SMC Networks SMC8624-48T User Manual

TigerSwitch 10/100/1000

Gigabit Ethernet Switch

◆ 24/48 auto-MDI/MDI-X 10/100/1000BASE-T ports

◆ 4 ports shared with 4 SFP transceiver slots

◆ Non-blocking switching architecture

◆ Support for a redundant power unit

◆ Spanning Tree Protocol, Rapid STP, and Multiple STP

◆ Up to six LACP or static 8-port trunks

◆ Layer 2/3/4 CoS support through 8 priority queues

◆ Layer 3/4 traffic priority with IP Precedence and IP DSCP

◆ Full support for VLANs with GVRP

◆ IGMP multicast filtering and snooping

◆ Support for jumbo frames up to 9 KB

◆ Manageable via console, Web, and SNMP/RMON

Management Guide

SMC8624/48T

TigerSwitch 10/100/1000
Management Guide

From SMC’s Tiger line of feature-rich workgroup LAN solutions

38 Tesla
Irvine, CA 92618
Phone: (949) 679-8000

April 2004

Pub. # 150200041000A

Information furnished by SMC Networks, Inc. (SMC) is believed to be
accurate and reliable. However, no responsibility is assumed by SMC for its
use, nor for any infringements of patents or other rights of third parties
which may result from its use. No license is granted by implication or oth­erwise under any patent or patent rights of SMC. SMC reserves the right to
change specifications at any time without notice.

Copyright © 2004 by

SMC Networks, Inc.

38 Tesla

Irvine, CA 92618

All rights reserved.

Trademarks:

SMC is a registered trademark; and EZ Switch, TigerStack and TigerSwitch are trademarks of SMC
Networks, Inc. Other product and company names are trademarks or registered trademarks of their
respective holders.

L

IMITED

Limited Warranty Statement: SMC Networks, Inc. (“SMC”) warrants its products to be
free from defects in workmanship and materials, under normal use and service, for the
applicable warranty term. All SMC products carry a standard 90-day limited warranty from
the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion,
repair or replace any product not operating as warranted with a similar or functionally
equivalent product, during the applicable warranty term. SMC will endeavor to repair or
replace any product returned under warranty within 30 days of receipt of the product.

The standard limited warranty can be upgraded to a Limited Lifetime* warranty by registering
new products within 30 days of purchase from SMC or its Authorized Reseller. Registration
can be accomplished via the enclosed product registration card or online via the SMC web
site. Failure to register will not affect the standard limited warranty. The Limited Lifetime
warranty covers a product during the Life of that Product, which is defined as the period of
time during which the product is an “Active” SMC product. A product is considered to be
“Active” while it is listed on the current SMC price list. As new technologies emerge, older
technologies become obsolete and SMC will, at its discretion, replace an older product in its
product line with one that incorporates these newer technologies. At that point, the obsolete
product is discontinued and is no longer an “Active” SMC product. A list of discontinued
products with their respective dates of discontinuance can be found at:
http://www.smc.com/index.cfm?action=customer_service_warranty.

All products that are replaced become the property of SMC. Replacement products may be
either new or reconditioned. Any replaced or repaired product carries either a 30-day limited
warranty or the remainder of the initial warranty, whichever is longer. SMC is not responsible
for any custom software or firmware, configuration information, or memory data of
Customer contained in, stored on, or integrated with any products returned to SMC pursuant
to any warranty. Products returned to SMC should have any customer-installed accessory or
add-on components, such as expansion modules, removed prior to returning the product for
replacement. SMC is not responsible for these items if they are returned with the product.

Customers must contact SMC for a Return Material Authorization number prior to returning
any product to SMC. Proof of purchase may be required. Any product returned to SMC
without a valid Return Material Authorization (RMA) number clearly marked on the outside
of the package will be returned to customer at customer’s expense. For warranty claims within
North America, please call our toll-free customer support number at (800) 762-4968.
Customers are responsible for all shipping charges from their facility to SMC. SMC is
responsible for return shipping charges from SMC to customer.

W

ARRANTY

i

L

IMITED WARRANTY

WARRANTIES EXCLUSIVE: IF AN SMC PRODUCT DOES NOT OPERATE AS
WARRANTED ABOVE, CUSTOMER’S SOLE REMEDY SHALL BE REPAIR OR
REPLACEMENT OF THE PRODUCT IN QUESTION, AT SMC’S OPTION. THE
FOREGOING WARRANTIES AND REMEDIES ARE EXCLUSIVE AND ARE IN
LIEU OF ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED,
EITHER IN FACT OR BY OPERATION OF LAW, STATUTORY OR OTHERWISE,
INCLUDING WARRANTIES OR CONDITIONS OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. SMC NEITHER ASSUMES NOR
AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER
LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION,
MAINTENANCE OR USE OF ITS PRODUCTS. SMC SHALL NOT BE LIABLE
UNDER THIS WARRANTY IF ITS TESTING AND EXAMINATION DISCLOSE THE
ALLEGED DEFECT IN THE PRODUCT DOES NOT EXIST OR WAS CAUSED BY
CUSTOMER’S OR ANY THIRD PERSON’S MISUSE, NEGLECT, IMPROPER
INSTALLATION OR TESTING, UNAUTHORIZED ATTEMPTS TO REPAIR, OR
ANY OTHER CAUSE BEYOND THE RANGE OF THE INTENDED USE, OR BY
ACCIDENT, FIRE, LIGHTNING, OR OTHER HAZARD.

LIMITATION OF LIABILITY: IN NO EVENT, WHETHER BASED IN CONTRACT
OR TORT (INCLUDING NEGLIGENCE), SHALL SMC BE LIABLE FOR
INCIDENTAL, CONSEQUENTIAL, INDIRECT, SPECIAL, OR PUNITIVE
DAMAGES OF ANY KIND, OR FOR LOSS OF REVENUE, LOSS OF BUSINESS, OR
OTHER FINANCIAL LOSS ARISING OUT OF OR IN CONNECTION WITH THE
SALE, INSTALLATION, MAINTENANCE, USE, PERFORMANCE, FAILURE, OR
INTERRUPTION OF ITS PRODUCTS, EVEN IF SMC OR ITS AUTHORIZED
RESELLER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES
OR THE LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES FOR
CONSUMER PRODUCTS, SO THE ABOVE LIMITATIONS AND EXCLUSIONS
MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL
RIGHTS, WHICH MAY VARY FROM STATE TO STATE. NOTHING IN THIS
WARRANTY SHALL BE TAKEN TO AFFECT YOUR STATUTORY RIGHTS.

* SMC will provide warranty service for one year following discontinuance from the active
SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans,
and cables are covered by a standard one-year warranty from date of purchase.

SMC Networks, Inc.

38 Tesla

Irvine, CA 92618

ii

C

ONTENTS

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1

Key Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

Description of Software Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

System Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

2 Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Connecting to the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Required Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Remote Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Console Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

Setting an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Manual Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Dynamic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

Enabling SNMP Management Access . . . . . . . . . . . . . . . . . . . . . 2-9

Community Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9

Trap Receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11

Saving Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11

Managing System Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12

3 Configuring the Switch . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Using the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Navigating the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

Panel Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

Main Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12

Displaying System Information . . . . . . . . . . . . . . . . . . . . . . . . . 3-12

Displaying Switch Hardware/Software Versions . . . . . . . . . . . 3-14

Displaying Bridge Extension Capabilities . . . . . . . . . . . . . . . . . 3-16

iii

C

ONTENTS

Setting the Switch’s IP Address . . . . . . . . . . . . . . . . . . . . . . . . 3-17

Manual Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19

Using DHCP/BOOTP . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20

Managing Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22

Downloading System Software from a Server . . . . . . . . . . 3-22

Saving or Restoring Configuration Settings . . . . . . . . . . . . . . . 3-24

Downloading Configuration Settings from a Server . . . . . 3-25

Resetting the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26

Setting the System Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27

Configuring SNTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27

Setting the Time Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29

Simple Network Management Protocol . . . . . . . . . . . . . . . . . . . . . . . . 3-30

Setting Community Access Strings . . . . . . . . . . . . . . . . . . . . . . 3-30

Specifying Trap Managers and Trap Types . . . . . . . . . . . . . . . . 3-31

User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33

Configuring the Logon Password . . . . . . . . . . . . . . . . . . . . . . . 3-33

Configuring Local/Remote Logon Authentication . . . . . . . . . 3-34

Configuring HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-38

Replacing the Default Secure-site Certificate . . . . . . . . . . 3-40

Configuring the Secure Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41

Generating the Host Key Pair . . . . . . . . . . . . . . . . . . . . . . 3-43

Configuring the SSH Server . . . . . . . . . . . . . . . . . . . . . . . . 3-46

Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-48

Configuring 802.1x Port Authentication . . . . . . . . . . . . . . . . . . 3-51

Displaying 802.1x Global Settings . . . . . . . . . . . . . . . . . . . 3-52

Configuring 802.1x Global Settings . . . . . . . . . . . . . . . . . . 3-55

Configuring Port Authorization Mode . . . . . . . . . . . . . . . 3-56

Displaying 802.1x Statistics . . . . . . . . . . . . . . . . . . . . . . . . 3-58

Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-60

Configuring Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . 3-60

Setting the ACL Name and Type . . . . . . . . . . . . . . . . . . . . 3-61

Configuring a Standard IP ACL . . . . . . . . . . . . . . . . . . . . . 3-63

Configuring an Extended IP ACL . . . . . . . . . . . . . . . . . . . 3-64

Configuring a MAC ACL . . . . . . . . . . . . . . . . . . . . . . . . . . 3-67

Configuring ACL Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-70

Specifying the Mask Type . . . . . . . . . . . . . . . . . . . . . . . . . . 3-70

Configuring an IP ACL Mask . . . . . . . . . . . . . . . . . . . . . . . 3-71

Configuring a MAC ACL Mask . . . . . . . . . . . . . . . . . . . . . 3-74

Binding a Port to an Access Control List . . . . . . . . . . . . . . . . . 3-76

iv

C

ONTENTS

Filtering Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-78

Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-80

Displaying Connection Status . . . . . . . . . . . . . . . . . . . . . . . . . . 3-80

Configuring Interface Connections . . . . . . . . . . . . . . . . . . . . . . 3-84

Creating Trunk Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-86

Statically Configuring a Trunk . . . . . . . . . . . . . . . . . . . . . . 3-88

Enabling LACP on Selected Ports . . . . . . . . . . . . . . . . . . . 3-89

Configuring LACP Parameters . . . . . . . . . . . . . . . . . . . . . . 3-91

Displaying LACP Port Counters . . . . . . . . . . . . . . . . . . . . 3-94

Displaying LACP Settings and Status for the Local Side . 3-96
Displaying LACP Settings and Status for the Remote Side . . .

3-99

Setting Broadcast Storm Thresholds . . . . . . . . . . . . . . . . . . . . 3-101

Configuring Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-103

Configuring Rate Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-104

Showing Port Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-106

Address Table Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-112

Setting Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-112

Displaying the Address Table . . . . . . . . . . . . . . . . . . . . . . . . . . 3-114

Changing the Aging Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-115

Spanning Tree Algorithm Configuration . . . . . . . . . . . . . . . . . . . . . . 3-116

Displaying Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-117

Configuring Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-121

Displaying Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 3-126

Configuring Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . 3-130

Configuring Multiple Spanning Trees . . . . . . . . . . . . . . . . . . . 3-133

Displaying Interface Settings for MSTP . . . . . . . . . . . . . . . . . 3-137

Configuring Interface Settings for MSTP . . . . . . . . . . . . . . . . 3-139

VLAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-141

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-141

Assigning Ports to VLANs . . . . . . . . . . . . . . . . . . . . . . . . 3-142

Forwarding Tagged/Untagged Frames . . . . . . . . . . . . . . 3-145

Enabling or Disabling GVRP (Global Setting) . . . . . . . . . . . 3-146

Displaying Basic VLAN Information . . . . . . . . . . . . . . . . . . . 3-146

Displaying Current VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-147

Creating VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-149

Adding Static Members to VLANs (VLAN Index) . . . . . . . . 3-151

v

C

ONTENTS

Adding Static Members to VLANs (Port Index) . . . . . . . . . . 3-153

Configuring VLAN Behavior for Interfaces . . . . . . . . . . . . . . 3-154

Configuring Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . 3-158

Enabling Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . 3-158

Configuring Uplink and Downlink Ports . . . . . . . . . . . . 3-159

Configuring Protocol-Based VLANs . . . . . . . . . . . . . . . . . . . 3-159

Configuring Protocol Groups . . . . . . . . . . . . . . . . . . . . . 3-160

Mapping Protocols to VLANs . . . . . . . . . . . . . . . . . . . . . 3-161

Class of Service Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-163

Setting the Default Priority for Interfaces . . . . . . . . . . . . . . . . 3-163

Mapping CoS Values to Egress Queues . . . . . . . . . . . . . . . . . 3-165

Selecting the Queue Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-167

Setting the Service Weight for Traffic Classes . . . . . . . . . . . . 3-168

Mapping Layer 3/4 Priorities to CoS Values . . . . . . . . . . . . . 3-169

Selecting IP Precedence/DSCP Priority . . . . . . . . . . . . . . . . . 3-170

Mapping IP Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-171

Mapping DSCP Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-173

Mapping IP Port Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-175

Mapping CoS Values to ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 3-177

Changing Priorities Based on ACL Rules . . . . . . . . . . . . . . . . 3-178

Multicast Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-181

Layer 2 IGMP (Snooping and Query) . . . . . . . . . . . . . . . . . . . 3-182

Configuring IGMP Snooping and Query Parameters . . . 3-182
Displaying Interfaces Attached to a Multicast Router . . 3-185

Specifying Static Interfaces for a Multicast Router . . . . . 3-186

Displaying Port Members of Multicast Services . . . . . . . 3-187

Assigning Ports to Multicast Services . . . . . . . . . . . . . . . 3-188

Configuring Domain Name Service . . . . . . . . . . . . . . . . . . . . . . . . . . 3-190

Configuring General DNS Server Parameters . . . . . . . . . . . . 3-190

Configuring Static DNS Host to Address Entries . . . . . . . . . 3-193

Displaying the DNS Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-195

4 Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . 4-1

Using the Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Accessing the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Console Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Telnet Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

vi

C

ONTENTS

Entering Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4

Keywords and Arguments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4

Minimum Abbreviation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4

Command Completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

Getting Help on Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

Showing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

Partial Keyword Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7

Negating the Effect of Commands . . . . . . . . . . . . . . . . . . . . . . . 4-7

Using Command History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7

Understanding Command Modes . . . . . . . . . . . . . . . . . . . . . . . . 4-8

Exec Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9

Command Line Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11

Command Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12

Line Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14

line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15

login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16

password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17

exec-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18

password-thresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19

silent-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20

databits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-21

parity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22

speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23

stopbits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24

disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24

show line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

General Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26

enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26

disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27

configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28

show history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28

reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-29

end . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-30

exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-31

quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-31

vii

C

ONTENTS

System Management Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32

Device Designation Commands . . . . . . . . . . . . . . . . . . . . . . . . 4-33

prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-33

hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34

User Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34

username . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-35

enable password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-36

IP Filter Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37

management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-38

show management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39

Web Server Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-40

ip http port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41

ip http server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41

ip http secure-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-42

ip http secure-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-44

Secure Shell Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-45

ip ssh server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-48

ip ssh timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-49

ip ssh authentication-retries . . . . . . . . . . . . . . . . . . . . . . . . 4-50

ip ssh server-key size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-51

delete public-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-51

ip ssh crypto host-key generate . . . . . . . . . . . . . . . . . . . . . 4-52

ip ssh crypto zeroize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-53

ip ssh save host-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-54

show ip ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-54

show ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-55

show public-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-56

Event Logging Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-58

logging on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-58

logging history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-59

logging host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-60

logging facility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-61

logging trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-62

clear logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-62

show logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-63

viii

C

ONTENTS

SMTP Alert Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-65

logging sendmail host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-66

logging sendmail level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-67

logging sendmail source-email . . . . . . . . . . . . . . . . . . . . . . 4-67

logging sendmail destination-email . . . . . . . . . . . . . . . . . . 4-68

logging sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-69

show logging sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-69

Time Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-70

sntp server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-71

sntp poll . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-72

sntp client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-72

sntp broadcast client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-74

show sntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-74

clock timezone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-75

calendar set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-76

show calendar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-76

System Status Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-77

show startup-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-77

show running-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-80

show system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-82

show users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-83

show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-83

Frame Size Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-84

jumbo frame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-84

Flash/File Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-85

copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-86

delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-89

dir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-90

whichboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-91

boot system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-92

Authentication Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-93

Authentication Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-93

authentication login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-94

RADIUS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-95

radius-server host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-95

radius-server port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-96

radius-server key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-97

ix

C

ONTENTS

radius-server retransmit . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-97

radius-server timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-98

show radius-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-98

TACACS+ Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-99

tacacs-server host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-99

tacacs-server port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-100

tacacs-server key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-101

show tacacs-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-101

Port Security Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-102

port security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-102

802.1x Port Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-104

authentication dot1x default . . . . . . . . . . . . . . . . . . . . . . . 4-105

dot1x default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-106

dot1x max-req . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-106

dot1x port-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-107

dot1x operation-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-108

dot1x re-authenticate . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-108

dot1x re-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-109

dot1x timeout quiet-period . . . . . . . . . . . . . . . . . . . . . . . . 4-109

dot1x timeout re-authperiod . . . . . . . . . . . . . . . . . . . . . . 4-110

dot1x timeout tx-period . . . . . . . . . . . . . . . . . . . . . . . . . . 4-110

show dot1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-111

Access Control List Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-114

IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-116

access-list ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-118

permit, deny (Standard ACL) . . . . . . . . . . . . . . . . . . . . . 4-119

permit, deny (Extended ACL) . . . . . . . . . . . . . . . . . . . . . 4-120

show ip access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-123

access-list ip mask-precedence . . . . . . . . . . . . . . . . . . . . . 4-123

mask (IP ACL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-125

show access-list ip mask-precedence . . . . . . . . . . . . . . . . 4-128

ip access-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-129

show ip access-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-130

map access-list ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-130

show map access-list ip . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-132

match access-list ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-133

show marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-134

x

C

ONTENTS

MAC ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-135

access-list mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-136

permit, deny (MAC ACL) . . . . . . . . . . . . . . . . . . . . . . . . . 4-137

show mac access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-139

access-list mac mask-precedence . . . . . . . . . . . . . . . . . . . 4-139

mask (MAC ACL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-140

show access-list mac mask-precedence . . . . . . . . . . . . . . 4-143

mac access-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-144

show mac access-group . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-145

map access-list mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-145

show map access-list mac . . . . . . . . . . . . . . . . . . . . . . . . . 4-146

match access-list mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-147

ACL Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-148

show access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-148

show access-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-149

SNMP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-149

snmp community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-150

snmp contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-151

snmp location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-151

snmp host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-152

snmp enable traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-154

show snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-155

DNS Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-157

ip host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-158

clear host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-159

ip domain-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-159

ip domain-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-160

ip name-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-162

ip domain-lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-163

show hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-164

show dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-165

show dns cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-165

clear dns cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-166

xi

C

ONTENTS

Interface Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-167

interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-168

description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-168

speed-duplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-169

negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-170

capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-172

flowcontrol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-173

combo-forced-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-174

shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-175

switchport broadcast packet-rate . . . . . . . . . . . . . . . . . . . . . . . 4-176

clear counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-177

show interfaces status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-178

show interfaces counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-179

show interfaces switchport . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-181

Mirror Port Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-183

port monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-183

show port monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-184

Rate Limit Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-185

rate-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-186

Link Aggregation Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-187

channel-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-189

lacp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-190

lacp system-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-192

lacp admin-key (Ethernet Interface) . . . . . . . . . . . . . . . . . . . . 4-193

lacp admin-key (Port Channel) . . . . . . . . . . . . . . . . . . . . . . . . . 4-194

lacp port-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-195

show lacp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-196

Address Table Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-200

mac-address-table static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-201

clear mac-address-table dynamic . . . . . . . . . . . . . . . . . . . . . . . 4-202

show mac-address-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-202

mac-address-table aging-time . . . . . . . . . . . . . . . . . . . . . . . . . . 4-203

show mac-address-table aging-time . . . . . . . . . . . . . . . . . . . . . 4-204

xii

C

ONTENTS

Spanning Tree Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-205

spanning-tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-206

spanning-tree mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-207

spanning-tree forward-time . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-209

spanning-tree hello-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-210

spanning-tree max-age . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-210

spanning-tree priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-211

spanning-tree pathcost method . . . . . . . . . . . . . . . . . . . . . . . . 4-212

spanning-tree transmission-limit . . . . . . . . . . . . . . . . . . . . . . . 4-213

spanning-tree mst-configuration . . . . . . . . . . . . . . . . . . . . . . . 4-213

mst vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-214

mst priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-215

name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-216

revision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-217

max-hops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-218

spanning-tree spanning-disabled . . . . . . . . . . . . . . . . . . . . . . . 4-219

spanning-tree cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-219

spanning-tree port-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-220

spanning-tree edge-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-221

spanning-tree portfast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-222

spanning-tree link-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-223

spanning-tree mst cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-224

spanning-tree mst port-priority . . . . . . . . . . . . . . . . . . . . . . . . 4-226

spanning-tree protocol-migration . . . . . . . . . . . . . . . . . . . . . . 4-227

show spanning-tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-228

show spanning-tree mst configuration . . . . . . . . . . . . . . . . . . . 4-230

VLAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-231

Editing VLAN Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-231

vlan database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-232

vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-233

Configuring VLAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 4-234

interface vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-235

switchport mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-236

switchport acceptable-frame-types . . . . . . . . . . . . . . . . . 4-237

switchport ingress-filtering . . . . . . . . . . . . . . . . . . . . . . . 4-238

switchport native vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-239

switchport allowed vlan . . . . . . . . . . . . . . . . . . . . . . . . . . 4-240

switchport forbidden vlan . . . . . . . . . . . . . . . . . . . . . . . . . 4-241

xiii

C

ONTENTS

Displaying VLAN Information . . . . . . . . . . . . . . . . . . . . . . . . 4-242

show vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-242

Configuring Protocol-based VLANs . . . . . . . . . . . . . . . . . . . . 4-243

protocol-vlan protocol-group (Configuring Groups) . . . 4-244
protocol-vlan protocol-group (Configuring Interfaces) . 4-245

show protocol-vlan protocol-group . . . . . . . . . . . . . . . . . 4-246

show interfaces protocol-vlan protocol-group . . . . . . . . 4-247

Configuring Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . 4-248

pvlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-248

show pvlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-249

GVRP and Bridge Extension Commands . . . . . . . . . . . . . . . . . . . . . 4-250

bridge-ext gvrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-250

show bridge-ext . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-251

switchport gvrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-252

show gvrp configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 4-252

garp timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-253

show garp timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-254

Priority Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-255

Priority Commands (Layer 2) . . . . . . . . . . . . . . . . . . . . . . . . . . 4-256

switchport priority default . . . . . . . . . . . . . . . . . . . . . . . . 4-256

queue mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-258

queue bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-259

queue cos-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-260

show queue mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-261

show queue bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-262

show queue cos-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-262

Priority Commands (Layer 3 and 4) . . . . . . . . . . . . . . . . . . . . . 4-263

map ip port (Global Configuration) . . . . . . . . . . . . . . . . . 4-264

map ip port (Interface Configuration) . . . . . . . . . . . . . . . 4-264

map ip precedence (Global Configuration) . . . . . . . . . . . 4-265

map ip precedence (Interface Configuration) . . . . . . . . . 4-266

map ip dscp (Global Configuration) . . . . . . . . . . . . . . . . 4-267

map ip dscp (Interface Configuration) . . . . . . . . . . . . . . . 4-268

show map ip port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-269

show map ip precedence . . . . . . . . . . . . . . . . . . . . . . . . . 4-270

show map ip dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-271

xiv

C

ONTENTS

Multicast Filtering Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-272

IGMP Snooping Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 4-272

ip igmp snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-273

ip igmp snooping vlan static . . . . . . . . . . . . . . . . . . . . . . . 4-274

ip igmp snooping version . . . . . . . . . . . . . . . . . . . . . . . . . 4-275

show ip igmp snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-276

show mac-address-table multicast . . . . . . . . . . . . . . . . . . 4-276

IGMP Query Commands (Layer 2) . . . . . . . . . . . . . . . . . . . . . 4-277

ip igmp snooping querier . . . . . . . . . . . . . . . . . . . . . . . . . 4-278

ip igmp snooping query-count . . . . . . . . . . . . . . . . . . . . . 4-278

ip igmp snooping query-interval . . . . . . . . . . . . . . . . . . . . 4-279

ip igmp snooping query-max-response-time . . . . . . . . . . 4-280

ip igmp snooping router-port-expire-time . . . . . . . . . . . . 4-281

Static Multicast Routing Commands . . . . . . . . . . . . . . . . . . . . 4-282

ip igmp snooping vlan mrouter . . . . . . . . . . . . . . . . . . . . 4-282

show ip igmp snooping mrouter . . . . . . . . . . . . . . . . . . . 4-283

IP Interface Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-284

Basic IP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-284

ip address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-285

ip dhcp restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-286

ip default-gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-287

show ip interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-288

show ip redirects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-288

ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-289

A Software Specifications . . . . . . . . . . . . . . . . . . . . . . . . A-1

Software Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1

Management Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-3

Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-3

Management Information Bases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4

B Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1

Glossary

Index

xv

T

ABLES

Table 1-1. Key Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

Table 1-2. System Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Table 3-1. Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

Table 3-2. Main Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Table 3-3. HTTPS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39

Table 3-4. 802.1x Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-58

Table 3-5. LACP Port Counter Information . . . . . . . . . . . . . . . . . . . . 3-94

Table 3-6. LACP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-96

Table 3-7. LACP Remote Side Settings . . . . . . . . . . . . . . . . . . . . . . . . 3-99

Table 3-8. Port Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-106

Table 3-9. Egress Queue Priority Mapping . . . . . . . . . . . . . . . . . . . . 3-165

Table 3-10. CoS Priority Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-165

Table 3-11. IP Precedence Prioruty . . . . . . . . . . . . . . . . . . . . . . . . . . 3-171

Table 3-12. Mapping DSCP Priority . . . . . . . . . . . . . . . . . . . . . . . . . . 3-173

Table 3-13. CoS to ACL Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-177

Table 4-1. Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

Table 4-2. Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . 4-10

Table 4-3. Keystroke Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11

Table 4-4. Command Group Index . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12

Table 4-5. Line Command Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14

Table 4-6. General Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26

Table 4-7. System Mangement Commands . . . . . . . . . . . . . . . . . . . . . 4-32

Table 4-8. Device Designation Commands . . . . . . . . . . . . . . . . . . . . . 4-33

Table 4-9. User Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34

Table 4-10. IP Filter Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37

Table 4-11. Web Server Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-40

Table 4-12. Secure Shell Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-45

Table 4-13. SSH Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-55

Table 4-14. Event Logging Commands . . . . . . . . . . . . . . . . . . . . . . . . . 4-58

Table 4-15. SMTP Alert Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-65

Table 4-16. Time Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-70

Table 4-17. System Status Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 4-77

Table 4-18. Frame Size Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-84

Table 4-19. Flash/File Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-85

Table 4-20. Authentication Commands . . . . . . . . . . . . . . . . . . . . . . . . . 4-93

Table 4-21. Authentication Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . 4-93

xvi

T

ABLES

Table 4-22. RADIUS Client Commands . . . . . . . . . . . . . . . . . . . . . . . . 4-95

Table 4-23. TACACS+ Client Commands . . . . . . . . . . . . . . . . . . . . . . 4-99

Table 4-24. Port Security Commands . . . . . . . . . . . . . . . . . . . . . . . . . 4-102

Table 4-25. 802.1x Port Authentication Commands . . . . . . . . . . . . . 4-104

Table 4-26. Access Control List Commands . . . . . . . . . . . . . . . . . . . . 4-116

Table 4-27. IP ACL Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-116

Table 4-28. MAC ACL Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-135

Table 4-29. ACL Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-148

Table 4-30. SNMP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-149

Table 4-31. DNS Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-157

Table 4-32. Interface Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-167

Table 4-33. Mirror Port Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 4-183

Table 4-34. Rate Limit Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-185

Table 4-35. Link Aggregation Commands . . . . . . . . . . . . . . . . . . . . . 4-187

Table 4-36. Adress Table Commands . . . . . . . . . . . . . . . . . . . . . . . . . 4-200

Table 4-37. Spanning Tree Commands . . . . . . . . . . . . . . . . . . . . . . . . 4-205

Table 4-38. VLAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-231

Table 4-39. Editing VLAN Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-231

Table 4-40. Configuring VLAN Interfaces . . . . . . . . . . . . . . . . . . . . . 4-234

Table 4-41. Displaying VLAN Information . . . . . . . . . . . . . . . . . . . . 4-242

Table 4-42. Protocol-based VLAN Commands . . . . . . . . . . . . . . . . . 4-243

Table 4-43. Private VLAN Commands . . . . . . . . . . . . . . . . . . . . . . . . 4-248

Table 4-44. GVRP and Bridge Extension Commands . . . . . . . . . . . . 4-250

Table 4-45. Priority Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-255

Table 4-46. Priority Commands (Layer 2) . . . . . . . . . . . . . . . . . . . . . . 4-256

Table 4-47. Priority Commands (Layer 3 and 4) . . . . . . . . . . . . . . . . . 4-263

Table 4-48. Multicast Filtering Commands . . . . . . . . . . . . . . . . . . . . . 4-272

Table 4-49. IGMP Snooping Commands . . . . . . . . . . . . . . . . . . . . . . 4-272

Table 4-50. IGMP Query Commands (Layer 2) . . . . . . . . . . . . . . . . . 4-277

Table 4-51. Static Multicast Routing Commands . . . . . . . . . . . . . . . . 4-282

Table 4-52. Basic IP Configuration commands . . . . . . . . . . . . . . . . . 4-284

Table B-1. Troubleshooting Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1

xvii

F

IGURES

Figure 3-1. Homepage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Figure 3-2. Panel Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

Figure 3-3. System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13

Figure 3-4. Switch Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15

Figure 3-5. Bridge Extension Configuration . . . . . . . . . . . . . . . . . . . 3-17

Figure 3-6. Manual IP Configuration . . . . . . . . . . . . . . . . . . . . . . . . 3-19

Figure 3-7. DHCP IP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 3-20

Figure 3-8. Operation Code Image File Transfer . . . . . . . . . . . . . . . 3-23

Figure 3-9. Select Start-Up Operation File . . . . . . . . . . . . . . . . . . . . 3-23

Figure 3-10. Downloading Configuration Settings from a Server . . . 3-25

Figure 3-11. Selecting the Startup Configuration File . . . . . . . . . . . . 3-25

Figure 3-12. Resetting the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26

Figure 3-13. SNTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28

Figure 3-14. Setting the Time Zone . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29

Figure 3-15. Setting Community Access Strings . . . . . . . . . . . . . . . . . 3-31

Figure 3-16. Specifying Trap Managers and Trap Types . . . . . . . . . . 3-32

Figure 3-17. Configuring the Logon Password . . . . . . . . . . . . . . . . . . 3-34

Figure 3-18. Setting Local, RADIUS and TACACS Authentication . 3-37

Figure 3-19. HTTPS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39

Figure 3-20. SSH Host-Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45

Figure 3-21. SSH Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-47

Figure 3-22. Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . 3-50

Figure 3-23. 802.1x Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-53

Figure 3-24. 802.1x Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-56

Figure 3-25. 802.1x Port Configuration . . . . . . . . . . . . . . . . . . . . . . . 3-57

Figure 3-26. 802.1x Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-59

Figure 3-27. Naming and Choosing ACLs . . . . . . . . . . . . . . . . . . . . . 3-62

Figure 3-28. Configuring Standard IP ACLs . . . . . . . . . . . . . . . . . . . 3-63

Figure 3-29. Configuring Extended IP ACLs . . . . . . . . . . . . . . . . . . . 3-66

Figure 3-30. Configuring MAC ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 3-69

Figure 3-31. Choosing ACL Types . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-71

Figure 3-32. Configuring an IP based ACL . . . . . . . . . . . . . . . . . . . . 3-73

Figure 3-33. Configuring a MAC based ACL . . . . . . . . . . . . . . . . . . . 3-75

Figure 3-34. Mapping ACLs to Port Ingress/Egress Queues . . . . . . 3-77

Figure 3-35. Filtering Management Access . . . . . . . . . . . . . . . . . . . . . 3-79

Figure 3-36. Port Status Information . . . . . . . . . . . . . . . . . . . . . . . . . 3-81

xviii

F

IGURES

Figure 3-37. Configuring Port Attributes . . . . . . . . . . . . . . . . . . . . . . 3-86

Figure 3-38. Static Trunk Configuration . . . . . . . . . . . . . . . . . . . . . . . 3-88

Figure 3-39. LACP Port Configuratio . . . . . . . . . . . . . . . . . . . . . . . . . 3-90

Figure 3-40. LACP Aggregation Port Configuration . . . . . . . . . . . . . 3-93

Figure 3-41. Displaying LACP Port Counters Information . . . . . . . . 3-95

Figure 3-42. Displaying LACP Port Information . . . . . . . . . . . . . . . . 3-98

Figure 3-43. Displaying Remote LACP Port Information . . . . . . . . 3-100

Figure 3-44. Enabling Port Broadcast Control . . . . . . . . . . . . . . . . . 3-102

Figure 3-45. Configuring a Mirror Port . . . . . . . . . . . . . . . . . . . . . . 3-104

Figure 3-46. Configuring Output Port Rate Limiting . . . . . . . . . . . . 3-105

Figure 3-47. Displaying Port Statistics . . . . . . . . . . . . . . . . . . . . . . . 3-110

Figure 3-48. Displaying Etherlike and RMON Statistics . . . . . . . . . 3-111

Figure 3-49. Mapping Ports to Static Addresses . . . . . . . . . . . . . . . . 3-113

Figure 3-50. Displaying the MAC Dynamic Address Table . . . . . . . 3-114

Figure 3-51. Setting the Aging Time . . . . . . . . . . . . . . . . . . . . . . . . . 3-115

Figure 3-52. Displaying the Spanning Tree Algorithm . . . . . . . . . . 3-120

Figure 3-53. Configuring the Spanning Tree Algorithm . . . . . . . . . 3-125

Figure 3-54. Displaying STA - Port Status Information . . . . . . . . . 3-130

Figure 3-55. Configuring Spanning Tree Algorithm per Port . . . . . 3-133

Figure 3-56. Configuring Multiple Spanning Trees . . . . . . . . . . . . . 3-135

Figure 3-57. Displaying MSTP Interface Settings . . . . . . . . . . . . . . 3-137

Figure 3-58. MSTP Port Configuration . . . . . . . . . . . . . . . . . . . . . . 3-140

Figure 3-59. Enabling GVRP Status . . . . . . . . . . . . . . . . . . . . . . . . . 3-146

Figure 3-60. Displaying Basic VLAN Information . . . . . . . . . . . . . 3-147

Figure 3-61. Displaying VLAN Information by Port Membership . 3-148

Figure 3-62. Creating Virtual LANs . . . . . . . . . . . . . . . . . . . . . . . . . 3-150

Figure 3-63. Configuring VLAN Port Attributes . . . . . . . . . . . . . . . 3-152

Figure 3-64. Assigning VLAN Port and Trunk Groups . . . . . . . . . 3-154

Figure 3-65. Configuring VLAN Ports . . . . . . . . . . . . . . . . . . . . . . . 3-157

Figure 3-66. Enabling Private VLANS . . . . . . . . . . . . . . . . . . . . . . . 3-158

Figure 3-67. PVLAN Uplink/Downlink Port Configuration . . . . . 3-159

Figure 3-68. Protocil VLAN Configuration . . . . . . . . . . . . . . . . . . . 3-161

Figure 3-69. Mapping Protocols to VLANs . . . . . . . . . . . . . . . . . . . 3-162

Figure 3-70. Configuring Class of Service per Port . . . . . . . . . . . . . 3-164

Figure 3-71. Configuring Ports and Trunks for Class of Service . . . 3-166

Figure 3-72. Setting the Queue Mode . . . . . . . . . . . . . . . . . . . . . . . . 3-167

Figure 3-73. Configuring Class of Service for Each Ingress Queue 3-168

xix

F

IGURES

Figure 3-74. Setting IP Precedence/DSCP Priority Status . . . . . . . 3-170

Figure 3-75. Mapping IP Precedence to Class of Service Values . . . 3-172
Figure 3-76. Mapping IP DSCP Priority to Class of Service Values 3-174

Figure 3-77. Globally Enabling the IP Port Priority Status . . . . . . . 3-175

Figure 3-78. IP Port Priority Mapping . . . . . . . . . . . . . . . . . . . . . . . 3-176

Figure 3-79. Changing Priorities Based on ACL Rules . . . . . . . . . . 3-180

Figure 3-80. Configuring Internet Group Management Protocol . . 3-184

Figure 3-81. Mapping Multicast Switch Ports to VLANs . . . . . . . . 3-185

Figure 3-82. Static Multicast Router Port Configuration . . . . . . . . . 3-186

Figure 3-83. Displaying Port Members of Multicast Services . . . . . 3-188

Figure 3-84. Specifying Multicast Port Membership . . . . . . . . . . . . 3-189

Figure 3-85. Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-192

Figure 3-86. Mapping IP Addresses to a Host Name . . . . . . . . . . . 3-194

Figure 3-87. Displaying the DNS Cache . . . . . . . . . . . . . . . . . . . . . . 3-196

xx

C

HAPTER

I

NTRODUCTION

This switch provides a broad range of features for Layer 2 switching. It
includes a management agent that allows you to configure the features
listed in this manual. The default configuration can be used for most of the
features provided by this switch. However, there are many options that you
should configure to maximize the switch’s performance for your particular
network environment.

Key Features

Table 1-1. Key Features

Feature Description

Configuration
Backup and
Restore

Authentication Console, Telnet, web – User name / password, RADIUS,

Access Control
Lists

Port Configuration Speed, duplex mode and flow control

Rate Limiting Input and output rate limiting per port

Port Mirroring One or more ports mirrored to single analysis port

Port Trunking Supports up to 6 trunks using either static or dynamic

Backup to TFTP server

TACACS+

Web – HTTPS; Telnet – SSH

SNMP – Community strings, IP address filtering

Port – IEEE 802.1x, MAC address filtering

Supports up to 32 IP or MAC ACLs

trunking (LACP)

1

1-1

I

NTRODUCTION

Table 1-1. Key Features

Feature Description

Broadcast Storm
Control

Static Address Up to 16K MAC addresses in the forwarding table

IEEE 802.1D
Bridge

Store-and-Forward
Switching

Spanning Tree
Protocol

Virtual LANs Up to 255 using IEEE 802.1Q, port-based, protocol-based, or

Traffic
Prioritization

Multicast Filtering Supports IGMP snooping and query

Supported

Supports dynamic data switching and addresses learning

Supported to ensure wire-speed switching while eliminating
bad frames

Supports standard STP, Rapid Spanning Tree Protocol
(RSTP), and Multiple Spanning Trees (MSTP)

private VLANs

Default port priority, traffic class map, queue scheduling, IP
Precedence, or Differentiated Services Code Point (DSCP)

Description of Software Features

The switch provides a wide range of advanced performance enhancing
features. Flow control eliminates the loss of packets due to bottlenecks
caused by port saturation. Broadcast storm suppression prevents broadcast
traffic storms from engulfing the network. Port-based and protocol-based
VLANs, plus support for automatic GVRP VLAN registration provide
traffic security and efficient use of network bandwidth. CoS priority
queueing ensures the minimum delay for moving real-time multimedia data
across the network. While multicast filtering provides support for real-time
network applications. Some of the management features are briefly
described below.

Configuration Backup and Restore – You can save the current
configuration settings to a file on a TFTP server, and later download this
file to restore the switch configuration settings.

1-2

D

ESCRIPTION OF SOFTWARE FEATURES

Authentication – This switch authenticates management access via the
console port, Telnet or web browser. User names and passwords can be
configured locally or can be verified via a remote authentication server (i.e.,
RADIUS or TACACS+). Port-based authentication is also supported via
the IEEE 802.1x protocol. This protocol uses the Extensible
Authentication Protocol over LANs (EAPOL) to request a user name and
password from the 802.1x client, and then verifies the client’s right to
access the network via an authentication server.

Other authentication options include HTTPS for secure management
access via the web, SSH for secure management access over a
Telnet-equivalent connection, IP address filtering for SNMP/web/Telnet
management access, and MAC address filtering for port access.

Access Control Lists – ACLs provide packet filtering for IP frames
(based on address, protocol, TCP/UDP port number or TCP control
code) or any frames (based on MAC address or Ethernet type). ACLs can
by used to improve performance by blocking unnecessary network traffic
or to implement security controls by restricting access to specific network
resources or protocols.

Port Configuration – You can manually configure the speed, duplex
mode, and flow control used on specific ports, or use auto-negotiation to
detect the connection settings used by the attached device. Use the
full-duplex mode on ports whenever possible to double the throughput of
switch connections. Flow control should also be enabled to control
network traffic during periods of congestion and prevent the loss of
packets when port buffer thresholds are exceeded. The switch supports
flow control based on the IEEE 802.3x standard.

Rate Limiting – This feature controls the maximum rate for traffic
transmitted or received on an interface. Rate limiting is configured on
interfaces at the edge of a network to limit traffic into or out of the
network. Traffic that falls within the rate limit is transmitted, while packets
that exceed the acceptable amount of traffic are dropped.

1-3

I

NTRODUCTION

Port Mirroring – The switch can unobtrusively mirror traffic from any
port to a monitor port. You can then attach a protocol analyzer or RMON
probe to this port to perform traffic analysis and verify connection
integrity.

Port Trunking – Ports can be combined into an aggregate connection.
Trunks can be manually set up or dynamically configured using IEEE

802.3ad Link Aggregation Control Protocol (LACP). The additional ports
dramatically increase the throughput across any connection, and provide
redundancy by taking over the load if a port in the trunk should fail. The
switch supports up to 6 trunks.

Broadcast Storm Control – Broadcast suppression prevents broadcast
traffic from overwhelming the network. When enabled on a port, the level
of broadcast traffic passing through the port is restricted. If broadcast
traffic rises above a pre-defined threshold, it will be throttled until the level
falls back beneath the threshold.

Static Addresses – A static address can be assigned to a specific interface
on this switch. Static addresses are bound to the assigned interface and will
not be moved. When a static address is seen on another interface, the
address will be ignored and will not be written to the address table. Static
addresses can be used to provide network security by restricting access for
a known host to a specific port.

IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent
bridging. The address table facilitates data switching by learning addresses,
and then filtering or forwarding traffic based on this information. The
address table supports up to 16K addresses.

Store-and-Forward Switching – The switch copies each frame into its
memory before forwarding them to another port. This ensures that all
frames are a standard Ethernet size and have been verified for accuracy
with the cyclic redundancy check (CRC). This prevents bad frames from
entering the network and wasting bandwidth.

1-4

D

ESCRIPTION OF SOFTWARE FEATURES

To avoid dropping frames on congested ports, the switch provides 1 MB
for frame buffering. This buffer can queue packets awaiting transmission
on congested networks.

Spanning Tree Protocol – The switch supports these spanning tree
protocols:

Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol adds a level
of fault tolerance by allowing two or more redundant connections to be
created between a pair of LAN segments. When there are multiple physical
paths between segments, this protocol will choose a single path and disable
all others to ensure that only one route exists between any two stations on
the network. This prevents the creation of network loops. However, if the
chosen path should fail for any reason, an alternate path will be activated
to maintain the connection.

Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol
reduces the convergence time for network topology changes to about 10%
of that required by the older IEEE 802.1D STP standard. It is intended as
a complete replacement for STP, but can still interoperate with switches
running the older standard by automatically reconfiguring ports to
STP-compliant mode if they detect STP protocol messages from attached
devices.

Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is
a direct extension of RSTP. It can provide an independent spanning tree
for different VLANs. It simplifies network management, provides for even
faster convergence than RSTP by limiting the size of each region, and
prevents VLAN members from being segmented from the rest of the
group (as sometimes occurs with IEEE 802.1D STP).

1-5

I

NTRODUCTION

Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is
a collection of network nodes that share the same collision domain
regardless of their physical location or connection point in the network.
The switch supports tagged VLANs based on the IEEE 802.1Q standard.
Members of VLAN groups can be dynamically learned via GVRP, or ports
can be manually assigned to a specific set of VLANs. This allows the
switch to restrict traffic to the VLAN groups to which a user has been
assigned. By segmenting your network into VLANs, you can:

• Eliminate broadcast storms which severely degrade performance in a
flat network.

• Simplify network management for node changes/moves by remotely
configuring VLAN membership for any port, rather than having to
manually change the network connection.

• Provide data security by restricting all traffic to the originating VLAN.

• Use private VLANs to restrict traffic to pass only between data ports
and the uplink ports, thereby isolating adjacent ports within the same
VLAN, and allowing you to limit the total number of VLANs that need
to be configured.

Traffic Prioritization – This switch prioritizes each packet based on the
required level of service, using four priority queues with strict or Weighted
Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize
incoming traffic based on input from the end-station application. These
functions can
data and best-effort data.

be used to provide independent priorities for delay-sensitive

This switch also supports several common methods of prioritizing layer 3/
4 traffic to meet application requirements. Traffic can be prioritized based
on the priority bits in the IP frame’s Type of Service (ToS) octet. When
these services are enabled, the priorities are mapped to a Class of Service
value by the switch, and the traffic then sent to the corresponding output
queue.

Multicast Filtering – Specific multicast traffic can be assigned to its own
VLAN to ensure that it does not interfere with normal network traffic and
to guarantee real-time delivery by setting the required priority level for the
designated VLAN. The switch uses IGMP Snooping and Query to manage
multicast group registration.

1-6

System Defaults

The switch’s system defaults are provided in the configuration file
“Factory_Default_Config.cfg.” To reset the switch defaults, this file
should be set as the startup configuration file (page 3-25).

The following table lists some of the basic system defaults.

Table 1-2. System Defaults

Function Parameter Default

Console Port
Connection

Authentication Privileged Exec Level Username “admin”

Web Management HTTP Server Enabled

SNMP Community Strings “public” (read only)

Baud Rate auto

Data bits 8

Stop bits 1

Parity none

Local Console Timeout 0 (disabled)

Password “admin”

Normal Exec Level Username “guest”

Password “guest”

Enable Privileged Exec from
Normal Exec Level

RADIUS Authentication Disabled

TACACS Authentication Disabled

802.1x Port Authentication Disabled

HTTPS Enabled

SSH Enabled

Port Security Disabled

HTTP Port Number 80

HTTP Secure Server Enabled

HTTP Secure Port Number 443

Traps Authentication traps: enabled

Password “super”

“private” (read/write)

Link-up-down events:

S

YSTEM DEFAULTS

enabled

1-7

I

NTRODUCTION

Function Parameter Default

Port
Configuration

Rate Limiting Input and output limits Disabled

Port Trunking Static Trunks None

Broadcast Storm
Protection

Spanning Tree
Protocol

Address Table Aging Time 300 seconds

Table 1-2. System Defaults

Admin Status Enabled

Auto-negotiation Enabled

Flow Control Disabled

Port Capability 1000BASE-T –

(10 Mbps half duplex)
(10 Mbps full duplex)
(100 Mbps half duplex)
(100 Mbps full duplex)
(1000 Mbps full duplex)
(Full-duplex flow control)
(disabled)
(Symmetric flow control)
(disabled)

1000BASE-SX/LX/LH –

(1000 Mbps full duplex)
(Full-duplex flow control)
(disabled)
(Symmetric flow control)
(disabled)

LACP (all ports) Disabled

Status Enabled (all ports)

Broadcast Limit Rate 500 packets per second

Status Enabled, MSTP

(Defaults: All values based on
IEEE 802.1s)

Fast Forwarding (Edge Port) Disabled

1-8

S

YSTEM DEFAULTS

Table 1-2. System Defaults

Function Parameter Default

Virtual LANs Default VLAN 1

PVID 1

Acceptable Frame Type All

Ingress Filtering Disabled

Switchport Mode (Egress
Mode)

GVRP (global) Disabled

GVRP (port interface) Disabled

Traffic
Prioritization

IP Settings IP Address 0.0.0.0

Multicast Filtering IGMP Snooping Snooping: Enabled

System Log Status Enabled

SMTP Email
Alerts

SNTP Clock Synchronization Disabled

Ingress Port Priority 0

Weighted Round Robin Queue: 0 1 2 3 4 5 6 7

IP Precedence Priority Disabled

IP DSCP Priority Disabled

Subnet Mask 255.0.0.0

Default Gateway 0.0.0.0

DHCP Client: Disabled

BOOTP Disabled

Messages Logged Levels 0-7 (all)

Messages Logged to Flash Levels 0-3

Event Handler Disabled

Hybrid: tagged/untagged
frames

Priority: 2 0 1 3 4 5 6 7

Querier: Enabled

1-9

I

NTRODUCTION

1-10

C

HAPTER

I

NITIAL

C

ONFIGURATION

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent
offers a variety of management options, including SNMP, RMON and a
Web-based interface. A PC may also be connected directly to the switch
for configuration and monitoring via a command line interface (CLI).

Note: The IP address for this switch is unassigned by default. To change

this address, see “Setting an IP Address” on page 2-6.

The switch’s HTTP Web agent allows you to configure switch parameters,
monitor port connections, and display statistics using a standard Web
browser such as Netscape Navigator version 6.2 and higher or Microsoft
IE version 5.0 and higher. The switch’s Web management interface can be
accessed from any computer attached to the network.

2

The CLI program can be accessed by a direct connection to the RS-232
serial console port on the switch, or remotely by a Telnet connection over
the network.

The switch’s management agent also supports SNMP (Simple Network
Management Protocol). This SNMP agent permits the switch to be
managed from any system in the network using network management
software such as SMC EliteView and HP OpenView.

2-1

I

NITIAL CONFIGURATION

The switch’s Web interface, CLI configuration program, and SNMP agent
allow you to perform the following management functions:

• Set user names and passwords for up to 16 users

• Set an IP interface for a management VLAN

• Configure SNMP parameters

• Enable/disable any port

• Set the speed/duplex mode for any port

• Configure the bandwidth of any port by limiting input or output rates

• Configure up to 255 IEEE 802.1Q VLANs

• Enable GVRP automatic VLAN registration

• Configure IGMP multicast filtering

• Upload and download system firmware via TFTP

• Upload and download switch configuration files via TFTP

• Configure Spanning Tree parameters

• Configure Class of Service (CoS) priority queuing

• Configure up to 6 static or LACP trunks

• Enable port mirroring

• Set broadcast storm control on any port

• Display system information and statistics

Required Connections

The switch provides an RS-232 serial port that enables a connection to a
PC or terminal for monitoring and configuring the switch. A null-modem
console cable is provided with the switch.

Attach a VT100-compatible terminal, or a PC running a terminal
emulation program to the switch. You can use the console cable provided
with this package, or use a null-modem cable that complies with the wiring
assignments shown in the Installation Guide.

2-2

C

ONNECTING TO THE SWITCH

To connect a terminal to the console port, complete the following steps:

1. Connect the console cable to the serial port on a terminal, or a PC
running terminal emulation software, and tighten the captive retaining
screws on the DB-9 connector.

2. Connect the other end of the cable to the RS-232 serial port on the
switch.

3. Make sure the terminal emulation software is set as follows:

• Select the appropriate serial port (COM port 1 or COM port 2).

• Set to any of these baud rates: 9600, 19200, 38400, 57600, 115200
(Note: Set to 9600 baud to view all system initialization messages.)

• Set the data format to 8 data bits, 1 stop bit, and no parity.

• Set flow control to none.

• Set the emulation mode to VT100.

• With HyperTerminal, select Terminal keys, not Windows keys.

Notes: 1. When using HyperTerminal with Microsoft

make sure that you have Windows 2000 Service Pack 2 or later
installed. Windows 2000 Service Pack 2 fixes the problem of
arrow keys not functioning in HyperTerminal’s VT100
emulation. See www.microsoft.com for information on
Windows 2000 service packs.

2. Refer to “Line Commands” on page 4-14 for a complete
description of console configuration options.

3. Once you have set up the terminal correctly, the console login
screen will be displayed.

For a description of how to use the CLI, see “Using the Command Line
Interface” on page 4-1. For a list of all the CLI commands and detailed
information on using the CLI, refer to “Command Groups” on page 4-12.

®

Windows® 2000,

2-3

I

NITIAL CONFIGURATION

Remote Connections

Prior to accessing the switch’s onboard agent via a network connection,
you must first configure it with a valid IP address, subnet mask, and default
gateway using a console connection, DHCP or BOOTP protocol.

The IP address for this switch is unassigned by default. To manually
configure this address or enable dynamic address assignment via DHCP or
BOOTP, see “Setting an IP Address” on page 2-6.

Note: This switch supports four concurrent Telnet sessions.

After configuring the switch’s IP parameters, you can access the onboard
configuration program from anywhere within the attached network. The
onboard configuration program can be accessed using Telnet from any
computer attached to the network. The switch can also be managed by any
computer using a web browser (Internet Explorer 5.0 or above, or
Netscape Navigator 6.2 or above), or from a network computer using
SNMP network management software.

Note: The onboard program only provides access to basic configuration

functions. To access the full range of SNMP management
functions, you must use SNMP-based network management
software.

Basic Configuration

Console Connection

The CLI program provides two different command levels — normal
access level (Normal Exec) and privileged access level (Privileged Exec).
The commands available at the Normal Exec level are a limited subset of
those available at the Privileged Exec level and only allow you to display
information and use basic utilities. To fully configure the switch
parameters, you must access the CLI at the Privileged Exec level.

2-4

B

ASIC CONFIGURATION

Access to both CLI levels are controlled by user names and passwords.
The switch has a default user name and password for each level. To log
into the CLI at the Privileged Exec level using the default user name and
password, perform these steps:

1. To initiate your console connection, press <Enter>. The “User Access
Verification” procedure starts.

2. At the Username prompt, enter “admin.”

3. At the Password prompt, also enter “admin.” (The password
characters are not displayed on the console screen.)

4. The session is opened and the CLI displays the “Console#” prompt
indicating you have access at the Privileged Exec level.

Setting Passwords

Note: If this is your first time to log into the CLI program, you should

define new passwords for both default user names using the
“username” command, record them and put them in a safe place.

Passwords can consist of up to 8 alphanumeric characters and are case
sensitive. To prevent unauthorized access to the switch, set the passwords
as follows:

1. Open the console interface with the default user name and password
“admin” to access the Privileged Exec level.

2. Type “configure” and press <Enter>.

3. Type “username guest password 0 password,” for the Normal Exec
level, where password is your new password. Press <Enter>.

2-5

I

NITIAL CONFIGURATION

Type “username admin password 0 password,” for the Privileged Exec level,
where password is your new password. Press <Enter>.

Username: admin
Password:

CLI session is opened.
To end the CLI session, enter [Exit].

Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

Setting an IP Address

You must establish IP address information for the switch to obtain
management access through the network. This can be done in either of the
following ways:

Manual — You have to input the information, including IP address and
subnet mask. If your management station is not in the same IP subnet as
the switch, you will also need to specify the default gateway router.

Dynamic — The switch sends IP configuration requests to BOOTP or
DHCP address allocation servers on the network.

Manual Configuration

You can manually assign an IP address to the switch. You may also need to
specify a default gateway that resides between this device and management
stations on another network segment. Valid IP addresses consist of four
decimal numbers, 0 to 255, separated by periods. Anything outside this
format will not be accepted by the CLI program.

Note: The IP address for this switch is unassigned by default.

2-6

B

ASIC CONFIGURATION

Before you can assign an IP address to the switch, you must obtain the
following information from your network administrator:

• IP address for the switch

• Default gateway for the network

• Network mask for this network

To assign an IP address to the switch, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt,
type “interface vlan 1” to access the interface-configuration mode.
Press <Enter>.

2. Type “ip address ip-address netmask,” where “ip-address” is the switch
IP address and “netmask” is the network mask for the network. Press
<Enter>.

3. Type “exit” to return to the global configuration mode prompt. Press
<Enter>.

4. To set the IP address of the default gateway for the network to which
the switch belongs, type “ip default-gateway gateway,” where “gateway”
is the IP address of the default gateway. Press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
Console(config)#

Dynamic Configuration

If you select the “bootp” or “dhcp” option, IP will be enabled but will not
function until a BOOTP or DHCP reply has been received. You therefore
need to use the “ip dhcp restart client” command to start broadcasting
service requests. Requests will be sent periodically in an effort to obtain IP
configuration information. (BOOTP and DHCP values can include the IP
address, subnet mask, and default gateway.)

2-7

I

NITIAL CONFIGURATION

If the “bootp” or “dhcp” option is saved to the startup-config file (step 6),
then the switch will start broadcasting service requests as soon as it is
powered on.

To automatically configure the switch by communicating with BOOTP or
DHCP address allocation servers on the network, complete the following
steps:

1. From the Global Configuration mode prompt, type “interface vlan 1”
to access the interface-configuration mode. Press <Enter>.

2. At the interface-configuration mode prompt, use one of the following
commands:

• To obtain IP settings via DHCP, type “ip address dhcp” and press
<Enter>.

• To obtain IP settings via BOOTP, type “ip address bootp” and
press <Enter>.

3. Type “end” to return to the Privileged Exec mode. Press <Enter>.

4. Type “ip dhcp restart client” to begin broadcasting service requests.
Press <Enter>.

5. Wait a few minutes, and then check the IP configuration settings by
typing the “show ip interface” command. Press <Enter>.

2-8

B

ASIC CONFIGURATION

6. Then save your configuration changes by typing “copy running-config
startup-config.” Enter the startup file name and press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart client
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.

\Write to FLASH finish.
Success.

Enabling SNMP Management Access

The switch can be configured to accept management commands from
Simple Network Management Protocol (SNMP) applications such as
SMC EliteView or HP OpenView. You can configure the switch to
(1) respond to SNMP requests or (2) generate SNMP traps.

When SNMP management stations send requests to the switch (either to
return information or to set a parameter), the switch provides the
requested data or sets the specified parameter. The switch can also be
configured to send information to SNMP managers (without being
requested by the managers) through trap messages, which inform the
manager that certain events have occurred.

Community Strings

Community strings are used to control management access to SNMP
stations, as well as to authorize SNMP stations to receive trap messages
from the switch. You therefore need to assign community strings to
specified users or user groups, and set the access level.

2-9

I

NITIAL CONFIGURATION

The default strings are:

• public - with read-only access. Authorized management stations are
only able to retrieve MIB objects.

• private - with read-write access. Authorized management stations are
able to both retrieve and modify MIB objects.

Note: If you do not intend to utilize SNMP, we recommend that you

delete both of the default community strings. If there are no
community strings, then SNMP management access to the switch
is disabled.

To prevent unauthorized access to the switch via SNMP, it is
recommended that you change the default community strings.

To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt,

type “snmp-server community string mode,” where “string” is the
community access string and “mode” is rw (read/write) or ro (read
only). Press <Enter>. (Note that the default mode is read only.)

2. To remove an existing string, simply type “no snmp-server community

string,” where “string” is the community access string to remove. Press
<Enter>.

Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#

2-10

B

ASIC CONFIGURATION

Trap Receivers

You can also specify SNMP stations that are to receive traps from the
switch.

To configure a trap receiver, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt,
type “snmp-server host host-address community-string,” where
“host-address” is the IP address for the trap receiver and
“community-string” is the string associated with that host. Press
<Enter>.

2. In order to configure the switch to send SNMP notifications, you must
enter at least one snmp-server enable traps command. Type
“snmp-server enable traps type,” where “type” is either authentication
or link-up-down. Press <Enter>.

Console(config)#snmp-server enable traps link-up-down
Console(config)#

Saving Configuration Settings

Configuration commands only modify the running configuration file and
are not saved when the switch is rebooted. To save all your configuration
changes in nonvolatile storage, you must copy the running configuration
file to the start-up configuration file using the “copy” command.

To save the current configuration settings, enter the following command:

1. From the Privileged Exec mode prompt, type “copy running-config
startup-config” and press <Enter>.

2. Enter the name of the start-up file. Press <Enter>.

Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#

2-11

I

NITIAL CONFIGURATION

Managing System Files

The switch’s flash memory supports three types of system files that can be
managed by the CLI program, Web interface, or SNMP. The switch’s file
system allows files to be uploaded and downloaded, copied, deleted, and
set as a start-up file.

The three types of files are:

• Configuration — This file stores system configuration information
and is created when configuration settings are saved. Saved
configuration files can be selected as a system start-up file or can be
uploaded via TFTP to a server for backup. A file named
“Factory_Default_Config.cfg” contains all the system default settings
and cannot be deleted from the system. See “Saving or Restoring
Configuration Settings” on page 3-24 for more information.

• Operation Code — System software that is executed after boot-up,
also known as run-time code. This code runs the switch operations and
provides the CLI and Web management interfaces. See “Managing
Firmware” on page 3-22 for more information.

• Diagnostic Code — Software that is run during system boot-up, also
known as POST (Power On Self-Test).

Due to the size limit of the flash memory, the switch supports only two
operation code files. However, you can have as many diagnostic code files
and configuration files as available flash memory space allows.

In the system flash memory, one file of each type must be set as the
start-up file. During a system boot, the diagnostic and operation code files
set as the start-up file are run, and then the start-up configuration file is
loaded.

2-12

M

ANAGING SYSTEM FILES

Note that configuration files should be downloaded using a file name that
reflects the contents or usage of the file settings. If you download directly
to the running-config, the system will reboot, and the settings will have to
be copied from the running-config to a permanent file.

2-13

I

NITIAL CONFIGURATION

2-14

C

HAPTER

C

ONFIGURING THE

S

WITCH

Using the Web Interface

This switch provides an embedded HTTP Web agent. Using a Web
browser you can configure the switch and view statistics to monitor
network activity. The Web agent can be accessed by any computer on the
network using a standard Web browser (Internet Explorer 5.0 or above, or
Netscape Navigator 6.2 or above).

Note: You can also use the Command Line Interface (CLI) to manage

the switch over a serial connection to the console port or via
Telnet. For more information on using the CLI, refer to Chapter 4
“Command Line Interface.”

Prior to accessing the switch from a Web browser, be sure you have first
performed the following tasks:

1. Configure the switch with a valid IP address, subnet mask, and default
gateway using an out-of-band serial connection, BOOTP or DHCP
protocol. (See “Setting an IP Address” on page 2-6.)

2. Set user names and passwords using an out-of-band serial connection.
Access to the Web agent is controlled by the same user names and
passwords as the onboard configuration program. (See “Setting
Passwords” on page 2-5.)

3. After you enter a user name and password, you will have access to the
system configuration program.

3

3-1

C

ONFIGURING THE SWITCH

Notes: 1. You are allowed three attempts to enter the correct password;

on the third failed attempt the current connection is
terminated.

2. If you log into the Web interface as guest (Normal Exec level),
you can view the configuration settings or change the guest
password. If you log in as “admin” (Privileged Exec level), you
can change the settings on any page.

3. If the path between your management station and this switch
does not pass through any device that uses the Spanning Tree
Algorithm, then you can set the switch port attached to your
management station to fast forwarding (i.e., enable Admin
Edge Port) to improve the switch’s response time to
management commands issued through the web interface. See
“Configuring Interface Settings” on page 3-130.

3-2

N

AVIGATING THE WEB BROWSER INTERFACE

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and
password. The administrator has Read/Write access to all configuration
parameters and statistics. The default user name and password for the
administrator is “admin.”

Home Page

When your web browser connects with the switch’s web agent, the home
page is displayed as shown below. The home page displays the Main Menu
on the left side of the screen and System Information on the right side.
The Main Menu links are used to navigate to other menus, and display
configuration parameters and statistics.

Figure 3-1. Homepage

3-3

C

ONFIGURING THE SWITCH

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a
configuration change has been made on a page, be sure to click on the
“Apply” or “Apply Changes” button to confirm the new setting. The
following table summarizes the web page configuration buttons.

Button Action

Revert Cancels specified values and restores current values

Refresh Immediately updates values for the current page.

Apply Sets specified values to the system.

Apply Changes Sets specified values to the system.

Notes: 1. To ensure proper screen refresh, be sure that Internet Explorer

5.x is configured as follows: Under the menu “Tools/Internet
Options/General/Temporary Internet Files/Settings,” the
setting for item “Check for newer versions of stored pages”
should be “Every visit to the page.”

2. When using Internet Explorer 5.0, you may have to manually
refresh the screen after making configuration changes by
pressing the browser’s refresh button.

Table 3-1. Configuration Options

prior to pressing “Apply” or “Apply Changes.”

Panel Display

The web agent displays an image of the switch’s ports. The Mode can be
set to display different information for the ports, including Active (i.e., up
or down), Duplex (i.e., half or full duplex, or Flow Control (i.e., with or
without flow control). Clicking on the image of a port opens the Port
Configuration page as described on page 3-84.

Figure 3-2. Panel Display

3-4

N

AVIGATING THE WEB BROWSER INTERFACE

Main Menu

Using the onboard web agent, you can define system parameters, manage
and control the switch, and all its ports, or monitor network conditions.
The following table briefly describes the selections available from this
program.

Table 3-2. Main Menu

Menu Description Page

System 3-12

System Information Provides basic system description, including

contact information

Switch Information Shows the number of ports, hardware/

firmware version numbers, and power
status

Bridge Extension Shows the bridge extension parameters 3-16

IP Configuration Sets the IP address for management access 3-17

File 3-22

Firmware Manages code image files 3-22

Configuration Manages switch configuration files 3-24

Reset Restarts the switch 3-26

SNTP 3-27

Configuration Configures SNTP client settings, including

broadcast mode or a specified list of servers

Clock Time Zone Sets the local time zone for the system clock 3-29

SNMP 3-30

Configuration Configures community strings and related

trap functions

Security 3-33

Passwords Assigns a new password for the current user 3-33

Authentication Settings Configures authentication sequence,

RADIUS and TACACS

HTTPS Settings Configures secure HTTP settings 3-38

3-12

3-14

3-27

3-30

3-34

3-5

C

ONFIGURING THE SWITCH

Menu Description Page

SSH 3-41

Settings Configures Secure Shell server settings 3-46

Host-Key Settings Generates the host key pair (public and

Port Security Configures per port security, including

802.1x Port authentication 3-104

Information Displays global configuration settings 3-52

Configuration Configures protocol parameters 3-55

Port Configuration Sets the authentication mode for individual

Statistics Displays protocol statistics for the selected

ACL 3-60

Configuration Configures packet filtering based on IP or

Mask Configuration Controls the order in which ACL rules are

Port Binding Binds a port to the specified ACL 3-76

IP Filter Sets IP addresses of clients allowed

Port 3-78

Port Information Displays port connection status 3-80

Trunk Information Displays trunk connection status 3-80

Port Configuration Configures port connection settings 3-84

Trunk Configuration Configures trunk connection settings 3-84

Trunk Membership Specifies ports to group into static trunks 3-88

Table 3-2. Main Menu

3-43

private)

3-48
status, response for security breach, and
maximum allowed MAC addresses

3-56
ports

3-58
port

3-60
MAC addresses

3-70
checked

3-78
management access

3-6

N

AVIGATING THE WEB BROWSER INTERFACE

Table 3-2. Main Menu

Menu Description Page

LACP 3-89

Configuration Allows ports to dynamically join trunks 3-89

Aggregation Port Configures system priority, admin key, and

port priority

Port Counters
Information

Port Internal
Information

Port Neighbors
Information

Port Broadcast Control Sets the broadcast storm threshold for each

Trunk Broadcast
Control

Mirror Port
Configuration

Rate Limit 3-104

Input
Port Configuration

Input
Trunk Configuration

Output
Port Configuration

Output
Trunk Configuration

Port Statistics Lists Ethernet and RMON port statistics 3-106

Address Table 3-112

Static Addresses Displays entries for interface, address or

Dynamic Addresses Displays or edits static entries in the

Displays statistics for LACP protocol
messages

Displays settings and operational state for
local side

Displays settings and operational state for
remote side

port

Sets the broadcast storm threshold for each
trunk

Sets the source and target ports for
mirroring

Sets the input rate limit for each port 3-104

Sets the input rate limit for each trunk 3-104

Sets the output rate limit for each port 3-104

Sets the output rate limit for each trunk 3-104

VLAN

Address Table

3-91

3-94

3-96

3-99

3-101

3-101

3-103

3-112

3-114

3-7

C

ONFIGURING THE SWITCH

Menu Description Page

Address Aging Sets timeout for dynamically learned entries 3-115

Spanning Tree 3-116

STA

Information Displays STA values used for the bridge 3-117

Configuration Configures global bridge settings for STA,

Port Information Displays individual port settings for STA 3-126

Trunk Information Displays individual trunk settings for STA 3-126

Port Configuration Configures individual port settings for STA 3-130

Trunk Configuration Configures individual trunk settings for

MSTP

VLAN Configuration Configures priority and VLANs for a

Port Information Displays port settings for a specified MST

Trunk Information Displays trunk settings for a specified MST

Port Configuration Configures port settings for a specified

Trunk Configuration Configures trunk settings for a specified

Table 3-2. Main Menu

3-121

RSTP and MSTP

3-130

STA

3-133

spanning tree instance

3-137

instance

3-137

instance

3-139

MST instance

3-139

MST instance

3-8

N

AVIGATING THE WEB BROWSER INTERFACE

Table 3-2. Main Menu

Menu Description Page

VLAN 3-141

802.1Q VLAN

GVRP Status Enables GVRP VLAN registration

protocol

Basic Information Displays information on the VLAN type

supported by this switch

Current Table Shows the current port members of each

VLAN and whether or not the port is
tagged or untagged

Static List Used to create or remove VLAN groups 3-149

Static Table Modifies the settings for an existing VLAN 3-151

Static Membership Configures membership type for interfaces,

including tagged, untagged or forbidden

Port Configuration Specifies default PVID and VLAN

attributes

Trunk Configuration Specifies default trunk VID and VLAN

attributes

Private VLAN

Status Enables or disables the private VLAN 3-158

Link Status Configures the private VLAN 3-159

Protocol VLAN

Configuration Creates a protocol group, specifying the

supported protocols

Port Configuration Maps a protocol group to a VLAN 3-161

Priority 3-163

Default Port Priority Sets the default priority for each port 3-163

Default Trunk Priority Sets the default priority for each trunk 3-163

Traffic Classes Maps IEEE 802.1p priority tags to output

queues

3-146

3-146

3-147

3-153

3-154

3-154

3-160

3-165

3-9

C

ONFIGURING THE SWITCH

Menu Description Page

Traffic Classes Status Enables/disables traffic class priorities (not

Queue Mode Sets queue mode to strict priority or

Queue Scheduling Configures Weighted Round Robin

IP Precedence/
DSCP Priority Status

IP Precedence Priority Sets IP Type of Service priority, mapping

IP DSCP Priority Sets IP Differentiated Services Code Point

IP Port Priority Status Globally enables or disables IP Port Priority 3-175

IP Port Priority Sets TCP/UDP port priority, defining the

ACL CoS Priority Sets the CoS value and corresponding

ACL Marker Change traffic priorities for frames

IGMP Snooping 3-181

IGMP Configuration Enables multicast filtering; configures

Multicast Router
Port Information

Static Multicast Router
Port Configuration

Table 3-2. Main Menu

implemented)

Weighted Round-Robin

queueing

Globally selects IP Precedence or DSCP
Priority, or disables both.

the precedence tag to a class-of-service
value

priority, mapping a DSCP tag to a
class-of-service value

socket number and associated
class-of-service value

output queue for packets matching an ACL
rule

matching an ACL rule

parameters for multicast query

Displays the ports that are attached to a
neighboring multicast router for each
VLAN ID

Assigns ports that are attached to a
neighboring multicast router

NA

3-167

3-168

3-170

3-171

3-173

3-175

3-177

3-178

3-182

3-185

3-186

3-10

N

AVIGATING THE WEB BROWSER INTERFACE

Table 3-2. Main Menu

Menu Description Page

IP Multicast Registration
Table

IGMP Member
Port Table

DNS

General Configuration Enables DNS; configures domain name and

Static Host Table Configures static entries for domain name

Cache Displays cache entries discovered by

Displays all multicast groups active on this
switch, including multicast IP addresses and
VLAN ID

Indicates multicast addresses associated
with the selected VLAN

domain list; and specifies IP address of
name servers for dynamic lookup

to address mapping

designated name servers

3-187

3-188

3-190

3-193

3-195

3-11

C

ONFIGURING THE SWITCH

Basic Configuration

Displaying System Information

You can easily identify the system by displaying the device name, location
and contact information.

Field Attributes

• System Name – Name assigned to the switch system.

• Object ID – MIB II object ID for switch’s network management
subsystem.

• Location – Specifies the system location.

• Contact – Administrator responsible for the system.

• System Up Time – Length of time the management agent has been
up.

These additional parameters are displayed for the CLI.

• MAC Address – The physical layer address for this switch.

• Web server – Shows if management access via HTTP is enabled.

• Web server port – Shows the TCP port number used by the web
interface.

• Web secure server – Shows if management access via HTTPS is
enabled.

• Web secure server port – Shows the TCP port used by the HTTPS
interface.

• POST result – Shows results of the power-on self-test

3-12

B

ASIC CONFIGURATION

Web – Click System, System Information. Specify the system name,
location, and contact information for the system administrator, then click
Apply. (This page also

includes a Telnet button that allows access to the

Command Line Interface via Telnet.)

Figure 3-3. System Information

CLI – Specify the hostname, location and contact information.

Console(config)#hostname R&D 5 3-34
Console(config)#snmp-server location WC 9 3-151
Console(config)#snmp-server contact Geoff 3-151
Console(config)#exit
Console#show system 3-82
System description: SMC Networks SMC8624T
System information
System Up time: 0 days, 2 hours, 3 minutes, and 47.49 seconds
System Name : R & D 5
System Location : WC 9
System Contact : Geoff
MAC address : 00-00-A3-42-00-80
Web server : enable
Web server port : 80
Web secure server : enable
Web secure server port : 443
POST result

DUMMY Test 1 ................. PASS

UART Loopback Test ........... PASS

DRAM Test .................... PASS

Timer Test ................... PASS

PCI Device 1 Test ............ PASS

Switch Int Loopback Test ..... PASS

Crossbar Int Loopback Test ... PASS
Done All Pass.
Console#

3-13

C

ONFIGURING THE SWITCH

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version
numbers for
power status of the system.

Field Attributes

Main Board

• Serial Number – The serial number of the switch.

• Number of Ports – Number of built-in RJ-45 ports and expansion
ports.

• Hardware Version – Hardware version of the main board.

• Internal Power Status – Displays the status of the internal power
supply.

• Redundant Power Status* – Displays the status of the redundant
power supply.

* CLI only.

Management Software

• Loader Version – Version number of loader code.

• Boot-ROM Version – Version of Power-On Self-Test (POST) and
boot code.

• Operation Code Version – Version number of runtime code.

• Role – Shows that this switch is operating as Master (i.e., operating
stand-alone).

the main board and management software, as well as the

3-14

B

ASIC CONFIGURATION

Web – Click System, Switch Information.

Figure 3-4. Switch Information

CLI – Use the following command to display version information.

Console#show version 3-83
Unit1
Serial number :
Hardware version :
Number of ports :48
Main power status :up
Redundant power status :not present
Agent(master)
Unit id :1
Loader version :1.0.0.1
Boot rom version :1.0.0.1
Operation code version :1.1.0.4
Console#

3-15

C

ONFIGURING THE SWITCH

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support
Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these
extensions to display default settings for the key variables.

Field Attributes

• Extended Multicast Filtering Services – This switch does not
support the filtering of individual multicast addresses based on GMRP
(GARP Multicast Registration Protocol).

• Traffic Classes – This switch provides mapping of user priorities to
multiple traffic classes. (Refer to “Class of Service Configuration” on
page 3-163.)

• Static Entry Individual Port – This switch allows static filtering for
unicast and multicast addresses. (Refer to “Setting Static Addresses”
on page 3-112.)

• VLAN Learning – This switch uses Independent VLAN Learning
(IVL), where each port maintains its own filtering database.

• Configurable PVID Tagging – This switch allows you to override
the default Port VLAN ID (PVID used in frame tags) and egress status
(VLAN-Tagged or Untagged) on each port. (Refer to “VLAN
Configuration” on page 3-141.)

• Local VLAN Capable – This switch supports multiple local bridges;
i.e., multiple spanning trees. (Refer to “Configuring Multiple Spanning
Trees” on page 3-133.)

• GMRP – GARP Multicast Registration Protocol (GMRP) allows
network devices to register endstations with multicast groups. This
switch does not support GMRP; it uses the Internet Group
Management Protocol (IGMP) to provide automatic multicast
filtering.

3-16

B

ASIC CONFIGURATION

Web – Click System, Bridge Extension.

Figure 3-5. Bridge Extension Configuration

CLI – Enter the following command.

Console#show bridge-ext 3-251
Max support vlan numbers: 255
Max support vlan ID: 4094
Extended multicast filtering services: No
Static entry individual port: Yes
VLAN learning: IVL
Configurable PVID tagging: Yes
Local VLAN capable: Yes
Traffic classes: Enabled
Global GVRP status: Disabled
GMRP: Disabled
Console#

Setting the Switch’s IP Address

This section describes how to configure an IP interface for management
access over the network. The IP address for this switch is unassigned by
default. To manually configure an address, you need to change the switch’s
default settings (IP address 0.0.0.0 and netmask 255.0.0.0) to values that
are compatible with your network. You may also need to a establish a
default gateway between the switch and management stations that exist on
another network segment.

3-17

C

ONFIGURING THE SWITCH

You can manually configure a specific IP address, or direct the device to
obtain an address from a BOOTP or DHCP server. Valid IP addresses
consist of four decimal numbers, 0 to 255, separated by periods. Anything
outside this format will not be accepted by the CLI program.

Command Attributes

• Management VLAN – ID of the configured VLAN (1-4094, no

leading zeroes). By default, all ports on the switch are members of
VLAN 1. However, the management station can be attached to a port
belonging to any VLAN, as long as that VLAN has been assigned an
IP address.

• IP Address Mode – Specifies whether IP functionality is enabled via
manual configuration (Static), Dynamic Host Configuration Protocol
(DHCP), or Boot Protocol (BOOTP). If DHCP/BOOTP is enabled,
IP will not function until a reply has been received from the server.
Requests will be broadcast periodically by the switch for an IP address.
(DHCP/BOOTP values can include the IP address, subnet mask, and
default gateway.)

• IP Address – Address of the VLAN interface that is allowed
management access. Valid IP addresses consist of four numbers, 0 to
255, separated by periods. (Default: 0.0.0.0)

• Subnet Mask – This mask identifies the host address bits used for
routing to specific subnets. (Default: 255.0.0.0)

• Default Gateway – IP address of the gateway router between this
device and management stations that exist on other network segments.
(Default: 0.0.0.0)

• MAC Address – The physical layer address for this switch.

3-18

B

ASIC CONFIGURATION

Manual Configuration

Web – Click System, IP Configuration. Select the VLAN through which

the management station is attached, set the IP Address Mode to “Static,”
enter the IP address, subnet mask and gateway, then click Apply.

Figure 3-6. Manual IP Configuration

CLI – Specify the management interface, IP address and default gateway.

Console#config
Console(config)#interface vlan 1 3-168
Console(config-if)#ip address 10.1.0.254 255.255.255.0 3-285
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254 3-286
Console(config)#

3-19

C

ONFIGURING THE SWITCH

Using DHCP/BOOTP

If your network provides DHCP/BOOTP services, you can configure the
switch to be dynamically configured by these services.

Web – Click System, IP Configuration. Specify the VLAN to which the
management station is attached, set the IP Address Mode to DHCP or
BOOTP. Click Apply to save your changes. Then click Restart DHCP to
immediately request a new address. Note that the switch will also broadcast
a request for IP configuration settings on each power reset.

Figure 3-7. DHCP IP Configuration

Note: If you lose your management connection, use a console

connection and enter “show ip interface” to determine the new
switch address.

3-20

B

ASIC CONFIGURATION

CLI – Specify the management interface, and set the IP address mode to
DHCP or BOOTP, and then enter the “ip dhcp restart client” command.

Console#config
Console(config)#interface vlan 1 3-168
Console(config-if)#ip address dhcp 3-285
Console(config-if)#end
Console#ip dhcp restart 3-286
Console#show ip interface 3-288
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#

Renewing DCHP – DHCP may lease addresses to clients indefinitely or
for a specific period of time. If the address expires or the switch is moved
to another network segment, you will lose management access to the
switch. In this case, you can reboot the switch or submit a client request to
restart DHCP service via the CLI.

Web – If the address assigned by DHCP is no longer functioning, you will
not be able to renew the IP settings via the web interface. You can only
restart DHCP service via the web interface if the current address is still
available.

CLI – Enter the following command to restart DHCP service.

Console#ip dhcp restart 3-286
Console#

3-21

C

ONFIGURING THE SWITCH

Managing Firmware

You can upload/download firmware to or from a TFTP server. By saving
runtime code to a file on a TFTP server, that file can later be downloaded
to the switch to restore operation. You can also set the switch to use new
firmware without overwriting the previous version.

Note: Runtime code can also be upgraded by using Batch Upgrade.

Batch Upgrade can discover switches on local, or other networks.
After discovering the switches, Batch Upgrade can then be set to
automatically upgrade the runtime code on all discovered switches.
Batch Upgrade is provided in the Batch Upgrade folder in the CD
provided with this switch. For details see the Batch Upgrade
document in this Batch Upgrade folder.

Command Attributes

• TFTP Server IP Address – The IP address of a TFTP server.

• File Name –
leading letter of the file name should not be a period (.), and the
maximum length for file names on the TFTP server is 127 characters
or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9,
“.”, “-”, “_”)

The file name should not contain slashes (\ or /),

the

Note: Up to two copies of the system software (i.e., the runtime

firmware) can be stored in the file directory on the switch. The
currently designated startup version of this file cannot be deleted.

Downloading System Software from a Server

When downloading runtime code, you can specify the destination file
name to replace the current image, or first download the file using a
different name from the current runtime code file, and then set the new
file as the startup file.

3-22

B

ASIC CONFIGURATION

Web – Click System, File, Firmware. Enter the IP address of the TFTP
server, enter the file name of the software to download, select a file on the
switch to overwrite or specify a new file name, then click Transfer from
Server. To start the new firmware, reboot the system via the System/Reset
menu.

Figure 3-8. Operation Code Image File Transfer

If you download to a new destination file, then select the file from the
drop-down box for the operation code used at startup, and click Apply
Changes. To start the new firmware, reboot the system via the System/
Reset menu.

Figure 3-9. Select Start-Up Operation File

3-23

C

ONFIGURING THE SWITCH

CLI – Enter the IP address of the TFTP server, select “config” or
“opcode” file type, then enter the source and destination file names, set the
new file to start up the system, and then restart the switch.

.

Console#copy tftp file 3-86
TFTP server ip address: 10.1.0.19
Choose file type:

1. config: 2. opcode: <1-2>: 2
Source file name: v1000-18.bix
Destination file name: V1.0
\Write to FLASH Programming.

-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode:V1.0 3-92
Console(config)#exit
Console#reload 3-29

Saving or Restoring Configuration Settings

You can upload/download configuration settings to/from a TFTP server.
The configuration file can be later downloaded to restore the switch’s
settings.

Command Attributes

• TFTP Server IP Address – The IP address of a TFTP server.

•

File Name

(\ or /),
and the maximum length for file names on the TFTP server is 127
characters or 31 characters for files on the switch. (Valid characters:
A-Z, a-z, 0-9, “.”, “-”, “_”)

Note: The maximum number of user-defined configuration files is

limited only by available flash memory space.

— The configuration file name should not contain slashes

the leading letter of the file name should not be a period (.),

3-24

B

ASIC CONFIGURATION

Downloading Configuration Settings from a Server

You can download the configuration file under a new file name and then
set it as the startup file, or you can specify the current startup
configuration file as the destination file to directly replace it. Note that the
file “Factory_Default_Config.cfg” can be copied to the TFTP server, but
cannot be used as the destination on the switch.

Web – Click System, File, Configuration. Enter the IP address of the
TFTP server, enter the name of the file to download, select a file on the
switch to overwrite or specify a new file name, and then click Transfer
from Server.

Figure 3-10. Downloading Configuration Settings from a Server

If you download to a new file name, then select the new file from the
drop-down box for Startup Configuration File, and press Apply Changes.
To use the new settings, reboot the system via the System/Reset menu.

Figure 3-11. Selecting the Startup Configuration File

CLI – Enter the IP address of the TFTP server, specify the source file on

the server, set the startup file name on the switch, and then restart the
switch

3-25

C

ONFIGURING THE SWITCH

.

Console#copy tftp startup-config 3-86
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.

-Write to FLASH finish.
Success.

Console#reload

If you download the startup configuration file under a new file name, you
can set this file as the startup file at a later time, and then restart the switch.

Console#config
Console(config)#boot system config: startup-new 3-92
Console(config)#exit
Console#reload 3-29

Resetting the System

Web – Click System, Reset. Click the Reset button to restart the switch.

Figure 3-12. Resetting the System

CLI – Use the reload command to restart the switch.

Console#reload 3-29
System will be restarted, continue <y/n>?

Note: When restarting the system, it will always run the Power-On

Self-Test.

3-26

B

ASIC CONFIGURATION

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal
clock based on periodic updates from a time server (SNTP or NTP).
Maintaining an accurate time on the switch enables the system log to
record meaningful dates and times for event entries. You can also manually
set the clock using the CLI. (See “calendar set” on page 4-76.) If the clock
is not set, the switch will only record the time from the factory default set
at the last bootup.

This switch acts as an SNTP client in two modes:

Unicast – The switch periodically sends a request for a time update to a
configured time server. You can configure up to three time server IP
addresses. The switch will attempt to poll each server in the configured
sequence.

Broadcast – The switch sets its clock from a time server in the same subnet
that broadcasts time updates. If there is more than one SNTP server, the
switch accepts the first broadcast it detects and ignores broadcasts from
other servers.

Configuring SNTP

You can configure the switch to send time synchronization requests to
specific time servers (i.e., client mode), update its clock based on
broadcasts from time servers, or use both methods. When both methods
are enabled, the switch will update its clock using information broadcast
from time servers, but will query the specified server(s) if a broadcast is
not received within the polling interval.

3-27

C

ONFIGURING THE SWITCH

Command Attributes

• SNTP Client – Configures the switch to operate as an SNTP unicast
client. This mode requires at least one time server to be specified in the
SNTP Server field.

• SNTP Broadcast Client – Configures the switch to operate as an
SNTP broadcast client. This mode requires no other configuration
settings; the switch will obtain time updates from time server
broadcasts (using the multicast address 224.0.1.1).

• SNTP Poll Interval – Sets the interval between sending requests for
a time update from a time server when set to SNTP Client mode.
(Range: 16-16284 seconds; Default: 16 seconds)

• SNTP Server – In unicast mode, sets the IP address for up to three
time servers. The switch attempts to update the time from the first
server, if this fails it attempts an update from the next server in the
sequence.

Web – Select SNTP, Configuration. Modify any of the required
parameters, and click Apply.

Figure 3-13. SNTP Configuration

CLI – This example configures the switch to operate as an SNTP

broadcast client.

Console(config)#sntp client 3-73
Console(config)#sntp poll 16 3-72
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.23-71
Console(config)#sntp broadcast client 3-74
Console(config)#

3-28

B

ASIC CONFIGURATION

Setting the Time Zone

SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich
Mean Time, or GMT) based on the time at the Earth’s prime meridian,
zero degrees longitude. To display a time corresponding to your local time,
you must indicate the number of hours and minutes your time zone is east
(before) or west (after) of UTC.

Command Attributes

•Current Time – Displays the current time.

• Name – Assigns a name to the time zone.

• Hours (0-12) – The number of hours before/after UTC.

• Minutes (0-59) – The number of minutes before/after UTC.

• Direction – Configures the time zone to be before (east) or after
(west) UTC.

Web – Select SNTP, Clock Time Zone. Set the offset for your time zone
relative to the UTC, and click Apply.

Figure 3-14. Setting the Time Zone

CLI - This example shows how to set the time zone for the system clock.

Console(config)#clock timezone Dhaka hours 6 minute 0 after-UTC 3-75
Console#

3-29

C

ONFIGURING THE SWITCH

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a communication
protocol designed specifically for managing devices on a network.
Equipment commonly managed with SNMP includes switches, routers
and host computers. SNMP is typically used to configure these devices for
proper operation in a network environment, as well as to monitor them to
evaluate performance or detect potential problems.

The switch includes an onboard SNMP agent that continuously monitors
the status of its hardware, as well as the traffic passing through its ports. A
network management station can access this information using software
such as SMC EliteView or HP OpenView. Access rights to the onboard
agent are controlled by community strings. To communicate with the
switch, the management station must first submit a valid community string
for authentication. The options for configuring community strings, trap
functions, and restricting access to clients with specified IP addresses are
described in the following sections.

Setting Community Access Strings

You may configure up to five community strings authorized for
management access. All community strings used for IP Trap Managers
should be listed in this table. For security reasons, you should consider
removing the default strings.

Command Attributes

• SNMP Community Capability – Indicates that the switch supports
up to five community strings.

• Community String – A community string that acts like a password
and permits access to the SNMP protocol.

Default strings: “public” (read-only access), “private” (read/write
access)

Range: 1-32 characters, case sensitive

3-30

S

IMPLE NETWORK MANAGEMENT PROTOCOL

• Access Mode

- Read-Only – Specifies read-only access. Authorized management
stations are only able to retrieve MIB objects.

- Read/Write – Specifies read-write access. Authorized management
stations are able to both retrieve and modify MIB objects.

Web – Click SNMP, Configuration. Add new community strings as
required, select the access rights from the Access Mode drop-down list,
then click Add.

Figure 3-15. Setting Community Access Strings

CLI – The following example adds the string “spiderman” with read/write

access.

Console(config)#snmp-server community spiderman rw 3-150
Console(config)#

Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap
managers. You must specify trap managers so that key events are reported
by this switch to your management station (using network management
platforms such as SMC EliteView or HP OpenView). You can specify up
to five management stations that will receive authentication failure
messages and other trap messages from the switch.

3-31

C

ONFIGURING THE SWITCH

Command Attributes

• Trap Manager Capability – This switch supports up to five trap
managers.

• Trap Manager IP Address – Internet address of the host (the
targeted recipient).

• Trap Manager Community String – Community string sent with the
notification operation. (Range: 1-32 characters, case sensitive)

• Trap Version – Specifies whether to send notifications as SNMP v1
or v2c traps. (The default is version 1.)

• Enable Authentication Traps – Issues a trap message whenever an
invalid community string is submitted during the SNMP access
authentication process. (The default is enabled.)

• Enable Link-up and Link-down Traps – Issues link-up or
link-down traps. (The default is enabled.)

Web – Click SNMP, Configuration. Fill in the IP address and community
string for each trap manager that will receive these messages, specify the
SNMP version, mark the trap types required, and then click Add.

Figure 3-16. Specifying Trap Managers and Trap Types

CLI – This example adds a trap manager and enables both authentication

and link-up, link-down traps.

Console(config)#snmp-server host 192.168.1.19 private version 2c3-152
Console(config)#snmp-server enable traps 3-154

3-32

U

SER AUTHENTICATION

User Authentication

You can restrict management access to this switch using the following
options:

• Passwords – Manually configure access rights on the switch for
specified users.

• Authentication Settings – Use remote authentication to configure
access rights.

• HTTPS Settings – Provide a secure web connection.

• SSH Settings – Provide a secure shell (for secure Telnet access).

• Port Security – Configure secure addresses for individual ports.

• 802.1x – Use IEEE 802.1x port authentication to control access to
specific ports.

Configuring the Logon Password

The guest only has read access for most configuration parameters.
However, the administrator has write access for all parameters governing
the onboard agent. You should therefore assign a new administrator
password as soon as possible, and store it in a safe place.

The default guest name is “guest” with the password “guest.” The default
administrator name is “admin” with the password “admin.” Note that user
names can only be assigned via the CLI.

Command Attributes

• User Name* – The name of the user.
(Maximum length: 8 characters)

• Access Level* – Specifies the user level.
(Options: Normal and Privileged)

• Password – Specifies the user password.
(Range: 0-8 characters plain text, case sensitive)

* CLI only.

3-33

C

ONFIGURING THE SWITCH

Web – Click Security, Passwords. To change the password for the current
user, enter the old password, the new password, confirm it by entering it
again, then click Apply.

Figure 3-17. Configuring the Logon Password

CLI – Assign a user name to access-level 15 (i.e., administrator), then

specify the password.

Console(config)#username bob access-level 15 3-35
Console(config)#username bob password 0 smith
Console(config)#

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict management access based
on specified user names and passwords. You can manually configure access
rights on the switch, or you can use a remote access authentication server
based on RADIUS or TACACS+ protocols.

3-34

Web
Telnet

RADIUS/
TACACS+
server

console

1. Client attempts management access.

2. Switch contacts authentication server.

3. Authentication server challenges client.

4. Client responds with proper password or key.

5. Authentication server approves access.

6. Switch grants management access.

U

SER AUTHENTICATION

Remote Authentication Dial-in User Service (RADIUS) and Terminal
Access Controller Access Control System Plus (TACACS+) are logon
authentication protocols that use software running on a central server to
control access to RADIUS-aware or TACACS -aware devices on the
network. An authentication server contains a database of multiple user
name/password pairs with associated privilege levels for each user that
requires management access to the switch.

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best
effort delivery, while TCP offers a connection-oriented transport. Also,
note that RADIUS encrypts only the password in the access-request
packet from the client to the server, while TACACS+ encrypts the entire
body of the packet.

Command Usage

• By default, management access is always checked against the
authentication database stored on the local switch. If a remote
authentication server is used, you must specify the authentication
sequence and the corresponding parameters for the remote
authentication protocol. Local and remote logon authentication
control management access via the console port, web browser, or
Telnet.

• RADIUS and TACACS+ logon authentication assign a specific
privilege level for each user name/password pair. The user name,
password, and privilege level must be configured on the authentication
server.

• You can specify up to three authentication methods for any user to
indicate the authentication sequence. For example, if you select (1)
RADIUS, (2) TACACS and (3) Local, the user name and password on
the RADIUS server is verified first. If the RADIUS server is not
available, then authentication is attempted using the TACACS+ server,
and finally the local user name and password is checked.

3-35

C

ONFIGURING THE SWITCH

Command Attributes

• Authentication – Select the authentication, or authentication
sequence required:

- Local – User authentication is performed only locally by the

switch.

- Radius – User authentication is performed using a RADIUS server

only.

- TACACS – User authentication is performed using a TACACS+

server only.

- [authentication sequence] – User authentication is performed by up

to three authentication methods in the indicated sequence.

• RADIUS Settings

- Server IP Address – Address of authentication server.

(Default: 10.1.0.1)

- Server Port Number – Network (UDP) port of authentication

server used for authentication messages.
(Range: 1-65535; Default: 1812)

- Secret Text String – Encryption key used to authenticate logon

access for client. Do not use blank spaces in the string.
(Maximum length: 20 characters)

- Number of Server Transmits – Number of times the switch tries

to authenticate logon access via the authentication server. (Range:
1-30; Default: 2)

- Timeout for a reply – The number of seconds the switch waits for

a reply from the RADIUS server before it resends the request.
(Range: 1-65535; Default: 5)

3-36

U

SER AUTHENTICATION

• TACACS Settings

- Server IP Address – Address of the TACACS+ server.
(Default: 10.11.12.13)

- Server Port Number – Network (TCP) port of TACACS+ server
used for authentication messages.
(Range: 1-65535; Default: 49)

- Secret Text String – Encryption key used to authenticate logon
access for client. Do not use blank spaces in the string.
(Maximum length: 20 characters)

Note: The local switch user database has to be set up by manually

entering user names and passwords using the CLI.
(See “username” on page 4-35.)

Web – Click Security, Authentication Settings. To configure local or
remote authentication preferences, specify the authentication sequence
(i.e., one to three methods), fill in the parameters for RADIUS or
TACACS+ authentication if selected, and click Apply.

Figure 3-18. Setting Local, RADIUS and TACACS Authentication

3-37

C

ONFIGURING THE SWITCH

CLI – Specify all the required parameters to enable logon authentication.

Console(config)#authentication login radius 3-94
Console(config)#radius-server host 192.168.1.25 3-95
Console(config)#radius-server port 181 3-96
Console(config)#radius-server key green 3-97
Console(config)#radius-server retransmit 5 3-97
Console(config)#radius-server timeout 10 3-98
Console#show radius-server 3-98
Server IP address: 192.168.1.25
Communication key with radius server:
Server port number: 181
Retransmit times: 5
Request timeout: 10
Console(config)#authentication login tacacs 3-94
Console(config)#tacacs-server host 10.20.30.40 3-99
Console(config)#tacacs-server port 200 3-100
Console(config)#tacacs-server key green 3-101
Console#show tacacs-server 3-101
Server IP address: 10.20.30.40
Communication key with tacacs server: green
Server port number: 200
Console(config)#

Configuring HTTPS

You can configure the switch to enable the Secure Hypertext Transfer
Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure
access (i.e., an encrypted connection) to the switch’s web interface.

Command Usage

• Both the HTTP and HTTPS service can be enabled independently on
the switch. However, you cannot configure both services to use the
same UDP port.

• If you enable HTTPS, you must indicate this in the URL that you
specify in your browser: https://device[:port_number]

• When you start HTTPS, the connection is established in this way:

- The client authenticates the server using the server’s digital

certificate.

- The client and server negotiate a set of security protocols to use for

the connection.

- The client and server generate session keys for encrypting and

decrypting data.

3-38

U

SER AUTHENTICATION

• The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer

5.x or above and Netscape Navigator 4.x or above.

• The following web browsers and operating systems currently support
HTTPS:

Table 3-3. HTTPS Support

Web Browser Operating System

Internet Explorer 5.0 or later Windows 98,Windows NT (with

service pack 6a), Windows 2000,
Windows XP

Netscape Navigator 4.76 or later Windows 98,Windows NT (with

service pack 6a), Windows 2000,
Windows XP, Solaris 2.6

• To specify a secure-site certificate, see “Replacing the Default
Secure-site Certificate” on page 3-40.

Command Attributes

• HTTPS Status – Allows you to enable/disable the HTTPS server
feature on the switch.

•

Change HTTPS Port Number – Specifies the UDP port number
used for HTTPS/SSL connection to the switch’s web interface.
(Default: Port 443)

(Default: Enabled)

Web – Click Security, HTTPS Settings. Enable HTTPS and specify the
port number, then click Apply.

Figure 3-19. HTTPS Settings

3-39

C

ONFIGURING THE SWITCH

CLI – This example enables the HTTP secure server and modifies the
port number.

Console(config)#ip http secure-server 3-42
Console(config)#ip http secure-port 441 3-44
Console(config)#

Replacing the Default Secure-site Certificate

When you log onto the web interface using HTTPS (for secure access), a
Secure Sockets Layer (SSL) certificate appears for the switch. By default,
the certificate that Netscape and Internet Explorer display will be
associated with a warning that the site is not recognized as a secure site.
This is because the certificate has not been signed by an approved
certification authority. If you want this warning to be replaced by a
message confirming that the connection to the switch is secure, you must
obtain a unique certificate and a private key and password from a
recognized certification authority.

Caution: For maximum security, we recommend you obtain a unique

Secure Sockets Layer certificate at the earliest opportunity.
This is because the default certificate for the switch is not
unique to the hardware you have purchased.

When you have obtained these, place them on your TFTP server, and use
the following command at the switch's command-line interface to replace
the default (unrecognized) certificate with an authorized one:

Console#copy tftp https-certificate 3-86
TFTP server ip address: <server ip-address>
Source certificate file name: <certificate file name>
Source private file name: <private key file name>
Private password: <password for private key>

Note: The switch must be reset for the new certificate to be activated. To

reset the switch, type:

Console#reload

3-40

U

SER AUTHENTICATION

Configuring the Secure Shell

The Berkley-standard includes remote access tools originally designed for
Unix systems. Some of these tools have also been implemented for
Microsoft Windows and other environments. These tools, including
commands such as rlogin (remote login), rsh (remote shell), and rcp (remote
copy), are not secure from hostile attacks.

The Secure Shell (SSH) includes server/client applications intended as a
secure replacement for the older Berkley remote access tools. SSH can also
provide remote management access to this switch as a secure replacement
for Telnet. When the client contacts the switch via the SSH protocol, the
switch generates a public-key that the client uses along with a local user
name and password for access authentication. SSH also encrypts all data
transfers passing between the switch and SSH-enabled management
station clients, and ensures that data traveling over the network arrives
unaltered.

Notes: 1. Note that you need to install an SSH client on the management

station to access the switch for management via the SSH
protocol.

2. The switch supports both SSH Version 1.5 and 2.0.

Command Usage

The SSH server on this switch supports both password and public key
authentication. If password authentication is specified by the SSH client,
then the password can be authenticated either locally or via a RADIUS or
TACACS+ remote authentication server, as specified on the
Authentication Settings page (page 3-34). If public key authentication is
specified by the client, then you must configure authentication keys on
both the client and the switch as described in the following section. Note
that regardless of whether you use public key or password authentication,
you still have to generate authentication keys on the switch (SSH Host Key
Settings) and enable the SSH server (Authentication Settings).

3-41

C

ONFIGURING THE SWITCH

To use the SSH server, complete these steps:

1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a
host public/private key pair.

2. Provide Host Public Key to Clients – Many SSH client programs
automatically import the host public key during the initial connection
setup with the switch. Otherwise, you need to manually create a known
hosts file on the management station and place the host public key in it.
An entry for a public key in the known hosts file would appear similar
to the following example:

10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254

15020245593199868544358361651999923329781766065830956 10825913212890233

76546801726272571413428762941301196195566782 59566410486957427888146206

51941746772984865468615717739390164779355942303577413098022737087794545240839

71752646358058176716709574804776117

3. Import Client’s Public Key to the Switch – Use the copy tftp public-key
command (page 4-86) to copy a file containing the public key for all the
SSH client’s granted management access to the switch. (Note that these
clients must be configured locally on the switch via the User Accounts
page as described on page 3-33) The clients are subsequently
authenticated using these keys. The current firmware only accepts
public key files based on standard UNIX format as shown in the
following example:

1024 35 1341081685609893921040944920155425347631641921872958921143173880

05553616163105177594083868631109291232226828519254374603100937187721199696317

81366277414168985132049117204830339254324101637997592371449011938006090253948

40848271781943722884025331159521348610229029789827213532671316294325328189150

45306393916643 steve@192.168.1.19

4. Set the Optional Parameters – On the SSH Settings page, configure the
optional parameters, including the authentication timeout, the number
of retries, and the server key size.

5. Enable SSH Service – On the SSH Settings page, enable the SSH server
on the switch.

3-42

U

SER AUTHENTICATION

6. Challenge-Response Authentication – When an SSH client attempts to
contact the switch, the SSH server uses the host key pair to negotiate a
session key and encryption method. Only clients that have a private key
corresponding to the public keys stored on the switch can access. The
following exchanges take place during this process:

a. The client sends its public key to the switch.
b. The switch compares the client's public key to those stored in

memory.

c. If a match is found, the switch uses the public key to encrypt a

random sequence of bytes, and sends this string to the client.

d. The client uses its private key to decrypt the bytes, and sends the

decrypted bytes back to the switch.

e. The switch compares the decrypted bytes to the original bytes it

sent. If the two sets match, this means that the client's private key
corresponds to an authorized public key, and the client is
authenticated.

Notes: 1. To use SSH with only password authentication, the host public

key must still be given to the client, either during initial
connection or manually entered into the known host file.
However, you do not need to configure the client’s keys.

2. The SSH server supports up to four client sessions. The
maximum number of client sessions includes both current
Telnet sessions and SSH sessions.

Generating the Host Key Pair

A host public/private key pair is used to provide secure communications
between an SSH client and the switch. After generating this key pair, you
must provide the host public key to SSH clients and import the client’s
public key to the switch as described in the proceeding section (Command
Usage).

3-43

C

ONFIGURING THE SWITCH

Field Attributes

• Public-Key of Host-Key – The public key for the host.

- RSA: The first field indicates the size of the host key (e.g., 1024), the
second field is the encoded public exponent (e.g., 65537), and the
last string is the encoded modulus.

- DSA: The first field indicates that the encryption method used by
SSH is based on the Digital Signature Standard (DSS). The last string
is the encoded modulus.

• Host-Key Type – The key type used to generate the host key pair (i.e.,
public and private keys). (Range: RSA, DSA, Both: Default: RSA)

The SSH server uses RSA or DSA for key exchange when the client
first establishes a connection with the switch, and then negotiates with
the client to select either DES (56-bit) or 3DES (168-bit) for data
encryption.

• Save Host-Key from Memory to Flash – Saves the host key from
RAM (i.e., volatile memory to flash memory. Otherwise, the host key
pair is stored to RAM by default. Note that you must select this item
prior to generating the host-key pair.

• Generate – This button is used to ge nerate the h ost key pair. N ote that
you must first generate the host key pair before you can enable the SSH
server on the SSH Server Settings page.

3-44

U

SER AUTHENTICATION

Web – Click Security, SSH, Host-Key Settings. Select the host-key type
from the drop-down box, select the option to save the host key from
memory to flash (if required) prior to generating the key, and then click
Generate.

Figure 3-20. SSH Host-Key Settings

3-45

C

ONFIGURING THE SWITCH

CLI – This example generates a host-key pair using both the RSA and

algorithms, stores the keys to flash memory, and then displays the

DSA
host’s public keys.

Console#ip ssh crypto host-key generate 3-48
Console#ip ssh save host-key 3-48
Console#show public-key host 3-48
Host:
RSA:
1024 65537
127250922544926402131336514546131189679055192360076028653006761
8240969094744832010252487896597759216832222558465238779154647980739
6314033869257931051057652122430528078658854857892726029378660892368
4142327591212760325919683697053439336438445223335188287173896894511
729290510813919642025190932104328579045764891
DSA:
ssh-dss AAAAB3NzaC1kc3MAAACBAN6zwIqCqDb3869jYVXlME1sHL0EcE/
Re6hlasfEthIwmjhLY4O0jqJZpcEQUgCfYlum0Y2uoLka+Py9ieGWQ8f2gobUZKIICu
Kg6vjO9XTs7XKc05xfzkBiKviDa+2OrIz6UK+6vFOgvUDFedlnixYTVo+h5v8r0ea2r
pnO6DkZAAAAFQCNZn/x17dwpW8RrV DQnSWw4Qk+6QAAAIEAptkGeB6B5hwagH4g
UOCY6i1TmrmSiJgfwO9OqRPUMbCAkCC+uzxatOo7drnIZypMx+Sx5RUdMGgKS+9ywsa
1cWqHeFY5ilc3lDCNBueeLykZzVS+RS+azTKIk/zrJh8GLG Nq375R55yRxFvmcGIn
Q7IphPqyJ3o9MK8LFDfmJEAAACAL8A6tESiswP2OFqX7VGoEbzVDSOI RTMFy
3iUXtvGyQAOVSy67Mfc3lMtgqPRUOYXDiwIBp5NXgilCg5z7VqbmRm28mWc5a//
f8TUAg PNWKV6W0hqmshQdotVzDR1e+XKNTZj0uTwWfjO5Kytdn4MdoTHgrbl/
DMdAfjnte8MZZs=

Console#

Configuring the SSH Server

The SSH server includes basic settings for authentication.

Field Attributes

• SSH Server Status – Allows you to enable/disable the SSH server on
the switch.

(Default: Enabled)

• Version – The Secure Shell version number. Version 2.0 is displayed,
but the switch supports management access via either SSH Version 1.5
or 2.0 clients.

• SSH Authentication Timeout – Specifies the time interval in
seconds that the SSH server waits for a response from a client during
an authentication attempt.
(Range: 1 to 120 seconds; Default: 120 seconds)

3-46

U

SER AUTHENTICATION

• SSH Authentication Retries – Specifies the number of
authentication attempts that a client is allowed before authentication
fails and the client has to restart the authentication process.
(Range: 1-5 times; Default: 3)

• SSH Server-Key Size – Specifies the SSH server key size.
(Range: 512-896 bits)

- The server key is a private key that is never shared outside the switch.

- The host key is shared with the SSH client, and is fixed at 1024 bits.

Web – Click Security, SSH, Settings. Enable SSH and adjust the
authentication parameters as required, then click Apply. Note that you
must first generate the host key pair on the SSH Host-Key Settings page
before you can enable the SSH server.

Figure 3-21. SSH Server Settings

3-47

C

ONFIGURING THE SWITCH

CLI – This example enables SSH, sets the authentication parameters, and
displays the current configuration. It shows that the administrator has
made a connection via SHH, and then disables this connection.

Console(config)#ip ssh server 3-48
Console(config)#ip ssh timeout 100 3-49
Console(config)#ip ssh authentication-retries 5 3-50
Console(config)#ip ssh server-key size 512 3-51
Console(config)#end
Console#show ip ssh 3-54
SSH Enabled - version 2.0
Negotiation timeout: 120 secs; Authentication retries: 3
Server key size: 768 bits
Console#show ssh 3-55
Information of secure shell
Session Username Version Encrypt method Negotiation state

------- -------- ------- -------------- ----------------­ 0 admin 2.0 cipher-3des session-started
Console#disconnect 0 3-24
Console#

Configuring Port Security

Port security is a feature that allows you to configure a switch port with
one or more device MAC addresses that are authorized to access the
network through that port.

When port security is enabled on a port, the switch stops learning new
MAC addresses on the specified port. Only incoming traffic with source
addresses already stored in the dynamic or static address table will be
accepted as authorized to access the network through that port. If a device
with an unauthorized MAC address attempts to use the switch port, the
intrusion will be detected and the switch can automatically take action by
disabling the port and sending a trap message.

To use port security, first allow the switch to dynamically learn the
<source MAC address, VLAN> pair for frames received on a port for an
initial training period, and then enable port security to stop address
learning. Be sure you enable the learning function long enough to ensure
that all valid VLAN members have been registered on the selected port.
Note that you can also restrict the maximum number of addresses that can
be learned by a port.

3-48

U

SER AUTHENTICATION

To add new VLAN members at a later time, you can manually add secure
addresses with the Static Address Table (page 3-112), or turn off port
security to reenable the learning function long enough for new VLAN
members
for security.

to be registered. Learning may then be disabled again, if desired,

Command Usage

• A secure port has the following restrictions:

- Cannot use port monitoring.

- Cannot be a multi-VLAN port.

- It cannot be used as a member of a static or dynamic trunk.

- It should not be connected to a network interconnection device.

• If a port is disabled (shut down) due to a security violation, it must be
manually re-enabled from the Port/Port Configuration page
(page 3-84).

Command Attributes

•Port – Port number.

•Name – Descriptive text (page 4-168).

• Action – Indicates the action to be taken when a port security violation
is detected:

- None: No action should be taken. (This is the default.)

- Trap: Send an SNMP trap message.

- Shutdown: Disable the port.

- Trap and Shutdown: Send an SNMP trap message and disable the

port.

• Security Status – Enables or disables port security on the port.
(Default: Disabled)

• Max MAC Count – The maximum number of MAC addresses that
can be learned on a port. (Range: 0 - 20)

• Trunk – Trunk number if port is a member (page 3-88 and 3-89).

3-49

C

ONFIGURING THE SWITCH

Web – Click Security, Port Security. Set the action to take when an invalid
address is detected on a port, mark the checkbox in the Status column to
enable security for a port, set the maximum number of MAC addresses
allowed on a port, and click Apply.

Figure 3-22. Configuring Port Security

CLI – This example sets the command mode to Port 5, sets the port

security action to send a trap and disable the port, and then enables port
security for the switch.

Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap-and-shutdown 3-102
Console(config-if)#port security
Console(config-if)#

3-50

U

SER AUTHENTICATION

Configuring 802.1x Port Authentication

Network switches can provide open and easy access to network resources
by simply attaching a client PC. Although this automatic configuration and
access is a desirable feature, it also allows unauthorized personnel to easily
intrude and possibly gain access to sensitive network data.

The IEEE 802.1x (dot1x) standard defines a port-based access control
procedure that prevents unauthorized access to a network by requiring
users to first submit credentials for authentication.

Access to all switch ports in a network can be centrally controlled from a
server, which means that authorized users can use the same credentials for
authentication from any point within the network.

This switch uses the Extensible Authentication Protocol over LANs
(EAPOL) to exchange authentication protocol messages with the client,
and a remote RADIUS authentication server to verify user identity and
access rights. When a client (i.e., Supplicant) connects to a switch port, the
switch (i.e., Authenticator) responds with an EAPOL identity request. The
client provides its identity (such as a user name) in an EAPOL response to
the switch, which it forwards to the RADIUS server. The RADIUS server
verifies the client identity and sends an access challenge back to the client.
The EAP packet from the RADIUS server contains not only the challenge,
but the authentication method to be used. The client can reject the
authentication method and request another, depending on the
configuration of the client software and the RADIUS server. The current
version of the firmware supports only the MD5 authentication method.
The client responds to the appropriate method with its credentials, such as
a password or certificate. The RADIUS server verifies the client
credentials and responds with an accept or reject packet. If authentication
is successful, the switch allows the client to access the network. Otherwise,
network access is denied and the port remains blocked.

3-51

C

ONFIGURING THE SWITCH

802.1x
client

1. Client attempts to access a switch port.

2. Switch sends client an identity request.

RADIUS
server

3. Client sends back identity information.

4. Switch forwards this to authentication server.

5. Authentication server challenges client.

6. Client responds with proper credentials.

7. Authentication server approves access.

8. Switch grants client access to this port.

The operation of 802.1x on the switch requires the following:

• The switch must have an IP address assigned.

• RADIUS authentication must be enabled on the switch and the IP
address of the RADIUS server specified.

• Each switch port that will be used must be set to dot1x “Auto” mode.

• Each client that needs to be authenticated must have dot1x client
software installed and properly configured.

• The RADIUS server and 802.1x client support EAP. (The switch only
supports EAPOL in order to pass the EAP packets from the server to
the client.)

• The RADIUS server and client also have to support the same EAP
authentication type. The current version of the firmware supports only
the EAP-MD5 authetication type. (Some clients have native support in
Windows, otherwise the dot1x client must support it.)

Displaying 802.1x Global Settings

The dot1x protocol includes global parameters that control the client
authentication process that runs between the client and the switch (i.e.,
authenticator), as well as the client identity lookup process that runs
between the switch and authentication server. These parameters are
described in this section.

3-52