Smc 8124PL2 Management Guide

MANAGEMENT GUIDE

SMC8124PL2

TigerSwitchTM 10/100/1000
24-Port Managed Switch with PoE

TigerSwitch 10/100/1000
Management Guide

From SMC’s Tiger line of feature-rich workgroup LAN solutions

20 Mason
Irvine, CA 92618
Phone: (949) 679-8000

Pub. # 149100034100A

May 2007

E052007-DT-R01

Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and
reliable. However, no responsibility is assumed by SMC for its use, nor for any
infringements of patents or other rights of third parties which may result from its use. No
license is granted by implication or otherwise under any patent or patent rights of SMC.
SMC reserves the right to change specifications at any time without notice.

Copyright © 2007 by

SMC Networks, Inc.

20 Mason

Irvine, CA 92618

All rights reserved. Printed in Taiwan

Trademarks:
SMC is a registered trademark; and EZ Switch, TigerStack and TigerSwitch are

trademarks of SMC Networks, Inc. Other product and company names are trademarks or
registered trademarks of their respective holders.

Limited Warranty

Limited Warranty Statement: SMC Networks, Inc. (“SMC”) warrants its products to be
free from defects in workmanship and materials, under normal use and service, for the
applicable warranty term. All SMC products carry a standard 90-day limited warranty from
the date of purchase from SMC or its Authorized Reseller. SMC may , at its own discretion,
repair or replace any product not operating as warranted with a similar or functionally
equivalent product, during the applicable warranty term. SMC will endeavor to repair or
replace any product returned under warranty within 30 days of receipt of the product.

The standard limited warranty can be upgraded to a Limited Lifetime* warranty by
registering new products within 30 days of purchase from SMC or its Authorized Reseller.
Registration can be accomplished via the enclosed product registration card or online via
the SMC Web site. Failure to register will not affect the standard limited warranty. The
Limited Lifetime warranty covers a product during the Life of that Product, which is
defined as the period of time during which the product is an “Active” SMC product. A
product is considered to be “Active” while it is listed on the current SMC price list. As new
technologies emerge, older technologies become obsolete and SMC will, at its discretion,
replace an older product in its product line with one that incorporates these newer
technologies. At that point, the obsolete product is discontinued and is no longer an
“Active” SMC product. A list of discontinued products with their respective dates of
discontinuance can be found at:
http://www.smc.com/index.cfm?action=customer_service_warranty.

All products that are replaced become the property of SMC. Replacement products may
be either new or reconditioned. Any replaced or repaired product carries either a 30-day
limited warranty or the remainder of the initial warranty, whichever is longer. SMC is not
responsible for any custom software or firmware, configuration information, or memory
data of Customer contained in, stored on, or integrated with any products returned to
SMC pursuant to any warranty. Products returned to SMC should have any
customer-installed accessory or add-on components, such as expansion modules,
removed prior to returning the product for replacement. SMC is not responsible for these
items if they are returned with the product.

Customers must contact SMC for a Return Material Authorization number prior to
returning any product to SMC. Proof of purchase may be required. Any product returned
to SMC without a valid Return Material Authorization (RMA) number clearly marked on
the outside of the package will be returned to customer at customer’s expense. For
warranty claims within North America, please call our toll-free customer support number
at (800) 762-4968. Customers are responsible for all shipping charges from their facility to
SMC. SMC is responsible for return shipping charges from SMC to customer.

WARRANTIES EXCLUSIVE: IF AN SMC PRODUCT DOES NO T OPERATE AS
WARRANTED ABOVE, CUSTOMER’S SOLE REMEDY SHALL BE REPAIR OR
REPLACEMENT OF THE PRODUCT IN QUESTION, AT SMC’S OPTION. THE
FOREGOING WARRANTIES AND REMEDIES ARE EXCLUSIVE AND ARE IN LIEU OF
ALL OTHER WARRANTIES OR CON DITIONS, EXPRESS OR IMPLIED, EITH ER I N
FACT OR BY OPERATION OF LAW, STATUTORY OR OTHERWISE, INCLUDING
WARRANTIES OR CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A
PAR TICULAR PURPOSE. SMC NEITHER ASSUMES NOR AUTHORIZES ANY OT HER
PERSON TO ASSUME FOR IT ANY OTHER LIABILITY IN CONNECTION WITH THE
SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS. SMC SHALL

i

NOT BE LIABLE UNDER THIS WARRANTY IF ITS TESTING AND EXAMINATION
DISCLOSE THE ALLEGED DEFECT IN THE PRODUCT DOES NOT EXIST OR WAS
CAUSED BY CUSTOMER’S OR ANY THIRD PERSON’S MISUSE, NEGLECT,
IMPROPER INSTALLATION OR TESTING, UNAUTHORIZED ATTEMPTS TO REP AIR,
OR ANY OTHER CAUSE BEYOND THE RANGE OF THE INTENDED USE, OR BY
ACCIDENT, FIRE, LIGHTNING, OR OTHER HAZARD.

LIMITATION OF LIABILITY: IN NO EVENT, WHETHER BASED IN CONTRACT OR
TORT (INCLUDING NEGLIGENCE), SHALL SMC BE LIABLE FOR INCIDENTAL,
CONSEQUENTIAL, INDIRECT , S PECIAL, OR PUNITIVE DAMAGES OF ANY KIND, OR
FOR LOSS OF REVENUE, LOSS OF BUSINESS, OR OTHER FINANCIAL LOSS
ARISING OUT OF OR IN CONNECTION WITH THE SALE, I N STALLA TION,
MAINTENANCE, USE, PERFORMANCE, FAILURE, OR INTERRUPTION OF ITS
PRODUCTS, EVEN IF SMC OR ITS AUTHORIZED RESELLER HAS BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES.

SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR
THE LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES FOR
CONSUMER PROD UCTS, SO THE ABOVE LIMITATI O N S AN D EXCLUSIONS MAY
NOT APPLY T O YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS,
WHICH MAY VARY FROM STATE TO STATE. NOTHING IN THIS WARRANTY SHALL
BE TAKEN T O AFFECT YOUR STATUTORY RIGHTS.

* SMC will provide warranty service for one year following discontinuance from the active
SMC price list. Under the limited lifetime warranty, internal and external power supplies,
fans, and cables are covered by a standard one-year warranty from date of purchase.

SMC Networks, Inc.

20 Mason

Irvine, CA 92618

ii

Contents

Chapter 1: Introduction 1-1

Key Features 1-1
Description of Software Features 1-2
System Defaults 1-5

Chapter 2: Initial Configuration 2-1

Connecting to the Switch 2-1

Configuration Options 2-1
Required Connections 2-2
Remote Connections 2-3

Basic Configuration 2-3

Console Connection 2-3
Setting Passwords 2-4
Setting an IP Address 2-4

Manual Configuration 2-5
Dynamic Configuration 2-5

Enabling SNMP Management Access 2-6

Community Strings (for SNMP version 1 and 2c clients) 2-7
Trap Receivers 2-7
Configuring Access for SNMP Version 3 Clients 2-8

Saving Configuration Settings 2-8

Managing System Files 2-9

Chapter 3: Configuring the Switch 3-1

Using the Web Interface 3-1
Navigating the Web Browser Interface 3-2

Home Page 3-2

Configuration Options 3-2
Panel Display 3-3
Main Menu 3-3
Basic Configuration 3-10

Displaying System Information 3-10

Displaying Switch Hardware/Software Versions 3-11

Displaying Bridge Extension Capabilities 3-12

Setting the Switch’s IP Address 3-14

Manual Configuration 3-15
Using DHCP/BOOTP 3-16

Enabling Jumbo Frames 3-17

iii

Contents

Managing Firmware 3-18

Downloading System Software from a Server 3-18
Saving or Restoring Configuration Settings 3-20

Downloading Configuration Settings from a Server 3-21
Console Port Settings 3-22
Telnet Settings 3-24
Configuring Event Logging 3-26

Displaying Log Messages 3-26

System Log Configuration 3-27

Remote Log Configuration 3-29

Simple Mail Transfer Protocol 3-30
Resetting the System 3-32
Setting the System Clock 3-32

Configuring SNTP 3-32

Setting the Time Zone 3-33

Simple Network Management Protocol 3-34

Enabling the SNMP Agent 3-36
Setting Community Access Strings 3-36
Specifying Trap Managers and Trap Types 3-37
Configuring SNMPv3 Management Access 3-39

Setting the Local Engine ID 3-40

Specifying a Remote Engine ID 3-40

Configuring SNMPv3 Users 3-41

Configuring Remote SNMPv3 Users 3-43

Configuring SNMPv3 Groups 3-45

Setting SNMPv3 Views 3-48

User Authentication 3-50

Configuring User Accounts 3-50
Configuring Local/Remote Logon Authentication 3-51
Configuring HTTPS 3-54

Replacing the Default Secure-site Cert ific at e 3-56
Configuring the Secu re Shell 3-56

Configuring the SSH settings 3-58

Generating the Host Key Pair 3-59

Generating the User Public Key Pair 3-61
Configuring Port Security 3-63
Configuring 802.1X Port Authentication 3-64

Displaying 802.1X Global Settings 3-66

Configuring 802.1X Global Settings 3-66

Configuring Port Settings for 802.1X 3-67

Displaying 802.1X Statistics 3-70

Access Control Lists 3-72

Configuring Access Control Lists 3-72

Setting the ACL Name and Type 3-72

Configuring a Standard IP ACL 3-73

iv

Contents

Configuring an Extended IP ACL 3-74
Configuring a MAC ACL 3-77

Binding a Port to an Access Control List 3-78
Filtering Management Access 3-79
Port Configuration 3-81

Displaying Connection Status 3-81

Configuring Interface Connections 3-83

Creating Trunk Groups 3-85

Statically Configuring a Trunk 3-86
Enabling LACP on Selected Ports 3-88
Configuring LACP Parameters 3-89
Displaying LACP Port Counters 3-91
Displaying LACP Settings and Status for the Local Side 3-92

Displaying LACP Settings and Status for the Remote Side 3-94
Setting Broadcast Storm Thresholds 3-96
Configuring Port Mirroring 3-97
Configuring Rate Limits 3-98

Rate Limit Configuration 3-98
Showing Port Statistics 3-99

Power over E thernet Settings 3-104

Switch Power Status 3-105
Setting a Switch Power Budget 3-106
Displaying Port Power Status 3-106
Configuring Port PoE Power 3-107

Address Table Settings 3-108

Setting Static Addresses 3-108
Displaying the Addres s Table 3-109
Changing the Aging Time 3-110

Spanning Tree Algorithm Configuration 3-111

Displaying Global Settings 3-112
Configuring Global Settings 3-114
Displaying Interface Settings 3-118
Configuring Interface Settings 3-121

VLAN Configuration 3-123

Overview 3-123

Assigning Ports to VLANs 3-123

Forwarding Tagged/Untagged Frames 3-125
Displaying Basic VLAN Information 3-126
Displaying Current VLANs 3-126
Creating VLANs 3-128
Adding Static Members to VLANs (VLAN Index) 3-129
Adding Static Members to VLANs (Port Index) 3-131
Configuring VLAN Behavior fo r Interfaces 3-132
Configuring Private VLANs 3-133

Displaying Current Private VLANs 3-134

v

Contents

Configuring Private VLANs 3-135
Associating VLANs 3-136
Displaying Private VLAN Interface Information 3-136
Configuring Private VLAN Interfaces 3-137

Configuring Protocol VLANs 3-139

Configuring Protocol VLAN Basic Settings 3-139
Configuring Protocol VLAN System 3-140

LLDP 3-140

Configuring Basic LLDP Time Information 3-140
Configuring LLDP Port and Trunk Information 3-141
Displaying LLDP Local and Remote Device Informat ion 3-143

Class of Service Configuration 3-145

Setting the Default Priority for Interfaces 3-146
Mapping CoS Values to Egress Queues 3-147
Enabling CoS 3-149
Selecting the Queue Mode 3-149
Setting the Service Weight for Traffic Classes 3-150
Mapping Layer 3/4 Priorities to CoS Values 3-151
Selecting IP DSCP Priority 3-151
Mapping DSCP Priority 3-152

Quality of Service 3-153

Configuring Quality of Service Parameters 3-154
Configuring a Class Map 3-154
Creating QoS Policies 3-157
Attaching a Policy Map to Ingress Queues 3-160

Multicast Filtering 3-161

IGMP Protocol 3-161
Layer 2 IGMP (Snooping and Query) 3-162

Configuring IGMP Snooping and Query Parameters 3-162
Displaying Interfaces Attached to a Multicast Router 3-164
Specifying Static Interfaces for a Multicast Router 3-165
Displaying Port Members of Multicast Services 3-166
Assigning Ports to Multicast Services 3-167

Multicast VLAN Registration 3-168

Configuring Global MVR Settings 3-169
Displaying MVR Interface Status 3-170
Displaying Port Members of Multicast Groups 3-171
Configuring MVR Interface Status 3-172
Assigning Static Multicast Groups to Interfaces 3-174

DHCP Snooping 3-175

DHCP Snooping Configuration 3-176
DHCP Snooping VLAN Configuration 3-176
DHCP Snooping Information Option Configuration 3-177
DHCP Snooping Port Configuration 3-178
DHCP Snooping Binding Information 3-179

vi

Contents

IP Source Guard 3-180

IP Source Guard Port Configuration 3-180
Static IP Source Guard Binding Configuration 3-181
Dynamic IP Source Gua rd Binding Information 3-182

Switch Clus tering 3-183

Cluster Configuration 3-184
Cluster Member Configuration 3-185
Cluster Member Information 3-185
Cluster Candidate Information 3-186

UPnP 3-187

UPnP Configuration 3-188

Chapter 4: Command Line Interface 4-1

Using the Command Line Interface 4-1

Accessing the CLI 4-1
Console Connection 4-1
Telnet Connection 4-1

Entering Commands 4-3

Keywords and Arguments 4-3
Minimum Abbreviation 4-3
Command Completion 4-3
Getting Help on Commands 4-3

Showing Commands 4-3
Partial Keyword Lookup 4-5
Negating the Effect of Commands 4-5
Using Command History 4-5
Understanding Command Modes 4-5
Exec Commands 4-6
Configuration Commands 4-6
Command Line Processing 4- 7

Command Groups 4-8
Line Commands 4-9

line 4-10
login 4-11
password 4-12
timeout login response 4-13
exec-timeout 4-13
password-thresh 4-14
silent-time 4-15
databits 4-15
parity 4-16
speed 4-16
stopbits 4-17
disconnect 4-17

vii

Contents

show line 4-18

General Commands 4-19

enable 4-19
disable 4-20
configure 4-20
show history 4-21
reload 4-21
end 4-22
exit 4-22
quit 4-23

System Management Commands 4-23

Device Designation Commands 4-24

prompt 4-24
hostname 4-25

User Access Commands 4-25

username 4-25
enable password 4-26

IP Filter Commands 4-27

management 4-27
show management 4-28

Web Server Commands 4-29

ip http port 4-29
ip http server 4-30
ip http secure-server 4-30
ip http secure-port 4-31

Telnet Server Commands 4-32

ip telnet server 4-32
ip telnet server port 4-32

Secure Shell Commands 4-33

ip ssh server 4-35
ip ssh timeout 4-36
ip ssh authentication-retries 4-37
ip ssh server-key size 4-37
delete public-key 4-38
ip ssh crypto host-key generate 4-38
ip ssh crypto zeroize 4-39
ip ssh save host-key 4-39
show ip ssh 4-40
show ssh 4-40
show public-key 4-41

Event Logging Commands 4-43

logging on 4-43
logging history 4-44
logging host 4-45
logging facility 4-45

viii

Contents

logging trap 4-46

clear logging 4-46

show logging 4-47

show log 4-48
SMTP Alert Commands 4-49

logging sendmail host 4-49

logging sendmail level 4-50

logging sendmail source-email 4-51

logging sendmail destination-email 4-51

logging sendmail 4-52

show logging sendmail 4-52
Time Commands 4-53

sntp client 4-53

sntp server 4-54

sntp poll 4-55

show sntp 4-55

clock timezone 4-56

calendar set 4-56

show calendar 4-57
System Status Commands 4-57

show startup-config 4-57

show running-config 4-59

show system 4-60

show users 4-61

show version 4-62
Frame Size Commands 4-63

jumbo frame 4-63

Flash/File Commands 4-64

copy 4-64
delete 4-67
dir 4-67
whichboot 4-68
boot system 4-69

Authentication Commands 4-70

Authentication Sequence 4-70

authentication login 4-70

authentication enable 4-71
RADIUS Client 4-72

radius-server host 4-72

radius-server port 4-73

radius-server key 4-74

radius-server retransmi t 4-74

radius-server timeo ut 4-75

show radius-server 4-75
TACACS+ Client 4-76

ix

Contents

tacacs-server host 4-76
tacacs-server port 4-76
tacacs-server key 4-77
show tacacs-server 4-77

Port Security Commands 4-78

port security 4-78

802.1X Port Authentication 4-80
dot1x system-auth-control 4-80
dot1x default 4-81
dot1x max-req 4-81
dot1x port-control 4-81
dot1x operation-mode 4-82
dot1x re-authenticate 4-83
dot1x re-authentication 4-83
dot1x timeout quiet-period 4-83
dot1x timeout re-authperiod 4-84
dot1x timeout tx-period 4-84
show dot1x 4-85

Access Control List Commands 4-88

IP ACLs 4-89

access-list ip 4-89
permit, deny (Standard ACL) 4-90
permit, deny (Extended ACL) 4-91
show ip access-list 4-92
ip access-group 4-92
show ip access-group 4-93
map access-list ip 4-93
show map access-list ip 4-94

ACL Information 4-95

show access-list 4-95
show access-group 4-95

SNMP Commands 4-96

snmp-server 4-96
show snmp 4-97
snmp-server community 4-98
snmp-server contact 4-99
snmp-server location 4-99
snmp-server host 4-100
snmp-server enable traps 4-102
snmp-server engine-id 4-103
show snmp eng ine-id 4-104
snmp-server view 4-105
show snmp view 4-105
snmp-server group 4-106
show snmp group 4-107

x

Contents

snmp-server user 4-109
show snmp user 4-110

Interface Commands 4-111

interface 4-111
description 4-112
speed-duplex 4-112
negotiation 4-113
capabilities 4-114
flowcontrol 4-115
shutdown 4-116
clear counters 4-116
show interfaces status 4-117
show interfaces counters 4-118
show interfaces switchport 4-119

Broadcast Commands 4-121

broadcast packet-rate 4-121
switchport broadcast 4-121

Mirror Port Commands 4-122

port monitor 4-122
show port monitor 4-123

Rate Limit Commands 4-124

rate-limit 4-124

Link Aggregation Commands 4-125

channel-group 4-126
lacp 4-127
lacp system-priority 4-128
lacp admin-key (Ethernet Interface) 4-129
lacp admin-key (Port Channel) 4-130
lacp port-priority 4-131
show lacp 4-131

Address Table Commands 4-135

mac-addr ess-table static 4-135
clear mac-address-tab le dyn am ic 4 -136
show mac-address-table 4-137
mac-address-table aging-time 4-138
show mac-address-table aging-time 4-138

Spanning Tree Commands 4-139

spanning-tree 4-139
spanning-tree mode 4-140
spanning-tree forward-time 4-141
spanning-tree hello-time 4-142
spanning-tree max-age 4-142
spanning-tree priority 4-143
spanning-tree pathcost method 4-144
spanning-tree transmission-limit 4-144

xi

Contents

spanning-tree spanning-disabled 4-145
spanning-tree cost 4-145
spanning-tree port-priority 4-146
spanning-tree edge-port 4-147
spanning-tree portfast 4-148
spanning-tree link-type 4-148
spanning-tree protocol-migration 4-149
show spanning-tree 4-150

VLAN Commands 4-152

Editing VLAN Groups 4-152

vlan database 4-152
vlan 4-153

Configuring VLAN Interfaces 4-154

interface vlan 4-154
switchport mode 4-155
switchport acceptable-frame-types 4-155
switchport ingress-filtering 4-156
switchport native vlan 4-157
switchport allowed vlan 4-157
switchport forbidden vlan 4-158

Displaying VLAN Information 4-159

show vlan 4-159

Configuring Private VLANs 4-160

private-vlan 4-161
private vlan association 4-162
switchport mode private-vlan 4-162
switchport private-vlan host-association 4-163
switchport private-vlan mapping 4-164
show vlan private-vlan 4-164

GVRP and Bridge Extension Commands 4-165

bridge-ext gvrp 4-165
show bridge-ext 4-166
switchport gvrp 4-166
show gvrp configuration 4-167
garp timer 4-167
show garp timer 4-168

Priority Commands 4-169

Priority Commands (Layer 2) 4-170

queue mode 4-170
switchport priority default 4-171
queue bandwidth 4-172
queue cos-map 4-172
show queue mode 4-173
show queue bandwidth 4-174
show queue cos-map 4-174

xii

Contents

Priority Commands (Layer 3 and 4) 4-175

map ip dscp (Global Configuration) 4-175
map ip dscp (Interface Configuration) 4-176
show map ip dscp 4-177

Multicast F iltering Commands 4-178

IGMP Snooping Commands 4-178

ip igmp snooping 4-178
ip igmp snooping vlan static 4-179
ip igmp snooping version 4-179
ip igmp snooping immediate-leave 4-180
show ip igmp snooping 4-180
show mac-address-table multicast 4-181

IGMP Query Commands (Layer 2) 4-182

ip igmp snooping querier 4-182
ip igmp snooping query-count 4-182
ip igmp snooping query-interval 4-183
ip igmp snooping qu ery-max-response-time 4-184
ip igmp snooping router-port-expire-time 4-185

Static Multicast Routing Commands 4-185

ip igmp snooping vlan mrouter 4-185
show ip igmp snooping mrouter 4-186

IGMP Filtering and Throttling Commands 4-187

ip igmp filter (Global Configuration) 4-187
ip igmp profile 4-188
permit, deny 4-189
range 4-189
ip igmp filter (Interface Configuration) 4-190
ip igmp max-groups 4-191
ip igmp max-groups action 4-191
show ip igmp filter 4-192
show ip igmp profile 4-193
show ip igmp throttle interface 4-193

Multicast VLAN Registration Commands 4-194

mvr (Global Configuration) 4-194
mvr (Interface Configuration) 4-195
show mvr 4-197

LLDP 4-199

lldp transmit-interva l 4-201
lldp transmit-delay 4-201
lldp transmit-hold 4-202
lldp reinit-delay 4-202
lldp notification-interval 4-203
lldp 4-204
lldp basic-tlv management-address 4-204
lldp basic-tlv description 4-205

xiii

Contents

lldp basic-tlv system-capabilities 4-206
lldp basic-tlv system-description 4-206
lldp basic-tlv system-name 4-207
lldp notification 4-207
lldp dot1-tlv port-vlan-id 4-208
lldp dot1-tlv port-protocol-vlan-id 4-209
lldp dot1-tlv vlan-name 4-209
lldp dot1-tlv protocol-identity 4-210
lldp dot3- tlv mac-phy 4-210
lldp dot3- tlv link-aggregation 4-211
lldp dot3-tlv power-via-mdi 4-211
lldp dot3- tlv maximum-frame-size 4-212
show lldp config 4-212
show lldp info local-device 4-213
show lldp info remote-device 4-214
show lldp info statistics 4-215

UPnP 4-216

UPnP Configuration 4-216

upnp device 4-217
upnp devic e ttl 4-217
upnp device advertise duration 4-218
show upnp 4-218

IP Interface Commands 4-219

Basic IP Configuration 4-219

ip address 4-219
ip dhcp restart 4-220
ip default-gateway 4-221
show ip interface 4-222
show ip redirect s 4-222
ping 4-222

IP Source Guard Commands 4-223

ip source-guard 4-224
ip source-guard binding 4-225
show ip source-guard 4-227
show ip source-guard binding 4-227

DHCP Snooping Commands 4-227

ip dhcp snooping 4-228
ip dhcp snooping vlan 4-230
ip dhcp snooping trust 4-230
ip dhcp snooping verify mac-address 4-231
ip dhcp snooping information option 4-232
ip dhcp snooping information policy 4-233
ip dhcp snooping da tabase flash 4-233
show ip dhcp snooping 4-234
show ip dhcp snooping binding 4-234

xiv

Contents

Switch Cluster Commands 4-235

cluster 4-235
cluster commander 4-236
cluster ip-pool 4 -236
cluster member 4-237
rcommand 4-238
show cluster 4-238
show cluster members 4-239
show cluster candidates 4-239

Appendix A: Software Specifications A-1

Software Features A-1
Management Features A- 2
Standards A-2
Management Informa tio n Bases A-3

Appendix B: Troubleshooting B-1

Problems Accessing the Management Interface B-1
Using System Logs B-2

Glossary

Index

xv

Contents

xvi

Tables

Table 1-1 Key Features 1-1
Table 1-2 System Defaults 1-5
Table 3-1 Configuration Options 3-2
Table 3-2 Main Menu 3-3
Table 3-3 Logging Levels 3-27
Table 3-4 SNMPv3 Security Models and Levels 3-35
Table 3-5 Supported Notification Messages 3-45
Table 3-6 HTTPS Support 3-55
Table 3-7 802.1X Statistics 3-70
Table 3-8 LACP Port Counter Information 3-91
Table 3-9 LACP Settings 3-92
Table 3-10 LACP Remote Side Setting s 3-94
Table 3-11 Port Statistics 3-100
Table 3-12 Egress Queue Priority Mapping 3-147
Table 3-13 CoS Priority Levels 3-147
Table 3-14 Mapping DSCP Priority 3-152
Table 4-1. Command Modes 4-5
Table 4-2. Configuration Commands 4-7
Table 4-3. Keystroke Commands 4-7
Table 4-4. Command Group Index 4-8
Table 4-5. Line Command Syntax 4-9
Table 4-6. General Commands 4-19
Table 4-7. System Management Commands 4-23
Table 4-8. Device Designation Commands 4-24
Table 4-9. User Access Commands 4-25
Table 4-10. Default Login Settings 4-26
Table 4-11. IP Filter Commands 4-27
Table 4-12. Web Server Command 4-29
Table 4-13. HTTPS System Support 4-31
Table 4-14. Telnet Server Commands 4-32
Table 4-15. Secure Shell Commands 4-33
Table 4-16. show ssh - display description 4-41
Table 4-17. Event Logging Commands 4-43
Table 4-18. Logging Levels 4-44
Table 4-19. show logging flash/ram - display description 4-48
Table 4-20. show logging trap - display description 4-48
Table 4-21. SMTP Alert Commands 4-49
Table 4-22. Time Commands 4-53
Table 4-23. System Status Commands 4-57
Table 4-24. Frame Size Commands 4-63
Table 4-25. Flash/File Commands 4-64
Table 4-26. File Directory Information 4-68

xvii

Tables

Table 4-27. Authentication Commands 4-70
Table 4-28. Authentication Sequence 4-70
Table 4-29. RADIUS Client Commands 4-72
Table 4-30. TACACS+ Client Commands 4-76
Table 4-31. Port Security Commands 4-78
Table 4-32. 802.1X Port Authentication Commands 4-80
Table 4-33. Access Control List Commands 4-88
Table 4-34. IP ACL Commands 4-89
Table 4-35. Egress Queue Priority Mapping 4-94
Table 4-36. ACL Information 4-95
Table 4-37. SNMP Commands 4-96
Table 4-38. show snmp engine-id - display description 4-104
Table 4-39. show snmp view - display description 4-106
Table 4-40. show snmp group - display description 4-108
Table 4-41. show snmp user - display description 4-110
Table 4-42. Interface Commands 4-111
Table 4-43. show interfaces switchport - display description 4-120
Table 4-44. Broadcast Commands 4-121
Table 4-45. Mirror Port Commands 4-122
Table 4-46. Rate Limit Commands 4-124
Table 4-47. Link Aggregation Commands 4-125
Table 4-48. show lacp counters - display description 4-132
Table 4-49. show lacp internal - display description 4-133
Table 4-50. show lacp neighbors - display description 4-134
Table 4-52. Address Table Commands 4-135
Table 4-51. show lacp sysid - display description 4-135
Table 4-53. Spanning Tree Commands 4-139
Table 4-54. VLAN Commands 4-152
Table 4-55. Editing VLAN Groups 4-152
Table 4-56. Configuring VLAN Interfaces 4-154
Table 4-57. Displaying VLAN Information 4-159
Table 4-58. Private VLAN Commands 4-160
Table 4-59. GVRP and Bridge Extension Commands 4-165
Table 4-60. Priority Commands 4-169
Table 4-61. Priority Commands (Layer 2) 4-170
Table 4-62. Default CoS Priority Levels 4-173
Table 4-63. Priority Commands (Layer 3 and 4) 4-175
Table 4-64. Mapping IP DSCP to CoS Values 4-176
Table 4-65. Multicast Filtering Commands 4-178
Table 4-66. IGMP Snooping Commands 4-178
Table 4-67. IGMP Query Commands (Layer 2) 4-182
Table 4-68. Static Multicast Routing Commands 4-185
Table 4-69. IGMP Filtering and Throttling Commands 4-187
Table 4-70. Multicast VLAN Registration Commands 4-194
Table 4-71. show mvr - display description 4-198

xii

Tables

Table 4-72. show mvr interface - display description 4-198
Table 4-73. show mvr members - display description 4-199
Table 4-74. LLDP Commands 4-199
Table 4-75. UPnP Commands 4-216
Table 4-76. IP Interface Commands 4-219
Table 4-77. IP Source Guard Commands 4-224
Table 4-78. DHCP Snooping Commands 4-227
Table 4-79. Switch Cluster Commands 4-235
Table 2-1. Troubleshooting Chart B-1

xii

Figures

Figure 3-1. Homepage 3-2
Figure 3-2. Panel Display 3-3
Figure 3-3. System Information 3-10
Figure 3-4. Switch Information 3-12
Figure 3-5. Bridge Extension Configuration 3-13
Figure 3-6. Manual IP Configuration 3-15
Figure 3-7. DHCP IP Configuration 3-16
Figure 3-8. Enabling Jumbo Frames 3-17
Figure 3-9. Copy Firmware 3-19
Figure 3-10. Setting the Startup Code 3-19
Figure 3-11. Deleting Files 3-19
Figure 3-12. Downloading Configuration Settings for Startup 3-21
Figure 3-13. Setting the Startup Configuration Settings 3-21
Figure 3-14. Console Port Setting 3-23
Figure 3-15. Enabling Telnet 3-25
Figure 3-16. Displaying Logs 3-27
Figure 3-17. System Logs 3-28
Figure 3-18. Remote Logs 3-29
Figure 3-19. Enabling and Configuring SMTP 3-31
Figure 3-20. Resetting the System 3-32
Figure 3-21. SNTP Configuration 3-33
Figure 3-22. Setting the Time Zone 3-34
Figure 3-23. Enabling the SNMP Agent 3-36
Figure 3-24. Configuring SNMP Community Strings 3-37
Figure 3-25. Configuring SNMP Trap Managers 3-39
Figure 3-26. Setting an Engine ID 3-40
Figure 3-27. Setting an Engine ID 3-41
Figure 3-28. Configuring SNMPv3 Users 3-42
Figure 3-29. Configuring Remote SNMPv3 Users 3-44
Figure 3-30. Configuring SNMPv3 Groups 3-47
Figure 3-31. Configuring SNMPv3 Views 3-49
Figure 3-32. Access Levels 3-51
Figure 3-33. Authentication Settings 3-53
Figure 3-34. HTTPS Settings 3-55
Figure 3-35. SSH Server Settings 3-59
Figure 3-36. SSH Host-Key Settings 3-60
Figure 3-37. SSH User Public-Key Settings 3-62
Figure 3-38. Configuring Port Security 3-64
Figure 3-39. 802.1X Global Information 3-66
Figure 3-40. 802.1X Global Configuration 3-67
Figure 3-41. 802.1X Port Configuration 3-68
Figure 3-42. Displaying 802.1X Port Statistics 3-71

xx

Figures

Figure 3-43. Naming and Choosing ACLs 3-73
Figure 3-44. Configuring Standard IP ACLs 3-74
Figure 3-45. Configuring Extended IP ACLs 3-76
Figure 3-46. Configuring MAC ACLs 3-78
Figure 3-47. Mapping ACLs to Port Ingress Queues 3-79
Figure 3-48. Filtering Management Access 3-80
Figure 3-49. Port Status Information 3-81
Figure 3-50. Configuring Port Attributes 3-84
Figure 3-51. Static Trunk Configuration 3-87
Figure 3-52. LACP Port Configuration 3-88
Figure 3-53. LACP Aggregation Port Configuration 3-90
Figure 3-54. Displaying LACP Port Counters Information 3-92
Figure 3-55. Displaying LACP Port Information 3-93
Figure 3-56. Displaying Remote LACP Port Information 3-95
Figure 3-57. Enabling Port Broadcast Control 3-96
Figure 3-58. Configuring a Mirror Port 3-98
Figure 3-59. Configuring Input Port Rate Limi ting 3-99
Figure 3-60. Displaying Port Statistics 3-102
Figure 3-61. Displaying Etherlike and RMON Statistics 3-103
Figure 3-62 Displaying the Global PoE Status 3-105
Figure 3-63 Setting the Switch Power Budget 3-106
Figure 3-64 Displaying Port PoE Status 3-107
Figure 3-65 Configuring Port PoE Power 3-108
Figure 3-66. Mapping Ports to Static Addresses 3-109
Figure 3-67. Displaying the MAC Dynamic Address Table 3-110
Figure 3-68. Setting the Aging Time 3-111
Figure 3-69. Displaying the Spanning Tree Algorithm 3-114
Figure 3-70. Configuring the Spanning Tree Algorithm 3-117
Figure 3-71. Displaying STA - Port Status Information 3-120
Figure 3-72. Configuring Spanning Tree Algorithm per Port 3-122
Figure 3-73. Displaying Basic VLAN Information 3-126
Figure 3-74. Displaying VLAN Information by Port Membership 3-127
Figure 3-75. Creating Virtual LANs 3-129
Figure 3-76. Configuring VLAN Port Attributes 3-130
Figure 3-77. Assigning VLAN Port and Trunk Groups 3-131
Figure 3-78. Configuring VLAN Ports 3-133
Figure 3-79. Private VLAN Information 3-134
Figure 3-80. Private VLAN Configuration 3-135
Figure 3-81. Private VLAN Association 3-136
Figure 3-82. Private VLAN Port Information 3-137
Figure 3-83. Private VLAN Port Configuration 3-138
Figure 3-84. Protocol VLAN Configuration 3-139
Figure 3-85. Protocol VLAN Port Configuration 3-140
Figure 3-86. LLDP Configuration 3-141
Figure 3-87. LLDP Port Configuration 3-142

xxi

Figures

Figure 3-88. LLDP Local Device Information 3-143
Figure 3-89. LLDP Remote Device Information 3-143
Figure 3-90. Port Priority Configuration 3-146
Figure 3-91. Configuring Class of Service 3-148
Figure 3-92. Enable Traffic Classes 3-149
Figure 3-93. Setting the Queue Mode 3-149
Figure 3-94. Configuring Queue Scheduling 3-150
Figure 3-95. IP DSCP Priority Status 3-151
Figure 3-96. Mapping IP DSCP Priority to Class of Service Values 3-152
Figure 3-97. Configuring Class Maps 3-156
Figure 3-98. Configuring Policy Maps 3-159
Figure 3-99. Service Policy Settings 3-160
Figure 3-100. Configuring Internet Group Management Protocol 3-164
Figure 3-101. Mapping Multicast Switch Ports to VLANs 3-165
Figure 3-102. Static Multicast Router Port Configuration 3-166
Figure 3-103. Displaying Port Members of Multicast Services 3-167
Figure 3-104. Specifying Multicast Port Membership 3-168
Figure 3-105. MVR Global Configuration 3-170
Figure 3-106. MVR Port Information 3-171
Figure 3-107. MVR Group IP Information 3-172
Figure 3-108. MVR Port Configuration 3-173
Figure 3-109. MVR Group Member Configuration 3-174
Figure 3-110. DHCP Snooping Configuration 3-176
Figure 3-111. DHCP Snooping VLAN Configuration 3-177
Figure 3-112. DHCP Snooping Information Option Configuration 3-178
Figure 3-113. DHCP Snooping Port Configuration 3-178
Figure 3-114. DHCP Snooping Binding Information 3-179
Figure 3-115. IP Source Guard Port Configuration 3-180
Figure 3-116. Static IP Source Guard Binding Configuration 3-182
Figure 3-117. Dynamic IP Source Guard Binding Information 3-183
Figure 3-118. Cluster Configuration 3-184
Figure 3-119. Cluster Member Configuration 3-185
Figure 3-120. Cluster Member Information 3-186
Figure 3-121. Cluster Candidate Information 3-186
Figure 3-122. UPnP Configuration 3-188

xxii

Figures

xxiii

Chapter 1: Introduction

This switch provides a broa d r ange of features for Layer 2 sw i tchi ng. It includes a
management agent th at allo w s you to configure the featur es list ed in thi s m anual.
The default configurati on can be used for most of the feat u res provided by this
switch. However, there are many options that you should conf i gur e t o m axi m i ze th e
switch’s performance for your particular network en vi ro nm ent.

Key Features

Table 1-1 Key Features

Feature Description

Configuration Backup
and Restore

Authentication Console, Telnet, web – User name / password, RADIUS, TACACS+

Access Control Lists Supports up to 32 IP
DHCP Client Supported
Port Configuration Speed, duplex mode and flow control
Rate Limiting Input rate limiting per port
Port Mirroring One port mirrored to single analysis port
Port Trunking Supports up to 8 trunks using either static or dynamic trunking (LACP)
Broadcast Storm

Control
Static Address Up to 8K MAC addresses in the forwarding table
IEEE 802.1D Bridge Supports dynamic data switching and addresses learning
Store-and-Forward

Switching
Spanning Tree

Protocol
Virtual LANs Up to 255 using IEEE 802.1Q, port-based, protocol-based, or private

LLDP Link Layer Discovery Protocol (LLDP) is used to discover basic information

Traffic Prioritization Default port priority, traffic class map, queue scheduling, Differentiated

Backup to TFTP server

Web – HTTPS; Telnet – SSH
SNMP v1/v2c/v3– Community strings
Port – IEEE 802.1X, MAC address filtering

Supported

Supported to ensure wire-speed switching while eliminating bad frames

Supports standard STP and Rapid Spanning Tree Protocol (RSTP)

VLANs

about neighboring devices on th e local broadcast domain.

Services Code Point (DSCP), and TCP/UDP Port

1-1

Introduction

1

Table 1-1 Key Features (Continued)

Feature Description

Multicast Filtering Supports IGMP snooping and query

Description of Software Features

The switch provides a wide range of advanced performance enhancing features.
Flow control eliminate s th e loss of packets due to bottlenecks caused by port
saturation. Broadcast storm suppression prevents broadcast traffic storms from
engulfi ng the network. Port-based and protocol-base d VLANs, plus support for
automatic GVRP VLAN registration provide traffic secu rit y and efficient use of
network bandwidth. CoS priority queueing ensures t he m ini m um delay for moving
real-time multimedia da ta acr os s th e network. While multicas t fi lter i ng provides
support for real-time net wor k applications. Some of the m anagement features are
briefly described below.

Configur ati on Back up and Resto re – You can save the cu rren t con fig urat io n sett ings
to a file on a TFTP server, and later download this file to res to re th e swi t ch
configuration setting s.

Authentication – This switch authenticates management access via the console
port, Telnet or web browser. User names and passwords can be configured locally or
can be verified via a remote authentication server (i.e., RADIUS or TACACS+).
Port-based authentication is also supported via the IEEE 802.1X protocol. This
protocol uses the Extensible Authentication Protocol over LANs (EAPOL) to request
a user name and password from the 802.1X client, and then verifies the client’s right
to access the network vi a an au t hentication server.

Other authentication options include HTTPS for secure management access via the
web, SSH for secure man agement access over a Telnet-equivalent connection,
SNMP Version 3, IP address filtering for SN M P/ w eb /Telnet management access,
and MAC address filte ring for port access.

Access Control Lists – ACLs prov id e packe t filter ing for IP frames (based on
address, protocol, TCP/U DP port number or TCP control co de) or any fra m es
(based on MAC address or Ethernet type). ACLs can by used to improve
performance by block ing unnecessary networ k t ra ffic or to im pl em ent security
controls by restrictin g access to specific networ k r esources or protocols.

Port Configuration – You can manually configure the speed, duplex mode, and
flow control used on spe ci fic p or ts, or use aut o- negotiation to detect th e con n e ct io n
settings used by the attache d device. Use the full-du plex mode on ports whenever
possible to double the throughput of switch connections. Flow control should also be
enabled to control networ k t ra ffic duri ng periods of congestion a nd prevent the loss
of packets when port buffer threshold s ar e ex ceeded. The switch sup ports flow
control based on the IEEE 802. 3x standard.

1-2

Description of Software Features

Rate Limiting – This feature controls the maximum rate for traffic receiv ed on an
interface. Rate limiting is configured on interfaces at the edge of a network to limit
traffic into the network. Packets that exceed the acceptable amount of traffic are
dropped.

Port Mirroring – The switch can unobtr usi vely mirror traffic from any port t o a
monitor port. You can then attach a protocol analyzer or RMON probe to this port to
perform traffic analysis and verify connection integrity.

Port Trunking – Ports can be combined into an aggregate connection. Trunks can
be manually set up or dynamically configured using IEEE 802.3ad Link Aggregation
Control Protocol (LACP). The add itional ports dramatically increase the th ro ughput
across any connecti on, and provide redundan cy by taking over the load if a port in
the trunk should fail. The switch supports up to 8 trunk s.

Broadcast Storm Control – Broadcast suppression prevents broadcast traffic from
overwhelming the netw or k. W hen enabled on a port, the lev el of broadcast traffic
passing through the port is rest r ic t ed. If broadcast traffic rises above a pr e- defined
threshold, it will be throttle d unt i l the level fa lls back beneath the thresho ld .

Static Addresses – A static address can be assigned to a sp ecific interface on this
switch. Static addresses are bound to the assigned interface and will not be moved.
When a static address is seen on another interface, the address will be ignored and
will not be written to the add re ss tab le . Static addresses ca n be used to provide
network security b y restricting access for a known host to a specific port.

IEEE 802.1D Bridge – The swit ch s upports IEEE 802.1D transparent br id ging. The
address table facilitates data switch ing by learning addresses , and then filtering or
forwarding traffic based on thi s in fo rmation. The address table su pp orts up to 8K
addresses.

Store-and-Forward Switching – The switch copies each frame in to its memory
before forwarding them to another port. This ensures that all frames are a standard
Ethernet size and have bee n verified for accuracy wit h th e cy cl ic red undancy check
(CRC). This prevents bad fram es from entering the netwo rk and w asting bandwidth.

To avoid dropping frames on congested ports, the switch prov i des 1.5 M B fo r frame
buffering. This buffer can queue packets awaiting transmission on congested
networks.

Spanning Tree Protocol – The switch supports these spanning tree prot ocols:
Spanning Tree Protocol (STP, IEEE 802.1D) – This pro tocol adds a level of fault

tolerance by allowing tw o or more redundant connect i on s to be created between a
pair of LAN segments. When ther e ar e m ul t i ple physical paths between seg m ents,
this protocol will choose a single path and disable all others to ensure that only one
route exists between any tw o stations on the network. This prev ents the creation of
network loops. However, if the chosen path should f ai l for any reason, an alternate
path will be activated to maintain the connection.

Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the
convergence time for network topology changes to about 10% of that required by the

1

1-3

Introduction

1

older IEEE 802.1D STP standard. It is intended as a complete replacement for STP,
but can still interoperate w ith switches running the old er stand ar d by automatically
reconfiguring ports to STP-com pli ant m od e if t hey det ec t ST P pro to col messages
from attached devices.

Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection
of network nodes that sha re the same collision dom ai n r egardless of their physical
location or connection poi nt in the net w ork. The switch supports tagged VLANs
based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically
learned via GVRP, or ports can be manually assigned to a specific set of VLANs.
This allows the switch to restrict traffic to the VLAN groups to which a user has been
assigned. By segment in g your network into VLANs, you can:

• Eliminate broadcast storms which severely degrade performance in a flat network.

• Simplify network mana gement for node change s/ m oves by remotely configuring
VLAN membership for a ny port, rather than having to m anually change the
network connection.

• Provide data security by restricting all traffic to the originating VLAN.

• Use private VLANs to restrict traffic to pass only between data ports and the uplink
ports, thereby isolating adjacent ports within the same VLAN, and allowing you to
limit the total number of VLAN s th at need to be configured.

Traffic Prioritization – This switch priorit iz es each packet based on the requi re d
level of service, using ei ght pr io rity queues with strict or Weight ed R o und Robin
Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on
input from the end-station application. These functions can
independent priorities for del ay - sensitive data and best -effort data.

This switch also supports sev er al com m on methods of prioritizi ng layer 3/4 traffic to
meet application requirements. Traffic can be prioritized based on the DSCP field in
the IP frame. When these services are enabled, the priorities are mapped to a Class
of Service value by the switch, and the traffic then sent to the cor r esponding output
queue.

be used to provide

Multicast Filtering – Multicast filtering is a system where network devices forward
multicast traffic only to the ports that are registered with the multicast group. Without
mulicast filtering the data packet wi ll be br oa dcast to all endstations within a LA N or
VLAN. The purpose is to keep the non-multicast group members from receiving
unsolicited packets and to prevent a possible reduction in network performance. The
switch uses IGMP Snooping and Query at Layer 2 and IGMP at Layer 3 to manage
multicast group regist ra t ion.

1-4

System Defaults

System Defaults

The switch’s system defaults are pr ovi ded in the configuration file
“Factory_Defau l t_ Config.cfg.” To reset the s witch defaults, this file shou ld be set as
the startup configuration file (page 3-20).

The following table lists some of t he basic system defaults.

Table 1-2 System Defaults

Function Parameter Default

Console Port
Connection

Authentication Privileged Exec Level Username “admin”

Web Management HTTP Server Enabled

SNMP Community Strings “pub lic” (rea d only)

Baud Rate 9600
Data bits 8
Stop bits 1
Parity none
Local Console Timeout 0 (disabled)

Password “admin”

Normal Exec Level Username “guest”

Enable Privileged Exec from
Normal Exec Level

RADIUS Authentication Disabled
TACACS Authentication Disabled

802.1X Port Authenticati on Disabled
HTTPS Enabled
SSH Disabled
Port Security Disabled
IP Filtering Disabled

HTTP Port Number 80
HTTP Secure Server Enabled
HTTP Secure Port Number 443

Traps Authentication traps: ena ble d

SNMP V3 View: defaultview

Password “guest”
Password “super”

“private” (read/write)

Link-up-down events:

Group: public (read only); private
(read/write)

enabled

1

1-5

Introduction

1

Table 1-2 System Defaults (Continued)

Function Parameter Default

Port Configuration A dm in Statu s Enabled

Auto-negotiation Enabled

Flow Control Disabled
Rate Limiting Input limits Disabled
Port Trunking Static Trunks None

LACP (all ports) Disabled
Broadcast Storm

Protection

Spanning Tree
Protocol

Address Table Aging Time 300 seconds
Virtual LANs Default VLAN 1

Traffic Prioritization Ingress Port Priority 0

IP Settings IP Address 0.0.0.0

Multicast Filtering IGMP Snooping Snooping: Enabled

Status Enabled (all ports)

Broadcast Limit Rate 500 packets per second

Status Enabled, RSTP

Fast Forwarding (Edge Port) Disabled

PVID 1

Acceptable Frame Type All

Ingress Filtering Enabled

Switchport Mode (Egress Mode) Hybrid: tagged/untagged frames

GVRP (global) Disabled

GVRP (port interface) Disabled

Weighted Round Robin Queue: 0 1 2 3 4 5 6 7

IP DSCP Priority Disabled

Subnet Mask 255.0.0.0

Default Gateway 0.0.0.0

DHCP Enabled

BOOTP Disabled

(Defaults: All values based on IEEE

802.1w)

Weight: 1 2 4 6 8 10 12 14

Querier: Enabled

1-6

System Defaults

Table 1-2 System Defaults (Continued)

Function Parameter Default

System Log Status Enabled

Messages Logged Levels 0-6 (all)

Messages Logged to Flash Levels 0-3
SMTP Email Alerts Event Handler Enabled (but no server defined)
SNTP Clock Synchronization Disabled

1

1-7

1

Introduction

1-8

Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent offers a variety
of management options, including SNMP, RMON and a Web-based interface. A PC
may also be connected di re ct l y to the sw i t ch f or configuration and monitoring via a
command line interface (CLI).

Note: The IP address for this switch is unassigned by default. To change this address,

see “Setting an IP Address” on page 22-4.

The switch ’s HTTP Web agent allows you to configure switch parameters, mo nitor
port connections, an d di splay statistics using a standard Web bro w ser such as
Netscape Navigator version 6.2 and higher or Microsoft IE version 5.0 and higher.
The switch’s Web managemen t inter fa ce can be accessed from any computer
attached to the network.

The CLI program can be ac cessed by a direct connec tion to the RS-232 serial
console port on the switch, or remotely by a Telnet connection over the network.

The switch’s management ag ent al so supports SNMP (Simple Networ k
Management Protocol ). This SN M P agent permits the switch to be managed from
any system in the netwo rk usi ng network management software such as SMC
EliteView.

The switch’s Web interface, CLI conf igur at io n pr ogram, and SNMP agent allow you
to perform the following management function s:

• Set user names and passwords

• Set an IP interface for a management VLAN

• Configure SNMP parameters

• Enable/disable any port

• Set the speed/duplex m ode for any port

• Configure the bandwidth of any port by limiting input rates

• Control port access through IEEE 802.1X security or static address filtering

• Filter packets using Access Control Lists (ACLs)

• Configure up to 255 IEEE 802.1Q VLANs

• Enable GVRP automatic VLAN registration

• Configure IGMP multicast filtering

• Upload and download system firmware via TFTP

• Upload and download switch configuration files via TFTP

2-1

Initial Configuration

2

• Configure Spanning Tree par am eters

• Configure Class of Service (CoS) priority queuing

• Configure up to 8 static or LACP trunks

• Enable port mirroring

• Set broadcast storm control on any port

• Display system information and statistics

Required Connections

The switch provides an RS- 232 serial port that enables a connection to a PC or
terminal for monitoring and configuring the switch. A null-modem conso le cable is
provided with the switch .

Attach a VT100-compatible terminal, or a PC running a terminal em ul ati on pr ogram
to the switch. You can use the console cable provided w i th th is package, or use a
null-modem cable that complies with the wiring assignments shown in the
Installation Guide.

To conn ect a terminal to the console por t, complete the following s te ps:

1. Connect the console cabl e t o t he se rial port on a terminal, or a PC run ning
terminal emulation software, and tighten the captive retaining screws on the
DB-9 connector.

2. Connect the other end of the cable to the RS-232 serial port on the switch.

3. Make sure the terminal emulation software is set as follows:

• Select the appropriate ser ial por t ( CO M por t 1 or CO M port 2).

• Set to any of these baud rates : 9600, 19200, 38400, 57600 , 11 5200
(Note: Set to 9600 baud to view al l syst em i ni t ial iz at ion m e s sages.)

• Set the data format to 8 data bits, 1 stop bit, and no parity.

• Set flow control to none.

• Set the emulation mod e to V T100.

• With HyperTermina l , se le ct Ter m i nal keys, not Windows keys.

Notes: 1. When using HyperTerminal with Microsoft® Windows® 2000, make sure that

you have Windows 2000 Service Pack 2 or later installed. Windows 2000
Service Pack 2 fixes the problem of arrow keys not functioning in
HyperTerminal’s VT100 emulation. See www.microsoft.com for information
on Windows 2000 service packs.

2. Refer to “Line Commands” on page 44-9 for a complete description of
console configuration options.

3. Once you have set up the terminal correctly, the console login screen will be
displayed.

2-2

Basic Configuration

For a description of how to use the CLI, see “Using the Command Line Interface” on
page 44-1. For a list of all the CLI comm a nds and detailed information on us in g th e
CLI, refer to “Command Groups” on page 44-8.

Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must
first configure it with a valid IP address, subnet mask, and default gateway using a
console connection, DH C P or BO O T P pr otocol.

The IP address for this switch is obtained via DHCP by default. To manually
configure this address or enable dynamic address assignment via DHCP or BOOTP ,
see “Setting an IP Addres s” on page 22-4.

Note: This switch supports four concurrent Telnet/SSH sessions.

After configuring the switch’s IP paramet er s, you can access the onboa rd
configuration program from anywhere within the attached network. The onboard
configuration program can be accessed using Telnet from any computer attached to
the network. The switch can also be managed by an y com puter using a web
browser (Internet Expl or er 5 .0 or ab ove, or Netscape Navigator 6. 2 or abo ve) , or
from a network computer using SNMP network management software.

Note: The onboard program only provides access to basic configuration functions. To

access the full range of SNMP management functions, you must use
SNMP-based network management software.

2

Basic Configuration

Console Connection

The CLI program provides two different command levels — normal access level
(Normal Exec) and privilege d access level (Privileged Exec ). The commands
available at the Normal Exe c l evel are a limited subset of thos e available at the
Privileged Exec level and onl y allow you to display inform at i on and use basic
utilities. To fully configure the swit ch parameters, you must ac cess the CLI at the
Privileged Exec level.

Access to both CLI level s ar e controlled by user name s and passwords. The switch
has a default user name and pass w or d f or each level. To log into the CLI at the
Privileged Exec level usin g t he de fa ul t user name and password, perform th ese
steps:

1. To initiat e your console connection, pr ess <Enter>. The “User Access
Ve r i f ication” procedure starts.

2. At the Username prompt, ent er “admin.”

3. The Password is blank.

2-3

Initial Configuration

2

4. The session is opened and t he C LI displays the “Console#” prompt indicating
you have access at the Privi le ged Exec level.

Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new

passwords for both default user names using the “username” command, record
them and put them in a safe place.

Passwords can consist of up t o 8 alphanumeric charact er s an d are case sensitive.
To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name and password “admin” to
access the Privileged Exec level.

2. Type “configure” and press <Enter>.

3. Type “username guest password 0 password,” for the Normal Exec level, where
password is your new password. Press <Enter>.

4. Type “username admin password 0 password,” for the Privilege d Exec level,
where password is your new password. Press < Ent er >.

Note: ‘0’ specifies the password in plain text, ‘7’ specifies the password in encrypted

form.

Username: admin
Password:

CLI session with the SMC8124PL2 is opened.
To end the CLI session, enter [Exit].

Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

Setting an IP Address

Yo u m ust establish IP address info rmation for the switch to obtain m an agement
access through the network. This can be done in eit her of the following ways:

Manual — Y ou have to input the information, including IP address and subnet mask.
If your management station is not in the same IP subnet as the switch, you will also
need to specify the defaul t gat ew ay router.

Dynamic — The switch sends IP conf igur at io n re quests to BOOTP or DHCP
address allocation ser ver s on the network.

2-4

Basic Configuration

Manual Configuration

You can manually assign an IP address to the switch. You may also need to specify
a default gateway that res i des between this device a nd m anagement stations on
another network segment. Valid IP addresses consist of four decimal numbers, 0 to
255, separated by periods. Anything outside this format will not be accepted by the
CLI program.

Note: The IP address for this switch is obtained via DHCP by default.

Before you can assign an IP address to the switch, yo u m ust obtain the following
information from your net w ork administrator:

• IP address for the switch

• Default gateway for the network

• Network mask for this network
To assign an IP address to the sw itc h, com plete the following steps:

1. From the Privileged Exec le ve l global configuration mod e pr om pt , type
“interface vlan 1” to access th e i nter fa ce-configuration mode. Pr ess <Enter>.

2. Type “ip address ip-address netmask,” where “ip-ad dr ess” is the switch IP
address and “netmask” is th e net w ork mask for the network. Pr es s <Enter>.

3. Type “exit” to return to the global configuration mo de prompt. Press <Enter>.

4. To set the IP address of the default gateway for the network to which the switch
belongs, type “ip default -g at ew ay gateway,” where “gateway” is the IP address
of the default gateway. Press <Enter>.

2

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
Console(config)#

Dynamic Configuration

If you select the “bootp” or “d hcp” o pt io n, IP will be enabled but will not function until
a BOOTP or DHCP reply has been received. You therefore need to use the “ip dhcp
restart client” command to start broadcasting service requests. Requests will be sent
periodically in an effort to obtain IP configuration information. (BOOTP and DHCP
values can include the IP ad dr ess, subnet mask, and de fa ult gat ew ay.)

If the “bootp” or “dhcp” option is saved to the sta rtup-config file (step 6), then the
switch will start broadcasting service requests as soon as it is powered on.

To automatically configure the switch by communicating with BOOTP or DHCP
address allocation ser ver s on the network, complet e t he following steps:

1. From the Global Configur at i on m ode prompt, type “interfa ce vlan 1” to access
the interface-configurati on mo de. Pr ess <Enter>.

2-5

Initial Configuration

2

2. At the interface-configur at io n m od e prompt, use one of the followi ng
commands:

• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.

• To obtain IP settings vi a BO O TP, type “ip address bootp” and press <Enter>.

3. Type “end” to return to the Privileged Exec mode. Pr ess <Enter>.

4. Type “ip dhcp restart client” to begin broadcasting service requests.
Press <Enter>.

5. Wait a few minutes, and then check t he I P configuration settings by t yping the
“show ip interface” com m and. Press <Enter>.

6. Then save your config ur at ion changes by typing “copy running-config
startup-config.” Enter the startup f i le nam e and press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart client
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.

\Write to FLASH finish.
Success.

Enabling SNMP Management Access

The switch can be configu re d to acc ept m anagement command s f ro m Simple
Network Managemen t Protocol (SNMP) applications such as SMC EliteView. You
can configure the switch to (1) respon d t o SN M P r equests or (2) generate SNMP
traps.

When SNMP management stations send requ ests to t he switch (either to return
information or to set a parameter), the switch provides the requested data or sets the
specified parameter. The switch can also be conf igured to send informatio n to
SNMP managers (witho ut bei ng requested by the manager s) th ro ugh trap
messages, which info rm t he manager that certain events ha ve occurred.

The switch in cludes an SNMP agent that supports SNMP version 1, 2c, and 3
clients. To provide management access for version 1 or 2c clients, you must specify
a community string. The switch provides a default MIB View (i.e. , an SN M Pv3
construct) for the defaul t “pu bl ic” community string that pr ov id es read access to the
entire MIB tree, and a defau lt vi ew for the “private” community string that provides

2-6

Basic Configuration

read/write access to the entire MIB tr ee. However, you may assign new views to
version 1 or 2c commun ity st r in gs that suit your specific sec ur ity r equirements (see
page 3-48).

Community Strings (for SNMP version 1 and 2c clients)

Community strings are used to control management access to SNMP version 1 and
2c stations, as well as to authori ze SNMP stations to receive trap m essages from
the switch. You therefore need to assign community strings to specified users, and
set the access level.

The default strings are:

• public - Specifies read-only acce ss. Aut horized managemen t stations are only
able to retrieve MIB objects.

• private - Specifies read-write access. Authorized manag em ent stations are able
to both retrieve and modify MI B obj ects.

T o prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is
recommended that yo u change the default comm unity strings.

To configure a community string, complete the following steps:

1. From the Privileged Exec le ve l global configuration mod e pr om pt , type

“snmp-server community string mode,” where “st ring” is the community acces s
string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that
the default mode is read onl y.)

2. To remove an existing string, sim pl y type “no snmp-serve r co m m unity string,”

where “string” is the community access string to rem ove. Press <Enter>.

2

Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#

Note: If you do not intend to support access to SNMP version 1 and 2c clients, we

recommend that you delete both of the default community strings. If there are no
community strings, then SNMP management access from SNMP v1 and v2c
clients is disabled.

Trap Receivers

Yo u can also specify SNMP stations that are to receive traps from th e sw i tch. To
configure a trap receiver, use the “snmp-server host” command. From the Privileged
Exec level global configur at i on m ode prompt, type:

“snmp-server host host-address community-string [version {1 | 2c | 3 {auth |
noauth | priv}}]”

where “host-address” is the IP address for the trap receiver, “community-string”
specifies access rights for a version 1/2c host, or is th e us er name of a version 3
host, “version” indicat es the SNMP client vers io n, and “auth | noauth | priv” me ans

2-7

Initial Configuration

2

that authentication, no aut he nt ic at i on, or authentication and pri vac y i s used for v3
clients. Then press <Enter>. For a mo re detail ed de scription of these parameter s,
see “snmp-server hos t” on page 44-100. The following ex am ple creates a trap host
for each type of SNMP client.

Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth

Console(config)#

Configuring Access for SNMP Version 3 Clients

To confi gu re management access for SN M P v 3 cl i en ts, you need to first create a
view that defines the portions of MIB that the client can read or write, assign the view
to a group, and then assign th e user to a group. The following ex am pl e creates one
view called “mib-2” that includes the entire MIB-2 tree branch, and then another view
that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/
write views to a group call “r&d” and specifies group authentication via MD5 or SHA.
In the last step, it assigns a v3 user to this grou p, indicating tha t MD5 will be used for
authentication, provides the password “greenpeace” for authentication, and the
password “einstie n” for encryption.

Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth mib-2 802.1d
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace

priv des56 einstien

Console(config)#

For a more detailed explanation on how to configure the switch for access from
SNMP v3 clients, refer to “Simple Network Management Protocol” on page 33-34, or
refer to the specific CLI co m m ands for SNMP starting on page 4-96.

Saving Configuration Settings

Configuration comma nds only modify the runnin g configuration file and are not
saved when the swit ch is rebooted. To save all your configuration changes in
nonvolatile storage, you must copy the running configuration file to the start- up
configuration file using t he “copy” command.

To save th e cur r ent configuration setting s, ent er th e fo llo w in g command:

1. From the Privileged Exec m ode prompt, type “copy running-config
startup-config” and press <Enter>.

2. Enter the name of the start-up fil e. P re ss <Enter>.

2-8

Managing System Files

Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#

Managing System Files

The switch ’ s fl ash memory su ppor ts thr ee t ypes of s yste m fi le s tha t ca n be ma nag ed
by the CLI program, Web interface, or SNMP. The switch’s file system allows files to
be uploaded and downloaded, copied, deleted , a nd set as a start-up file.

The three types of files are:

• Configuration — This file stores system configuration information and is created
when configuration settings are saved. Saved configuration files can be selected
as a system start-up file or can be uploaded via TFTP to a server for backup. A file
named “Factory_Default_Config.cfg” con ta ins al l the syst em def ault settings and
cannot be deleted from t he sy st em . See “Saving or Restoring C onfiguration
Settings” on page 33-20 for m or e i nf or m atio n.

• Operation Code — System so ftw ar e t hat is executed after boot-up, also known
as run-time code. This code runs the switch operations and provides the CLI and
Web management interfaces. See “Managing Firmware” on page 33-18 for more
information.

• Diagnostic Code — Softw ar e th at is run dur in g system boot-up, also kn ow n as
POST (Power On Self-Test).

Due to the size limit of the flas h m em or y, the switch supports only tw o operation
code files. However, you can have as many diagnostic code files an d configuration
files as available flash me m or y space allows.

In the system flash memory, one file of each type must be set as the start-up file.
During a system boot, the diagnostic and operation code files set as the start-up file
are run, and then the start-up co nf ig ur at i on f ile is loa ded.

Note that configuration files should be downloaded using a file name that reflects the
contents or usage of the file sett i ngs. If you download directl y to th e running-config,
the system will reboot, and the settings will have to be copied from the
running-config to a permanent file.

2

2-9

Initial Configuration

2

2-10

Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP Web agent. Using a Web browser you can
configure the switch and view statistics to monitor network activity. The Web agent
can be accessed by any com puter on the network using a standard Web browser
(Internet Explorer 5.0 or above, or Netscape Navigato r 6.2 or above).

Note: You can also use the Command Line Interface (CLI) to manage the switch over a

serial connection to the console port or via Telnet. For more information on using
the CLI, refer to Chapter 4: “Command Line Interface.”

Prior to accessing the switch fro m a Web browser, be sure you have first performed
the following tasks:

1. Configure the switch with a valid IP address, subnet mask, and default gateway

using an out-of-band serial connection, BOOTP or DH C P pr ot ocol. (See
“Setting an IP Address” on page 2-4.)

2. Set user names and passwords using an out-of-band serial connection. Access

to the Web agent is controlled by th e same user names and passwor ds as the
onboard configuration program. (See “S etting Passwords” on page 2-4.)

3. After you enter a user name and password, you will have access to the system

configuration progra m .

Notes: 1.

You are allowed three attempts to enter the correct password; on the third
failed attempt the current connection is terminated.

2. If you log into the Web interface as guest (Normal Exec level), you can view

the configuration settings or change the guest password. If you log in as
“admin” (Privileged Exec level), you can change the settings on any page.

3. If the path between your management station and this switch does not pass

through any device that uses the Spanning Tree Algorithm, then you can set
the switch port attached to your management station to fast forwarding (i.e.,
enable Admin Edge Port) to improve the switch’s response time to
management commands issued through the web interface. See “Configuring
Interface Settings” on page 3-121.

3-1

Configuring the Switch

Navigating the Web Browser Interface

To acce ss the web-browser inte rface you must first enter a us er nam e and
password. The administrator has Read/Write access to all configuration parameters
and statistics. The default user name and password for the administrator is “admin.”

Home Page

When your web browse r co nnects with the switch’s web agent , th e home page is
displayed as shown below. The home page displays the Main Menu on t he l eft side
of the screen and System Info rm ation on the right side. The M ai n M en u links are
used to navigate to other m enus, and display confi gur at ion parameters and
statistics.

Figure 3-1. Homepage

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration
change has been mad e on a page, be sure to click on the “A pply” button to confirm
the new setting. The followi ng table summarizes the web page configuration
buttons.

Table 3-1 Configuration Options

Button Action

Revert Cancels specified values and restores current values prior to

Apply Sets specified values to the system.
Help Links directly to webhe lp.

Notes: 1. To ensure proper screen refresh, be sure t hat Internet Explorer 5.x is

3-2

pressing “Apply.”

Panel Display

configured as follows: Under the menu “Tools/Internet Options/General/
Temporary Internet Files/Settings,” the setting for item “Check for newer
versions of stored pages” should be “Every visit to the page.”

2. When using Internet Explorer 5.0, you may have to manually refresh the

screen after making configuration changes by pressing the browser’s refresh
button.

Panel Display

The web agent displays an i m age of the switch’s ports. The Mode can be set to
display different information for the ports, including Active (i.e ., up or down), Duplex
(i.e., half or full duplex, or Flow Control (i.e., with or without flow control). Clicking on
the image of a port opens the Port Configuration page as de sc ribed on page 3-83.

Figure 3-2. Panel Display

Main Menu

Using the onboard web agent, you can define syst em param e t er s, ma nage and
control the switch, and a ll its ports, or m oni tor network conditions. The f ol low i ng
table briefly describes the sel ec t io ns available from this progr am .

Table 3-2 Main Menu

Menu Description Page

System 3-10

System Information Provides basic system description, including contact

Switch Information Shows the number of ports, hardware/firmware version

Bridge Extension
Configuration

IP Configuration Sets the IP address for management access 3-14
Jumbo Frames Enables or disables jumbo frames 3-17
File Management 3-18

Copy Operation Allows the transfer and copying files 3-18
Delete Allows deletion of files from the flash memory 3-20
Set Start-Up Sets the start-up file 3-18

information

numbers, and power status
Shows the bridge extension parameters 3-12

3-10

3-11

3-3

Configuring the Switch

Table 3-2 Main Menu (Continued)

Menu Description Page

Line 3-22

Console Sets console port connection parameters 3-22
Telnet Sets Telnet connection parameters 3-24

Log 3-26

Logs Stores and displays error messages 3-26
System Logs Sends error messages to a logging process 3-27
Remote Logs Configures the logging of messages to a remote logging

SMTP Sends an SMTP client message to a participating server. 3-30

Reset Restarts the switch 3-32

SNTP 3-32

Configur atio n Configures SN TP cl ient s etti ngs, includ ing br oadc ast mo de or

Clock Time Zone Sets the local time zone for the system clock 3-33

SNMP 3-34

Configuration Configures community strings and related trap functions 3-36
Agent Status Enables or disables SNMP Agent Status 3-36
SNMPv3 3-39

Engine ID Sets SNMPv3 Engine ID 3-40
Remote Engine ID Adds a Remote Engine ID and IP Host 3-40
Users Creates or deletes user accounts 3-41
Remote Users Creates or deletes remote user accounts 3-43
Groups Creates or deletes SNMPv3 Groups 3-45
Views Creates or deletes SNMPv3 Views 3-48

Security 3-50

User Accounts Assigns a new password for the current user 3-50
Authentication Settings Configures authentication sequence, RADIUS and TACACS 3-51
HTTPS Settings Configures secure HTTP settings 3-54
SSH 3-56

Settings Configures Secure Shell server settings 3-63
Host-Key Settings Generates the host key pair (public and private) 3-59
SSH User Public-Key

Settings

process

a specified list of servers

Copies the user key pair (public and private) 3-61

3-29

3-32

3-4

Main Menu

Table 3-2 Main Menu (Continued)

Menu Description Page

Port Security Configures per port security, including status, response for

security breach, and maximum allowed MAC addresses

802.1X 3-64
Information Displays global configuration settings 3-66
Configuration Configures protocol parameters 3-66
Port Configuration Sets the authentication mode for individual ports 3-67
Statistics Displays protocol statistics for the selected port 3-70

ACL 3-72

Configuration Configures packet filtering based on IP or MAC addresses 3-72
Port Binding Binds a port to the specified ACL 3-78

IP Filter Sets IP addresses of clients allowed management access 3-79

Port 3-79

Port Information Displays port connection status 3-81
Trunk Information Displays trunk connection status 3-81
Port Configuration Configures port connection settings 3-83
Trunk Configuration Configures trunk connection settings 3-83
Trunk Membership Specifies ports to group into static trunks 3-86
LACP 3-88

Configuration Allows ports to dynamically join trunks 3-88
Aggregation Port Configures system priority, admin key, and port priority 3-89
Port Counters Information Displays statistics for LACP protocol messages 3-91
Port Internal Information Displays settings and operational state for local side 3-92
Port Neighbors Information Displays settings and operational state for remote side 3-94

Port Broadcast Control Sets the broadcast storm threshold for each port 3-96
Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 3-96
Mirror Port Configuration Sets the source and target ports for mirroring 3-97
Rate Limit 3-98

Input Port Configuration Sets the input rate limit for each ports 3-98
Input Trunk Configuration Sets the input rate limit for each trunks 3-98
Output Port Configuration Sets the output rate limit for each ports 3-98
Output TrunkConfiguration Sets the output rate limit for each trunks 3-98

Port Statistics Lists Ethernet and RMON port statistics 3-99

3-63

3-5

Configuring the Switch

Table 3-2 Main Menu (Continued)

Menu Description Page

PoE

Power Status Displays the status of global power parameters 3-105
Power Config Configures the power budget for the switch 3-106
Power Port Status Displays the status of port power parameters 3-106
Power Port Config Configures port power parameters 3-107

Address Table 3-108

Static Addresses Displays entries for interface, address or VLAN 3-108
Dynamic Addresses Displays or edits static entries in the Address Table 3-109
Address Aging Sets timeout for dynamically learned entries 3-110

Spanning Tree 3-111

STA 3-112

Information Displays STA values used for the bridge 3-112
Configuration Configures global bridge settings for STA, and RSTP 3-114
Port Information Displays individual port settings for STA 3-118
Trunk Information Displays individual trunk settings for STA 3-118
Port Configuration Configures individual port settings for STA 3-121
Trunk Configuration Configures individual trunk settings for STA 3-121

VLAN 3-123

802.1Q VLAN 3-123
Basic Information Displays information on the VLAN type supported by this

switch

Current Table Shows the current port members of each VLAN and whether

or not the port is tagged or untagged
Static List Used to create or remove VLAN groups 3-128
Static Table Modifies the settings for an existing VLAN 3-129
Static Memb er s hi p by Por t Configures m em be r sh i p ty p e fo r i nt e r fa c es , i nc lud i n g t a gg e d,

untagged or forbidden
Port Configuration Specifies default PVID and VLAN attributes 3-132
Trunk Configuration Specifies default trunk VID and VLAN attributes 3-132

Private VLAN 3-133

Information Displays Private VLAN fea ture inform atio n 3-134
Configuration This page is used to create/remove primary or community

VLANs

3-126

3-126

3-131

3-135

3-6

Main Menu

Table 3-2 Main Menu (Continued)

Menu Description Page

Association Each community VLAN must be associated with a primary

Port Information Shows VLAN port type, and associated primary or secondary

Port Configuration Sets the private VLAN interface type, and associates the

Trunk Information Shows VLAN trunk type, and associated primary or secondary

Trunk Configuration Sets the private VLAN interface type, and associates the

Protocol VLAN 3-139

Configuration Configures protocol VLANs. 3-139
Port Configuration Configures protocol VLAN port type, and associated protocol

LLDP 3-140

Configuration Configures basic LLDP time parameters 3-140
Port Configuration Configures a port for receive and, or transmit status, allows

Trunk configuration Configures a trunkt for receive and, or transmit status, allows

Local Information Displays information about the local device. 3-143
Remote Port Information Displays information about ports on a remote device 3-143
Remote Trunk Information Displays information about trunks ona remote device 3-143
Remote Information Details Sets the port and, or trunk to display information about 3-143
Device Statistics Displays device statistics 3-143
Device Statistics Details Allows the user to select the port or trunk on which to display

Priority 3-145

Default Port Priority Sets the default priority for each port 3-146
Default Trunk Priority Sets the default priority for each trunk 3-146
Traffic Classes Maps IEEE 802.1p priority tags to output queues 3-147
Traffic Classes Status Enables/disables traffic class priorities. 3-149
Queue Mode Sets queue mode to strict priority or Weighted Round-Robin 3-149
Queue Scheduling Configures Weighted Round Robin queueing 3-150
IP DSCP Priority Status Globally selects IP DSCP Priority, or disables it. 3-151

VLAN

VLANs

interfaces with a private VLAN

VLANs

interfaces with a private VLAN

VLANs.

sending of SNMP notication messages, and configures TLV
information.

sending of SNMP notication messages, and configures TLV
information.

statistical information

3-136

3-136

3-137

3-136

3-137

3-140

3-141

3-141

3-143

3-7

Configuring the Switch

Table 3-2 Main Menu (Continued)

Menu Description Page

IP DSCP Priority Sets IP Differentiated Services Code Point priority, mapping a

QoS 3-153

DiffServ 3-153

Class Map Sets Class Maps 3-154
Policy Map Sets Policy Maps 3-157
Service Policy Defines service policy settings for ports 3-160

IGMP Snooping 3-161

IGMP Configuration Enables multicast filtering; configures parameters for

IGMP Filter Configuration Enables multicast filtering; sets IGMP profiles 3-167
IGMP Immediate Leave Enables the immediate leave function 3-168
Multicast Router

Port Information
Static Multicast Router Port

Configuration
IP Multicast Registration

Table
IGMP Member PortTable Indicates multicast addresse s associated with the selected

MVR 3-168

Configuration Globally enables MVR, sets the MVR VLAN, adds multicast

Port Information Displays MVR interface type, MVR operational and activity

Trunk Information Displays MVR interface type, MVR operational and activity

Group IP Information Displays the ports attached to an MVR multicast stream 3-171
Port Configuration Configures MVR interface type and immediate leave status 3-172
Trunk Configuration Configures MVR interface type and immediate leave status 3-172
Group Member Configuration Statically assigns MVR multicast streams to an interface 3-174

DHCP Snooping 3-175

Configuration Enables DHCP Snooping and DHCP Snooping MAC-Address

VLAN Configuration Enables DHCP Snooping for a VLAN 3-176
Information Option

Configuration

DSCP tag to a class-of-service value

multicast query

Displays the ports that are attached to a neighboring multicast

router for each VLAN ID

Assigns ports that are attached to a neighboring multicast

router

Displays all multicast groups active on this switch, including

multicast IP addresses and VLAN ID

VLAN

stream addresses

status, and immediate leave status

status, and immediate leave status

Verification

Enables DHCP Snooping Information Option 3-177

3-152

3-162

3-164

3-165

3-166

3-167

3-169

3-170

3-170

3-176

3-8

Main Menu

Table 3-2 Main Menu (Continued)

Menu Description Page

Port Configuration Selects the DHCP Snooping Information Option policy 3-178
Binding Information Displays the DHCP Sno op ing bin ding inform atio n 3-179

IP Source Guard 3-180

Port Configuration Enables IP source guard and selects filter type per port 3-180
Static Configuration Adds a static addresses to the source-guard binding table 3-181
Dynamic Information Displays the source-guard binding table for a selected

Cluster 3-183

Configuration Globally enables clustering for the switch 3-184
Member Configuration Adds switch Members to the cluster 3-185
Member Information Displays cluster Member switch information 3-185
Candidate Information Displays network Candidate switch information 3-186

UPNP 3-187

Configuration Configues basic UPnP parameters 3-188

interface

3-182

3-9

Configuring the Switch

Basic Configuration

Displaying System Information

Yo u can easily identify the sy st em by displaying the device nam e, location and
contact information.

Field Attributes

• System Name – Name assigned to the switch system.

• Object ID – MIB II object ID for switch’s netw or k m anagement subsystem .

• Location – Specifies the sy st em l ocation.

• Contact – Administrato r r esponsible for the system .

• System Up Time – Length of time the management agent has been up.
These additional parameter s ar e di splayed for the CLI.

• MAC Address – The physical layer address for this switch.

• Web server – Shows if m anagement access via HTTP is enabled.

• Web server port – Shows the TCP port number used by the web interface.

• Web secure server – S hows if management acces s vi a H TTPS is enabled.

• Web secure server po rt – Shows the TCP port used by the HTTPS interface.

• Telnet server – Shows if management acces s vi a Telnet is enabled.

• Telnet port – Shows the TCP port used by th e Te ln et inte rface.

• Jumbo Frame – Shows if jumbo f ra m es ar e enabled.

• POST result – Shows results of the power-on self -test
Web – Click System, System Information. Specify the system name, location, and

contact information for the sys te m adm i ni st r at or, then click Apply. (This page also
includes a Telnet button that allows access to the Command Line Interface via Telnet.)

3-10

Figure 3-3. System Information

Basic Configuration

CLI – Specify the hostname, location and contact information.

Console(config)#hostname R&D 5 4-25
Console(config)#snmp-server location WC 9 4-99
Console(config)#snmp-server contact Geoff 4-99
Console(config)#exit
Console#show system 4-60
System Description: SMC Networks SMC8124PL2
System OID String: 1.3.6.1.4.1.259.6.10.94
System Information
System Up Time: 0 days, 0 hours, 7 minutes, and 22.65 seconds
System Name: R&D 5
System Location: WC 9
System Contact: Geoff
MAC Address (Unit1): 00-00-35-28-00-03
Web Server: Enabled
Web Server Port: 80
Web Secure Server: Enabled
Web Secure Server Port: 443
Telnet Server: Enable
Telnet Server Port: 23
Jumbo Frame: Disabled

POST Result:

DUMMY Test 1 ................. PASS

UART Loopback Test ........... PASS

DRAM Test .................... PASS

Timer Test ................... PASS

Done All Pass.
Console#

Displaying Switch Hardware/Software Versions

Use the Switch Informat io n page t o di sp la y hardware/firmware ve rs io n numbers for
the main board and management software, as well as the power status of the system.

Field Attributes

Main Board

• Serial Number – The serial number of the switch.

• Number of Ports – Number of built-in RJ-45 ports and expan sion ports.

• Hardware Version – Hardware version of the main board.

• Internal Power Status – Displ a ys t he status of the internal pow er supply.
Management Software

• EPLD Version – Version number of the Electronically Programmable Logic Device
code.

• Loader Version – Version nu m ber of loader code.

• Boot-ROM Version – Version of Power-On Self-Tes t (POS T) and boot code.

• Operation Code Version – Version number of runtime code.

• Role – Displays th e sw itch as a master or slave unit.

3-11

Configuring the Switch

Web – Click System, Switch Information.

Figure 3-4. Switch Informat io n

CLI – Use the following command to display version inf or m at i on.

Console#show version 4-62
Unit 1
Serial Number:
Hardware Version:
EPLD Version: 0.01
Number of Ports: 28
Main Power Status: Up
Redundant Power Status: Not present

Agent (Master)
Unit ID: 1
Loader Version: 1.0.0.0
Boot ROM Version: 1.0.0.3
Operation Code Version: 1.0.0.8

Console#

Displaying Bridge Extension Capabilities

The Bridge MIB includes ex te ns io ns for managed devices tha t supp or t M ult i cas t
Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to
display def ault settings for the key variables.

Field Attributes

• Extended Multicast Filtering Services – This switch does not support the filtering
of individual multicast addresses based on GMR P (GARP Multicast Regi stration
Protocol).

• Traffic Classes – This switch provides mapping of user priorities to multiple traffic
classes. (Refer to “Displaying Private VLAN Interface Information” on page 3-136.)

3-12

Basic Configuration

• Static Entry Individual Port – This switc h all ow s static filtering for unicast and

multicast addresses . (Ref er to “Set ti ng St at ic Addresses” on page 3-108. )

• VLAN Learning – This switch uses Independent VLAN Learning (IVL), where each

port maintains its own filtering database.

• Configurable PVID Tagging – This switch allows you to override the default Port

VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or
Untagged) on each port. (Ref er to “VLAN Configuration” on page 3-123.)

• Local VLAN Capable – This switch supports multiple local bridges; i.e., multiple

spanning trees. (Refer t o “ VLAN Configuration” on page 3-161.)

• GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to

register endstations with multicast groups. This switch does not support GMRP; it
uses the Internet Group M anagement Protocol (IGM P) to pr ovide automatic
multicast filtering.

Web – Click System, Bridge Extension Configuration.

Figure 3-5. Bridge Extension Configuration

CLI – Enter the following comm and.

Console#show bridge-ext 4-166
Max Support VLAN Numbers: 256
Max Support VLAN ID: 4094
Extended Multicast Filtering Services: No
Static Entry Individual Port: Yes
VLAN Learning: IVL
Configurable PVID Tagging: Yes
Local VLAN Capable: No
Traffic Classes: Enabled
GMRP: Disabled
Console#

3-13

Configuring the Switch

Setting the Switch’s IP Address

This section describes how to configure an initial IP interface for management
access over the network. The IP address for this switch is unassigned by default. To
manually configure an addr ess, you need to change th e sw it ch’s de fa ult set tings
(IP address 0.0.0.0 and netmask 25 5. 0. 0. 0) to val ues that are compatible with your
network. You may also need to a establish a default gatew ay between the switch
and management stations tha t exi st on an ot her network segment (if ro ut in g i s not
enabled on this switch ).

Yo u can manually configur e a specific IP address, or di rec t the device to obtain an
address from a BOOTP or DHCP server. Val id IP addresses consist of four deci m al
numbers, 0 to 255, separate d by periods. Anything outside thi s f or m at will not be
accepted by the CLI program.

Command Usage

• This section describes how to configure a single local interface for initial access to
the switch. To configure multiple IP in terfaces on this switch, you must set up an
IP interface for each VLAN ( page 3-115).

• To enable routing between the different interfaces on this switch, you must enable
IP routing ( page 3-114).

• To enable routing betwe en t he interfaces defined on this switch and external
network interfaces, you must configure static routes (page 3-128) or use dynamic
routing; i.e., either RIP (page 3-130) or OSPF (page 3-1 40) .

• The precedence for configuring IP interfaces is the IP / General / Routing Interface
menu (page 3-115), stat ic rou t es ( page 3-128), and then dyna m i c ro ut in g.

Command Attributes

• Management VLAN – ID of t he configured VLAN (1-409 3, no l ead i ng zeroes). By
default, all ports on the switch are members of VLAN 1. However, the management
station can be attached to a port belonging to any VLAN, as long as that VLAN has
been assigned an IP addr ess.

• IP Address Mode – Specifies whether IP fu nct ionality is enabled via man ual
configuration (Static), D yn am i c Host Configuration Protoc ol (DH CP), or Boot
Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has
been received from the server. Requests will be broadcast periodically by the
switch for an IP address. (DHCP/BOOTP values can include the IP address,
subnet mask, and defau lt gateway.)

• IP Address – Address of the V LAN in terf ace t hat is al lowe d mana geme nt ac cess .
Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
(Default: 0.0.0.0)

• Subnet Mask – This mask identifies the host add re ss bits used for routing to
specific subnets. (Def ault: 255.255.255.0)

• Gateway IP Address – IP address of the gateway router between this device and
management stations that exist on other networ k segments. (Default: 0. 0. 0. 0)

• MAC Address – The physical layer address for this switch.

• Restart DHCP – Requests a new IP addres s fr om the D H CP server.

3-14

Basic Configuration

Manual Configuration

Web – Click Syst em , I P Configuration. Select the VLAN t hr oug h w hi c h th e

management station is attached, set the IP Address Mode to “Static,” enter the IP
address, subnet mask and gateway, then click Apply.

and specify a “Primary” inte rf ac e,

Figure 3-6. Manual IP Configuration

CLI – Specify the management interface, IP address and default gate w ay.

Console#config
Console(config)#interface vlan 1 4-111
Console(config-if)#ip address 10.1.0.254 255.255.255.0 4-219
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254 4-221
Console(config)#

3-15

Configuring the Switch

Using DHCP/BOOTP

If your network provides DHCP/BOOTP services, you can configure the switch to be
dynamical ly configured by these ser vices.

Web – Click Syst em , IP Configuration. Specify the VLAN to which the m anagement
station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to
save your changes. Then click Restart DHCP to immediately request a new
address. Note that the sw itc h w i ll also broadcast a request for IP co nf i gur at io n
settings on each powe r re set.

IP, General, Routing Interface

Figure 3-7. DHCP IP Configuration

If you lose your management connection, use a console connection and enter

Note:

“show ip interface” to determine the new switch address.

CLI – Specify the management interfac e, and set the IP address mode to DHCP or
BOOTP, and t hen enter the “ip dhcp restart” comm and.

Console#config
Console(config)#interface vlan 1 4-111
Console(config-if)#ip address dhcp 4-219
Console(config-if)#end
Console#ip dhcp restart 4-220
Console#show ip interface 4-222
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#

Renewing DCHP – DHCP may lease addr esses to clients indefinitely or fo r a
specific period of time. If the address expires or the sw i tch i s m oved to another
network segment, you will lose management access to the switch. In this case, you
can reboot the switch or submit a client request to restart DHCP service via the CLI.

3-16

Basic Configuration

Web – If the address assigned by DHCP is no longer functioning, you will not be
able to renew the IP settings via the web interface. You can only restart DHCP
service via the web interface if the current addre ss is st i ll av ai la ble.

CLI – Enter the following command to restart DHCP service.

Console#ip dhcp restart 4-220
Console#

Enabling Jumbo Frames

Yo u can enable jumbo frame s t o support data packets up to 9000 bytes in siz e.

Command Usage

• This section describes how to configure a single local interface for initial access to

the switch. To configure multiple IP in terfaces on this switch, you must set up an
IP interface for each VLAN ( page 3-115).

• To enable routing between the different interfaces on this switch, you must enable

IP routing ( page 3-114).

• To enable routing betwe en t he interfaces defined on this switch and external

network interfaces, you must configure static routes (page 3-128) or use dynamic
routing; i.e., either RIP (page 3-130) or OSPF (page 3-1 40) .

• The precedence for configuring IP interfaces is the IP / General / Routing Interface

menu (page 3-115), stat ic rou t es ( page 3-128), and then dyna m i c ro ut in g.

Command Attributes

• Jumbo Packet Status – Check the box to enable jumbo frames.
Web – Click IP, General, Routing Interface Syste m , Ju m bo Frames.and specify a

“Primary” interface,

Figure 3-8. Enabling Jumbo Frames

CLI – Specify the jumbo frame status.

Console#config
Console(config)#jumbo frame
Console(config)#

3-17

Configuring the Switch

Managing Firmware

Yo u can upload/download firm w ar e t o or from a TFTP server. By saving runtime
code to a file on a TFTP server, that file can later be downloaded to the switch to
restore operation. You can also set the switch to use new f i rmw are without
overwriting the previous version.

Note: Runtime code can also be upgraded by using Batch Upgrade. Batch Upgrade can

discover switches on local, or other networks. After discovering the switches,
Batch Upgrade can then be set to automatically upgrade the runtime code on all
discovered switches. Batch Upgrade is provided in the Batch Upgrade folder in the
CD provided with this switch. For details see the Batch Upgrade document in this
Batch Upgrade folder.

Command Attributes

• File Transfer Method – The fir m w ar e copy operation includes th ese options.

• file to file – Copies a file within the switch directory, assi gni ng it a new name.

• file to tftp – Copies a file from the switch to a TFTP server.

• tftp to file – Copies a file from a TFTP server to the switch.

• TFTP Server IP Address – The IP address of a TFTP server.

• File Type – Specify opcod e (o per at ional code) to copy firmwa re .

• File Name –
the file name should not be a period (.), and the maximum length for file names on
the TFTP server is 127 char acter s or 31 characters for files on the s w itch .
(Valid charact e rs: A-Z, a-z, 0 -9, “.”, “-”, “_”)

Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored

in the file directory on the switch. The currently designated startup version of this
file cannot be deleted.

The file name should not contain slashes (\ or /),

the leading letter of

Downloading System Software from a Server

When downloading ru nt im e code, you can specify the destination file name to
replace the current image, or first download the file us in g a di fferen t nam e f ro m the
current runtime code file, and then set the new file as the start up f i le.

Web – Click Syst em , File Management, Copy Operation. Select “tftp to file” as the
file transfer method, enter th e IP address of the TFTP server, set the file type to
“opcode,” enter the file name of the software to download, select a file on the switch
to overwrite or specify a new file name, then click Apply. If you replaced the current
firmware used for startup and want to start using the new operation code, reboot the
system via the System/R eset menu.

3-18

Basic Configuration

Figure 3-9. Copy Firmware

If you download to a new de st inat i on f ile , go to the System, File Management ,
Set Start-Up menu, mark the ope ra tion code file used at startup, and cl ick Apply. To
start the new firmware, reboot the system via the System/Reset menu.

Figure 3-10. Setting the Startup Code

To delete a f ile s el ect Sy st em , File M anagement, Delete. Sele ct th e file name from
the given list by checking th e t ick box and click Apply. Note that the file currently
designated as the startup co de cannot be deleted.

Figure 3-11. Deleting Files

3-19

Configuring the Switch

CLI – Enter the IP address of the TFT P ser ver, select “config” or “opcode” file type,
then enter the source and destination file names, set the new file to start up the
system, and then restart the switch.

.

Console#copy tftp file 4-64
TFTP server ip address: 10.1.0.19
Choose file type:

1. config: 2. opcode: <1-2>: 2
Source file name: v1000-18.bix
Destination file name: V1.0
\Write to FLASH Programming.

-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode:V1.0 4-69
Console(config)#exit
Console#reload 4-21

Saving or Restoring Configuration Settings

Yo u can upload/download co nf i gur at ion settings to/from a TFTP se rv er. The
configuration file can be la ter downloaded to restore the sw i t ch’s setti ngs.

Command Attributes

• File Transfer Method – The fir m w ar e copy operation includes th ese options.

• file to file – Copies a file within the switch directory, assi gni ng it a new name.

• file to running-config – Co pies a file in the switch to the runn in g co nf ig ur at i on.

• file to startup-config – Copi es a file in the switch to the sta rtup configuration.

• file to tftp – Copies a file from the switch to a TFTP server.

• running-config to file – Copies the running configuration to a file.

• running-config to startup-config – Copies the running config to the startup config.

• running-config to tftp – Copies the running configuration to a TFTP server.

• startup-config to file – Copi es the startup configurat ion to a file on the switch.

• startup-config to running-config – Copies the startup config to the running config.

• startup-config to tftp – Copies the startup configurat ion t o a TFTP server.

• tftp to file – Copies a file from a TFTP server to the switch.

• tftp to running-config – Copi es a file from a TFTP server to the runn i ng config.

• tftp to startup-config – Copi e s a fil e from a TFTP server to the startu p config.

• TFTP Server IP Address – The IP address of a TFTP server.

• File Type – Specify config (configuration) to copy configuration file.

File Name

•
leading letter of the file name should not be a period (.), and the m aximum length
for file names on the TFTP serv er is 127 ch ar acters or 31 characters for fi les on
the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

— The configuration file name should not contain slashes (\ or /),

the

3-20

Basic Configuration

Note: The maximum number of user-defined configuration files is limited only by

available flash memory space.

Downloading Configuration Settings from a Server

You can download the configuration file under a new file name and then set it as the
startup file, or you can specify the current startup configuration file as the destination
file to directly replace it. Not e th at th e fil e “ Factory_Default_Con fig.cfg” can be
copied to the TFTP server, but cannot be used as th e destination on the switch.

Web – Click Syst em , File Management, Copy Operation. Select “tftp to
startup-config” o r “tftp to file” and enter t h e IP addres s of the TFTP server. Specify
the name of the file to download and select a file on the switch to overwrite or specify
a new file name, then click Ap ply.

Figure 3-12. Downloading Configuration Settings for Startup

If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file
is automatically set as the start-up configuration file. To use the new settings, reboot
the system via the System/Reset menu.

You can also select any configuration file as the start-up configuration by using the

Note:

System/File Management/Set Start-Up page.

Figure 3-13. Setting the Startup Configuration Settings

3-21

Configuring the Switch

CLI – Enter the IP address of the TFTP server, specify the source file on the server,
set the startup file name on the sw i t ch, and then restart the switch .

Console#copy tftp startup-config 4-64
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.

-Write to FLASH finish.
Success.

Console#reload

To select another configuration f ile as the start-up configuratio n, use the boot
system command a nd t hen res tar t the s w itch.

Console#config
Console(config)#boot system config: startup-new 4-69
Console(config)#exit
Console#reload 4-21

Console Port Settings

Yo u can access the onboard configuration program by at tach in g a VT1 00
compatible device to the sw itch’s serial console port. Mana gement access throug h
the console port is controlled by various parameters, including a password, timeouts,
and basic communication settings. These parameters can be configured via the web
or CLI interface.

Command Attributes

• Login Timeout – Sets the int er val t hat th e system waits for a user to log in to th e
CLI. If a login attempt is not d e te cted with in th e time out interval, the connection is
terminated for the sessi on. (Range: 0-300 second s; D ef ault: 0 seconds)

• Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected w ith i n th e tim e out in t erv al , the current session is
terminated. (Range: 0-6 5535 seconds; Defaul t: 60 0 seconds)

• Password Threshold – Sets the password intrusion threshold, which limits the
number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specifie d am ount of time (set by the Silen t
Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3
attempts)

• Silent Time – Sets the amount of time the management console is inaccessible
after the number of unsuc cessful logon attempts has been exceeded. (Range:
0-65535; Default: 0)

• Data Bits – Sets the number of data bits per char acter that are interpre t ed and
generated by the console port. If parity is being generated, specify 7 data bits per
character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)

3-22

Basic Configuration

• Parity – Defines the generation of a parity bit. Communication protocols provided

by some terminals can require a specific parity bit setting. Specify Even, Odd , or
None. (Def ault: None)

• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive

(from terminal). Set the spe ed to match the baud rate of th e dev i ce connected to
the serial port. (Range: 96 00, 19200, or 38400 baud; De fa ult : 96 00 bps)

• Stop Bits – Sets the number of the stop bi ts transm i t te d pe r by te . (R ange: 1-2;

Default: 1 stop bit)

Available in CLI only:

• Password – Specifies a password for the line connection. When a co nnection is

started on a line with password protection, the system prompts for the password. If
you enter the correct passw or d, th e system shows a prompt . ( Def aul t : No
password)

• Login – Enables password c hec ki ng at login. You can select authentication by a

single global password as configured for the Password parameter, or by passwords
set up for specific user-name accounts. (Default : Lo cal)

Web – Click System, Line, Console. Specify the console port connection parameters
as required, then click Apply.

Figure 3-14. Console Port Setting

3-23

Configuring the Switch

CLI – Enter Line Configuration m ode for the console, then specify the connection
parameters as required. To display the current console port sett i ngs , us e t he show
line command from the Normal Exec level.

Console(config)#line console 4-10
Console(config-line)#login local 4-11
Console(config-line)#password 0 secret 4-12
Console(config-line)#timeout login response 0 4-13
Console(config-line)#exec-timeout 0 4-13
Console(config-line)#password-thresh 3 4-14
Console(config-line)#silent-time 60 4-15
Console(config-line)#databits 8 4-15
Console(config-line)#parity none 4-16
Console(config-line)#speed 9600 4-16
Console(config-line)#stopbits 1 4-17
Console(config-line)#end
Console#show line 4-18
Console configuration:
Password threshold: 3 times
Interactive timeout: Disabled
Login timeout: Disabled
Silent time: 60
Baudrate: 9600
Databits: 8
Parity: none
Stopbits: 1

VTY configuration:
Password threshold: 3 times
Interactive timeout: 600 sec
Login timeout: 300 sec
Console#

Telnet Settings

Yo u can access the onboar d con figuration program over th e ne twork using Telnet
(i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and
other various parameter s se t, in cl ud in g th e TC P port number, timeouts, and a
password. These parameters can be configured via th e w eb or CLI interface.

Command Attributes

• Telnet Status – Enables or disabl es Telnet access to the swit ch. (De fa ul t :
Enabled)

• Telnet Por t Number – Sets the TCP port number for Telnet on the switch. (Default:

23)

• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not d e te cted with in th e time out interval, the connection is
terminated for the sessi on. (Range: 0-300 second s; D ef ault: 300 seconds)

• Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected w ith i n th e tim e out in t erv al , the current session is
terminated. (Range: 0-6 5535 seconds; Defaul t: 60 0 seconds)

• Password Threshold – Sets the passwo rd in trusion threshold, which lim its the
number of failed logon attempts. When the logon attempt threshold is reached, the

3-24

Basic Configuration

system interface becomes silent for a specifie d am ount of time (set by the Silen t
Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3
attempts)

Available in CLI only:

• Password – Specifies a password for the line connection. When a co nnection is

started on a line with password protection, the system prompts for the password. If
you enter the correct passw or d, th e system shows a prompt . ( Def aul t : No
password)

• Login – Enables password checking at login. You can select authentication by a

single global password as configured for the Password parameter, or by passwords
set up for specific user-name accounts. (Default : Lo cal)

Web – Click Syst em , Line, Telnet. Specify the connection parameters for Telnet
access, then click Apply..

Figure 3-15. Enabling Telnet

3-25

Configuring the Switch

CLI – Enter Line Configuration m ode for a virtual terminal, the n specify the
connection parameters as required. To display the current virtual terminal settings,
use the show line command from the Normal Exec level.

Console(config)#line vty 4-10
Console(config-line)#login local 4-11
Console(config-line)#password 0 secret 4-12
Console(config-line)#timeout login response 300 4-13
Console(config-line)#exec-timeout 600 4-13
Console(config-line)#password-thresh 3 4-14
Console(config-line)#end
Console#show line 4-18
Console configuration:
Password threshold: 3 times
Interactive timeout: Disabled
Login timeout: Disabled
Silent time: Disabled
Baudrate: 9600
Databits: 8
Parity: none
Stopbits: 1

VTY configuration:
Password threshold: 3 times
Interactive timeout: 600 sec
Login timeout: 300 sec
Console#

Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of
events that are recorded in switch memory, logging to a remote System Log (syslog)
server, and displays a list of recent event m es sages.

Displaying Log Messages

The Logs page allows you to scroll through the logged system and event messages.
The switch can store up to 2 048 log entries in temporary r andom access memory
(RAM; i.e., memory flus hed on power reset) and up to 4096 entries in permanent
flash memory.

3-26

Basic Configuration

Web – Click Syst em , Log , Lo gs.

Figure 3-16. Displaying Logs

CLI – This example shows the event message stored in RAM.

Console#show log ram 4-48
[1] 00:01:37 2001-01-01
"DHCP request failed - will retry later."
level: 4, module: 9, function: 0, and event no.: 10
[0] 00:00:35 2001-01-01
"System coldStart notification."
level: 6, module: 6, function: 1, and event no.: 1
Console#

System Log Configuration

The system allows you to enable or disable event loggi ng, and specify which lev els
are logged to RAM or flash m em ory.

Severe error messages th at are logged to flash memory are per m anently stored in
the switch to assist in troubleshooting network problems. Up to 4096 log entries can
be stored in t he fla sh memory, with the old est entr ies be ing over writ ten fir st when the
available log memory (2 56 ki l ob yt es) has been exceeded.

The System Logs page allows you to configure and limit system messages that ar e
logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to
flash and levels 0 to 6 to be logg ed t o R AM .

Command Attributes

• System Log St atus – Enables/disables the logging of debug or error messages to

the logging process. (Def au l t: Enabled)

• Flash Level – Limits log messages saved to the switch’s permanent flash memory

for all levels up to the specified level. For example, if level 3 is specified, all
messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3)

Table 3-3 Logging Levels

Level Severity Name Description

7 Debug Debugging messages
6 Informational Informational messages only

3-27

Configuring the Switch

Table 3-3 Logging Levels (Continued)

Level Severity Name Description

5 Notice Normal but significant condition, such as cold start
4 Warning Warning conditions (e.g., return false, unexpected return)
3 Error Error conditions (e.g., invalid input, default used)
2 Critical Critical conditions (e.g., memory allocation, or free memory

1 Alert Immediate action needed
0 Emergency System unusable
* There are only Level 2, 5 and 6 error messages for the current firmware release.

error - resource exhausted)

• RAM Level – Limits log messages saved to the switch’s temporary RAM memory
for all levels up to the specified level. For example, if level 7 is specified, all
messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)

The Flash Level must be equal to or less than the RAM Level.

Note:
Web – Click System, Log, System Logs. Specify System Log Status, set the level of

event messages to be log ged to RAM and flash memory, then click Apply.

Figure 3-17. System Logs

CLI – Enable system logging and then specify the level of messages to be logged to

RAM and flash memory. Use the show logging command to display the current
settings.

Console(config)#logging on 4-43
Console(config)#logging history ram 0 4-44
Console(config)#end
Console#show logging flash 4-47
Syslog logging: Enabled
History logging in FLASH: level emergencies
Console#

3-28

Basic Configuration

Remote Log Configuration

The Remote Logs page allow s yo u t o configure the logging of m ess ages that are
sent to syslog servers or other management stations. You can also limit the error
messages sent to only those messages below a spec i fied level.

Command Attributes

• Remote Log Status – Enables/di sab l es t he l ogging of debug or error messages

to the remote logging proc ess. (Default: Enabled)

• Logging Facility – Sets the facility type for remote logging of syslo g m es sages.

There are eight facility types specified by values of 16 to 23. The facility type is
used by the syslog server to dispatch log messages to an appropriate service. The
attribute specifies the fa ci l ity t yp e ta g sent in syslog messag es. (See RFC 3164.)
This type has no effect on the kind of messages reported by the switch. However,
it may be used by the syslog server to process mes sa ges, such as sorting or
storing messages in the cor re sponding database. (Ra nge: 16-23, Default: 23)

• Logging Trap – Limits log messages that are sent to the remote syslog server for

all levels up to the specified level. For example, if level 3 is specified, all messages
from level 0 to level 3 will be sent to the re m ot e ser ver. (Range: 0-7, Defaul t : 7)

• Host IP List – Displays the list of remote server I P addresses that receive t he

syslog messages. The m aximum number of h ost IP addresses allowed is five.

• Host IP Address – Specifies a new server IP address to add to the Host IP List .
Web – Click Syst em , Log, Remote Logs. To add an IP address to the Host IP List,

type the new IP address in the Host IP Address box, and then click Add. To delete
an IP address, click the ent r y in th e H ost IP List, and then click Re move.

Figure 3-18. Remote Logs

3-29

Configuring the Switch

CLI – Enter the syslog server host IP address, choose the facility type and set the
logging trap.

Console(config)#logging host 192.168.1.15 4-45
Console(config)#logging facility 23 4-45
Console(config)#logging trap 4 4-46
Console(config)#end
Console#show logging trap 4-47
Syslog logging: Enabled
REMOTELOG status: Enabled
REMOTELOG facility type: local use 7
REMOTELOG level type: Warning conditions
REMOTELOG server ip address: 192.168.1.15
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
Console#

Simple Mail Transfer Protocol

SMTP (Simple Mail Transfer Protocol) is used to send email messages between
servers. The messages can be retrieved using POP or IM AP cl ients .

Command Attributes

• Admin Status – Enables/disa bles t he SMTP function. (Default: Enabled)

• Email Source Address – This command specifies SMTP servers email addresses
that can send alert messages.

• Severity – Specifies the degr ee of urgency that the mes sag e carries.

• Debugging – Sends a deb ug gi ng notification. (Level 7)

• Information – Sends inform at ative notification only. (Level 6)

• Notifice – Sends notification of a normal but significant condition, such as a cold

start. (Level 5)

• Warning – Sends notificat i on of a war ni ng condition such as return f alse, or

unexpected return. (Level 4)

• Error – Sends notification that an error conditions has occurred, such as invalid

input, or default used. (Level 3)

• Critical – Sends notification that a critical condition has occurred, such as

memory allocation, or free m emory error - resource exhausted. (Level 2)

• Alert – Sends urgent notificat i on that imm ediate action must be take n. (Le vel 1)

• Emergency – Sends an emergency notification that the system is now unusable.

(Level 0)

• SMTP Server List – Specifies a list of recipient SMTP servers.

• SMTP Server – Specifies a new SMTP server address to add to the SMTP Server
List.

• Email Destination Address Li st – Specifies a list of recipient Email Destination
Address.

3-30

Basic Configuration

• Email Destination Address – This command specifies SMTP serv ers th at ma y

receive alert messages.

Web – Click System, Log, SMTP. To add an IP address to the Server IP List, type
the new IP address in the Server IP Address box, and then click Add. To delete an IP
address, click the entry in th e Ser ver IP List, and then click Remove.

Figure 3-19. Enabling and Configuring SMTP

CLI – Enter the host ip address, foll ow e d by the mail severity leve l, source and

destination email addr esses and enter the sendm ai l command to complete t he
action. Use the show logg ing command to display SM TP i nf or m at ion.

Console(config)#logging sendmail host 192.168.1.19
Console(config)#logging sendmail level 3
Console(config)#logging sendmail source-email
bill@this-company.com
Console(config)#logging sendmail destination-email
ted@this-company.com
Console(config)#logging sendmail
Console#

3-31

Configuring the Switch

Resetting the System

Web – Click Syst em , R eset. Click the Reset button to reboot the switch. When

prompted, confirm that you want reset the switch.

Figure 3-20. Resetting the System

CLI – Use the reload command to restart the switch. When prompted, confirm t hat

you want to reset the switch.

Console#reload 4-21
System will be restarted, continue <y/n>?

Note:

When restarting the system, it will always run the Power-On Self-Test.

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal clock
based on periodic updates from a time server (SNTP or N TP) . Mai ntaining an
accurate time on the switch enables the system lo g to rec or d m eaningful dates and
times for event entries . You can also manually set the clock using the CLI. (See
“calendar set” on page 4-56.) If the clock is not set, the switch will only r ecord the
time from the factory default set at the last bootup.

When the SNTP client is enabled , the swi tc h per iodically sends a request for a time
update to a configured time se rv er. You can configure up to three time server IP
addresses. The switch will attempt to poll each server in the configured sequence.

Configuring SNTP

Yo u can configure the switch to send time synchroni za tion requests to specific time
servers.

Command Attributes

• SNTP Client – Configures the switch to oper at e as an SNTP client. This requires
at least one time server to be specified in the SNTP Server field. (Default: Disabled)

• SNTP Poll Interval – Sets the interval between sending requests for a time update
from a time server. (Range: 16-16384 second s; Def ault: 16 seconds)

• SNTP Server – Sets the IP address for up to three time servers. The switch
attempts to update the time from the first server, if this fails it attempts an update
from the next server in the sequence.

3-32

Basic Configuration

Web – Select SNTP, Config urat ion . Modi fy an y of t he re quir ed p ara meter s, a nd cli ck
Apply.

Figure 3-21. SNTP Configuration

CLI – This example configures t he switch to operate as an SNT P uni cast client and

then displays the curren t tim e and settings.

Console(config)#sntp client 4-54
Console(config)#sntp poll 60 4-55
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-54
Console(config)#exit
Console#show sntp
Current time: Jan 6 14:56:05 2004
Poll interval: 60
Current mode: unicast
SNTP status : Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.250.36.2
Console#

Setting the Time Zone

SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time,
or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To
display a time corresp onding to your local time, you must indicate the number of
hours and minutes your tim e zone is east (before) or we st (after) of UT C.

Command Attributes

• Current Time – Displays the current time.

• Name – Assigns a name to the t ime zone. (Range: 1-29 characters)

• Hours (0-13) – The numb er of ho ur s before/after UTC.

• Minutes (0-59) – The number of minutes before/after UTC.

• Direction – Configures the time zone to be before (east) or after (wes t) UT C.

3-33

Configuring the Switch

Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to
the UTC, and click Apply.

Figure 3-22. Setting the Time Zone

CLI - This example shows how to set th e tim e zone for the system clo ck.

Console(config)#clock timezone Dhaka hours 6 minute 0 after-UTC 4-56
Console#

Simple Network Management Protocol

Simple Net w ork Management Protocol (SNMP) is a commu nication protocol
designed specifically f or managing devices on a net w or k. Equipment commonly
managed with SNMP in cludes switches, routers and host computers. SNMP is
typically used to configure these devices for proper operation in a network
environment, as well as to monitor them to evaluate performance or detect potential
problems.

Managed devices sup por t in g SNM P contain software, which runs lo call y on the
device and is referred to as an agent. A defined set of variables, known as managed
objects, is maintained by the SNM P agent and used to manage th e de vi ce. These
objects are defined in a Management Information Bas e (MI B ) th at provides a
standard presentation of the information controlled by the agent. SNMP defines both
the format of the MIB specifications and the protocol used to access this information
over the network.

The switch includes an on boa rd agent that supports SNMP vers ions 1, 2c, and 3
clients. This agent continuously monitors the status of the swi t ch hardware, as well
as the traffic passing through its ports. A netw ork m anagement station can acces s
this information using software such as SMC EliteView. Access to the onboard agent
from clients using SNMP v1 a nd v 2c i s controlled by commun ity s tri ngs. To
communicate with the swi tc h, th e m anagement station must firs t su bm it a val i d
community string for au t hentication.

Access to the switch using f ro m clie nts us in g SNM P v 3 pr ovides additional securit y
features that cover mes sage integrity, authentication, and encryptio n; as well as
controlling user access to specific areas of the MIB tree.

3-34

Simple Network Management Protocol

The SNMPv3 security structure consists of security models, with each model having
it’s own security levels. There are three security models defined, SNMPv1,
SNMPv2c, and SN M P v3. Users are assigned to “groups” that are defined by a
security model and specified security levels. Each group also has a defined security
access to set of MIB objects for re adi ng and writing, which are k nown as “views.”
The switch has a default vie w (a ll MIB objects) and default groups defi ned for
security models v1 an d v2 c. T he f oll ow i ng table shows the security m odels and
levels available and the system default setting s.

Table 3-4 SNMPv3 Security Models and Levels

Model Level Group Read View Write View Notify

v1 noAuth

v1 noAuth

v1 noAuth

v2c noAuth

v2c noAuth

v2c noAuth

v3 noAuth

v3 Auth

v3 Auth Priv user

NoPriv

NoPriv

NoPriv

NoPriv

NoPriv

NoPriv

NoPriv

NoPriv

public
(read
only)

private
(read/
write)

user
defined

public
(read
only)

private
(read/
write)

user
defined

user
defined

user
defined

defined

defaultview none no ne C omm un ity strin g only

defaultview defaultv iew none Community strin g only

user defined user defined user

defaultview none no ne C omm un ity strin g only

defaultview defaultv iew none Community strin g only

user defined user defined user

user defined user defined user

user defined user defined user

user defined user defined user

View

defined

defined

defined

defined

defined

Security

Community string only

Community string only

A user name match only

Provides user
authentication via MD5 or
SHA algorithms

Provides user
authentication via MD5 or
SHA algorithms and data
privacy using DES 56-bit
encryption

Note:

The predefined default groups and view can be deleted from the system. You can
then define customized groups and views for the SNMP clients that require access.

3-35

Configuring the Switch

Enabling the SNMP Agent

Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).

Command Attributes

• SNMP Agent Status – Enables SNMP on the switch.

Web – Click SNMP, Agent Sta tus. Enable the SNMP Agent by marking the Enabled

checkbox, and click Apply.

Figure 3-23. Enabling the SNMP Agent

CLI – The following example en abl es SNMP on the switch.

Console(config)#snmp-server 4-96
Console(config)#

Setting Community Access Strings

Yo u m ay configure up to five commu ni t y strings authorized for manag ement access
by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers
should be listed in this table. For security reasons, you should consider removing the
default strings.

Command Attributes

• SNMP Community Capability – The switch supports up to five community strings.

• Current – Displays a list of the communi t y strings currently configured.

• Community String – A community string that acts like a password an d permits
access to the SNMP proto col.

• Default strings: “public” (read-onl y access), “priva te” (read/write access)

• Range: 1-32 characters, case sensitive

• Access Mode – Specifies the access rights for the community string:

• Read-Only – Authorized management stations are only able to retrieve MIB

objects.

• Read/Write – Authorized management st at i ons are able to both retrieve and

modify MIB objects.

3-36

Simple Network Management Protocol

Web – Click SNMP, Configuration. Add new communi ty st rings as required, select
the access rights from the Access Mod e drop-down list, then cl ick Add.

Figure 3-24. Configuring SNMP Community Strings

CLI – The following example adds the string “spiderm an” w i th rea d/ wri te access.

Console(config)#snmp-server community spiderman rw 4-98
Console(config)#

Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap managers.
Yo u m ust specify trap manage rs so t hat key events are reported by this switch to
your management statio n (u si ng n et w or k m anagement platforms such as SMC
EliteView). You can specify up to five management stations that will receive
authenti cation failure messages and other notificati on messages from the switch .

Command Usage

• If you specify an SNMP Version 3 host, then the “Trap Manager Community String”

is interpreted as an SNMP user nam e. If you use V3 authenticatio n or encryption
options (authNoPriv or au t hPr iv ), t he user name must first be defined in the
SNMPv3 Users page (page 3-41). Otherwise, the authentication password and/or
privacy password will not exist, and the switc h will no t authorize SNMP access for
the host. However, if you sp ecify a V3 host with the no authen tication (noAuth)
option, an SNMP user account will be automatically generated, and the switch will
authorize SNMP access for the host.

• Notifications are issue d by t he sw i tch as t ra p messages by default. Th e re ci pi ent

of a trap message does not send a response to the switch. Traps are therefore not
as reliable as inform me ssa ges, which include a request for acknowledgem ent of
receipt. Informs can be used to ensure that critical information is received by the
host. However, note tha t inf or m s consume more system r esources because the y
must be kept in memory until a response is received. Informs also add to network
traffic. You should con si der th es e ef fe ct s w hen deciding whether to i ssue
notifications as traps or in forms.

• To send an inform to a SNMP v2c host, complete thes e st ep s:

3-37

Configuring the Switch

1. Enable the SNMP agent (page 3-36).

2. Enable trap informs as described in the following pages.

3. Create a view with the requi re d not i f icat io n m essages (page 3 -4 8).

4. Create a group that includ es the required notify view ( page 3-45).

• To send an inform to a SNMP v3 host , com plete these steps:

1. Enable the SNMP agent (page 3-36).

2. Enable trap informs as described in the following pages.

3. Create a view with the requi re d not i f icat io n m essages (page 3 -4 8).

4. Create a group that includ es the required notify view ( page 3-45).

5. Specify a remote engine ID where the user resides (page 3-40).

6. Then configure a remote user (page 3-43) .

Command Attributes

• Trap Manager Capability – This switch su pports up to five trap manag er s.

• Current – Displays a list of the trap manager s currently configured.

• Trap Manager IP Address – IP address of a new management station to receive
notification messages .

• Trap Manager Community String – Specifies a val i d community string for the
new trap manager entry. Though you can set this string in the Trap Managers table,
we recommend that you def in e t his st ring in the SNMP Configurat io n page (for
Version 1 or 2c clients), or def ine a corresponding “User Name” in the SNMPv3
Users page (for Version 3 cl ie nt s) . (R an ge: 1- 32 characters, case sen sitive)

• Trap UDP Port – Specifies the UDP port number used by the trap manager.

• Trap Version – Indicates if the user is running SN M P v1, v2c, or v3. (Default: v1)

• Trap Security Level – When trap version 3 is sel ected, you must specify one of
the following security levels. (Default: noAuthN oPriv)

• noAuthNoPriv – There is no authent i cat ion or encryption used in S NM P

communications.

• AuthNoPriv – SNMP communicat i ons use authentication, bu t the data is not

encrypted (only avai la ble f or t he SNMPv3 security model).

• AuthPriv – SNMP communications use both authentication and encryption (only

available for the SNMPv3 security model).

• Trap Inform – Notifications are sent as inform messages. Note that this optio n is
only avail able for version 2c and 3 hosts. (Default: trap s are used)

• Timeout – The number of seconds to wait for an acknowled gment before

resending an inform me ssage. (Range: 0-2147483647 centiseconds;
Default: 1500 centiseconds)

• Retry times – The maximum number of tim es t o re send an inform message i f

3-38

Simple Network Management Protocol

the recipient does not ack nowledge receipt. (Ra ng e: 0-2 55; D ef ault: 3)

1

• Enable Authentication Trap s

– Issues a notification mes sa ge t o specified IP
trap managers whene ve r authentication of an SNMP r equest fails.
(Default: Enabled)

• Enable Link-up and Link-down Traps – Issues a notification message whenever
a port link is established or brok en. (Default: Enabled)

Web – Click SNMP, Configuration. Enter the IP address and community string for
each management station that will receive trap messages, specify the UDP port,
trap version, trap se cur i ty le vel (f or v3 clients), trap inform se t tings (for v2c/v3
clients), and then click Add. Select the trap types required using the check boxes for
Authentication and Link- up/ down traps, and then click Apply.

Figure 3-25. Configuring SNMP Trap Managers

CLI – This example adds a trap m anager and enables authentication traps.

Console(config)#snmp-server host 10.1.19.23 inform private version 2c
udp-port 160 4-100
Console(config)#snmp-server enable traps authentication 4-102
Console(config)#

Configuring SNMPv3 Management Access

To configure SNMPv3 m anagement access to the switch, follow these step s:

1. If you want to change the de fa ul t engine ID, it must be changed first bef ore

configuring other paramet er s.

2. Specify read and write access views fo r the switch MIB tree.

3. Configure SNMP user groups with the required security model (i.e., SNMP v1,

v2c or v3) and se curity level (i.e., au t hentication and privac y).

1.

These are legacy notifications and therefore when used for SNMP Version 3 hosts, they
must be enabled in conjunction with the corresponding entries in the Notification View
(page 3-45).

3-39

Configuring the Switch

4. Assign SNMP users to grou ps, alon g w i th thei r sp eci f ic aut hentication and
privacy passwords.

Setting the Local Engine ID

An SNMPv3 engine is an independent SNMP agent that resides on the switch. This
engine protects against message replay, delay, and redirection. The engi ne I D is
also used in combinatio n w i th user passwords to generate the security keys for
authenti cating and encrypting SN M P v3 packets.

A local engine ID is automat ical l y gen er at ed that is unique to the switch. T his i s
referred to as the default e ngi ne ID. If th e l oca l engi ne ID is deleted or changed, all
SNMP users will be cleared. You will need to reconfigure all existing users.

A new engine ID can be specified by entering 1 to 26 hexadecimal characters. If less
than 26 characters are s pecified, trailing zeroes are added to the value. For
example, the value “123 4” is e qui va l ent to “12 34” followed by 22 zeroes.

Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of up to 26 hexadecimal
characters and then clic k Save.

Figure 3-26. Setting an Engine ID

CLI – This example sets an SNMPv3 engine ID.

Console(config)#snmp-server engine-id local 12345abcdef 4-103
Console(config)#exit
Console#show snmp engine-id 4-104
Local SNMP engineID: 12345abcdef000000000000000
Local SNMP engineBoots: 1
Console#

Specifying a Remote Engine ID

To send info rm m essages to an SNMPv3 us er o n a re mote device, you must first
specify the engine ident ifier fo r the SNMP agent on the remot e device where the
user resides. The remot e engine ID is used to compute th e security digest for
authenticating and encrypting packets sen t to a user on the remote host.

SNMP passwords are localized using the engine ID of the authoritative agent. For
informs, the authoritative SNMP agent is the remote agent. You therefore need to
configure the remote ag en t’s SNMP engine ID before you can s end proxy requests

3-40

Simple Network Management Protocol

or informs to it. (See “Specifying Trap Managers and Trap Types” on page 3-37 and
“Configuring Remote SNMPv3 Users” on page 3-43.)

The engine ID can be specified by entering 1 to 26 hexadecimal characters. If less
than 26 characters are s pecified, trailing zeroes are added to the value. For
example, the value “123 4” is e qui va l ent to “12 34” followed by 22 zeroes.

Web – Click SNMP, SNMPv3, Remote Engine ID. Enter an ID of up to 26
hexadecimal characters and then click Sa ve.

Figure 3-27. Setting an Engine ID

CLI – This example specifies a re m ot e SNM P v 3 engine ID.

Console(config)#snmp-server engineID remote 54321 192.168.1.19 4-103
Console(config)#exit
Console#show snmp engine-id 4-104
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1

Remote SNMP engineID IP address
80000000030004e2b316c54321

192.168.1.19
Console#

Configuring SNMPv3 Users

Each SNMPv3 user is defin ed by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts users to
a specific read, write, and not i fy vi ew.

Command Attributes

• User Name – The name of user connecting to the SNMP agent. (Range: 1-32
characters)

• Group Name – The name of the SNMP gro up t o w hich the user is assigned.
(Range: 1- 32 characte rs)

• Security Model – The user security mo del ; S NM P v1, v2c or v3.

• Security Level – The security level used for the user:

• noAuthNoPriv – There is no authentication or encryption used in SNMP

communications. (T hi s is th e default for SNMPv3.)

• AuthNoPriv – SNMP com m unications use authentic at ion, but th e da ta is not

encrypted (only avai la ble f or t he SNMPv3 security model).

3-41

Configuring the Switch

• AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).

• Authentication Protoc ol – The m et hod used for user authen tication.
(Options: MD5, SHA; Default: MD5)

• Authentication Password – A minimum of eight plain text characters is required.

• Privacy Protocol – The encryption algorithm use for data privacy; only 56-bit DES
is currently available.

• Privacy Password – A minimum of eight plain text characters is required.

• Actions – Enables the us er to be assigned to another SNM P v3 group.

Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the
New User page, define a nam e and assign it to a group, then cli ck A dd t o sa ve t he
configuration and return to the User Name list. T o delete a user, check the box next
to the user name, then click D el et e. To change the assigned group of a user, click
Change Group in the Actions column of the users table an d select the new group.

3-42

Figure 3-28. Configuring SNMPv3 Users

Simple Network Management Protocol

CLI – Use the sn mp - server user command to configur e a new user name and
assign it to a group.

Console(config)#snmp-server user chris group r&d v3 auth md5 greenpeace
priv des56 einstien 4-109
Console(config)#exit
Console#show snmp user 4-110
EngineId: 80000034030001f488f5200000
User Name: chris
Authentication Protocol: md5
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active

Console#

Configuring Remote SNMPv3 Users

Each SNMPv3 user is defin ed by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts users to
a specific read, write, and not i fy vi ew.

To send info rm m essages to an SNMPv3 us er o n a re mote device, you must first
specify the engine ident ifier fo r the SNMP agent on the remot e device where the
user resides. The remote engine ID is used to comput e th e se cur i ty di ges t for
authenticating and encrypting packets sen t to a user on the remote host. (See
“Specifying Trap Manag er s and Tra p Types” on page 3-37 and “Specifying a
Remote Engine ID” on page 3-4 0. )

Command Attributes

• User Name – The name of user connecting to the SNMP agent. (Range: 1-32

characters)

• Group Name – The name of the SNMP gro up t o w hich the user is assigned.

(Range: 1- 32 characte rs)

• Engine ID – The engine identifier for the SNMP agent on the remote device where

the remote user resides . Note that the remote engin e i den tif i er must be specified
before you configure a rem ote user. (See “Specifyin g a R em ote Engine ID” on
page 3-40.)

• Remote IP – The Internet address of the rem ot e device where the user re sides.

• Security Model – The user security model; SNMP v1, v2 c or v3. (Default: v1)

• Security Level – The security level used for the user:

• noAuthNoPriv – There is no authentication or encryption used in SNMP
communications. (T hi s is th e default for SNMPv3.)

• AuthNoPriv – SNMP com m unications use authentic at ion, but th e da ta is not
encrypted (only avai la ble f or t he SNMPv3 security model).

• AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).

• Authentication Protoc ol – The m et hod used for user authen tication. (Options:
MD5, SHA; Default: MD5)

3-43

Configuring the Switch

• Authentication Password – A minimum of eight plain text characters is required.

• Privacy Protocol – The encryption algorithm use for data privacy; only 56-bit DES
is currently available.

• Privacy Password – A minimum of eight plain text characters is required.

Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name.
In the New User page, define a name and assign it to a group, then click Add to save
the configuration and ret ur n to the U ser N am e list. To de le te a user, check the box
next to the user name, then click Delete.

3-44

Figure 3-29. Configuring Remote SNMPv3 User s

Simple Network Management Protocol

CLI – Use the sn mp - server user command to configur e a new user name and
assign it to a group.

Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3
auth md5 greenpeace priv des56 einstien 4-109
Console(config)#exit
Console#show snmp user 4-110
No user exist.

SNMP remote user
EngineId: 80000000030004e2b316c54321
User Name: mark
Authentication Protocol: none
Privacy Protocol: none
Storage Type: nonvolatile
Row Status: active

Console#

Configuring SNMPv3 Groups

An SNMPv3 group sets th e access policy for its assigned users, restricting them t o
specific read, write, and not ify vi ews. You can use the pre-defined default groups or
create new groups to map a set of SNMP users to SNMP view s.

Command Attributes

• Group Name – The name of the SNMP gro up. (Range: 1-32 characte rs )

• Model – The group secur ity mo del; SNMP v1, v2c or v3.

• Level – The security level use d fo r the group:

• noAuthNoPriv – There is no authentication or encryption used in SNMP
communications.

• AuthNoPriv – SNMP com m unications use authentic at ion, but th e da ta is not
encrypted (only avai la ble f or t he SNMPv3 security model).

• AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).

• Read View – The configured view for re ad access. (Range: 1-64 characters)

• Write View – The configured view for write access. (Range: 1-64 characters)

• Notify View – The configured view for notifica tion s. (Range: 1-64 character s)

Table 3-5 Supported Notification Messages

Object Label Object ID Description
RFC 1493 Traps
newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending

agent has become the new root of the
Spanning Tree; the trap is sent by a bridge
soon after its election as the new root, e.g.,
upon expiration of the T opology Change Timer
immediately subsequent to its election.

3-45

Configuring the Switch

Table 3-5 Supported Notification Messages (Continued)

Object Label Object ID Description
topologyChange 1.3.6.1.2.1.17.0.2 A topologyChange trap is sent by a bridge

SNMPv2 Traps
coldStart 1.3.6.1.6.3.1.1.5.1 A coldStart trap signifies that the SNMPv2

warmStart 1.3.6.1.6.3.1.1.5.2 A warmStart trap signifies that the SNMPv2

a

linkDown

a

linkUp

authenticationFailure

1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP entity,

1.3.6.1.6.3.1.1.5.4 A linkUp trap signifies that the SNMP entity,

a

1.3.6.1.6.3.1.1.5.5 An authenticationFailure trap signifies that the

RMON Events (V2)
risingAlarm 1.3.6.1.2.1.16.0.1 The SNMP trap that is generated when an

fallingAlarm 1.3.6.1.2.1.16.0.2 The SNMP trap that is generated when an

when any of its configured ports transitions
from the Learning state to the Forwarding
state, or from the Forwarding state to the
Discarding state. The trap is not sent if a
newRoot trap is sent for the same transition.

entity, acting in an agent role, is reinitializing
itself and that its configuration may have been
altered.

entity, acting in an agent role, is reinitializing
itself such that its configuration is unaltered.

acting in an agent role, has detected that the
ifOperStatus object for one of its
communication links is about to enter the
down state from some other state (but not
from the notPresent state). This other state is
indicated by the included value of
ifOperStatus.

acting in an agent role, has detected that the
ifOperStatus object for one of its
communication links left the down state and
transiti oned into s ome o ther stat e (b ut no t in to
the notPresent state). This other state is
indicated by the included value of
ifOperStatus.

SNMPv2 entity, acting in an agent role, has
received a protocol message that is not
properly authenticated. While all
implementations of the SNMPv2 must be
capable of generating this trap, the
snmpEnableAuthenTraps object indicates
whether this trap will be generated.

alarm entry crosses its rising threshold and
generates an event that is configured for
sending SNMP traps.

alarm entry crosses its falling threshold and
generates an event that is configured for
sending SNMP traps.

3-46

Simple Network Management Protocol

Table 3-5 Supported Notification Messages (Continued)

Object Label Object ID Description
Private Traps
swPowerStatus

ChangeTrap

1.3.6.1.4.1.259.6.10.94.2.1.

0.1

This trap is sent when the power state
changes.

swIpFilterRejectTrap 1.3.6.1.4.1.259.6.10.94.2.1.

a. These are legacy notifications and therefore must be enabled in conjunction with the

corresponding traps on the SNMP Configuration menu (page 3-39).

0.40

This trap is sent when an incorrect IP address
is rejected by the IP Filter.

Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the
New Group page, define a name, assign a security model and level, and then select
read and write views. Click Add to save the new group and return to the Groups list.
To delet e a gr oup, check the box next to th e gr oup name, then click Delete.

Figure 3-30. Configuring SNMPv3 Groups

3-47

Configuring the Switch

CLI – Use the sn mp - server group command to configur e a ne w gr oup, specifying
the security model and level, and restricting MIB a cce ss to defined read and write
views.

Console(config)#snmp-server group secure-users v3 priv read defaultview
write defaultview notify defaultview 4-106
Console(config)#exit
Console#show snmp group 4-107
Group Name: secure-users
Security Model: v3
Read View: defaultview
Write View: defaultview
Notify View: defaultview
Storage Type: nonvolatile
Row Status: active

Console#

Setting SNMPv3 Views

SNMPv3 views are used to restrict user access to specified portions of the MIB tree.
The predefined view “de fa ul tv iew ” inc ludes access to the entire M IB tree.

Command Attributes

• View Name – The name of the SNMP vie w. (Range: 1-64 characters)

• View OID Subtrees – Shows the currently configured object identifiers of branches
within the MIB tree that define th e SN M P vi ew.

• Edit OID Subtrees – Allows you to configure th e object identifiers of branches
within the MIB tree. Wild ca rds can be used to mask a spec i fic portion of the OID
string.

• Type – Indicates if the object ident i f ier of a br anc h w i th in the MIB t re e is in cluded
or excluded from the SNMP view .

Web – Click SNMP, SNMPv3, V ie ws. Click New to configure a new view. In the New
View page, define a name and specify OID subtrees in the switch MIB to be included
or excluded in the view. Click Back to save the ne w vi ew and return to the SNMPv 3
Views list. For a specific view, click on View OID Subtrees to dis pl ay the cur rent
configuration, or click on Edit OID Subtrees to make changes to the view settings. T o
delete a view, check the box next to the view name, then click Delete.

3-48

Simple Network Management Protocol

Figure 3-31. Configuring SNMPv3 Views

CLI – Use the sn mp-server view com m and to configure a new vi ew. This example

view includes the MIB-2 interfaces table, and the wildcard mask selects all index
entries.

Console(config)#snmp-server view ifEntry.a

1.3.6.1.2.1.2.2.1.1.* included 4-105
Console(config)#exit
Console#show snmp view 4-105
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
View Type: included
Storage Type: nonvolatile
Row Status: active

View Name: readaccess
Subtree OID: 1.3.6.1.2
View Type: included
Storage Type: nonvolatile
Row Status: active

View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: nonvolatile
Row Status: active

Console#

3-49

Configuring the Switch

User Authentication

You can restrict management access to this switch using the following options:

• User Accounts – Manually configure access rights on the switch for specified
users.

• Authentication Settings – Use remote authenticat io n t o configure access rights.

• HTTPS Settings – Provide a secure web connection.

• SSH Settings – Provide a secure she ll (for sec ure Telnet access).

• Port Security – Configure secure addresses for individua l po rts.

• 802.1X – Use IEEE 802.1X port authentication to control access to specific ports.

• ACL - Access Control Lists (ACL) provide packet filtering for IP frames (based on
address, protocol, Layer 4 protocol port number or TCP control code) or any
frames (based on MAC address or Ethernet type).

• IP Filter – Filters managem ent ac cess to the web, SNMP or Telnet inte rface.

Configuring User Accounts

The guest only has read a cc ess for most configuration para m et er s. H ow e ver, the
administrator has write access for all parameters gove rn in g th e on board agent. You
should therefore assign a new administrator passw or d as soon as possible, and
store it in a safe place.

The default guest name is “guest” with the password “guest . ” Th e def ault
administrator name is “admin” with the password “admin.”

Command Attributes

• Account List – Displays the current list of user accounts and associated access
levels. (Default: admin, and guest)

• New Account – Displays configuration settings f or a new ac count.

• User Name – The name of the user.

• (Maximum length: 8 characters; maximum number of users: 16)

• Access Level – Specifies the user level.

(Options: Normal and Priv ileg ed)

• Password – Specifies the user password.

(Range: 0-8 characters plain text, case sensitive)

• Confirm Password – Re-enter the use r pa ssword.

• Change Password – Sets a new pas sw ord for the specified user nam e.

• Add/Remove – Adds or removes an account from the l ist .

3-50

User Authentication

Web – Click Secur i ty, User Accounts. To configure a new user account, specify a
user name, select the user’s access leve l, th en enter a password and confi rm i t.
Click Add to save the new user account and add it to the Account List. To change the
password for a specific user, enter the user na m e and new password, confirm the
password by entering it aga in, the n cl i ck A ppl y.

Figure 3-32. Access Level s

CLI – Assign a user name to access-level 15 (i.e., admi ni st r at or ), th en specify the

password.

Console(config)#username bob access-level 15 4-25
Console(config)#username bob password 0 smith
Console(config)#

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict management access based on
specified user names and passwords. You can manually configure access rights on
the switc h, o r y ou c a n use a re mot e acce s s au th en ti ca ti on se r ver ba se d on R ADI US
or TACACS+ protocols.

Web
Telnet

RADIUS/
TACACS+
server

1. Client attempts management access.

2. Switch contacts authentication server.

3. Authentication server challenges client.

4. Client responds with proper password or key.

5. Authentication server approves access.

6. Switch grants management access.

console

3-51

Configuring the Switch

Remote Authentication Dial-in User Service (RADIUS) and Terminal Access
Controller Access Control System Plus (TACACS+) are logon authentication
protocols that use softwar e ru nning on a central server to control access to
RADIUS-aware or TAC ACS -aware devices on the network. An authentication
server contains a database of m ultiple user name/password pairs w ith a ssociated
privilege levels for each user that requires management access to the switch.

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery,
while TCP offers a connection-or i ent ed transport. Also, note that R A DI U S encrypts
only the password in the acce ss-request packet from the cl ient to the server, while
T ACACS+ encrypts the entire body of the packet.

Command Usage

• By default, management access is always checked against the auth ent ication
database stored on the local switch. If a remote authentication server is used, you
must specify the authen tication sequence and th e cor responding paramet er s f or
the remote authentication protocol. Local and remote logon authentication control
management acces s via t he console port, web brow ser , or Te ln et .

• RADIUS and TACACS+ log on authentication assign a specific privilege level for
each user name/pass wor d pair. The user name, pass w or d, and privilege level
must be confi gured on the authenticat i on server.

• You can specify up to thre e authentication method s fo r an y user to indicate the
authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and
(3) Local, the user name and password on the RADIUS server is verified first. If the
RADIUS server is not available, then authentica tion is attempted using the
TACACS+ server, and fin all y t he local user name and passwor d i s checked.

Command Attributes

• Authentication – Select the authentication, or authentication sequence required:

• Local – User authentication is performed only locally by the switch.

• Radius – User authentication is performed using a RADI U S server only.

• TACACS – User authentication is per fo rm e d using a TACACS+ server only.

• [authentication sequence] – Us er authentication is perfor m ed by up to three

authentication methods in the indicated seque nce.

• RADIUS Settings

• Global – Provides globally appli cable RADIUS settings.

• ServerIndex – Specifies one of five R AD I US servers that may be configu red.

The switch attempts authentication using the listed sequence of servers. The
process ends when a se rv er either approves or deni es access to a user.

• Server Port Number – Network (UDP) port of authentication serve r us ed for

authentication messages.
(Range: 1- 65535; Default: 1812)

• Secret Text String – Encryption key used to au th ent i ca te lo gon access for

client. Do not use blank spa ces in the string.
(Maximum length: 20 characters)

3-52

User Authentication

• Number of Server Transmits – Number of times the switch tries to authenticate
logon access via the aut hentication server. (Rang e: 1- 30; D ef ault: 2)

• Timeout for a reply – The number of seconds the switch waits for a reply from
the RADIUS server befor e i t res ends the request. (Range: 1-6 5535; Default: 5)

• TACACS Settings

• Server IP Address – Address of the TACACS+ server.
(Default: 10.11.12.13)

• Server Port Number – Network (TCP) port of TACACS+ server used for
authentication messages.
(Range: 1- 65535; Default: 49)

• Secret Text String – Encryption key used to au th ent i ca te lo gon access for
client. Do not use blank spa ces in the string.
(Maximum length: 20 characters)

Note:

The local switch user database has to be set up by manually entering user names
and passwords using the CLI.
(See “username” on page 4-25.)

Web – Click Security, Authentication Settings. To configure local or remote
authentication prefe re nces, specify the authen tication sequence (i.e. , on e t o th re e
methods), fill in the pa rameters for RADIUS or TACACS+ authentication if selected,
and click Apply.

Figure 3-33. Authent i cat i on Set t in gs

3-53

Configuring the Switch

CLI – Specify all the required parameters to enable logon authentication.

Console(config)#authentication login radius 4-70
Console(config)#radius-server host 192.168.1.25 4-72
Console(config)#radius-server port 181 4-73
Console(config)#radius-server key green 4-74
Console(config)#radius-server retransmit 5 4-74
Console(config)#radius-server timeout 10 4-75
Console#show radius-server 4-75
Server IP address: 192.168.1.25
Communication key with radius server:
Server port number: 181
Retransmit times: 5
Request timeout: 10
Console(config)#authentication login tacacs 4-70
Console(config)#tacacs-server host 10.20.30.40 4-76
Console(config)#tacacs-server port 200 4-76
Console(config)#tacacs-server key green 4-77
Console#show tacacs-server 4-77
Server IP address: 10.20.30.40
Communication key with tacacs server: green
Server port number: 200
Console(config)#

Configuring HTTPS

Yo u can configure the switch to e nab le th e Secure Hypertext Transfer Protocol
(HTTPS) over the Secu re Socket Layer (SSL), provid i ng se cure access (i.e., an
encrypted connection) to the switch’s web interface.

Command Usage

• Both the HTTP and HTTPS ser vice can be enabled indepen dently on the switch.
However, you cannot configure both ser vi ce s t o use the same UDP port.

• If you enable HTTPS, you mu st in di ca te this in the URL that you specify in y our
browser: https://device[:port_number]

• When you start HTTPS, the connection is established in this way:

• The client authenticates th e ser ver using the server’s digit al cer tifi cat e .

• The client and server ne got i ate a se t o f se cur i ty pr ot ocols to use for the

connection.

• The client and server generate session keys for encrypting and decrypting data.

• The client and server establish a secure encrypted connection.

• A padlock icon should appear in the status bar for In te rn et Expl orer 5.x or above
and Netscape Navigator 6.2 or above.

• The following web browsers and operating system s currently support HTTP S:

3-54

User Authentication

Table 3-6 HTTPS Support

Web Browser Operating System

Internet Explorer 5.0 or later Windows 98,Windows NT (with service pack 6a),

Netscape Navigator 6.2 or later Windows 98,Windows NT (with service pack 6a),

Windows 2000, Windows XP

Windows 2000, Windows XP, Solaris 2.6

• To specify a secure-site cer tif icat e, see “Replacing the Defaul t Se cur e- sit e

Certificate” on page 3-56.

Command Attributes

• HTTPS Status – Allows you to enable/di sable the HTTPS server feat ur e on the

switch.

(Default: Enabled)

•

Change HTTPS Port Number – Specifies the UDP port number used for HTTPS/
SSL connection to the switch’s we b in terface. (Default: Port 443)

•

TFTP Server IP Address – Specifies the TFTP Ser ver where the authoriz ed
certificate will be saved.

•

Source Certificate File Name – Fi l e na m e fo r the certificate.

•

Source Private File Name – Private key file nam e.

•

Private Password – Passw or d fo r the private key.

Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number,

then click Apply. To replace the default secure-site certificate, enter the TFTP Server
IP Address, the Source Certificate File Name, the Source Private File Name, and the
Private Password, then click Copy Certificate.

Figure 3-34. HTTPS Settings

3-55