Samsung iES4028FP User Manual

iES4028F iES4028FP E072008/ST-R01
149100000022A
COPYRIGHT
This manual is proprietary to SAMSUNG Electronics Co., Ltd. and is protected by copyright.
TRADEMARKS
Ubigate iES4028F and Ubigate iES4028FP are registered trademarks of SAMSUNG Electronics.
All other company and product names may be trademarks of the respective companies with which they are associated.
Read this manual before installation and operation, and use it to install and operate the product correctly.
This manual may be changed without prior notice for system improvement, standardization, and other technical reasons.
For further information on the updated manual, or if you have a question about the content of the manual, use the contact details below.
Homepage: http://www.samsungnetwork.com
For A/S and Tech. support: http://www.samsungnetwork.com
For Manual: http://www.samsungdocs.com
©2008 SAMSUNG Electronics Co., Ltd. All rights reserved.
About This Guide
Purpose
This guide gives specific information on how to operate and use the management functions of the switch.
Audience
The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
Conventions
The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or instructions.
Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Warning: Alerts you to a potential hazard that could cause personal injury.
Related Publications
The following publication details the hardware features of the switch, including the physical and performance-related characteristics, and how to install the switch:
The Installation Manual
Also, as part of the switch’s software, there is an online web-based help that describes all management related features.
Revision History
This section summarizes the changes in each revision of this guide.
July 2008 Revision
This is the second revision of this guide. It combines information for the Ubigate iES4028F and iES4028FP. This guide is valid for software release v1.1.0.13. Other than the addition of information about the iES4028F, it also includes the following updated and additional information in the indicated tables or sections:
• Table 1-1, “Key Features,” on page 1-1.
• “Description of Software Features” on page 1-2.
• Table 1-2, “System Defaults,” on page 1-6.
• “Dynamic Configuration” on page 2-5.
• “Managing System Files” on page 2-8.
• “Saving Configuration Settings” on page 2-9.
• “Configuring Power over Ethernet” on page 2-10.
• VLAN Learning under “Displaying Bridge Extension Capabilities” on page 3-16.
• Removal of default IP address under “Setting the Switch’s IP Address” on page 3-17.
• Change to jumbo frame size under “Enabling Jumbo Frames” on page 3-20.
• “Managing Firmware” on page 3-21.
• Command Usage and Command Attributes under “Specifying Trap Managers and Trap Types” on page 3-43.
• NAS IP Address under “Configuring Local/Remote Logon Authentication” on page 3-59.
• Size of Secret Text String under “Configuring Encryption Keys” on page 3-64.
• Private Password under “Replacing the Default Secure-site Certificate” on page 3-78.
• Public Key Type under “Importing User Public Keys” on page 3-84.
• Command Usage under “Configuring Port Security” on page 3-97.
• Notes under “Web Authentication” on page 3-98.
• Note under “Network Access (MAC Address Authentication)” on page 3-102.
• Guest VLAN, Dynamic VLAN, and removal of Dynamic QoS under “Configuring MAC Authentication for Ports” on page 3-104.
• Removed Security, Network Access, Port Link Detection Configuration web page.
• Command Usage under “Access Control Lists” on page 3-108.
• Removed references to static bindings for DHCP Snooping under “DHCP Snooping” on page 3-116.
• Command Usage and Command Attributes under “Configuring VLANs for DHCP Snooping” on page 3-118.
• Command Usage and Command Attributes under “Configuring the DHCP Snooping Information Option” on page 3-118.
• Command Usage under “Configuring Ports for DHCP Snooping” on page 3-120.
• Command Usage under “IP Source Guard” on page 3-123.
• Command Usage under “Configuring Static Binding for IP Source Guard” on page 3-124.
• Command Usage and Command Attributes under “Configuring Interface Connections” on page 3-129.
• “Configuring Parameters for LACP Groups” on page 3-139.
• Flooding Behavior Field Attributes under STA - “Displaying Global Settings” on page 3-164.
• Spanning Tree BPDU Flooding Command Attribute under STA - “Configuring Global Settings” on page 3-167.
• BPDU Flooding Field Attribute under “Displaying Interface Settings” on page 3-171.
• Admin Path Cost Command Attribute under “Configuring Interface Settings” on page 3-174.
• Forwarding Tagged/Untagged Frames under “IEEE 802.1Q VLANs” on page 3-183.
• Untagged Command Attribute under “Adding Static Members to VLANs (VLAN Index)” on page 3-191.
• Ingress Filtering Command Attribute under “Configuring VLAN Behavior for Interfaces” on page 3-194.
• Mode Access Command Attribute under “Configuring VLAN Behavior for Interfaces” on page 3-194.
• 802.1Q Tunnel Status Command Attribute under “Enabling QinQ Tunneling on the Switch” on page 3-200.
• “Traffic Segmentation” on page 3-202.
• Removed Isolated VLAN option from “Private VLANs” on page 3-204.
• Introduction and Command Usage under “Protocol VLANs” on page 3-210.
• Command Usage under “Configuring the Protocol VLAN System” on page 3-211.
• Field Attributes under “Displaying LLDP Local Device Information” on page 3-218.
• Field Attributes under “Displaying LLDP Remote Port Information” on page 3-220.
• Field Attributes under “Displaying LLDP Remote Information Details” on page 3-221.
• Introduction and Field Attributes under “Displaying Device Statistics” on page 3-223.
• Field Attributes under “Displaying Detailed Device Statistics” on page 3-225.
• Introduction, Command Usage and Command Attributes under “Selecting the Queue Mode” on page 3-230.
• Introduction under “Setting the Service Weight for Traffic Classes” on page 3-230.
• “Mapping Layer 3/4 Priorities to CoS Values” on page 3-231.
• Action Command Attribute under “Creating QoS Policies” on page 3-238.
• Introduction under “Multicast Filtering” on page 3-247.
• Introduction and Command Usage under “Enabling IGMP Immediate Leave” on page 3-251.
• New Multicast Address Range List Command Attribute under “Configuring IGMP Filter Profiles” on page 3-258.
• Command Usage and MVR Running Status Command Attribute under “Configuring Global MVR Settings” on page 3-262.
• Command Usage and Command Attributes under “Configuring MVR Interface Status” on page 3-266.
• Command Usage under “Switch Clustering” on page 3-269.
• Introduction under “UPnP” on page 3-273.
• Command Usage under “jumbo frame” on page 4-33.
• Command Usage under “copy” on page 4-35.
• Syntax under “show log” on page 4-55.
• Using Switch Clustering under “Switch Cluster Commands” on page 4-73.
• Introduction under “UPnP Commands” on page 4-77.
• “Debug Commands” on page 4-80.
• Syntax for “radius-server host” on page 4-105.
• Introduction, Default Setting and Command Usage under “radius-server attribute 4” on page 4-107.
• Syntax for “radius-server key” on page 4-107.
• Syntax for “tacacs-server host” on page 4-110.
• Syntax for “tacacs-server key” on page 4-111.
• Introduction for “aaa group server” on page 4-114.
• Syntax for “show accounting” on page 4-122.
• “ip telnet server” on page 4-126.
• Authentication section of Configuration Guidelines under “Secure Shell Commands” on page 4-127.
• Command Usage under “dot1x re-authenticate” on page 4-139.
• Command Usage under “dot1x re-authentication” on page 4-139.
• Command Usage under “port security” on page 4-148.
• Introduction under “Network Access (MAC Address Authentication)” on page 4-149.
• Removed network-access dynamic-qos, network-access link-detection, network-access link-detection link-down, network-access link-detection link-up, and network-access link-detection link-up-down commands from “Network Access (MAC Address Authentication)” on page 4-149.
• Removed web-auth login-fail-page-url, web-auth login-page-url, and web-auth login-success-page-url commands from “Web Authentication” on page 4-157.
• Command Usage under “ip dhcp snooping information option” on page 4-168.
• Removed reference to static DHCP Snooping entries from Command Usage under “ip source-guard” on page 4-171 and “ip source-guard binding” on page 4-173.
• Introduction, Syntax and Command Usage under “permit, deny (Extended ACL)” on page 4-178.
• Removed Command Usage from “ACL Information” on page 4-186.
• Command Usage under “speed-duplex” on page 4-188.
• “media-type” on page 4-192.
• “giga-phy-mode” on page 4-193.
• Default Setting under “switchport packet-rate” on page 4-194.
• “lacp active/passive” on page 4-208.
• Software Version parameter in Table 4-60, “show power mainpower parameters,” on page 4-217.
• Syntax and Command Usage under “port monitor” on page 4-218.
• “spanning-tree system-bpdu-flooding” on page 4-230.
• Syntax and Default Setting under “spanning-tree cost” on page 4-236.
• “spanning-tree port-bpdu-flooding” on page 4-239.
• Syntax and Default Setting under “spanning-tree mst cost” on page 4-243.
• Syntax for “switchport mode” on page 4-255.
• Removed note under “switchport ingress-filtering” on page 4-256.
• Removed note under “switchport allowed vlan” on page 4-258.
• Command Usage under “switchport allowed vlan” on page 4-258.
• Syntax for “show vlan” on page 4-260.
• Limitations for QinQ under “Configuring IEEE 802.1Q Tunneling” on page 4-261.
• Command Usage under “switchport dot1q-tunnel mode” on page 4-262.
• “Configuring Port-based Traffic Segmentation” on page 4-265.
• Removed references to isolated VLAN option from “Configuring Private VLANs” on page 4-269 and related commands which had supported this option.
• Removed switchport private-vlan isolated command.
• Command Usage under “switchport voice vlan” on page 4-280.
• Command Usage under “queue mode” on page 4-306.
• Removed queue bandwidth command.
• Configuration guidelines under “Quality of Service Commands” on page 4-313.
• Introduction and Syntax for “set” on page 4-318.
• Command Usage under “mvr (Global Configuration)” on page 4-339.
• Command Usage under “mvr (Interface Configuration)” on page 4-341.
• Command Usage under “ip default-gateway” on page 4-346.
• General Security Measures under “Software Specifications” on page A-1.
• Updated entries for Standards under “Software Specifications” on page A-1.
• Updated entries for Management Information Bases under “Software Specifications” on page A-1.
April 2008 Revision
This was the first revision of this guide for the Ubigate iES4028FP.
Contents
Chapter 1: Introduction 1-1
Key Features 1-1 Description of Software Features 1-2 System Defaults 1-6
Chapter 2: Initial Configuration 2-1
Connecting to the Switch 2-1
Configuration Options 2-1 Required Connections 2-2 Remote Connections 2-3
Basic Configuration 2-3
Console Connection 2-3 Setting Passwords 2-4 Setting an IP Address 2-4
Manual Configuration 2-5 Dynamic Configuration 2-5
Enabling SNMP Management Access 2-6
Community Strings (for SNMP version 1 and 2c clients) 2-7 Trap Receivers 2-7 Configuring Access for SNMP Version 3 Clients 2-8
Managing System Files 2-8
Saving Configuration Settings 2-9
Configuring Power over Ethernet 2-10
Chapter 3: Configuring the Switch 3-1
Using the Web Interface 3-1 Navigating the Web Browser Interface 3-2
Home Page 3-2
Configuration Options 3-3 Panel Display 3-3 Main Menu 3-4 Basic Configuration 3-12
Displaying System Information 3-12
Displaying Switch Hardware/Software Versions 3-14
Displaying Bridge Extension Capabilities 3-16
Setting the Switch’s IP Address 3-17
Manual Configuration 3-18 Using DHCP/BOOTP 3-19
Enabling Jumbo Frames 3-20
Managing Firmware 3-21
Downloading System Software from a Server 3-22
Saving or Restoring Configuration Settings 3-23
Downloading Configuration Settings from a Server 3-24 Console Port Settings 3-25 Telnet Settings 3-27 Configuring Event Logging 3-29
System Log Configuration 3-29
Remote Log Configuration 3-30
Displaying Log Messages 3-32
Sending Simple Mail Transfer Protocol Alerts 3-32 Resetting the System 3-34 Setting the System Clock 3-35
Setting the Time Manually 3-36
Configuring SNTP 3-36
Configuring NTP 3-37
Setting the Time Zone 3-39
Simple Network Management Protocol 3-40
Enabling SNMP Agent Status 3-41 Setting Community Access Strings 3-42 Specifying Trap Managers and Trap Types 3-43 Configuring SNMPv3 Management Access 3-46
Setting the Local Engine ID 3-46
Specifying a Remote Engine ID 3-47
Configuring SNMPv3 Users 3-48
Configuring Remote SNMPv3 Users 3-50
Configuring SNMPv3 Groups 3-52
Setting SNMPv3 Views 3-55
User Authentication 3-57
Configuring User Accounts 3-58 Configuring Local/Remote Logon Authentication 3-59 Configuring Encryption Keys 3-64 AAA Authorization and Accounting 3-65
Configuring AAA RADIUS Group Settings 3-66
Configuring AAA TACACS+ Group Settings 3-67
Configuring AAA Accounting 3-67
AAA Accounting Update 3-69
AAA Accounting 802.1X Port Settings 3-70
AAA Accounting Exec Command Privileges 3-71
AAA Accounting Exec Settings 3-72
AAA Accounting Summary 3-72
Authorization Settings 3-74
Authorization EXEC Settings 3-75
Authorization Summary 3-76
Configuring HTTPS 3-77
Replacing the Default Secure-site Certificate 3-78
Configuring the Secure Shell 3-79
Generating the Host Key Pair 3-82 Importing User Public Keys 3-84 Configuring the SSH Server 3-86
Configuring 802.1X Port Authentication 3-88
Displaying 802.1X Global Settings 3-89 Configuring 802.1X Global Settings 3-90 Configuring Port Settings for 802.1X 3-90 Displaying 802.1X Statistics 3-93
Filtering IP Addresses for Management Access 3-94
General Security Measures 3-96
Configuring Port Security 3-97 Web Authentication 3-98
Configuring Web Authentication 3-99 Configuring Web Authentication for Ports 3-100 Displaying Web Authentication Port Information 3-101 Re-authenticating Web Authenticated Ports 3-101
Network Access (MAC Address Authentication) 3-102
Configuring the MAC Authentication Reauthentication Time 3-103 Configuring MAC Authentication for Ports 3-104 Displaying Secure MAC Address Information 3-106
MAC Authentication 3-107
Configuring MAC authentication parameters for ports 3-107
Access Control Lists 3-108
Setting the ACL Name and Type 3-109 Configuring a Standard IP ACL 3-110 Configuring an Extended IP ACL 3-111 Configuring a MAC ACL 3-113 Binding a Port to an Access Control List 3-115
DHCP Snooping 3-116
Configuring DHCP Snooping 3-117 Configuring VLANs for DHCP Snooping 3-118 Configuring the DHCP Snooping Information Option 3-118 Configuring Ports for DHCP Snooping 3-120 Displaying DHCP Snooping Binding Information 3-122
IP Source Guard 3-123
Configuring Ports for IP Source Guard 3-123 Configuring Static Binding for IP Source Guard 3-124 Displaying Information for Dynamic IP Source Guard Bindings 3-126
Port Configuration 3-127
Displaying Connection Status 3-127 Configuring Interface Connections 3-129
Creating Trunk Groups 3-132
Statically Configuring a Trunk 3-133
Enabling LACP on Selected Ports 3-134
Configuring Parameters for LACP Group Members 3-136
Configuring Parameters for LACP Groups 3-139
Displaying LACP Port Counters 3-140
Displaying LACP Settings and Status for the Local Side 3-141
Displaying LACP Settings and Status for the Remote Side 3-143 Setting Broadcast Storm Thresholds 3-145 Configuring Port Mirroring 3-147 Configuring Rate Limits 3-148
Rate Limit Configuration 3-148 Showing Port Statistics 3-149
Power Over Ethernet Settings 3-153
Switch Power Status 3-154 Setting a Switch Power Budget 3-155 Displaying Port Power Status 3-155 Configuring Port PoE Power 3-156
Address Table Settings 3-158
Setting Static Addresses 3-158 Displaying the Address Table 3-159 Changing the Aging Time 3-160
Spanning Tree Algorithm Configuration 3-161
Configuring Port and Trunk Loopback Detection 3-163 Displaying Global Settings 3-164 Configuring Global Settings 3-167 Displaying Interface Settings 3-171 Configuring Interface Settings 3-174 Configuring Multiple Spanning Trees 3-177 Displaying Interface Settings for MSTP 3-180 Configuring Interface Settings for MSTP 3-182
VLAN Configuration 3-183
IEEE 802.1Q VLANs 3-183
Enabling or Disabling GVRP (Global Setting) 3-186
Displaying Basic VLAN Information 3-187
Displaying Current VLANs 3-188
Creating VLANs 3-189
Adding Static Members to VLANs (VLAN Index) 3-191
Adding Static Members to VLANs (Port Index) 3-193
Configuring VLAN Behavior for Interfaces 3-194 Configuring IEEE 802.1Q Tunneling 3-196
Enabling QinQ Tunneling on the Switch 3-200
Adding an Interface to a QinQ Tunnel 3-201 Traffic Segmentation 3-202
Configuring Global Settings for Traffic Segmentation 3-202
Configuring Traffic Segmentation Sessions 3-203
Private VLANs 3-204
Displaying Current Private VLANs 3-205 Configuring Private VLANs 3-206 Associating VLANs 3-207 Displaying Private VLAN Interface Information 3-207 Configuring Private VLAN Interfaces 3-208
Protocol VLANs 3-210
Configuring Protocol VLAN Groups 3-210 Configuring the Protocol VLAN System 3-211
Link Layer Discovery Protocol 3-212
Setting LLDP Timing Attributes 3-213 Configuring LLDP Interface Attributes 3-215 Displaying LLDP Local Device Information 3-218 Displaying LLDP Remote Port Information 3-220 Displaying LLDP Remote Information Details 3-221 Displaying Device Statistics 3-223 Displaying Detailed Device Statistics 3-225
Class of Service Configuration 3-226
Layer 2 Queue Settings 3-226
Setting the Default Priority for Interfaces 3-226 Mapping CoS Values to Egress Queues 3-228 Selecting the Queue Mode 3-230 Setting the Service Weight for Traffic Classes 3-230
Layer 3/4 Priority Settings 3-231
Mapping Layer 3/4 Priorities to CoS Values 3-231 Enabling IP DSCP Priority 3-232 Mapping DSCP Priority 3-233
Quality of Service 3-234
Configuring Quality of Service Parameters 3-235
Configuring a Class Map 3-235 Creating QoS Policies 3-238 Attaching a Policy Map to Ingress Queues 3-241
VoIP Traffic Configuration 3-242
Configuring VoIP Traffic 3-242 Configuring VoIP Traffic Ports 3-243 Configuring Telephony OUI 3-245
Multicast Filtering 3-247
Layer 2 IGMP (Snooping and Query) 3-248
Configuring IGMP Snooping and Query Parameters 3-249 Enabling IGMP Immediate Leave 3-251 Displaying Interfaces Attached to a Multicast Router 3-252 Specifying Static Interfaces for a Multicast Router 3-253 Displaying Port Members of Multicast Services 3-254 Assigning Ports to Multicast Services 3-255
IGMP Filtering and Throttling 3-256
Enabling IGMP Filtering 3-257
Configuring IGMP Filter Profiles 3-258
Configuring IGMP Filtering and Throttling for Interfaces 3-259
Multicast VLAN Registration 3-261
Configuring Global MVR Settings 3-262 Displaying MVR Interface Status 3-264 Displaying Port Members of Multicast Groups 3-265 Configuring MVR Interface Status 3-266 Assigning Static Multicast Groups to Interfaces 3-267
Switch Clustering 3-269
Configuring General Settings for Clusters 3-269 Configuring Cluster Members 3-270 Displaying Information on Cluster Members 3-271 Displaying Information on Cluster Candidates 3-272
UPnP 3-273
UPnP Configuration 3-274
Chapter 4: Command Line Interface 4-1
Using the Command Line Interface 4-1
Accessing the CLI 4-1 Console Connection 4-1 Telnet Connection 4-2
Entering Commands 4-3
Keywords and Arguments 4-3 Minimum Abbreviation 4-3 Command Completion 4-3 Getting Help on Commands 4-3 Showing Commands 4-4 Partial Keyword Lookup 4-5 Negating the Effect of Commands 4-5 Using Command History 4-5 Understanding Command Modes 4-5 Exec Commands 4-6 Configuration Commands 4-7 Command Line Processing 4-8
Command Groups 4-9 General Commands 4-10
enable 4-11 disable 4-11 configure 4-12 show history 4-12 reload 4-13 show reload 4-14
prompt 4-14 end 4-15 exit 4-15 quit 4-16
System Management Commands 4-16
Device Designation Commands 4-17
hostname 4-17
Banner Information Commands 4-18
banner configure 4-18 banner configure company 4-19 banner configure dc-power-info 4-20 banner configure department 4-21 banner configure equipment-info 4-21 banner configure equipment-location 4-22 banner configure ip-lan 4-23 banner configure lp-number 4-23 banner configure manager-info 4-24 banner configure mux 4-25 banner configure note 4-25 show banner 4-26
System Status Commands 4-27
show startup-config 4-27 show running-config 4-29 show system 4-31 show users 4-31 show version 4-32
Frame Size Commands 4-33
jumbo frame 4-33
File Management Commands 4-34
copy 4-35 delete 4-37 dir 4-38 whichboot 4-39 boot system 4-39
Line Commands 4-40
line 4-41 login 4-41 password 4-42 timeout login response 4-43 exec-timeout 4-44 password-thresh 4-44 silent-time 4-45 databits 4-46 parity 4-46 speed 4-47
stopbits 4-47
disconnect 4-48
show line 4-48 Event Logging Commands 4-49
logging on 4-49
logging history 4-50
logging host 4-51
logging facility 4-51
logging trap 4-52
clear log 4-53
show logging 4-53
show log 4-55 SMTP Alert Commands 4-56
logging sendmail host 4-56
logging sendmail level 4-57
logging sendmail source-email 4-57
logging sendmail destination-email 4-58
logging sendmail 4-58
show logging sendmail 4-58 Time Commands 4-59
sntp client 4-60
sntp server 4-61
sntp poll 4-61
show sntp 4-62
ntp client 4-62
ntp server 4-63
ntp poll 4-64
ntp authenticate 4-64
ntp authentication-key 4-65
show ntp 4-66
clock timezone-predefined 4-67
clock timezone 4-67
clock summer-time (date) 4-68
clock summer-time (predefined) 4-69
clock summer-time (recurring) 4-70
calendar set 4-72
show calendar 4-72 Switch Cluster Commands 4-73
cluster 4-73
cluster commander 4-74
cluster ip-pool 4-75
cluster member 4-75
rcommand 4-76
show cluster 4-76
show cluster members 4-77
show cluster candidates 4-77
UPnP Commands 4-77
upnp device 4-78 upnp device ttl 4-78 upnp device advertise duration 4-79 show upnp 4-79
Debug Commands 4-80
debug dot1x 4-80 debug radius 4-82 debug tacacs 4-84
SNMP Commands 4-86
snmp-server 4-86 show snmp 4-87 snmp-server community 4-88 snmp-server contact 4-88 snmp-server location 4-89 snmp-server host 4-90 snmp-server enable traps 4-92 snmp-server engine-id 4-93 show snmp engine-id 4-94 snmp-server view 4-94 show snmp view 4-95 snmp-server group 4-96 show snmp group 4-97 snmp-server user 4-98 show snmp user 4-99
Authentication Commands 4-100
User Account Commands 4-100
username 4-101 enable password 4-102
Authentication Sequence 4-103
authentication login 4-103 authentication enable 4-104
RADIUS Client 4-105
radius-server host 4-105 radius-server auth-port 4-106 radius-server acct-port 4-106 radius-server attribute 4 4-107 radius-server key 4-107 radius-server retransmit 4-108 radius-server timeout 4-108 show radius-server 4-109
TACACS+ Client 4-109
tacacs-server host 4-110 tacacs-server port 4-110
tacacs-server key 4-111
tacacs-server retransmit 4-111
tacacs-server timeout 4-112
show tacacs-server 4-113 AAA Commands 4-114
aaa group server 4-114
server 4-115
aaa accounting dot1x 4-116
aaa accounting exec 4-117
aaa accounting commands 4-118
aaa accounting update 4-119
accounting dot1x 4-119
accounting exec 4-120
accounting commands 4-120
aaa authorization exec 4-121
authorization exec 4-122
show accounting 4-122 Web Server Commands 4-123
ip http port 4-123
ip http server 4-124
ip http secure-server 4-124
ip http secure-port 4-125 Telnet Server Commands 4-126
ip telnet server 4-126 Secure Shell Commands 4-127
ip ssh server 4-129
ip ssh timeout 4-130
ip ssh authentication-retries 4-130
ip ssh server-key size 4-131
delete public-key 4-131
ip ssh crypto host-key generate 4-132
ip ssh crypto zeroize 4-132
ip ssh save host-key 4-133
show ip ssh 4-133
show ssh 4-134
show public-key 4-135
802.1X Port Authentication 4-136
dot1x system-auth-control 4-136
dot1x default 4-137
dot1x max-req 4-137
dot1x port-control 4-137
dot1x operation-mode 4-138
dot1x re-authenticate 4-139
dot1x re-authentication 4-139
dot1x timeout quiet-period 4-140
dot1x timeout re-authperiod 4-140 dot1x timeout tx-period 4-141 dot1x intrusion-action 4-141 show dot1x 4-142
Management IP Filter Commands 4-145
management 4-145 show management 4-146
General Security Measures 4-147
Port Security Commands 4-148
port security 4-148
Network Access (MAC Address Authentication) 4-149
network-access aging 4-150 network-access mode 4-151 network-access max-mac-count 4-152 network-access dynamic-vlan 4-152 network-access guest-vlan 4-153 mac-authentication reauth-time 4-154 mac-authentication intrusion-action 4-154 mac-authentication max-mac-count 4-155 clear network-access 4-155 show network-access 4-156 show network-access mac-address-table 4-156
Web Authentication 4-157
web-auth login-attempts 4-158 web-auth quiet-period 4-158 web-auth session-timeout 4-159 web-auth system-auth-control 4-159 web-auth 4-160 web-auth re-authenticate (Port) 4-160 web-auth re-authenticate (IP) 4-161 show web-auth 4-161 show web-auth interface 4-162 show web-auth summary 4-163
DHCP Snooping Commands 4-163
ip dhcp snooping 4-164 ip dhcp snooping vlan 4-165 ip dhcp snooping trust 4-166 ip dhcp snooping verify mac-address 4-167 ip dhcp snooping information option 4-168 ip dhcp snooping information policy 4-169 ip dhcp snooping database flash 4-169 clear ip dhcp snooping database flash 4-170 show ip dhcp snooping 4-170 show ip dhcp snooping binding 4-170
IP Source Guard Commands 4-171
ip source-guard 4-171
ip source-guard binding 4-173
show ip source-guard 4-174
show ip source-guard binding 4-174
Access Control List Commands 4-175
IP ACLs 4-175
access-list ip 4-176
permit, deny (Standard ACL) 4-177
permit, deny (Extended ACL) 4-178
show ip access-list 4-180
ip access-group 4-180
show ip access-group 4-181 MAC ACLs 4-181
access-list mac 4-182
permit, deny (MAC ACL) 4-183
show mac access-list 4-184
mac access-group 4-185
show mac access-group 4-185 ACL Information 4-186
show access-list 4-186
show access-group 4-186
Interface Commands 4-187
interface 4-187 description 4-188 speed-duplex 4-188 negotiation 4-189 capabilities 4-190 flowcontrol 4-191 media-type 4-192 giga-phy-mode 4-193 shutdown 4-194 switchport packet-rate 4-194 clear counters 4-195 show interfaces status 4-196 show interfaces counters 4-198 show interfaces switchport 4-199
Link Aggregation Commands 4-201
channel-group 4-202 lacp 4-203 lacp system-priority 4-204 lacp admin-key (Ethernet Interface) 4-205 lacp admin-key (Port Channel) 4-206 lacp port-priority 4-207 lacp active/passive 4-208
show lacp 4-208
Power over Ethernet Commands 4-212
power mainpower maximum allocation 4-213 power inline compatible 4-213 power inline 4-214 power inline maximum allocation 4-215 power inline priority 4-215 show power inline status 4-216 show power mainpower 4-217
Mirror Port Commands 4-218
port monitor 4-218 show port monitor 4-219
Rate Limit Commands 4-220
rate-limit 4-220
Address Table Commands 4-221
mac-address-table static 4-221 clear mac-address-table dynamic 4-222 show mac-address-table 4-223 mac-address-table aging-time 4-224 show mac-address-table aging-time 4-224
Spanning Tree Commands 4-225
spanning-tree 4-226 spanning-tree mode 4-227 spanning-tree forward-time 4-228 spanning-tree hello-time 4-228 spanning-tree max-age 4-229 spanning-tree priority 4-230 spanning-tree system-bpdu-flooding 4-230 spanning-tree pathcost method 4-231 spanning-tree transmission-limit 4-231 spanning-tree mst configuration 4-232 mst vlan 4-232 mst priority 4-233 name 4-234 revision 4-234 max-hops 4-235 spanning-tree spanning-disabled 4-235 spanning-tree cost 4-236 spanning-tree port-priority 4-237 spanning-tree edge-port 4-238 spanning-tree portfast 4-239 spanning-tree port-bpdu-flooding 4-239 spanning-tree link-type 4-240 spanning-tree loopback-detection 4-241 spanning-tree loopback-detection release-mode 4-241
spanning-tree loopback-detection trap 4-242 spanning-tree mst cost 4-243 spanning-tree mst port-priority 4-244 spanning-tree protocol-migration 4-244 show spanning-tree 4-245 show spanning-tree mst configuration 4-247
VLAN Commands 4-247
GVRP and Bridge Extension Commands 4-248
bridge-ext gvrp 4-248
show bridge-ext 4-249
switchport gvrp 4-249
show gvrp configuration 4-250
garp timer 4-250
show garp timer 4-251 Editing VLAN Groups 4-252
vlan database 4-252
vlan 4-253 Configuring VLAN Interfaces 4-254
interface vlan 4-254
switchport mode 4-255
switchport acceptable-frame-types 4-255
switchport ingress-filtering 4-256
switchport native vlan 4-257
switchport allowed vlan 4-258
switchport forbidden vlan 4-259 Displaying VLAN Information 4-260
show vlan 4-260 Configuring IEEE 802.1Q Tunneling 4-261
dot1q-tunnel system-tunnel-control 4-262
switchport dot1q-tunnel mode 4-262
switchport dot1q-tunnel tpid 4-263
show dot1q-tunnel 4-264 Configuring Port-based Traffic Segmentation 4-265
pvlan 4-265
pvlan uplink/downlink 4-266
pvlan session 4-267
pvlan up-to-up 4-268
show pvlan 4-268 Configuring Private VLANs 4-269
private-vlan 4-270
private vlan association 4-271
switchport mode private-vlan 4-271
switchport private-vlan host-association 4-272
switchport private-vlan mapping 4-273
show vlan private-vlan 4-273
Configuring Protocol-based VLANs 4-274
protocol-vlan protocol-group (Configuring Groups) 4-275 protocol-vlan protocol-group (Configuring VLANs) 4-275 show protocol-vlan protocol-group 4-276 show protocol-vlan protocol-group-vid 4-277
Configuring Voice VLANs 4-277
voice vlan 4-278 voice vlan aging 4-278 voice vlan mac-address 4-279 switchport voice vlan 4-280 switchport voice vlan rule 4-281 switchport voice vlan security 4-281 switchport voice vlan priority 4-282 show voice vlan 4-283
LLDP Commands 4-284
lldp 4-286 lldp holdtime-multiplier 4-286 lldp medFastStartCount 4-287 lldp notification-interval 4-287 lldp refresh-interval 4-288 lldp reinit-delay 4-288 lldp tx-delay 4-289 lldp admin-status 4-290 lldp notification 4-290 lldp mednotification 4-291 lldp basic-tlv management-ip-address 4-292 lldp basic-tlv port-description 4-292 lldp basic-tlv system-capabilities 4-293 lldp basic-tlv system-description 4-293 lldp basic-tlv system-name 4-294 lldp dot1-tlv proto-ident 4-294 lldp dot1-tlv proto-vid 4-295 lldp dot1-tlv pvid 4-295 lldp dot1-tlv vlan-name 4-296 lldp dot3-tlv link-agg 4-296 lldp dot3-tlv mac-phy 4-297 lldp dot3-tlv max-frame 4-297 lldp dot3-tlv poe 4-298 lldp medtlv extpoe 4-298 lldp medtlv inventory 4-299 lldp medtlv location 4-299 lldp medtlv med-cap 4-300 lldp medtlv network-policy 4-300 show lldp config 4-301 show lldp info local-device 4-303
show lldp info remote-device 4-304 show lldp info statistics 4-305
Class of Service Commands 4-306
Priority Commands (Layer 2) 4-306
queue mode 4-306
switchport priority default 4-307
queue cos-map 4-308
show queue mode 4-309
show queue bandwidth 4-309
show queue cos-map 4-310 Priority Commands (Layer 3 and 4) 4-311
map ip dscp (Global Configuration) 4-311
map ip dscp (Interface Configuration) 4-311
show map ip dscp 4-312
Quality of Service Commands 4-313
class-map 4-314
match 4-315
policy-map 4-316
class 4-317
set 4-318
police 4-319
service-policy 4-320
show class-map 4-320
show policy-map 4-321
show policy-map interface 4-321
Multicast Filtering Commands 4-322
IGMP Snooping Commands 4-322
ip igmp snooping 4-323
ip igmp snooping vlan static 4-323
ip igmp snooping version 4-324
ip igmp snooping leave-proxy 4-324
ip igmp snooping immediate-leave 4-325
show ip igmp snooping 4-326
show mac-address-table multicast 4-326
IGMP Query Commands (Layer 2) 4-327
ip igmp snooping querier 4-327
ip igmp snooping query-count 4-328
ip igmp snooping query-interval 4-328
ip igmp snooping query-max-response-time 4-329
ip igmp snooping router-port-expire-time 4-330
Static Multicast Routing Commands 4-330
ip igmp snooping vlan mrouter 4-331
show ip igmp snooping mrouter 4-331
IGMP Filtering and Throttling Commands 4-332
ip igmp filter (Global Configuration) 4-333
ip igmp profile 4-333
permit, deny 4-334
range 4-334
ip igmp filter (Interface Configuration) 4-335
ip igmp max-groups 4-336
ip igmp max-groups action 4-336
show ip igmp filter 4-337
show ip igmp profile 4-338
show ip igmp throttle interface 4-338
Multicast VLAN Registration Commands 4-339
mvr (Global Configuration) 4-339
mvr (Interface Configuration) 4-341
show mvr 4-342
IP Interface Commands 4-345
ip address 4-345
ip default-gateway 4-346
ip dhcp restart 4-347
show ip interface 4-347
show ip redirects 4-348
ping 4-348
Appendix A: Software Specifications A-1
Software Features A-1
Management Features A-2
Standards A-2
Management Information Bases A-3
Appendix B: Troubleshooting B-1
Problems Accessing the Management Interface B-1
Using System Logs B-2
Glossary
Index
Tables
Table 1-1 Key Features 1-1
Table 1-2 System Defaults 1-6
Table 3-1 Configuration Options 3-3
Table 3-2 Main Menu 3-4
Table 3-3 Logging Levels 3-29
Table 3-5 Supported Notification Messages 3-52
Table 3-6 HTTPS System Support 3-77
Table 3-7 802.1X Statistics 3-93
Table 3-8 LACP Port Counters 3-140
Table 3-9 LACP Internal Configuration Information 3-141
Table 3-10 LACP Neighbor Configuration Information 3-143
Table 3-11 Port Statistics 3-149
Table 3-12 Recommended STA Path Cost Range 3-175
Table 3-13 Recommended STA Path Costs 3-175
Table 3-14 Default STA Path Costs 3-176
Table 3-15 Chassis ID Subtype 3-218
Table 3-16 System Capabilities 3-218
Table 3-17 Port ID Subtype 3-221
Table 3-18 Mapping CoS Values to Egress Queues 3-228
Table 3-19 CoS Priority Levels 3-228
Table 3-20 Mapping DSCP Priority Values 3-233
Table 4-1 Command Modes 4-6
Table 4-2 Configuration Modes 4-7
Table 4-3 Command Line Processing 4-8
Table 4-4 Command Groups 4-9
Table 4-5 General Commands 4-10
Table 4-6 System Management Commands 4-16
Table 4-7 Device Designation Commands 4-17
Table 4-8 Banner Commands 4-18
Table 4-9 System Status Commands 4-27
Table 4-10 Frame Size Commands 4-33
Table 4-11 Flash/File Commands 4-34
Table 4-12 File Directory Information 4-38
Table 4-13 Line Commands 4-40
Table 4-14 Event Logging Commands 4-49
Table 4-15 Logging Levels 4-50
Table 4-16 show logging flash/ram - display description 4-54
Table 4-17 show logging trap - display description 4-54
Table 4-18 SMTP Alert Commands 4-56
Table 4-19 Time Commands 4-59
Table 4-20 Predefined Summer-Time Parameters 4-70
Table 4-21 Switch Cluster Commands 4-73
Table 4-22 Debug Commands 4-80
Table 4-23 SNMP Commands 4-86
Table 4-24 show snmp engine-id - display description 4-94
Table 4-25 show snmp view - display description 4-95
Table 4-26 show snmp group - display description 4-98
Table 4-28 Authentication Commands 4-100
Table 4-29 User Access Commands 4-100
Table 4-27 show snmp user - display description 4-100
Table 4-30 Default Login Settings 4-101
Table 4-31 Authentication Sequence 4-103
Table 4-32 RADIUS Client Commands 4-105
Table 4-33 TACACS Commands 4-109
Table 4-34 Web Server Commands 4-123
Table 4-35 HTTPS System Support 4-125
Table 4-36 Telnet Server Commands 4-126
Table 4-37 SSH Commands 4-127
Table 4-38 show ssh - display description 4-134
Table 4-39 802.1X Port Authentication 4-136
Table 4-40 IP Filter Commands 4-145
Table 4-41 Client Security Commands 4-147
Table 4-42 Port Security Commands 4-148
Table 4-43 Network Access 4-149
Table 4-44 Web Authentication 4-157
Table 4-45 DHCP Snooping Commands 4-163
Table 4-46 IP Source Guard Commands 4-171
Table 4-47 Access Control Lists 4-175
Table 4-48 IP ACLs 4-175
Table 4-49 MAC ACL Commands 4-181
Table 4-50 ACL Information 4-186
Table 4-51 Interface Commands 4-187
Table 4-52 Interfaces Switchport Statistics 4-200
Table 4-53 Link Aggregation Commands 4-201
Table 4-54 show lacp counters - display description 4-209
Table 4-55 show lacp internal - display description 4-210
Table 4-56 show lacp neighbors - display description 4-211
Table 4-57 show lacp sysid - display description 4-212
Table 4-61 Mirror Port Commands 4-218
Table 4-62 Rate Limit Commands 4-220
Table 4-63 Address Table Commands 4-221
Table 4-64 Spanning Tree Commands 4-225
Table 4-65 Port Type 4-236
Table 4-65 IEEE 802.1D-1998 4-236
Table 4-65 IEEE 802.1w-2001 4-236
Table 4-66 Port Type 4-236
Table 4-66 Link Type 4-236