TP-LINK TL-SL5428 User Manual

TL-SL5428
24-Port 10/100 + 4-Port Gigabit Managed Switch
Rev: 1.0.0
1910010123
COPYRIGHT & TRADEMARKS
®
trademark
of TP-LINK TECHNOLOGIES CO., LTD. Other brands and product names
are trademarks or registered trademarks of their respective holders.
No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-LINK TECHNOLOGIES CO., LTD. Copyright © 2008 TP-LINK TECHNOLOGIES CO., LTD. All rights reserved.
http://www.tp-link.com
Specifications are subject to change without notice.
FCC STATEMENT
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which
the receiver is connected.
Consult the dealer or an experienced radio/ TV technician for help.
This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions:
1) This device may not cause harmful interference.
2) This device must accept any interference received, including interference that
may cause undesired operation.
Any changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment.
CE Mark Warning
This is a class A product. In a domestic environment, this product may cause radio interference, in which case the user may be required to take adequate measures.
Contents
Chapter 1: Introduction 1-1
Key Features 1-1 Description of Software Features 1-2 System Defaults 1-6
Chapter 2: Initial Configuration 2-1
Connecting to the Switch 2-1
Configuration Options 2-1 Required Connections 2-2 Remote Connections 2-3
Basic Configuration 2-3
Console Connection 2-3 Setting Passwords 2-4 Setting an IP Address 2-4
Manual Configuration 2-4 Dynamic Configuration 2-5
Enabling SNMP Management Access 2-6
Community Strings (for SNMP version 1 and 2c clients) 2-6 Trap Receivers 2-7 Configuring Access for SNMP Version 3 Clients 2-8
Saving Configuration Settings 2-8
Managing System Files 2-9
Chapter 3: Configuring the Switch 3-1
Using the Web Interface 3-1 Navigating the Web Browser Interface 3-2
Home Page 3-2
Configuration Options 3-3 Panel Display 3-3 Main Menu 3-4 Basic Configuration 3-12
Displaying System Information 3-12
Displaying Switch Hardware/Software Versions 3-13
Displaying Bridge Extension Capabilities 3-15
Setting the Switch’s IP Address 3-16
Manual Configuration 3-17
Using DHCP/BOOTP 3-18 Enabling Jumbo Frames 3-19 Managing Firmware 3-19
Downloading System Software from a Server 3-20
i
Contents
Saving or Restoring Configuration Settings 3-21
Downloading Configuration Settings from a Server 3-22 Console Port Settings 3-23 Telnet Settings 3-25 Configuring Event Logging 3-28
Displaying Log Messages 3-28
System Log Configuration 3-28
Remote Log Configuration 3-30
Simple Mail Transfer Protocol 3-31 Resetting the System 3-33 Setting the System Clock 3-34
Setting the Time Manually 3-34
Configuring SNTP 3-34
Configuring NTP 3-35
Setting the Time Zone 3-37
Simple Network Management Protocol 3-38
Setting Community Access Strings 3-40 Specifying Trap Managers and Trap Types 3-41 Enabling SNMP Agent Status 3-42 Configuring SNMPv3 Management Access 3-43
Setting the Local Engine ID 3-43
Specifying a Remote Engine ID 3-45 Configuring SNMPv3 Users 3-45 Configuring Remote SNMPv3 Users 3-47 Configuring SNMPv3 Groups 3-48 Setting SNMPv3 Views 3-50
User Authentication 3-51
Configuring User Accounts 3-52 Configuring Local/Remote Logon Authentication 3-54 Configuring Encryption Keys 3-58
AAA Authorization and Accounting 3-59
Configuring AAA RADIUS Group Settings 3-60 Configuring AAA TACACS+ Group Settings 3-60 Configuring AAA Accounting 3-61 AAA Accounting Update 3-63 AAA Accounting 802.1X Port Settings 3-63 AAA Accounting Exec Command Privileges 3-64 AAA Accounting Exec Settings 3-66 AAA Accounting Summary 3-66 Authorization Settings 3-68 Authorization EXEC Settings 3-69 Authorization Summary 3-69 Configuring HTTPS 3-70 Replacing the Default Secure-site Certificate 3-71 Configuring the Secure Shell 3-72
ii
Contents
Configuring the SSH Server 3-75 Generating the Host Key Pair 3-76
Importing User Public Keys 3-77 Configuring Port Security 3-81 Configuring 802.1X Port Authentication 3-82
Displaying 802.1X Global Settings 3-84
Configuring 802.1X Global Settings 3-84
Configuring Port Settings for 802.1X 3-85
Displaying 802.1X Statistics 3-88 Web Authentication 3-89
Configuring Web Authentication 3-90
Configuring Web Authentication for Ports 3-91
Displaying Web Authentication Port Information 3-92
Re-authenticating Web Authenticated Ports 3-93 Network Access – MAC Address Authentication 3-94
Configuring the MAC Authentication Reauthentication Time 3-95
Configuring MAC Authentication for Ports 3-95
Configuring Port Link Detection 3-97
Displaying Secure MAC Address Information 3-98 MAC Authentication 3-99
Configuring MAC authentication parameters for ports 3-99
Access Control Lists 3-100
Configuring Access Control Lists 3-101
Setting the ACL Name and Type 3-101
Configuring a Standard IP ACL 3-102
Configuring an Extended IP ACL 3-103
Configuring a MAC ACL 3-106 Binding a Port to an Access Control List 3-107 Filtering IP Addresses for Management Access 3-108
Port Configuration 3-111
Displaying Connection Status 3-111 Configuring Interface Connections 3-113 Creating Trunk Groups 3-115
Statically Configuring a Trunk 3-116
Enabling LACP on Selected Ports 3-117
Configuring LACP Parameters 3-119
Displaying LACP Port Counters 3-121
Displaying LACP Settings and Status for the Local Side 3-123
Displaying LACP Settings and Status for the Remote Side 3-125 Setting Broadcast Storm Thresholds 3-126 Configuring Port Mirroring 3-128 Configuring Rate Limits 3-129
Rate Limit Configuration 3-129 Showing Port Statistics 3-130
Address Table Settings 3-134
iii
Contents
Setting Static Addresses 3-134 Displaying the Address Table 3-135 Changing the Aging Time 3-137
Spanning Tree Algorithm Configuration 3-137
Configuring Port and Trunk Loopback Detection 3-139 Displaying Global Settings 3-141 Configuring Global Settings 3-143 Displaying Interface Settings 3-147 Configuring Interface Settings 3-149 Configuring Multiple Spanning Trees 3-151 Displaying Interface Settings for MSTP 3-154 Configuring Interface Settings for MSTP 3-156
VLAN Configuration 3-158
IEEE 802.1Q VLANs 3-158
Enabling or Disabling GVRP (Global Setting) 3-161 Displaying Basic VLAN Information 3-162 Displaying Current VLANs 3-162 Creating VLANs 3-164 Adding Static Members to VLANs (VLAN Index) 3-165 Adding Static Members to VLANs (Port Index) 3-167 Configuring VLAN Behavior for Interfaces 3-168
Configuring IEEE 802.1Q Tunneling 3-170
Enabling QinQ Tunneling on the Switch 3-173 Adding an Interface to a QinQ Tunnel 3-175
Private VLANs 3-176
Displaying Current Private VLANs 3-177 Configuring Private VLANs 3-178 Associating VLANs 3-179 Displaying Private VLAN Interface Information 3-180 Configuring Private VLAN Interfaces 3-181
Protocol VLANs 3-182
Protocol VLAN Group Configuration 3-182 Protocol VLAN System Configuration 3-183
Link Layer Discovery Protocol 3-184
Setting LLDP Timing Attributes 3-184 Configuring LLDP Interface Attributes 3-186 Displaying LLDP Local Device Information 3-189 Displaying LLDP Remote Port Information 3-190 Displaying LLDP Remote Information Details 3-191 Displaying Device Statistics 3-192 Displaying Detailed Device Statistics 3-193
Class of Service Configuration 3-194
Layer 2 Queue Settings 3-194
Setting the Default Priority for Interfaces 3-194 Mapping CoS Values to Egress Queues 3-195
iv
Contents
Enabling CoS 3-197
Selecting the Queue Mode 3-198
Setting the Service Weight for Traffic Classes 3-198 Layer 3/4 Priority Settings 3-199
Mapping Layer 3/4 Priorities to CoS Values 3-199
Enabling IP DSCP Priority 3-200
Mapping DSCP Priority 3-201
Quality of Service 3-202
Configuring Quality of Service Parameters 3-203
Configuring a Class Map 3-203
Creating QoS Policies 3-206
Attaching a Policy Map to Ingress Queues 3-209
VoIP Traffic Configuration 3-210
Configuring VoIP Traffic 3-210 Configuring VoIP Traffic Port 3-211 Configuring Telephony OUI 3-213
Multicast Filtering 3-215
Layer 2 IGMP (Snooping and Query) 3-215
Configuring IGMP Snooping and Query Parameters 3-216
Enabling IGMP Immediate Leave 3-218
Displaying Interfaces Attached to a Multicast Router 3-219
Specifying Static Interfaces for a Multicast Router 3-220
Displaying Port Members of Multicast Services 3-221
Assigning Ports to Multicast Services 3-222 IGMP Filtering and Throttling 3-223
Enabling IGMP Filtering and Throttling 3-224
Configuring IGMP Filter Profiles 3-225
Configuring IGMP Filtering and Throttling for Interfaces 3-226
Multicast VLAN Registration 3-228
Configuring Global MVR Settings 3-229 Displaying MVR Interface Status 3-230 Displaying Port Members of Multicast Groups 3-231 Configuring MVR Interface Status 3-232 Assigning Static Multicast Groups to Interfaces 3-234
DHCP Snooping 3-235
DHCP Snooping Configuration 3-236 DHCP Snooping VLAN Configuration 3-236 DHCP Snooping Information Option Configuration 3-237 DHCP Snooping Port Configuration 3-238 DHCP Snooping Binding Information 3-239
IP Source Guard 3-240
IP Source Guard Port Configuration 3-240 Static IP Source Guard Binding Configuration 3-241 Dynamic IP Source Guard Binding Information 3-242
Switch Clustering 3-243
v
Contents
Cluster Configuration 3-244 Cluster Member Configuration 3-245 Cluster Member Information 3-246 Cluster Candidate Information 3-247
UPnP 3-248
UPnP Configuration 3-248
Chapter 4: Command Line Interface 4-1
Using the Command Line Interface 4-1
Accessing the CLI 4-1 Console Connection 4-1 Telnet Connection 4-2
Entering Commands 4-3
Keywords and Arguments 4-3 Minimum Abbreviation 4-3 Command Completion 4-3 Getting Help on Commands 4-3 Showing Commands 4-4 Partial Keyword Lookup 4-6 Negating the Effect of Commands 4-6 Using Command History 4-6 Understanding Command Modes 4-6 Exec Commands 4-7 Configuration Commands 4-8
Command Line Processing 4-10 Command Groups 4-11 Line Commands 4-12
line 4-13
login 4-13
password 4-14
timeout login response 4-15
exec-timeout 4-15
password-thresh 4-16
silent-time 4-17
databits 4-17
parity 4-18
speed 4-19
stopbits 4-19
disconnect 4-20
show line 4-20 General Commands 4-21
enable 4-21
disable 4-22
configure 4-23
vi
Contents
show history 4-23 reload 4-24 reload cancel 4-24 show reload 4-25 end 4-25 exit 4-26 quit 4-26
System Management Commands 4-27
Device Designation Commands 4-27
prompt 4-27 hostname 4-28
Banner 4-28
banner configure 4-29 banner configure company 4-30 banner configure dc-power-info 4-31 banner configure department 4-31 banner configure equipment-info 4-32 banner configure equipment-location 4-33 banner configure ip-lan 4-33 banner configure lp-number 4-34 banner configure manager-info 4-35 banner configure mux 4-35 banner configure note 4-36 show banner 4-37
User Access Commands 4-38
username 4-38 enable password 4-39
IP Filter Commands 4-40
management 4-40 show management 4-41
Web Server Commands 4-42
ip http port 4-42 ip http server 4-42 ip http secure-server 4-43 ip http secure-port 4-44
Telnet Server Commands 4-45
ip telnet port 4-45 ip telnet server 4-45
Secure Shell Commands 4-46
ip ssh server 4-48 ip ssh timeout 4-49 ip ssh authentication-retries 4-49 ip ssh server-key size 4-50 delete public-key 4-50 ip ssh crypto host-key generate 4-51
vii
Contents
ip ssh crypto zeroize 4-51 ip ssh save host-key 4-52 show ip ssh 4-52 show ssh 4-53 show public-key 4-54
Event Logging Commands 4-55
logging on 4-55 logging history 4-56 logging host 4-57 logging facility 4-57 logging trap 4-58 clear logging 4-58 show logging 4-59 show log 4-60
SMTP Alert Commands 4-61
logging sendmail host 4-61 logging sendmail level 4-62 logging sendmail source-email 4-63 logging sendmail destination-email 4-63 logging sendmail 4-64 show logging sendmail 4-64
Time Commands 4-65
sntp client 4-65 sntp server 4-66 sntp poll 4-67 show sntp 4-67 ntp client 4-68 ntp server 4-69 ntp poll 4-70 ntp authenticate 4-70 ntp authentication-key 4-71 show ntp 4-72 clock timezone-predefined 4-72 clock timezone 4-73 clock summer-time (date) 4-74 clock summer-time (predefined) 4-75 clock summer-time (recurring) 4-76 calendar set 4-77 show calendar 4-77
System Status Commands 4-78
show startup-config 4-78 show running-config 4-79 show system 4-82 show users 4-82 show version 4-83
viii
Contents
Frame Size Commands 4-84
jumbo frame 4-84
Flash/File Commands 4-85
copy 4-85 delete 4-88 dir 4-89 whichboot 4-90 boot system 4-90
Authentication Commands 4-91
Authentication Sequence 4-91
authentication login 4-92 authentication enable 4-93
RADIUS Client 4-94
radius-server host 4-95 radius-server acct-port 4-95 radius-server auth-port 4-96 radius-server key 4-96 radius-server retransmit 4-97 radius-server timeout 4-97 show radius-server 4-97
TACACS+ Client 4-98
tacacs-server host 4-98 tacacs-server port 4-99 tacacs-server key 4-99 tacacs-server retransmit 4-100 tacacs-server timeout 4-100 show tacacs-server 4-101
AAA Commands 4-102
aaa group server 4-102 server 4-103 aaa accounting dot1x 4-103 aaa accounting exec 4-104 aaa accounting commands 4-105 aaa accounting update 4-106 accounting dot1x 4-107 accounting exec 4-107 accounting commands 4-108 aaa authorization exec 4-108 authorization exec 4-109 show accounting 4-110
Port Security Commands 4-111
port security 4-111
802.1X Port Authentication 4-112 dot1x system-auth-control 4-113 dot1x default 4-113
ix
Contents
dot1x max-req 4-114 dot1x port-control 4-114 dot1x operation-mode 4-115 dot1x re-authenticate 4-115 dot1x re-authentication 4-116 dot1x timeout quiet-period 4-116 dot1x timeout re-authperiod 4-117 dot1x timeout tx-period 4-117 dot1x intrusion-action 4-118 show dot1x 4-118
Network Access – MAC Address Authentication 4-121
network-access mode 4-121 network-access max-mac-count 4-122 mac-authentication intrusion-action 4-123 mac-authentication max-mac-count 4-123 network-access dynamic-qos 4-124 network-access dynamic-vlan 4-124 network-access guest-vlan 4-125 network-access link-detection 4-125 network-access link-detection link-down 4-126 network-access link-detection link-up 4-126 network-access link-detection link-up-down 4-127 mac-authentication reauth-time 4-127 clear network-access 4-128 show network-access 4-128 show network-access mac-address-table 4-129
Web Authentication 4-130
web-auth login-attempts 4-131 web-auth login-fail-page-url 4-131 web-auth login-page-url 4-132 web-auth login-success-page-url 4-132 web-auth quiet-period 4-133 web-auth session-timeout 4-133 web-auth system-auth-control 4-134 web-auth 4-134 show web-auth 4-135 show web-auth interface 4-135 web-auth re-authenticate (Port) 4-136 web-auth re-authenticate (IP) 4-136 show web-auth summary 4-137
Access Control List Commands 4-139
IP ACLs 4-140
access-list ip 4-140 permit, deny (Standard ACL) 4-141 permit, deny (Extended ACL) 4-141
x
Contents
show ip access-list 4-143 ip access-group 4-143 show ip access-group 4-144
MAC ACLs 4-144
access-list mac 4-145 permit, deny (MAC ACL) 4-146 show mac access-list 4-147 mac access-group 4-148 show mac access-group 4-148
ACL Information 4-149
show access-list 4-149 show access-group 4-149
SNMP Commands 4-150
snmp-server 4-151 show snmp 4-151 snmp-server community 4-152 snmp-server contact 4-153 snmp-server location 4-153 snmp-server host 4-154 snmp-server enable traps 4-156 snmp-server engine-id 4-157 show snmp engine-id 4-158 snmp-server view 4-159 show snmp view 4-160 snmp-server group 4-160 show snmp group 4-161 snmp-server user 4-163 show snmp user 4-165
Interface Commands 4-166
interface 4-166 description 4-167 speed-duplex 4-167 negotiation 4-168 capabilities 4-169 flowcontrol 4-170 shutdown 4-171 switchport packet-rate 4-172 clear counters 4-172 show interfaces status 4-173 show interfaces counters 4-174 show interfaces switchport 4-175
Mirror Port Commands 4-177
port monitor 4-177 show port monitor 4-178
Rate Limit Commands 4-179
xi
Contents
rate-limit 4-179
Link Aggregation Commands 4-180
channel-group 4-181 lacp 4-182 lacp system-priority 4-183 lacp admin-key (Ethernet Interface) 4-184 lacp admin-key (Port Channel) 4-185 lacp port-priority 4-186 show lacp 4-186
Address Table Commands 4-190
mac-address-table static 4-190 clear mac-address-table dynamic 4-191 show mac-address-table 4-191 mac-address-table aging-time 4-192 show mac-address-table aging-time 4-193
LLDP Commands 4-193
lldp 4-195 lldp holdtime-multiplier 4-195 lldp medFastStartCount 4-196 lldp notification-interval 4-196 lldp refresh-interval 4-197 lldp reinit-delay 4-198 lldp tx-delay 4-198 lldp admin-status 4-199 lldp notification 4-199 lldp mednotification 4-200 lldp basic-tlv management-ip-address 4-201 lldp basic-tlv port-description 4-201 lldp basic-tlv system-capabilities 4-202 lldp basic-tlv system-description 4-202 lldp basic-tlv system-name 4-203 lldp dot1-tlv proto-ident 4-203 lldp dot1-tlv proto-vid 4-204 lldp dot1-tlv pvid 4-204 lldp dot1-tlv vlan-name 4-205 lldp dot3-tlv link-agg 4-205 lldp dot3-tlv mac-phy 4-206 lldp dot3-tlv max-frame 4-206 lldp dot3-tlv poe 4-207 lldp medtlv extpoe 4-207 lldp medtlv inventory 4-208 lldp medtlv location 4-208 lldp medtlv med-cap 4-209 lldp medtlv network-policy 4-209 show lldp config 4-210
xii
Contents
show lldp info local-device 4-212 show lldp info remote-device 4-213 show lldp info statistics 4-213
UPnP Commands 4-215
upnp device 4-215 upnp device ttl 4-216 upnp device advertise duration 4-216 show upnp 4-217
Spanning Tree Commands 4-217
spanning-tree 4-218 spanning-tree mode 4-219 spanning-tree forward-time 4-220 spanning-tree hello-time 4-221 spanning-tree max-age 4-221 spanning-tree priority 4-222 spanning-tree pathcost method 4-222 spanning-tree transmission-limit 4-223 spanning-tree mst-configuration 4-223 mst vlan 4-224 mst priority 4-225 name 4-225 revision 4-226 max-hops 4-226 spanning-tree spanning-disabled 4-227 spanning-tree cost 4-227 spanning-tree port-priority 4-228 spanning-tree edge-port 4-229 spanning-tree portfast 4-230 spanning-tree link-type 4-231 spanning-tree loopback-detection 4-231 spanning-tree loopback-detection release-mode 4-232 spanning-tree loopback-detection trap 4-233 spanning-tree mst cost 4-233 spanning-tree mst port-priority 4-234 spanning-tree protocol-migration 4-235 show spanning-tree 4-235 show spanning-tree mst configuration 4-237
VLAN Commands 4-238
GVRP and Bridge Extension Commands 4-238
bridge-ext gvrp 4-239 show bridge-ext 4-239 switchport gvrp 4-240 show gvrp configuration 4-240 garp timer 4-241 show garp timer 4-241
xiii
Contents
Editing VLAN Groups 4-242
vlan database 4-242 vlan 4-243
Configuring VLAN Interfaces 4-244
interface vlan 4-244 switchport mode 4-245 switchport acceptable-frame-types 4-246 switchport ingress-filtering 4-246 switchport native vlan 4-247 switchport allowed vlan 4-248 switchport forbidden vlan 4-249
Displaying VLAN Information 4-250
show vlan 4-250
Configuring IEEE 802.1Q Tunneling 4-251
dot1q-tunnel system-tunnel-control 4-251 switchport dot1q-tunnel mode 4-252 switchport dot1q-tunnel tpid 4-253 show dot1q-tunnel 4-253
Configuring Private VLANs 4-254
private-vlan 4-256 private vlan association 4-256 switchport mode private-vlan 4-257 switchport private-vlan host-association 4-258 switchport private-vlan isolated 4-258 switchport private-vlan mapping 4-259 show vlan private-vlan 4-259
Configuring Protocol-based VLANs 4-261
protocol-vlan protocol-group (Configuring Groups) 4-261 protocol-vlan protocol-group (Configuring VLANs) 4-262 show protocol-vlan protocol-group 4-263 show protocol-vlan protocol-group-vid 4-263
Priority Commands 4-264
Priority Commands (Layer 2) 4-264
queue mode 4-265 switchport priority default 4-265 queue bandwidth 4-266 queue cos-map 4-267 show queue mode 4-268 show queue bandwidth 4-268 show queue cos-map 4-269
Priority Commands (Layer 3 and 4) 4-269
map ip dscp (Global Configuration) 4-269 map ip dscp (Interface Configuration) 4-270 show map ip dscp 4-271
Quality of Service Commands 4-272
xiv
Contents
class-map 4-273 match 4-274 policy-map 4-275 class 4-276 set 4-277 police 4-277 service-policy 4-278 show class-map 4-279 show policy-map 4-279 show policy-map interface 4-280
Voice VLAN Commands 4-280
voice vlan 4-281 voice vlan aging 4-282 voice vlan mac-address 4-282 switchport voice vlan 4-283 switchport voice vlan rule 4-284 switchport voice vlan security 4-284 switchport voice vlan priority 4-285 show voice vlan 4-286
Multicast Filtering Commands 4-287
IGMP Snooping Commands 4-287
ip igmp snooping 4-288 ip igmp snooping vlan static 4-288 ip igmp snooping version 4-289 ip igmp snooping leave-proxy 4-289 ip igmp snooping immediate-leave 4-290 show ip igmp snooping 4-291 show mac-address-table multicast 4-291
IGMP Query Commands (Layer 2) 4-292
ip igmp snooping querier 4-292 ip igmp snooping query-count 4-293 ip igmp snooping query-interval 4-293 ip igmp snooping query-max-response-time 4-294 ip igmp snooping router-port-expire-time 4-295
Static Multicast Routing Commands 4-295
ip igmp snooping vlan mrouter 4-296 show ip igmp snooping mrouter 4-296
IGMP Filtering and Throttling Commands 4-297
ip igmp filter (Global Configuration) 4-298 ip igmp profile 4-298 permit, deny 4-299 range 4-299 ip igmp filter (Interface Configuration) 4-300 ip igmp max-groups 4-300 ip igmp max-groups action 4-301
xv
Contents
show ip igmp filter 4-302 show ip igmp profile 4-302 show ip igmp throttle interface 4-303
Multicast VLAN Registration Commands 4-304
mvr (Global Configuration) 4-304 mvr (Interface Configuration) 4-305 show mvr 4-307
IP Interface Commands 4-309
ip address 4-309 ip default-gateway 4-310 ip dhcp restart 4-311 show ip interface 4-311 show ip redirects 4-312 ping 4-312
IP Source Guard Commands 4-313
ip source-guard 4-313 ip source-guard binding 4-315 show ip source-guard 4-316 show ip source-guard binding 4-316
DHCP Snooping Commands 4-317
ip dhcp snooping 4-317 ip dhcp snooping vlan 4-319 ip dhcp snooping trust 4-320 ip dhcp snooping verify mac-address 4-321 ip dhcp snooping information option 4-321 ip dhcp snooping information policy 4-322 ip dhcp snooping database flash 4-323 show ip dhcp snooping 4-323 show ip dhcp snooping binding 4-324
Switch Cluster Commands 4-324
cluster 4-324 cluster commander 4-325 cluster ip-pool 4-326 cluster member 4-326 rcommand 4-327 show cluster 4-327 show cluster members 4-328 show cluster candidates 4-328
Appendix A: Software Specifications A-1
Software Features A-1 Management Features A-2 Standards A-2 Management Information Bases A-3
xvi
Contents
Appendix B: Troubleshooting B-1
Problems Accessing the Management Interface B-1 Using System Logs B-2
Glossary
Index
xvii
Contents
xviii
Tables
Table 1-1 Key Features 1-1 Table 1-2 System Defaults 1-6 Table 3-1 Configuration Options 3-3 Table 3-2 Main Menu 3-4 Table 3-3 Logging Levels 3-29 Table 3-5 Supported Notification Messages 3-48 Table 3-6 HTTPS System Support 3-70 Table 3-7 802.1X Statistics 3-88 Table 3-8 LACP Port Counters 3-121 Table 3-9 LACP Internal Configuration Information 3-123 Table 3-10 LACP Neighbor Configuration Information 3-125 Table 3-11 Port Statistics 3-130 Table 3-12 Mapping CoS Values to Egress Queues 3-196 Table 3-13 CoS Priority Levels 3-196 Table 3-14 Mapping DSCP Priority Values 3-201 Table 4-1 Command Modes 4-7 Table 4-2 Configuration Modes 4-8 Table 4-3 Command Line Processing 4-10 Table 4-4 Command Groups 4-11 Table 4-5 Line Commands 4-12 Table 4-6 General Commands 4-21 Table 4-7 System Management Commands 4-27 Table 4-8 Device Designation Commands 4-27 Table 4-9 Banner Commands 4-28 Table 4-10 User Access Commands 4-38 Table 4-11 Default Login Settings 4-38 Table 4-12 IP Filter Commands 4-40 Table 4-13 Web Server Commands 4-42 Table 4-14 HTTPS System Support 4-43 Table 4-15 Telnet Server Commands 4-45 Table 4-16 SSH Commands 4-46 Table 4-17 show ssh - display description 4-53 Table 4-18 Event Logging Commands 4-55 Table 4-19 Logging Levels 4-56 Table 4-20 show logging flash/ram - display description 4-59 Table 4-21 show logging trap - display description 4-60 Table 4-22 SMTP Alert Commands 4-61 Table 4-23 Time Commands 4-65 Table 4-24 Predefined Summer-Time Parameters 4-75 Table 4-25 System Status Commands 4-78 Table 4-26 Frame Size Commands 4-84 Table 4-27 Flash/File Commands 4-85
xix
Tables
Table 4-28 File Directory Information 4-89 Table 4-29 Authentication Commands 4-91 Table 4-30 Authentication Sequence 4-91 Table 4-31 RADIUS Client Commands 4-94 Table 4-32 TACACS Commands 4-98 Table 4-34 Port Security Commands 4-111 Table 4-35 802.1X Port Authentication 4-112 Table 4-36 Network Access 4-121 Table 4-37 Web Authentication 4-130 Table 4-38 Access Control Lists 4-139 Table 4-39 IP ACLs 4-140 Table 4-40 MAC ACL Commands 4-144 Table 4-41 ACL Information 4-149 Table 4-42 SNMP Commands 4-150 Table 4-43 show snmp engine-id - display description 4-158 Table 4-44 show snmp view - display description 4-160 Table 4-45 show snmp group - display description 4-163 Table 4-46 show snmp user - display description 4-165 Table 4-47 Interface Commands 4-166 Table 4-48 Interfaces Switchport Statistics 4-176 Table 4-49 Mirror Port Commands 4-177 Table 4-50 Rate Limit Commands 4-179 Table 4-51 Link Aggregation Commands 4-180 Table 4-52 show lacp counters - display description 4-187 Table 4-53 show lacp internal - display description 4-188 Table 4-54 show lacp neighbors - display description 4-189 Table 4-55 show lacp sysid - display description 4-189 Table 4-56 Address Table Commands 4-190 Table 4-57 LLDP Commands 4-193 Table 4-58 Spanning Tree Commands 4-217 Table 4-59 VLANs 4-238 Table 4-60 GVRP and Bridge Extension Commands 4-238 Table 4-61 Editing VLAN Groups 4-242 Table 4-62 Configuring VLAN Interfaces 4-244 Table 4-63 Show VLAN Commands 4-250 Table 4-64 IEEE 802.1Q Tunneling Commands 4-251 Table 4-65 Private VLAN Commands 4-254 Table 4-66 Protocol-based VLAN Commands 4-261 Table 4-67 Priority Commands 4-264 Table 4-68 Priority Commands (Layer 2) 4-264 Table 4-69 Default CoS Values to Egress Queues 4-267 Table 4-70 Priority Commands (Layer 3 and 4) 4-269 Table 4-71 IP DSCP to CoS Vales 4-270 Table 4-72 Quality of Service Commands 4-272 Table 4-73 Voice VLAN Commands 4-280
xx
Ta bl e s
Table 4-74 Multicast Filtering Commands 4-287 Table 4-75 IGMP Snooping Commands 4-287 Table 4-76 IGMP Query Commands (Layer 2) 4-292 Table 4-77 Static Multicast Routing Commands 4-295 Table 4-78 IGMP Filtering and Throttling Commands 4-297 Table 4-79 Multicast VLAN Registration Commands 4-304 Table 4-80 show mvr - display description 4-307 Table 4-81 show mvr interface - display description 4-308 Table 4-82 show mvr members - display description 4-308 Table 4-83 IP Interface Commands 4-309 Table 4-84 IP Source Guard Commands 4-313 Table 4-85 DHCP Snooping Commands 4-317 Table 4-86 Switch Cluster Commands 4-324 Table B-1 Troubleshooting Chart B-1
xxi
Tables
xxii
Figures
Figure 3-1 Home Page 3-2 Figure 3-2 Panel Display 3-3 Figure 3-3 System Information 3-12 Figure 3-4 Switch Information 3-14 Figure 3-5 Bridge Extension Configuration 3-15 Figure 3-6 Manual IP Configuration 3-17 Figure 3-7 DHCP IP Configuration 3-18 Figure 3-8 Jumbo Frames Configuration 3-19 Figure 3-9 Copy Firmware 3-20 Figure 3-10 Setting the Startup Code 3-20 Figure 3-11 Deleting Files 3-21 Figure 3-12 Downloading Configuration Settings for Startup 3-22 Figure 3-13 Setting the Startup Configuration Settings 3-23 Figure 3-14 Console Port Settings 3-24 Figure 3-15 Enabling Telnet 3-26 Figure 3-16 Displaying Logs 3-28 Figure 3-17 System Logs 3-29 Figure 3-18 Remote Logs 3-31 Figure 3-19 Enabling and Configuring SMTP 3-32 Figure 3-20 Resetting the System 3-33 Figure 3-21 SNTP Configuration 3-35 Figure 3-22 NTP Client Configuration 3-36 Figure 3-23 Setting the System Clock 3-38 Figure 3-24 Configuring SNMP Community Strings 3-41 Figure 3-25 Configuring IP Trap Managers 3-42 Figure 3-26 Enabling SNMP Agent Status 3-43 Figure 3-27 Setting an Engine ID 3-44 Figure 3-28 Setting a Remote Engine ID 3-45 Figure 3-29 Configuring SNMPv3 Users 3-46 Figure 3-30 Configuring Remote SNMPv3 Users 3-47 Figure 3-31 Configuring SNMPv3 Groups 3-50 Figure 3-32 Configuring SNMPv3 Views 3-51 Figure 3-33 Access Levels 3-53 Figure 3-34 Authentication Settings 3-56 Figure 3-35 Encryption Key Settings 3-58 Figure 3-36 AAA Radius Group Settings 3-60 Figure 3-37 AAA TACACS+ Group Settings 3-61 Figure 3-38 AAA Accounting Settings 3-62 Figure 3-39 AAA Accounting Update 3-63 Figure 3-40 AAA Accounting 802.1X Port Settings 3-64 Figure 3-41 AAA Accounting Exec Command Privileges 3-65 Figure 3-42 AAA Accounting Exec Settings 3-66
xxiii
Figures
Figure 3-43 AAA Accounting Summary 3-67 Figure 3-44 AAA Authorization Settings 3-68 Figure 3-45 AAA Authorization Exec Settings 3-69 Figure 3-46 AAA Authorization Summary 3-70 Figure 3-47 HTTPS Settings 3-71 Figure 3-48 HTTPS Settings 3-72 Figure 3-49 SSH Server Settings 3-75 Figure 3-50 SSH Host-Key Settings 3-77 Figure 3-51 SSH User Public-Key Settings 3-79 Figure 3-52 Configuring Port Security 3-82 Figure 3-53 802.1X Global Information 3-84 Figure 3-54 802.1X Global Configuration 3-85 Figure 3-55 802.1X Port Configuration 3-86 Figure 3-56 Displaying 802.1X Port Statistics 3-89 Figure 3-57 Web Authentication Configuration 3-90 Figure 3-58 Web Authentication Port Configuration 3-91 Figure 3-59 Web Authentication Port Information 3-93 Figure 3-60 Web Authentication Port Re-authentication 3-93 Figure 3-61 Network Access Configuration 3-95 Figure 3-62 Network Access Port Configuration 3-96 Figure 3-63 Network Access Port Link Detection Configuration 3-98 Figure 3-64 Network Access MAC Address Information 3-99 Figure 3-65 MAC Authentication Port Configuration 3-100 Figure 3-66 Selecting ACL Type 3-102 Figure 3-67 Configuring Standard IP ACLs 3-103 Figure 3-68 Configuring Extended IP ACLs 3-105 Figure 3-69 Configuring MAC ACLs 3-107 Figure 3-70 Configuring ACL Port Binding 3-108 Figure 3-71 Creating an IP Filter List 3-110 Figure 3-72 Displaying Port/Trunk Information 3-111 Figure 3-73 Port/Trunk Configuration 3-114 Figure 3-74 Configuring Static Trunks 3-116 Figure 3-75 LACP Trunk Configuration 3-118 Figure 3-76 LACP Port Configuration 3-120 Figure 3-77 LACP - Port Counters Information 3-122 Figure 3-78 LACP - Port Internal Information 3-124 Figure 3-79 LACP - Port Neighbors Information 3-125 Figure 3-80 Port Broadcast Control 3-127 Figure 3-81 Mirror Port Configuration 3-128 Figure 3-82 Input Rate Limit Port Configuration 3-129 Figure 3-83 Port Statistics 3-133 Figure 3-84 Configuring a Static Address Table 3-135 Figure 3-85 Configuring a Dynamic Address Table 3-136 Figure 3-86 Setting the Address Aging Time 3-137 Figure 3-87 Configuring Port Loopback Detection 3-140
xxiv
Figures
Figure 3-88 Displaying Spanning Tree Information 3-142 Figure 3-89 Configuring Spanning Tree 3-146 Figure 3-90 Displaying Spanning Tree Port Information 3-149 Figure 3-91 Configuring Spanning Tree per Port 3-151 Figure 3-92 Configuring Multiple Spanning Trees 3-153 Figure 3-93 Displaying MSTP Interface Settings 3-155 Figure 3-94 Displaying MSTP Interface Settings 3-158 Figure 3-95 Globally Enabling GVRP 3-161 Figure 3-96 Displaying Basic VLAN Information 3-162 Figure 3-97 Displaying Current VLANs 3-163 Figure 3-98 Configuring a VLAN Static List 3-165 Figure 3-99 Configuring a VLAN Static Table 3-167 Figure 3-100 VLAN Static Membership by Port 3-167 Figure 3-101 Configuring VLANs per Port 3-169 Figure 3-102 802.1Q Tunnel Status and Ethernet Type 3-174 Figure 3-103 Tunnel Port Configuration 3-176 Figure 3-104 Private VLAN Information 3-178 Figure 3-105 Private VLAN Configuration 3-179 Figure 3-106 Private VLAN Association 3-179 Figure 3-107 Private VLAN Port Information 3-180 Figure 3-108 Private VLAN Port Configuration 3-182 Figure 3-109 Protocol VLAN Configuration 3-183 Figure 3-110 Protocol VLAN System Configuration 3-184 Figure 3-111 LLDP Configuration 3-186 Figure 3-112 LLDP Port Configuration 3-188 Figure 3-113 LLDP Local Device Information 3-189 Figure 3-114 LLDP Remote Port Information 3-190 Figure 3-115 LLDP Remote Information Details 3-191 Figure 3-116 LLDP Device Statistics 3-192 Figure 3-117 LLDP Device Statistics Details 3-193 Figure 3-118 Port Priority Configuration 3-195 Figure 3-119 Traffic Classes 3-197 Figure 3-120 Enable Traffic Classes 3-198 Figure 3-121 Queue Mode 3-198 Figure 3-122 Configuring Queue Scheduling 3-199 Figure 3-123 IP DSCP Priority Status 3-200 Figure 3-124 Mapping IP DSCP Priority Values 3-201 Figure 3-125 Configuring Class Maps 3-205 Figure 3-126 Configuring Policy Maps 3-208 Figure 3-127 Service Policy Settings 3-209 Figure 3-128 Configuring VoIP Traffic 3-211 Figure 3-129 VoIP Traffic Port Configuration 3-212 Figure 3-130 Telephony OUI List 3-214 Figure 3-131 IGMP Configuration 3-218 Figure 3-132 IGMP Immediate Leave 3-219
xxv
Figures
Figure 3-133 Displaying Multicast Router Port Information 3-220 Figure 3-134 Static Multicast Router Port Configuration 3-221 Figure 3-135 IP Multicast Registration Table 3-222 Figure 3-136 IGMP Member Port Table 3-223 Figure 3-137 Enabling IGMP Filtering and Throttling 3-224 Figure 3-138 IGMP Profile Configuration 3-226 Figure 3-139 IGMP Filter and Throttling Port Configuration 3-227 Figure 3-140 MVR Global Configuration 3-230 Figure 3-141 MVR Port Information 3-231 Figure 3-142 MVR Group IP Information 3-232 Figure 3-143 MVR Port Configuration 3-233 Figure 3-144 MVR Group Member Configuration 3-234 Figure 3-145 DHCP Snooping Configuration 3-236 Figure 3-146 DHCP Snooping VLAN Configuration 3-237 Figure 3-147 DHCP Snooping Information Option Configuration 3-238 Figure 3-148 DHCP Snooping Port Configuration 3-238 Figure 3-149 DHCP Snooping Binding Information 3-239 Figure 3-150 IP Source Guard Port Configuration 3-240 Figure 3-151 Static IP Source Guard Binding Configuration 3-242 Figure 3-152 Dynamic IP Source Guard Binding Information 3-243 Figure 3-153 Cluster Member Choice 3-244 Figure 3-154 Cluster Configuration 3-245 Figure 3-155 Cluster Member Configuration 3-246 Figure 3-156 Cluster Member Information 3-246 Figure 3-157 Cluster Candidate Information 3-247 Figure 3-158 UPnP Configuration 3-248
xxvi

Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.

Key Features

Table 1-1 Key Features
Feature Description
Configuration Backup and Restore
Authentication Console, Telnet, web – User name / password, RADIUS, TACACS+
Access Control Lists Supports IP and MAC ACLs, 100 rules per system
DHCP Client Supported
DHCP Snooping Supported with Option 82 relay information
Port Configuration Speed, duplex mode and flow control
Rate Limiting Input rate limiting per port
Port Mirroring One port mirrored to a single analysis port
Port Trunking Supports up to 8 trunks using either static or dynamic trunking (LACP)
Broadcast Storm Control Supported
Static Address Up to 8K MAC addresses in the forwarding table
IEEE 802.1D Bridge Supports dynamic data switching and addresses learning
Store-and-Forward Switching Supported to ensure wire-speed switching while eliminating bad frames
Spanning Tree Algorithm Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple
Virtual LANs Up to 255 using IEEE 802.1Q, port-based, or private VLANs
Traffic Prioritization Default port priority, traffic class map, queue scheduling, or Differentiated
Quality of Service Supports Differentiated Services (DiffServ)
Multicast Filtering Supports IGMP snooping and query, as well as Multicast VLAN Registration
Backup to TFTP server
Web – HTTPS Telnet – SSH SNMP v1/2c - Community strings SNMP version 3 – MD5 or SHA password Port – IEEE 802.1X, MAC address filtering, Web Authentication
Spanning Trees (MSTP)
Services Code Point (DSCP), and TCP/UDP Port
1-1
Introduction
1
Table 1-1 Key Features
Feature Description
Switch Clustering Supports up to 36 Member switches in a cluster

Description of Software Features

The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Port-based and private VLANs, plus support for automatic GVRP VLAN registration provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network. While multicast filtering provides support for real-time network applications. Some of the management features are briefly described below.
Configuration Backup and Restore – You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings.
Authentication – This switch authenticates management access via the console port, Telnet or web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses the Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then verifies the client’s right to access the network via an authentication server.
Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, IP address filtering for SNMP/web/Telnet management access, and MAC address filtering for port access.
Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, or TCP/UDP port number) or any frames (based on MAC address or Ethernet type). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.
Port Configuration – You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard.
1-2
Description of Software Features
Rate Limiting – This feature controls the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.
Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.
Port Trunking – Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using IEEE 802.3ad Link Aggregation Control Protocol (LACP). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 8 trunks.
Broadcast Storm Control – Broadcast suppression prevents broadcast traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
Static Addresses – A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.
IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 8K addresses.
Store-and-Forward Switching – The switch copies each frame into its memory before forwarding them to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth.
To avoid dropping frames on congested ports, the switch provides 4 Mbits for frame buffering. This buffer can queue packets awaiting transmission on congested networks.
Spanning Tree Algorithm – The switch supports these spanning tree protocols:
Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection and recovery by allowing two or more redundant connections to be created between a pair of LAN segments. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.
Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to 3 to 5 seconds, compared to 30
1
1-3
Introduction
1
seconds or more for the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.
Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).
Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically learned via GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can:
• Eliminate broadcast storms which severely degrade performance in a flat network.
• Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection.
• Provide data security by restricting all traffic to the originating VLAN.
• Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.
• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.
Note: The switch allows 255 user-manageable VLANs. One other VLAN (VLAN ID 4093)
is reserved for switch clustering.
Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using four priority queues with strict or Weighted Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can independent priorities for delay-sensitive data and best-effort data.
This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the DSCP field in the IP frame. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.
Quality of Service – Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
be used to provide
1-4
Description of Software Features
Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration. It also supports Multicast VLAN Registration (MVR) which allows common multicast traffic, such as television channels, to be transmitted across a single network-wide multicast VLAN shared by hosts residing in other standard or private VLAN groups, while preserving security and data isolation for normal traffic.
1
1-5
Introduction
1

System Defaults

The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-21).
The following table lists some of the basic system defaults.
Table 1-2 System Defaults
Function Parameter Default
Console Port Connection
Authentication Privileged Exec Level Username “admin”
Web Management HTTP Server Enabled
SNMP Community Strings “public” (read only)
Baud Rate 9600
Data bits 8
Stop bits 1
Parity none
Local Console Timeout 0 (disabled)
Password “admin”
Normal Exec Level Username “guest”
Enable Privileged Exec from Normal Exec Level
RADIUS Authentication Disabled
TACACS Authentication Disabled
802.1X Port Authentication Disabled
Web Authentication Disabled
MAC Authentication Disabled
HTTPS Enabled
SSH Disabled
Port Security Disabled
IP Filtering Disabled
HTTP Port Number 80
HTTP Secure Server Enabled
HTTP Secure Port Number 443
Traps Authentication traps: enabled
Password “guest”
Password “super”
“private” (read/write)
Link-up-down events: enabled
1-6
System Defaults
Table 1-2 System Defaults (Continued)
Function Parameter Default
Port Configuration Admin Status Enabled
Auto-negotiation Enabled
Flow Control Disabled
Rate Limiting Input limits Disabled
Port Trunking Static Trunks None
LACP (all ports) Disabled
Broadcast Storm Protection
Spanning Tree Algorithm
Address Table Aging Time 300 seconds
Virtual LANs Default VLAN 1
Traffic Prioritization Ingress Port Priority 0
IP Settings IP Address DHCP assigned, otherwise 192.168.1.1
Multicast Filtering IGMP Snooping Snooping: Enabled
Status Enabled (all ports)
Broadcast Limit Rate 64 kbits per second
Status Enabled, RSTP
(Defaults: All values based on IEEE 802.1w)
Fast Forwarding (Edge Port) Disabled
PVID 1
Acceptable Frame Type All
Ingress Filtering Enabled
Switchport Mode (Egress Mode) Hybrid: tagged/untagged frames
GVRP (global) Disabled
GVRP (port interface) Disabled
Weighted Round Robin Queue: 0 1 2 3
Weight: 1 2 4 8
IP DSCP Priority Disabled
Subnet Mask 255.255.255.0
Default Gateway 0.0.0.0
DHCP Client: Enabled
BOOTP Disabled
Querier: Enabled
Multicast VLAN Registration Disabled
1
1-7
Introduction
1
Table 1-2 System Defaults (Continued)
Function Parameter Default
System Log Status Enabled
Messages Logged Levels 0-6 (all)
Messages Logged to Flash Levels 0-3
SMTP Email Alerts Event Handler Enabled (but no server defined)
SNTP Clock Synchronization Disabled
NTP Clock Synchronization Disabled
DHCP Snooping Status Disabled
IP Source Guard Status Disabled (all ports)
Switch Clustering Status Enabled
Commander Disabled
1-8

Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: The IP address for this switch is obtained via DHCP by default. To change this
address, see “Setting an IP Address” on page 2-4.
The switch’s HTTP web agent allows you to configure switch parameters, monitor port connections, and display statistics using a standard web browser such as Netscape version 6.2 and higher or Microsoft IE version 5.0 and higher. The switch’s web management interface can be accessed from any computer attached to the network.
The CLI program can be accessed by a direct connection to the RS-232 serial console port on the switch, or remotely by a Telnet connection over the network.
The switch’s management agent also supports SNMP (Simple Network Management Protocol). This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP OpenView.
The switch’s web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions:
• Set user names and passwords
• Set an IP interface for a management VLAN
• Configure SNMP parameters
• Enable/disable any port
• Set the speed/duplex mode for any port
• Configure the bandwidth of any port by limiting input rates
• Control port access through IEEE 802.1X security or static address filtering
• Filter packets using Access Control Lists (ACLs)
• Configure up to 255 IEEE 802.1Q VLANs
• Enable GVRP automatic VLAN registration
• Configure IGMP multicast filtering
• Upload and download system firmware via TFTP
• Upload and download switch configuration files via TFTP
• Configure Spanning Tree parameters
• Configure Class of Service (CoS) priority queuing
2-1
Initial Configuration
2
• Configure up to 8 static or LACP trunks
• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics

Required Connections

The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch.
Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.
To connect a terminal to the console port, complete the following steps:
1. Connect the console cable to the serial port on a terminal, or a PC running
terminal emulation software, and tighten the captive retaining screws on the DB-9 connector.
2. Connect the other end of the cable to the RS-232 serial port on the switch.
3. Make sure the terminal emulation software is set as follows:
• Select the appropriate serial port (COM port 1 or COM port 2).
• Set the baud rate to 9600 bps.
• Set the data format to 8 data bits, 1 stop bit, and no parity.
• Set flow control to none.
• Set the emulation mode to VT100.
• When using HyperTerminal, select Terminal keys, not Windows keys.
Notes: 1. Refer to “Line Commands” on page 4-11 for a complete description of
For a description of how to use the CLI, see “Using the Command Line Interface” on page 4-1. For a list of all the CLI commands and detailed information on using the CLI, refer to “Command Groups” on page 4-10.
console configuration options.
2. Once you have set up the terminal correctly, the console login screen will be displayed.
2-2

Basic Configuration

2

Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol.
The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4.
Note: This switch supports four concurrent Telnet/SSH sessions.
After configuring the switch’s IP parameters, you can access the onboard configuration program from anywhere within the attached network. The onboard configuration program can be accessed using Telnet from any computer attached to the network. The switch can also be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape 6.2 or above), or from a network computer using SNMP network management software.
Note: The onboard program only provides access to basic configuration functions. To
access the full range of SNMP management functions, you must use SNMP-based network management software.
Basic Configuration

Console Connection

The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities. To fully configure the switch parameters, you must access the CLI at the Privileged Exec level.
Access to both CLI levels are controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at ]the Privileged Exec level using the default user name and password, perform these steps:
1. To initiate your console connection, press <Enter>. The “User Access Verification” procedure starts.
2. At the Username prompt, enter “admin.”
3. At the Password prompt, also enter “admin.” (The password characters are not displayed on the console screen.)
4. The session is opened and the CLI displays the “Console#” prompt indicating you have access at the Privileged Exec level.
2-3
Initial Configuration
2

Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new
passwords for both default user names using the “username” command, record them and put them in a safe place.
Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:
1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
2. Type “configure” and press <Enter>.
3. Type “username guest password 0 password,” for the Normal Exec level, where password is your new password. Press <Enter>.
4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.
Note: ‘0’ specifies the password in plain text, ‘7’ specifies the password in encrypted
form.
Username: admin Password:
CLI session with the TL-SL5428 is opened. To end the CLI session, enter [Exit].
Console#configure Console(config)#username guest password 0 [password] Console(config)#username admin password 0 [password] Console(config)#

Setting an IP Address

You must establish IP address information for the stack to obtain management access through the network. This can be done in either of the following ways:
Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the stack’s master unit, you will also need to specify the default gateway router.
Dynamic — The switch sends IP configuration requests to BOOTP or DHCP address allocation servers on the network.
Manual Configuration
You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.
Note: The IP address for this switch is obtained via DHCP by default.
2-4
Basic Configuration
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Default gateway for the network
• Network mask for this network
To assign an IP address to the switch, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask” is the network mask for the network. Press <Enter>.
3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.
4. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press <Enter>.
Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.1 255.255.255.0 Console(config-if)#exit Console(config)#ip default-gateway 192.168.1.254 Console(config)#
2
Dynamic Configuration
If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until a BOOTP or DHCP reply has been received. You therefore need to use the “ip dhcp restart” command to start broadcasting service requests. Requests will be sent periodically in an effort to obtain IP configuration information. (BOOTP and DHCP values can include the IP address, subnet mask, and default gateway.)
If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on.
To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. At the interface-configuration mode prompt, use one of the following commands:
• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.
• To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.
3. Type “end” to return to the Privileged Exec mode. Press <Enter>.
4. Type “ip dhcp restart” to begin broadcasting service requests. Press <Enter>.
2-5
Initial Configuration
2
5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.
6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.
Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end Console#ip dhcp restart Console#show ip interface IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: User specified. Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.
\Write to FLASH finish. Success.

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as HP OpenView. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps.
When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred.
The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients. To provide management access for version 1 or 2c clients, you must specify a community string. The switch provides a default MIB View (i.e., an SNMPv3 construct) for the default “public” community string that provides read access to the entire MIB tree, and a default view for the “private” community string that provides read/write access to the entire MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see page 3-49).
Community Strings (for SNMP version 1 and 2c clients)
Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
2-6
Basic Configuration
2
The default strings are:
public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
To configure a community string, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type
“snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)
2. To remove an existing string, simply type “no snmp-server community string,”
where “string” is the community access string to remove. Press <Enter>.
Console(config)#snmp-server community admin rw 4-151 Console(config)#snmp-server community private Console(config)#
Note: If you do not intend to support access to SNMP version 1 and 2c clients, we
recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
Trap Receivers
You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type:
“snmp-server host host-address community-string
[version {1 | 2c | 3 {auth | noauth | priv}}]”
where “host-address” is the IP address for the trap receiver, “community-string” specifies access rights for a version 1/2c host, or is the user name of a version 3 host, “version” indicates the SNMP client version, and “auth | noauth | priv” means that authentication, no authentication, or authentication and privacy is used for v3 clients. Then press <Enter>. For a more detailed description of these parameters, see “snmp-server host” on page 4-153. The following example creates a trap host for each type of SNMP client.
Console(config)#snmp-server host 10.1.19.23 batman 4-153 Console(config)#snmp-server host 10.1.19.98 robin version 2c Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth Console(config)#
2-7
Initial Configuration
2
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/ write views to a group call “r&d” and specifies group authentication via MD5 or SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included 4-158 Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included Console(config)#snmp-server group r&d v3 auth mib-2 802.1d 4-159 Console(config)#snmp-server user steve group r&d v3 auth md5
greenpeace priv des56 einstien 4-162
Console(config)#
For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “Simple Network Management Protocol” on page 3-38, or refer to the specific CLI commands for SNMP starting on page 4-149.

Saving Configuration Settings

Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the “copy” command.
To save the current configuration settings, enter the following command:
1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>.
2. Enter the name of the start-up file. Press <Enter>.
Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.
\Write to FLASH finish. Success.
Console#
2-8

Managing System Files

2
Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
The three types of files are:
Configuration — This file stores system configuration information and is created when configuration settings are saved. Saved configuration files can be selected as a system start-up file or can be uploaded via TFTP to a server for backup. A file named “Factory_Default_Config.cfg” contains all the system default settings and cannot be deleted from the system. See “Saving or Restoring Configuration Settings” on page 3-21 for more information.
Operation Code — System software that is executed after boot-up, also known as run-time code. This code runs the switch operations and provides the CLI and web management interfaces. See “Managing Firmware” on page 3-19 for more information.
Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test).
Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows.
In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.
Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.
2-9
Initial Configuration
2
2-10

Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape 6.2 or above).
Note:
You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet. For more information on using the CLI, refer to Chapter 4: “Command Line Interface.”
Prior to accessing the switch from a web browser, be sure you have first performed the following tasks:
1. Configure the switch with a valid IP address, subnet mask, and default gateway
using an out-of-band serial connection, BOOTP or DHCP protocol. (See “Setting an IP Address” on page 2-4.)
2. Set user names and passwords using an out-of-band serial connection. Access
to the web agent is controlled by the same user names and passwords as the onboard configuration program. (See “Setting Passwords” on page 2-4)
3. After you enter a user name and password, you will have access to the system
configuration program.
Notes: 1.
You are allowed three attempts to enter the correct password; on the third failed attempt the current connection is terminated.
2. If you log into the web interface as guest (Normal Exec level), you can view
the configuration settings or change the guest password. If you log in as “admin” (Privileged Exec level), you can change the settings on any page.
3. If the path between your management station and this switch does not pass
through any device that uses the Spanning Tree Algorithm, then you can set the switch port attached to your management station to fast forwarding (i.e., enable Admin Edge Port) to improve the switch’s response time to management commands issued through the web interface. See “Configuring Interface Settings” on page 3-148.
3-1
Configuring the Switch
3

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”

Home Page

When your web browser connects with the switch’s web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics.
3-2
Figure 3-1 Home Page

Panel Display

3

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Table 3-1 Configuration Options
Button Action
Revert Cancels specified values and restores current values prior to pressing Apply.
Apply Sets specified values to the system.
Help Links directly to webhelp.
Notes: 1.
To ensure proper screen refresh, be sure that Internet Explorer is configured so that the setting “Check for newer versions of stored pages” reads “Every visit to the page”. Internet Explorer 6.x and earlier: This option is available under the menu “Tools / Internet Options / General / Temporary Internet Files / Settings”. Internet Explorer 7.x: This option is available under “Tools / Internet Options / General / Browsing History / Settings / Temporary Internet Files”.
2. You may have to manually refresh the screen after making configuration
changes by pressing the browser’s refresh button.
Panel Display
The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex, or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-112.
Figure 3-2 Panel Display
3-3
Configuring the Switch
3

Main Menu

Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 3-2 Main Menu
Menu Description Page
System 3-12
System Information Provides basic system description, including contact information 3-12
Switch Information Shows the number of ports, hardware/firmware version
Bridge Extension Configuration
IP Configuration Sets the IP address for management access 3-16
Jumbo Frames Enables jumbo frame packets. 3-19
File Management 3-19
Copy Operation Allows the transfer and copying of files 3-19
Delete Allows deletion of files from the flash memory 3-20
Set Start-Up Sets the startup file 3-20
Line 3-23
Console Sets console port connection parameters 3-23
Telnet Sets Telnet connection parameters 3-25
Log 3-28
Logs Stores and displays error messages 3-28
System Logs Sends error messages to a logging process 3-28
Remote Logs Configures the logging of messages to a remote logging process 3-30
SMTP Sends an SMTP client message to a participating server. 3-31
Reset Restarts the switch 3-33
SNTP 3-34
Configuration Configures SNTP and NTP client settings, including broadcast
Clock Time Zone Sets the local time zone for the system clock 3-37
SNMP 3-38
Configuration Configures community strings and related trap functions 3-40
Agent Status Enables or disables SNMP Agent Status 3-42
SNMPv3 3-42
Engine ID Sets the SNMP v3 engine ID on this switch 3-42
numbers, and power status
Shows the bridge extension parameters 3-15
mode, authentication parameters or a specified list of servers
3-13
3-34
3-4
Main Menu
Table 3-2 Main Menu (Continued)
Menu Description Page
Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-44
Users Configures SNMP v3 users on this switch 3-44
Remote Users Configures SNMP v3 users from a remote device 3-46
Groups Configures SNMP v3 groups 3-47
Views Configures SNMP v3 views 3-49
Security 3-50
User Accounts Assigns a new password for the current user 3-51
Authentication Settings Configures authentication sequence, RADIUS and TACACS 3-53
Encryption Key Configures RADIUS and TACACS encryption key settings 3-57
AAA 3-58
RADIUS Group Settings Defines the configured RADIUS servers to use for accounting 3-59
TACACS+ Group Settings Defines the configured TACACS+ servers to use for accounting 3-59
Accounting
Settings Configures accounting of requested services for billing or
Periodic Update Sets the interval at which accounting updates are sent to
802.1X Port Settings Applies the specified accounting method to an interface 3-62
Exec Settings Specifies console or Telnet authentication method 3-65
Summary Displays accounting information and statistics 3-65
Authorization 3-67
Settings Configures authorization of requested services 3-67
EXEC Settings Specifies console or Telnet authorization method 3-68
Summary Displays authorization information 3-68
AAA 3-58
HTTPS Settings Configures secure HTTP settings 3-57
SSH 3-71
Settings Configures Secure Shell server settings 3-80
Host-Key Settings Generates the host key pair (public and private) 3-75
SSH User Public-Key Settings
Port Security Configures per port security, including status, response for
802.1X 3-81
security purposes
RADIUS AAA servers
Imports and manages user RSA and DSA public keys 3-77
security breach, and maximum allowed MAC addresses
3
3-60
3-62
3-80
3-5
Configuring the Switch
3
Table 3-2 Main Menu (Continued)
Menu Description Page
Information Displays global configuration settings for 802.1X Port
Configuration Configures the global configuration settings 3-83
Port Configuration Sets parameters for individual ports 3-84
Statistics Displays protocol statistics for the selected port 3-87
Web Authentication 3-88
Configuration Configures Web Authentication settings 3-89
Port Configuration Enables Web Authentication for individual ports 3-90
Port Information Displays status information for individual ports 3-91
Re-authentication Forces a host to re-authenticate itself immediately 3-92
Network Access 3-93
Configuration Configures global Network Access parameters 3-94
Port Configuration Configures Network Access parameters for individual ports 3-94
Port Link Detection Configuration
MAC Address Information Displays Network Access statistics sorted by various attributes 3-97
MAC Authentication 3-98
Port Configuration Configures MAC Authentication parameters for ports 3-98
ACL 3-100
Configuration Configures packet filtering based on IP or MAC addresses 3-100
Port Binding Binds a port to the specified ACL 3-106
IP Filter Sets IP addresses of clients allowed management access via
Port 3-110
Port Information Displays port connection status 3-110
Trunk Information Displays trunk connection status 3-110
Port Configuration Configures port connection settings 3-112
Trunk Configuration Configures trunk connection settings 3-112
Trunk Membership Specifies ports to group into static trunks 3-115
LACP 3-116
Configuration Allows ports to dynamically join trunks 3-116
Aggregation Port Configures parameters for link aggregation group members 3-118
Port Counters Information Displays statistics for LACP protocol messages 3-120
Port Internal Information Displays settings and operational state for the local side 3-122
authentication
Configures Port Link Detection parameters 3-96
the web, SNMP, and Telnet
3-83
3-107
3-6
Main Menu
Table 3-2 Main Menu (Continued)
Menu Description Page
Port Neighbors Information Displays settings and operational state for the remote side 3-124
Port Broadcast Control Sets the broadcast storm threshold for each port 3-125
Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 3-125
Mirror Port Configuration Sets the source and target ports for mirroring 3-127
Rate Limit 3-128
Input Port Configuration Sets the input rate limit for each port 3-128
Input Trunk Configuration Sets the input rate limit for each trunk 3-128
Output Port Configuration Sets the output rate limit for ports 3-128
Output Trunk Configuration Sets the output rate limit for trunks 3-128
Port Statistics Lists Ethernet and RMON port statistics 3-129
Address Table 3-133
Static Addresses Displays entries for interface, address or VLAN 3-133
Dynamic Addresses Displays or edits static entries in the Address Table 3-134
Address Aging Sets timeout for dynamically learned entries 3-136
Spanning Tree 3-137
Port Loopback Detection Configures Port Loopback Detection parameters 3-139
Trunk Loopback Detection Configures Trunk Loopback Detection parameters 3-139
STA 3-137
Information Displays STA values used for the bridge 3-140
Configuration Configures global bridge settings for STA and RSTP 3-142
Port Information Displays individual port settings for STA 3-146
Trunk Information Displays individual trunk settings for STA 3-146
Port Configuration Configures individual port settings for STA 3-148
Trunk Configuration Configures individual trunk settings for STA 3-148
MSTP 3-150
VLAN Configuration Configures priority and VLANs for a spanning tree instance 3-150
Port Information Displays port settings for a specified MST instance 3-153
Trunk Information Displays trunk settings for a specified MST instance 3-153
Port Configuration Configures port settings for a specified MST instance 3-155
Trunk Configuration Configures trunk settings for a specified MST instance 3-155
VLAN 3-157
802.1Q VLAN 3-157
3
3-7
Configuring the Switch
3
Table 3-2 Main Menu (Continued)
Menu Description Page
GVRP Status Enables GVRP on the switch 3-160
802.1Q Tunnel Configuration
Basic Information Displays information on the VLAN type supported by this switch 3-161
Current Table Shows the current port members of each VLAN and whether or
Static List Used to create or remove VLAN groups 3-163
Static Table Modifies the settings for an existing VLAN 3-164
Static Membership by Port Configures membership type for interfaces, including tagged,
Port Configuration Specifies default PVID and VLAN attributes 3-167
Trunk Configuration Specifies default trunk VID and VLAN attributes 3-167
Tunnel Port Configuration Adds an interface to a QinQ Tunnel 3-174
Tunnel Trunk Configuration Adds an interface to a QinQ Tunnel 3-174
Private VLAN 3-175
Information Displays Private VLAN feature information 3-176
Configuration This page is used to create/remove primary or community
Association Each community VLAN must be associated with a primary VLAN 3-178
Port Information Shows VLAN port type, and associated primary or secondary
Port Configuration Sets the private VLAN interface type, and associates the
Trunk Information Shows VLAN port type, and associated primary or secondary
Trunk Configuration Sets the private VLAN interface type, and associates the
Protocol VLAN 3-181
Configuration Configures protocol VLANs 3-181
System Configuration Configures protocol VLAN system parameters 3-182
LLDP 3-183
Configuration Configures global LLDP timing parameters 3-183
Port Configuration Configures parameters for individual ports 3-185
Trunk Configuration Configures parameters for trunks 3-185
Local Information Displays LLDP information about the local device 3-188
Enables 802.1Q (QinQ) Tunneling 3-172
not the port is tagged or untagged
untagged or forbidden
VLANs
VLANs
interfaces with a private VLAN
VLANs
interfaces with a private VLAN
3-161
3-166
3-177
3-179
3-180
3-179
3-180
3-8
Main Menu
Table 3-2 Main Menu (Continued)
Menu Description Page
Remote Port Information Displays LLDP information about a remote device connected to
Remote Trunk Information Displays LLDP information about a remote device connected to
Remote Information Details Displays detailed LLDP information about a remote device
Device Statistics Displays LLDP statistics for all connected remote devices 3-191
Device Statistics Details Displays LLDP statistics for remote devices on a selected port or
Priority 3-193
Default Port Priority Sets the default priority for each port 3-193
Default Trunk Priority Sets the default priority for each trunk 3-193
Traffic Classes Maps IEEE 802.1p priority tags to output queues 3-194
Traffic Classes Status Enables/disables traffic class priorities (not implemented) 3-196
Queue Mode Sets queue mode to strict priority or Weighted Round-Robin 3-197
Queue Scheduling Configures Weighted Round Robin queueing 3-197
IP DSCP Priority Status Globally selects DSCP Priority, or disables it. 3-199
IP DSCP Priority Sets IP Differentiated Services Code Point priority, mapping a
QoS 3-201
DiffServ 3-201
Class Map Sets Class Maps 3-202
Policy Map Sets Policy Maps 3-205
Service Policy Defines service policy settings for ports 3-208
VoIP Traffic Setting 3-209
Configuration VoIP Traffic Setting Configuration 3-209
Port Configuration Configures VoIP Traffic Settings for ports 3-210
OUI Configuration Defines OUI settings 3-212
IGMP Snooping 3-214
IGMP Configuration Enables multicast filtering; configures parameters for multicast
IGMP Filter Configuration Configures IGMP filtering 3-194
IGMP Immediate Leave Enables the immediate leave function 3-217
Multicast Router Port Information
a port on this switch
a trunk on this switch
connected to this switch
trunk
DSCP tag to a class-of-service value
query
Displays the ports that are attached to a neighboring multicast router for each VLAN ID
3
3-189
3-189
3-190
3-192
3-200
3-215
3-218
3-9
Configuring the Switch
3
Table 3-2 Main Menu (Continued)
Menu Description Page
Static Multicast Router Port Configuration
IP Multicast Registration Table
IGMP Member Port Table Indicates multicast addresses associated with the selected
IGMP Filter Profile Configuration
IGMP Filter/Throttling Port Configuration
IGMP Filter/Throttling Trunk Configuration
MVR 3-227
Configuration Globally enables MVR, sets the MVR VLAN, adds multicast
Port Information Displays MVR interface type, MVR operational and activity
Trunk Information Displays MVR interface type, MVR operational and activity
Group IP Information Displays the ports attached to an MVR multicast stream 3-230
Port Configuration Configures MVR interface type and immediate leave status 3-231
Trunk Configuration Configures MVR interface type and immediate leave status 3-231
Group Member Configuration Statically assigns MVR multicast streams to an interface 3-233
DHCP Snooping 3-234
Configuration Enables DHCP Snooping and DHCP Snooping MAC-Address
VLAN Configuration Enables DHCP Snooping for a VLAN 3-235
Information Option Configuration
Port Configuration Selects the DHCP Snooping Information Option policy 3-237
Binding Information Displays the DHCP Snooping binding information 3-238
IP Source Guard 3-239
Port Configuration Enables IP source guard and selects filter type per port 3-239
Static Configuration Adds a static addresses to the source-guard binding table 3-240
Dynamic Information Displays the source-guard binding table for a selected interface 3-241
Cluster 3-242
Configuration Globally enables clustering for the switch 3-243
Assigns ports that are attached to a neighboring multicast router 3-219
Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID
VLAN
Configures IGMP Filter Profiles 3-195
Configures IGMP Filtering and Throttling for ports 3-196
Configures IGMP Filtering and Throttling for trunks 3-196
stream addresses
status, and immediate leave status
status, and immediate leave status
Verification
Enables DHCP Snooping Information Option 3-236
3-220
3-221
3-228
3-229
3-229
3-235
3-10
Main Menu
Table 3-2 Main Menu (Continued)
Menu Description Page
Member Configuration Adds switch Members to the cluster 3-244
Member Information Displays cluster Member switch information 3-245
Candidate Information Displays network Candidate switch information 3-246
UPNP 3-247
Configuration Enables UPNP and defines timeout values 3-247
3
3-11
Configuring the Switch
3

Basic Configuration

Displaying System Information

You can easily identify the system by displaying the device name, location and contact information.
Field Attributes
System Name – Name assigned to the switch system.
Object ID – MIB II object ID for switch’s network management subsystem.
Location – Specifies the system location.
Contact – Administrator responsible for the system.
System Up Time – Length of time the management agent has been up.
These additional parameters are displayed for the CLI.
MAC Address – The physical layer address for this switch.
Web server – Shows if management access via HTTP is enabled.
Web server port – Shows the TCP port number used by the web interface.
Web secure server – Shows if management access via HTTPS is enabled.
Web secure server port – Shows the TCP port used by the HTTPS interface.
Telnet server – Shows if management access via Telnet is enabled.
Telnet port – Shows the TCP port used by the Telnet interface.
Jumbo Frame – Shows if jumbo frames are enabled.
POST result – Shows results of the power-on self-test.
Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.)
Figure 3-3 System Information
3-12
Basic Configuration
CLI – Specify the hostname, location and contact information.
Console(config)#hostname R&D 5 4-27 Console(config)#snmp-server location WC 9 4-152 Console(config)#snmp-server contact Ted 4-152 Console(config)#exit Console#show system 4-81 System description : TL-SL5428 System OID string : 1.3.6.1.4.1.11863.1.1.59 System information System Up time : 0 days, 0 hours, 14 minutes, and 32.93 seconds System Name : R&D 5 System Location : WC 9 System Contact : Ted MAC address : 00-00-35-28-10-03 Web server : enabled Web server port : 80 Web secure server : enabled Web secure server port : 443 Telnet server : enable Telnet port : 23 Jumbo Frame : Disabled POST result
UART Loopback Test ........... PASS
DRAM Test .................... PASS
Timer Test ................... PASS
PCI Device 1 Test ............ PASS
I2C Bus Initialization ....... PASS
Switch Int Loopback Test ..... PASS
Fan Speed Test ............... PASS
Done All Pass. Console#
3

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
Field Attributes
Main Board
Serial Number – The serial number of the switch.
Number of Ports – Number of built-in RJ-45 ports.
Hardware Version – Hardware version of the main board.
Internal Power Status – Displays the status of the internal power supply.
Management Software
• EPLD Version – Version number of the Electronically Programmable Logic Device code.
Loader Version – Version number of loader code.
Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.
Operation Code Version – Version number of runtime code.
Role – Shows that this switch is operating as Master or Slave.
3-13
Configuring the Switch
3
Web – Click System, Switch Information.
Figure 3-4 Switch Information
CLI – Use the following command to display version information.
Console#show version 4-82 Unit 1 Serial number: A733006612 Hardware version: R01 Chip Device ID: Marvell 98DX107-A2, 88E6095[F] EPLD Version: 0.07 Number of ports: 28 Main power status: Up Redundant power status: Not present
Agent (master) Unit ID: 1 Loader version: 1.0.0.1 Boot ROM version: 1.0.0.8 Operation code version: 1.3.0.2
Console#
3-14
Basic Configuration
3

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
Field Attributes
Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Traffic Classes – This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Class of Service Configuration” on page 3-193.)
Static Entry Individual Port – This switch allows static filtering for unicast and multicast addresses. (Refer to “Setting Static Addresses” on page 3-133.)
VLAN Learning – This switch uses Shared VLAN Learning (SVL), where all VLANs share the same address table.
Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration” on page 3-157.)
Local VLAN Capable – This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs.
GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast groups. This switch does not support GMRP; it uses the Internet Group Management Protocol (IGMP) to provide automatic multicast filtering.
Web – Click System, Bridge Extension Configuration.
Figure 3-5 Bridge Extension Configuration
3-15
Configuring the Switch
3
CLI – Enter the following command.
Console#show bridge-ext 4-239 Max support VLAN numbers: 256 Max support VLAN ID: 4092 Extended multicast filtering services: No Static entry individual port: Yes VLAN learning: IVL Configurable PVID tagging: Yes Local VLAN capable: No Traffic classes: Enabled Global GVRP status: Disabled GMRP: Disabled Console#

Setting the Switch’s IP Address

This section describes how to configure an IP interface for management access over the network. The IP address for the stack is obtained via DHCP by default. To manually configure an address, you need to change the switch’s default settings (IP address 192.168.1.1 and netmask 255.255.255.0) to values that are compatible with your network. You may also need to a establish a default gateway between the stack and management stations that exist on another network segment.
You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.
Command Attributes
Management VLAN – ID of the configured VLAN (1-4092, no leading zeroes). By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
IP Address Mode – Specifies whether IP functionality is enabled via manual configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. (DHCP/BOOTP values can include the IP address, subnet mask, and default gateway.)
IP Address – Address of the VLAN interface that is allowed management access. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. (Default: 0.0.0.0)
Subnet Mask – This mask identifies the host address bits used for routing to specific subnets. (Default: 255.0.0.0)
Gateway IP address – IP address of the gateway router between this device and management stations that exist on other network segments. (Default: 0.0.0.0)
MAC Address – The physical layer address for this switch.
Restart DHCP – Requests a new IP address from the DHCP server.
3-16
Basic Configuration
Manual Configuration
Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply.
Figure 3-6 Manual IP Configuration
CLI – Specify the management interface, IP address and default gateway.
Console#config Console(config)#interface vlan 1 4-166 Console(config-if)#ip address 192.168.1.1 255.255.255.0 4-309 Console(config-if)#exit Console(config)#ip default-gateway 0.0.0.0 4-310 Console(config)#
3
3-17
Configuring the Switch
3
Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.
Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.
Figure 3-7 DHCP IP Configuration
Note: If you lose your management connection, use a console connection and enter
“show ip interface” to determine the new switch address.
CLI – Specify the management interface, and set the IP address mode to DHCP or BOOTP, and then enter the “ip dhcp restart” command.
Console#config Console(config)#interface vlan 1 4-166 Console(config-if)#ip address dhcp 4-309 Console(config-if)#end Console#ip dhcp restart 4-311 Console#show ip interface 4-311 IP address and netmask: 192.168.1.1 255.255.255.0 on VLAN 1, and address mode: User specified. Console#
Renewing DCHP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.
3-18
Basic Configuration
Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available.
CLI – Enter the following command to restart DHCP service.
Console#ip dhcp restart 4-311 Console#

Enabling Jumbo Frames

You can enable jumbo frames to support data packets up to 9000 bytes in size.
Command Attributes
Jumbo Packet Status – Check the box to enable jumbo frames.
Web – Click System, Jumbo Frames.
3
Figure 3-8 Jumbo Frames Configuration
CLI – Enter the following command.
Console#config Console(config)#jumbo frame Console(config)#

Managing Firmware

You can upload/download firmware to or from a TFTP server, or copy files to and from switch units in a stack. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version. You must specify the method of file transfer, along with the file type and file names as required.
Command Attributes
File Transfer Method – The firmware copy operation includes these options:
- file to file – Copies a file within the switch directory, assigning it a new name.
- file to tftp – Copies a file from the switch to a TFTP server.
- tftp to file – Copies a file from a TFTP server to the switch.
TFTP Server IP Address – The IP address of a TFTP server.
File Type – Specify opcode (operational code) to copy firmware.
3-19
Configuring the Switch
3
File Name – the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
Note:
Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch. The currently designated startup version of this file cannot be deleted.
The file name should not contain slashes (\ or /),
the leading letter of
Downloading System Software from a Server
When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file.
Web –Click System, File Management, Copy Operation. Select “tftp to file” as the file transfer method, enter the IP address of the TFTP server, set the file type to “opcode,” enter the file name of the software to download, select a file on the switch to overwrite or specify a new file name, then click Apply. If you replaced the current firmware used for startup and want to start using the new operation code, reboot the system via the System/Reset menu.
Figure 3-9 Copy Firmware
If you download to a new destination file, go to the System/File/Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System/Reset menu.
Figure 3-10 Setting the Startup Code
3-20
Basic Configuration
3
To delete a file, select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that t
startup code cannot be deleted.
Figure 3-11 Deleting Files
he file currently designated as the
CLI – To download new firmware form a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names. When the file has finished downloading, set the new file to start up the system, and then restart the switch.
To start the new firmware, enter the “reload” command or reboot the system.
Console#copy tftp file 4-84 TFTP server ip address: 192.168.1.19 Choose file type:
1. config: 2. opcode: 4. diag: 5. loader: <1,2,4,5>: 2 Source file name: TL-SL5428_V1.3.0.2.bix Destination file name: TL-SL5428_V1.3.0.2 \Write to FLASH Programming.
-Write to FLASH finish. Success. Console#config Console(config)#boot system opcode:TL-SL5428_V1.3.0.2 4-89 Console(config)#exit Console#reload 4-23

Saving or Restoring Configuration Settings

You can upload/download configuration settings to/from a TFTP server. The configuration files can be later downloaded to restore the switch’s settings.
Command Attributes
File Transfer Method – The configuration copy operation includes these options:
- file to file – Copies a file within the switch directory, assigning it a new name.
- file to running-config – Copies a file in the switch to the running configuration.
- file to startup-config – Copies a file in the switch to the startup configuration.
- file to tftp – Copies a file from the switch to a TFTP server.
- running-config to file – Copies the running configuration to a file.
- running-config to startup-config – Copies the running config to the startup config.
- running-config to tftp – Copies the running configuration to a TFTP server.
- startup-config to file – Copies the startup configuration to a file on the switch.
- startup-config to running-config – Copies the startup config to the running config.
3-21
Configuring the Switch
3
- startup-config to tftp – Copies the startup configuration to a TFTP server.
- tftp to file – Copies a file from a TFTP server to the switch.
- tftp to running-config – Copies a file from a TFTP server to the running config.
- tftp to startup-config – Copies a file from a TFTP server to the startup config.
TFTP Server IP Address – The IP address of a TFTP server.
File Type – Specify config (configuration) to copy configuration settings.
File Name
the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
Note:
— The file name should not contain slashes (\ or /),
The maximum number of user-defined configuration files is limited only by available flash memory space.
the leading letter of
Downloading Configuration Settings from a Server
You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.
Web – Click System, File, Copy Operation. Select “tftp to startup-config” or “tftp to file” and enter the IP address of the TFTP server. Specify the name of the file to download and select a file on the switch to overwrite or specify a new file name, then click Apply.
Figure 3-12 Downloading Configuration Settings for Startup
If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file is automatically set as the start-up configuration file. To use the new settings, reboot the system via the System/Reset menu.
3-22
Basic Configuration
3
Note: You can also select any configuration file as the start-up configuration by using the
System/File/Set Start-Up page.
Figure 3-13 Setting the Startup Configuration Settings
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config 4-84 TFTP server ip address: 192.168.1.19 Source configuration file name: config-1 Startup configuration file name [] : startup \Write to FLASH Programming.
-Write to FLASH finish. Success.
Console#reload
To select another configuration file as the start-up configuration, use the boot system command and then restart the switch.
Console#config Console(config)#boot system config: startup-new 4-89 Console(config)#exit Console#reload 4-23

Console Port Settings

You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings. These parameters can be configured via the web or CLI interface.
Command Attributes
Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0-300 seconds; Default: 0 seconds)
Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is terminated. (Range: 0-65535 seconds; Default: 600 seconds)
Password Threshold – Sets the password intrusion threshold, which limits the
number of failed logon attempts. When the logon attempt threshold is reached, the
3-23
Configuring the Switch
3
system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)
Silent Time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded. (Range: 0-65535; Default: 0)
Data Bits – Sets the number of data bits per character that are interpreted and generated by the console port. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)
Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None. (Default: None)
Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, 38400 baud, or Auto; Default: Auto)
Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
Password started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)
Login single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts. (Default: Local)
1
– Specifies a password for the line connection. When a connection is
1
– Enables password checking at login. You can select authentication by a
Web – Click System, Line, Console. Specify the console port connection parameters
as required, then click Apply.
Figure 3-14 Console Port Settings
1. CLI only.
3-24
Basic Configuration
3
CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
Console(config)#line console 4-12 Console(config-line)#login local 4-12 Console(config-line)#password 0 secret 4-13 Console(config-line)#timeout login response 0 4-14 Console(config-line)#exec-timeout 0 4-14 Console(config-line)#password-thresh 3 4-15 Console(config-line)#silent-time 60 4-16 Console(config-line)#databits 8 4-16 Console(config-line)#parity none 4-17 Console(config-line)#speed 19200 4-18 Console(config-line)#stopbits 1 4-18 Console(config-line)#end Console#show line 4-19 Console configuration: Password threshold: 3 times Interactive timeout: Disabled Login timeout: Disabled Silent time: 60 Baudrate: 19200 Databits: 8 Parity: none Stopbits: 1
VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec Console#

Telnet Settings

You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password. These parameters can be configured via the web or CLI interface.
Command Attributes
• Telnet Status – Enables or disables Telnet access to the switch.
(Default: Enabled)
• Telnet Port Number – Sets the TCP port number for Telnet on the switch.
(Default: 23)
Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0-300 seconds; Default: 300 seconds)
Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is terminated. (Range: 0-65535 seconds; Default: 600 seconds)
3-25
Configuring the Switch
3
Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)
Password started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)
Login single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts. (Default: Local)
Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply.
2
– Specifies a password for the line connection. When a connection is
2
– Enables password checking at login. You can select authentication by a
Figure 3-15 Enabling Telnet
2. CLI only.
3-26
Basic Configuration
CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
Console(config)#line vty 4-12 Console(config-line)#login local 4-12 Console(config-line)#password 0 secret 4-13 Console(config-line)#timeout login response 300 4-14 Console(config-line)#exec-timeout 600 4-14 Console(config-line)#password-thresh 3 4-15 Console(config-line)#end Console#show line 4-19 Console configuration: Password threshold: 3 times Interactive timeout: Disabled Login timeout: Disabled Silent time: Disabled Baudrate: 9600 Databits: 8 Parity: none Stopbits: 1
VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec Console#
3
3-27
Configuring the Switch
3

Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.
Displaying Log Messages
The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Web – Click System, Log, Logs.
Figure 3-16 Displaying Logs
CLI – This example shows the event message stored in RAM.
Console#show log ram 4-58 [1] 00:00:27 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:00:25 2001-01-01 "System coldStart notification." level: 6, module: 5, function: 1, and event no.: 1 Console#
System Log Configuration
The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Severe error messages that are logged to flash memory are permanently stored in the switch to assist in troubleshooting network problems. Up to 4096 log entries can be stored in the flash memory, with the oldest entries being overwritten first when the available log memory (256 kilobytes) has been exceeded.
3-28
Basic Configuration
The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 6 to be logged to RAM.
Command Attributes
System Log Status – Enables/disables the logging of debug or error messages to
the logging process. (Default: Enabled)
Flash Level – Limits log messages saved to the switch’s permanent flash memory
for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3)
Table 3-3 Logging Levels
Level Severity Name Description
7 Debug Debugging messages
6 Informational Informational messages only
5 Notice Normal but significant condition, such as cold start
4 Warning Warning conditions (e.g., return false, unexpected return)
3 Error Error conditions (e.g., invalid input, default used)
2 Critical Critical conditions (e.g., memory allocation, or free memory
1 Alert Immediate action needed
0 Emergency System unusable
* There are only Level 2, 5 and 6 error messages for the current firmware release.
error - resource exhausted)
3
RAM Level – Limits log messages saved to the switch’s temporary RAM memory
for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 6)
Note:
The Flash Level must be equal to or less than the RAM Level.
Web – Click System, Log, System Logs. Specify System Log Status, event messages to be logged to RAM and flash memory, then click Apply.
Figure 3-17 System Logs
set the level of
3-29
Configuring the Switch
3
CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
Console(config)#logging on 4-54 Console(config)#logging history ram 0 4-55 Console(config)#end Console#show logging flash 4-58 Syslog logging: Enabled History logging in FLASH: level emergencies Console#
Remote Log Configuration
The Remote Logs page allows you to configure the logging of messages that are sent to syslog servers or other management stations. You can also limit the error messages sent to only those messages below a specified level.
Command Attributes
Remote Log Status – Enables/disables the logging of debug or error messages to the remote logging process. (Default: Enabled)
Logging Facility – Sets the facility type for remote logging of syslog messages. There are eight facility types specified by values of 16 to 23. The facility type is used by the syslog server to dispatch log messages to an appropriate service.
The attribute specifies the facility type tag sent in syslog messages. (See RFC
3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database. (Range: 16-23, Default: 23)
Logging Trap – Limits log messages that are sent to the remote syslog server for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be sent to the remote server. (Range: 0-7, Default: 6)
Host IP List – Displays the list of remote server IP addresses that receive the syslog messages. The maximum number of host IP addresses allowed is five.
Host IP Address – Specifies a new server IP address to add to the Host IP List.
3-30
Basic Configuration
Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
Figure 3-18 Remote Logs
CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.
Console(config)#logging host 192.168.1.15 4-56 Console(config)#logging facility 23 4-56 Console(config)#logging trap 4 4-57 Console(config)#end Console#show logging trap 4-57 Syslog logging: Enabled REMOTELOG status: Enabled REMOTELOG facility type: local use 7 REMOTELOG level type: Warning conditions REMOTELOG server ip address: 192.168.1.15 REMOTELOG server ip address: 0.0.0.0 REMOTELOG server ip address: 0.0.0.0 REMOTELOG server ip address: 0.0.0.0 REMOTELOG server ip address: 0.0.0.0 Console#
3
Simple Mail Transfer Protocol
SMTP (Simple Mail Transfer Protocol) is used to send email messages between servers. The messages can be retrieved using POP or IMAP clients.
Command Attributes
Admin Status – Enables/disables the SMTP function. (Default: Enabled)
Email Source Address – This command specifies SMTP servers email addresses
that can send alert messages.
Severity – Specifies the degree of urgency that the message carries.
3-31
Configuring the Switch
3
• Debugging – Sends a debugging notification. (Level 7)
• Information – Sends informatative notification only. (Level 6)
• Notice – Sends notification of a normal but significant condition, such as a cold start. (Level 5)
• Warning – Sends notification of a warning condition such as return false, or unexpected return. (Level 4)
• Error – Sends notification that an error conditions has occurred, such as invalid input, or default used. (Level 3)
• Critical – Sends notification that a critical condition has occurred, such as memory allocation, or free memory error - resource exhausted. (Level 2)
• Alert – Sends urgent notification that immediate action must be taken. (Level 1)
• Emergency – Sends an emergency notification that the system is now unusable. (Level 0)
SMTP Server List – Specifies a list of recipient SMTP servers.
SMTP Server – Specifies a new SMTP server address to add to the SMTP Server List.
Email Destination Address List – Specifies a list of recipient Email Destination Address.
Email Destination Address – This command specifies SMTP servers that may receive alert messages.
Web – Click System, Log, SMTP. To add an IP address to the Server IP List, type the new IP address in the Server IP Address box, and then click Add. To delete an IP address, click the entry in the Server IP List, and then click Remove.
3-32
Figure 3-19 Enabling and Configuring SMTP
Basic Configuration
CLI – Enter the host ip address, followed by the mail severity level, source and destination email addresses and enter the sendmail command to complete the action. Use the show logging command to display SMTP information.
Console(config)#logging sendmail host 192.168.1.19 Console(config)#logging sendmail level 3 Console(config)#logging sendmail source-email bill@this-company.com Console(config)#logging sendmail destination-email ted@this-company.com Console(config)#logging sendmail Console#
3

Resetting the System

This feature restarts the system. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time.
Command Attributes
Hours – Specifies the amount of hours to wait, combined with the minutes, before
the switch resets. (Range: 0-576; Default: 0)
Minutes – Specifies the amount of minutes to wait, combined with the hours,
before the switch resets. (Range: 1-34560; Default: 0)
Reset – Resets the switch after the specified time. If the hour and minute fields are
blank, then the switch will reset immediately.
Refresh – Refreshes the countdown timer of a pending delayed reset.
Cancel – Cancels a pending delayed reset.
Web – Click System, Reset. Enter the amount of time the switch should wait before rebooting. Click the Reset button to reboot the switch or click the Cancel button to cancel a configured reset. If prompted, confirm that you want reset the switch or cancel a configured reset.
Figure 3-20 Resetting the System
3-33
Configuring the Switch
3
CLI – Use the reload command to restart the switch. When prompted, confirm that you want to reset the switch.
Console#reload 4-23 System will be restarted, continue <y/n>? y
Note:
When restarting the system, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory (See “Saving or Restoring Configuration Settings” on page 3-21 or the copy running-config startup-config command (See “copy” on page 4-84)).

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
When the SNTP client is enabled, the switch periodically sends a request for a time update to a configured time server. You can configure up to three time server IP addresses. The switch will attempt to poll each server in the configured sequence.
Setting the Time Manually
You can set the system time on the switch manually without using SNTP.
CLI – This example sets the system clock time and then displays the current time and date
.
Console#calendar set 17 46 00 october 18 2007 4-76 Console#show calendar 4-76 17:46:11 October 18 2007 Console#
Configuring SNTP
You can configure the switch to send time synchronization requests to time servers.
Command Attributes
SNTP Client – Configures the switch to operate as an SNTP client. This requires at least one time server to be specified in the SNTP Server field. (Default: Disabled)
SNTP Poll Interval – Sets the interval between sending requests for a time update from a time server. (Range: 16-16384 seconds; Default: 16 seconds)
SNTP Server – Sets the IP address for up to three time servers. The switch attempts to update the time from the first server, if this fails it attempts an update from the next server in the sequence.
3-34
Basic Configuration
3
Web – Select SNTP, Configuration. Modify any of the required SNTP parameters, and click Apply.
Figure 3-21 SNTP Configuration
CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-65 Console(config)#sntp poll 60 4-66 Console(config)#sntp client 4-64 Console(config)#exit Console#show sntp Current time: Jan 6 14:56:05 2004 Poll interval: 60 Current mode: unicast SNTP status : Enabled SNTP server 10.1.0.19 137.82.140.80 128.250.36.2 Current server: 128.250.36.2 Console#
Configuring NTP
The NTP client allows you to configure up to 50 NTP servers to poll for time updates. You can also enable authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
Command Attributes
NTP Client – Configures the switch to operate as an NTP client. This requires at
least one time server to be specified in the NTP Server list. (Default: Disabled)
NTP Polling Interval – Sets the interval between sending requests for a time
update from NTP servers. (Range: 16-16384 seconds; Default: 16 seconds)
NTP Authenticate – Enables authentication for time requests and updates
between the switch and NTP servers. (Default: Disabled)
NTP Server – Sets the IP address for an NTP server to be polled. The switch
requests an update from all configured servers, then determines the most accurate time update from the responses received.
3-35
Configuring the Switch
3
Version – Specifies the NTP version supported by the server. (Range: 1-3; Default: 3)
Authenticate Key – Specifies the number of the key in the NTP Authentication Key List to use for authentication with the configured server. The authentication key must match the key configured on the NTP server.
Key Number – A number that specifies a key value in the NTP Authentication Key List. Up to 255 keys can be configured in the NTP Authentication Key List. Note that key numbers and values must match on both the server and client. (Range: 1-65535)
Key Context – Specifies an MD5 authentication key string. The key string can be up to 32 case-sensitive printable ASCII characters (no spaces).
Web – Select SNTP, Configuration. Modify any of the required NTP parameters, and click Apply.
3-36
Figure 3-22 NTP Client Configuration
Basic Configuration
3
CLI – This example configures the switch to operate as an NTP client and then displays the current settings.
Console(config)#ntp authentication-key 19 md5 thisiskey19 4-70 Console(config)#ntp authentication-key 30 md5 ntpkey30 Console(config)#ntp server 192.168.3.20 4-68 Console(config)#ntp server 192.168.3.21 Console(config)#ntp server 192.168.4.22 version 2 Console(config)#ntp server 192.168.5.23 version 3 key 19 Console(config)#ntp poll 60 4-69 Console(config)#ntp client 4-67 Console(config)#ntp authenticate 4-69 Console(config)#exit Console#show ntp 4-71 Current time: Jan 1 02:58:58 2001 Poll interval: 60 Current mode: unicast NTP status : Enabled NTP Authenticate status : Enabled Last Update NTP Server: 0.0.0.0 Port: 0 Last Update time: Dec 31 00:00:00 2000 UTC NTP Server 192.168.3.20 version 3 NTP Server 192.168.3.21 version 3 NTP Server 192.168.4.22 version 2 NTP Server 192.168.5.23 version 3 key 19 NTP Authentication-Key 19 md5 Q33O16Q6338241J022S29Q731K7 7 NTP Authentication-Key 30 md5 D2V8777I51K1132K3552L26R6141O4 7 Console#
Setting the Time Zone
SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC. You can choose one of the 80 predefined time zone definitions, or your can manually configure the parameters for your local time zone.
Command Attributes
• Predefined Configuration – A drop-down box provides access to the 80
predefined time zone configurations. Each choice indicates it’s offset from UTC and lists at least one major city or location covered by the time zone.
• User-defined Configuration – Allows the user to define all parameters of the local
time zone.
Direction: Configures the time zone to be before (east) or after (west) UTC.
Name – Assigns a name to the time zone. (Range: 1-29 characters)
Hours (0-13) The number of hours before/after UTC. The maximum value before
UTC is 12. The maximum value after UTC is 13.
Minutes (0-59) – The number of minutes before/after UTC.
3-37
Configuring the Switch
3
Web Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC using either a predefined or custom definition, and click Apply.
Figure 3-23 Setting the System Clock
CLI - This example shows how to set the time zone for the system clock using one of the predefined time zone configurations.
Console(config)#clock timezone-predefined GMT-0930-Taiohae 4-71 Console(config)#

Simple Network Management Protocol

SNMP is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network.
The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as HP OpenView. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.
3-38
Simple Network Management Protocol
3
Access to the switch using from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
The SNMPv3 security structure consists of security models, with each model having it’s own security levels. There are three security models defined, SNMPv1, SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a security model and specified security levels. Each group also has a defined security access to set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.
Table 3-4 SNMPv3 Security Models and Levels
Model Level Group Read View Write View Notify View Security
v1 noAuthNoPriv public
v1 noAuthNoPriv private
v1 noAuthNoPriv user defined user defined user defined user defined Community string only
v2c noAuthNoPriv public
v2c noAuthNoPriv private
v2c noAuthNoPriv user defined user defined user defined user defined Community string only
v3 noAuthNoPriv user defined user defined user defined user defined A user name match only
v3 AuthNoPriv user defined user defined user defined user defined Provides user
v3 AuthPriv user defined user defined user defined user defined Provides user
(read only)
(read/write)
(read only)
(read/write)
defaultview none none Community string only
defaultview defaultview none Community string only
defaultview none none Community string only
defaultview defaultview none Community string only
authentication via MD5 or SHA algorithms
authentication via MD5 or SHA algorithms and data privacy using DES 56-bit encryption
Note:
The predefined default groups and view can be deleted from the system. You can then define customized groups and views for the SNMP clients that require access.
3-39
Configuring the Switch
3

Setting Community Access Strings

You may configure up to five community strings authorized for management access. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.
Command Attributes
SNMP Community Capability – Indicates that the switch supports up to five community strings.
Community String – A community string that acts like a password and permits access to the SNMP protocol. Default strings: “public” (read-only), “private” (read/write) Range: 1-32 characters, case sensitive
Access Mode
- Read-Only – Specifies read-only access. Authorized management stations are
only able to retrieve MIB objects.
- Read/Write – Specifies read-write access. Authorized management stations are
able to both retrieve and modify MIB objects.
Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add.
Figure 3-24 Configuring SNMP Community Strings
CLI – The following example adds the string “spiderman” with read/write access.
Console(config)#snmp-server community spiderman rw 4-151 Console(config)#

Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.
3-40
Simple Network Management Protocol
Command Attributes
Trap Manager Capability – This switch supports up to five trap managers.
Current – Displays a list of the trap managers currently configured.
Trap Manager IP Address – IP address of the host (the targeted recipient).
Trap Manager Community String – Community string sent with the notification
operation. (Range: 1-32 characters, case sensitive)
Trap UDP Port – Sets the UDP port number. (Default: 162)
Trap Version – Specifies whether to send notifications as SNMP v1, v2c, or v3
traps. (The default is version 1.)
Trap Security Level – Specifies the security level.
Enable Authentication Traps – Issues a trap message whenever an invalid
community string is submitted during the SNMP access authentication process. (Default: Enabled)
Enable Link-up and Link-down Traps – Issues a trap message whenever a port
link is established or broken. (Default: Enabled)
Web – Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive trap messages, and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.
3
Figure 3-25 Configuring IP Trap Managers
CLI – This example adds a trap manager and enables both authentication and link-up, link-down traps.
Console(config)#snmp-server host 192.168.1.19 private version 2c 4-153 Console(config)#snmp-server enable traps 4-155
3-41
Configuring the Switch
3

Enabling SNMP Agent Status

Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).
Command Attributes
SNMP Agent Status – Check the box to enable or disable the SNMP Agent.
Web – Click SNMP, Agent Status.
Figure 3-26 Enabling SNMP Agent Status

Configuring SNMPv3 Management Access

To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, it must be changed first before
configuring other parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SNMP user groups with the required security model (i.e., SNMP v1,
v2c or v3) and security level (i.e., authentication and privacy).
4. Assign SNMP users to groups, along with their specific authentication and
privacy passwords.
Setting the Local Engine ID
An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users.
3-42
Simple Network Management Protocol
A new engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters are specified, a trailing zero is added to the value to fill in the last octet. For example, the value “123456789” is equivalent to “1234567890”.
Web – Click SNMP, SNMPv3, Engine ID.
Figure 3-27 Setting an Engine ID
3
3-43
Configuring the Switch
3
Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.
The engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters are specified, a trailing zero is added to the value to fill in the last octet. For example, the value “123456789” is equivalent to “1234567890”.
Web – Click SNMP, SNMPv3, Remote Engine ID.
Figure 3-28 Setting a Remote Engine ID

Configuring SNMPv3 Users

Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
Command Attributes
User Name – The name of user connecting to the SNMP agent. (Range: 1-32 characters)
Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
Model – The user security model; SNMP v1, v2c or v3.
Level – The security level used for the user:
- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications. (This is the default for SNMPv3.)
- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).
Authentication – The method used for user authentication. (Options: MD5, SHA; Default: MD5)
3-44
Simple Network Management Protocol
Authentication Password – A minimum of eight plain text characters is required.
Privacy – The encryption algorithm use for data privacy; only 56-bit DES is
currently available.
Actions – Enables the user to be assigned to another SNMPv3 group.
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.
3
Figure 3-29 Configuring SNMPv3 Users
3-45
Configuring the Switch
3

Configuring Remote SNMPv3 Users

Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
Command Attributes
User Name – The name of user connecting to the SNMP agent. (Range: 1-32 characters)
Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
Engine ID – The engine identifier for the SNMP agent on the remote device where the remote user resides. Note that the remote engine identifier must be specified before you configure a remote user. (See “Specifying a Remote Engine ID” on page 44.)
Model – The user security model; SNMP v1, v2c or v3.
Level – The security level used for the user:
- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications. (This is the default for SNMPv3.)
- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).
Authentication – The method used for user authentication. (Options: MD5, SHA; Default: MD5)
Privacy – The encryption algorithm use for data privacy; only 56-bit DES is currently available.
Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Figure 3-30 Configuring Remote SNMPv3 Users
3-46
Simple Network Management Protocol
3

Configuring SNMPv3 Groups

An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Command Attributes
Group Name – The name of the SNMP group to which the user is assigned.
(Range: 1-32 characters)
Model – The user security model; SNMP v1, v2c or v3.
Level – The security level used for the group:
- noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.)
- AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).
- AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model).
Read View – The configured view for read access. (Range: 1-64 characters)
Write View – The configured view for write access. (Range: 1-64 characters)
Notify View – The configured view for notifications. (Range: 1-64 characters)
Table 3-5 Supported Notification Messages
Object Label Object ID Description
RFC 1493 Traps
newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending
topologyChange 1.3.6.1.2.1.17.0.2 A topologyChange trap is sent by a bridge when
SNMPv2 Traps
coldStart 1.3.6.1.6.3.1.1.5.1 A coldStart trap signifies that the SNMPv2
warmStart 1.3.6.1.6.3.1.1.5.2 A warmStart trap signifies that the SNMPv2
agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
any of its configured ports transitions from the Learning state to the Forwarding state, or from the Forwarding state to the Discarding state. The trap is not sent if a newRoot trap is sent for the same transition.
entity, acting in an agent role, is reinitializing itself and that its configuration may have been altered.
entity, acting in an agent role, is reinitializing itself such that its configuration is unaltered.
3-47
Configuring the Switch
3
Table 3-5 Supported Notification Messages (Continued)
Object Label Object ID Description
a
linkDown
linkUp 1.3.6.1.6.3.1.1.5.4 A linkUp trap signifies that the SNMP entity,
authenticationFailure 1.3.6.1.6.3.1.1.5.5 An authenticationFailure trap signifies that the
RMON Events (V2)
risingAlarm 1.3.6.1.2.1.16.0.1 The SNMP trap that is generated when an
fallingAlarm 1.3.6.1.2.1.16.0.2 The SNMP trap that is generated when an
Private Traps
swPowerStatus ChangeTrap
swIpFilterRejectTrap 1.3.6.1.4.1.11863.1.1.59.2.1.0.40 This trap is sent when an incorrect IP address is
a. These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps on the SNMP Configuration menu.
1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP entity,
1.3.6.1.4.1.11863.1.1.59.2.1.0.1 This trap is sent when the power state changes.
acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state). This other state is indicated by the included value of ifOperStatus.
acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state). This other state is indicated by the included value of ifOperStatus.
SNMPv2 entity, acting in an agent role, has received a protocol message that is not properly authenticated. While all implementations of the SNMPv2 must be capable of generating this trap, the snmpEnableAuthenTraps object indicates whether this trap will be generated.
alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps.
alarm entry crosses its falling threshold and generates an event that is configured for sending SNMP traps.
rejected by the IP Filter.
3-48
Simple Network Management Protocol
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
3
Figure 3-31 Configuring SNMPv3 Groups

Setting SNMPv3 Views

SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.
Command Attributes
View Name – The name of the SNMP view. (Range: 1-64 characters)
View OID Subtrees – Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view.
Edit OID Subtrees – Allows you to configure the object identifiers of branches within the MIB tree. Wild cards can be used to mask a specific portion of the OID string.
3-49
Configuring the Switch
3
Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view.
Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list. For a specific view, click on View OID Subtrees to display the current configuration, or click on Edit OID Subtrees to make changes to the view settings. To delete a view, check the box next to the view name, then click Delete.
Figure 3-32 Configuring SNMPv3 Views

User Authentication

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either
3-50
User Authentication
management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options:
• User Accounts – Manually configures management access rights for users.
• Authentication Settings – Uses remote authentication to configure access rights.
• AAA – Enables accounting of requested services for billing or security purposes.
• HTTPS Settings – Provides a secure web connection.
• SSH Settings – Provides a secure shell (for secure Telnet access).
• 802.1X – Uses IEEE 802.1X port authentication to control access to specific ports.
• IP Filter – Filters management access to the web, SNMP or Telnet interface.
• Port Security – Configures notification and automatic shutdown options for ports.
3

Configuring User Accounts

The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place.
The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.”
Command Attributes
Account List – Displays the current list of user accounts and associated access
levels. (Defaults: admin, and guest)
New Account – Displays configuration settings for a new account.
- User Name – The name of the user. (Maximum length: 8 characters; maximum number of users: 16)
- Access Level – Specifies the user level. (Options: Normal and Privileged)
- Password – Specifies the user password. (Range: 0-8 characters plain text, case sensitive)
Change Password – Sets a new password for the specified user name.
Add/Remove – Adds or removes an account from the list.
3-51
Configuring the Switch
3
Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
Figure 3-33 Access Levels
CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password.
Console(config)#username bob access-level 15 4-37 Console(config)#username bob password 0 smith Console(config)#
3-52
User Authentication
3

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are logon
Web Telnet
authentication protocols that use software running on a central server to control access to RADIUS-aware or TACACS-aware devices on the network. An authentication
RADIUS/ TACACS+ server
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.
server contains a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch.
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
Command Usage
• By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol. Local and remote logon authentication control management access via the console port, web browser, or Telnet.
• RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair. The user name, password, and privilege level must be configured on the authentication server. The encryption methods used for the authentication process must also be configured or negotiated between the authentication server and logon client. This switch can pass authentication messages between the server and client that have been encrypted using MD5 (Message-Digest 5), TLS (Transport Layer Security), or TTLS (Tunneled Transport Layer Security).
• You can specify up to three authentication methods for any user to indicate the authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and (3) Local, the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted using the TACACS+ server, and finally the local user name and password is checked.
console
3-53
Loading...