the terminal baud rate to 9600.
–HyperTerminal: File > Properties > Configure > Bits per Second > Apply > OK > OK
–TeraTerm: Setup > Serial port > Baud rate > OK
16. Press ENTER so the switch will complete the baud rate change and display a fresh prompt.
[Boot Menu] 1
17. Type 1 to start the new operational code. A message similar to the following displays:
Operational Code Date: Tue Jun 29 08:34:05 2011
Uncompressing.....
18. After the switch comes back up, log in and confirm that the new image has been detected and
is now running. You can use either the “show boot system” command or the “dir” command.
C5(rw)->show boot system
Current system image to boot: c5-series_06.61.xx
C5(rw)->
2
Configuring Switches in a Stack
This chapter provides information about configuring Enterasys switches in a stack. For
information about upgrading firmware on a new stack, refer to “Configuring a Stack of New
Switches” on page 1-8.
For information about...                                   Refer to page...
About Switch Operation in a Stack                          2-1
Installing a New Stackable System of Up to Eight Units     2-2
Installing Previously-Configured Systems in a Stack        2-3
Adding a New Unit to an Existing Stack                     2-3
Removing Units from an Existing Stack                      2-4
Creating a Virtual Switch Configuration                    2-4
Considerations About Using “clear config” in a Stack       2-5
Configuring Standalone A4 Stack Ports                      2-6
About Switch Operation in a Stack
Enterasys stackable switches can be adapted and scaled to help meet your network needs. These
switches provide a management platform and uplink to a network backbone for a stacked group
of up to eight switches.
Once installed in a stack, the switches behave and perform as a single switch product. As such,
you can start with a single unit and add more units as your network expands. You can also mix
different products in the family in a single stack to provide a desired combination of port types
and functions to match the requirements of individual applications. In all cases, a stack of units
performs as one large product, and is managed as a single network entity.
Stack Initialization
When switches are installed and connected as described in your products’ Installation Guide, the
following occurs during initialization:
•The switch that will manage the stack is automatically established. This is known as the
manager switch. The manager switch organizes all the reachability information for bridging
and routing, including keeping the address tables in the stack units (including itself) coherent.
•All other switches are established as members in the stack. Each individual stack member
processes its own packets, rather than pushing them to the manager for processing.
•The hierarchy of the switches that will assume the function of backup manager is also
determined in case the current manager malfunctions, is powered down, or is disconnected
from the stack.
•The console port on the manager switch remains active for out-of-band (local) switch
management, but the console port on each member switch is deactivated. This enables you to
set the IP address and system password using a single console port. Each switch can be
configured locally using only the manager’s console port, or inband using the stack’s IP
address from a remote device.
Once a stack is created (more than one switch is interconnected), the following procedure occurs:
1.By default, unit IDs are arbitrarily assigned on a first-come, first-served basis.
2.Unit IDs are saved against each module. Then, every time a board is power-cycled, it will
initialize with the same unit ID. This is important for port-specific information (for example:
ge.4.12 is the 12th Gigabit Ethernet port on Unit # 4).
3.The management election process uses the following precedence to assign a management
switch:
a.Previously assigned / elected management unit
b.Management assigned priority (values 1-15)
c.Hardware preference level
d. Highest MAC Address
The management designation is written to the manager unit. Thereafter, every time the
manager is power-cycled, it will initialize with that role.
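The election precedence above (a through d) is what decides which unit’s configuration survives when stacks are merged or a manager fails, so it is worth being able to predict it. The following Python model is an added example, not code from the guide. The guide does not say which direction the comparisons run, so this model assumes that a higher priority value (1-15) wins, that a higher hardware preference level wins, and that MAC addresses are compared as 48-bit integers; all unit values are constructed.

```python
"""Model of the stack manager election precedence on Enterasys Fixed Switches.

Added example, not code from the guide.  Assumptions the guide does not
state: a higher priority value (1-15) beats a lower one, a higher hardware
preference level beats a lower one, and MACs are compared as 48-bit integers.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Unit:
    unit_id: int
    mac: str                    # e.g. "00:11:22:33:44:55"
    priority: int = 1           # management assigned priority, 1-15
    hw_pref: int = 0            # hardware preference level (assumed numeric)
    was_manager: bool = False   # previously assigned / elected management unit


def mac_to_int(mac: str) -> int:
    """Parse a colon-separated MAC into an integer so 'highest MAC address'
    is a numeric comparison rather than a string one."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC: {mac!r}")
    return int("".join(parts), 16)


def election_key(u: Unit) -> Tuple[bool, int, int, int]:
    """Sort key in the guide's precedence order:
    a) previous manager, b) assigned priority, c) hardware preference,
    d) highest MAC address."""
    if not 1 <= u.priority <= 15:
        raise ValueError(f"priority {u.priority} outside 1-15")
    return (u.was_manager, u.priority, u.hw_pref, mac_to_int(u.mac))


def elect_manager(units: List[Unit]) -> Unit:
    """The unit that wins the election among the units given."""
    if not units:
        raise ValueError("no units in stack")
    return max(units, key=election_key)


def failover_order(units: List[Unit]) -> List[int]:
    """Unit IDs in the order they would hold the manager role: the elected
    manager first, then the backup hierarchy fixed at initialization."""
    return [u.unit_id for u in sorted(units, key=election_key, reverse=True)]


def after_manager_loss(units: List[Unit]) -> Unit:
    """Manager failed or was removed: re-run the election without it."""
    mgr = elect_manager(units)
    return elect_manager([u for u in units if u is not mgr])


if __name__ == "__main__":
    # Constructed four-unit stack: one previous manager, one raised priority.
    stack = [Unit(1, "00:11:22:33:44:01"), Unit(2, "00:11:22:33:44:0a"),
             Unit(3, "00:11:22:33:44:02", priority=5),
             Unit(4, "00:11:22:33:44:03", was_manager=True)]
    print("manager:", elect_manager(stack).unit_id,
          "failover order:", failover_order(stack))
```

Because criterion (a) outranks the configured priority, a unit that was previously a manager elsewhere keeps winning even after you set a higher priority on another unit; the guide’s advice to clear “unassigned” units and reset after choosing the manager follows from that.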
Configuration Management
When switches are stacked, the only file structure and configuration information that is viewable
or configurable is that of the manager unit, which pushes its configuration to the member units
every 5 minutes if there has been a change. To avoid possible configuration loss in the event of
manager unit failure after a configuration change, execute the save config command and wait for
the system prompt to return. After the prompt returns, the configuration will be persistent.
Installing a New Stackable System of Up to Eight Units
Use the following procedure for installing a new stack of up to eight units out of the box.
Note: The following procedure assumes that all units have a clean configuration from
manufacturing, all units are running the same primary and backup firmware image versions, and all
units are in the same licensing state.
1.Before applying power, make all physical connections with the stack cables as described in
your product’s Installation Guide.
2.Once all of the stack cables have been connected, individually power on each unit, starting
with the switch you want to be the manager switch.
Ensure that each switch is fully operational before applying power to the next switch. Since
unit IDs are assigned on a first-come, first-served basis, this will ensure that unit IDs are
ordered sequentially.
3.Establish a CLI session on the manager unit and use the show switch command to display
stacking information.
4.(Optional) If desired, change the management unit using the set switch movemanagement
command, and/or change the unit numbering with the set switch member command.
5.Once the desired manager unit has been selected, reset the system using the reset command.
6.After the stack has been configured, you can use the show switchunit command to physically
identify each unit. When you enter the command with a unit number, the MGR LED of the
specified switch will blink for 10 seconds. The normal state of this LED is off for member units
and steady green for the manager unit.
Installing Previously-Configured Systems in a Stack
If member units in a stack have been previous members of a different stack, you may need to
configure the renumbering of the stack. All units must be running the same primary and backup
firmware images.
1.Power down the switches in the existing stack.
2.Stack the units in the method desired, and connect the stack cables.
3.Power up only the unit you wish to be manager.
4.Once the management unit is powered up, log into the CLI, and use the show switch
command to display stacking information.
5.Clear any switches which are listed as “unassigned” using the clear switch member
command.
6.Power up the member of the stack you wish to become unit 2. Once the second unit is fully
powered, the COM session of the CLI will state that a new CPU was added.
7.Use the show switch command to redisplay stacking information.
a.If the new member displays as unit 2, you can proceed to repeat this step with the next
unit.
b. If the new member displays a different unit number, you must:
(1) Renumber the stack using the set switch renumber command, then
(2) Clear the original unit number using the clear switch member command.
Avoid directly reassigning a different unit number to the stack manager, or by design, the
stack configuration will revert to defaults.
8.Repeat Step 7 until all members have been renumbered in the order you desire.
9.After the stack has been reconfigured, you can use the show switchunit command to
physically confirm the identity of each unit. When you enter the command with a unit
number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of
this LED is off for member units and steady green for the manager unit.
Adding a New Unit to an Existing Stack
Use the following procedure for installing a new unit into an existing stack configuration. This
procedure assumes that the new unit being added has a clean configuration from manufacturing
and is running the same primary and backup firmware image versions as other units in the stack.
1.Ensure that power is off on the new unit being installed.
2.Use one of the following methods to complete stack cable connections:
–If the running stack uses a daisy chain topology, make the stack cable connections from
the bottom of the stack to the new unit (that is, STACK DOWN port from the bottom unit
of the running stack to the STACK UP port on the new unit).
–If the running stack uses a ring stack topology, break the ring and make the stack cable
connections to the new unit to close the ring.
3.Apply power to the new unit.
4.Log into the CLI through the management unit and use the show switch command to display
stacking information.
5.If the stacking setup does not appear to be correct, use the commands described in the
previous procedure to readjust the configuration.
Insertion of new units into a stack is handled dynamically. Normally, the integration is a fairly
rapid process. However, be aware that integration is a background task. If the stack is extremely
busy handling user traffic, integrating the new unit into the stack could take a long time (possibly
hours).
Removing Units from an Existing Stack
Use the following procedure to remove one or more units from an existing stack.
1.Use the save config command to ensure that all units have full configuration knowledge.
2.Remove the stacking cables associated with the switches you want to remove.
a.Operation of the sub-stack that retains the previous manager unit will be disrupted for 2
to 3 seconds.
b. Operation of any sub-stacks that now lack a manager unit will be disrupted for 30 to 40
seconds while a new manager unit is elected and comes online.
c.In all cases, units will retain their unit numbers.
3.You can power down one or more units either before or after removing stacking cables.
Disruption times will be as described in Stack Disruption Times below.
4.After removal of stack units, you can optionally use the clear switch member command to
remove any “Unassigned” units.
Stack Disruption Times
Upon manager unit failure, removal, or reassignment (with the set switch movemanagement
command), the operation of the stack, including the Ethernet link state of all ports, will be
interrupted for about 30 to 40 seconds.
Upon member unit failure or removal, the operation of the stack will be interrupted for about 2 to
3 seconds.
Note: Stacking cables are hot-swappable. In most cases, it is not necessary to power down stacked
units before attaching or detaching cables.
Creating a Virtual Switch Configuration
You can create a configuration for a stackable switch before adding the actual physical device to a
stack. This preconfiguration feature includes configuring protocols on the ports of the “virtual
switch.”
To create a virtual switch configuration in a stack environment:
1.Display the types of switches supported in the stack, using the show switch switchtype
command.
2.Using the output of the show switch switchtype command, determine the switch index (SID)
of the model of switch being configured.
3.Add the virtual switch to the stack using the set switch member command. Use the SID of the
switch model, determined in the previous step, and the unit ID that you want to assign to this
switch member.
4.Proceed to configure the ports of the virtual switch as you would do for physically present
devices.
Example
The following example adds a virtual switch configuration to a stack of C5 switches. The switch
type being added is a C5G124-24 (SID 1), and it is being added as member unit 4. Port number 1 of
the virtual switch (ge.4.1) is then configured in the same way that a physically present port would
be configured.
C5(su)->show switch switchtype
Mgmt Code
SID Switch Model ID Pref Version
C5(su)->set switch member 4 1
C5(su)->set vlan create 555
C5(su)->set port vlan ge.4.1 555 modify-egress
C5(su)->show port vlan ge.4.1
ge.4.1 is set to 555
Note: If you preconfigure a virtual switch and then add a physical switch of a different type to the
stack as that unit number, any configured functionality that cannot be supported on the physical
switch will cause a configuration mismatch status for that device and the ports of the new device will
join detached. You must clear the mismatch before the new device will properly join the stack.
Considerations About Using “clear config” in a Stack
When using the clear config command to clear configuration parameters in a stack, it is important
to remember the following:
•Use clear config to clear configuration parameters without clearing stack unit IDs. This
command WILL NOT clear stack parameters or the IP address and avoids the process of
renumbering the stack.
•Use clear config all when it is necessary to clear all configuration parameters, including stack
unit IDs and switch priority values. This command will not clear the IP address nor will it
remove an applied advanced feature license.
•Use clear ip address to remove the IP address of the stack.
•Use clear license to remove an applied license from a switch.
Because neither form of clear config removes the IP address, a switch cleared for redeployment is
still reachable at its old address (and with the default blank passwords) until you run clear ip
address or assign a new one.
Configuration parameters and stacking information can also be cleared on the master unit only
by selecting the “restore configuration to factory defaults” option from the boot menu on switch
startup. This selection will leave stacking priorities on all other units.
Configuring Standalone A4 Stack Ports
It is possible on a standalone A4 switch to configure the two stack ports as standard gigabit
Ethernet ports with the set switch stack-port command. By default, the two front panel uplink
ports are in stack mode. Changing the mode causes the switch to reset.
This command should be used only on standalone (non-stacked) A4 switches. Do not stack A4
switches with uplink ports that are in Ethernet mode.
To change front panel uplink ports to Ethernet mode:
A4(su)->set switch stack-port ethernet
This command will reset the entire system.
Do you want to continue (y/n) [n]
When Uplink Ports are Configured as Ethernet Ports
When using the clear config command to clear configuration parameters on a standalone A4
switch with the uplink ports configured as standard Ethernet ports, it is important to remember
the following:
•The clear config command WILL NOT set the front panel uplink ports back to stack ports.
•The clear config all command WILL set the front panel uplink ports back to stack ports.
Chapter 3, CLI Basics
This chapter provides information about CLI conventions for stackable and standalone switches
and CLI properties that you can configure.
Switch Management Methods
The Enterasys fixed switches can be managed using the following methods:
•Locally using a VT type terminal or computer running a terminal emulation program
connected to the switch’s console port. See Chapter 1, Setting Up a Switch for the First Time
for information about setting up this type of connection.
•Remotely using a VT type terminal or computer running a terminal emulation program
connected through a modem. Refer to the Installation Guide for your product for information
about setting up this type of connection.
•Remotely using an SNMP management station.
•In-band through a Telnet or SSH connection.
•In-band using the Enterasys NetSight® management application.
•Remotely using WebView™, Enterasys Networks’ embedded web server application.
When you connect to the console port or connect through a Telnet connection, you use the
Command Line Interface (CLI) to manage the switch.
Using the Command Line Interface
This section describes how to start a CLI session, how to log in, and how to navigate the CLI.
Starting a CLI Session
There are two ways to start a CLI session — an out-of-band connection through the console port or
an in-band connection using Telnet or SSH.
Connecting Using the Console Port
Connect a terminal to the local console port as described in “Connecting to the Switch” on
page 1-2. When the boot up output is complete, the system prints a Username prompt. You can
now log in to the Command Line Interface (CLI) by
•using a default user account, as described in “Using a Default User Account” on page 3-3, or
•using an administratively-assigned user account as described in “Using an Administratively
Configured User Account” on page 3-3.
Connecting Using Telnet or SSH
Once the switch has a valid IP address, you can establish a Telnet or SSH session from any TCP/IP
based node on the network. For information about setting the switch’s IP address, refer to the set ip address command in the CLI Reference for your product.
To establish a Telnet or SSH session:
1.Telnet or SSH to the switch’s IP address.
2.Enter login (user name) and password information in one of the following ways:
–If the switch’s default login and password settings have not been changed, follow the
steps listed in “Using a Default User Account” on page 3-3, or
–Enter an administratively-configured user name and password.
3.The startup screen, Figure 3-1, will display on the terminal. The notice of authorization and
the prompt displays as shown in Figure 3-1.
Figure 3-1 CLI Startup Screen
Username:admin
Password:
Enterasys C5
Command Line Interface
Enterasys Networks, Inc.
50 Minuteman Rd.
Andover, MA 01810-1008 U.S.A.
Chassis Serial Number: 041800249041
Chassis Firmware Revision: x.xx.xx
C5(su)->
Note: By default on the fixed switches, Telnet is enabled and SSH is disabled. Telnet carries the
user name and password in cleartext, so enable SSH and disable Telnet before managing the switch
in-band. Refer to “Controlling In-band Access to the Switch” on page 1-6 for information about
enabling SSH.
Logging In
By default, the switch is configured with three user login accounts—ro for Read-Only access, rw
for Read-Write access, and admin for super-user access to all modifiable parameters. The default
password for all three accounts is a blank string, so anyone who can reach the console port, or the
Telnet or SSH port once an IP address is assigned, can log in as admin until the passwords are
changed. Set passwords for all three accounts before giving the switch an IP address. For
information on changing these default settings, refer to Chapter 5, User Account and Password
Management.
Using a Default User Account
If this is the first time you are logging in to the switch, or if the default user accounts have not been
administratively changed, proceed as follows:
1.At the login prompt, enter one of the following default user names:
–ro for Read-Only access.
–rw for Read-Write access.
–admin for Super User access.
2.Press ENTER. The Password prompt displays.
3.Leave this string blank and press ENTER. The switch information and prompt displays as
shown in Figure 3-1.
Using an Administratively Configured User Account
If the switch’s default user account settings have been changed, proceed as follows:
1.At the login prompt, enter your administratively-assigned user name and press ENTER.
2.At the Password prompt, enter your password and press ENTER.
The notice of authorization and the prompt displays as shown in Figure 3-1 on page 3-2.
Clearing and Closing the CLI
Use the cls command to clear the session screen.
Use the exit command to leave a CLI session. This command is also used to move to a lower router
mode.
Navigating the Command Line Interface
Getting Help with CLI Syntax
The switch allows you to display usage and syntax information for individual commands by
typing help or ? after the command.
CLI Command Defaults Descriptions
Each command description in the CLI Reference Guide for your product includes a section
entitled “Defaults” which contains different information from the factory default settings on the
switch described in Chapter 4, System Configuration. The section defines CLI behavior if the user
enters a command without typing optional parameters (indicated by square brackets [ ]). For
commands without optional parameters, the defaults section lists “None”. For commands with
optional parameters, this section describes how the CLI responds if the user opts to enter only the
keywords of the command syntax. Figure 3-2 provides an example.
Note: Users with read-write and read-only access can use the set password command (page 4-9)
to change their own account passwords. Administrators with Super User (su) access can use the
set system login command (page 4-6) to create and change user accounts, and the set password
command to change any local account password.
Figure 3-2 Sample CLI Defaults Description
Syntax
show port status [port-string]
Defaults
If port-string is not specified, status information for all ports will be displayed.
CLI Command Modes
Each command description in this guide includes a section entitled “Mode” which states whether
the command is executable in Admin (Super User), Read-Write, or Read-Only mode. Users with
Read-Only access will only be permitted to view Read-Only (show) commands. Users with
Read-Write access will be able to modify all modifiable parameters in set and show commands, as well
as view Read-Only commands. Administrators or Super Users will be allowed all Read-Write and
Read-Only privileges, and will be able to modify local user accounts. The A4 switch indicates
which mode a user is logged in as by displaying one of the following prompts:
•Admin: A4(su)->
•Read-Write: A4(rw)->
•Read-Only: A4(ro)->
Performing Keyword Lookups
Entering a space and a question mark (?) after a keyword will display all commands beginning
with the keyword. Figure 3-3 shows how to perform a keyword lookup for the show snmp
command. In this case, four additional keywords are used by the show snmp command. Entering
a space and a question mark (?) after any of these parameters (such as show snmp community)
will display additional parameters nested within the syntax.
Figure 3-3 Performing a Keyword Lookup
A4(su)->show snmp ?
community SNMP v1/v2c community name configuration
notify SNMP notify configuration
targetaddr SNMP target address configuration
targetparams SNMP target parameters configuration
Entering a question mark (?) without a space after a partial keyword will display a list of
commands that begin with the partial keyword. Figure 3-4 shows how to use this function for all
commands beginning with co:
Figure 3-4 Performing a Partial Keyword Lookup
A4(rw)->co?
configure copy
A4(su)->co
Note: At the end of the lookup display, the system will repeat the command you entered without the
question mark (?), so that you can continue typing the command.
Displaying Scrolling Screens
If the CLI screen length has been set using the set length command, CLI output requiring more
than one screen will display --More-- to indicate continuing screens. To display additional
screen output:
•Press any key other than ENTER to advance the output one screen at a time.
•Press ENTER to advance the output one line at a time.
The example in Figure 3-5 shows how the show mac command indicates that output continues on
more than one screen.
Figure 3-5 Scrolling Screen Output
Abbreviating and Completing Commands
The switch allows you to abbreviate CLI commands and keywords down to the number of
characters that will allow for a unique abbreviation. Figure 3-6 shows how to abbreviate the show
netstat command to sh net.
Figure 3-6 Abbreviating a Command
The CLI supports Emacs-like line editing commands. Table 3-1 lists some commonly used
commands.
Table 3-1 Basic Line Editing Commands
Key Sequence       Command
Ctrl+A             Move cursor to beginning of line.
Ctrl+B             Move cursor back one character.
Ctrl+D             Delete a character.
Ctrl+E             Move cursor to end of line.
Ctrl+F             Move cursor forward one character.
Ctrl+H             Delete character to left of cursor.
Ctrl+I or TAB      Complete word.
Ctrl+K             Delete all characters after cursor.
Ctrl+N             Scroll to next command in command history (use the CLI history command to
                   display the history).
Ctrl+P             Scroll to previous command in command history.
Ctrl+Q             Resume the CLI process.
Ctrl+S             Pause the CLI process (for scrolling).
Ctrl+T             Transpose characters.
Ctrl+U or Ctrl+X   Delete all characters before cursor.
Ctrl+W             Delete word to the left of cursor.
Ctrl+Y             Restore the most recently deleted item.
Configuring CLI Properties
CLI properties are options that you can configure and customize in the CLI, such as the command
prompt, command completion, banner messages, and session idle timeout.
Table 3-2 lists CLI properties configuration commands.
Table 3-2 CLI Properties Configuration Commands
Task                                                            Command
Modify the command prompt.                                      set prompt prompt-string
Set the banner message for pre- and post-session login.         set banner {login message | motd message}
Clear the banner message displayed at pre- and post-session     clear banner {login | motd}
login to a blank string.
Set the number of columns for the terminal connected to the     set width
device’s console port.
Set the number of lines the CLI will display before pausing     set length
with a “--More--” prompt.
Chapter 4, System Configuration
Factory Default Settings
Table 4-1 Default Settings for Basic Switch Operation
Feature: Default Setting
Switch Mode Defaults
CDP discovery protocol: Auto enabled on all ports.
CDP authentication code: Set to 00-00-00-00-00-00-00-00
CDP hold time: Set to 180 seconds.
CDP interval: Transmit frequency of CDP messages set to 60 seconds.
Cisco discovery protocol: Auto enabled on all ports.
Cisco DP hold time: Set to 180 seconds.
Cisco DP interval timer: Set to 60 seconds.
Community name: Public.
GARP timer: Join timer set to 20 centiseconds; leave timer set to 60 centiseconds; leaveall
GVRP: Globally enabled. Disabled per port.
History buffer size: 20 lines.
IEEE 802.1 authentication: Disabled.
IGMP snooping: Disabled. When enabled, query interval is set to 260 seconds and response
IP mask and gateway: Subnet mask set to 0.0.0.0; default gateway set to 0.0.0.0.
IP routes: No static routes configured.
Jumbo frame support: Enabled on all ports. (Not supported on I-Series switches.)
Link aggregation control protocol (LACP): Globally enabled. Disabled per port on B5 and C5
switches. Enabled per port on A4, B3, C3, G-Series, and I-Series switches.
Link aggregation admin key: Set to 32768 for all ports.
Link aggregation flow regeneration: Disabled.
Link aggregation system priority: Set to 32768 for all ports.
Link aggregation outport algorithm: Set to DIP-SIP.
Lockout: Set to disable Read-Write and Read-Only users, and to lock out the default admin
(Super User) account for 15 minutes, after 3 failed login attempts.
Logging: Syslog port set to UDP port number 514. Logging severity level set to 6 (significant
conditions) for all applications.
MAC aging time: Set to 300 seconds.
MAC locking: Disabled (globally and on all ports).
Passwords: Set to an empty string for all default user accounts. User must press ENTER at the
password prompt to access CLI.
Password aging: Disabled.
Password history: No passwords are checked for duplication.
Policy classification: Classification rules are automatically enabled when created.
Port auto-negotiation: Enabled on all ports.
Port advertised ability: Maximum ability advertised on all ports.
Port broadcast suppression: Enabled and set to limit broadcast packets to 14,881 per second on
all switch ports.
Port duplex mode: Set to half duplex, except for 100BASE-FX and 1000BASE-X, which is set to
full duplex.
Port enable/disable: Enabled.
Port priority: Set to 0.
Port speed: Set to 10 Mbps, except for 1000BASE-X, which is set to 1000 Mbps, and
100BASE-FX, which is set to 100 Mbps.
Port trap: All ports are enabled to send link traps.
Power over Ethernet port admin state: Administrative state is on (auto). Supported only on
switches with PoE.
Priority classification: Classification rules are automatically enabled when created.
RADIUS client: Disabled.
RADIUS retries: When the client is enabled, set to 3.
RADIUS timeout: When the client is enabled, set to 20 seconds.
Rate limiting: Disabled globally and on all ports. (Available only on A4 switches.)
Security mode: Normal.
SNMP: Enabled.
SNTP: Disabled.
Spanning Tree: Globally enabled and enabled on all ports.
Spanning Tree edge port administrative status: Edge port administrative status begins with the
value set to false initially after the device is powered up. If a Spanning Tree BPDU is not received
on the port within a few seconds, the status setting changes to true.
Spanning Tree edge port delay: Enabled.
Spanning Tree forward delay: Set to 15 seconds.
Spanning Tree hello interval: Set to 2 seconds.
Spanning Tree ID (SID): Set to 0.
Spanning Tree maximum aging time: Set to 20 seconds.
Spanning Tree port priority: All ports with bridge priority are set to 128 (medium priority).
Spanning Tree priority: Bridge priority is set to 32768.
Spanning Tree topology change trap suppression: Enabled.
Spanning Tree version: Set to mstp (Multiple Spanning Tree Protocol).
SSH: Disabled.
System baud rate: Set to 9600 baud.
System contact: Set to empty string.
System location: Set to empty string.
System name: Set to empty string.
Telnet: Enabled inbound and outbound.
Telnet port (IP): Set to port number 23.
Terminal: CLI display set to 80 columns and 24 rows.
Timeout: Set to 5 minutes.
User names: Login accounts set to ro for Read-Only access; rw for Read-Write access; and
admin for Super User access.
VLAN dynamic egress: Disabled on all VLANs.
VLAN ID: All ports use a VLAN identifier of 1.
Host VLAN: Default host VLAN is 1.
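Two rows of Table 4-1 matter most to an attacker on the management network: SNMP is enabled by default and the community name is "public", and an SNMPv1/v2c community string is sent in cleartext in every request. The following added example (not code from the Enterasys guide) is a standard-library-only SNMPv2c GetRequest encoder and GetResponse decoder you can point at a switch after commissioning to confirm the default community no longer works. It assumes the agent listens on UDP/161 and that sysDescr.0 (1.3.6.1.2.1.1.1.0) is readable, which holds for any standard SNMP agent; the `build_get_response` helper and the sample value exist only so the parser can be exercised offline.

```python
"""Check whether a switch still answers SNMP with the factory "public"
community.  Added example, not from the Enterasys guide: a minimal
SNMPv2c GetRequest encoder and GetResponse decoder using only the
standard library.  Assumes the agent listens on UDP/161.
"""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def _ber(tag, body):
    """Encode one BER TLV, using long-form length when body > 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(v):
    """BER INTEGER (two's complement, minimal length)."""
    return _ber(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted):
    """BER OBJECT IDENTIFIER with base-128 sub-identifier encoding."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return _ber(0x06, bytes(out))


def build_get_request(community, oid=SYS_DESCR, request_id=1):
    """SNMPv2c GetRequest for one OID; the community travels in cleartext."""
    varbind = _ber(0x30, _oid(oid) + b"\x05\x00")              # OID, NULL
    pdu = _ber(0xA0, _int(request_id) + _int(0) + _int(0) + _ber(0x30, varbind))
    return _ber(0x30, _int(1) + _ber(0x04, community.encode()) + pdu)


def build_get_response(community, oid, value, request_id=1):
    """GetResponse carrying an OCTET STRING; used here to exercise the parser."""
    varbind = _ber(0x30, _oid(oid) + _ber(0x04, value))
    pdu = _ber(0xA2, _int(request_id) + _int(0) + _int(0) + _ber(0x30, varbind))
    return _ber(0x30, _int(1) + _ber(0x04, community.encode()) + pdu)


def _tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(packet):
    """Decode a GetResponse into request_id, error_status, community, value."""
    tag, msg, _ = _tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _tlv(msg)
    _, community, pos = _tlv(msg, pos)
    tag, pdu, _ = _tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _tlv(pdu)
    _, err, pos = _tlv(pdu, pos)
    _, _idx, pos = _tlv(pdu, pos)
    _, vblist, _ = _tlv(pdu, pos)
    _, vb, _ = _tlv(vblist)
    _, _oid_bytes, pos = _tlv(vb)
    _vtag, value, _ = _tlv(vb, pos)
    return {"request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "community": community.decode(errors="replace"),
            "value": value}


def probe(host, community="public", timeout=2.0):
    """Return sysDescr if the agent accepts the community, else None.
    Agents silently drop requests with a wrong community, so a timeout
    is the normal "not accepted" result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    resp = parse_get_response(data)
    return resp["value"].decode(errors="replace") if resp["error_status"] == 0 else None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # documentation address
    descr = probe(target)
    if descr is None:
        print(f"{target}: no answer to community 'public' (good, or host unreachable)")
    else:
        print(f"{target}: default community still accepted, sysDescr = {descr!r}")
```

A reply is a finding: change the community (see “Configuring SNMP” in Table 4-3) or restrict SNMP to the management VLAN. A timeout is not proof the community was changed, since a filtered port times out the same way; check from a host that can reach the switch's management address.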
Not all of the following routing features are available on all platforms. Some routing protocols
require a separate license to become operable. Check the Release Notes for your specific platforms
for details.
Table 4-2 Default Settings for Router Operation
Feature: Default Setting
Access groups (IP security): None configured.
Access control lists: None configured.
Area authentication (OSPF): Disabled.
Area default cost (OSPF): Set to 1.
Area NSSA (OSPF): None configured.
Area range (OSPF): None configured.
ARP table: No permanent entries configured.
ARP timeout: Set to 14,400 seconds.
Authentication key (RIP and OSPF): None configured.
Authentication mode (RIP and OSPF): None configured.
Dead interval (OSPF): Set to 40 seconds.
Disable triggered updates (RIP): Triggered updates allowed.
Distribute list (RIP): No filters applied.
DVMRP: Disabled. Metric set to 1.
Hello interval (OSPF): Set to 10 seconds for broadcast and point-to-point networks. Set to 30
seconds for non-broadcast networks.
ICMP: Enabled for echo-reply and mask-reply modes.
IP-directed broadcasts: Disabled.
IP forward-protocol: Enabled with no port specified.
IP interfaces: Disabled with no IP addresses specified.
IRDP: Disabled on all interfaces. When enabled, maximum advertisement interval is set to 600
seconds, minimum advertisement interval is set to 450 seconds, holdtime is set to 1800 seconds,
and address preference is set to 0.
MD5 authentication (OSPF): Disabled with no password set.
MTU size: Set to 1500 bytes on all interfaces.
OSPF: Disabled.
OSPF cost: Set to 10 for all interfaces.
OSPF network: None configured.
OSPF priority: Set to 1.
Passive interfaces (RIP): None configured.
Proxy ARP: Enabled on all interfaces.
Receive interfaces (RIP): Enabled on all interfaces.
Retransmit delay (OSPF): Set to 1 second.
Retransmit interval (OSPF): Set to 5 seconds.
RIP receive version: Set to accept both version 1 and version 2.
RIP send version: Set to version 1.
RIP offset: No value applied.
SNMP: Enabled.
Split horizon: Enabled for RIP packets without poison reverse.
Stub area (OSPF): None configured.
Timers (OSPF): SPF delay set to 5 seconds. SPF holdtime set to 10 seconds.
Transmit delay (OSPF): Set to 1 second.
VRRP: Disabled.
Note that RIP and OSPF run with no authentication key or mode configured by default, and RIP
receives on all interfaces. Configure authentication before enabling either protocol on a segment
that untrusted hosts can reach, or a host on that segment can inject routes.
Initial Configuration Overview
To configure your stackable or standalone switch for the first time, see Chapter 1, Setting Up a
Switch for the First Time. That chapter includes information about how to directly connect to the
switch via the console port and an Ethernet cable to set the switch’s IP address and to download
the latest firmware. The procedures in this chapter assume an in-band connection over the
network to the switch using Telnet or SSH to establish a CLI session on the switch.
Procedure 4-1 contains the steps to assign an IP address and configure basic system parameters.
Some of these steps are also covered in Chapter 1, Setting Up a Switch for the First Time. For
information on the command syntax and parameters, refer to the online help or the CLI Reference
for your platform.
Note: When configuring any string or name parameter input for any command, do not use any
letters with diacritical marks (an ancillary glyph added to a letter). Diacritical marked letters are not
supported by SNMP.
Procedure 4-1 Initial Setup
Step 1. Log in as an administrator.
    At the login prompt, enter admin. Press Enter for the password (no password string by default).
Step 2. For security, change the password. Do this before Step 8 assigns an IP address, so the
switch never becomes reachable in-band with the blank default password.
    set password
Step 3. Optionally, check the version of the firmware image, then check the Enterasys Networks
web site to verify that you have the latest version.
    show version
Step 4. Optionally, define a name for the system, the location of the system, and contact
information for system issues.
    set system name [string]
    set system location [string]
    set system contact [string]
Step 5. Optionally, define a pre- or post-login message to be displayed.
    set banner {motd | login} message
Step 6. Optionally, change the default prompt.
    set prompt “prompt_string”
Step 7. Display the system’s setting for the date and time. If necessary, change the setting.
    show time
    set time [mm/dd/yyyy] [hh:mm:ss]
    NOTE: Instead of manually setting the time, you can configure the system as an SNTP client, as
    described in “SNTP Overview” on page 7-10.
Step 8. Assign a switch IP address.
    set ip address
Step 9. If desired, configure additional user accounts and passwords. Up to 32 user accounts may
be registered with the local database.
    set system login username
    set
Advanced Configuration Overview
The switch can be configured to provide various system services, Layer 2 switching, Layer 3
routing, and security. Table 4-3 provides an overview of configuring the switch for each area.
Note: Though it is possible to configure policy by using the CLI, Enterasys Networks recommends
that you use NetSight instead.
Table 4-3 Advanced Configuration
Task (where to find the configuration information)
System Services
•Configure the Simple Network Time Protocol (SNTP) client. See “SNTP Configuration” on
page 4-11.
•Configure the Telnet client and server. (Telnet client is enabled by default.) See “Telnet
Overview” on page 4-23. Note: For security, you may wish to disable Telnet and only use SSH.
•Configure the Secure Shell V2 (SSHv2) client and server. See “SSH Overview” on page 4-24.
•Configure the Dynamic Host Configuration Protocol (DHCP) server. See “DHCP Configuration”
on page 4-16.
•Configure the port parameters, such as speed and duplex mode. See “Port Configuration
Overview” on page 8-1.
•Enable SNMP and create a community string. See “Configuring SNMP” on page 12-7.
•Configure RMON to provide comprehensive network fault diagnosis, planning, and performance
tuning information, and allow for interoperability between SNMP management stations and
monitoring agents. See Chapter 18, Configuring Network Monitoring.
•Change the interactive login authentication method, from local to remote (RADIUS
authentication). See “User Authentication Overview” on page 10-1.
•If RADIUS authentication is configured, configure the remote RADIUS servers to be used by the
RADIUS client on the switch. See “Configuring RADIUS” on page 10-21.
Layer 2 Switching
•Set port configurations and port-based Virtual Local Area Networks (VLANs). VLANs can be
created statically or dynamically. See Chapter 9, Configuring VLANs.
•Configure ports to prioritize traffic based on Class of Service. See “Port Priority and Transmit
Queue Configuration” on page 17-15.
•Configure Spanning Trees using STP, RSTP, or MSTP. See Chapter 15, Configuring Spanning Tree.
•Configure LLDP or CDP. See Chapter 13, Configuring Neighbor Discovery.
Layer 3 Routing
•Configure the router id. Refer to the router id command in your platform’s CLI Reference.
•Configure interfaces for IP routing. See “Routing Interfaces” on page 20-3.
•Configure the ARP table. See “The ARP Table” on page 20-6.
•Configure UDP broadcast forwarding, including DHCP/BOOTP relay agent. See “IP Broadcast
Settings” on page 20-7.
•Configure static routes. See “IP Static Routes” on page 20-4.
•Configure ICMP Router Discovery Protocol (IRDP). See “Configuring IRDP” on page 21-5.
•Configure RIP. See “Configuring RIP” on page 21-1.
•Configure OSPFv2. See Chapter 22, Configuring OSPFv2.
•Configure multicast protocols IGMP, DVMRP, and PIM, and general multicast parameters. See
Chapter 19, Configuring Multicast.
•Configure VRRP. See Chapter 23, Configuring VRRP.
•Configure IPv6. See Chapter 25, Configuring and Managing IPv6.
Security and General Management
•Configure Access Control Lists (ACLs). See Chapter 24, Configuring Access Control Lists.
•Manage user accounts and passwords. See Chapter 5, User Account and Password Management.
•Configure system logging. See Chapter 14, Configuring Syslog.
•Configure the switch using text files. See “Managing Switch Configuration and Files” on
page 6-4.
•Upgrade system firmware. See “Managing the Firmware Image” on page 6-1.
•Configure QoS features. See Chapter 17, Configuring Quality of Service.
•Configure policy. See Chapter 16, Configuring Policy.
Licensing Advanced Features
In order to enable certain advanced features on some of the Fixed Switching platforms, you must
purchase and activate a license key. If you have purchased a license, follow the instructions on the
Licensed Product Entitlement ID sheet to obtain the license activation key from the Enterasys
customer site.
If you wish to obtain a license, contact the Enterasys Networks Sales Department.
This section describes how to apply advanced feature licenses to Fixed Switching platforms.
License Implementation Differences
Licensing is implemented differently on the C5 platform from the previous implementation that is
used on the C3, B3, and G3 platforms.
Node-Locked Licensing
On the C3, B3, and G3 platforms, licenses are locked to the serial number of the switch to which
the license applies. Therefore, you must know the serial number of the switch to be licensed when
you activate the license on the Enterasys customer site, and also when you apply the license to the
switch as described below. Each switch to be licensed must have its own license and key and all
members of a stack must be licensed in order to support licensed features in a stack environment.
If you need to move a license from one hardware platform to another, you must contact Enterasys
Customer Support to arrange for re-hosting of the license.
Node-Locked License Key Fields
When Enterasys supplies a license, it will be sent to you as a character string made up of six
fields. The contents of the six fields, from the left, indicate:
•Type—the type of license. The value in this field is always “INCREMENT.”
•Feature—description of the feature being licensed, for example, “advrouter”.
•Date-based version (DBV)—a date-related string. The value in this field is not significant.
•Expiration type—indicates whether the license is a permanent or an evaluation license. If the
license is an evaluation license, this field will contain the expiration date of the license. If the
license is a permanent license, this field will contain the word “permanent.”
•Key—the license key.
•Host ID—the serial number of the switch to which this license applies.
When activating licenses on stackable devices, we recommend that you copy and paste the license
character string, rather than entering the text manually.
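Because a node-locked key is tied to one serial number and an evaluation key expires, it is worth checking a pasted license string against the target switch before applying it, especially in a stack where every member must be licensed. The following added example (not part of the Enterasys guide) parses the six-field layout described above and reports why a license would not work on a given switch. The sample strings are constructed, the key value is made up, and the evaluation date formats accepted by `parse_date` (`dd-mon-yyyy` and ISO `yyyy-mm-dd`) are assumptions, since the guide does not show an example string; the serial used matches the one in Figure 3-1.

```python
"""Parse and sanity-check an Enterasys node-locked license string before
applying it to a switch or stack.  Added example, not part of the guide.
The six-field layout (type, feature, date-based version, expiration,
key, host ID) follows the guide's description; sample strings are
constructed and the accepted date formats are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class License:
    feature: str
    dbv: str                   # date-based version; not significant per the guide
    expires: Optional[date]    # None means a permanent license
    key: str
    host_id: str               # serial number of the switch the license is locked to


def parse_date(text):
    """Accept 'dd-mon-yyyy' or ISO 'yyyy-mm-dd' (assumed formats)."""
    for fmt in ("%d-%b-%Y", "%Y-%m-%d"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised expiration date {text!r}")


def parse_license(text):
    """Split a pasted license string into its six fields."""
    fields = text.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {text!r}")
    kind, feature, dbv, expiry, key, host_id = fields
    if kind != "INCREMENT":
        raise ValueError(f"unexpected license type {kind!r}")
    expires = None if expiry.lower() == "permanent" else parse_date(expiry)
    return License(feature, dbv, expires, key, host_id)


def check_license(lic, switch_serial, today=None):
    """Return the reasons this license will not work on the given switch
    (an empty list means it is safe to apply)."""
    today = today or date.today()
    problems = []
    if lic.host_id.upper() != switch_serial.upper():
        problems.append(f"host ID {lic.host_id} does not match switch serial {switch_serial}")
    if lic.expires is not None and lic.expires < today:
        problems.append(f"evaluation license expired on {lic.expires.isoformat()}")
    return problems


def unlicensed_members(licenses, member_serials, feature, today=None):
    """Serials of stack members with no valid license for the feature.
    The guide requires every member, manager included, to be licensed,
    or the unlicensed unit's ports stay in the ConfigMismatch state."""
    covered = {lic.host_id.upper() for lic in licenses
               if lic.feature == feature and not check_license(lic, lic.host_id, today)}
    return [s for s in member_serials if s.upper() not in covered]


if __name__ == "__main__":
    # Constructed sample; the key is made up, the serial is the one in Figure 3-1.
    sample = "INCREMENT advrouter 2012.10 permanent 0123456789ABCDEF 041800249041"
    lic = parse_license(sample)
    print(lic)
    print("problems:", check_license(lic, "041800249041"))
    print("unlicensed:", unlicensed_members([lic], ["041800249041", "041800249042"], "advrouter"))
```

Run it over the full set of keys for a stack before the single-session activation procedure below; a non-empty `unlicensed_members` result means at least one unit will come up with its ports detached.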
Non-Node-Locked Licensing
On the C5 platform, licenses are not locked to individual switches. When you activate your
licenses on the Enterasys customer site, the key that is generated contains information about how
many licenses you have purchased and therefore, how many switches the license key can be
applied to. For example, if you buy 8 C5 licenses, when you activate your licenses on the Enterasys
customer site, one key is generated that can enable the licensed feature on up to 8 C5 switches.
If you apply a license to a stack that has more members than the license key allows, applying the
license will fail on the extra members. For example, if you buy 6 C5 licenses and apply that key to
a stack of 8 C5 switches, licensing will fail on members 7 and 8.
Licensing in a Stack Environment
All members of a stack must be licensed in order to support licensed features in a stack
environment. If the master unit in a stack has an activated license, all member units also must have
an activated license in order to operate. If the master unit in a stack does not have an activated
license, then the licensed functionality will not be available to member units, even if they have
licenses installed.
Note: Multi-node non-node-locked licenses are not currently available. You should buy individual
licenses for all switches on which you want to enable the advanced features.
4-10 System Configuration
When adding a new unit to an existing stack, the ports on a switch lacking a licensed feature that
has been enabled on the master will not pass traffic until the license has been enabled on the
added switch. (The ports are in the “ConfigMismatch” state.)
If you clear a license from a member unit in a stack while the master unit has an activated license,
the status of the member will change to “ConfigMismatch” and its ports will be detached from the
stack. If you clear a license from the master unit of a stack, the member units will remain attached
to the stack, but the licensed functionality will no longer be available.
Applying Node-Locked Licenses in a Stack
The licenses for all members of an operating stack can be activated during a single CLI session, by
following these steps:
1. Obtain valid licenses for all members of the stack from the Enterasys customer site.
2. Optionally, note the serial numbers of the switches in the stack. You can use the show system hardware command to display the switch serial numbers.
3. Enable the licenses on the stack members first, before enabling the master unit, using the set license command. For example:
4. Enable the license on the switch master unit last, using the set license command.
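As an added illustration (not Enterasys code), the following Python models the six license fields listed under “Node-Locked License Key Fields” and the apply order required by the steps above: every stack member must hold a valid license for its own serial number, members are applied before the master, and any unit without a license is reported. The guide's sample license string is not reproduced on this page, so the example assumes whitespace-separated fields and a YYYY-MM-DD expiration date; the serial numbers and keys are constructed.

```python
"""Added example (not Enterasys code): parse the six node-locked license fields and plan
the 'set license' order for a stack (members first, master last), flagging units whose
serial number has no valid license."""
from dataclasses import dataclass
from datetime import date


# Assumption: the fields are whitespace-separated and an evaluation expiration is an
# ISO date; the guide's own sample string is not reproduced here.
@dataclass(frozen=True)
class NodeLockedLicense:
    license_type: str   # always "INCREMENT"
    feature: str        # e.g. "advrouter"
    dbv: str            # date-based version; not significant
    expiration: str     # "permanent" or an expiration date (YYYY-MM-DD assumed)
    key: str
    host_id: str        # serial number of the switch the license is locked to

    def is_valid_on(self, today: str) -> bool:
        if self.expiration.lower() == "permanent":
            return True
        return date.fromisoformat(self.expiration) >= date.fromisoformat(today)


def parse_license(text: str) -> NodeLockedLicense:
    parts = text.split()
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}")
    if parts[0] != "INCREMENT":
        raise ValueError(f"unexpected license type {parts[0]!r}")
    return NodeLockedLicense(*parts)


def plan_stack_licensing(licenses, stack, master_unit, today):
    """stack maps unit number -> serial number (as shown by 'show system hardware').
    Returns (apply_order, unlicensed_units): the order in which to run 'set license'
    (member units first, the master last) and the units with no valid license."""
    by_serial = {lic.host_id: lic for lic in licenses if lic.is_valid_on(today)}
    apply_order, unlicensed = [], []
    for unit in sorted(stack, key=lambda u: (u == master_unit, u)):
        lic = by_serial.get(stack[unit])
        if lic is None:
            unlicensed.append(unit)   # the feature cannot be used stack-wide until fixed
        else:
            apply_order.append((unit, lic.feature, lic.host_id))
    return apply_order, unlicensed


def sample_plan():
    """Constructed data: a 3-unit stack (master = unit 1) with three licenses, one of
    them an evaluation license that has already expired."""
    licenses = [
        parse_license("INCREMENT advrouter 1.0 permanent KEY-A SN0001"),
        parse_license("INCREMENT advrouter 1.0 2012-06-30 KEY-B SN0002"),
        parse_license("INCREMENT advrouter 1.0 permanent KEY-C SN0003"),
    ]
    stack = {1: "SN0001", 2: "SN0002", 3: "SN0003"}
    return plan_stack_licensing(licenses, stack, master_unit=1, today="2012-10-01")
```

Running sample_plan() yields the apply order unit 3 then unit 1 (the master last) and reports unit 2 as unlicensed because its evaluation license has expired; in that state the stack cannot use the licensed feature until a valid license for SN0002 is obtained.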
Applying Non-Node-Locked Licenses in a Stack
When applying non-node-locked licenses, ensure that you have purchased enough licenses for all
members of the stack. All members of the stack do not need to use the same license key, but all
switches in the stack must have a license applied in order to support the licensed feature. Note
that the license key itself contains information about how many switches the license key can be
applied to.
1. Obtain valid license keys for all members of the stack from the Enterasys customer site.
2. Activate one or more licenses on the stack.
a. If you have a license with a license quantity that is equal to or greater than the number of
switches in the stack, use the set license command with no optional unit number. For
example:
C5(su)->set license advrouter "0001:C5L3-LIC:2:4a76f2c8:0:Your
Company Name Here:000E0C0973C5:150a9501:bec749e9ec095844d727a2db8
8a31514"
Validating license on unit 1
License successfully validated and set on unit 1
Validating license on unit 2
License successfully validated and set on unit 2
Validating license on unit 3
License successfully validated and set on unit 3
Caution: Since license keys are applied to the correct stack member switch automatically, based
on the switch serial number that is part of the license string, you should know the serial numbers of
the switches in order to enable the licenses of the member switches first, before the master unit.
b. If you need to use multiple license keys on members of a stack, use the optional unit
number parameter with the set license command. The following example applies two
different license keys to members of the stack.
C5(su)->set license advrouter "0001:C5L3-LIC:2:4a76f2c8:0: Entera
sys Networks:000E0C0973C5:150a9501:bec749e9ec095844d727a2db88a315
14" unit 1
Validating license on unit 1
License successfully validated and set on unit 1
C5(su)->set license advrouter "0001:C5L3-LIC:2:4a76f2c8:A:
Enterasys Networks:A00E0C0973D9:150a9501:098749e9ec095844
d727a2db88a31514" unit 2
Validating license on unit 2
License successfully validated and set on unit 2
Adding a New Member to a Licensed Stack
When adding a new unit to an existing stack, the ports on a switch lacking a licensed feature that
has been enabled on the master will not pass traffic until the license has been enabled on the
added switch. (The ports are in the “ConfigMismatch” state.)
1. For B3 or C3 switches, obtain a node-locked license for the new switch. For C5 switches, check
that you have a non-node-locked license that can be applied to the new switch.
2. Add the new unit to the stack, following the procedure in “Adding a New Unit to an Existing
Stack” on page 2-3.
3. Use the set license command to install and activate the new switch’s license. The new switch
will then join the stack and its ports will be attached.
Alternatively, you can install and activate the new switch’s license first, before adding the switch
to the stack.
Displaying and Clearing Licenses
Licenses can be displayed and cleared only with the show license and clear license commands.
General configuration commands such as show config or clear config do not apply to licenses.
If you clear a license from a member unit in a stack while the master unit has an activated license,
the status of the member will change to “ConfigMismatch” and its ports will be detached from the
stack.
If you clear a license from the master unit of a stack, the member units will remain attached to the
stack but the licensed functionality will no longer be available.
SNTP Configuration
Simple Network Time Protocol (SNTP) provides for the synchronizing of system time for
managed devices across a network. The Fixed Switch implementation supports unicast polling
and broadcast listening modes of operation to obtain the time from an SNTP server. SNTP is a
subset of the Network Time Protocol (NTP) as specified in RFC 1305. The most recent version of
SNTP is specified in RFC 2030. Since SNTP is a subset of NTP, all NTP servers are capable of
servicing SNTP clients. The SNTP mode is set on the client using the set sntp client command.
Unicast Polling Mode
When an SNTP client is operating in unicast mode, SNTP update requests are made directly to a
server, configured using the set sntp server command. The client queries these configured SNTP
servers at a fixed poll-interval configured using the set sntp poll-interval command. The order in
which servers are queried is based on a precedence value optionally specified when you configure
the server. The lower the configured precedence value, the higher the precedence for that server.
The default is for all servers to have the same precedence. In this case, the server ordering is based
upon the indexing of the server table.
The SNTP client makes a request to the SNTP server. The client waits a period of time configured
using the set sntp poll-timeout command for a response from the server. If the poll timeout timer
expires, the client will resend another request, up to the number of retries specified by the set sntp poll-retry command. If the retries have been exhausted, the client request is sent to the next server
with the lowest configured precedence value or the next server in the server table, if precedence
values are the same. If no server responds, the client waits the configured poll-interval time period
and the process starts over again.
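The polling order and retry behaviour described above, as an added model in Python (not the switch firmware): servers are tried by ascending precedence value, then by server-table index when precedence values are equal; each server gets one request plus poll-retry resends, each waiting poll-timeout seconds; if the whole table is exhausted the client waits poll-interval and starts over. The addresses, timestamps and the `send` stand-in for the network are constructed for the illustration.

```python
"""Added example (not the switch firmware): a model of SNTP unicast polling order,
retries and fallback between servers, using the defaults from Table 4-4."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class SntpServer:
    address: str
    precedence: int = 1        # lower value = higher precedence; default 1 for all


@dataclass
class SntpUnicastClient:
    servers: list              # the server table, in configured (index) order
    poll_retry: int = 1        # number of resends per server (default 1)
    poll_timeout: int = 5      # seconds to wait for a reply (default 5)
    poll_interval: int = 512   # seconds between cycles (default 512 = 2**9)
    log: list = field(default_factory=list)

    def query_order(self):
        # sorted() is stable, so equal precedence keeps the server-table order
        return [s.address for s in sorted(self.servers, key=lambda s: s.precedence)]

    def poll_cycle(self, send: Callable[[str], Optional[int]]):
        """send(address) stands in for the network: it returns a timestamp, or None
        when the poll-timeout expires without a reply. Returns (address, timestamp)
        of the first server that answered, or None if the whole table was exhausted."""
        for address in self.query_order():
            for attempt in range(1 + self.poll_retry):   # initial request + retries
                self.log.append(f"request {attempt + 1} to {address}")
                reply = send(address)
                if reply is not None:
                    return address, reply
                self.log.append(f"no reply from {address} within {self.poll_timeout}s")
        self.log.append(f"no server responded; wait {self.poll_interval}s and retry")
        return None


def constructed_network(answers: dict) -> Callable[[str], Optional[int]]:
    """Constructed stand-in for the network: servers listed in 'answers' reply with
    the given timestamp; every other server times out."""
    return lambda address: answers.get(address)


def demo():
    """Three constructed servers; only 10.0.0.2 answers, so the client first exhausts
    its retries against 10.0.0.3 (precedence 0) and 10.0.0.1 (table index 1)."""
    client = SntpUnicastClient(servers=[
        SntpServer("10.0.0.1"),                 # index 1, default precedence
        SntpServer("10.0.0.2"),                 # index 2, default precedence
        SntpServer("10.0.0.3", precedence=0),   # lowest value, so polled first
    ])
    result = client.poll_cycle(constructed_network({"10.0.0.2": 3558902400}))
    return client.query_order(), result, len(client.log)
```

demo() returns the query order 10.0.0.3, 10.0.0.1, 10.0.0.2, the reply from 10.0.0.2, and a log of nine entries: two requests and two timeouts for each of the first two servers, then the single successful request.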
Broadcast Listening Mode
With SNTP configured for broadcast listening mode, the client is passive and it is the broadcast
server that broadcasts the time to the client. Broadcast listening uses the same poll-interval,
poll-timeout and poll-retry values as unicast polling.
SNTP Authentication
The Simple Network Time Protocol (SNTP) is used to provide a precise time reference for time
critical applications. Therefore, SNTP can pose a security risk if malicious users attempt to corrupt
an SNTP timestamp to create a false time on network equipment. SNTP security mechanisms
ensure that only authorized servers are allowed to distribute time samples to the SNTP clients.
SNTP provides increased security in the form of authentication. Authentication is intended to
overcome security risks by ensuring that any response received from an SNTP time server has
come from the intended reference. The user defines a key on the switch and enables
authentication. The same key must be defined on the server in order for the switch to accept
timestamp information from the server.
The client sends a request for time to an SNTP server. The server then responds to the client with a
time sample, along with the encrypted keys configured on the SNTP server. Upon receipt of the
time sample, the client decrypts the key and verifies it against the trusted key configured
on the switch for the specified SNTP server. The client can then be sure that the received time sample
was indeed transmitted from the authorized SNTP server.
SNTP utilizes MD5 authentication (Message Digest Encryption 5), which safeguards device
synchronization paths to SNTP servers. MD5 is a 128-bit cryptographic hash function, which
outputs a fingerprint of the key. MD5 verifies the integrity of the communication and
authenticates the origin of the communication.
Authentication Key and Trusted Key List
The SNTP authentication key specifies the authentication instance to be used by the SNTP client
when authenticating with the SNTP server. The SNTP client supports the configuration of up to 5
authentication keys. The authentication key instance ID is a numeric value. Each authentication
key instance specifies the authentication type and password. SNTP authentication supports the
MD5 authentication algorithm. The password is known to both the SNTP client and server. The
password consists of an ASCII string of up to 32 non-whitespace characters.
Use the set sntp authentication-key command to configure an authentication key instance.
The SNTP authentication key is associated with an SNTP server using the set sntp server
command.
An authentication key has to be trusted to be used with an SNTP server. Use the set sntp trusted-key command to add an authentication key to the trusted key list.
Refer to Procedure 4-3 on page 4-14 to configure the switch SNTP client for authentication.
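The verification that “SNTP Authentication” and “Authentication Key and Trusted Key List” describe, as an added Python example that is not the switch's implementation: the client accepts a server reply only if the key ID in the reply is the one configured for that server, that key is in the trusted-key list, and the digest matches. The authenticator layout follows the NTP MD5 format of RFC 1305 / RFC 5905 (a 4-byte key ID followed by MD5 over the key and the 48-byte header); the key-count and key-length limits come from the text above. The server addresses, key values and reply packets are constructed.

```python
"""Added example (not the switch's code): client-side check of the MD5 authenticator on
an SNTP reply against the configured, trusted key for that server."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

NTP_HEADER_LEN = 48
AUTHENTICATOR_LEN = 20   # 4-byte key ID + 16-byte MD5 digest


@dataclass
class SntpAuthConfig:
    authenticate: bool = True                         # set sntp authenticate enable
    keys: dict = field(default_factory=dict)          # key-id -> password
    trusted: set = field(default_factory=set)         # set sntp trusted-key key-id
    server_keys: dict = field(default_factory=dict)   # server address -> key-id

    def add_key(self, key_id: int, password: str):
        """set sntp authentication-key key-id md5 key-value: at most 5 keys, each an
        ASCII string of up to 32 characters without whitespace."""
        if key_id not in self.keys and len(self.keys) >= 5:
            raise ValueError("the SNTP client supports at most 5 authentication keys")
        bad_len = not (0 < len(password) <= 32)
        if bad_len or not password.isascii() or any(c.isspace() for c in password):
            raise ValueError("key value must be 1-32 ASCII characters without whitespace")
        self.keys[key_id] = password


def md5_authenticator(key_id: int, password: str, header: bytes) -> bytes:
    """The authenticator a server appends to its reply: key ID + MD5(key || header)."""
    digest = hashlib.md5(password.encode("ascii") + header).digest()
    return struct.pack("!I", key_id) + digest


def verify_reply(cfg: SntpAuthConfig, server: str, message: bytes):
    """Return (accepted, reason) for a reply 'message' received from 'server'.
    Assumes a plain 48-byte header with no extension fields."""
    if not cfg.authenticate:
        return True, "authentication disabled: reply accepted unverified"
    if len(message) != NTP_HEADER_LEN + AUTHENTICATOR_LEN:
        return False, "reply carries no MD5 authenticator"
    header, auth = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", auth[:4])[0]
    if cfg.server_keys.get(server) != key_id:
        return False, f"key {key_id} is not the key configured for server {server}"
    if key_id not in cfg.trusted or key_id not in cfg.keys:
        return False, f"key {key_id} is not a configured, trusted key"
    expected = md5_authenticator(key_id, cfg.keys[key_id], header)
    if not hmac.compare_digest(expected, auth):   # constant-time comparison
        return False, "digest mismatch: header altered in transit or wrong key"
    return True, "reply authenticated"


def demo():
    """Constructed exchange: server 10.0.0.1 is configured with key 1, 10.0.0.2 with key 2."""
    cfg = SntpAuthConfig()
    cfg.add_key(1, "sntp-key-one")
    cfg.add_key(2, "sntp-key-two")
    cfg.trusted.update({1, 2})
    cfg.server_keys.update({"10.0.0.1": 1, "10.0.0.2": 2})
    header = bytes([0x24]) + bytes(NTP_HEADER_LEN - 1)   # VN=4, mode=4 (server); rest zeroed
    good = header + md5_authenticator(1, "sntp-key-one", header)
    tampered = good[:40] + bytes([good[40] ^ 0x01]) + good[41:]   # transmit timestamp altered
    wrong_key = header + md5_authenticator(2, "sntp-key-two", header)  # key 2 is not 10.0.0.1's
    return {
        "good": verify_reply(cfg, "10.0.0.1", good)[0],
        "tampered": verify_reply(cfg, "10.0.0.1", tampered)[0],
        "wrong_key": verify_reply(cfg, "10.0.0.1", wrong_key)[0],
        "unauthenticated": verify_reply(cfg, "10.0.0.1", header)[0],
    }
```

With authentication enabled, only the untouched reply signed with the key configured for that server is accepted; an altered header, a reply signed with a different (even trusted) key, or a reply with no authenticator at all is rejected, which is the protection against forged time samples that the text describes.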
SNTP Defaults
Table 4-4 lists SNTP parameters and their default values.
Table 4-4 Default SNTP Parameters
SNTP client mode: Specifies whether the current SNTP state is broadcast, unicast, or disabled. Default: disabled
unicast server precedence: Specifies a value that determines the order in which SNTP servers are polled if the precedence values are not the same. Default: 1 (highest precedence)
poll-interval: Specifies the interval between unicast SNTP requests by the client to the server. Default: 512 seconds
poll-retry: Specifies the number of times the client will resend the SNTP request to the server before moving on to the next server. Default: 1
poll-timeout: Specifies the amount of time a client will wait for a response from the SNTP server before retrying. Default: 5 seconds
timezone offset: Specifies the offset in hours and minutes from UTC for this device. Default: 0 hours, 0 minutes
SNTP authentication mode: Specifies whether authentication for all SNTP client communications is enabled or disabled. Default: disabled
Configuring SNTP
Procedure 4-2 describes how to configure general SNTP parameters. Procedure 4-3 describes how
to configure SNTP authentication. Refer to the CLI Reference for your platform for details about the
commands listed.
Procedure 4-2 Configuring SNTP
1. Set the SNTP operation mode on the client.
   Command: set sntp client {broadcast | unicast | disable}
2. When operating in unicast mode, set the SNTP server(s) for this client, optionally specifying a precedence value per server.
   Command: set sntp server ip-address [precedence precedence] [key key-id]
3. When operating in unicast mode, optionally change the poll interval between SNTP unicast requests. The poll interval is 2 to the power of value in seconds, where value can range from 6 to 10.
   Command: set sntp poll-interval value
4. When operating in unicast mode, optionally change the number of poll retries to a unicast SNTP server.
   Command: set sntp poll-retry retry
5. When operating in unicast mode, optionally change the poll timeout for a response to a unicast SNTP request.
   Command: set sntp poll-timeout timeout
6. Optionally, set the SNTP time zone name and the hours and minutes it is offset from Coordinated Universal Time (UTC).
   Note: The daylight savings time function can be enabled and associated with the timezone set here using the set summertime command.
   Command: set timezone name [hours] [minutes]
7. Optionally, specify the interface used for the source IP address of the SNTP client. If no interface is specified, then the IP address of the Host interface is used.
   Command: set sntp interface {loopback loop-ID | vlan vlan-ID}
Procedure 4-3 describes how to configure SNTP authentication. Refer to the CLI Reference for your
platform for details about the commands listed.
Procedure 4-3 Configuring SNTP Authentication
1. Configure up to five authentication keys.
   Command: set sntp authentication-key key-id md5 key-value
2. Add the configured authentication keys to the trusted key list.
   Command: set sntp trusted-key key-id
3. Enable authentication on the switch.
   Command: set sntp authenticate enable
4. Add the keys to the switch’s NTP/SNTP server configurations.
   Command: set sntp server ip-address [precedence precedence] [key key-id]
5. Ensure that the key information configured on the switch is added to the “ntp.keys” file on the NTP/SNTP servers.
   Command: N/A
Table 4-5 describes how to manage and display SNTP information.
Table 4-5 Managing and Displaying SNTP
To display SNTP client, server, and time zone settings: show sntp
To set the SNTP client’s operational mode to disable: clear sntp client
To remove one or all servers from the SNTP server list: clear sntp server {ip-address | all}
To reset the poll interval between unicast SNTP requests to its default value: clear sntp poll-interval
To reset the number of poll retries to a unicast SNTP server to its default value: clear sntp poll-retry
To reset the SNTP poll timeout to its default value: clear sntp poll-timeout
To clear an SNTP authentication key: clear sntp authentication-key key-id
To remove an authentication key from the trusted key list: clear sntp trusted-key key-id
SNTP Configuration Example
The following example configures the SNTP client for unicast mode, generates two authentication
keys and adds them to the trusted key list, enables authentication, and configures two SNTP
servers with different precedence and authentication keys for the SNTP client to contact.
All the rest of the SNTP parameters are left at their default values. The show sntp command
displays the current settings.
DHCP Configuration
Dynamic Host Configuration Protocol (DHCP) for IPv4 is a network layer protocol that
implements automatic or manual assignment of IP addresses and other configuration information
to client devices by servers. A DHCP server manages a user-configured pool of IP addresses from
which it can make assignments upon client requests. A relay agent passes DHCP messages
between clients and servers which are on different physical subnets.
DHCP Relay Agent
The DHCP/BOOTP relay agent function can be configured on all of the switch’s routing
interfaces. The relay agent can forward a DHCP client’s request to a DHCP server located on a
different network if the address of the server is configured as a helper address on the receiving
interface. The relay agent interface must be a VLAN which is configured with an IP address. Refer
to the ip helper-address command in the CLI Reference for your platform for more information.
DHCP Server
DHCP server functionality allows the switch to provide basic IP configuration information to a
client on the network who requests such information using the DHCP protocol.
DHCP provides the following mechanisms for IP address allocation by a DHCP server:
• Automatic—DHCP server assigns an IP address to a client for a limited period of time (or
until the client explicitly relinquishes the address) from a defined pool of IP addresses
configured on the server.
• Manual—A client’s IP address is assigned by the network administrator, and DHCP is used
simply to convey the assigned address to the client. This is managed by means of “static”
address pools configured on the server.
The amount of time that a particular IP address is valid for a system is called a lease. The switch
maintains a lease database which contains information about each assigned IP address, the MAC
address to which it is assigned, the lease expiration, and whether the address assignment is
dynamic (automatic) or static (manual). The DHCP lease database is stored in flash memory.
In addition to assigning IP addresses, the DHCP server can also be configured to assign the
following to requesting clients:
• Default router(s)
• DNS server(s) and domain name
• NetBIOS WINS server(s) and node name
• Boot file
• DHCP options as defined by RFC 2132
Note: DHCP Relay Agent is not supported on the I-Series platform because the I-Series does not
support routing.
Note: A total of 16 address pools, dynamic and/or static, and a maximum of 256 addresses for the
entire switch, can be configured on the Fixed Switch platforms.
IP Address Pools
IP address pools must be configured for both automatic and manual IP address allocation by a
DHCP server.
Automatic IP Address Pools
When configuring an IP address pool for dynamic IP address assignment, the only required steps
are to name the pool and define the network number and mask for the pool using the set dhcp pool network command. Note that:
• When the switch is configured for routing and the IP address pool is associated with a routing
interface, the pool has to be in the same subnet as the routed interface and use the same mask
configured on the routed interface.
• When the switch is not configured for routing, the pool has to be in the same subnet and use
the same mask as the system host port IP address.
• You can limit the scope of addresses assigned to a pool for dynamic address assignment with
the set dhcp exclude command. Up to 128 non-overlapping address ranges can be excluded
on the Fixed Switches. For example:
set dhcp exclude 192.0.0.1 192.0.0.10
For more information about configuring automatic IP address pools, see “Configuring DHCP IP
Address Pools” on page 4-21.
Manual IP Address Pools
When you are configuring static address pools for manual address assignment with set dhcp pool
commands, the only required steps are to name the pool, configure either the hardware address of
the client or the client identifier, and configure the IP address and mask for the manual binding.
For more information about configuring manual IP address pools, see “Configuring DHCP IP
Address Pools” on page 4-21.
Configuring a DHCP Server
On Fixed Switch platforms that support basic routing, there are two ways to configure a DHCP
server: one is to associate the DHCP address pool with the switch’s host port IP address, and the
other is to associate the DHCP address pool with a routed interface.
Since on a Fixed Switch platform that supports routing, the host port IP address cannot fall within
a configured routed interface on the system, a typical system configured with routing interfaces
will not have a host port IP address. Therefore, all DHCP pools would be associated with routed
interfaces.
On the I-Series, which does not support routing, the DHCP address pool must be associated with
the switch’s host port IP address.
Refer to Table 4-7 on page 4-20 for a list of default DHCP server settings.
Note: The IP address of the system’s host port or the routed interface is automatically
excluded.
DHCP Configuration on a Non-Routing System
The following procedure provides basic DHCP server functionality when the DHCP pool is
associated with the system’s host IP address. This procedure would typically be used when the
system is NOT configured for routing.
Refer to the CLI Reference for your platform for details about the commands listed below.
Procedure 4-4 DHCP Server Configuration on a Non-Routing System
1. Configure the system (or stack) host port IP address.
   Command: set ip address ip-address [mask ip-mask] [gateway ip-gateway]
2. Enable DHCP server functionality on the system.
   Command: set dhcp enable
3. Configure an IP address pool for dynamic IP address assignment. Note that the pool has to be in the same subnet and use the same mask as the system host port IP address. Refer to “Manual IP Pool Configuration” on page 4-21 for information about configuring a manual pool and for additional IP address pool configuration.
   Command: set dhcp pool poolname network subnet {mask | prefix-length}
4. Optionally, limit the scope of addresses assigned to the pool. Remove address exclusions with the clear dhcp exclude command.
   Commands: set dhcp exclude low-ipaddr [high-ipaddr]; clear dhcp exclude low-ipaddr [high-ipaddr]
5. Optionally, set other DHCP server parameters.
   Commands: set dhcp conflict logging; set dhcp bootp {enable | disable}; set dhcp ping packets number
Example
The following example configures the switch’s host port IP address, enables DHCP, and creates a
dynamic IP address pool named “autopool1” in the same subnet as the host port IP address. All
DHCP clients served by this switch must be in the same VLAN as the system’s host port.
The following procedure provides basic DHCP server functionality when the DHCP pool is
associated with a routed interface.
Refer to the CLI Reference for your platform for details about the commands listed below.
Procedure 4-5 DHCP Server Configuration on a Routing System
1. Create a VLAN and add ports to the VLAN. Only DHCP clients associated with this VLAN will be served IP addresses from the DHCP address pool associated with this routed interface (VLAN).
   Commands: set vlan create vlan-id; set port vlan port-string vlan-id
2. Create a routed interface for the VLAN in router configuration mode.
   Commands: interface vlan vlan-id; no shutdown; ip address ip-addr ip-mask
3. Enable DHCP server functionality in switch mode.
   Command: set dhcp enable
4. Configure an IP address pool for dynamic IP address assignment. Note that the pool has to be in the same subnet as the routed interface and use the same mask configured on the routed interface. Refer to “Manual IP Pool Configuration” on page 4-21 for information about configuring a manual pool and for additional IP address pool configuration.
   Command: set dhcp pool poolname network subnet {mask | prefix-length}
5. Optionally, limit the scope of addresses assigned to the dynamic pool. Remove address exclusions with the clear dhcp exclude command.
   Commands: set dhcp exclude low-ipaddr [high-ipaddr]; clear dhcp exclude low-ipaddr [high-ipaddr]
6. Optionally, set other DHCP server parameters.
   Commands: set dhcp conflict logging; set dhcp bootp {enable | disable}; set dhcp ping packets number
Example
In this example, VLAN 6 is created and ports ge.1.1 through ge.1.10 are added to VLAN 6. An IP
address is associated with routed interface VLAN 6 in router configuration mode. Returning to
switch mode, DHCP is enabled and a dynamic IP address pool is configured in the same subnet as
the routed interface. DHCP clients in VLAN 6 will be served IP addresses from this DHCP address
pool.
C5(su)->set vlan create 6
C5(su)->set port vlan ge.1.1-10 6
C5(su)->router
C5(su)->router>enable
C5(su)->router#configure
Enter configuration commands:
Table 4-6 lists additional DHCP server tasks. Refer to Table 4-7 on page 4-20 for default DHCP
server settings.
Table 4-6 Managing and Displaying DHCP Server
To enable or disable automatic address allocation for BOOTP clients: set dhcp bootp {enable | disable}
To enable logging of address conflict information: set dhcp conflict logging
To disable logging of address conflict information: clear dhcp conflict logging
To display conflict information for one or all addresses: show dhcp conflict [ip-address]
To clear conflict information for one or all addresses: clear dhcp conflict {ip-address | *}
To set the number of ping packets sent by the DHCP server to an IP address before assigning that address to a requesting client: set dhcp ping packets number
To return the number of ping packets sent to the default of 2: clear dhcp ping packets
To display binding information for one or all IP addresses: show dhcp binding [ip-address]
To delete one or all dynamic (automatic) address bindings: clear dhcp binding {ip-addr | *}
To display DHCP server statistics: show dhcp server statistics
To clear all DHCP server counters: clear dhcp server statistics
DHCP Server Defaults
Table 4-7 Default DHCP Server Parameters
DHCP server: Whether DHCP server functionality is enabled or disabled on the switch. Default: Disabled
BOOTP clients: Whether automatic address allocation for BOOTP clients is enabled or disabled. Default: Disabled
Conflict logging: Whether address conflict information should be logged. Default: Enabled
Configuring DHCP IP Address Pools
This section provides procedures for the basic configuration of automatic (dynamic) and manual
(static) IP address pools, as well as a list of the commands to configure other optional pool
parameters.
Pool names can be up to 31 characters in length.
Automatic IP Address Pool Configuration
The only required steps to configure an automatic pool for dynamic address allocation are to give
the pool a name and define the network number and mask for the pool. As noted previously (page
4-17):
• When the switch is configured for routing and the IP address pool is associated with a routing
interface, the pool has to be in the same subnet as the routed interface and use the same mask
configured on the routed interface.
• When the switch is not configured for routing, the pool has to be in the same subnet and use
the same mask as the system host port IP address.
Refer to the CLI Reference for your platform for details about the commands listed below.
Table 4-7 Default DHCP Server Parameters (continued)
Number of ping packets: Specifies the number of ping packets the DHCP server sends to an IP address before assigning the address to a requesting client. Default: 2 packets
Note: A total of 16 address pools, dynamic and/or static, and a maximum of 256 addresses for the
entire switch, can be configured on the Fixed Switch platforms.
Procedure 4-6 Automatic IP Address Pool Configuration
1. Create the IP address pool and specify the subnet and mask (or prefix length) to be used by the pool.
   Command: set dhcp pool poolname network subnet {mask | prefix-length}
2. If desired, specify the duration of the lease for an IP address assigned from this address pool. If not specified, the default lease time is one day.
   Command: set dhcp pool poolname lease {days [hours [minutes]] | infinite}
3. Optionally, configure other pool parameters.
   Command: See Table 4-8 on page 4-23
4. Display the pool configuration.
   Command: show dhcp pool configuration {poolname | all}
Manual IP Pool Configuration
The only required steps to configure a manual pool for static address allocation are to name the
pool, configure either the hardware address of the client or the client identifier, and configure the
IP address and mask for the manual binding.
• The subnet of the IP address being issued should be on the same subnet as the ingress
interface (that is, the subnet of the host IP address of the switch, or if routing interfaces are
configured, the subnet of the routing interface).
• A manual pool can be configured using either the client’s hardware address (set dhcp pool hardware-address) or the client’s client-identifier (set dhcp pool client-identifier), but using
both is not recommended.
• If the incoming DHCP request packet contains a client-identifier, then a manual pool
configured with that client-identifier must exist on the switch in order for the request to be
processed. The hardware address is not checked.
• A hardware address and type (Ethernet or IEEE 802) configured in a manual pool is checked
only when a client-identifier is not also configured for the pool and the incoming DHCP
request packet does not include a client-identifier option.
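The matching rules just listed, and the subnet and exclusion rules from “IP Address Pools”, as an added Python model (not Enterasys code): a request that carries a client-identifier is matched only against manual pools configured with that identifier, and the hardware address is not consulted; a request without one is matched by hardware address and type against pools that have no client-identifier; dynamic allocation requires the pool to share the ingress interface's subnet and mask, skips the interface address and every excluded range, and never hands out an address twice. The pool names, addresses and MACs are constructed, following the manual-pool examples in this section.

```python
"""Added example (not Enterasys code): manual-pool matching by client-identifier or
hardware address, and dynamic allocation honouring subnet and exclusion rules."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ETHERNET = 1   # media type code; see "Address Resolution Protocol Parameters" in RFC 1700


def normalise_mac(mac: str) -> str:
    """Accept 0001.f401.2710 or 00:01:f4:01:27:10 and return 00:01:f4:01:27:10."""
    digits = mac.replace(".", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def client_identifier(hw_type: int, mac: str) -> str:
    """Client identifier = media type byte followed by the MAC, e.g. 01:00:01:22:33:44:55."""
    return f"{hw_type:02x}:{normalise_mac(mac)}"


@dataclass
class ManualPool:
    name: str
    host: str                                   # "ip/prefix" (set dhcp pool <name> host)
    hardware_address: Optional[str] = None      # set dhcp pool <name> hardware-address
    hw_type: int = ETHERNET
    client_id: Optional[str] = None             # set dhcp pool <name> client-identifier
    lease_seconds: Optional[int] = 86400        # None = infinite; default one day

    def __post_init__(self):
        if self.hardware_address is not None:
            self.hardware_address = normalise_mac(self.hardware_address)


@dataclass
class DynamicPool:
    name: str
    network: str                                # "subnet/prefix" (set dhcp pool <name> network)
    excluded: list = field(default_factory=list)   # (low, high) pairs from set dhcp exclude
    leased: set = field(default_factory=set)


@dataclass
class Request:
    mac: str
    hw_type: int = ETHERNET
    client_id: Optional[str] = None             # client-identifier option, if the client sent one


def match_manual_pool(pools, req: Request) -> Optional[ManualPool]:
    """Client-identifier present: only a pool with that identifier matches; the hardware
    address is not checked. Otherwise hardware address and type are checked, but only
    against pools that have no client-identifier configured."""
    if req.client_id is not None:
        return next((p for p in pools if p.client_id == req.client_id), None)
    mac = normalise_mac(req.mac)
    return next((p for p in pools if p.client_id is None
                 and p.hardware_address == mac and p.hw_type == req.hw_type), None)


def allocate_dynamic(pool: DynamicPool, interface: str) -> Optional[str]:
    """interface is the ingress host or routed interface as 'ip/prefix'. The pool must lie
    in that subnet with the same mask; the interface address is excluded automatically,
    as are configured exclusion ranges and addresses already leased."""
    iface = ipaddress.IPv4Interface(interface)
    net = ipaddress.IPv4Network(pool.network)
    if net != iface.network:
        raise ValueError(f"pool {pool.name} is not in the subnet of interface {interface}")
    ranges = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)) for lo, hi in pool.excluded]
    for addr in net.hosts():
        if addr == iface.ip or addr in pool.leased or any(lo <= addr <= hi for lo, hi in ranges):
            continue
        pool.leased.add(addr)
        return str(addr)
    return None   # pool exhausted


def demo():
    """Constructed configuration mirroring the manual-pool examples in this section."""
    manual = [
        ManualPool("manual2", "192.0.0.200/24", hardware_address="0001.f401.2710",
                   lease_seconds=12 * 3600),
        ManualPool("manual3", "10.12.1.10/24", client_id="01:00:01:22:33:44:55",
                   lease_seconds=None),
    ]
    auto = DynamicPool("autopool1", "192.0.0.0/24", excluded=[("192.0.0.1", "192.0.0.10")])

    def pool_name(p):
        return p.name if p else None

    return {
        "by_hardware": pool_name(match_manual_pool(manual, Request("0001.f401.2710"))),
        "by_client_id": pool_name(match_manual_pool(
            manual, Request("00:01:22:33:44:55", client_id="01:00:01:22:33:44:55"))),
        # client-identifier sent but no pool carries it: the hardware address is not consulted
        "client_id_unknown": pool_name(match_manual_pool(
            manual, Request("0001.f401.2710", client_id="01:00:01:f4:01:27:10"))),
        "first_dynamic": allocate_dynamic(auto, "192.0.0.20/24"),
        "second_dynamic": allocate_dynamic(auto, "192.0.0.20/24"),
    }
```

demo() matches the first request to manual2 by hardware address and the second to manual3 by client-identifier; the third request carries a client-identifier that no pool has, so it matches nothing even though its MAC is configured in manual2. The dynamic pool skips the excluded 192.0.0.1 through 192.0.0.10 and hands out 192.0.0.11, then 192.0.0.12.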
Refer to the CLI Reference for your platform for details about the commands listed below.
Procedure 4-7 Manual IP Address Pool Configuration
1. Create the pool using either the client’s hardware address or client-identifier. Hardware address = the MAC address of the client’s hardware platform. Client identifier = concatenation of media type and MAC address of the client’s hardware platform. For a list of media type codes, refer to the “Address Resolution Protocol Parameters” section of RFC 1700, Assigned Numbers.
   Commands: set dhcp pool poolname hardware-address mac-addr [type]
   or set dhcp pool poolname client-identifier id
2. Specify the IP address and mask to be assigned to that client.
   Command: set dhcp pool poolname host ip-address [mask | prefix-length]
3. If desired, assign a name to the client.
   Command: set dhcp pool poolname client-name name
4. If desired, specify the duration of the lease for an IP address assigned from this address pool. If not specified, the default lease time is one day.
   Command: set dhcp pool poolname lease {days [hours [minutes]] | infinite}
5. Optionally, configure other pool parameters.
   Command: See Table 4-8 on page 4-23
6. Display the pool configuration.
   Command: show dhcp pool configuration {poolname | all}
Examples
This example configures a manual pool using 0001.f401.2710 as the Ethernet MAC address for the
manual address pool named “manual2.” Alternatively, the MAC address could have been entered as
00:01:f4:01:27:10. The default type of 1, Ethernet, is accepted.
The IP address that is to be assigned to this client is then configured, and a lease duration of 12
hours is specified, by entering 0 for days and 12 for hours.
B5(su)->set dhcp pool manual2 hardware-address 0001.f401.2710
B5(su)->set dhcp pool manual2 host 192.0.0.200 255.255.255.0
B5(su)->set dhcp pool manual2 lease 0 12
This example configures a manual pool using a client identifier for a client whose client hardware
type is Ethernet and MAC address is 00:01:22:33:44:55. Concatenating these two values, the client
identifier configured in this example must be 01:00:01:22:33:44:55. We then set the lease duration
to infinite.
C5(rw)->set dhcp pool manual3 client-identifier 01:00:01:22:33:44:55
C5(rw)->set dhcp pool manual3 host 10.12.1.10 255.255.255.0
C5(rw)->set dhcp pool manual3 lease infinite
Configuring Additional Pool Parameters
Table 4-8 lists the commands that can be used to configure additional IP address pool parameters.
Table 4-8 Configuring Pool Parameters
To specify a default boot image for the clients served by the pool, and specify the file server from which the default boot image can be loaded: set dhcp pool poolname bootfile filename; set dhcp pool poolname next-server ip-address
To specify a default router list for the clients served by the pool. Up to 8 routers can be configured: set dhcp pool poolname default-router address [address2 ... address8]
To specify one or more DNS servers for the clients served by the pool. Up to 8 DNS servers can be configured: set dhcp pool poolname dns-server address [address2 ... address8]
To specify a domain name to be assigned to the clients served by the pool: set dhcp pool poolname domain-name domain
To specify up to 8 NetBIOS name servers and the NetBIOS node type for the clients served by the pool: set dhcp pool poolname netbios-name-server address [address2 ... address8]; set dhcp pool poolname netbios-node-type {b-node | h-node | p-node | m-node}
To configure DHCP options, described in RFC 2132: set dhcp pool poolname option code {ascii string | hex string-list | ip address-list}
Telnet provides an unsecured communications method between a client and the switch.
Telnet is activated by enabling Telnet on the device, using the set telnet enable command in
switch mode. By default, Telnet is enabled both inbound and outbound. Use the show telnet
command to display whether Telnet is currently enabled or disabled.
The Enterasys fixed switches allow a total of four inbound and/or outbound Telnet sessions to run
simultaneously.
Configuring Telnet
Procedure 4-8 Configuring Telnet
Step 1. Enable or disable Telnet services, inbound, outbound, or all.
Inbound = Telnet to the switch from a remote device
Outbound = Telnet to other devices from the switch
Command: set telnet {enable | disable} [inbound | outbound | all]
Step 2. Display Telnet status.
Command: show telnet
Step 3. Start a Telnet connection to another device.
Command: telnet host-ip [port]
SSH Overview
The Secure Shell (SSH) protocol provides an encrypted alternative to Telnet for sessions between a
client and the switch. By default, SSH is disabled on the switch.
The switch can support up to two concurrent SSH sessions.
Configuring SSH
Procedure 4-9 Configuring SSH
Step 1. Enable, disable, or reinitialize the SSH server on the switch.
Command: set ssh {enabled | disabled | reinitialize}
Step 2. Display SSH server status.
Command: show ssh status
Step 3. Reinitialize new SSH authentication keys.
Command: set ssh hostkey reinitialize
MAC Address Settings
MAC address settings configuration provides for the ability to:
•Configure a timeout period for aging learned MAC addresses
•Limit specified layer two multicast addresses to specific ports within a VLAN
•Enable the ability to treat static unicast MAC addresses as a multicast address
Age Time
Learned MAC addresses can be assigned an age in seconds after which they will be flushed from
the FID. The default value is 300 seconds.
Use the set mac agetime command to configure the MAC age-time for MAC addresses.
The following example sets the age-time for MAC addresses on this device to 600 seconds:
C5(rw)->set mac agetime 600
C5(rw)->show mac agetime
Aging time: 600 seconds
Limiting MAC Addresses to Specific VLANs
Use the set mac multicast command to define the ports within a VLAN on which a multicast
address can be dynamically learned, or on which a frame with the specified MAC address can be
flooded. Also, use this command to append ports to or clear ports from the egress ports list.
This example configures multicast MAC address 01-01-22-33-44-55 for VLAN 24, enabling this
MAC address to be learned on or flooded out on this VLAN’s ports, with the exception of ports
ge.1.1 through ge.1.3.
C5(su)->set mac multicast 01-01-22-33-44-55 24 clear ge.1.1-3
Setting the MAC Algorithm Mode
You can set the MAC algorithm mode, which determines the hash mechanism used by the device
when performing Layer 2 lookups on received frames. Four modes are available:
•MAC CRC 16 lower bits algorithm
•MAC CRC 16 upper bits algorithm (default value)
•MAC CRC 32 lower bits algorithm
•MAC CRC 32 upper bits algorithm
Each algorithm is optimized for a different spread of MAC addresses. When changing this mode,
the switch will display a warning message and prompt you to restart the device.
Use the set mac algorithm command to change the algorithm from the default, and the clear mac algorithm command to return to the default value. The show mac algorithm command displays
the currently selected algorithm.
New MAC Address Detection
You can configure the fixed switches to enable SNMP trap messaging globally or per port to send
notifications when a new MAC address is first detected. The default is disabled globally and per
port.
Use the set newaddrtrap command to enable SNMP trap messaging to report the detection of a
new MAC address either globally on the device or on a specified port basis. The new MAC
address trap feature is disabled by default. If a port is a CDP port, however, traps for new source
MAC addresses will not be sent.
The following example enables trap notification globally, then configures SNMP trap messaging to
send a notification when a new MAC address is detected on port ge.1.1:
Procedure 4-10 describes how to configure MAC address settings. All commands for this feature
can be set in any command mode.
Procedure 4-10 Configuring MAC Address Settings
Step 1. Display the MAC addresses in the switch’s filtering database (FID).
Command: show mac [address mac-address] [fid fid] [port port-string] [type {other | learned | self | mgmt | mcast}]
Step 2. Display the current timeout period for aging learned MAC entries.
Command: show mac agetime
Step 3. Optionally, set the timeout period for aging learned MAC entries.
Command: set mac agetime time
Step 4. Optionally, define on what ports within a VLAN a multicast address can be dynamically
learned, or on what ports a frame with the specified MAC address can be flooded. Optionally, use
this command to append ports to or clear ports from the egress ports list.
Command: set mac multicast mac-address vlan-id [port-string] [{append | clear} port-string]
Step 5. Optionally, change the MAC algorithm. Default is MAC CRC 16 upper bits.
Command: set mac algorithm {mac-crc16-lowerbits | mac-crc16-upperbits | mac-crc32-lowerbits | mac-crc32-upperbits}
Step 6. Optionally, remove a multicast MAC address from the FID.
Command: clear mac address mac-address [vlan-id]
Step 7. Optionally, enable SNMP trap messaging to report the detection of new MAC addresses for
the specified port or all ports.
Command: set newaddrtrap [port-string] {enable | disable}
Configuring Node Aliases
The node alias feature enables administrators to determine the MAC address and location of a
given end-station (or node) using the node’s Layer 3 alias information (IP address) as a key. With
this method, it is possible to determine that, for instance, IP address 123.145.2.23 is located on
switch 5 port 3.
The passive accumulation of a network's node/alias information is accomplished by “snooping”
on the contents of network traffic as it passes through the switch fabric.
Upon packet reception, node aliases are dynamically assigned to ports enabled with an alias
agent, which is the default setting on fixed switches. Node aliases cannot be statically created, but
can be deleted using the command clear nodealias config.
In the fixed switches, node data is automatically accumulated into the ct-alias MIB. The NetSight
Console Compass utility and Automated Security Manager (ASM) use the information in the
node/alias MIB table.
It's important to make sure that inter-switch links are not learning node/alias information, as it
would slow down searches by the NetSight Compass and ASM tools and give inaccurate results.
Use the set nodealias disable command to disable the node alias agent on a port. The set nodealias enable command will re-enable the agent.
The maximum number of node alias entries is configured with the set nodealias maxentries
command. The default is 32 entries per port.
Use the clear nodealias config command to return all values to the default for one or more ports.
The following command displays the nodealias configuration for port ge.1.1:
The following command disables the node alias agent on port ge.1.8:
C5(su)->set nodealias disable ge.1.8
5
User Account and Password Management
This chapter describes user account and password management features, which allow enhanced
control of password usage and provide additional reporting of usage.
Account and password feature behavior and defaults differ depending on the security mode of the
switch. For information about security modes and profiles, see Chapter 26, Configuring Security
Features.
User Account Overview
Enterasys switches are shipped with three default user accounts:
•A super-user access account with a username of admin and no password
•A read-write access account with a username of rw and no password
•A read-only access account with a username of ro and no password
A user with super-user access has access to all the functionality on the switch while read-write and
read-only accounts have less access to functionality. Command descriptions in the CLI Reference
indicate the user access level required for each command.
Users with super-user access can create user accounts and passwords. Read-write and read-only
accounts can change their own account passwords. User accounts are created, disabled, and
enabled with the set system login command. Passwords are created and changed with the set password command. User accounts are deleted with the clear system login command.
The Enterasys Fixed Switch platforms support up to 16 user accounts. When creating a new or
editing an existing login account, use the following syntax:
set system login username {super-user | read-write | read-only} {enable | disable}
The optional parameters that can be configured for a user account are:
•The start and end hour and minute time period for which access will be allowed for this user,
based upon 24 hour time. (Not applicable for super user accounts.)
•The days of the week for which access will be allowed for this user. (Not applicable for super
user accounts.)
•The authentication scope for this user — authentication is only by way of the local user
database even with RADIUS or TACACS+ configured, or authentication is by way of
configured methods, which is the default value.
•The number of days to age the password. A non-zero value supersedes the aging configured
in set system password, for this user.
•The number of simultaneous logins allowed from the user. The switch is capable of verifying
that a specified user is only connected to the product a configurable number of times. Any
attempt for a specified user to exceed the configured limit results in a trap.
For example, if simultaneous logins is set to 1, a specific user would not be able to Telnet to the
switch, and then simultaneously try to SSH to the switch or access local management via the
console port.
Use the clear system login command to remove a local user account or to reset any configured
parameters to their default values. If none of the optional parameters shown indented below are
entered, the user account is deleted.
clear system login username
User account access to features is affected by the security mode of the switch. Differences in access
on a command basis are described in the CLI Reference for your platform.
For information about security modes and profiles, see Chapter 26, Configuring Security
Features. See Table 5-1 on page 5-7 for a list of account and password defaults by security mode.
See “User Account Configuration” on page 5-3 for procedures and examples for creating user
accounts.
Emergency Access User Account
The fixed switches support the ability to identify an emergency access user with the set system
lockout emergency-access <username> command. An emergency access user account is allowed
emergency access to the switch through the console port.
Before identifying an emergency access user with the set system lockout command, the user
account must be configured with super-user access rights with the set system login and set password commands.
•A user account cannot be deleted while it is the emergency access account.
•Only one EA user is supported at a time and one shall always exist. The default admin user is
the default EA user.
•EA status can only be removed by replacing it with another account.
•EA user access not made through the console port will be subject to normal password
handling.
•When the password reset button is enabled, it will restore the default admin account as the
EA user.
•The emergency access user is still subject to the system lockout interval even on the console
port.
Account Lockout
User accounts can be locked out based on the number of failed login attempts or a period of
inactivity. Lockout is configured at the system level, not at the user account level. Use the set system lockout command to:
•Set the number of failed login attempts allowed before disabling a read-write or read-only
user account or locking out a super-user account.
–When a read-only or read-write user makes the configured number of failed attempts,
that user is disabled, and cannot log back in until re-enabled by a super-user with the set system login command.
–When a super-user makes the configured number of failed attempts, that user is locked
out for the configured lockout period. The configurable lockout period for super-user
accounts is 0 to 65535 minutes.
Note that only super-user accounts are temporarily locked out for a configured period. Read-only and read-write accounts are disabled and must be enabled by a super-user.
•Configure lockout based on a period of inactivity. Valid values for the period of inactivity are 0
to 65535 days. A value of 0 indicates no inactivity checking.
–When a read-only or read-write user session is inactive for the configured period of time,
that user is disabled, and cannot log back in until re-enabled by a super-user with the set system login command.
–Super-user accounts are not affected by inactivity checking.
Port Lockout
The account lockout functionality also supports a “port lockout” mechanism (set system lockout
port {enable|disable}). When enabled, the system monitors the results of all login attempts,
including via RADIUS, SSH, or Telnet, and on the console port. Separate counts are maintained for
each interface — local and network/remote (SSH, Telnet, or WebView).
When the number of sequential failed attempts equals the maximum configured attempts for any
user, the lockout will be applied (as configured) to all login attempts made through the given
interface (SSH, Telnet, or the console port). Any successful login will restart the count. By default,
port lockout is disabled.
If the default admin super-user account has been locked out, and if the password reset button
functionality is enabled, you can press the reset button on the switch to re-enable the admin
account with its default values. The admin account is also restored as the default emergency-access
user.
If the password reset button functionality has been disabled, you can wait until the lock out time
has expired or you can reboot the switch in order to re-enable the admin account.
See “Password Reset Button Functionality” on page 5-9 for more information about password
reset button functionality.
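The account and port lockout rules described above, modelled in Python as an added example rather than anything from the guide or the switch firmware; the class and field names are assumptions, and the attempt limit, period and login sequence are constructed.

```python
"""Model of the account and port lockout rules described under 'set system lockout'.

Added example, not Enterasys code. Read-only and read-write accounts are disabled after the
configured number of failed attempts until a super-user re-enables them; super-user accounts
are locked out for the configured period; a successful login restarts the count. With port
lockout enabled, separate counters are kept for the local (console) and network (SSH, Telnet,
WebView) interfaces, and reaching the limit locks that interface for the same period
(assumption). Unknown usernames count only toward port lockout (assumption). Times are
plain seconds supplied by the caller so the model runs without a clock.
"""
from dataclasses import dataclass

LOCAL, NETWORK = "local", "network"


@dataclass
class Account:
    name: str
    access: str                 # "super-user", "read-write" or "read-only"
    enabled: bool = True
    failures: int = 0           # sequential failed attempts
    locked_until: float = 0.0   # super-user lockout expiry, seconds


@dataclass
class LockoutPolicy:
    attempts: int = 3           # failed attempts before lockout (default 3)
    period_minutes: int = 15    # super-user lockout period (normal-mode default)
    port_lockout: bool = False  # set system lockout port {enable|disable}


class LoginGuard:
    def __init__(self, policy, accounts):
        self.policy = policy
        self.accounts = {a.name: a for a in accounts}
        self.port_failures = {LOCAL: 0, NETWORK: 0}
        self.port_locked_until = {LOCAL: 0.0, NETWORK: 0.0}
        self.events = []        # audit trail of lockout decisions

    def attempt(self, username, password_ok, interface, now):
        """Process one login attempt; returns accepted, rejected, disabled or locked."""
        if self.policy.port_lockout and now < self.port_locked_until[interface]:
            self.events.append(f"{now}: {interface} port locked, {username} refused")
            return "locked"
        acct = self.accounts.get(username)
        if acct is not None:
            if not acct.enabled:
                return "disabled"
            if now < acct.locked_until:
                return "locked"
            if password_ok:
                acct.failures = 0                   # any success restarts the counts
                self.port_failures[interface] = 0
                return "accepted"
        return self._fail(acct, interface, now)

    def _fail(self, acct, interface, now):
        period = self.policy.period_minutes * 60
        if acct is not None:
            acct.failures += 1
            if acct.failures >= self.policy.attempts:
                acct.failures = 0
                if acct.access == "super-user":
                    acct.locked_until = now + period   # temporary lockout only
                    self.events.append(f"{now}: super-user {acct.name} locked for {period}s")
                else:
                    acct.enabled = False              # stays disabled until re-enabled
                    self.events.append(f"{now}: {acct.name} disabled until re-enabled")
        if self.policy.port_lockout:
            self.port_failures[interface] += 1
            if self.port_failures[interface] >= self.policy.attempts:
                self.port_failures[interface] = 0
                self.port_locked_until[interface] = now + period
                self.events.append(f"{now}: {interface} port locked for {period}s")
        return "rejected"

    def enable(self, username):
        """What a super-user does with 'set system login <user> ... enable'."""
        acct = self.accounts[username]
        acct.enabled, acct.failures = True, 0
```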
User Account Configuration
Procedure 5-1 on page 5-4 shows how a super-user creates a new read-write or read-only user
account and sets the password for the account. All other optional parameters are not shown.
Procedure 5-2 on page 5-4 shows how a super-user creates a new super-user account and assigns
it as the emergency access account.
Refer to the CLI Reference for your platform for details about the commands listed below.
This example enables a new user account named “guest” with read-only privileges and allows
access only between 8:00 am and 5:00 pm on Mondays through Wednesdays. The password for
this account is then set, and the configured login accounts are displayed.
C5(su)->set system login guest read-only enable allowed-interval 08:00 17:00
allowed-days Mon Tue Wed
C5(su)->set password guest
Please enter new password: ********
Please re-enter new password: ********
Password changed.
C5(su)->show system login
Username Access State Aging Simul Local Login Access Allowed
Login Only? Start End Days
admin super-user enabled 0 0 no ***access always allowed***
ro read-only enabled 0 0 no ***access always allowed***
rw read-write enabled 0 0 no ***access always allowed***
guest read-only enabled 0 0 no 08:00 17:00 mon tue wed
Procedure 5-2 creates a new super-user account and assigns it as the emergency access user
account. In addition, the default super-user account, admin, is disabled as a security measure.
Procedure 5-1 Creating a New Read-Write or Read-Only User Account
Step 1. Create a new read-write or read-only user login account and enable it. (All other
parameters are optional.)
Command: set system login username {read-write | read-only} enable
Step 2. Set the password for the new account. Respond appropriately to the system prompts.
Command: set password username
Step 3. Display the new user account.
Command: show system login
Step 4. Remove a local login user account, or disable an existing account.
Commands: clear system login username
set system login username disable
Note: You can delete the default admin account, but deletion of the last remaining super-user
account is prevented (that is, a super-user account must be created before the admin account can
be deleted).
If the security mode is C2, the last remaining super-user account must also be set as the
emergency access user in order to allow the default admin account to be deleted.
Procedure 5-2 Configuring a New Super-User / Emergency Access User Account
Step 1. Create a new super-user login account and enable it. (All other parameters are optional.)
Command: set system login username super-user enable
Step 2. Set the password for this account.
Command: set password username
Step 3. Display the login user accounts.
Command: show system login
Step 4. Assign the new super-user account as the emergency access account.
Command: set system lockout emergency-access username
Step 5. Display the system lockout settings.
Command: show system lockout
Step 6. Disable the default super-user account, admin.
Command: set system login admin super-user disable
This example creates a new super-user account named “usersu” and enables it. The password for
this account is set and the configured login accounts are displayed. The new account is assigned
as the emergency access account and the system lockout settings are displayed. Then, the default
super-user account named “admin” is disabled.
C5(su)->set system login usersu super-user enable
C5(su)->set password usersu
Please enter new password: ********
Please re-enter new password: ********
Password changed.
C5(su)->show system login
Username Access State Aging Simul Local Login Access Allowed
Login Only? Start End Days
admin super-user enabled 0 0 no ***access always allowed***
ro read-only enabled 0 0 no ***access always allowed***
rw read-write enabled 0 0 no ***access always allowed***
usersu super-user enabled 0 0 no 00:00 24:00 sun mon tue wed
thu fri sat
guest read-only enabled 0 0 no 00:00 24:00 mon tue wed
C5(su)->set system lockout emergency-access usersu
C5(su)->show system lockout
Unsuccessful login attempts before lockout : 3
Duration of lockout : 15 minutes.
Period of inactivity before account lockout : 0 days
Lockout entire port upon failed logins : disabled
Ports currently locked out due to failed logins : none
Account assigned emergency-access from the console: usersu
C5(su)->set system login admin super-user disable
C5(su)->show system login
Username Access State Aging Simul Local Login Access Allowed
Login Only? Start End Days
admin super-user disabled 0 0 no ***access always allowed***
ro read-only enabled 0 0 no ***access always allowed***
rw read-write enabled 0 0 no ***access always allowed***
usersu super-user enabled 0 0 no 00:00 24:00 sun mon tue wed
Password Management Overview
Individual user account passwords are configured with the set password command. Configured
passwords are transmitted and stored in a one-way encrypted (hashed) form, using a FIPS 140-2
compliant algorithm.
When passwords are entered on the switch using the CLI, the switch automatically suppresses the
clear text representation of the password. In addition, the switch ensures that passwords are not
available in clear text to any user, including administrators.
The switch ensures that the password does not contain, repeat, or reverse the associated
username.
All password changes are logged by the switch.
System Level Password Settings
At the system level, you can configure password requirements with the set system password
command. Among other characteristics, the set system password command allows you to
configure password length, repetition, character usage, password sharing, and aging.
The following list describes in detail the system level password requirements that can be
configured:
•Whether the switch maintains and verifies a password history (from 0 to 10) per account (set
system password history). The previously used passwords for a user account stored in the
password history are checked for duplication when a new password is configured for that
account with the set password command.
•Whether the switch enforces a minimum period of waiting before an existing password can be
updated (set system password change-frequency). An exception to this requirement is the
first time update, which if configured, requires a new user logging in for the first time to
change their password (set system password change-first-login).
–A password change-frequency interval of zero means there is no restriction on the
frequency of password changes.
–A configured minimum change-frequency interval applies only to users without super-user
privileges attempting to change their own passwords. Users with super-user privileges may
change their passwords at any time.
•Whether the switch allows multiple accounts to share the same password (set system
password allow-duplicates).
•Whether the switch enforces a minimum number of characters required for passwords (set
system password length).
•Whether the switch allows the same character to appear consecutively in the same password
(set system password allow-repeating-chars).
•Whether the switch enforces a configurable minimum number of characters of a specific type
that must be present in a user account password (set system password min-required-chars).
The following types are supported:
–Upper case characters (default 0)
–Lower case characters (default 0)
–Numeric characters (default 0)
–Special characters (default 0)
The set of special characters recognized is: ! @ # $ % ^ & * ( ) ? = [ ] \ ; ? , . / `
•Whether the switch enforces aging of system passwords.
–The switch can enforce a system-wide default for password aging (set system password
aging).
–The switch can enforce a password aging interval on a per-user basis (set system login
aging).
–The switch can notify users at login that their password will expire in a given number of
days (set system password warning-period).
–The switch can notify a user upon password expiration, but allow a specified additional
number of subsequent logins (1 to 3) within a specified time period (1 to 30 days) before
requiring a new password (set system password grace-period and grace-limit).
•Whether the switch requires that a password be specified at the time of user account creation
(set system password require-at-creation).
–If the option is enabled, the set system login command will interactively prompt for a
password upon creation of a new user account, as if a set password username command
had been implicitly executed. The new account will not be successfully created until a
valid password has been specified.
•Whether the switch performs substring matching to prevent any substring present in previous
account passwords from being used in a new password (set system password
substring-match-len).
–Requires a non-zero password history length.
–0 to 40 characters are supported.
–If the substring-match-len option is set to zero, no substring matching will be performed
when validating new passwords. If it is configured with a nonzero length, any substring of
the specified length appearing in the current password for this user may not appear in a
new password.
If the configured history size is nonzero, then all historical passwords up to that size will
also be compared with the input of the new password. Any substring of the configured
length appearing in any of the historical passwords may not be used in the new password.
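The password rules in this list, applied in Python as an added example that is not Enterasys code; the policy field names mirror the set system password options, and the sample policy and passwords are constructed.

```python
"""Password checks modelled on the 'set system password' and 'set password' rules above.

Added example, not Enterasys code. It applies the rules as the guide states them: minimum
length, consecutive repeated characters, per-type minimums using the guide's special
character set, no password that contains or reverses the username, no reuse of a password
in the history, and substring matching against the current and remembered passwords.
The policy values and passwords are constructed; the plaintext history is a simplification,
since the switch stores passwords in one-way encrypted form.
"""
from dataclasses import dataclass

# Special characters the guide lists for min-required-chars.
SPECIAL_CHARS = set("!@#$%^&*()?=[]\\;,./`")


@dataclass
class PasswordPolicy:
    """System-level settings; field names follow the set system password options."""
    length: int = 8                  # normal-mode default minimum length
    allow_repeating_chars: bool = True
    min_upper: int = 0               # min-required-chars, one per type
    min_lower: int = 0
    min_numeric: int = 0
    min_special: int = 0
    history: int = 0                 # previous passwords remembered, 0 to 10
    substring_match_len: int = 0     # 0 disables substring matching, up to 40


def _substrings(text: str, n: int) -> set:
    return {text[i:i + n] for i in range(len(text) - n + 1)}


def check_password(policy, username, new_pw, current_pw=None, history=()):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(new_pw) < policy.length:
        problems.append(f"shorter than {policy.length} characters")
    if not policy.allow_repeating_chars and any(a == b for a, b in zip(new_pw, new_pw[1:])):
        problems.append("same character appears consecutively")
    counts = {
        "upper": sum(c.isupper() for c in new_pw),
        "lower": sum(c.islower() for c in new_pw),
        "numeric": sum(c.isdigit() for c in new_pw),
        "special": sum(c in SPECIAL_CHARS for c in new_pw),
    }
    minimums = {"upper": policy.min_upper, "lower": policy.min_lower,
                "numeric": policy.min_numeric, "special": policy.min_special}
    for kind, needed in minimums.items():
        if counts[kind] < needed:
            problems.append(f"needs at least {needed} {kind} character(s)")
    # The switch rejects a password that contains, repeats or reverses the username.
    user, pw = username.lower(), new_pw.lower()
    if user in pw:
        problems.append("contains the username")
    elif user[::-1] in pw:
        problems.append("contains the reversed username")
    # History: the current password and the last `history` passwords may not be reused.
    remembered = list(history)[-policy.history:] if policy.history else []
    if new_pw == current_pw or new_pw in remembered:
        problems.append("found in password history")
    # Substring matching: no substring of the configured length may be shared with the
    # current password, or with any remembered password when history is non-zero.
    n = policy.substring_match_len
    if n:
        for old in ([current_pw] if current_pw else []) + remembered:
            if _substrings(old, n) & _substrings(new_pw, n):
                problems.append(f"shares a {n}-character substring with a previous password")
                break
    return problems
```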
Password feature behavior and defaults differ depending on the security mode of the switch. For
information about security modes and profiles, see Chapter 26, Configuring Security Features.
See Table 5-1 on page 5-7 for a list of account and password defaults by security mode.
Procedure 5-3 on page 5-8 describes the commands used to configure system password settings.
Defaults
The default values for user account and password parameters are listed in the following table by
the security mode of the switch.
Table 5-1 User Account and Password Parameter Defaults by Security Mode
Parameter                                               Normal Mode Default         C2 Mode Default
Password history                                        0 (no history)              8 previous passwords
Password change frequency                               0 (no waiting)              1440 minutes (24 hours)
Minimum number of characters in password                8                           9
Allow consecutively repeating characters in password    yes                         2 characters
Aging of system passwords                               disabled                    90 days
Password required at time of new user account creation  no                          yes
Substring matching at password validation               0 (no checking)             0 (no checking)
New users required to change password at first log in   no                          yes
Lockout based on inactivity                             0 (no inactivity checking)  90 days of inactivity
Lockout based on failed login attempts                  3 failed attempts           3 failed attempts
Lockout period duration after unsuccessful logins       15 minutes                  1 minute
Grace period after password expiration                  0                           30 days
Grace login limit                                       0                           3
Warning period                                          20 days                     20 days
System Password Settings Configuration
Refer to the CLI Reference for your platform for detailed information about the commands listed
below in Procedure 5-3.
Procedure 5-3 Configuring System Password Settings
StepTaskCommand(s)
1.Configure system level password settings.
All parameters are optional but at least one must
Password Reset Button Functionality
When the password reset button functionality is enabled with the set system password-reset-button
enable command, pressing the password reset button causes the admin account, with its default
values, to be restored on the switch.
•If the admin account has been disabled, it will be re-enabled.
•If the admin account has been deleted, it will be restored on the switch with default values.
When the password reset button functionality is disabled by means of the set system
password-reset-button disable command, pressing the reset button will have no effect. The password
reset button is enabled by default.
Management authentication notification MIB functionality includes enabling/disabling the
sending of SNMP notifications when a user login authentication event occurs for various
authentication notification types.
SNMP must be correctly configured in order to send these notifications. Refer to Chapter 12,
Configuring SNMP, for more information about SNMP.
Use the set mgmt-auth-notify command to enable or disable notifications for the authentication
notification types specified in the Enterasys Management Authentication Notification MIB.
You can specifically enable or disable a single authentication notification type, multiple
authentication notification types or all the authentication notification types. The default setting is
that all Management Authentication Notification types are enabled for authentication
notifications.
When enabled for console, SSH, Telnet, or Webview, the switch will send an SNMP notification for
every successful and failed login attempt.
Use the clear mgmt-auth-notify command to return all current settings to the default state of enabled.
C5(su)->set mgmt-auth-notify disable web inactiveUser
6
Firmware Image and File Management
This chapter describes how to download and install a firmware image file and how to save and
display the system configuration as well as manage files on the switch.
Managing the Firmware Image
This section describes how to download a firmware image, set the firmware to be used at system
startup, revert to a previous image, and set TFTP parameters.
Downloading a Firmware Image
You can upgrade the operational firmware in the stackable or standalone switch without
physically opening the switch or being in the same location. There are two ways to download
firmware to the switch:
•Via TFTP or SFTP download. This procedure uses a TFTP or SFTP server connected to the
network and downloads the firmware using the TFTP or SFTP protocol. For details on how to
perform a TFTP or SFTP download using the copy command, refer to “Downloading from a
TFTP or SFTP Server” on page 6-2. For information on setting TFTP timeout and retry
parameters, refer to “Setting TFTP Parameters” on page 6-4.
•Via the serial (console) port. This procedure is an out-of-band operation that copies the
firmware through the serial port to the switch using an XMODEM transfer. It should be used
in cases when you cannot connect to the switch to perform the in-band copy download
procedure via TFTP. Serial console download has been successfully tested with the following
applications which support XMODEM transfer:
–HyperTerminal
–Tera Term Pro
Any other terminal applications may work but are not explicitly supported.
Refer to “Downloading Firmware via the Serial Port” on page 1-10 for instructions.
The stackable and standalone fixed switches allow you to download and store dual images. The
backup image can be downloaded and selected as the startup image by using the commands
described in this section.
For information about...                    Refer to page...
Managing the Firmware Image                 6-1
Managing Switch Configuration and Files     6-4
Downloading from a TFTP or SFTP Server
This procedure assumes that the switch or stack of switches has been assigned an IP address and
that it is connected to the network. It also assumes that the network has a TFTP or SFTP server to
which you have access. If these assumptions are not true, please refer to Chapter 1, Setting Up a
Switch for the First Time for more information.
To perform a TFTP or SFTP download:
1.Download to your computer the latest firmware for the switch from the Enterasys web site.
Unzip/uncompress the firmware, and copy the firmware to the upload/download directory
configured for your TFTP server. The firmware is available at this Enterasys location:
https://extranet.enterasys.com/downloads
2.Review the Release Notes for the downloaded firmware to check for any upgrade notices or
limitations that may apply to your switch.
3.Using Telnet or SSH, establish a CLI session on the switch and log in.
4.From the CLI session, use the copy command to download the new image file from the TFTP
or SFTP server to the switch. For example:
If you receive the error message “Error: No space left on the device. Please remove backup
file.”, refer to “Deleting a Backup Image File” on page 1-5 before proceeding.
5.After the copy is complete, use the dir command to confirm that the new image file has been
copied. The following example shows that the firmware image “a4-series_06.61.03.0007” was
copied to the switch but that firmware image “a4-series_06.61.00.0026” is still the active and
boot image.
6.To set the new image to the boot image, refer to “Setting the Boot Firmware” on page 6-3
below.
6-2 Firmware Image and File Management
Fixed Switch Configuration Guide 6-3
Setting the Boot Firmware
Use the show boot system command to display the image file currently configured to be loaded at
startup. For example:
A4(su)->show boot system
Current system image to boot: a4-series_06.61.00.0026
Use the set boot system command to set the firmware image to be loaded at startup. You can
choose to reset the system to use the new firmware image immediately, or you can choose to only
specify the new image to be loaded the next time the switch is rebooted. For example:
A4(su)->set boot system a4-series_06.61.03.0007
This command can optionally reset the system to boot the new image.
Do you want to reset now (y/n) [n]
If you respond y (yes), the system will reboot immediately using the new image, and the new
image will be the active image. If you respond n (no), the new image will be set as the Boot image
but the currently Active image will remain active.
You can use the dir command to display the “Active” image and the “Boot” image, which will be
the image loaded at the next system reboot.
Reverting to a Previous Image
In the event that you need to downgrade to a previous version of code, you can do so by
completing the steps described below.
1. Save your running configuration with the save config command.
2. Make a copy of the current configuration with the show config outfile configs/filename
command. Use the dir command to confirm that the file was created.
3. If desired, copy the file to a remote TFTP server with the copy command:
4. If necessary, load the previous version of code on the device, as described in “Downloading a
Firmware Image” (page 6-1).
5. Set this older version of code to be the boot code with the set boot system command. When
the system asks if you want to reset the device, specify no (n).
6. Reload the saved configuration onto the device with the configure command. Do not use the
append parameter. You will be prompted to respond whether you want to reset the system.
Enter y (yes).
configure configs/<filename>
This command will reset the system and clear current configuration.
Are you sure you want to continue (y/n) [n]? y
7.After the system resets, establish a new CLI session with the switch and log in.
Note: If you are changing the firmware image to a version earlier than the current version, refer to
“Reverting to a Previous Image” on page 6-3 for the correct steps to follow.
Caution: Before reverting to a previous image, always back up your configuration by saving it to a
file with the show config outfile command. You can then copy the file to a remote location with the
copy command. Refer to “Creating a Backup Configuration File” on page 6-6 for more information.
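Both the download procedure and the reverting procedure above turn on whether the new image is newer or older than the active one, and the Note warns that a downgrade needs different steps. The following added example (not Enterasys code) parses the image-name format and the show boot system output shown in this chapter to classify the change and to flag a boot image that already differs from the active one; the active image name is supplied by the operator, since the dir output is not reproduced here.

```python
"""Pre-flight check before 'set boot system' on an Enterasys fixed switch:
tell an upgrade from a downgrade (which needs the 'Reverting to a Previous
Image' steps) and spot a boot image that already differs from the active one.
Added example, not Enterasys code; assumes only the formats shown in this chapter."""
import re
from typing import Dict, Optional, Tuple

# Image names in this chapter look like a4-series_06.61.03.0007.
IMAGE_RE = re.compile(r"^(?P<platform>[a-z0-9]+-series)_(?P<version>\d+(?:\.\d+)+)$")

# Constructed sample of 'show boot system' output, in the format shown above.
SHOW_BOOT = """A4(su)->show boot system
Current system image to boot: a4-series_06.61.00.0026
"""

def parse_image_name(name: str) -> Tuple[str, Tuple[int, ...]]:
    """'a4-series_06.61.03.0007' -> ('a4-series', (6, 61, 3, 7))."""
    match = IMAGE_RE.match(name.strip())
    if not match:
        raise ValueError(f"unrecognised image name: {name!r}")
    version = tuple(int(part) for part in match.group("version").split("."))
    return match.group("platform"), version

def boot_image_from_show_boot(output: str) -> Optional[str]:
    """Return the image named on the 'Current system image to boot:' line."""
    for line in output.splitlines():
        if line.strip().startswith("Current system image to boot:"):
            return line.split(":", 1)[1].strip()
    return None

def classify_change(active: str, candidate: str) -> str:
    """'upgrade', 'downgrade' or 'same'; an image for another platform is refused."""
    plat_a, ver_a = parse_image_name(active)
    plat_c, ver_c = parse_image_name(candidate)
    if plat_a != plat_c:
        raise ValueError(f"image is for {plat_c}, but the switch runs {plat_a}")
    if ver_c > ver_a:
        return "upgrade"
    return "downgrade" if ver_c < ver_a else "same"

def preflight(show_boot: str, active: str, candidate: str) -> Dict[str, object]:
    """Summarise what to do before 'set boot system <candidate>'."""
    change = classify_change(active, candidate)
    boot = boot_image_from_show_boot(show_boot)
    advice = {
        "upgrade": "set boot system <candidate>; answer y to reset now or n to reset later",
        "downgrade": "back up the configuration with 'show config outfile', then follow "
                     "'Reverting to a Previous Image' and answer n at the reset prompt",
        "same": "the candidate is already the active image; nothing to do",
    }[change]
    # A boot image that differs from the active one means a reset is already pending.
    return {"change": change, "boot_image": boot,
            "pending_reboot": boot is not None and boot != active, "advice": advice}
```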
Managing Switch Configuration and Files
Setting TFTP Parameters
You can configure some of the settings used by the switch during data transfers using TFTP.
Use the show tftp settings command to display current settings.
Use the set tftp timeout command to configure how long TFTP will wait for a reply of either an
acknowledgement packet or a data packet during a data transfer. The default value is 2 seconds.
Use the set tftp retry command to configure how many times TFTP will resend a packet, either an
acknowledgement packet or a data packet. The default value is 5 retries.
Use the clear tftp timeout and clear tftp retry commands to reset configured values back to their
defaults.
Configuration Persistence Mode
The default state of configuration persistence mode is “auto,” which means that when CLI
configuration commands are entered, or when a configuration file stored on the switch is
executed, the configuration is saved to NVRAM automatically at the following intervals:
• On a standalone unit, the configuration is checked every two minutes and saved if there has
been a change.
• On a stack, the configuration is saved across the stack every 5 minutes if there has been a
change.
If you want to save a running configuration to NVRAM more often than the automatic intervals,
execute the save config command and wait for the system prompt to return. After the prompt
returns, the configuration will be persistent.
Use the show snmp persistmode command to display the current persistence mode. You can
change the persistence mode from “auto” to “manual” with the set snmp persistmode command.
If the persistence mode is set to “manual,” configuration commands will not be automatically
written to NVRAM. Although the configuration commands will actively modify the running
configuration, they will not persist across a reset unless the save config command has been
executed.
Caution: If you do not follow the steps above, you may lose remote connectivity to the switch.
Note: When your device is configured for manual SNMP persistence mode, and you attempt to
change the boot system image, the device will not prompt you to save changes or warn you that
changes will be lost.
Note: If a memory card is installed on an I-Series switch, “auto” persistence mode is not supported.
Refer to Using an I-Series Memory Card below for more information.
Using an I-Series Memory Card
The I3H-4FX-MEM and I3H-6TX-MEM IOMs provide a memory card slot where a small,
separately-purchased memory card (I3H-MEM) may be inserted. The memory card provides a
removable, non-volatile means for storing the system configuration and IP address only, and may
be used to move the system’s configuration to another switch.
The memory card is hot-swappable. If a card is already installed in the switch, when the memory
slot cover plate is removed, power is automatically removed from the slot. Once power has been
removed from the slot, power will not be returned until the switch is rebooted with a memory
card in the slot.
Refer to your I-Series Installation Guide for information about inserting and removing memory
cards.
Memory Card Operation
When an I-Series switch is initialized (booted up), the configuration stored on an installed
memory card will overwrite the configuration saved in NVRAM. If no configuration is contained
on an installed memory card, the activity LED will flash briefly and the boot up will continue
without overwriting the configuration in NVRAM.
If a memory card is inserted into a running system (hot swapped), the configuration stored on the
memory card will not be applied until the system is rebooted.
When a memory card is installed:
• The save config command must be used to save the current configuration to both NVRAM
and to the memory card, since “auto” persistence mode is not supported when a card is
present.
• The clear config command will simultaneously delete the current configuration from both
NVRAM and the memory card.
• The show config command can display the configuration on the memory card or on NVRAM.
Note that only the system configuration can be stored on the memory card—no files can be stored
on the card. The copy command should be used to upload files to the switch.
Displaying and Saving the Configuration and Creating a Backup
Use the save config command to save the running configuration. On a stacked system, this
command will save the configuration to all switch members in a stack.
Use the show config command to
• Display the system configuration
• Write the configuration to a file
Note: Only one IOM containing a memory card slot may be installed in an I-Series switch.
Note: The I-Series memory card is not interchangeable with a standard Compact Flash card. A
standard Compact Flash card will not work in the I-Series switch, and the I-Series memory card
cannot be used in place of a Compact Flash card in other systems.
Displaying the Configuration
Executing show config without any parameters will display all the non-default configuration
settings. Using the all parameter will display all default and non-default configuration settings.
To display non-default information about a particular section of the configuration, such as port or
system configuration, use the name of the section (or facility) with the command. For example, to
show the configuration of the “system” facility:
C5(su)->show config system
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
#system
set system name "LAB C5"
set system location "Second Floor South"
set system contact "John Smith"
!
!
end
On the I-Series, you can display the configuration information on a memory card with the show
config memcard command. If a memory card is not installed, a message indicating that the
memory card could not be accessed is displayed.
Creating a Backup Configuration File
You can create a copy of the system configuration using the show config outfile command. This
configuration file can then be copied to a remote location to be used as a backup configuration file
if needed.
This example:
• Saves the currently running configuration,
• Saves the configuration to a file named “myconfig” in the “configs” directory on the switch,
• Verifies the location of the file with the dir command,
• Then copies that file to a remote TFTP server on the network.
When saving a configuration to a file, save only the non-default values — that is, do not use the all
parameter with show config outfile. Including default values is unnecessary and will make the
configuration file very large.
You can write only a section of a system configuration to a file by using the facility parameter with
show config outfile.
To use a backup configuration file, refer to “Reverting to a Previous Image” on page 6-3 and
“Applying a Saved Configuration” on page 6-7 below.
Applying a Saved Configuration
Use the configure command to execute a configuration file stored on the switch. You can append
the file to the current configuration, to make incremental adjustments to the current configuration,
or you can replace the current configuration with the contents of the file. When you replace the
current configuration, an automatic reset of the system is required.
This example appends the file “myconfig” located in the configs directory to the current running
configuration:
B5(su)->configure configs/myconfig append
This example replaces the current configuration with the contents of the “myconfig” file. After the
system resets, you will have to establish another CLI session and log in to the system again.
B5(su)->configure configs/myconfig
This command will reset the system and clear current configuration.
Are you sure you want to continue (y/n) [n]? y
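For the backup workflow in “Displaying the Configuration” and “Creating a Backup Configuration File”, this added example (not Enterasys code) parses show config output in the layout shown above and reports which lines differ between a saved backup and the running configuration, which is how an operator checks for configuration drift before a reset. The two sample configurations are constructed, and the set snmp persistmode manual line is an assumption about how manual persistence mode appears in show config output.

```python
"""Diff a saved 'show config outfile' backup against current 'show config'
output to spot configuration drift on an Enterasys fixed switch. Added
example, not Enterasys code; it assumes only the layout shown above
('#facility' headers, 'set ...' lines, '!' separators and 'end')."""
from typing import Dict, List

# Constructed sample: a backup taken earlier with 'show config outfile'.
BACKUP = """#system
set system name "LAB C5"
set system location "Second Floor South"
set system contact "John Smith"
!
end
"""

# Constructed sample: today's 'show config' output, prompt and banner included.
CURRENT = """C5(su)->show config
This command shows non-default configurations only.
#system
set system name "LAB C5"
set system location "Second Floor South"
set system contact "Jane Doe"
!
#snmp
set snmp persistmode manual
!
end
"""

def parse_show_config(text: str) -> Dict[str, set]:
    """Group config lines by facility; skip prompt, banner, '!' and 'end'."""
    facilities: Dict[str, set] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            current = line[1:].strip()
            facilities.setdefault(current, set())
        elif current is not None and line and line not in ("!", "end"):
            facilities[current].add(line)  # text before the first header is banner
    return facilities

def diff_configs(backup: Dict[str, set],
                 current: Dict[str, set]) -> Dict[str, Dict[str, List[str]]]:
    """Per facility, the lines added to and removed from the backup."""
    drift = {}
    for facility in sorted(set(backup) | set(current)):
        old, new = backup.get(facility, set()), current.get(facility, set())
        if old != new:
            drift[facility] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return drift

def persistence_is_manual(config: Dict[str, set]) -> bool:
    """Manual persistence: running changes are lost on reset unless 'save config' was run."""
    return "set snmp persistmode manual" in config.get("snmp", set())
```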
Managing Files
Table 6-1 lists the tasks and commands used to manage files.
Table 6-1 File Management Commands
Task: List all the files stored on the system, or only a specific file.
Command: dir [filename]
Task: Display the system configuration. On I-Series only, display contents of memory card.
Command: show config [all | facility | memcard]
Task: Display the contents of a file located in the configs or logs directory.
Command: show file directory/filename
Task: Delete a file. Can be used to delete image files as well as files in the configs and logs
directories.
Command: delete directory/filename
Task: Copy the configuration or sections of the configuration to a file.
Command: show config [facility] outfile configs/filename
7 Configuring System Power and PoE
This chapter describes how to configure Redundant Power Supply mode on the C5 and G-Series
switches, and how to configure Power over Ethernet (PoE) on platforms that support PoE.
The information about Power over Ethernet (PoE) applies only to fixed switching platforms that
provide PoE support. PoE is not supported on the I-Series switches.
For information about...                    Refer to page...
Configuring Redundant Power Supplies        7-1
Power over Ethernet Overview                7-1
Configuring PoE                             7-4
Configuring Redundant Power Supplies
Note: This feature is supported by the C5 and G-Series switches only.
When a C5 or G-Series switch is connected to a redundant power supply, two modes of power
supply operation are supported:
• Redundant mode, in which the power made available to the system is equal to the maximum
output of the lowest rated supply. (This is the default mode.) When two supplies are installed
in redundant mode, system power redundancy is guaranteed if one supply is lost.
• Non-redundant, or additive, mode, in which the combined output of both supplies is made
available to the system. In this mode, the loss of a single supply may result in a system reset.
Power supply redundancy mode can be configured with the set system power command.
On G-Series switches, power supply LEDs visible on the front panel of the switch indicate
whether the power supplies are present and, if two are present, whether they are in redundant or
additive (non-redundant) mode. Refer to your G-Series Hardware Installation Guide for more
information.
Power over Ethernet Overview
PoE, defined in IEEE standards 802.3af and 802.3at, refers to the ability to provide 48 Vdc (for
802.3af) or 54 Vdc (for 802.3at) operational power through an Ethernet cable from a switch or
other device that can provide a PoE-compliant port connection to a powered device (PD).
Examples of PDs are the following:
• Voice over IP devices such as PoE-compliant digital telephones
• Pan/Tilt/Zoom (PTZ) IP surveillance cameras
• Devices that support Wireless Application Protocol (WAP) such as wireless access points
Ethernet implementations employ differential signals over twisted pair cables. This requires a
minimum of two twisted pairs for a single physical link. Both ends of the cable are isolated with
transformers blocking any DC or common mode voltage on the signal pair. PoE exploits this fact
by using two twisted pairs as the two conductors to supply a direct current to a PD. One pair
carries the power supply current and the other pair provides a path for the return current.
Using PoE allows you to operate PDs in locations without local power (that is, without AC
outlets). Having such a network setup can reduce the costs associated with installing electrical
wiring and AC outlets to power the various devices.
Implementing PoE
You can configure PoE on your PoE-compliant Enterasys device through the CLI-based
procedures presented in the section “Configuring PoE” on page 7-4. As part of your plan to
implement PoE in your network, you should ensure the following:
• The power requirements of your PDs are within the limits of the PoE standards.
• Your PoE-compliant Enterasys device can supply enough power to run your PDs. See
Table 7-1 for power ranges based on each device class.
If SNMP traps are enabled, the Enterasys device generates a trap to notify the network
administrator if any of the following occur:
• The power needed or requested exceeds the power available.
• A PD changes power state (for example, when a PD is powered up or unplugged).
If insufficient power is available for an attached PD, the corresponding port LED on the Enterasys
device turns amber. The LED also turns amber if a PoE fault occurs (for example, a short in the
Ethernet cable).
Allocation of PoE Power to Modules
The switch firmware determines the power available for PoE based on hardware configuration,
power supply status, and power supply redundancy mode. The system calculates and reserves the
correct amount of power required by the installed hardware components and then makes the
Table 7-1 PoE Powered Device Classes
Class   Power Output at Port       Power Range Used by Device
0       15.4 watts                 0.44 to 12.95 watts
1       4.0 watts                  0.44 to 3.84 watts
2       7.0 watts                  3.84 to 6.49 watts
3       15.4 watts                 6.49 to 12.95 watts
4       34 watts (802.3at)         12.95 to 25.5 watts (802.3at)
        Reserved (802.3af)         Treat as class 0 (802.3af)
Note: This feature is available only on the G-Series.