Microsoft ES4625, ES4649 User Manual

Powered by Accton

ES4625/ES4649
24/48-Port Gigabit Ethernet

Stackable Layer 3 Switch

Management Guide

Management Guide

Gigabit Ethernet Switch

Layer 3 Switch
with 20/44 RJ-45 Ports,
4 Combination Ports (SFP/RJ-45),
1 Extender Module Slot,
and 2 Stacking Ports

ES4625
ES4649
F3.1.1.21 E042005-R01
149100022900A

Contents

Chapter 1: Introduction 1-1

Key Features 1-1
Description of Software Features 1-2
System Defaults 1-6

Chapter 2: Initial Configuration 2-1

Connecting to the Switch 2-1

Configuration Options 2-1
Required Connections 2-2
Remote Connections 2-3

Stack Operations 2-3

Selecting the Stack Master 2-3
Selecting the Backup Unit 2-4
Recovering from Stack Failure or Topology Change 2-4

Broken Link for Line and Wrap-around Topologies 2-4
Resilient IP Interface for Management Access 2-5

Resilient Configuration 2-5
Renumbering the Stack 2-5
Stack Limitations 2-5

Basic Configuration 2-6

Console Connection 2-6
Setting Passwords 2-7
Setting an IP Address 2-7

Manual Configuration 2-7

Dynamic Configuration 2-8
Enabling SNMP Management Access 2-9

Community Strings (for SNMP version 1 and 2c clients) 2-9

Trap Receivers 2-10

Configuring Access for SNMP Version 3 Clients 2-11
Saving Configuration Settings 2-11

Managing System Files 2-12

Chapter 3: Configuring the Switch 3-1

Using the Web Interface 3-1
Navigating the Web Browser Interface 3-2

Home Page 3-2
Configuration Options 3-3
Panel Display 3-3
Main Menu 3-4

Basic Configuration 3-12

Displaying System Information 3-12

v

Contents

Displaying Switch Hardware/Software Versions 3-13
Displaying Bridge Extension Capabilities 3-15
Configuring Support for Jumbo Frames 3-16
Setting the Switch’s IP Address 3-17

Manual Configuration 3-18
Using DHCP/BOOTP 3-19

Managing Firmware 3-20

Downloading System Software from a Server 3-21

Saving or Restoring Configuration Settings 3-23

Downloading Configuration Settings from a Server 3-24
Console Port Settings 3-25
Telnet Settings 3-27
Configuring Event Logging 3-29

System Log Configuration 3-29

Remote Log Configuration 3-30

Displaying Log Messages 3-32

Sending Simple Mail Transfer Protocol Alerts 3-32
Renumbering the Stack 3-34
Resetting the System 3-35
Setting the System Clock 3-35

Configuring SNTP 3-35

Setting the Time Zone 3-36

Simple Network Management Protocol 3-37

Enabling the SNMP Agent 3-39
Setting Community Access Strings 3-39
Specifying Trap Managers and Trap Types 3-40
Configuring SNMPv3 Management Access 3-42

Setting a Local Engine ID 3-43

Specifying a Remote Engine ID 3-43

Configuring SNMPv3 Users 3-44

Configuring Remote SNMPv3 Users 3-46

Configuring SNMPv3 Groups 3-48

Setting SNMPv3 Views 3-52

User Authentication 3-53

Configuring User Accounts 3-53
Configuring Local/Remote Logon Authentication 3-55
Configuring HTTPS 3-58

Replacing the Default Secure-site Certificate 3-59
Configuring the Secure Shell 3-60

Generating the Host Key Pair 3-61

Configuring the SSH Server 3-63
Configuring Port Security 3-65
Configuring 802.1X Port Authentication 3-67

Displaying 802.1X Global Settings 3-68

Configuring 802.1X Global Settings 3-69

vi

Contents

Configuring Port Settings for 802.1X 3-69
Displaying 802.1X Statistics 3-72

Filtering IP Addresses for Management Access 3-74

Access Control Lists 3-76

Configuring Access Control Lists 3-76

Setting the ACL Name and Type 3-77
Configuring a Standard IP ACL 3-77
Configuring an Extended IP ACL 3-78
Configuring a MAC ACL 3-81

Configuring ACL Masks 3-83

Specifying the Mask Type 3-83
Configuring an IP ACL Mask 3-84
Configuring a MAC ACL Mask 3-86

Binding a Port to an Access Control List 3-87

Port Configuration 3-88

Displaying Connection Status 3-88
Configuring Interface Connections 3-91
Creating Trunk Groups 3-93

Statically Configuring a Trunk 3-94
Enabling LACP on Selected Ports 3-95
Configuring LACP Parameters 3-97
Displaying LACP Port Counters 3-100
Displaying LACP Settings and Status for the Local Side 3-101

Displaying LACP Settings and Status for the Remote Side 3-103
Setting Broadcast Storm Thresholds 3-104
Configuring Port Mirroring 3-106
Configuring Rate Limits 3-107
Showing Port Statistics 3-108

Address Table Settings 3-112

Setting Static Addresses 3-112
Displaying the Address Table 3-113
Changing the Aging Time 3-115

Spanning Tree Algorithm Configuration 3-115

Displaying Global Settings 3-116
Configuring Global Settings 3-119
Displaying Interface Settings 3-123
Configuring Interface Settings 3-126
Configuring Multiple Spanning Trees 3-128
Displaying Interface Settings for MSTP 3-132
Configuring Interface Settings for MSTP 3-133

VLAN Configuration 3-135

IEEE 802.1Q VLANs 3-135

Enabling or Disabling GVRP (Global Setting) 3-138

Displaying Basic VLAN Information 3-138

Displaying Current VLANs 3-139

vii

Contents

Creating VLANs 3-140
Adding Static Members to VLANs (VLAN Index) 3-141
Adding Static Members to VLANs (Port Index) 3-143
Configuring VLAN Behavior for Interfaces 3-144

Configuring Private VLANs 3-146

Enabling Private VLANs 3-146
Configuring Uplink and Downlink Ports 3-147

Configuring Protocol-Based VLANs 3-147

Configuring Protocol Groups 3-148
Mapping Protocols to VLANs 3-149

Class of Service Configuration 3-150

Layer 2 Queue Settings 3-150

Setting the Default Priority for Interfaces 3-150
Mapping CoS Values to Egress Queues 3-152
Selecting the Queue Mode 3-154
Setting the Service Weight for Traffic Classes 3-154

Layer 3/4 Priority Settings 3-156

Mapping Layer 3/4 Priorities to CoS Values 3-156
Selecting IP Precedence/DSCP Priority 3-156
Mapping IP Precedence 3-157
Mapping DSCP Priority 3-158
Mapping IP Port Priority 3-160

Quality of Service 3-161

Configuring Quality of Service Parameters 3-162

Configuring a Class Map 3-162
Creating QoS Policies 3-165
Attaching a Policy Map to Ingress Queues 3-168

Multicast Filtering 3-169

IGMP Protocol 3-169
Layer 2 IGMP (Snooping and Query) 3-170

Configuring IGMP Snooping and Query Parameters 3-171
Displaying Interfaces Attached to a Multicast Router 3-173
Specifying Static Interfaces for a Multicast Router 3-174
Displaying Port Members of Multicast Services 3-175
Assigning Ports to Multicast Services 3-176

Layer 3 IGMP (Query used with Multicast Routing) 3-177

Configuring IGMP Interface Parameters 3-177
Displaying Multicast Group Information 3-180

Configuring Domain Name Service 3-181

Configuring General DNS Server Parameters 3-181
Configuring Static DNS Host to Address Entries 3-183
Displaying the DNS Cache 3-185

Dynamic Host Configuration Protocol 3-186

Configuring DHCP Relay Service 3-186
Configuring the DHCP Server 3-188

viii

Contents

Enabling the Server, Setting Excluded Addresses 3-188

Configuring Address Pools 3-190

Displaying Address Bindings 3-194

Configuring Router Redundancy 3-195

Virtual Router Redundancy Protocol 3-196

Configuring VRRP Groups 3-196

Displaying VRRP Global Statistics 3-201

Displaying VRRP Group Statistics 3-202

IP Routing 3-204

Overview 3-204

Initial Configuration 3-204
IP Switching 3-205

Routing Path Management 3-206

Routing Protocols 3-206
Basic IP Interface Configuration 3-207
Configuring IP Routing Interfaces 3-208
Address Resolution Protocol 3-210

Proxy ARP 3-210

Basic ARP Configuration 3-211

Configuring Static ARP Addresses 3-212

Displaying Dynamically Learned ARP Entries 3-213

Displaying Local ARP Entries 3-214

Displaying ARP Statistics 3-215
Displaying Statistics for IP Protocols 3-216

IP Statistics 3-216

ICMP Statistics 3-218

UDP Statistics 3-220

TCP Statistics 3-221
Configuring Static Routes 3-222
Displaying the Routing Table 3-223
Configuring the Routing Information Protocol 3-224

Configuring General Protocol Settings 3-225

Specifying Network Interfaces for RIP 3-227

Configuring Network Interfaces for RIP 3-228

Displaying RIP Information and Statistics 3-231
Configuring the Open Shortest Path First Protocol 3-234

Configuring General Protocol Settings 3-235

Configuring OSPF Areas 3-238

Configuring Area Ranges (Route Summarization for ABRs) 3-241

Configuring OSPF Interfaces 3-243

Configuring Virtual Links 3-247

Configuring Network Area Addresses 3-249

Configuring Summary Addresses (for External AS Routes) 3-252

Redistributing External Routes 3-253

Configuring NSSA Settings 3-254

ix

Contents

Displaying Link State Database Information 3-256
Displaying Information on Border Routers 3-258
Displaying Information on Neighbor Routers 3-259

Multicast Routing 3-260

Configuring Global Settings for Multicast Routing 3-260
Displaying the Multicast Routing Table 3-261
Configuring DVMRP 3-264

Configuring Global DVMRP Settings 3-264
Configuring DVMRP Interface Settings 3-267
Displaying Neighbor Information 3-269
Displaying the Routing Table 3-270

Configuring PIM-DM 3-271

Configuring Global PIM-DM Settings 3-271
Configuring PIM-DM Interface Settings 3-272
Displaying Interface Information 3-275
Displaying Neighbor Information 3-275

Chapter 4: Command Line Interface 4-1

Using the Command Line Interface 4-1

Accessing the CLI 4-1
Console Connection 4-1
Telnet Connection 4-1

Entering Commands 4-3

Keywords and Arguments 4-3
Minimum Abbreviation 4-3
Command Completion 4-3
Getting Help on Commands 4-3

Showing Commands 4-4
Partial Keyword Lookup 4-5
Negating the Effect of Commands 4-5
Using Command History 4-5
Understanding Command Modes 4-6
Exec Commands 4-6
Configuration Commands 4-7
Command Line Processing 4-9

Command Groups 4-10
Line Commands 4-11

line 4-12
login 4-12
password 4-13
timeout login response 4-14
exec-timeout 4-15
password-thresh 4-15
silent-time 4-16

x

Contents

databits 4-17
parity 4-17
speed 4-18
stopbits 4-18
disconnect 4-19
show line 4-19

General Commands 4-20

enable 4-20
disable 4-21
configure 4-22
show history 4-22
reload 4-23
end 4-23
exit 4-24
quit 4-24

System Management Commands 4-25

Device Designation Commands 4-25

prompt 4-25
hostname 4-26
switch renumber 4-26

User Access Commands 4-27

username 4-27
enable password 4-28

IP Filter Commands 4-29

management 4-29
show management 4-30

Web Server Commands 4-31

ip http port 4-31
ip http server 4-31
ip http secure-server 4-32
ip http secure-port 4-33

Telnet Server Commands 4-34

ip telnet server 4-34

Secure Shell Commands 4-34

ip ssh server 4-37
ip ssh timeout 4-37
ip ssh authentication-retries 4-38
ip ssh server-key size 4-38
delete public-key 4-39
ip ssh crypto host-key generate 4-39
ip ssh crypto zeroize 4-40
ip ssh save host-key 4-41
show ip ssh 4-41
show ssh 4-41
show public-key 4-42

xi

Contents

Event Logging Commands 4-43

logging on 4-43

logging history 4-44

logging host 4-45

logging facility 4-45

logging trap 4-46

clear log 4-47

show logging 4-47

show log 4-49
SMTP Alert Commands 4-49

logging sendmail host 4-50

logging sendmail level 4-50

logging sendmail source-email 4-51

logging sendmail destination-email 4-51

logging sendmail 4-52

show logging sendmail 4-52
Time Commands 4-53

sntp client 4-53

sntp server 4-54

sntp poll 4-55

show sntp 4-55

clock timezone 4-56

calendar set 4-56

show calendar 4-57
System Status Commands 4-57

show startup-config 4-57

show running-config 4-59

show system 4-61

show users 4-62

show version 4-62
Frame Size Commands 4-63

jumbo frame 4-63

Flash/File Commands 4-64

copy 4-64
delete 4-67
dir 4-67
whichboot 4-68
boot system 4-69

Authentication Commands 4-70

Authentication Sequence 4-70

authentication login 4-70

authentication enable 4-71
RADIUS Client 4-72

radius-server host 4-72

radius-server port 4-73

xii

Contents

radius-server key 4-73
radius-server retransmit 4-74
radius-server timeout 4-74
show radius-server 4-75

TACACS+ Client 4-75

tacacs-server host 4-76
tacacs-server port 4-76
tacacs-server key 4-77
show tacacs-server 4-77

Port Security Commands 4-78

port security 4-78

802.1X Port Authentication 4-80
dot1x system-auth-control 4-80
dot1x default 4-81
dot1x max-req 4-81
dot1x port-control 4-81
dot1x operation-mode 4-82
dot1x re-authenticate 4-83
dot1x re-authentication 4-83
dot1x timeout quiet-period 4-83
dot1x timeout re-authperiod 4-84
dot1x timeout tx-period 4-84
show dot1x 4-85

Access Control List Commands 4-87

IP ACLs 4-89

access-list ip 4-89
permit, deny (Standard ACL) 4-90
permit, deny (Extended ACL) 4-91
show ip access-list 4-93
access-list ip mask-precedence 4-93
mask (IP ACL) 4-94
show access-list ip mask-precedence 4-97
ip access-group 4-98
show ip access-group 4-98

MAC ACLs 4-99

access-list mac 4-99
permit, deny (MAC ACL) 4-100
show mac access-list 4-101
access-list mac mask-precedence 4-102
mask (MAC ACL) 4-102
show access-list mac mask-precedence 4-104
mac access-group 4-105
show mac access-group 4-105

ACL Information 4-106

show access-list 4-106

xiii

Contents

show access-group 4-106

SNMP Commands 4-107

snmp-server 4-107
show snmp 4-108
snmp-server community 4-109
snmp-server contact 4-109
snmp-server location 4-110
snmp-server host 4-110
snmp-server enable traps 4-112
snmp-server engine-id 4-113
show snmp engine-id 4-114
snmp-server view 4-115
show snmp view 4-116
snmp-server group 4-116
show snmp group 4-118
snmp-server user 4-119
show snmp user 4-120

DHCP Commands 4-121

DHCP Client 4-121

ip dhcp client-identifier 4-121
ip dhcp restart client 4-122

DHCP Relay 4-123

ip dhcp restart relay 4-123
ip dhcp relay server 4-124

DHCP Server 4-124

service dhcp 4-125
ip dhcp excluded-address 4-125
ip dhcp pool 4-126
network 4-127
default-router 4-127
domain-name 4-128
dns-server 4-128
next-server 4-129
bootfile 4-129
netbios-name-server 4-130
netbios-node-type 4-131
lease 4-131
host 4-132
client-identifier 4-133
hardware-address 4-134
clear ip dhcp binding 4-134
show ip dhcp binding 4-135

DNS Commands 4-136

ip host 4-136
clear host 4-137

xiv

Contents

ip domain-name 4-137
ip domain-list 4-138
ip name-server 4-139
ip domain-lookup 4-140
show hosts 4-141
show dns 4-141
show dns cache 4-142
clear dns cache 4-142

Interface Commands 4-143

interface 4-143
description 4-144
speed-duplex 4-144
negotiation 4-145
capabilities 4-146
media-type 4-148
shutdown 4-148
switchport broadcast packet-rate 4-149
clear counters 4-149
show interfaces status 4-150
show interfaces counters 4-151
show interfaces switchport 4-152

Mirror Port Commands 4-154

port monitor 4-154
show port monitor 4-155

Rate Limit Commands 4-156

rate-limit 4-156

Link Aggregation Commands 4-157

channel-group 4-158
lacp 4-159
lacp system-priority 4-160
lacp admin-key (Ethernet Interface) 4-161
lacp admin-key (Port Channel) 4-161
lacp port-priority 4-162
show lacp 4-163

Address Table Commands 4-166

mac-address-table static 4-167
clear mac-address-table dynamic 4-168
show mac-address-table 4-168
mac-address-table aging-time 4-169
show mac-address-table aging-time 4-169

Spanning Tree Commands 4-170

spanning-tree 4-171
spanning-tree mode 4-171
spanning-tree forward-time 4-172
spanning-tree hello-time 4-173

xv

Contents

spanning-tree max-age 4-173
spanning-tree priority 4-174
spanning-tree pathcost method 4-175
spanning-tree transmission-limit 4-175
spanning-tree mst-configuration 4-176
mst vlan 4-176
mst priority 4-177
name 4-177
revision 4-178
max-hops 4-179
spanning-tree spanning-disabled 4-179
spanning-tree cost 4-180
spanning-tree port-priority 4-181
spanning-tree edge-port 4-181
spanning-tree portfast 4-182
spanning-tree link-type 4-183
spanning-tree mst cost 4-183
spanning-tree mst port-priority 4-184
spanning-tree protocol-migration 4-185
show spanning-tree 4-186
show spanning-tree mst configuration 4-188

VLAN Commands 4-188

Editing VLAN Groups 4-188

vlan database 4-189
vlan 4-189

Configuring VLAN Interfaces 4-190

interface vlan 4-190
switchport mode 4-191
switchport acceptable-frame-types 4-192
switchport ingress-filtering 4-192
switchport native vlan 4-193
switchport allowed vlan 4-194
switchport forbidden vlan 4-195

Displaying VLAN Information 4-195

show vlan 4-196

Configuring Private VLANs 4-197

pvlan 4-197
show pvlan 4-198

Configuring Protocol-based VLANs 4-198

protocol-vlan protocol-group (Configuring Groups) 4-199
protocol-vlan protocol-group (Configuring Interfaces) 4-199
show protocol-vlan protocol-group 4-200
show interfaces protocol-vlan protocol-group 4-201

GVRP and Bridge Extension Commands 4-202

bridge-ext gvrp 4-202

xvi

Contents

show bridge-ext 4-202
switchport gvrp 4-203
show gvrp configuration 4-203
garp timer 4-204
show garp timer 4-205

Priority Commands 4-206

Priority Commands (Layer 2) 4-206

queue mode 4-206
switchport priority default 4-207
queue bandwidth 4-208
queue cos-map 4-209
show queue mode 4-210
show queue bandwidth 4-210
show queue cos-map 4-210

Priority Commands (Layer 3 and 4) 4-211

map ip port (Global Configuration) 4-211
map ip port (Interface Configuration) 4-212
map ip precedence (Global Configuration) 4-212
map ip precedence (Interface Configuration) 4-213
map ip dscp (Global Configuration) 4-214
map ip dscp (Interface Configuration) 4-214
show map ip port 4-215
show map ip precedence 4-216
show map ip dscp 4-217

Quality of Service Commands 4-218

class-map 4-219
match 4-220
policy-map 4-221
class 4-222
set 4-223
police 4-223
service-policy 4-224
show class-map 4-225
show policy-map 4-225
show policy-map interface 4-226

Multicast Filtering Commands 4-226

IGMP Snooping Commands 4-227

ip igmp snooping 4-227
ip igmp snooping vlan static 4-227
ip igmp snooping version 4-228
show ip igmp snooping 4-228
show mac-address-table multicast 4-229

IGMP Query Commands (Layer 2) 4-230

ip igmp snooping querier 4-230
ip igmp snooping query-count 4-230

xvii

Contents

ip igmp snooping query-interval 4-231
ip igmp snooping query-max-response-time 4-231
ip igmp snooping router-port-expire-time 4-232

Static Multicast Routing Commands 4-233

ip igmp snooping vlan mrouter 4-233
show ip igmp snooping mrouter 4-234

IGMP Commands (Layer 3) 4-234

ip igmp 4-235
ip igmp robustval 4-235
ip igmp query-interval 4-236
ip igmp max-resp-interval 4-237
ip igmp last-memb-query-interval 4-237
ip igmp version 4-238
show ip igmp interface 4-239
clear ip igmp group 4-239
show ip igmp groups 4-240

IP Interface Commands 4-241

Basic IP Configuration 4-241

ip address 4-242
ip default-gateway 4-243
show ip interface 4-244
show ip redirects 4-244
ping 4-245

Address Resolution Protocol (ARP) 4-246

arp 4-246
arp-timeout 4-247
clear arp-cache 4-247
show arp 4-247
ip proxy-arp 4-248

IP Routing Commands 4-249

Global Routing Configuration 4-249

ip routing 4-249
ip route 4-250
clear ip route 4-251
show ip route 4-251
show ip host-route 4-252
show ip traffic 4-253

Routing Information Protocol (RIP) 4-254

router rip 4-254
timers basic 4-255
network 4-256
neighbor 4-256
version 4-257
ip rip receive version 4-258
ip rip send version 4-259

xviii

Contents

ip split-horizon 4-260
ip rip authentication key 4-260
ip rip authentication mode 4-261
show rip globals 4-262
show ip rip 4-262

Open Shortest Path First (OSPF) 4-264

router ospf 4-265
router-id 4-265
compatible rfc1583 4-266
default-information originate 4-267
timers spf 4-268
area range 4-268
area default-cost 4-269
summary-address 4-270
redistribute 4-270
network area 4-271
area stub 4-272
area nssa 4-273
area virtual-link 4-274
ip ospf authentication 4-276
ip ospf authentication-key 4-277
ip ospf message-digest-key 4-278
ip ospf cost 4-279
ip ospf dead-interval 4-279
ip ospf hello-interval 4-280
ip ospf priority 4-280
ip ospf retransmit-interval 4-281
ip ospf transmit-delay 4-282
show ip ospf 4-282
show ip ospf border-routers 4-283
show ip ospf database 4-284
show ip ospf interface 4-292
show ip ospf neighbor 4-293
show ip ospf summary-address 4-294
show ip ospf virtual-links 4-294

Multicast Routing Commands 4-295

Static Multicast Routing Commands 4-295

ip igmp snooping vlan mrouter 4-295
show ip igmp snooping mrouter 4-296

General Multicast Routing Commands 4-297

ip multicast-routing 4-297
show ip mroute 4-297

DVMRP Multicast Routing Commands 4-299

router dvmrp 4-299
probe-interval 4-300

xix

Contents

nbr-timeout 4-301
report-interval 4-301
flash-update-interval 4-302
prune-lifetime 4-302
default-gateway 4-303
ip dvmrp 4-303
ip dvmrp metric 4-304
clear ip dvmrp route 4-305
show router dvmrp 4-305
show ip dvmrp route 4-306
show ip dvmrp neighbor 4-307
show ip dvmrp interface 4-307

PIM-DM Multicast Routing Commands 4-308

router pim 4-308
ip pim dense-mode 4-309
ip pim hello-interval 4-310
ip pim hello-holdtime 4-310
ip pim trigger-hello-interval 4-311
ip pim join-prune-holdtime 4-311
ip pim graft-retry-interval 4-312
ip pim max-graft-retries 4-312
show router pim 4-313
show ip pim interface 4-313
show ip pim neighbor 4-314

Router Redundancy Commands 4-314

Virtual Router Redundancy Protocol Commands 4-315

vrrp ip 4-315
vrrp authentication 4-316
vrrp priority 4-317
vrrp timers advertise 4-318
vrrp preempt 4-318
show vrrp 4-319
show vrrp interface 4-321
show vrrp router counters 4-322
show vrrp interface counters 4-322
clear vrrp router counters 4-323
clear vrrp interface counters 4-323

xx

Contents

Appendix A: Software Specifications A-1

Software Features A-1
Management Features A-2
Standards A-2
Management Information Bases A-3

Appendix B: Troubleshooting B-1

Problems Accessing the Management Interface B-1
Using System Logs B-2

Glossary

Index

xxi

Contents

xxii

Tables

Table 1-1 Key Features 1-1
Table 1-2 System Defaults 1-6
Table 3-1 Web Page Configuration Buttons 3-3
Table 3-2 Switch Main Menu 3-4
Table 3-3 Logging Levels 3-29
Table 3-4 SNMPv3 Security Models and Levels 3-38
Table 3-5 Supported Notification Messages 3-49
Table 3-6 HTTPS System Support 3-58
Table 3-7 802.1X Statistics 3-72
Table 3-8 LACP Port Counters 3-100
Table 3-9 LACP Internal Configuration Information 3-101
Table 3-10 LACP Neighbor Configuration Information 3-103
Table 3-11 Port Statistics 3-108
Table 3-12 Mapping CoS Values to Egress Queues 3-152
Table 3-13 CoS Priority Levels 3-152
Table 3-14 Mapping IP Precedence 3-157
Table 3-15 Mapping DSCP Priority 3-158
Table 3-16 Address Resolution Protocol 3-210
Table 3-17 ARP Statistics 3-215
Table 3-18 IP Statistics 3-216
Table 3-19 ICMP Statistics 3-218
Table 3-20 USP Statistics 3-220
Table 3-21 TCP Statistics 3-221
Table 3-22 RIP Information and Statistics 3-231
Table 4-1 General Command Modes 4-6
Table 4-2 Configuration Command Modes 4-8
Table 4-3 Keystroke Commands 4-9
Table 4-4 Command Group Index 4-10
Table 4-5 Line Commands 4-11
Table 4-6 General Commands 4-20
Table 4-7 System Management Commands 4-25
Table 4-8 Device Designation Commands 4-25
Table 4-9 User Access Commands 4-27
Table 4-10 Default Login Settings 4-27
Table 4-11 IP Filter Commands 4-29
Table 4-12 Web Server Commands 4-31
Table 4-13 HTTPS System Support 4-32
Table 4-14 Telnet Server Commands 4-34
Table 4-15 Secure Shell Commands 4-35
Table 4-16 show ssh - display description 4-42
Table 4-17 Event Logging Commands 4-43

xxiii

Tables

Table 4-18 Logging Levels 4-44
Table 4-19 show logging flash/ram - display description 4-48
Table 4-20 show logging trap - display description 4-48
Table 4-21 SMTP Alert Commands 4-49
Table 4-22 Time Commands 4-53
Table 4-23 System Status Commands 4-57
Table 4-24 Frame Size Commands 4-63
Table 4-25 Flash/File Commands 4-64
Table 4-26 File Directory Information 4-68
Table 4-27 Authentication Commands 4-70
Table 4-28 Authentication Sequence Commands 4-70
Table 4-29 RADIUS Client Commands 4-72
Table 4-30 TACACS+ Client Commands 4-75
Table 4-31 Port Security Commands 4-78
Table 4-32 802.1X Port Authentication Commands 4-80
Table 4-33 Access Control List Commands 4-88
Table 4-34 IP ACL Commands 4-89
Table 4-35 MAC ACL Commands 4-99
Table 4-36 ACL Information Commands 4-106
Table 4-37 SNMP Commands 4-107
Table 4-38 show snmp engine-id - display description 4-114
Table 4-39 show snmp view - display description 4-116
Table 4-40 show snmp group - display description 4-118
Table 4-41 show snmp user - display description 4-120
Table 4-42 DHCP Commands 4-121
Table 4-43 DHCP Client Commands 4-121
Table 4-44 DHCP Relay Commands 4-123
Table 4-45 DHCP Server Commands 4-124
Table 4-46 DNS Commands 4-136
Table 4-47 show dns cache - display description 4-142
Table 4-48 Interface Commands 4-143
Table 4-49 show interfaces switchport - display description 4-153
Table 4-50 Mirror Port Commands 4-154
Table 4-51 Rate Limit Commands 4-156
Table 4-52 Link Aggregation Commands 4-157
Table 4-53 show lacp counters - display description 4-163
Table 4-54 show lacp internal - display description 4-164
Table 4-55 show lacp neighbors - display description 4-165
Table 4-57 Address Table Commands 4-166
Table 4-56 show lacp sysid - display description 4-166
Table 4-58 Spanning Tree Commands 4-170
Table 4-59 VLAN Commands 4-188
Table 4-60 Commands for Editing VLAN Groups 4-188
Table 4-61 Commands for Configuring VLAN Interfaces 4-190
Table 4-62 Commands for Displaying VLAN Information 4-195

xxiv

Tables

Table 4-63 Private VLAN Commands 4-197
Table 4-64 Protocol-based VLAN Commands 4-198
Table 4-65 GVRP and Bridge Extension Commands 4-202
Table 4-66 Priority Commands 4-206
Table 4-67 Priority Commands (Layer 2) 4-206
Table 4-68 Default CoS Priority Levels 4-209
Table 4-69 Priority Commands (Layer 3 and 4) 4-211
Table 4-70 Mapping IP Precedence to CoS Values 4-213
Table 4-71 Mapping IP DSCP to CoS Values 4-215
Table 4-72 Quality of Service Commands 4-218
Table 4-73 Multicast Filtering Commands 4-226
Table 4-74 IGMP Snooping Commands 4-227
Table 4-75 IGMP Query Commands (Layer 2) 4-230
Table 4-76 Static Multicast Routing Commands 4-233
Table 4-77 IGMP Commands (Layer 3) 4-234
Table 4-78 show ip igmp groups - display description 4-240
Table 4-79 IP Interface Commands 4-241
Table 4-80 Basic IP Configuration Commands 4-241
Table 4-81 Address Resolution Protocol Commands 4-246
Table 4-82 IP Routing Commands 4-249
Table 4-83 Global Routing Configuration Commands 4-249
Table 4-84 show ip route - display description 4-252
Table 4-85 show ip host-route - display description 4-252
Table 4-86 Routing Information Protocol Commands 4-254
Table 4-87 show rip globals - display description 4-262
Table 4-88 show ip rip - display description 4-263
Table 4-89 Open Shortest Path First Commands 4-264
Table 4-91 show ip ospf border-routers - display description 4-283
Table 4-90 show ip ospf - display description 4-283
Table 4-92 show ip ospf database - display description 4-285
Table 4-93 show ip ospf asbr-summary - display description 4-286
Table 4-94 show ip ospf database-summary - display description 4-287
Table 4-95 show ip ospf external - display description 4-288
Table 4-96 show ip ospf network - display description 4-289
Table 4-97 show ip ospf router - display description 4-290
Table 4-98 show ip ospf summary - display description 4-291
Table 4-99 show ip ospf interface - display description 4-292
Table 4-100 show ip ospf neighbor - display description 4-293
Table 4-101 show ip ospf virtual-links - display description 4-294
Table 4-102 Multicast Routing Commands 4-295
Table 4-103 Static Multicast Routing Commands 4-295
Table 4-104 General Multicast Routing Commands 4-297
Table 4-105 show ip mroute - display description 4-298
Table 4-106 DVMRP Multicast Routing Commands 4-299
Table 4-107 show ip dvmrp route - display description 4-306

xxv

Tables

Table 4-108 show ip dvmrp neighbor - display description 4-307
Table 4-109 PIM-DM Multicast Routing Commands 4-308
Table 4-110 show ip pim neighbor - display description 4-314
Table 4-111 Router Redundancy Commands 4-314
Table 4-112 VRRP Commands 4-315
Table 4-113 show vrrp - display description 4-320
Table 4-114 show vrrp brief - display description 4-321
Table B-1 Troubleshooting Chart B-1

xxvi

Figures

Figure 3-1 Home Page 3-2
Figure 3-2 Front Panel Indicators 3-3
Figure 3-3 System Information 3-12
Figure 3-4 Switch Information 3-14
Figure 3-5 Displaying Bridge Extension Configuration 3-15
Figure 3-6 Configuring Support for Jumbo Frames 3-16
Figure 3-7 IP Interface Configuration - Manual 3-18
Figure 3-8 Default Gateway 3-18
Figure 3-9 IP Interface Configuration - DHCP 3-19
Figure 3-10 Copy Firmware 3-21
Figure 3-11 Setting the Startup Code 3-21
Figure 3-12 Deleting Files 3-22
Figure 3-13 Downloading Configuration Settings for Start-Up 3-24
Figure 3-14 Setting the Startup Configuration Settings 3-24
Figure 3-15 Configuring the Console Port 3-26
Figure 3-16 Configuring the Telnet Interface 3-28
Figure 3-17 System Logs 3-30
Figure 3-18 Remote Logs 3-31
Figure 3-19 Displaying Logs 3-32
Figure 3-20 Enabling and Configuring SMTP Alerts 3-33
Figure 3-21 Renumbering the Stack 3-34
Figure 3-22 Resetting the System 3-35
Figure 3-23 SNTP Configuration 3-36
Figure 3-24 Clock Time Zone 3-37
Figure 3-25 Enabling the SNMP Agent 3-39
Figure 3-26 Configuring SNMP Community Strings 3-40
Figure 3-27 Configuring SNMP Trap Managers 3-42
Figure 3-28 Setting the SNMPv3 Engine ID 3-43
Figure 3-29 Setting an Engine ID 3-44
Figure 3-30 Configuring SNMPv3 Users 3-45
Figure 3-31 Configuring Remote SNMPv3 Users 3-47
Figure 3-32 Configuring SNMPv3 Groups 3-51
Figure 3-33 Configuring SNMPv3 Views 3-52
Figure 3-34 User Accounts 3-54
Figure 3-35 Authentication Server Settings 3-57
Figure 3-36 HTTPS Settings 3-59
Figure 3-37 SSH Host-Key Settings 3-62
Figure 3-38 SSH Server Settings 3-64
Figure 3-39 Port Security 3-66
Figure 3-40 802.1X Global Information 3-68
Figure 3-41 802.1X Global Configuration 3-69

xxvii

Figures

Figure 3-42 802.1X Port Configuration 3-70
Figure 3-43 802.1X Port Statistics 3-73
Figure 3-44 IP Filter 3-75
Figure 3-45 Selecting ACL Type 3-77
Figure 3-46 ACL Configuration - Standard IP 3-78
Figure 3-47 ACL Configuration - Extended IP 3-80
Figure 3-48 ACL Configuration - MAC 3-82
Figure 3-49 Selecting ACL Mask Types 3-83
Figure 3-50 ACL Mask Configuration - IP 3-85
Figure 3-51 ACL Mask Configuration - MAC 3-86
Figure 3-52 ACL Port Binding 3-88
Figure 3-53 Port - Port Information 3-89
Figure 3-54 Port - Port Configuration 3-92
Figure 3-55 Static Trunk Configuration 3-94
Figure 3-56 LACP Trunk Configuration 3-96
Figure 3-57 LACP - Aggregation Port 3-98
Figure 3-58 LACP - Port Counters Information 3-100
Figure 3-59 LACP - Port Internal Information 3-102
Figure 3-60 LACP - Port Neighbors Information 3-103
Figure 3-61 Port Broadcast Control 3-105
Figure 3-62 Mirror Port Configuration 3-106
Figure 3-63 Rate Limit Configuration 3-107
Figure 3-64 Port Statistics 3-111
Figure 3-65 Static Addresses 3-113
Figure 3-66 Dynamic Addresses 3-114
Figure 3-67 Address Aging 3-115
Figure 3-68 STA Information 3-118
Figure 3-69 STA Global Configuration 3-122
Figure 3-70 STA Port Information 3-125
Figure 3-71 STA Port Configuration 3-128
Figure 3-72 MSTP VLAN Configuration 3-130
Figure 3-73 MSTP Port Information 3-132
Figure 3-74 MSTP Port Configuration 3-134
Figure 3-75 Globally Enabling GVRP 3-138
Figure 3-76 VLAN Basic Information 3-138
Figure 3-77 VLAN Current Table 3-139
Figure 3-78 VLAN Static List - Creating VLANs 3-141
Figure 3-79 VLAN Static Table - Adding Static Members 3-142
Figure 3-80 VLAN Static Membership by Port 3-143
Figure 3-81 VLAN Port Configuration 3-145
Figure 3-82 Private VLAN Status 3-146
Figure 3-83 Private VLAN Link Status 3-147
Figure 3-84 Protocol VLAN Configuration 3-148
Figure 3-85 Protocol VLAN Port Configuration 3-149
Figure 3-86 Default Port Priority 3-151

xxviii

Figures

Figure 3-87 Traffic Classes 3-153
Figure 3-88 Queue Mode 3-154
Figure 3-89 Queue Scheduling 3-155
Figure 3-90 IP Precedence/DSCP Priority Status 3-156
Figure 3-91 IP Precedence Priority 3-157
Figure 3-92 IP DSCP Priority 3-159
Figure 3-93 IP Port Priority Status 3-160
Figure 3-94 IP Port Priority 3-160
Figure 3-95 Configuring Class Maps 3-164
Figure 3-96 Configuring Policy Maps 3-167
Figure 3-97 Service Policy Settings 3-168
Figure 3-98 IGMP Configuration 3-172
Figure 3-99 Multicast Router Port Information 3-173
Figure 3-100 Static Multicast Router Port Configuration 3-174
Figure 3-101 IP Multicast Registration Table 3-175
Figure 3-102 IGMP Member Port Table 3-176
Figure 3-103 IGMP Interface Settings 3-179
Figure 3-104 IGMP Group Membership 3-180
Figure 3-105 DNS General Configuration 3-182
Figure 3-106 DNS Static Host Table 3-184
Figure 3-107 DNS Cache 3-185
Figure 3-108 DHCP Relay Configuration 3-187
Figure 3-109 DHCP Server General Configuration 3-189
Figure 3-110 DHCP Server Pool Configuration 3-191
Figure 3-111 DHCP Server Pool - Network Configuration 3-192
Figure 3-112 DHCP Server Pool - Host Configuration 3-193
Figure 3-113 DHCP Server - IP Binding 3-194
Figure 3-114 VRRP Group Configuration 3-199
Figure 3-115 VRRP Group Configuration Detail 3-200
Figure 3-116 VRRP Global Statistics 3-201
Figure 3-117 VRRP Group Statistics 3-203
Figure 3-118 IP Global Settings 3-207
Figure 3-119 IP Routing Interface 3-209
Figure 3-120 ARP General 3-211
Figure 3-121 ARP Static Addresses 3-212
Figure 3-122 ARP Dynamic Addresses 3-213
Figure 3-123 ARP Other Addresses 3-214
Figure 3-124 ARP Statistics 3-215
Figure 3-125 IP Statistics 3-218
Figure 3-126 ICMP Statistics 3-219
Figure 3-127 UDP Statistics 3-220
Figure 3-128 TCP Statistics 3-221
Figure 3-129 IP Static Routes 3-222
Figure 3-130 IP Routing Table 3-223
Figure 3-131 RIP General Settings 3-226

xxix

Figures

Figure 3-132 RIP Network Addresses 3-227
Figure 3-133 RIP Interface Settings 3-230
Figure 3-134 RIP Statistics 3-232
Figure 3-135 OSPF General Configuration 3-237
Figure 3-136 OSPF Area Configuration 3-240
Figure 3-137 OSPF Range Configuration 3-242
Figure 3-138 OSPF Interface Configuration 3-245
Figure 3-139 OSPF Interface Configuration - Detailed 3-246
Figure 3-140 OSPF Virtual Link Configuration 3-248
Figure 3-141 OSPF Network Area Address Configuration 3-250
Figure 3-142 OSPF Summary Address Configuration 3-252
Figure 3-143 OSPF Redistribute Configuration 3-254
Figure 3-144 OSPF NSSA Settings 3-255
Figure 3-145 OSPF Link State Database Information 3-257
Figure 3-146 OSPF Border Router Information 3-258
Figure 3-147 OSPF Neighbor Information 3-259
Figure 3-148 Multicast Routing General Settings 3-260
Figure 3-149 Multicast Routing Table 3-262
Figure 3-150 DVMRP General Settings 3-267
Figure 3-151 DVMRP Interface Settings 3-268
Figure 3-152 DVMRP Neighbor Information 3-269
Figure 3-153 DVMRP Routing Table 3-270
Figure 3-154 PIM-DM General Settings 3-272
Figure 3-155 PIM-DM Interface Settings 3-274
Figure 3-156 PIM-DM Interface Information 3-275
Figure 3-157 PIM-DM Neighbor Information 3-276

xxx

Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching and Layer 3
routing. It includes a management agent that allows you to configure the features
listed in this manual. The default configuration can be used for most of the features
provided by this switch. However, there are many options that you should configure
to maximize the switch’s performance for your particular network environment.

Key Features

Table 1-1 Key Features

Feature Description

Configuration Backup
and Restore

Authentication Console, Telnet, web – User name / password, RADIUS, TACACS+

Access Control Lists Supports up to 32 IP or MAC ACLs

DHCP Client, Relay
and Server

DNS Client and proxy service

Port Configuration Speed and duplex mode

Rate Limiting Input and output rate limiting per port

Port Mirroring One or more ports mirrored to single analysis port

Port Trunking Supports up to 32 trunks using either static or dynamic trunking (LACP)

Broadcast Storm
Control

Address Table Up to 16K MAC addresses in forwarding table, 1024 static MAC addresses;

IEEE 802.1D Bridge Supports dynamic data switching and addresses learning

Store-and-Forward
Switching

Spanning Tree
Algorithm

Virtual LANs Up to 255 using IEEE 802.1Q, port-based, protocol-based, or private VLANs

Traffic Prioritization Default port priority, traffic class map, queue scheduling, IP Precedence, or

Backup to TFTP server

Web – SSL/HTTPS; Telnet – SSH
SNMP v1/2c - Community strings
SNMP version 3 – MD5 or SHA password
Port – IEEE 802.1X, MAC address filtering

Supported

Supported

Up to 8K IP entries in ARP cache, 64K IP entries in routing table, 256 static IP routes

Supported to ensure wire-speed switching while eliminating bad frames

Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple
Spanning Trees (MSTP)

Differentiated Services Code Point (DSCP), and TCP/UDP Port

1-1

Introduction

1

Table 1-1 Key Features (Continued)

Feature Description

Qualify of Service Supports Differentiated Services (DiffServ)

Router Redundancy Router backup is provided with the Virtual Router Redundancy Protocol (VRRP)

IP Routing Routing Information Protocol (RIP), Open Shortest Path First (OSPF), static routes

ARP Static and dynamic address configuration, proxy ARP

Multicast Filtering Supports IGMP snooping and query for Layer 2, and IGMP for Layer 3

Multicast Routing Supports DVMRP and PIM-DM

Description of Software Features

The switch provides a wide range of advanced performance enhancing features.
Broadcast storm suppression prevents broadcast traffic storms from engulfing the
network. Untagged (port-based), tagged, and protocol-based VLANs, plus support
for automatic GVRP VLAN registration provide traffic security and efficient use of
network bandwidth. CoS priority queueing ensures the minimum delay for moving
real-time multimedia data across the network. While multicast filtering and routing
provides support for real-time network applications. Some of the management
features are briefly described below.

Configuration Backup and Restore – You can save the current configuration
settings to a file on a TFTP server, and later download this file to restore the switch
configuration settings.

Authentication – This switch authenticates management access via the console
port, Telnet or web browser. User names and passwords can be configured locally or
can be verified via a remote authentication server (i.e., RADIUS or TACACS+).
Port-based authentication is also supported via the IEEE 802.1X protocol. This
protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request
user credentials from the 802.1X client, and then uses the EAP between the switch
and the authentication server to verify the client’s right to access the network via an
authentication server (i.e., RADIUS server).

Other authentication options include HTTPS for secure management access via the
web, SSH for secure management access over a Telnet-equivalent connection,
SNMP Version 3, IP address filtering for SNMP/web/Telnet management access,
and MAC address filtering for port access.

Access Control Lists – ACLs provide packet filtering for IP frames (based on
address, protocol, TCP/UDP port number or TCP control code) or any frames
(based on MAC address or Ethernet type). ACLs can by used to improve
performance by blocking unnecessary network traffic or to implement security
controls by restricting access to specific network resources or protocols.

1-2

Description of Software Features

DHCP Server and DHCP Relay – A DHCP server is provided to assign IP
addresses to host devices. Since DHCP uses a broadcast mechanism, a DHCP
server and its client must physically reside on the same subnet. Since it is not
practical to have a DHCP server on every subnet, DHCP Relay is also supported to
allow dynamic configuration of local clients from a DHCP server located in a different
network.

Port Configuration – You can manually configure the speed and duplex mode used
on specific ports, or use auto-negotiation to detect the connection settings used by
the attached device. Use the full-duplex mode on ports whenever possible to double
the throughput of switch connections.

Rate Limiting – This feature controls the maximum rate for traffic transmitted or
received on an interface. Rate limiting is configured on interfaces at the edge of a
network to limit traffic into or out of the network. Traffic that falls within the rate limit is
transmitted, while packets that exceed the acceptable amount of traffic are dropped.

Port Mirroring – The switch can unobtrusively mirror traffic from any port to a
monitor port. You can then attach a protocol analyzer or RMON probe to this port to
perform traffic analysis and verify connection integrity.

Port Trunking – Ports can be combined into an aggregate connection. Trunks can
be manually set up or dynamically configured using IEEE 802.3-2002 (formerly
IEEE 802.3ad) Link Aggregation Control Protocol (LACP). The additional ports
dramatically increase the throughput across any connection, and provide
redundancy by taking over the load if a port in the trunk should fail. The switch
supports up to 32 trunks.

Broadcast Storm Control – Broadcast suppression prevents broadcast traffic from
overwhelming the network. When enabled on a port, the level of broadcast traffic
passing through the port is restricted. If broadcast traffic rises above a pre-defined
threshold, it will be throttled until the level falls back beneath the threshold.

Static Addresses – A static address can be assigned to a specific interface on this
switch. Static addresses are bound to the assigned interface and will not be moved.
When a static address is seen on another interface, the address will be ignored and
will not be written to the address table. Static addresses can be used to provide
network security by restricting access for a known host to a specific port.

IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The
address table facilitates data switching by learning addresses, and then filtering or
forwarding traffic based on this information. The address table supports up to 16K
addresses.

Store-and-Forward Switching – The switch copies each frame into its memory
before forwarding them to another port. This ensures that all frames are a standard
Ethernet size and have been verified for accuracy with the cyclic redundancy check
(CRC). This prevents bad frames from entering the network and wasting bandwidth.

To avoid dropping frames on congested ports, the ES4625 and ES4649 provide
2 MB and 4 MB, respectively, for frame buffering. This buffer can queue packets
awaiting transmission on congested networks.

1

1-3

Introduction

1

Spanning Tree Algorithm – The switch supports these spanning tree protocols:

Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection
and recovery by allowing two or more redundant connections to be created between
a pair of LAN segments. When there are multiple physical paths between segments,
this protocol will choose a single path and disable all others to ensure that only one
route exists between any two stations on the network. This prevents the creation of
network loops. However, if the chosen path should fail for any reason, an alternate
path will be activated to maintain the connection.

Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the
convergence time for network topology changes to about 3 to 5 seconds, compared
to 30 seconds or more for the older IEEE 802.1D STP standard. It is intended as a
complete replacement for STP, but can still interoperate with switches running the
older standard by automatically reconfiguring ports to STP-compliant mode if they
detect STP protocol messages from attached devices.

Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct
extension of RSTP. It can provide an independent spanning tree for different VLANs.
It simplifies network management, provides for even faster convergence than RSTP
by limiting the size of each region, and prevents VLAN members from being
segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).

Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection
of network nodes that share the same collision domain regardless of their physical
location or connection point in the network. The switch supports tagged VLANs
based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically
learned via GVRP, or ports can be manually assigned to a specific set of VLANs.
This allows the switch to restrict traffic to the VLAN groups to which a user has been
assigned. By segmenting your network into VLANs, you can:

• Eliminate broadcast storms which severely degrade performance in a flat network.

• Simplify network management for node changes/moves by remotely configuring
VLAN membership for any port, rather than having to manually change the network
connection.

• Provide data security by restricting all traffic to the originating VLAN, except where
a connection is explicitly defined via the switch’s routing service.

• Use private VLANs to restrict traffic to pass only between data ports and the uplink
ports, thereby isolating adjacent ports within the same VLAN, and allowing you to
limit the total number of VLANs that need to be configured.

• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.

Traffic Prioritization – This switch prioritizes each packet based on the required
level of service, using eight priority queues with strict or Weighted Round Robin
Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on
input from the end-station application. These functions can
independent priorities for delay-sensitive data and best-effort data.

This switch also supports several common methods of prioritizing layer 3/4 traffic to
meet application requirements. Traffic can be prioritized based on the priority bits in
the IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port.

be used to provide

1-4

Description of Software Features

When these services are enabled, the priorities are mapped to a Class of Service
value by the switch, and the traffic then sent to the corresponding output queue.

IP Routing – The switch provides Layer 3 IP routing. To maintain a high rate of
throughput, the switch forwards all traffic passing within the same segment, and
routes only traffic that passes between different subnetworks. The wire-speed
routing provided by this switch lets you easily link network segments or VLANs
together without having to deal with the bottlenecks or configuration hassles
normally associated with conventional routers.

Routing for unicast traffic is supported with the Routing Information Protocol (RIP)
and the Open Shortest Path First (OSPF) protocol.

RIP – This protocol uses a distance-vector approach to routing. Routes are
determined on the basis of minimizing the distance vector, or hop count, which
serves as a rough estimate of transmission cost.

OSPF – This approach uses a link state routing protocol to generate a shortest-path
tree, then builds up its routing table based on this tree. OSPF produces a more
stable network because the participating routers act on network changes predictably
and simultaneously, converging on the best route more quickly than RIP.

Router Redundancy – The Virtual Router Redundancy Protocol (VRRP) uses a
virtual IP address to support a primary router and multiple backup routers. The
backups can be configured to take over the workload if the master fails or to load
share the traffic. The primary goal of this protocol is to allow a host device which has
been configured with a fixed gateway to maintain network connectivity in case the
primary gateway goes down.

Address Resolution Protocol – The switch uses ARP and Proxy ARP to convert
between IP addresses and MAC (i.e., hardware) addresses. This switch supports
conventional ARP, which locates the MAC address corresponding to a given IP
address. This allows the switch to use IP addresses for routing decisions and the
corresponding MAC addresses to forward packets from one hop to the next. You can
configure either static or dynamic entries in the ARP cache.

Proxy ARP allows hosts that do not support routing to determine the MAC address
of a device on another network or subnet. When a host sends an ARP request for a
remote network, the switch checks to see if it has the best route. If it does, it sends
its own MAC address to the host. The host then sends traffic for the remote
destination via the switch, which uses its own routing table to reach the destination
on the other network.

Quality of Service – Differentiated Services (DiffServ) provides policy-based
management mechanisms used for prioritizing network resources to meet the
requirements of specific traffic types on a per-hop basis. Each packet is classified
upon entry into the network based on access lists, IP Precedence or DSCP values,
or VLAN lists. Using access lists allows you select traffic based on Layer 2, Layer 3,
or Layer 4 information contained in each packet. Based on network policies, different
kinds of traffic can be marked for different kinds of forwarding.

1

1-5

Introduction

1

Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to
ensure that it does not interfere with normal network traffic and to guarantee
real-time delivery by setting the required priority level for the designated VLAN. The
switch uses IGMP Snooping and Query at Layer 2 and IGMP at Layer 3 to manage
multicast group registration.

Multicast Routing – Routing for multicast packets is supported by the Distance
Vector Multicast Routing Protocol (DVMRP) and Protocol-Independent Multicasting ­Dense Mode (PIM-DM). These protocols work in conjunction with IGMP to filter and
route multicast traffic. DVMRP is a more comprehensive implementation that
maintains its own routing table, but is gradually being replacing by most network
managers with PIM, Dense Mode and Sparse Mode. PIM is a very simple protocol
that uses the routing table of the unicast routing protocol enabled on an interface.
Dense Mode is designed for areas where the probability of multicast clients is
relatively high, and the overhead of frequent flooding is justified. While Sparse mode
is designed for network areas, such as the Wide Area Network, where the probability
of multicast clients is low. This switch currently supports DVMRP and PIM-DM. This
protocol works in conjunction with IGMP to filter and route multicast traffic.

System Defaults

The switch’s system defaults are provided in the configuration file
“Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as
the startup configuration file (page 3-24).

The following table lists some of the basic system defaults.

Table 1-2 System Defaults

Function Parameter Default

Console Port
Connection

Baud Rate auto

Data bits 8

Stop bits 1

Parity none

Local Console Timeout 0 (disabled)

1-6

Table 1-2 System Defaults (Continued)

Function Parameter Default

Authentication Privileged Exec Level Username “admin”

Normal Exec Level Username “guest”

Enable Privileged Exec from Normal
Exec Level

RADIUS Authentication Disabled

TACACS Authentication Disabled

802.1X Port Authentication Disabled

HTTPS Enabled

SSH Disabled

Port Security Disabled

IP Filtering Disabled

Web Management HTTP Server Enabled

HTTP Port Number 80

HTTP Secure Server Enabled

HTTP Secure Port Number 443

SNMP SNMP Agent Enabled

Community Strings “public” (read only)

Traps Authentication traps: enabled

SNMP V3 View: defaultview

Port Configuration Admin Status Enabled

Auto-negotiation Enabled

Flow Control

Rate Limiting Input and output limits Disabled

Port Trunking Static Trunks None

LACP (all ports) Disabled

Broadcast Storm
Protection

Status Enabled (all ports)

Broadcast Limit Rate 500 packets per second

*

Password “admin”

Password “guest”

Password “super”

“private” (read/write)

Link-up-down events: enabled

Group: public (read only); private (read/write)

Disabled

System Defaults

1

1-7

Introduction

1

Table 1-2 System Defaults (Continued)

Function Parameter Default

Spanning Tree
Algorithm

Address Table Aging Time 300 seconds

Virtual LANs Default VLAN 1

Traffic Prioritization Ingress Port Priority 0

IP Settings Management. VLAN Any VLAN configured with an IP address

Unicast Routing RIP Disabled

Router Redundancy VRRP Disabled

Status Enabled, RSTP

(Defaults: All values based on IEEE 802.1w)

Fast Forwarding (Edge Port) Disabled

PVID 1

Acceptable Frame Type All

Ingress Filtering Disabled

Switchport Mode (Egress Mode) Hybrid: tagged/untagged frames

GVRP (global) Disabled

GVRP (port interface) Disabled

Weighted Round Robin Queue: 0 1 2 3 4 5 6 7

Weight: 1 2 4 6 8 10 12 14

IP Precedence Priority Disabled

IP DSCP Priority Disabled

IP Port Priority Disabled

IP Address 0.0.0.0

Subnet Mask 255.0.0.0

Default Gateway 0.0.0.0

DHCP Client: Enabled

Relay: Disabled
Server: Disabled

DNS Server: Disabled

BOOTP Disabled

ARP Enabled

Cache Timeout: 20 minutes
Proxy: Disabled

OSPF Disabled

1-8

System Defaults

Table 1-2 System Defaults (Continued)

Function Parameter Default

Multicast Filtering IGMP Snooping (Layer 2) Snooping: Enabled

Querier: Disabled

IGMP (Layer 3) Disabled

Multicast Routing DVMRP Disabled

PIM-DM Disabled

System Log Status Enabled

Messages Logged Levels 0-7 (all)

Messages Logged to Flash Levels 0-3

SMTP Email Alerts Event Handler Enabled (but no server defined)

SNTP Clock Synchronization Disabled

* There are interoperability problems between Flow Control and Head-of-Line (HOL) blocking for the switch ASIC;

Flow Control is therefore not supported for this switch.

1

1-9

1

Introduction

1-10

Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent offers a variety
of management options, including SNMP, RMON and a web-based interface. A PC
may also be connected directly to the switch for configuration and monitoring via a
command line interface (CLI).

Note: The IP address for this switch is obtained via DHCP by default. To change this

address, see “Setting an IP Address” on page 2-7.

The switch’s HTTP web agent allows you to configure switch parameters, monitor
port connections, and display statistics using a standard web browser such as
Netscape Navigator version 6.2 and higher or Microsoft IE version 5.0 and higher.
The switch’s web management interface can be accessed from any computer
attached to the network.

The CLI program can be accessed by a direct connection to the RS-232 serial
console port on the switch, or remotely by a Telnet connection over the network.

The switch’s management agent also supports SNMP (Simple Network
Management Protocol). This SNMP agent permits the switch to be managed from
any system in the network using network management software such as
HP OpenView.

The switch’s web interface, CLI configuration program, and SNMP agent allow you
to perform the following management functions:

• Set user names and passwords

• Set an IP interface for any VLAN

• Configure SNMP parameters

• Enable/disable any port

• Set the speed/duplex mode for any port

• Configure the bandwidth of any port by limiting input or output rates

• Control port access through IEEE 802.1X security or static address filtering

• Filter packets using Access Control Lists (ACLs)

• Configure up to 255 IEEE 802.1Q VLANs

• Enable GVRP automatic VLAN registration

• Configure IP routing for unicast or multicast traffic

• Configure router redundancy

• Configure IGMP multicast filtering

• Upload and download system firmware via TFTP

• Upload and download switch configuration files via TFTP

2-1

Initial Configuration

2

• Configure Spanning Tree parameters

• Configure Class of Service (CoS) priority queuing

• Configure up to 6 static or LACP trunks per switch, up to 32 per stack

• Enable port mirroring

• Set broadcast storm control on any port

• Display system information and statistics

• Configure any stack unit through the same IP address

Required Connections

The switch provides an RS-232 serial port that enables a connection to a PC or
terminal for monitoring and configuring the switch. A null-modem console cable is
provided with the switch.

Note: When configuring a stack, connect to the console port on the Master unit.

Attach a VT100-compatible terminal, or a PC running a terminal emulation program
to the switch. You can use the console cable provided with this package, or use a
null-modem cable that complies with the wiring assignments shown in the
Installation Guide.

To connect a terminal to the console port, complete the following steps:

1. Connect the console cable to the serial port on a terminal, or a PC running

terminal emulation software, and tighten the captive retaining screws on the
DB-9 connector.

2. Connect the other end of the cable to the RS-232 serial port on the switch.

3. Make sure the terminal emulation software is set as follows:

• Select the appropriate serial port (COM port 1 or COM port 2).

• Set to any of the following baud rates: 9600, 19200, 38400, 57600, 115200
(Note: Set to 9600 baud if want to view all the system initialization messages.).

• Set the data format to 8 data bits, 1 stop bit, and no parity.

• Set flow control to none.

• Set the emulation mode to VT100.

• When using HyperTerminal, select Terminal keys, not Windows keys.

Notes: 1. When using HyperTerminal with Microsoft® Windows® 2000, make sure that

you have Windows 2000 Service Pack 2 or later installed. Windows 2000
Service Pack 2 fixes the problem of arrow keys not functioning in
HyperTerminal’s VT100 emulation. See www.microsoft.com for information
on Windows 2000 service packs.

2. Refer to “Line Commands” on page 4-11 for a complete description of
console configuration options.

3. Once you have set up the terminal correctly, the console login screen will be
displayed.

2-2

Stack Operations

For a description of how to use the CLI, see “Using the Command Line Interface” on
page 4-1. For a list of all the CLI commands and detailed information on using the
CLI, refer to “Command Groups” on page 4-10.

2

Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must
first configure it with a valid IP address, subnet mask, and default gateway using a
console connection, DHCP or BOOTP protocol.

The IP address for this switch is obtained via DHCP by default. To manually
configure this address or enable dynamic address assignment via DHCP or BOOTP,
see “Setting an IP Address” on page 2-7.

Notes: 1. This switch supports four concurrent Telnet/SSH sessions.

2. Each VLAN group can be assigned its own IP interface address (page 2-7).

You can manage the stack via any IP interface in the stack. In other words,
the Master unit does not have to include an active port member of a VLAN
interface used for management access.

After configuring the switch’s IP parameters, you can access the onboard
configuration program from anywhere within the attached network. The onboard
configuration program can be accessed using Telnet from any computer attached to
the network. The switch can also be managed by any computer using a web
browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above), or
from a network computer using SNMP network management software.

Note: The onboard program only provides access to basic configuration functions. To

access the full range of SNMP management functions, you must use
SNMP-based network management software.

Stack Operations

Up to eight 24-port or 48-port Gigabit switches can be stacked together as described
in the Installation Guide. One unit in the stack acts as the Master for configuration
tasks and firmware upgrade. All of the other units function in Slave mode, but can
automatically take over management of the stack if the Master unit fails.

To configure any unit in the stack, first verify the unit number from the front panel of
the switch, and then select the appropriate unit number from the web or console
management interface.

Selecting the Stack Master

Note the following points about unit numbering:

• When the stack is initially powered on, the Master unit is designated as unit 1 for a
ring topology. For a line topology, the stack is simply numbered from top to bottom,
with the first unit in the stack designated at unit 1. This unit identification number
appears on the Stack Unit ID LED on the front panel of the switch. It can also be
selected on the front panel graphic of the web interface, or from the CLI.

2-3

Initial Configuration

2

• If more than one stack Master is selected using the Master/Slave push button on
the switch’s front panel, the system will select the unit with the lowest MAC address
as the Master.

• If the Master unit fails and another unit takes over control of the stack, the unit
numbering will not change.

• If a unit in the stack fails or is removed from the stack, the unit numbers will not
change. This means that when you replace a unit in the stack, the original
configuration for the failed unit will be restored to the replacement unit.

• If a unit is removed from the stack and later reattached to the stack, it will retain the
original unit number obtained during stacking.

• If a unit is removed from the stack, and powered up as a stand-alone unit, it will
also retain the original unit number obtained during stacking.

Selecting the Backup Unit

Once the Master unit finishes booting up, the Slave unit with the lowest MAC
address will be selected from the stack as the primary backup unit. The stack Master
immediately downloads all configuration information to the backup unit, and
continues to update the backup unit with information about any subsequent
configuration changes made to any unit in the stack. If the Master unit fails or is
powered off, the backup unit will take control of the stack without any loss of
configuration settings.

The Slave unit with the lowest MAC address is selected as the Backup unit. If you
want to ensure a logical fail over to next unit down in the stack, place the Slave unit
with the lowest MAC address directly beneath the Master unit in the stack.

Recovering from Stack Failure or Topology Change

When a link or unit in the stack fails, a trap message is sent and a failure event is
logged. The stack will be rebooted after any system failure or topology change. It
takes two to three minutes to for the stack to reboot. If the Master unit fails, the
backup unit will take over operations as the new Master unit, reboot the stack, and
then select another backup unit after the stack finishes rebooting. Also note that
powering down a unit or inserting a new unit in the stack will cause the stack to
reboot. If a unit is removed from the stack (due to a power down or failure) or a new
unit added to the stack, the original unit IDs are not affected after rebooting, and a
new unit is assigned the lowest available unit ID.

Broken Link for Line and Wrap-around Topologies

All units in the stack must be connected via stacking cable. You can connect the
units in a simple cascade configuration from the top to the bottom unit. Using this
kind of line topology, if any link or unit in the stack fails, the stack will be broken in
two. The Stack Link LED on the unit that is no longer receiving traffic from the next
unit up or down in the stack will begin flashing to indicate that the stack link is broken.

When the stack fails, a Master unit is selected from the two stack segments, either
the unit with the Master button depressed, or the unit with the lowest MAC address if

2-4

Stack Operations

the Master button is not depressed on any unit. The stack reboots and resumes
operations. However, note that the IP address will be the same for any common
VLANs (with active port connections) that appear in both of the new stack segments.
To resolve the conflicting IP addresses, you should manually replace the failed link
or unit as soon as possible. If you are using a wrap-around stack topology, a single
point of failure in the stack will not cause the stack to fail. It would take two or more
points of failure to break the stack apart.

Note: If a stack breaks apart, the IP address will be the same for any common VLANs

(with active port connections) that appear in both stack segments.

2

Resilient IP Interface for Management Access

The stack functions as one integral system for management and configuration
purposes. You can therefore manage the stack through any IP interface configured
on the stack. The Master unit does not even have to include an active port member
in the VLAN interface used for management access. However, if the unit to which
you normally connect for management access fails, and there are no active port
members on the other units within this VLAN interface, then this IP address will no
longer be available. To retain a constant IP address for management access across
fail over events, you should include port members on several units within the primary
VLAN used for stack management.

Resilient Configuration

If a unit in the stack fails, the unit numbers will not change. This means that when
you replace a unit in the stack, the original configuration for the failed unit will be
restored to the replacement unit. This applies to both the Master and Slave units.

Renumbering the Stack

The startup configuration file maps configuration settings to each switch in the stack
based on the unit identification number. If the units are no longer numbered
sequentially after several topology changes or failures, you can reset the unit
numbers using the “Renumbering” command in the web interface or CLI. Just
remember to save the new configuration settings to a startup configuration file prior
to powering off the stack Master.

Stack Limitations

Maximum Stack Size – You can stack up to eight units as long as total number of
switch ASIC chips is less than 32. Both the ES4625 and ES4649 use one ASIC chip
for each 12 ports and one ASIC for the optional module. If no optional modules are
installed, then you can stack up to eight ES4625 or ES4649 units in any
combination. However, if you install an optional module, then there will be three
switch ASICs active in a ES4625 or five switch ASICs active in a ES4649. For
example, if you build a stack of ES4649 switches with an optional module installed in
each switch, then the maximum number of units that can be stacked together is six,
because 30 switch ASICS will be active in a stack of this size.

2-5

Initial Configuration

2

Consistent Runtime Code in Each Switch – The main board runtime firmware
version for each unit in the stack must be the same as the Master unit’s runtime
firmware. After Auto-ID assignment is completed, the Master unit checks the image
versions for consistency. If the firmware versions (i.e., runtime code) configured for
bootup on any slave units are not the same as those on the Master Unit, it will
display a message requesting you to download the runtime image from the Master
unit to other units in the stack. After the runtime image has been downloaded, set
the newly downloaded image as the boot image (see “Managing Firmware” on
page 3-20 or “whichboot” on page 4-68). And then submit a global reset command
to reboot the whole stack (see “Resetting the System” on page 3-35 or “reload” on
page 4-23).

Consistent Runtime Code in Each 10G Module – The optional module firmware is
bound with main board image, so both the switch and firmware on the optional
modules are updated whenever you load new firmware into the switch. After the
stack has booted, the Master unit will isolate a newly inserted module and display a
message requesting that the firmware be upgraded if the newly added module
firmware version is different from the current runtime firmware. If you see this
message, you will have to reload the current firmware to switch as indicating in the
previous section, and then reboot the switch.

Basic Configuration

Console Connection

The CLI program provides two different command levels — normal access level
(Normal Exec) and privileged access level (Privileged Exec). The commands
available at the Normal Exec level are a limited subset of those available at the
Privileged Exec level and allow you to only display information and use basic
utilities. To fully configure the switch parameters, you must access the CLI at the
Privileged Exec level.

Note: You can only access the console interface through the Master unit in the stack.

Access to both CLI levels are controlled by user names and passwords. The switch
has a default user name and password for each level. To log into the CLI at the
Privileged Exec level using the default user name and password, perform these
steps:

1. To initiate your console connection, press <Enter>. The “User Access

Verification” procedure starts.

2. At the Username prompt, enter “admin.”

3. At the Password prompt, also enter “admin.” (The password characters are not

displayed on the console screen.)

4. The session is opened and the CLI displays the “Console#” prompt indicating

you have access at the Privileged Exec level.

2-6

Basic Configuration

2

Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new

passwords for both default user names using the “username” command, record
them and put them in a safe place.

Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name and password “admin” to

access the Privileged Exec level.

2. Type “configure” and press <Enter>.

3. Type “username guest password 0 password,” for the Normal Exec level, where

password is your new password. Press <Enter>.

4. Type “username admin password 0 password,” for the Privileged Exec level,

where password is your new password. Press <Enter>.

Username: admin
Password:

CLI session with 44GE+4Combo Layer2/3/4 Stackable Switch is opened.
To end the CLI session, enter [Exit].

Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

Setting an IP Address

You must establish IP address information for the stack to obtain management
access through the network. This can be done in either of the following ways:

Manual — You have to input the information, including IP address and subnet mask.
If your management station is not in the same IP subnet as the stack’s master unit,
you will also need to specify the default gateway router.

Dynamic — The switch sends IP configuration requests to BOOTP or DHCP
address allocation servers on the network.

Manual Configuration

You can manually assign an IP address to the switch. You may also need to specify
a default gateway that resides between this device and management stations that
exist on another network segment (if routing is not enabled on this switch). Valid IP
addresses consist of four decimal numbers, 0 to 255, separated by periods.
Anything outside this format will not be accepted by the CLI program.

Note: The IP address for this switch is obtained via DHCP by default.

2-7

Initial Configuration

2

Before you can assign an IP address to the switch, you must obtain the following
information from your network administrator:

• IP address for the switch

• Default gateway for the network

• Network mask for this network

To assign an IP address to the switch, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type

“interface vlan 1” to access the interface-configuration mode. Press <Enter>.

2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP

address and “netmask” is the network mask for the network. Press <Enter>.

3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.

4. To set the IP address of the default gateway for the network to which the switch

belongs, type “ip default-gateway gateway,” where “gateway” is the IP address
of the default gateway. Press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
Console(config)#

Dynamic Configuration

If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until
a BOOTP or DHCP reply has been received. You therefore need to use the “ip dhcp
restart client” command to start broadcasting service requests. Requests will be sent
periodically in an effort to obtain IP configuration information. (BOOTP and DHCP
values can include the IP address, subnet mask, and default gateway.)

If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the
switch will start broadcasting service requests as soon as it is powered on.

To automatically configure the switch by communicating with BOOTP or DHCP
address allocation servers on the network, complete the following steps:

1. From the Global Configuration mode prompt, type “interface vlan 1” to access

the interface-configuration mode. Press <Enter>.

2. At the interface-configuration mode prompt, use one of the following commands:

• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.

• To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.

3. Type “end” to return to the Privileged Exec mode. Press <Enter>.

4. Type “ip dhcp restart client” to begin broadcasting service requests.

Press <Enter>.

2-8

Basic Configuration

2

5. Wait a few minutes, and then check the IP configuration settings by typing the

“show ip interface” command. Press <Enter>.

6. Then save your configuration changes by typing “copy running-config

startup-config.” Enter the startup file name and press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart client
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.

\Write to FLASH finish.
Success.

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple
Network Management Protocol (SNMP) applications such as HP OpenView. You
can configure the switch to (1) respond to SNMP requests or (2) generate SNMP
traps.

When SNMP management stations send requests to the switch (either to return
information or to set a parameter), the switch provides the requested data or sets the
specified parameter. The switch can also be configured to send information to
SNMP managers (without being requested by the managers) through trap
messages, which inform the manager that certain events have occurred.

The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3
clients. To provide management access for version 1 or 2c clients, you must specify
a community string. The switch provides a default MIB View (i.e., an SNMPv3
construct) for the default “public” community string that provides read access to the
entire MIB tree, and a default view for the “private” community string that provides
read/write access to the entire MIB tree. However, you may assign new views to
version 1 or 2c community strings that suit your specific security requirements (see
page 3-52).

Community Strings (for SNMP version 1 and 2c clients)

Community strings are used to control management access to SNMP version 1 and
2c stations, as well as to authorize SNMP stations to receive trap messages from
the switch. You therefore need to assign community strings to specified users, and
set the access level.

2-9

Initial Configuration

2

The default strings are:

• public - with read-only access. Authorized management stations are only able to
retrieve MIB objects.

• private - with read-write access. Authorized management stations are able to both
retrieve and modify MIB objects.

To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is
recommended that you change the default community strings.

To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type

“snmp-server community string mode,” where “string” is the community access
string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that
the default mode is read only.)

2. To remove an existing string, simply type “no snmp-server community string,”

where “string” is the community access string to remove. Press <Enter>.

Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#

Note: If you do not intend to support access to SNMP version 1 and 2c clients, we

recommend that you delete both of the default community strings. If there are no
community strings, then SNMP management access from SNMP v1 and v2c
clients is disabled.

Trap Receivers

You can also specify SNMP stations that are to receive traps from the switch. To
configure a trap receiver, use the “snmp-server host” command. From the Privileged
Exec level global configuration mode prompt, type:

“snmp-server host host-address community-string

[version {1 | 2c | 3 {auth | noauth | priv}}]”

where “host-address” is the IP address for the trap receiver, “community-string”
specifies access rights for a version 1/2c host, or is the user name of a version 3
host, “version” indicates the SNMP client version, and “auth | noauth | priv” means
that authentication, no authentication, or authentication and privacy is used for v3
clients. Then press <Enter>. For a more detailed description of these parameters,
see “snmp-server host” on page 4-110. The following example creates a trap host
for each type of SNMP client.

Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth

Console(config)#

2-10

Basic Configuration

2

Configuring Access for SNMP Version 3 Clients

To configure management access for SNMPv3 clients, you need to first create a
view that defines the portions of MIB that the client can read or write, assign the view
to a group, and then assign the user to a group. The following example creates one
view called “mib-2” that includes the entire MIB-2 tree branch, and then another view
that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/
write views to a group call “r&d” and specifies group authentication via MD5 or SHA.
In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for
authentication, provides the password “greenpeace” for authentication, and the
password “einstien” for encryption.

Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth mib-2 802.1d
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace

priv des56 einstien

Console(config)#

For a more detailed explanation on how to configure the switch for access from
SNMP v3 clients, refer to “Simple Network Management Protocol” on page 3-37, or
refer to the specific CLI commands for SNMP starting on page 4-107.

Saving Configuration Settings

Configuration commands only modify the running configuration file and are not
saved when the switch is rebooted. To save all your configuration changes in
nonvolatile storage, you must copy the running configuration file to the start-up
configuration file using the “copy” command.

To save the current configuration settings, enter the following command:

1. From the Privileged Exec mode prompt, type “copy running-config

startup-config” and press <Enter>.

2. Enter the name of the start-up file. Press <Enter>.

Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.

\Write to FLASH finish.
Success.

Console#

2-11

Initial Configuration

2

Managing System Files

The switch’s flash memory supports three types of system files that can be managed
by the CLI program, web interface, or SNMP. The switch’s file system allows files to
be uploaded and downloaded, copied, deleted, and set as a start-up file.

The three types of files are:

• Configuration — This file type stores system configuration information and is
created when configuration settings are saved. Saved configuration files can be
selected as a system start-up file or can be uploaded via TFTP to a server for
backup. The file named “Factory_Default_Config.cfg” contains all the system
default settings and cannot be deleted from the system. If the system is booted with
the factory default settings, the master unit will also create a file named
“startup1.cfg” that contains system settings for stack initialization, including
information about the unit identifier, MAC address, and installed module type for
each unit the stack. The configuration settings from the factory defaults
configuration file are copied to this file, which is then used to boot the stack. See
“Saving or Restoring Configuration Settings” on page 3-22 for more information.
See “Saving or Restoring Configuration Settings” on page 3-23 for more
information.

• Operation Code — System software that is executed after boot-up, also known as
run-time code. This code runs the switch operations and provides the CLI and web
management interfaces. See “Managing Firmware” on page 3-20 for more
information.

• Diagnostic Code — Software that is run during system boot-up, also known as
POST (Power On Self-Test).

Due to the size limit of the flash memory, the switch supports only two operation
code files. However, you can have as many diagnostic code files and configuration
files as available flash memory space allows.

In the system flash memory, one file of each type must be set as the start-up file.
During a system boot, the diagnostic and operation code files set as the start-up file
are run, and then the start-up configuration file is loaded.

Note that configuration files should be downloaded using a file name that reflects the
contents or usage of the file settings. If you download directly to the running-config,
the system will reboot, and the settings will have to be copied from the
running-config to a permanent file.

2-12

Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser you can
configure the switch and view statistics to monitor network activity. The web agent
can be accessed by any computer on the network using a standard web browser
(Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).

Note: You can also use the Command Line Interface (CLI) to manage the switch over a

serial connection to the console port or via Telnet. For more information on using
the CLI, refer to Chapter 4: “Command Line Interface.”

Prior to accessing the switch from a web browser, be sure you have first performed
the following tasks:

1. Configure the switch with a valid IP address, subnet mask, and default gateway

using an out-of-band serial connection, BOOTP or DHCP protocol. (See “Setting
an IP Address” on page 2-7.)

2. Set user names and passwords using an out-of-band serial connection. Access

to the web agent is controlled by the same user names and passwords as the
onboard configuration program. (See “Setting Passwords” on page 2-7.)

3. After you enter a user name and password, you will have access to the system

configuration program.

Notes: 1.

You are allowed three attempts to enter the correct password; on the third
failed attempt the current connection is terminated.

2. If you log into the web interface as guest (Normal Exec level), you can view

the configuration settings or change the guest password. If you log in as
“admin” (Privileged Exec level), you can change the settings on any page.

3. If the path between your management station and this switch does not pass

through any device that uses the Spanning Tree Algorithm, then you can set
the switch port attached to your management station to fast forwarding (i.e.,
enable Admin Edge Port) to improve the switch’s response time to
management commands issued through the web interface. See “Configuring
Interface Settings” on page 3-126.

3-1

Configuring the Switch

3

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and
password. The administrator has Read/Write access to all configuration parameters
and statistics. The default user name and password “admin” is used for the
administrator.

Home Page

When your web browser connects with the switch’s web agent, the home page is
displayed as shown below. The home page displays the Main Menu on the left side
of the screen and System Information on the right side. The Main Menu links are
used to navigate to other menus, and display configuration parameters and
statistics.

Figure 3-1 Home Page

Note: The examples in this chapter are based on the ES4649. Other than the number of

fixed ports, there are no major differences between the ES4625 and ES4649.

3-2

Navigating the Web Browser Interface

3

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration
change has been made on a page, be sure to click on the Apply button to confirm
the new setting. The following table summarizes the web page configuration
buttons.

Table 3-1 Web Page Configuration Buttons

Button Action

Apply Sets specified values to the system.

Revert Cancels specified values and restores current values prior to

Help Links directly to web help.

Notes: 1. To ensure proper screen refresh, be sure that Internet Explorer 5.x is

configured as follows: Under the menu “Tools / Internet Options / General /
Temporary Internet Files / Settings,” the setting for item “Check for newer
versions of stored pages” should be “Every visit to the page.”

2. When using Internet Explorer 5.0, you may have to manually refresh the

screen after making configuration changes by pressing the browser’s refresh
button.

pressing “Apply.”

Panel Display

The web agent displays an image of the switch’s ports. The Mode can be set to
display different information for the ports, including Active (i.e., up or down), Duplex
(i.e., half or full duplex), or Flow Control
Port Configuration page as described on page 3-91.

1

. Clicking on the image of a port opens the

Figure 3-2 Front Panel Indicators

1. There are interoperability problems between Flow Control and Head-of-Line (HOL)
blocking for the switch ASIC; Flow Control is therefore not supported for this switch.

3-3

Configuring the Switch

3

Main Menu

Using the onboard web agent, you can define system parameters, manage and
control the switch, and all its ports, or monitor network conditions. The following
table briefly describes the selections available from this program.

Table 3-2 Switch Main Menu

Menu Description Page

System 3-12

System Information Provides basic system description, including contact information 3-12

Switch Information Shows the number of ports, hardware/firmware version

Bridge Extension Shows the bridge extension parameters 3-15

Jumbo Frames Enables support for jumbo frames 3-16

File Management 3-20

Copy Operation Allows the transfer and copying files 3-20

Delete Allows deletion of files from the flash memory 3-20

Set Startup Sets the startup file 3-20

Line 3-25

Console Sets console port connection parameters 3-25

Telnet Sets Telnet connection parameters 3-27

Log 3-29

Logs Sends error messages to a logging process 3-29

System Logs Stores and displays error messages 3-32

Remote Logs Configures the logging of messages to a r emote logging process 3-30

SMTP Sends an SMTP client message to a participating server 3-32

Renumbering Renumbers the units in the stack 3-34

Reset Restarts the switch 3-35

SNTP 3-35

Configuration Configures SNTP client settings, including a specified list of

Clock Time Zone Sets the local time zone for the system clock 3-36

SNMP 3-37

Configuration Configures community strings and related trap functions 3-39

Agent Status Enables or disables SNMP 3-39

numbers, and power status

servers

3-13

3-35

3-4

Navigating the Web Browser Interface

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

SNMPv3 3-42

Engine ID Sets the SNMP v3 engine ID 3-43

Remote Engine ID Sets the SNMP v3 engine ID on a remote device 3-43

Users Configures SNMP v3 users 3-44

Remote Users Configures SNMP v3 users on a remote device 3-46

Groups Configures SNMP v3 groups 3-48

Views Configures SNMP v3 views 3-52

Security 3-39

User Accounts Configures user names, passwords, and access levels 3-53

Authentication Settings Configures authentication sequence, RADIUS and TACACS 3-55

HTTPS Settings Configures secure HTTP settings 3-58

SSH 3-60

Settings Configures Secure Shell server settings 3-63

Host-Key Settings Generates the host key pair (public and private) 3-61

Port Security Configures per port security, including status, response for

security breach, and maximum allowed MAC addresses

802.1X Port authentication 3-67

Information Displays global configuration settings 3-68

Configuration Configures global configuration parameters 3-69

Port Configuration Sets the authentication mode for individual ports 3-69

Statistics Displays protocol statistics for the selected port 3-72

ACL 3-76

Configuration Configures packet filtering based on IP or MAC addresses 3-76

Mask Configuration Controls the order in which ACL rules are checked 3-83

Port Binding Binds a port to the specified ACL 3-87

IP Filter Configures IP addresses that are allowed management access 3-74

Port 3-88

Port Information Displays port connection status 3-88

Trunk Information Displays trunk connection status 3-88

Port Configuration Configures port connection settings 3-91

Trunk Configuration Configures trunk connection settings 3-91

Trunk Membership Specifies ports to group into static trunks 3-94

3

3-65

3-5

Configuring the Switch

3

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

LACP 3-93

Configuration Allows ports to dynamically join trunks 3-95

Aggregation Port Configures parameters for link aggregation group members 3-97

Port Counters Information Displays statistics for LACP protocol messages 3-100

Port Internal Information Displays settings and operational state for the local side 3-101

Port Neighbors Information Displays settings and operational state for the remote side 3-103

Port Broadcast Control Sets the broadcast storm threshold for each port 3-104

Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 3-104

Mirror Port Configuration Sets the source and target ports for mirroring 3-106

Rate Limit 3-107

Input Port Configuration Sets the input rate limit for each port 3-107

Input Trunk Configuration Sets the input rate limit for each trunk 3-107

Output Port Configuration Sets the output rate limit for each port 3-107

Output Trunk Configuration Sets the output rate limit for each trunk 3-107

Port Statistics Lists Ethernet and RMON port statistics 3-108

Address Table 3-112

Static Addresses Displays entries for interface, address or VLAN 3-112

Dynamic Addresses Displays or edits static entries in the Address Table 3-113

Address Aging Sets timeout for dynamically learned entries 3-115

Spanning Tree 3-115

STA

Information Displays STA values used for the bridge 3-116

Configuration Configures global bridge settings for STP, RSTP and MSTP 3-119

Port Information Displays individual port settings for STA 3-123

Trunk Information Displays individual trunk settings for STA 3-123

Port Configuration Configures individual port settings for STA 3-126

Trunk Configuration Configures individual trunk settings for STA 3-126

MSTP

VLAN Configuration Configures priority and VLANs for a spanning tree instance 3-128

Port Information Displays port settings for a specified MST instance 3-132

Trunk Information Displays trunk settings for a specified MST instance 3-132

Port Configuration Configures port settings for a specified MST instance 3-133

3-6

Navigating the Web Browser Interface

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

Trunk Configuration Configures trunk settings for a specified MST instance 3-133

VLAN 3-135

802.1Q VLAN

GVRP Status Enables GVRP VLAN registration protocol 3-138

Basic Information Displays information on the VLAN type supported by this switch 3-138

Current Table Shows the current port members of each VLAN and whether or

Static List Used to create or remove VLAN groups 3-140

Static Table Modifies the settings for an existing VLAN 3-141

Static Membership by Port Configures membership type for interfaces, including tagged,

Port Configuration Specifies default PVID and VLAN attributes 3-144

Trunk Configuration Specifies default trunk VID and VLAN attributes 3-144

Private VLAN

Status Enables or disables the private VLAN 3-146

Link Status Configures the private VLAN 3-147

Protocol VLAN

Configuration Creates a protocol group, specifying the supported protocols 3-148

Port Configuration Maps a protocol group to a VLAN 3-149

Priority 3-150

Default Port Priority Sets the default priority for each port 3-150

Default Trunk Priority Sets the default priority for each trunk 3-150

Traffic Classes Maps IEEE 802.1p priority tags to output queues 3-152

Traffic Classes Status Enables/disables traffic class priorities (not implemented) NA

Queue Mode Sets queue mode to strict priority or Weighted Round-Robin 3-154

Queue Scheduling Configures Weighted Round Robin queueing 3-154

IP Precedence/
DSCP Priority Status

IP Precedence Priority Sets IP Type of Service priority, mapping the precedence tag to

IP DSCP Priority Sets IP Differentiated Services Code Point priority, mapping a

IP Port Priority Status Globally enables or disables IP Port Priority 3-160

IP Port Priority Sets TCP/UDP port priority, defining the socket number and

not the port is tagged or untagged

untagged or forbidden

Globally selects IP Precedence or DSCP Priority, or disables
both.

a class-of-service value

DSCP tag to a class-of-service value

associated class-of-service value

3

3-139

3-143

3-156

3-157

3-158

3-160

3-7

Configuring the Switch

3

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

QoS 3-161

DiffServ Configure QoS classification criteria and service policies 3-161

Class Map Creates a class map for a type of traffic 3-162

Policy Map Creates a policy map for multiple interfaces 3-165

Service Policy Applies a policy map defined to an ingress port 3-168

IGMP Snooping 3-169

IGMP Configuration Enables multicast filtering; configures parameters for multicast

Multicast Router
Port Information

Static Multicast Router
Port Configuration

IP Multicast Registration
Table

IGMP Member Port Table Indicates multicast addresses associated with the selected

DNS 3-181

General Configuration Enables DNS; configures domain name and domain list; and

Static Host Table Configures static entries for domain name to address mapping 3-183

Cache Displays cache entries discovered by designated name servers 3-185

DHCP 3-186

Relay Configuration Specifies DHCP relay servers; enables or disables relay service 3-186

Server Configures DHCP server parameters 3-186

General Enables DHCP server; configures excluded address range 3-188

Pool Configuration Configures address pools for network groups or a specific host 3-190

IP Binding Displays addresses currently bound to DHCP clients 3-194

IP 3-204

General 3-207

Global Settings Enables or disables routing, specifies the default gateway 3-207

Routing Interface Configures the IP interface for the specified VLAN 3-208

query

Displays the ports that are attached to a neighboring multicast
router for each VLAN ID

Assigns ports that are attached to a neighboring multicast router 3-174

Displays all multicast groups active on this switch, including
multicast IP addresses and VLAN ID

VLAN

specifies IP address of name servers for dynamic lookup

3-171

3-173

3-175

3-176

3-181

3-8

Navigating the Web Browser Interface

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

ARP 3-210

General Sets the pro tocol timeout, and enables or disables proxy AR P for

Static Addresses Statically maps a physical address to an IP address 3-212

Dynamic Addresses Shows dynamically learned entries in the IP routing table 3-213

Other Addresses Shows internal addresses used by the switch 3-214

Statistics Shows statistics on ARP requests sent and received 3-215

IGMP 3-176

Interface Settings Configures Layer 3 IGMP for specific VLAN interfaces 3-177

Group Membership Displays the current multicast groups learned via IGMP 3-180

Statistics 3-216

IP Shows statistics for IP traffic, including the amount of traffic,

ICMP Shows statistics for ICMP traffic, including the amount of traffic,

UDP Shows statistics for UDP, including the amount of traffic and

TCP Shows s tatistics for TCP, i ncluding the amount of traffic and TCP

Routing 3-205

Static Routes Configures and display static routing entries 3-222

Routing Table Shows all routing entries, including local, static and dynamic

Multicast Routing 3-260

General Settings Globally enables multicast routing 3-260

Multicast Routing Table Shows each multicast route this switch has learned 3-261

VRRP 3-196

Group Configuration Configures VRRP groups, including virtual interface address,

Global Statistics Displays global statistics for VRRP protocol packet errors 3-201

Group Statistics Displays statistics for VRRP protocol events and errors on the

the specified VLAN

address errors, routing, fragmentation and reassembly

protocol errors, and the number of echoes, timestamps, and
address masks

errors

connection activity

routes

advertisement interval, preemption, priority, and authentication

specified VRRP group and interface

3

3-211

3-216

3-218

3-220

3-221

3-223

3-196

3-202

3-9

Configuring the Switch

3

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

Routing Protocol 3-206

RIP 3-224

General Settings Enables or disables RIP, sets the global RIP version and timer

Network Addresses Configures the network interfaces that will use RIP 3-227

Interface Settings Configures RIP parameters for each interface, including send

Statistics Displays general information on update time, route changes a nd

OSPF 3-234

General Configuration Enables or disables OSPF; also configures the Router ID and

Area Configuration Specifies rules for importing routes into each area 3-238

Area Range Configuration Configures route summaries to advertise at an area boundary 3-241

Interface Configuration Shows area ID and designated router; also configures OSPF

Virtual Link Configuration Configures a virtual link through a transit area to the backbone 3-247

Network Area Address
Configuration

Summary Address
Configuration

Redistribute Configuration Redistributes routes from one routing domain to another 3-253

NSSA Settings Configures settings for importing routes into or exporting routes

Link State Database
Information

Border Router Information Displays routing table entries for area border routers and

Neighbor Information Displays information about neighboring routers on each

DVMRP 3-264

General Settings Configure global settings for prune and graft messages, and the

Interface Settings Enables/disables DVMRP per interface and sets the route metric 3-267

Neighbor Information Displays neighboring DVMRP routers 3-269

Routing Table Displays DVMRP routing information 3-270

values

and receive versions, message loopback prevention, and
authentication

number of queries, as well as a list of statistics for known
interfaces and neighbors

various other global settings

protocol settings and authentication for each interface

Defines OSPF areas and associated interfaces 3-249

Aggregates routes learned from other protocols for advertising
into other autonomous systems

out of not-so-stubby areas

Shows information about different OSPF Link State
Advertisements (LSAs) stored in this router’s database

autonomous system boundary routers

interface within an OSPF area

exchange of routing information

3-225

3-228

3-231

3-235

3-243

3-252

3-254

3-256

3-258

3-259

3-264

3-10

Navigating the Web Browser Interface

Table 3-2 Switch Main Menu (Continued)

Menu Description Page

PIM-DM

General Settings Enables or disables PIM-DM globally for the switch 3-271

Interface Settings Enables or disables PIM-DM per interface, configures protocol

settings for hello, prune and graft messages

Interface Information Displays summary information for each interface 3-275

Neighbor Information Displays neighboring PIM-DM routers 3-275

3

3-272

3-11

Configuring the Switch

3

Basic Configuration

Displaying System Information

You can easily identify the system by displaying the device name, location and
contact information.

Field Attributes

• System Name – Name assigned to the switch system.

• Object ID – MIB II object ID for switch’s network management subsystem.

• Location – Specifies the system location.

• Contact – Administrator responsible for the system.

• System Up Time – Length of time the management agent has been up.

These additional parameters are displayed for the CLI.

• MAC Address – The physical layer address for this switch.

• Web server – Shows if management access via HTTP is enabled.

• Web server port – Shows the TCP port number used by the web interface.

• Web secure server – Shows if management access via HTTPS is enabled.

• Web secure server port – Shows the TCP port used by the HTTPS interface.

• Telnet server – Shows if management access via Telnet is enabled.

• Telnet server port – Shows the TCP port used by the Telnet interface.

• Authentication login – Shows the user login authentication sequence.

• Jumbo Frame – Shows if jumbo frames are enabled.

• POST result – Shows results of the power-on self-test

Web – Click System, System Information. Specify the system name, location, and
contact information for the system administrator, then click Apply. (This page also
includes a Telnet button that allows access to the Command Line Interface via Telnet.)

Figure 3-3 System Information

3-12

Basic Configuration

CLI – Specify the hostname, location and contact information.

Console(config)#hostname R&D 5 4-26
Console(config)#snmp-server location WC 9 4-110
Console(config)#snmp-server contact Ted 4-109
Console(config)#exit
Console#show system 4-61
System description: 44GE+4Combo Layer2/3/4 Stackable Switch
System OID string: 1.3.6.1.4.1.259.6.10.64
System information

System Up time: 0 days, 1 hours, 28 minutes, and 0.51 seconds
System Name: R&D 5
System Location: WC 9
System Contact: Ted
MAC Address (Unit1): 00-20-1A-DF-9C-A0
MAC Address (Unit2): 00-20-1A-DF-9E-C0
Web Server: Enabled
Web Server Port: 80
Web Secure Server: Enabled
Web Secure Server Port: 443
Telnet Server: Enable
Telnet Server Port: 23
Jumbo Frame: Disabled

POST Result:

DUMMY Test 1 ................. PASS

UART Loopback Test ........... PASS

DRAM Test .................... PASS

Timer Test ................... PASS

PCI Device 1 Test ............ PASS

I2C Bus Initialization ....... PASS

Switch Int Loopback Test ..... PASS

Crossbar Int Loopback Test ... PASS

Fan Speed Test ............... PASS

Done All Pass.
Console#

3

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version numbers for
the main board and management software, as well as the power status of the
system.

Field Attributes

Main Board

• Serial Number – The serial number of the switch.

• Number of Ports – Number of built-in ports.

• Hardware Version – Hardware version of the main board.

• Internal Power Status – Displays the status of the internal power supply.

Management Software

• EPLD Version – Version number of EEPROM Programmable Logic Device.

• Loader Version – Version number of loader code.

• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.

3-13

Configuring the Switch

3

• Operation Code Version – Version number of runtime code.

• Role – Shows that this switch is operating as Master or Slave.

These additional parameters are displayed for the CLI.

• Unit ID – Unit number in stack.

• Redundant Power Status – Displays the status of the redundant power supply.

Web – Click System, Switch Information.

Figure 3-4 Switch Information

CLI – Use the following command to display version information.

Console#show version 4-62
Unit 1

Serial number: A422000632
Hardware version: R01
EPLD version: 15.15
Number of ports: 48
Main power status: up
Redundant power status: not present

Agent (master)

Unit ID: 1
Loader Version: 1.0.1.3
Boot ROM Version: 1.0.1.4
Operation Code Version: 3.1.1.21

Console#

3-14

Basic Configuration

3

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast
Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to
display default settings for the key variables.

Field Attributes

• Extended Multicast Filtering Services – This switch does not support the filtering
of individual multicast addresses based on GMRP (GARP Multicast Registration
Protocol).

• Traffic Classes – This switch provides mapping of user priorities to multiple traffic
classes. (Refer to “Class of Service Configuration” on page 3-150.)

• Static Entry Individual Port – This switch allows static filtering for unicast and
multicast addresses. (Refer to “Setting Static Addresses” on page 3-112.)

• VLAN Learning – This switch uses Independent VLAN Learning (IVL), where each
port maintains its own filtering database.

• Configurable PVID Tagging – This switch allows you to override the default Port
VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or
Untagged) on each port. (Refer to “VLAN Configuration” on page 3-135.)

• Local VLAN Capable – This switch does not support multiple local bridges outside
of the scope of 802.1Q defined VLANs.

• GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to
register endstations with multicast groups. This switch does not support GMRP; it
uses the Internet Group Management Protocol (IGMP) to provide automatic
multicast filtering.

Web – Click System, Bridge Extension.

Figure 3-5 Displaying Bridge Extension Configuration

3-15

Configuring the Switch

3

CLI – Enter the following command.

Console#show bridge-ext 4-202

Max support VLAN numbers: 256
Max support VLAN ID: 4093
Extended multicast filtering services: No
Static entry individual port: Yes
VLAN learning: IVL
Configurable PVID tagging: Yes
Local VLAN capable: No
Traffic classes: Enabled
Global GVRP status: Disabled
GMRP: Disabled

Console#

Configuring Support for Jumbo Frames

The switch provides more efficient throughput for large sequential data transfers by
supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames
that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet
overhead required to process protocol encapsulation fields.

Command Usage

To use jumbo frames, both the source and destination end nodes (such as a
computer or server) must support this feature. Also, when the connection is
operating at full duplex, all switches in the network between the two end nodes must
be able to accept the extended frame size. And for half-duplex connections, all
devices in the collision domain would need to support jumbo frames.

Command Attributes

Jumbo Packet Status – Configures support for jumbo frames. (Default: Disabled)

Web – Click System, Jumbo Frames. Enable or disable support for jumbo frames,

and click Apply.

Figure 3-6 Configuring Support for Jumbo Frames

CLI – This example enables jumbo frames globally for the switch.

Console(config)#jumbo frame 4-63
Console(config)#

3-16

Basic Configuration

3

Setting the Switch’s IP Address

This section describes how to configure an initial IP interface for management
access over the network. The IP address for this stack is obtained via DHCP by
default. To manually configure an address, you need to change the stack’s default
settings to values that are compatible with your network. You may also need to a
establish a default gateway between the stack and management stations that exist
on another network segment (if routing is not enabled on this stack).

You can manually configure a specific IP address, or direct the device to obtain an
address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.

Command Usage

• This section describes how to configure a single local interface for initial access to
the stack. To configure multiple IP interfaces on this stack, you must set up an IP
interface for each VLAN (page 3-208).

• To enable routing between the different interfaces on this stack, you must enable
IP routing (page 3-207).

• To enable routing between the interfaces defined on this stack and external
network interfaces, you must configure static routes (page 3-222) or use dynamic
routing; i.e., either RIP (page 3-224) or OSPF (page 3-234).

• The precedence for configuring IP interfaces is the IP / General / Routing Interface
menu (page 3-208), static routes (page 3-222), and then dynamic routing.

Command Attributes

• VLAN – ID of the configured VLAN (1-4093). By default, all ports on the stack are
members of VLAN 1. However, the management station can be attached to a port
belonging to any VLAN, as long as that VLAN has been assigned an IP address.

• IP Address Mode – Specifies whether IP functionality is enabled via manual
configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot
Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has
been received from the server. Requests will be broadcast periodically by the
switch for an IP address. (DHCP/BOOTP values can include the IP address,
subnet mask, and default gateway.)

• IP Address – Address of the VLAN to which the management station is attached.
(Note you can manage the stack through any configured IP interface.) Valid IP
addresses consist of four numbers, 0 to 255, separated by periods.
(Default: 0.0.0.0)

• Subnet Mask – This mask identifies the host address bits used for routing to
specific subnets. (Default: 255.0.0.0)

• Default Gateway – IP address of the gateway router between the stack and
management stations that exist on other network segments. (Default: 0.0.0.0)

3-17

Configuring the Switch

3

Manual Configuration

Web – Click IP, General, Routing Interface. Select the VLAN through which the

management station is attached, set the IP Address Mode to “Static,” and specify a
“Primary” interface. Enter the IP address, subnet mask and gateway, then click
Apply.

Figure 3-7 IP Interface Configuration - Manual

Click IP, Global Setting. If this stack and management stations exist on other
network segments, then specify the default gateway, and click Apply.

Figure 3-8 Default Gateway

CLI – Specify the management interface, IP address and default gateway.

Console#config
Console(config)#interface vlan 1 4-143
Console(config-if)#ip address 10.1.0.253 255.255.255.0 4-242
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.254 4-243
Console(config)#

3-18

Basic Configuration

3

Using DHCP/BOOTP

If your network provides DHCP/BOOTP services, you can configure the stack to be
dynamically configured by these services.

Web – Click IP, General, Routing Interface. Specify the VLAN to which the
management station is attached, set the IP Address Mode to DHCP or BOOTP. Click
Apply to save your changes. Then click Restart DHCP to immediately request a new
address. Note that the stack will also broadcast a request for IP configuration
settings on each power reset.

Figure 3-9 IP Interface Configuration - DHCP

Note: If you lose your management connection, make a console connection to the

Master unit and enter “show ip interface” to determine the new stack address.

CLI – Specify the management interface, and set the IP address mode to DHCP or
BOOTP, and then enter the “ip dhcp restart client” command.

Console#config
Console(config)#interface vlan 1 4-143
Console(config-if)#ip address dhcp 4-242
Console(config-if)#end
Console#ip dhcp restart client 4-122
Console#show ip interface 4-244

Vlan 1 is up, addressing mode is DHCP

Interface address is 192.168.1.253, mask is 255.255.255.0, Primary
MTU is 1500 bytes
Proxy ARP is disabled
Split horizon is enabled

Console#

3-19

Configuring the Switch

3

Renewing DCHP – DHCP may lease addresses to clients indefinitely or for a
specific period of time. If the address expires or the stack is moved to another
network segment, you will lose management access to the stack. In this case, you
can reboot the stack or submit a client request to restart DHCP service via the CLI.

Web – If the address assigned by DHCP is no longer functioning, you will not be
able to renew the IP settings via the web interface. You can only restart DHCP
service via the web interface if the current address is still available.

CLI – Enter the following command to restart DHCP service.

Console#ip dhcp restart client 4-122
Console#

Managing Firmware

You can upload/download firmware to or from a TFTP server, or copy files to and
from switch units in a stack. By saving runtime code to a file on a TFTP server, that
file can later be downloaded to the switch to restore operation. You can also set the
switch to use new firmware without overwriting the previous version. You must
specify the method of file transfer, along with the file type and file names as required.

Command Attributes

• File Transfer Method – The firmware copy operation includes these options:

- file to file – Copies a file within the switch directory, assigning it a new name.

- file to tftp – Copies a file from the switch to a TFTP server.

- tftp to file – Copies a file from a TFTP server to the switch.

- file to unit – Copies a file from this switch to another unit in the stack.

- unit to file – Copies a file from another unit in the stack to this switch.

• TFTP Server IP Address – The IP address of a TFTP server.

• File Type – Specify opcode (operational code) to copy firmware.

• File Name –
the file name should not be a period (.), and the maximum length for file names on
the TFTP server is 127 characters or 31 characters for files on the switch.
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

• Source/Destination Unit – Stack unit. (Range: 1 - 8)

Note:

Up to two copies of the system software (i.e., the runtime firmware) can be stored
in the file directory on the switch. The currently designated startup version of this
file cannot be deleted.

The file name should not contain slashes (\ or /),

the leading letter of

3-20

Basic Configuration

3

Downloading System Software from a Server

When downloading runtime code, you can specify the destination file name to
replace the current image, or first download the file using a different name from the
current runtime code file, and then set the new file as the startup file.

Web – Click System, File Management, Copy Operation. Select “tftp to file” as the
file transfer method, enter the IP address of the TFTP server, set the file type to
“opcode,” enter the file name of the software to download, select a file on the switch
to overwrite or specify a new file name, then click Apply. If you replaced the current
firmware used for startup and want to start using the new operation code, reboot the
system via the System/Reset menu.

Figure 3-10 Copy Firmware

If you download to a new destination file, go to the File Management, Set Start-Up
menu, mark the operation code file used at startup, and click Apply. To start the new
firmware, reboot the system via the System/Reset menu.

Figure 3-11 Setting the Startup Code

3-21

Configuring the Switch

3

To delete a file select System, File Management, Delete. Select the file name from
the given list by checking the tick box and click Apply. Note that the file currently
designated as the startup code cannot be deleted.

Figure 3-12 Deleting Files

CLI – To download new firmware form a TFTP server, enter the IP address of the
TFTP server, select “config” as the file type, then enter the source and destination
file names. When the file has finished downloading, set the new file to start up the
system, and then restart the switch.

To start the new firmware, enter the “reload” command or reboot the system.

Console#copy tftp file 4-64
TFTP server ip address: 10.1.0.19
Choose file type:

1. config: 2. opcode: <1-2>: 2

Source file name: V3.1.1.21.bix
Destination file name: V31121
\Write to FLASH Programming.

-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode:V31121 4-69
Console(config)#exit
Console#reload 4-23

3-22

Basic Configuration

3

Saving or Restoring Configuration Settings

You can upload/download configuration settings to/from a TFTP server, or copy files
to and from switch units in a stack. The configuration file can be later downloaded to
restore the switch’s settings.

Command Attributes

• File Transfer Method – The configuration copy operation includes these options:

- file to file – Copies a file within the switch directory, assigning it a new name.

- file to running-config – Copies a file in the switch to the running configuration.

- file to startup-config – Copies a file in the switch to the startup configuration.

- file to tftp – Copies a file from the switch to a TFTP server.

- running-config to file – Copies the running configuration to a file.

- running-config to startup-config – Copies the running config to the startup config.

- running-config to tftp – Copies the running configuration to a TFTP server.

- startup-config to file – Copies the startup configuration to a file on the switch.

- startup-config to running-config – Copies the startup config to the running config.

- startup-config to tftp – Copies the startup configuration to a TFTP server.

- tftp to file – Copies a file from a TFTP server to the switch.

- tftp to running-config – Copies a file from a TFTP server to the running config.

- tftp to startup-config – Copies a file from a TFTP server to the startup config.

- file to unit – Copies a file from this switch to another unit in the stack.

- unit to file – Copies a file from another unit in the stack to this switch.

• TFTP Server IP Address – The IP address of a TFTP server.

• File Type – Specify config (configuration) to copy configuration settings.

File Name

•

leading letter of the file name should not be a period (.), and the maximum length
for file names on the TFTP server is 127 characters or 31 characters for files on
the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

• Source/Destination Unit – Stack unit. (Range: 1 - 8)

Note:

— The configuration file name should not contain slashes (\ or /),

The maximum number of user-defined configuration files is limited only by
available flash memory space.

the

3-23

Configuring the Switch

3

Downloading Configuration Settings from a Server

You can download the configuration file under a new file name and then set it as the
startup file, or you can specify the current startup configuration file as the destination
file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be
copied to the TFTP server, but cannot be used as the destination on the switch.

Web – Click System, File Management, Copy Operation. Choose “tftp to
startup-config” or “tftp to file,” and enter the IP address of the TFTP server. Specify
the name of the file to download, select a file on the switch to overwrite or specify a
new file name, and then click Apply.

Figure 3-13 Downloading Configuration Settings for Start-Up

If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file
is automatically set as the start-up configuration file. To use the new settings, reboot
the system via the System/Reset menu. You can also select any configuration file as
the start-up configuration by using the System/File Management/Set Start-Up page.

Figure 3-14 Setting the Startup Configuration Settings

3-24

Basic Configuration

3

CLI – Enter the IP address of the TFTP server, specify the source file on the server,
set the startup file name on the switch, and then restart the switch.

Console#copy tftp startup-config 4-64
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.

-Write to FLASH finish.
Success.

Console#reload

To select another configuration file as the start-up configuration, use the boot
system command and then restart the switch.

Console#config
Console(config)#boot system config: startup 4-69
Console(config)#exit
Console#reload 4-23

Console Port Settings

You can access the onboard configuration program by attaching a VT100
compatible device to the switch’s serial console port. Management access through
the console port is controlled by various parameters, including a password, timeouts,
and basic communication settings. These parameters can be configured via the web
or CLI interface.

Command Attributes

• Login Timeout – Sets the interval that the system waits for a user to log into the

CLI. If a login attempt is not detected within the timeout interval, the connection is
terminated for the session. (Range: 0 - 300 seconds; Default: 0)

• Exec Timeout – Sets the interval that the system waits until user input is detected.

If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0 - 65535 seconds; Default: 0 seconds)

• Password Threshold – Sets the password intrusion threshold, which limits the

number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3
attempts)

• Silent Time – Sets the amount of time the management console is inaccessible

after the number of unsuccessful logon attempts has been exceeded.
(Range: 0-65535; Default: 0)

• Data Bits – Sets the number of data bits per character that are interpreted and

generated by the console port. If parity is being generated, specify 7 data bits per
character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)

• Parity – Defines the generation of a parity bit. Communication protocols provided

by some terminals can require a specific parity bit setting. Specify Even, Odd, or
None. (Default: None)

3-25

Configuring the Switch

3

• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive
(from terminal). Set the speed to match the baud rate of the device connected to
the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud, Auto;
Default: Auto)

• Stop Bits – Sets the number of the stop bits transmitted per byte.
(Range: 1-2; Default: 1 stop bit)

• Password2 – Specifies a password for the line connection. When a connection is
started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt. (Default: No
password)

• Login2 – Enables password checking at login. You can select authentication by a
single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)

Web – Click System, Line, Console. Specify the console port connection parameters
as required, then click Apply.

2. CLI only.

3-26

Figure 3-15 Configuring the Console Port

Basic Configuration

3

CLI – Enter Line Configuration mode for the console, then specify the connection
parameters as required. To display the current console port settings, use the show
line command from the Normal Exec level.

Console(config)#line console 4-12
Console(config-line)#login local 4-12
Console(config-line)#password 0 secret 4-13
Console(config-line)#timeout login response 0 4-14
Console(config-line)#exec-timeout 0 4-15
Console(config-line)#password-thresh 5 4-15
Console(config-line)#silent-time 60 4-16
Console(config-line)#databits 8 4-17
Console(config-line)#parity none 4-17
Console(config-line)#speed auto 4-18
Console(config-line)#stopbits 1 4-18
Console(config-line)#end
Console#show line console 4-19

Console configuration:

Password threshold: 5 times
Interactive timeout: Disabled
Login timeout: Disabled
Silent time: 60
Baudrate: auto
Databits: 8
Parity: none
Stopbits: 1

Console#

Telnet Settings

You can access the onboard configuration program over the network using Telnet
(i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and
other various parameters set, including the TCP port number, timeouts, and a
password. These parameters can be configured via the web or CLI interface.

Command Attributes

• Telnet Status – Enables or disables Telnet access to the switch.

(Default: Enabled)

• Telnet Port Number – Sets the TCP port number for Telnet on the switch.

(Default: 23)

• Login Timeout – Sets the interval that the system waits for a user to log into the

CLI. If a login attempt is not detected within the timeout interval, the connection is
terminated for the session. (Range: 0 - 300 seconds; Default: 300 seconds)

• Exec Timeout – Sets the interval that the system waits until user input is detected.

If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0 - 65535 seconds; Default: 600 seconds)

• Password Threshold – Sets the password intrusion threshold, which limits the

number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt.
(Range: 0-120; Default: 3 attempts)

3-27

Configuring the Switch

3

• Password3 – Specifies a password for the line connection. When a connection is
started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt. (Default: No
password)

• Login

3

– Enables password checking at login. You can select authentication by a
single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)

Web – Click System, Line, Telnet. Specify the connection parameters for Telnet
access, then click Apply.

Figure 3-16 Configuring the Telnet Interface

CLI – Enter Line Configuration mode for a virtual terminal, then specify the
connection parameters as required. To display the current virtual terminal settings,
use the show line command from the Normal Exec level.

Console(config)#line vty 4-12
Console(config-line)#login local 4-12
Console(config-line)#password 0 secret 4-13
Console(config-line)#timeout login response 300 4-14
Console(config-line)#exec-timeout 600 4-15
Console(config-line)#password-thresh 3 4-15
Console(config-line)#end
Console#show line vty 4-19

VTY configuration:

Password threshold: 3 times
Interactive timeout: 600 sec
Login timeout: 300 sec

Console#

3. CLI only.

3-28

Basic Configuration

3

Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of
events that are recorded in switch memory, logging to a remote System Log (syslog)
server, and displays a list of recent event messages.

System Log Configuration

The system allows you to enable or disable event logging, and specify which levels
are logged to RAM or flash memory.

Severe error messages that are logged to flash memory are permanently stored in
the switch to assist in troubleshooting network problems. Up to 4096 log entries can
be stored in the flash memory, with the oldest entries being overwritten first when the
available log memory (256 kilobytes) has been exceeded.

The System Logs page allows you to configure and limit system messages that are
logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to
flash and levels 0 to 7 to be logged to RAM.

Command Attributes

• System Log Status – Enables/disables the logging of debug or error messages to

the logging process. (Default: Enabled)

• Flash Level – Limits log messages saved to the switch’s permanent flash memory

for all levels up to the specified level. For example, if level 3 is specified, all

messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3)

Table 3-3 Logging Levels

Level Severity Name Description

7 Debug Debugging messages

6 Informational Informational messages only

5 Notice Normal but significant condition, such as cold start

4 Warning Warning conditions (e.g., return false, unexpected return)

3 Error Error conditions (e.g., invalid input, default used)

2 Critical Critical conditions (e.g., memory allocation, or free memory

1 Alert Immediate action needed

0 Emergency System unusable

* There are only Level 2, 5 and 6 error messages for the current firmware release.

error - resource exhausted)

• RAM Level – Limits log messages saved to the switch’s temporary RAM memory

for all levels up to the specified level. For example, if level 7 is specified, all
messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)

The Flash Level must be equal to or less than the RAM Level.

Note:

3-29

Configuring the Switch

3

Web – Click System, Logs, System Logs. Specify System Log Status, set
event messages to be logged to RAM and flash memory, then click Apply.

Figure 3-17 System Logs

CLI – Enable system logging and then specify the level of messages to be logged to
RAM and flash memory. Use the show logging command to display the current
settings.

Console(config)#logging on 4-43
Console(config)#logging history ram 0 4-44
Console(config)#
Console#show logging ram 4-47
Syslog logging: Disabled
History logging in RAM: level emergencies
Console#

the level of

Remote Log Configuration

The Remote Logs page allows you to configure the logging of messages that are
sent to syslog servers or other management stations. You can also limit the event
messages sent to only those messages at or above a specified level.

Command Attributes

• Remote Log Status – Enables/disables the logging of debug or error messages
to the remote logging process. (Default: Disabled)

• Logging Facility – Sets the facility type for remote logging of syslog messages.
There are eight facility types specified by values of 16 to 23. The facility type is
used by the syslog server to dispatch log messages to an appropriate service.

The attribute specifies the facility type tag sent in syslog messages. (See RFC

3164.) This type has no effect on the kind of messages reported by the switch.
However, it may be used by the syslog server to process messages, such as sorting
or storing messages in the corresponding database. (Range: 16-23, Default: 23)

• Logging Trap – Limits log messages that are sent to the remote syslog server for
all levels up to the specified level. For example, if level 3 is specified, all messages
from level 0 to level 3 will be sent to the remote server. (Range: 0-7, Default: 7)

• Host IP List – Displays the list of remote server IP addresses that will receive
syslog messages. The maximum number of host IP addresses allowed is five.

• Host IP Address – Specifies a new server IP address to add to the Host IP List.

3-30

Basic Configuration

3

Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List,
type the new IP address in the Host IP Address box, and then click Add. To delete
an IP address, click the entry in the Host IP List, and then click Remove.

Figure 3-18 Remote Logs

CLI – Enter the syslog server host IP address, choose the facility type and set the
logging trap.

Console(config)#logging host 10.1.0.9 4-45
Console(config)#logging facility 23 4-45
Console(config)#logging trap 4 4-46
Console(config)#logging trap
Console(config)#exit
Console#show logging trap 4-47
Syslog logging: Enabled
REMOTELOG status: Disabled
REMOTELOG facility type: local use 7
REMOTELOG level type: Warning conditions
REMOTELOG server ip address: 10.1.0.9
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
Console#

3-31

Configuring the Switch

3

Displaying Log Messages

Use the Logs page to scroll through the logged system and event messages. The
switch can store up to 2048 log entries in temporary random access memory (RAM;
i.e., memory flushed on power reset) and up to 4096 entries in permanent flash
memory.

Web – Click System, Log, Logs.

Figure 3-19 Displaying Logs

CLI – This example shows the event message stored in RAM.

Console#show log ram 4-49
[1] 00:01:30 2001-01-01

"VLAN 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1

[0] 00:01:30 2001-01-01

"Unit 1, Port 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1

Console#

Sending Simple Mail Transfer Protocol Alerts

To alert system administrators of problems, the switch can use SMTP (Simple Mail
Transfer Protocol) to send email messages when triggered by logging events of a
specified level. The messages are sent to specified SMTP servers on the network
and can be retrieved using POP or IMAP clients.

Command Attributes

• Admin Status – Enables/disables the SMTP function. (Default: Enabled)

• Email Source Address – Sets the email address used for the “From” field in alert
messages. You may use a symbolic email address that identifies the switch, or the
address of an administrator responsible for the switch.

• Severity – Sets the syslog severity threshold level (see table on page 3-29) used
to trigger alert messages. All events at this level or higher will be sent to the
configured email recipients. For example, using Level 7 will report all events from
level 7 to level 0. (Default: Level 7)

3-32

Basic Configuration

• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The

switch attempts to connect to the other listed servers if the first fails. Use the New
SMTP Server text field and the Add/Remove buttons to configure the list.

• Email Destination Address List – Specifies the email recipients of alert

messages. You can specify up to five recipients. Use the New Email Destination
Address text field and the Add/Remove buttons to configure the list.

Web – Click System, Log, SMTP. Enable SMTP, specify a source email address,
and select the minimum severity level. To add an IP address to the SMTP Server
List, type the new IP address in the SMTP Server field and click Add. To delete an IP
address, click the entry in the SMTP Server List and click Remove. Specify up to five
email addresses to receive the alert messages, and click Apply.

3

Figure 3-20 Enabling and Configuring SMTP Alerts

3-33

Configuring the Switch

3

CLI – Enter the IP address of at least one SMTP server, set the syslog severity level
to trigger an email message, and specify the switch (source) and up to five recipient
(destination) email addresses. Enable SMTP with the logging sendmail command
to complete the configuration. Use the show logging sendmail command to display
the current SMTP configuration.

Console(config)#logging sendmail host 192.168.1.4 4-50
Console(config)#logging sendmail level 3 4-50
Console(config)#logging sendmail source-email

big-wheels@matel.com 4-51

Console(config)#logging sendmail destination-email

chris@matel.com 4-51
Console(config)#logging sendmail 4-52
Console(config)#exit
Console#show logging sendmail 4-52
SMTP servers

-----------------------------------------------

1. 192.168.1.4

SMTP minimum severity level: 4

SMTP destination email addresses

-----------------------------------------------

1. chris@matel.com

SMTP source email address: big-wheels@matel.com

SMTP status: Enabled
Console#

Renumbering the Stack

If the units are no longer numbered sequentially after several topology changes or
failures, you can reset the unit numbers using the “Renumbering” command. Just
remember to save the new configuration settings to a startup configuration file prior
to powering off the stack Master.

Command Usage

• The startup configuration file maps configuration settings to each switch in the
stack based on the unit identification number. You should therefore remember to
save the current configuration after renumbering the stack.

• For a line topology, the stack is numbered from top to bottom, with the first unit in
the stack designated at unit 1. For a ring topology, the Master unit taken as the top
of the stack and is numbered as unit 1, and all other units are numbered
sequentially down through the ring.

Web – Click System, Renumbering.

Figure 3-21 Renumbering the Stack

3-34

Basic Configuration

CLI – This example renumbers all units in the stack.

Console#switch all renumber 4-26
Console#

3

Resetting the System

Web – Click System, Reset. Click the Reset button to restart the switch. When

prompted, confirm that you want reset the switch.

Figure 3-22 Resetting the System

CLI – Use the reload command to restart the switch.

Console#reload 4-23
System will be restarted, continue <y/n>?

When restarting the system, it will always run the Power-On Self-Test.

Note:

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal clock
based on periodic updates from a time server (SNTP or NTP). Maintaining an
accurate time on the switch enables the system log to record meaningful dates and
times for event entries. You can also manually set the clock using the CLI. (See
“calendar set” on page 4-56.) If the clock is not set, the switch will only record the
time from the factory default set at the last bootup.

When the SNTP client is enabled, the switch periodically sends a request for a time
update to a configured time server. You can configure up to three time server IP
addresses. The switch will attempt to poll each server in the configured sequence.

Configuring SNTP

You can configure the switch to send time synchronization requests to time servers.

Command Attributes

• SNTP Client – Configures the switch to operate as an SNTP client. This requires

at least one time server to be specified in the SNTP Server field. (Default: Disabled)

• SNTP Poll Interval – Sets the interval between sending requests for a time update

from a time server. (Range: 16-16384 seconds; Default: 16 seconds)

• SNTP Server – Sets the IP address for up to three time servers. The switch

attempts to update the time from the first server, if this fails it attempts an update
from the next server in the sequence.

3-35

Configuring the Switch

3

Web – Select SNTP, Configuration. Modify any of the required parameters, and click
Apply.

Figure 3-23 SNTP Configuration

CLI – This example configures the switch to operate as an SNTP client and then
displays the current time and settings.

Console(config)#sntp client 4-53
Console(config)#sntp poll 16 4-55
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-54
Console(config)#exit
Console#show sntp 4-55
Current time: Jan 6 14:56:05 2004
Poll interval: 60
Current mode: unicast
SNTP status : Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.250.36.2
Console#

Setting the Time Zone

SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time,
or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To
display a time corresponding to your local time, you must indicate the number of
hours and minutes your time zone is east (before) or west (after) of UTC.

Command Attributes

• Current Time – Displays the current time.

• Name – Assigns a name to the time zone. (Range: 1-29 characters)

• Hours (0-13) – The number of hours before/after UTC.

• Minutes (0-59) – The number of minutes before/after UTC.

• Direction – Configures the time zone to be before (east) or after (west) UTC.

3-36

Simple Network Management Protocol

Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to
the UTC, and click Apply.

Figure 3-24 Clock Time Zone

CLI - This example shows how to set the time zone for the system clock.

Console(config)#clock timezone Dhaka hours 6 minute 0 after-UTC 4-56
Console#

3

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a communication protocol
designed specifically for managing devices on a network. Equipment commonly
managed with SNMP includes switches, routers and host computers. SNMP is
typically used to configure these devices for proper operation in a network
environment, as well as to monitor them to evaluate performance or detect potential
problems.

Managed devices supporting SNMP contain software, which runs locally on the
device and is referred to as an agent. A defined set of variables, known as managed
objects, is maintained by the SNMP agent and used to manage the device. These
objects are defined in a Management Information Base (MIB) that provides a
standard presentation of the information controlled by the agent. SNMP defines both
the format of the MIB specifications and the protocol used to access this information
over the network.

The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3.
This agent continuously monitors the status of the switch hardware, as well as the
traffic passing through its ports. A network management station can access this
information using software such as HP OpenView. Access to the onboard agent
from clients using SNMP v1 and v2c is controlled by community strings. To
communicate with the switch, the management station must first submit a valid
community string for authentication.

Access to the switch using from clients using SNMPv3 provides additional security
features that cover message integrity, authentication, and encryption; as well as
controlling user access to specific areas of the MIB tree.

3-37

Configuring the Switch

3

The SNMPv3 security structure consists of security models, with each model having
it’s own security levels. There are three security models defined, SNMPv1,
SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a
security model and specified security levels. Each group also has a defined security
access to set of MIB objects for reading and writing, which are known as “views.”
The switch has a default view (all MIB objects) and default groups defined for
security models v1 and v2c. The following table shows the security models and
levels available and the system default settings.

Table 3-4 SNMPv3 Security Models and Levels

Model Level Group Read View Write View Notify View Security

v1 noAuthNoPriv public

v1 noAuthNoPriv private

v1 noAuthNoPriv user defined user defined user defined user defined Community string only

v2c noAuthNoPriv public

v2c noAuthNoPriv private

v2c noAuthNoPriv user defined user defined user defined user defined Community string only

v3 noAuthNoPriv user defined user defined user defined user defined A user name match only

v3 AuthNoPriv user defined user defined user defined user defined Provides user

v3 AuthPriv user defined user defined user defined user defined Provides user

(read only)

(read/write)

(read only)

(read/write)

defaultview none none Community string only

defaultview defaultview none Community string only

defaultview none none Community string only

defaultview defaultview none Community string only

authentication via MD5 or
SHA algorithms

authentication via MD5 or
SHA algorithms and data
privacy using DES 56-bit
encryption

Note:

The predefined default groups and view can be deleted from the system. You can
then define customized groups and views for the SNMP clients that require access.

3-38

Simple Network Management Protocol

3

Enabling the SNMP Agent

Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).

Command Attributes

SNMP Agent Status – Enables SNMP on the switch.

Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled

checkbox, and click Apply.

Figure 3-25 Enabling the SNMP Agent

CLI – The following example enables SNMP on the switch.

Console(config)#snmp-server 4-107
Console(config)#

Setting Community Access Strings

You may configure up to five community strings authorized for management access
by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers
should be listed in this table. For security reasons, you should consider removing the
default strings.

Command Attributes

• SNMP Community Capability – The switch supports up to five community strings.

• Current – Displays a list of the community strings currently configured.

• Community String – A community string that acts like a password and permits

access to the SNMP protocol.

Default strings: “public” (read-only access), “private” (read/write access)
Range: 1-32 characters, case sensitive

• Access Mode – Specifies the access rights for the community string:

- Read-Only – Authorized management stations are only able to retrieve MIB
objects.

- Read/Write – Authorized management stations are able to both retrieve and
modify MIB objects.

3-39

Configuring the Switch

3

Web – Click SNMP, Configuration. Add new community strings as required, select
the access rights from the Access Mode drop-down list, then click Add.

Figure 3-26 Configuring SNMP Community Strings

CLI – The following example adds the string “spiderman” with read/write access.

Console(config)#snmp-server community spiderman rw 4-109
Console(config)#

Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap managers.
You must specify trap managers so that key events are reported by this switch to
your management station (using network management platforms such as HP
OpenView). You can specify up to five management stations that will receive
authentication failure messages and other trap messages from the switch.

Command Usage

• If you specify an SNMP Version 3 host, then the “Trap Manager Community String”
is interpreted as an SNMP user name. If you use V3 authentication or encryption
options (authNoPriv or authPriv), the user name must first be defined in the
SNMPv3 Users page (page 3-44). Otherwise, the authentication password and/or
privacy password will not exist, and the switch will not authorize SNMP access for
the host. However, if you specify a V3 host with the no authentication (noAuth)
option, an SNMP user account will be automatically generated, and the switch will
authorize SNMP access for the host.

• Notifications are issued by the switch as trap messages by default. The recipient
of a trap message does not send a response to the switch. Traps are therefore not
as reliable as inform messages, which include a request for acknowledgement of
receipt. Informs can be used to ensure that critical information is received by the
host. However, note that informs consume more system resources because they
must be kept in memory until a response is received. Informs also add to network
traffic. You should consider these effects when deciding whether to issue
notifications as traps or informs.

3-40

Simple Network Management Protocol

To send an inform to a SNMPv2c host, complete these steps:

1. Enable the SNMP agent (page 3-39).

2. Enable trap informs as described in the following pages.

3. Create a view with the required notification messages (page 3-52).

4. Create a group that includes the required notify view (page 3-48).

To send an inform to a SNMPv3 host, complete these steps:

1. Enable the SNMP agent (page 3-39).

2. Enable trap informs as described in the following pages.

3. Create a view with the required notification messages (page 3-52).

4. Create a group that includes the required notify view (page 3-48).

5. Specify a remote engine ID where the user resides (page 3-43).

6. Then configure a remote user (page 3-46).

Command Attributes

• Trap Manager Capability – This switch supports up to five trap managers.

• Current – Displays a list of the trap managers currently configured.

• Trap Manager IP Address – IP address of a new management station to receive

notification messages.

• Trap Manager Community String – Specifies a valid community string for the

new trap manager entry. Though you can set this string in the Trap Managers table,
we recommend that you define this string in the SNMP Configuration page (for
Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3
Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive)

• Trap UDP Port – Specifies the UDP port number used by the trap manager.

• Trap Version – Indicates if the user is running SNMP v1, v2c, or v3. (Default: v1)

• Trap Security Level – When trap version 3 is selected, you must specify one of

the following security levels. (Default: noAuthNoPriv)

- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications.

- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).

• Trap Inform – Notifications are sent as inform messages. Note that this option is
only available for version 2c and 3 hosts. (Default: traps are used)

- Timeout – The number of seconds to wait for an acknowledgment before

resending an inform message. (Range: 0-2147483647 centiseconds;
Default: 1500 centiseconds)

- Retry times – The maximum number of times to resend an inform message if

the recipient does not acknowledge receipt. (Range: 0-255; Default: 3)

• Enable Authentication Traps
trap managers whenever authentication of an SNMP request fails.
(Default: Enabled)

4. These are legacy notifications and therefore when used for SNMP Version 3 hosts, they must
be enabled in conjunction with the corresponding entries in the Notification View (page 3-48).

4

– Issues a notification message to specified IP

3

3-41

Configuring the Switch

3

• Enable Link-up and Link-down Traps4 – Issues a notification message
whenever a port link is established or broken. (Default: Enabled)

Web – Click SNMP, Configuration. Enter the IP address and community string for
each management station that will receive trap messages, specify the UDP port,
SNMP trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3
clients), and then click Add. Select the trap types required using the check boxes for
Authentication and Link-up/down traps, and then click Apply.

Figure 3-27 Configuring SNMP Trap Managers

CLI – This example adds a trap manager and enables authentication traps.

Console(config)#snmp-server host 10.1.19.23 private version 2c

udp-port 162 4-110

Console(config)#snmp-server enable traps authentication 4-112

Configuring SNMPv3 Management Access

To configure SNMPv3 management access to the switch, follow these steps:

1. If you want to change the default engine ID, do so before configuring other

SNMP parameters.

2. Specify read and write access views for the switch MIB tree.

3. Configure SNMP user groups with the required security model (i.e., SNMP v1,

v2c or v3) and security level (i.e., authentication and privacy).

4. Assign SNMP users to groups, along with their specific authentication and

privacy passwords.

3-42

Simple Network Management Protocol

3

Setting a Local Engine ID

An SNMPv3 engine is an independent SNMP agent that resides on the switch. This
engine protects against message replay, delay, and redirection. The engine ID is
also used in combination with user passwords to generate the security keys for
authenticating and encrypting SNMPv3 packets.

A local engine ID is automatically generated that is unique to the switch. This is
referred to as the default engine ID. If the local engineID is deleted or changed, all
SNMP users will be cleared. You will need to reconfigure all existing users.

A new engine ID can be specified by entering 1 to 26 hexadecimal characters. If less
than 26 characters are specified, trailing zeroes are added to the value. For
example, the value “1234” is equivalent to “1234” followed by 22 zeroes.

Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of up to 26 hexadecimal
characters and then click Save.

Figure 3-28 Setting the SNMPv3 Engine ID

CLI – This example sets an SNMPv3 engine ID.

Console(config)#snmp-server engine-id local 12345abcdef 4-113
Console(config)#exit
Console#show snmp engine-id 4-114
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1
Console#

Specifying a Remote Engine ID

To send inform messages to an SNMPv3 user on a remote device, you must first
specify the engine identifier for the SNMP agent on the remote device where the
user resides. The remote engine ID is used to compute the security digest for
authenticating and encrypting packets sent to a user on the remote host.

SNMP passwords are localized using the engine ID of the authoritative agent. For
informs, the authoritative SNMP agent is the remote agent. You therefore need to
configure the remote agent’s SNMP engine ID before you can send proxy requests
or informs to it. (See “Specifying Trap Managers and Trap Types” on page 3-40 and
“Configuring Remote SNMPv3 Users” on page 3-46.)

3-43

Configuring the Switch

3

The engine ID can be specified by entering 1 to 26 hexadecimal characters. If less
than 26 characters are specified, trailing zeroes are added to the value. For
example, the value “1234” is equivalent to “1234” followed by 22 zeroes.

Web – Click SNMP, SNMPv3, Remote Engine ID. Enter an ID of up to 26
hexadecimal characters and then click Save.

Figure 3-29 Setting an Engine ID

CLI – This example specifies a remote SNMPv3 engine ID.

Console(config)#snmp-server engineID remote 54321 192.168.1.19 4-113
Console(config)#exit
Console#show snmp engine-id 4-114
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1

Remote SNMP engineID IP address
80000000030004e2b316c54321 192.168.1.19
Console#

Configuring SNMPv3 Users

Each SNMPv3 user is defined by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts users to
a specific read, write, or notify view.

Command Attributes

• User Name – The name of user connecting to the SNMP agent. (Range: 1-32
characters)

• Group Name – The name of the SNMP group to which the user is assigned.
(Range: 1-32 characters)

• Security Model – The user security model; SNMP v1, v2c or v3.

• Security Level – The security level used for the user:

- noAuthNoPriv – There is no authentication or encryption used in SNMP

communications. (This is the default for SNMPv3.)

- AuthNoPriv – SNMP communications use authentication, but the data is not

encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only

available for the SNMPv3 security model).

• Authentication Protocol – The method used for user authentication. (Options:
MD5, SHA; Default: MD5)

• Authentication Password – A minimum of eight plain text characters is required.

3-44

Simple Network Management Protocol

• Privacy Protocol – The encryption algorithm use for data privacy; only 56-bit DES

is currently available.

• Privacy Password – A minimum of eight plain text characters is required.

• Actions – Enables the user to be assigned to another SNMPv3 group.

Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the
New User page, define a name and assign it to a group, then click Add to save the
configuration and return to the User Name list. To delete a user, check the box next
to the user name, then click Delete. To change the assigned group of a user, click
Change Group in the Actions column of the users table and select the new group.

3

Figure 3-30 Configuring SNMPv3 Users

3-45

Configuring the Switch

3

CLI – Use the snmp-server user command to configure a new user name and
assign it to a group.

Console(config)#snmp-server user chris group r&d v3 auth md5

greenpeace priv des56 einstien 4-119

Console(config)#exit
Console#show snmp user 4-120
EngineId: 80000034030001f488f5200000
User Name: chris
Authentication Protocol: md5
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active

Console#

Configuring Remote SNMPv3 Users

Each SNMPv3 user is defined by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts users to
a specific read and a write view.

To send inform messages to an SNMPv3 user on a remote device, you must first
specify the engine identifier for the SNMP agent on the remote device where the
user resides. The remote engine ID is used to compute the security digest for
authenticating and encrypting packets sent to a user on the remote host. (See
“Specifying Trap Managers and Trap Types” on page 3-40 and “Specifying a
Remote Engine ID” on page 3-43.)

Command Attributes

• User Name – The name of user connecting to the SNMP agent. (Range: 1-32
characters)

• Group Name – The name of the SNMP group to which the user is assigned.
(Range: 1-32 characters)

• Engine ID – The engine identifier for the SNMP agent on the remote deivce where
the remote user resides. Note that the remote engine identifier must be specified
before you configure a remote user. (See “Specifying a Remote Engine ID” on
page 3-43.)

• Remote IP – The Internet address of the remote device where the user resides.

• Security Model – The user security model; SNMP v1, v2c or v3. (Default: v1)

• Security Level – The security level used for the user:

- noAuthNoPriv – There is no authentication or encryption used in SNMP

communications. (This is the default for SNMPv3.)

- AuthNoPriv – SNMP communications use authentication, but the data is not

encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only

available for the SNMPv3 security model).

• Authentication Protocol – The method used for user authentication. (Options:
MD5, SHA; Default: MD5)

• Authentication Password – A minimum of eight plain text characters is required.

3-46

Simple Network Management Protocol

• Privacy Protocol – The encryption algorithm use for data privacy; only 56-bit DES

is currently available.

• Privacy Password – A minimum of eight plain text characters is required.

Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name.
In the New User page, define a name and assign it to a group, then click Add to save
the configuration and return to the User Name list. To delete a user, check the box
next to the user name, then click Delete.

3

Figure 3-31 Configuring Remote SNMPv3 Users

3-47

Configuring the Switch

3

CLI – Use the snmp-server user command to configure a new user name and
assign it to a group.

Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3

auth md5 greenpeace priv des56 einstien 4-119
Console(config)#exit
Console#show snmp user 4-120
No user exist.

SNMP remote user
EngineId: 80000000030004e2b316c54321
User Name: mark
Authentication Protocol: none
Privacy Protocol: none
Storage Type: nonvolatile
Row Status: active

Console#

Configuring SNMPv3 Groups

An SNMPv3 group sets the access policy for its assigned users, restricting them to
specific read, write, and notify views. You can use the pre-defined default groups or
create new groups to map a set of SNMP users to SNMP views.

Command Attributes

• Group Name – The name of the SNMP group. (Range: 1-32 characters)

• Model – The group security model; SNMP v1, v2c or v3.

• Level – The security level used for the group:

- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications.

- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).

• Read View – The configured view for read access. (Range: 1-64 characters)

• Write View – The configured view for write access. (Range: 1-64 characters)

• Notify View – The configured view for notifications. (Range: 1-64 characters)

3-48