Enterasys C5G124-24 Configuration manual

Enterasys®
Fixed Switching
Configuration Guide
Firmware 6.61.xx and Higher
P/N 9034662-02
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.
Enterasys Networks, Inc. 50 Minuteman Road Andover, MA 01810
© 2012 Enterasys Networks, Inc. All rights reserved.
Part Number: 9034662-02 October 2012
ENTERASYS, ENTERASYS NETWORKS, ENTERASYS SECURE NETWORKS, NETSIGHT, ENTERASYS NETSIGHT, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and/or other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
Documentation URL: https://extranet.enterasys.com/downloads/
Enterasys Networks, Inc. Firmware License Agreement
BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT,
CAREFULLY READ THIS LICENSE AGREEMENT.
This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc., on behalf of itself and its Affiliates (as hereinafter defined) (“Enterasys”) that sets forth Your rights and obligations with respect to the Enterasys software program/firmware (including any accompanying documentation, hardware or media) (“Program”) in the package and prevails over any additional, conflicting or inconsistent terms and conditions appearing on any purchase order or other document submitted by You. “Affiliate” means any person, partnership, corporation, limited liability company, other form of enterprise that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the party specified. This Agreement constitutes the entire understanding between the parties, with respect to the subject matter of this Agreement. The Program may be contained in firmware, chips or other media.
BY INSTALLING OR OTHERWISE USING THE PROGRAM, YOU REPRESENT THAT YOU ARE AUTHORIZED TO ACCEPT THESE TERMS ON BEHALF OF THE END USER (IF THE END USER IS AN ENTITY ON WHOSE BEHALF YOU ARE AUTHORIZED TO ACT, “YOU” AND “YOUR” SHALL BE DEEMED TO REFER TO SUCH ENTITY) AND THAT YOU AGREE THAT YOU ARE BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES, AMONG OTHER PROVISIONS, THE LICENSE, THE DISCLAIMER OF WARRANTY AND THE LIMITATION OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT OR ARE NOT AUTHORIZED TO ENTER INTO THIS AGREEMENT, ENTERASYS IS UNWILLING TO LICENSE THE PROGRAM TO YOU AND YOU AGREE TO RETURN THE UNOPENED PRODUCT TO ENTERASYS OR YOUR DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT FOR A FULL REFUND.
IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS, LEGAL DEPARTMENT AT (978) 684-1000.
You and Enterasys agree as follows:
1. LICENSE. You have the non-exclusive and non-transferable right to use only the one (1) copy of the Program provided in this package subject to the terms and conditions of this Agreement.
2. RESTRICTIONS. Except as otherwise authorized in writing by Enterasys, You may not, nor may You permit any third party to:
(a) Reverse engineer, decompile, disassemble or modify the Program, in whole or in part, including for reasons of error correction or interoperability, except to the extent expressly permitted by applicable law and to the extent the parties shall not be permitted by that applicable law, such rights are expressly excluded. Information necessary to achieve interoperability or correct errors is available from Enterasys upon request and upon payment of Enterasys’ applicable fee.
(b) Incorporate the Program in whole or in part, in any other product or create derivative works based on the Program, in whole or in part.
(c) Publish, disclose, copy, reproduce or transmit the Program, in whole or in part.
(d) Assign, sell, license, sublicense, rent, lease, encumber by way of security interest, pledge or otherwise transfer the Program, in whole or in part.
(e) Remove any copyright, trademark, proprietary rights, disclaimer or warning notice included on or embedded in any part of the Program.
3. APPLICABLE LAW. This Agreement shall be interpreted and governed under the laws and in the state and federal courts of the Commonwealth of Massachusetts without regard to its conflicts of laws provisions. You accept the personal jurisdiction and venue of the Commonwealth of Massachusetts courts. None of the 1980 United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement.
4. EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the product is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.
If the Program is exported from the United States pursuant to the License Exception CIV under the U.S. Export Administration Regulations, You agree that You are a civil end user of the Program and agree that You will use the Program for civil end uses only and not for military purposes.
If the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in Section 1 or 2 of this Agreement, You agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Cambodia, Cuba, Georgia, Iraq, Kazakhstan, Laos, Libya, Macau, Moldova, Mongolia, North Korea, the People’s Republic of China, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List.
5. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Program (i) was developed solely at private expense; (ii) contains “restricted computer software” submitted with restricted rights in accordance with section 52.227-19 (a) through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program is considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein.
6. DISCLAIMER OF WARRANTY. EXCEPT FOR THOSE WARRANTIES EXPRESSLY PROVIDED TO YOU IN WRITING BY ENTERASYS, ENTERASYS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT WITH RESPECT TO THE PROGRAM. IF IMPLIED WARRANTIES MAY NOT BE DISCLAIMED BY APPLICABLE LAW, THEN ANY IMPLIED WARRANTIES ARE LIMITED IN DURATION TO THIRTY (30) DAYS AFTER DELIVERY OF THE PROGRAM TO YOU.
7. LIMITATION OF LIABILITY. IN NO EVENT SHALL ENTERASYS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM, EVEN IF ENTERASYS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS FOREGOING LIMITATION SHALL APPLY REGARDLESS OF THE CAUSE OF ACTION UNDER WHICH DAMAGES ARE SOUGHT.
THE CUMULATIVE LIABILITY OF ENTERASYS TO YOU FOR ALL CLAIMS RELATING TO THE PROGRAM, IN CONTRACT, TORT OR OTHERWISE, SHALL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID TO ENTERASYS BY YOU FOR THE RIGHTS GRANTED HEREIN.
8. AUDIT RIGHTS. You hereby acknowledge that the intellectual property rights associated with the Program are of critical value to Enterasys, and, accordingly, You hereby agree to maintain complete books, records and accounts showing (i) license fees due and paid, and (ii) the use, copying and deployment of the Program. You also grant to Enterasys and its authorized representatives, upon reasonable notice, the right to audit and examine during Your normal business hours, Your books, records, accounts and hardware devices upon which the Program may be deployed to verify compliance with this Agreement, including the verification of the license fees due and paid Enterasys and the use, copying and deployment of the Program. Enterasys’ right of examination shall be exercised reasonably, in good faith and in a manner calculated to not unreasonably interfere with Your business. In the event such audit discovers non-compliance with this Agreement, including copies of the Program made, used or deployed in breach of this Agreement, You shall promptly pay to Enterasys the appropriate license fees. Enterasys reserves the right, to be exercised in its sole discretion and without prior notice, to terminate this license, effective immediately, for failure to comply with this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.
9. OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the Program constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement reasonable security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to the Program shall remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved to Enterasys.
10. ENFORCEMENT. You acknowledge and agree that any breach of Sections 2, 4, or 9 of this Agreement by You may cause Enterasys irreparable damage for which recovery of money damages would be inadequate, and that Enterasys may be entitled to seek timely injunctive relief to protect Enterasys’ rights under this Agreement in addition to any and all remedies available at law.
11. ASSIGNMENT. You may not assign, transfer or sublicense this Agreement or any of Your rights or obligations under this Agreement, except that You may assign this Agreement to any person or entity which acquires substantially all of Your stock assets. Enterasys may assign this Agreement in its sole discretion. This Agreement shall be binding upon and inure to the benefit of the parties, their legal representatives, permitted transferees, successors and assigns as permitted by this Agreement. Any attempted assignment, transfer or sublicense in violation of the terms of this Agreement shall be void and a breach of this Agreement.
12. WAIVER. A waiver by Enterasys of a breach of any of the terms and conditions of this Agreement must be in writing and will not be construed as a waiver of any subsequent breach of such term or condition. Enterasys’ failure to enforce a term upon Your breach of such term shall not be construed as a waiver of Your breach or prevent enforcement on any other occasion.
13. SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired thereby, and that provision shall be reformed, construed and enforced to the maximum extent permissible. Any such invalidity, illegality, or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction.
14. TERMINATION. Enterasys may terminate this Agreement immediately upon Your breach of any of the terms and conditions of this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.
Contents
Chapter 1: Setting Up a Switch for the First Time
Before You Begin
Connecting to the Switch
Downloading New Firmware
Deleting a Backup Image File
Additional Configuration Tasks
Setting User Accounts and Passwords
Controlling In-band Access to the Switch
Changing SNMP Defaults
Saving the Configuration and Connecting Devices
Configuring a Stack of New Switches
Where to Go Next
Getting Help
Downloading Firmware via the Serial Port
Chapter 2: Configuring Switches in a Stack
About Switch Operation in a Stack
Stack Initialization
Configuration Management
Installing a New Stackable System of Up to Eight Units
Installing Previously-Configured Systems in a Stack
Adding a New Unit to an Existing Stack
Removing Units from an Existing Stack
Stack Disruption Times
Creating a Virtual Switch Configuration
Example
Considerations About Using “clear config” in a Stack
Configuring Standalone A4 Stack Ports
When Uplink Ports are Configured as Ethernet Ports
Chapter 3: CLI Basics
Switch Management Methods
Using the Command Line Interface
Starting a CLI Session
Connecting Using the Console Port
Connecting Using Telnet or SSH
Logging In
Using a Default User Account
Using an Administratively Configured User Account
Clearing and Closing the CLI
Navigating the Command Line Interface
Getting Help with CLI Syntax
CLI Command Defaults Descriptions
CLI Command Modes
Performing Keyword Lookups
Displaying Scrolling Screens
Abbreviating and Completing Commands
Basic Line Editing Commands
Configuring CLI Properties
Example CLI Properties Configuration
CLI Properties Display Commands
Chapter 4: System Configuration
Factory Default Settings
Initial Configuration Overview
Advanced Configuration Overview
Licensing Advanced Features
License Implementation Differences
Node-Locked Licensing
Non-Node-Locked Licensing
Licensing in a Stack Environment
Applying Node-Locked Licenses in a Stack
Applying Non-Node-Locked Licenses in a Stack
Adding a New Member to a Licensed Stack
Displaying and Clearing Licenses
SNTP Configuration
Unicast Polling Mode
Broadcast Listening Mode
SNTP Authentication
Authentication Key and Trusted Key List
SNTP Defaults
Configuring SNTP
SNTP Configuration Example
DHCP Configuration
DHCP Relay Agent
DHCP Server
IP Address Pools
Automatic IP Address Pools
Manual IP Address Pools
Configuring a DHCP Server
DHCP Configuration on a Non-Routing System
DHCP Configuration on a Routing System
Managing and Displaying DHCP Server Parameters
DHCP Server Defaults
Configuring DHCP IP Address Pools
Automatic IP Address Pool Configuration
Manual IP Pool Configuration
Configuring Additional Pool Parameters
Telnet Overview
Configuring Telnet
SSH Overview
Configuring SSH
MAC Address Settings
Age Time
Limiting MAC Addresses to Specific VLANs
Setting the MAC Algorithm Mode
New MAC Address Detection
Configuring Node Aliases
Chapter 5: User Account and Password Management
User Account Overview
Emergency Access User Account
Account Lockout
Port Lockout
User Account Configuration
Password Management Overview
System Level Password Settings
Defaults
System Password Settings Configuration
Password Reset Button Functionality
Management Authentication Notification MIB Functionality
Chapter 6: Firmware Image and File Management
Managing the Firmware Image
Downloading a Firmware Image
Downloading from a TFTP or SFTP Server
Setting the Boot Firmware
Reverting to a Previous Image
Setting TFTP Parameters
Managing Switch Configuration and Files
Configuration Persistence Mode
Using an I-Series Memory Card
Memory Card Operation
Displaying and Saving the Configuration and Creating a Backup
Displaying the Configuration
Creating a Backup Configuration File
Applying a Saved Configuration
Managing Files
Chapter 7: Configuring System Power and PoE
Configuring Redundant Power Supplies
Power over Ethernet Overview
Implementing PoE
Allocation of PoE Power to Modules
When Manual Mode is Configured
Management of PoE Power to PDs
Configuring PoE
Stackable A4, B3, and C3 Devices
Stackable B5 and C5 Devices
G-Series Devices
Example PoE Configuration
PoE Display Commands
Chapter 8: Port Configuration
Port Configuration Overview ..................... ......................................................................................................8-1
Port String Syntax Used in the CLI ........... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ..................................................8-1
Examples............................................................................................................................................8-2
Console Port Settings .............................................................................................................................. 8-2
VT100 Terminal Mode........................................................................................................................8-3
Port Settings .............................................................................................................................................8-3
Port Status..........................................................................................................................................8-3
Port Name or Alias .............................................................................................................................8-3
Auto-Negotiation and Advertised Ability .............................................................................................8-4
Port Speed and Duplex Mode ............................................................................................................8-4
MDI / MDIX Cable Type......................................................................................................................8-4
Port Flow Control................................................................................................................................8-5
Jumbo Frame Support........................................................................................................................8-5
Broadcast Suppression Threshold .....................................................................................................8-5
Protected Port Mode...........................................................................................................................8-6
Displaying Port Status ..............................................................................................................................8-6
Displaying Cable Status .....................................................................................................................8-7
Configuring SFP Ports for 100BASE-FX ..................................................................................................8-7
Example..............................................................................................................................................8-8
Configuring Port Link Flap Detection ..............................................................................................................8-8
Basic Link Flap Detection Configuration .................................................................................................. 8-9
Example .................................................................................................................................................8-10
Link Flap Detection Display Commands ................................................................................................8-11
Transmit Queue Monitoring .......................................................................................................................... 8-11
Port Mirroring ............................................................................................................................................... 8-12
Mirroring Features ..................................................................................................................................8-12
Configuring Port Mirroring ................................................................................................................8-13
Remote Port Mirroring ............................................................................................................................8-13
Configuring Remote Port Mirroring...................................................................................................8-14
Configuring SMON MIB Port Mirroring ................................................................................................... 8-15
Procedures.......................................................................................................................................8-15
Chapter 9: Configuring VLANs
VLAN Overview .............................................................................................................................................. 9-1
Using VLANs to Partition Your Network ................................................................................................... 9-1
Implementing VLANs ...................................................................................................................................... 9-2
Preparing for VLAN Configuration ............................................................................................................ 9-3
Understanding How VLANs Operate ...............................................................................................................9-3
Learning Modes and Filtering Databases ................................................................................................9-3
VLAN Assignment and Forwarding .......................................................................................................... 9-4
Receiving Frames from VLAN Ports...................................................................................................9-4
Forwarding Decisions.........................................................................................................................9-5
Example of a VLAN Switch in Operation .................................................................................................. 9-5
VLAN Support on Enterasys Switches ...........................................................................................................9-6
Maximum Active VLANs ...........................................................................................................................9-6
Configurable Range .................................................................................................................................9-6
VLAN Types .............................................................................................................................................9-6
Static and Dynamic VLANs ................................................................................................................9-6
Port-Based VLANs .............................................................................................................................9-6
Policy-Based VLANs ..........................................................................................................................9-7
GARP VLAN Registration Protocol (GVRP) Support ...............................................................................9-7
How It Works ......................................................................................................................................9-7
Configuring VLANs ......................................................................................................................................... 9-8
Default Settings ........................................................................................................................................9-9
Configuring Static VLANs .........................................................................................................................9-9
Example Configuration .....................................................................................................................9-11
Creating a Secure Management VLAN .................................................................................................... 9-11
Configuring Dynamic VLANs ..................................................................................................................9-12
Configuring Protocol-Based VLAN Classification ...................................................................................9-13
Example Configuration .....................................................................................................................9-13
Monitoring VLANs ...................................................................................................................................9-14
Terms and Definitions ................................................................................................................................... 9-14
Chapter 10: Configuring User Authentication
User Authentication Overview ......................................................................................................................10-1
Implementing User Authentication ......................................................................................................... 10-2
Authentication Methods ..........................................................................................................................10-2
IEEE 802.1x Using EAP ...................................................................................................................10-2
MAC-Based Authentication (MAC)...................................................................................................10-2
Port Web Authentication (PWA) .......................................................................................................10-3
Multi-User And MultiAuth Authentication..........................................................................................10-3
Remote Authentication Dial-In Service (RADIUS) ..................................................................................10-7
How RADIUS Data Is Used..............................................................................................................10-8
The RADIUS Filter-ID.......................................................................................................................10-8
RFC 3580 — VLAN Authorization ....................................................................................................10-8
Policy Maptable Response.............................................................................................................10-10
Configuring Authentication .........................................................................................................................10-12
Configuring IEEE 802.1x ...................................................................................................................... 10-14
Configuring MAC-based Authentication ............................................................................................... 10-15
Configuring Port Web Authentication (PWA) .......................................................................................10-16
Optionally Enable Guest Network Privileges..................................................................................10-17
Configuring MultiAuth Authentication ...................................................................................................10-17
Setting MultiAuth Authentication Mode...........................................................................................10-17
Setting MultiAuth Authentication Precedence ................................................................................10-18
Setting MultiAuth Authentication Port Properties............................................................................10-18
Setting MultiAuth Authentication Timers.........................................................................................10-19
Displaying MultiAuth Configuration Information..............................................................................10-20
Configuring VLAN Authorization ..........................................................................................................10-20
Configuring RADIUS ............................................................................................................................10-21
Configuring the Authentication Server............................................................................................10-21
Configuring User + IP Phone Authentication .......................................................................................10-22
Example..........................................................................................................................................10-23
Authentication Configuration Example ........................................................................................................ 10-25
Configuring MultiAuth Authentication ...................................................................................................10-26
Enabling RADIUS On the Switch ......................................................................................................... 10-26
Creating RADIUS User Accounts on the Authentication Server .......................................................... 10-26
Configuring the Engineering Group 802.1x End-User Stations ............................................................10-26
Configuring the Printer Cluster for MAC-Based Authentication ...........................................................10-27
Configuring the Public Area PWA Station ............................................................................................10-28
Terms and Definitions ................................................................................................................................. 10-28
Chapter 11: Configuring Link Aggregation
Link Aggregation Overview ...........................................................................................................................11-1
Using Link Aggregation in a Network ..................................................................................................... 11-1
Implementing Link Aggregation ..............................................................................................................11-2
LACP Operation .....................................................................................................................................11-2
How a LAG Forms ..................................................................................................................................11-3
Attached Ports ........................................................................................................................................11-5
Single Port Attached State Rules .....................................................................................................11-7
LAG Port Parameters .............................................................................................................................11-7
Static Port Assignment ........................................................................................................................... 11-8
Flexible Link Aggregation Groups ..........................................................................................................11-8
Configuring Link Aggregation .......................................................................................................................11-9
Link Aggregation Configuration Example ...................................................................................................11-11
Configuring the S8 Distribution Switch ...........................................................................................11-14
Configuring the Fixed Switch Stack 1.............................................................................................11-14
Configuring the Fixed Switch Stack 2.............................................................................................11-14
Configuring the Server....................................................................................................................11-15
Terms and Definitions ................................................................................................................................. 11-15
Chapter 12: Configuring SNMP
SNMP Overview ...........................................................................................................................................12-1
Implementing SNMP .............................................................................................................................. 12-1
SNMP Concepts ...........................................................................................................................................12-2
Manager/Agent Model Components ......................................................................................................12-2
Message Functions ................................................................................................................................ 12-2
Trap Versus Inform Messages .........................................................................................................12-3
Access to MIB Objects ...........................................................................................................................12-3
Community Name Strings.................................................................................................................12-3
User-Based.......................................................................................................................................12-3
SNMP Support on Enterasys Switches ........................................................................................................12-3
Versions Supported ................................................................................................................................12-4
SNMPv1 and v2c Network Management Components ....................................................................12-4
SNMPv3 User-Based Security Model (USM) Enhancements ..........................................................12-4
Terms and Definitions ............................................................................................................................12-5
Security Models and Levels ...................................................................................................................12-6
Access Control .......................................................................................................................................12-6
Configuring SNMP ........................................................................................................................................ 12-7
Configuration Basics ..............................................................................................................................12-7
How SNMP Processes a Notification Configuration ............................................................................... 12-7
SNMP Defaults ....................................................................................................................................... 12-8
Device Start Up Configuration..........................................................................................................12-8
Configuring SNMPv1/SNMPv2c .............................................................................................................12-9
Creating a New Configuration ..........................................................................................................12-9
Adding to or Modifying the Default Configuration...........................................................................12-10
Configuring SNMPv3 ............................................................................................................................12-10
Configuring an SNMPv3 Inform or Trap Engine ID ........................................................................12-13
Configuring an SNMP View............................................................................................................12-14
Configuring Secure SNMP Community Names ...................................................................................12-15
Example..........................................................................................................................................12-17
Reviewing SNMP Settings .......................................................................................................................... 12-18
Chapter 13: Configuring Neighbor Discovery
Neighbor Discovery Overview ...................................................................................................................... 13-1
Neighbor Discovery Operation ...............................................................................................................13-1
LLDP-MED .............................................................................................................................................13-3
LLDPDU Frames ....................................................................................................................................13-5
Configuring LLDP ......................................................................................................................................... 13-7
LLDP Configuration Commands ............................................................................................................ 13-7
Basic LLDP Configuration ...................................................................................................................... 13-9
Example LLDP Configuration: Time to Live......................................................................................13-9
Example LLDP Configuration: Location Information.........................................................................13-9
LLDP Display Commands ....................................................................................................................13-10
Configuring Enterasys Discovery Protocol .................................................................................................13-10
Enterasys Discovery Protocol Configuration Commands .................................................................... 13-10
Example Enterasys Discovery Protocol Configuration .........................................................................13-11
Enterasys Discovery Protocol Show Commands ................................................................................. 13-11
Configuring Cisco Discovery Protocol ........................................................................................................13-11
Cisco Discovery Protocol Configuration Commands ...........................................................................13-12
Example Cisco Discovery Protocol Configuration ................................................................................13-12
Cisco Discovery Protocol Configuration Commands ...........................................................................13-12
Chapter 14: Configuring Syslog
System Logging Overview ............................................................................................................................ 14-1
Syslog Operation .......................................................................................................................................... 14-2
Syslog Operation on Enterasys Devices ................................................................................................ 14-2
Filtering by Severity and Facility ............................................................................................................14-2
Syslog Components and Their Use ..............................................................................................................14-3
Basic Syslog Scenario ........................................................................................................................... 14-5
Interpreting Messages .................................................................................................................................. 14-6
Example .................................................................................................................................................14-6
About Security Audit Logging .......................................................................................................................14-6
Security Events Logged .........................................................................................................................14-7
Trap Generation .............. ... ... .... ... ... ... ....................................... ... .... ... ... ... ... .... ... ... ... .............................14-7
Format Examples ............ ... ... .... ...................................... .... ... ... ... .... ... ...................................................14-8
Configuring Syslog ....................................................................................................................................... 14-8
Syslog Command Precedence ...............................................................................................................14-8
About Server and Application Severity Levels ....................................................................................... 14-9
Configuring Syslog Server(s) .................................................................................................................14-9
Example............................................................................................................................................14-9
Modifying Syslog Server Defaults ........................................................................................................ 14-10
Displaying System Logging Defaults..............................................................................................14-10
Modifying Default Settings..............................................................................................................14-10
Reviewing and Configuring Logging for Applications ...........................................................................14-10
Displaying Current Application Severity Levels..............................................................................14-11
Enabling Console Logging and File Storage ........................................................................................ 14-11
Displaying to the Console and Saving to a File..............................................................................14-11
Configuration Examples .......................................................................................................................14-12
Enabling a Server and Console Logging........................................................................................14-12
Adjusting Settings to Allow for Logging at the Debug Level ...........................................................14-12
Chapter 15: Configuring Spanning Tree
Spanning Tree Protocol Overview ................................................................................................................15-1
Why Use Spanning Trees? ....................................................................................................................15-2
Spanning Tree on Enterasys Platforms .................................................................................................15-2
STP Operation .............................................................................................................................................. 15-3
Rapid Spanning Tree Operation ............................................................................................................15-4
Multiple Spanning Tree Operation ......................................................................................................... 15-4
Functions and Features Supported on Enterasys Devices ..........................................................................15-6
Spanning Tree Versions .........................................................................................................................15-6
Maximum SID Capacities .......................................................................................................................15-6
Network Diameter ..................................................................................................................................15-6
Port Forwarding ......................................................................................................................................15-6
Disabling Spanning Tree ........................................................................................................................ 15-7
STP Features .........................................................................................................................................15-7
SpanGuard.......................................................................................................................................15-7
Loop Protect.....................................................................................................................................15-7
Updated 802.1t.................................................................................................................................15-8
Multisource Detection.......................................................................................................................15-8
Spanning Tree Basics ..................................................................................................................................15-9
Spanning Tree Bridge Protocol Data Units ............................................................................................ 15-9
Electing the Root Bridge .........................................................................................................................15-9
Assigning Path Costs ............................................................................................................................. 15-9
Paths to Root .......................................................................................................................................15-10
Identifying Designated, Alternate, and Backup Port Roles ..................................................................15-12
Assigning Port States ...........................................................................................................................15-13
RSTP Operation ...................................................................................................................................15-14
MSTP Operation ..................................................................................................................................15-14
Common and Internal Spanning Tree (CIST).................................................................................15-14
MST Region................................................................................15-15
Multiple Spanning Tree Instances (MSTI) ......................................................................................15-16
Configuring STP and RSTP ........................................................................................................................ 15-19
Reviewing and Enabling Spanning Tree ..............................................................................................15-20
Example..........................................................................................................................................15-20
Adjusting Spanning Tree Parameters ..................................................................................................15-20
Setting Bridge Priority Mode and Priority........................................................................................15-21
Setting a Port Priority................................................................................15-21
Assigning Port Costs ......................................................................................................................15-22
Adjusting Bridge Protocol Data Unit (BPDU) Intervals ...................................................................15-22
Enabling the Backup Root Function .....................................................................................................15-23
Adjusting RSTP Parameters ................................................................................................................15-23
Defining Edge Port Status ................................................................................15-24
Configuring MSTP ...................................................................................................................................... 15-24
Example 1: Configuring MSTP for Traffic Segregation ........................................................................15-25
Example 2: Configuring MSTP for Maximum Bandwidth Utilization ..................................................... 15-27
Adjusting MSTP Parameters ................................................................................................................ 15-28
Monitoring MSTP ................................................................................15-29
Understanding and Configuring SpanGuard ..............................................................................................15-29
What Is SpanGuard? ............................................................................................................................15-29
How Does It Operate? ..........................................................................................................................15-30
Configuring SpanGuard ....................................................................................................................... 15-30
Reviewing and Setting Edge Port Status................................................................................15-30
Enabling and Adjusting SpanGuard ...............................................................................................15-30
Monitoring SpanGuard Status and Settings................................................................................15-31
Understanding and Configuring Loop Protect ............................................................................................15-31
What Is Loop Protect? ..........................................................................................................................15-31
How Does It Operate? ..........................................................................................................................15-31
Port Modes and Event Triggers......................................................................................................15-32
Example: Basic Loop Protect Configuration...................................................................................15-32
Configuring Loop Protect ................................................................................ 15-33
Enabling or Disabling Loop Protect ................................................................................................15-34
Specifying Loop Protect Partners...................................................................................................15-34
Setting the Loop Protect Event Threshold and Window................................................................................15-34
Enabling or Disabling Loop Protect Event Notifications .................................................................15-35
Setting the Disputed BPDU Threshold...........................................................................................15-35
Monitoring Loop Protect Status and Settings................................................................................15-35
Terms and Definitions ................................................................................................................................. 15-36
Chapter 16: Configuring Policy
Using Policy in Your Network ....................................................................................................................... 16-1
Standard and Enhanced Policy on Enterasys Platforms ........................................................................16-2
Implementing Policy ............................................................................................................................... 16-2
Policy Configuration Overview ...................................................................................................................... 16-2
Using the Enterasys NetSight Policy Manager ......................................................................................16-2
Understanding Roles in a Secure Network ............................................................................................ 16-3
The Policy Role ................................................................................................................................16-3
Defining Policy Roles .............................................................................................................................16-3
Setting a Default VLAN for a Role....................................................................................................16-4
Adding Tagged, Untagged, and Forbidden Ports to the VLAN Egress Lists....................................16-4
Assigning a Class of Service to a Role.............................................................................................16-4
Defining Policy Rules .............................................................................................................................16-5
Admin Rules.....................................................................................................................................16-5
Traffic Classification Rules ...............................................................................................................16-5
Applying Policy .......................................................................................................................................16-7
Applying a Default Policy..................................................................................................................16-8
Applying Policies Dynamically..........................................................................................................16-8
Blocking Non-Edge Protocols at the Edge Network Layer ...............................................................16-8
Configuring Policy ......................................................................................................................................... 16-9
Policy Configuration Example ..................................................................................................................... 16-12
Roles ................................................................................16-13
Policy Domains ....................................................................................................................................16-13
Basic Edge .....................................................................................................................................16-13
Standard Edge................................................................................................................................16-14
Premium Edge................................................................................................................................16-14
Premium Distribution ......................................................................................................................16-14
Platform Configuration ......................................................................................................................... 16-14
Configuring Guest Policy on Edge Platforms .................................................................................16-15
Configuring Policy for the Edge Student Fixed Switch ...................................................................16-15
Configuring PhoneFS Policy for the Edge Fixed Switch.................................................................16-16
Configuring Policy for the Edge Faculty Fixed Switch....................................................................16-17
Terms and Definitions ................................................................................................................................. 16-18
Chapter 17: Configuring Quality of Service
Quality of Service Overview ................................................................................17-1
Implementing QoS ................................................................................................................................. 17-1
Quality of Service Operation ................................................................................17-2
Class of Service (CoS) ................................................................................17-2
CoS Settings ..........................................................................................................................................17-3
CoS Hardware Resource Reference................................................................................................17-3
CoS Flood Control State...................................................................................................................17-3
CoS Priority and ToS Rewrite...........................................................................................................17-3
CoS Reference .......................................................................................................................................17-4
Port Group and Type........................................................................................................................17-4
CoS Settings Reference to Port Resource Mapping ........................................................................17-5
Port Resources ................................................................................17-5
Port Configuration ................................................................................17-5
Preferential Queue Treatment for Packet Forwarding ........................................................................... 17-6
Strict Priority Queuing................................................................................17-6
Weighted Fair Queuing................................................................................17-6
Hybrid Queuing.................................................................................................................................17-7
Rate Limiting ..........................................................................................................................................17-8
Flood Control ................................................................................17-9
CoS Hardware Resource Configuration ....................................................................................................... 17-9
IRL Configuration ...................................................................................................................................17-9
CoS Port Configuration Layer...........................................................................................................17-9
CoS Port Resource Layer...............................................................................................................17-10
CoS Reference Layer.....................................................................................................................17-10
CoS Settings Layer.........................................................................................................................17-10
Enable CoS State................................................................................17-10
IRL Configuration Example Show Command Output .....................................................................17-10
Flood Control Configuration ................................................................................ 17-12
CoS Port Configuration Layer.........................................................................................................17-12
CoS Port Resource Layer...............................................................................................................17-12
CoS Reference Layer.....................................................................................................................17-12
CoS Settings Layer.........................................................................................................................17-12
Enable CoS State................................................................................17-12
Flood Control Configuration Example Show Command Output ................................................................................17-12
Enabling CoS State ..............................................................................................................................17-13
The QoS CLI Command Flow ....................................................................................................................17-14
Port Priority and Transmit Queue Configuration .........................................................................................17-15
Setting Port Priority ................................................................................17-15
Example..........................................................................................................................................17-15
Mapping Port Priority to Transmit Queues ........................................................................................... 17-15
Example..........................................................................................................................................17-16
Setting Transmit Queue Arbitration ...................................................................................................... 17-16
Port Traffic Rate Limiting ............................................................................................................................17-17
Examples ............................................................................................................................................. 17-18
Chapter 18: Configuring Network Monitoring
Basic Network Monitoring Features ..............................................................................................................18-1
Console/Telnet History Buffer ................................................................................................................18-1
Network Diagnostics .............................................................................................................................. 18-2
Switch Connection Statistics ................................................................................18-2
Users ................................................................................18-3
RMON ................................................................................18-3
RMON Design Considerations ...............................................................................................................18-4
Configuring RMON .................................................................................................................................18-5
sFlow ............................................................................................................................................................18-9
Using sFlow in Your Network ................................................................................18-10
Definitions ............................................................................................................................................18-10
sFlow Agent Functionality ....................................................................................................................18-11
Sampling Mechanisms ......................................................................................................................... 18-11
Packet Flow Sampling....................................................................................................................18-11
Counter Sampling................................................................................18-11
Sampling Implementation Notes................................................................................18-12
Configuring sFlow ................................................................................................................................18-12
Overview.........................................................................................................................................18-12
Procedure.......................................................................................................................................18-14
Chapter 19: Configuring Multicast
Using Multicast in Your Network ................................................................................................................... 19-1
Implementing Multicast .......................................................................................................................... 19-1
Multicast Operation ................................................................................................................................ 19-2
Internet Group Management Protocol (IGMP) .......................................................................................19-2
Overview...........................................................................................................................................19-2
IGMP Support on Enterasys Devices...............................................................................................19-3
Example: Sending a Multicast Stream..............................................................................................19-4
Distance Vector Multicast Routing Protocol (DVMRP) ........................................................................... 19-5
Overview...........................................................................................................................................19-5
DVMRP Support on Enterasys Devices ...........................................................................................19-5
Protocol Independent Multicast (PIM) .................................................................................................. 19-11
Overview.........................................................................................................................................19-11
PIM Support on Enterasys Devices................................................................................................19-13
PIM Terms and Definitions.............................................................................................................19-14
Configuring IGMP .......................................................................................................................................19-15
Basic IGMP Configuration ....................................................................................................................19-17
Example IGMP Configuration on Layer 3.......................................................................................19-17
IGMP Display Commands ....................................................................................................................19-18
Configuring DVMRP ................................................................................................................................... 19-18
DVMRP Configuration Commands ................................................................................19-18
Basic DVMRP Configuration ................................................................................................................19-19
Example DVMRP Configuration .....................................................................................................19-19
Displaying DVMRP Information ............................................................................................................19-20
Configuring PIM-SM ................................................................................................................................... 19-21
Design Considerations ................................................................................19-21
PIM-SM Configuration Commands ................................................................................ 19-21
Basic PIM-SM Configuration ................................................................................................................19-22
Example Configuration ...................................................................................................................19-22
PIM-SM Display Commands ................................................................................ 19-24
Chapter 20: IP Configuration
Enabling the Switch for Routing ................................................................................................................... 20-1
Router Configuration Modes .................................................................................................................. 20-1
Entering Router Configuration Modes ................................................................................20-2
Example .................................................................................................................................................20-3
Routing Interfaces ........................................................................................................................................ 20-3
IPv4 Interface Addresses .......................................................................................................................20-3
IP Static Routes ................................................................................ 20-4
Configuring Static Routes ...................................................................................................................... 20-5
Testing Network Connectivity ....................................................................................................................... 20-5
The ARP Table ............................................................................................................................................. 20-6
Proxy ARP .............................................................................................................................................. 20-7
ARP Configuration ................................................................................20-7
IP Broadcast Settings ................................................................................ 20-7
Directed Broadcast .................................................................................................................................20-7
UDP Broadcast Forwarding ................................................................................20-8
DHCP and BOOTP Relay ......................................................................................................................20-9
IP Broadcast Configuration ................................................................................20-9
Configuring ICMP Redirects ....................................................................................................................... 20-10
Terms and Definitions ................................................................................................................................. 20-10
Chapter 21: IPv4 Basic Routing Protocols
Configuring RIP ............................................................................................................................................ 21-1
Using RIP in Your Network .................................................................................................................... 21-1
RIP Configuration Overview ...................................................................................................................21-1
RIP Router Configuration .................................................................................................................21-1
RIP Interface Configuration ..............................................................................................................21-2
RIP Configuration Example ....................................................................................................................21-3
Configuring IRDP ..........................................................................................................................................21-5
Using IRDP in Your Network ..................................................................................................................21-5
IRDP Configuration Overview ................................................................................................................21-5
IRDP Configuration Example ................................................................................................................. 21-5
Chapter 22: Configuring OSPFv2
OSPF Overview ................................................................................ 22-1
OSPF Areas ................................................................................22-2
OSPF Router Types ................................................................................22-3
Designated Router ................................................................................22-3
Authentication ........................................................................................................................................22-3
Basic OSPF Topology Configuration ................................................................................22-3
Configuring the Router ID ...................................................................................................................... 22-4
Configuring the Designated Router ................................................................................22-5
Configuring Router Priority ...............................................................................................................22-6
Example............................................................................................................................................22-6
Configuring the Administrative Distance for OSPF Routes ................................................................................22-7
Configuring SPF Timers ......................................................................................................................... 22-7
Configuring OSPF Areas .............................................................................................................................. 22-8
Configuring Area Range ......................................................................................................................... 22-8
Example............................................................................................................................................22-8
Configuring a Stub Area ................................................................................ 22-9
Stub Area Default Route Cost ........................................................................................................22-10
Example..........................................................................................................................................22-10
Configuring a Not So Stubby Area (NSSA) ..........................................................................................22-11
Example..........................................................................................................................................22-12
Configuring Area Virtual-Links ............................................................................................................. 22-12
Configuring Area Virtual-Link Authentication..................................................................................22-14
Configuring Area Virtual-Link Timers..............................................................................................22-14
Configuring Route Redistribution .........................................................................................................22-14
Configuring Passive Interfaces ............................................................................................................22-14
Configuring OSPF Interfaces ...................................................................................................................... 22-15
Configuring Interface Cost ...................................................................................................................22-15
Configuring Interface Priority ................................................................................................................ 22-15
Configuring Authentication ................................................................................................................... 22-15
Configuring OSPF Interface Timers ..................................................................................................... 22-16
Default Settings .......................................................................................................................................... 22-16
Configuration Procedures ..................................................................... 22-17
Basic OSPF Router Configuration .......................................................................................................22-17
OSPF Interface Configuration ................................................................. 22-18
OSPF Area Configuration ...................................................................... 22-18
Managing and Displaying OSPF Configuration and Statistics .............................................................22-19
Chapter 23: Configuring VRRP
VRRP Overview ............................................................................................................................................23-1
VRRP Virtual Router Creation ................................................................................................................23-2
VRRP Master Election ........................................................................................................................... 23-2
Enabling Master Preemption .................................................................................................................. 23-3
Enabling ICMP Replies ..........................................................................................................................23-3
Configuring VRRP Authentication ..........................................................................................................23-3
Enabling the VRRP Virtual Router ......................................................................................................... 23-3
Configuring VRRP ........................................................................................................................................ 23-3
Configuration Examples ....................................................................... 23-4
Basic VRRP Configuration ...............................................................................................................23-4
Multiple Backup VRRP Configuration...............................................................................................23-6
Terms and Definitions ................................................................................................................................... 23-8
Chapter 24: Configuring Access Control Lists
Using Access Control Lists (ACLs) in Your Network ....................................................................................24-1
Implementing ACLs ...................................................................................................................................... 24-1
ACL Configuration Overview ........................................................................................................................24-2
Creating IPv4 ACLs ........................................................................... 24-2
Creating IPv6 and MAC ACLs ................................................................................................................24-2
Creating ACL Rules ........................................................................... 24-3
IPv4 Rules ........................................................................................................................................24-3
IPv6 Rules ........................................................................................................................................24-4
MAC Rules .......................................................................................................................................24-4
Managing ACLs ................................................................................ 24-4
Deleting ACLs and Rules .................................................................................................................24-4
Moving ACL Rules............................................................................................................................24-5
Replacing ACL Rules .......................................................................................................................24-5
Inserting ACL Rules..........................................................................................................................24-6
Applying ACLs ........................................................................................................................................24-6
Configuring ACLs .........................................................................................................................................24-7
Configuring IPv4 ACLs ...........................................................................................................................24-7
Example............................................................................................................................................24-8
Configuring IPv6 ACLs ...........................................................................................................................24-8
Example............................................................................................................................................24-9
Configuring MAC ACLs ........................................................................................................................24-10
Example..........................................................................................................................................24-10
Access Control Lists on the A4 ................................................................................................................... 24-11
Configuring A4 ACLs ............................................................................................................................24-12
Extended IPv4 ACL Configuration..................................................................................................24-12
MAC ACL Configuration .................................................................................................................24-13
Chapter 25: Configuring and Managing IPv6
Managing IPv6 ................................................................................ 25-1
Configuring IPv6 Management .................................................................. 25-2
Example............................................................................................................................................25-2
Monitoring Network Connections ............................................................... 25-3
IPv6 Routing Configuration ........................................................................................................................... 25-3
Overview ................................................................................................................................................ 25-3
Defaults ..................................................................................... 25-4
Setting Routing General Parameters ..................................................................................................... 25-5
Configuring Routing Interfaces ...............................................................................................................25-5
IPv6 Addressing ...............................................................................................................................25-5
Enabling an Interface for IPv6 Routing.............................................................................................25-6
Configuration Examples ....................................................................... 25-6
Creating Tunnel Interfaces ................................................................... 25-7
Configuring Static Routes ...................................................................................................................... 25-9
Viewing Routing Information ................................................................................................................ 25-10
Testing Network Connectivity ...............................................................................................................25-11
IPv6 Neighbor Discovery ............................................................................................................................25-11
Duplicate Address Detection ................................................................................................................25-11
Neighbor Solicitation Messages ........................................................................................................... 25-12
Router Advertisements .........................................................................................................................25-12
Cache Management ............................................................................. 25-12
Neighbor Discovery Configuration .......................................................................................................25-13
DHCPv6 Configuration ...............................................................................................................................25-14
DHCPv6 Relay Agent Configuration .................................................................................................... 25-14
DHCPv6 Server Configuration ............................................................................................................. 25-15
Pool Configuration..........................................................................................................................25-15
Server Configuration ......................................................................... 25-15
Default Conditions ................................................................................................................................25-16
Configuration Examples ....................................................................... 25-16
Viewing DHCPv6 Statistics ..................................................................................................................25-18
Chapter 26: Configuring Security Features
Security Mode Configuration .................................................................. 26-1
About the Security Mode ........................................................................................................................ 26-1
Configuring the Security Mode ................................................................ 26-2
Security Mode and SNMP ...................................................................................................................... 26-2
Security Mode and User Authentication and Passwords .......................................................................26-3
Security Mode and System Logging ...................................................................................................... 26-3
Security Mode and File Management ....................................................................................................26-4
IPsec Configuration .......................................................................... 26-4
About IPsec ............................................................................................................................................ 26-4
IPsec Defaults ............................................................................... 26-5
IPsec Configuration .......................................................................... 26-5
RADIUS Management Authentication .......................................................................................................... 26-6
Request Transmission ........................................................................................................................... 26-6
Response Validation .............................................................................................................................. 26-7
Password Changing ............................................................................................................................... 26-7
Example .................................................................................................................................................26-7
MAC Locking ................................................................................................................................................26-7
First Arrival Configuration .......................................................................................................................26-8
MAC Locking Notifications ..................................................................................................................... 26-8
Disabling and Enabling Ports ................................................................................................................. 26-9
MAC Locking Defaults ......................................................................... 26-9
MAC Locking Configuration ................................................................................................................. 26-10
TACACS+ ...................................................................................... 26-11
TACACS+ Client Functionality .............................................................................................................26-12
Session Authorization and Accounting...........................................................................................26-12
Command Authorization and Accounting .......................................................................................26-12
Configuring the Source Address ............................................................... 26-13
Default Settings ....................................................................................................................................26-13
Basic TACACS+ Configuration ............................................................................................................26-14
Example TACACS+ Configuration .......................................................................................................26-15
TACACS+ Display Commands ............................................................................................................26-15
Service ACLs ..............................................................................................................................................26-16
Restricting Management Access to the Console Port ............................................ 26-17
Configuring a Service Access Control List ...........................................................................................26-17
DHCP Snooping ........................................................................................................................................ 26-18
DHCP Message Processing .................................................................................................................26-18
Building and Maintaining the Database ........................................................ 26-19
Rate Limiting ........................................................................................................................................26-19
Basic Configuration .............................................................................................................................. 26-19
Configuration Notes .......................................................................... 26-20
Default Parameter Values ..............................................................................................................26-20
Managing DHCP Snooping ....................................................................... 26-21
Dynamic ARP Inspection ........................................................................................................................... 26-22
Functional Description ....................................................................... 26-22
Static Mappings .............................................................................. 26-22
Optional ARP Packet Validation.....................................................................................................26-22
Logging Invalid Packets..................................................................................................................26-23
Packet Forwarding..........................................................................................................................26-23
Rate Limiting...................................................................................................................................26-23
Eligible Interfaces ...........................................................................................................................26-23
Interaction with Other Functions.....................................................................................................26-23
Basic Configuration .............................................................................................................................. 26-24
Default Parameter Values ..............................................................................................................26-24
Managing Dynamic ARP Inspection ............................................................... 26-24
Example Configuration ......................................................................................................................... 26-25
Non-Routing Example ....................................................................................................................26-25
Routing Example ............................................................................................................................26-26
Figures
3-1 CLI Startup Screen............................................................................................................................. 3-2
3-2 Sample CLI Defaults Description........................................................................................................3-4
3-3 Performing a Keyword Lookup .............................................................. 3-4
3-4 Performing a Partial Keyword Lookup................................................................................................3-4
3-5 Scrolling Screen Output......................................................................................................................3-5
3-6 Abbreviating a Command...................................................................................................................3-5
9-1 VLAN Business Scenario ...................................................................................................................9-2
9-2 Inside the Switch ......................................................................... 9-5
9-3 Example of VLAN Propagation Using GVRP ..................................................................................... 9-8
10-1 Applying Policy to Multiple Users on a Single Port ...................................... 10-5
10-2 Authenticating Multiple Users With Different Methods on a Single Port........................................... 10-6
10-3 Selecting Authentication Method When Multiple Methods are Validated ......................................... 10-7
10-4 Stackable Fixed Switch Authentication Configuration Example Overview ..................................... 10-25
11-1 LAG Formation ................................................................................................................................. 11-4
11-2 LAGs Moved to Attached State ........................................................................................................11-6
11-3 Link Aggregation Example ................................................................ 11-12
13-1 Communication between LLDP-enabled Devices ............................................................................ 13-3
13-2 LLDP-MED .......................................................................................................................................13-5
13-3 Frame Format................................................................................................................................... 13-6
14-1 Basic System Scenario..................................................................................................................... 14-5
15-1 Redundant Link Causes a Loop in a Non-STP Network .................................................................. 15-2
15-2 Loop Avoided When STP Blocks a Duplicate Path .......................................................................... 15-2
15-3 Multiple Spanning Tree Overview.....................................................................................................15-5
15-4 Root Port Selection Based On Lowest Cost or Bridge ID............................................................... 15-10
15-5 Root Port Selection Based On Lowest Port ID...............................................................................15-11
15-6 Spanning Tree Port Role Overview ........................................................ 15-12
15-7 Example of an MST Region............................................................................................................15-15
15-8 MSTI 1 in a Region.........................................................................................................................15-18
15-9 MSTI2 in the Same Region ............................................................................................................ 15-18
15-10 Example of Multiple Regions and MSTIs........................................................................................15-19
15-11 Traffic Segregation in a Single STP Network Configuration........................................................... 15-25
15-12 Traffic Segregation in an MSTP Network Configuration.................................................................15-26
15-13 Maximum Bandwidth Utilization in a Single STP Network Configuration .......................................15-27
15-14 Maximum Bandwidth in an MSTP Network Configuration..............................................................15-28
15-15 Basic Loop Protect Scenario ..........................................................................................................15-33
15-16 Spanning Tree Without Loop Protect ..................................................... 15-33
15-17 Spanning Tree with Loop Protect ...................................................................................................15-33
16-1 College-Based Policy Configuration...............................................................................................16-12
17-1 Assigning and Marking Traffic with a Priority....................................................................................17-4
17-2 Strict Priority Queuing Packet Behavior ........................................................................................... 17-6
17-3 Weighted Fair Queuing Packet Behavior ......................................................................................... 17-7
17-4 Hybrid Queuing Packet Behavior ..................................................................................................... 17-8
17-5 Rate Limiting Clipping Behavior ....................................................................................................... 17-9
19-1 IGMP Querier Determining Group Membership ............................................................................... 19-3
19-2 Sending a Multicast Stream with No Directly Attached Hosts ..........................................................19-4
19-3 DVMRP Pruning and Grafting ........................................................................................................ 19-11
19-4 PIM Traffic Flow.............................................................................................................................. 19-12
19-5 DVMRP Configuration on Two Routers..........................................................................................19-19
19-6 PIM-SM Configuration .................................................................... 19-23
22-1 Basic OSPF Topology ...................................................................................................................... 22-4
22-2 OSPF Designated Router Topology ......................................................... 22-6
22-3 OSPF Summarization Topology ............................................................. 22-9
22-4 OSPF Stub Area Topology ................................................................. 22-10
22-5 OSPF NSSA Topology................................................................................................................... 22-12
22-6 Virtual Link Topology...................................................................................................................... 22-13
23-1 Basic VRRP Topology ..................................................................... 23-2
23-2 Basic Configuration Example ........................................................................................................... 23-5
23-3 Multi-Backup VRRP Configuration Example ....................................................................................23-6
25-1 Basic IPv6 Over IPv4 Tunnel............................................................................................................ 25-8
Tables
3-1 Basic Line Editing Commands............................................................................................................ 3-6
3-2 CLI Properties Configuration Commands...........................................................................................3-6
3-3 CLI Properties Show Commands ............................................................. 3-7
4-1 Default Settings for Basic Switch Operation.......................................................................................4-1
4-2 Default Settings for Router Operation ................................................................................................ 4-4
4-3 Advanced Configuration .....................................................................................................................4-6
4-4 Default SNTP Parameters................................................................................................................ 4-13
4-5 Managing and Displaying SNTP ............................................................. 4-14
4-6 Managing and Displaying DHCP Server ..........................................................................................4-20
4-7 Default DHCP Server Parameters....................................................................................................4-20
4-8 Configuring Pool Parameters ........................................................................................................... 4-23
5-1 User Account and Password Parameter Defaults by Security Mode .................................................5-7
6-1 File Management Commands ................................................................. 6-8
7-1 PoE Powered Device Classes............................................................................................................7-2
7-2 PoE Settings Supported on Enterasys Devices ................................................................................. 7-4
7-3 PoE Show Commands .....................................................................................................................7-10
8-1 Displaying Port Status ....................................................................................................................... 8-7
8-2 Linkflap Default Parameters ...............................................................................................................8-9
8-3 Link Flap Detection Show Commands ............................................................................................. 8-11
8-4 Transmit Queue Monitoring Tasks ................................................................................................... 8-11
9-1 Default VLAN Parameters ..................................................................................................................9-9
9-2 Displaying VLAN Information............................................................................................................ 9-14
9-3 VLAN Terms and Definitions ............................................................................................................9-14
10-1 Default Authentication Parameters...................................................... ... .... ... ... ... .... .......................10-12
10-2 PWA Guest Networking Privileges Configuration........................................................................... 10-17
10-3 Displaying MultiAuth Authentication Configuration.........................................................................10-20
10-4 Authentication Configuration Terms and Definitions ......................................................................10-28
11-1 LAG2 Port Priority Assignments....................................................................................................... 11-5
11-2 LAG Port Parameters ....................................................................................................................... 11-7
11-3 Default Link Aggregation Parameters...............................................................................................11-9
11-4 Managing Link Aggregation................. ... ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... ...........................11-10
11-5 Displaying Link Aggregation Information and Statistics.................................................................. 11-11
11-6 LAG and Physical Port Admin Key Assignments ........................................................................... 11-13
11-7 Link Aggregation Configuration Terms and Definitions ..................................................................11-15
12-1 SNMP Message Functions...............................................................................................................12-2
12-2 SNMP Terms and Definitions...........................................................................................................12-5
12-3 SNMP Security Models and Levels ..................................................................................................12-6
12-4 Default Enterasys SNMP Configuration ........................................................................................... 12-8
12-5 Commands to Review SNMP Settings...........................................................................................12-18
13-1 LLDP Configuration Commands.......................................................................................................13-7
13-2 LLDP Show Commands...................... ... ... ... .... .............................................................................. 13-10
13-3 Enterasys Discovery Protocol Configuration Commands...............................................................13-10
13-4 Enterasys Discovery Protocol Show Commands ........................................................................... 13-11
13-5 Cisco Discovery Protocol Configuration Commands......................................................................13-12
13-6 Cisco Discovery Protocol Show Commands ..................................................................................13-12
14-1 Syslog Terms and Definitions...........................................................................................................14-3
14-2 Syslog Message Components..........................................................................................................14-6
14-3 Syslog Command Precedence.........................................................................................................14-8
14-4 Syslog Server Default Settings.............................................................................................
15-1
15-2 Spanning Tree Port Roles...................... ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... .................15-13
15-3 Spanning Tree Port States........................... .... ... ... ... .... .......................................... ... ... ... ..............15-13
15-4 Multiple Spanning Tree Instance Support ......................................................................................15-16
15-5 MSTI Characteristics for Figure 15-10............................................................................................ 15-19
15-6 Spanning Tree Port Default Settings................................................... ... ........................................ 15-21
15-7 BPDU Interval Defaults................................................................................................................... 15-22
15-8 Commands for Monitoring MSTP ...................................................................................................15-29
15-9 Commands for Monitoring SpanGuard...........................................................................................15-31
15-10 Commands for Monitoring Loop Protect.........................................................................................15-35
15-11 Spanning Tree Terms and Definitions............................................................................................15-36
16-1 Admin Rule Parameters ................................................................................................................... 16-5
16-2 Policy Rule Traffic Descriptions/Classifications................................................................................16-6
16-3 Valid Data Values for Traffic Classification Rules ............................................................................16-6
16-4 Non-Edge Protocols .........................................................................................................................16-8
16-5 Displaying Policy Configuration and Statistics................................................................................ 16-11
Maximum SID Capacities Per Platform ............................................................................................15-6
..........14-10
xx
16-6 Policy Configuration Terms and Definitions....................................................................................16-18
17-1 CoS Configuration Terminology ....................................................................................................... 17-3
18-1 RMON Monitoring Group Functions and Commands....................................................................... 18-3
18-2 Default RMON Parameters...............................................................................................................18-5
18-3 Managing RMON.................... ....................................... ... ... ... .... ... ... ... ... .... ... ................................... 18-9
18-4 Displaying RMON Information and Statistics....................................................................................18-9
18-5 sFlow Definitions ............................................................................................................................18-10
18-6 Default sFlow Parameters ..............................................................................................................18-13
18-7 Displaying sFlow Information..........................................................................................................18-15
18-8 Managing sFlow .................................. ... ....................................... ... ... ... .... ... ... ... .... ... ... .................18-15
19-1 PIM-SM Message Types ........... ... ....................................... ... .... ... ... ... ... .... ... ... ... ...........................19-13
19-2 PIM Terms and Definitions.............................................................................................................19-14
19-3 Layer 2 IGMP Configuration Commands........................................................................................19-16
19-4 Layer 3 IGMP Configuration Commands........................................................................................19-16
19-5 Layer 2 IGMP Show Commands....................................................................................................19-18
19-6 Layer 3 IGMP Show Commands....................................................................................................19-18
19-7 DVMRP Configuration Commands...................... ........................................................................... 19-18
19-8 DVMRP Show Commands .................. ... ... ... .... ... ... ... .... ... ... ...........................................................19-21
19-9 PIM-SM Set Commands............... ....................................... ... .... ... ... ... ... .... ... ... ... ...........................19-21
19-10 PIM-SM Show Commands ........... .... ... ... ... ... .... ... ... ....................................... ... ... .... ... ... ... ... ...........19-24
20-1 Router CLI Configuration Modes......................................................................................................20-2
20-2 UDP Broadcast Forwarding Port Default..........................................................................................20-8
20-3 IP Routing Terms and Definitions................................................................................................... 20-10
21-1 Routing Protocol Route Preferences................................................................................................21-2
21-2 RIP Default Values ........................................................................................................................... 21-3
21-3 IRDP Default Values......................................................................................................................... 21-5
22-1 Default OSPF Parameters.............................................................................................................. 22-16
22-2 OSPF Management Tasks. .............. ... ... ... ... .................................................................................. 22-19
23-1 Default VRRP Parameters................................................................................................................23-3
23-2 VRRP Configuration Terms and Definitions ..................................................................................... 23-8
24-1 ACL Rule Precedence....................................................................................................................24-11
25-1 Monitoring Network Connections at the Switch Level ......................................................................25-3
25-2 IPv6 Default Conditions.................................................................................................................... 25-4
25-3 Setting Routing General Parameters................................................................................................25-5
25-4 Displaying Routing Information.......................................................................................................25-10
25-5 Testing Network Connectivity......................................................................................................... 25-11
25-6 Displaying DHCPv6 Statistics ....................................................................................................... 25-18
26-1 SNMP Commands Affected by Security Mode Settings...................................................................26-2
26-2 User Account and Password Parameter Defaults by Security Mode ...............................................26-3
26-3 Logging Commands Affected by Security Mode Settings ................................................................26-4
26-4 File Management Commands
26-5 IPsec Defaults .............................. .... ...................................... .... ... ... ... ... .... ...................................... 26-5
26-6 MAC Locking Defaults...................................................................................................................... 26-9
26-7 TACACS+ Parameters ................................................................................................................... 26-13
26-8 TACACS+ Show Commands..........................................................................................................26-15
26-9 DHCP Snooping Default Parameters .............................................................................................26-20
26-10 Displaying DHCP Snooping Information.........................................................................................26-21
26-11 Managing DHCP Snooping ............................................................................................................26-21
26-12 Dynamic ARP Inspection Default Parameters................................................................................26-24
26-13 Displaying Dynamic ARP Inspection Information ........................................................................... 26-24
26-14 Managing Dynamic ARP Inspection...............................................................................................26-25
Affected by Security Mode Settings .............................. ... ... .... ... ... ... 26-4
About This Guide
This guide provides basic configuration information for the Enterasys Networks Fixed Switch platforms using the Command Line Interface (CLI), including procedures and code examples.
For detailed information about the CLI commands used in this book, refer to the CLI Reference for your Fixed Switch platform.
How to Use This Guide
Read through this guide completely to familiarize yourself with its contents and to gain an understanding of the features and capabilities of the Enterasys Networks Fixed Switches. A general working knowledge of data communications networks is helpful when setting up these switches.
Related Documents
The CLI Reference manuals and Hardware Installation Guides for each platform can be obtained from the World Wide Web in Adobe Acrobat Portable Document Format (PDF) at the following site:
http://extranet.enterasys.com/downloads/
Important Notice
Depending on the firmware version used on your Fixed Switch platform, some features described in this document may not be supported. Refer to the most recent Release Notes for your product to determine which features are supported. Release Notes are available at this link: https://extranet.enterasys.com/downloads

Conventions Used in This Guide
The following conventions are used in the text of this document:

Convention               Description
Bold font                Indicates mandatory keywords, parameters or keyboard keys.
italic font              Indicates complete document titles.
Courier font             Used for examples of information displayed on the screen.
Courier font in italics  Indicates a user-supplied value, either required or optional.
[ ]                      Square brackets indicate an optional value.
{ }                      Braces indicate required values. One or more values may be required.
|                        A vertical bar indicates a choice in values.
[x | y | z]              Square brackets with a vertical bar indicate a choice of a value.
{x | y | z}              Braces with a vertical bar indicate a choice of a required value.
[x {y | z} ]             A combination of square brackets with braces and vertical bars indicates a required choice of an optional value.
The following icons are used in this guide:
Note: Calls the reader’s attention to any item of information that may be of special importance.
Router: Calls the reader’s attention to router-specific commands and information.
Caution: Contains information essential to avoid damage to the equipment.

Getting Help
For additional support related to the product or this document, contact Enterasys Networks using one of the following methods:
World Wide Web: www.enterasys.com/support
Phone: 1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000. To find the Enterasys Networks Support toll-free number in your country: www.enterasys.com/support
Email: support@enterasys.com. To expedite your message, type [insert correct indicator here] in the subject line.

Before contacting Enterasys Networks for technical support, have the following data ready:
• Your Enterasys Networks service contract number
• A description of the failure
• A description of any action(s) already taken to resolve the problem (for example, changing mode switches or rebooting the unit)
• The serial and revision numbers of all involved Enterasys Networks products in the network
• A description of your network environment (such as layout, cable type, other relevant environmental information)
• Network load and frame size at the time of trouble (if known)
• The device history (for example, if you have returned the device before, or if this is a recurring problem)
• Any previous Return Material Authorization (RMA) numbers
Fixed Switch Configuration Guide 1-1
1 Setting Up a Switch for the First Time
This chapter describes how to configure an Enterasys stackable or standalone Fixed Switch received from the factory that has not been previously configured. Most of the procedures assume that you are configuring a single switch that has not been connected to a network, and they require that you have physical access to the console port on the switch.
If you are configuring multiple new switches in a stack, review the procedures that apply to a single switch first, then refer to “Configuring a Stack of New Switches” on page 1-8.
This chapter covers the following topics:
• Before You Begin
• Connecting to the Switch
• Downloading New Firmware
• Additional Configuration Tasks
• Saving the Configuration and Connecting Devices
• Configuring a Stack of New Switches
• Where to Go Next
• Getting Help
• Downloading Firmware via the Serial Port

Before You Begin
The procedures in this chapter assume that:
• You have installed a terminal emulation program on the PC or laptop computer that you will use to configure the switch. Commonly used (and often free) terminal emulation programs available on the Internet include:
  – HyperTerminal
  – Tera Term
  – PuTTY
• You can connect your PC or laptop to the (DB9 male) console port on the switch.
  – If your PC or laptop has a DB9 communications port, use the DB9 female-to-DB9 female cable that was shipped with the switch to connect your computer to the switch console port.
  – If your PC or laptop does not have a DB9 communications port but does provide a USB port:
    – Obtain a USB to RS 232 DB9 (Male) Serial Interface adapter cable.
    – If the adapter cable requires a driver, install the driver on your computer. (These drivers are usually provided by the vendor of the adapter cable.)
    – Connect the adapter cable’s USB connector to a USB port on your PC or laptop and determine which COM port has been assigned to that USB port. (On Windows 7, this information is displayed in the Device Manager window.)
    – Connect the adapter cable’s DB9 male connector to the DB9 female-to-DB9 female cable shipped with the switch.
    – Connect the free end of the DB9 female-to-DB9 female cable to the switch console port.
• You have access to a TFTP server. Since this procedure assumes that the switch is not connected to a network, the TFTP server application should be locally installed on your PC or laptop. TFTP servers are available on the Internet for purchase or free download.
  Review your TFTP server documentation for information about how to configure the server. In particular, you must configure the upload/download directory used by the TFTP server.
• You have downloaded the latest firmware for the switch from the Enterasys web site to your computer, unzipped/uncompressed the firmware, and copied the firmware to the upload/download directory configured for your TFTP server (see previous bullet). The firmware is available at this Enterasys location:
  https://extranet.enterasys.com/downloads
• Review the Release Notes for the downloaded firmware to check for any upgrade notices or limitations that may apply to your switch.
Connecting to the Switch
Follow these steps to connect to the switch and set its IP address:
1. Connect your PC or laptop to the console port of the switch, as described above.
2. On your computer, start your terminal emulation program and set the serial session parameters, including the following:
   – Transmit speed or baud rate = 9600
   – Data bits = 8
   – Parity = None
   – Stop bits = 1
   – Mode = 7 bit control, if available
   – Specify the appropriate COM port
3. Open the terminal emulation session, then power up the switch.
4. In the window of the terminal emulation session, you will see switch boot up output.
5. When the boot up output is complete, the system prints a Username prompt.
6. Log in to the system by typing the default username admin, then pressing the Enter key at the Password prompt. You will see a Welcome screen similar to the following.
Username:admin
Password:

Enterasys C5 Command Line Interface

Enterasys Networks, Inc.
50 Minuteman Rd.
Andover, MA 01810-1008 U.S.A.

Phone: +1 978 684 1000
E-mail: support@enterasys.com
WWW: http://www.enterasys.com

(c) Copyright Enterasys Networks, Inc. 2011

Chassis Serial Number: 093103209001
Chassis Firmware Revision: 06.61.01.0017

Last successful login : WED DEC 07 20:23:20 2011
Failed login attempts since last login : 0

C5(su)->

Note: Using TFTP to copy the latest firmware to the switch is recommended because it is faster. However, if you cannot use a TFTP server, you can download the firmware over the console port. That procedure is described in “Downloading Firmware via the Serial Port” on page 1-10.
7. Note the firmware version displayed in the Welcome screen — it is most likely earlier than the latest version you downloaded from the Enterasys web site, so you will need to upgrade the firmware on the switch.
8. Set a static system IP address on the switch to be used to download the new firmware. For example:
C5(su)->set ip address 192.168.1.1 mask 255.255.255.0
Setting a mask and gateway address are optional. If they are not specified, mask will be set to the natural mask of the address and gateway will stay at the default value of 0.0.0.0.
9. On your computer, set an IP address in the same subnet you gave to the switch. For example:
192.168.1.2.
10. Set up in-band access between your computer and the switch by connecting an Ethernet cable from the network port on your computer to one of the front panel fixed ports on the switch. (Pings and the TFTP transfer will occur via this in-band connection.)
11. From within the switch session, ping the IP address you gave to your computer, to ensure connectivity between the switch and your computer. For example:
C5(su)->ping 192.168.1.2
Then, from your computer, ping the switch.
Note: If the pings are unsuccessful, there may be firewall or other configuration issues on your computer. As a first step, try disabling the firewall on your computer. If that does not resolve the problem, contact your IT group for assistance.
Downloading New Firmware
On stackable and standalone switches, the system Flash can store up to two firmware images at a time. A new switch should have only one firmware image installed, which allows you to download the new firmware image as described below. If you are installing a replacement switch or just want to verify the contents of the images directory, refer to “Deleting a Backup Image File” on page 1-5 for more information.
After you have established your connection to the switch, follow these steps to download the latest firmware:
1. Start the TFTP application.
2. In the terminal emulation session window, use the copy command to TFTP transfer the firmware file from the TFTP server location to the images directory on the switch. For example:
C5(su)->copy tftp://192.168.1.2/c5-series_06.61.01.0031 system:image
Note: If you receive the error message “Error: No space left on the device. Please remove backup file.”, refer to “Deleting a Backup Image File” on page 1-5 before proceeding.
3. Set the new firmware to be active and reboot the system with the set boot system command. When the command asks if you want to reset the system now, reply y. For example:
C5(su)->set boot system c5-series_06.61.01.0031
This command can optionally reset the system to boot the new image.
Do you want to reset now (y/n) [n]y

Resetting system ...
4. After the switch reboots, log in again and use the dir command to confirm that the new firmware is the “active” and “boot” firmware. For example:
C5(su)->dir
Images:
==================================================================
Filename:      c5-series_06.42.06.0008
Version:       06.42.06.0008
Size:          6862848 (bytes)
Date:          Thu Apr 14 18:46:53 2011
CheckSum:      120a983d5fe5d1514553b585557b32cd
Compatibility: C5G124-24, C5G124-24P2, C5G124-48, C5G124-48P2, C5K125-24
               C5K125-24P2, C5K125-48, C5K125-48P2, C5K175-24

Filename:      c5-series_06.61.01.0031 (Active) (Boot)
Version:       06.61.01.0031
Size:          7213056 (bytes)
Date:          Thu Dec 22 18:19:16 2011
CheckSum:      7d7e4851337db5088094764c7ba2b05a
Compatibility: C5G124-24, C5G124-24P2, C5G124-48, C5G124-48P2, C5K125-24
               C5K125-24P2, C5K125-48, C5K125-48P2, C5K175-24

Files:                           Size
================================ ========
configs:
logs:
current.log
Note: If this switch will be added to an existing stack, you should install the primary and backup firmware versions that are currently installed on the stack units.
Deleting a Backup Image File
Since the stackable and standalone switches can store only two firmware images at a time, you may have to delete a backup image, if one exists, before you can manually download a new firmware image.
1. Use the dir command to display the contents of the images directory. For example:
C5(su)->dir
Images:
==================================================================
Filename:      c5-series_06.42.06.0008
Version:       06.42.06.0008
Size:          6862848 (bytes)
Date:          Thu Apr 14 18:46:53 2011
CheckSum:      120a983d5fe5d1514553b585557b32cd
Compatibility: C5G124-24, C5G124-24P2, C5G124-48, C5G124-48P2, C5K125-24
               C5K125-24P2, C5K125-48, C5K125-48P2, C5K175-24

Filename:      c5-series_06.42.10.0016 (Active) (Boot)
Version:       06.42.10.0016
Size:          7213056 (bytes)
Date:          Thu Dec 15 18:19:16 2011
CheckSum:      7d7e4851337db5088094764c7ba2b05a
Compatibility: C5G124-24, C5G124-24P2, C5G124-48, C5G124-48P2, C5K125-24
               C5K125-24P2, C5K125-48, C5K125-48P2, C5K175-24

Files:                           Size
================================ ========
configs:
logs:
current.log
2. Use the delete command to delete the firmware version that is not chosen as Active. For example:
C5(su)->delete c5-series_06.42.06.0008
3. If desired, use the dir command again to confirm that the backup firmware image has been removed.
4. Continue downloading the latest firmware image, as described in “Downloading New Firmware” on page 1-3.
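The dir checks in the two procedures above (is the intended image Active and Boot, and is there room to copy a new one) can be scripted against a saved console capture. This is an added example, not Enterasys code; the function names, the two-image limit constant and the optional reference checksum (a value the operator supplies, which this chapter does not provide) are assumptions.

```python
import re

MAX_IMAGES = 2  # the chapter states system Flash stores up to two images
FIELD = re.compile(r"^(Filename|Version|Size|Date|CheckSum|Compatibility):\s*(.*)$")

# Constructed sample, laid out like the dir listing in "Deleting a Backup Image File".
DIR_OUTPUT = """\
C5(su)->dir
Images:
==================================================================
Filename:      c5-series_06.42.06.0008
Version:       06.42.06.0008
Size:          6862848 (bytes)
Date:          Thu Apr 14 18:46:53 2011
CheckSum:      120a983d5fe5d1514553b585557b32cd
Compatibility: C5G124-24, C5G124-24P2, C5G124-48, C5G124-48P2, C5K125-24
               C5K125-24P2, C5K125-48, C5K125-48P2, C5K175-24

Filename:      c5-series_06.42.10.0016 (Active) (Boot)
Version:       06.42.10.0016
Size:          7213056 (bytes)
Date:          Thu Dec 15 18:19:16 2011
CheckSum:      7d7e4851337db5088094764c7ba2b05a
Compatibility: C5G124-24, C5G124-24P2, C5G124-48, C5G124-48P2, C5K125-24
               C5K125-24P2, C5K125-48, C5K125-48P2, C5K175-24

Files:                           Size
================================ ========
configs:
logs:
current.log
"""


def parse_images(dir_output):
    """Return one dict per firmware image listed between 'Images:' and 'Files:'."""
    images, current, last_key, in_images = [], None, None, False
    for raw in dir_output.splitlines():
        line = raw.strip()
        if line.startswith("Images:"):
            in_images = True
            continue
        if line.startswith("Files:"):
            break
        if not in_images or not line or set(line) == {"="}:
            continue
        field = FIELD.match(line)
        if field and field.group(1) == "Filename":
            value = field.group(2)
            current = {"filename": value.split("(")[0].strip(),
                       "flags": set(re.findall(r"\((\w+)\)", value))}
            images.append(current)
            last_key = "filename"
        elif field and current is not None:
            last_key = field.group(1).lower()
            current[last_key] = field.group(2)
        elif current is not None and last_key == "compatibility":
            current[last_key] += " " + line  # wrapped Compatibility line
    for image in images:
        models = re.split(r"[,\s]+", image.get("compatibility", ""))
        image["compatibility"] = [m for m in models if m]
    return images


def check_boot_image(dir_output, wanted_version, model=None, reference_checksum=None):
    """Return a list of problems; an empty list means the listing looks as intended."""
    images = parse_images(dir_output)
    target = next((i for i in images if i.get("version") == wanted_version), None)
    if target is None:
        problems = [f"version {wanted_version} is not stored on the switch"]
        if len(images) >= MAX_IMAGES:
            spare = [i["filename"] for i in images if "Active" not in i["flags"]]
            problems.append("image store full; delete before copying: " + ", ".join(spare))
        return problems
    problems = []
    missing = [flag for flag in ("Active", "Boot") if flag not in target["flags"]]
    if missing:
        problems.append(f"{target['filename']} is not marked " + "/".join(missing))
    if model and model not in target["compatibility"]:
        problems.append(f"{model} is not in the Compatibility list")
    if reference_checksum and target.get("checksum", "").lower() != reference_checksum.lower():
        problems.append("CheckSum differs from the reference value")
    return problems


if __name__ == "__main__":
    print(check_boot_image(DIR_OUTPUT, "06.61.01.0031", model="C5G124-24"))
```
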
Additional Configuration Tasks
After loading the latest firmware and resetting the switch, you may wish to perform the following configuration tasks before connecting the switch to your network or connecting devices to the switch.
If the switch will be added to an existing stack, no further configuration is needed. Refer to “Adding a New Unit to an Existing Stack” on page 2-3.
Setting User Accounts and Passwords
Enterasys switches are shipped with three default user accounts:
A super-user access account with a username of admin and no password
A read-write access account with a username of rw and no password
A read-only access account with a username of ro and no password
Enterasys recommends that, for security purposes, you set up one or more unique user accounts with passwords and disable the default login accounts.
1. Create a new super-user account. This example uses username “NewAdmin”:
C5(su)->set system login NewAdmin super-user enable
2. Set the password for the new super-user account. By default, passwords must be at least 8 characters in length. The interface does not echo the password characters as you enter them.
C5(su)->set password NewAdmin
Please enter new password:
Please re-enter new password:
Password Changed.
3. Verify the new super-user account with the show system login command.
C5(su)->show system login
Username  Access      State    Aging  Simul  Local  Login  Access  Allowed
                                      Login  Only?  Start  End     Days

admin     super-user  enabled  0      0      no     ***access always allowed***
ro        read-only   enabled  0      0      no     ***access always allowed ***
rw        read-write  enabled  0      0      no     ***access always allowed***
NewAdmin  super-user  enabled  0      0      no     00:00  24:00   sun mon tue
                                                                   wed thu fri sat
4. Repeat steps 1 and 2 to create additional read-write and read-only user accounts as desired. To create read-write or read-only accounts, use these commands:
set system login <user-name> read-write enable
set system login <user-name> read-only enable
Use the set password command to set passwords for the new accounts.
5. Disable the default login accounts.
C5(su)->set system login admin super-user disable
C5(su)->set system login rw read-write disable
C5(su)->set system login ro read-only disable
For more information about configuring user accounts and passwords, refer to Chapter 5, User Account and Password Management.
Controlling In-band Access to the Switch
By default, SSH is disabled and Telnet is enabled. You may want to require that SSH be used for in-band access to the switch. In addition, WebView, the Enterasys embedded web-server for switch configuration, is enabled on TCP port 80 by default. You may want to disable this browser access also.
1. Enable SSH and show the current state.
C5(su)->set ssh enable
C5(su)->show ssh
SSH Server status: Enabled
2. Disable Telnet inbound while leaving Telnet outbound enabled, and show the current state.
C5(su)->set telnet disable inbound
C5(su)->show telnet
Telnet inbound is currently: DISABLED
Telnet outbound is currently: ENABLED
3. Disable WebView and show the current state.
C5(su)->set webview disable
C5(su)->show webview
WebView is Disabled.
4. Set the time (in minutes) an idle console, Telnet, or SSH CLI session will remain connected before timing out. The default idle timeout is 5 minutes.
C5(su)->set logout 20
C5(su)->show logout
Logout currently set to: 20 minutes.
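To confirm that the account and in-band access steps above took effect, the show output can be saved from the console session and checked by a script. The following is an added example, not Enterasys code: it passes a check only on the exact hardened lines printed in this chapter, and reports a missing command as unknown rather than as a pass. The sample captures are constructed, and the "Disabled", "Enabled." and "disabled" wordings in them are assumptions.

```python
import re

DEFAULT_ACCOUNTS = {"admin", "rw", "ro"}  # default usernames listed in this chapter
PROMPT = re.compile(r"^\S+?->\s*(.*)$")   # e.g. "C5(su)->show ssh"
LOGIN_ROW = re.compile(r"^(\S+)\s+(super-user|read-write|read-only)\s+(\S+)")

# Constructed capture: a switch still at the defaults the chapter describes.
FACTORY_CAPTURE = """\
C5(su)->show system login
Username Access State Aging Simul Local Login Access Allowed
admin super-user enabled 0 0 no ***access always allowed***
ro read-only enabled 0 0 no ***access always allowed***
rw read-write enabled 0 0 no ***access always allowed***
C5(su)->show ssh
SSH Server status: Disabled
C5(su)->show telnet
Telnet inbound is currently: ENABLED
Telnet outbound is currently: ENABLED
C5(su)->show webview
WebView is Enabled.
"""

# Constructed capture after the chapter's steps have been applied.
HARDENED_CAPTURE = """\
C5(su)->set ssh enable
C5(su)->show ssh
SSH Server status: Enabled
C5(su)->show telnet
Telnet inbound is currently: DISABLED
Telnet outbound is currently: ENABLED
C5(su)->show webview
WebView is Disabled.
C5(su)->show system login
Username Access State Aging Simul Local Login Access Allowed
admin super-user disabled 0 0 no ***access always allowed***
ro read-only disabled 0 0 no ***access always allowed***
rw read-write disabled 0 0 no ***access always allowed***
NewAdmin super-user enabled 0 0 no 00:00 24:00 sun mon tue
wed thu fri sat
"""


def split_sections(capture):
    """Map each 'show ...' command in a captured session to its output lines."""
    sections, current = {}, None
    for raw in capture.splitlines():
        line = raw.strip()
        prompt = PROMPT.match(line)
        if prompt:
            command = " ".join(prompt.group(1).split())
            # Only 'show' output is audited; any other command ends the section.
            current = sections.setdefault(command, []) if command.startswith("show ") else None
        elif current is not None and line:
            current.append(line)
    return sections


def audit(capture):
    """Return {check: (status, detail)}; status is 'pass', 'fail' or 'unknown'."""
    sections = split_sections(capture)
    results = {}

    def expect_line(check, command, hardened_line):
        lines = sections.get(command)
        if lines is None:
            results[check] = ("unknown", f"'{command}' not in capture")
        elif hardened_line in lines:
            results[check] = ("pass", hardened_line)
        else:
            results[check] = ("fail", "; ".join(lines) or "no output")

    expect_line("ssh-enabled", "show ssh", "SSH Server status: Enabled")
    expect_line("telnet-inbound-disabled", "show telnet", "Telnet inbound is currently: DISABLED")
    expect_line("webview-disabled", "show webview", "WebView is Disabled.")

    rows = sections.get("show system login")
    accounts = [m.groups() for m in map(LOGIN_ROW.match, rows or []) if m]
    if not accounts:
        # No table, or no row parsed: never report this as a pass.
        unknown = ("unknown", "no account rows from 'show system login'")
        results["default-accounts-disabled"] = unknown
        results["custom-super-user"] = unknown
        return results
    live = sorted(u for u, _, state in accounts
                  if u in DEFAULT_ACCOUNTS and state == "enabled")
    results["default-accounts-disabled"] = (
        ("fail", "enabled: " + ", ".join(live)) if live else ("pass", "none enabled"))
    custom = sorted(u for u, access, state in accounts
                    if u not in DEFAULT_ACCOUNTS and access == "super-user" and state == "enabled")
    results["custom-super-user"] = (
        ("pass", ", ".join(custom)) if custom else ("fail", "no non-default super-user enabled"))
    return results


if __name__ == "__main__":
    for name, capture in (("factory", FACTORY_CAPTURE), ("hardened", HARDENED_CAPTURE)):
        for check, (status, detail) in audit(capture).items():
            print(f"{name:9} {check:27} {status:8} {detail}")
```

The custom-super-user check mirrors the order of the procedure: a working non-default super-user account should exist before the default admin account is disabled.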
Changing SNMP Defaults
By default, SNMP Version 1 (SNMPv1) is configured on Enterasys switches. The default configuration includes a single community name “public” which grants read-write access to the whole MIB tree for both SNMPv1 and SNMPv2c.
For security reasons, you should plan to change the default SNMP settings to ones suitable for your network. Refer to Chapter 12, Configuring SNMP for detailed information.
As a minimum step, Enterasys recommends that you remove the default community name “public” from the switch’s configuration.
1. Remove the “public” community name.
C5(su)->clear snmp community public
2. Map a new community name to the security name of “public.”
C5(su)->set snmp community <new-community-name> securityname public
This step allows you to keep the public view group and group access, and therefore ensure SNMP access to the switch, until you are ready to change all the default SNMP settings to more appropriate values.
Saving the Configuration and Connecting Devices
When you enter CLI configuration commands, the configuration is saved to NVRAM on the switch automatically at the following intervals:
• On a standalone unit, the configuration is checked every two minutes and saved if there has been a change.
• On a stack, the configuration is saved across the stack every 5 minutes if there has been a change.
To save a running configuration to NVRAM more often than the automatic intervals, execute the save config command and wait for the system prompt to return. After the prompt returns, the configuration will be persistent.
When you have completed your initial configuration:
1. Save the running configuration.
C5(su)->save config
Saving Configuration to stacking members
Configuration saved
C5(su)->
2. Optionally, save the configuration to a backup file named “myconfig” in the configs directory and copy the file to your computer using TFTP. You can use this backup configuration file to quickly restore the configuration if you need to replace the switch or change to a different firmware version.
C5(su)->show config outfile configs/myconfig
C5(su)->copy configs/myconfig tftp://192.168.1.2/myconfig
3. Connect the switch ports to the network or to user devices, following the instructions in the
Installation Guide for your switch.
Configuring a Stack of New Switches
For more information about configuring a stack of switches, refer to Chapter 2, Configuring
Switches in a Stack.
To set up multiple new stackable switches in a stack:
1. Before applying power to the switches, connect the stacking cables, as described in your products’ Installation Guide.
2. Power on the switches one at a time, starting with the switch you want to be the manager switch.
3. Connect to the console port of the manager unit, as described in “Before You Begin” on page 1-1, and “Connecting to the Switch” on page 1-2 and log in to the CLI.
4. Check that the stacking process has completed as you expected it to, using the show switch command.
5. If necessary, renumber the stack units, as described in Chapter 2, Configuring Switches in a
Stack.
6. Set the IP address of the stack as described in “Connecting to the Switch” on page 1-2.
7. Connect the network port on your computer to a front panel port on the manager unit with an Ethernet cable (described in Connecting to the Switch) and use TFTP to download the firmware to the manager unit, as described in “Downloading New Firmware” on page 1-3.
The manager unit copies the new firmware to the members of the stack automatically as part of the download process.
8. Set the new firmware to be active and reboot the entire system with the set boot system command. When the command asks if you want to reset the system now, reply y.
9. After the switches in the stack reboot, log back in and confirm that the new firmware has been applied, using the show switch command.
10. Apply any advanced feature licenses, if required. Refer to “Licensing Advanced Features” on page 4-8 for more information.
11. Refer to “Additional Configuration Tasks” on page 1-5.
Where to Go Next
For information about... | Refer to ...
Configuring switches in a stack | Chapter 2, Configuring Switches in a Stack
User accounts and passwords | Chapter 5, User Account and Password Management
Setting up authentication | Chapter 10, Configuring User Authentication
Configuring system services, including licensing of advanced features, SNTP, DHCP, Telnet, SSH, MAC address settings, and node aliases | Chapter 4, System Configuration
How to use the command line interface | Chapter 3, CLI Basics
Firmware and file management, including how to upgrade the firmware, how to create and save configuration backup files, and how to revert to a saved configuration | Chapter 6, Firmware Image and File Management
Configuring system power and PoE | Chapter 7, Configuring System Power and PoE
Port configuration | Chapter 8, Port Configuration
Configuring VLANs | Chapter 9, Configuring VLANs
Configuring link aggregation | Chapter 11, Configuring Link Aggregation
Configuring SNMP | Chapter 12, Configuring SNMP
Configuring neighbor discovery protocols | Chapter 13, Configuring Neighbor Discovery
Configuring system logging | Chapter 14, Configuring Syslog
Configuring spanning tree | Chapter 15, Configuring Spanning Tree
Configuring policy using the CLI | Chapter 16, Configuring Policy
Configuring multicast protocols, including IGMP, DVMRP, and PIM-SM | Chapter 19, Configuring Multicast Protocols
Enabling router configuration modes, configuring IPv4 addresses and static routes | Chapter 20, IP Configuration
Configuring RIP and IRDP | Chapter 21, IPv4 Basic Routing
Configuring OSPFv2 and VRRP | Chapter 22, Configuring OSPFv2; Chapter 23, Configuring VRRP
Configuring access control lists (ACLs) | Chapter 24, Configuring Access Control Lists
Managing IPv6 at the switch level, configuring IPv6 routing and Neighbor Discovery, and configuring DHCPv6 | Chapter 25, Configuring and Managing IPv6
Configuring security features, including the security mode of the switch, IPsec, RADIUS management authentication, MAC locking, TACACS+, and service ACLs | Chapter 26, Configuring Security Features
Getting Help
For additional support, contact Enterasys Networks using one of the following methods:
World Wide Web: www.enterasys.com/support
Phone: 1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000
To find the Enterasys Networks Support toll-free number in your country: www.enterasys.com/support
Email: support@enterasys.com
To expedite your message, type [switching] in the subject line.
Enterasys provides an extensive online Knowledge base that can be accessed from the corporate Support page:
http://www.enterasys.com/support/
Downloading Firmware via the Serial Port
This procedure describes how to download switch firmware via the serial (console) port, instead of using TFTP. This procedure assumes that you are using either HyperTerminal or TeraTerm (which support XMODEM transfer) as your terminal emulation software and that you have downloaded the latest firmware for the switch from the Enterasys web site to your computer, and unzipped/uncompressed the firmware.
1. Connect your PC or laptop to the console port of the switch, as described above in “Before You
Begin” on page 1-1.
2. On your computer, start your terminal emulation program and set the serial session parameters, including the following:
Transmit speed or baud rate = 9600
Data bits = 8
Parity = None
Stop bits = 1
Mode = 7 bit control, if available
Serial line to connect to = COM1 typically
3. Open the terminal emulation session, then power up the switch.
4. In the window of the terminal emulation session, you will see switch boot up output. A message similar to the following displays.
Within 2 seconds, type 2 to select “Start Boot Menu”. Use “administrator” for the Password.
Version 06.61.xx 12-09-2011
Computing MD5 Checksum of operational code...
Select an option. If no selection in 2 seconds then operational code will start.
1 - Start operational code.
2 - Start Boot Menu.
Select (1, 2):2
Password: *************
Boot Menu Version 06.61.xx 12-09-2011
Options available
1 - Start operational code
2 - Change baud rate
3 - Retrieve event log using XMODEM (64KB).
4 - Load new operational code using XMODEM
5 - Display operational code vital product data
6 - Run Flash Diagnostics
7 - Update Boot Code
8 - Delete operational code
9 - Reset the system
10 - Restore Configuration to factory defaults (delete config files)
11 - Set new Boot Code password
[Boot Menu] 2
5. Type 2. The following baud rate selection screen displays:
1 - 1200
2 - 2400
3 - 4800
4 - 9600
5 - 19200
6 - 38400
7 - 57600
8 - 115200
0 - no change
6. Type 8 to set the switch baud rate to 115200. The following message displays:
Setting baud rate to 115200, you must change your terminal baud rate.
7. In your terminal emulation program, set the terminal baud rate to 115200:
HyperTerminal: File > Properties > Configure > Bits per Second > Apply > OK > OK
TeraTerm: Setup > Serial port > Baud rate > OK
8. Press ENTER. The switch will complete the baud rate change, displaying a new boot menu prompt.
9. From the boot menu options screen, type 4 to load new operational code using XMODEM.
10. Set up for XMODEM file transmission:
HyperTerminal: Transfer > Send File > Browse > Open > Protocol Xmodem > Send > bps/cps
TeraTerm: File > Transfer > XMODEM > Send > Browse > Open
11. Progress messages will indicate the status of the file transfer.
[Boot Menu] 4
Ready to receive the file with XMODEM/CRC....
Ready to RECEIVE File xcode.bin in binary mode Send several Control-X characters to cCKCKCKCKCKCKCK
XMODEM transfer complete, checking CRC....
Verified operational code CRC.
The following Enterasys Header is in the image:
MD5 Checksum....................fe967970996c4c8c43a10cd1cd7be99a
Boot File Identifier............0x0517
Header Version..................0x0100
Image Type......................0x82
Image Offset....................0x004d
Image length....................0x006053b3
Ident Strings Length............0x0028
Ident Strings...................
<platform specific>
Image Version Length............0x8
Image Version Bytes.............0x30 0x2e 0x35 0x2e 0x30 0x2e 0x34 (x.xx.xx)
The following secondary header is in the image:
CRC............................................0xe6aa (59050)
Target Device..................................0x00a08245
Size...........................................0x58f210 (5829136)
Number of Components...........................2
Operational Code Size..........................0x51d5b8 (5363128)
Operational Code Offset........................0x0 (0)
Operational Code CRC...........................0x1FC1
Boot Code Version..............................29
Boot Code Size.................................0x71a08 (465416)
Boot Code Offset...............................0x51d5b8 (5363128)
Boot Code CRC..................................0x4CCD
VPD - rel 6 ver 61 maint_lvl xx
Timestamp - Wed Jul 27 12:24:04 2011
File - c5-series_06.61.xx
Operational code update completed successfully.
Verifying Operational Code CRC..... CRC is OK.
12. Press ENTER so the switch will complete the file transfer operation, displaying a fresh
prompt.
[Boot Menu] 2
13. Type 2 to display the baud rate selection screen again.
14. Type 4 to set the switch baud rate to 9600. The following message displays:
Setting baud rate to 9600, you must change your terminal baud rate.
15. In your terminal emulation program, set the terminal baud rate to 9600.
HyperTerminal: File > Properties > Configure > Bits per Second > Apply > OK > OK
TeraTerm: Setup > Serial port > Baud rate > OK
16. Press ENTER so the switch will complete the baud rate change and display a fresh prompt.
[Boot Menu] 1
17. Type 1 to start the new operational code. A message similar to the following displays:
Operational Code Date: Tue Jun 29 08:34:05 2011
Uncompressing.....
18. After the switch comes back up, log in and confirm that the new image has been detected and is now running. You can use either the “show boot system” command or the “dir” command.
C5(rw)->show boot system
Current system image to boot: c5-series_06.61.xx
C5(rw)->
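A check over a captured terminal log of the transfer above, added here as an example and not Enterasys code: it parses the dotted header fields, confirms the status lines the procedure shows, and compares the header MD5 with a reference value. The function names are hypothetical, and the layout check (boot code directly after operational code, both within Size) is an assumption drawn from the sample values on this page.

```python
import re

# "Name.....value" lines as printed by the boot menu after an XMODEM transfer.
FIELD = re.compile(r"^([A-Za-z0-9 ]+?)\.{2,}\s*(\S.*)$")
HEX_DEC = re.compile(r"^(0x[0-9a-fA-F]+)\s+\((\d+)\)$")
# Status lines the procedure shows for a successful transfer.
REQUIRED_LINES = (
    "Verified operational code CRC.",
    "Operational code update completed successfully.",
    "CRC is OK.",
)


def parse_fields(log):
    """Collect the dotted header fields from a captured log into a dict."""
    fields = {}
    for line in log.splitlines():
        match = FIELD.match(line.strip())
        if match:
            fields[match.group(1).strip()] = match.group(2).strip()
    return fields


def number(fields, name):
    """Integer value of a field printed as '0x...' or '0x... (decimal)'."""
    return int(fields[name].split()[0], 16)


def check_transfer(log, expected_md5):
    """Return a list of problems found in the log; an empty list means clean."""
    problems = [f"missing status line: {s}" for s in REQUIRED_LINES if s not in log]
    fields = parse_fields(log)
    for name, value in fields.items():
        pair = HEX_DEC.match(value)
        if pair and int(pair.group(1), 16) != int(pair.group(2)):
            problems.append(f"{name}: {pair.group(1)} does not equal {pair.group(2)}")
    reported = fields.get("MD5 Checksum", "").lower()
    if reported != expected_md5.lower():
        problems.append(f"header MD5 is {reported or 'absent'}, expected {expected_md5}")
    try:
        op_end = number(fields, "Operational Code Offset") + number(fields, "Operational Code Size")
        boot_start = number(fields, "Boot Code Offset")
        boot_end = boot_start + number(fields, "Boot Code Size")
        total = number(fields, "Size")
    except (KeyError, ValueError, IndexError):
        problems.append("secondary header fields missing or unreadable")
        return problems
    # Assumption drawn from the page's sample values: the boot code follows the
    # operational code directly and both lie within the stated Size.
    if boot_start != op_end:
        problems.append("boot code does not start where operational code ends")
    if boot_end > total:
        problems.append("components extend past the stated Size")
    return problems


# Reference value; here the one printed in the page's sample output.
REFERENCE_MD5 = "fe967970996c4c8c43a10cd1cd7be99a"

# Log assembled from the output shown in step 11 of the procedure.
TRANSFER_LOG = """\
XMODEM transfer complete, checking CRC....
Verified operational code CRC.
The following Enterasys Header is in the image:
MD5 Checksum....................fe967970996c4c8c43a10cd1cd7be99a
Boot File Identifier............0x0517
Image length....................0x006053b3
The following secondary header is in the image:
CRC............................................0xe6aa (59050)
Target Device..................................0x00a08245
Size...........................................0x58f210 (5829136)
Number of Components...........................2
Operational Code Size..........................0x51d5b8 (5363128)
Operational Code Offset........................0x0 (0)
Operational Code CRC...........................0x1FC1
Boot Code Version..............................29
Boot Code Size.................................0x71a08 (465416)
Boot Code Offset...............................0x51d5b8 (5363128)
Boot Code CRC..................................0x4CCD
Operational code update completed successfully.
Verifying Operational Code CRC..... CRC is OK.
"""

# Constructed failure case: one decimal altered and the completion line removed.
DAMAGED_LOG = TRANSFER_LOG.replace("(5829136)", "(5829137)").replace(
    "Operational code update completed successfully.\n", ""
)

if __name__ == "__main__":
    print(check_transfer(TRANSFER_LOG, REFERENCE_MD5))
    for problem in check_transfer(DAMAGED_LOG, REFERENCE_MD5):
        print("PROBLEM:", problem)
```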
2
Configuring Switches in a Stack
This chapter provides information about configuring Enterasys switches in a stack. For information about upgrading firmware on a new stack, refer to “Configuring a Stack of New Switches” on page 1-8.
For information about... | Refer to page...
About Switch Operation in a Stack | 2-1
Installing a New Stackable System of Up to Eight Units | 2-2
Installing Previously-Configured Systems in a Stack | 2-3
Adding a New Unit to an Existing Stack | 2-3
Removing Units from an Existing Stack | 2-4
Creating a Virtual Switch Configuration | 2-4
Considerations About Using “clear config” in a Stack | 2-5
Configuring Standalone A4 Stack Ports | 2-6
About Switch Operation in a Stack
Enterasys stackable switches can be adapted and scaled to help meet your network needs. These switches provide a management platform and uplink to a network backbone for a stacked group of up to eight switches.
Once installed in a stack, the switches behave and perform as a single switch product. As such, you can start with a single unit and add more units as your network expands. You can also mix different products in the family in a single stack to provide a desired combination of port types and functions to match the requirements of individual applications. In all cases, a stack of units performs as one large product, and is managed as a single network entity.
Stack Initialization
When switches are installed and connected as described in your products’ Installation Guide, the following occurs during initialization:
• The switch that will manage the stack is automatically established. This is known as the manager switch. The manager switch organizes all the reachability information for bridging and routing, including keeping the address tables in the stack units (including itself) coherent.
• All other switches are established as members in the stack. Each individual stack member processes its own packets, rather than pushing them to the manager for processing.
• The hierarchy of the switches that will assume the function of backup manager is also determined in case the current manager malfunctions, is powered down, or is disconnected from the stack.
The console port on the manager switch remains active for out-of-band (local) switch management, but the console port on each member switch is deactivated. This enables you to set the IP address and system password using a single console port. Each switch can be configured locally using only the manager’s console port, or inband using the stack’s IP address from a remote device.
Once a stack is created (more than one switch is interconnected), the following procedure occurs:
1. By default, unit IDs are arbitrarily assigned on a first-come, first-served basis.
2. Unit IDs are saved against each module. Then, every time a board is power-cycled, it will initialize with the same unit ID. This is important for port-specific information (for example: ge.4.12 is the 12th Gigabit Ethernet port on Unit # 4).
3. The management election process uses the following precedence to assign a management switch:
a. Previously assigned / elected management unit
b. Management assigned priority (values 1-15)
c. Hardware preference level
d. Highest MAC Address
The management designation is written to the manager unit. Thereafter, every time the manager is power-cycled, it will initialize with that role.
Configuration Management
When switches are stacked, the only file structure and configuration information that is viewable or configurable is that of the manager unit, which pushes its configuration to the member units every 5 minutes if there has been a change. To avoid possible configuration loss in the event of manager unit failure after a configuration change, execute the save config command and wait for the system prompt to return. After the prompt returns, the configuration will be persistent.
Installing a New Stackable System of Up to Eight Units
Use the following procedure for installing a new stack of up to eight units out of the box.
Note: The following procedure assumes that all units have a clean configuration from manufacturing, all units are running the same primary and backup firmware image versions, and all units are in the same licensing state.
1. Before applying power, make all physical connections with the stack cables as described in your product’s Installation Guide.
2. Once all of the stack cables have been connected, individually power on each unit, starting with the switch you want to be the manager switch.
Ensure that each switch is fully operational before applying power to the next switch. Since unit IDs are assigned on a first-come, first-served basis, this will ensure that unit IDs are ordered sequentially.
3. Establish a CLI session on the manager unit and use the show switch command to display stacking information.
4. (Optional) If desired, change the management unit using the set switch movemanagement command, and/or change the unit numbering with the set switch member command.
5. Once the desired master unit has been selected, reset the system using the reset command.
6. After the stack has been configured, you can use the show switch unit command to physically identify each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.
Installing Previously-Configured Systems in a Stack
If member units in a stack have been previous members of a different stack, you may need to configure the renumbering of the stack. All units must be running the same primary and backup firmware images.
1. Power down the switches in the existing stack.
2. Stack the units in the method desired, and connect the stack cables.
3. Power up only the unit you wish to be manager.
4. Once the management unit is powered up, log into the CLI, and use the show switch
command to display stacking information.
5. Clear any switches which are listed as “unassigned” using the clear switch member
command.
6. Power up the member of the stack you wish to become unit 2. Once the second unit is fully powered, the COM session of the CLI will state that a new CPU was added.
7. Use the show switch command to redisplay stacking information.
a. If the new member displays as unit 2, you can proceed to repeat this step with the next
unit.
b. If the new member displays a different unit number, you must:
(1) Renumber the stack using the set switch renumber command, then
(2) Clear the original unit number using the clear switch member command.
Avoid directly reassigning a different unit number to the stack manager, or by design, the stack configuration will revert to defaults.
8. Repeat Step 7 until all members have been renumbered in the order you desire.
9. After the stack has been reconfigured, you can use the show switch unit command to physically confirm the identity of each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.
Adding a New Unit to an Existing Stack
Use the following procedure for installing a new unit into an existing stack configuration. This procedure assumes that the new unit being added has a clean configuration from manufacturing and is running the same primary and backup firmware image versions as other units in the stack.
1. Ensure that power is off on the new unit being installed.
2. Use one of the following methods to complete stack cable connections:
• If the running stack uses a daisy chain topology, make the stack cable connections from the bottom of the stack to the new unit (that is, STACK DOWN port from the bottom unit of the running stack to the STACK UP port on the new unit).
• If the running stack uses a ring stack topology, break the ring and make the stack cable connections to the new unit to close the ring.
3. Apply power to the new unit.
4. Log into the CLI through the management unit and use the show switch command to display
stacking information.
5. If the stacking setup does not appear to be correct, use the commands described in the previous procedure to readjust the configuration.
Insertion of new units into a stack is handled dynamically. Normally, the integration is a fairly rapid process. However, be aware that integration is a background task. If the stack is extremely busy handling user traffic, integrating the new unit into the stack could take a long time (possibly hours).
Removing Units from an Existing Stack
Use the following procedure to remove one or more units from an existing stack.
1. Use the save config command to ensure that all units have full configuration knowledge.
2. Remove the stacking cables associated with the switches you want to remove.
a. Operation of the sub-stack that retains the previous manager unit will be disrupted for 2
to 3 seconds.
b. Operation of any sub-stacks that now lack a manager unit will be disrupted for 30 to 40
seconds while a new manager unit is elected and comes online.
c. In all cases, units will retain their unit numbers.
3. You can power down one or more units either before or after removing stacking cables. Disruption times will be as described in Stack Disruption Times below.
4. After removal of stack units, you can optionally use the clear switch member command to remove any “Unassigned” units.
Stack Disruption Times
Upon manager unit failure, removal, or reassignment (with the set switch movemanagement command), the operation of the stack, including the Ethernet link state of all ports, will be interrupted for about 30 to 40 seconds.
Upon member unit failure or removal, the operation of the stack will be interrupted for about 2 to 3 seconds.
Creating a Virtual Switch Configuration
You can create a configuration for a stackable switch before adding the actual physical device to a stack. This preconfiguration feature includes configuring protocols on the ports of the “virtual switch.”
Note: Stacking cables are hot-swappable. In most cases, it is not necessary to power down stacked units before attaching or detaching cables.
To create a virtual switch configuration in a stack environment:
1. Display the types of switches supported in the stack, using the show switch switchtype command.
2. Using the output of the show switch switchtype command, determine the switch index (SID) of the model of switch being configured.
3. Add the virtual switch to the stack using the set switch member command. Use the SID of the switch model, determined in the previous step, and the unit ID that you want to assign to this switch member.
4. Proceed to configure the ports of the virtual switch as you would do for physically present devices.
Example
The following example adds a virtual switch configuration to a stack of C5 switches. The switch type being added is a C5G124-24 (SID 1), and it is being added as member unit 4. Port number 1 of the virtual switch (ge.4.1) is then configured in the same way that a physically present port would be configured.
C5(su)->show switch switchtype
                                       Mgmt  Code
SID  Switch Model ID                   Pref  Version
---  --------------------------------  ----  ---------
1    C5G124-24                         1     0xa08245
2    C5K125-24                         1     0xa08245
3    C5K175-24                         1     0xa08245
4    C5K125-24P2                       1     0xa08245
5    C5G124-24P2                       1     0xa08245
6    C5G124-48                         1     0xa08245
7    C5K125-48                         1     0xa08245
8    C5K125-48P2                       1     0xa08245
9    C5G124-48P2                       1     0xa08245
C5(su)->set switch member 4 1
C5(su)->set vlan create 555
C5(su)->set port vlan ge.4.1 555 modify-egress
C5(su)->show port vlan ge.4.1
ge.4.1 is set to 555
Note: If you preconfigure a virtual switch and then add a physical switch of a different type to the stack as that unit number, any configured functionality that cannot be supported on the physical switch will cause a configuration mismatch status for that device and the ports of the new device will join detached. You must clear the mismatch before the new device will properly join the stack.
Considerations About Using “clear config” in a Stack
When using the clear config command to clear configuration parameters in a stack, it is important to remember the following:
• Use clear config to clear configuration parameters without clearing stack unit IDs. This command WILL NOT clear stack parameters or the IP address and avoids the process of renumbering the stack.
• Use clear config all when it is necessary to clear all configuration parameters, including stack unit IDs and switch priority values. This command will not clear the IP address nor will it remove an applied advanced feature license.
• Use clear ip address to remove the IP address of the stack.
• Use clear license to remove an applied license from a switch.
Configuration parameters and stacking information can also be cleared on the master unit only by selecting the “restore configuration to factory defaults” option from the boot menu on switch startup. This selection will leave stacking priorities on all other units.
Configuring Standalone A4 Stack Ports
It is possible on a standalone A4 switch to configure the two stack ports as standard gigabit Ethernet ports with the set switch stack-port command. By default, the two front panel uplink ports are in stack mode. Changing the mode causes the switch to reset.
This command should be used only on standalone (non-stacked) A4 switches. Do not stack A4 switches with uplink ports that are in Ethernet mode.
To change front panel uplink ports to Ethernet mode:
A4(su)->set switch stack-port ethernet
This command will reset the entire system. Do you want to continue (y/n) [n]
When Uplink Ports are Configured as Ethernet Ports
When using the clear config command to clear configuration parameters on a standalone A4 switch with the uplink ports configured as standard Ethernet ports, it is important to remember the following:
• The clear config command WILL NOT set the front panel uplink ports back to stack ports.
• The clear config all command WILL set the front panel uplink ports back to stack ports.
3
CLI Basics
This chapter provides information about CLI conventions for stackable and standalone switches and CLI properties that you can configure.
For information about... | Refer to page...
Switch Management Methods | 3-1
Using the Command Line Interface | 3-1
Configuring CLI Properties | 3-6
Switch Management Methods
The Enterasys fixed switches can be managed using the following methods:
• Locally using a VT type terminal or computer running a terminal emulation program connected to the switch’s console port. See Chapter 1, Setting Up a Switch for the First Time for information about setting up this type of connection.
• Remotely using a VT type terminal or computer running a terminal emulation program connected through a modem. Refer to the Installation Guide for your product for information about setting up this type of connection.
• Remotely using an SNMP management station.
• In-band through a Telnet or SSH connection.
• In-band using the Enterasys NetSight® management application.
• Remotely using WebView™, Enterasys Networks’ embedded web server application.
When you connect to the console port or connect through a Telnet connection, you use the Command Line Interface (CLI) to manage the switch.
Using the Command Line Interface
This section describes how to start a CLI session, how to log in, and how to navigate the CLI.
Starting a CLI Session
There are two ways to start a CLI session: an out-of-band connection through the console port or an in-band connection using Telnet or SSH.
Connecting Using the Console Port
Connect a terminal to the local console port as described in “Connecting to the Switch” on page 1-2. When the boot up output is complete, the system prints a Username prompt. You can now log in to the Command Line Interface (CLI) by:
• using a default user account, as described in “Using a Default User Account” on page 3-3, or
• using an administratively-assigned user account as described in “Using an Administratively Configured User Account” on page 3-3.
Connecting Using Telnet or SSH
Once the switch has a valid IP address, you can establish a Telnet or SSH session from any TCP/IP based node on the network. For information about setting the switch’s IP address, refer to the set ip address command in the CLI Reference for your product.
To establish a Telnet or SSH session:
1. Telnet or SSH to the switch’s IP address.
2. Enter login (user name) and password information in one of the following ways:
• If the switch’s default login and password settings have not been changed, follow the steps listed in “Using a Default User Account” on page 3-3, or
• Enter an administratively-configured user name and password.
3. The startup screen, Figure 3-1, will display on the terminal. The notice of authorization and the prompt displays as shown in Figure 3-1.
Note: By default on the fixed switches, Telnet is enabled and SSH is disabled. Refer to “Controlling In-band Access to the Switch” on page 1-6 for information about enabling SSH.
Figure 3-1 CLI Startup Screen
Username:admin
Password:
Enterasys C5
Command Line Interface
Enterasys Networks, Inc.
50 Minuteman Rd.
Andover, MA 01810-1008 U.S.A.
Phone: +1 978 684 1000
E-mail: support@enterasys.com
WWW: http://www.enterasys.com
(c) Copyright Enterasys Networks, Inc. 2012
Chassis Serial Number: 041800249041
Chassis Firmware Revision: x.xx.xx
C5(su)->
Logging In
By default, the switch is configured with three user login accounts—ro for Read-Only access, rw for Read-Write access, and admin for super-user access to all modifiable parameters. The default password is set to a blank string. For information on changing these default settings, refer to
Chapter 5, User Account and Password Management.
Using a Default User Account
If this is the first time you are logging in to the switch, or if the default user accounts have not been administratively changed, proceed as follows:
1. At the login prompt, enter one of the following default user names:
ro for Read-Only access.
rw for Read-Write access.
admin for Super User access.
2. Press ENTER. The Password prompt displays.
3. Leave this string blank and press ENTER. The switch information and prompt displays as shown in Figure 3-1.
Using an Administratively Configured User Account
If the switch’s default user account settings have been changed, proceed as follows:
1. At the login prompt, enter your administratively-assigned user name and press ENTER.
2. At the Password prompt, enter your password and press ENTER.
The notice of authorization and the prompt displays as shown in Figure 3-1 on page 3-2.
Clearing and Closing the CLI
Use the cls command to clear the session screen.
Use the exit command to leave a CLI session. This command is also used to move to a lower router mode.
Navigating the Command Line Interface
Getting Help with CLI Syntax
The switch allows you to display usage and syntax information for individual commands by typing help or ? after the command.
CLI Command Defaults Descriptions
Each command description in the CLI Reference Guide for your product includes a section entitled “Defaults” which contains different information from the factory default settings on the switch described in Chapter 4, System Configuration. The section defines CLI behavior if the user enters a command without typing optional parameters (indicated by square brackets [ ]). For commands without optional parameters, the defaults section lists “None”. For commands with optional parameters, this section describes how the CLI responds if the user opts to enter only the keywords of the command syntax. Figure 3-2 provides an example.
Note: Users with read-write and read-only access can use the set password command (page 4-9) to change their own account passwords. Administrators with Super User (su) access can use the set system login command (page 4-6) to create and change user accounts, and the set password command to change any local account password.
Figure 3-2 Sample CLI Defaults Description
Syntax
show port status [port-string]
Defaults
If port-string is not specified, status information for all ports will be displayed.
CLI Command Modes
Each command description in this guide includes a section entitled “Mode” which states whether the command is executable in Admin (Super User), Read-Write, or Read-Only mode. Users with Read-Only access will only be permitted to view Read-Only (show) commands. Users with Read-Write access will be able to modify all modifiable parameters in set and show commands, as well as view Read-Only commands. Administrators or Super Users will be allowed all Read-Write and Read-Only privileges, and will be able to modify local user accounts. The A4 switch indicates which mode a user is logged in as by displaying one of the following prompts:
Admin: A4(su)->
Read-Write: A4(rw)->
Read-Only: A4(ro)->
Performing Keyword Lookups
Entering a space and a question mark (?) after a keyword will display all commands beginning with the keyword. Figure 3-3 shows how to perform a keyword lookup for the show snmp command. In this case, four additional keywords are used by the show snmp command. Entering a space and a question mark (?) after any of these parameters (such as show snmp community) will display additional parameters nested within the syntax.
Figure 3-3 Performing a Keyword Lookup
A4(su)->show snmp ?
community     SNMP v1/v2c community name configuration
notify        SNMP notify configuration
targetaddr    SNMP target address configuration
targetparams  SNMP target parameters configuration
Entering a question mark (?) without a space after a partial keyword will display a list of commands that begin with the partial keyword. Figure 3-4 shows how to use this function for all commands beginning with co:
Figure 3-4 Performing a Partial Keyword Lookup
A4(rw)->co?
configure copy
A4(su)->co
Note: At the end of the lookup display, the system will repeat the command you entered without the ?.
Displaying Scrolling Screens
If the CLI screen length has been set using the set length command, CLI output requiring more than one screen will display --More-- to indicate continuing screens. To display additional screen output:
Press any key other than ENTER to advance the output one screen at a time.
Press ENTER to advance the output one line at a time.
The example in Figure 3-5 shows how the show mac command indicates that output continues on more than one screen.
Figure 3-5 Scrolling Screen Output
A4(su)->show mac
MAC Address        FID  Port     Type
----------------------------------------------------------
00-00-1d-67-68-69  1    host     Management
00-00-02-00-00-00  1    fe.1.2   Learned
00-00-02-00-00-01  1    fe.1.3   Learned
00-00-02-00-00-02  1    fe.1.4   Learned
00-00-02-00-00-03  1    fe.1.5   Learned
00-00-02-00-00-04  1    fe.1.6   Learned
00-00-02-00-00-05  1    fe.1.7   Learned
00-00-02-00-00-06  1    fe.1.8   Learned
00-00-02-00-00-07  1    fe.1.9   Learned
00-00-02-00-00-08  1    fe.1.10  Learned
--More--
Abbreviating and Completing Commands
The switch allows you to abbreviate CLI commands and keywords down to the number of characters that will allow for a unique abbreviation. Figure 3-6 shows how to abbreviate the show netstat command to sh net.
Figure 3-6 Abbreviating a Command
A4(su)->sh net
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address         Foreign Address       State
----- ------ ------ --------------------- --------------------- -------
TCP   0      0      10.21.73.13.23        134.141.190.94.51246  ESTABLISHED
TCP   0      275    10.21.73.13.23        134.141.192.119.4724  ESTABLISHED
TCP   0      0      *.80                  *.*                   LISTEN
TCP   0      0      *.23                  *.*                   LISTEN
UDP   0      0      10.21.73.13.1030      134.141.89.113.514
UDP   0      0      *.161                 *.*
UDP   0      0      *.1025                *.*
UDP   0      0      *.123                 *.*
Basic Line Editing Commands
The CLI supports Emacs-like line editing commands. Table 3-1 lists some commonly used commands.
Table 3-1 Basic Line Editing Commands
Key Sequence        Command
Ctrl+A              Move cursor to beginning of line.
Ctrl+B              Move cursor back one character.
Ctrl+D              Delete a character.
Ctrl+E              Move cursor to end of line.
Ctrl+F              Move cursor forward one character.
Ctrl+H              Delete character to left of cursor.
Ctrl+I or TAB       Complete word.
Ctrl+K              Delete all characters after cursor.
Ctrl+N              Scroll to next command in command history (use the CLI history command to display the history).
Ctrl+P              Scroll to previous command in command history.
Ctrl+Q              Resume the CLI process.
Ctrl+S              Pause the CLI process (for scrolling).
Ctrl+T              Transpose characters.
Ctrl+U or Ctrl+X    Delete all characters before cursor.
Ctrl+W              Delete word to the left of cursor.
Ctrl+Y              Restore the most recently deleted item.
Configuring CLI Properties
CLI properties are options that you can configure and customize in the CLI, such as the command prompt, command completion, banner messages, and session idle timeout.
Table 3-2 lists CLI properties configuration commands.
Table 3-2 CLI Properties Configuration Commands
Task: Modify the command prompt
    Command: set prompt prompt-string
Task: Set the banner message for pre- and post-session login.
    Command: set banner {login message | motd message}
Task: Clear the banner message displayed at pre- and post-session login to a blank string.
    Command: clear banner {login | motd}
Task: Set the number of columns for the terminal connected to the device’s console port.
    Command: set width screenwidth [default]
Task: Set the number of lines the CLI will display before pausing with a “----More ----” prompt.
    Command: set length screenlength
Task: Set the time (in minutes) an idle console or Telnet CLI session will remain connected before timing out.
    Command: set logout timeout
Refer to the CLI Reference for your switch model for more information about each command.
Example CLI Properties Configuration
In this example, the prompt is changed and a login banner is added.
C5(rw)->set prompt "Switch 1"
Switch 1(rw)->
Switch 1(rw)->set banner login "There is nothing more important than our customers."
CLI Properties Display Commands
Table 3-3 lists CLI properties show commands.
Table 3-3 CLI Properties Show Commands
Task: Display the banner message that will display at pre and post session login.
    Command: show banner
Task: Display the number of columns for the terminal connected to the device’s console port.
    Command: show width
Task: Display the current screen length.
    Command: show length
Task: Display the time (in seconds) an idle console or Telnet CLI session will remain connected before timing out.
    Command: show logout
Refer to the CLI Reference for your switch model for a description of the output of each command.
4
System Configuration
This chapter provides basic system configuration information in the following areas:
• Factory Default Settings
• Initial Configuration Overview
• Advanced Configuration Overview
• Licensing Advanced Features
• SNTP Configuration
• DHCP Configuration
• Telnet Overview
• SSH Overview
• MAC Address Settings
• Configuring Node Aliases
Factory Default Settings
The following tables list factory default settings available on the Enterasys fixed switches.
Table 4-1 Default Settings for Basic Switch Operation
Feature                                         Default Setting
Switch Mode Defaults
CDP discovery protocol                          Auto enabled on all ports.
CDP authentication code                         Set to 00-00-00-00-00-00-00-00
CDP hold time                                   Set to 180 seconds.
CDP interval                                    Transmit frequency of CDP messages set to 60 seconds.
Cisco discovery protocol                        Auto enabled on all ports.
Cisco DP hold time                              Set to 180 seconds.
Cisco DP interval timer                         Set to 60 seconds.
Community name                                  Public.
Console (serial) port required settings         Baud rate: 9600; Data bits: 8; Flow control: disabled; Stop bits: 1; Parity: none
DHCP server                                     Disabled.
Diffserv                                        Disabled. (B3 platforms only)
EAPOL                                           Disabled.
EAPOL authentication mode                       When enabled, set to auto for all ports.
GARP timer                                      Join timer set to 20 centiseconds; leave timer set to 60 centiseconds; leaveall timer set to 1000 centiseconds.
GVRP                                            Globally enabled. Disabled per port.
History buffer size                             20 lines.
IEEE 802.1 authentication                       Disabled.
IGMP snooping                                   Disabled. When enabled, query interval is set to 260 seconds and response time is set to 10 seconds.
IP mask and gateway                             Subnet mask set to 0.0.0.0; default gateway set to 0.0.0.0.
IP routes                                       No static routes configured.
Jumbo frame support                             Enabled on all ports. (Not supported on I-Series switches.)
Link aggregation control protocol (LACP)        Globally enabled. Disabled per port on B5 and C5 switches. Enabled per port on A4, B3, C3, G-Series, and I-Series switches.
Link aggregation admin key                      Set to 32768 for all ports.
Link aggregation flow regeneration              Disabled.
Link aggregation system priority                Set to 32768 for all ports.
Link aggregation outport algorithm              Set to DIP-SIP.
Lockout                                         Set to disable Read-Write and Read-Only users, and to lockout the default admin (Super User) account for 15 minutes, after 3 failed login attempts.
Logging                                         Syslog port set to UDP port number 514. Logging severity level set to 6 (significant conditions) for all applications.
MAC aging time                                  Set to 300 seconds.
MAC locking                                     Disabled (globally and on all ports).
Passwords                                       Set to an empty string for all default user accounts. User must press ENTER at the password prompt to access CLI.
Password aging                                  Disabled.
Password history                                No passwords are checked for duplication.
Policy classification                           Classification rules are automatically enabled when created.
Port auto-negotiation                           Enabled on all ports.
Port advertised ability                         Maximum ability advertised on all ports.
Port broadcast suppression                      Enabled and set to limit broadcast packets to 14,881 per second on all switch ports.
Port duplex mode                                Set to half duplex, except for 100BASE-FX and 1000BASE-X, which is set to full duplex.
Port enable/disable                             Enabled.
Port priority                                   Set to 0.
Port speed                                      Set to 10 Mbps, except for 1000BASE-X, which is set to 1000 Mbps, and 100BASE-FX, which is set to 100 Mbps.
Port trap                                       All ports are enabled to send link traps.
Power over Ethernet port admin state            Administrative state is on (auto). Supported only on switches with PoE.
Priority classification                         Classification rules are automatically enabled when created.
RADIUS client                                   Disabled.
RADIUS retries                                  When the client is enabled, set to 3.
RADIUS timeout                                  When the client is enabled, set to 20 seconds.
Rate limiting                                   Disabled globally and on all ports. (Available only on A4 switches.)
Security mode                                   Normal.
SNMP                                            Enabled.
SNTP                                            Disabled.
Spanning Tree                                   Globally enabled and enabled on all ports.
Spanning Tree edge port administrative status   Edge port administrative status begins with the value set to false initially after the device is powered up. If a Spanning Tree BPDU is not received on the port within a few seconds, the status setting changes to true.
Spanning Tree edge port delay                   Enabled.
Spanning Tree forward delay                     Set to 15 seconds.
Spanning Tree hello interval                    Set to 2 seconds.
Spanning Tree ID (SID)                          Set to 0.
Spanning Tree maximum aging time                Set to 20 seconds.
Spanning Tree port priority                     All ports with bridge priority are set to 128 (medium priority).
Spanning Tree priority                          Bridge priority is set to 32768.
Spanning Tree topology change trap suppression  Enabled.
Spanning Tree version                           Set to mstp (Multiple Spanning Tree Protocol).
SSH                                             Disabled.
System baud rate                                Set to 9600 baud.
System contact                                  Set to empty string.
System location                                 Set to empty string.
System name                                     Set to empty string.
Telnet                                          Enabled inbound and outbound.
Telnet port (IP)                                Set to port number 23.
Terminal                                        CLI display set to 80 columns and 24 rows.
Timeout                                         Set to 5 minutes.
User names                                      Login accounts set to ro for Read-Only access; rw for Read-Write access; and admin for Super User access.
VLAN dynamic egress                             Disabled on all VLANs.
VLAN ID                                         All ports use a VLAN identifier of 1.
Host VLAN                                       Default host VLAN is 1.
Not all of the following routing features are available on all platforms. Some routing protocols require a separate license to become operable. Check the Release Notes for your specific platforms for details.
Table 4-2 Default Settings for Router Operation
Feature                             Default Setting
Access groups (IP security)         None configured.
Access control lists                None configured.
Area authentication (OSPF)          Disabled.
Area default cost (OSPF)            Set to 1.
Area NSSA (OSPF)                    None configured.
Area range (OSPF)                   None configured.
ARP table                           No permanent entries configured.
ARP timeout                         Set to 14,400 seconds.
Authentication key (RIP and OSPF)   None configured.
Authentication mode (RIP and OSPF)  None configured.
Dead interval (OSPF)                Set to 40 seconds.
Disable triggered updates (RIP)     Triggered updates allowed.
Distribute list (RIP)               No filters applied.
DVMRP                               Disabled. Metric set to 1.
Hello interval (OSPF)               Set to 10 seconds for broadcast and point-to-point networks. Set to 30 seconds for non-broadcast networks.
ICMP                                Enabled for echo-reply and mask-reply modes.
IP-directed broadcasts              Disabled.
IP forward-protocol                 Enabled with no port specified.
IP interfaces                       Disabled with no IP addresses specified.
IRDP                                Disabled on all interfaces. When enabled, maximum advertisement interval is set to 600 seconds, minimum advertisement interval is set to 450 seconds, holdtime is set to 1800 seconds, and address preference is set to 0.
MD5 authentication (OSPF)           Disabled with no password set.
MTU size                            Set to 1500 bytes on all interfaces.
OSPF                                Disabled.
OSPF cost                           Set to 10 for all interfaces.
OSPF network                        None configured.
OSPF priority                       Set to 1.
Passive interfaces (RIP)            None configured.
Proxy ARP                           Enabled on all interfaces.
Receive interfaces (RIP)            Enabled on all interfaces.
Retransmit delay (OSPF)             Set to 1 second.
Retransmit interval (OSPF)          Set to 5 seconds.
RIP receive version                 Set to accept both version 1 and version 2.
RIP send version                    Set to version 1.
RIP offset                          No value applied.
SNMP                                Enabled.
Split horizon                       Enabled for RIP packets without poison reverse.
Stub area (OSPF)                    None configured.
Timers (OSPF)                       SPF delay set to 5 seconds. SPF holdtime set to 10 seconds.
Transmit delay (OSPF)               Set to 1 second.
VRRP                                Disabled.
Initial Configuration Overview
To configure your stackable or standalone switch for the first time, see Chapter 1, Setting Up a Switch for the First Time. That chapter includes information about how to directly connect to the switch via the console port and an Ethernet cable to set the switch’s IP address and to download the latest firmware. The procedures in this chapter assume an in-band connection over the network to the switch using Telnet or SSH to establish a CLI session on the switch.
Procedure 4-1 contains the steps to assign an IP address and configure basic system parameters. Some of these steps are also covered in Chapter 1, Setting Up a Switch for the First Time. For information on the command syntax and parameters, refer to the online help or the CLI Reference for your platform.
Note: When configuring any string or name parameter input for any command, do not use any letters with diacritical marks (an ancillary glyph added to a letter). Diacritical marked letters are not supported by SNMP.
Procedure 4-1 Initial Setup
1. Log in as an administrator.
    • At the login prompt, enter admin.
    • Press Enter for the password (no password string by default).
2. For security, change the password.
    Command: set password
3. Optionally, check the version of the firmware image then check the Enterasys Networks web site to verify that you have the latest version.
    Command: show version
4. Optionally, define a name for the system, the location of the system, and contact information for system issues.
    Command: set system name [string]
    Command: set system location [string]
    Command: set system contact [string]
5. Optionally, define a pre- or post-login message to be displayed.
    Command: set banner {motd | login} message
6. Optionally, change the default prompt.
    Command: set prompt "prompt_string"
7. Display the system’s setting for the date and time. If necessary, change the setting.
    NOTE: Instead of manually setting the time, you can configure the system as an SNTP client, as described in “SNTP Overview” on page 7-10.
    Command: show time
    Command: set time [mm/dd/yyyy] [hh:mm:ss]
8. Assign a switch IP address.
    Command: set ip address
9. If desired, configure additional user accounts and passwords. Up to 32 user accounts may be registered with the local database.
    Command: set system login username set
Advanced Configuration Overview
The switch can be configured to provide various system services, Layer 2 switching, Layer 3 routing, and security. Table 4-3 provides an overview of configuring the switch for each area.
Note: Though it is possible to configure policy by using the CLI, Enterasys Networks recommends that you use NetSight instead.
Table 4-3 Advanced Configuration
System Services
Task: Configure the Simple Network Time Protocol (SNTP) client.
    Refer to: “SNTP Configuration” on page 4-11
Task: Configure the Telnet client and server. (Telnet client is enabled by default.) Note: For security, you may wish to disable Telnet and only use SSH.
    Refer to: “Telnet Overview” on page 4-23
Task: Configure the Secure Shell V2 (SSHv2) client and server.
    Refer to: “SSH Overview” on page 4-24
Task: Configure the Dynamic Host Configuration Protocol (DHCP) server.
    Refer to: “DHCP Configuration” on page 4-16
Task: Configure the port parameters, such as speed and duplex mode.
    Refer to: “Port Configuration Overview” on page 8-1
Task: Enable SNMP and create a community string.
    Refer to: “Configuring SNMP” on page 12-7
Task: Configure RMON to provide comprehensive network fault diagnosis, planning, and performance tuning information, and allow for interoperability between SNMP management stations and monitoring agents.
    Refer to: Chapter 18, Configuring Network Monitoring
Task: Change the interactive login authentication method, from local to remote (RADIUS authentication).
    Refer to: “User Authentication Overview” on page 10-1
Task: If RADIUS authentication is configured, configure the remote RADIUS servers to be used by the RADIUS client on the switch.
    Refer to: “Configuring RADIUS” on page 10-21
Layer 2 Switching
Task: Set port configurations and port-based Virtual Local Area Networks (VLANs). VLANs can be created statically or dynamically.
    Refer to: Chapter 9, Configuring VLANs
Task: Configure ports to prioritize traffic based on Class of Service.
    Refer to: “Port Priority and Transmit Queue Configuration” on page 17-15
Task: Configure Spanning Trees using STP, RSTP, or MSTP.
    Refer to: Chapter 15, Configuring Spanning Tree
Task: Configure LLDP or CDP.
    Refer to: Chapter 13, Configuring Neighbor Discovery
Layer 3 Routing
Task: Configure the router id.
    Refer to: the router id command in your platform’s CLI Reference.
Task: Configure interfaces for IP routing.
    Refer to: “Routing Interfaces” on page 20-3
Task: Configure the ARP table.
    Refer to: “The ARP Table” on page 20-6
Task: Configure UDP broadcast forwarding, including DHCP/BOOTP relay agent.
    Refer to: “IP Broadcast Settings” on page 20-7
Task: Configure static routes.
    Refer to: “IP Static Routes” on page 20-4
Task: Configure ICMP Router Discovery Protocol (IRDP).
    Refer to: “Configuring IRDP” on page 21-5
Task: Configure RIP.
    Refer to: “Configuring RIP” on page 21-1
Task: Configure OSPFv2.
    Refer to: Chapter 22, Configuring OSPFv2
Task: Configure multicast protocols IGMP, DVMRP, and PIM, and general multicast parameters.
    Refer to: Chapter 19, Configuring Multicast
Task: Configure VRRP.
    Refer to: Chapter 23, Configuring VRRP
Task: Configure IPv6
    Refer to: Chapter 25, Configuring and Managing IPv6
Security and General Management
Task: Configure Access Control Lists (ACLs).
    Refer to: Chapter 24, Configuring Access Control Lists
Task: Manage user accounts and passwords.
    Refer to: Chapter 5, User Account and Password Management
Task: Configure system logging.
    Refer to: Chapter 14, Configuring Syslog
Task: Configure the switch using text files.
    Refer to: “Managing Switch Configuration and Files” on page 6-4
Task: Upgrade system firmware.
    Refer to: “Managing the Firmware Image” on page 6-1
Task: Configure QoS features.
    Refer to: Chapter 17, Configuring Quality of Service
Task: Configure policy.
    Refer to: Chapter 16, Configuring Policy
Licensing Advanced Features
In order to enable certain advanced features on some of the Fixed Switching platforms, you must purchase and activate a license key. If you have purchased a license, follow the instructions on the Licensed Product Entitlement ID sheet to obtain the license activation key from the Enterasys customer site.
If you wish to obtain a license, contact the Enterasys Networks Sales Department.
This section describes how to apply advanced feature licenses to Fixed Switching platforms.
License Implementation Differences
Licensing is implemented differently on the C5 platform from the previous implementation that is used on the C3, B3, and G3 platforms.
Node-Locked Licensing
On the C3, B3, and G3 platforms, licenses are locked to the serial number of the switch to which the license applies. Therefore, you must know the serial number of the switch to be licensed when you activate the license on the Enterasys customer site, and also when you apply the license to the switch as described below. Each switch to be licensed must have its own license and key and all members of a stack must be licensed in order to support licensed features in a stack environment.
If you need to move a license from one hardware platform to another, you must contact Enterasys Customer Support to arrange for re-hosting of the license.
Node-Locked License Key Fields
When Enterasys supplies a license, it will be sent to you as a character string similar to the following:
INCREMENT advrouter 2010.0127 permanent 0123456789AB 0123456789AB
The contents of the six fields, from the left, indicate:
Type—the type of license. The value in this field is always “INCREMENT.”
Feature—description of the feature being licensed. For example, “advrouter” as shown in the character string above.
Date-based version (DBV)—a date-related string. The value in this field is not significant.
Expiration type—indicates whether the license is a permanent or an evaluation license. If the license is an evaluation license, this field will contain the expiration date of the license. If the license is a permanent license, this field will contain the word “permanent.”
Key—the license key.
Host ID—the serial number of the switch to which this license applies.
When activating licenses on stackable devices, we recommend that you copy and paste the license character string, rather than entering the text manually.
Non-Node-Locked Licensing
On the C5 platform, licenses are not locked to individual switches. When you activate your licenses on the Enterasys customer site, the key that is generated contains information about how many licenses you have purchased and therefore, how many switches the license key can be applied to. For example, if you buy 8 C5 licenses, when you activate your licenses on the Enterasys customer site, one key is generated that can enable the licensed feature on up to 8 C5 switches.
If you apply a license to a stack that has more members than the license key allows, applying the license will fail on the extra members. For example, if you buy 6 C5 licenses and apply that key to a stack of 8 C5 switches, licensing will fail on members 7 and 8.
Licensing in a Stack Environment
All members of a stack must be licensed in order to support licensed features in a stack environment. If the master unit in a stack has an activated license, all member units also must have an activated license in order to operate. If the master unit in a stack does not have an activated license, then the licensed functionality will not be available to member units, even if they have licenses installed.
Note: Multi-node non-node-locked licenses are not currently available. You should buy individual licenses for all switches on which you want to enable the advanced features.
When adding a new unit to an existing stack, the ports on a switch lacking a licensed feature that has been enabled on the master will not pass traffic until the license has been enabled on the added switch. (The ports are in the “ConfigMismatch” state.)
If you clear a license from a member unit in a stack while the master unit has an activated license, the status of the member will change to “ConfigMismatch” and its ports will be detached from the stack. If you clear a license from the master unit of a stack, the member units will remain attached to the stack, but the licensed functionality will no longer be available.
Applying Node-Locked Licenses in a Stack
The licenses for all members of an operating stack can be activated during a single CLI session, by following these steps:
1. Obtain valid licenses for all members of the stack from the Enterasys customer site.
2. Optionally, note the serial numbers of the switches in the stack. You can use the show system hardware command to display the switch serial numbers.
3. Enable the licenses on the stack members first, before enabling the master unit, using the set license command. For example:
B3(rw)->set license INCREMENT policy 2006.0127 permanent 0123456789AB 0123456789AB
4. Enable the license on the switch master unit last, using the set license command.
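The six-field layout under “Node-Locked License Key Fields” and the members-first, master-last order in the steps above can be checked before anything is typed into the CLI. The following is an added example, not Enterasys code: it parses node-locked license strings, matches each Host ID to a stack unit's serial number, and emits the set license commands in the order the procedure requires. The serial numbers and keys other than the guide's sample string are constructed, and comparing serial numbers case-insensitively is an assumption.

```python
"""Added example: plan node-locked license activation for a stack."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NodeLockedLicense:
    lic_type: str     # field 1: always "INCREMENT"
    feature: str      # field 2: licensed feature, e.g. "advrouter"
    dbv: str          # field 3: date-based version, not significant
    expiration: str   # field 4: "permanent" or the evaluation expiry date
    key: str          # field 5: license key
    host_id: str      # field 6: serial number of the licensed switch

    @property
    def permanent(self) -> bool:
        return self.expiration == "permanent"

    def command(self) -> str:
        fields = (self.lic_type, self.feature, self.dbv,
                  self.expiration, self.key, self.host_id)
        return "set license " + " ".join(fields)


def parse_license(text: str) -> NodeLockedLicense:
    """Split a license string into its six whitespace-separated fields."""
    fields = text.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, found {len(fields)}: {text!r}")
    lic = NodeLockedLicense(*fields)
    if lic.lic_type != "INCREMENT":
        raise ValueError(f"unexpected license type {lic.lic_type!r}")
    return lic


def plan_stack_activation(units, master, license_strings):
    """units maps unit number -> serial number; master is the master's unit number.

    Returns a dict with:
      commands   - (unit, CLI command) pairs, members first and master last;
                   empty when any unit lacks a license, because every stack
                   member must be licensed
      unlicensed - unit numbers with no matching Host ID
      unmatched  - Host IDs that belong to no unit in this stack
    """
    if master not in units:
        raise ValueError(f"master unit {master} is not in the stack")
    # Assumption: serial numbers are compared case-insensitively.
    by_host = {}
    for text in license_strings:
        lic = parse_license(text)
        by_host[lic.host_id.upper()] = lic
    serials = {serial.upper() for serial in units.values()}
    unlicensed = sorted(u for u, s in units.items() if s.upper() not in by_host)
    unmatched = sorted(h for h in by_host if h not in serials)
    order = sorted(u for u in units if u != master) + [master]
    commands = []
    if not unlicensed:
        commands = [(u, by_host[units[u].upper()].command()) for u in order]
    return {"commands": commands, "unlicensed": unlicensed, "unmatched": unmatched}


# Constructed sample stack: unit number -> serial number (unit 1 is the master).
STACK = {1: "0123456789AB", 2: "0A1B2C3D4E5F", 3: "00AABBCCDDEE"}
# The first string is the guide's sample; the other two are constructed.
LICENSES = [
    "INCREMENT advrouter 2010.0127 permanent 0123456789AB 0123456789AB",
    "INCREMENT advrouter 2010.0127 permanent 1111AAAA2222 0A1B2C3D4E5F",
    "INCREMENT advrouter 2010.0127 permanent 3333BBBB4444 00AABBCCDDEE",
]

if __name__ == "__main__":
    plan = plan_stack_activation(STACK, master=1, license_strings=LICENSES)
    for unit, command in plan["commands"]:
        print(f"unit {unit}: {command}")
```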
Caution: Since license keys are applied to the correct stack member switch automatically, based on the switch serial number that is part of the license string, you should know the serial numbers of the switches in order to enable the licenses of the member switches first, before the master unit.
Applying Non-Node-Locked Licenses in a Stack
When applying non-node-locked licenses, ensure that you have purchased enough licenses for all members of the stack. All members of the stack do not need to use the same license key, but all switches in the stack must have a license applied in order to support the licensed feature. Note that the license key itself contains information about how many switches the license key can be applied to.
1. Obtain valid license keys for all members of the stack from the Enterasys customer site.
2. Activate one or more licenses on the stack.
a. If you have a license with a license quantity that is equal to or greater than the number of switches in the stack, use the set license command with no optional unit number. For example:
C5(su)->set license advrouter "0001:C5L3-LIC:2:4a76f2c8:0:Your Company Name Here:000E0C0973C5:150a9501:bec749e9ec095844d727a2db88a31514"
Validating license on unit 1
License successfully validated and set on unit 1
Validating license on unit 2
License successfully validated and set on unit 2
Validating license on unit 3
License successfully validated and set on unit 3
b. If you need to use multiple license keys on members of a stack, use the optional unit number parameter with the set license command. The following example applies two different license keys to members of the stack.
C5(su)->set license advrouter "0001:C5L3-LIC:2:4a76f2c8:0: Enterasys Networks:000E0C0973C5:150a9501:bec749e9ec095844d727a2db88a31514" unit 1
Validating license on unit 1
License successfully validated and set on unit 1
C5(su)->set license advrouter "0001:C5L3-LIC:2:4a76f2c8:A: Enterasys Networks:A00E0C0973D9:150a9501:098749e9ec095844d727a2db88a31514" unit 2
Validating license on unit 2
License successfully validated and set on unit 2
Adding a New Member to a Licensed Stack
When adding a new unit to an existing stack, the ports on a switch lacking a licensed feature that has been enabled on the master will not pass traffic until the license has been enabled on the added switch. (The ports are in the “ConfigMismatch” state.)
1. For B3 or C3 switches, obtain a node-locked license for the new switch. For C5 switches, check that you have a non-node-locked license that can be applied to the new switch.
2. Add the new unit to the stack, following the procedure in “Adding a New Unit to an Existing Stack” on page 2-3.
3. Use the set license command to install and activate the new switch’s license. The new switch will then join the stack and its ports will be attached.
Alternatively, you can install and activate the new switch’s license first, before adding the switch to the stack.
Displaying and Clearing Licenses
Licenses can be displayed and cleared only with the show license and clear license commands. General configuration commands such as show config or clear config do not apply to licenses.
If you clear a license from a member unit in a stack while the master unit has an activated license, the status of the member will change to “ConfigMismatch” and its ports will be detached from the stack.
If you clear a license from the master unit of a stack, the member units will remain attached to the stack but the licensed functionality will no longer be available.
SNTP Configuration
Simple Network Time Protocol (SNTP) provides for the synchronizing of system time for managed devices across a network. The Fixed Switch implementation supports unicast polling and broadcast listening modes of operation to obtain the time from an SNTP server. SNTP is a subset of the Network Time Protocol (NTP) as specified in RFC 1305. The most recent version of SNTP is specified in RFC 2030. Since SNTP is a subset of NTP, all NTP servers are capable of servicing SNTP clients. The SNTP mode is set on the client using the set sntp client command.
Unicast Polling Mode
When an SNTP client is operating in unicast mode, SNTP update requests are made directly to a server, configured using the set sntp server command. The client queries these configured SNTP servers at a fixed poll-interval configured using the set sntp poll-interval command. The order in which servers are queried is based on a precedence value optionally specified when you configure the server. The lower the configured precedence value, the higher the precedence for that server. The default is for all servers to have the same precedence. In this case, the server ordering is based upon the indexing of the server table.
The SNTP client makes a request to the SNTP server. The client waits a period of time configured using the set sntp poll-timeout command for a response from the server. If the poll timeout timer expires, the client will resend another request, up to the number of retries specified by the set sntp poll-retry command. If the retries have been exhausted, the client request is sent to the next server with the lowest configured precedence value or the next server in the server table, if precedence values are the same. If no server responds, the client waits the configured poll-interval time period and the process starts over again.
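The server ordering and retry behavior described above can be simulated to see which server a client ends up using and how long a failed cycle takes. This is an added example, not the switch's implementation: it assumes a server receives one initial request plus poll-retry retries before the client moves on, that timer values are in seconds, and the addresses and timer values are constructed.

```python
"""Added example: SNTP unicast polling order and failover, simulated."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SntpServer:
    address: str
    precedence: int = 1   # lower value = higher precedence (value is constructed)


def query_order(server_table):
    """Order servers by precedence; ties keep their server-table index order."""
    indexed = list(enumerate(server_table))
    indexed.sort(key=lambda pair: (pair[1].precedence, pair[0]))
    return [server for _, server in indexed]


def poll_cycle(server_table, answers, poll_timeout, poll_retry):
    """Run one poll cycle.

    answers(address, attempt) -> bool says whether that request gets a reply
    before poll_timeout expires (attempt 0 is the first request).
    Returns (address of the server that answered or None,
             list of addresses in the order requests were sent,
             seconds spent waiting on expired timeouts).
    """
    sent = []
    waited = 0
    for server in query_order(server_table):
        # Assumption: one initial request plus up to poll_retry resends.
        for attempt in range(1 + poll_retry):
            sent.append(server.address)
            if answers(server.address, attempt):
                return server.address, sent, waited
            waited += poll_timeout
    # No server responded: the client now waits poll-interval and starts over.
    return None, sent, waited


def max_gap_between_cycles(n_servers, poll_timeout, poll_retry, poll_interval):
    """Time from the start of a fully failed cycle to the start of the next."""
    return n_servers * (1 + poll_retry) * poll_timeout + poll_interval


# Constructed server table, listed in server-table index order.
TABLE = [
    SntpServer("192.0.2.10", precedence=2),
    SntpServer("192.0.2.20", precedence=1),
    SntpServer("192.0.2.30", precedence=1),
]

if __name__ == "__main__":
    print([s.address for s in query_order(TABLE)])
    # Only the lowest-precedence server is reachable.
    print(poll_cycle(TABLE, lambda addr, n: addr == "192.0.2.10",
                     poll_timeout=5, poll_retry=1))
    print(max_gap_between_cycles(len(TABLE), 5, 1, poll_interval=512))
```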
Broadcast Listening Mode
With SNTP configured for broadcast listening mode, the client is passive and it is the broadcast server that broadcasts the time to the client. Broadcast listening uses the same poll-interval, poll-timeout and poll-retry values as unicast polling.
SNTP Authentication
The Simple Network Time Protocol (SNTP) is used to provide a precise time reference for time critical applications. Therefore, SNTP can pose a security risk if malicious users attempt to corrupt an SNTP timestamp to create a false time on network equipment. SNTP security mechanisms ensure that only authorized servers are allowed to distribute time samples to the SNTP clients.
SNTP provides increased security in the form of authentication. Authentication is intended to overcome security risks by ensuring that any response received from an SNTP time server has come from the intended reference. The user defines a key on the switch and enables authentication. The same key must be defined on the server in order for the switch to accept timestamp information from the server.
The client sends a request for time to an SNTP server. The server then responds to the client with a time sample, along with the encrypted keys configured on the SNTP server. Upon receipt of the time sample, the client un-encrypts the key and verifies the key against the trusted key configured on the switch for a specified SNTP server. The client can then be sure that the received time sample was indeed transmitted from the authorized SNTP server.
SNTP utilizes MD5 authentication (Message Digest Encryption 5), which safeguards device synchronization paths to SNTP servers. MD5 is a 128-bit cryptographic hash function, which outputs a fingerprint of the key. MD5 verifies the integrity of the communication and authenticates the origin of the communication.
Authentication Key and Trusted Key List
The SNTP authentication key specifies the authentication instance to be used by the SNTP client when authenticating with the SNTP server. The SNTP client supports the configuration of up to 5 authentication keys. The authentication key instance ID is a numeric value. Each authentication key instance specifies the authentication type and password. SNTP authentication supports the MD5 authentication algorithm. The password is known to both the SNTP client and server. The password consists of an ASCII string of up to 32 non-whitespace characters.
Use the set sntp authentication-key command to configure an authentication key instance.
The SNTP authentication key is associated with an SNTP server using the set sntp server command.
An authentication key has to be trusted to be used with an SNTP server. Use the set sntp trusted-key command to add an authentication key to the trusted key list.
Refer to Procedure 4-3 on page 4-14 to configure the switch SNTP client for authentication.
SNTP Defaults
Table 4-4 lists SNTP parameters and their default values.
Table 4-4 Default SNTP Parameters
Parameter Description Default Value
SNTP client mode
   Description: Specifies whether the current SNTP state is broadcast, unicast, or disabled.
   Default value: disabled
unicast server precedence
   Description: Specifies a value that determines the order in which SNTP servers are polled if the precedence values are not the same.
   Default value: 1 (highest precedence)
poll-interval
   Description: Specifies the interval between unicast SNTP requests by the client to the server.
   Default value: 512 seconds
poll-retry
   Description: Specifies the number of times the client will resend the SNTP request to the server before moving on to the next server.
   Default value: 1
poll-timeout
   Description: Specifies the amount of time a client will wait for a response from the SNTP server before retrying.
   Default value: 5 seconds
timezone offset
   Description: Specifies the offset in hours and minutes from UTC for this device.
   Default value: 0 hours, 0 minutes
SNTP authentication mode
   Description: Specifies whether authentication for all SNTP client communications is enabled or disabled.
   Default value: disabled
Configuring SNTP
Procedure 4-2 describes how to configure general SNTP parameters. Procedure 4-3 describes how
to configure SNTP authentication. Refer to the CLI Reference for your platform for details about the commands listed.
Procedure 4-2 Configuring SNTP
Step Task Command(s)
1. Set the SNTP operation mode on the client.
   Command: set sntp client {broadcast | unicast | disable}
2. When operating in unicast mode, set the SNTP server(s) for this client, optionally specifying a precedence value per server.
   Command: set sntp server ip-address [precedence precedence] [key key-id]
3. When operating in unicast mode, optionally change the poll interval between SNTP unicast requests. The poll interval is 2 to the power of value in seconds, where value can range from 6 to 10.
   Command: set sntp poll-interval value
4. When operating in unicast mode, optionally change the number of poll retries to a unicast SNTP server.
   Command: set sntp poll-retry retry
5. When operating in unicast mode, optionally change the poll timeout for a response to a unicast SNTP request.
   Command: set sntp poll-timeout timeout
6. Optionally, set the SNTP time zone name and the hours and minutes it is offset from Coordinated Universal Time (UTC).
   Note: The daylight savings time function can be enabled and associated with the timezone set here using the set summertime command.
   Command: set timezone name [hours] [minutes]
7. Optionally, specify the interface used for the source IP address of the SNTP client. If no interface is specified, then the IP address of the Host interface is used.
   Command: set sntp interface {loopback loop-ID | vlan vlan-ID}
Procedure 4-3 describes how to configure SNTP authentication. Refer to the CLI Reference for your
platform for details about the commands listed.
Procedure 4-3 Configuring SNTP Authentication
Step Task Command(s)
1. Configure up to five authentication keys.
   Command: set sntp authentication-key key-id md5 key-value
2. Add the configured authentication keys to the trusted key list.
   Command: set sntp trusted-key key-id
3. Enable authentication on the switch.
   Command: set sntp authenticate enable
4. Add the keys to the switch’s NTP/SNTP server configurations.
   Command: set sntp server ip-address [precedence precedence] [key key-id]
5. Ensure that the key information configured on the switch is added to the “ntp.keys” file on the NTP/SNTP servers.
   Command: N/A
Table 4-5 describes how to manage and display SNTP information.
Table 4-5 Managing and Displaying SNTP
Task Command(s)
To display SNTP client, server, and time zone settings:
   Command: show sntp
To set the SNTP client’s operational mode to disable:
   Command: clear sntp client
To remove one or all servers from the SNTP server list:
   Command: clear sntp server {ip-address | all}
To reset the poll interval between unicast SNTP requests to its default value:
   Command: clear sntp poll-interval
To reset the number of poll retries to a unicast SNTP server to its default value:
   Command: clear sntp poll-retry
To reset the SNTP poll timeout to its default value:
   Command: clear sntp poll-timeout
To clear an SNTP authentication key:
   Command: clear sntp authentication-key key-id
To remove an authentication key from the trusted key list:
   Command: clear sntp trusted-key key-id
SNTP Configuration Example
The following example configures the SNTP client for unicast mode, generates two authentication keys and adds them to the trusted key list, enables authentication, and configures two SNTP servers with different precedence and authentication keys for the SNTP client to contact.
All the rest of the SNTP parameters are left at their default values. The show sntp command displays the current settings.
B3(su)->set sntp authentication-key 1 md5 mykey
B3(su)->set sntp trusted-key 1
B3(su)->set sntp authentication-key 2 md5 keytwo
B3(su)->set sntp trusted-key 2
B3(su)->set sntp authenticate enable
B3(su)->set sntp client unicast
B3(su)->set sntp server 192.168.10.10 precedence 1 key 1
B3(su)->set sntp server 192.168.10.20 precedence 2 key 2
B3(su)->show sntp
SNTP Version: 3
Current Time: SAT JUN 29 17:16:38 2002
Timezone: '' offset from UTC is 0 hours and 0 minutes
Client Mode: unicast
Trusted Keys : 1 2
Broadcast Count: 2
Poll Interval: 9 (512 seconds)
Poll Retry: 1
Poll Timeout: 5 seconds
SNTP Poll Requests: 4
Last SNTP Update: THU JAN 01 00:00:00 1970
Last SNTP Request: SAT JUN 29 17:16:36 2002
Last SNTP Status: Timed Out

SNTP-Server        Precedence   Key   Status
----------------------------------------------------
192.168.10.20      2            2     Active
192.168.10.10      1            1     Active
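The key check from the SNTP Authentication section and step 5 of Procedure 4-3, as an added example that is not code from the manual or the switch. It assumes the switch follows standard NTP symmetric-key authentication (a 32-bit key ID and a 16-byte MD5 digest of key plus header appended to the 48-byte packet) and the classic "id type key" ntp.keys layout; the packet contents and function names are constructed.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP/SNTP header
MAC_LEN = 4 + 16      # 32-bit key ID + 128-bit MD5 digest

# Constructed ntp.keys content carrying the two keys from the switch example.
SAMPLE_NTP_KEYS = """\
# id  type  key
1     M     mykey
2     M     keytwo
"""


def parse_ntp_keys(text):
    """Return {key_id: key_bytes} for the MD5 entries of an ntp.keys file."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[1].upper() in ("M", "MD5"):
            keys[int(fields[0])] = fields[2].encode("ascii")
    return keys


def md5_digest(key, header):
    """Keyed digest used by NTP symmetric-key auth: MD5(key || header)."""
    return hashlib.md5(key + header).digest()


def build_reply(header, key_id, key):
    """Server side: append key ID and digest to the 48-byte header."""
    return header + struct.pack("!I", key_id) + md5_digest(key, header)


def verify_reply(packet, keys, trusted_ids, server_key_id):
    """Client side: accept only a reply signed with this server's trusted key."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id != server_key_id:
        return False, "wrong key id"
    if key_id not in trusted_ids or key_id not in keys:
        return False, "untrusted key"
    if not hmac.compare_digest(md5_digest(keys[key_id], header), mac[4:]):
        return False, "bad digest"
    return True, "ok"


def sample_header(transmit_seconds):
    """Constructed reply header: LI=0, VN=3, mode=4 (server), stratum 2."""
    return (struct.pack("!BBbb", 0x1C, 2, 9, -20) + bytes(36)
            + struct.pack("!II", transmit_seconds, 0))


if __name__ == "__main__":
    keys = parse_ntp_keys(SAMPLE_NTP_KEYS)
    reply = build_reply(sample_header(3234005796), 1, keys[1])
    print(verify_reply(reply, keys, {1, 2}, server_key_id=1))
```

The values mykey and keytwo are the manual's illustration values. The switch accepts key values of up to 32 non-whitespace ASCII characters, and a deployed key should use that length with random content.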
DHCP Configuration
Dynamic Host Configuration Protocol (DHCP) for IPv4 is a network layer protocol that implements automatic or manual assignment of IP addresses and other configuration information to client devices by servers. A DHCP server manages a user-configured pool of IP addresses from which it can make assignments upon client requests. A relay agent passes DHCP messages between clients and servers which are on different physical subnets.
DHCP Relay Agent
The DHCP/BOOTP relay agent function can be configured on all of the switch’s routing interfaces. The relay agent can forward a DHCP client’s request to a DHCP server located on a different network if the address of the server is configured as a helper address on the receiving interface. The relay agent interface must be a VLAN which is configured with an IP address. Refer to the ip helper-address command in the CLI Reference for your platform for more information.
DHCP Server
DHCP server functionality allows the switch to provide basic IP configuration information to a client on the network who requests such information using the DHCP protocol.
DHCP provides the following mechanisms for IP address allocation by a DHCP server:
Automatic—DHCP server assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address) from a defined pool of IP addresses configured on the server.
Manual—A client’s IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client. This is managed by means of “static” address pools configured on the server.
The amount of time that a particular IP address is valid for a system is called a lease. The switch maintains a lease database which contains information about each assigned IP address, the MAC address to which it is assigned, the lease expiration, and whether the address assignment is dynamic (automatic) or static (manual). The DHCP lease database is stored in flash memory.
In addition to assigning IP addresses, the DHCP server can also be configured to assign the following to requesting clients:
Default router(s)
DNS server(s) and domain name
NetBIOS WINS server(s) and node name
Boot file
DHCP options as defined by RFC 2132
Note: DHCP Relay Agent is not supported on the I-Series platform because the I-Series does not support routing.
Note: A total of 16 address pools, dynamic and/or static, and a maximum of 256 addresses for the entire switch, can be configured on the Fixed Switch platforms.
IP Address Pools
IP address pools must be configured for both automatic and manual IP address allocation by a DHCP server.
Automatic IP Address Pools
When configuring an IP address pool for dynamic IP address assignment, the only required steps are to name the pool and define the network number and mask for the pool using the set dhcp pool network command. Note that:
When the switch is configured for routing and the IP address pool is associated with a routing interface, the pool has to be in the same subnet as the routed interface and use the same mask configured on the routed interface.
When the switch is not configured for routing, the pool has to be in the same subnet and use the same mask as the system host port IP address.
You can limit the scope of addresses assigned to a pool for dynamic address assignment with the set dhcp exclude command. Up to 128 non-overlapping address ranges can be excluded on the Fixed Switches. For example:
set dhcp exclude 192.0.0.1 192.0.0.10
For more information about configuring automatic IP address pools, see “Configuring DHCP IP
Address Pools” on page 4-21.
Manual IP Address Pools
When you are configuring static address pools for manual address assignment with set dhcp pool commands, the only required steps are to name the pool, configure either the hardware address of the client or the client identifier, and configure the IP address and mask for the manual binding.
For more information about configuring manual IP address pools, see “Configuring DHCP IP
Address Pools” on page 4-21.
Configuring a DHCP Server
On Fixed Switch platforms that support basic routing, there are two ways to configure a DHCP server: one is to associate the DHCP address pool with the switch’s host port IP address, and the other is to associate the DHCP address pool with a routed interface.
Since on a Fixed Switch platform that supports routing, the host port IP address cannot fall within a configured routed interface on the system, a typical system configured with routing interfaces will not have a host port IP address. Therefore, all DHCP pools would be associated with routed interfaces.
On the I-Series, which does not support routing, the DHCP address pool must be associated with the switch’s host port IP address.
Refer to Table 4-7 on page 4-20 for a list of default DHCP server settings.
Note: The IP address of the system’s host port or the routed interface is automatically excluded.
DHCP Configuration on a Non-Routing System
The following procedure provides basic DHCP server functionality when the DHCP pool is associated with the system’s host IP address. This procedure would typically be used when the system is NOT configured for routing.
Refer to the CLI Reference for your platform for details about the commands listed below.
Procedure 4-4 DHCP Server Configuration on a Non-Routing System
Step Task Command(s)
1. Configure the system (or stack) host port IP address.
   Command: set ip address ip-address [mask ip-mask] [gateway ip-gateway]
2. Enable DHCP server functionality on the system.
   Command: set dhcp enable
3. Configure an IP address pool for dynamic IP address assignment. Note that the pool has to be in the same subnet and use the same mask as the system host port IP address.
   Refer to “Manual IP Pool Configuration” on page 4-21 for information about configuring a manual pool and for additional IP address pool configuration.
   Command: set dhcp pool poolname network subnet {mask | prefix-length}
4. Optionally, limit the scope of addresses assigned to the pool.
   Command: set dhcp exclude low-ipaddr [high-ipaddr]
   Remove address exclusions with the clear dhcp exclude command.
   Command: clear dhcp exclude low-ipaddr [high-ipaddr]
5. Optionally, set other DHCP server parameters.
   Command: set dhcp conflict logging
   Command: set dhcp bootp {enable | disable}
   Command: set dhcp ping packets number
Example
The following example configures the switch’s host port IP address, enables DHCP, and creates a dynamic IP address pool named “autopool1” in the same subnet as the host port IP address. All DHCP clients served by this switch must be in the same VLAN as the system’s host port.
B3(su)->set ip address 192.0.0.50 mask 255.255.255.0
B3(su)->set dhcp enable
B3(su)->set dhcp pool autopool1 network 192.0.0.0 255.255.255.0
B3(su)->set dhcp exclude 192.0.0.20 192.0.0.28
DHCP Configuration on a Routing System
The following procedure provides basic DHCP server functionality when the DHCP pool is associated with a routed interface.
Refer to the CLI Reference for your platform for details about the commands listed below.
Procedure 4-5 DHCP Server Configuration on a Routing System
Step Task Command(s)
1. Create a VLAN and add ports to the VLAN. Only DHCP clients associated with this VLAN will be served IP addresses from the DHCP address pool associated with this routed interface (VLAN).
   Command: set vlan create vlan-id
   Command: set port vlan port-string vlan-id
2. Create a routed interface for the VLAN in router configuration mode.
   Command: interface vlan vlan-id
   Command: no shutdown
   Command: ip address ip-addr ip-mask
3. Enable DHCP server functionality in switch mode.
   Command: set dhcp enable
4. Configure an IP address pool for dynamic IP address assignment. Note that the pool has to be in the same subnet as the routed interface and use the same mask configured on the routed interface.
   Refer to “Manual IP Pool Configuration” on page 4-21 for information about configuring a manual pool and for additional IP address pool configuration.
   Command: set dhcp pool poolname network subnet {mask | prefix-length}
5. Optionally, limit the scope of addresses assigned to the dynamic pool.
   Command: set dhcp exclude low-ipaddr [high-ipaddr]
   Remove address exclusions with the clear dhcp exclude command.
   Command: clear dhcp exclude low-ipaddr [high-ipaddr]
6. Optionally, set other DHCP server parameters.
   Command: set dhcp conflict logging
   Command: set dhcp bootp {enable | disable}
   Command: set dhcp ping packets number
Example
In this example, VLAN 6 is created and ports ge.1.1 through ge.1.10 are added to VLAN 6. An IP address is associated with routed interface VLAN 6 in router configuration mode. Returning to switch mode, DHCP is enabled and a dynamic IP address pool is configured in the same subnet as the routed interface. DHCP clients in VLAN 6 will be served IP addresses from this DHCP address pool.
C5(su)->set vlan create 6
C5(su)->set port vlan ge.1.1-10 6
C5(su)->router
C5(su)->router>enable
C5(su)->router#configure
Enter configuration commands:
C5(su)->router(Config)#interface vlan 6
C5(su)->router(Config-if(Vlan 6))#no shutdown
C5(su)->router(Config-if(Vlan 6))#ip address 6.6.1.1 255.255.0.0
C5(su)->router(Config-if(Vlan 6))#exit
C5(su)->router(Config)#exit
C5(su)->router#exit
C5(su)->router>exit
C5(su)->set dhcp enable
C5(su)->set dhcp pool autopool2 network 6.6.0.0 255.255.0.0
Managing and Displaying DHCP Server Parameters
Table 4-6 lists additional DHCP server tasks. Refer to Table 4-7 on page 4-20 for default DHCP server settings.
Table 4-6 Managing and Displaying DHCP Server
Task Commands
To enable or disable automatic address allocation for BOOTP clients
   Command: set dhcp bootp {enable | disable}
To enable logging of address conflict information
   Command: set dhcp conflict logging
To disable logging of address conflict information
   Command: clear dhcp conflict logging
To display conflict information for one or all addresses
   Command: show dhcp conflict [ip-address]
To clear conflict information for one or all addresses
   Command: clear dhcp conflict {ip-address | *}
To set the number of ping packets sent by the DHCP server to an IP address before assigning that address to a requesting client.
   Command: set dhcp ping packets number
To return the number of ping packets sent to the default of 2
   Command: clear dhcp ping packets
To display binding information for one or all IP addresses
   Command: show dhcp binding [ip-address]
To delete one or all dynamic (automatic) address bindings
   Command: clear dhcp binding {ip-addr | *}
To display DHCP server statistics
   Command: show dhcp server statistics
To clear all DHCP server counters
   Command: clear dhcp server statistics
DHCP Server Defaults
Table 4-7 Default DHCP Server Parameters
Parameter Description Default Value
DHCP server
   Description: Whether DHCP server functionality is enabled or disabled on the switch.
   Default value: Disabled
BOOTP clients
   Description: Whether automatic address allocation for BOOTP clients is enabled or disabled.
   Default value: Disabled
Conflict logging
   Description: Whether address conflict information should be logged.
   Default value: Enabled
Number of ping packets
   Description: Specifies the number of ping packets the DHCP server sends to an IP address before assigning the address to a requesting client.
   Default value: 2 packets
Configuring DHCP IP Address Pools
This section provides procedures for the basic configuration of automatic (dynamic) and manual (static) IP address pools, as well as a list of the commands to configure other optional pool parameters.
Pool names can be up to 31 characters in length.
Note: A total of 16 address pools, dynamic and/or static, and a maximum of 256 addresses for the entire switch, can be configured on the Fixed Switch platforms.
Automatic IP Address Pool Configuration
The only required steps to configure an automatic pool for dynamic address allocation are to give the pool a name and define the network number and mask for the pool. As noted previously (page 4-17):
When the switch is configured for routing and the IP address pool is associated with a routing interface, the pool has to be in the same subnet as the routed interface and use the same mask configured on the routed interface.
When the switch is not configured for routing, the pool has to be in the same subnet and use the same mask as the system host port IP address.
Refer to the CLI Reference for your platform for details about the commands listed below.
Procedure 4-6 Automatic IP Address Pool Configuration
Step Task Command(s)
1. Create the IP address pool and specify the subnet and mask (or prefix length) to be used by the pool.
   Command: set dhcp pool poolname network subnet {mask | prefix-length}
2. If desired, specify the duration of the lease for an IP address assigned from this address pool. If not specified, the default lease time is one day.
   Command: set dhcp pool poolname lease {days [hours [minutes]] | infinite}
3. Optionally, configure other pool parameters.
   See Table 4-8 on page 4-23
4. Display the pool configuration.
   Command: show dhcp pool configuration {poolname | all}
Manual IP Pool Configuration
The only required steps to configure a manual pool for static address allocation are to name the pool, configure either the hardware address of the client or the client identifier, and configure the IP address and mask for the manual binding.
The subnet of the IP address being issued should be on the same subnet as the ingress interface (that is, the subnet of the host IP address of the switch, or if routing interfaces are configured, the subnet of the routing interface).
A manual pool can be configured using either the client’s hardware address (set dhcp pool hardware-address) or the client’s client-identifier (set dhcp pool client-identifier), but using both is not recommended.
If the incoming DHCP request packet contains a client-identifier, then a manual pool configured with that client-identifier must exist on the switch in order for the request to be processed. The hardware address is not checked.
A hardware address and type (Ethernet or IEEE 802) configured in a manual pool is checked only when a client-identifier is not also configured for the pool and the incoming DHCP request packet does not include a client-identifier option.
Refer to the CLI Reference for your platform for details about the commands listed below.
Procedure 4-7 Manual IP Address Pool Configuration
Step Task Command(s)
1. Create the pool using either the client’s hardware address or client-identifier.
   Hardware address = the MAC address of client’s hardware platform
   Client identifier = concatenation of media type and MAC address of client’s hardware platform
   For a list of media type codes, refer to the “Address Resolution Protocol Parameters” section of RFC 1700, Assigned Numbers.
   Command: set dhcp pool poolname hardware-address mac-addr [type]
   or
   Command: set dhcp pool poolname client-identifier id
2. Specify the IP address and mask to be assigned to that client.
   Command: set dhcp pool poolname host ip-address [mask | prefix-length]
3. If desired, assign a name to the client.
   Command: set dhcp pool poolname client-name name
4. If desired, specify the duration of the lease for an IP address assigned from this address pool. If not specified, the default lease time is one day.
   Command: set dhcp pool poolname lease {days [hours [minutes]] | infinite}
5. Optionally, configure other pool parameters.
   See Table 4-8 on page 4-23
6. Display the pool configuration.
   Command: show dhcp pool configuration {poolname | all}
Examples
This example configures a manual pool using 0001.f401.2710 as the Ethernet MAC address for the manual address pool named “manual2.” Alternatively, the MAC address could have been entered as 00:01:f4:01:27:10. The default type of 1, Ethernet, is accepted.
The IP address that is to be assigned to this client is then configured, and a lease duration of 12 hours is specified, by entering 0 for days and 12 for hours.
B5(su)->set dhcp pool manual2 hardware-address 0001.f401.2710
B5(su)->set dhcp pool manual2 host 192.0.0.200 255.255.255.0
B5(su)->set dhcp pool manual2 lease 0 12
This example configures a manual pool using a client identifier for a client whose client hardware type is Ethernet and MAC address is 00:01:22:33:44:55. Concatenating these two values, the client identifier configured in this example must be 01:00:01:22:33:44:55. We then set the lease duration to infinite.
C5(rw)->set dhcp pool manual3 client-identifier 01:00:01:22:33:44:55
C5(rw)->set dhcp pool manual3 host 10.12.1.10 255.255.255.0
C5(rw)->set dhcp pool manual3 lease infinite
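The manual-pool matching rules stated above (client-identifier first, hardware address only when no client-identifier is involved), modelled as an added example that is not the switch's own code. The ManualPool class, the function names and the request values are constructed; the two pools mirror manual2 and manual3 from the examples.

```python
from dataclasses import dataclass
from typing import Optional

ETHERNET = 1  # media type code for Ethernet, the default type on the page


def parse_mac(text):
    """Accept both 0001.f401.2710 and 00:01:f4:01:27:10 notation."""
    digits = text.replace(".", "").replace(":", "").lower()
    if len(digits) != 12:
        raise ValueError("MAC address must contain 12 hex digits: %r" % text)
    return bytes.fromhex(digits)  # raises ValueError on non-hex input


def client_identifier(mac_text, media_type=ETHERNET):
    """Client identifier = media type byte followed by the MAC address."""
    return bytes([media_type]) + parse_mac(mac_text)


@dataclass
class ManualPool:
    name: str
    host: str
    hardware_address: Optional[bytes] = None
    hardware_type: int = ETHERNET
    client_id: Optional[bytes] = None


def select_manual_pool(pools, chaddr, htype=ETHERNET, request_client_id=None):
    """Return the manual pool that serves a request, or None if none matches."""
    if request_client_id is not None:
        # Request carries a client-identifier: only a pool configured with
        # that identifier matches. The hardware address is not checked.
        for pool in pools:
            if pool.client_id == request_client_id:
                return pool
        return None
    # No client-identifier in the request: hardware address and type are
    # checked, but only on pools that have no client-identifier configured.
    for pool in pools:
        if (pool.client_id is None and pool.hardware_address == chaddr
                and pool.hardware_type == htype):
            return pool
    return None


POOLS = [
    ManualPool("manual2", "192.0.0.200",
               hardware_address=parse_mac("0001.f401.2710")),
    ManualPool("manual3", "10.12.1.10",
               client_id=client_identifier("00:01:22:33:44:55")),
]

if __name__ == "__main__":
    # Same MAC as manual2, but the request also sends a client-identifier.
    print(select_manual_pool(POOLS, parse_mac("0001.f401.2710"),
                             request_client_id=client_identifier("0001.f401.2710")))
```

Both the hardware address and the client identifier are values the client supplies in its request, so a manual pool fixes which address a client receives; it is not an access control.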
Configuring Additional Pool Parameters
Table 4-8 lists the commands that can be used to configure additional IP address pool parameters.
Table 4-8 Configuring Pool Parameters
Task Commands
To specify a default boot image for the clients served by the pool, and specify the file server from which the default boot image can be loaded.
   Command: set dhcp pool poolname bootfile filename
   Command: set dhcp pool poolname next-server ip-address
To specify a default router list for the clients served by the pool. Up to 8 routers can be configured.
   Command: set dhcp pool poolname default-router address [address2 ... address8]
To specify one or more DNS servers for the clients served by the pool. Up to 8 DNS servers can be configured.
   Command: set dhcp pool poolname dns-server address [address2 ... address8]
To specify a domain name to be assigned to the clients served by the pool.
   Command: set dhcp pool poolname domain-name domain
To specify up to 8 NetBIOS name servers and the NetBIOS node type for the clients served by the pool.
   Command: set dhcp pool poolname netbios-name-server address [address2 ... address8]
   Command: set dhcp pool poolname netbios-node-type {b-node | h-node | p-node | m-node}
To configure DHCP options, described in RFC 2132.
   Command: set dhcp pool poolname option code {ascii string | hex string-list | ip addresslist}
Telnet Overview
Telnet provides an unsecured communications method between a client and the switch.
Telnet is activated by enabling Telnet on the device, using the set telnet enable command in switch mode. By default, Telnet is enabled both inbound and outbound. Use the show telnet command to display whether Telnet is currently enabled or disabled.
The Enterasys fixed switches allow a total of four inbound and/or outbound Telnet sessions to run simultaneously.
Configuring Telnet
Procedure 4-8 Configuring Telnet
Step Task Command(s)
1. Enable or disable Telnet services, inbound, outbound, or all.
   Inbound = Telnet to the switch from a remote device
   Outbound = Telnet to other devices from the switch
   Command: set telnet {enable | disable} [inbound | outbound | all]
2. Display Telnet status.
   Command: show telnet
3. Start a Telnet connection to another device.
   Command: telnet host-ip [port]
SSH Overview
The Secure Shell (SSH) protocol provides secure Telnet between a client and the switch. By default, SSH is disabled on the switch.
The switch can support up to two concurrent SSH sessions.
Configuring SSH
Procedure 4-9 Configuring SSH
Step Task Command(s)
1. Enable, disable, or reinitialize the SSH server on the switch.
   Command: set ssh {enabled | disabled | reinitialize}
2. Display SSH server status.
   Command: show ssh status
3. Reinitialize new SSH authentication keys.
   Command: set ssh hostkey reinitialize
MAC Address Settings
MAC address settings configuration provides for the ability to:
Configure a timeout period for aging learned MAC addresses
Limit specified layer two multicast addresses to specific ports within a VLAN
Enable the ability to treat static unicast MAC addresses as a multicast address
Age Time
Learned MAC addresses can be assigned an age in seconds after which they will be flushed from the FID. The default value is 300 seconds.
Use the set mac agetime command to configure the MAC age-time for MAC addresses.
The following example sets the age-time for MAC addresses on this device to 600 seconds:
C5(rw)->set mac agetime 600
C5(rw)->show mac agetime
Aging time: 600 seconds
Limiting MAC Addresses to Specific VLANs
Use the set mac multicast command to define the ports within a VLAN on which a multicast address can be dynamically learned, or the ports on which a frame with the specified MAC address can be flooded. Also, use this command to append ports to or clear ports from the egress ports list.
This example configures multicast MAC address 01-01-22-33-44-55 for VLAN 24, enabling this MAC address to be learned on or flooded out on this VLAN’s ports, with the exception of ports ge.1.1 through ge.1.3.
C5(su)->set mac multicast 01-01-22-33-44-55 24 clear ge.1.1-3
Setting the MAC Algorithm Mode
You can set the MAC algorithm mode, which determines the hash mechanism used by the device when performing Layer 2 lookups on received frames. Four modes are available:
MAC CRC 16 lower bits algorithm
MAC CRC 16 upper bits algorithm (default value)
MAC CRC 32 lower bits algorithm
MAC CRC 32 upper bits algorithm
Each algorithm is optimized for a different spread of MAC addresses. When changing this mode, the switch will display a warning message and prompt you to restart the device.
Use the set mac algorithm command to change the algorithm from the default, and the clear mac algorithm command to return to the default value. The show mac algorithm command displays the currently selected algorithm.
New MAC Address Detection
You can configure the fixed switches to enable SNMP trap messaging globally or per port to send notifications when a new MAC address is first detected. The default is disabled globally and per port.
Use the set newaddrtrap command to enable SNMP trap messaging to report the detection of a new MAC address either globally on the device or on a specified port basis. The new MAC address trap feature is disabled by default. If a port is a CDP port, however, traps for new source MAC addresses will not be sent.
The following example enables trap notification globally, then configures SNMP trap messaging to send a notification when a new MAC address is detected on port ge.1.1:
C5(rw)->set newaddrtrap enable
C5(rw)->set newaddrtrap ge.1.1 enable
Procedure 4-10 describes how to configure MAC address settings. All commands for this feature
can be set in any command mode.
Procedure 4-10 Configuring MAC Address Settings
Step Task Command(s)
1. Display the MAC addresses in the switch’s filtering database (FID).
   Command: show mac [address mac-address] [fid fid] [port port-string] [type {other | learned | self | mgmt | mcast}]
2. Display the current timeout period for aging learned MAC entries.
   Command: show mac agetime
3. Optionally, set the timeout period for aging learned MAC entries.
   Command: set mac agetime time
4. Optionally, define on what ports within a VLAN a multicast address can be dynamically learned on, or on what ports a frame with the specified MAC address can be flooded.
   Optionally, use this command to append ports to or clear ports from the egress ports list.
   Command: set mac multicast mac-address vlan-id [port-string] [{append | clear} port-string]
5. Optionally, change the MAC algorithm. Default is MAC CRC 16 upper bits.
   Command: set mac algorithm {mac-crc16-lowerbits | mac-crc16-upperbits | mac-crc32-lowerbits | mac-crc32-upperbits}
6. Optionally, remove a multicast MAC address from the FID.
   Command: clear mac address mac-address [vlan-id]
7. Optionally, enable SNMP trap messaging to report the detection of new MAC addresses for the specified port or all ports.
   Command: set newaddrtrap [port-string] {enable | disable}
Configuring Node Aliases
The node alias feature enables administrators to determine the MAC address and location of a given end-station (or node) using the node’s Layer 3 alias information (IP address) as a key. With this method, it is possible to determine that, for instance, IP address 123.145.2.23 is located on switch 5 port 3.
The passive accumulation of a network's node/alias information is accomplished by “snooping” on the contents of network traffic as it passes through the switch fabric.
Upon packet reception, node aliases are dynamically assigned to ports enabled with an alias agent, which is the default setting on fixed switches. Node aliases cannot be statically created, but can be deleted using the command clear nodealias config.
In the fixed switches, node data is automatically accumulated into the ct-alias mib. The NetSight Console Compass utility and Automated Security Manager (ASM) use the information in the node/alias MIB table.
It's important to make sure that inter-switch links are not learning node/alias information, as it would slow down searches by the NetSight Compass and ASM tools and give inaccurate results. Use the set nodealias disable command to disable the node alias agent on a port. The set nodealias enable command will re-enable the agent.
The maximum number of node alias entries is configured with the set nodealias maxentries command. The default is 32 entries per port.
Use the clear nodealias config command to return all values to the default for one or more ports.
The following command displays the nodealias configuration for port ge.1.1:
C5(su)->show nodealias config ge.1.1
Port Number Max Entries Used Entries Status
----------- ----------- ------------ ----------
ge.1.1      32          32           Enable
The following command disables the node alias agent on port ge.1.8:
C5(su)->set nodealias disable ge.1.8
5
User Account and Password Management
This chapter describes user account and password management features, which allow enhanced control of password usage and provide additional reporting of usage.
Account and password feature behavior and defaults differ depending on the security mode of the switch. For information about security modes and profiles, see Chapter 26, Configuring Security Features.
User Account Overview
Enterasys switches are shipped with three default user accounts:
• A super-user access account with a username of admin and no password
• A read-write access account with a username of rw and no password
• A read-only access account with a username of ro and no password
A user with super-user access has access to all the functionality on the switch while read-write and read-only accounts have less access to functionality. Command descriptions in the CLI Reference indicate the user access level required for each command.
Users with super-user access can create user accounts and passwords. Read-write and read-only accounts can change their own account passwords. User accounts are created, disabled, and enabled with the set system login command. Passwords are created and changed with the set password command. User accounts are deleted with the clear system login command.
The Enterasys Fixed Switch platforms support up to 16 user accounts. When creating a new or editing an existing login account, use the following syntax:
set system login username {super-user | read-write | read-only} {enable | disable}
    [allowed-interval HH:MM HH:MM] [allowed-days {[Sun] [Mon] [Tue] [Wed] [Thu] [Fri] [Sat]}] [local-only {yes|no}] [aging days] [simultaneous-logins logins]
The optional parameters shown indented above allow you to configure:
• The start and end hour and minute time period for which access will be allowed for this user based upon 24 hour time. (Not applicable for super user accounts.)
• The days of the week for which access will be allowed for this user. (Not applicable for super user accounts.)
• The authentication scope for this user — authentication is only by way of the local user database even with RADIUS or TACACS+ configured, or authentication is by way of configured methods, which is the default value.
• The number of days to age the password. A non-zero value supersedes the aging configured in set system password, for this user.
• The number of simultaneous logins allowed from the user. The switch is capable of verifying that a specified user is only connected to the product a configurable number of times. Any attempt for a specified user to exceed the configured limit results in a trap.
  For example, if simultaneous logins is set to 1, a specific user would not be able to Telnet to the switch, and then simultaneously try to SSH to the switch or access local management via the console port.
Use the clear system login command to remove a local user account or to reset any configured parameters to their default values. If none of the optional parameters shown indented below are entered, the user account is deleted.
clear system login username
    [allowed-interval] [allowed-days] [local-only] [aging] [simultaneous-logins]
User account access to features is affected by the security mode of the switch. Differences in access on a command basis are described in the CLI Reference for your platform.
For information about security modes and profiles, see Chapter 26, Configuring Security Features. See Table 5-1 on page 5-7 for a list of account and password defaults by security mode.
See “User Account Configuration” on page 5-3 for procedures and examples for creating user accounts.
Emergency Access User Account
The fixed switches support the ability to identify an emergency access user with the set system lockout emergency-access <username> command. An emergency access user account is allowed emergency access to the switch through the console port.
Before identifying an emergency access user with the set system lockout command, the user account must be configured with super-user access rights with the set system login and set password commands.
• A user account cannot be deleted while it is the emergency access account.
• Only one EA user is supported at a time and one shall always exist. The default admin user is the default EA user.
• EA status can only be removed by replacing it with another account.
• EA user access not made through the console port will be subject to normal password handling.
• When the password reset button is enabled, it will restore the default admin account as the EA user.
• The emergency access user is still subject to the system lockout interval even on the console port.
Account Lockout
User accounts can be locked out based on the number of failed login attempts or a period of inactivity. Lockout is configured at the system level, not at the user account level. Use the set system lockout command to:
• Set the number of failed login attempts allowed before disabling a read-write or read-only user account or locking out a super-user account.
  – When a read-only or read-write user makes the configured number of failed attempts, that user is disabled, and cannot log back in until re-enabled by a super-user with the set system login command.
  – When a super-user makes the configured number of failed attempts, that user is locked out for the configured lockout period. The configurable lockout period for super-user accounts is 0 to 65535 minutes.
  Note that only super-user accounts are temporarily locked out for a configured period. Read-only and read-write accounts are disabled and must be enabled by a super-user.
• Configure lockout based on a period of inactivity. Valid values for the period of inactivity are 0 to 65535 days. A value of 0 indicates no inactivity checking.
  – When a read-only or read-write user session is inactive for the configured period of time, that user is disabled, and cannot log back in until re-enabled by a super-user with the set system login command.
  – Super-user accounts are not affected by inactivity checking.
Port Lockout
The account lockout functionality also supports a “port lockout” mechanism (set system lockout port {enable|disable}). When enabled, the system monitors the results of all login attempts, including via RADIUS, SSH, or Telnet, and on the console port. Separate counts are maintained for each interface — local and network/remote (SSH, Telnet, or WebView).
When the number of sequential failed attempts equals the maximum configured attempts for any user, the lockout will be applied (as configured) to all login attempts made through the given interface (SSH, Telnet, or the console port). Any successful login will restart the count. By default, port lockout is disabled.
If the default admin super user account has been locked out, and if the password reset button functionality is enabled, you can press the reset button on the switch to re-enable the admin account with its default values. The emergency-access user is restored as the default, the admin account.
If the password reset button functionality has been disabled, you can wait until the lock out time has expired or you can reboot the switch in order to re-enable the admin account.
See “Password Reset Button Functionality” on page 5-9 for more information about password reset button functionality.
User Account Configuration
Procedure 5-1 on page 5-4 shows how a super-user creates a new read-write or read-only user account and sets the password for the account. All other optional parameters are not shown.
Procedure 5-2 on page 5-4 shows how a super-user creates a new super-user account and assigns it as the emergency access account.
Refer to the CLI Reference for your platform for details about the commands listed below.
Procedure 5-1 Creating a New Read-Write or Read-Only User Account
Step Task Command(s)
1. Create a new read-write or read-only user login account and enable it. (All other parameters are optional.)
set system login username {read-write|read-only} enable
2. Set the password for the new account. Respond appropriately to the system prompts.
set password username
3. Display the new user account.
show system login
4. Remove a local login user account or disable an existing account.
clear system login username
set system login username disable
Note: You can delete the default admin account, but deletion of the last remaining super-user account is prevented (that is, a super-user account must be created before the admin account can be deleted).
If the security mode is C2, the last remaining super-user account must also be set as the emergency access user in order to allow the default admin account to be deleted.
This example enables a new user account named “guest” with read-only privileges and allows access only between 8:00 am and 5:00 pm on Mondays through Wednesdays. The password for this account is then set, and the configured login accounts are displayed.
C5(su)->set system login guest read-only enable allowed-interval 08:00 17:00 allowed-days Mon Tue Wed
C5(su)->set password guest
Please enter new password: ********
Please re-enter new password: ********
Password changed.
C5(su)->show system login
Username  Access      State     Aging  Simul  Local  Login  Access  Allowed
                                       Login  Only?  Start  End     Days
admin     super-user  enabled   0      0      no     ***access always allowed***
ro        read-only   enabled   0      0      no     ***access always allowed***
rw        read-write  enabled   0      0      no     ***access always allowed***
guest     read-only   enabled   0      0      no     08:00  17:00   mon tue wed
Procedure 5-2 creates a new super-user account and assigns it as the emergency access user account. In addition, the default super-user account, admin, is disabled as a security measure.
Procedure 5-2 Configuring a New Super-User / Emergency Access User Account
Step Task Command(s)
1. Create a new super-user login account and enable it. (All other parameters are optional.)
set system login username super-user enable
2. Set the password for this account.
set password username
3. Display the login user accounts.
show system login
4. Assign the new super-user account as the emergency access account.
set system lockout emergency-access username
5. Display the system lockout settings.
show system lockout
6. Disable the default super-user account, admin.
set system login admin super-user disable
This example creates a new super-user account named “usersu” and enables it. The password for this account is set and the configured login accounts are displayed. The new account is assigned as the emergency access account and the system lockout settings are displayed. Then, the default super-user account named “admin” is disabled.
C5(su)->set system login usersu super-user enable
C5(su)->set password usersu
Please enter new password: ********
Please re-enter new password: ********
Password changed.
C5(su)->show system login
Username  Access      State     Aging  Simul  Local  Login  Access  Allowed
                                       Login  Only?  Start  End     Days
admin     super-user  enabled   0      0      no     ***access always allowed***
ro        read-only   enabled   0      0      no     ***access always allowed***
rw        read-write  enabled   0      0      no     ***access always allowed***
usersu    super-user  enabled   0      0      no     00:00  24:00   sun mon tue wed
                                                                    thu fri sat
guest     read-only   enabled   0      0      no     00:00  24:00   mon tue wed
C5(su)->set system lockout emergency-access usersu
C5(su)->show system lockout
Unsuccessful login attempts before lockout : 3
Duration of lockout : 15 minutes.
Period of inactivity before account lockout : 0 days
Lockout entire port upon failed logins : disabled
Ports currently locked out due to failed logins : none
Account assigned emergency-access from the console: usersu
C5(su)->set system login admin super-user disable
C5(su)->show system login
Username  Access      State     Aging  Simul  Local  Login  Access  Allowed
                                       Login  Only?  Start  End     Days
admin     super-user  disabled  0      0      no     ***access always allowed***
ro        read-only   enabled   0      0      no     ***access always allowed***
rw        read-write  enabled   0      0      no     ***access always allowed***
usersu    super-user  enabled   0      0      no     00:00  24:00   sun mon tue wed
                                                                    thu fri sat
guest     read-only   enabled   0      0      no     00:00  24:00   mon tue wed
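The output of show system login and show system lockout can be captured and checked after following Procedure 5-2. The script below is an added example, not part of the Enterasys guide: it parses both outputs and reports default accounts that are still enabled and lockout settings left at their permissive values. The function names, finding labels, and sample captures are constructed for illustration.

```python
# Added example (not Enterasys code): audit captured CLI output for account hygiene.
DEFAULT_ACCOUNTS = {"admin", "ro", "rw"}   # shipped with no password, per the guide
ACCESS_LEVELS = {"super-user", "read-write", "read-only"}
DAYS = {"sun", "mon", "tue", "wed", "thu", "fri", "sat"}
EA_KEY = "account assigned emergency-access from the console"

# Constructed sample captures, modeled on the example output in this section.
SAMPLE_LOGIN = """\
Username  Access      State     Aging  Simul  Local  Login  Access  Allowed
                                       Login  Only?  Start  End     Days
admin     super-user  disabled  0      0      no     ***access always allowed***
ro        read-only   enabled   0      0      no     ***access always allowed***
rw        read-write  enabled   0      0      no     ***access always allowed***
usersu    super-user  enabled   0      0      no     00:00  24:00   sun mon tue wed
                                                                    thu fri sat
guest     read-only   enabled   0      0      no     08:00  17:00   mon tue wed
"""
SAMPLE_LOCKOUT = """\
Unsuccessful login attempts before lockout : 3
Duration of lockout : 15 minutes.
Period of inactivity before account lockout : 0 days
Lockout entire port upon failed logins : disabled
Ports currently locked out due to failed logins : none
Account assigned emergency-access from the console: usersu
"""


def parse_login(text):
    """Parse `show system login` output into {username: settings}."""
    accounts, last = {}, None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[1] in ACCESS_LEVELS:
            window = tok[6:]
            always = bool(window) and window[0].startswith("***")
            last = {
                "access": tok[1],
                "enabled": tok[2] == "enabled",
                "aging": int(tok[3]),
                "simul": int(tok[4]),
                "local_only": tok[5] == "yes",
                "interval": None if always else tuple(window[:2]),
                "days": [] if always else [d.lower() for d in window[2:]],
            }
            accounts[tok[0]] = last
        elif last is not None and tok and all(t.lower() in DAYS for t in tok):
            # A wrapped continuation of the Days column belongs to the previous row.
            last["days"].extend(t.lower() for t in tok)
    return accounts


def parse_lockout(text):
    """Parse `show system lockout` output into {lowercased label: value}."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            settings[label.strip().lower()] = value.strip().rstrip(".")
    return settings


def audit(accounts, lockout):
    """Return a list of (finding, subject) tuples; an empty list means nothing to report."""
    findings = []
    for name in sorted(DEFAULT_ACCOUNTS & set(accounts)):
        if accounts[name]["enabled"]:
            findings.append(("default-account-enabled", name))
    ea = lockout.get(EA_KEY, "")
    ea_acct = accounts.get(ea)
    if ea == "admin":
        findings.append(("emergency-access-is-default-admin", ea))
    # The guide requires the emergency access user to hold super-user rights.
    if ea_acct is None or ea_acct["access"] != "super-user" or not ea_acct["enabled"]:
        findings.append(("emergency-access-account-unusable", ea))
    if not any(a["access"] == "super-user" and a["enabled"] and n != "admin"
               for n, a in accounts.items()):
        findings.append(("no-named-super-user", "admin"))
    # Informational: both values below are the Normal-mode defaults.
    if lockout.get("period of inactivity before account lockout", "").startswith("0 "):
        findings.append(("inactivity-lockout-off", "read-write/read-only accounts"))
    if lockout.get("lockout entire port upon failed logins") == "disabled":
        findings.append(("port-lockout-off", "all interfaces"))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(parse_login(SAMPLE_LOGIN), parse_lockout(SAMPLE_LOCKOUT)):
        print(f"{finding}: {subject}")
```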
Password Management Overview
Individual user account passwords are configured with the set password command. Configured passwords are transmitted and stored in a one-way encrypted form, using a FIPS 140-2 compliant algorithm.
When passwords are entered on the switch using the CLI, the switch automatically suppresses the clear text representation of the password. In addition, the switch ensures that passwords are not available in clear text to any user, including administrators.
The switch ensures that the password does not contain, repeat, or reverse the associated username.
All password changes are logged by the switch.
System Level Password Settings
At the system level, you can configure password requirements with the set system password command. Among other characteristics, the set system password command allows you to configure password length, repetition, character usage, password sharing, and aging.
The following list describes in detail the system level password requirements that can be configured:
• Whether the switch maintains and verifies a password history (from 0 to 10) per account (set system password history). The previously used passwords for a user account stored in the password history are checked for duplication when a new password is configured for that account with the set password command.
• Whether the switch enforces a minimum period of waiting before an existing password can be updated (set system password change-frequency). An exception to this requirement is the first time update, which if configured, requires a new user logging in for the first time to change their password (set system password change-first-login).
  – A password change-frequency interval of zero means there is no restriction on the frequency of password changes.
  – A configured minimum change-frequency interval applies only to users without super-user privileges attempting to change their own passwords. Users with super-user privileges may change their passwords at any time.
• Whether the switch allows multiple accounts to share the same password (set system password allow-duplicates).
• Whether the switch enforces a minimum number of characters required for passwords (set system password length).
• Whether the switch allows the same character to appear consecutively in the same password (set system password allow-repeating-chars).
• Whether the switch enforces a configurable minimum number of characters of a specific type that must be present in a user account password (set system password min-required-chars). The following types are supported:
  – Upper case characters (default 0)
  – Lower case characters (default 0)
  – Numeric characters (default 0)
  – Special characters (default 0)
  The set of special characters recognized is: ! @ # $ % ^ & * () ? = [ ] \ ; ? , ./ `.
• Whether the switch enforces aging of system passwords.
  – The switch can enforce a system-wide default for password aging (set system password aging).
  – The switch can enforce a password aging interval on a per-user basis (set system login aging).
  – The switch can notify users at login that their password will expire in a given number of days (set system password warning-period).
  – The switch can notify a user upon password expiration, but allow a specified additional number of subsequent logins (1 to 3) within a specified time period (1 to 30 days) before requiring a new password (set system password grace-period and grace-limit).
• Whether the switch requires that a password be specified at the time of user account creation (set system password require-at-creation).
  – If the option is enabled, the set system login command will interactively prompt for a password upon creation of a new user account.
  – It will be as if a set password username command was implicitly executed. The new account will not be successfully created until a valid password has been specified.
• Whether the switch performs substring matching to prevent any substring present in previous account passwords from being used in a new password (set system password substring-match-len).
  – Requires a non-zero password history length.
  – 0 to 40 characters are supported.
  – If a substring-match-len option is set to zero, no substring matching will be performed when validating new passwords.
  – If the substring-match-len option is configured with a nonzero length, any substring of the specified length appearing in the current password for this user may not appear in a new password.
  – If the configured history size is nonzero, then all historical passwords up to that size will also be compared with the input of the new password. Any substring of the configured length appearing in any of the historical passwords may not be used in the new password.
Password feature behavior and defaults differ depending on the security mode of the switch. For information about security modes and profiles, see Chapter 26, Configuring Security Features. See Table 5-1 on page 5-7 for a list of account and password defaults by security mode.
Procedure 5-3 on page 5-8 describes the commands used to configure system password settings.
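To see how the system-level rules listed above combine when a new password is checked, the following added example models them in Python; it is an illustration and not the switch's firmware logic. The class and function names are hypothetical, and two points are assumptions: a numeric allow-repeating-chars value is treated as the longest permitted run of one character, and the username check is case-insensitive.

```python
from dataclasses import dataclass
from typing import Optional

# Special characters recognized by the switch, as listed in the guide.
SPECIALS = set("!@#$%^&*()?=[]\\;,./`")


@dataclass
class PasswordPolicy:
    length: int = 8                   # set system password length
    max_repeat: Optional[int] = None  # allow-repeating-chars; None models "yes"
    history: int = 0                  # set system password history (0 to 10)
    substring_match_len: int = 0      # substring-match-len; 0 disables matching
    min_upper: int = 0                # min-required-chars uppercase
    min_lower: int = 0                # min-required-chars lowercase
    min_numeric: int = 0              # min-required-chars numeric
    min_special: int = 0              # min-required-chars special


# Defaults taken from Table 5-1 of the guide.
NORMAL = PasswordPolicy(length=8, max_repeat=None, history=0)
C2 = PasswordPolicy(length=9, max_repeat=2, history=8)


def longest_run(s):
    """Length of the longest run of one repeated character in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def ngrams(s, n):
    """All substrings of s with length n (empty set when s is shorter than n)."""
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def violations(new, username, policy, current=None, previous=()):
    """Return the list of rules the candidate password breaks.

    Old passwords are passed as plain strings only so the rules can be shown;
    the guide states that the switch stores passwords in one-way form.
    `previous` is ordered newest first.
    """
    found = []
    if len(new) < policy.length:
        found.append("length")
    if policy.max_repeat is not None and longest_run(new) > policy.max_repeat:
        found.append("repeating-chars")
    counts = [
        ("uppercase", sum(c.isupper() for c in new), policy.min_upper),
        ("lowercase", sum(c.islower() for c in new), policy.min_lower),
        ("numeric", sum(c.isdigit() for c in new), policy.min_numeric),
        ("special", sum(c in SPECIALS for c in new), policy.min_special),
    ]
    for kind, have, need in counts:
        if have < need:
            found.append("min-" + kind)
    # Must not contain, repeat, or reverse the username (case folding is assumed).
    user = username.lower()
    if user and (user in new.lower() or user[::-1] in new.lower()):
        found.append("username")
    remembered = list(previous)[:policy.history]
    if new in remembered:
        found.append("history")
    n = policy.substring_match_len
    if n > 0:
        # The current password is always compared; history only up to its size.
        compared = ([current] if current else []) + remembered
        new_grams = ngrams(new, n)
        if any(new_grams & ngrams(old, n) for old in compared):
            found.append("substring-match")
    return found


if __name__ == "__main__":
    strict = PasswordPolicy(history=2, substring_match_len=4, min_numeric=1)
    print(violations("Spring#2011x", "guest", strict, current="Winter#2011"))
```

With a substring length of 4, changing only the season in "Winter#2011" is rejected because "#201" and "2011" carry over, which is the reuse pattern this setting is meant to stop.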
Defaults
The default values for user account and password parameters are listed in the following table by the security mode of the switch.
Table 5-1 User Account and Password Parameter Defaults by Security Mode
Parameter                                               Normal Mode Default       C2 Mode Default
Password history                                        0 (no history)            8 previous passwords
Password change frequency                               0 (no waiting)            1440 minutes (24 hours)
Minimum number of characters in password                8                         9
Allow consecutively repeating characters in password    yes                       2 characters
Aging of system passwords                               disabled                  90 days
Password required at time of new user account creation  no                        yes
Substring matching at password validation               0 (no checking)           0 (no checking)
New users required to change password at first log in   no                        yes
Lockout based on inactivity                             0 (no activity checking)  90 days of inactivity
Lockout based on failed login attempts                  3 failed attempts         3 failed attempts
Lockout period duration after unsuccessful logins       15 minutes                1 minute
Grace period after password expiration                  0                         30 days
Grace login limit                                       0                         3
Warning period                                          20 days                   20 days
System Password Settings Configuration
Refer to the CLI Reference for your platform for detailed information about the commands listed below in Procedure 5-3.
Procedure 5-3 Configuring System Password Settings
Step Task Command(s)
1. Configure system level password settings. All parameters are optional but at least one must be entered with the command.
set system password
    [aging {days | disable}]
    [allow-duplicates {yes | no}]
    [allow-repeating-chars {num | yes}]
    [change-first-login {yes | no}]
    [change-frequency minutes]
    [grace-limit {logins}]
    [grace-period {days}]
    [history {size}]
    [length {#ofChars}]
    [min-required-chars {[uppercase #ofChars] [lowercase #ofChars] [numeric #ofChars] [special #ofChars]}]
    [require-at-creation {yes | no}]
    [substring-match-len #ofChars]
    [warning-period {days}]
2. Display the current password settings.
show system password
3. Reset password settings to default values.
clear system password
    [aging] [allow-duplicates] [allow-repeating-chars] [change-first-login] [change-frequency] [grace-limit] [grace-period] [history] [length]
    [min-required-chars {[uppercase] [lowercase] [numeric] [special]}]
    [require-at-creation] [substring-match-len] [warning-period]
Password Reset Button Functionality
When the password reset button functionality is enabled with the set system password-resetbutton enable command, pressing the password reset button causes the admin account, with its default values, to be restored on the switch.
• If the admin account has been disabled, it will be re-enabled.
• If the admin account has been deleted, it will be restored on the switch with default values.
When the password reset button functionality is disabled by means of the set system password-resetbutton disable command, pressing the reset button will have no effect. The password reset button is enabled by default.
Management Authentication Notification MIB Functionality
Management authentication notification MIB functionality includes enabling/disabling the sending of SNMP notifications when a user login authentication event occurs for various authentication notification types.
SNMP must be correctly configured in order to send these notifications. Refer to Chapter 12, Configuring SNMP, for more information about SNMP.
Use the set mgmt-auth-notify command to enable or disable notifications for the authentication notification types specified in the Enterasys Management Authentication Notification MIB.
You can specifically enable or disable a single authentication notification type, multiple authentication notification types or all the authentication notification types. The default setting is that all Management Authentication Notification types are enabled for authentication notifications.
When enabled for console, SSH, Telnet, or Webview, the switch will send an SNMP notification for every successful and failed login attempt.
Use the clear mgmt-auth-notify command to return all current settings to the default state of enabled.
Refer to the CLI Reference for your platform for detailed information about the commands listed below in Procedure 5-4.
Procedure 5-4 Configuring Management Authentication Notification MIB Settings
Step Task Command(s)
1. Display the current settings for the Management Authentication Notification MIB.
show mgmt-auth-notify
2. Enable or disable notifications for one or more authentication notification types.
set mgmt-auth-notify {enable | disable} [console] [ssh] [telnet] [webview] [inactiveUser] [maxUserAttempt] [maxUserFail]
3. Return all settings to the default of enabled.
clear mgmt-auth-notify
The following example displays the current MIB settings, then disables notifications for inactive users and WebView connections.
C5(su)->show mgmt-auth-notify
Management Type Status
--------------- --------
console         Enabled
ssh             Enabled
telnet          Enabled
webview         Enabled
inactiveUser    Enabled
maxUserAttempt  Enabled
maxUserFail     Enabled
C5(su)->set mgmt-auth-notify disable web inactiveUser
6
Firmware Image and File Management
This chapter describes how to download and install a firmware image file and how to save and display the system configuration as well as manage files on the switch.
Managing the Firmware Image
This section describes how to download a firmware image, set the firmware to be used at system startup, revert to a previous image, and set TFTP parameters.
Downloading a Firmware Image
You can upgrade the operational firmware in the stackable or standalone switch without physically opening the switch or being in the same location. There are two ways to download firmware to the switch:
• Via TFTP or SFTP download. This procedure uses a TFTP or SFTP server connected to the network and downloads the firmware using the TFTP or SFTP protocol. For details on how to perform a TFTP or SFTP download using the copy command, refer to “Downloading from a TFTP or SFTP Server” on page 6-2. For information on setting TFTP timeout and retry parameters, refer to “Setting TFTP Parameters” on page 6-4.
• Via the serial (console) port. This procedure is an out-of-band operation that copies the firmware through the serial port to the switch using an XMODEM transfer. It should be used in cases when you cannot connect to the switch to perform the in-band copy download procedure via TFTP. Serial console download has been successfully tested with the following applications which support XMODEM transfer:
  – HyperTerminal
  – Tera Term Pro
  Any other terminal applications may work but are not explicitly supported.
  Refer to “Downloading Firmware via the Serial Port” on page 1-10 for instructions.
The stackable and standalone fixed switches allow you to download and store dual images. The backup image can be downloaded and selected as the startup image by using the commands described in this section.
Downloading from a TFTP or SFTP Server
This procedure assumes that the switch or stack of switches has been assigned an IP address and that it is connected to the network. It also assumes that the network has a TFTP or SFTP server to which you have access. If these assumptions are not true, please refer to Chapter 1, Setting Up a Switch for the First Time for more information.
To perform a TFTP or SFTP download:
1. Download to your computer the latest firmware for the switch from the Enterasys web site. Unzip/uncompress the firmware, and copy the firmware to the upload/download directory configured for your TFTP server. The firmware is available at this Enterasys location:
https://extranet.enterasys.com/downloads
2. Review the Release Notes for the downloaded firmware to check for any upgrade notices or limitations that may apply to your switch.
3. Using Telnet or SSH, establish a CLI session on the switch and log in.
4. From the CLI session, use the copy command to download the new image file from the TFTP or SFTP server to the switch. For example:
copy tftp://<TFTP-server-IPaddr>/<path-to-firmware-file> system:image
If you receive the error message “Error: No space left on the device. Please remove backup file.”, refer to “Deleting a Backup Image File” on page 1-5 before proceeding.
5. After the copy is complete, use the dir command to confirm that the new image file has been copied. The following example shows that the firmware image “a4-series_06.61.03.0007” was copied to the switch but that firmware image “a4-series_06.61.00.0026” is still the active and boot image.
A4(su)->dir
Images:
==================================================================
Filename: a4-series_06.61.00.0026 (Active)(Boot)
Version: 06.61.00.0026
Size: 9405440 (bytes)
Date: Fri Dec 16 12:48:35 2011
CheckSum: f1626ccf10d8f48cd6c3e79ab602342a
Compatibility: <platform specific>

Filename: a4-series_06.61.03.0007
Version: 06.61.03.0007
Size: 8290304 (bytes)
Date: Fri Jan 27 11:35:27 2012
CheckSum: 9f820d79239f10890442f8ff1f2bc914
Compatibility: <platform specific>
6. To set the new image to the boot image, refer to “Setting the Boot Firmware” on page 6-3 below.
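TFTP provides no integrity or authenticity check of its own, so step 5 is the point at which to confirm that the image on the switch is the file you staged. The script below is an added example, not part of the Enterasys guide: it parses dir output and compares the Size and CheckSum fields with the local file. It assumes that Size is the file length in bytes and that CheckSum is an MD5 digest of the image file; the guide does not name the algorithm, so it is a parameter. Function names are hypothetical.

```python
import hashlib
import re

# Sample capture taken from the dir example in this section.
SAMPLE_DIR = """\
A4(su)->dir
Images:
==================================================================
Filename: a4-series_06.61.00.0026 (Active)(Boot)
Version: 06.61.00.0026
Size: 9405440 (bytes)
Date: Fri Dec 16 12:48:35 2011
CheckSum: f1626ccf10d8f48cd6c3e79ab602342a
Compatibility: <platform specific>

Filename: a4-series_06.61.03.0007
Version: 06.61.03.0007
Size: 8290304 (bytes)
Date: Fri Jan 27 11:35:27 2012
CheckSum: 9f820d79239f10890442f8ff1f2bc914
Compatibility: <platform specific>
"""

FIELD = re.compile(r"^(Filename|Version|Size|Date|CheckSum|Compatibility):\s*(.*)$")


def parse_dir(text):
    """Parse the Images section of `dir` output into a list of dicts."""
    images, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Filename":
            cur = {
                "filename": val.split()[0],
                "active": "(Active)" in val,
                "boot": "(Boot)" in val,
            }
            images.append(cur)
        elif cur is not None:
            if key == "Size":
                cur["size"] = int(val.split()[0])
            elif key == "CheckSum":
                cur["checksum"] = val.lower()
            else:
                cur[key.lower()] = val
    return images


def check_download(images, filename, data, algorithm="md5"):
    """Compare the switch's record of `filename` with the local image bytes.

    Returns a list of problems; an empty list means size and checksum agree.
    The digest algorithm is an assumption (see the lead-in).
    """
    match = [i for i in images if i["filename"] == filename]
    if not match:
        return ["image not present on switch"]
    img, problems = match[0], []
    if img.get("size") != len(data):
        problems.append("size mismatch")
    if img.get("checksum") != hashlib.new(algorithm, data).hexdigest():
        problems.append("checksum mismatch")
    return problems


def boot_state(images):
    """Return (active filename, boot filename); they differ until the next reset."""
    active = next((i["filename"] for i in images if i["active"]), None)
    boot = next((i["filename"] for i in images if i["boot"]), None)
    return active, boot


if __name__ == "__main__":
    imgs = parse_dir(SAMPLE_DIR)
    print(boot_state(imgs))
    # Constructed bytes stand in for the firmware file staged on the TFTP server.
    print(check_download(imgs, "a4-series_06.61.03.0007", b"not the real image"))
```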
Setting the Boot Firmware
Use the show boot system command to display the image file currently configured to be loaded at startup. For example:
A4(su)->show boot system
Current system image to boot: a4-series_06.61.00.0026
Use the set boot system command to set the firmware image to be loaded at startup. You can choose to reset the system to use the new firmware image immediately, or you can choose to only specify the new image to be loaded the next time the switch is rebooted. For example:
A4(su)->set boot system a4-series_06.61.03.0007
This command can optionally reset the system to boot the new image.
Do you want to reset now (y/n) [n]
If you respond y (yes), the system will reboot immediately using the new image, and the new image will be the active image. If you respond n (no), the new image will be set as the Boot image but the currently Active image will remain active.
You can use the dir command to display the “Active” image and the “Boot” image, which will be the image loaded at the next system reboot.
Reverting to a Previous Image
In the event that you need to downgrade to a previous version of code, you can do so by completing the steps described below.
1. Save your running configuration with the save config command.
2. Make a copy of the current configuration with the show config outfile configs/filename command. Use the dir command to confirm that the file was created.
3. If desired, copy the file to a remote TFTP server with the copy command:
copy configs/<filename> tftp://server_ipaddr/<filename>
4. If necessary, load the previous version of code on the device, as described in “Downloading a Firmware Image” (page 6-1).
5. Set this older version of code to be the boot code with the set boot system command. When the system asks if you want to reset the device, specify no (n).
6. Reload the saved configuration onto the device with the configure command. Do not use the append parameter. You will be prompted to respond whether you want to reset the system. Enter y (yes).
configure configs/<filename>
This command will reset the system and clear current configuration.
Are you sure you want to continue (y/n) [n]? y
7. After the system resets, establish a new CLI session with the switch and log in.
Note: If you are changing the firmware image to a version earlier than the current version, refer to “Reverting to a Previous Image” on page 6-3 for the correct steps to follow.
Caution: Before reverting to a previous image, always back up your configuration by saving it to a file with the show config outfile command. You can then copy the file to a remote location with the copy command. Refer to “Creating a Backup Configuration File” on page 6-6 for more information.
Setting TFTP Parameters
You can configure some of the settings used by the switch during data transfers using TFTP.
Use the show tftp settings command to display current settings.
A4(ro)->show tftp settings
TFTP packet timeout (seconds): 2
TFTP max retry: 5
Use the set tftp timeout command to configure how long TFTP will wait for a reply of either an acknowledgement packet or a data packet during a data transfer. The default value is 2 seconds.
Use the set tftp retry command to configure how many times TFTP will resend a packet, either an acknowledgement packet or a data packet. The default value is 5 retries.
Use the clear tftp timeout and clear tftp retry commands to reset configured values back to their defaults.
Managing Switch Configuration and Files
Configuration Persistence Mode
The default state of configuration persistence mode is “auto,” which means that when CLI configuration commands are entered, or when a configuration file stored on the switch is executed, the configuration is saved to NVRAM automatically at the following intervals:
• On a standalone unit, the configuration is checked every two minutes and saved if there has been a change.
• On a stack, the configuration is saved across the stack every 5 minutes if there has been a change.
If you want to save a running configuration to NVRAM more often than the automatic intervals, execute the save config command and wait for the system prompt to return. After the prompt returns, the configuration will be persistent.
Use the show snmp persistmode command to display the current persistence mode. You can change the persistence mode from “auto” to “manual” with the set snmp persistmode command. If the persistence mode is set to “manual,” configuration commands will not be automatically written to NVRAM. Although the configuration commands will actively modify the running configuration, they will not persist across a reset unless the save config command has been executed.
Caution: If you do not follow the steps above, you may lose remote connectivity to the switch.
Note: When your device is configured for manual SNMP persistence mode, and you attempt to change the boot system image, the device will not prompt you to save changes or warn you that changes will be lost.
Note: If a memory card is installed on an I-Series switch, “auto” persistence mode is not supported. Refer to Using an I-Series Memory Card below for more information.
Using an I-Series Memory Card
The I3H-4FX-MEM and I3H-6TX-MEM IOMs provide a memory card slot where a small, separately-purchased memory card (I3H-MEM) may be inserted. The memory card provides a removable, non-volatile means for storing the system configuration and IP address only, and may be used to move the system’s configuration to another switch.
The memory card is hot-swappable. If a card is already installed in the switch, when the memory slot cover plate is removed, power is automatically removed from the slot. Once power has been removed from the slot, power will not be returned until the switch is rebooted with a memory card in the slot.
Refer to your I-Series Installation Guide for information about inserting and removing memory cards.
Memory Card Operation
When an I-Series switch is initialized (booted up), the configuration stored on an installed memory card will overwrite the configuration saved in NVRAM. If no configuration is contained on an installed memory card, the activity LED will flash briefly and the boot up will continue without overwriting the configuration in NVRAM.
If a memory card is inserted into a running system (hot swapped), the configuration stored on the memory card will not be applied until the system is rebooted.
When a memory card is installed:
• The save config command must be used to save the current configuration to both NVRAM and to the memory card, since “auto” persistence mode is not supported when a card is present.
• The clear config command will simultaneously delete the current configuration from both NVRAM and the memory card.
• The show config command can display the configuration on the memory card or on NVRAM.
Note that only the system configuration can be stored on the memory card—no files can be stored on the card. The copy command should be used to upload files to the switch.
Displaying and Saving the Configuration and Creating a Backup
Use the save config command to save the running configuration. On a stacked system, this command will save the configuration to all switch members in a stack.
Use the show config command to:
• Display the system configuration
• Write the configuration to a file
Note: Only one IOM containing a memory card slot may be installed in an I-Series switch.
Note: The I-Series memory card is not interchangeable with a standard Compact Flash card. A standard Compact Flash card will not work in the I-Series switch, and the I-Series memory card cannot be used in place of a Compact Flash card in other systems.
Displaying the Configuration
Executing show config without any parameters will display all the non-default configuration settings. Using the all parameter will display all default and non-default configuration settings.
To display non-default information about a particular section of the configuration, such as port or system configuration, use the name of the section (or facility) with the command. For example, to show the configuration of the “system” facility:
C5(su)->show config system
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.

begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
!
# Firmware Revision: 06.61.01.0032
!
#system
set system name "LAB C5"
set system location "Second Floor South"
set system contact "John Smith"
!
!
end
On the I-Series, you can display the configuration information on a memory card with the show config memcard command. If a memory card is not installed, a message indicating that the memory card could not be accessed is displayed.
Creating a Backup Configuration File
You can create a copy of the system configuration using the show config outfile command. This configuration file can then be copied to a remote location to be used as a backup configuration file if needed.
This example:
• Saves the currently running configuration,
• Saves the configuration to a file named “myconfig” in the “configs” directory on the switch,
• Verifies the location of the file with the dir command,
• Then copies that file to a remote TFTP server on the network.
B5(su)->save config
B5(su)->show config outfile configs/myconfig
B5(su)->dir
Images:
==================================================================
Filename:      b5-series_06.42.03.0001
Version:       06.42.03.0001
Size:          6856704 (bytes)
Date:          Tue Dec 14 14:12:21 2010
CheckSum:      043637a2fb61d8303273e16050308927
Compatibility: B5G124-24, B5G124-24P2, B5G124-48, B5G124-48P2, B5K125-24
               B5K125-24P2, B5K125-48, B5K125-48P2

Filename:      b5-series_06.61.01.0032 (Active) (Boot)
Version:       06.61.01.0032
Size:          7314432 (bytes)
Date:          Fri Jan 6 11:20:00 2012
CheckSum:      c0ae0ef322317f79309bc64e4c3beca4
Compatibility: B5G124-24, B5G124-24P2, B5G124-48, B5G124-48P2, B5K125-24
               B5K125-24P2, B5K125-48, B5K125-48P2

Files:                           Size
================================ ========
configs:
   myconfig                      4237
logs:
   current.log                   512017
secure:
secure/logs:

B5(su)->copy configs/myconfig tftp://192.168.10.1/myconfig

Notes:
• When saving a configuration to a file, save only the non-default values — that is, do not use the all parameter with show config outfile. Including default values is unnecessary and will make the configuration file very large.
• You can write only a section of a system configuration to a file by using the facility parameter with show config outfile.
To use a backup configuration file, refer to “Reverting to a Previous Image” on page 6-3 and “Applying a Saved Configuration” on page 6-7 below.
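The check below is an added example, not part of the Enterasys guide: it parses captured dir output and, between steps 5 and 6 of “Reverting to a Previous Image”, reports whether the target image is marked (Boot), whether its CheckSum matches a value you recorded when you obtained the image, and whether the backup file exists under configs. The function names, the idea of a recorded checksum, and the abbreviated sample text are assumptions made for the example.

```python
import re
# Constructed sample: "dir" output in this section's layout (Version, Size, Date, Compatibility omitted).
SAMPLE_DIR = """\
Images:
==================================================================
Filename:      b5-series_06.42.03.0001
CheckSum:      043637a2fb61d8303273e16050308927
Filename:      b5-series_06.61.01.0032 (Active) (Boot)
CheckSum:      c0ae0ef322317f79309bc64e4c3beca4
Files:                           Size
================================ ========
configs:
   myconfig                      4237
logs:
   current.log                   512017
secure:
"""

def parse_dir(text):
    """Return (images, files): images maps name -> {flags, checksum}; files maps 'dir/name' -> size."""
    images, files, current, directory, in_files = {}, {}, None, None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Files:"):          # everything after this header is the file listing
            in_files = True
        elif not in_files and (m := re.match(r"Filename:\s+(\S+)(.*)", s)):
            current = images[m.group(1)] = {"checksum": None, "flags": set(re.findall(r"\((\w+)\)", m.group(2)))}
        elif not in_files and current is not None and (m := re.match(r"CheckSum:\s+(\S+)", s)):
            current["checksum"] = m.group(1).lower()
        elif in_files and re.fullmatch(r"\S+:", s):      # directory line such as "configs:"
            directory = s[:-1]
        elif in_files and directory and (m := re.fullmatch(r"(\S+)\s+(\d+)", s)):
            files[f"{directory}/{m.group(1)}"] = int(m.group(2))
    return images, files

def pre_revert_check(text, target_image, expected_checksum, backup_path):
    """List reasons not to reset yet: wrong boot image, checksum drift, or no backup file."""
    images, files = parse_dir(text)
    problems, image = [], images.get(target_image)
    if image is None:
        problems.append(f"image {target_image} is not on the switch")
    else:
        if "Boot" not in image["flags"]:
            problems.append(f"{target_image} is not marked (Boot)")
        if image["checksum"] != expected_checksum.lower():
            problems.append(f"{target_image} checksum differs from the recorded value")
    if files.get(backup_path, 0) <= 0:
        problems.append(f"backup {backup_path} is missing or empty")
    return problems
```

An empty list means the image that will load at the next reset is the intended one and a non-empty backup is present on the switch; copying that backup off the switch is still a separate step.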
Applying a Saved Configuration
Use the configure command to execute a configuration file stored on the switch. You can append the file to the current configuration, to make incremental adjustments to the current configuration, or you can replace the current configuration with the contents of the file. When you replace the current configuration, an automatic reset of the system is required.
This example appends the file “myconfig” located in the configs directory to the current running configuration:
B5(su)->configure configs/myconfig append
This example replaces the current configuration with the contents of the “myconfig” file. After the system resets, you will have to establish another CLI session and log in to the system again.
B5(su)->configure configs/myconfig
This command will reset the system and clear current configuration.
Are you sure you want to continue (y/n) [n]? y
Managing Files
Table 6-1 lists the tasks and commands used to manage files.
Table 6-1 File Management Commands
Task                                                      Command
--------------------------------------------------------  ------------------------------------------------
List all the files stored on the system, or only a        dir [filename]
specific file.
Display the system configuration. On I-Series only,       show config [all | facility | memcard]
display contents of memory card.
Display the contents of a file located in the configs     show file directory/filename
or logs directory.
Delete a file. Can be used to delete image files as       delete directory/filename
well as files in the configs and logs directories.
Copy the configuration or sections of the                 show config [facility] outfile configs/filename
configuration to a file.
7
Configuring System Power and PoE
This chapter describes how to configure Redundant Power Supply mode on the C5 and G-Series switches, and how to configure Power over Ethernet (PoE) on platforms that support PoE.
The information about Power over Ethernet (PoE) applies only to fixed switching platforms that provide PoE support. PoE is not supported on the I-Series switches.
Configuring Redundant Power Supplies
When a C5 or G-Series switch is connected to a redundant power supply, two modes of power supply operation are supported:
• Redundant mode, in which the power made available to the system is equal to the maximum output of the lowest rated supply. (This is the default mode.) When two supplies are installed in redundant mode, system power redundancy is guaranteed if one supply is lost.
• Non-redundant, or additive, mode, in which the combined output of both supplies is made available to the system. In this mode, the loss of a single supply may result in a system reset.
Power supply redundancy mode can be configured with the set system power command.
On G-Series switches, power supply LEDs visible on the front panel of the switch indicate whether the power supplies are present and, if two are present, whether they are in redundant or additive (non-redundant) mode. Refer to your G-Series Hardware Installation Guide for more information.
Note: This feature is supported by the C5 and G-Series switches only.
Power over Ethernet Overview
PoE, defined in IEEE standards 802.3af and 802.3at, refers to the ability to provide 48 Vdc (for 802.3af) or 54 Vdc (for 802.3at) operational power through an Ethernet cable from a switch or other device that can provide a PoE-compliant port connection to a powered device (PD). Examples of PDs are the following:
• Voice over IP devices such as PoE-compliant digital telephones
• Pan/Tilt/Zoom (PTZ) IP surveillance cameras
• Devices that support Wireless Application Protocol (WAP) such as wireless access points
Ethernet implementations employ differential signals over twisted pair cables. This requires a minimum of two twisted pairs for a single physical link. Both ends of the cable are isolated with transformers blocking any DC or common mode voltage on the signal pair. PoE exploits this fact by using two twisted pairs as the two conductors to supply a direct current to a PD. One pair carries the power supply current and the other pair provides a path for the return current.
Using PoE allows you to operate PDs in locations without local power (that is, without AC outlets). Having such a network setup can reduce the costs associated with installing electrical wiring and AC outlets to power the various devices.
Implementing PoE
You can configure PoE on your PoE-compliant Enterasys device through the CLI-based procedures presented in the section “Configuring PoE” on page 7-4. As part of your plan to implement PoE in your network, you should ensure the following:
• The power requirements of your PDs are within the limits of the PoE standards.
• Your PoE-compliant Enterasys device can supply enough power to run your PDs. See Table 7-1 for power ranges based on each device class.
If SNMP traps are enabled, the Enterasys device generates a trap to notify the network administrator if any of the following occur:
• If the power needed or requested exceeds the power available
• If a power state occurs on a PD (for example, when a PD is powered up or unplugged)
If insufficient power is available for an attached PD, the corresponding port LED on the Enterasys device turns amber. The LED also turns amber if a PoE fault occurs (for example, a short in the Ethernet cable).
Allocation of PoE Power to Modules
The switch firmware determines the power available for PoE based on hardware configuration, power supply status, and power supply redundancy mode. The system calculates and reserves the correct amount of power required by the installed hardware components and then makes the
Table 7-1 PoE Powered Device Classes
Class  Power Output at Port   Power Range Used by Device
-----  ---------------------  ------------------------------
0      15.4 watts             0.44 to 12.95 watts
1      4.0 watts              0.44 to 3.84 watts
2      7.0 watts              3.84 to 6.49 watts
3      15.4 watts             6.49 to 12.95 watts
4      34 watts (802.3at)     12.95 to 25.5 watts (802.3at)
       Reserved (802.3af)     Treat as class 0 (802.3af)
Note: This feature is available only on the G-Series.