Microsoft ES4612 User Manual

Download

Gigabit Ethernet Switch

Management Guide

Gigabit Ethernet Switch

Layer 3 Workgroup Switch with 8 SFP Ports, and 4 Gigabit Combination (RJ-45/SFP) Ports

ES4612 F1.0.2.5 E092004-R01 150000046400A

Contents

Chapter 1: Introduction 1-1

Key Features 1-1 Description of Software Features 1-2 System Defaults 1-6

Chapter 2: Initial Configuration 2-1

Connecting to the Switch 2-1

Configuration Options 2-1 Required Connections 2-2 Remote Connections 2-3

Basic Configuration 2-3

Console Connection 2-3 Setting Passwords 2-4 Setting an IP Address 2-4

Manual Configuration 2-4 Dynamic Configuration 2-5

Enabling SNMP Management Access 2-6

Community Strings (for SNMP version 1 and 2c clients) 2-6 Trap Receivers 2-7 Configuring Access for SNMP Version 3 Clients 2-8

Saving Configuration Settings 2-8

Managing System Files 2-9

Chapter 3: Configuring the Switch 3-1

Using the Web Interface 3-1 Navigating the Web Browser Interface 3-2

Home Page 3-2 Configuration Options 3-3 Panel Display 3-3 Main Menu 3-4

Basic Configuration 3-11

Displaying System Information 3-11 Displaying Switch Hardware/Software Versions 3-12 Displaying Bridge Extension Capabilities 3-14 Setting the Switch’s IP Address 3-15

Manual Configuration 3-16 Using DHCP/BOOTP 3-18

Managing Firmware 3-19

Downloading System Software from a Server 3-20

Saving or Restoring Configuration Settings 3-22

Downloading Configuration Settings from a Server 3-23

Contents

Console Port Settings 3-24 Telnet Settings 3-26 Configuring Event Logging 3-28

System Log Configuration 3-28 Remote Log Configuration 3-30

Displaying Log Messages 3-32 Resetting the System 3-32 Setting the System Clock 3-33

Configuring SNTP 3-33

Setting the Time Zone 3-34

Simple Network Management Protocol 3-35

Enabling the SNMP Agent 3-36 Setting Community Access Strings 3-36 Specifying Trap Managers and Trap Types 3-37 Configuring SNMPv3 Management Access 3-38

Setting an Engine ID 3-38

Configuring SNMPv3 Users 3-39

Configuring SNMPv3 Groups 3-41

Setting SNMPv3 Views 3-43

User Authentication 3-44

Configuring User Accounts 3-44 Configuring Local/Remote Logon Authentication 3-46 Configuring HTTPS 3-48

Replacing the Default Secure-site Certificate 3-49 Configuring the Secure Shell 3-50

Generating the Host Key Pair 3-52

Configuring the SSH Server 3-54 Configuring Port Security 3-55 Configuring 802.1x Port Authentication 3-57

Displaying 802.1x Global Settings 3-58

Configuring 802.1x Global Settings 3-60

Configuring Port Authorization Mode 3-61

Displaying 802.1x Statistics 3-62 Filtering IP Addresses for Management Access 3-64

Access Control Lists 3-66

Configuring Access Control Lists 3-66

Setting the ACL Name and Type 3-67

Configuring a Standard IP ACL 3-67

Configuring an Extended IP ACL 3-69

Configuring a MAC ACL 3-71 Configuring ACL Masks 3-73

Specifying the Mask Type 3-73

Configuring an IP ACL Mask 3-74

Configuring a MAC ACL Mask 3-76 Binding a Port to an Access Control List 3-77

Contents

Port Configuration 3-78

Displaying Connection Status 3-78 Configuring Interface Connections 3-81 Creating Trunk Groups 3-83

Statically Configuring a Trunk 3-84 Enabling LACP on Selected Ports 3-85 Configuring LACP Parameters 3-87 Displaying LACP Port Counters 3-89 Displaying LACP Settings and Status for the Local Side 3-90

Displaying LACP Settings and Status for the Remote Side 3-92 Setting Broadcast Storm Thresholds 3-93 Configuring Port Mirroring 3-95 Configuring Rate Limits 3-96 Showing Port Statistics 3-97

Address Table Settings 3-101

Setting Static Addresses 3-101 Displaying the Address Table 3-102 Changing the Aging Time 3-104

Spanning Tree Algorithm Configuration 3-104

Displaying Global Settings 3-105 Configuring Global Settings 3-108 Displaying Interface Settings 3-112 Configuring Interface Settings 3-115 Configuring Multiple Spanning Trees 3-117 Displaying Interface Settings for MSTP 3-120 Configuring Interface Settings for MSTP 3-121

VLAN Configuration 3-123

Configuring IEEE 802.1Q VLANs 3-123

Enabling or Disabling GVRP (Global Setting) 3-126

Displaying Basic VLAN Information 3-126

Displaying Current VLANs 3-127

Creating VLANs 3-128

Adding Static Members to VLANs (VLAN Index) 3-129

Adding Static Members to VLANs (Port Index) 3-131

Configuring VLAN Behavior for Interfaces 3-132 Configuring Private VLANs 3-134

Enabling Private VLANs 3-134

Configuring Uplink and Downlink Ports 3-135 Configuring Protocol-Based VLANs 3-135

Configuring Protocol Groups 3-136

Mapping Protocols to VLANs 3-136

Class of Service Configuration 3-138

Layer 2 Queue Settings 3-138

Setting the Default Priority for Interfaces 3-138

Mapping CoS Values to Egress Queues 3-140

vii

Contents

Selecting the Queue Mode 3-142 Setting the Service Weight for Traffic Classes 3-142

Layer 3/4 Priority Settings 3-144

Mapping Layer 3/4 Priorities to CoS Values 3-144 Selecting IP Precedence/DSCP Priority 3-144 Mapping IP Precedence 3-145 Mapping DSCP Priority 3-146 Mapping IP Port Priority 3-148 Mapping CoS Values to ACLs 3-149 Changing Priorities Based on ACL Rules 3-150

Multicast Filtering 3-152

IGMP Protocol 3-152 Layer 2 IGMP (Snooping and Query) 3-153

Configuring IGMP Snooping and Query Parameters 3-154 Displaying Interfaces Attached to a Multicast Router 3-156 Specifying Static Interfaces for a Multicast Router 3-157 Displaying Port Members of Multicast Services 3-158 Assigning Ports to Multicast Services 3-159

Layer 3 IGMP (Query used with Multicast Routing) 3-160

Configuring IGMP Interface Parameters 3-160 Displaying Multicast Group Information 3-163

Configuring Domain Name Service 3-164

Configuring General DNS Server Parameters 3-164 Configuring Static DNS Host to Address Entries 3-166 Displaying the DNS Cache 3-168

Dynamic Host Configuration Protocol 3-169

Configuring DHCP Relay Service 3-169 Configuring the DHCP Server 3-171

Enabling the Server, Setting Excluded Addresses 3-171 Configuring Address Pools 3-173 Displaying Address Bindings 3-177

Configuring Router Redundancy 3-178

Virtual Router Redundancy Protocol 3-179

Configuring VRRP Groups 3-179 Displaying VRRP Global Statistics 3-184 Displaying VRRP Group Statistics 3-185

Hot Standby Router Protocol 3-186

Configuring HSRP Groups 3-186

IP Routing 3-193

Overview 3-193

Initial Configuration 3-193

IP Switching 3-194

Routing Path Management 3-195 Routing Protocols 3-195

Basic IP Interface Configuration 3-196

viii

Contents

Configuring IP Routing Interfaces 3-197 Address Resolution Protocol 3-199

Proxy ARP 3-199

Basic ARP Configuration 3-200

Configuring Static ARP Addresses 3-201

Displaying Dynamically Learned ARP Entries 3-202

Displaying Local ARP Entries 3-203

Displaying ARP Statistics 3-204 Displaying Statistics for IP Protocols 3-205

IP Statistics 3-205

ICMP Statistics 3-207

UDP Statistics 3-209

TCP Statistics 3-210 Configuring Static Routes 3-211 Displaying the Routing Table 3-212 Configuring the Routing Information Protocol 3-213

Configuring General Protocol Settings 3-214

Specifying Network Interfaces for RIP 3-216

Configuring Network Interfaces for RIP 3-217

Displaying RIP Information and Statistics 3-220 Configuring the Open Shortest Path First Protocol 3-223

Configuring General Protocol Settings 3-224

Configuring OSPF Areas 3-227

Configuring Area Ranges (Route Summarization for ABRs) 3-230

Configuring OSPF Interfaces 3-232

Configuring Virtual Links 3-236

Configuring Network Area Addresses 3-238

Configuring Summary Addresses (for External AS Routes) 3-241

Redistributing External Routes 3-242

Configuring NSSA Settings 3-243

Displaying Link State Database Information 3-245

Displaying Information on Border Routers 3-247

Displaying Information on Neighbor Routers 3-248

Multicast Routing 3-249

Configuring Global Settings for Multicast Routing 3-249 Displaying the Multicast Routing Table 3-250 Configuring DVMRP 3-253

Configuring Global DVMRP Settings 3-253

Configuring DVMRP Interface Settings 3-256

Displaying Neighbor Information 3-258

Displaying the Routing Table 3-259 Configuring PIM-DM 3-260

Configuring Global PIM-DM Settings 3-260

Configuring PIM-DM Interface Settings 3-261

Displaying Interface Information 3-264

Contents

Displaying Neighbor Information 3-264

Chapter 4: Command Line Interface 4-1

Using the Command Line Interface 4-1

Accessing the CLI 4-1 Console Connection 4-1 Telnet Connection 4-1

Entering Commands 4-3

Keywords and Arguments 4-3 Minimum Abbreviation 4-3 Command Completion 4-3 Getting Help on Commands 4-3

Showing Commands 4-4 Partial Keyword Lookup 4-5 Negating the Effect of Commands 4-5 Using Command History 4-5 Understanding Command Modes 4-6 Exec Commands 4-6 Configuration Commands 4-7 Command Line Processing 4-9

Command Groups 4-10 Line Commands 4-11

line 4-12 login 4-12 password 4-13 timeout login response 4-14 exec-timeout 4-15 password-thresh 4-15 silent-time 4-16 databits 4-17 parity 4-17 speed 4-18 stopbits 4-18 disconnect 4-19 show line 4-19

General Commands 4-20

enable 4-21 disable 4-21 configure 4-22 show history 4-22 reload 4-23 end 4-24 exit 4-24 quit 4-24

Contents

System Management Commands 4-25

Device Designation Commands 4-25

prompt 4-26 hostname 4-26

User Access Commands 4-27

username 4-27 enable password 4-28

IP Filter Commands 4-29

management 4-29 show management 4-30

Web Server Commands 4-31

ip http port 4-31 ip http server 4-31 ip http secure-server 4-32 ip http secure-port 4-33

Telnet Server Commands 4-34

ip telnet port 4-34 ip telnet server 4-34

Secure Shell Commands 4-35

ip ssh server 4-37 ip ssh timeout 4-38 ip ssh authentication-retries 4-38 ip ssh server-key size 4-39 delete public-key 4-39 ip ssh crypto host-key generate 4-40 ip ssh crypto zeroize 4-40 ip ssh save host-key 4-41 show ip ssh 4-41 show ssh 4-42 show public-key 4-43

Event Logging Commands 4-44

logging on 4-44 logging history 4-45 logging host 4-46 logging facility 4-46 logging trap 4-47 clear logging 4-47 show logging 4-48

SMTP Alert Commands 4-49

logging sendmail host 4-50 logging sendmail level 4-50 logging sendmail source-email 4-51 logging sendmail destination-email 4-51 logging sendmail 4-52 show logging sendmail 4-52

Contents

Time Commands 4-53

sntp client 4-53

sntp server 4-54

sntp poll 4-55

show sntp 4-55

clock timezone 4-56

calendar set 4-57

show calendar 4-57 System Status Commands 4-58

show startup-config 4-58

show running-config 4-59

show system 4-61

show users 4-62

show version 4-62 Frame Size Commands 4-63

jumbo frame 4-63

Flash/File Commands 4-64

copy 4-64 delete 4-67 dir 4-67 whichboot 4-68 boot system 4-69

Authentication Commands 4-70

Authentication Sequence 4-70

authentication login 4-70

authentication enable 4-71 RADIUS Client 4-72

radius-server host 4-72

radius-server port 4-73

radius-server key 4-73

radius-server retransmit 4-74

radius-server timeout 4-74

show radius-server 4-74 TACACS+ Client 4-75

tacacs-server host 4-75

tacacs-server port 4-76

tacacs-server key 4-76

show tacacs-server 4-77 Port Security Commands 4-77

port security 4-78

802.1x Port Authentication 4-79

authentication dot1x default 4-80

dot1x default 4-80

dot1x max-req 4-80

dot1x port-control 4-81

xii

Contents

dot1x operation-mode 4-82 dot1x re-authenticate 4-82 dot1x re-authentication 4-83 dot1x timeout quiet-period 4-83 dot1x timeout re-authperiod 4-84 dot1x timeout tx-period 4-84 show dot1x 4-85

Access Control List Commands 4-87

IP ACLs 4-88

access-list ip 4-89 permit, deny (Standard ACL) 4-90 permit, deny (Extended ACL) 4-91 show ip access-list 4-93 access-list ip mask-precedence 4-93 mask (IP ACL) 4-94 show access-list ip mask-precedence 4-97 ip access-group 4-98 show ip access-group 4-98 map access-list ip 4-99 show map access-list ip 4-100 match access-list ip 4-100 show marking 4-101

MAC ACLs 4-102

access-list mac 4-102 permit, deny (MAC ACL) 4-103 show mac access-list 4-104 access-list mac mask-precedence 4-105 mask (MAC ACL) 4-106 show access-list mac mask-precedence 4-108 mac access-group 4-108 show mac access-group 4-109 map access-list mac 4-109 show map access-list mac 4-110 match access-list mac 4-111

ACL Information 4-112

show access-list 4-112 show access-group 4-112

SNMP Commands 4-113

snmp-server 4-113 show snmp 4-114 snmp-server community 4-115 snmp-server contact 4-115 snmp-server location 4-116 snmp-server host 4-117 snmp-server enable traps 4-118

xiii

Contents

snmp-server engine-id 4-119 show snmp engine-id 4-119 snmp-server view 4-120 show snmp view 4-121 snmp-server group 4-121 show snmp group 4-123 snmp-server user 4-124 show snmp user 4-125 snmp ip filter 4-125

DHCP Commands 4-126

DHCP Client 4-126

ip dhcp client-identifier 4-127

ip dhcp restart client 4-127 DHCP Relay 4-128

ip dhcp restart relay 4-128

ip dhcp relay server 4-129 DHCP Server 4-130

service dhcp 4-130

ip dhcp excluded-address 4-131

ip dhcp pool 4-131

network 4-132

default-router 4-133

domain-name 4-133

dns-server 4-134

next-server 4-134

bootfile 4-135

netbios-name-server 4-135

netbios-node-type 4-136

lease 4-136

host 4-137

client-identifier 4-138

hardware-address 4-139

clear ip dhcp binding 4-139

show ip dhcp binding 4-140

DNS Commands 4-141

ip host 4-141

clear host 4-142

ip domain-name 4-142

ip domain-list 4-143

ip name-server 4-144

ip domain-lookup 4-145

show hosts 4-146

show dns 4-147

show dns cache 4-147

clear dns cache 4-148

xiv

Contents

Interface Commands 4-149

interface 4-149 description 4-150 speed-duplex 4-150 negotiation 4-151 capabilities 4-152 media-type 4-154 shutdown 4-154 switchport broadcast packet-rate 4-155 clear counters 4-156 show interfaces status 4-157 show interfaces counters 4-158 show interfaces switchport 4-159

Mirror Port Commands 4-160

port monitor 4-160 show port monitor 4-161

Rate Limit Commands 4-162

rate-limit 4-162

Link Aggregation Commands 4-163

channel-group 4-164 lacp 4-164

Address Table Commands 4-166

mac-address-table static 4-166 clear mac-address-table dynamic 4-167 show mac-address-table 4-167 mac-address-table aging-time 4-168 show mac-address-table aging-time 4-169

Spanning Tree Commands 4-169

spanning-tree 4-170 spanning-tree mode 4-171 spanning-tree forward-time 4-172 spanning-tree hello-time 4-173 spanning-tree max-age 4-173 spanning-tree priority 4-174 spanning-tree pathcost method 4-174 spanning-tree transmission-limit 4-175 spanning-tree mst-configuration 4-175 mst vlan 4-176 mst priority 4-177 name 4-177 revision 4-178 max-hops 4-179 spanning-tree spanning-disabled 4-179 spanning-tree cost 4-180 spanning-tree port-priority 4-180

Contents

spanning-tree edge-port 4-181 spanning-tree portfast 4-182 spanning-tree link-type 4-183 spanning-tree mst cost 4-183 spanning-tree mst port-priority 4-184 spanning-tree protocol-migration 4-185 show spanning-tree 4-186 show spanning-tree mst configuration 4-188

VLAN Commands 4-188

Editing VLAN Groups 4-189

vlan database 4-189

vlan 4-190 Configuring VLAN Interfaces 4-191

interface vlan 4-191

switchport mode 4-192

switchport acceptable-frame-types 4-192

switchport ingress-filtering 4-193

switchport native vlan 4-194

switchport allowed vlan 4-195

switchport forbidden vlan 4-196 Displaying VLAN Information 4-197

show vlan 4-197 Configuring Private VLANs 4-198

pvlan 4-198

show pvlan 4-199 Configuring Protocol-based VLANs 4-199

protocol-vlan protocol-group (Configuring Groups) 4-200

protocol-vlan protocol-group (Configuring Interfaces) 4-200

show protocol-vlan protocol-group 4-201

show interfaces protocol-vlan protocol-group 4-202

GVRP and Bridge Extension Commands 4-203

bridge-ext gvrp 4-203

show bridge-ext 4-204

switchport gvrp 4-204

show gvrp configuration 4-205

garp timer 4-205

show garp timer 4-206

Priority Commands 4-207

Priority Commands (Layer 2) 4-207

queue mode 4-208

switchport priority default 4-209

queue bandwidth 4-210

queue cos-map 4-210

show queue mode 4-211

show queue bandwidth 4-212

xvi

Contents

show queue cos-map 4-212

Priority Commands (Layer 3 and 4) 4-213

map ip port (Global Configuration) 4-213 map ip port (Interface Configuration) 4-214 map ip precedence (Global Configuration) 4-214 map ip precedence (Interface Configuration) 4-215 map ip dscp (Global Configuration) 4-216 map ip dscp (Interface Configuration) 4-216 show map ip port 4-217 show map ip precedence 4-218 show map ip dscp 4-219

Multicast Filtering Commands 4-220

IGMP Snooping Commands 4-221

ip igmp snooping 4-221 ip igmp snooping vlan static 4-221 ip igmp snooping version 4-222 show ip igmp snooping 4-222 show mac-address-table multicast 4-223

IGMP Query Commands (Layer 2) 4-224

ip igmp snooping querier 4-224 ip igmp snooping query-count 4-224 ip igmp snooping query-interval 4-225 ip igmp snooping query-max-response-time 4-226 ip igmp snooping router-port-expire-time 4-226

Static Multicast Routing Commands 4-227

ip igmp snooping vlan mrouter 4-227 show ip igmp snooping mrouter 4-228

IGMP Commands (Layer 3) 4-229

ip igmp 4-229 ip igmp robustval 4-230 ip igmp query-interval 4-231 ip igmp max-resp-interval 4-231 ip igmp last-memb-query-interval 4-232 ip igmp version 4-233 show ip igmp interface 4-233 clear ip igmp group 4-234 show ip igmp groups 4-235

IP Interface Commands 4-236

Basic IP Configuration 4-236

ip address 4-236 ip default-gateway 4-238 show ip interface 4-239 show ip redirects 4-239 ping 4-239

Address Resolution Protocol (ARP) 4-241

xvii

Contents

arp 4-241

arp-timeout 4-242

clear arp-cache 4-242

show arp 4-242

ip proxy-arp 4-243

IP Routing Commands 4-244

Global Routing Configuration 4-244

ip routing 4-244

ip route 4-245

clear ip route 4-246

show ip route 4-246

show ip host-route 4-247

show ip traffic 4-248 Routing Information Protocol (RIP) 4-248

router rip 4-249

timers basic 4-249

network 4-250

neighbor 4-251

version 4-252

ip rip receive version 4-253

ip rip send version 4-254

ip split-horizon 4-255

ip rip authentication key 4-255

ip rip authentication mode 4-256

show rip globals 4-257

show ip rip 4-257 Open Shortest Path First (OSPF) 4-259

router ospf 4-260

router-id 4-260

compatible rfc1583 4-261

default-information originate 4-262

timers spf 4-263

area range 4-264

area default-cost 4-264

summary-address 4-265

redistribute 4-266

network area 4-267

area stub 4-268

area nssa 4-269

area virtual-link 4-270

ip ospf authentication 4-272

ip ospf authentication-key 4-273

ip ospf message-digest-key 4-274

ip ospf cost 4-275

ip ospf dead-interval 4-275

xviii

Contents

ip ospf hello-interval 4-276 ip ospf priority 4-276 ip ospf retransmit-interval 4-277 ip ospf transmit-delay 4-278 show ip ospf 4-278 show ip ospf border-routers 4-279 show ip ospf database 4-280 show ip ospf interface 4-288 show ip ospf neighbor 4-289 show ip ospf summary-address 4-290 show ip ospf virtual-links 4-290

Multicast Routing Commands 4-291

Static Multicast Routing Commands 4-291

ip igmp snooping vlan mrouter 4-291 show ip igmp snooping mrouter 4-292

General Multicast Routing Commands 4-293

ip multicast-routing 4-293 show ip mroute 4-293

DVMRP Multicast Routing Commands 4-295

router dvmrp 4-295 probe-interval 4-296 nbr-timeout 4-297 report-interval 4-297 flash-update-interval 4-298 prune-lifetime 4-298 default-gateway 4-299 ip dvmrp 4-299 ip dvmrp metric 4-300 clear ip dvmrp route 4-301 show router dvmrp 4-301 show ip dvmrp route 4-302 show ip dvmrp neighbor 4-303 show ip dvmrp interface 4-303

PIM-DM Multicast Routing Commands 4-304

router pim 4-304 ip pim dense-mode 4-305 ip pim hello-interval 4-306 ip pim hello-holdtime 4-306 ip pim trigger-hello-interval 4-307 ip pim join-prune-holdtime 4-307 ip pim graft-retry-interval 4-308 ip pim max-graft-retries 4-309 show router pim 4-309 show ip pim interface 4-309 show ip pim neighbor 4-310

xix

Contents

Router Redundancy Commands 4-311

Virtual Router Redundancy Protocol Commands 4-311

vrrp ip 4-312

vrrp authentication 4-313

vrrp priority 4-313

vrrp timers advertise 4-314

vrrp preempt 4-315

show vrrp 4-316

show vrrp interface 4-318

show vrrp router counters 4-318

show vrrp interface counters 4-319

clear vrrp router counters 4-319

clear vrrp interface counters 4-319 Hot Standby Router Protocol Commands 4-320

standby ip 4-321

standby priority 4-322

standby preempt 4-323

standby authentication 4-324

standby timers 4-325

standby track 4-326

show standby 4-327

show standby interface 4-329

Appendix A: Software Specifications A-1

Software Features A-1 Management Features A-2 Standards A-2 Management Information Bases A-3

Appendix B: Troubleshooting B-1

Problems Accessing the Management Interface B-1 Using System Logs B-2

Glossary

Index

Tables

Table 1-1 Key Features 1-1 Table 1-2 System Defaults 1-6 Table 3-1 Web Page Configuration Buttons 3-3 Table 3-2 Switch Main Menu 3-4 Table 3-3 Logging Levels 3-29 Table 3-4 SNMPv3 Security Models and Levels 3-35 Table 3-5 HTTPS System Support 3-49 Table 3-6 802.1x Statistics 3-62 Table 3-7 LACP Port Counters 3-89 Table 3-8 Internal Configuration Information 3-90 Table 3-9 Neighbor Configuration Information 3-92 Table 3-10 Port Statistics 3-97 Table 3-11 Mapping CoS Values to Egress Queues 3-140 Table 3-12 CoS Priority Levels 3-140 Table 3-13 Mapping IP Precedence 3-145 Table 3-14 Mapping DSCP Priority 3-146 Table 3-15 Mapping CoS Values to IP ACLs 3-149 Table 3-16 Address Resolution Protocol 3-199 Table 3-17 ARP Statistics 3-204 Table 3-18 IP Statistics 3-205 Table 3-19 ICMP Statistics 3-207 Table 3-20 USP Statistics 3-209 Table 3-21 TCP Statistics 3-210 Table 3-22 RIP Information and Statistics 3-220 Table 4-1 General Command Modes 4-6 Table 4-2 Configuration Command Modes 4-8 Table 4-3 Keystroke Commands 4-9 Table 4-4 Command Group Index 4-10 Table 4-5 Line Commands 4-11 Table 4-6 General Commands 4-20 Table 4-7 System Management Commands 4-25 Table 4-8 Device Designation Commands 4-25 Table 4-9 User Access Commands 4-27 Table 4-10 Default Login Settings 4-27 Table 4-11 IP Filter Commands 4-29 Table 4-12 Web Server Commands 4-31 Table 4-13 HTTPS System Support 4-32 Table 4-14 Secure Shell Commands 4-35 Table 4-15 show ssh - display description 4-42 Table 4-16 Event Logging Commands 4-44 Table 4-17 Logging Levels 4-45

xxi

Tables

Table 4-18 show logging flash - display description 4-48 Table 4-19 show logging trap - display description 4-49 Table 4-20 SMTP Alert Commands 4-49 Table 4-21 Time Commands 4-53 Table 4-22 System Status Commands 4-58 Table 4-23 Frame Size Commands 4-63 Table 4-24 Flash/File Commands 4-64 Table 4-25 File Directory Information 4-68 Table 4-26 Authentication Commands 4-70 Table 4-27 Authentication Sequence Commands 4-70 Table 4-28 RADIUS Client Commands 4-72 Table 4-29 TACACS+ Client Commands 4-75 Table 4-30 Port Security Commands 4-77 Table 4-31 802.1x Port Authentication Commands 4-79 Table 4-32 Access Control List Commands 4-88 Table 4-33 IP ACL Commands 4-88 Table 4-34 Mapping CoS Values to IP ACLs 4-99 Table 4-35 MAC ACL Commands 4-102 Table 4-36 Mapping CoS Values to MAC ACLs 4-109 Table 4-37 ACL Information Commands 4-112 Table 4-38 SNMP Commands 4-113 Table 4-39 show snmp engine-id - display description 4-120 Table 4-40 show snmp view - display description 4-121 Table 4-41 show snmp group - display description 4-124 Table 4-42 show snmp user - display description 4-125 Table 4-43 DHCP Commands 4-126 Table 4-44 DHCP Client Commands 4-126 Table 4-45 DHCP Relay Commands 4-128 Table 4-46 DHCP Server Commands 4-130 Table 4-47 DNS Commands 4-141 Table 4-48 show dns cache - display description 4-147 Table 4-49 Interface Commands 4-149 Table 4-50 show interfaces switchport - display description 4-159 Table 4-51 Mirror Port Commands 4-160 Table 4-52 Rate Limit Commands 4-162 Table 4-53 Link Aggregation Commands 4-163 Table 4-54 Address Table Commands 4-166 Table 4-55 Spanning Tree Commands 4-169 Table 4-56 VLAN Commands 4-188 Table 4-57 Commands for Editing VLAN Groups 4-189 Table 4-58 Commands for Configuring VLAN Interfaces 4-191 Table 4-59 Commands for Displaying VLAN Information 4-197 Table 4-60 Private VLAN Commands 4-198 Table 4-61 Protocol-based VLAN Commands 4-199 Table 4-62 GVRP and Bridge Extension Commands 4-203

xxii

Tables

Table 4-63 Priority Commands 4-207 Table 4-64 Priority Commands (Layer 2) 4-207 Table 4-65 Default CoS Priority Levels 4-211 Table 4-66 Priority Commands (Layer 3 and 4) 4-213 Table 4-67 Mapping IP Precedence to CoS Values 4-215 Table 4-68 Mapping IP DSCP to CoS Values 4-217 Table 4-69 Multicast Filtering Commands 4-220 Table 4-70 IGMP Snooping Commands 4-221 Table 4-71 IGMP Query Commands (Layer 2) 4-224 Table 4-72 Static Multicast Routing Commands 4-227 Table 4-73 IGMP Commands (Layer 3) 4-229 Table 4-74 show ip igmp groups - display description 4-235 Table 4-75 IP Interface Commands 4-236 Table 4-76 Basic IP Configuration Commands 4-236 Table 4-77 Address Resolution Protocol Commands 4-241 Table 4-78 IP Routing Commands 4-244 Table 4-79 Global Routing Configuration Commands 4-244 Table 4-80 show ip route - display description 4-247 Table 4-81 show ip host-route - display description 4-247 Table 4-82 Routing Information Protocol Commands 4-248 Table 4-83 show rip globals - display description 4-257 Table 4-84 show ip rip - display description 4-258 Table 4-85 Open Shortest Path First Commands 4-259 Table 4-87 show ip ospf border-routers - display description 4-279 Table 4-86 show ip ospf - display description 4-279 Table 4-88 show ip ospf database - display description 4-281 Table 4-89 show ip ospf asbr-summary - display description 4-282 Table 4-90 show ip ospf database-summary - display description 4-283 Table 4-91 show ip ospf external - display description 4-284 Table 4-92 show ip ospf network - display description 4-285 Table 4-93 show ip ospf router - display description 4-286 Table 4-94 show ip ospf summary - display description 4-287 Table 4-95 show ip ospf interface - display description 4-288 Table 4-96 show ip ospf neighbor - display description 4-289 Table 4-97 show ip ospf virtual-links - display description 4-290 Table 4-98 Multicast Routing Commands 4-291 Table 4-99 Static Multicast Routing Commands 4-291 Table 4-100 General Multicast Routing Commands 4-293 Table 4-101 show ip mroute - display description 4-294 Table 4-102 DVMRP Multicast Routing Commands 4-295 Table 4-103 show ip dvmrp route - display description 4-302 Table 4-104 show ip dvmrp neighbor - display description 4-303 Table 4-105 PIM-DM Multicast Routing Commands 4-304 Table 4-106 show ip pim neighbor - display description 4-310 Table 4-107 Router Redundancy Commands 4-311

xxiii

Tables

Table 4-108 VRRP Commands 4-311 Table 4-110 show vrrp brief - display description 4-317 Table 4-109 show vrrp - display description 4-317 Table 4-111 HSRP Commands 4-320 Table 4-112 show standby - display description 4-327 Table 4-113 show standby brief - display description 4-328 Table B-1 Troubleshooting Chart B-1

xxiv

Figures

Figure 3-1 Home Page 3-2 Figure 3-2 Front Panel Indicators 3-3 Figure 3-3 System Information 3-11 Figure 3-4 Switch Information 3-13 Figure 3-5 Bridge Extension Configuration 3-14 Figure 3-6 IP Interface Configuration - Manual 3-16 Figure 3-7 Default Gateway 3-17 Figure 3-8 IP Interface Configuration - DHCP 3-18 Figure 3-9 Copy Firmware 3-20 Figure 3-10 Setting the Startup Code 3-20 Figure 3-11 Deleting Files 3-21 Figure 3-12 Copy Configuration Settings 3-23 Figure 3-13 Setting the Startup Configuration Settings 3-23 Figure 3-14 Configuring the Console Port 3-25 Figure 3-15 Configuring the Telnet Interface 3-27 Figure 3-16 System Logs 3-29 Figure 3-17 Remote Logs 3-31 Figure 3-18 Displaying Logs 3-32 Figure 3-19 Resetting the System 3-32 Figure 3-20 SNTP Configuration 3-33 Figure 3-21 Clock Time Zone 3-34 Figure 3-22 Enabling the SNMP Agent 3-36 Figure 3-23 Configuring SNMP Community Strings 3-37 Figure 3-24 Configuring SNMP Trap Managers 3-38 Figure 3-25 Setting the SNMPv3 Engine ID 3-39 Figure 3-26 Configuring SNMPv3 Users 3-40 Figure 3-27 Configuring SNMPv3 Groups 3-42 Figure 3-28 Configuring SNMPv3 Views 3-43 Figure 3-29 User Accounts 3-45 Figure 3-30 Authentication Server Settings 3-47 Figure 3-31 HTTPS Settings 3-49 Figure 3-32 SSH Host-Key Settings 3-53 Figure 3-33 SSH Server Settings 3-54 Figure 3-34 Port Security 3-56 Figure 3-35 802.1X Information 3-59 Figure 3-36 802.1X Configuration 3-61 Figure 3-37 802.1X Port Configuration 3-62 Figure 3-38 802.1X Statistics 3-63 Figure 3-39 IP Filter 3-65 Figure 3-40 ACL Configuration 3-67 Figure 3-41 ACL Configuration - Standard IP 3-68

xxv

Figures

Figure 3-42 ACL Configuration - Extended IP 3-70 Figure 3-43 ACL Configuration - MAC 3-72 Figure 3-44 ACL Mask Configuration 3-73 Figure 3-45 ACL Mask Configuration - IP 3-75 Figure 3-46 ACL Mask Configuration - MAC 3-76 Figure 3-47 ACL Port Binding 3-78 Figure 3-48 Port - Port Information 3-79 Figure 3-49 Port - Port Configuration 3-82 Figure 3-50 Static Trunk Configuration 3-84 Figure 3-51 LACP Trunk Configuration 3-86 Figure 3-52 LACP - Aggregation Port 3-88 Figure 3-53 LACP - Port Counters Information 3-89 Figure 3-54 LACP - Port Internal Information 3-91 Figure 3-55 LACP - Port Neighbors Information 3-92 Figure 3-56 Port Broadcast Control 3-93 Figure 3-57 Mirror Port Configuration 3-95 Figure 3-58 Rate Limit Configuration 3-96 Figure 3-59 Port Statistics 3-100 Figure 3-60 Static Addresses 3-102 Figure 3-61 Dynamic Addresses 3-103 Figure 3-62 Address Aging 3-104 Figure 3-63 STA Information 3-107 Figure 3-64 STA Configuration 3-111 Figure 3-65 STA Port Information 3-114 Figure 3-66 STA Port Configuration 3-117 Figure 3-67 MSTP VLAN Configuration 3-118 Figure 3-68 MSTP Port Information 3-120 Figure 3-69 MSTP Port Configuration 3-122 Figure 3-70 Enabling GVRP 3-126 Figure 3-71 VLAN Basic Information 3-126 Figure 3-72 VLAN Current Table 3-127 Figure 3-73 VLAN Static List - Creating VLANs 3-129 Figure 3-74 VLAN Static Table - Adding Static Members 3-130 Figure 3-75 VLAN Static Membership 3-131 Figure 3-76 VLAN Port Configuration 3-133 Figure 3-77 Private VLAN Status 3-134 Figure 3-78 Private VLAN Link Status 3-135 Figure 3-79 Protocol VLAN Configuration 3-136 Figure 3-80 Protocol VLAN Port Configuration 3-137 Figure 3-81 Default Port Priority 3-139 Figure 3-82 Traffic Classes 3-141 Figure 3-83 Queue Mode 3-142 Figure 3-84 Queue Scheduling 3-143 Figure 3-85 IP Precedence/DSCP Priority Status 3-144 Figure 3-86 IP Precedence Priority 3-145

xxvi

Figures

Figure 3-87 IP DSCP Priority 3-147 Figure 3-88 IP Port Priority Status 3-148 Figure 3-89 IP Port Priority 3-148 Figure 3-90 ACL CoS Priority 3-150 Figure 3-91 ACL Marker 3-151 Figure 3-92 IGMP Configuration 3-155 Figure 3-93 Multicast Router Port Information 3-156 Figure 3-94 Static Multicast Router Port Configuration 3-157 Figure 3-95 IP Multicast Registration Table 3-158 Figure 3-96 IGMP Member Port Table 3-159 Figure 3-97 IGMP Interface Settings 3-162 Figure 3-98 IGMP Group Membership 3-163 Figure 3-99 DNS General Configuration 3-165 Figure 3-100 DNS Static Host Table 3-167 Figure 3-101 DNS Cache 3-168 Figure 3-102 DHCP Relay Configuration 3-170 Figure 3-103 DHCP Server General Configuration 3-172 Figure 3-104 DHCP Server Pool Configuration 3-174 Figure 3-105 DHCP Server Pool - Network Configuration 3-175 Figure 3-106 DHCP Server Pool - Host Configuration 3-176 Figure 3-107 DHCP Server - IP Binding 3-177 Figure 3-108 VRRP Group Configuration 3-182 Figure 3-109 VRRP Group Configuration Detail 3-183 Figure 3-110 VRRP Global Statistics 3-184 Figure 3-111 VRRP Group Statistics 3-186 Figure 3-112 HSRP Group Configuration 3-190 Figure 3-113 HSRP Group Configuration Detail 3-191 Figure 3-114 IP Global Settings 3-196 Figure 3-115 IP Routing Interface 3-198 Figure 3-116 ARP General 3-200 Figure 3-117 ARP Static Addresses 3-201 Figure 3-118 ARP Dynamic Addresses 3-202 Figure 3-119 ARP Other Addresses 3-203 Figure 3-120 ARP Statistics 3-204 Figure 3-121 IP Statistics 3-207 Figure 3-122 ICMP Statistics 3-208 Figure 3-123 UDP Statistics 3-209 Figure 3-124 TCP Statistics 3-210 Figure 3-125 IP Static Routes 3-211 Figure 3-126 IP Routing Table 3-212 Figure 3-127 RIP General Settings 3-215 Figure 3-128 RIP Network Addresses 3-216 Figure 3-129 RIP Interface Settings 3-219 Figure 3-130 RIP Statistics 3-221 Figure 3-131 OSPF General Configuration 3-226

xxvii

Figures

Figure 3-132 OSPF Area Configuration 3-229 Figure 3-133 OSPF Range Configuration 3-231 Figure 3-134 OSPF Interface Configuration 3-234 Figure 3-135 OSPF Interface Configuration - Detailed 3-235 Figure 3-136 OSPF Virtual Link Configuration 3-237 Figure 3-137 OSPF Network Area Address Configuration 3-239 Figure 3-138 OSPF Summary Address Configuration 3-241 Figure 3-139 OSPF Redistribute Configuration 3-243 Figure 3-140 OSPF NSSA Settings 3-244 Figure 3-141 OSPF Link State Database Information 3-246 Figure 3-142 OSPF Border Router Information 3-247 Figure 3-143 OSPF Neighbor Information 3-248 Figure 3-144 Multicast Routing General Settings 3-249 Figure 3-145 Multicast Routing Table 3-251 Figure 3-146 DVMRP General Settings 3-256 Figure 3-147 DVMRP Interface Settings 3-257 Figure 3-148 DVMRP Neighbor Information 3-258 Figure 3-149 DVMRP Routing Table 3-259 Figure 3-150 PIM-DM General Settings 3-261 Figure 3-151 PIM-DM Interface Settings 3-263 Figure 3-152 PIM-DM Interface Information 3-264 Figure 3-153 PIM-DM Neighbor Information 3-265

xxviii

Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.

Key Features

Table 1-1 Key Features

Feature Description

Configuration Backup and Restore

Authentication Console, Telnet, web – User name / password, RADIUS, TACACS+

Access Control Lists Supports up to 32 IP or MAC ACLs

DHCP Client, Relay and Server

DNS Server Supported

Port Configuration Speed, duplex mode and flow control

Rate Limiting Input and output rate limiting per port

Port Mirroring One or more ports mirrored to single analysis port

Port Trunking Supports up to 6 trunks using either static or dynamic trunking (LACP)

Broadcast Storm Control

Address Table Up to 16K MAC addresses in the forwarding table, 1024 static MAC addresses;

IEEE 802.1D Bridge Supports dynamic data switching and addresses learning

Store-and-Forward Switching

Spanning Tree Protocol

Virtual LANs Up to 255 using IEEE 802.1Q, port-based, protocol-based, or private VLANs

Traffic Prioritization Default port priority, traffic class map, queue scheduling, IP Precedence, or

Backup to TFTP server

Web – HTTPS; Telnet – SSH SNMP v1/2c - Community strings SNMP version 3 – MD5 or SHA password Port – IEEE 802.1x, MAC address filtering

Supported

Up to 4K IP entries in ARP cache, 2045 IP entries in routing table, 128 static IP routes

Supported to ensure wire-speed switching while eliminating bad frames

Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)

Differentiated Services Code Point (DSCP), and TCP/UDP Port

1-1

Introduction

Table 1-1 Key Features (Continued)

Feature Description

Router Redundancy Router backup is provided with the Virtual Router Redundancy Protocol (VRRP)

IP Routing Routing Information Protocol (RIP), Open Shortest Path First (OSPF), static routes

ARP Static and dynamic address configuration, proxy ARP

Multicast Filtering Supports IGMP snooping and query for Layer 2, and IGMP for Layer 3

Multicast Routing Supports DVMRP and PIM-DM

and the Hot Standby Router Protocol (HSRP)

Description of Software Features

The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Untagged (port-based), tagged, and protocol-based VLANs, plus support for automatic GVRP VLAN registration provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network. While multicast filtering and routing provides support for real-time network applications. Some of the management features are briefly described below.

Configuration Backup and Restore – You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings.

Authentication – This switch authenticates management access via the console port, Telnet or web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1x protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1x client, and then uses the EAP between the switch and the authentication server to verify the client’s right to access the network via an authentication server (i.e., RADIUS server).

Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, IP address filtering for SNMP/web/Telnet management access, and MAC address filtering for port access.

Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can by used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.

1-2

Description of Software Features

DHCP Server and DHCP Relay – A DHCP server is provided to assign IP addresses to host devices. Since DHCP uses a broadcast mechanism, a DHCP server and its client must physically reside on the same subnet. Since it is not practical to have a DHCP server on every subnet, DHCP Relay is also supported to allow dynamic configuration of local clients from a DHCP server located in a different network.

Port Configuration – You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard.

Rate Limiting – This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.

Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.

Port Trunking – Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using IEEE 802.3ad Link Aggregation Control Protocol (LACP). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 6 trunks.

Broadcast Storm Control – Broadcast suppression prevents broadcast traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.

Static Addresses – A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.

IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses.

Store-and-Forward Switching – The switch copies each frame into its memory before forwarding them to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth.

1-3

Introduction

To avoid dropping frames on congested ports, the switch provides 1 MB for frame buffering. This buffer can queue packets awaiting transmission on congested networks.

Spanning Tree Protocol – The switch supports these spanning tree protocols:

Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol adds a level of fault tolerance by allowing two or more redundant connections to be created between a pair of LAN segments. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.

Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.

Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).

Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically learned via GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can:

• Eliminate broadcast storms which severely degrade performance in a flat network.

• Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection.

• Provide data security by restricting all traffic to the originating VLAN, except where a connection is explicitly defined via the switch’s routing service.

• Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.

• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.

Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using eight priority queues with strict or Weighted Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can independent priorities for delay-sensitive data and best-effort data.

be used to provide

1-4

Description of Software Features

This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the priority bits in the IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.

IP Routing – The switch provides Layer 3 IP routing. To maintain a high rate of throughput, the switch forwards all traffic passing within the same segment, and routes only traffic that passes between different subnetworks. The wire-speed routing provided by this switch lets you easily link network segments or VLANs together without having to deal with the bottlenecks or configuration hassles normally associated with conventional routers.

Routing for unicast traffic is supported with the Routing Information Protocol (RIP) and the Open Shortest Path First (OSPF) protocol.

RIP – This protocol uses a distance-vector approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost.

OSPF – This approach uses a link state routing protocol to generate a shortest-path tree, then builds up its routing table based on this tree. OSPF produces a more stable network because the participating routers act on network changes predictably and simultaneously, converging on the best route more quickly than RIP.

Router Redundancy – Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) both use a virtual IP address to support a primary router and multiple backup routers. The backups can be configured to take over the workload if the master fails or to load share the traffic. The primary goal of these protocols is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.

Address Resolution Protocol – The switch uses ARP and Proxy ARP to convert between IP addresses and MAC (i.e., hardware) addresses. This switch supports conventional ARP, which locates the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next. You can configure either static or dynamic entries in the ARP cache.

Proxy ARP allows hosts that do not support routing to determine the MAC address of a device on another network or subnet. When a host sends an ARP request for a remote network, the switch checks to see if it has the best route. If it does, it sends its own MAC address to the host. The host then sends traffic for the remote destination via the switch, which uses its own routing table to reach the destination on the other network.

Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query at Layer 2 and IGMP at Layer 3 to manage multicast group registration.

1-5

Introduction

Multicast Routing – Routing for multicast packets is supported by the Distance Vector Multicast Routing Protocol (DVMRP) and Protocol-Independent Multicasting Dense Mode (PIM-DM). These protocols work in conjunction with IGMP to filter and route multicast traffic. DVMRP is a more comprehensive implementation that maintains its own routing table, but is gradually being replacing by most network managers with PIM, Dense Mode and Sparse Mode. PIM is a very simple protocol that uses the routing table of the unicast routing protocol enabled on an interface. Dense Mode is designed for areas where the probability of multicast clients is relatively high, and the overhead of frequent flooding is justified. While Sparse mode is designed for network areas, such as the Wide Area Network, where the probability of multicast clients is low. This switch currently supports DVMRP and PIM-DM.

System Defaults

The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-23).

The following table lists some of the basic system defaults.

Table 1-2 System Defaults

Function Parameter Default

Console Port Connection

Authentication Privileged Exec Level Username “admin”

Baud Rate auto

Data bits 8

Stop bits 1

Parity none

Local Console Timeout 0 (disabled)

Password “admin”

Normal Exec Level Username “guest”

Enable Privileged Exec from Normal Exec Level

RADIUS Authentication Disabled

TACACS Authentication Disabled

802.1x Port Authentication Disabled

HTTPS Enabled

SSH Disabled

Port Security Disabled

IP Filtering Disabled

Password “guest”

Password “super”

1-6

Table 1-2 System Defaults (Continued)

Function Parameter Default

Web Management HTTP Server Enabled

HTTP Port Number 80

HTTP Secure Server Enabled

HTTP Secure Port Number 443

SNMP Community Strings “public” (read only)

Traps Authentication traps: enabled

SNMP V3 View: defaultview

Port Configuration Admin Status Enabled

Auto-negotiation Enabled

Flow Control Disabled

Port Capability 1000BASE-T –

SFP/Module Port Capability 1000BASE-SX/LX/LH –

Rate Limiting Input and output limits Disabled

Port Trunking Static Trunks None

LACP (all ports) Disabled

Broadcast Storm Protection

Status Enabled (all ports)

Broadcast Limit Rate 500 packets per second

“private” (read/write)

Link-up-down events: enabled

Group: public (read only), private (read/write)

10 Mbps half duplex 10 Mbps full duplex 100 Mbps half duplex 100 Mbps full duplex 1000 Mbps full duplex Full-duplex flow control disabled Symmetric flow control disabled

1000 Mbps full duplex Full-duplex flow control disabled Symmetric flow control disabled

100BASE-FX – 100 Mbps full duplex Full-duplex flow control disabled Symmetric flow control disabled

System Defaults

1-7

Introduction

Table 1-2 System Defaults (Continued)

Function Parameter Default

Spanning Tree Protocol

Address Table Aging Time 300 seconds

Virtual LANs Default VLAN 1

Traffic Prioritization Ingress Port Priority 0

IP Settings Management. VLAN Any VLAN configured with an IP address

Unicast Routing RIP Disabled

Status Enabled, MSTP

(Defaults: All values based on IEEE 802.1s)

Fast Forwarding (Edge Port) Disabled

PVID 1

Acceptable Frame Type All

Ingress Filtering Disabled

Switchport Mode (Egress Mode) Hybrid: tagged/untagged frames

GVRP (global) Disabled

GVRP (port interface) Disabled

Weighted Round Robin Queue: 0 1 2 3 4 5 6 7

Weight: 1 2 4 6 8 10 12 14

IP Precedence Priority Disabled

IP DSCP Priority Disabled

IP Port Priority Disabled

IP Address 0.0.0.0

Subnet Mask 255.0.0.0

Default Gateway 0.0.0.0

DHCP Client: Enabled

Relay: Disabled Server: Disabled

DNS Server: Disabled

BOOTP Disabled

ARP Enabled

Cache Timeout: 20 minutes Proxy: Disabled

OSPF Disabled

1-8

Table 1-2 System Defaults (Continued)

Function Parameter Default

Router Redundancy HSRP Disabled

VRRP Disabled

Multicast Filtering IGMP Snooping (Layer 2) Snooping: Enabled

Querier: Disabled

IGMP (Layer 3) Disabled

Multicast Routing DVMRP Disabled

PIM-DM Disabled

System Log Status Enabled

Messages Logged Levels 0-7 (all)

Messages Logged to Flash Levels 0-3

SMTP Email Alerts Event Handler Disabled

SNTP Clock Synchronization Disabled

System Defaults

1-9

Introduction

1-10

Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

Note: The IP address for this switch is obtained via DHCP by default. To change this

address, see “Setting an IP Address” on page 2-4.

The switch’s HTTP web agent allows you to configure switch parameters, monitor port connections, and display statistics using a standard web browser such as Netscape Navigator version 6.2 and higher or Microsoft IE version 5.0 and higher. The switch’s web management interface can be accessed from any computer attached to the network.

The CLI program can be accessed by a direct connection to the RS-232 serial console port on the switch, or remotely by a Telnet connection over the network.

The switch’s management agent also supports SNMP (Simple Network Management Protocol). This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP OpenView.

The switch’s web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions:

• Set user names and passwords

• Set an IP interface for any VLAN

• Configure SNMP parameters

• Enable/disable any port

• Set the speed/duplex mode for any port

• Configure the bandwidth of any port by limiting input or output rates

• Control port access through IEEE 802.1x security or static address filtering

• Filter packets using Access Control Lists (ACLs)

• Configure up to 255 IEEE 802.1Q VLANs

• Enable GVRP automatic VLAN registration

• Configure IP routing for unicast or multicast traffic

• Configure router redundancy

• Configure IGMP multicast filtering

• Upload and download system firmware via TFTP

• Upload and download switch configuration files via TFTP

2-1

Initial Configuration

• Configure Spanning Tree parameters

• Configure Class of Service (CoS) priority queuing

• Configure up to 6 static or LACP trunks

• Enable port mirroring

• Set broadcast storm control on any port

• Display system information and statistics

Required Connections

The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch.

Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.

To connect a terminal to the console port, complete the following steps:

1. Connect the console cable to the serial port on a terminal, or a PC running

terminal emulation software, and tighten the captive retaining screws on the DB-9 connector.

2. Connect the other end of the cable to the RS-232 serial port on the switch.

3. Make sure the terminal emulation software is set as follows:

• Select the appropriate serial port (COM port 1 or COM port 2).

• Set to any of the following baud rates: 9600, 19200, 38400, 57600, 115200 (Note: Set to 9600 baud if want to view all the system initialization messages.).

• Set the data format to 8 data bits, 1 stop bit, and no parity.

• Set flow control to none.

• Set the emulation mode to VT100.

• When using HyperTerminal, select Terminal keys, not Windows keys.

Notes: 1. When using HyperTerminal with Microsoft® Windows® 2000, make sure that

For a description of how to use the CLI, see “Using the Command Line Interface” on page 4-1. For a list of all the CLI commands and detailed information on using the CLI, refer to “Command Groups” on page 4-10.

you have Windows 2000 Service Pack 2 or later installed. Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal’s VT100 emulation. See www.microsoft.com for information on Windows 2000 service packs.

2. Refer to “Line Commands” on page 4-11 for a complete description of console configuration options.

3. Once you have set up the terminal correctly, the console login screen will be displayed.

2-2

Basic Configuration

Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol.

The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4.

Notes: 1. This switch supports four concurrent Telnet/SSH sessions.

2. Each VLAN group can be assigned its own IP interface address (page 2-4).

You can manage the switch via any of these addresses.

After configuring the switch’s IP parameters, you can access the onboard configuration program from anywhere within the attached network. The onboard configuration program can be accessed using Telnet from any computer attached to the network. The switch can also be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above), or from a network computer using SNMP network management software.

Note: The onboard program only provides access to basic configuration functions. To

access the full range of SNMP management functions, you must use SNMP-based network management software.

Basic Configuration

Console Connection

The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities. To fully configure the switch parameters, you must access the CLI at the Privileged Exec level.

Access to both CLI levels are controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps:

1. To initiate your console connection, press <Enter>. The “User Access Verification” procedure starts.

2. At the Username prompt, enter “admin.”

3. At the Password prompt, also enter “admin.” (The password characters are not displayed on the console screen.)

4. The session is opened and the CLI displays the “Console#” prompt indicating you have access at the Privileged Exec level.

2-3

Initial Configuration

Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new

passwords for both default user names using the “username” command, record them and put them in a safe place.

Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.

2. Type “configure” and press <Enter>.

3. Type “username guest password 0 password,” for the Normal Exec level, where password is your new password. Press <Enter>.

4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.

Username: admin Password:

CLI session with the switch is opened. To end the CLI session, enter [Exit].

Console#configure Console(config)#username guest password 0 [password] Console(config)#username admin password 0 [password] Console(config)#

Setting an IP Address

You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:

Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.

Dynamic — The switch sends IP configuration requests to BOOTP or DHCP address allocation servers on the network.

Manual Configuration

You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment (if routing is not enabled on this switch). Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.

Note: The IP address for this switch is obtained via DHCP by default.

2-4

Basic Configuration

Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:

• IP address for the switch

• Default gateway for the network

• Network mask for this network

To assign an IP address to the switch, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.

2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask” is the network mask for the network. Press <Enter>.

3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.

4. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press <Enter>.

Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.5 255.255.255.0 Console(config-if)#exit Console(config)#ip default-gateway 192.168.1.254 Console(config)#

Dynamic Configuration

If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until a BOOTP or DHCP reply has been received. You therefore need to use the “ip dhcp restart client” command to start broadcasting service requests. Requests will be sent periodically in an effort to obtain IP configuration information. (BOOTP and DHCP values can include the IP address, subnet mask, and default gateway.)

If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on.

To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:

1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.

2. At the interface-configuration mode prompt, use one of the following commands:

• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.

• To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.

3. Type “end” to return to the Privileged Exec mode. Press <Enter>.

4. Type “ip dhcp restart client” to begin broadcasting service requests. Press <Enter>.

2-5

Initial Configuration

5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.

6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.

Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end Console#ip dhcp restart client Console#show ip interface IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: User specified. Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.

\Write to FLASH finish. Success.

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as HP OpenView. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps.

When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred.

The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients. To provide management access for version 1 or 2c clients, you must specify a community string. The switch provides a default MIB View (i.e., an SNMPv3 construct) for the default “public” community string that provides read access to the entire MIB tree, and a default view for the “private” community string that provides read/write access to the entire MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see page 3-43).

Community Strings (for SNMP version 1 and 2c clients)

Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.

2-6

Basic Configuration

The default strings are:

• public - with read-only access. Authorized management stations are only able to retrieve MIB objects.

• private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.

To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.

To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type

“snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)

2. To remove an existing string, simply type “no snmp-server community string,”

where “string” is the community access string to remove. Press <Enter>.

Console(config)#snmp-server community admin rw Console(config)#snmp-server community private Console(config)#

Note: If you do not intend to support access to SNMP version 1 and 2c clients, we

recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.

Trap Receivers

You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type:

“snmp-server host host-address community-string

[version {1 | 2c | 3 {auth | noauth | priv}}]”

where “host-address” is the IP address for the trap receiver, “community-string” specifies access rights for a version 1/2c host, or is the user name of a version 3 host, “version” indicates the SNMP client version, and “auth | noauth | priv” means that authentication, no authentication, or authentication and privacy is used for v3 clients. Then press <Enter>. For a more detailed description of these parameters, see “snmp-server host” on page 4-117. The following example creates a trap host for each type of SNMP client.

Console(config)#snmp-server host 10.1.19.23 batman Console(config)#snmp-server host 10.1.19.98 robin version 2c Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth

Console(config)#

2-7

Initial Configuration

Configuring Access for SNMP Version 3 Clients

To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/ write views to a group call “r&d” and specifies group authentication via MD5 or SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption.

Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included Console(config)#snmp-server group r&d v3 auth mib-2 802.1d Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace

priv des56 einstien

Console(config)#

For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “Simple Network Management Protocol” on page 3-35, or refer to the specific CLI commands for SNMP starting on page 4-113.

Saving Configuration Settings

Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the “copy” command.

To save the current configuration settings, enter the following command:

1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>.

2. Enter the name of the start-up file. Press <Enter>.

Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.

\Write to FLASH finish. Success.

Console#

2-8

Managing System Files

The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.

The three types of files are:

• Configuration — This file stores system configuration information and is created when configuration settings are saved. Saved configuration files can be selected as a system start-up file or can be uploaded via TFTP to a server for backup. A file named “Factory_Default_Config.cfg” contains all the system default settings and cannot be deleted from the system. See “Saving or Restoring Configuration Settings” on page 3-22 for more information.

• Operation Code — System software that is executed after boot-up, also known as run-time code. This code runs the switch operations and provides the CLI and web management interfaces. See “Managing Firmware” on page 3-19 for more information.

• Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test).

Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows.

In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.

Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.

2-9

Initial Configuration

2-10

Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).

Note: You can also use the Command Line Interface (CLI) to manage the switch over a

serial connection to the console port or via Telnet. For more information on using the CLI, refer to Chapter 4: “Command Line Interface.”

Prior to accessing the switch from a web browser, be sure you have first performed the following tasks:

1. Configure the switch with a valid IP address, subnet mask, and default gateway

using an out-of-band serial connection, BOOTP or DHCP protocol. (See “Setting an IP Address” on page 2-4.)

2. Set user names and passwords using an out-of-band serial connection. Access

to the web agent is controlled by the same user names and passwords as the onboard configuration program. (See “Setting Passwords” on page 2-4.)

3. After you enter a user name and password, you will have access to the system

configuration program.

Notes: 1. You are allowed three attempts to enter the correct password; on the third

failed attempt the current connection is terminated.

2. If you log into the web interface as guest (Normal Exec level), you can view

the configuration settings or change the guest password. If you log in as “admin” (Privileged Exec level), you can change the settings on any page.

3. If the path between your management station and this switch does not pass

through any device that uses the Spanning Tree Algorithm, then you can set the switch port attached to your management station to fast forwarding (i.e., enable Admin Edge Port) to improve the switch’s response time to management commands issued through the web interface. See “Configuring Interface Settings” on page 3-115.

3-1

Configuring the Switch

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”

Home Page

When your web browser connects with the switch’s web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics.

3-2

Figure 3-1 Home Page

Navigating the Web Browser Interface

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3-1 Web Page Configuration Buttons

Button Action

Revert Cancels specified values and restores current values prior to

Refresh Immediately updates values for the current page.

Apply Sets specified values to the system.

Help Links directly to web help.

pressing “Apply” or “Apply Changes.”

Notes: 1.

To ensure proper screen refresh, be sure that Internet Explorer 5.x is configured as follows: Under the menu “Tools / Internet Options / General / Temporary Internet Files / Settings,” the setting for item “Check for newer versions of stored pages” should be “Every visit to the page.”

2. When using Internet Explorer 5.0, you may have to manually refresh the

screen after making configuration changes by pressing the browser’s refresh button.

Panel Display

The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-81.

Figure 3-2 Front Panel Indicators

3-3

Configuring the Switch

Main Menu

Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.

Table 3-2 Switch Main Menu

Menu Description Page

System 3-11

System Information Provides basic system description, including contact information 3-11

Switch Information Shows the number of ports, hardware/firmware version

Bridge Extension Shows the bridge extension parameters 3-14

File Management 3-19

Copy Operation Allows the transfer and copying files 3-19

Delete Allows deletion of files from the flash memory 3-19

Set Startup Sets the startup file 3-19

Line 3-24

Console Sets console port connection parameters 3-24

Telnet Sets Telnet connection parameters 3-26

Log 3-28

Logs Sends error messages to a logging process 3-28

System Logs Stores and displays error messages 3-32

Remote Logs Configures the logging of messages to a remote logging process 3-30

Reset Restarts the switch 3-32

SNTP 3-33

Configuration Configures SNTP client settings, including broadcast mode or a

Clock Time Zone Sets the local time zone for the system clock 3-34

SNMP 3-35

Configuration Configures community strings and related trap functions 3-36

Agent Status Enables or disables SNMP 3-36

SNMPv3 3-38

Engine ID Sets the SNMP v3 engine ID 3-38

Users Configures SNMP v3 users 3-39

Groups Configures SNMP v3 groups 3-41

Views Configures SNMP v3 views 3-43

numbers, and power status

specified list of servers

3-12

3-33

3-4

Navigating the Web Browser Interface

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

Security 3-36

User Accounts Configures user names, passwords, and access levels 3-44

Authentication Settings Configures authentication sequence, RADIUS and TACACS 3-46

HTTPS Settings Configures secure HTTP settings 3-48

SSH 3-50

Settings Configures Secure Shell server settings 3-54

Host-Key Settings Generates the host key pair (public and private) 3-52

Port Security Configures per port security, including status, response for

802.1x Port authentication 3-57

Information Displays global configuration settings 3-58

Configuration Configures protocol parameters 3-60

Port Configuration Sets the authentication mode for individual ports 3-61

Statistics Displays protocol statistics for the selected port 3-62

ACL 3-66

Configuration Configures packet filtering based on IP or MAC addresses 3-66

Mask Configuration Controls the order in which ACL rules are checked 3-73

Port Binding Binds a port to the specified ACL 3-77

IP Filter Configures IP addresses that are allowed management access 3-64

Port 3-78

Port Information Displays port connection status 3-78

Trunk Information Displays trunk connection status 3-78

Port Configuration Configures port connection settings 3-81

Trunk Configuration Configures trunk connection settings 3-81

Trunk Membership Specifies ports to group into static trunks 3-84

LACP 3-83

Configuration Allows ports to dynamically join trunks 3-85

Aggregation Port Configures parameters for link aggregation group members 3-87

Port Counters Displays statistics for LACP protocol messages 3-89

Port Internal Information Displays settings and operational state for the local side 3-90

Port Neighbors Information Displays settings and operational state for the remote side 3-92

Port Broadcast Control Sets the broadcast storm threshold for each port 3-93

Mirror Port Configuration Sets the source and target ports for mirroring 3-95

security breach, and maximum allowed MAC addresses

3-55

3-5

Configuring the Switch

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

Rate Limit 3-96

Input Port Configuration Sets the input rate limit for each port 3-96

Input Trunk Configuration Sets the input rate limit for each trunk 3-96

Output Port Configuration Sets the output rate limit for each port 3-96

Output Trunk Configuration Sets the output rate limit for each trunk 3-96

Port Statistics Lists Ethernet and RMON port statistics 3-97

Address Table 3-101

Static Addresses Displays entries for interface, address or VLAN 3-101

Dynamic Addresses Displays or edits static entries in the Address Table 3-102

Address Aging Sets timeout for dynamically learned entries 3-104

Spanning Tree 3-104

STA

Information Displays STA values used for the bridge 3-105

Configuration Configures global bridge settings for STA, RSTP and MSTP 3-108

Port Information Displays individual port settings for STA 3-112

Trunk Information Displays individual trunk settings for STA 3-112

Port Configuration Configures individual port settings for STA 3-115

Trunk Configuration Configures individual trunk settings for STA 3-115

MSTP

VLAN Configuration Configures priority and VLANs for a spanning tree instance 3-117

Port Information Displays port settings for a specified MST instance 3-120

Trunk Information Displays trunk settings for a specified MST instance 3-120

Port Configuration Configures port settings for a specified MST instance 3-121

Trunk Configuration Configures trunk settings for a specified MST instance 3-121

VLAN 3-123

802.1Q VLAN

GVRP Status Enables GVRP VLAN registration protocol 3-126

Basic Information Displays information on the VLAN type supported by this switch 3-126

Current Table Shows the current port members of each VLAN and whether or

Static List Used to create or remove VLAN groups 3-128

Static Table Modifies the settings for an existing VLAN 3-129

not the port is tagged or untagged

3-127

3-6

Navigating the Web Browser Interface

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

Static Membership Configures membership type for interfaces, including tagged,

Port Configuration Specifies default PVID and VLAN attributes 3-132

Trunk Configuration Specifies default trunk VID and VLAN attributes 3-132

Private VLAN

Status Enables or disables the private VLAN 3-134

Link Status Configures the private VLAN 3-135

Protocol VLAN

Configuration Creates a protocol group, specifying the supported protocols 3-136

Port Configuration Maps a protocol group to a VLAN 3-136

Priority 3-138

Default Port Priority Sets the default priority for each port 3-138

Default Trunk Priority Sets the default priority for each trunk 3-138

Traffic Classes Maps IEEE 802.1p priority tags to output queues 3-140

Traffic Classes Status Enables/disables traffic class priorities (not implemented) NA

Queue Mode Sets queue mode to strict priority or Weighted Round-Robin 3-142

Queue Scheduling Configures Weighted Round Robin queueing 3-142

IP Precedence/ DSCP Priority Status

IP Precedence Priority Sets IP Type of Service priority, mapping the precedence tag to

IP DSCP Priority Sets IP Differentiated Services Code Point priority, mapping a

IP Port Priority Status Globally enables or disables IP Port Priority 3-148

IP Port Priority Sets TCP/UDP port priority, defining the socket number and

ACL CoS Priority Sets the CoS value and corresponding output queue for packets

ACL Marker Change traffic priorities for frames matching an ACL rule 3-150

IGMP Snooping 3-152

IGMP Configuration Enables multicast filtering; configures parameters for multicast

Multicast Router Port Information

Static Multicast Router Port Configuration

untagged or forbidden

Globally selects IP Precedence or DSCP Priority, or disables both.

a class-of-service value

DSCP tag to a class-of-service value

associated class-of-service value

matching an ACL rule

query

Displays the ports that are attached to a neighboring multicast router for each VLAN ID

Assigns ports that are attached to a neighboring multicast router 3-157

3-131

3-144

3-145

3-146

3-148

3-149

3-154

3-156

3-7

Configuring the Switch

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

IP Multicast Registration Table

IGMP Member Port Table Indicates multicast addresses associated with the selected

DNS 3-164

General Configuration Enables DNS; configures domain name and domain list; and

Static Host Table Configures static entries for domain name to address mapping 3-166

Cache Displays cache entries discovered by designated name servers 3-168

DHCP 3-169

Relay Configuration Specifies DHCP relay servers; enables or disables relay service 3-169

Server Configures DHCP server parameters 3-169

General Enables DHCP server; configures excluded address range 3-171

Pool Configuration Configures address pools for network groups or a specific host 3-173

IP Binding Displays addresses currently bound to DHCP clients 3-177

IP 3-193

General 3-196

Global Settings Enables or disables routing, specifies the default gateway 3-196

Routing Interface Configures the IP interface for the specified VLAN 3-197

ARP 3-199

General Sets the pro tocol timeout, and enables or disables proxy ARP for

Static Addresses Statically maps a physical address to an IP address 3-201

Dynamic Addresses Shows dynamically learned entries in the IP routing table 3-202

Other Addresses Shows internal addresses used by the switch 3-203

Statistics Shows statistics on ARP requests sent and received 3-204

IGMP 3-159

Interface Settings Configures Layer 3 IGMP for specific VLAN interfaces 3-160

Group Membership Displays the current multicast groups learned via IGMP 3-163

Statistics 3-205

IP Shows statistics for IP traffic, including the amount of traffic,

ICMP Shows statistics for ICMP traffic, including the amount of traffic,

Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID

VLAN

specifies IP address of name servers for dynamic lookup

the specified VLAN

address errors, routing, fragmentation and reassembly

protocol errors, and the number of echoes, timestamps, and address masks

3-158

3-159

3-164

3-200

3-205

3-207

3-8

Navigating the Web Browser Interface

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

UDP Shows statistics for UDP, including the amount of traffic and

TCP Shows s tatistics for TCP, i ncluding the amount of traffic and TCP

Routing 3-194

Static Routes Configures and display static routing entries 3-211

Routing Table Shows all routing entries, including local, static and dynamic

Multicast Routing 3-249

General Settings Globally enables multicast routing 3-249

Multicast Routing Table Shows each multicast route this switch has learned 3-250

VRRP 3-179

Group Configuration Configures VRRP groups, including virtual interface address,

Global Statistics Displays global statistics for VRRP protocol packet errors 3-184

Group Statistics Displays statistics for VRRP protocol events and errors on the

HSRP 3-186

Group Configuration Configures HSRP groups, including virtual interface address,

Routing Protocol 3-195

RIP 3-213

General Settings Enables or disables RIP, sets the global RIP version and timer

Network Addresses Configures the network interfaces that will use RIP 3-216

Interface Settings Configures RIP parameters for each interface, including send

Statistics Displays general information on update time, route changes and

OSPF 3-223

General Configuration Enables or disables OSPF; also configures the Router ID and

Area Configuration Specifies rules for importing routes into each area 3-227

Area Range Configuration Configures route summaries to advertise at an area boundary 3-230

errors

connection activity

routes

advertisement interval, preemption, priority, and authentication

specified VRRP group and interface

advertisement interval, preemption, priority, authentication, and interface tracking

values

and receive versions, message loopback prevention, and authentication

number of queries, as well as a list of statistics for known interfaces and neighbors

various other global settings

3-209

3-210

3-212

3-179

3-185

3-186

3-214

3-217

3-220

3-224

3-9

Configuring the Switch

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

Interface Configuration Shows area ID and designated router; also configures OSPF

Virtual Link Configuration Configures a virtual link through a transit area to the backbone 3-236

Network Area Address Configuration

Summary Address Configuration

Redistribute Configuration Redistributes routes from one routing domain to another 3-242

NSSA Settings Configures settings for importing routes into or exporting routes

Link State Database Information

Border Router Information Displays routing table entries for area border routers and

Neighbor Information Displays information about neighboring routers on each

DVMRP 3-253

General Settings Configure global settings for prune and graft messages, and the

Interface Settings Enables/disables DVMRP per interface and sets the route metric 3-256

Neighbor Information Displays neighboring DVMRP routers 3-258

Routing Table Displays DVMRP routing information 3-259

PIM-DM

General Settings Enables or disables PIM-DM globally for the switch 3-260

Interface Settings Enables or disables PIM-DM per interface, configures protocol

Interface Information Displays summary information for each interface 3-264

Neighbor Information Displays neighboring PIM-DM routers 3-264

protocol settings and authentication for each interface

Defines OSPF areas and associated interfaces 3-238

Aggregates routes learned from other protocols for advertising into other autonomous systems

out of not-so-stubby areas

Shows information about different OSPF Link State Advertisements (LSAs) stored in this router’s database

autonomous system boundary routers

interface within an OSPF area

exchange of routing information

settings for hello, prune and graft messages

3-232

3-241

3-243

3-245

3-247

3-248

3-253

3-261

3-10

Basic Configuration

Displaying System Information

You can easily identify the system by displaying the device name, location and contact information.

Field Attributes

• System Name – Name assigned to the switch system.

• Object ID – MIB II object ID for switch’s network management subsystem.

• Location – Specifies the system location.

• Contact – Administrator responsible for the system.

• System Up Time – Length of time the management agent has been up.

These additional parameters are displayed for the CLI.

• MAC Address – The physical layer address for this switch.

• Web server – Shows if management access via HTTP is enabled.

• Web server port – Shows the TCP port number used by the web interface.

• Web secure server – Shows if management access via HTTPS is enabled.

• Web secure server port – Shows the TCP port used by the HTTPS interface.

• Telnet server – Shows if management access via Telnet is enabled.

• Telnet server port – Shows the TCP port used by the Telnet interface.

• Jumbo Frame – Shows if jumbo frames are enabled.

• POST result – Shows results of the power-on self-test

Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.)

Figure 3-3 System Information

3-11

Configuring the Switch

CLI – Specify the hostname, location and contact information.

Console(config)#hostname R&D 5 4-26 Console(config)#snmp-server location WC 9 4-116 Console(config)#snmp-server contact Ted 4-115 Console(config)#exit Console#show system 4-61 System description: 8 SFP ports + 4 Gigabit Combo ports L2/L3/L4 managed

System OID string: 1.3.6.1.4.1.259.6.10.57 System information System Up time: 0 days, 2 hours, 4 minutes, and 7.13 seconds System Name : R&D 5 System Location : WC 9 System Contact : Ted MAC address : 00-30-f1-47-58-3a Web server : enable Web server port : 80 Web secure server : enable Web secure server port : 443 Telnet server : enable Telnet server port : 23 Jumbo Frame : Disabled POST result

DUMMY Test 1.................PASS

UART LOOP BACK Test..........PASS

DRAM Test....................PASS

Timer Test...................PASS

PCI Device 1 Test............PASS

PCI Device 2 Test............PASS

I2C bus Initialization.......PASS

RTC Initialization...........PASS

Switch Int Loopback test.....PASS

Done All Pass. Console#

standalone switch

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.

Field Attributes

Main Board

• Serial Number – The serial number of the switch.

• Number of Ports – Number of built-in ports.

• Hardware Version – Hardware version of the main board.

• Internal Power Status – Displays the status of the internal power supply.

Management Software

• Loader Version – Version number of loader code.

• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.

• Operation Code Version – Version number of runtime code.

• Role – Shows that this switch is operating as Master (i.e., operating stand-alone).

3-12

Basic Configuration

These additional parameters are displayed for the CLI.

• Unit ID – Unit number in stack.

• Redundant Power Status – Displays the status of the redundant power supply.

Web – Click System, Switch Information.

Figure 3-4 Switch Information

CLI – Use the following command to display version information.

Console#show version 4-62 Unit1 Serial number : A322043872 Hardware version : R01 Number of ports :12 Main power status :up Redundant power status :down

Agent (master) Unit ID : 1 Loader version : 2.1.0.0 Boot ROM version : 2.0.2.1 Operation code version : 1.0.2.5

Console#

3-13

Configuring the Switch

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.

Field Attributes

• Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).

• Traffic Classes – This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Class of Service Configuration” on page 3-138.)

• Static Entry Individual Port – This switch allows static filtering for unicast and multicast addresses. (Refer to “Setting Static Addresses” on page 3-101.)

• VLAN Learning – This switch uses Independent VLAN Learning (IVL), where each port maintains its own filtering database.

• Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration” on page 3-123.)

• Local VLAN Capable – This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs.

• GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast groups. This switch does not support GMRP; it uses the Internet Group Management Protocol (IGMP) to provide automatic multicast filtering.

Web – Click System, Bridge Extension.

Figure 3-5 Bridge Extension Configuration

3-14

Basic Configuration

CLI – Enter the following command.

Console#show bridge-ext 4-204 Max support vlan numbers: 255 Max support vlan ID: 4094 Extended multicast filtering services: No Static entry individual port: Yes VLAN learning: IVL Configurable PVID tagging: Yes Local VLAN capable: Yes Traffic classes: Enabled Global GVRP status: Disabled GMRP: Disabled Console#

Setting the Switch’s IP Address

This section describes how to configure an initial IP interface for management access over the network. The IP address for this switch is obtained via DHCP by default. To manually configure an address, you need to change the switch’s default settings to values that are compatible with your network. You may also need to a establish a default gateway between the switch and management stations that exist on another network segment (if routing is not enabled on this switch).

You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.

Command Usage

• This section describes how to configure a single local interface for initial access to

the switch. To configure multiple IP interfaces on this switch, you must set up an IP interface for each VLAN (page 3-197).

• To enable routing between the different interfaces on this switch, you must enable

IP routing (page 3-196).

• To enable routing between the interfaces defined on this switch and external

network interfaces, you must configure static routes (page 3-211) or use dynamic routing; i.e., either RIP (page 3-213) or OSPF (page 3-223).

• The precedence for configuring IP interfaces is the IP / General / Routing Interface

menu (page 3-197), static routes (page 3-211), and then dynamic routing.

3-15

Configuring the Switch

Command Attributes

•VLAN – ID of the configured VLAN (1-4094, no leading zeroes). By default, all

ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.

• IP Address Mode – Specifies whether IP functionality is enabled via manual configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. (DHCP/BOOTP values can include the IP address, subnet mask, and default gateway.)

• IP Address – Address of the VLAN to which the management station is attached. (Note you can manage the switch through configured IP interface.) Valid IP addresses consist of four numbers, 0 to 255, separated by periods. (Default: 0.0.0.0)

• Subnet Mask – This mask identifies the host address bits used for routing to specific subnets. (Default: 255.0.0.0)

• Default Gateway – IP address of the gateway router between this device and management stations that exist on other network segments. (Default: 0.0.0.0)

Manual Configuration

Web – Click IP, General, Routing Interface. Select the VLAN through which the

management station is attached, set the IP Address Mode to “Static,” and specify a “Primary” interface. Enter the IP address, subnet mask and gateway, then click Apply.

3-16

Figure 3-6 IP Interface Configuration - Manual

Basic Configuration

Click IP, Global Setting. If this switch and management stations exist on other network segments, then specify the default gateway, and click Apply.

Figure 3-7 Default Gateway

CLI – Specify the management interface, IP address and default gateway.

Console#config Console(config)#interface vlan 1 4-149 Console(config-if)#ip address 10.1.0.253 255.255.255.0 4-236 Console(config-if)#exit Console(config)#ip default-gateway 10.1.0.254 4-238 Console(config)#

3-17

Configuring the Switch

Using DHCP/BOOTP

If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.

Web – Click IP, General, Routing Interface. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.

Figure 3-8 IP Interface Configuration - DHCP

Note: If you lose your management connection, use a console connection and enter

“show ip interface” to determine the new switch address.

CLI – Specify the management interface, and set the IP address mode to DHCP or BOOTP, and then enter the “ip dhcp restart client” command.

Console#config Console(config)#interface vlan 1 4-149 Console(config-if)#ip address dhcp 4-236 Console(config-if)#end Console#ip dhcp restart client 4-127 Console#show ip interface 4-239 IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: User specified. Console#

Renewing DCHP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.

3-18

Basic Configuration

Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available.

CLI – Enter the following command to restart DHCP service.

Console#ip dhcp restart client 4-127

Managing Firmware

You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version. You must specify the method of file transfer, along with the file type and file names as required.

Command Attributes

• File Transfer Method – The firmware copy operation includes these options:

- file to file – Copies a file within the switch directory, assigning it a new name.

- file to tftp – Copies a file from the switch to a TFTP server.

- tftp to file – Copies a file from a TFTP server to the switch.

- file to unit

- unit to file

• TFTP Server IP Address – The IP address of a TFTP server.

• File Type – Specify opcode (operational code) to copy firmware.

• File Name –

the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored

in the file directory on the switch. The currently designated startup version of this file cannot be deleted.

– Copies a file from this switch to another unit in the stack.

– Copies a file from another unit in the stack to this switch.

The file name should not contain slashes (\ or /),

the leading letter of

1. These operations are not supported for this switch.

3-19

Configuring the Switch

Downloading System Software from a Server

When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file.

Web – Click System, File Management, Copy Operation. Select “tftp to file” as the file transfer method, enter the IP address of the TFTP server, set the file type to “opcode,” enter the file name of the software to download, select a file on the switch to overwrite or specify a new file name, then click Apply. If you replaced the current firmware used for startup and want to start using the new operation code, reboot the system via the System/Reset menu.

Figure 3-9 Copy Firmware

If you download to a new destination file, go to the File Management, Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System/Reset menu.

Figure 3-10 Setting the Startup Code

3-20

Basic Configuration

To delete a file select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that t

startup code cannot be deleted.

Figure 3-11 Deleting Files

he file currently designated as the

CLI – To download new firmware form a TFTP server, enter the IP address of the TFTP server, select “config” as the file type, then enter the source and destination file names. When the file has finished downloading, set the new file to start up the system, and then restart the switch.

To start the new firmware, enter the “reload” command or reboot the system

Console#copy tftp file 4-64 TFTP server ip address: 10.1.0.19 Choose file type:

1. config: 2. opcode: <1-2>: 2 Source file name: V1025.bix Destination file name: V1025 \Write to FLASH Programming.

-Write to FLASH finish. Success. Console#config Console(config)#boot system opcode:V1025 4-69 Console(config)#exit Console#reload 4-23

3-21

Configuring the Switch

Saving or Restoring Configuration Settings

You can upload/download configuration settings to/from a TFTP server. The configuration file can be later downloaded to restore the switch’s settings.

Command Attributes

• File Transfer Method – The configuration copy operation includes these options:

- file to file – Copies a file within the switch directory, assigning it a new name.

- file to running-config – Copies a file in the switch to the running configuration.

- file to startup-config – Copies a file in the switch to the startup configuration.

- file to tftp – Copies a file from the switch to a TFTP server.

- running-config to file – Copies the running configuration to a file.

- running-config to startup-config – Copies the running config to the startup config.

- running-config to tftp – Copies the running configuration to a TFTP server.

- startup-config to file – Copies the startup configuration to a file on the switch.

- startup-config to running-config – Copies the startup config to the running config.

- startup-config to tftp – Copies the startup configuration to a TFTP server.

- tftp to file – Copies a file from a TFTP server to the switch.

- tftp to running-config – Copies a file from a TFTP server to the running config.

- tftp to startup-config – Copies a file from a TFTP server to the startup config.

- file to unit

- unit to file

• TFTP Server IP Address – The IP address of a TFTP server.

• File Type – Specify config (configuration) to copy configuration settings.

•

File Name

leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Note:

– Copies a file from this switch to another unit in the stack.

– Copies a file from another unit in the stack to this switch.

— The configuration file name should not contain slashes (\ or /),

The maximum number of user-defined configuration files is limited only by available flash memory space.

the

2. These operations are not supported for this switch.

3-22

Basic Configuration

Downloading Configuration Settings from a Server

You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.

Web – Click System, File Management, Copy Operation. Choose “tftp to startup-config” or “tftp to file,” and enter the IP address of the TFTP server. Specify the name of the file to download, select a file on the switch to overwrite or specify a new file name, and then click Apply.

Figure 3-12 Copy Configuration Settings

If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file is automatically set as the start-up configuration file. To use the new settings, reboot the system via the System/Reset menu. You can also select any configuration file as the start-up configuration by using the System/File/Set Start-Up page.

Figure 3-13 Setting the Startup Configuration Settings

3-23

Configuring the Switch

CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.

Console#copy tftp startup-config 4-64 TFTP server ip address: 192.168.1.19 Source configuration file name: config-1 Startup configuration file name [] : startup \Write to FLASH Programming.

-Write to FLASH finish. Success.

Console#reload

To select another configuration file as the start-up configuration, use the boot system command and then restart the switch.

Console#config Console(config)#boot system config: startup-new 4-69 Console(config)#exit Console#reload 4-23

Console Port Settings

You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings. These parameters can be configured via the Web or CLI interface.

Command Attributes

• Login Timeout – Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0 - 300 seconds; Default: 0)

• Exec Timeout – Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated. (Range: 0 - 65535 seconds; Default: 600 seconds)

• Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)

• Silent Time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded. (Range: 0-65535; Default: 0)

• Data Bits – Sets the number of data bits per character that are interpreted and generated by the console port. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)

• Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None. (Default: None)

3-24

Basic Configuration

• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive

(from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud, Auto; Default: Auto)

• Stop Bits – Sets the number of the stop bits transmitted per byte.

(Range: 1-2; Default: 1 stop bit)

• Password3 – Specifies a password for the line connection. When a connection is

started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)

• Login3 – Enables password checking at login. You can select authentication by a

single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts (the default).

Web – Click System, Line, Console. Specify the console port connection parameters as required, then click Apply.

3. CLI only.

Figure 3-14 Configuring the Console Port

3-25

Configuring the Switch

CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.

Console(config)#line console 4-12 Console(config-line)#login local 4-12 Console(config-line)#password 0 secret 4-13 Console(config-line)#timeout login response 0 4-14 Console(config-line)#exec-timeout 0 4-15 Console(config-line)#password-thresh 5 4-15 Console(config-line)#silent-time 60 4-16 Console(config-line)#databits 8 4-17 Console(config-line)#parity none 4-17 Console(config-line)#speed auto 4-18 Console(config-line)#stopbits 1 4-18 Console(config-line)#end Console#show line 4-19 Console configuration: Password threshold: 5 times Interactive timeout: Disabled Login timeout: Disabled Silent time: 60 Baudrate: auto Databits: 8 Parity: none Stopbits: 1 VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec Console#

Telnet Settings

You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password. These parameters can be configured via the Web or CLI interface.

Command Attributes

• Telnet Status – Enables or disables Telnet access to the switch. (Default: Enabled)

• Telnet Port Number – Sets the TCP port number for Telnet on the switch. (Default: 23)

3-26

Basic Configuration

• Password Threshold – Sets the password intrusion threshold, which limits the

number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)

• Password

started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)

• Login4 – Enables password checking at login. You can select authentication by a

single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts (the default).

Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply.

– Specifies a password for the line connection. When a connection is

4. CLI only.

Figure 3-15 Configuring the Telnet Interface

3-27

Configuring the Switch

CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.

Console(config)#line vty 4-12 Console(config-line)#login local 4-12 Console(config-line)#password 0 secret 4-13 Console(config-line)#timeout login response 0 4-14 Console(config-line)#exec-timeout 600 4-15 Console(config-line)#password-thresh 3 4-15 Console(config-line)#end Console#show line 4-19 Console configuration: Password threshold: 5 times Interactive timeout: Disabled Login timeout: Disabled Silent time: 60 Baudrate: auto Databits: 8 Parity: none Stopbits: 1

VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec Console#

Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.

System Log Configuration

The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.

Severe error messages that are logged to flash memory are permanently stored in the switch to assist in troubleshooting network problems. Up to 4096 log entries can be stored in the flash memory, with the oldest entries being overwritten first when the available log memory (256 kilobytes) has been exceeded.

The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM.

Command Attributes

• System Log Status – Enables/disables the logging of debug or error messages to the logging process.

• Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3)

3-28

Basic Configuration

Table 3-3 Logging Levels

Level Name Level Description

debugging 7 Debugging messages

informational 6 Informational messages only

notifications 5 Normal but significant condition, such as cold start

warnings 4 Warning conditions (e.g., return false, unexpected return)

errors 3 Error conditions (e.g., invalid input, default used)

critical 2 Critical conditions (e.g., memory allocation, or free

memory error - resource exhausted)

alerts 1 Immediate action needed

emergencies 0 System unusable

* There are only Level 2, 5 and 6 error messages for the current firmware release.

• RAM Level – Limits log messages saved to the switch’s temporary RAM memory

for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)

The Flash Level must be equal to or less than the RAM Level.

Note:

Web – Click System, Logs, System Logs. Specify System Log Status, set

the level of

event messages to be logged, and click Apply.

Figure 3-16 System Logs

CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.

Console(config)#logging on 4-44 Console(config)#logging history ram 0 4-45 Console(config)# Console#show logging flash 4-48 Syslog logging: Disable History logging in FLASH: level errors Console#

3-29

Configuring the Switch

Remote Log Configuration

The Remote Logs page allows you to configure the logging of messages that are sent to syslog servers or other management stations. You can also limit the event messages sent to only those messages at or above a specified level.

Command Attributes

• Remote Log Status – Enables/disables the logging of debug or error messages to the remote logging process. (Default: enabled)

• Logging Facility – Sets the facility type for remote logging of syslog messages. There are eight facility types specified by values of 16 to 23. The facility type is used by the syslog server to dispatch log messages to an appropriate service.

The attribute specifies the facility type tag sent in syslog messages. (See RFC

3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database. (Range: 16-23, Default: 23)

• Logging Trap – Limits log messages that are sent to the remote syslog server for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be sent to the remote server. (Range: 0-7, Default: 3)

• Host IP List – Displays the list of remote server IP addresses that will receive syslog messages. The maximum number of host IP addresses allowed is five.

• Host IP Address – Specifies a new server IP address to add to the Host IP List.

3-30

Basic Configuration

Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.

Figure 3-17 Remote Logs

CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.

Console(config)#logging host 10.1.0.9 4-46 Console(config)#logging facility 23 4-46 Console(config)#logging trap 4 4-47 Console(config)#logging trap Console(config)# Console#show logging trap 4-48 Syslog logging: Enable REMOTELOG status: enable REMOTELOG facility type: local use 7 REMOTELOG level type: Warning conditions REMOTELOG server ip address: 10.1.0.9 REMOTELOG server ip address: 0.0.0.0 REMOTELOG server ip address: 0.0.0.0 REMOTELOG server ip address: 0.0.0.0 REMOTELOG server ip address: 0.0.0.0 Console#

3-31

Configuring the Switch

Displaying Log Messages

Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.

Web – Click System, Log, Logs.

Figure 3-18 Displaying Logs

CLI – This example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), the message level for RAM is “debugging” (i.e., default level 7 - 0), and lists one sample error.

Console#show logging flash 4-48 Syslog logging: Enable History logging in FLASH: level errors Console#show logging ram 4-48 Syslog logging: Enable History logging in RAM: level debugging [0] 0:0:5 1/1/1 PRI_MGR_InitDefault function fails." level: 3, module: 13, function: 0, and event no.: 0 Console#

Resetting the System

Web – Click System, Reset. Click the Reset button to restart the switch. When

prompted, confirm that you want reset the switch.

Figure 3-19 Resetting the System

CLI – Use the reload command to restart the switch.

Console#reload 4-23 System will be restarted, continue <y/n>?

When restarting the system, it will always run the Power-On Self-Test.

Note:

3-32

Basic Configuration

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock using the CLI. (See “calendar set” on page 4-57.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.

When the SNTP client is enabled, the switch periodically sends a request for a time update to a configured time server. You can configure up to three time server IP addresses. The switch will attempt to poll each server in the configured sequence.

Configuring SNTP

You can configure the switch to send time synchronization requests to time servers.

Command Attributes

• SNTP Client – Configures the switch to operate as an SNTP client. This requires

at least one time server to be specified in the SNTP Server field. (Default: Disabled)

• SNTP Poll Interval – Sets the interval between sending requests for a time update

from a time server. (Range: 16-16384 seconds; Default: 16 seconds)

• SNTP Server – Sets the IP address for up to three time servers. The switch

attempts to update the time from the first server, if this fails it attempts an update from the next server in the sequence.

Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply.

Figure 3-20 SNTP Configuration

3-33

Configuring the Switch

CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings.

Console(config)#sntp client 4-53 Console(config)#sntp poll 16 4-55 Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-54 Console(config)#exit Console#show sntp 4-55 Current time: Jan 6 14:56:05 2004 Poll interval: 60 Current mode: unicast SNTP status : Enabled SNTP server 10.1.0.19 137.82.140.80 128.250.36.2 Current server: 128.250.36.2 Console#

Setting the Time Zone

SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.

Command Attributes

• Current Time – Displays the current time.

• Name – Assigns a name to the time zone. (Range: 1-29 characters)

• Hours (0-12) – The number of hours before/after UTC.

• Minutes (0-59) – The number of minutes before/after UTC.

• Direction – Configures the time zone to be before (east) or after (west) UTC.

Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC, and click Apply.

Figure 3-21 Clock Time Zone

CLI - This example shows how to set the time zone for the system clock.

Console(config)#clock timezone Dhaka hours 6 minute 0 after-UTC 4-56 Console#

3-34

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.

Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network.

The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as HP OpenView. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.

Access to the switch using from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.

The SNMPv3 security structure consists of security models, with each model having it’s own security levels. There are three security models defined, SNMPv1, SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a security model and specified security levels. Each group also has a defined security access to set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.

Table 3-4 SNMPv3 Security Models and Levels

Model Level Group Read View Write View Security

v1 noAuthNoPriv public defaultview none Community string only

v1 noAuthNoPriv private defaultview defaultview Community string only

v1 noAuthNoPriv user defined user defined user defined Community string only

v2c noAuthNoPriv public defaultview none Community string only

v2c noAuthNoPriv private defaultview defaultview Community string only

v2c noAuthNoPriv user defined user defined user defined Community string only

v3 noAuthNoPriv user defined user defined user defined A user name match only

3-35

Configuring the Switch

Table 3-4 SNMPv3 Security Models and Levels (Continued)

Model Level Group Read View Write View Security

v3 AuthNoPriv user defined user defined user defined Provides user

v3 AuthPriv user defined user defined user defined Provides user

Note: The predefined default groups and view can be deleted from the system. You can

then define customized groups and views for the SNMP clients that require access.

authentication via MD5 or SHA algorithms

authentication via MD5 or SHA algorithms and data privacy using DES 56-bit encryption

Enabling the SNMP Agent

Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).

Command Attributes

• SNMP Agent Status – Enables SNMP on the switch.

Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled

checkbox, and click Apply.

Figure 3-22 Enabling the SNMP Agent

CLI – The following example enables SNMP on the switch.

Console(config)#snmp-server 4-113 Console(config)#

Setting Community Access Strings

You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.

Command Attributes

• SNMP Community Capability – The switch supports up to five community strings.

• Community String – A community string that acts like a password and permits access to the SNMP protocol.

Default strings: “public” (read-only access), “private” (read/write access) Range: 1-32 characters, case sensitive

3-36

Simple Network Management Protocol

• Access Mode – Specifies the access rights for the community string:

- Read-Only – Authorized management stations are only able to retrieve MIB objects.

- Read/Write – Authorized management stations are able to both retrieve and modify MIB objects.

Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add.

Figure 3-23 Configuring SNMP Community Strings

CLI – The following example adds the string “spiderman” with read/write access.

Console(config)#snmp-server community spiderman rw 4-115 Console(config)#

Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.

Command Attributes

• Trap Manager Capability – This switch supports up to five trap managers.

• Trap Manager IP Address – IP address of a new management station to receive trap messages.

• Trap Manager Community String – Specifies a valid community string for the new trap manager entry. Though you can set this string in the Trap Managers table, we recommend that you define this string in the SNMP Configuration page (for Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive)

• Trap UDP Port – Specifies the UDP port number used by the trap manager.

• Trap Version – Indicates if the user is running SNMP v1, v2c, or v3. (Default: v1)

3-37

Configuring the Switch

• Enable Authentication Traps – Issues a trap message to specified IP trap managers whenever authentication of an SNMP request fails. (Default: Enabled)

• Enable Link-up and Link-down Traps – Issues a trap message whenever a port link is established or broken. (Default: Enabled)

Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port and SNMP version, and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.

Figure 3-24 Configuring SNMP Trap Managers

CLI – This example adds a trap manager and enables authentication traps.

Console(config)#snmp-server host 10.1.19.23 batman private version 2c

udp-port 162 4-117

Console(config)#snmp-server enable traps authentication 4-118

Configuring SNMPv3 Management Access

To configure SNMPv3 management access to the switch, follow these steps:

1. Configure an SNMP engine ID.

2. Specify read and write access views for the switch MIB tree.

3. Configure SNMP user groups with the required security model (i.e., SNMP v1,

v2c or v3) and security level (i.e., authentication and privacy).

4. Assign SNMP users to groups, along with their specific authentication and

privacy passwords.

Setting an Engine ID

An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.

3-38

Simple Network Management Protocol

A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engineID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users.

Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of up to 26 hexadecimal characters and then click Save.

Figure 3-25 Setting the SNMPv3 Engine ID

CLI – This example sets an SNMPv3 engine ID.

Console(config)#snmp-server engine-id local 12345abcdef 4-119 Console(config)#exit Console#show snmp engine-id 4-119 Local SNMP engineID: 12345abcdef000000000000000 Local SNMP engineBoots: 1 Console#

Configuring SNMPv3 Users

Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read and a write view.

Command Attributes

• User Name – The name of user connecting to the SNMP agent. (Range: 1-32

characters)

• Group Name – The name of the SNMP group to which the user is assigned.

(Range: 1-32 characters)

• Model – The user security model; SNMP v1, v2c or v3.

• Level – The security level used for the user:

- noAuthNoPriv – There is no authentication or encryption used in SNMP communications.

- AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model).

• Authentication – The method used for user authentication; MD5 or SHA

3-39

Configuring the Switch

• Privacy – The encryption algorithm use for data privacy; only 56-bit DES is currently available

• Actions – Enables the user to be assigned to another SNMPv3 group.

Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.

3-40

Figure 3-26 Configuring SNMPv3 Users

Simple Network Management Protocol

CLI – Use the snmp-server user command to configure a new user name and assign it to a group.

Console(config)#snmp-server user chris group r&d v3 auth md5

greenpeace priv des56 einstien 4-124 Console(config)#exit Console#show snmp user 4-125 EngineId: 80000034030001f488f5200000 User Name: chris Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active

Console#

Configuring SNMPv3 Groups

An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read and write views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.

Command Attributes

• Group Name – The name of the SNMP group. (Range: 1-32 characters)

• Model – The group security model; SNMP v1, v2c or v3.

• Level – The security level used for the group:

- noAuthNoPriv – There is no authentication or encryption used in SNMP communications.

- AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model).

• Read View – The configured view for read access. (Range: 1-64 characters)

• Write View – The configured view for write access. (Range: 1-64 characters)

3-41

Configuring the Switch

Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.

Figure 3-27 Configuring SNMPv3 Groups

CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views.

Console(config)#snmp-server group v3secure v3 priv read

defaultview write defaultview 4-121 Console(config)#exit Console#show snmp group 4-123 Group Name: v3secure Security Model: v3 Read View: defaultview Write View: defaultview Notify View: none Storage Type: nonvolatile Row Status: active

Console#

3-42

Simple Network Management Protocol

Setting SNMPv3 Views

SNMPv3 views are used to restrict user access to specified portions of the MIB tree.

The predefined view “defaultview” includes access to the entire MIB tree.

Command Attributes

• View Name – The name of the SNMP view. (Range: 1-64 characters)

• View OID Subtrees – Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view.

• Edit OID Subtrees – Allows you to configure the object identifiers of branches within the MIB tree. Wild cards can be used to mask a specific portion of the OID string.

• Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view.

Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list. For a specific view, click on View OID Subtrees to display the current configuration, or click on Edit OID Subtrees to make changes to the view settings. To delete a view, check the box next to the view name, then click Delete.

Figure 3-28 Configuring SNMPv3 Views

3-43

Configuring the Switch

CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.

Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.*

included 4-120 Console(config)#exit Console#show snmp view 4-121 View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.* View Type: included Storage Type: nonvolatile Row Status: active

View Name: readaccess Subtree OID: 1.3.6.1.2 View Type: included Storage Type: nonvolatile Row Status: active

View Name: defaultview Subtree OID: 1 View Type: included Storage Type: nonvolatile Row Status: active

Console#

User Authentication

You can restrict management access to this switch using the following options:

• User Accounts – Manually configure access rights for specified users.

• Authentication Settings – Use remote authentication to configure access rights.

• HTTPS Settings – Provide a secure web connection.

• SSH Settings – Provide a secure shell (for secure Telnet access).

• Port Security – Configure secure addresses for individual ports.

• 802.1x – Use IEEE 802.1x port authentication to control access to specific ports.

• IP Filter – Filters management access to the web, SNMP or Telnet interface.

Configuring User Accounts

The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place.

The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.”

3-44

User Authentication

Command Attributes

• Account List – Shows the list of users that are allowed management access. (Defaults: admin, and guest)

• New Account – Displays configuration settings for a new account.

- User Name – The name of the user.

(Maximum length: 8 characters; maximum number of users: 16)

- Access Level – Specifies the user level.

(Options: Normal and Privileged)

- Password – Specifies the user password.

(Range: 0-8 characters plain text, case sensitive)

• Change Password – Sets a new password for the specified user.

Web – Click Security, User Accounts. To configure a new user account, enter the user name, access level, and password, then click Add. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.

Figure 3-29 User Accounts

CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password.

Console(config)#username bob access-level 15 4-27 Console(config)#username bob password 0 smith Console(config)#

3-45

Configuring the Switch

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.

Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are logon

Web Telnet

authentication protocols that use software running on a central server to control access to RADIUS-aware or TACACSaware devices on the network.

RADIUS/ TACACS+ server

1. Client attempts management access.

2. Switch contacts authentication server.

3. Authentication server challenges client.

4. Client responds with proper password or key.

5. Authentication server approves access.

6. Switch grants management access.

An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch.

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.

Command Usage

• By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol. Local and remote logon authentication control management access via the console port, web browser, or Telnet.

• RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair. The user name, password, and privilege level must be configured on the authentication server.

• You can specify up to three authentication methods for any user to indicate the authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and (3) Local, the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted using the TACACS+ server, and finally the local user name and password is checked.

Command Attributes

• Authentication – Select the authentication, or authentication sequence required:

- Local – User authentication is performed only locally by the switch.

- Radius – User authentication is performed using a RADIUS server only.

- TACACS – User authentication is performed using a TACACS+ server only.

- [authentication sequence] – User authentication is performed by up to three

authentication methods in the indicated sequence.

console

3-46

User Authentication

• RADIUS Settings

- Server IP Address – Address of authentication server. (Default: 10.1.0.1)

- Server Port Number – Network (UDP) port of authentication server used for authentication messages. (Range: 1-65535; Default: 1812)

- Secret Text String – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters)

- Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2)

- Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5)

• TACACS Settings

- Server IP Address – Address of the TACACS+ server. (Default: 10.11.12.13)

- Server Port Number – Network (TCP) port of TACACS+ server used for authentication messages. (Range: 1-65535; Default: 49)

- Secret Text String – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters)

The local switch user database has to be set up by manually entering user names

Note:

and passwords using the CLI. (See “username” on page 4-27.)

Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.

Figure 3-30 Authentication Server Settings

3-47

Configuring the Switch

CLI – Specify all the required parameters to enable logon authentication.

Console(config)#authentication login radius 4-70 Console(config)#radius-server host 192.168.1.25 4-72 Console(config)#radius-server port 181 4-73 Console(config)#radius-server key green 4-73 Console(config)#radius-server retransmit 5 4-74 Console(config)#radius-server timeout 10 4-74 Console#show radius-server 4-74 Server IP address: 192.168.1.25 Communication key with radius server: Server port number: 181 Retransmit times: 5 Request timeout: 10 Console(config)#authentication login tacacs 4-70 Console(config)#tacacs-server host 10.20.30.40 4-75 Console(config)#tacacs-server port 200 4-76 Console(config)#tacacs-server key green 4-76 Console#show tacacs-server 4-77 Server IP address: 10.20.30.40 Communication key with tacacs server: green Server port number: 200 Console(config)#

Configuring HTTPS

You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.

Command Usage

• Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port.

• If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number]

• When you start HTTPS, the connection is established in this way:

- The client authenticates the server using the server’s digital certificate.

- The client and server negotiate a set of security protocols to use for the

connection.

- The client and server generate session keys for encrypting and decrypting data.

• The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above and Netscape Navigator 4.x or above.

3-48

User Authentication

• The following web browsers and operating systems currently support HTTPS:

Table 3-5 HTTPS System Support

Web Browser Operating System

Internet Explorer 5.0 or later Windows 98,Windows NT (with service pack 6a),

Netscape Navigator 4.76 or later Windows 98,Windows NT (with service pack 6a),

• To specify a secure-site certificate, see “Replacing the Default Secure-site

Certificate” on page 3-49.

Command Attributes

• HTTPS Status – Allows you to enable/disable the HTTPS server feature on the

switch.

(Default: Enabled)

•

Change HTTPS Port Number – Specifies the UDP port number used for HTTPS/ SSL connection to the switch’s web interface. (Default: Port 443)

Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.

Windows 2000, Windows XP

Windows 2000, Windows XP, Solaris 2.6

Figure 3-31 HTTPS Settings

CLI – This example enables the HTTP secure server and modifies the port number.

Console(config)#ip http secure-server 4-32 Console(config)#ip http secure-port 441 4-33 Console(config)#

Replacing the Default Secure-site Certificate

When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site. This is because the certificate has not been signed by an approved certification authority. If you want this warning to be replaced by a message confirming that the connection to the switch is secure, you must obtain a unique certificate and a private key and password from a recognized certification authority.

Caution:

For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased.

3-49

Configuring the Switch

When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to replace the default (unrecognized) certificate with an authorized one:

Console#copy tftp https-certificate 4-64 TFTP server ip address: <server ip-address> Source certificate file name: <certificate file name> Source private file name: <private key file name> Private password: <password for private key>

Note: The switch must be reset for the new certificate to be activated. To reset the

switch, type “reload” at the command prompt:

Console#reload

Configuring the Secure Shell

The Berkley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.

The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkley remote access tools. SSH can also provide remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public-key that the client uses along with a local user name and password for access authentication. SSH also encrypts all data transfers passing between the switch and SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered.

Note that you need to install an SSH client on the management station to access the switch for management via the SSH protocol.

The switch supports both SSH Version 1.5 and 2.0.

Note:

Command Usage

The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the Authentication Settings page (page 3-46). If public key authentication is specified by the client, then you must configure authentication keys on both the client and the switch as described in the following section. Note that regardless of whether you use public key or password authentication, you still have to generate authentication keys on the switch (SSH Host Key Settings) and enable the SSH server (Authentication Settings).

To use the SSH server, complete these steps:

1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host

public/private key pair.

2. Provide Host Public Key to Clients – Many SSH client programs automatically

import the host public key during the initial connection setup with the switch.

3-50

User Authentication

Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example:

10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233 76546801726272571413428762941301196195566782 59566410486957427888146206 51941746772984865468615717739390164779355942303577413098022737087794545 24083971752646358058176716709574804776117

3. Import Client’s Public Key to the Switch – Use the copy tftp public-key

command (page 4-64) to copy a file containing the public key for all the SSH client’s granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3-44.) The clients are subsequently authenticated using these keys. The current firmware only accepts public key files based on standard UNIX format as shown in the following example for an RSA Version 1 key:

1024 35 1341081685609893921040944920155425347631641921872958921143173880 05553616163105177594083868631109291232226828519254374603100937187721199 69631781366277414168985132049117204830339254324101637997592371449011938 00609025394840848271781943722884025331159521348610229029789827213532671 31629432532818915045306393916643 steve@192.168.1.19

4. Set the Optional Parameters – On the SSH Settings page, configure the

optional parameters, including the authentication timeout, the number of retries, and the server key size.

5. Enable SSH Service – On the SSH Settings page, enable the SSH server on

the switch.

6. Challenge-Response Authentication – When an SSH client attempts to contact

the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process:

a. The client sends its public key to the switch. b. The switch compares the client's public key to those stored in memory. c. If a match is found, the switch uses the public key to encrypt a random

sequence of bytes, and sends this string to the client.

d. The client uses its private key to decrypt the bytes, and sends the

decrypted bytes back to the switch.

e. The switch compares the decrypted bytes to the original bytes it sent. If the

two sets match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.

3-51

Configuring the Switch

Notes: 1. To use SSH with only password authentication, the host public key must still

be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client’s keys.

2. The SSH server supports up to four client sessions. The maximum number

of client sessions includes both current Telnet sessions and SSH sessions.

Generating the Host Key Pair

A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the preceding section (Command Usage).

Field Attributes

• Public-Key of Host-Key – The public key for the host.

- RSA (Version 1): The first field indicates the size of the host key (e.g., 1024), the

second field is the encoded public exponent (e.g., 65537), and the last string is the encoded modulus.

- DSA (Version 2): The first field indicates that the encryption method used by

SSH is based on the Digital Signature Standard (DSS). The last string is the encoded modulus.

• Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA (Version 1), DSA (Version 2), Both: Default: RSA) The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.

• Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e., volatile memory to flash memory). Otherwise, the host key pair is stored to RAM by default. Note that you must select this item prior to generating the host-key pair.

• Generate – This button is used to generate the host key pair. Note that you must first generate the host key pair before you can enable the SSH server on the SSH Server Settings page.

3-52

Microsoft ES4612 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Chapter 1: Introduction

Key Features

Description of Software Features

System Defaults

Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

Required Connections

Basic Configuration

Remote Connections

Console Connection

Setting Passwords

Setting an IP Address

Manual Configuration

Dynamic Configuration

Enabling SNMP Management Access

Community Strings (for SNMP version 1 and 2c clients)

Trap Receivers

Configuring Access for SNMP Version 3 Clients

Saving Configuration Settings

Managing System Files

Chapter 3: Configuring the Switch

Using the Web Interface

Navigating the Web Browser Interface

Home Page

Configuration Options

Panel Display

Main Menu

Basic Configuration

Displaying System Information

Displaying Switch Hardware/Software Versions

Displaying Bridge Extension Capabilities

Setting the Switch’s IP Address

Manual Configuration

Using DHCP/BOOTP

Managing Firmware

Downloading System Software from a Server

Saving or Restoring Configuration Settings

Downloading Configuration Settings from a Server

Console Port Settings

Telnet Settings

Configuring Event Logging

System Log Configuration

Remote Log Configuration

Displaying Log Messages

Resetting the System

Setting the System Clock

Configuring SNTP

Setting the Time Zone

Simple Network Management Protocol

Enabling the SNMP Agent

Setting Community Access Strings

Specifying Trap Managers and Trap Types

Configuring SNMPv3 Management Access

Setting an Engine ID

Configuring SNMPv3 Users

Configuring SNMPv3 Groups

Setting SNMPv3 Views

User Authentication

Configuring User Accounts

Configuring Local/Remote Logon Authentication

Configuring HTTPS

Replacing the Default Secure-site Certificate

Configuring the Secure Shell

Generating the Host Key Pair