LevelOne FGL-2870 User Manual

LevelOne

FGL-2870

Installation Guide

Installationsanleitung

24FE + 4GE Combo SFP

L2 SNMP Switch

User Manual

Version 1.0

Management Guide

Fast Ethernet Switch

Combo Layer 2 SNMP Switch
with 24 10/100BASE-T (RJ-45) Ports,
and 4 Combination Gigabit (RJ-45/SFP) Ports

FGL-2870
E122009-WM-R01
149100000059A

About This Guide

Purpose

This guide gives specific information on how to operate and use the management
functions of the switch.

Audience

The guide is intended for use by network administrators who are responsible for operating
and maintaining network equipment; consequently, it assumes a basic working
knowledge of general switch functions, the Internet Protocol (IP), and Simple Network
Management Protocol (SNMP).

Conventions

The following conventions are used throughout this guide to show information:

Note: Emphasizes important information or calls your attention to related features or

instructions.

Caution: Alerts you to a potential hazard that could cause loss of data, or damage the

system or equipment.

Warning: Alerts you to a potential hazard that could cause personal injury.

Related Publications

The following publication details the hardware features of the switch, including the
physical and performance-related characteristics, and how to install the switch:

The Installation Guide

Also, as part of the switch’s software, there is an online web-based help that describes all
management related features.

Revision History

This section summarizes the changes in each revision of this guide.

December 2009 Revision

This is the first revision of this guide.

v

vi

Contents

Chapter 1: Introduction 1-1

Key Features 1-1
Description of Software Features 1-2
System Defaults 1-6

Chapter 2: Initial Configuration 2-1

Connecting to the Switch 2-1

Configuration Options 2-1
Required Connections 2-2
Remote Connections 2-3

Basic Configuration 2-3

Console Connection 2-3
Setting Passwords 2-4
Setting an IP Address 2-4

Manual Configuration 2-4
Dynamic Configuration 2-5

Enabling SNMP Management Access 2-6

Community Strings (for SNMP version 1 and 2c clients) 2-6
Trap Receivers 2-7
Configuring Access for SNMP Version 3 Clients 2-8

Managing System Files 2-8

Saving Configuration Settings 2-9

Chapter 3: Configuring the Switch 3-1

Using the Web Interface 3-1
Navigating the Web Browser Interface 3-2

Home Page 3-2

Configuration Options 3-3
Panel Display 3-3
Main Menu 3-4
Basic Configuration 3-13

Displaying System Information 3-13

Displaying Switch Hardware/Software Versions 3-15

Displaying Bridge Extension Capabilities 3-17

Setting the Switch’s IP Address 3-18

Manual Configuration 3-19

Using DHCP/BOOTP 3-20
Enabling Jumbo Frames 3-21
Managing Firmware 3-22

Automatic Operation Code Upgrade 3-22

vii

Contents

Downloading System Software from a Server 3-26

Saving or Restoring Configuration Settings 3-28

Downloading Configuration Settings from a Server 3-29
Uploading and Downloading Files Using HTTP 3-30
Console Port Settings 3-32
Telnet Settings 3-34
Configuring Event Logging 3-36

System Log Configuration 3-36

Remote Log Configuration 3-37

Displaying Log Messages 3-39

Sending Simple Mail Transfer Protocol Alerts 3-39
Resetting the System 3-41
Setting the System Clock 3-42

Setting the Time Manually 3-43

Configuring SNTP 3-43

Configuring NTP 3-44

Setting the Time Zone 3-46

Configuring Summer Time 3-47

Simple Network Management Protocol 3-49

Enabling the SNMP Agent 3-51
Setting Community Access Strings 3-51
Specifying Trap Managers and Trap Types 3-52
Configuring SNMPv3 Management Access 3-55

Setting the Local Engine ID 3-55

Specifying a Remote Engine ID 3-56

Configuring SNMPv3 Users 3-57

Configuring Remote SNMPv3 Users 3-59

Configuring SNMPv3 Groups 3-61

Setting SNMPv3 Views 3-64

Sampling Traffic Flows 3-65

Configuring sFlow Global Parameters 3-66
Configuring sFlow Port Parameters 3-68

User Authentication 3-70

Configuring User Accounts 3-70
Configuring Local/Remote Logon Authentication 3-72
Configuring Encryption Keys 3-75
AAA Authorization and Accounting 3-76

Configuring AAA RADIUS Group Settings 3-77

Configuring AAA TACACS+ Group Settings 3-78

Configuring AAA Accounting 3-78

AAA Accounting Update 3-80

AAA Accounting 802.1X Port Settings 3-81

AAA Accounting Exec Command Privileges 3-82

AAA Accounting Exec Settings 3-83

AAA Accounting Summary 3-83

viii

Contents

Authorization Settings 3-85
Authorization EXEC Settings 3-86
Authorization Summary 3-87

Configuring HTTPS 3-88

Replacing the Default Secure-site Certificate 3-89

Configuring the Secure Shell 3-90

Generating the Host Key Pair 3-93
Importing User Public Keys 3-95
Configuring the SSH Server 3-97

Configuring 802.1X Port Authentication 3-99

Displaying 802.1X Global Settings 3-100
Configuring 802.1X Global Settings 3-101
Configuring Port Settings for 802.1X 3-101
Displaying 802.1X Statistics 3-105

Filtering IP Addresses for Management Access 3-107

General Security Measures 3-109

Configuring Port Security 3-110
Web Authentication 3-111

Configuring Web Authentication 3-112
Configuring Web Authentication for Ports 3-113
Displaying Web Authentication Port Information 3-114
Re-authenticating Web Authenticated Ports 3-114

Network Access (MAC Address Authentication) 3-115

Configuring the MAC Authentication Reauthentication Time 3-117
Configuring MAC Authentication for Ports 3-118
Configuring Port Link Detection 3-120
Displaying Secure MAC Address Information 3-121
MAC Filter Configuration 3-122

Access Control Lists 3-124

Setting the ACL Name and Type 3-125
Configuring a Standard IPv4 ACL 3-126
Configuring an Extended IPv4 ACL 3-127
Configuring a Standard IPv6 ACL 3-129
Configuring an Extended IPv6 ACL 3-130
Configuring a MAC ACL 3-131
Configuring an ARP ACL 3-133
Binding a Port to an Access Control List 3-135

ARP Inspection 3-136

Configuring ARP Inspection 3-136
Displaying ARP Inspection Port Information 3-141

DHCP Snooping 3-143

DHCP Snooping Configuration 3-144
DHCP Snooping VLAN Configuration 3-145
DHCP Snooping Information Option Configuration 3-146
Configuring Ports for DHCP Snooping 3-147

ix

Contents

Displaying DHCP Snooping Binding Information 3-149
IP Source Guard 3-150

Configuring Ports for IP Source Guard 3-150

Configuring Static Binding for IP Source Guard 3-152

Displaying Information for Dynamic IP Source Guard Bindings 3-154

Port Configuration 3-155

Displaying Connection Status 3-155
Configuring Interface Connections 3-157
Creating Trunk Groups 3-160

Statically Configuring a Trunk 3-161

Enabling LACP on Selected Ports 3-162

Configuring Parameters for LACP Group Members 3-164

Configuring Parameters for LACP Groups 3-166

Displaying LACP Port Counters 3-167

Displaying LACP Settings and Status for the Local Side 3-168

Displaying LACP Settings and Status for the Remote Side 3-170
Setting Broadcast Storm Thresholds 3-172
Setting Multicast Storm Thresholds 3-174
Setting Unknown Unicast Storm Thresholds 3-175
Configuring Port Mirroring 3-177
Configuring MAC Address Mirroring 3-178
Configuring Rate Limits 3-179

Rate Limit Configuration 3-179
Showing Port Statistics 3-180

Address Table Settings 3-185

Setting Static Addresses 3-185
Displaying the Address Table 3-186
Changing the Aging Time 3-187

Spanning Tree Algorithm Configuration 3-188

Configuring Port and Trunk Loopback Detection 3-190
Displaying Global Settings for STA 3-191
Configuring Global Settings for STA 3-194
Displaying Interface Settings for STA 3-198
Configuring Interface Settings for STA 3-201
Spanning Tree Edge Port Configuration 3-204

VLAN Configuration 3-206

IEEE 802.1Q VLANs 3-206

Enabling or Disabling GVRP (Global Setting) 3-209

Displaying Basic VLAN Information 3-210

Displaying Current VLANs 3-211

Creating VLANs 3-212

Adding Static Members to VLANs (VLAN Index) 3-214

Adding Static Members to VLANs (Port Index) 3-216

Configuring VLAN Behavior for Interfaces 3-217
Configuring IEEE 802.1Q Tunneling 3-219

x

Contents

Enabling QinQ Tunneling on the Switch 3-223
Adding an Interface to a QinQ Tunnel 3-224

Traffic Segmentation 3-226

Configuring Global Settings for Traffic Segmentation 3-226
Configuring Traffic Segmentation Sessions 3-227

Private VLANs 3-228

Displaying Current Private VLANs 3-228
Configuring Private VLANs 3-229
Associating VLANs 3-230
Displaying Private VLAN Interface Information 3-231
Configuring Private VLAN Interfaces 3-232

Protocol VLANs 3-233

Configuring Protocol VLAN Groups 3-234

Mapping Protocols to VLANs 3-235
Configuring VLAN Mirroring 3-236
Configuring IP Subnet VLANs 3-237
Configuring MAC-based VLANs 3-238

Link Layer Discovery Protocol 3-239

Setting LLDP Timing Attributes 3-239
Configuring LLDP Interface Attributes 3-241
Displaying LLDP Local Device Information 3-244
Displaying LLDP Remote Port Information 3-247
Displaying LLDP Remote Information Details 3-248
Displaying Device Statistics 3-250
Displaying Detailed Device Statistics 3-251

Class of Service Configuration 3-253

Layer 2 Queue Settings 3-253

Setting the Default Priority for Interfaces 3-253

Mapping CoS Values to Egress Queues 3-255

Selecting the Queue Mode 3-256

Displaying the Service Weight for Traffic Classes 3-257
Layer 3/4 Priority Settings 3-259

Mapping Layer 3/4 Priorities to CoS Values 3-259

Enabling IP DSCP Priority 3-259

Mapping DSCP Priority 3-260

Quality of Service 3-262

Configuring Quality of Service Parameters 3-262

Configuring a Class Map 3-263

Creating QoS Policies 3-265

Attaching a Policy Map to Ingress Queues 3-268
VoIP Traffic Configuration 3-269

Configuring VoIP Traffic 3-269

Configuring VoIP Traffic Ports 3-270

Configuring Telephony OUI 3-272

Multicast Filtering 3-274

xi

Contents

Layer 2 IGMP (Snooping and Query) 3-275

Configuring IGMP Snooping and Query Parameters 3-276
Enabling IGMP Immediate Leave 3-278
Displaying Interfaces Attached to a Multicast Router 3-280
Specifying Static Interfaces for a Multicast Router 3-281
Displaying Port Members of Multicast Services 3-282
Assigning Ports to Multicast Services 3-283

IGMP Filtering and Throttling 3-284

Enabling IGMP Filtering and Throttling 3-284
Configuring IGMP Filter Profiles 3-285
Configuring IGMP Filtering and Throttling for Interfaces 3-287

Multicast VLAN Registration 3-289

Configuring Global MVR Settings 3-290
Displaying MVR Interface Status 3-292
Displaying Port Members of Multicast Groups 3-293
Configuring MVR Interface Status 3-294
Assigning Static Multicast Groups to Interfaces 3-296
Configuring MVR Receiver VLAN and Group Addresses 3-297
Displaying MVR Receiver Groups 3-298
Configuring Static MVR Receiver Group Members 3-299

Domain Name Service 3-300

Configuring General DNS Service Parameters 3-300
Configuring Static DNS Host to Address Entries 3-302
Displaying the DNS Cache 3-304

Switch Clustering 3-305

Configuring General Settings for Clusters 3-305
Cluster Member Configuration 3-307
Displaying Information on Cluster Members 3-308
Cluster Candidate Information 3-309

UPnP 3-310

UPnP Configuration 3-311

Chapter 4: Command Line Interface 4-1

Using the Command Line Interface 4-1

Accessing the CLI 4-1
Console Connection 4-1
Telnet Connection 4-2

Entering Commands 4-3

Keywords and Arguments 4-3
Minimum Abbreviation 4-3
Command Completion 4-3
Getting Help on Commands 4-3
Showing Commands 4-4
Partial Keyword Lookup 4-5

xii

Contents

Negating the Effect of Commands 4-5
Using Command History 4-5
Understanding Command Modes 4-6
Exec Commands 4-6
Configuration Commands 4-7
Command Line Processing 4-9

Command Groups 4-10
General Commands 4-11

enable 4-12
disable 4-12
configure 4-13
show history 4-13
reload (Privileged Exec) 4-14
reload (Global Configuration) 4-14
show reload 4-16
prompt 4-16
end 4-16
exit 4-17
quit 4-17

System Management Commands 4-18

Device Designation Commands 4-18

hostname 4-18
Banner Information Commands 4-19

banner configure 4-20

banner configure company 4-21

banner configure dc-power-info 4-22

banner configure department 4-22

banner configure equipment-info 4-23

banner configure equipment-location 4-24

banner configure ip-lan 4-24

banner configure lp-number 4-25

banner configure manager-info 4-26

banner configure mux 4-26

banner configure note 4-27

show banner 4-28
System Status Commands 4-29

show startup-config 4-29

show running-config 4-30

show system 4-33

show users 4-33

show version 4-34
Frame Size Commands 4-35

jumbo frame 4-35
File Management Commands 4-36

copy 4-37

xiii

Contents

delete 4-40
dir 4-40
whichboot 4-41
boot system 4-42
upgrade opcode auto 4-42
upgrade opcode path 4-43

Line Commands 4-44

line 4-45
login 4-46
password 4-47
timeout login response 4-48
exec-timeout 4-48
password-thresh 4-49
silent-time 4-50
databits 4-50
parity 4-51
speed 4-52
stopbits 4-52
terminal length 4-53
terminal width 4-53
terminal escape-character 4-54
terminal terminal-type 4-54
terminal history 4-55
disconnect 4-55
show line 4-56

Event Logging Commands 4-57

logging on 4-57
logging history 4-58
logging host 4-59
logging facility 4-59
logging trap 4-60
clear log 4-60
show logging 4-61
show log 4-62

SMTP Alert Commands 4-63

logging sendmail host 4-63
logging sendmail level 4-64
logging sendmail source-email 4-64
logging sendmail destination-email 4-65
logging sendmail 4-65
show logging sendmail 4-65

Time Commands 4-67

sntp client 4-68
sntp server 4-69
sntp poll 4-69

xiv

Contents

show sntp 4-70

ntp client 4-70

ntp server 4-71

ntp authenticate 4-72

ntp authentication-key 4-73

show ntp 4-74

clock timezone-predefined 4-74

clock timezone 4-75

clock summer-time (date) 4-76

clock summer-time (predefined) 4-77

clock summer-time (recurring) 4-78

calendar set 4-79

show calendar 4-80
Switch Cluster Commands 4-80

cluster 4-81

cluster commander 4-81

cluster ip-pool 4-82

cluster member 4-83

rcommand 4-83

show cluster 4-84

show cluster members 4-84

show cluster candidates 4-84
UPnP Commands 4-84

upnp device 4-85

upnp device ttl 4-85

upnp device advertise duration 4-86

show upnp 4-86

SNMP Commands 4-87

snmp-server 4-88
show snmp 4-89
snmp-server community 4-90
snmp-server contact 4-90
snmp-server location 4-91
snmp-server host 4-92
snmp-server enable traps 4-94
snmp-server engine-id 4-95
show snmp engine-id 4-96
snmp-server view 4-96
show snmp view 4-97
snmp-server group 4-98
show snmp group 4-99
snmp-server user 4-100
show snmp user 4-101

Flow Sampling Commands 4-102

sflow 4-103

xv

Contents

sflow source 4-103
sflow sample 4-104
sflow polling-interval 4-104
sflow owner 4-105
sflow timeout 4-105
sflow destination 4-106
sflow max-header-size 4-106
sflow max-datagram-size 4-107
show sflow 4-107

Authentication Commands 4-108

User Account and Privilege Level Commands 4-109

username 4-109
enable password 4-110
privilege 4-111
privilege rerun 4-112
show privilege 4-112

Authentication Sequence 4-113

authentication login 4-113
authentication enable 4-114

RADIUS Client 4-115

radius-server host 4-115
radius-server acct-port 4-116
radius-server auth-port 4-116
radius-server key 4-117
radius-server retransmit 4-117
radius-server timeout 4-118
show radius-server 4-119

TACACS+ Client 4-119

tacacs-server host 4-120
tacacs-server port 4-120
tacacs-server key 4-121
tacacs-server retransmit 4-121
tacacs-server timeout 4-122
show tacacs-server 4-122

AAA Commands 4-123

aaa group server 4-123
server 4-124
aaa accounting dot1x 4-125
aaa accounting exec 4-126
aaa accounting commands 4-127
aaa accounting update 4-128
accounting dot1x 4-128
accounting exec 4-129
accounting commands 4-129
aaa authorization exec 4-130

xvi

Contents

authorization exec 4-131

show accounting 4-131
Web Server Commands 4-132

ip http port 4-132

ip http server 4-133

ip http secure-server 4-133

ip http secure-port 4-134
Telnet Server Commands 4-135

ip telnet server 4-135
Secure Shell Commands 4-136

ip ssh server 4-138

ip ssh timeout 4-139

ip ssh authentication-retries 4-139

ip ssh server-key size 4-140

delete public-key 4-140

ip ssh crypto host-key generate 4-141

ip ssh crypto zeroize 4-141

ip ssh save host-key 4-142

show ip ssh 4-142

show ssh 4-143

show public-key 4-144

802.1X Port Authentication 4-145

dot1x system-auth-control 4-145

dot1x default 4-146

dot1x max-req 4-146

dot1x port-control 4-146

dot1x operation-mode 4-147

dot1x re-authenticate 4-148

dot1x re-authentication 4-149

dot1x timeout quiet-period 4-149

dot1x timeout re-authperiod 4-150

dot1x timeout tx-period 4-150

dot1x timeout supp-timeout 4-151

dot1x intrusion-action 4-151

show dot1x 4-152
Management IP Filter Commands 4-155

management 4-155

show management 4-156

General Security Measures 4-157

Port Security Commands 4-158

port security 4-158
Network Access (MAC Address Authentication) 4-160

network-access aging 4-161

network-access mac-filter 4-161

network-access port-mac-filter 4-162

xvii

Contents

network-access max-mac-count 4-162
network-access mode 4-163
mac-authentication reauth-time 4-164
mac-authentication intrusion-action 4-165
mac-authentication max-mac-count 4-165
network-access dynamic-vlan 4-166
network-access guest-vlan 4-166
network-access dynamic-qos 4-167
network-access link-detection 4-168
network-access link-detection link-down 4-168
network-access link-detection link-up 4-169
network-access link-detection link-up-down 4-169
clear network-access 4-170
show network-access 4-170
show network-access mac-address-table 4-171
show network-access mac-filter 4-172

Web Authentication 4-173

web-auth login-attempts 4-173
web-auth quiet-period 4-174
web-auth session-timeout 4-174
web-auth system-auth-control 4-175
web-auth 4-175
web-auth re-authenticate (Port) 4-176
web-auth re-authenticate (IP) 4-176
show web-auth 4-177
show web-auth interface 4-177
show web-auth summary 4-178

DHCP Snooping Commands 4-178

ip dhcp snooping 4-179
ip dhcp snooping vlan 4-180
ip dhcp snooping trust 4-181
ip dhcp snooping verify mac-address 4-182
ip dhcp snooping information option 4-183
ip dhcp snooping information policy 4-184
ip dhcp snooping database flash 4-184
clear ip dhcp snooping database flash 4-185
show ip dhcp snooping 4-185
show ip dhcp snooping binding 4-185

IP Source Guard Commands 4-186

ip source-guard 4-186
ip source-guard binding 4-188
show ip source-guard 4-189
show ip source-guard binding 4-189

ARP Inspection Commands 4-190

ip arp inspection 4-190

xviii

Contents

ip arp inspection vlan 4-191

ip arp inspection filter 4-192

ip arp inspection validate 4-193

ip arp inspection log-buffer logs 4-194

ip arp inspection trust 4-195

ip arp inspection limit 4-195

show ip arp inspection configuration 4-196

show ip arp inspection interface 4-196

show ip arp inspection vlan 4-197

show ip arp inspection log 4-197

show ip arp inspection statistics 4-198

Access Control List Commands 4-198

IPv4 ACLs 4-199

access-list rule-mode 4-199

access-list ip 4-200

permit, deny (Standard IPv4 ACL) 4-201

permit, deny (Extended IPv4 ACL) 4-202

show ip access-list 4-204

ip access-group 4-204

show ip access-group 4-205
IPv6 ACLs 4-205

access-list ipv6 4-206

permit, deny (Standard IPv6 ACL) 4-207

permit, deny (Extended IPv6 ACL) 4-208

show ipv6 access-list 4-209

ipv6 access-group 4-209

show ipv6 access-group 4-210
ARP ACLs 4-210

access-list arp 4-211

permit, deny (ARP ACL) 4-212

show arp access-list 4-213
MAC ACLs 4-214

access-list mac 4-214

permit, deny (MAC ACL) 4-215

show mac access-list 4-216

mac access-group 4-217

show mac access-group 4-217
ACL Information 4-218

show access-list 4-218

show access-group 4-218

Interface Commands 4-219

interface 4-220
description 4-220
speed-duplex 4-221
negotiation 4-222

xix

Contents

capabilities 4-223
flowcontrol 4-224
media-type 4-225
giga-phy-mode 4-225
shutdown 4-226
switchport packet-rate 4-227
clear counters 4-228
show interfaces brief 4-228
show interfaces status 4-229
show interfaces counters 4-230
show interfaces switchport 4-231

Automatic Traffic Control Commands 4-233

auto-traffic-control apply-timer 4-236
auto-traffic-control release-timer 4-237
auto-traffic-control 4-238
auto-traffic-control alarm-fire-threshold 4-238
auto-traffic-control alarm-clear-threshold 4-239
auto-traffic-control action 4-240
auto-traffic-control control-release 4-241
auto-traffic-control auto-control-release 4-242
snmp-server enable port-traps atc broadcast-alarm-fire 4-242
snmp-server enable port-traps atc multicast-alarm-fire 4-243
snmp-server enable port-traps atc broadcast-alarm-clear 4-243
snmp-server enable port-traps atc multicast-alarm-clear 4-244
snmp-server enable port-traps atc broadcast-control-apply 4-244
snmp-server enable port-traps atc multicast-control-apply 4-245
snmp-server enable port-traps atc broadcast-control-release 4-245
snmp-server enable port-traps atc multicast-control-release 4-246
show auto-traffic-control 4-246
show auto-traffic-control interface 4-247

Link Aggregation Commands 4-248

channel-group 4-249
lacp 4-250
lacp system-priority 4-251
lacp admin-key (Ethernet Interface) 4-252
lacp admin-key (Port Channel) 4-253
lacp port-priority 4-254
lacp active/passive 4-255
show lacp 4-255

Mirror Port Commands 4-260

port monitor 4-260
show port monitor 4-261

Rate Limit Commands 4-263

rate-limit 4-263

Address Table Commands 4-264

xx

Contents

mac-address-table static 4-264
clear mac-address-table dynamic 4-265
show mac-address-table 4-266
mac-address-table aging-time 4-267
show mac-address-table aging-time 4-267

Spanning Tree Commands 4-268

spanning-tree 4-269
spanning-tree mode 4-270
spanning-tree forward-time 4-271
spanning-tree hello-time 4-271
spanning-tree max-age 4-272
spanning-tree priority 4-273
spanning-tree system-bpdu-flooding 4-273
spanning-tree pathcost method 4-274
spanning-tree transmission-limit 4-274
spanning-tree mst-configuration 4-275
mst vlan 4-275
mst priority 4-276
name 4-277
revision 4-277
max-hops 4-278
spanning-tree spanning-disabled 4-278
spanning-tree cost 4-279
spanning-tree port-priority 4-280
spanning-tree edge-port 4-281
spanning-tree portfast 4-282
spanning-tree bpdu-filter 4-283
spanning-tree bpdu-guard 4-284
spanning-tree port-bpdu-flooding 4-284
spanning-tree root-guard 4-285
spanning-tree link-type 4-286
spanning-tree loopback-detection 4-286
spanning-tree loopback-detection release-mode 4-287
spanning-tree loopback-detection trap 4-288
spanning-tree mst cost 4-288
spanning-tree mst port-priority 4-289
spanning-tree protocol-migration 4-290
show spanning-tree 4-291
show spanning-tree mst configuration 4-293

VLAN Commands 4-293

GVRP and Bridge Extension Commands 4-294

bridge-ext gvrp 4-294

show bridge-ext 4-295

switchport gvrp 4-295

show gvrp configuration 4-296

xxi

Contents

garp timer 4-296
show garp timer 4-297

Editing VLAN Groups 4-298

vlan database 4-298
vlan 4-299

Configuring VLAN Interfaces 4-300

interface vlan 4-300
switchport mode 4-301
switchport acceptable-frame-types 4-302
switchport ingress-filtering 4-302
switchport native vlan 4-303
switchport allowed vlan 4-304
switchport forbidden vlan 4-305
vlan-trunking 4-305

Displaying VLAN Information 4-307

show vlan 4-307

Configuring IEEE 802.1Q Tunneling 4-308

dot1q-tunnel system-tunnel-control 4-309
switchport dot1q-tunnel mode 4-309
switchport dot1q-tunnel tpid 4-310
show dot1q-tunnel 4-311

Configuring Port-based Traffic Segmentation 4-312

pvlan 4-312
pvlan uplink/downlink 4-313
pvlan session 4-314
pvlan up-to-up 4-315
show pvlan 4-315

Configuring Private VLANs 4-316

private-vlan 4-317
private vlan association 4-318
switchport mode private-vlan 4-318
switchport private-vlan host-association 4-319
switchport private-vlan mapping 4-320
show vlan private-vlan 4-320

Configuring Protocol-based VLANs 4-321

protocol-vlan protocol-group (Configuring Groups) 4-322
protocol-vlan protocol-group (Configuring VLANs) 4-322
show protocol-vlan protocol-group 4-323
show protocol-vlan protocol-group-vid 4-324

Configuring IP Subnet VLANs 4-324

subnet-vlan 4-325
show subnet-vlan 4-325

Configuring MAC Based VLANs 4-326

mac-vlan 4-326
show mac-vlan 4-327

xxii

Contents

Configuring Voice VLANs 4-328

voice vlan 4-328

voice vlan aging 4-329

voice vlan mac-address 4-330

switchport voice vlan 4-331

switchport voice vlan rule 4-331

switchport voice vlan security 4-332

switchport voice vlan priority 4-333

show voice vlan 4-333

LLDP Commands 4-335

lldp 4-337
lldp holdtime-multiplier 4-337
lldp medFastStartCount 4-338
lldp notification-interval 4-338
lldp refresh-interval 4-339
lldp reinit-delay 4-339
lldp tx-delay 4-340
lldp admin-status 4-341
lldp notification 4-341
lldp mednotification 4-342
lldp basic-tlv management-ip-address 4-343
lldp basic-tlv port-description 4-343
lldp basic-tlv system-capabilities 4-344
lldp basic-tlv system-description 4-344
lldp basic-tlv system-name 4-345
lldp dot1-tlv proto-ident 4-345
lldp dot1-tlv proto-vid 4-346
lldp dot1-tlv pvid 4-346
lldp dot1-tlv vlan-name 4-347
lldp dot3-tlv link-agg 4-347
lldp dot3-tlv mac-phy 4-348
lldp dot3-tlv max-frame 4-348
lldp dot3-tlv poe 4-349
lldp medtlv extpoe 4-349
lldp medtlv inventory 4-350
lldp medtlv location 4-350
lldp medtlv med-cap 4-351
lldp medtlv network-policy 4-351
show lldp config 4-352
show lldp info local-device 4-354
show lldp info remote-device 4-355
show lldp info statistics 4-356

Class of Service Commands 4-357

Priority Commands (Layer 2) 4-357

queue mode 4-357

xxiii

Contents

switchport priority default 4-358
queue cos-map 4-359
show queue mode 4-360
show queue bandwidth 4-360
show queue cos-map 4-361

Priority Commands (Layer 3 and 4) 4-362

map ip dscp (Global Configuration) 4-362
map ip dscp (Interface Configuration) 4-362
show map ip dscp 4-364

Quality of Service Commands 4-365

class-map 4-366
match 4-367
rename 4-368
description 4-368
policy-map 4-369
class 4-369
set 4-370
police 4-371
service-policy 4-372
show class-map 4-372
show policy-map 4-373
show policy-map interface 4-373

Multicast Filtering Commands 4-374

IGMP Snooping Commands 4-374

ip igmp snooping 4-375
ip igmp snooping vlan static 4-375
ip igmp snooping version 4-376
ip igmp snooping leave-proxy 4-377
ip igmp snooping immediate-leave 4-377
show ip igmp snooping 4-378
show mac-address-table multicast 4-379

IGMP Query Commands (Layer 2) 4-379

ip igmp snooping querier 4-380
ip igmp snooping query-count 4-380
ip igmp snooping query-interval 4-381
ip igmp snooping query-max-response-time 4-381
ip igmp snooping router-port-expire-time 4-382

Static Multicast Routing Commands 4-383

ip igmp snooping vlan mrouter 4-383
show ip igmp snooping mrouter 4-384

IGMP Filtering and Throttling Commands 4-385

ip igmp filter (Global Configuration) 4-385
ip igmp profile 4-386
permit, deny 4-386
range 4-387

xxiv

Contents

ip igmp filter (Interface Configuration) 4-387

ip igmp max-groups 4-388

ip igmp max-groups action 4-389

show ip igmp filter 4-389

show ip igmp profile 4-390

show ip igmp throttle interface 4-390
Multicast VLAN Registration Commands 4-391

mvr (Global Configuration) 4-392

mvr (Interface Configuration) 4-394

mvr immediate 4-395

show mvr 4-396

Domain Name Service Commands 4-399

ip host 4-399
clear host 4-400
ip domain-name 4-401
ip domain-list 4-401
ip name-server 4-402
ip domain-lookup 4-403
show hosts 4-404
show dns 4-404
show dns cache 4-405
clear dns cache 4-405

IP Interface Commands 4-406

ip address 4-406
ip default-gateway 4-407
ip dhcp restart 4-408
show ip interface 4-408
show ip redirects 4-409
show arp 4-409
ping 4-409

Appendix A: Software Specifications A-1

Software Features A-1
Management Features A-2
Standards A-2
Management Information Bases A-3

Appendix B: Troubleshooting B-1

Problems Accessing the Management Interface B-1
Using System Logs B-2

Glossary

Index

xxv

Contents

xxvi

Tables

Table 1-1 Key Features 1-1
Table 1-2 System Defaults 1-6
Table 3-1 Configuration Options 3-3
Table 3-2 Main Menu 3-4
Table 3-3 Logging Levels 3-36
Table 3-4 Supported Notification Messages 3-61
Table 3-5 HTTPS System Support 3-88
Table 3-6 802.1X Statistics 3-105
Table 3-7 Dynamic QoS Profiles 3-116
Table 3-8 LACP Port Counters 3-167
Table 3-9 LACP Internal Configuration Information 3-168
Table 3-10 LACP Neighbor Configuration Information 3-170
Table 3-11 Port Statistics 3-180
Table 3-12 Recommended STA Path Cost Range 3-202
Table 3-13 Recommended STA Path Costs 3-202
Table 3-14 Default STA Path Costs 3-203
Table 3-15 Chassis ID Subtype 3-244
Table 3-16 System Capabilities 3-245
Table 3-17 Port ID Subtype 3-248
Table 3-18 Mapping CoS Values to Egress Queues 3-255
Table 3-19 CoS Priority Levels 3-255
Table 3-20 Mapping DSCP Priority Values 3-260
Table 4-1 Command Modes 4-6
Table 4-2 Configuration Modes 4-8
Table 4-3 Command Line Processing 4-9
Table 4-4 Command Groups 4-10
Table 4-5 General Commands 4-11
Table 4-6 System Management Commands 4-18
Table 4-7 Device Designation Commands 4-18
Table 4-8 Banner Commands 4-19
Table 4-9 System Status Commands 4-29
Table 4-10 Frame Size Commands 4-35
Table 4-11 Flash/File Commands 4-36
Table 4-12 File Directory Information 4-41
Table 4-13 Line Commands 4-44
Table 4-14 Event Logging Commands 4-57
Table 4-15 Logging Levels 4-58
Table 4-16 show logging flash/ram - display description 4-61
Table 4-17 SMTP Alert Commands 4-63
Table 4-18 Time Commands 4-67
Table 4-19 Predefined Summer-Time Parameters 4-77
Table 4-20 Switch Cluster Commands 4-80

xxvii

Tables

Table 4-21 SNMP Commands 4-87
Table 4-22 show snmp engine-id - display description 4-96
Table 4-23 show snmp view - display description 4-97
Table 4-24 show snmp group - display description 4-100
Table 4-26 sFlow Commands 4-102
Table 4-25 show snmp user - display description 4-102
Table 4-27 Authentication Commands 4-108
Table 4-28 User Access Commands 4-109
Table 4-29 Default Login Settings 4-109
Table 4-30 Authentication Sequence 4-113
Table 4-31 RADIUS Client Commands 4-115
Table 4-32 TACACS Commands 4-119
Table 4-34 Web Server Commands 4-132
Table 4-35 HTTPS System Support 4-134
Table 4-36 Telnet Server Commands 4-135
Table 4-37 SSH Commands 4-136
Table 4-38 show ssh - display description 4-143
Table 4-39 802.1X Port Authentication 4-145
Table 4-40 IP Filter Commands 4-155
Table 4-41 General Security Commands 4-157
Table 4-42 Port Security Commands 4-158
Table 4-43 Network Access 4-160
Table 4-44 Dynamic QoS Profiles 4-167
Table 4-45 Web Authentication 4-173
Table 4-46 DHCP Snooping Commands 4-178
Table 4-47 IP Source Guard Commands 4-186
Table 4-48 ARP Inspection Commands 4-190
Table 4-49 Access Control Lists 4-198
Table 4-50 IPv4 ACL Commands 4-199
Table 4-52 ARP ACL Commands 4-210
Table 4-53 MAC ACL Commands 4-214
Table 4-54 ACL Information 4-218
Table 4-55 Interface Commands 4-219
Table 4-56 Interfaces Switchport Statistics 4-232
Table 4-57 ATC Commands 4-233
Table 4-58 Link Aggregation Commands 4-248
Table 4-59 show lacp counters - display description 4-256
Table 4-60 show lacp internal - display description 4-257
Table 4-61 show lacp neighbors - display description 4-258
Table 4-62 show lacp sysid - display description 4-259
Table 4-63 Mirror Port Commands 4-260
Table 4-64 Rate Limit Commands 4-263
Table 4-65 Address Table Commands 4-264
Table 4-66 Spanning Tree Commands 4-268
Table 4-69 Default STA Path Costs 4-280

xxviii

Ta bl e s

Table 4-70 VLAN Command Groups 4-293
Table 4-71 GVRP and Bridge Extension Commands 4-294
Table 4-72 Editing VLAN Groups 4-298
Table 4-73 Configuring VLAN Interfaces 4-300
Table 4-74 Show VLAN Commands 4-307
Table 4-75 IEEE 802.1Q Tunneling Commands 4-308
Table 4-76 Traffic Segmentation Commands 4-312
Table 4-77 Traffic Segmentation Forwarding 4-313
Table 4-78 Private VLAN Commands 4-316
Table 4-79 Protocol-based VLAN Commands 4-321
Table 4-80 IP Subnet VLAN Commands 4-324
Table 4-81 IP Subnet VLAN Commands 4-326
Table 4-82 Voice VLAN Commands 4-328
Table 4-83 LLDP Commands 4-335
Table 4-84 Priority Commands 4-357
Table 4-85 Priority Commands (Layer 2) 4-357
Table 4-86 Default CoS Values to Egress Queues 4-359
Table 4-87 Priority Commands (Layer 3 and 4) 4-362
Table 4-88 IP DSCP to CoS Vales 4-363
Table 4-89 Quality of Service Commands 4-365
Table 4-90 Multicast Filtering Commands 4-374
Table 4-91 IGMP Snooping Commands 4-374
Table 4-92 IGMP Query Commands (Layer 2) 4-379
Table 4-93 Static Multicast Routing Commands 4-383
Table 4-94 IGMP Filtering and Throttling Commands 4-385
Table 4-95 Multicast VLAN Registration Commands 4-391
Table 4-96 show mvr - display description 4-397
Table 4-97 show mvr interface - display description 4-397
Table 4-98 show mvr members - display description 4-398
Table 4-100 DNS Commands 4-399
Table 4-99 show mvr receiver members - display description 4-399
Table 4-101 show dns cache - display description 4-405
Table 4-102 IP Interface Commands 4-406
Table B-1 Troubleshooting Chart B-1

xxix

Tables

xxx

Figures

Figure 3-1 Home Page 3-2
Figure 3-2 Panel Display 3-3
Figure 3-3 System Information 3-14
Figure 3-4 Switch Information 3-15
Figure 3-5 Bridge Extension Configuration 3-17
Figure 3-6 Manual IP Configuration 3-19
Figure 3-7 DHCP IP Configuration 3-20
Figure 3-8 Jumbo Frames Configuration 3-21
Figure 3-9 Configuring Automatic Code Upgrade 3-25
Figure 3-10 Copy Firmware 3-26
Figure 3-11 Setting the Startup Code 3-27
Figure 3-12 Deleting Files 3-27
Figure 3-13 Downloading Configuration Settings for Startup 3-29
Figure 3-14 Setting the Startup Configuration Settings 3-29
Figure 3-15 Uploading Files Using HTTP 3-31
Figure 3-16 Downloading Files Using HTTP 3-31
Figure 3-17 Console Port Settings 3-33
Figure 3-18 Enabling Telnet 3-35
Figure 3-19 System Logs 3-37
Figure 3-20 Remote Logs 3-38
Figure 3-21 Displaying Logs 3-39
Figure 3-22 Enabling and Configuring SMTP 3-40
Figure 3-23 Resetting the System 3-42
Figure 3-24 Current Time Configuration 3-43
Figure 3-25 SNTP Configuration 3-44
Figure 3-26 NTP Client Configuration 3-45
Figure 3-27 Setting the System Clock 3-47
Figure 3-28 Summer Time 3-49
Figure 3-29 Enabling SNMP Agent Status 3-51
Figure 3-30 Configuring SNMP Community Strings 3-52
Figure 3-31 Configuring IP Trap Managers 3-54
Figure 3-32 Setting an Engine ID 3-55
Figure 3-33 Setting a Remote Engine ID 3-56
Figure 3-34 Configuring SNMPv3 Users 3-58
Figure 3-35 Configuring Remote SNMPv3 Users 3-60
Figure 3-36 Configuring SNMPv3 Groups 3-63
Figure 3-37 Configuring SNMPv3 Views 3-64
Figure 3-38 sFlow Global Configuration 3-67
Figure 3-39 sFlow Port Configuration 3-69
Figure 3-40 Access Levels 3-71
Figure 3-41 Authentication Settings 3-74
Figure 3-42 Encryption Key Settings 3-76

xxxi

Figures

Figure 3-43 AAA Radius Group Settings 3-77
Figure 3-44 AAA TACACS+ Group Settings 3-78
Figure 3-45 AAA Accounting Settings 3-79
Figure 3-46 AAA Accounting Update 3-80
Figure 3-47 AAA Accounting 802.1X Port Settings 3-81
Figure 3-48 AAA Accounting Exec Command Privileges 3-82
Figure 3-49 AAA Accounting Exec Settings 3-83
Figure 3-50 AAA Accounting Summary 3-84
Figure 3-51 AAA Authorization Settings 3-86
Figure 3-52 AAA Authorization Exec Settings 3-86
Figure 3-53 AAA Authorization Summary 3-87
Figure 3-54 HTTPS Settings 3-89
Figure 3-55 HTTPS Settings 3-90
Figure 3-56 SSH Host-Key Settings 3-94
Figure 3-57 SSH User Public-Key Settings 3-96
Figure 3-58 SSH Server Settings 3-98
Figure 3-59 802.1X Global Information 3-100
Figure 3-60 802.1X Global Configuration 3-101
Figure 3-61 802.1X Port Configuration 3-103
Figure 3-62 Displaying 802.1X Port Statistics 3-106
Figure 3-63 Creating an IP Filter List 3-108
Figure 3-64 Configuring Port Security 3-111
Figure 3-65 Web Authentication Configuration 3-112
Figure 3-66 Web Authentication Port Configuration 3-113
Figure 3-67 Web Authentication Port Information 3-114
Figure 3-68 Web Authentication Port Re-authentication 3-115
Figure 3-69 Network Access Configuration 3-118
Figure 3-70 Network Access Port Configuration 3-119
Figure 3-71 Network Access Port Link Detection Configuration 3-121
Figure 3-72 Network Access MAC Address Information 3-122
Figure 3-73 Network Access MAC Filter Configuration 3-123
Figure 3-74 Selecting ACL Type 3-125
Figure 3-75 ACL Configuration - Standard IPv4 3-126
Figure 3-76 ACL Configuration - Extended IPv4 3-128
Figure 3-77 ACL Configuration - Standard IPv6 3-129
Figure 3-78 ACL Configuration - Extended IPv6 3-130
Figure 3-79 ACL Configuration - MAC 3-132
Figure 3-80 ACL Configuration - ARP 3-134
Figure 3-81 Configuring ACL Port Binding 3-135
Figure 3-82 Configuring ARP Inspection 3-140
Figure 3-83 Displaying Statistics for ARP Inspection 3-142
Figure 3-84 DHCP Snooping Configuration 3-144
Figure 3-85 DHCP Snooping VLAN Configuration 3-145
Figure 3-86 DHCP Snooping Information Option Configuration 3-147
Figure 3-87 DHCP Snooping Port Configuration 3-148

xxxii

Figures

Figure 3-88 DHCP Snooping Binding Information 3-149
Figure 3-89 IP Source Guard Port Configuration 3-151
Figure 3-90 Static IP Source Guard Binding Configuration 3-153
Figure 3-91 Dynamic IP Source Guard Binding Information 3-154
Figure 3-92 Displaying Port/Trunk Information 3-155
Figure 3-93 Port/Trunk Configuration 3-159
Figure 3-94 Configuring Static Trunks 3-161
Figure 3-95 LACP Trunk Configuration 3-163
Figure 3-96 LACP Port Configuration 3-165
Figure 3-97 LACP Aggregation Group Configuration 3-167
Figure 3-98 LACP - Port Counters Information 3-168
Figure 3-99 LACP - Port Internal Information 3-169
Figure 3-100 LACP - Port Neighbors Information 3-171
Figure 3-101 Port Broadcast Control 3-173
Figure 3-102 Port Multicast Control 3-175
Figure 3-103 Port Unknown Unicast Control 3-176
Figure 3-104 Mirror Port Configuration 3-177
Figure 3-105 MAC Address Mirror Configuration 3-178
Figure 3-106 Input Rate Limit Port Configuration 3-179
Figure 3-107 Port Statistics 3-183
Figure 3-108 Configuring a Static Address Table 3-185
Figure 3-109 Configuring a Dynamic Address Table 3-186
Figure 3-110 Setting the Address Aging Time 3-187
Figure 3-111 Configuring Port Loopback Detection 3-191
Figure 3-112 Displaying Spanning Tree Information 3-193
Figure 3-113 Configuring Spanning Tree 3-197
Figure 3-114 Displaying Spanning Tree Port Information 3-200
Figure 3-115 Configuring Spanning Tree per Port 3-204
Figure 3-116 Configuring Edge Port Parameters 3-205
Figure 3-117 Globally Enabling GVRP 3-209
Figure 3-118 Displaying Basic VLAN Information 3-210
Figure 3-119 Displaying Current VLANs 3-211
Figure 3-120 Configuring a VLAN Static List 3-213
Figure 3-121 Configuring a VLAN Static Table 3-215
Figure 3-122 VLAN Static Membership by Port 3-216
Figure 3-123 Configuring VLANs per Port 3-218
Figure 3-124 802.1Q Tunnel Status and Ethernet Type 3-223
Figure 3-125 Tunnel Port Configuration 3-225
Figure 3-126 Traffic Segmentation Status Configuration 3-226
Figure 3-127 Traffic Segmentation Session Configuration 3-227
Figure 3-128 Private VLAN Information 3-229
Figure 3-129 Private VLAN Configuration 3-230
Figure 3-130 Private VLAN Association 3-230
Figure 3-131 Private VLAN Port Information 3-231
Figure 3-132 Private VLAN Port Configuration 3-233

xxxiii

Figures

Figure 3-133 Protocol VLAN Configuration 3-234
Figure 3-134 Protocol VLAN System Configuration 3-235
Figure 3-135 VLAN Mirror Configuration 3-236
Figure 3-136 IP Subnet VLAN Configuration 3-238
Figure 3-137 MAC-based VLAN Configuration 3-239
Figure 3-138 LLDP Configuration 3-241
Figure 3-139 LLDP Port Configuration 3-243
Figure 3-140 LLDP Local Device Information 3-246
Figure 3-141 LLDP Remote Port Information 3-247
Figure 3-142 LLDP Remote Information Details 3-249
Figure 3-143 LLDP Device Statistics 3-250
Figure 3-144 LLDP Device Statistics Details 3-252
Figure 3-145 Port Priority Configuration 3-254
Figure 3-146 Traffic Classes 3-256
Figure 3-147 Queue Mode 3-257
Figure 3-148 Displaying Queue Scheduling 3-258
Figure 3-149 IP DSCP Priority Status 3-259
Figure 3-150 Mapping IP DSCP Priority Values 3-261
Figure 3-151 Configuring Class Maps 3-264
Figure 3-152 Configuring Policy Maps 3-267
Figure 3-153 Service Policy Settings 3-268
Figure 3-154 Configuring VoIP Traffic 3-270
Figure 3-155 VoIP Traffic Port Configuration 3-271
Figure 3-156 Telephony OUI List 3-273
Figure 3-157 IGMP Configuration 3-277
Figure 3-158 IGMP Immediate Leave 3-279
Figure 3-159 Displaying Multicast Router Port Information 3-280
Figure 3-160 Static Multicast Router Port Configuration 3-281
Figure 3-161 IP Multicast Registration Table 3-282
Figure 3-162 IGMP Member Port Table 3-283
Figure 3-163 Enabling IGMP Filtering and Throttling 3-285
Figure 3-164 IGMP Profile Configuration 3-286
Figure 3-165 IGMP Filter and Throttling Port Configuration 3-288
Figure 3-166 MVR Global Configuration 3-291
Figure 3-167 MVR Port Information 3-292
Figure 3-168 MVR Group IP Information 3-293
Figure 3-169 MVR Port Configuration 3-295
Figure 3-170 MVR Group Member Configuration 3-296
Figure 3-171 MVR Receiver VLAN Configuration 3-297
Figure 3-172 MVR Receiver Group Address Table 3-298
Figure 3-173 Static MVR Receiver Group Member Configuration 3-299
Figure 3-174 DNS General Configuration 3-301
Figure 3-175 DNS Static Host Table 3-303
Figure 3-176 DNS Cache 3-304
Figure 3-177 Cluster Member Choice 3-305

xxxiv

Figures

Figure 3-178 Cluster Configuration 3-306
Figure 3-179 Cluster Member Configuration 3-307
Figure 3-180 Cluster Member Information 3-308
Figure 3-181 Cluster Candidate Information 3-309
Figure 3-182 UPnP Configuration 3-311

xxxv

Figures

xxxvi

Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a
management agent that allows you to configure the features listed in this manual.
The default configuration can be used for most of the features provided by this
switch. However, there are many options that you should configure to maximize the
switch’s performance for your particular network environment.

Key Features

Table 1-1 Key Features

Feature Description

Configuration Backup and
Restore

Authentication and
Security Measures

Access Control Lists Supports IP and MAC ACLs, 100 rules per system

DHCP Client

DNS Client and Proxy service

Port Configuration Speed, duplex mode and flow control

Rate Limiting Input rate limiting per port

Port Mirroring One port mirrored to a single analysis port

Port Trunking Supports up to 8 trunks using either static or dynamic trunking (LACP)

Storm Control Throttling for broadcast, multicast, and unknown unicast storms

Static Address Up to 8K MAC addresses in the forwarding table

IEEE 802.1D Bridge Supports dynamic data switching and addresses learning

Store-and-Forward Switching Supported to ensure wire-speed switching while eliminating bad frames

Spanning Tree Algorithm Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple

Backup to TFTP server

Console, Telnet, web – User name / password, RADIUS, TACACS+,

AAA, ARP inspection
Web – HTTPS
Telnet – SSH
SNMP v1/2c - Community strings
SNMP version 3 – MD5 or SHA password
Port Authentication – IEEE 802.1X,
Port Security – MAC address filtering
Private VLANs
Network Access – MAC Address Authentication
Web Authentication – Web access with RADIUS Authentication
DHCP Snooping (with Option 82 relay information)
IP Source Guard

Spanning Trees (MSTP)

1-1

Introduction

1

Table 1-1 Key Features (Continued)

Feature Description

Virtual LANs Up to 255 using IEEE 802.1Q, port-based, protocol-based, and private

Traffic Prioritization Default port priority, traffic class map, queue scheduling, or Differentiated

Quality of Service Supports Differentiated Services (DiffServ)

Link Layer Discovery Protocol Used to discover basic information about neighboring devices

Multicast Filtering Supports IGMP snooping and query, as well as Multicast VLAN Registration

Switch Clustering Supports up to 36 member switches in a cluster

Tunneling Supports IEEE 802.1Q tunneling (QinQ)

VLANs

Services Code Point (DSCP)

Description of Software Features

The switch provides a wide range of advanced performance enhancing features.
Flow control eliminates the loss of packets due to bottlenecks caused by port
saturation. Storm suppression prevents broadcast, multicast or unknow unicast
traffic storms from engulfing the network. Port-based, protocol based and private
VLANs, plus support for automatic GVRP VLAN registration provide traffic security
and efficient use of network bandwidth. CoS priority queueing ensures the minimum
delay for moving real-time multimedia data across the network. While multicast
filtering provides support for real-time network applications. Some of the
management features are briefly described below.

Configuration Backup and Restore – You can save the current configuration
settings to a file on an FTP/TFTP server or to a management station using a web
browser, and later download this file to restore the switch configuration settings.

Authentication – This switch authenticates management access via the console
port, Telnet or web browser. User names and passwords can be configured locally or
can be verified via a remote authentication server (i.e., RADIUS or TACACS+).
Port-based authentication is also supported via the IEEE 802.1X protocol. This
protocol uses the Extensible Authentication Protocol over LANs (EAPOL) to request
user credentials from the 802.1X client, and then verifies the client’s right to access
the network via an authentication server.

Other authentication options include HTTPS for secure management access via the
web, SSH for secure management access over a Telnet-equivalent connection,
SNMP Version 3, IP address filtering for SNMP/web/Telnet management access.
MAC address filtering and IP source guard also provide authenticated port access.
While DHCP snooping is provided to prevent malicious attacks from insecure ports.

1-2

Description of Software Features

Access Control Lists – ACLs provide packet filtering for IPv4 frames (based on
address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames
(based on address, next header type, or flow label), or any frames (based on MAC
address or Ethernet type). ACLs can be used to improve performance by blocking
unnecessary network traffic or to implement security controls by restricting access to
specific network resources or protocols.

Port Configuration – You can manually configure the speed, duplex mode, and
flow control used on specific ports, or use auto-negotiation to detect the connection
settings used by the attached device. Use full-duplex mode on ports whenever
possible to double the throughput of switch connections. Flow control should also be
enabled to control network traffic during periods of congestion and prevent the loss
of packets when port buffer thresholds are exceeded. The switch supports flow
control based on the IEEE 802.3x standard (now incorporated in IEEE 802.3-2002).

Rate Limiting – This feature controls the maximum rate for traffic transmitted or
received on an interface. Rate limiting is configured on interfaces at the edge of a
network to limit traffic into or out of the network. Packets that exceed the acceptable
amount of traffic are dropped.

Port Mirroring – The switch can unobtrusively mirror traffic from any port, VLAN or
packets with a specified MAC address to a monitor port. You can then attach a
protocol analyzer or RMON probe to this port to perform traffic analysis and verify
connection integrity.

Port Trunking – Ports can be combined into an aggregate connection. Trunks can
be manually set up or dynamically configured using Link Aggregation Control
Protocol (LACP). The additional ports dramatically increase the throughput across
any connection, and provide redundancy by taking over the load if a port in the trunk
should fail. The switch supports up to 8 trunks.

Storm Control – Broadcast, multicast and unknown unicast storm suppression
prevents traffic from overwhelming the network. When enabled on a port, the level of
traffic passing through the port is restricted. If traffic rises above a pre-defined
threshold, it will be throttled until the level falls back beneath the threshold.

Static Addresses – A static address can be assigned to a specific interface on this
switch. Static addresses are bound to the assigned interface and will not be moved.
When a static address is seen on another interface, the address will be ignored and
will not be written to the address table. Static addresses can be used to provide
network security by restricting access for a known host to a specific port.

IP Address Filtering – Access to insecure ports can be controlled using DHCP
Snooping which filters ingress traffic based on static IP addresses and addresses
stored in the DHCP Snooping table. Traffic can also be restricted to specific source
IP addresses or source IP/MAC address pairs based on static entries or entries
stored in the DHCP Snooping table.

IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The
address table facilitates data switching by learning addresses, and then filtering or

1

1-3

Introduction

1

forwarding traffic based on this information. The address table supports up to 8K
addresses.

Store-and-Forward Switching – The switch copies each frame into its memory
before forwarding them to another port. This ensures that all frames are a standard
Ethernet size and have been verified for accuracy with the cyclic redundancy check
(CRC). This prevents bad frames from entering the network and wasting bandwidth.

To avoid dropping frames on congested ports, the switch provides 4 Mbits for frame
buffering. This buffer can queue packets awaiting transmission on congested
networks.

Spanning Tree Algorithm – The switch supports these spanning tree protocols:

Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection
and recovery by allowing two or more redundant connections to be created between
a pair of LAN segments. When there are multiple physical paths between segments,
this protocol will choose a single path and disable all others to ensure that only one
route exists between any two stations on the network. This prevents the creation of
network loops. However, if the chosen path should fail for any reason, an alternate
path will be activated to maintain the connection.

Rapid Spanning Tree Protocol (RSTP, IEEE 802.1D-2004) – This protocol reduces
the convergence time for network topology changes to 3 to 5 seconds, compared to
30 seconds or more for the older IEEE 802.1D STP standard. It is intended as a
complete replacement for STP, but can still interoperate with switches running the
older standard by automatically reconfiguring ports to STP-compliant mode if they
detect STP protocol messages from attached devices.

Multiple Spanning Tree Protocol (MSTP, IEEE 802.1D-2004) – This protocol is a
direct extension of RSTP. It can provide an independent spanning tree for different
VLANs. It simplifies network management, provides for even faster convergence
than RSTP by limiting the size of each region, and prevents VLAN members from
being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D
STP).

Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection
of network nodes that share the same collision domain regardless of their physical
location or connection point in the network. The switch supports tagged VLANs
based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically
learned via GVRP, or ports can be manually assigned to a specific set of VLANs.
This allows the switch to restrict traffic to the VLAN groups to which a user has been
assigned. By segmenting your network into VLANs, you can:

• Eliminate broadcast storms which severely degrade performance in a flat network.

• Simplify network management for node changes/moves by remotely configuring
VLAN membership for any port, rather than having to manually change the network
connection.

• Provide data security by restricting all traffic to the originating VLAN.

1-4

Description of Software Features

• Use private VLANs to restrict traffic to pass only between data ports and the uplink

ports, thereby isolating adjacent ports within the same VLAN, and allowing you to
limit the total number of VLANs that need to be configured.

• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.

Note: The switch allows 255 user-manageable VLANs. One other VLAN (VLAN ID 4093)

is reserved for switch clustering.

Traffic Prioritization – This switch prioritizes each packet based on the required
level of service, using four priority queues with strict or Weighted Round Robin
Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on
input from the end-station application. These functions can
independent priorities for delay-sensitive data and best-effort data.

This switch also supports several common methods of prioritizing layer 3/4 traffic to
meet application requirements. Traffic can be prioritized based on the DSCP field in
the IP frame. When these services are enabled, the priorities are mapped to a Class
of Service value by the switch, and the traffic then sent to the corresponding output
queue.

Quality of Service – Differentiated Services (DiffServ) provides policy-based
management mechanisms used for prioritizing network resources to meet the
requirements of specific traffic types on a per-hop basis. Each packet is classified
upon entry into the network based on access lists, IP Precedence or DSCP values,
or VLAN lists. Using access lists allows you select traffic based on Layer 2, Layer 3,
or Layer 4 information contained in each packet. Based on network policies, different
kinds of traffic can be marked for different kinds of forwarding.

Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to
ensure that it does not interfere with normal network traffic and to guarantee
real-time delivery by setting the required priority level for the designated VLAN. The
switch uses IGMP Snooping and Query to manage multicast group registration. It
also supports Multicast VLAN Registration (MVR) which allows common multicast
traffic, such as television channels, to be transmitted across a single network-wide
multicast VLAN shared by hosts residing in other standard or private VLAN groups,
while preserving security and data isolation for normal traffic.

be used to provide

1

IEEE 802.1Q Tunneling (QinQ) – This feature is designed for service providers
carrying traffic for multiple customers across their networks. QinQ tunneling is used
to maintain customer-specific VLAN and Layer 2 protocol configurations even when
different customers use the same internal VLAN IDs. This is accomplished by
inserting Service Provider VLAN (SPVLAN) tags into the customer’s frames when
they enter the service provider’s network, and then stripping the tags when the
frames leave the network.

1-5

Introduction

1

System Defaults

The switch’s system defaults are provided in the configuration file
“Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as
the startup configuration file (page 3-28).

The following table lists some of the basic system defaults.

Table 1-2 System Defaults

Function Parameter Default

Console Port
Connection

Authentication and
Security Measures

Web Management HTTP Server Enabled

Baud Rate 9600

Data bits 8

Stop bits 1

Parity none

Local Console Timeout 0 (disabled)

Privileged Exec Level Username “admin”

Normal Exec Level Username “guest”

Enable Privileged Exec from Normal
Exec Level

RADIUS Authentication Disabled

TACACS Authentication Disabled

802.1X Port Authentication Disabled

Web Authentication Disabled

MAC Authentication Disabled

HTTPS Enabled

SSH Disabled

Port Security Disabled

IP Filtering Disabled

DHCP Snooping Disabled

IP Source Guard Disabled (all ports)

HTTP Port Number 80

HTTP Secure Server Enabled

HTTP Secure Port Number 443

Password “admin”

Password “guest”

Password “super”

1-6

System Defaults

Table 1-2 System Defaults (Continued)

Function Parameter Default

SNMP SNMP Agent Enabled

Community Strings “public” (read only)

Traps Authentication traps: enabled

SNMP V3 View: defaultview

Port Configuration Admin Status Enabled

Auto-negotiation Enabled

Flow Control Disabled

Rate Limiting Input limits Disabled

Port Trunking Static Trunks None

LACP (all ports) Disabled

Storm Protection Status Broadcast: enabled (all ports)

Rate Limit Broadcast: 64 kbits per second

Spanning Tree
Algorithm

Address Table Aging Time 300 seconds

Virtual LANs Default VLAN 1

Traffic Prioritization Ingress Port Priority 0

Status Enabled, RSTP

Fast Forwarding (Edge Port) Disabled

PVID 1

Acceptable Frame Type All

Ingress Filtering Enabled

Switchport Mode (Egress Mode) Hybrid: tagged/untagged frames

GVRP (global) Disabled

GVRP (port interface) Disabled

Weighted Round Robin Queue: 0 1 2 3

IP DSCP Priority Disabled

“private” (read/write)

Link-up-down events: enabled

Group: public (read only); private (read/write)

Multicast: disabled
Unknown Unicast: disabled

(Defaults: Based on RSTP standard)

Weight: 1 2 4 8

1

1-7

Introduction

1

Table 1-2 System Defaults (Continued)

Function Parameter Default

IP Settings IP Address DHCP assigned

Subnet Mask 255.255.255.0

Default Gateway 0.0.0.0

DHCP Client: Enabled

DNS Client/Proxy service: Disabled

BOOTP Disabled

Multicast Filtering IGMP Snooping Snooping: Enabled

Querier: Enabled

Multicast VLAN Registration Disabled

System Log Status Enabled

Messages Logged Levels 0-7 (all)

Messages Logged to Flash Levels 0-3

SMTP Email Alerts Event Handler Enabled (but no server defined)

SNTP Clock Synchronization Disabled

NTP Clock Synchronization Disabled

Switch Clustering Status Enabled

Commander Disabled

1-8

Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent offers a variety
of management options, including SNMP, RMON (Groups 1, 2, 3, 9), and a
web-based interface. A PC may also be connected directly to the switch for
configuration and monitoring via a command line interface (CLI).

Note: The IP address for this switch is obtained via DHCP by default. To change this

address, see "Setting an IP Address" on page 2-4.

The switch’s HTTP web agent allows you to configure switch parameters, monitor
port connections, and display statistics using a standard web browser such as
Internet Explorer 5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0
or above. The switch’s web management interface can be accessed from any
computer attached to the network.

The CLI program can be accessed by a direct connection to the RS-232 serial
console port on the switch, or remotely by a Telnet or Secure Shell (SSH)
connection over the network.

The switch’s management agent also supports SNMP (Simple Network
Management Protocol). This SNMP agent permits the switch to be managed from
any system in the network using network management software such as
HP OpenView.

The switch’s web interface, CLI configuration program, and SNMP agent allow you
to perform the following management functions:

• Set user names and passwords

• Set an IP interface for a management VLAN

• Configure SNMP parameters

• Enable/disable any port

• Set the speed/duplex mode for any port

• Configure the bandwidth of any port by limiting input rates

• Control port access through IEEE 802.1X security or static address filtering

• Filter packets using Access Control Lists (ACLs)

• Configure up to 255 IEEE 802.1Q VLANs

• Enable GVRP automatic VLAN registration

• Configure IGMP multicast filtering

• Upload and download system firmware via FTP/TFTP

• Upload and download switch configuration files via FTP/TFTP

• Configure Spanning Tree parameters

• Configure Class of Service (CoS) priority queuing

2-1

Initial Configuration

2

• Configure up to 8 static or LACP trunks

• Enable port mirroring

• Set broadcast, multicast or unknown unicast storm control on any port

• Display system information and statistics

Required Connections

The switch provides an RS-232 serial port that enables a connection to a PC or
terminal for monitoring and configuring the switch. A null-modem console cable is
provided with the switch.

Attach a VT100-compatible terminal, or a PC running a terminal emulation program
to the switch. You can use the console cable provided with this package, or use a
null-modem cable that complies with the wiring assignments shown in the
Installation Guide.

To connect a terminal to the console port, complete the following steps:

1. Connect the console cable to the serial port on a terminal, or a PC running

terminal emulation software, and tighten the captive retaining screws on the
DB-9 connector.

2. Connect the other end of the cable to the RS-232 serial port on the switch.

3. Make sure the terminal emulation software is set as follows:

• Select the appropriate serial port (COM port 1 or COM port 2).

• Set the baud rate to 9600 bps.

• Set the data format to 8 data bits, 1 stop bit, and no parity.

• Set flow control to none.

• Set the emulation mode to VT100.

• When using HyperTerminal, select Terminal keys, not Windows keys.

Notes: 1. Refer to "Line Commands" on page 4-44 for a complete description of

For a description of how to use the CLI, see "Using the Command Line Interface" on
page 4-1. For a list of all the CLI commands and detailed information on using the
CLI, refer to "Command Groups" on page 4-10.

console configuration options.

2. Once you have set up the terminal correctly, the console login screen will be
displayed.

2-2

Basic Configuration

2

Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must
first configure it with a valid IP address, subnet mask, and default gateway using a
console connection, DHCP or BOOTP protocol.

The IP address for this switch is obtained via DHCP by default. To manually
configure this address or enable dynamic address assignment via DHCP or BOOTP,
see "Setting an IP Address" on page 2-4.

Note: This switch supports four concurrent Telnet/SSH sessions.

After configuring the switch’s IP parameters, you can access the onboard
configuration program from anywhere within the attached network. The switch’s
command-line interface can be accessed using Telnet or SSH from any computer
attached to the network. The switch can also be managed by any computer using a
web browser (Internet Explorer 5.x or above, or Netscape 6.2 or above, or Mozilla
Firefox 2.0.0.0), or from a network computer using SNMP network management
software.

Note: The onboard program only provides access to basic configuration functions. To

access the full range of SNMP management functions, you must use
SNMP-based network management software.

Basic Configuration

Console Connection

The CLI program provides two different command levels — normal access level
(Normal Exec) and privileged access level (Privileged Exec). The commands
available at the Normal Exec level are a limited subset of those available at the
Privileged Exec level and allow you to only display information and use basic
utilities. To fully configure the switch parameters, you must access the CLI at the
Privileged Exec level.

Access to both CLI levels are controlled by user names and passwords. The switch
has a default user name and password for each level. To log into the CLI at the
Privileged Exec level using the default user name and password, perform these
steps:

1. To initiate your console connection, press <Enter>. The “User Access
Verification” procedure starts.

2. At the Username prompt, enter “admin.”

3. At the Password prompt, also enter “admin.” (The password characters are not
displayed on the console screen.)

4. The session is opened and the CLI displays the “Console#” prompt indicating
you have access at the Privileged Exec level.

2-3

Initial Configuration

2

Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new

passwords for both default user names using the “username” command, record
them and put them in a safe place.

Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name and password “admin” to
access the Privileged Exec level.

2. Type “configure” and press <Enter>.

3. Type “username guest password 0 password,” for the Normal Exec level, where
password is your new password. Press <Enter>.

4. Type “username admin password 0 password,” for the Privileged Exec level,
where password is your new password. Press <Enter>.

Note: ‘0’ specifies a password in plain text, ‘7’ specifies a password in encrypted form.

Username: admin
Password:

CLI session with the FGL-2870 is opened.
To end the CLI session, enter [Exit].

Console#configure
Console(config)#username guest password 0 [password] 4-109

Console(config)#username admin password 0 [password]
Console(config)#

Setting an IP Address

You must establish IP address information for the stack to obtain management
access through the network. This can be done in either of the following ways:

Manual — You have to input the information, including IP address and subnet mask.
If your management station is not in the same IP subnet as the switch, you will also
need to specify the default gateway router.

Dynamic — The switch sends IP configuration requests to BOOTP or DHCP
address allocation servers on the network.

Manual Configuration

You can manually assign an IP address to the switch. You may also need to specify
a default gateway that resides between this device and management stations that
exist on another network segment. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.

Note: The IP address for this switch is obtained via DHCP by default.

2-4

Basic Configuration

Before you can assign an IP address to the switch, you must obtain the following
information from your network administrator:

• IP address for the switch

• Default gateway for the network

• Network mask for this network

To assign an IP address to the switch, complete the following steps:

1. From the Global Configuration mode prompt, type “interface vlan 1” to access
the interface-configuration mode. Press <Enter>.

2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP
address and “netmask” is the network mask for the network. Press <Enter>.

3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.

4. To set the IP address of the default gateway for the network to which the switch
belongs, type “ip default-gateway gateway,” where “gateway” is the IP address
of the default gateway. Press <Enter>.

Console(config)#interface vlan 1 4-220
Console(config-if)#ip address 192.168.1.5 255.255.255.0 4-406
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254 4-407

Console(config)#

2

Dynamic Configuration

If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until
a BOOTP or DHCP reply has been received. Requests will be sent periodically in an
effort to obtain IP configuration information. BOOTP and DHCP values can include
the IP address, subnet mask, and default gateway. If the DHCP/BOOTP server is
slow to respond, you may need to use the “ip dhcp restart” command to re-start
broadcasting service requests.

If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the
switch will start broadcasting service requests as soon as it is powered on.

To automatically configure the switch by communicating with BOOTP or DHCP
address allocation servers on the network, complete the following steps:

1. From the Global Configuration mode prompt, type “interface vlan 1” to access
the interface-configuration mode. Press <Enter>.

2. At the interface-configuration mode prompt, use one of the following commands:

• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.

• To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.

3. Type “end” to return to the Privileged Exec mode. Press <Enter>.

2-5

Initial Configuration

2

4. If network connections are normaly slow, type “ip dhcp restart” to re-start
broadcasting service requests. Press <Enter>.

5. Wait a few minutes, and then check the IP configuration settings by typing the
“show ip interface” command. Press <Enter>.

6. Then save your configuration changes by typing “copy running-config
startup-config.” Enter the startup file name and press <Enter>.

Console(config)#interface vlan 1 4-220
Console(config-if)#ip address dhcp 4-406
Console(config-if)#end
Console#ip dhcp restart 4-408
Console#show ip interface 4-408

IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.

Console#copy running-config startup-config 4-37

Startup configuration file name []: startup
\Write to FLASH Programming.

\Write to FLASH finish.
Success.

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple
Network Management Protocol (SNMP) applications such as HP OpenView. You
can configure the switch to (1) respond to SNMP requests or (2) generate SNMP
traps.

When SNMP management stations send requests to the switch (either to return
information or to set a parameter), the switch provides the requested data or sets the
specified parameter. The switch can also be configured to send information to
SNMP managers (without being requested by the managers) through trap
messages, which inform the manager that certain events have occurred.

The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3
clients. To provide management access for version 1 or 2c clients, you must specify
a community string. The switch provides a default MIB View (i.e., an SNMPv3
construct) for the default “public” community string that provides read access to the
entire MIB tree, and a default view for the “private” community string that provides
read/write access to the entire MIB tree. However, you may assign new views to
version 1 or 2c community strings that suit your specific security requirements (see
page 3-64).

Community Strings (for SNMP version 1 and 2c clients)

Community strings are used to control management access to SNMP version 1
and 2c stations, as well as to authorize SNMP stations to receive trap messages
from the switch. You therefore need to assign community strings to specified users,
and set the access level.

2-6

Basic Configuration

2

The default strings are:

• public - with read-only access. Authorized management stations are only able to
retrieve MIB objects.

• private - with read/write access. Authorized management stations are able to both
retrieve and modify MIB objects.

To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is
recommended that you change the default community strings.

To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type

“snmp-server community string mode,” where “string” is the community access
string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that
the default mode is read only.)

2. To remove an existing string, simply type “no snmp-server community string,”

where “string” is the community access string to remove. Press <Enter>.

Console(config)#snmp-server community admin rw 4-90
Console(config)#snmp-server community private
Console(config)#

Note: If you do not intend to support access to SNMP version 1 and 2c clients, we

recommend that you delete both of the default community strings. If there are no
community strings, then SNMP management access from SNMP v1 and v2c
clients is disabled.

Trap Receivers

You can also specify SNMP stations that are to receive traps from the switch. To
configure a trap receiver, use the “snmp-server host” command. From the Privileged
Exec level global configuration mode prompt, type:

“snmp-server host host-address community-string

[version {1 | 2c | 3 {auth | noauth | priv}}]”

where “host-address” is the IP address for the trap receiver, “community-string”
specifies access rights for a version 1/2c host, or is the user name of a version 3
host, “version” indicates the SNMP client version, and “auth | noauth | priv” means
that authentication, no authentication, or authentication and privacy is used for v3
clients. Then press <Enter>. For a more detailed description of these parameters,
see "snmp-server host" on page 4-92. The following example creates a trap host for
each type of SNMP client.

Console(config)#snmp-server host 10.1.19.23 batman 4-92
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth
Console(config)#

2-7

Initial Configuration

2

Configuring Access for SNMP Version 3 Clients

To configure management access for SNMPv3 clients, you need to first create a
view that defines the portions of MIB that the client can read or write, assign the view
to a group, and then assign the user to a group. The following example creates one
view called “mib-2” that includes the entire MIB-2 tree branch, and then another view
that includes the IEEE 802.1D bridge MIB. It assigns these respective read and
read/write views to a group call “r&d” and specifies group authentication via MD5 or
SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be
used for authentication, provides the password “greenpeace” for authentication, and
the password “einstien” for encryption.

Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included 4-96
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth mib-2 802.1d 4-98
Console(config)#snmp-server user steve group r&d v3 auth md5

greenpeace priv des56 einstien 4-100

Console(config)#

For a more detailed explanation on how to configure the switch for access from
SNMPv3 clients, refer to "Simple Network Management Protocol" on page 3-49, or
refer to the specific CLI commands for SNMP starting on page 4-87.

Managing System Files

The switch’s flash memory supports three types of system files that can be managed
by the CLI program, web interface, or SNMP. The switch’s file system allows files to
be uploaded and downloaded, copied, deleted, and set as a start-up file.

The three types of files are:

• Configuration — This file type stores system configuration information and is
created when configuration settings are saved. Saved configuration files can be
selected as a system start-up file or can be uploaded via FTP/TFTP to a server for
backup. The file named “Factory_Default_Config.cfg” contains all the system
default settings and cannot be deleted from the system. If the system is booted with
the factory default settings, the switch will also create a file named “startup1.cfg”
that contains system settings for initialization, including information about the unit
identifier, MAC address, and installed module type. The configuration settings from
the factory defaults configuration file are copied to this file, which is then used to
boot the switch. See "Saving or Restoring Configuration Settings" on page 3-28 for
more information.

• Operation Code — System software that is executed after boot-up, also known as
run-time code. This code runs the switch operations and provides the CLI and web
management interfaces. See "Managing Firmware" on page 3-22 for more
information.

2-8

Managing System Files

• Diagnostic Code — Software that is run during system boot-up, also known as

POST (Power On Self-Test).

Due to the size limit of the flash memory, the switch supports only two operation
code files. However, you can have as many diagnostic code files and configuration
files as available flash memory space allows. The switch has a total of 16 Mbytes of
flash memory for system files.

In the system flash memory, one file of each type must be set as the start-up file.
During a system boot, the diagnostic and operation code files set as the start-up file
are run, and then the start-up configuration file is loaded.

Note that configuration files should be downloaded using a file name that reflects the
contents or usage of the file settings. If you download directly to the running-config,
the system will reboot, and the settings will have to be copied from the
running-config to a permanent file.

2

Saving Configuration Settings

Configuration commands only modify the running configuration file and are not
saved when the switch is rebooted. To save all your configuration changes in
non-volatile storage, you must copy the running configuration file to the start-up
configuration file using the “copy” command.

New startup configuration files must have a name specified. File names on the
switch are case-sensitive, can be from 1 to 31 characters, must not contain slashes
(\ or /), and the leading letter of the file name must not be a period (.).
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

There can be more than one user-defined configuration file saved in the switch’s
flash memory, but only one is designated as the “startup” file that is loaded when the
switch boots. The copy running-config startup-config command always sets the
new file as the startup file. To select a previously saved configuration file, use the
boot system config:<filename> command.

The maximum number of saved configuration files depends on available flash
memory, with each configuration file normally requiring less than 20 kbytes. The
amount of available flash memory can be checked by using the dir command.

To save the current configuration settings, enter the following command:

1. From the Privileged Exec mode prompt, type “copy running-config

startup-config” and press <Enter>.

2-9

Initial Configuration

2

2. Enter the name of the start-up file. Press <Enter>.

Console#copy running-config startup-config 4-37

Startup configuration file name []: startup
\Write to FLASH Programming.

\Write to FLASH finish.
Success.

Console#

2-10

Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser you can
configure the switch and view statistics to monitor network activity. The web agent
can be accessed by any computer on the network using a standard web browser
(Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or
above).

Note:

You can also use the Command Line Interface (CLI) to manage the switch over a
serial connection to the console port or via Telnet. For more information on using
the CLI, refer to Chapter 4: Command Line Interface.”

Prior to accessing the switch from a web browser, be sure you have first performed
the following tasks:

1. Configure the switch with a valid IP address, subnet mask, and default gateway

using an out-of-band serial connection, BOOTP or DHCP protocol. (See "Setting
an IP Address" on page 2-4.)

2. Set user names and passwords using an out-of-band serial connection. Access

to the web agent is controlled by the same user names and passwords as the
onboard configuration program. (See "Setting Passwords" on page 2-4)

3. After you enter a user name and password, you will have access to the system

configuration program.

Notes: 1.

You are allowed three attempts to enter the correct password; on the third
failed attempt the current connection is terminated.

2. If you log into the web interface as guest (Normal Exec level), you can view

the configuration settings or change the guest password. If you log in as
“admin” (Privileged Exec level), you can change the settings on any page.

3. If the path between your management station and this switch does not pass

through any device that uses the Spanning Tree Algorithm, then you can set
the switch port attached to your management station to fast forwarding (i.e.,
enable Admin Edge Port) to improve the switch’s response time to
management commands issued through the web interface. See "Configuring
Interface Settings for STA" on page 3-201.

3-1

Configuring the Switch

3

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and
password. The administrator has Read/Write access to all configuration parameters
and statistics. The default user name and password for the administrator is “admin.”

Home Page

When your web browser connects with the switch’s web agent, the home page is
displayed as shown below. The home page displays the Main Menu on the left side
of the screen and System Information on the right side. The Main Menu links are
used to navigate to other menus, and display configuration parameters and
statistics.

3-2

Figure 3-1 Home Page

Panel Display

3

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration
change has been made on a page, be sure to click on the Apply button to confirm
the new setting. The following table summarizes the web page configuration
buttons.

Table 3-1 Configuration Options

Button Action

Revert Cancels specified values and restores current values prior to pressing Apply.

Apply Sets specified values to the system.

Help Links directly to webhelp.

Notes: 1.

To ensure proper screen refresh, be sure that Internet Explorer is configured
so that the setting “Check for newer versions of stored pages” reads “Every
visit to the page”.
Internet Explorer 6.x and earlier: This option is available under the menu
“Tools / Internet Options / General / Temporary Internet Files / Settings”.
Internet Explorer 7.x: This option is available under “Tools / Internet Options
/ General / Browsing History / Settings / Temporary Internet Files”.

2. You may have to manually refresh the screen after making configuration

changes by pressing the browser’s refresh button.

Panel Display

The web agent displays an image of the switch’s ports. The Mode can be set to
display different information for the ports, including Active (i.e., up or down), Duplex
(i.e., half or full duplex, or Flow Control (i.e., with or without flow control). Clicking on
the image of a port opens the Port Configuration page as described on page 3-157.

Figure 3-2 Panel Display

3-3

Configuring the Switch

3

Main Menu

Using the onboard web agent, you can define system parameters, manage and
control the switch, and all its ports, or monitor network conditions. The following
table briefly describes the selections available from this program.

Table 3-2 Main Menu

Menu Description Page

System 3-13

System Information Provides basic system description, including contact information 3-13

Switch Information Shows the number of ports, hardware/firmware version

Bridge Extension
Configuration

IP Configuration Sets the IP address for management access 3-18

Jumbo Frames Enables jumbo frame packets. 3-21

File Management 3-22

Auto Operation Code
Upgrade

Copy Operation Allows the transfer and copying of files 3-22

Delete Allows deletion of files from the flash memory 3-26

HTTP Upgrade Copies operation code or configuration files from management

HTTP Download Copies operation code or configuration files from the switch to

Set Start-Up Sets the startup file 3-26

Line 3-32

Console Sets console port connection parameters 3-32

Telnet Sets Telnet connection parameters 3-34

Log 3-36

Logs Stores and displays error messages 3-36

System Logs Sends error messages to a logging process 3-36

Remote Logs Configures the logging of messages to a remote logging process 3-37

SMTP Sends an SMTP client message to a participating server. 3-39

Reset Restarts the switch 3-41

SNTP Simple Network Time Protocol 3-42

Current Time Manually sets the current time 3-43

Configuration Configures SNTP and NTP client settings, including broadcast

numbers, and power status

Shows the bridge extension parameters 3-17

Automatically upgrades operation code if a newer version is
found on the server

station to the switch

the management station

mode, authentication parameters or a specified list of servers

3-15

3-22

3-30

3-30

3-43

3-4

Main Menu

Table 3-2 Main Menu (Continued)

Menu Description Page

Time Zone Sets the local time zone for the system clock 3-46

Summer Time Configures summer time settings 3-47

SNMP Simple Network Management Protocol 3-49

Configuration Configures community strings and related trap functions 3-51

Agent Status Enables or disables SNMP Agent Status 3-51

SNMPv3 3-55

Engine ID Sets the SNMP v3 engine ID on this switch 3-55

Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-56

Users Configures SNMP v3 users on this switch 3-57

Remote Users Configures SNMP v3 users from a remote device 3-59

Groups Configures SNMP v3 groups 3-61

Views Configures SNMP v3 views 3-64

sFlow Samples traffic flows, and forwards data to designated collector 3-65

Configuration Globally enables flow sampling, enables sampling per port, and

Port Configuration Sets destination parameters, payload parameters, and sampling

Security 3-70

User Accounts Assigns a new password for the current user 3-70

Authentication Settings Configures authentication sequence, RADIUS and TACACS 3-72

Encryption Key Configures RADIUS and TACACS encryption key settings 3-75

AAA Authentication, Authorization and Accounting 3-76

RADIUS Group Settings Defines the configured RADIUS servers to use for accounting 3-77

TACACS+ Group Settings Defines the configured TACACS+ servers to use for accounting 3-78

Accounting

Settings Configures accounting of requested services for billing or

Periodic Update Sets the interval at which accounting updates are sent to

802.1X Port Settings Applies the specified accounting method to an interface 3-81

Command Privileges Specifies a method name to apply to commands entered at

Exec Settings Specifies console or Telnet authentication method 3-83

Summary Displays accounting information and statistics 3-83

sets the sampling rate per port

interval

security purposes

RADIUS AAA servers

specific CLI privilege levels

3

3-66

3-68

3-78

3-80

3-82

3-5

Configuring the Switch

3

Table 3-2 Main Menu (Continued)

Menu Description Page

Authorization 3-85

Settings Configures authorization of requested services 3-85

EXEC Settings Specifies console or Telnet authorization method 3-86

Summary Displays authorization information 3-87

HTTPS Settings Configures secure HTTP settings 3-88

SSH Secure Shell 3-90

Settings Configures Secure Shell server settings 3-90

Host-Key Settings Generates the host key pair (public and private) 3-93

User Public-Key Settings Imports and manages user RSA and DSA public keys 3-95

Port Security Configures per port security, including status, response for

802.1X Port authentication 3-99

Information Displays global configuration settings 3-101

Configuration Configures the global configuration settings 3-101

Port Configuration Sets parameters for individual ports 3-101

Statistics Displays protocol statistics for the selected port 3-105

Web Authentication 3-111

Configuration Configures Web Authentication settings 3-112

Port Configuration Enables Web Authentication for individual ports 3-113

Port Information Displays status information for individual ports 3-114

Re-authentication Forces a host to re-authenticate itself immediately 3-114

Network Access 3-115

Configuration Configures global Network Access parameters 3-117

Port Configuration Configures Network Access parameters for individual ports 3-118

Port Link Detection
Configuration

MAC Address Information Displays Network Access statistics sorted by various attributes 3-121

MAC Filter Configuration Filters Network Access authentication by MAC address 3-122

ACL Access Control Lists 3-124

Configuration Configures packet filtering based on IP or MAC addresses 3-124

Port Binding Binds a port to the specified ACL 3-135

security breach, and maximum allowed MAC addresses

Configures Port Link Detection parameters 3-120

3-110

3-6

Main Menu

Table 3-2 Main Menu (Continued)

Menu Description Page

ARP Inspection Validates the MAC-to-IP address bindings in ARP packets 3-136

Configuration Enables inspection globally and per VLAN, specifies ACL filter

Information Displays information on results of inspection process 3-135

IP Filter Sets IP addresses of clients allowed management access via

Port 3-155

Port Information Displays port connection status 3-155

Trunk Information Displays trunk connection status 3-155

Port Configuration Configures port connection settings 3-157

Trunk Configuration Configures trunk connection settings 3-157

Trunk Membership Specifies ports to group into static trunks 3-161

LACP Link Aggregation Control Protocol 3-162

Configuration Allows ports to dynamically join trunks 3-162

Aggregation Port Configures parameters for link aggregation group members 3-164

Aggregator Configures the administration key for specific LACP groups 3-166

Port Counters Information Displays statistics for LACP protocol messages 3-167

Port Internal Information Displays settings and operational state for the local side 3-168

Port Neighbors Information Displays settings and operational state for the remote side 3-170

Port Broadcast Control Sets the broadcast storm threshold for each port 3-172

Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 3-172

Port Multicast Control Sets the multicast storm threshold for each port 3-172

Trunk Multicast Control Sets the multicast storm threshold for each trunk 3-172

Port Unknown Unicast Control Sets the unknown unicast storm threshold for each port 3-172

Trunk Unknown Unicast Control

Mirror Port Configuration Sets the source and target ports for mirroring 3-177

MAC Mirror Configuration Sets a MAC address for packets to be mirrored from any source

Rate Limit 3-179

Input Port Configuration Sets the input rate limit for each port 3-179

Input Trunk Configuration Sets the input rate limit for each trunk 3-179

Output Port Configuration Sets the output rate limit for ports 3-179

containing address bindings, configures validation of additional
address components, sets trust mode for ports, and sets rate
limit for packet inspection

the web, SNMP, and Telnet

Sets the unknown unicast storm threshold for each trunk 3-172

port other thn the target port to the specified destination port

3

3-124

3-107

3-178

3-7

Configuring the Switch

3

Table 3-2 Main Menu (Continued)

Menu Description Page

Output Trunk Configuration Sets the output rate limit for trunks 3-179

Port Statistics Lists Ethernet and RMON port statistics 3-180

Address Table 3-185

Static Addresses Displays entries for interface, address or VLAN 3-185

Dynamic Addresses Displays or edits static entries in the Address Table 3-186

Address Aging Sets timeout for dynamically learned entries 3-187

Spanning Tree 3-188

Port Loopback Detection Configures Port Loopback Detection parameters 3-191

Trunk Loopback Detection Configures Trunk Loopback Detection parameters 3-191

STA Spanning Tree Algorithm 3-188

Information Displays STA values used for the bridge 3-191

Configuration Configures global bridge settings for STA and RSTP 3-194

Port Information Displays individual port settings for STA 3-198

Trunk Information Displays individual trunk settings for STA 3-198

Port Configuration Configures individual port settings for STA 3-201

Trunk Configuration Configures individual trunk settings for STA 3-201

Port Edge Port
Configuration

Trunk Edge Port
Configuration

VLAN Virtual LAN 3-206

802.1Q VLAN IEEE 802.1Q VLANs 3-206

GVRP Status Enables GVRP VLAN registration protocol 3-209

802.1Q Tunnel
Configuration

Basic Information Displays information on the VLAN type supported by this switch 3-210

Current Table Shows the current port members of each VLAN and whether or

Static List Used to create or remove VLAN groups 3-212

Static Table Modifies the settings for an existing VLAN 3-214

Static Membership by Port Configures membership type for interfaces, including tagged,

Port Configuration Specifies default PVID and VLAN attributes 3-217

Trunk Configuration Specifies default trunk VID and VLAN attributes 3-217

Sets an interface to function as an edge port, either manually or
by automatic configuration

Sets an interface to function as an edge port, either manually or
by automatic configuration

Enables 802.1Q (QinQ) Tunneling 3-223

not the port is tagged or untagged

untagged or forbidden

3-206

3-206

3-211

3-216

3-8

Main Menu

Table 3-2 Main Menu (Continued)

Menu Description Page

Tunnel Port Configuration Sets the tunnel mode for an interface 3-224

Tunnel Trunk Configuration Sets the tunnel mode for an interface 3-224

Traffic Segmentation Configures traffic segmentation for different client sessions

Status Enables traffic segmentation, and blocks or forwards traffic

Session Configuration Creates a client session, and assigns the downlink and uplink

Private VLAN 3-228

Information Displays Private VLAN feature information 3-228

Configuration This page is used to create/remove primary or community

Association Each community VLAN must be associated with a primary VLAN 3-230

Port Information Shows VLAN port type, and associated primary or secondary

Port Configuration Sets the private VLAN interface type, and associates the

Trunk Information Shows VLAN port type, and associated primary or secondary

Trunk Configuration Sets the private VLAN interface type, and associates the

Protocol VLAN 3-233

Configuration Creates a protocol group, specifying the supported protocols 3-234

System Configuration Configures protocol VLAN system parameters 3-235

IP Subnet VLAN 3-237

Configuration Maps IP subnet traffic to a VLAN 3-237

MAC Based VLAN 3-238

Configuration Maps traffic with specified source MAC address to a VLAN 3-238

VLAN Mirror Configuration Sets source VLANs and a target port for mirroring 3-236

LLDP Link Layer Discovery Protocol 3-239

Configuration Configures global LLDP timing parameters 3-239

Port Configuration Configures parameters for individual ports 3-241

Trunk Configuration Configures parameters for trunks 3-241

Local Information Displays LLDP information about the local device 3-244

Remote Port Information Displays LLDP information about a remote device connected to

based on specified downlink and uplink ports

between uplink ports assigned to different client sessions

ports to service the traffic

VLANs

VLANs

interfaces with a private VLAN

VLANs

interfaces with a private VLAN

a port on this switch

3

3-226

3-226

3-227

3-229

3-231

3-232

3-231

3-232

3-247

3-9

Configuring the Switch

3

Table 3-2 Main Menu (Continued)

Menu Description Page

Remote Trunk Information Displays LLDP information about a remote device connected to

Remote Information Details Displays detailed LLDP information about a remote device

Device Statistics Displays LLDP statistics for all connected remote devices 3-250

Device Statistics Details Displays LLDP statistics for remote devices on a selected port or

Priority 3-253

Default Port Priority Sets the default priority for each port 3-253

Default Trunk Priority Sets the default priority for each trunk 3-253

Traffic Classes Maps IEEE 802.1p priority tags to output queues 3-255

Traffic Classes Status Enables/disables traffic class priorities (not implemented) NA

Queue Mode Sets queue mode to strict priority or Weighted Round-Robin 3-256

Queue Scheduling Configures Weighted Round Robin queueing 3-257

IP DSCP Priority Status Globally selects DSCP Priority, or disables it. 3-259

IP DSCP Priority Sets IP Differentiated Services Code Point priority, mapping a

QoS Quality of Service 3-262

DiffServ Configure QoS classification criteria and service policies 3-262

Class Map Creates a class map for a type of traffic 3-263

Policy Map Creates a policy map for multiple interfaces 3-265

Service Policy Applies a policy map defined to an ingress port 3-268

VoIP Traffic Setting 3-269

Configuration VoIP Traffic Setting Configuration 3-269

Port Configuration Configures VoIP Traffic Settings for ports 3-270

OUI Configuration Defines OUI settings 3-272

IGMP Snooping 3-275

IGMP Configuration Enables multicast filtering; configures parameters for multicast

IGMP Filter Configuration Enables IGMP filtering for the switch 3-284

IGMP Immediate Leave Configures immediate leave for multicast services no longer

Multicast Router Port
Information

Static Multicast Router Port
Configuration

a trunk on this switch

connected to this switch

trunk

DSCP tag to a class-of-service value

query

required

Displays the ports that are attached to a neighboring multicast
router for each VLAN ID

Assigns ports that are attached to a neighboring multicast router 3-281

3-247

3-248

3-251

3-260

3-276

3-278

3-280

3-10

Main Menu

Table 3-2 Main Menu (Continued)

Menu Description Page

IP Multicast Registration
Table

IGMP Member Port Table Indicates multicast addresses associated with the selected

IGMP Filter Profile
Configuration

IGMP Filter/Throttling Port
Configuration

IGMP Filter/Throttling Trunk
Configuration

MVR 3-289

Configuration Globally enables MVR, sets the MVR VLAN, adds multicast

Port Information Displays MVR interface type, MVR operational and activity

Trunk Information Displays MVR interface type, MVR operational and activity

Group IP Information Displays the ports attached to an MVR multicast stream 3-293

Port Configuration Configures MVR interface type and immediate leave status 3-294

Trunk Configuration Configures MVR interface type and immediate leave status 3-294

Group Member Configuration Statically assigns MVR multicast streams to an interface 3-296

Receiver Configuration Permits forwarding of tagged multicast traffic by specifying MVR

Receiver Group IP
Information

Receiver Group Member
Configuration

DNS Domain Name Service 3-300

General Configuration Enables DNS; configures domain name and domain list; and

Static Host Table Configures static entries for domain name to address mapping 3-302

Cache Displays cache entries discovered by designated name servers 3-304

DHCP Snooping 3-143

Configuration Enables DHCP Snooping and DHCP Snooping MAC-Address

VLAN Configuration Enables DHCP Snooping for a VLAN 3-145

Information Option
Configuration

Displays all multicast groups active on this switch, including
multicast IP addresses and VLAN ID

VLAN

Configures IGMP filter profiles, controlling groups and access
mode

Assigns IGMP filter profiles to port interfaces and sets throttling
action

Assigns IGMP filter profiles to trunk interfaces and sets throttling
action

stream addresses

status, and immediate leave status

status, and immediate leave status

receiver VLAN and MVR receiver groups

Displays ports assigned to MVR receiver groups 3-298

Statically assigns MVR receiver groups to selected ports 3-299

specifies IP address of name servers for dynamic lookup

Verification

Enables DHCP Snooping Information Option 3-146

3

3-282

3-283

3-284

3-284

3-284

3-290

3-292

3-292

3-297

3-300

3-144

3-11

Configuring the Switch

3

Table 3-2 Main Menu (Continued)

Menu Description Page

Port Configuration Selects the DHCP Snooping Information Option policy 3-147

Binding Information Displays the DHCP Snooping binding information 3-149

IP Source Guard 3-150

Port Configuration Enables IP source guard and selects filter type per port 3-150

Static Configuration Adds a static addresses to the source-guard binding table 3-152

Dynamic Information Displays the source-guard binding table for a selected interface 3-154

Cluster 3-305

Configuration Globally enables clustering for the switch 3-305

Member Configuration Adds switch Members to the cluster 3-307

Member Information Displays cluster Member switch information 3-308

Candidate Information Displays network Candidate switch information 3-309

UPNP Universal Plug and Play 3-310

Configuration Enables UPNP and defines timeout values 3-311

3-12

Basic Configuration

3

Basic Configuration

This section describes the basic functions required to set up management access to
the switch, display or upgrade operating software, or reset the system.

Displaying System Information

You can easily identify the system by displaying the device name, location and
contact information.

Field Attributes

• System Name – Name assigned to the switch system.

• Object ID – MIB II object ID for switch’s network management subsystem.

• Location – Specifies the system location.

• Contact – Administrator responsible for the system.

• System Up Time – Length of time the management agent has been up.

These additional parameters are displayed for the CLI.

• MAC Address – The physical layer address for this switch.

• Web Server – Shows if management access via is enabled.

• Web Server Port – Shows the TCP port number used by the web interface.

• Web Secure Server – Shows if management access via HTTPS is enabled.

• Web Secure Server Port – Shows the TCP port used by the HTTPS interface.

• Telnet Server – Shows if management access via Telnet is enabled.

• Telnet Server Port – Shows the TCP port used by the Telnet interface.

• Authentication Login – Shows the user login authentication sequence.

• Jumbo Frame – Shows if jumbo frames are enabled.

• POST result – Shows results of the power-on self-test.

3-13

Configuring the Switch

3

Web – Click System, System Information. Specify the system name, location, and
contact information for the system administrator, then click Apply. (This page also
includes a Telnet button that allows access to the Command Line Interface via Telnet.)

Figure 3-3 System Information

CLI – Specify the hostname, location and contact information.

Console(config)#hostname R&D 5 4-18
Console(config)#snmp-server location WC 9 4-91
Console(config)#snmp-server contact Ted 4-90
Console(config)#exit
Console#show system 4-33
System Description: FGL-2870
System OID String: 1.3.6.1.4.1.22426.1.4.6
System Information
System Up Time: 0 days, 1 hours, 21 minutes, and 58.30 seconds
System Name: Level One
System Location: FGL-2870
System Contact: support@ddcasia.com.tw
MAC Address (Unit1): 00-12-CF-BE-21-DE
Web Server: Enabled
Web Server Port: 80
Web Secure Server: Enabled
Web Secure Server Port: 443
Telnet Server: Enable
Telnet Server Port: 23
Jumbo Frame: Disabled

DUMMY Test 1 ................. PASS

UART Loopback Test ........... PASS

DRAM Test .................... PASS

Timer Test ................... PASS

Console#

3-14

Basic Configuration

3

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version numbers for
the main board and management software, as well as the power status of the system.

Field Attributes

Main Board

• Serial Number – The serial number of the switch.

• Number of Ports – Number of built-in RJ-45 ports.

• Hardware Version – Hardware version of the main board.

• Chip Device ID – Identifier for basic MAC/Physical Layer switch chip.

• Internal Power Status – Displays the status of the internal power supply.

Management Software

• EPLD Version – Version number of the Electronically Programmable Logic Device

code.

• Loader Version – Version number of loader code.

• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.

• Operation Code Version – Version number of run-time code.

• Role – Shows that this switch is operating as Master or Slave.

Web – Click System, Switch Information.

Figure 3-4 Switch Information

3-15

Configuring the Switch

3

CLI – Use the following command to display version information.

Console#show version 4-34
Serial Number: A842024475
Hardware Version: R01
Chip Device ID: Marvell 98DX106-B0, 88E6095[F]
EPLD Version: 0.07
Number of Ports: 28
Main Power Status: Up
Redundant Power Status: Not present

Agent (Master)
Unit ID: 1
Loader Version: 1.0.0.2
Boot ROM Version: 1.2.0.1
Operation Code Version: 1.3.4.0

Console#

3-16

Basic Configuration

3

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast
Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to
display default settings for the key variables.

Field Attributes

• Extended Multicast Filtering Services – This switch does not support the filtering

of individual multicast addresses based on GMRP (GARP Multicast Registration
Protocol).

• Traffic Classes – This switch provides mapping of user priorities to multiple traffic

classes. (Refer to "Class of Service Configuration" on page 3-253.)

• Static Entry Individual Port – This switch allows static filtering for unicast and

multicast addresses. (Refer to "Setting Static Addresses" on page 3-185.)

• VLAN Learning – This switch uses Independent VLAN Learning (IVL), where each

port maintains its own filtering database.

• Configurable PVID Tagging – This switch allows you to override the default Port

VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or
Untagged) on each port. (Refer to "VLAN Configuration" on page 3-206.)

• Local VLAN Capable – This switch does not support multiple local bridges outside

of the scope of 802.1Q defined VLANs.

• GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to

register endstations with multicast groups. This switch does not support GMRP; it
uses the Internet Group Management Protocol (IGMP) to provide automatic
multicast filtering.

Web – Click System, Bridge Extension Configuration.

Figure 3-5 Bridge Extension Configuration

3-17

Configuring the Switch

3

CLI – Enter the following command.

Console#show bridge-ext 4-295
Max support VLAN numbers: 256
Max support VLAN ID: 4092
Extended multicast filtering services: No
Static entry individual port: Yes
VLAN learning: IVL
Configurable PVID tagging: Yes
Local VLAN capable: No
Traffic classes: Enabled
Global GVRP status: Disabled
GMRP: Disabled
Console#

Setting the Switch’s IP Address

This section describes how to configure an IP interface for management access
over the network. The IP address for the stack is obtained via DHCP by default. To
manually configure an address, you need to change the switch’s default settings to
values that are compatible with your network. You may also need to a establish a
default gateway between the stack and management stations that exist on another
network segment.

You can manually configure a specific IP address, or direct the device to obtain an
address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.

Command Attributes

• Management VLAN – ID of the configured VLAN (1-4094). By default, all ports on
the switch are members of VLAN 1. However, the management station can be
attached to a port belonging to any VLAN, as long as that VLAN has been assigned
an IP address.

• IP Address Mode – Specifies whether IP functionality is enabled via manual
configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot
Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has
been received from the server. Requests will be broadcast periodically by the
switch for an IP address. (DHCP/BOOTP values can include the IP address,
subnet mask, and default gateway.)

• IP Address – Address of the VLAN that is allowed management access. Valid IP
addresses consist of four numbers, 0 to 255, separated by periods.
(Default: 0.0.0.0)

• Subnet Mask – This mask identifies the host address bits used for routing to
specific subnets. (Default: 255.0.0.0)

• Gateway IP Address – IP address of the gateway router between this device and

• management stations that exist on other network segments. (Default: 0.0.0.0)

• MAC Address – The physical layer address for this switch.

• Restart DHCP – Requests a new IP address from the DHCP server.

3-18

Basic Configuration

Manual Configuration

Web – Click System, IP Configuration. Select the VLAN through which the
management station is attached, set the IP Address Mode to “Static,” enter the IP
address, subnet mask and gateway, then click Apply.

Figure 3-6 Manual IP Configuration

CLI – Specify the management interface, IP address and default gateway.

Console#config
Console(config)#interface vlan 1 4-220
Console(config-if)#ip address 192.168.1.1 255.255.255.0 4-406
Console(config-if)#exit
Console(config)#ip default-gateway 0.0.0.0 4-407
Console(config)#

3

3-19

Configuring the Switch

3

Using DHCP/BOOTP

If your network provides DHCP/BOOTP services, you can configure the switch to be
dynamically configured by these services.

Web – Click System, IP Configuration. Specify the VLAN to which the management
station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to
save your changes. Then click Restart DHCP to immediately request a new
address. Note that the switch will also broadcast a request for IP configuration
settings on each power reset.

Figure 3-7 DHCP IP Configuration

Note: If you lose your management connection, use a console connection and enter

“show ip interface” to determine the new switch address.

CLI – Specify the management interface, and set the IP address mode to DHCP or
BOOTP, and then enter the “ip dhcp restart” command.

Console#config
Console(config)#interface vlan 1 4-220
Console(config-if)#ip address dhcp 4-406
Console(config-if)#end
Console#ip dhcp restart 4-408
Console#show ip interface 4-408
IP Address and Netmask: 192.168.1.1 255.255.255.0 on VLAN 1,
Address Mode: User specified
Console#

3-20

Basic Configuration

Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a
specific period of time. If the address expires or the switch is moved to another
network segment, you will lose management access to the switch. In this case, you
can reboot the switch or submit a client request to restart DHCP service via the CLI.

Web – If the address assigned by DHCP is no longer functioning, you will not be
able to renew the IP settings via the web interface. You can only restart DHCP
service via the web interface if the current address is still available.

CLI – Enter the following command to restart DHCP service.

Console#ip dhcp restart 4-408
Console#

3

Enabling Jumbo Frames

The switch provides more efficient throughput for large sequential data transfers by
supporting jumbo frames up to 10 KB for the Gigabit Ethernet ports. Compared to
standard Ethernet frames that run only up to 1.5 KB, using jumbo frames
significantly reduces the per-packet overhead required to process protocol
encapsulation fields.

Command Usage

To use jumbo frames, both the source and destination end nodes (such as a
computer or server) must support this feature. Also, when the connection is
operating at full duplex, all switches in the network between the two end nodes must
be able to accept the extended frame size. And for half-duplex connections, all
devices in the collision domain would need to support jumbo frames.

Command Attributes

• Jumbo Packet Status – Check the box to enable jumbo frames.

(Default: Disabled)

Web – Click System, Jumbo Frames. Enable or disable support for jumbo frames,
and click Apply.

Figure 3-8 Jumbo Frames Configuration

CLI – This example enables jumbo frames globally for the switch.

Console#config
Console(config)#jumbo frame
Console(config)#

3-21

Configuring the Switch

3

Managing Firmware

You can upload/download firmware to or from an FTP or TFTP server. Just specify
the method of file transfer, along with the file type and file names as required. By
saving run-time code to a file on an FTP or TFTP server, that file can later be
downloaded to the switch to restore operation.

Note:

You can also download and upload files to the switch using HTTP, see "Uploading
and Downloading Files Using HTTP" on page 3-30.

Only two copies of the system software (i.e., the run-time firmware) can be stored in
the file directory on the switch. When downloading run-time code, the destination file
name can be specified to replace the current run-time code file, or the file can be
first downloaded using a different name from the current run-time code file, and then
the new file set as the startup file.

Command Attributes

• File Transfer Method – The firmware copy operation includes these options:

- file to file – Copies a file within the switch directory, assigning it a new name.

- file to tftp – Copies a file from the switch to a TFTP server.

- tftp to file – Copies a file from a TFTP server to the switch.

- file to ftp – Copies a file from the switch to an FTP server.

- ftp to file – Copies a file from an FTP server to the switch.

• TFTP/FTP Server IP Address – The IP address of an FTP or TFTP server.

• User Name – The user name for FTP server access.

• Password – The password for FTP server access.

• File Type – Specify opcode (operational code) to copy firmware.

• File Name –
the file name should not be a period (.), and the maximum length for file names on
the FTP/TFTP server is 127 characters or 31 characters for files on the switch.
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Note:

Up to two copies of the system software (i.e., the run-time firmware) can be stored
in the file directory on the switch. The currently designated startup version of this
file cannot be deleted.

The file name should not contain slashes (\ or /),

the leading letter of

Automatic Operation Code Upgrade

The system can be configured to automatically download an operation code file
when a file newer than the currently installed one is discovered on the file server.
After the file is transferred from the server and successfully written to the file system,
it is automatically set as the startup file, and the switch is rebooted.

Command Usage

• If this feature is enabled, the switch searches the defined URL once during the
bootup sequence.

• FTP (port 21) and TFTP (port 69) are both supported. Note that the TCP/UDP port
bindings cannot be modified to support servers listening on non-standard ports.

3-22

Basic Configuration

• The host portion of the upgrade file location URL must be a valid IPv4 IP address.

DNS host names are not recognized. Valid IP addresses consist of four numbers,
0 to 255, separated by periods.

• The path to the directory must also be defined. If the file is stored in the root

directory for the FTP/TFTP service, then use the “/” to indicate this (e.g.,
ftp://192.168.0.1/).

• The file name must not be included in the upgrade file location URL. The file name

of the code stored on the remote server must be FGL-2870-OP-V1.3.4.0.bix (using
upper case and lower case letters exactly as indicated here).

• The FTP connection is made with PASV mode enabled. PASV mode is needed to

traverse some fire walls, even if FTP traffic is not blocked. PASV mode cannot be
disabled.

• The switch-based search function is case-insensitive in that it will accept a file

name in upper or lower case (i.e., the switch will accept FGL-2870-OP-V1.3.4.0.bix
from the server even though FGL-2870-OP-V1.3.4.0.bix was requested).
However, keep in mind that the file systems of many operating systems such as
Unix and most Unix-like systems (FreeBSD, NetBSD, OpenBSD, and most Linux
distributions, etc.) are case-sensitive, meaning that two files in the same directory,
FGL-2870-OP-V1.3.4.0.bix and FGL-2870-OP-V1.3.4.0.bix are considered to be
unique files. Thus, if the upgrade file is stored as FGL-2870-OP-V1.3.4.0.bix(or
even FGL-2870-OP-V1.3.4.0.bix) on a case-sensitive server, then the switch
(requesting FGL-2870-OP-V1.3.4.0.bix) will not be upgraded because the server
does not recognize the requested file name and the stored file name as being
equal. A notable exception in the list of case-sensitive Unix-like operating systems
is Mac OS X, which by default is case-insensitive. Please check the documentation
for your server’s operating system if you are unsure of its file system’s behavior.

Note that the switch itself does not distinguish between upper and lower-case file
names, and only checks to see if the file stored on the server is more recent than
the current runtime image.

• If two operation code image files are already stored on the switch’s file system,

then the non-startup image is deleted before the upgrade image is transferred.

• If the startup operation code file is named FGL-2870-OP-V1.3.4.0.bix, then the

upgrade image will be stored as op1.bix, and the next upgrade image as op2.bix.

• The automatic upgrade process will take place in the background without impeding

normal operations (data switching, etc.) of the switch.

• During the automatic search and transfer process, the administrator cannot

transfer or update another operation code image, configuration file, public key, or
HTTPS certificate (i.e., no other concurrent file management operations are
possible).

• The upgrade operation code image is set as the startup image after it has been

successfully written to the file system.

• The switch will send an SNMP trap and make a log entry upon all upgrade

successes and failures.

• The switch will immediately restart after the upgrade file is successfully written to

the file system and set as the startup image.

3

3-23

Configuring the Switch

3

Command Attributes

• Automatic Opcode Upgrade – Enables the switch to search for an upgraded
operation code file during the switch bootup process.

- Enabled check box – Defines the state of this feature. (Default: Disabled)

• Automatic Upgrade Location URL – Defines where the switch should search for
the operation code upgrade file. The last character of this URL must be a forward
slash (“/”). The FGL-2870-OP-V1.3.4.0.bix filename must not be included since it
is automatically appended by the switch. (Options: ftp, tftp)
The following syntax must be observed:

tftp://host[/filedir]/

tftp:// – Defines TFTP protocol for the server connection.

host – Defines the IP address of the TFTP server. Valid IP addresses
consist of four numbers, 0 to 255, separated by periods. DNS hostnames
are not recognized.
filedir – Defines the directory, relative to the TFTP server root, where the
upgrade file can be found. Nested directory structures are accepted. The
directory name must be separated from the host, and in nested directory
structures, from the parent directory, with a prepended forward slash “/”.
/ – The forward slash must be the last character of the URL.

ftp://[username[:password@]]host[/filedir]/

ftp:// – Defines FTP protocol for the server connection.

username – Defines the user name for the FTP connection. If the user
name is omitted, then “anonymous” is the assumed user name for the
connection.
password – Defines the password for the FTP connection. To differentiate
the password from the user name and host portions of the URL, a colon
(:) must precede the password, and an “at” symbol (@), must follow the
password. If the password is omitted, then “” (an empty string) is the
assumed password for the connection.
host – Defines the IP address of the FTP server. Valid IP addresses
consist of four numbers, 0 to 255, separated by periods. DNS hostnames
are not recognized.
filedir – Defines the directory, relative to the FTP server root, where the
upgrade file can be found. Nested directory structures are accepted. The
directory name must be separated from the host, and in nested directory
structures, from the parent directory, with a prepended forward slash “/”.
/ – The forward slash must be the last character of the URL.

Examples

• The following examples demonstrate the URL syntax for a TFTP server at IP
address 192.168.0.1 with the operation code image stored in various locations:

- tftp://192.168.0.1/

The image file is in the TFTP root directory.

- tftp://192.168.0.1/switch-opcode/

The image file is in the “switch-opcode” directory, relative to the TFTP root.

3-24

Basic Configuration

- tftp://192.168.0.1/switches/opcode/
The image file is in the “opcode” directory, which is within the “switches” parent
directory, relative to the TFTP root.

• The following examples demonstrate the URL syntax for an FTP server at IP
address 192.168.0.1 with various user name, password and file location options
presented:

- ftp://192.168.0.1/

The user name and password are empty, so “anonymous” will be the user name
and the password will be blank. The image file is in the FTP root directory.

- ftp://switches:upgrade@192.168.0.1/

The user name is “switches” and the password is “upgrade”. The image file is in
the FTP root.

- ftp://switches:upgrade@192.168.0.1/switches/opcode/

The user name is “switches” and the password is “upgrade”. The image file is in
the “opcode” directory, which is within the “switches” parent directory, relative to
the FTP root.

Web –Click System, File Management, Automatic Operation Code Upgrade. Check
the Automatic Opcode Upgrade box, enter the URL of the FTP or TFTP server, the
path and directory containing the operation code, and click Apply.

3

Figure 3-9 Configuring Automatic Code Upgrade

CLI – This example specifies the URL of a TFTP server, and the directory containing
the new operation code.

Console(config)#upgrade opcode auto 4-42
Console(config)#upgrade opcode path tftp://192.168.0.1/EC35/ 4-43
Console(config)#

3-25

Configuring the Switch

3

If a new image is found at the specified location, the following type of messages will
be displayed during bootup.

.
.
.

Automatic Upgrade is looking for a new image
New image detected: current version 1..1.0; new version 1.3.4.0
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart

.
.
.

Downloading System Software from a Server

When downloading run-time code, you can specify the destination file name to
replace the current image, or first download the file using a different name from the
current run-time code file, and then set the new file as the startup file.

Web –Click System, File Management, Copy Operation. Select “tftp to file” as the file
transfer method, enter the IP address of the TFTP server, set the file type to
“opcode,” enter the file name of the software to download, select a file on the switch
to overwrite or specify a new file name, then click Apply. If you replaced the current
firmware used for startup and want to start using the new operation code, reboot the
system via the System/Reset menu.

3-26

Figure 3-10 Copy Firmware

Basic Configuration

If you download to a new destination file, go to the System/File/Set Start-Up menu,
mark the operation code file used at startup, and click Apply. To start the new
firmware, reboot the system via the System/Reset menu.

Figure 3-11 Setting the Startup Code

To delete a file, select System, File, Delete. Select the file name from the given list
by checking the tick box and click Apply. Note that t

startup code cannot be deleted.

Figure 3-12 Deleting Files

he file currently designated as the

3

CLI – To download new firmware form a TFTP server, enter the IP address of the
TFTP server, select “opcode” as the file type, then enter the source and destination
file names. When the file has finished downloading, set the new file to start up the
system, and then restart the switch.

To start the new firmware, enter the “reload” command or reboot the system.

Console#copy tftp file 4-37
TFTP server ip address: 192.168.1.23
Choose file type:

1. config: 2. opcode: 4. diag: 5. loader: <1,2,4,5>: 2
Source file name: FGL-2870-OP-V1.3.4.1.bix
Destination file name: V1341.F
\Write to FLASH Programming.

-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode:V1341.F 4-42
Console(config)#exit
Console#reload 4-14

3-27

Configuring the Switch

3

Saving or Restoring Configuration Settings

You can upload/download configuration settings to/from an FTP/TFTP server. The
configuration files can be later downloaded to restore the switch’s settings.

Command Attributes

• File Transfer Method – The configuration copy operation includes these options:

- file to file – Copies a file within the switch directory, assigning it a new name.

- file to ftp – Copies a file from the switch to an FTP server.

- file to running-config – Copies a file in the switch to the running configuration.

- file to startup-config – Copies a file in the switch to the startup configuration.

- file to tftp – Copies a file from the switch to a TFTP server.

- ftp to file – Copies a file from an FTP server to the switch.

- tftp to file – Copies a file from a TFTP server to the switch.

- ftp to running-config – Copies a file from an FTP server to the running config.

- ftp to startup-config – Copies a file from an FTP server to the startup config.

- running-config to file – Copies the running configuration to a file.

- running-config to ftp – Copies the running configuration to an FTP server.

- running-config to startup-config – Copies the running config to the startup config.

- running-config to tftp – Copies the running configuration to a TFTP server.

- startup-config to file – Copies the startup configuration to a file on the switch.

- startup-config to ftp – Copies the startup configuration to an FTP server.

- startup-config to running-config – Copies the startup config to the running config.

- startup-config to tftp – Copies the startup configuration to a TFTP server.

- ttftp to file – Copies a file from a TFTP server to the switch.

- tftp to running-config – Copies a file from a TFTP server to the running config.

- tftp to startup-config – Copies a file from a TFTP server to the startup config.

• FTP/TFTP Server IP Address – The IP address of an FTP or TFTP server.

• User Name – The user name for FTP server access.

• Password – The password for FTP server access.

• File Type – Specify config (configuration) to copy configuration settings.

•

File Name

the file name should not be a period (.), and the maximum length for file names on
the FTP/TFTP server is 127 characters or 31 characters for files on the switch.
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Note:

— The file name should not contain slashes (\ or /),

The maximum number of user-defined configuration files is limited only by
available flash memory space.

the leading letter of

Command Usage

• FTP (port 21) and TFTP (port 69) are both supported.

• The server’s location must be specified as a valid IPv4 IP address. DNS
hostnames are not recognized. Valid IP addresses consist of four numbers, 0 to
255, separated by periods.

3-28

Basic Configuration

3

Downloading Configuration Settings from a Server

You can download the configuration file under a new file name and then set it as the
startup file, or you can specify the current startup configuration file as the destination
file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be
copied to the TFTP server, but cannot be used as the destination on the switch.

Web – Click System, File Management, Copy Operation. Select “tftp to
startup-config” or “tftp to file” and enter the IP address of the TFTP server. If you
download from an FTP server, enter the user name and password for an account on
the server. Specify the name of the file to download and select a file on the switch to
overwrite or specify a new file name, then click Apply.

Figure 3-13 Downloading Configuration Settings for Startup

If you download to a new file name using ftp/tftp to startup-config or ftp/tftp to file, the
file is automatically set as the start-up configuration file. To use the new settings,
reboot the system via the System/Reset menu.

Note:

You can also select any configuration file as the start-up configuration by using the
System/File/Set Start-Up page.

Figure 3-14 Setting the Startup Configuration Settings

3-29

Configuring the Switch

3

CLI – Enter the IP address of the TFTP server, specify the source file on the server,
set the startup file name on the switch, and then restart the switch.

Console#copy tftp startup-config 4-37
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.

-Write to FLASH finish.
Success.

Console#reload

To select another configuration file as the start-up configuration, use the boot
system command and then restart the switch.

Console#config
Console(config)#boot system config: startup-new 4-42
Console(config)#exit
Console#reload 4-14

Uploading and Downloading Files Using HTTP

In addition to performing copy operations to and from an FTP or TFTP server, the
switch can upload or download files to the web management station using HTTP.

Both switch operation code files and configuration files can be uploaded/
downloaded using HTTP.

Command Attributes

• File Type – Specify opcode (operation code) to copy a firmware file, or config
(configuration) to copy a switch configuration file.

• Source File Name –
management station. The file name should not contain slashes (\ or /),
letter of the file name should not be a period (.), and the maximum length for file
names on the FTP/TFTP server is 127 characters or 31 characters for files on the
switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

• Destination File Name – Select an existing file on the switch to overwrite, or
specify a new file name.

Use the Browse button to locate the file on the web

the leading

3-30

Basic Configuration

Web – To upload files using HTTP: Click System, File Management, HTTP Upgrade.
Select “opcode” or “config” as the file type and then use the Browse button to locate
the file on the local web management station. Specify the name of a file on the
switch to overwrite or specify a new file name, then click Apply.

Figure 3-15 Uploading Files Using HTTP

Web – To download files using HTTP: Click System, File Management, HTTP
Download. Select an operation code file or configuration file on the switch to
download to the web management station. Click Apply.

3

Figure 3-16 Downloading Files Using HTTP

3-31

Configuring the Switch

3

Console Port Settings

You can access the onboard configuration program by attaching a VT100
compatible device to the switch’s serial console port. Management access through
the console port is controlled by various parameters, including a password, timeouts,
and basic communication settings. These parameters can be configured via the web
or CLI interface.

Command Attributes

• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not detected within the timeout interval, the connection is
terminated for the session. (Range: 0-300 seconds; Default: 0 seconds)

• Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0-65535 seconds; Default: 600 seconds)

• Password Threshold – Sets the password intrusion threshold, which limits the
number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt.
(Range: 0-120; Default: 3 attempts)

• Silent Time – Sets the amount of time the management console is inaccessible
after the number of unsuccessful logon attempts has been exceeded.
(Range: 0-65535; Default: 0)

• Data Bits – Sets the number of data bits per character that are interpreted and
generated by the console port. If parity is being generated, specify 7 data bits per
character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)

• Parity – Defines the generation of a parity bit. Communication protocols provided
by some terminals can require a specific parity bit setting. Specify Even, Odd, or
None. (Default: None)

• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive
(from terminal). Set the speed to match the baud rate of the device connected to
the serial port. (Range: 9600, 19200, or 38400 baud; Default: 9600 baud)

• Stop Bits – Sets the number of the stop bits transmitted per byte.
(Range: 1-2; Default: 1 stop bit)

• Password
started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt.
(Default: No password)

• Login
single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)

1

– Specifies a password for the line connection. When a connection is

1

– Enables password checking at login. You can select authentication by a

1. CLI only.

3-32

Basic Configuration

3

Web – Click System, Line, Console. Specify the console port connection parameters
as required, then click Apply.

Figure 3-17 Console Port Settings

CLI – Enter Line Configuration mode for the console, then specify the connection
parameters as required. To display the current console port settings, use the show
line command from the Normal Exec level.

Console(config)#line console 4-45
Console(config-line)#login local 4-46
Console(config-line)#password 0 secret 4-47
Console(config-line)#timeout login response 0 4-48
Console(config-line)#exec-timeout 0 4-48
Console(config-line)#password-thresh 3 4-49
Console(config-line)#silent-time 60 4-50
Console(config-line)#databits 8 4-50
Console(config-line)#parity none 4-51
Console(config-line)#speed 19200 4-52
Console(config-line)#stopbits 1 4-52
Console(config-line)#end
Console#show line console 4-56
Console Configuration:
Password Threshold: 3 times
Interactive Timeout: Disabled
Login Timeout: Disabled
Silent Time: Disabled
Baudrate: 9600
Databits: 8
Parity: None
Stopbits: 1
Console#

3-33

Configuring the Switch

3

Telnet Settings

You can access the onboard configuration program over the network using Telnet
(i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and
other various parameters set, including the TCP port number, timeouts, and a
password. These parameters can be configured via the web or CLI interface.

Command Attributes

• Telnet Status – Enables or disables Telnet access to the switch.

(Default: Enabled)

• Telnet Port Number – Sets the TCP port number for Telnet on the switch.
(Default: 23)

• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not detected within the timeout interval, the connection is
terminated for the session. (Range: 0-300 seconds; Default: 300 seconds)

• Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0-65535 seconds; Default: 600 seconds)

• Password Threshold – Sets the password intrusion threshold, which limits the
number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt.
(Range: 0-120; Default: 3 attempts)

• Password
started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt.
(Default: No password)

• Login
single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)

2

– Specifies a password for the line connection. When a connection is

2

– Enables password checking at login. You can select authentication by a

2. CLI only.

3-34

Basic Configuration

Web – Click System, Line, Telnet. Specify the connection parameters for Telnet
access, then click Apply.

Figure 3-18 Enabling Telnet

CLI – Enter Line Configuration mode for a virtual terminal, then specify the
connection parameters as required. To display the current virtual terminal settings,
use the show line command from the Normal Exec level.

Console(config)#line vty 4-45
Console(config-line)#login local 4-46
Console(config-line)#password 0 secret 4-47
Console(config-line)#timeout login response 300 4-48
Console(config-line)#exec-timeout 600 4-48
Console(config-line)#password-thresh 3 4-49
Console(config-line)#end
Console#show line vty 4-56
VTY Configuration:
Password Threshold: 3 times
Interactive Timeout: 600 sec
Login Timeout: 300 sec
Console#

3

3-35

Configuring the Switch

3

Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of
events that are recorded in switch memory, logging to a remote System Log (syslog)
server, and displays a list of recent event messages.

System Log Configuration

The system allows you to enable or disable event logging, and specify which levels
are logged to RAM or flash memory.

Severe error messages that are logged to flash memory are permanently stored in
the switch to assist in troubleshooting network problems. Up to 4096 log entries can
be stored in the flash memory, with the oldest entries being overwritten first when the
available log memory (256 kilobytes) has been exceeded.

The System Logs page allows you to configure and limit system messages that are
logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to
flash and levels 0 to 7 to be logged to RAM.

Command Attributes

• System Log Status – Enables/disables the logging of debug or error messages to
the logging process. (Default: Enabled)

• Flash Level – Limits log messages saved to the switch’s permanent flash memory
for all levels up to the specified level. For example, if level 3 is specified, all
messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3)

Table 3-3 Logging Levels

Level Severity Name Description

7 Debug Debugging messages

6 Informational Informational messages only

5 Notice Normal but significant condition, such as cold start

4 Warning Warning conditions (e.g., return false, unexpected return)

3 Error Error conditions (e.g., invalid input, default used)

2 Critical Critical conditions (e.g., memory allocation, or free memory

1 Alert Immediate action needed

0 Emergency System unusable

* There are only Level 2, 5 and 6 error messages for the current firmware release.

error - resource exhausted)

• RAM Level – Limits log messages saved to the switch’s temporary RAM memory
for all levels up to the specified level. For example, if level 7 is specified, all
messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)

Note:

The Flash Level must be equal to or less than the RAM Level.

3-36

Basic Configuration

3

Web – Click System, Log, System Logs. Specify System Log Status,
event messages to be logged to RAM and flash memory, then click Apply.

Figure 3-19 System Logs

CLI – Enable system logging and then specify the level of messages to be logged to
RAM and flash memory. Use the show logging command to display the current
settings.

Console(config)#logging on 4-57
Console(config)#logging history ram 0 4-58
Console(config)#end
Console#show logging flash 4-61
Syslog logging: Enabled
History logging in FLASH: level emergencies

set the level of

Remote Log Configuration

The Remote Logs page allows you to configure the logging of messages that are
sent to syslog servers or other management stations. You can also limit the event
messages sent to only those messages below a specified level.

Command Attributes

• Remote Log Status – Enables/disables the logging of debug or error messages

to the remote logging process. (Default: Disabled)

• Logging Facility – Sets the facility type for remote logging of syslog messages.

There are eight facility types specified by values of 16 to 23. The facility type is
used by the syslog server to dispatch log messages to an appropriate service.

The attribute specifies the facility type tag sent in syslog messages (see
RFC 3164). This type has no effect on the kind of messages reported by the switch.
However, it may be used by the syslog server to process messages, such as
sorting or storing messages in the corresponding database. (Range: 16-23,
Default: 23)

• Logging Trap – Limits log messages that are sent to the remote syslog server for

all levels up to the specified level. For example, if level 3 is specified, all messages
from level 0 to level 3 will be sent to the remote server. (Range: 0-7, Default: 7)

• Host IP List – Displays the list of remote server IP addresses that receive the

syslog messages. The maximum number of host IP addresses allowed is five.

• Host IP Address – Specifies a new server IP address to add to the Host IP List.

3-37

Configuring the Switch

3

Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List,
type the new IP address in the Host IP Address box, and then click Add. To delete
an IP address, click the entry in the Host IP List, and then click Remove.

Figure 3-20 Remote Logs

CLI – Enter the syslog server host IP address, choose the facility type and set the
logging trap.

Console(config)#logging host 192.168.1.15 4-59
Console(config)#logging facility 23 4-59
Console(config)#logging trap 4 4-60
Console(config)#end
Console#show logging trap 4-60
Syslog logging: Enabled
REMOTELOG status: Enabled
REMOTELOG facility type: local use 7
REMOTELOG level type: Warning conditions
REMOTELOG server ip address: 192.168.1.15
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
Console#

3-38

Basic Configuration

3

Displaying Log Messages

The Logs page allows you to scroll through the logged system and event messages.
The switch can store up to 2048 log entries in temporary random access memory
(RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent
flash memory.

Web – Click System, Log, Logs.

Figure 3-21 Displaying Logs

CLI – This example shows the event message stored in RAM.

Console#show log ram 4-61
[1] 00:00:27 2001-01-01
"VLAN 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
[0] 00:00:25 2001-01-01
"System coldStart notification."
level: 6, module: 5, function: 1, and event no.: 1
Console#

Sending Simple Mail Transfer Protocol Alerts

To alert system administrators of problems, the switch can use SMTP (Simple Mail
Transfer Protocol) to send email messages when triggered by logging events of a
specified level. The messages are sent to specified SMTP servers on the network
and can be retrieved using POP or IMAP clients.

Command Attributes

• Admin Status – Enables/disables the SMTP function. (Default: Enabled)

• Email Source Address – Sets the email address used for the “From” field in alert

messages. You may use a symbolic email address that identifies the switch, or the
address of an administrator responsible for the switch.

3-39

Configuring the Switch

3

• Severity – Sets the syslog severity threshold level (see table on page 3-36) used
to trigger alert messages. All events at this level or higher will be sent to the
configured email recipients. For example, using Level 7 will report all events from
level 7 to level 0. (Default: Level 7)

• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The
switch attempts to connect to the other listed servers if the first fails. Use the New
SMTP Server text field and the Add/Remove buttons to configure the list.

• SMTP Server – Specifies a new SMTP server address to add to the SMTP Server
List.

• Email Destination Address List – Specifies the email recipients of alert
messages. You can specify up to five recipients. Use the New Email Destination
Address text field and the Add/Remove buttons to configure the list.

• Email Destination Address – This command specifies SMTP servers that may
receive alert messages.

Web – Click System, Log, SMTP. Enable SMTP, specify a source email address,
and select the minimum severity level. To add an IP address to the SMTP Server
List, type the new IP address in the SMTP Server field and click Add. To delete an IP
address, click the entry in the Server IP List and click Remove. Specify up to five
email addresses to receive the alert messages, and click Apply.

3-40

Figure 3-22 Enabling and Configuring SMTP

Basic Configuration

3

CLI – Enter the IP address of at least one SMTP server, set the syslog severity level
to trigger an email message, and specify the switch (source) and up to five recipient
(destination) email addresses. Enable SMTP with the logging sendmail command
to complete the configuration. Use the show logging sendmail command to display
the current SMTP configuration.

Console(config)#logging sendmail host 192.168.1.4 4-63
Console(config)#logging sendmail level 3 4-64
Console(config)#logging sendmail source-email

big-wheels@matel.com 4-64

Console(config)#logging sendmail destination-email

chris@matel.com 4-65

Console(config)#logging sendmail 4-65
Console(config)#exit
Console#show logging sendmail 4-65
SMTP servers

-----------------------------------------------

1. 192.168.1.4

SMTP minimum severity level: 4

SMTP destination email addresses

-----------------------------------------------

1. chris@matel.com

SMTP source email address: big-wheels@matel.com

SMTP status: Enabled
Console#

Resetting the System

This feature restarts the system. You can reboot the system immediately, or you can
configure the switch to reset after a specified amount of time.

Command Attributes

• Hours – Specifies the amount of hours to wait, combined with the minutes, before

the switch resets. (Range: 0-576; Default: 0)

• Minutes – Specifies the amount of minutes to wait, combined with the hours,

before the switch resets. (Range: 1-34560; Default: 0)

• Reset – Resets the switch after the specified time. If the hour and minute fields are

blank, then the switch will reset immediately.

• Refresh – Refreshes the countdown timer of a pending delayed reset.

• Cancel – Cancels a pending delayed reset.

Note:

To rimmediately restart the switch, enter “0” in both the Hours and Minutes fields,
and click Reset.

3-41

Configuring the Switch

3

Web – Click System, Reset. Enter the amount of time the switch should wait before
rebooting. Click the Reset button to reboot the switch or click the Cancel button to
cancel a configured reset. If prompted, confirm that you want reset the switch or
cancel a configured reset.

Figure 3-23 Resetting the System

CLI – Use the reload command to restart the switch. When prompted, confirm that
you want to reset the switch.

Console(config)#reload 4-14
***
*** --- Rebooting at January 1 23:53:44 2001 --­***

Are you sure to reboot the system at the specified time? <y/n> y

When restarting the system, it will always run the Power-On Self-Test. It will also

Note:

retain all configuration information stored in non-volatile memory (See ’Saving or
Restoring Configuration Settings" on page 3-28 or the copy running-config
startup-config command (See ’copy" on page 4-37).

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal clock
based on periodic updates from a time server (SNTP or NTP). Maintaining an
accurate time on the switch enables the system log to record meaningful dates and
times for event entries. You can also manually set the clock. If the clock is not set
manually or via SNTP, the switch will only record the time from the factory default set
at the last bootup.

When the SNTP client is enabled, the switch periodically sends a request for a time
update to a configured time server. You can configure up to three time server IP
addresses. The switch will attempt to poll each server in the configured sequence.

3-42

Basic Configuration

Setting the Time Manually

You can set the system time on the switch manually without using SNTP.

Command Attributes

• Hours – Sets the hour. (Range: 0-23; Default: 0)

• Minutes – Sets the minute value. (Range: 0-59; Default: 0)

• Seconds – Sets the second value. (Range: 0-59; Default: 0)

• Month – Sets the month. (Range: 1-12; Default: 1)

• Day – Sets the day of the month. (Range: 1-31; Default: 1)

• Year – Sets the year. (Range: 2001-2100; Default: 2001)

Web – Select SNTP, Current Time. Modify any of the required time and date
parameters, and click Apply.

Figure 3-24 Current Time Configuration

3

CLI – This example sets the system clock time and then displays the current time
and date

.

Console#calendar set 17 46 00 october 18 2008 4-79
Console#show calendar 4-80
Current Time : Oct 2 17:03:35 2008
Time Zone :

GMT-Greenwich-Mean-Time-Dublin,Edinburgh,Lisbon,London
Summer Time : Not configured
Summer Time in Effect : No
Console#

Configuring SNTP

You can configure the switch to send time synchronization requests to time servers.

Command Attributes

• SNTP Client – Configures the switch to operate as an SNTP client. This requires
at least one NTP or SNTP time server to be specified in the SNTP Server field.
(Default: Disabled)

• SNTP Poll Interval – Sets the interval between sending requests for a time update
from a time server. (Range: 16-16384 seconds; Default: 16 seconds)

• SNTP Server – Sets the IP address for up to three time servers. The switch
attempts to update the time from the first server, if this fails it attempts an update
from the next server in the sequence.

3-43

Configuring the Switch

3

Web – Select SNTP, Configuration. Modify any of the required SNTP parameters,
and click Apply.

Figure 3-25 SNTP Configuration

CLI – This example configures the switch to operate as an SNTP client and then
displays the current time and settings.

Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-69
Console(config)#sntp poll 60 4-69
Console(config)#sntp client 4-68
Console(config)#exit
Console#show sntp
Current time: Jan 6 14:56:05 2004
Poll interval: 60
Current mode: unicast
SNTP status : Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.250.36.2
Console#

Configuring NTP

The NTP client allows you to configure up to 50 NTP servers to poll for time updates.
You can also enable authentication to ensure that reliable updates are received from
only authorized NTP servers. The authentication keys and their associated key
number must be centrally managed and manually distributed to NTP servers and
clients. The key numbers and key values must match on both the server and client.

Command Attributes

• NTP Client – Configures the switch to operate as an NTP client. This requires at
least one time server to be specified in the NTP Server list. (Default: Disabled)

• NTP Polling Interval – Sets the interval between sending requests for a time
update from NTP servers. (Fixed: 1024 seconds)

• NTP Authenticate – Enables authentication for time requests and updates
between the switch and NTP servers. (Default: Disabled)

• NTP Server – Sets the IP address for an NTP server to be polled. The switch
requests an update from all configured servers, then determines the most accurate
time update from the responses received.

3-44

Basic Configuration

• Version – Specifies the NTP version supported by the server. (Range: 1-3;

Default: 3)

• Authenticate Key – Specifies the number of the key in the NTP Authentication Key

List to use for authentication with the configured server. The authentication key
must match the key configured on the NTP server.

• Key Number – A number that specifies a key value in the NTP Authentication Key

List. Up to 255 keys can be configured in the NTP Authentication Key List. Note
that key numbers and values must match on both the server and client.
(Range: 1-65535)

• Key Context – Specifies an MD5 authentication key string. The key string can be

up to 32 case-sensitive printable ASCII characters (no spaces).

Note:

SNTP and NTP clients cannot both be enabled at the same time.

Web – Select SNTP, Configuration. Modify any of the required NTP parameters, and
click Apply.

3

Figure 3-26 NTP Client Configuration

3-45

Configuring the Switch

3

CLI – This example configures the switch to operate as an NTP client and then
displays the current settings.

Console(config)#ntp authentication-key 19 md5 thisiskey19 4-73
Console(config)#ntp authentication-key 30 md5 ntpkey30
Console(config)#ntp server 192.168.3.20 4-71
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.4.22 version 2
Console(config)#ntp server 192.168.5.23 version 3 key 19
Console(config)#ntp client 4-70
Console(config)#ntp authenticate 4-72
Console(config)#exit
Console#show ntp 4-74

Current Time : Jan 1 00:09:30 2001
Polling : 1024 seconds
Current Mode : unicast
NTP Status : Enabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 0.0.0.0 Port: 0
Last Update Time : Dec 31 00:00:00 2000 UTC

NTP Server 192.168.3.20 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.22 version 2
NTP Server 192.168.5.23 version 3 key 19
NTP Authentication-Key 19 md5 Q33O16Q6338241J022S29Q731K7 7
NTP Authentication-Key 30 md5 D2V8777I51K1132K3552L26R6141O4 7
Console#

Setting the Time Zone

SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time,
or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude,
which passes through Greenwich, England. To display a time corresponding to your
local time, you must indicate the number of hours and minutes your time zone is
east (before) or west (after) of UTC. You can choose one of the 80 predefined time
zone definitions, or your can manually configure the parameters for your local time
zone.

Command Attributes

• Predefined Configuration – A drop-down box provides access to the 80

predefined time zone configurations. Each choice indicates it’s offset from UTC
and lists at least one major city or location covered by the time zone.

• User-defined Configuration – Allows the user to define all parameters of the local
time zone.

- Direction: Configures the time zone to be before (east of) or after (west of)
UTC.

- Name – Assigns a name to the time zone. (Range: 1-29 characters)

- Hours (0-13) – The number of hours before/after UTC. The maximum value
before UTC is 12. The maximum value after UTC is 13.

- Minutes (0-59) – The number of minutes before/after UTC.

3-46