LevelOne GSW-2692 User Manual

LevelOne

GSW-2692

24-Port 10/100M + 2G Combo

L2 Stackable Switch

User Manual

Version 1.0-0608

Contents

Chapter 1: Introduction 1-1

Key Features 1-1
Description of Software Features 1-2
System Defaults 1-5

Chapter 2: Initial Configuration 2-1

Connecting to the Switch 2-1

Configuration Options 2-1
Required Connections 2-2
Remote Connections 2-3

Stack Operations 2-3

Selecting the Stack Master 2-3
Recovering from Stack Failure or Topology Change 2-4

Resilient IP Interface for Management Access 2-4

Basic Configuration 2-4

Console Connection 2-4
Setting Passwords 2-5
Setting an IP Address 2-5

Manual Configuration 2-5
Dynamic Configuration 2-6

Enabling SNMP Management Access 2-7

Community Strings 2-7
Trap Receivers 2-8

Saving Configuration Settings 2-8

Managing System Files 2-9

Chapter 3: Configuring the Switch 3-1

Using the Web Interface 3-1
Navigating the Web Browser Interface 3-2

Home Page 3-2

Configuration Options 3-3
Panel Display 3-3
Main Menu 3-4
Basic Configuration 3-8

Displaying System Information 3-8

Displaying Switch Hardware/Software Versions 3-9

Displaying Bridge Extension Capabilities 3-11

Setting the Switch’s IP Address 3-12

Manual Configuration 3-13
Using DHCP/BOOTP 3-14

i

Contents

Managing Firmware 3-15

Downloading System Software from a Server 3-16

Saving or Restoring Configuration Settings 3-18

Downloading Configuration Settings from a Server 3-19
Console Port Settings 3-20
Telnet Settings 3-22
Configuring Event Logging 3-24

System Log Configuration 3-24

Remote Log Configuration 3-26

Displaying Log Messages 3-27

Sending Simple Mail Transfer Protocol Alerts 3-28
Resetting the System 3-30
Setting the System Clock 3-31

Configuring SNTP 3-31

Setting the Time Zone 3-32

Simple Network Management Protocol 3-33

Setting Community Access Strings 3-33
Specifying Trap Managers and Trap Types 3-34

User Authentication 3-35

Configuring User Accounts 3-35
Configuring Local/Remote Logon Authentication 3-37
Configuring HTTPS 3-40

Replacing the Default Secure-site Certificate 3-41
Configuring the Secure Shell 3-42

Generating the Host Key Pair 3-44

Configuring the SSH Server 3-46
Configuring Port Security 3-47
Configuring 802.1X Port Authentication 3-49

Displaying 802.1X Global Settings 3-50

Configuring 802.1X Global Settings 3-51

Configuring Port Settings for 802.1X 3-51

Displaying 802.1X Statistics 3-54
Filtering IP Addresses for Management Access 3-55

Access Control Lists 3-57

Configuring Access Control Lists 3-57

Setting the ACL Name and Type 3-58

Configuring a Standard IP ACL 3-59

Configuring an Extended IP ACL 3-60

Configuring a MAC ACL 3-62
Binding a Port to an Access Control List 3-63

Port Configuration 3-64

Displaying Connection Status 3-64
Configuring Interface Connections 3-66
Creating Trunk Groups 3-68

Statically Configuring a Tru nk 3-69

ii

Contents

Enabling LACP on Selected Ports 3-70
Configuring LACP Parameters 3-73
Displaying LACP Port Counters 3-75
Displaying LACP Settings and Status for the Local Side 3-77

Displaying LACP Settings and Status for the Remote Side 3-79
Setting Broadcast Storm Thresholds 3-81
Configuring Port Mirroring 3-82
Configuring Rate Limits 3-83

Rate Limit Granularity 3-84

Rate Limit Configuration 3-84
Showing Port Statistics 3-85

Address Table Settings 3-90

Setting Static Addresses 3-90
Displaying the Address Table 3-91
Changing the Aging Time 3-93

Spanning Tree Algorithm Configuration 3-93

Displaying Global Settings 3-94
Configuring Global Settings 3-97
Displaying Interface Settings 3-100
Configuring Interface Settings 3-103

VLAN Configuration 3-105

IEEE 802.1Q VLANs 3-105

Enabling or Disabling GVRP (Global Setting) 3-108

Displaying Basic VLAN Information 3-108

Displaying Current VLANs 3-109

Creating VLANs 3-111

Adding Static Members to VLANs (VLAN Index) 3-112

Adding Static Members to VLANs (Port Index) 3-114

Configuring VLAN Behavior for Interfaces 3-115
Private VLANs 3-117

Displaying Current Private VLANs 3-118

Configuring Private VLANs 3-119

Associating VLANs 3-119

Displaying Private VLAN Interface Information 3-120

Configuring Private VLAN Interfaces 3-121

Class of Service Configuration 3-123

Layer 2 Queue Settings 3-123

Setting the Default Priority for Interfaces 3-123

Mapping CoS Values to Egress Queues 3-125

Selecting the Queue Mode 3-127

Setting the Service Weight for Traffic Classes 3-127
Layer 3/4 Priority Settings 3-128

Mapping Layer 3/4 Priorities to CoS Values 3-128

Selecting IP Precedence/DSCP Priority 3-129

Mapping IP Precedence 3-129

iii

Contents

Mapping DSCP Priority 3-131
Mapping IP Port Priority 3-132
Mapping CoS Values to ACLs 3-133

Multicast Filtering 3-135

Layer 2 IGMP (Snooping and Query) 3-135

Configuring IGMP Snooping and Query Parameters 3-136
Displaying Interfaces Attached to a Multicast Router 3-137
Specifying Static Interfaces for a Multicast Router 3-138
Displaying Port Members of Multicast Services 3-140
Assigning Ports to Multicast Services 3-141

Chapter 4: Command Line Interface 4-1

Using the Command Line Interface 4-1

Accessing the CLI 4-1
Console Connection 4-1
Telnet Connection 4-1

Entering Commands 4-3

Keywords and Arguments 4-3
Minimum Abbreviation 4-3
Command Completion 4-3
Getting Help on Commands 4-3
Showing Commands 4-4
Partial Keyword Lookup 4-5
Negating the Effect of Commands 4-5
Using Command History 4-5
Understanding Command Modes 4-5
Exec Commands 4-6
Configuration Commands 4-6

Command Line Processing 4-8
Command Groups 4-9
Line Commands 4-10

line 4-10

login 4-11

password 4-12

timeout login response 4-13

exec-timeout 4-13

password-thresh 4-14

silent-time 4-15

databits 4-15

parity 4-16

speed 4-17

stopbits 4-17

disconnect 4-18

show line 4-18

iv

Contents

General Commands 4-19

enable 4-19
disable 4-20
configure 4-21
show history 4-21
reload 4-22
end 4-22
exit 4-23
quit 4-23

System Management Commands 4-24

Device Designation Commands 4-24

prompt 4-24
hostname 4-25

User Access Commands 4-25

username 4-26
enable password 4-27

IP Filter Commands 4-28

management 4-28
show management 4-29

Web Server Commands 4-30

ip http port 4-30
ip http server 4-30
ip http secure-server 4-31
ip http secure-port 4-32

Telnet Server Commands 4-33

ip telnet port 4-33
ip telnet server 4-33

Secure Shell Commands 4-34

ip ssh server 4-36
ip ssh timeout 4-37
ip ssh authentication-retries 4-37
ip ssh server-key size 4-38
delete public-key 4-38
ip ssh crypto host-key generate 4-39
ip ssh crypto zeroize 4-39
ip ssh save host-key 4-40
show ip ssh 4-40
show ssh 4-41
show public-key 4-42

Event Logging Commands 4-43

logging on 4-43
logging history 4-44
logging host 4-45
logging facility 4-45
logging trap 4-46

v

Contents

clear logging 4-46
show logging 4-47
show log 4-48

SMTP Alert Commands 4-49

logging sendmail host 4-49
logging sendmail level 4-50
logging sendmail source-email 4-51
logging sendmail destination-email 4-51
logging sendmail 4-52
show logging sendmail 4-52

Time Commands 4-53

sntp client 4-53
sntp server 4-54
sntp poll 4-55
show sntp 4-55
clock timezone 4-56
calendar set 4-56
show calendar 4-57

System Status Commands 4-57

light unit 4-57
show startup-config 4-58
show running-config 4-60
show system 4-62
show users 4-62
show version 4-63

Frame Size Commands 4-64

jumbo frame 4-64

Flash/File Commands 4-65

copy 4-65

delete 4-68

dir 4-68

whichboot 4-69

boot system 4-70
Authentication Commands 4-71

Authentication Sequence 4-71

authentication login 4-71
authentication enable 4-72

RADIUS Client 4-73

radius-server host 4-73
radius-server port 4-74
radius-server key 4-74
radius-server retransmit 4-75
radius-server timeout 4-75
show radius-server 4-76

vi

Contents

TACACS+ Client 4-76

tacacs-server host 4-77
tacacs-server port 4-77
tacacs-server key 4-78
show tacacs-server 4-78

Port Security Commands 4-79

port security 4-79

802.1X Port Authentication 4-81
dot1x system-auth-control 4-81
dot1x default 4-82
dot1x max-req 4-82
dot1x port-control 4-82
dot1x operation-mode 4-83
dot1x re-authenticate 4-84
dot1x re-authentication 4-84
dot1x timeout quiet-period 4-84
dot1x timeout re-authperiod 4-85
dot1x timeout tx-period 4-85
show dot1x 4-86

Access Control List Commands 4-89

IP ACLs 4-90

access-list ip 4-90
permit, deny (Standard ACL) 4-91
permit, deny (Extended ACL) 4-92
show ip access-list 4-94
ip access-group 4-94
show ip access-group 4-95
map access-list ip 4-95
show map access-list ip 4-96

MAC ACLs 4-97

access-list mac 4-97
permit, deny (MAC ACL) 4-98
show mac access-list 4-99
mac access-group 4-99
show mac access-group 4-100
map access-list mac 4-100
show map access-list mac 4-101

ACL Information 4-102

show access-list 4-102
show access-group 4-102

SNMP Commands 4-103

snmp-server community 4-103
snmp-server contact 4-104
snmp-server location 4-104
snmp-server host 4-105

vii

Contents

snmp-server enable traps 4-106
show snmp 4-107

Interface Commands 4-108

interface 4-108
description 4-109
speed-duplex 4-109
negotiation 4-110
capabilities 4-111
flowcontrol 4-112
shutdown 4-113
switchport broadcast packet-rate 4-114
clear counters 4-114
show interfaces status 4-115
show interfaces counters 4-116
show interfaces switchport 4-117

Mirror Port Commands 4-119

port monitor 4-119
show port monitor 4-120

Rate Limit Commands 4-121

rate-limit 4-121
rate-limit granularity 4-122
show rate-limit 4-122

Link Aggregation Commands 4-123

channel-group 4-124
lacp 4-125
lacp system-priority 4-126
lacp admin-key (Ethernet Interface) 4-127
lacp admin-key (Port Channel) 4-128
lacp port-priority 4-129
show lacp 4-129

Address Table Commands 4-133

mac-address-table static 4-134
clear mac-address-table dynamic 4-135
show mac-address-table 4-135
mac-address-table aging-time 4-136
show mac-address-table aging-time 4-136

Spanning Tree Commands 4-137

spanning-tree 4-137
spanning-tree mode 4-138
spanning-tree forward-time 4-139
spanning-tree hello-time 4-139
spanning-tree max-age 4-140
spanning-tree priority 4-141
spanning-tree pathcost method 4-141
spanning-tree transmission-limit 4-142

viii

Contents

spanning-tree cost 4-142
spanning-tree port-priority 4-143
spanning-tree edge-port 4-144
spanning-tree portfast 4-145
spanning-tree link-type 4-145
spanning-tree protocol-migration 4-146
show spanning-tree 4-147

VLAN Commands 4-149

Editing VLAN Groups 4-149

vlan database 4-149
vlan 4-150

Configuring VLAN Interfaces 4-151

interface vlan 4-151
switchport mode 4-152
switchport acceptable-frame-types 4-152
switchport ingress-filtering 4-153
switchport native vlan 4-154
switchport allowed vlan 4-155
switchport forbidden vlan 4-156

Displaying VLAN Information 4-156

show vlan 4-157

Configuring Private VLANs 4-158

private-vlan 4-159
private vlan association 4-160
switchport mode private-vlan 4-161
switchport private-vlan host-association 4-161
switchport private-vlan isolated 4-162
switchport private-vlan mapping 4-163
show vlan private-vlan 4-163

GVRP and Bridge Extension Commands 4-164

bridge-ext gvrp 4-164
show bridge-ext 4-165
switchport gvrp 4-165
show gvrp configuration 4-166
garp timer 4-166
show garp timer 4-167

Priority Commands 4-168

Priority Commands (Layer 2) 4-168

queue mode 4-169
switchport priority default 4-169
queue bandwidth 4-170
queue cos-map 4-171
show queue mode 4-172
show queue bandwidth 4-172
show queue cos-map 4-173

ix

Contents

Priority Commands (Layer 3 and 4) 4-174

map ip port (Global Configuration) 4-174
map ip port (Interface Configuration) 4-175
map ip precedence (Global Configuration) 4-175
map ip precedence (Interface Configuration) 4-176
map ip dscp (Global Configuration) 4-177
map ip dscp (Interface Configuration) 4-177
show map ip port 4-178
show map ip precedence 4-179
show map ip dscp 4-1 80

Multicast Filtering Commands 4-181

IGMP Snooping Commands 4-181

ip igmp snooping 4-182
ip igmp snooping vlan static 4-182
ip igmp snooping version 4-183
show ip igmp snooping 4-183
show mac-address-table multicast 4-184

IGMP Query Commands (Layer 2) 4-185

ip igmp snooping querier 4-185
ip igmp snooping query-count 4-185
ip igmp snooping query-interval 4-186
ip igmp snooping query-max-response-time 4-187
ip igmp snooping router-port-expire-time 4-187

Static Multicast Routing Commands 4-188

ip igmp snooping vlan mrouter 4-188
show ip igmp snooping mrouter 4-189

IP Interface Commands 4-190

ip address 4-190
ip default-gateway 4-191
ip dhcp restart 4-192
show ip interface 4-1 92
show ip redirects 4-193
ping 4-193

x

Contents

Appendix A: Software Specifications A-1

Software Features A-1
Management Features A-2
Standards A-2
Management Information Bases A-3

Appendix B: Troubleshooting B-1

Problems Accessing the Management Interface B-1
Using System Logs B-2

Glossary

Index

xi

Contents

xii

Tables

Table 1-1 Key Features 1-1
Table 1-2 System Defaults 1-5
Table 3-1 Configuration Options 3-3
Table 3-2 Main Menu 3-4
Table 3-3 Logging Levels 3-25
Table 3-4 HTTPS System Support 3-40
Table 3-5 802.1X Statistics 3-54
Table 3-6 LACP Port Counters 3-75
Table 3-7 LACP Internal Configuration Information 3-77
Table 3-8 LACP Neighbor Configuration Information 3-79
Table 3-9 Port Statistics 3-86
Table 3-10 Mapping CoS Values to Egress Queues 3-125
Table 3-11 CoS Priority Levels 3-125
Table 3-12 Mapping IP Precedence 3-129
Table 3-13 Mapping DSCP Priority Values 3-131
Table 3-14 Egress Queue Priority Mapping 3-133
Table 4-1 Command Modes 4-5
Table 4-2 Configuration Modes 4-7
Table 4-3 Command Line Processing 4-8
Table 4-4 Command Groups 4-9
Table 4-5 Line Commands 4-10
Table 4-6 General Commands 4-19
Table 4-7 System Management Commands 4-24
Table 4-8 Device Designation Commands 4-24
Table 4-9 User Access Commands 4-25
Table 4-10 Default Login Settings 4-26
Table 4-11 IP Filter Commands 4-28
Table 4-12 Web Server Commands 4-30
Table 4-13 HTTPS System Support 4-31
Table 4-14 Telnet Server Commands 4-33
Table 4-15 SSH Commands 4-34
Table 4-16 show ssh - display description 4-41
Table 4-17 Event Logging Commands 4-43
Table 4-18 Logging Levels 4-44
Table 4-19 show logging flash/ram - display description 4-47
Table 4-20 show logging trap - display description 4-48
Table 4-21 SMTP Alert Commands 4-49
Table 4-22 Time Commands 4-53
Table 4-23 System Status Commands 4-57
Table 4-24 Frame Size Commands 4-64
Table 4-25 Flash/File Commands 4-65
Table 4-26 File Directory Information 4-6 9

xiii

Tables

Table 4-27 Authentication Commands 4-71
Table 4-28 Authentication Sequence 4-71
Table 4-29 RADIUS Client Commands 4-73
Table 4-30 TACACS Commands 4-76
Table 4-31 Port Security Commands 4-79
Table 4-32 802.1X Port Authentication 4-81
Table 4-34 IP ACLs 4-90
Table 4-33 Access Control Lists 4-90
Table 4-35 Egress Queue Priority Mapping 4-96
Table 4-36 MAC ACLs 4-97
Table 4-37 Egress Queue Priority Mapping 4-101
Table 4-38 ACL Information 4-102
Table 4-39 SNMP Commands 4-103
Table 4-40 Interface Commands 4-108
Table 4-41 Interfaces Switchport Statistics 4-118
Table 4-42 Mirror Port Commands 4-119
Table 4-43 Rate Limit Commands 4-121
Table 4-44 Link Aggregation Commands 4-123
Table 4-45 show lacp counters - display description 4-130
Table 4-46 show lacp internal - display description 4-131
Table 4-47 show lacp neighbors - display description 4-132
Table 4-49 Address Table Commands 4-133
Table 4-48 show lacp sysid - display description 4-133
Table 4-50 Spanning Tree Commands 4- 137
Table 4-51 VLANs 4-149
Table 4-52 Editing VLAN Groups 4-149
Table 4-53 Configuring VLAN Interfaces 4-151
Table 4-54 Show VLAN Commands 4-156
Table 4-55 Private VLAN Commands 4-158
Table 4-56 GVRP and Bridge Extension Commands 4-164
Table 4-57 Priority Commands 4-168
Table 4-58 Priority Commands (Layer 2) 4-168
Table 4-59 Default CoS Priority Levels 4-171
Table 4-60 Priority Commands (Layer 3 and 4) 4-174
Table 4-61 Mapping IP Precedence Values 4-176
Table 4-62 IP DSCP to CoS Vales 4-178
Table 4-63 Multicast Filtering Commands 4-181
Table 4-64 IGMP Snooping Commands 4-181
Table 4-65 IGMP Query Commands (Layer 2) 4-185
Table 4-66 Static Multicast Routing Commands 4-188
Table 4-67 IP Interface Commands 4-190
Table B-1 Troubleshooting Chart B-1

xiv

Figures

Figure 3-1 Home Page 3-2
Figure 3-2 Panel Display 3-3
Figure 3-3 System Information 3-8
Figure 3-4 Switch Information 3-10
Figure 3-5 Bridge Extension Configuration 3-11
Figure 3-6 Manual IP Configuration 3-13
Figure 3-7 DHCP IP Configuration 3-14
Figure 3-8 Copy Firmware 3-16
Figure 3-9 Setting the Startup Code 3-16
Figure 3-10 Deleting Files 3-17
Figure 3-11 Downloading Configuration Settings for Startup 3-19
Figure 3-12 Setting the Startup Configuration Settings 3-19
Figure 3-13 Console Port Settings 3-21
Figure 3-14 Enabling Telnet 3-23
Figure 3-15 System Logs 3-25
Figure 3-16 Remote Logs 3-26
Figure 3-17 Displaying Logs 3-27
Figure 3-18 Enabling and Configuring SMTP Alerts 3-29
Figure 3-19 Resetting the System 3-30
Figure 3-20 SNTP Configuration 3-31
Figure 3-21 Setting the System Clock 3-32
Figure 3-22 Configuring SNMP 3-34
Figure 3-23 Configuring IP Trap Managers 3-35
Figure 3-24 Access Levels 3-36
Figure 3-25 Authentication Settings 3-39
Figure 3-26 HTTPS Settings 3-41
Figure 3-27 SSH Host-Key Settings 3-45
Figure 3-28 SSH Server Settings 3-46
Figure 3-29 Configuring Port Security 3-48
Figure 3-30 802.1X Global Information 3-50
Figure 3-31 802.1X Global Configuration 3-51
Figure 3-32 802.1X Port Configuration 3-52
Figure 3-33 802.1X Port Statistics 3-55
Figure 3-34 IP Filter 3-56
Figure 3-35 Selecting ACL Type 3-58
Figure 3-36 ACL Configuration - Standard IP 3-59
Figure 3-37 ACL Configuration - Extended IP 3-61
Figure 3-38 ACL Configuration - MAC 3-62
Figure 3-39 Binding a Port to an ACL 3-63
Figure 3-40 Displaying Port/Trunk Information 3-65
Figure 3-41 Port/Trunk Configuration 3-67
Figure 3-42 Configuring Port Trunks 3-69

xv

Figures

Figure 3-43 LACP Configuration 3-71
Figure 3-44 LACP Port Configuration 3-74
Figure 3-45 LACP - Port Counters Information 3-76
Figure 3-46 LACP - Port Internal Information 3-78
Figure 3-47 LACP - Port Neighbors Information 3-79
Figure 3-48 Port Broadcast Control 3-81
Figure 3-49 Mirror Port Configuration 3-83
Figure 3-50 Rate Limit Granularity Configuration 3-84
Figure 3-51 Output Rate Limit Port Configuration 3-85
Figure 3-52 Port Statistics 3-89
Figure 3-53 Configuring a Static Address Table 3-91
Figure 3-54 Configuring a Dynamic Address Table 3-92
Figure 3-55 Setting the Address Aging Time 3-93
Figure 3-56 Displaying Spanning Tree Information 3-96
Figure 3-57 Configuring Spanning Tree 3-99
Figure 3-58 Displaying Spanning Tree Information 3-102
Figure 3-59 Configuring Spanning Tree per Port 3-104
Figure 3-60 Enabling GVRP 3-108
Figure 3-61 Displaying Basic VLAN Information 3-108
Figure 3-62 Displaying Current VLANs 3-110
Figure 3-63 Configuring a VLAN Static List 3-111
Figure 3-64 Configuring a VLAN Static Table 3-113
Figure 3-65 VLAN Static Membership by Port 3-114
Figure 3-66 Configuring VLANs per Port 3-116
Figure 3-67 Private VLAN Information 3-118
Figure 3-68 Private VLAN Configuration 3-119
Figure 3-69 Private VLAN Association 3-120
Figure 3-70 Private VLAN Port Information 3-121
Figure 3-71 Private VLAN Port Configuration 3-122
Figure 3-72 Port Priority Configuration 3-124
Figure 3-73 Traffic Classes 3-126
Figure 3-74 Queue Mode 3-127
Figure 3-75 Configuring Queue Scheduling 3-128
Figure 3-76 IP Precedence/DSCP Priority Status 3-129
Figure 3-77 IP Precedence Priority 3-130
Figure 3-78 IP DSCP Priority 3-131
Figure 3-79 IP Port Priority Status 3-132
Figure 3-80 IP Port Priority 3-133
Figure 3-81 ACL CoS Priority 3-134
Figure 3-82 IGMP Configuration 3-137
Figure 3-83 Multicast Router Port Information 3-138
Figure 3-84 Static Multicast Router Port Configuration 3-139
Figure 3-85 IP Multicast Registration Table 3 - 140
Figure 3-86 IGMP Member Port Table 3-141

xvi

Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a
management agent that allows you to configure the features listed in this manual.
The default configuration can be used for most of the features provided by t his
switch. However, there are many options that you should configure to maximize the
switch’s performance for your particular network environment.

Key Features

Table1-1 Key Features

Feature Description

Configuration Backup
and Restore

Authentication Console, Telnet, web – User name / password, RADIUS, TACACS+

Access Control Lists Supports up to 88 IP or MAC ACLs
DHCP Client Supported
Port Configuration Speed, duplex mode and flow control
Rate Limiting Input and output rate limiting per port
Port Mirroring One port mirrored to a single analysis port
Port Trunking Supports up to 4 trunks using either static or dynamic trunking (LACP)
Broadcast Storm

Control
Static Address Up to 8K MAC addresses in the forwarding table
IEEE 802.1D Bridge Supports dynamic data switching and addresses learning
Store-and-Forward

Switching
Spanning Tree

Algorithm
Virtual LANs Up to 255 using IEEE 802.1Q, port-based, or private VLANs
Traffic Prioritization Default port priority, traffic class map, queue scheduling, IP Precedence or

Multicast Filtering Supports IGMP snooping and query

Backup to TFTP server

Web – SSL/HTTPS; Telnet – SSH
SNMP v1/2c – Community strin g s
Port – IEEE 802.1X, MAC address filtering

Supported

Supported to ensure wire-speed switching while eliminating bad frames

Supports standard STP and Rapid Spanning Tree Protocol (RSTP)

Differentiated Services Code Point (DSCP), and TCP/UDP Port

1-1

Introduction

1

Description of Software Features

The switch provides a wide range of advanced performance enhancing features.
Flow control eliminates the loss of packets due to bottlenecks caused by port
saturation. Broadcast storm suppression prevents broadcast traffic storms from
engulfing the network. Port-based and private VLANs, plus support for automatic
GVRP VLAN registration provide traffic security and efficient use of network
bandwidth. CoS priority queueing ensures the minimum delay for moving real-time
multimedia data across the network. While multicast filteri ng provides support for
real-time network applications. Some of the management features are briefly
described below .

Configuration Backup and Restore – You can save the current configuration
settings to a file on a TFTP server, and later download this file to restore the switch
configuration settings.

Authentication – This switch authenticates management access via the console
port, T eln et or web browser . User names and p asswords can be configured locally or
can be verified via a remote authentication server (i.e., RADIUS or TACACS+).
Port-based authentication is also supported via the IEEE 802.1X protocol. This
protocol uses the Extensible Authentication Protocol over L ANs (EAPOL) to request
user credentials from the 802.1X client, and then verifies the client’s right to access
the network via an authentication server.

Other authentication options include HTTPS for secure management ac cess via t he
web, SSH for secure management access over a Telnet-equivalent connection, IP
address filtering for SNMP/web/Telnet management access, and MAC address
filtering for port access.

Access Control Lists – ACLs provide packet filtering for IP frames (based on
address, protocol, TCP/UDP port number or TCP control code) or any frames
(based on MAC address or Ethernet type). ACLs can be used to improve
performance by blocking unnecessary network traffic or to implement security
controls by restricting access to specific network resources or protocols.

Port Configuration – You can manually configure the speed, duplex mode, and
flow control used on specific ports, or use auto-negotiation to detect the connection
settings used by the attached device. Use the full-duplex mode on ports whenever
possible to double the throughput of switch connecti ons. Flow control should also be
enabled to control network traffic during periods of congestion and prevent the loss
of packets when port buff er thresholds are exceeded. The switch supports flow
control based on the IEEE 802.3x standard.

Rate Limiting – This feature controls the maximum rate for traffic transmitted or
received on an interface. Rate limiting is configured on interfaces at the edge of a
network to limit traffic into o r out of the network. T r affic th at falls within t he rate limit is
transmitted, while packets that exceed the acceptable amount of traffic are dropped.

1-2

Description of Software Features

Port Mirroring – The switch can unobtrusively mirror traffic from any port to a
monitor port. You can then attach a protocol analyzer or RMON probe to this port to
perform traffic analysis and verify connection integrity.

Port Trunking – Ports can be combined into an aggregate connection. Trunks can
be manually set up or dynamically configured using I EEE 802. 3ad Lin k Ag gregatio n
Control Protocol (LACP). The additional ports dramatically increase the throughput
across any connection, and provide redundancy by taking over the load if a port in
the trunk should fail. The switch supports up to four trunks.

Broadcast Storm Control – Broadcast s uppress ion preve nts broadcast traffic from
overwhelming the network. When enabled on a port, the level of broadcast traffic
passing through the port is restricted. If broadcast traffic rises above a pre-defined
threshold, it will be throttled until the level falls back beneath the threshold.

Static Addresses – A static address can be assigned to a specific interface on this
switch. Static addresses are bound to the assigned interface and will not be moved.
When a static address is seen on another interface, the address will be igno red and
will not be written to the address table. Static addresses can be used to provide
network security by restricting access for a known host to a specific port.

IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The
address table facilitates data switching by learning addresses, and then filtering or
forwarding traffic based on this information. The address table supports up to 8K
addresses.

Store-and-Forward Switching – The switch copies each frame into its memory
before forwarding them to another port. This ensures that all frames are a standard
Ethernet size and have been verified for accuracy with the cyclic redun dancy check
(CRC). This prevents bad frames from entering the network and wasting bandwidth.

To avoid dropping frames on congested ports, the switch provides 8 MB for frame
buffering. This buffer can queue packets awaiting transmission on congested
networks.

Spanning Tree Algorithm – The switch supports these spanning tree protocols:
Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection

and recovery by allowing two or more redundant connect ions to be crea ted between
a pair of LAN segments. When there are multip le physical p ath s between se gments,
this protocol will choose a single path and disable all others to ensure that only one
route exists between any two stations on the network. This prevents the creation of
network loops. However, if the chosen path should fail for any reason, an alternate
path will be activated to maintain the connection.

Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the
convergence time for network topology changes to 3 to 5 seconds, compared to 30
seconds or more for the older IEEE 802.1D STP standard. It is intended as a
complete replacement for STP, but can still interoperate with switches running the
older standard by automatically reconfiguring ports to STP-compliant mode if they
detect STP protocol messages from attached devices.

1

1-3

Introduction

1

Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection
of network nodes that share the same collision domain regardless of their physical
location or connection point in the network. The switch supports tagged VLANs
based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically
learned via GVRP, or ports can be manually assigned to a specific set of VLANs.
This allows the switch to restrict traffic to the VLAN groups to which a user has been
assigned. By segmenting your network into VLANs, you can:

• Eliminate broadcast storms which severely degrade performance in a flat network.

• Simplify network management for node changes/moves by remotely configurin g
VLAN membership for any port, rather than having to manually change the network
connection.

• Provide data security by restricting all traffic to the originating VLAN.

• Use private VLANs to restrict traffic to pass only between data ports and the uplink
ports, thereby isolating adjacent ports within the s ame VLAN, and al lowing you t o
limit the total number of VLANs that need to be configured.

Traffic Prioritization – This switch prioritizes each packet based on the requi red
level of service, using four priority queues with strict or Weighted Round Robin
Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize inc oming traffic based on
input from the end-station application. These functions can
independent priorities for delay-sensitive data and best-effort data.

This switch also supports several common methods of prioritizing layer 3/4 traffic to
meet application requirements. Traffic can be prioritized based on the priority bits in
the IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port.
When these services are enabled, the priorities are mapped to a Class of Service
value by the switch, and the traffic then sent to the corresponding output queue.

Multicast Filtering – Specific mul ticast traffic can be assigned to its own VLAN to
ensure that it does not interfere with normal network traffic and to guarantee
real-time delivery by setting the required priority level for the designated VLAN. The
switch uses IGMP Snooping and Query to manage multicast group registration.

be used to provide

1-4

System Defaults

1

System Defaults

The switch’s system defaults are provided in the configuration file
“Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as
the startup configuration file (page 3-20).

The following table lists some of the basic system defaults.

Table1-2 System Defaults

Function Parameter Default

Console Port
Connection

Authentication Privileged Exec Level Username “admin”

Web Management HTTP Server Enabled

SNMP Community Strings “public” (read only)

Baud Rate 9600
Data bits 8
Stop bits 1
Parity none
Local Console Timeout 0 (disabled)

Password “admin”

Normal Exec Level Username “guest”

Enable Privileged Exec from Normal
Exec Level

RADIUS Authentication Disabled
TACACS Authentication Disabled

802.1X Port Authentication Disabled
HTTPS Enabled
SSH Disabled
Port Security Disabled
IP Filtering Disabled

HTTP Port Number 80
HTTP Secure Server Enabled
HTTP Secure Port Number 443

Traps Authentication traps: enabled

Password “guest”
Password “super”

“private” (read/write)

Link-up-down events: enabled

1-5

Introduction

1

Table1-2 System Defaults (Continued)

Function Parameter Default

Port Configuration Admin Status Enabled

Auto-negotiation Enabled

Flow Control Disabled
Rate Limiting Input and output limits Disabled
Port Trunking Static Trunks None

LACP (all ports) Disabled
Broadcast Storm

Protection

Spanning Tree
Algorithm

Address Table Aging Time 300 seconds
Virtual LANs Default VLAN 1

Traffic Prioritization Ingress Port Priority 0

IP Settings IP Address 0.0.0.0

Multicast Filtering IGMP Snooping Snooping: Enabled

Status Disabled (all ports)

Broadcast Limit Rate 32,000 octets per second

Status Enabled

(Defaults: All values based on IEEE 802.1w)

Fast Forwarding (Edge Port) Disabled

PVID 1

Acceptable Frame Type All

Ingress Filtering Disabled

Switchport Mode (Egress Mode) Hybrid: tagged/untagged frames

GVRP (global) Disabled

GVRP (port interface) Disabled

Weighted Round Robin Queue: 0 1 2 3

Weight: 1 2 4 6
IP Precedence Priority Disabled
IP DSCP Priority Disabled
IP Port Priority Disabled

Subnet Mask 255.0.0.0
Default Gateway 0.0.0.0
DHCP Client: Enabled
BOOTP Disabled

Querier: Enabled

1-6

System Defaults

Table1-2 System Defaults (Continued)

Function Parameter Default

System Log Status Enabled

Messages Logged Levels 0-7 (all)

Messages Logged to Flash Levels 0-3
SMTP Email Alerts Event Handler Enabled (but no server defined)
SNTP Clock Synchronization Disabled

1

1-7

1

Introduction

1-8

Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent off ers a variety
of management options, including SNMP, RMON and a web-based interface. A PC
may also be connected directly to the switch for configuration and monitoring via a
command line interface (CLI).

Note: The IP address for this switch is obtained via DHCP by default. To change this

address, see “Setting an IP Address” on page 2-5.

The switch’s HTTP Web agent allows you to configure switch parameters, monitor
port connections, and display statistics using a standard Web browser such as
Netscape Navigator version 6.2 and higher or Microsoft IE version 5.0 and higher.
The switch’s Web management interf ace can be accessed from any computer
attached to the network.

The CLI program can be accessed by a direct connection to the RS-232 serial
console port on the switch, or remotely by a Telnet connection over the network.

The switch’s management agent also supports SNMP (Simple Network
Management Protocol). This SNMP agent permits the switch to be managed from
any system in the network using network management software such as
HP OpenView.

The switch’s Web interface, CLI configu ration program, and SNMP agent allow you
to perform the following management functions:

• Set user names and passwords for up to 16 users

• Set an IP interface for any VLAN

• Configure SNMP parameters

• Enable/disable any port

• Set the speed/duplex mode for any port

• Configure the bandwidth of any port by limiting input or output rates

• Control port access through IEEE 802.1X security or static address filtering

• Filter packets using Access Control Lists (ACLs)

• Configure up to 255 IEEE 802.1Q VLANs

• Enable GVRP automatic VLAN registration

• Configure IP routing for unicast traffic.

• Configure IGMP multicast filtering

• Upload and download system firmware via TFTP

• Upload and download switch configuration files via TFTP

• Configure Spanning Tree parameters

2-1

Initial Configuration

2

• Configure Class of Service (CoS) priority queuing

• Configure up to 4 static or LACP trunks

• Enable port mirroring

• Set broadcast storm control on any port

• Display system information and statistics

• Configure any stack unit through the same IP address

Required Connections

The switch provides an RS-232 serial port that enables a connection to a PC or
terminal for monitoring and configuring the switch. A null-modem console cable is
provided with the switch.

Note: When configuring a stack, connect to the console port on the Master unit.

Attach a VT100-compatible terminal, or a PC running a terminal emulation program
to the switch. You can use the console cable provided with this package, or use a
null-modem cable that complies with the wiring assignments shown in the
Installation Guide.

To connect a terminal to the console port, complete the following steps:

1. Connect the console cable to the serial port on a terminal, or a PC running
terminal emulation software, and tighten the captive retaining screws on the
DB-9 connector.

2. Connect the other end of the cable to the RS-232 serial port on the switch.

3. Make sure the terminal emulation software is set as follows:

• Select the appropriate serial port (COM port 1 or COM port 2).

• Set the baud rate to 9600 bps.

• Set the data format to 8 data bits, 1 stop bit, and no parity.

• Set flow control to none.

• Set the emulation mode to VT100.

• When using HyperTerminal, select Terminal keys, not Windows keys.

Notes: 1. When using HyperTerminal with Microsoft® Windows® 2000, make sure that

you have Windows 2000 Service Pack 2 or later installed. Windows 2000
Service Pack 2 fixes the problem of arrow keys not functioning in
HyperTerminal’s VT100 emulation. See www.microsoft.com for information
on Windows 2000 service packs.

2. Refer to “Line Commands” on page 4-10 for a complete description of
console configuration options.

3. Once you have set up the terminal correctly, the console login screen will be
displayed.

For a description of how to use the CLI, see “Using the Command Line Interface” on
page 4-1. For a list of all the CLI commands and detailed information on using the
CLI, refer to “Command Groups” on page 4-9.

2-2

Stack Operations

2

Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must
first configure it with a valid IP address, subnet mask, and default gateway using a
console connection, DHCP or BOOTP protocol.

The IP address for this switch is obtained via DHCP by default. To manually
configure this address or enable dynamic address assignment via DHCP or BOOTP,
see “Setting an IP Address” on page 2-5.

Note: This switch supports four concurrent Telnet/SSH sessions.

After configuring the switch’s IP parameters, you can access the onboard
configuration program from anywhere within the attached network. The onboard
configuration program can be accessed usin g Telnet from any c omput er a ttached to
the network. The switch can also be managed by any computer using a web
browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above), or
from a network computer using SNMP network management software.

Note: The onboard program only provides access to basic configuration functions. To

access the full range of SNMP management functions, you must use
SNMP-based network management software.

Stack Operations

Up to eight switches can be stacked together as described in the Installation Guide.
One unit in the stack acts as the Master for configuration tasks and firmware
upgrade. All of the other units function in Slave mode.

To configure any unit in the stack, first verify the unit number by co unt ing down fr om
the Master unit, and then select the appropriate unit number from the web or
console management interface.

Selecting the Stack Master

Note the following points about unit numbering:

• When the stack is initially powere d on, the Master unit is designated as un it 1. The
stack is simply numbered from top to bottom, with the first unit in the stack
designated at unit 1. This unit identificati on number can be selected on the front
panel graphic of the web interface, or from the CLI.

• If more than one stack Master is selected using the Master push button on the
switch’s front panel, the stack will not function.

• If any unit fails, the stack will not function. You must replace the failed unit, and
reconnect the stacking cables to restore a ring topology.

• If a unit in the stack fails or is removed from the stack, the unit numbers will not
change. This means that when you replace a unit in the stack, the original
configuration for the failed unit will be restored to the replacement unit.

2-3

Initial Configuration

2

Recovering from Stack Failure or Topology Change

When a link or unit in the stack fails, a trap message is sent and a failure event is
logged. The stack will be rebooted after any system failure or topology change. It
takes two to three minutes for the stack to reboot. Also note that powering down a
unit or inserting a new unit in the stack will cause the stack to reboot.

Resilient IP Interface for Management Access

The stack functions as one integral system for management and configuration
purposes. You can therefore manage the stack through any port in the VLAN that
has been assigned an IP address. The Master unit d oes not even have t o include an
active port member in the VLAN interface used for ma nagement access. Howeve r , if
the unit to which you normally connect for management access fails, and there are
no active port members on the other units within this VLAN interface, then this IP
address will no longer be available. To retain a c onst ant IP addre ss for manage ment
access across fail over events, you should include port members on several units
within the primary VLAN used for stack management.

Basic Configuration

Console Connection

The CLI program provides two different command levels — normal access level
(Normal Exec) and privileged access level (Privileged Exec). The commands
available at the Normal Exec level are a limited subset of those available at the
Privileged Exec level and allow you to only display information and use basic
utilities. To fully configure the switch parameters, you must access the CLI at the
Privileged Exec level.

Access to both CLI levels are controlled by user names and passwords. The switch
has a default user name and password for each level. To log into the CLI at the
Privileged Exec level using the default user name and pas sword, perform these
steps:

1. To initiate your console connection, press <Enter>. The “User Access
Verification” procedure starts.

2. At the Username prompt, enter “admin.”

3. At the Password prompt, also enter “admin.” (The password characters are not
displayed on the console screen.)

4. The session is opened and the CLI displays the “Console#” prompt indicating
you have access at the Privileged Exec level.

2-4

Basic Configuration

2

Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new

passwords for both default user names using the “username” command, record
them and put them in a safe place.

Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the def ault user name and password “admin” t o
access the Privileged Exec level.

2. Type “configure” and press <Enter>.

3. Type “username gu est password 0 password, ” for the Normal Exec level, wh ere
password is your new password. Press <Enter>.

4. Type “username admin password 0 password,” for the Privileged Exec level,
where password is your new password. Press <Enter>.

Note: ‘0’ specifies the password in plain text, ‘7’ specifies the password in encrypted

form.

Username: admin
Password:

CLI session with the GSW-2692 24-Port 10/100M + 2G Combo L2
Stackable Switchis opened.
To end the CLI session, enter [Exit].

Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

Setting an IP Address

You must establish IP address information for the switch to obtain management
access through the network. This can be done in either of the following ways:

Manual — Y ou have to inpu t the information, incl uding IP address and subnet mask.
If your management station is not in the same IP subnet as the switch, you will also
need to specify the default gateway router.

Dynamic — The switch sends IP configuration requests to BOOTP or DHCP
address allocation servers on the network.

Manual Configuration

You can manually assign an IP address to the switch. You may also need to specify
a default gateway that resides between this device and management stations that
exist on another network segment. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.

2-5

Initial Configuration

2

Note: The IP address for this switch is obtained via DHCP by default.

Before you can assign an IP address to the switch, you must obtain the following
information from your network administrator:

• IP address for the switch

• Default gateway for the network

• Network mask for this network
To assign an IP address to the switch, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type
“interface vlan 1” to access the interface-configuration mode. Press <Enter>.

2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP
address and “netmask” is the network mask for the network. Press <Enter>.

3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.

4. To set the IP address of the default gateway for the network to which the switch
belongs, type “ip default-gateway gateway,” where “gateway” is the IP address
of the default gateway. Press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
Console(config)#

Dynamic Configuration

If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until
a BOOTP or DHCP reply has been received. You therefore need to use the “ip dhcp
restart” command to start broadcasting service requests. Requests will be sent
periodically in an effort to obtain IP configuration information. (BOOTP and DHCP
values can include the IP address, subnet mask, and default ga teway.)

If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the
switch will start broadcasting service requests as soon as it is powered on.

To automatically configure the switch by communicating with BOOTP or DHCP
address allocation servers on the network, complete the following steps:

1. From the Global Configuration mode prompt, type “interface vlan 1” to access
the interface-configuration mode. Press <Enter>.

2. At the interface-configuration mode prompt, use one of the following commands:

• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.

• To obtain IP settings via BOOTP, type “ip add ress bo otp ” and press < Ent er>.

3. Type “end” to return to the Privileged Exec mode. Press <Enter>.

4. Type “ip dhcp restart” to begin broadcasting service requests. Press <Enter>.

2-6

Basic Configuration

2

5. Wait a few minutes, and then check the IP configuration settings by typing the
“show ip interface” command. Press <Enter>.

6. Then save your configuration changes by typing “copy running-config
startup-config.” Enter the startup file name and press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.

\Write to FLASH finish.
Success.

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple
Network Management Protocol (SNMP) applications such as HP OpenView. You
can configure the switch to (1) respond to SNMP requests or (2) generate SNMP
traps.

When SNMP management stations send requests to the switch (either to return
information or to set a parameter), t he switch provides t he requested dat a or set s the
specified parameter. The switch can also be configured to send information to
SNMP managers (without being requested by the managers) through trap
messages, which inform the manager that certain events have occurred.

Community Strings

Community strings are used to control management access to SNMP stations, as
well as to authorize SNMP stations to receive trap messages from the swi tch. You
therefore need to assign community strings to specified users or user groups, and
set the access level.

The default strings are:

• public - with read-only access. Authorized management stations are only able to

retrieve MIB objects.

• private - with read-write access. Authorized management stations are able t o both

retrieve and modify MIB objects.

Note: If you do not intend to utilize SNMP, we recommend that you delete both of the

default community strings. If there are no community strings, then SNMP
management access to the switch is disabled.

To prevent unauthorized access to the switch via SNMP, it is recommended that you
change the default community strings.

2-7

Initial Configuration

2

To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type
“snmp-server community string mode,” where “string” is the community access
string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that
the default mode is read only.)

2. To remove an existing string, simply type “no snmp-server community string,”
where “string” is the community access string to remove. Press <Enter>.

Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#

Trap Receivers

You can also specify SNMP stations that are to receive traps from the switch.
To configure a trap receiver, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type
“snmp-server host host-address community-string,” where “host-address” is the
IP address for the trap receiver and “community-string” is the string associated
with that host. Press <Enter>.

2. In order to configure the switch to send SNMP notifications, you must enter at
least one snmp-server enable traps command. Type “snmp-server enable traps
type,” where “type” is either authentication or link-up-down. Press <Enter>.

Console(config)#snmp-server enable traps link-up-down
Console(config)#

Saving Configuration Settings

Configuration commands only modify the running configuration file and are not
saved when the switch is rebooted. To save all your configuration changes in
nonvolatile storage, you must copy the running configurat ion file to the start-up
configuration file using the “copy” command.

To save the current configuration settings, enter the following command:

1. From the Privileged Exec mode prompt, type “copy running-config
startup-config” and press <Enter>.

2-8

2. Enter the name of the start-up file. Press <Enter>.

Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.

\Write to FLASH finish.
Success.

Console#

Managing System Files

2

Managing System Files

The switch’s flash memory supports three types of system files that can be mana ged
by the CLI program, Web interface, or SNMP. The switch’s file system al lows files to
be uploaded and downloaded, copied, deleted, and set as a start-up file.

The three types of files are:

• Configuration — This file stores system configuration information and is created
when configuration settings are saved. Saved configuration files can be selected
as a system start-up file or can be uploaded via TFTP to a server for backup. A file
named “Factory_Default_Config.cfg” contains all the syst em default settings and
cannot be deleted from the system. See “Saving or Restoring Configuration
Settings” on page 3-18 for more information.

• Operation Code — System software that is executed after boot -up, also known as
run-time code. This code runs the switch operations and provides the CLI and Web
management interfaces. See “Managing Firmware” on page 3-15 for more
information.

• Diagnostic Code — Software that is run during system boot-up, also known as
POST (Power On Self-Test).

Due to the size limit of the flash memory, the switch supports only two operation
code files. However, you can have as many diagnostic code files and configuration
files as available flash memory space allows.

In the system flash memory, one file of each type must be set as the start-up file.
During a system boot, the diagnostic and operation code files set as the start-up file
are run, and then the start-up configuration file is loa ded.

Note that configuration files should be d ownloaded using a f ile name that reflect s the
contents or usage of the file settings. If you downl oad directly to the running-config,
the system will reboot, and the settings will have to be copied from the
running-config to a permanent file.

2-9

Initial Configuration

2

2-10

Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP Web agent. Using a We b browser you can
configure the switch and view statistics to monitor network activity. The Web agent
can be accessed by any computer on the network using a standard Web browser
(Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).

Note:

You can also use the Command Line Interface (CLI) to manage the switch over a
serial connection to the console port or via Telnet. For more information on using
the CLI, refer to Chapter 4: “Command Line Interface.”

Prior to accessing the switch from a Web browser, be sure you have first performed
the following tasks:

1. Configure the switch with a valid IP address, subnet mask, and default gateway

using an out-of-band serial connection, BOOTP or DHCP protocol. (See
“Setting an IP Address” on page 2-5.)

2. Set user names and passwords using an out-of-band serial connect ion. Access

to the Web agent is controlled by the same user names and passwords as the
onboard configuration program. (See “Setting Passwords” on page 2-5.)

3. After you enter a user name and password, you will have access to the system

configuration program.

Notes: 1.

You are allowed three attempts to enter the correct password; on the third
failed attempt the current connection is terminated.

2. If you log into the Web interface as guest (Normal Exec level), you can view

the configuration settings or change the guest password. If you log in as
“admin” (Privileged Exec level), you can change the settings on any page.

3. If the path between your management station and this switch does not pass

through any device that uses the Spanning Tree Algorithm, then you can set
the switch port attached to your management station to fast forwarding (i.e.,
enable Admin Edge Port) to improve the switch’s response time to
management commands issued through the web interface. See “Configuring
Interface Settings” on page 3-103.

3-1

Configuring the Switch

3

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and
password. The administrator has Read/Write access to all co nfigurat i on p arame ters
and statistics. The default use r name and password for the administrator is “admin.”

Home Page

When your web browser connects with the switch’s web agent, the home page is
displayed as shown below. The home page displays the Main Menu on the left side
of the screen and System Information on the right side. The Main Menu links are
used to navigate to other menus, and display configuration parameters and
statistics.

3-2

Figure 3-1 Home Page

Panel Display

3

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a conf iguration
change has been made on a page, be sure to click on the Apply button to confirm
the new setting. The following table summarizes the web page configuration
buttons.

Table 3-1 Configuration Options

Button Action

Revert Cancels specified values and restores current values prior to pressing Apply.
Apply Sets specified values to the system.
Help Links directly to webhelp.

Notes: 1.

To ensure proper screen refresh, be sure that Internet Explorer 5.x is
configured as follows: Under the menu “Tools / Internet Options / General /
Temporary Internet Files / Settings,” the setting for item “Check for newer
versions of stored pages” should be “Every visit to the page.”

2. When using Internet Explorer 5.0, you may have to manually refresh the

screen after making configuration changes by pressing the browser’s refresh
button.

Panel Display

The web agent displays an image of the switch’s ports. The Mode can be set to
display different information for the ports, including Active (i.e., up or down), Duplex
(i.e., half or full duplex, or Flow Control (i.e., with or without flow control). Cli cking on
the image of a port opens the Port Configuration page as described on page 3-66.

Figure 3-2 Panel Display

3-3

Configuring the Switch

3

Main Menu

Using the onboard web agent, you can define system parameters, manage and
control the switch, and all its ports, or monitor network conditions. The following
table briefly describes the selections available from this program.

Table 3-2 Main Menu

Menu Description Page

System 3-8

System Information Provides basic system description, including contact information 3-8
Switch Information Shows the number of ports, hardware/firmware version

Bridge Extension Shows the bridge extension parameters 3-11
IP Configuration Sets the IP address for management access 3-12
File 3-15

Copy Allows the transfer and copying files 3-15
Delete Allows deletion of files from the flash memory 3-16
Set Startup Sets the startup file 3-16

Line 3-20

Console Sets console port connection parameters 3-20
Telnet Sets Telnet connection parameters. 3-22

Log 3-24

Logs Stores and displays error messages 3-24
System Logs Sends error messages to a logging process 3-24
Remote Logs Configures the logging of messages to a remote logging process 3-26
SMTP Logs Sends an SMTP client message to a participating server 3-28

Reset Restarts the switch 3-30

SNTP 3-31

Configuration Configures SNTP client settings, including broadcast mode or a

Clock Time Zone Sets the local time zone for the system clock 3-32

SNMP 3-33

Configuration Configures community strings and related trap functions 3-33

Security 3-35

User Accounts Assigns a new password for the current user 3-35
Authentication Settings Configures authentication sequence, RADIUS and TACACS 3-37
HTTPS Settings Configures secure HTTP settings 3-40

numbers, and power status

specified list of servers

3-9

3-31

3-4

Main Menu

3

Table 3-2 Main Menu

Menu Description Page

SSH 3-42

Host-Key Settings Generates the host key pair (public and private) 3-44
Settings Configures Secure Shell server settings 3-46

Port Security Configures per port security, including status, respo n s e fo r

802.1X Port authentication 3-49
Information Displays global configuration settings 3-51
Configuration Configures the global configuration setting 3-51
Port Configuration Sets parameters for individual ports 3-51
Statistics Displays protocol statistics for the selected port 3-54

ACL 3-57

Configuration Configures packet filtering based on IP or MAC addresses 3-57
Port Binding Binds a port to the specified ACL 3-63

IP Filter Sets IP addresses of clients allowed management access via

Port 3-64

Port Information Displays port connection status 3-64
Trunk Information Displays trunk connection status 3-64
Port Configuration Configures port connection settings 3-66
Trunk Configuration Configures trunk connection settings 3-66
Trunk Membership Specifies ports to group into static trunks 3-69
LACP 3-68

Configuration Allows ports to dynamically join trunks 3-70
Aggregation Port Configures parameters for link aggregation group members 3-73
Port Counters Displays statistics for LACP protocol messages 3-75
Port Internal Information Displays settings and operational state for the local side 3-77
Port Neighbors Information Displays settings and operational state for the remo te side 3-79

Port Broadcast Control Sets the broadcast storm threshold for each port 3-81
Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 3-81
Mirror Port Configuration Sets the source and target ports for mirroring 3-82
Rate Limit 3-83

Granularity Enables or disables the rate limit feature 3-84
Input Port Configuration Sets the input rate limit for each port 3-84

security breach, and maximum allowed MAC addresses

the Web, SNMP, and Telnet

(Continued)

3-47

3-55

3-5

Configuring the Switch

3

Table 3-2 Main Menu

Menu Description Page

Input Trunk Configuration Sets the input rate limit for each trunk 3-84
Output Port Configuration Sets the output rate limit for each port 3-84
Output Trunk Configuration Sets the output rate limit for each trunk 3-84

Port Statistics Lists Ethernet and RMON port statistics 3-85

Address Table 3-90

Static Addresses Displays entries for interface, address or VLAN 3-90
Dynamic Addresses Displays or edits static entries in the Address Table 3-91
Address Aging Sets timeout for dynamically learned entries 3-93

Spanning Tree 3-93

STA

Information Displays STA values used for the bridge 3-94
Configuration Configures global bridge settings for STA and RSTP 3-97
Port Information Displays individual port settings for STA 3-100
Trunk Information Displays individual trunk settings for STA 3-100
Port Configuration Configures individual port settings for STA 3-103
Trunk Configuration Configures individual trunk settings for STA 3-103

VLAN 3-105

802.1Q VLAN
GVRP Status Enables GVRP VLAN registration protocol 3-108
Basic Information Displays information on the VLAN type supported by this switch 3-108
Current Table Shows the current port members of each VLAN and whether or

Static List Used to crea te or remove VLAN groups 3-111
Static Table Modifies the settings for an existing VLAN 3-112
Static Membership by Port Configures membership type for interfaces, including tagged,

Port Configuration Specifies default PVID and VLAN attributes 3-115
Trunk Configuration Specifies default trunk VID and VLAN attributes 3-115

Private VLAN 3-117

Information Displays Private VLAN feature information 3-1 18
Configuration This page is used to create/remove primary or community

Association Each community VLAN must be associated with a primary VLAN 3-119

not the port is tagged or untagged

untagged or forbidden

VLANs

(Continued)

3-109

3-114

3-119

3-6

Main Menu

3

Table 3-2 Main Menu

Menu Description Page

Port Information Shows VLAN port type, and associated primary or secondary

Port Configuration Sets the private VLAN interface type, and as sociates the

Trunk Information Shows VLAN port type, and associated primary or secondary

Trunk Configuration Sets the private VLAN interface type, and associates the

Priority 3-123

Default Port Priority Sets the default priority for each port 3-123
Default Trunk Priority Sets the default priority for each trunk 3-123
Traffic Classes Maps IEEE 802.1p priority tags to output queues 3-125
Traffic Classes Status Enables/disables traffic class priorities (not implemented) NA
Queue Mode Sets queue mode to strict priority or Weighted Round-Robin 3-127
Queue Scheduling Configures Weighted Round Robin queueing 3-127
IP Precedence/

DSCP Priority Status
IP Precedence Priority Sets IP Type of Service priority, mapping the precedence tag to

IP DSCP Priority Sets IP Differentiated Services Code Point priority, mapping a

IP Port Priority Status Globally enables or disables IP Port Priority 3-129
IP Port Priority Sets TCP/UDP port priority, defining the socket number and

ACL CoS Priority Sets the CoS value and corresponding output queue for packets

IGMP Snooping 3-135

IGMP Configuration Enables multicast filtering; configures parameters for multicast

Multicast Router
Port Information

Static Multicast Router Port
Configuration

IP Multicast Registration
Table

IGMP Member PortTable Indicates multicast addresses associated with the selected

VLANs

interfaces with a private VLAN

VLANs

interfaces with a private VLAN

Globally selects IP Precedence or DSCP Priority, or disables
both.

a class-of-service value

DSCP tag to a class-of-service value

associated class-of-service value

matching an ACL rule

query
Displays the ports that are attached to a neighboring multicas t

router for each VLAN ID
Assigns ports that are attached to a neighborin g multicast rout er 3-138

Displays all multicast groups active on this switch, including
multicast IP addresses and VLAN ID

VLAN

(Continued)

3-120

3-121

3-120

3-121

3-129

3-129

3-131

3-132

3-133

3-136

3-137

3-140

3-141

3-7

Configuring the Switch

3

Basic Configuration

Displaying System Information

You can easily identify the system by displaying the device name, location and
contact information.

Field Attributes

• System Name – Name assigned to the switch system.

• Object ID – MIB II object ID for switch’s network management subsystem.

• Location – Specifies the system location.

• Contact – Administrator responsible for the system.

• System Up Time – Length of time the management agent has been up.
These additional parameters are displayed for the CLI.

• MAC Address – The physical layer address for this switch.

• Web server – Shows if management access via HTTP is enabled.

• Web server port – Shows the TCP port number used by the web interface.

• Web secure server – Shows if management access via HTTPS is enabled.

• Web secure server port – Shows the TCP port used by the HTTPS interface.

• Telnet server – Shows if management access via Telnet is enabled.

• Telnet port – Shows the TCP port used by the Telnet interface.

• Jumbo Frame – Shows if jumbo frames are enabled.

• POST result – Shows results of the power-on self-test.
Web – Click System, System Information. Specify the system name, location, and

contact information for the system administrator, then click Apply. (This page also
includes a Telnet button that allows access to the Command Line Interface via Telnet.)

Figure 3-3 System Information

3-8

Basic Configuration

CLI – Specify the hostname, location and contact information.

Console(config)#hostname R&D 5 4-25
Console(config)#snmp-server location WC 9 4-104
Console(config)#snmp-server contact Ted 4-104
Console(config)#exit
Console#show system 4-62
System description: GSW-2692 Layer2 Stackable Intelligent Switch
System OID string: 1.3.6.1.4.1.22426.1.4.2
System information
System Up time: 0 days, 2 hours, 4 minutes, and 7.13 seconds
System Name: R&D 5
System Location: WC 9
System Contact Ted
MAC address 00-30-F1-OC-2E-C0
Web server: enabled
Web server port: 80
Web secure server: enabled
Web secure server port: 443
Telnet server: enabled
Telnet port: 23
Jumbo Frame: Disabled
POST result

DUMMY Test 1.................PASS

UART LOOP BACK Test..........PASS

DRAM Test....................PASS

Timer Test...................PASS

RTC Initialization...........PASS

Switch Int Loopback test.....PASS

Done All Pass.
Console#

3

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version numbers for
the main board and management software, as well as the power status of the system.

Field Attributes

Main Board

• Serial Number – The serial number of the switch.

• Number of Ports – Number of built-in RJ-45 ports.

• Hardware Version – Hardware version of the main board.

• Internal Power Status – Displays the status of the internal power supply.

Management Software

• Loader Version – Version number of loader code.

• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.

• Operation Code Version – Version number of runtime code.

• Role – Shows that this switch is operating as Master or Slave.

Expansion Slot

• Expansion Slot 1/2 – Combination RJ-45/SFP ports.

3-9

Configuring the Switch

3

These additional parameters are displayed for the CLI.

• Unit ID – Unit number in stack.

• Redundant Power Status – Displays the status of the redundant power supply.
Web – Click System, Switch Information.

Figure 3-4 Switch Information

CLI – Use the following command to display version information.

Console#show version 4-63
Unit 1
Serial number: S416000949
Service tag:
Hardware version: R01
Module A type: 1000BaseT
Module B type: 1000BaseT
Number of ports: 28
Main power status: up
Redundant power status :not present

Agent (master)
Unit ID: 1
Loader version: 2.2.1.4
Boot ROM version: 2.2.1.8
Operation code version: 2.2.8.3

Console#

3-10

Basic Configuration

3

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast
Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to
display default settings for the key variables.

Field Attributes

• Extended Multicast Filtering Services – This switch does not support the filtering
of individual multicast addresses based on GMRP (GARP Multicast Registration
Protocol).

• Traffic Classes – This switch provides mapping of user priorities to multiple traff ic
classes. (Refer to “Class of Service Configuration” on page 3-123.)

• Static Entry Individual Port – This switch allows static filtering for unicast and
multicast addresses. (Refer to “Setting Static Addresses” on page 3-90.)

• VLAN Learning – This switch uses Independent VLAN Learning (IVL), where each
port maintains its own filtering database.

• Configurable PVID Tagging – This switch allows you to override the default Port
VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or
Untagged) on each port. (Refer to “VLAN Configuration” on page 3-105.)

• Local VLAN Capable – This switch does not support multiple local bridges outside
of the scope of 802.1Q defined VLANs.

• GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to
register endstations with multicast groups. This switch do es not support GMRP; it
uses the Internet Group Management Protocol (IGMP) to provide automatic
multicast filtering.

Web – Click System, Bridge Extension Configuration.

Figure 3-5 Bridge Extension Configuration

3-11

Configuring the Switch

3

CLI – Enter the following command.

Console#show bridge-ext 4-165
Max support VLAN numbers: 255
Max support VLAN ID: 4094
Extended multicast filtering services: No
Static entry individual port: Yes
VLAN learning: IVL
Configurable PVID tagging: Yes
Local VLAN capable: No
Traffic classes: Enabled
Global GVRP status: Disabled
GMRP: Disabled
Console#

Setting the Switch’s IP Address

This section describes how to configure an IP interface for management access
over the network. The IP address for this switch is obt ained vi a DHCP by defa ult. To
manually configure an address, you need to change the switch’s default settings
(IP address 0.0.0.0 and netmask 255.0.0.0) to values that are compatible with your
network. You may also need to a establish a default gateway between the switch
and management stations that exist on another net work segment.

You can manually configure a specific IP address, or direct the device to obtain an
address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.

Command Attributes

• Management VLAN – ID of the configured VLAN (1-4094, no leading ze roes). By

default, all ports on the switch are members of VLAN 1. However, the mana gement
station can be attached to a port belonging to any VLAN, as long as that VLAN ha s
been assigned an IP address.

• IP Address Mode – Specifies whether IP functionality is enabled via manual
configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot
Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not functi on until a reply has
been received from the server. Requests will be broadcast periodically by the
switch for an IP address. (DHCP/BOOTP values can include the IP address,
subnet mask, and default gateway.)

• IP Address – Address of the VLAN interface that is allowed management access.
Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
(Default: 0.0.0.0)

• Subnet Mask – This mask identifies the host address bits used for routing to
specific subnets. (Default: 255.0.0.0)

• Gateway IP address – IP address of the gateway router between this device and
management stations that exist on other network segments. (Default: 0.0.0.0)

• MAC Address – The physical layer address for this switch.

• Restart DHCP – Requests a new IP address from the DHCP server.

3-12

Basic Configuration

Manual Configuration

Web – Click System, IP Configuration. Select the VLAN through which the
management station is attached, set the IP Address Mode to “Static,” enter the IP
address, subnet mask and gateway, then click Apply.

Figure 3-6 Manual IP Configuration

CLI – Specify the managemen t interface, IP address and default gateway.

Console#config
Console(config)#interface vlan 1 4-108
Console(config-if)#ip address 192.168.1.57 255.255.255.0 4-190
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.250 4-191
Console(config)#

3

3-13

Configuring the Switch

3

Using DHCP/BOOTP

If your network provides DHCP/BOOTP services, you can configure the switch to be
dynamically configured by these services.

Web – Click System, IP Configuration. Specify the VLAN to which the management
station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to
save your changes. Then click Restart DHCP to immediately request a new
address. Note that the switch will also broadcast a request for IP configuration
settings on each power reset.

Figure 3-7 DHCP IP Configuration

Note: If you lose your management connection, use a console connection and enter

“show ip interface” to determine the new switch address.

CLI – Specify the management interface, and set the IP address mode to DHCP or
BOOTP, and then enter the “ip dhcp restart” command.

Console#config
Console(config)#interface vlan 1 4-108
Console(config-if)#ip address dhcp 4-190
Console(config-if)#end
Console#ip dhcp restart 4-192
Console#show ip interface 4-192
IP address and netmask: 192.168.1.57 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#

Renewing DCHP – DHCP may lease addresses to clients indefinitely or for a
specific period of time. If the address expires or the switch is moved to another
network segment, you will lose management access to the switch. In this case, you
can reboot the switch or submit a client request to restart DHCP service via the CLI.

3-14

Basic Configuration

Web – If the address assigned by DHCP is no longer functioning, you will not be
able to renew the IP settings via the web interface. You can only restart DHCP
service via the web interface if the current address is still available.

CLI – Enter the following command to restart DHCP service.

Console#ip dhcp restart 4-192
Console#

3

Managing Firmware

You can upload/download firmware to or from a TFTP server, or copy files to and
from switch units in a stack. By saving runtime code to a file on a TFTP server, that
file can later be downloaded to the switch to restore operation. You can also set the
switch to use new firmware without overwriting the previous version. You must
specify the method of file transfer , along with th e file type and file names as required.

Command Attributes

• File Transfer Method – The firmware copy operation includes these options:

- file to file – Copies a file within the switch directory, assigning it a new name.

- file to tftp – Copies a file from the switch to a TFTP server.

- tftp to file – Copies a file from a TFTP server to the switch.

- file to unit – Copies a file from this switch to another unit in the stack.

- unit to file – Copies a file from another unit in the stack to this switch.

• TFTP Server IP Address – The IP address of a TFTP server.

• File Type – Specify opcode (operational code) to copy firmware.

• File Name –

the file name should not be a period (.), and the maximu m length for fi le names on
the TFTP server is 127 characters or 31 charact ers for files on the switch.
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

• Source/Destination Unit – Specifies the switch stack unit number.

Note:

Up to two copies of the system software (i.e., the runtime firmware) can be stored
in the file directory on the switch. The currently designated startup version of this
file cannot be deleted.

The file name should not contain slashes (\ or /),

the leading letter of

3-15

Configuring the Switch

3

Downloading System Software from a Server

When downloading runtime code, you can specify the destination file name to
replace the current image, or first download the file using a different name from the
current runtime code file, and then set the new file as the startup file.

Web –Click System, File Management, Copy Operation. Select “tftp to fil e” as the file
transfer method, enter the IP address of the TFTP server, set the file type to
“opcode,” enter the file name of the software to downl oad , s ele ct a fi le on t he s witch
to overwrite or specify a new file name, then click Apply. If you replaced the current
firmware used for startup and want to s tart usi ng the n ew operat ion code, reboot t he
system via the System/Reset menu.

Figure 3-8 Copy Firmware

If you download to a new destination file, go to the System/File/Set Start-Up menu,
mark the operation code file used at startup, and click Apply. To start the new
firmware, reboot the system via the System/Reset menu.

Figure 3-9 Setting the Startup Code

3-16

Basic Configuration

3

To delete a file select System, File, Delete. Select the file name fro m the given list by
checking the tick box and click Apply. Note that t

startup code cannot be deleted.

Figure 3-10 Deleting Files

he file currently designated as the

CLI – To download new firmware form a TFTP server, enter the IP address of the
TFTP server, select “opcode” as the file type, then enter the source and destination
file names. When the file has finished downloading, set the new file to start up the
system, and then restart the switch.

To start the new firmware, enter the “reload” command or reboot the system.

Console#copy tftp file 4-65
TFTP server ip address: 192.168.1.23
Choose file type:

1. config: 2. opcode: <1-2>: 2
Source file name: V2.2.6.4.bix
Destination file name: V2264
\Write to FLASH Programming.

-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode:V2264 4-70
Console(config)#exit
Console#reload 4-22

3-17

Configuring the Switch

3

Saving or Restoring Configuration Settings

You can upload/download configuration settings to/from a TFTP server or copy files
to and from switch units in a stack. The configuration files can be later downloaded
to restore the switch’s settings.

Command Attributes

• File Transfer Method – The configuration copy operation includes these options:

- file to file – Copies a file within the switch directory, assigning it a new name.

- file to running-config – Copies a file in the switch to the running configurat ion.

- file to startup-config – Copies a file in the switch to the startup configuration.

- file to tftp – Copies a file from the switch to a TFTP server.

- running-config to file – Copies the running configuration to a file.

- running-config to startup-config – Copies the running config to the startup conf ig.

- running-config to tftp – Copies the running configuration to a TFTP server.

- startup-config to file – Copies the startup configuration to a file on the switch.

- startup-config to running-config – Copies the startup config to the running config.

- startup-config to tftp – Copies the startup configuration to a TFTP server.

- tftp to file – Copies a file from a TFTP server to the switch.

- tftp to running-config – Copies a file from a TFTP server to the running config.

- tftp to startup-config – Copies a file from a TFTP server to the startup config.

- file to unit – Copies a file from this switch to another unit in the stack.

- unit to file – Copies a file from another unit in the stack to this switch.

• TFTP Server IP Address – The IP address of a TFTP server.

• File Type – Specify config (configuration) to copy configuration settings.

•

File Name

the file name should not be a period (.), and the maximu m length for fi le names on
the TFTP server is 127 characters or 31 characters for files on the switch. (Valid
characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

• Source/Destination Unit – Specifies the switch stack unit number.

Note:

— The file name should not contain slashes (\ or /),

The maximum number of user-defined configuration files is limited only by
available flash memory space.

the leading letter of

3-18

Basic Configuration

3

Downloading Configuration Settings from a Server

You can download the configuration file under a new file name and then set it as the
startup file, or you can specify the current startup configuration file as the destin ation
file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be
copied to the TFTP server, but cannot be used as the destination on the switch.

Web – Click System, File, Copy. Select “tftp to startup-config” or “tftp to file” and
enter the IP address of the TFTP server. Specify the name of the file to download
and select a file on the switch to overwrite or specify a new file name, then click
Apply.

Figure 3-11 Downloading Configuration Settings for Startup

If you download to a new file name using “tf tp to startup-con fig” or “tf tp to file,” the file
is automatically set as the st art-up con figurati on file. To use the new settings, reboot
the system via the System/Reset menu.

Note that you can also select any configuration file as the start-up configuration by
using the System/File/Set Start-Up page.

Figure 3-12 Setting the Startup Configuration Settings

3-19

Configuring the Switch

3

CLI – Enter the IP address of the TFTP server , spe cify th e source f ile on th e server,
set the startup file name on the switch, and then restart the switch.

Console#copy tftp startup-config 4-65
TFTP server ip address: 192.168.1.19
Source configuration file name: config-startup
Startup configuration file name [] : startup
\Write to FLASH Programming.

-Write to FLASH finish.
Success.

Console#reload

To select another configuration file as the start-up configuration, use the boot
system command and then restart the switch.

Console#config
Console(config)#boot system config: startup 4-70
Console(config)#exit
Console#reload 4-22

Console Port Settings

You can access the onboard configuration program by attaching a VT100
compatible device to the switch’s serial console port. Management access through
the console port is controlled by various parameters, including a p assword, timeouts,
and basic communication settings. These parameters can be configured via the
Web or CLI interface.

Command Attributes

• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not det ected wi thi n the t imeout in te rv al, t he conn ection i s
terminated for the session. (Range: 0-300 seconds; Default: 0)

• Exec Timeout – Sets the interval that t he system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0-65535 seconds; Default: 0 seconds)

• Password Threshold – Sets the password intrusion threshold, which limits the
number of failed logon attempts. When the logon attempt threshold is reached , the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt.
(Range: 0-120; Default: 3 attempts)

• Silent Time – Sets the amount of time the management console is inaccessible
after the number of unsuccessful logon attempts has been exceeded.
(Range: 0-65535; Default: 0)

• Data Bits – Sets the number of data bits per character that are interpreted and
generated by the console port. If p arity is being generated, specify 7 data bits per
character. If n o pari ty is req uired, sp ecify 8 data bits per character. (Default: 8 bit s)

• Parity – Defines the generation of a parit y bit . Communica ti on protocol s provi ded
by some terminals can require a specific parity bit settin g. Specify Even, Odd, or
None. (Default: None)

3-20

Basic Configuration

• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive

(from terminal). Set the speed to match the baud rate of the device connected to
the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud;
Default: 9600 bps)

• Stop Bits – Sets the number of the stop bits transmitted per byte.

(Range: 1-2; Default: 1 stop bit)

• Password

started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a promp t.
(Default: No password)

• Login

single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)

Web – Click System, Line, Console. S pecify the console port connection p arameters
as required, then click Apply.

1

– Specifies a pa ssword f or the line con nect ion. When a conne ction i s

1

– Enables password checking at login. You can select authentication by a

3

1. CLI only.

Figure 3-13 Console Port Settings

3-21

Configuring the Switch

3

CLI – Enter Line Configuration mode for the console, then specify the connection
parameters as required. To display the current console port settings, use the show
line command from the Normal Exec level.

Console(config)#line console 4-10
Console(config-line)#login local 4-11
Console(config-line)#password 0 secret 4-12
Console(config-line)#timeout login response 0 4-13
Console(config-line)#exec-timeout 0 4-13
Console(config-line)#password-thresh 3 4-14
Console(config-line)#silent-time 60 4-15
Console(config-line)#databits 8 4-15
Console(config-line)#parity none 4-16
Console(config-line)#speed 115200 4-17
Console(config-line)#stopbits 1 4-17
Console(config-line)#end
Console#show line 4-18
Console configuration:
Password threshold: 3 times
Interactive timeout: Disabled
Login timeout: Disabled
Silent time: 60
Baudrate: 115200
Databits: 8
Parity: none
Stopbits: 1

VTY configuration:
Password threshold: 3 times
Interactive timeout: 600 sec
Login timeout: 300 sec
Console#

Telnet Settings

You can access the onboard configuration program over the network using Telnet
(i.e., a virtual terminal). Management access via Telnet can be enabled/ disabled and
other various parameters set, including the TCP port number, timeouts, and a
password. These parameters can be configured via the Web or CLI interface.

Command Attributes

• Telnet Status – Enables or disables Telnet access to the switch.

(Default: Enabled)

• Telnet Port Number – Sets the TCP port number for Telnet on the switch.
(Default: 23)

• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not det ected wi thi n the t imeout in te rv al, t he conn ection i s
terminated for the session. (Range: 0-300 seconds; Default: 300 seconds)

• Exec Timeout – Sets the interval that t he system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0-65535 seconds; Default: 600 seconds)

3-22

Basic Configuration

• Password Threshold – Sets the password intrusion threshold, which limits the

number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt.
(Range: 0-120; Default: 3 attempts)

• Password

started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt. (Def a ul t: No
password)

• Login

single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)

Web – Click System, Line, Telnet. Specify the connection parameters for Telnet
access, then click Apply.

2

– Specifies a pa ssword f or the line con nect ion. When a conne ction i s

2

– Enables password checking at login. You can select authentication by a

3

2. CLI only.

Figure 3-14 Enabling Telnet

3-23

Configuring the Switch

3

CLI – Enter Line Configuration mode for a virtual terminal, then specify the
connection parameters as required. To display the current virtual terminal settings,
use the show line command from the Normal Exec level.

Console(config)#line vty 4-10
Console(config-line)#login local 4-11
Console(config-line)#password 0 secret 4-12
Console(config-line)#timeout login response 300 4-13
Console(config-line)#exec-timeout 600 4-13
Console(config-line)#password-thresh 3 4-14
Console(config-line)#end
Console#show line 4-18
Console configuration:
Password threshold: 3 times
Interactive timeout: Disabled
Login timeout: Disabled
Silent time: Disabled
Baudrate: 9600
Databits: 8
Parity: none
Stopbits: 1

VTY configuration:
Password threshold: 3 times
Interactive timeout: 600 sec
Login timeout: 300 sec
Console#

Configuring Event Logging

The switch allows you to control the loggi ng of error messages, i ncludi ng th e type of
events that are recorded in switch memory, logging to a remote System Log (syslog)
server, and di splays a list of recent event messages.

System Log Configuration

The system allows you to enable or disable event logging, and specify which levels
are logged to RAM or flash memory.

Severe error messages that are logged to flash memory are permanently stored in
the switch to assist in troubleshooting network problems. Up to 4096 log entries can
be stored in the flash memory , with the ol dest entries being overwri tten first when the
available log memory (256 kilobytes) has been exceeded.

The System Logs page allows you to configure and limit system messages that are
logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to
flash and levels 0 to 7 to be logged to RAM.

Command Attributes

• System Log Status – Enables/disables the logging of debug or error messages to
the logging process. (Default: Enabled)

• Flash Level – Limits log messages saved to the switch’s permanent fl ash memory
for all levels up to the specified level. For example, if level 3 is specified, all
messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3)

3-24

Basic Configuration

Table 3-3 Logging Levels

3

Level Severity Name Description

7 Debug Debugging messages
6 Informational Informational messages only
5 Notice Normal but significant condition, such as cold start
4 Warning W arning conditions (e.g., return false, unexpected return)
3 Error Error conditions (e.g., invalid input, default used)
2 Critical Critical conditions (e.g., memory allocatio n, or free memory

1 Alert Immediate action needed
0 Emergency System unusable
* There are only Level 2, 5 and 6 error messages for the current firmware release.

error - resource exhausted)

• RAM Level – Limits log messages saved to the switch’s temporary RAM memory

for all levels up to the specified level. For example, if level 7 is specified, all
messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 6)

Note:

The Flash Level must be equal to or less than the RAM Level.

Web – Click System, Log, System Logs. Specify System Log Status, then

change

the level of messages to be logged to RAM and flash memory, then click Apply.

Figure 3-15 System Logs

CLI – Enable system logging and then specify the level of messa ges to be logged to
RAM and flash memory. Use the show logging command to display the current
settings.

Console(config)#logging on 4-43
Console(config)#logging history ram 0 4-44
Console(config)#end
Console#show logging flash 4-47
Syslog logging: Enabled
History logging in FLASH: level emergencies
Console#

3-25

Configuring the Switch

3

Remote Log Configuration

The Remote Logs page allows you to configure the logging of messages that are
sent to syslog servers or other management stations. You can also limit the error
messages sent to only those messages below a specified level.

Command Attributes

• Remote Log Status – Enables/disables the logging of debug or error messages
to the remote logging process. (Default: Enabled)

• Logging Facility – Sets the facility type for remote logging of syslog messages.
There are eight facility types specified by values of 16 to 23. The facility type is
used by the syslog server to dispatch log messages to an appropriate service.

The attribute specifies the facility type tag sent in syslog messages. (See RFC

3164.) This type has no effect on the kind of messages reported by the switch.
However, it may be used by the syslog server to process messages, such as
sorting or storing messages in the corresponding database. (Range: 16-23,
Default: 23)

• Logging Trap – Limits log messages that are sent to the remote syslog server for
all levels up to the specified level. For example, if level 3 is specif ied, all messages
from level 0 to level 3 will be sent to the remote server. (Range: 0-7, Default: 6)

• Host IP List – Displays the list of remote server IP addresses that receive the
syslog messages. The maximum number of host IP addresses allowed is five.

• Host IP Address – Specifies a new server IP address to add to the Host IP List.

Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List,
type the new IP address in the Host IP Address box, and then click Add. To delete
an IP address, click the entry in the Host IP List, and then click Remove.

3-26

Figure 3-16 Remote Logs

Basic Configuration

3

CLI – Enter the syslog server host IP address, choose the facility type and set the
logging trap.

Console(config)#logging host 192.168.1.15 4-45
Console(config)#logging facility 23 4-45
Console(config)#logging trap 4 4-46
Console(config)#end
Console#show logging trap 4-46
Syslog logging: Enabled
REMOTELOG status: Enabled
REMOTELOG facility type: local use 7
REMOTELOG level type: Warning conditions
REMOTELOG server ip address: 192.168.1.15
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
Console#

Displaying Log Messages

The Logs page allows you to scroll through the logged sy stem and e vent messages.
The switch can store up to 2048 log entries in temporary random access memory
(RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent
flash memory.

Web – Click System, Log, Logs.

Figure 3-17 Displaying Logs

CLI – This example shows the event message stored in RAM.

Console#show log ram 4-47
[1] 00:01:37 2001-01-01
"DHCP request failed - will retry later."
level: 4, module: 9, function: 0, and event no.: 10
[0] 00:00:35 2001-01-01
"System coldStart notification."
level: 6, module: 6, function: 1, and event no.: 1
Console#

3-27

Configuring the Switch

3

Sending Simple Mail Transfer Protocol Alerts

To alert system administrators of problems, the switch can use SMTP (Simple Mail
Transfer Protocol) to send email messa ges when triggered by logging events of a
specified level. The messages are sent to specified SMTP servers on the network
and can be retrieved using POP or IMAP clients.

Command Attributes

• Admin Status – Enables/disables the SMTP function. (Default: Enabled)

• Email Source Address – Sets the email address used for the “Fro m” field i n alert
messages. Y ou may use a symbolic email address that identifies the switch, or the
address of an administrator responsible for the switch.

• Severity – Sets the syslog severity threshold level (see table on page 3-25) used
to trigger alert messages. All events at this level or higher will be sent to the
configured email recipients. For example, using Level 7 will report all events from
level 7 to level 0. (Default: Level 7)

• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The
switch attempts to connect to the other listed se rvers if the first fai ls. Use th e New
SMTP Server text field and the Add/Remove buttons to configure the list.

• Email Destination Address List – Specifies the email recipients of alert
messages. You can specify up to five recipients. Use the New Email Destination
Address text field and the Add/Remove buttons to configure the list.

3-28

Basic Configuration

Web – Click System, Log, SMTP. Enable SMTP, specify a source email address,
and select the minimum severity level. To add an IP address to the SMTP Server
List, type the new IP address in the SMTP Server field and click Add. To delete an IP
address, click the entry in the SMTP Server List and click Remove. S p ecify up to five
email addresses to receive the alert messages, and click Apply.

3

Figure 3-18 Enabling and Configuring SMTP Alerts

3-29

Configuring the Switch

3

CLI – Enter the IP address of at least one SMTP server, set the syslog severity level
to trigger an email message, and specify the switch (s ource) a nd u p to f iv e recipi ent
(destination) email addresses. Enable SMTP with the logging sendmail command
to complete the configuration. Use the show logging sendmail command to display
the current SMTP configuration.

Console(config)#logging sendmail host 192.168.1.200 4-49
Console(config)#logging sendmail level 4 4-50
Console(config)#logging sendmail source-email john@acme.com 4-51
Console(config)##logging sendmail destination-email geoff@acme.com 4-51
Console(config)#logging sendmail 4-52
Console(config)#exit
Console#show logging sendmail 4-52
SMTP servers

-----------------------------------------------

1. 192.168.1.200

SMTP minimum severity level: 4

SMTP destination email addresses

-----------------------------------------------

1. geoff@acme.com

SMTP source email address: john@acme.com

SMTP status: Enabled
Console#

Resetting the System

Web – Click System, Reset to reboot the switch. When prompted, confirm that you
want reset the switch.

Figure 3-19 Resetting the System

CLI – Use the reload command to restart the switch. When prompted, confirm that
you want to reset the switch.

Console#reload 4-22
System will be restarted, continue <y/n>? y

Note:

When restarting the system, it will always run the Power-On Self-Test.

3-30

Basic Configuration

3

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal clock
based on periodic updates from a time server (SNTP or NTP). Maintaining an
accurate time on the switch enables the system log to record meaningful dates and
times for event entries. You can also manually set the clock using the CLI. (See
“calendar set” on page 4-56.) If the clock is not set, the switch will only record the
time from the factory default set at the last bootup.

When the SNTP client is enabled, the switch periodically sends a request for a time
update to a configured time server. You can configure up to three t ime server IP
addresses. The switch will attempt to poll each server in the configured sequence.

Configuring SNTP

You can configure the switch to send time synchronization requests to time servers.

Command Attributes

• SNTP Client – Configures the switch to operate as an SNTP client. This requires

at least one time server to be specifie d in the SNTP Server field. (Default: Disabled)

• SNTP Poll Interval – Sets the interval between sending requests for a time updat e

from a time server. (Range: 16-16284 seconds; Default: 16 seconds)

• SNTP Server – Sets the IP address for up to three time servers. The switch

attempts to update the time from the first server, if this fails it attempts an update
from the next server in the sequence.

Web – Select SNTP, Configuration. Modify any of the required parameters, and c lick
Apply.

Figure 3-20 SNTP Configuration

3-31

Configuring the Switch

3

CLI – This example configures the switch to operate as an SNTP unicast client and
then displays the current time and settings.

Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-54
Console(config)#sntp poll 60 4-55
Console(config)#sntp client 4-53
Console(config)#exit
Console#show sntp
Current time: Jan 6 14:56:05 2004
Poll interval: 60
Current mode: unicast
SNTP status : Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.250.36.2
Console#

Setting the Time Zone

SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time,
or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To
display a time corresponding to your local time, you must indicate the number of
hours and minutes your time zone is east (before) or west (after) of UTC.

Command Attributes

• Current Time – Displays the current tim e .

• Name – Assigns a name to the time zone. (Range: 1-29 characters)

• Hours (0-12) – The number of hours before/after UTC.

• Minutes (0-59) – The number of minutes before/after UTC.

• Direction – Configures the time zone to be before (east) or after (west) UTC.

Web – Select SNTP , Clock Time Zone. Set the offset for your time zone relative to
the UTC, and click Apply.

Figure 3-21 Setting the System Clock

CLI - This example shows how to set the time zone for the system clock.

Console(config)#clock timezone Taiwan hours 6 minute 0 after-UTC 4-56
Console(config)#

3-32

Simple Network Management Protocol

3

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a communication protocol
designed specifically for managing devices on a network. Equipmen t commonly
managed with SNMP includes switches, routers and host computers. SNMP is
typically used to configure these devices for proper operation in a network
environment, as well as to monitor them to evaluate performance or detect poten tial
problems.

The switch includes an onboard SNMP agent that continuously monitors the status
of its hardware, as well as the traffic passing through its ports. A network
management station can access this information using software such as HP
OpenView. Access rights to the onboard agent are controlled by community strings.
To communicate with the switch, the management station must first submit a valid
community string for authentication. The options for configuring community strings,
trap functions, and restricting access to clients with specified IP addresses are
described in the following sections.

Setting Community Access Strings

Y ou ma y configure up t o five co mmunity stri ngs authorized for management access.
All community strings used for IP Trap Managers should be listed in this table. For
security reasons, you should consider removing the default strings.

Command Attributes

• SNMP Community Capability – Indicates that the switch supports up to five

community strings.

• Community String – A community string that acts like a password and permits

access to the SNMP protocol.
Default str ings: “public” (read-only access), “private” (read/write access)
Range: 1-32 characters, case sensitive

• Access Mode

- Read-Only – Specifies read-only access. Authorized management stations are
only able to retrieve MIB objects.

- Read/Write – Specifies read-write access. Authorized management stati ons are
able to both retrieve and modify MIB objects.

3-33

Configuring the Switch

3

Web – Click SNMP, Configuration. Add new community strings as required, select
the access rights from the Access Mode drop-down list, then click Add.

Figure 3-22 Configuring SNMP

CLI – The following example adds the string “spiderman” with read/write access.

Console(config)#snmp-server community spiderman rw 4-103
Console(config)#

Specifying Trap Managers and Trap Types

Traps indicati ng status change s are issued by the swit ch to specified trap man agers.
You must specify trap managers so that key events are reported by this switch to
your management station (using network management platforms such as HP
OpenView). You can specify up to five management stations that will receive
authentication failure messages and other trap messages from the switch.

Command Attributes

• Trap Manager Capability – This switch supports up to five trap managers.

• Current – Displays a list of the trap managers currently configured.

• Trap Manager IP Address – IP address of the host (the targeted recipient).

• Trap Manager Community String – Community string sent with the notification
operation. (Range: 1-32 characters, case sensitive)

• Trap Version – Specifies whether to send notifications as SNMP v1 or v2c traps.
(The default is version 1.)

• Enable Authentication Traps – Issues a trap message whenever an invalid
community string is submitted during the SNMP access authentication process.
(Default: Enabled)

• Enable Link-up and Link-down Traps – Issues a trap messa ge whenever a port
link is established or broken. (Default: Enabled)

3-34

User Authentication

Web – Click SNMP, Configuration. Fill in the IP address and community string for
each trap manager that will receive these messages, specify the SNMP version,
mark the trap types required, and then click Add.

Figure 3-23 Configuring IP Trap Managers

CLI – This example adds a trap manager and enables both authentication and
link-up, link-down traps.

Console(config)#snmp-server host 192.168.1.19 private version 2c 4-105
Console(config)#snmp-server enable traps 4-106

User Authentication

3

You can restrict management access to this switch using the following options:

• User Accounts – Manually configure access rights on the switch for specified users.

• Authentication Settings – Use remote authentication to configure access rights.

• HTTPS Settings – Provide a secure web connection.

• SSH Settings – Provide a secure shell (for secure Telnet access).

• Port Security – Configure secure addresses for individual ports.

• 802.1X – Use IEEE 802.1X port authentication to control access to specific ports.

• IP Filter – Filters management access to the web, SNMP or Telnet i nterface.

Configuring User Accounts

The guest only has read access for most configuration parameters. However, the
administrator has write access for all parameters governing the onboard agent. You
should therefore assign a new administrator password as soon as possible, and
store it in a safe place.

The default guest name is “guest” with the password “guest .” The default
administrator name is “admin” with the password “admin.”

3-35

Configuring the Switch

3

Command Attributes

• Account List – Displays the current list of user accounts and associated access
levels. (Defaults: admin, and guest)

• New Account – Displays configuration settings for a new account.

- User Name – The name of the user.

(Maximum length: 8 characters)

- Access Level – Specifies the user level.

(Options: Normal and Privileged)

- Password – Specifies the user password.

(Range: 0-8 characters plain text, case sensitive)

• Change Password – Sets a new password for the specified user name.

• Add/Remove – Adds or removes an account from the list.

Web – Click Security, User Accounts. To configure a new user account, specify a
user name, select the user’s access level, then enter a password and confirm it.
Click Add to save the new user account and add it to the Account List. To change the
password for a specific user, enter the user name and new password, confirm the
password by entering it again, then click Apply.

Figure 3-24 Access Levels

CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the
password.

Console(config)#username bob access-level 15 4-26
Console(config)#username bob password 0 smith
Console(config)#

3-36

User Authentication

3

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict management access based on
specified user names and passwords. You can manually configure access rights on
the switch, or you can use a remote access authentication server based on RADIUS
or TACACS+ protocols.

Remote Authentication Dial-in
User Service (RADIUS) and
Terminal Access Controller
Access Control System Plus
(TACACS+) are logon

Web
Telnet

authentication protocols that
use software running on a
central server to control
access to RADIUS-aware or
TA CACS-aware devices on the
network. An authentication

RADIUS/
TACACS+
server

1. Client attempts management access.

2. Switch contacts authentication server.

3. Authentication server challenges client.

4. Client responds with proper password or key.

5. Authentication server approves access.

6. Switch grants management access.

server contains a database of
multiple user name/password pairs with associate d privilege levels for each user
that requires management access to the switch.

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery,
while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts
only the password in the access-request packet from the client to the server, while
TACACS+ encrypts the entire body of the packet.

Command Usage

• By default, management access is always checked against the authentication

database stored on the local switch. If a remote authentica tion server is used, you
must specify the authentication sequence and the corresponding parameters for
the remote authentication protocol. Lo cal and remot e logon authenti cation control
management access via the console port, web browser, or Telnet.

• RADIUS and TACACS+ logon authentication assign a specific privilege level for

each user name/password pair. The user name, password, and privilege level
must be configured on the authentication server.

• You can specify up to three authentication methods for any user to indicate the

authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and
(3) Local, the user name and password on the RADIUS server is verifie d first. If the
RADIUS server is not available, then authentication is attempted using the
TACACS+ server, and finally the local user name and password is checked.

console

3-37

Configuring the Switch

3

Command Attributes

• Authentication – Select the authentication, or authentication sequence required:

- Local – User authentication is performed only locally by the switch.

- Radius – User authentication is performed using a RADIUS server only.

- TACACS – User authentication is performed using a TACACS+ server only.

- [authentication sequence] – User authentication is performed by up to three

authentication methods in the indicated sequenc e.

• RADIUS Settings

- Global – Provides globally applicable RADIUS settings.

- ServerIndex – Specifies one of five RADIUS servers that may be configured.

The switch attempts authentication using the listed sequence of servers. The
process ends when a server either approves or denies access to a user.

- Server IP Address – Address of authentication server. (Default: 10.1.0.1)

- Server Port Number – Network (UDP) port of authentication server used for

authentication messages. (Range: 1-65535; Default: 1812)

- Secret Text String – Encryption key used to authenticate logon access for

client. Do not use blank spaces in the string. (Maximum length: 20 characters)

- Number of Server Transmits – Number of times the switch tries to authenticate

logon access via the authentication server. (Range: 1-30; Default: 2)

- Timeout for a reply – The number of seconds the switch waits for a reply from

the RADIUS server before it resends the request. (Range: 1-65535; Default: 5)

• TACACS Settings

- Server IP Address – Address of the TACACS+ server. (Default: 10.11.12.13)

- Server Port Number – Network (TCP) port of TACACS+ server used for

authentication messages. (Range: 1-65535; Default: 49)

- Secret Text String – Encryption key used to authenticate logon access for

client. Do not use blank spaces in the string. (Maximum length: 20 characters)

Note:

The local switch user database has to be set up by manually entering user names
and passwords using the CLI. (See “username” on page 4-26.)

3-38

User Authentication

3

Web – Click Security, Authentication Settings. To configure local or remote
authentication preferences, specify the authentication sequence (i.e., one to three
methods), fill in the parameters for RADIUS or TACACS+ authentication if selected,
and click Apply.

Figure 3-25 Authentication Settings

CLI – Specify all the required parameters to enable logon authentication.

Console(config)#authentication login radius 4-71
Console(config)#radius-server port 181 4-74
Console(config)#radius-server key green 4-74
Console(config)#radius-server retransmit 5 4-75
Console(config)#radius-server timeout 10 4-75
Console(config)#radius-server 1 host 192.168.1.25 4-73
Console(config)#end
Console#show radius-server 4-76

Remote RADIUS server configuration:

Global settings:
Communication key with RADIUS server: *****
Server port number: 181
Retransmit times: 5
Request timeout: 10

Server 1:
Server IP address: 192.168.1.25
Communication key with RADIUS server: *****
Server port number: 1812
Retransmit times: 2
Request timeout: 5

3-39

Configuring the Switch

3

Console#configure
Console(config)#authentication login tacacs 4-71
Console(config)#tacacs-server host 10.20.30.40 4-77
Console(config)#tacacs-server port 200 4-77
Console(config)#tacacs-server key green 4-78
Console#show tacacs-server 4-78
Server IP address: 10.20.30.40
Communication key with tacacs server: green
Server port number: 200
Console(config)#

Configuring HTTPS

You can configure the switch to enable the Secure Hypertext Transfer Protocol
(HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an
encrypted connection) to the switch’s web interface.

Command Usage

• Both the HTTP and HTTPS service can be enabled independently on the switch.
However, you cannot configure both services to use the same UDP port.

• If you enable HTTPS, you must indicate this in the URL that you specify in your
browser: https://device[:port_number]

• When you start HTTPS, the connection is established in this way:

- The client authenticates the server using the server’s digital certificate.

- The client and server negotiate a set of security protocols to use for the

connection.

- The client and server generate session keys for encrypting and decrypting data.

• The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer 5.x or above
and Netscape Navigator 6.2 or above.

• The following web browsers and operating systems currently support HTTPS:

Table 3-4 HTTPS System Support

Web Browser Operating System

Internet Explorer 5.0 or later Windows 98,Windows NT (with service pack 6a),

Netscape Navigator 6.2 or later Windows 98,Windows NT (with service pack 6a),

Windows 2000, Windows XP

Windows 2000, Windows XP, Solaris 2.6

• To specify a secure-site certificate, see “Replacing the Default Secure-site
Certificate” on page 3-41.

Command Attributes

• HTTPS Status – Allows you to enable/disable the HTTPS server feature on the
switch.

(Default: Enabled)

•

Change HTTPS Port Number – Specifies the UDP port number used for HTTPS/
SSL connection to the switch’s web interface. (Default: Port 443)

3-40

User Authentication

3

Web – Click Security, HTTPS Se ttin gs. Enabl e HTTPS and s pecify the po rt number,
then click Apply.

Figure 3-26 HTTPS Settings

CLI – This example enables the HTTP secure server and modifies the port number.

Console(config)#ip http secure-server 4-31
Console(config)#ip http secure-port 443 4-32
Console(config)#

Replacing the Default Secure-site Certificate

When you log onto the web interface using HTTPS (for secure access), a Secure
Sockets Layer (SSL) certificate appears for the switch. By default, t he certificate that
Netscape and Internet Explorer display will be associated with a warning that the
site is not recognized as a secure site. This is because the certificate has not been
signed by an approved certification authority. If you want this warning to be replaced
by a message confirming that the connection to the switch is secure, you must
obtain a unique certificate and a private key and password from a recognized
certification authority.

Caution:

For maximum security, we recommend you obtain a unique Secure Sockets
Layer certificate at the earliest opportunity. This is because the default
certificate for the switch is not unique to the hardware you have purchased.

When you have obtained these, place them on your TFTP server, and use the
following command at the switch's command-line interface to replace the default
(unrecognized) certificate with an authorized one:

Console#copy tftp https-certificate 4-65
TFTP server ip address: <server ip-address>
Source certificate file name: <certificate file name>
Source private file name: <private key file name>
Private password: <password for private key>

Note:

The switch must be reset for the new certificate to be activated. To reset the
switch, type:

Console#reload

3-41

Configuring the Switch

3

Configuring the Secure Shell

The Berkley-standard includes remote access tools orig inally designed for Unix
systems. Some of these tools have also been implemented for Microsof t Windows
and other environments. These tools, including commands such as rlogin (remote
login), rsh (remot e shell), and rcp (remote copy), a re not secure from hostile att acks.

The Secure Shell (SSH) includes server/client applications intended as a secure
replacement for the older Berkley remote access tools. SSH can also provide
remote management access to this switch as a secure replacement for Telnet.
When the client contacts the switch via the SSH protocol, the switch generates a
public-key that the client uses along with a local user name and p assword for access
authentication. SSH also encrypts all dat a t ransfers p assing bet ween the swit ch and
SSH-enabled management station clients, and ensures that data traveling over the
network arrives unaltered.

Note that you need to install an SSH client on the ma nagement sta tion to access the
switch for management via the SSH protocol.

Note:

The switch supports both SSH Version 1.5 and 2.0.

Command Usage

The SSH server on this switch supports both password and public key
authentication. If password authentication is specified by the SSH client, then the
password can be authenticated either locally or via a RADIUS or TACACS+ remote
authentication server, as specified on the Authentication Settings page
(page 3-37). If public key authentication is specified by the client, then you must
configure authentication keys on both the client and the switch as described in the
following section. Note that regardless of whether you use public key or password
authentication, you still have to generate authentication keys on the switch (SSH
Host Key Settings) and enable the SSH server (Authentication Settings).

To use the SSH server, complete these steps :

1. Generate a Host Key Pair – On the SSH Host Ke y Setti ngs p a ge, create a ho st

public/private key pair.

2. Provide Host Public Key to Clients – Many SSH client programs automatically

import the host public key during the initial connection setup with the switch.
Otherwise, you need to manually create a k nown host s file on t he management
station and place the host public ke y in it. An entry for a publi c key in the kn own
hosts file would appear similar to the following example:

10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254
15020245593199868544358361651999923329781766065830956 10825913212890233
76546801726272571413428762941301196195566782 59566410486957427888146206
51941746772984865468615717739390164779355942303577413098022737087794545
24083971752646358058176716709574804776117

3-42

User Authentication

3. Import Client’s Public Key to the Switch – Use the copy tftp public-key

command (page 4-65) to copy a file containing the public key for all the SSH
client’s granted management access to the swi tch. (Note that these clients
must be configured locally on the switch via the User Accounts page as
described on page 3-35.) The clients are subsequently authenticated using
these keys. The current firmware only accepts public key files based on
standard UNIX format as shown in the following example for an RSA Version 1
key:

1024 35 1341081685609893921040944920155425347631641921872958921143173880
05553616163105177594083868631109291232226828519254374603100937187721199
69631781366277414168985132049117204830339254324101637997592371449011938
00609025394840848271781943722884025331159521348610229029789827213532671
31629432532818915045306393916643 steve@192.168.1.19

4. Set the Optional Parameters – On the SSH Settings page, configure the

optional parameters, including t he authentication time out, the number of retries,
and the server key size.

5. Enable SSH Service – On the SSH Settings page, enable the SSH server on

the switch.

6. Challenge-Response Authentication – When an SSH client attempts to contact

the switch, the SSH server uses the host key pair to negotiate a session key
and encryption method. Only clients that have a private key corresponding to
the public keys stored on the switch can access. The follo wing ex chang es take
place during this process :

a. The client sends its public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch uses the public key to encrypt a random

sequence of bytes, and sends this string to the client.

d. The client uses its private key to decrypt the bytes, and sends th e

decrypted bytes back to the switch.

e. The switch compares the decrypted bytes t o the original byt es it sent. If the

two sets match, this means that the client's private key corresponds to an
authorized public key, and the client is authenticated.

Notes: 1.

To use SSH with only password authentication, the host public key must still
be given to the client, either during initial connection or manually entered into
the known host file. However, you do not need to configure the client’s keys.

2. The SSH server supports up to four client sessions. The maximum number

of client sessions includes both current Telnet sessions and SSH sessions.

3

3-43

Configuring the Switch

3

Generating the Host Key Pair

A host public/private key pair is used to provide secure communications between a n
SSH client and the switch. After generating this key pair, you must provide the host
public key to SSH clients and import the client’s public key to the switch as
described in the proceeding section (Command Usage).

Field Attributes

• Public-Key of Host-Key – The public key for the host.

- RSA (Version 1): The first field indicates the size of the host key (e .g., 1024), the

second field is the encoded public exponent (e.g., 655 37), and t he l ast st ri ng i s
the encoded modulus.

- DSA (Version 2): The first field indicates that the encryption method used by

SSH is based on the Digital Signature Standard (DSS). The last string is the
encoded modulus.

• Host-Key Type – The key type used to generate the host key pair (i.e., public and
private keys). (Range: RSA (Version 1), DSA (Version 2), Both: Default: RSA)

The SSH server uses RSA or DSA for key exchange when the client first
establishes a connection with the switch, and then negotiates with the client to
select either DES (56-bit) or 3DES (168-bit) for data encryption.

• Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e.,
volatile memory to flash memory. Otherwise, the host key pai r is stored to RAM by
default. Note that you must select this item prior to generating the host-key pair.

• Generate – This button is used to generate the host key pair. Note that you must
first generate the host key pair before you can enable the SSH server on th e SSH
Server Settings page.

• Clear – This button clears the host key from both volatile memory (RAM) and
non-volatile memory (Flash).

3-44

User Authentication

3

Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the
drop-down box, select the option to save the host key from memory to flash (if
required) prior to generating the key, and then click Generate.

Figure 3-27 SSH Host-Key Settings

CLI – This example generates a host-key pair using both the RSA and DSA
algorithms, stores the keys to flash memory, and then displays the host’s public keys.

Console#ip ssh crypto host-key generate 4-36
Console#ip ssh save host-key 4-36
Console#show public-key host 4-36
Host:
RSA:
1024 65537 127250922544926402131336514546131189679055192360076028653006761
82409690947448320102524878965977592168322225584652387791546479807396314033
86925793105105765212243052807865885485789272602937866089236841423275912127
60325919683697053439336438445223335188287173896894511729290510813919642025
190932104328579045764891
DSA:
ssh-dss AAAAB3NzaC1kc3MAAACBAN6zwIqCqDb3869jYVXlME1sHL0EcE/Re6hlasfEthIwmj
hLY4O0jqJZpcEQUgCfYlum0Y2uoLka+Py9ieGWQ8f2gobUZKIICuKg6vjO9XTs7XKc05xfzkBi
KviDa+2OrIz6UK+6vFOgvUDFedlnixYTVo+h5v8r0ea2rpnO6DkZAAAAFQCNZn/x17dwpW8RrV
DQnSWw4Qk+6QAAAIEAptkGeB6B5hwagH4gUOCY6i1TmrmSiJgfwO9OqRPUMbCAkCC+uzxatOo7
drnIZypMx+Sx5RUdMGgKS+9ywsa1cWqHeFY5ilc3lDCNBueeLykZzVS+RS+azTKIk/zrJh8GLG
Nq375R55yRxFvmcGIn/Q7IphPqyJ3o9MK8LFDfmJEAAACAL8A6tESiswP2OFqX7VGoEbzVDSOI
RTMFy3iUXtvGyQAOVSy67Mfc3lMtgqPRUOYXDiwIBp5NXgilCg5z7VqbmRm28mWc5a//f8TUAg
PNWKV6W0hqmshQdotVzDR1e+XKNTZj0uTwWfjO5Kytdn4MdoTHgrbl/DMdAfjnte8MZZs=

Console#

3-45

Configuring the Switch

3

Configuring the SSH Server

The SSH server includes basic settings for authentication.

Field Attributes

• SSH Server Status – Allows you to enable/di sable the SSH serve r on the swit ch.
(Default: Disabled)

• Version – The Secure Shell version number. Version 2.0 is displayed, but the
switch supports management access via either SSH Version 1.5 or 2.0 clients.

• SSH Authentication Timeout – Specifies the time interval in seconds that the
SSH server waits for a response from a client during an authentication attempt.
(Range: 1-120 seconds; Default: 120 seconds)

• SSH Authentication Retries – Specifies the number of authentication attempts
that a client is allowed before authentication fails and the client has to restart the
authentication process. (Range: 1-5 times; Default: 3)

• SSH Server-Key Size – Specifies the SSH server key size.
(Range: 512-896 bits; Default:768)

- The server key is a private key that is never shared outside the switch.

- The host key is shared with the SSH client, and is fixed at 1024 bits.

Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication
parameters as required, then click Apply. Note that you must first generate the host
key pair on the SSH Host-Key Settings page before you can enable the SSH server.

3-46

Figure 3-28 SSH Server Settings

User Authentication

3

CLI – This example enables SSH, sets the authentication parameters, and displays
the current configuration. It shows that the administrator has made a connection via
SHH, and then disables this connection.

Console(config)#ip ssh server 4-36
Console(config)#ip ssh timeout 100 4-37
Console(config)#ip ssh authentication-retries 5 4-37
Console(config)#ip ssh server-key size 512 4-38
Console(config)#end
Console#show ip ssh 4-40
SSH Enabled - version 2.0
Negotiation timeout: 120 secs; Authentication retries: 5
Server key size: 512 bits
Console#show ssh 4-41
Connection Version State Username Encryption
0 2.0 Session-Started admin ctos aes128-cbc-hmac-md5
stoc aes128-cbc-hmac-md5
Console#disconnect 0 4-18
Console#

Configuring Port Security

Port security is a feature that allows you to configure a switch port with one or more
device MAC addresses that are authorized to access the network through that port.

When port security is enabled on a port, the switch stops learning new MAC
addresses on the specified port when it has reached a configured maximum
number. Only inco ming traffic with source addresses already stored in the dynamic
or static address table will be acc epted as au thorized to acc ess the net work through
that port. If a device with an unauthorized MAC address attempts to use the switch
port, the intrusion will be detected and the switch can automati cally take action by
disabling the port and sending a trap message.

To use port security, specify a maximum number of addresses to allow on the port
and then let the switch dynamically learn t he <source MAC a ddress , VLAN> pair for
frames received on the port. Note that you can also manually add secure addresses
to the port using the Static Address Table (page 3-90). When the port has reached
the maximum number of MAC addresses the selected port will stop learning. The
MAC addresses already in the address table will be retained and will not age out.
Any other device that attempts to use the port will be prevented from accessing the
switch.

Command Usage

• A secure port has the following restrictions:

- Cannot use port monitoring.

- Cannot be a multi-VLAN port.

- It cannot be used as a member of a static or dynamic trunk.

- It should not be connected to a network interconnection device.

• The default maximum number of MAC addresses allowed on a secure po rt is zero.

You must configure a maximum address count from 1 - 1024 for the port to allow
access.

3-47

Configuring the Switch

3

• If a port is disabled (shut down) due to a security violation, it must be manuall y
re-enabled from the Port/Port Configuration page (page 3-66).

Command Attributes

•Port – Port number.

• Name – Descriptive text (page 4-109).

• Action – Indicates the actio n to be taken when a port securi ty violation is detect ed:

- None: No action should be taken. (This is the default.)

- Trap: Send an SNMP trap message.

- Shutdown: Disable the port.

- Trap and Shutdown: Send an SNMP trap message and disable the port.

• Security Status – Enables or disables port security on the port. (Default: Disabled)

• Max MAC Count – The maximum number of MAC addresses that can be learned
on a port. (Range: 0 - 1024, where 0 means disabled)

• Trunk – Trunk number if port is a member (page 3-69 and 3-70).

Web – Click Security, Port Security. Mark the checkbox in the Status column to
enable security for a port, set the maximum number of MAC addresses al lowed on a
port, and click Apply.

Figure 3-29 Configuring Port Security

CLI – This example selects the target port, sets the port security action to send a
trap and disable the port and sets the maximum MAC addresses allowed on the
port, and then enables port security for the port.

Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap-and-shutdown 4-79
Console(config-if)#port security max-mac-count 20 4-79
Console(config-if)#port security 4-79
Console(config-if)#

3-48

User Authentication

3

Configuring 802.1X Port Authentication

Network switches can provide open and easy access to network resources by
simply attaching a client PC. Although th is automatic configuration and access is a
desirable feature, it also allows unauthorized personnel to easily intrude and
possibly gain access to sensitive network data.

The IEEE 802.1X (dot1X) standard defines a port-based access control procedure
that prevents unauthorized access to a network by requiring users to fi rst submit
credentials for authentication. Access to all switch ports in a network can be
centrally controlled from a server, which means that authorized users can use the
same credentials for authentication from any point within the network.

This switch uses the
Extensible Authentication
Protocol over LANs (EAPOL)
to exchange authentication
protocol messages with the
client, and a remote RADIUS
authentication server to verify
user identity and access
rights. When a client (i.e.,
Supplicant) connects to a
switch port, the switch (i.e.,
Authenticator) responds with an EAPOL identity request. The client provides its
identity (such as a user name) in an EAPOL response to the switch, which it
forwards to the RADIUS server. The RADIUS server verifies the client identity and
sends an access challenge back to the client. The EAP packet fr om the RADIUS
server contains not only the challenge, but the authentication method to be used.
The client can reject the authentication method and request another, depending on
the configuration of the client software and the RADIUS server. The authentication
method must be MD5. The client responds to the appropriate method with its
credentials, such as a password or certificate. The RADIUS server verifies the client
credentials and responds with an accept or reject packet. If authentication is
successful, the switch allows the client to access the network. Otherwise, network
access is denied and the port remains blocked.

The operation of 802.1X on the switch requires the following:

• The switch must have an IP address assigned.

• RADIUS authentication must be enabled on the switch and th e IP address of the

RADIUS server specified.

• 802.1X must be enabled globally for the switch.

• Each switch port that will be used must be set to dot1X “Auto” mode.

• Each client that needs to be authenticated must have dot1X client software

installed and properly configured.

• The RADIUS server and 802.1X client support EAP. (The switch only supports

EAPOL in order to pass the EAP packets from the server to the client.)

802.1x
client

RADIUS
server

1. Client attempts to access a switch port.

2. Switch sends client an identity request.

3. Client sends back identity information.

4. Switch forwards this to authentication server.

5. Authentication server challenges client.

6. Client responds with proper credentials.

7. Authentication server approves access.

8. Switch grants client access to this port.

3-49

Configuring the Switch

3

• The RADIUS server and client also have to support the same EAP authe nticat i on
type – MD5. (Some clients have native support in Windows, otherwise the dot1x
client must support it.)

Displaying 802.1X Global Settings

The 802.1X protocol provides client authentication.

Command Attributes

• 802.1X System Authentication Control – The global setting for 802.1X.

Web – Click Security, 802.1X, Information.

Figure 3-30 802.1X Global Information

CLI – This example shows the default global setting for 802.1X.

Console#show dot1x 4-86
Global 802.1X Parameters
system-auth-control: enable

802.1X Port Summary

Port Name Status Operation Mode Mode Authorized
1/1 disabled Single-Host ForceAuthorized n/a
1/2 disabled Single-Host ForceAuthorized n/a

.
.
.

802.1X Port Details

802.1X is disabled on port 1/1
.

.
.

802.1X is disabled on port 1/26
Console#

3-50

User Authentication

3

Configuring 802.1X Global Settings

The 802.1X protocol provides client authentication.

Command Attributes

• 802.1X System Authentication Control – Sets the global setting for 802.1X.

(Default: Disabled)

Web – Select Security , 802.1X, Con figuration. Enabl e 802.1X globally f or the switch,
and click Apply.

Figure 3-31 802.1X Global Configuration

CLI – This example enables 802.1X globally for the switch.

Console(config)#dot1x system-auth-control 4-81
Console(config)#

Configuring Port Settings for 802.1X

When 802.1X is enabled, you need to configure the parameters for the
authentication process that runs between the client and the switch (i.e.,
authenticator), as well as the client identity lookup process that runs between the
switch and authentication server. These parameters are described in this section.

Command Attributes

• Port – Port number.

• Status – Indicates if authentication is enabled or disabled on th e port.

(Default: Disabled)

• Operation Mode – Allows single or multiple hosts (clients) to connect to an

802.1X-authorized port. (Options: Single-Host, Multi-Host; Default: Single-Host)

• Max Count – The maximum number of hosts that can connect to a port when th e

Multi-Host operation mode is selected. (Range: 1-1024; Default: 5)

• Mode – Sets the authentication mode to one of the following options:

- Auto – Requires a dot1x-aware client to be authorized by the authentication
server. Clients that are not dot1x-aware will be denied access.

- Force-Authorized – Forces the port to grant access to all clients, either
dot1x-aware or otherwise. (This is the default setting.)

- Force-Unauthorized – Forces the port to deny access to all clients, either
dot1x-aware or otherwise.

• Re-authen – Sets the client to be re-authenticated after the interval specified by
the Re-authentication Period. Re-authentication can be used to detect if a new
device is plugged into a switch port. (Default: Disabled)

3-51

Configuring the Switch

3

• Max-Req – Sets the maximum number of times the switch port will retransmit an
EAP request packet to the client before it times out the authentication session.
(Range: 1-10; Default 2)

• Quiet Period – Sets the time that a switch po rt waits after the Max Requ est Count
has been exceeded before attempting to acquire a new client.
(Range: 1-65535 seconds; Default: 60 seconds)

• Re-authen Period – Sets the time period after which a connected client must be
re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)

• TX Period – Sets the time period during an authentication sess ion th at the swi tch
waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)

• Authorized –

- Yes – Connected client is authorized.

- No – Connected client is not authorized.

- Blank – Displays nothing when dot1x is disabled on a port.

• Supplicant – Indicates the MAC address of a connected client.

• Trunk – Indicates if the port is configured as a trunk port.

Web – Click Security, 802.1X, Port Configuration. Modify the parameters required,
and click Apply.

3-52

Figure 3-32 802.1X Port Configuration

User Authentication

CLI – This example sets the 802.1X parameters on port 2. For a description of the
additional fields displayed in this example, see “show dot1x” on page 4-86.

Console(config)#interface ethernet 1/2 4-108
Console(config-if)#dot1x port-control auto 4-82
Console(config-if)#dot1x re-authentication 4-84
Console(config-if)#dot1x max-req 5 4-82
Console(config-if)#dot1x timeout quiet-period 30 4-84
Console(config-if)#dot1x timeout re-authperiod 1800 4-85
Console(config-if)#dot1x timeout tx-period 40 4-85
Console(config-if)#exit
Console(config)#exit
Console#show dot1x 4-86
Global 802.1X Parameters
system-auth-control: enable

802.1X Port Summary

Port Name Status Operation Mode Mode Authorized
1/1 disabled Single-Host ForceAuthorized n/a
1/2 enabled Single-Host auto yes

.
.
.

1/26 disabled Single-Host ForceAuthorized n/a

802.1X Port Details

802.1X is disabled on port 1/1

802.1X is enabled on port 1/2
reauth-enabled: Enable
reauth-period: 1800
quiet-period: 30
tx-period: 40
supplicant-timeout: 30
server-timeout: 10
reauth-max: 2
max-req: 5
Status Authorized
Operation mode Single-Host
Max count 5
Port-control Auto
Supplicant 00-90-cc-49-5e-dc
Current Identifier 3

Authenticator State Machine
State Authenticated
Reauth Count 0

Backend State Machine
State Idle
Request Count 0
Identifier(Server) 2

Reauthentication State Machine
State Initialize

.
.
.

802.1X is disabled on port 1/26
Console#

3

3-53

Configuring the Switch

3

Displaying 802.1X Statistics

This switch can display statistics for dot1x protocol exchanges for any port.

Table 3-5 802.1X Statistics

Parameter Description

Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
Rx EAPOL Invalid The number of EAPOL frames that have been received by this Authenticator in which

Rx EAPOL Total The number of valid EAPOL frames of any type that have been received by this

Rx EAP Resp/Id The number of EAP Resp/Id frames that have been received by this Authenticator.
Rx EAP Resp/Oth The number of valid EAP Response frames (other than Resp/Id frames) that have

Rx EAP LenError The number of EAPOL frames that have been received by this Authenticator in which

Rx Last EAPOLVer The protocol version number carried in the most recently received EAPOL frame.
Rx Last EAPOLSrc The source MAC address carried in the most recently received EAPOL frame.
Tx EAPOL Total The number of EAPOL frames of any type that have been transmitted by this

Tx EAP Req/Id The number of EAP Req/Id frames that have been transmitted by this Authenticator.
Tx EAP Req/Oth The number of EAP Request frames (other than Rq/Id frames) that have been

the frame type is not recognized .

Authenticator.

been received by this Authenticator.

the Packet Body Length field is invalid.

Authenticator.

transmitted by this Authenticator.

3-54

User Authentication

Web – Select Security, 802.1X, Statistics. Select the required port and then click
Query. Click Refresh to update the statistics.

Figure 3-33 802.1X Port Statistics

CLI – This example displays the 802.1X statistics for port 4.

Console#show dot1x statistics interface ethernet 1/4 4-86

Eth 1/4
Rx: EAPOL EAPOL EAPOL EAPOL EAP EAP EAP
Start Logoff Invalid Total Resp/Id Resp/Oth LenError
2 0 0 1007 672 0 0

Last Last
EAPOLVer EAPOLSrc
1 00-90-CC-98-73-21

Tx: EAPOL EAP EAP
Total Req/Id Req/Oth
2017 1005 0
Console#

3

Filtering IP Addresses for Management Access

You create a list of up to 16 IP addresses or IP address groups that are allowed
management access to the switch through the web interface, SNMP, or Telnet.

Command Usage

• The management interfaces are open to all IP addresses by default. Once you add

an entry to a filter list, access to that interface is restricted to the specified
addresses.

• If anyone tries to access a management interface on the switch fr om an invalid

address, the switch will reject the connection, enter an event message in the
system log, and send a trap message to the trap manager.

3-55

Configuring the Switch

3

• IP address can be configured for SNMP, web and Telnet access respectively. Each
of these groups can include up to five diff erent sets of ad dresses, either i ndividual
addresses or address ranges.

• When entering addresses for the same group (i.e., SNMP, web or Telnet), the
switch will not accept overlapping address ranges. When entering addresses for
different groups, the switch will accept overlapping address ranges.

• You cannot delete an individual address from a specified range . You must delete
the entire range, and reenter the addresses.

• You can delete an address range just by specifying the start address, or by
specifying both the start address and end address.

Command Attributes

• Web IP Filter – Configures IP address(es) for the web group.

• SNMP IP Filter – Configures IP address(es) for the SNMP group.

• Telnet IP Filter – Configures IP address(es) for the Telnet group.

• IP Filter List – IP address which are allowed management access to this interface.

• Start IP Address – A single IP address, or the starting address of a range.

• End IP Address – The end address of a range.

• Add/Remove Filtering Entry – Adds/removes an IP address from the list.

Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that
are allowed management access to an interface, and click Add IP Filtering Entry.

3-56

Figure 3-34 IP Filter

Access Control Lists

3

CLI – This example allows SNMP access for a specific client.

Console(config)#management snmp-client 10.1.2.3 4-28
Console(config)#end
Console#show management all-client
Management IP Filter
HTTP-Client:
Start IP address End IP address

-----------------------------------------------

SNMP-Client:
Start IP address End IP address

-----------------------------------------------

1. 10.1.2.3 10.1.2.3

TELNET-Client:
Start IP address End IP address

-----------------------------------------------

Console#

Access Control Lists

Access Control Lists (ACL) provide packe t fi ltering f or IP fr ames (b ased on add ress,
protocol, Layer 4 protocol port number or TCP control code) or any frames (based
on MAC address or Ethernet type). To filter incoming pa ckets, first create an a ccess
list, add the required rules and then bind the list to a specific port.

Configuring Access Control Lists

An ACL is a sequential list of permit or deny conditions that apply to IP addresses,
MAC addresses, or other more specific criteria. This switch tests ingress or egress
packets against the conditions in an ACL one by one. A packet will be accepted as
soon as it matches a permit rule, or dropped as soon as it mat ches a deny rule . If no
rules match for a list of all permit rules, the packet is dropped; and if no rules match
for a list of all deny rules, the packet is accepted.

Command Usage

The following restrictions apply to ACLs:

• Each ACL can have up to 32 rules.

• The maximum number of ACLs is 88.

• However, due to resource restrictions, the average number of rules bound to the

ports should not exceed 20.

• This switch supports ACLs for ingress filtering only. However, you can only bind

one IP ACL to any port and one MAC ACL globally for ingress filtering. In other
words, only two ACLs can be bound to an interface - Ingress IP ACL and Ingress
MAC ACL.

The order in which active ACLs are checked is as follows:

1. User-defined rules in the Ingress MAC ACL for ingress ports.

2. User-defined rules in the Ingress IP ACL for ingress ports.

3-57

Configuring the Switch

3

3. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports.

4. Explicit default rule (permit any any) in the ingress MAC ACL for ingress ports.

5. If no explicit rule is matched, the implicit default is permit all.

Setting the ACL Name and Type

Use the ACL Configuration page to designate the name and type of an ACL.

Command Attributes

• Name – Name of the ACL. (Maximum length: 16 characters)

• Type – There are three filtering modes:

- Standard: IP ACL mode that filters packets based on the source IP address.

- Extended: IP ACL mode that filters packets based on source or destination IP
address, as well as protocol type and protocol port number. If the “TCP” protocol
is specified, then you can also filter packets based on the TCP control code.

- MAC: MAC ACL mode that filters packets based on the source or destination
MAC address and the Ethernet frame type (RFC 1060).

Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field,
select the list type (IP Standard, IP Extended, or MAC), and click Add to open the
configuration page for the new list .

Figure 3-35 Selecting ACL Type

CLI – This example creates a standard IP ACL named david.

Console(config)#access-list ip standard david 4-90
Console(config-std-acl)#

3-58

Access Control Lists

3

Configuring a Standard IP ACL

Command Attributes

• Action – An ACL can contain any combination of permit or deny rules.

• Address Type – Specifies the source IP address. Use “Any” to include all possible
addresses, “Host” to specify a specific host address in the Add ress field, or “IP” to
specify a range of addresses with the Address and SubMask fields.
(Options: Any, Host, IP; Default: Any)

• IP Address – Source IP address.

• Subnet Mask – A subnet mask containing four integers from 0 to 255, each
separated by a period. The mask uses 1 bits to indicate “match” and 0 bits to
indicate “ignore.” The mask is bitwise ANDed with the specified source IP address,
and compared with the address for each IP packet entering the po rt(s) to which this
ACL has been assigned.

Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host,
or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet
address and the mask for an address range. Then click Add.

Figure 3-36 ACL Configuration - Standard IP

CLI – This example configures one permit rule for the specific address 10.1.1.21
and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.

Console(config-std-acl)#permit host 10.1.1.21 4-91
Console(config-std-acl)#permit 168.92.16.0 255.255.240.0
Console(config-std-acl)#

3-59

Configuring the Switch

3

Configuring an Extended IP ACL

Command Attributes

• Action – An ACL can contain any combination of permit or deny rules.

• Source/Destination Address Type – Specifies the source or destination IP
address. Use “Any” to include all possible addresses, “Host” to specify a specific
host address in the Address field, or “IP” to specify a range of addresses with the
Address and SubMask fields. (Options: Any, Host, IP; Default: Any)

• Source/Destination Address – Source or destination IP address.

• Source/Destination Subnet Mask – Subnet mask for source or destination
address. (See the description for Subnet Mask on page 3-59.)

• Service Type – Packet priority settings based on the following criteria:

- Precedence – IP precedence level. (Range: 0-7)

- TOS – Type of Service level. (Range: 0-15)

- DSCP – DSCP priority level. (Range: 0-63)

• Protocol – Specifies the protocol type to match as TCP, UDP or Others, where
others indicates a specific protocol number (0 -2 55). (Op tions: TCP, UDP, Others;
Default: TCP)

• Source/Destination Port – Source/destination port number for the specified
protocol type. (Range: 0-65535)

• Control Code – Decimal number (representing a bit string) that speci fies flag bit s
in byte 14 of the TCP header. (Range: 0-63)

• Control Code Bitmask – Decimal number representing the code bits to match.
The control bitmask is a decimal number (for an equivalent binary bit mask) that is
applied to the control code. Enter a decimal nu mber, where the equivalent binary
bit “1” means to match a bit and “0” means to ignore a bit. The following bits may
be specified:

- 1 (fin) – Finish

- 2 (syn) – Synchronize

- 4 (rst) – Reset

- 8 (psh) – Push

- 16 (ack) – Acknowledgement

- 32 (urg) – Urgent pointer

For example, use the code value and mask below to catch packets with the
following flags set:

- SYN flag valid, use control-code 2, control bitmask 2

- Both SYN and ACK valid, use control-code 18, control bitmask 18

- SYN valid and ACK invalid, use control-code 2, control bitmask 18

3-60

Access Control Lists

Web – Specify the action (i.e., Permit or Deny). Specify the source and/or
destination addresses. Select the address type (Any, Host, or IP). If you select
“Host,” enter a specific address. If you select “IP,” enter a subnet address and the
mask for an address range. Set any other required criteria, such as service type,
protocol type, or TCP control code. Then click Add.

Figure 3-37 ACL Configuration - Extended IP

CLI – This example adds two rules:
(1) Accept any incoming packets if the source address is in subnet 10.7.1.x. For

example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals
the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.

(2) Allow TCP packets from class C addresses 192.168.1.0 to any destination

address when set for destination TCP port 80 (i.e., HTTP).

(3) Permit all TCP packets from class C addresses 192.168.1.0 with the TCP control

code set to “SYN.”

Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any 4-92
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any

destination-port 80

Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any

control-flag 2 2

Console(config-std-acl)#

3

3-61

Configuring the Switch

3

Configuring a MAC ACL

Command Attributes

• Action – An ACL can contain any combination of permit or deny rules.

• Source/Destination Address Type – Use “Any” to include all possible addresses ,
“Host” to indicate a specific MAC address, or “MAC” to specify an address range
with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any)

• Source/Destination MAC Address – Source or destination MAC address.

• Source/Destination Bitmask – Hexidecimal mask for source or destination MAC
address.

• VID – VLAN ID. (Range: 1-4094)

• Ethernet Type – This option can only be used to filter Ethernet II formatted
packets. (Range: 0-65535)
A detailed listing of Ethernet protocol typ es can be found in RFC 1060. A few of th e
more common types include 0800 (IP), 0806 (ARP), 8137 (IPX).

Web – Specify the action (i.e., Permit or Deny). Specify the source and/or
destination addresses. Select the address type (Any, Host, or MAC). If you select
“Host,” enter a specific address (e.g., 00-90-CC-44-55-66). If you select “MAC,”
enter a base address and a hexidecimal bitmask for an address range . Set any
other required criteria, such as VID or Ethernet type. Then click Add.

Figure 3-38 ACL Configuration - MAC

CLI – This rule permits packets from any source MAC address to the destination
address 00-90-cc-94-34-de where the Ethernet type is 0800.

Console(config-mac-acl)#permit any host 00-90-cc-94-34-de

ethertype 0800 4-98

Console(config-mac-acl)#

3-62

Access Control Lists

3

Binding a Port to an Access Control List

After configuring Access Control Lists (ACL), you should bind them to the ports that
need to filter traffic. You can assign one IP access list to any port, but you can only
assign one MAC access list to all the ports on th e switch.

Command Usage

• You must configure a mask for an ACL rule before you can bind it to a port.

• This switch only supports ACLs for ingress filtering. You can only bind one IP ACL

to any port, and one MAC ACL globally, for ingress filtering.

Command Attributes

• Port – Fixed port or SFP module. (Range: 1-26)

• IP – Specifies the IP Access List to enable for a port.

• MAC – Specifies the MAC Access List to enable globally.

• IN – ACL for ingress packets.

• ACL Name – Name of the ACL.
Web – Click Security, ACL, Port Binding. Mark the Enabled field for the port you

want to bind to an ACL, select the required ACL from the drop-down list, then click
Apply.

Figure 3-39 Binding a Port to an ACL

3-63

Configuring the Switch

3

CLI – This example assigns an IP and MAC access list to port 1, and an IP access
list to port 3.

Console(config)#interface ethernet 1/1 4-108
Console(config-if)#ip access-group david in 4-94
Console(config-if)#mac access-group jerry in 4-99
Console(config-if)#exit
Console(config)#interface ethernet 1/3
Console(config-if)#ip access-group david in
Console(config-if)#

Port Configuration

Displaying Connection Status

You can use the Port Information or Trunk Information pages to display the current
connection status, including link state, speed/duplex mode, flow control, and
auto-negotiation.

Field Attributes (Web)

• Name – Interface label.

• Type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP)

• Admin Status – Shows if the interface is enabled or disabled.

• Oper Status – Indicates if the link is Up or Down.

• Speed Duplex Status – Shows the current speed and duplex mode.
(Auto, or fixed choice)

• Flow Control Status – Indicates the type of flow control currently in use.
(IEEE 802.3x, Back-Pressure or None)

• Autonegotiation – Shows if auto-negotiation is enabled or disabled.

• Trunk Member

• Creation

3

– Shows if port is a trunk member.

4

– Shows if a trunk is manually configured or dynamically set via LACP.

3. Port information only.

4. Trunk information only .

3-64