Smc-networks SMC TigerAccess SMC7824M/FSW Instrukcja Użytkownika

TigerAccess™ 10/100Fast Ethernet Switch◆ 24 100BASE-BX Single-Fiber Ports◆ 2 10/100/1000BASE-T ports shared with SFP slots◆ 2 module slots for shared

TABLE OF CONTENTSxCreating Trunk Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8Statically Configuring a Trun

BASIC MANAGEMENT TASKS4-26Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply.Figure 4-15 Configu

CONFIGURING EVENT LOGGING4-27Configuring Event LoggingThe switch allows you to control the logging of error messages, including the type of events tha

BASIC MANAGEMENT TASKS4-28• RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For e

CONFIGURING EVENT LOGGING4-29CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show log

BASIC MANAGEMENT TASKS4-30• Host IP Address – Specifies a new server IP address to add to the Host IP List.Web – Click System, Logs, Remote Logs. To a

CONFIGURING EVENT LOGGING4-31CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.Displaying Log MessagesU

BASIC MANAGEMENT TASKS4-32CLI – This example shows the event message stored in RAM.Sending Simple Mail Transfer Protocol AlertsTo alert system adminis

CONFIGURING EVENT LOGGING4-33Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add

BASIC MANAGEMENT TASKS4-34CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and speci

SETTING THE SYSTEM CLOCK4-35CLI – Use the reload command to restart the switch.Note: When restarting the system, it will always run the Power-On Self-

TABLE OF CONTENTSxiConfiguring Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-25Enabling Private VLANs . . . . .

BASIC MANAGEMENT TASKS4-36• SNTP Server – Sets the IP address for up to three time servers. The switch attempts to update the time from the first serv

SETTING THE SYSTEM CLOCK4-37Setting the Time ZoneSNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time

BASIC MANAGEMENT TASKS4-38

5-1CHAPTER 5SIMPLE NETWORKMANAGEMENT PROTOCOLSimple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing

SIMPLE NETWORK MANAGEMENT PROTOCOL5-2Access to the switch using from clients using SNMPv3 provides additional security features that cover message int

5-3Note: The predefined default groups and view can be deleted from the system. You can then define customized groups and views for the SNMP clients t

SIMPLE NETWORK MANAGEMENT PROTOCOL5-4Enabling the SNMP AgentEnables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3). Command Attri

SETTING COMMUNITY ACCESS STRINGS5-5• Community String – A community string that acts like a password and permits access to the SNMP protocol. Default

SIMPLE NETWORK MANAGEMENT PROTOCOL5-6Specifying Trap Managers and Trap TypesTraps indicating status changes are issued by the switch to specified trap

SPECIFYING TRAP MANAGERS AND TRAP TYPES5-7To send an inform to a SNMPv3 host, complete these steps:1. Enable the SNMP agent (page 5-4).2. Enable trap

TABLE OF CONTENTSxiiDisplaying Port Members of Multicast Groups . . . . . . . . . . . 15-19Assigning Static Multicast Groups to Interfaces . . . . .

SIMPLE NETWORK MANAGEMENT PROTOCOL5-8• Trap Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c

SPECIFYING TRAP MANAGERS AND TRAP TYPES5-9Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that

SIMPLE NETWORK MANAGEMENT PROTOCOL5-10Configuring SNMPv3 Management AccessTo configure SNMPv3 management access to the switch, follow these steps:1. I

CONFIGURING SNMPV3 MANAGEMENT ACCESS5-11Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of up to 64 hexadecimal characters and then click Save.Figure

SIMPLE NETWORK MANAGEMENT PROTOCOL5-12Web – Click SNMP, SNMPv3, Remote Engine ID. Enter an ID of up to 64 hexadecimal characters and then click Save.F

CONFIGURING SNMPV3 MANAGEMENT ACCESS5-13- AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 securit

SIMPLE NETWORK MANAGEMENT PROTOCOL5-14Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and ass

CONFIGURING SNMPV3 MANAGEMENT ACCESS5-15CLI – Use the snmp-server user command to configure a new user name and assign it to a group.Configuring Remot

SIMPLE NETWORK MANAGEMENT PROTOCOL5-16• Security Model – The user security model; SNMP v1, v2c or v3. (Default: v1)• Security Level – The security lev

CONFIGURING SNMPV3 MANAGEMENT ACCESS5-17Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a nam

TABLE OF CONTENTSxiiiprompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-6end . . . . . .

SIMPLE NETWORK MANAGEMENT PROTOCOL5-18CLI – Use the snmp-server user command to configure a new user name and assign it to a group.Configuring SNMPv3

CONFIGURING SNMPV3 MANAGEMENT ACCESS5-19• Notify View – The configured view for notifications. (Range: 1-64 characters)Table 5-2 Supported Notificati

SIMPLE NETWORK MANAGEMENT PROTOCOL5-20linkDown*1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP entity, acting in an agent role, has detect

CONFIGURING SNMPV3 MANAGEMENT ACCESS5-21RMON Events (V2)risingAlarm 1.3.6.1.2.1.16.0.1 The SNMP trap that is generated when an alarm entry crosses its

SIMPLE NETWORK MANAGEMENT PROTOCOL5-22swThermalRising Notification1.3.6.1.4.1.202.20.64.90.2.1.0.58 This trap is sent when the temperature exceeds the

CONFIGURING SNMPV3 MANAGEMENT ACCESS5-23Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, as

SIMPLE NETWORK MANAGEMENT PROTOCOL5-24CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and r

CONFIGURING SNMPV3 MANAGEMENT ACCESS5-25Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and sp

SIMPLE NETWORK MANAGEMENT PROTOCOL5-26CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces

6-1CHAPTER 6USER AUTHENTICATIONYou can configure this switch to authenticate users logging into the system for management access using local or remote

TABLE OF CONTENTSxivspeed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-32stopbits . . . . . . . . .

USER AUTHENTICATION6-2Command Attributes• Account List – Displays the current list of user accounts and associated access levels. (Defaults: admin, an

CONFIGURING LOCAL/REMOTE LOGON AUTHENTICATION6-3CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password.Configuri

USER AUTHENTICATION6-4Command Usage• By default, management access is always checked against the authentication database stored on the local switch. I

CONFIGURING LOCAL/REMOTE LOGON AUTHENTICATION6-5• RADIUS Settings- Global – Provides globally applicable RADIUS settings.- ServerIndex – Specifies one

USER AUTHENTICATION6-6Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authenticati

CONFIGURING HTTPS6-7Configuring HTTPSYou can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Laye

USER AUTHENTICATION6-8• The following web browsers and operating systems currently support HTTPS:• To specify a secure-site certificate, see “Replacin

CONFIGURING HTTPS6-9Replacing the Default Secure-site CertificateWhen you log onto the web interface using HTTPS (for secure access), a Secure Sockets

USER AUTHENTICATION6-10Configuring the Secure Shell The Berkley-standard includes remote access tools originally designed for Unix systems. Some of th

CONFIGURING THE SECURE SHELL6-11To use the SSH server, complete these steps:1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a

TABLE OF CONTENTSxvsnmp-server engine-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-10show snmp engine-id . . . .

USER AUTHENTICATION6-126. Authentication – One of the following authentication methods is employed:Password Authentication (for SSH v1.5 or V2 Clients

CONFIGURING THE SECURE SHELL6-13Authenticating SSH v2 Clientsa. The client first queries the switch to determine if DSA public key authentication usin

USER AUTHENTICATION6-14• Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA, DSA, Both: Defa

CONFIGURING THE SECURE SHELL6-15Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to sa

USER AUTHENTICATION6-16CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then d

CONFIGURING THE SECURE SHELL6-17• SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authent

USER AUTHENTICATION6-18CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the a

CONFIGURING 802.1X PORT AUTHENTICATION6-19Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resource

USER AUTHENTICATION6-20Transport Layer Security). PEAP will be supported in future releases. The client responds to the appropriate method with its cr

CONFIGURING 802.1X PORT AUTHENTICATION6-21Displaying 802.1X Global SettingsThe 802.1X protocol provides port authentication. Command Attributes 802.1X

TABLE OF CONTENTSxviip ssh timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-25ip ssh authentication-retries .

USER AUTHENTICATION6-22Configuring 802.1X Global SettingsThe 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globall

CONFIGURING 802.1X PORT AUTHENTICATION6-23Configuring Port Settings for 802.1XWhen 802.1X is enabled, you need to configure the parameters for the aut

USER AUTHENTICATION6-24• Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seco

CONFIGURING 802.1X PORT AUTHENTICATION6-25CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displaye

USER AUTHENTICATION6-26Displaying 802.1X StatisticsThis switch can display statistics for dot1x protocol exchanges for any port. Backend State Machine

CONFIGURING 802.1X PORT AUTHENTICATION6-27Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to u

USER AUTHENTICATION6-28Filtering IP Addresses for Management AccessYou can create a list of up to 16 IP addresses or IP address groups that are allowe

FILTERING IP ADDRESSES FOR MANAGEMENT ACCESS6-29• End IP Address – The end address of a range.Web – Click Security, IP Filter. Enter the IP addresses

USER AUTHENTICATION6-30

7-1CHAPTER 7CLIENT SECURITYThis switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring t

TABLE OF CONTENTSxviiip dhcp snooping binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-14ip dhcp snooping verify mac-address . .

CLIENT SECURITY7-2• DHCP Snooping5 – Filters IP traffic on unsecure ports for which the source address cannot be identified via DHCP snooping nor stat

CONFIGURING PORT SECURITY7-3• The default maximum number of MAC addresses allowed on a secure port is zero. You must configure a maximum address count

CLIENT SECURITY7-4Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the

8-1CHAPTER 8ACCESS CONTROL LISTSAccess Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port n

ACCESS CONTROL LISTS8-2The following filtering modes are supported: • Standard IP ACL mode (STD-ACL) filters packets based on the source IP address. •

CONFIGURING ACCESS CONTROL LISTS8-3• Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unk

ACCESS CONTROL LISTS8-4Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended,

CONFIGURING ACCESS CONTROL LISTS8-5Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,”

ACCESS CONTROL LISTS8-6• Source/Destination IP Address – Source or destination IP address.• Source/Destination Subnet Mask – Subnet mask for source or

CONFIGURING ACCESS CONTROL LISTS8-7Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the addres

TABLE OF CONTENTSxviiiflowcontrol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-7media-type . .

ACCESS CONTROL LISTS8-83. Permit all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”Configuring a MAC ACLComman

CONFIGURING ACCESS CONTROL LISTS8-9Command UsageEgress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destinat

ACCESS CONTROL LISTS8-10Configuring ACL MasksYou must specify masks that control the order in which ACL rules are checked. ACL rules matching the firs

CONFIGURING ACCESS CONTROL LISTS8-11Specifying the Mask TypeUse the ACL Mask Configuration page to edit the mask for the Ingress IP ACL, Egress IP ACL

ACCESS CONTROL LISTS8-12Configuring an IP ACL MaskThis mask defines the fields to check in the IP header. Command Usage• Masks that include an entry f

CONFIGURING ACCESS CONTROL LISTS8-13Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for a

ACCESS CONTROL LISTS8-14CLI – This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the foll

CONFIGURING ACCESS CONTROL LISTS8-15Web – Configure the mask to match the required rules in the MAC ingress or egress ACLs. Set the mask to check for

ACCESS CONTROL LISTS8-16CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules

BINDING A PORT TO AN ACCESS CONTROL LIST8-17• When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Oth

TABLE OF CONTENTSxixspanning-tree mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29-4spanning-tree forward-time

ACCESS CONTROL LISTS8-18CLI – This examples assigns an IP and MAC ingress ACL to port 1, and an IP ingress ACL to port 2.Console(config)#interface eth

9-1CHAPTER 9PORT CONFIGURATIONDisplaying Connection StatusYou can use the Port Information or Trunk Information pages to display the current connectio

PORT CONFIGURATION9-2Web – Click Port, Port Information or Trunk Information.Figure 9-1 Port - Port InformationField Attributes (CLI)Basic informatio

DISPLAYING CONNECTION STATUS9-3- 100full - Supports 100 Mbps full-duplex operation - 1000full - Supports 1000 Mbps full-duplex operation - Sym - Trans

PORT CONFIGURATION9-4CLI – This example shows the connection status for Port 5.Configuring Interface Connections You can use the Port Configuration or

CONFIGURING INTERFACE CONNECTIONS9-5Note: 100BASE-BX ports are fixed at 100 Mbps, full-duplex. The 1000BASE-T standard does not support forced mode. A

PORT CONFIGURATION9-6-SFP-Forced - Always uses the SFP port (even if module is not installed).-SFP-Preferred-Auto - Uses SFP port if both combination

CONFIGURING INTERFACE CONNECTIONS9-7CLI – Select the interface, and then enter the required settings.Console(config)#interface ethernet 1/13 24-2Conso

PORT CONFIGURATION9-8Creating Trunk GroupsYou can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers

CREATING TRUNK GROUPS9-9• The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, dupl

TABLE OF CONTENTSxxinterface vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30-9switchport mode . . . . . . . .

PORT CONFIGURATION9-10Command Attributes• Member List (Current) – Shows configured trunks (Trunk ID, Unit, Port).• New – Includes entry fields for cr

CREATING TRUNK GROUPS9-11CLI – This example creates trunk 1 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch

PORT CONFIGURATION9-12• A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID. • If more than eight

CREATING TRUNK GROUPS9-13CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another sw

PORT CONFIGURATION9-14Note: If the port channel admin key (lacp admin key, page 25-8) is not set (through the CLI) when a channel group is formed (i.e

CREATING TRUNK GROUPS9-15Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can o

PORT CONFIGURATION9-16CLI – The following example configures LACP parameters for ports 1-10. Ports 1-8 are used as active members of the LAG, ports 9

CREATING TRUNK GROUPS9-17Displaying LACP Port CountersYou can display statistics for LACP protocol messages. Web – Click Port, LACP, Port Counters Inf

PORT CONFIGURATION9-18CLI – The following example displays LACP counters for port channel 1.Displaying LACP Settings and Status for the Local SideYou

CREATING TRUNK GROUPS9-19Admin State, Oper StateAdministrative or operational values of the actor’s state parameters:• Expired – The actor’s receive m

TABLE OF CONTENTSxximap ip precedence (Interface Configuration) . . . . . . . . . . . . . 31-13map ip dscp (Global Configuration) . . . . . . . . .

PORT CONFIGURATION9-20Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.Figure 9-7 LA

CREATING TRUNK GROUPS9-21Displaying LACP Settings and Status for the Remote SideYou can display configuration settings and the operational state for t

PORT CONFIGURATION9-22Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information.Figure 9-8 L

SETTING BROADCAST STORM THRESHOLDS9-23Setting Broadcast Storm ThresholdsBroadcast storms may occur when a device on your network is malfunctioning, or

PORT CONFIGURATION9-24Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold,

CONFIGURING PORT MIRRORING9-25Configuring Port MirroringYou can mirror traffic from any source port to a target port for real-time analysis. You can t

PORT CONFIGURATION9-26Web – Click Port, Mirror Port Configuration. Specify the source port, the traffic type to be mirrored, and the monitor port, the

CONFIGURING RATE LIMITS9-27Command AttributeRate Limit – Sets the output rate limit for an interface. Default Status – DisabledDefault Rate – Fast Eth

PORT CONFIGURATION9-28Showing Port StatisticsYou can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs,

SHOWING PORT STATISTICS9-29Received Unknown PacketsThe number of packets received via the interface which were discarded because of an unknown or unsu

TABLE OF CONTENTSxxiiMulticast VLAN Registration Commands . . . . . . . . . . . . . . . . . . . . . 33-15mvr (Global Configuration) . . . . . . . .

PORT CONFIGURATION9-30FCS Errors A count of frames received on a particular interface that are an integral number of octets in length but do not pass

SHOWING PORT STATISTICS9-31RMON StatisticsDrop Events The total number of events in which packets were dropped due to lack of resources.Jabbers The to

PORT CONFIGURATION9-32Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bo

SHOWING PORT STATISTICS9-33Figure 9-12 Port Statistics

PORT CONFIGURATION9-34CLI – This example shows statistics for port 12.Console#show interfaces counters ethernet 1/12 24-14Ethernet 1/12 Iftable stats:

10-1CHAPTER 10ADDRESS TABLE SETTINGSSwitches store the addresses for all known devices. This information is used to pass traffic directly between the

ADDRESS TABLE SETTINGS10-2Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address.

DISPLAYING THE ADDRESS TABLE10-3Displaying the Address TableThe Dynamic Address Table contains the MAC addresses learned by monitoring the source addr

ADDRESS TABLE SETTINGS10-4Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkb

CHANGING THE AGING TIME10-5Changing the Aging TimeYou can set the aging time for entries in the dynamic address table. Command Attributes• Aging Statu

TABLE OF CONTENTSxxiiiSection IV AppendicesA Software Specifications . . . . . . . . . . . . . . . . . . . . . . . . A-1Software Features . . . . .

ADDRESS TABLE SETTINGS10-6

11-1CHAPTER 11SPANNING TREE ALGORITHMThe Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links be

SPANNING TREE ALGORITHM11-2Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transm

11-3maintain connectivity among each of the assigned VLAN groups. MSTP then builds a Internal Spanning Tree (IST) for the Region containing all common

SPANNING TREE ALGORITHM11-4MSTP connects all bridges and LAN segments with a single Common and Internal Spanning Tree (CIST). The CIST is formed as a

DISPLAYING GLOBAL SETTINGS11-5make it return to a discarding state; otherwise, temporary data loops might result.• Designated Root – The priority and

SPANNING TREE ALGORITHM11-6configuration messages at regular intervals. If the root port ages out STA information (provided in the last configuration

DISPLAYING GLOBAL SETTINGS11-7CLI – This command displays global STA settings, followed by settings for each port. Note: The current root port and cur

SPANNING TREE ALGORITHM11-8Configuring Global SettingsGlobal settings apply to the entire switch.Command Usage• Spanning Tree Protocol11Uses RSTP for

CONFIGURING GLOBAL SETTINGS11-9- Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previ

TABLE OF CONTENTSxxiv

SPANNING TREE ALGORITHM11-10reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. An

CONFIGURING GLOBAL SETTINGS11-11Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can

SPANNING TREE ALGORITHM11-12Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.Figure 11-2 STA Global Con

DISPLAYING INTERFACE SETTINGS11-13CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parame

SPANNING TREE ALGORITHM11-14- If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, th

DISPLAYING INTERFACE SETTINGS11-15• Trunk Member – Indicates if a port is a member of a trunk. (STA Port Information only)These additional parameters

SPANNING TREE ALGORITHM11-16loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enab

CONFIGURING INTERFACE SETTINGS11-17CLI – This example shows the STA attributes for port 5. Configuring Interface SettingsYou can configure RSTP and MS

SPANNING TREE ALGORITHM11-18- Discarding - Port receives STA configuration messages, but does not forward packets.- Learning - Port has transmitted co

CONFIGURING INTERFACE SETTINGS11-19When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceed

xxvTABLESTable 1-1 Key Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1Table 1-2 System Defaults . . . . . .

SPANNING TREE ALGORITHM11-20such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required t

CONFIGURING MULTIPLE SPANNING TREES11-21Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides mul

SPANNING TREE ALGORITHM11-22• VLANs in MST Instance – VLANs assigned this instance.• MST ID – Instance identifier to configure. (Range: 0-4094; Defaul

CONFIGURING MULTIPLE SPANNING TREES11-23CLI – This displays STA settings for instance 1, followed by settings for each port. Console#show spanning-tre

SPANNING TREE ALGORITHM11-24CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI. Displaying Interface Settings for MSTPTh

DISPLAYING INTERFACE SETTINGS FOR MSTP11-25CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for insta

SPANNING TREE ALGORITHM11-26Configuring Interface Settings for MSTPYou can configure the STA interface settings for an MST Instance using the MSTP Por

CONFIGURING INTERFACE SETTINGS FOR MSTP11-27• Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. The

SPANNING TREE ALGORITHM11-28CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 24-2Console(config-if)#span

12-1CHAPTER 12VLAN CONFIGURATIONIEEE 802.1Q VLANsIn large networks, routers are used to isolate broadcast traffic for each subnet into separate domain

TABLESxxviTable 19-11 show logging flash/ram - display description . . . . . . . . . . 19-43Table 19-12 show logging trap - display description . .

VLAN CONFIGURATION12-2• Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol• Port overlapping, all

IEEE 802.1Q VLANS12-3VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the

VLAN CONFIGURATION12-4To implement GVRP in a network, first add the host devices to the required VLANs (using the operating system or other applicatio

IEEE 802.1Q VLANS12-5forwarding a frame from this switch along a path that does not contain any VLAN-aware devices (including the destination host), t

VLAN CONFIGURATION12-6Displaying Basic VLAN InformationThe VLAN Basic Information page displays basic information on the VLAN type supported by the sw

IEEE 802.1Q VLANS12-7Displaying Current VLANsThe VLAN Current Table shows the current port members of each VLAN and whether or not the port supports V

VLAN CONFIGURATION12-8Command Attributes (CLI)• VLAN – ID of configured VLAN (1-4093, no leading zeroes).• Type – Shows how this VLAN was added to the

IEEE 802.1Q VLANS12-9• VLAN ID – ID of configured VLAN (1-4093).• VLAN Name – Name of the VLAN (1 to 32 characters).• Status (Web) – Enables or disabl

VLAN CONFIGURATION12-10CLI – This example creates a new VLAN.Adding Static Members to VLANs (VLAN Index)Use the VLAN Static Table to configure port me

IEEE 802.1Q VLANS12-11• Status – Enables or disables the specified VLAN. - Enable: VLAN is operational.- Disable: VLAN is suspended; i.e., does not pa

TABLESxxviiTable 26-1 Mirror Port Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 26-1Table 27-1 Rate Limit Commands . . . . . . . .

VLAN CONFIGURATION12-12Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if req

IEEE 802.1Q VLANS12-13Adding Static Members to VLANs (Port Index)Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected int

VLAN CONFIGURATION12-14Configuring VLAN Behavior for InterfacesYou can configure VLAN behavior for specific interfaces, including the default VLAN ide

IEEE 802.1Q VLANS12-15- If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will b

VLAN CONFIGURATION12-16belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames. - Hybrid – Specifi

CONFIGURING IEEE 802.1Q TUNNELING12-17CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP,

VLAN CONFIGURATION12-18IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, an

CONFIGURING IEEE 802.1Q TUNNELING12-19Layer 2 Flow for Packets Coming into a Tunnel PortA QinQ tunnel port may receive either tagged or untagged packe

VLAN CONFIGURATION12-203. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or wi

CONFIGURING IEEE 802.1Q TUNNELING12-214. After successful source and destination lookup, the packet is double tagged. The switch uses the TPID of 0x81

TABLESxxviii

VLAN CONFIGURATION12-22- Tunnel ports do not support IP Access Control Lists. - Layer 3 Quality of Service (QoS) and other QoS features containing Lay

CONFIGURING IEEE 802.1Q TUNNELING12-23Adding an Interface to a QinQ TunnelFollow the guidelines in the preceding section to set up a QinQ tunnel on th

VLAN CONFIGURATION12-24Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Set the mode for the tunnel port to Dot1q-Tunnel, and

CONFIGURING PRIVATE VLANS12-25Configuring Private VLANsPrivate VLANs provide port-based security and isolation between ports within the assigned VLAN.

VLAN CONFIGURATION12-26Configuring Uplink and Downlink PortsUse the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports desi

CONFIGURING PROTOCOL-BASED VLANS12-27Configuring Protocol-Based VLANs The network devices required to support multiple protocols cannot be easily grou

VLAN CONFIGURATION12-28• Frame Type16 – Frame type used by this protocol. (Options: Ethernet, RFC_1042, LLC_other) • Protocol Type – The only option f

CONFIGURING PROTOCOL-BASED VLANS12-29Membership by Port menu (page 13), these interfaces will admit traffic of any protocol type into the associated V

VLAN CONFIGURATION12-30CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 3. C

13-1CHAPTER 13CLASS OF SERVICEClass of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the

xxixFIGURESFigure 3-1 Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3Figure 3-2 Front Panel Indicators .

CLASS OF SERVICE13-2• If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmissio

LAYER 2 QUEUE SETTINGS13-3CLI – This example assigns a default priority of 5 to port 3.Mapping CoS Values to Egress QueuesThis switch processes Class

CLASS OF SERVICE13-4The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. How

LAYER 2 QUEUE SETTINGS13-5Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply.Figu

CLASS OF SERVICE13-6Selecting the Queue ModeYou can set the switch to service the queues based on a strict rule that requires all traffic in a higher

LAYER 2 QUEUE SETTINGS13-7Setting the Service Weight for Traffic ClassesThis switch uses the Weighted Round Robin (WRR) algorithm to determine the fre

CLASS OF SERVICE13-8CLI – The following example shows how to assign WRR weights to each of the priority queues.Layer 3/4 Priority SettingsMapping Laye

LAYER 3/4 PRIORITY SETTINGS13-9Selecting IP Precedence/DSCP PriorityThe switch allows you to choose between using IP Precedence or DSCP priority. Sele

CLASS OF SERVICE13-10Mapping IP PrecedenceThe Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different p

LAYER 3/4 PRIORITY SETTINGS13-11Web – Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in

38 TeslaIrvine, CA 92618Phone: (949) 679-8000TigerAccess™ 10/100Management GuideFrom SMC’s Tiger line of feature-rich workgroup LAN solutionsDecember

FIGURESxxxFigure 6-4 SSH Host-Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15Figure 6-5 SSH Server Settings . . . . . . . .

CLASS OF SERVICE13-12Mapping DSCP PriorityThe DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces th

LAYER 3/4 PRIORITY SETTINGS13-13Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Val

CLASS OF SERVICE13-14Mapping IP Port PriorityYou can also map network applications to Class of Service values based on the IP port number (i.e., TCP/U

LAYER 3/4 PRIORITY SETTINGS13-15Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the ne

CLASS OF SERVICE13-16

14-1CHAPTER 14QUALITY OF SERVICEThe commands described in this section are used to configure Quality of Service (QoS) classification criteria and serv

QUALITY OF SERVICE14-2Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.2. You should cr

CONFIGURING QUALITY OF SERVICE PARAMETERS14-3Configuring a Class MapA class map is used for matching packets to a specified class.Command Usage • To c

QUALITY OF SERVICE14-4Settings” page. Enter the criteria used to classify ingress traffic on this page.• Remove Class – Removes the selected class.Cla

CONFIGURING QUALITY OF SERVICE PARAMETERS14-5Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules

FIGURESxxxiFigure 11-7 MSTP Port Configuration . . . . . . . . . . . . . . . . . . . . . . . 11-28Figure 12-1 Globally Enabling GVRP . . . . . . . .

QUALITY OF SERVICE14-6CLI - This example creates a class map call “rd-class,” and sets it to match packets marked for DSCP service value 3.Creating Qo

CONFIGURING QUALITY OF SERVICE PARAMETERS14-7• After using the policy map to define packet classification, service tagging, and bandwidth policing, it

QUALITY OF SERVICE14-8• Meter – The maximum throughput and burst rate.- Rate (kbps) – Rate in kilobits per second.- Burst (byte) – Burst in bytes.• Ex

CONFIGURING QUALITY OF SERVICE PARAMETERS14-9Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy ma

QUALITY OF SERVICE14-10CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth the 1 Mbps, the burst rate to 1522 bps,

CONFIGURING QUALITY OF SERVICE PARAMETERS14-11Web – Click QoS, DiffServ, Service Policy Settings. Check Enabled and choose a Policy Map for a port fro

QUALITY OF SERVICE14-12

15-1CHAPTER 15MULTICAST FILTERINGMulticasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast serv

MULTICAST FILTERING15-2those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will c

LAYER 2 IGMP (SNOOPING AND QUERY)15-3Only IGMPv3 hosts can request service from a specific multicast source. When downstream hosts request service fro

FIGURESxxxiiFigure 16-3 DNS Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-7

MULTICAST FILTERING15-4Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a mult

LAYER 2 IGMP (SNOOPING AND QUERY)15-5Note: Multicast routers use this information, along with a multicast routing protocol such as DVMRP or PIM, to su

MULTICAST FILTERING15-6Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default setting

LAYER 2 IGMP (SNOOPING AND QUERY)15-7Displaying Interfaces Attached to a Multicast RouterMulticast routers that are attached to ports on the switch us

MULTICAST FILTERING15-8CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.Specifying Static

LAYER 2 IGMP (SNOOPING AND QUERY)15-9CLI – This example configures port 1 as a multicast router port within VLAN 1.Displaying Port Members of Multicas

MULTICAST FILTERING15-10Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from t

LAYER 2 IGMP (SNOOPING AND QUERY)15-11Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and

MULTICAST FILTERING15-12Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled

MULTICAST VLAN REGISTRATION15-13distribution tree for a normal multicast VLAN. This makes it possible to support common multicast services over a wide

SECTION IGETTING STARTEDThis section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes

MULTICAST FILTERING15-144. For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind t

MULTICAST VLAN REGISTRATION15-15Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that

MULTICAST FILTERING15-16• MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR sta

MULTICAST VLAN REGISTRATION15-17Configuring MVR Interface StatusEach interface that participates in the MVR VLAN must be configured as an MVR source p

MULTICAST FILTERING15-18- Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.)• Immediate Leave – Configures

MULTICAST VLAN REGISTRATION15-19Displaying Port Members of Multicast GroupsYou can display the multicast groups assigned to the MVR VLAN either throug

MULTICAST FILTERING15-20Assigning Static Multicast Groups to InterfacesFor multicast streams that will run for a long term and be associated with a st

MULTICAST VLAN REGISTRATION15-21Web – Click MVR, Group Member Configuration. Select a port or trunk from the “Interface” field, and click Query to dis

MULTICAST FILTERING15-22

16-1CHAPTER 16DOMAIN NAME SERVICEThe Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static tab

GETTING STARTED

DOMAIN NAME SERVICE16-2• When more than one name server is specified, the servers are queried in the specified sequence until a response is received,

CONFIGURING GENERAL DNS SERVICE PARAMETERS16-3Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify on

DOMAIN NAME SERVICE16-4CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the defa

CONFIGURING STATIC DNS HOST TO ADDRESSENTRIES16-5Field Attributes• Host Name – Name of a host device that is mapped to one or more IP addresses. (Rang

DOMAIN NAME SERVICE16-6CLI - This example maps two address to a host name, and then configures an alias host name for the same addresses.Displaying th

DISPLAYING THE DNS CACHE16-7Web – Select DNS, Cache.Figure 16-3 DNS CacheCLI - This example displays all the resource records learned from the design

DOMAIN NAME SERVICE16-8

SECTION IIICOMMAND LINE INTERFACEThis section provides a detailed description of the Command Line Interface, along with examples for all of the comman

COMMAND LINE INTERFACEIP Interface Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35-1

17-1CHAPTER 17OVERVIEW OF COMMANDLINE INTERFACEThis chapter describes how to use the Command Line Interface (CLI).Using the Command Line InterfaceAcce

1-1CHAPTER 1INTRODUCTIONThis switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to config

OVERVIEW OF COMMAND LINE INTERFACE17-2After connecting to the system through the console port, the login screen displays:Telnet ConnectionTelnet opera

ENTERING COMMANDS17-3After you configure the switch with an IP address, you can open a Telnet session by performing these steps:1. From the remote hos

OVERVIEW OF COMMAND LINE INTERFACE17-4You can enter commands as follows:• To enter a simple command, enter the command keyword. • To enter multiple co

ENTERING COMMANDS17-5Showing CommandsIf you enter a “?” at the command prompt, the system will display the first level of keywords for the current com

OVERVIEW OF COMMAND LINE INTERFACE17-6The command “show interfaces ?” will display the following information:Partial Keyword LookupIf you terminate a

ENTERING COMMANDS17-7Understanding Command ModesThe command set is divided into Exec and Configuration classes. Exec commands generally display inform

OVERVIEW OF COMMAND LINE INTERFACE17-8Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged le

ENTERING COMMANDS17-9• Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation. • Line Configurati

OVERVIEW OF COMMAND LINE INTERFACE17-10To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end c

ENTERING COMMANDS17-11Command Line ProcessingCommands are not case sensitive. You can abbreviate commands and parameters as long as they contain enoug

KEY FEATURES1-2Rate Limiting Input and output rate limiting per portInput rate limiting per port per CoS valuePort Mirroring Single session, one sourc

OVERVIEW OF COMMAND LINE INTERFACE17-12Command GroupsThe system commands can be broken down into the functional groups shown below.Table 17-4 Command

COMMAND GROUPS17-13The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration)CM (Class

OVERVIEW OF COMMAND LINE INTERFACE17-14

18-1CHAPTER 18GENERAL COMMANDSThese commands are used to control the command access mode, configuration mode, and other basic functions.Table 18-1 Ge

GENERAL COMMANDS18-2enableThis command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands dis

DISABLE18-3disableThis command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the

GENERAL COMMANDS18-4Example Related Commands end (18-6)show historyThis command shows the contents of the command history buffer.Default Setting NoneC

RELOAD18-5The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands f

GENERAL COMMANDS18-6promptThis command customizes the CLI prompt. Use the no form to restore the default prompt.Syntax prompt stringno promptstring -

EXIT18-7exitThis command returns to the previous configuration mode or exits the configuration program.Default Setting NoneCommand Mode AnyExample Thi

INTRODUCTION1-3Description of Software FeaturesThe switch provides a wide range of advanced performance enhancing features. Flow control eliminates th

GENERAL COMMANDS18-8Example This example shows how to quit a CLI session:Console#quitPress ENTER to start sessionUser Access VerificationUsername:

19-1CHAPTER 19SYSTEM MANAGEMENTCOMMANDSThese commands are used to control system logs, passwords, user names, management options, and display or confi

SYSTEM MANAGEMENT COMMANDS19-2Device Designation CommandsThis section describes commands used to configure information that uniquely identifies the sw

SYSTEM STATUS COMMANDS19-3System Status CommandsThis section describes commands used to display system information.show startup-configThis command dis

SYSTEM MANAGEMENT COMMANDS19-4mode command, and corresponding commands. This command displays the following information:- MAC address for the switch-

SYSTEM STATUS COMMANDS19-5Related Commandsshow running-config (19-5)show running-configThis command displays the configuration information currently i

SYSTEM MANAGEMENT COMMANDS19-6- VLAN configuration settings for each interface- Multiple spanning tree instances (name and interfaces)- IP address - L

SYSTEM STATUS COMMANDS19-7Related Commandsshow startup-config (19-3)show systemThis command displays system information.Default Setting NoneCommand Mo

SYSTEM MANAGEMENT COMMANDS19-8Exampleshow usersShows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet

SYSTEM STATUS COMMANDS19-9Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index n

DESCRIPTION OF SOFTWARE FEATURES1-4Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number

SYSTEM MANAGEMENT COMMANDS19-10Example System Mode CommandsThis section describes command used to configure the switch to operate in normal mode or Qi

SYSTEM MODE COMMANDS19-11Default Setting No system mode is set; the switch functions in normal operating mode.Command Mode Global ConfigurationCommand

SYSTEM MANAGEMENT COMMANDS19-12System MTU CommandsThis section describes commands used to configure the Ethernet frame size on the switch.jumbo frameT

SYSTEM MTU COMMANDS19-13• To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Als

SYSTEM MANAGEMENT COMMANDS19-14Command Usage • Gigabit Ethernet ports are not affected by the system mtu FE-size command. Fast Ethernet ports are not

FILE MANAGEMENT COMMANDS19-15When downloading runtime code, the destination file name can be specified to replace the current image, or the file can b

SYSTEM MANAGEMENT COMMANDS19-16copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a

FILE MANAGEMENT COMMANDS19-17or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)• Due to the size limit of the

SYSTEM MANAGEMENT COMMANDS19-18The following example shows how to upload the configuration settings to a file on the TFTP server:The following example

FILE MANAGEMENT COMMANDS19-19This example shows how to copy a public-key used by SSH from an TFTP server. Note that public key authentication via SSH

INTRODUCTION1-5Storm Control – Broadcast and multicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the l

SYSTEM MANAGEMENT COMMANDS19-20Related Commandsdir (19-20)delete public-key (21-28)dirThis command displays a list of files in flash memory.Syntax dir

FILE MANAGEMENT COMMANDS19-21Example The following example shows how to display all file information:whichbootThis command displays which files were b

SYSTEM MANAGEMENT COMMANDS19-22boot systemThis command specifies the file or image used to start up the system.Syntax boot system {boot-rom| config |

LINE COMMANDS19-23Line CommandsYou can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. Th

SYSTEM MANAGEMENT COMMANDS19-24lineThis command identifies a specific line for configuration, and to process subsequent line configuration commands.Sy

LINE COMMANDS19-25loginThis command enables password checking at login. Use the no form to disable password checking and allow connections without a p

SYSTEM MANAGEMENT COMMANDS19-26Example Related Commandsusername (21-2)password (19-26)passwordThis command specifies the password for a line. Use the

LINE COMMANDS19-27configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.Example Related Commandslo

SYSTEM MANAGEMENT COMMANDS19-28Example To set the timeout to two minutes, enter this command:exec-timeoutThis command sets the interval that the syste

LINE COMMANDS19-29password-threshThis command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form

Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, n

DESCRIPTION OF SOFTWARE FEATURES1-6this protocol will choose a single path and disable all others to ensure that only one route exists between any two

SYSTEM MANAGEMENT COMMANDS19-30silent-timeThis command sets the amount of time the management console is inaccessible after the number of unsuccessful

LINE COMMANDS19-31Default Setting 8 data bits per characterCommand Mode Line Configuration Command Usage The databits command can be used to mask the

SYSTEM MANAGEMENT COMMANDS19-32Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity

LINE COMMANDS19-33Example To specify 57600 bps, enter this command:stopbitsThis command sets the number of the stop bits transmitted per byte. Use the

SYSTEM MANAGEMENT COMMANDS19-34Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifier

LINE COMMANDS19-35Example To show all lines, enter this command:Console#show line Console configuration: Password threshold: 3 times Interactive ti

SYSTEM MANAGEMENT COMMANDS19-36Event Logging CommandsThis section describes commands used to configure event logging on the switch.logging onThis comm

EVENT LOGGING COMMANDS19-37command to control the type of error messages that are stored in memory. You can use the logging trap command to control th

SYSTEM MANAGEMENT COMMANDS19-38Default Setting Flash: errors (level 3 - 0)RAM: warnings (level 7 - 0)Command Mode Global ConfigurationCommand Usage Th

EVENT LOGGING COMMANDS19-39Command Mode Global ConfigurationCommand Usage Use this command more than once to build up a list of host IP addresses.The

INTRODUCTION1-7• Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within t

SYSTEM MANAGEMENT COMMANDS19-40logging trapThis command enables the logging of system messages to a remote server, or limits the syslog messages saved

EVENT LOGGING COMMANDS19-41clear logThis command clears messages from the log buffer.Syntax clear log [flash | ram]• flash - Event history stored in f

SYSTEM MANAGEMENT COMMANDS19-42show loggingThis command displays the configuration settings for logging messages to local switch memory, to an SMTP ev

EVENT LOGGING COMMANDS19-43ExampleThe following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., de

SYSTEM MANAGEMENT COMMANDS19-44Related Commandsshow logging sendmail (19-49)show logThis command displays the log messages stored in local memory.Synt

SMTP ALERT COMMANDS19-45SMTP Alert CommandsThese commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP server

SYSTEM MANAGEMENT COMMANDS19-46• To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one

SMTP ALERT COMMANDS19-47logging sendmail source-emailThis command sets the email address used for the “From” field in alert messages. Syntaxlogging se

SYSTEM MANAGEMENT COMMANDS19-48Command Usage You can specify up to five recipients for alert messages. However, you must enter a separate command to s

SMTP ALERT COMMANDS19-49show logging sendmailThis command displays the settings for the SMTP event handler.Command Mode Normal Exec, Privileged ExecEx

SYSTEM DEFAULTS1-8to be transmitted across a single network-wide multicast VLAN shared by hosts residing in other standard or private VLAN groups, whi

SYSTEM MANAGEMENT COMMANDS19-50Time CommandsThe system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintain

TIME COMMANDS19-51Command Usage • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the swi

SYSTEM MANAGEMENT COMMANDS19-52Command Mode Global ConfigurationCommand Usage This command specifies time servers from which the switch will poll for

TIME COMMANDS19-53Related Commandssntp client (19-50)show sntpThis command displays the current time and configuration settings for the SNTP client, a

SYSTEM MANAGEMENT COMMANDS19-54clock timezoneThis command sets the time zone for the switch’s internal clock.Syntax clock timezone name hour hours min

TIME COMMANDS19-55calendar setThis command sets the system clock. It may be used if there is no time server on your network, or if you have not config

SYSTEM MANAGEMENT COMMANDS19-56Example Console#show calendar 15:12:34 February 1 2002Console#

20-1CHAPTER 20SNMP COMMANDSControls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the

SNMP COMMANDS20-2snmp-serverThis command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form

SHOW SNMP20-3Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol d

INTRODUCTION1-9Authentication Privileged Exec Level Username “admin”Password “admin”Normal Exec Level Username “guest”Password “guest”Enable Privilege

SNMP COMMANDS20-4snmp-server communityThis command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified commun

SNMP-SERVER CONTACT20-5snmp-server contactThis command sets the system contact string. Use the no form to remove the system contact information.Syntax

SNMP COMMANDS20-6Command Mode Global ConfigurationExample Related Commandssnmp-server contact (20-5)snmp-server host This command specifies the recipi

SNMP-SERVER HOST20-7community command prior to using the snmp-server host command. (Maximum length: 32 characters)• version - Specifies whether to sen

SNMP COMMANDS20-8• Notifications are issued by the switch as trap messages by default. The recipient of a trap message does not send a response to the

SNMP-SERVER ENABLE TRAPS20-9user command. Otherwise, the authentication password and/or privacy password will not exist, and the switch will not autho

SNMP COMMANDS20-10notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled. •

SNMP-SERVER ENGINE-ID20-11Command Mode Global ConfigurationCommand Usage • An SNMP engine is an independent SNMP agent that resides either on this swi

SNMP COMMANDS20-12show snmp engine-idThis command shows the SNMP engine ID.Command Mode Privileged ExecExampleThis example shows the default engine ID

SNMP-SERVER VIEW20-13snmp-server viewThis command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.Synt

SYSTEM DEFAULTS1-10Port Configuration Admin Status EnabledAuto-negotiation EnabledFlow Control DisabledRate Limiting Input and output limits DisabledI

SNMP COMMANDS20-14This view includes the MIB-2 interfaces table, and the mask selects all index entries.show snmp viewThis command shows information o

SNMP-SERVER GROUP20-15snmp-server groupThis command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.Synt

SNMP COMMANDS20-16• When privacy is selected, the DES 56-bit algorithm is used for data encryption.• For additional information on the notification me

SHOW SNMP GROUP20-17Group Name: publicSecurity Model: v2cRead View: defaultviewWrite View: noneNotify View: noneStorage Type: volatileRow Status: acti

SNMP COMMANDS20-18snmp-server userThis command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use

SNMP-SERVER USER20-19Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore

SNMP COMMANDS20-20show snmp userThis command shows information on SNMP users.Command Mode Privileged ExecExample Console#show snmp userEngineId: 80000

21-1CHAPTER 21USER AUTHENTICATIONCOMMANDSYou can configure this switch to authenticate users logging into the system for management access using local

USER AUTHENTICATION COMMANDS21-2User Account CommandsThe basic commands required for management access are listed in this section. This switch also in

USER ACCOUNT COMMANDS21-3• password password - The authentication password for the user. (Maximum length: 8 characters plain text, 32 encrypted, case

INTRODUCTION1-11Traffic PrioritizationIngress Port Priority 0Queue Mode WRRWeighted Round Robin Queue: 0 1 2 3 4 5 6 7Weight: 1 2 4 6

USER AUTHENTICATION COMMANDS21-4enable passwordAfter initially logging onto the system, you should set the Privileged Exec password. Remember to recor

AUTHENTICATION SEQUENCE21-5Related Commandsenable (18-2)authentication enable (21-7)Authentication SequenceThree authentication methods can be specifi

USER AUTHENTICATION COMMANDS21-6Command Usage • RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a conne

AUTHENTICATION SEQUENCE21-7authentication enableThis command defines the authentication method and precedence to use when changing from Exec command m

USER AUTHENTICATION COMMANDS21-8Example Related Commandsenable password - sets the password for changing command modes (21-4)RADIUS ClientRemote Authe

RADIUS CLIENT21-9radius-server hostThis command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. U

USER AUTHENTICATION COMMANDS21-10radius-server portThis command sets the RADIUS server network port. Use the no form to restore the default.Syntax rad

RADIUS CLIENT21-11Example radius-server retransmitThis command sets the number of retries. Use the no form to restore the default.Syntax radius-server

USER AUTHENTICATION COMMANDS21-12Command Mode Global ConfigurationExample show radius-serverThis command displays the current settings for the RADIUS

TACACS+ CLIENT21-13TACACS+ ClientTerminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software runn

SYSTEM DEFAULTS1-12

USER AUTHENTICATION COMMANDS21-14tacacs-server portThis command specifies the TACACS+ server network port. Use the no form to restore the default.Synt

WEB SERVER COMMANDS21-15Example show tacacs-serverThis command displays the current settings for the TACACS+ server.Default Setting NoneCommand Mode P

USER AUTHENTICATION COMMANDS21-16ip http portThis command specifies the TCP port number used by the web browser interface. Use the no form to use the

WEB SERVER COMMANDS21-17Example Related Commandsip http port (21-16)ip http secure-serverThis command enables the secure hypertext transfer protocol (

USER AUTHENTICATION COMMANDS21-18• The client and server establish a secure encrypted connection.A padlock icon should appear in the status bar for In

WEB SERVER COMMANDS21-19Default Setting 443Command Mode Global ConfigurationCommand Usage • You cannot configure the HTTP and HTTPS servers to use the

USER AUTHENTICATION COMMANDS21-20Telnet Server CommandsThis section describes commands used to configure Telnet management access to the switch.ip tel

SECURE SHELL COMMANDS21-21Secure Shell CommandsThis section describes the commands used to configure the SSH server. Note that you also need to instal

USER AUTHENTICATION COMMANDS21-22Configuration GuidelinesThe SSH server on this switch supports both password and public key authentication. If passwo

SECURE SHELL COMMANDS21-231024 35 1341081685609893921040944920155425347631641921872958921143173880 055536161631051775940838686311092912322268285192543

2-1CHAPTER 2INITIAL CONFIGURATIONConnecting to the SwitchConfiguration OptionsThe switch includes a built-in network management agent. The agent offer

USER AUTHENTICATION COMMANDS21-24c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts t

SECURE SHELL COMMANDS21-25Default Setting DisabledCommand Mode Global ConfigurationCommand Usage • The SSH server supports up to four client sessions.

USER AUTHENTICATION COMMANDS21-26Default Setting 10 secondsCommand Mode Global ConfigurationCommand Usage The timeout specifies the interval the switc

SECURE SHELL COMMANDS21-27Example Related Commandsshow ip ssh (21-31)ip ssh server-key sizeThis command sets the SSH server key size. Use the no form

USER AUTHENTICATION COMMANDS21-28delete public-keyThis command deletes the specified user’s public key.Syntax delete public-key username [dsa | rsa]•u

SECURE SHELL COMMANDS21-29• This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pai

USER AUTHENTICATION COMMANDS21-30• The SSH server must be disabled before you can execute this command.Example Related Commandsip ssh crypto host-key

SECURE SHELL COMMANDS21-31show ip sshThis command displays the connection settings used when authenticating client access to the SSH server.Command Mo

USER AUTHENTICATION COMMANDS21-32show public-keyThis command shows the public key for the specified user or for the host.Syntax show public-key [user

SECURE SHELL COMMANDS21-33Command Mode Privileged ExecCommand Usage • If no parameters are entered, all keys are displayed. If the user keyword is ent

CONNECTING TO THE SWITCH2-2The switch’s web interface, CLI configuration program, and SNMP agent allow you to perform the following management functio

USER AUTHENTICATION COMMANDS21-34802.1X Port AuthenticationThe switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorize

802.1X PORT AUTHENTICATION21-35dot1x system-auth-controlThis command enables IEEE 802.1X port authentication globally on the switch. Use the no form t

USER AUTHENTICATION COMMANDS21-36dot1x max-reqThis command sets the maximum number of times the switch port will retransmit an EAP request/identity pa

802.1X PORT AUTHENTICATION21-37Defaultforce-authorizedCommand ModeInterface ConfigurationExampledot1x operation-modeThis command allows single or mult

USER AUTHENTICATION COMMANDS21-38• In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be gran

802.1X PORT AUTHENTICATION21-39dot1x re-authenticationThis command enables periodic re-authentication for a specified port. Use the no form to disable

USER AUTHENTICATION COMMANDS21-40Default60 secondsCommand ModeInterface ConfigurationExampledot1x timeout re-authperiodThis command sets the time peri

802.1X PORT AUTHENTICATION21-41dot1x timeout tx-periodThis command sets the time that an interface on the switch waits during an authentication sessio

USER AUTHENTICATION COMMANDS21-42Command UsageThis command displays the following information:• Global 802.1X Parameters – Shows whether or not 802.1X

802.1X PORT AUTHENTICATION21-43- Port-control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 21-36).- Supplic

INITIAL CONFIGURATION2-3To connect a terminal to the console port, complete the following steps: 1. Connect the console cable to the serial port on a

USER AUTHENTICATION COMMANDS21-44ExampleConsole#show dot1xGlobal 802.1X Parameters system-auth-control: enable802.1X Port SummaryPort Name Status

MANAGEMENT IP FILTER COMMANDS21-45Management IP Filter CommandsThis section describes commands used to configure IP management access to the switch.ma

USER AUTHENTICATION COMMANDS21-46Command Usage • If anyone tries to access a management interface on the switch from an invalid address, the switch wi

MANAGEMENT IP FILTER COMMANDS21-47Command Mode Privileged ExecExampleConsole#show management all-clientManagement Ip Filter HTTP-Client: Start IP ad

USER AUTHENTICATION COMMANDS21-48

22-1CHAPTER 22CLIENT SECURITYCOMMANDSThis switch supports many methods of segregating traffic for clients attached to each of the data ports, and for

CLIENT SECURITY COMMANDS22-2Port Security CommandsThese commands can be used to enable port security on a port. When using port security, the switch s

PORT SECURITY COMMANDS22-3port securityThis command enables or configures port security. Use the no form without any keywords to disable port security

CLIENT SECURITY COMMANDS22-4Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has

IP SOURCE GUARD COMMANDS22-5the IP address of a neighbor to access the network. This section describes commands used to configure IP Source Guard.ip s

vLIMITED WARRANTYLimited Warranty Statement: SMC Networks, Inc. (“SMC”) warrants its products to be free from defects in workmanship and materials, un

BASIC CONFIGURATION2-4Remote ConnectionsPrior to accessing the switch’s onboard agent via a network connection, you must first configure it with a val

CLIENT SECURITY COMMANDS22-6Command Usage • Source guard is used to filter traffic on an unsecure port which receives messages from outside the networ

IP SOURCE GUARD COMMANDS22-7static DHCP snooping binding or dynamic DHCP snooping binding, the packet will be forwarded.- If IP source guard if enable

CLIENT SECURITY COMMANDS22-8Command ModeGlobal ConfigurationCommand Usage • Table entries include a MAC address, IP address, lease time, entry type (S

IP SOURCE GUARD COMMANDS22-9show ip source-guardThis command shows whether source guard is enabled or disabled on each interface.Command Mode Privileg

CLIENT SECURITY COMMANDS22-10DHCP Snooping CommandsDHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which s

DHCP SNOOPING COMMANDS22-11ip dhcp snoopingThis command enables DHCP snooping globally. Use the no form to restore the default setting.Syntax [no] ip

CLIENT SECURITY COMMANDS22-12- If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets

DHCP SNOOPING COMMANDS22-13binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for i

CLIENT SECURITY COMMANDS22-14• When the DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes

DHCP SNOOPING COMMANDS22-15• unit - Stack unit. (Range: 1) • port - Port number. (Range: 1-28)• lease-time - The time after which an entry is removed

INITIAL CONFIGURATION2-5Access to both CLI levels are controlled by user names and passwords. The switch has a default user name and password for each

CLIENT SECURITY COMMANDS22-16• When the lease time for a dynamic or static DHCP binding entry expires, it is removed from the binding table.ExampleThi

DHCP SNOOPING COMMANDS22-17Related Commands ip dhcp snooping (22-11)ip dhcp snooping vlan (22-13)ip dhcp snooping trust (22-17)ip dhcp snooping databa

CLIENT SECURITY COMMANDS22-18Command Usage • An untrusted interface is an interface that is configured to receive messages from outside the network or

DHCP SNOOPING COMMANDS22-19Exampleshow ip dhcp snooping bindingThis command shows the DHCP snooping binding table entries.Command Mode Privileged Exec

CLIENT SECURITY COMMANDS22-20

23-1CHAPTER 23ACCESS CONTROL LISTCOMMANDSAccess Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protoc

ACCESS CONTROL LIST COMMANDS23-2IP ACLsThe commands in this section configure ACLs based on IP addresses, TCP/UDP port number, protocol type, and TCP

IP ACLS23-3access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remov

ACCESS CONTROL LIST COMMANDS23-4permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packet

IP ACLS23-5permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific sour

BASIC CONFIGURATION2-64. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Ente

ACCESS CONTROL LIST COMMANDS23-6• control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (R

IP ACLS23-7ExampleThis example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e.

ACCESS CONTROL LIST COMMANDS23-8Example Related Commandspermit, deny 23-4ip access-group (23-14)access-list ip mask-precedence This command changes to

IP ACLS23-9Example Related Commandsmask (IP ACL) (23-9)ip access-group (23-14)mask (IP ACL)This command defines a mask for IP ACLs. This mask defines

ACCESS CONTROL LIST COMMANDS23-10Default SettingNoneCommand ModeIP MaskCommand Usage• Packets crossing a port are checked against all the rules in the

IP ACLS23-11This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, pac

ACCESS CONTROL LIST COMMANDS23-12This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the La

IP ACLS23-13This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets th

ACCESS CONTROL LIST COMMANDS23-14Command ModePrivileged ExecExample Related Commandsmask (IP ACL) (23-9)ip access-group This command binds a port to a

MAC ACLS23-15Related Commandsshow ip access-list (23-7)show ip access-groupThis command shows the ports assigned to IP ACLs.Command ModePrivileged Exe

INITIAL CONFIGURATION2-7Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:•

ACCESS CONTROL LIST COMMANDS23-16access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove

MAC ACLS23-17Related Commandspermit, deny (23-17)mac access-group (23-23)show mac access-list (23-19)permit, deny (MAC ACL)This command adds a rule to

ACCESS CONTROL LIST COMMANDS23-18• tagged-eth2 – Tagged Ethernet II packets.• untagged-eth2 – Untagged Ethernet II packets.• tagged-802.3 – Tagged Eth

MAC ACLS23-19Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 080

ACCESS CONTROL LIST COMMANDS23-20access-list mac mask-precedence This command changes to MAC Mask mode used to configure access control masks. Use the

MAC ACLS23-21mask (MAC ACL)This command defines a mask for MAC ACLs. This mask defines the fields to check in the packet header. Use the no form to re

ACCESS CONTROL LIST COMMANDS23-22ExampleThis example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of

MAC ACLS23-23show access-list mac mask-precedence This command shows the ingress or egress rule masks for MAC ACLs.Syntaxshow access-list mac mask-pre

ACCESS CONTROL LIST COMMANDS23-24• If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding wi

ACL INFORMATION23-25show access-listThis command shows all IPv4 ACLs and associated rules.Command ModePrivileged ExecCommand UsageOnce the ACL is boun

BASIC CONFIGURATION2-8To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete th

ACCESS CONTROL LIST COMMANDS23-26

24-1CHAPTER 24INTERFACE COMMANDSThese commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Tab

INTERFACE COMMANDS24-2interfaceThis command configures an interface type and enter interface configuration mode. Use the no form to remove a trunk.Syn

DESCRIPTION24-3descriptionThis command adds a description to an interface. Use the no form to remove the description.Syntax description stringno descr

INTERFACE COMMANDS24-4Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting

NEGOTIATION24-5negotiationThis command enables autonegotiation for a given interface. Use the no form to disable autonegotiation.Syntax [no] negotiati

INTERFACE COMMANDS24-6capabilitiesThis command advertises the port capabilities of a given interface during autonegotiation. Use the no form with para

FLOWCONTROL24-7Example The following example configures Ethernet port 5 capabilities to 100half and 100full.Related Commands negotiation (24-5)speed-d

INTERFACE COMMANDS24-8To enable flow control under auto-negotiation, “flowcontrol” must be included in the capabilities list for any port• Avoid using

SHUTDOWN24-9ExampleThis forces the switch to use the built-in RJ-45 port for the combination port 28.shutdown This command disables an interface. To r

INITIAL CONFIGURATION2-9Enabling SNMP Management Access The switch can be configured to accept management commands from Simple Network Management Prot

INTERFACE COMMANDS24-10switchport packet-rateThis command configures broadcast and multicast storm control. Use the no form to restore the default set

SWITCHPORT BLOCK24-11switchport block This command prevents flooding of unknown unicast or multicast packets to an interface. Use the no form to resto

INTERFACE COMMANDS24-12clear countersThis command clears statistics on an interface.Syntax clear counters interfaceinterface • ethernet unit/port- uni

SHOW INTERFACES STATUS24-13show interfaces statusThis command displays the status for an interface.Syntax show interfaces status [interface]interface

INTERFACE COMMANDS24-14Example show interfaces countersThis command displays interface statistics. Syntax show interfaces counters [interface]interfac

SHOW INTERFACES COUNTERS24-15Command Mode Normal Exec, Privileged ExecCommand Usage If no interface is specified, information on all interfaces is dis

INTERFACE COMMANDS24-16show interfaces switchportThis command displays the administrative and operational status of the specified interfaces.Syntax sh

SHOW INTERFACES SWITCHPORT24-17Table 24-2 show interfaces switchport - display descriptionField DescriptionBroadcast threshold Shows if broadcast sto

INTERFACE COMMANDS24-18

25-1CHAPTER 25LINK AGGREGATIONCOMMANDSPorts can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network conn

BASIC CONFIGURATION2-10To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default c

LINK AGGREGATION COMMANDS25-2Guidelines for Creating TrunksGeneral Guidelines –• Finish configuring port trunks before you connect the corresponding n

CHANNEL-GROUP25-3• If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null valu

LINK AGGREGATION COMMANDS25-4Example The following example creates trunk 1 and then adds port 11:lacpThis command enables 802.3ad Link Aggregation Con

LACP25-5ExampleThe following shows LACP enabled on ports 46-48. Because LACP has also been enabled on the ports at the other end of the links, the sho

LINK AGGREGATION COMMANDS25-6lacp system-priorityThis command configures a port's LACP system priority. Use the no form to restore the default se

LACP ADMIN-KEY (ETHERNET INTERFACE)25-7lacp admin-key (Ethernet Interface)This command configures a port's LACP administration key. Use the no fo

LINK AGGREGATION COMMANDS25-8lacp admin-key (Port Channel)This command configures a port channel's LACP administration key string. Use the no for

LACP PORT-PRIORITY25-9lacp port-priorityThis command configures LACP port priority. Use the no form to restore the default setting.Syntax lacp {actor

LINK AGGREGATION COMMANDS25-10show lacpThis command displays LACP information.Syntax show lacp [port-channel] {counters | internal | neighbors | sys-i

SHOW LACP25-11Table 25-2 show lacp counters - display descriptionField DescriptionLACPDUs Sent Number of valid LACPDUs transmitted from this channel

INITIAL CONFIGURATION2-11Then press <Enter>. For a more detailed description of these parameters, see “snmp-server host” on page 20-6. The follo

LINK AGGREGATION COMMANDS25-12LACPDUs InternalNumber of seconds before invalidating received LACPDU information.LACP System PriorityLACP system priori

SHOW LACP25-13Console#show lacp 1 neighborsPort channel 1 neighbors-------------------------------------------------------------------Eth 1/1---------

LINK AGGREGATION COMMANDS25-14Console#show lacp sysidPort Channel System Priority System MAC Address-------------------------------------------

26-1CHAPTER 26MIRROR PORT COMMANDSThis section describes how to mirror traffic from a source port to a target port. port monitorThis command configure

MIRROR PORT COMMANDS26-2Command Usage • You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach

SHOW PORT MONITOR26-3Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX)

MIRROR PORT COMMANDS26-4

27-1CHAPTER 27RATE LIMIT COMMANDSThis function allows the network manager to control the maximum rate for traffic transmitted or received on an interf

RATE LIMIT COMMANDS27-2rate-limitThis command defines the rate limit for a specific interface. Use this command without specifying a rate to restore t

RATE-LIMIT COS27-3rate-limit cosThis command defines the output rate limit for an interface based on specified CoS priorities. Use the no form to rest

MANAGING SYSTEM FILES2-12Managing System FilesThe switch’s flash memory supports three types of system files that can be managed by the CLI program, w

RATE LIMIT COMMANDS27-4ExampleThis example sets the maximum output rate for CoS traffic of priority level 0 to 50 Mbps on Port 1. Table 27-2 Mapping

SHOW RATE-LIMIT COS27-5show rate-limit cosThis command displays the output rate limit for CoS priorities.Command Mode Privileged ExecCommand Usage If

RATE LIMIT COMMANDS27-6

28-1CHAPTER 28ADDRESS TABLE COMMANDSThese commands are used to configure the address table for filtering specified addresses, displaying current entri

ADDRESS TABLE COMMANDS28-2mac-address-table staticThis command maps a static address to a destination port in a VLAN. Use the no form to remove an add

CLEAR MAC-ADDRESS-TABLE DYNAMIC28-3• A static address cannot be learned on another port until the address is removed with the no form of this command.

ADDRESS TABLE COMMANDS28-4show mac-address-tableThis command shows classes of entries in the bridge-forwarding database.Syntax show mac-address-table

MAC-ADDRESS-TABLE AGING-TIME28-5• The maximum number of address entries is 8191.Examplemac-address-table aging-timeThis command sets the aging time fo

ADDRESS TABLE COMMANDS28-6show mac-address-table aging-timeThis command shows the aging time for entries in the address table.Default Setting NoneComm

29-1CHAPTER 29SPANNING TREE COMMANDSThis section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and comma

INITIAL CONFIGURATION2-13In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and

SPANNING TREE COMMANDS29-2revision Configures the revision number for the multiple spanning treeMST 29-14max-hops Configures the maximum number of hop

SPANNING-TREE29-3spanning-treeThis command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.Syntax [no] span

SPANNING TREE COMMANDS29-4spanning-tree modeThis command selects the spanning tree mode for this switch. Use the no form to restore the default.Syntax

SPANNING-TREE FORWARD-TIME29-5restarts the migration delay timer and begins using RSTP BPDUs on that port.• Multiple Spanning Tree Protocol- To allow

SPANNING TREE COMMANDS29-6Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discar

SPANNING-TREE MAX-AGE29-7Related Commandsspanning-tree forward-time (29-5)spanning-tree max-age (29-7)spanning-tree max-ageThis command configures the

SPANNING TREE COMMANDS29-8Related Commandsspanning-tree forward-time (29-5)spanning-tree hello-time (29-6)spanning-tree priorityThis command configure

SPANNING-TREE PATHCOST METHOD29-9spanning-tree pathcost methodThis command configures the path cost method used for Rapid Spanning Tree and Multiple S

SPANNING TREE COMMANDS29-10spanning-tree transmission-limitThis command configures the minimum interval between the transmission of consecutive RSTP/M

MST VLAN29-11Related Commands mst vlan (29-11)mst priority (29-12)name (29-13)revision (29-14)max-hops (29-14)mst vlanThis command adds VLANs to a spa

viWARRANTIES EXCLUSIVE: IF AN SMC PRODUCT DOES NOT OPERATE AS WARRANTED ABOVE, CUSTOMER’S SOLE REMEDY SHALL BE REPAIR OR REPLACEMENT OF THE PRODUCT IN

MANAGING SYSTEM FILES2-14To save the current configuration settings, enter the following command:1. From the Privileged Exec mode prompt, type “copy r

SPANNING TREE COMMANDS29-12instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connec

NAME29-13Example nameThis command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear

SPANNING TREE COMMANDS29-14revisionThis command configures the revision number for this multiple spanning tree configuration of this switch. Use the n

SPANNING-TREE SPANNING-DISABLED29-15Default Setting 20Command Mode MST ConfigurationCommand Usage An MSTI region is treated as a single node by the ST

SPANNING TREE COMMANDS29-16Example This example disables the spanning tree algorithm for port 5.spanning-tree costThis command configures the spanning

SPANNING-TREE COST29-17Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the pa

SPANNING TREE COMMANDS29-18spanning-tree port-priorityThis command configures the priority for the specified interface. Use the no form to restore the

SPANNING-TREE PORTFAST29-19Default Setting DisabledCommand Mode Interface Configuration (Ethernet, Port Channel)Command Usage • You can enable this op

SPANNING TREE COMMANDS29-20Command Mode Interface Configuration (Ethernet, Port Channel)Command Usage • This command is used to enable/disable the fas

SPANNING-TREE LINK-TYPE29-21spanning-tree link-typeThis command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the n

SECTION IISWITCH MANAGEMENTThis section describes the basic switch features, along with a detailed description of how to configure each feature via a

SPANNING TREE COMMANDS29-22spanning-tree mst costThis command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the n

SPANNING-TREE MST PORT-PRIORITY29-23should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower me

SPANNING TREE COMMANDS29-24Where more than one interface is assigned the highest priority, the interface with lowest numeric identifier will be enable

SHOW SPANNING-TREE29-25Example show spanning-treeThis command shows the configuration for the common spanning tree (CST) or for an instance within the

SPANNING TREE COMMANDS29-26description of the items displayed for specific interfaces, see “Displaying Interface Settings” on page 11-13.ExampleConsol

SHOW SPANNING-TREE MST CONFIGURATION29-27show spanning-tree mst configurationThis command shows the configuration of the multiple spanning tree.Comman

SPANNING TREE COMMANDS29-28

30-1CHAPTER 30VLAN COMMANDSA VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same p

VLAN COMMANDS30-2GVRP and Bridge Extension CommandsGARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to

GVRP AND BRIDGE EXTENSION COMMANDS30-3Command Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on

SWITCH MANAGEMENT

VLAN COMMANDS30-4switchport gvrpThis command enables GVRP for a port. Use the no form to disable it.Syntax [no] switchport gvrpDefault Setting Disable

GVRP AND BRIDGE EXTENSION COMMANDS30-5garp timerThis command sets the values for the join, leave and leaveall timers. Use the no form to restore the t

VLAN COMMANDS30-6Example Related Commandsshow garp timer (30-6)show garp timerThis command shows the GARP timers for the selected interface.Syntax sho

EDITING VLAN GROUPS30-7Editing VLAN Groupsvlan databaseThis command enters VLAN database mode. All commands in this mode will take effect immediately.

VLAN COMMANDS30-8vlanThis command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.Syntax vlan vlan-id [name vlan-n

CONFIGURING VLAN INTERFACES30-9Related Commands show vlan (30-16)Configuring VLAN Interfacesinterface vlanThis command enters interface configuration

VLAN COMMANDS30-10Default Setting NoneCommand Mode Global ConfigurationExample The following example shows how to set the interface configuration mode

CONFIGURING VLAN INTERFACES30-11Example The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid:Re

VLAN COMMANDS30-12Related Commandsswitchport mode (30-10)switchport ingress-filtering This command enables ingress filtering for an interface. Use the

CONFIGURING VLAN INTERFACES30-13switchport native vlanThis command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore

3-1CHAPTER 3CONFIGURING THE SWITCHUsing the Web InterfaceThis switch provides an embedded HTTP web agent. Using a web browser you can configure the sw

VLAN COMMANDS30-14switchport allowed vlanThis command configures VLAN groups on the selected interface. Use the no form to restore the default.Syntax

CONFIGURING VLAN INTERFACES30-15• If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically remo

VLAN COMMANDS30-16Example The following example shows how to prevent port 1 from being added to VLAN 3:Displaying VLAN InformationThis section describ

CONFIGURING PRIVATE VLANS30-17Example The following example shows how to display information for VLAN 1:Configuring Private VLANsPrivate VLANs provide

VLAN COMMANDS30-18Command Mode Global ConfigurationCommand Usage• A private VLAN provides port-based security and isolation between ports within the V

CONFIGURING PROTOCOL-BASED VLANS30-19Configuring Protocol-based VLANsThe network devices required to support multiple protocols cannot be easily group

VLAN COMMANDS30-203. Then map the protocol for each interface to the appropriate VLAN using the protocol-vlan protocol-group command (Interface Config

CONFIGURING PROTOCOL-BASED VLANS30-21protocol-vlan protocol-group (Configuring Interfaces)This command maps a protocol group to a VLAN for the current

VLAN COMMANDS30-22Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN

CONFIGURING PROTOCOL-BASED VLANS30-23show interfaces protocol-vlan protocol-groupThis command shows the mapping from protocol groups to VLANs for the

CONFIGURING THE SWITCH3-2Notes: 1. You are allowed three attempts to enter the correct password; on the third failed attempt the current connection is

VLAN COMMANDS30-24Configuring IEEE 802.1Q TunnelingQinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs.

CONFIGURING IEEE 802.1Q TUNNELING30-25ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100. (See switchport dot1q-ethert

VLAN COMMANDS30-26ExampleRelated Commandsshow dot1q-tunnel (page 30-26)show interfaces switchport (24-16)show dot1q-tunnelThis command displays infor

CONFIGURING IEEE 802.1Q TUNNELING30-27switchport dot1q-ethertypeThis command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the n

VLAN COMMANDS30-28

31-1CHAPTER 31CLASS OF SERVICECOMMANDSThe commands described in this section allow you to specify which data packets have greater precedence when traf

CLASS OF SERVICE COMMANDS31-2Priority Commands (Layer 2)This section describes commands used to configure Layer 2 traffic priority on the switch.Table

PRIORITY COMMANDS (LAYER 2)31-3queue modeThis command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (C

CLASS OF SERVICE COMMANDS31-4Related Commandsqueue bandwidth (31-6)show queue mode (31-4)show queue modeThis command shows the current queue mode.Defa

PRIORITY COMMANDS (LAYER 2)31-5Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priori

NAVIGATING THE WEB BROWSER INTERFACE3-3Navigating the Web Browser InterfaceTo access the web-browser interface you must first enter a user name and pa

CLASS OF SERVICE COMMANDS31-6queue bandwidth This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queu

PRIORITY COMMANDS (LAYER 2)31-7queue cos-mapThis command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0

CLASS OF SERVICE COMMANDS31-8Example The following example shows how to change the CoS assignments to a one-to-one mapping:Related Commands show queue

PRIORITY COMMANDS (LAYER 2)31-9show queue cos-mapThis command shows the class of service priority map.Syntax show queue cos-map [interface]interface •

CLASS OF SERVICE COMMANDS31-10Default Setting The original priority value in the VLAN tag of a tagged packet, or a VLAN priority tag inserted by anoth

PRIORITY COMMANDS (LAYER 3 AND 4)31-11Priority Commands (Layer 3 and 4)This section describes commands used to configure Layer 3 and Layer 4 traffic p

CLASS OF SERVICE COMMANDS31-12Command Usage The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.

PRIORITY COMMANDS (LAYER 3 AND 4)31-13map ip precedence (Global Configuration)This command enables IP precedence mapping (i.e., IP Type of Service). U

CLASS OF SERVICE COMMANDS31-14Default Setting The list below shows the default priority mapping.Command Mode Interface Configuration (Ethernet, Port C

PRIORITY COMMANDS (LAYER 3 AND 4)31-15Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport

CONFIGURING THE SWITCH3-4Configuration OptionsConfigurable parameters have a dialog box or a drop-down list. Once a configuration change has been made

CLASS OF SERVICE COMMANDS31-16Command Mode Interface Configuration (Ethernet, Port Channel)Command Usage • The precedence for priority mapping is IP P

PRIORITY COMMANDS (LAYER 3 AND 4)31-17Example The following shows that HTTP traffic has been mapped to CoS value 0:Related Commands map ip port (Globa

CLASS OF SERVICE COMMANDS31-18Example Related Commands map ip precedence (Global Configuration) (31-13)map ip precedence (Interface Configuration) (31

PRIORITY COMMANDS (LAYER 3 AND 4)31-19Example Related Commands map ip dscp (Global Configuration) (31-14)map ip dscp (Interface Configuration) (31-15)

CLASS OF SERVICE COMMANDS31-20

32-1CHAPTER 32QUALITY OF SERVICECOMMANDSThe commands described in this section are used to configure Differentiated Services (DiffServ) classification

QUALITY OF SERVICE COMMANDS32-2To create a service policy for a specific category of ingress traffic, follow these steps:1. Use the class-map command

CLASS-MAP32-3Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.2. You should create a Cl

QUALITY OF SERVICE COMMANDS32-4• The class map is used with a policy map (page 32-6) to create a service policy (page 32-10) for a specific interface

MATCH32-5Command Usage •First enter the class-map command to designate a class map and enter the Class Map configuration mode. Then use the match comm

NAVIGATING THE WEB BROWSER INTERFACE3-5Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all

QUALITY OF SERVICE COMMANDS32-6policy-mapThis command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configur

CLASS32-7classThis command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no fo

QUALITY OF SERVICE COMMANDS32-8Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_

POLICE32-9Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set

QUALITY OF SERVICE COMMANDS32-10burst-byte field, and the average rate tokens are removed from the bucket is by specified by the rate-bps option. Exam

SHOW CLASS-MAP32-11• You must first define a class map, then define a policy map, and finally use the service-policy command to bind the policy map to

QUALITY OF SERVICE COMMANDS32-12show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, a

SHOW POLICY-MAP INTERFACE32-13show policy-map interfaceThis command displays the service policy assigned to the specified interface.Syntax show policy

QUALITY OF SERVICE COMMANDS32-14

33-1CHAPTER 33MULTICAST FILTERINGCOMMANDSThis switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to recei

CONFIGURING THE SWITCH3-6Remote Logs Configures the logging of messages to a remote logging process4-29SMTP Sends an SMTP client message to a partici

MULTICAST FILTERING COMMANDS33-2IGMP Snooping CommandsThis section describes commands used to configure IGMP snooping on the switch. ip igmp snoopingT

IGMP SNOOPING COMMANDS33-3Command Mode Global ConfigurationExample The following example enables IGMP snooping.ip igmp snooping vlan staticThis comman

MULTICAST FILTERING COMMANDS33-4ip igmp snooping versionThis command configures the IGMP snooping version. Use the no form to restore the default.Synt

IGMP SNOOPING COMMANDS33-5ip igmp snooping leave-proxyThis command suppresses leave messages unless received from the last member port in the group. U

MULTICAST FILTERING COMMANDS33-6• IGMP version 1 hosts do not respond to multicast group-specific queries. If a version 1 host is known by the switch

IGMP SNOOPING COMMANDS33-7• This command is only effective if IGMP snooping is enabled, and IGMPv2 or IGMPv3 snooping is used. Example The following s

MULTICAST FILTERING COMMANDS33-8show mac-address-table multicast This command shows known multicast addresses.Syntax show mac-address-table multicast

IGMP QUERY COMMANDS33-9IGMP Query CommandsThis section describes commands used to configure Layer 2 IGMP query on the switch. ip igmp snooping querier

MULTICAST FILTERING COMMANDS33-10Exampleip igmp snooping query-countThis command configures the query count. Use the no form to restore the default.Sy

IGMP QUERY COMMANDS33-11ip igmp snooping query-intervalThis command configures the query interval. Use the no form to restore the default.Syntax ip ig

NAVIGATING THE WEB BROWSER INTERFACE3-7Port Security Configures per port security, including status, response for security breach, and maximum allowed

MULTICAST FILTERING COMMANDS33-12Command Usage• The switch must be using IGMPv2 or v3 snooping for this command to take effect. • This command defines

STATIC MULTICAST ROUTING COMMANDS33-13Command Usage The switch must use IGMPv2 or v3 snooping for this command to take effect.Example The following sh

MULTICAST FILTERING COMMANDS33-14Default Setting No static multicast router ports are configured. Command Mode Global ConfigurationCommand Usage Depen

MULTICAST VLAN REGISTRATION COMMANDS33-15Example The following shows that port 11 in VLAN 1 is attached to a multicast router:Multicast VLAN Registrat

MULTICAST FILTERING COMMANDS33-16mvr (Global Configuration)This command enables Multicast VLAN Registration (MVR) globally on the switch, statically c

MULTICAST VLAN REGISTRATION COMMANDS33-17• IGMP snooping must be enabled to a allow a subscriber to dynamically join or leave an MVR group (see ip igm

MULTICAST FILTERING COMMANDS33-18Command Mode Interface Configuration (Ethernet, Port Channel)Command Usage • A port which is not configured as an MVR

MULTICAST VLAN REGISTRATION COMMANDS33-19page 33-2). Note that only IGMP version 2 or 3 hosts can issue multicast join or leave messages.Example The f

MULTICAST FILTERING COMMANDS33-20Command Mode Privileged ExecCommand Usage Enter this command without any keywords to display the global settings for

MULTICAST VLAN REGISTRATION COMMANDS33-21The following displays information about the interfaces attached to the MVR VLAN:Console#show mvr interfacePo

viiTABLE OF CONTENTSSection I Getting Started1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1Key Features . .

CONFIGURING THE SWITCH3-8Port Neighbors Information Displays settings and operational state for the remote side9-21Port Broadcast Control Sets the bro

MULTICAST FILTERING COMMANDS33-22The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN:Consol

34-1CHAPTER 34DOMAIN NAME SERVICECOMMANDSThese commands are used to configure Domain Naming System (DNS) services. You can manually configure entries

DOMAIN NAME SERVICE COMMANDS34-2ip hostThis command creates a static entry in the DNS table that maps a host name to an IP address. Use the no form to

CLEAR HOST34-3Example This example maps two address to a host name.clear hostThis command deletes entries from the DNS table.Syntax clear host {name |

DOMAIN NAME SERVICE COMMANDS34-4ip domain-nameThis command defines the default domain name appended to incomplete host names (i.e., host names passed

IP DOMAIN-LIST34-5ip domain-listThis command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed fro

DOMAIN NAME SERVICE COMMANDS34-6ExampleThis example adds two domain names to the current list and then displays the list.Related Commands ip domain-na

IP DOMAIN-LOOKUP34-7ExampleThis example adds two domain-name servers to the list and then displays the list.Related Commands ip domain-name (34-4)ip d

DOMAIN NAME SERVICE COMMANDS34-8ExampleThis example enables DNS and then displays the configuration.Related Commands ip domain-name (34-4)ip name-serv

SHOW DNS34-9show dnsThis command displays the configuration of the DNS service.Command Mode Privileged ExecExampleshow dns cacheThis command displays

NAVIGATING THE WEB BROWSER INTERFACE3-9MSTP VLAN Configuration Configures priority and VLANs for a spanning tree instance11-21 Port Information Displ

DOMAIN NAME SERVICE COMMANDS34-10clear dns cacheThis command clears all entries in the DNS cache.Command Mode Privileged ExecExampleTYPE This field in

35-1CHAPTER 35IP INTERFACE COMMANDSAn IP address may be used for management access to the switch over your network. An IP address is obtained via DHCP

IP INTERFACE COMMANDS35-2ip address This command sets the IP address for the currently selected VLAN interface. Use the no form to remove the current

BASIC IP CONFIGURATION35-3Notes: 1. Only one VLAN interface can be assigned an IP address (the default is VLAN 1). This defines the management VLAN, t

IP INTERFACE COMMANDS35-4• An default gateway can only be successfully set when a network interface that directly connects to the gateway has been con

BASIC IP CONFIGURATION35-5Example In the following example, the device is reassigned the same address.Related Commands ip address (35-2)show ip interf

IP INTERFACE COMMANDS35-6Example Related Commands ip default-gateway (35-3)show arpUse this command to display entries in the Address Resolution Proto

BASIC IP CONFIGURATION35-7pingThis command sends ICMP echo request packets to another node on the network.Syntax ping host [count count][size size]• h

IP INTERFACE COMMANDS35-8Example Related Commands interface (24-2)Console#ping 10.1.0.9Type ESC to abort.PING to 10.1.0.9, by 5 32-byte payload ICMP p

SECTION IVAPPENDICESThis section provides additional information on the following topics. Software Specifications . . . . . . . . . . . . . . . . .

CONFIGURING THE SWITCH3-10Priority 13-1Default Port Priority Sets the default priority for each port 13-1Default Trunk Priority Sets the default prior

APPENDICES

A-1APPENDIX ASOFTWARE SPECIFICATIONSSoftware FeaturesAuthenticationLocal, RADIUS, TACACS+, Port (802.1X), HTTPS, SSH, Port SecurityAccess Control List

SOFTWARE SPECIFICATIONSA-2Rate LimitsInput LimitOutput limitRange (configured per port)Port TrunkingStatic trunks (Cisco EtherChannel compliant)Dynami

MANAGEMENT FEATURESA-3Management FeaturesIn-Band ManagementTelnet, web-based HTTP or HTTPS, SNMP manager, or Secure ShellOut-of-Band ManagementRS-232

SOFTWARE SPECIFICATIONSA-4IGMPv2 (RFC 2236)IPv4 IGMP (RFC 3228)RADIUS+ (RFC 2618)RMON (RFC 2819 groups 1,2,3,9)SNMP (RFC 1157)SNMPv2c (RFC 2571)SNMPv3

MANAGEMENT INFORMATION BASESA-5RADIUS Authentication Client MIB (RFC 2621)RMON MIB (RFC 2819)RMON II Probe Configuration Group (RFC 2021, partial impl

SOFTWARE SPECIFICATIONSA-6

B-1APPENDIX BTROUBLESHOOTINGProblems Accessing the Management Interface Table B-1 Troubleshooting ChartSymptom ActionCannot connect using Telnet, we

TROUBLESHOOTINGB-2Cannot connect using Secure Shell• If you cannot connect using SSH, you may have exceeded the maximum number of concurrent Telnet/SS

USING SYSTEM LOGSB-3Using System LogsIf a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually cau

NAVIGATING THE WEB BROWSER INTERFACE3-11Static Multicast Router Port ConfigurationAssigns ports that are attached to a neighboring multicast router15-

TROUBLESHOOTINGB-4

Glossary-1GLOSSARYAccess Control List (ACL)ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for

GLOSSARYGlossary-2marked for different kinds of forwarding. The DSCP bits are mapped to the Class of Service categories, and then into the output queu

GLOSSARYGlossary-3Generic Multicast Registration Protocol (GMRP)GMRP allows network devices to register end stations with multicast groups. GMRP requi

GLOSSARYGlossary-4IEEE 802.3acDefines frame extensions for VLAN tagging.IEEE 802.3xDefines Ethernet frame start/stop requests and timers used for flow

GLOSSARYGlossary-5IP PrecedenceThe Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority lev

GLOSSARYGlossary-6Multicast SwitchingA process whereby the switch filters incoming multicast frames for services for which no attached host has regist

GLOSSARYGlossary-7Port MirroringA method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON

GLOSSARYGlossary-8Rapid Spanning Tree Protocol (RSTP)RSTP reduces the convergence time for network topology changes to about 10% of that required by t

GLOSSARYGlossary-9Terminal Access Controller Access Control System Plus (TACACS+)TACACS+ is a logon authentication protocol that uses software running

CONFIGURING THE SWITCH3-12

GLOSSARYGlossary-10XModemA protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.

Index-1Numerics802.1Q tunnel 12-17, 30-24description 12-17interface configuration 12-23, 30-25–30-27mode selection 12-23TPID 12-16, 12-23, 30-27802.1X

INDEXIndex-2name server list 16-1, 34-6static entries 16-4Domain Name Service See DNSdownloading software 4-16, 19-16DSCPenabling 13-9, 31-14mapping

INDEXIndex-3Link Aggregation Control Protocol See LACPlink type, STA 11-16, 11-19, 29-21loggingsyslog traps 19-40to syslog servers 19-38log-in, Web i

INDEXIndex-4rate limitssetting input and output limits 27-2setting output limits based on priorities 27-3rate limits, setting 9-26remote logging 19-40

INDEXIndex-5user account 6-1user password 6-1, 21-2, 21-4VVLANs 12-1–12-26, 30-1–30-18802.1Q tunnel mode 12-23adding static members 12-10, 12-13, 30-1

INDEXIndex-6

38 TeslaIrvine, CA 92618Phone: (949) 679-8000FOR TECHNICAL SUPPORT, CALL:From U.S.A. and Canada (24 hours a day, 7 days a week)(800) SMC-4-YOU; (949)

4-1CHAPTER 4BASIC MANAGEMENT TASKSThis chapter describes the basic functions required to set up management access to the switch, display or upgrade op

BASIC MANAGEMENT TASKS4-2• Web Secure Server Port – Shows the TCP port used by the HTTPS interface.• Telnet Server – Shows if management access via Te

DISPLAYING SYSTEM INFORMATION4-3CLI – Specify the hostname, location and contact information.Console(config)#hostname R&D 5 19-2Console(config)#sn

BASIC MANAGEMENT TASKS4-4Configuring the Switch for Normal Operation or Tunneling ModeThe system can be configured to operate in normal mode or IEEE 8

CONFIGURING THE MAXIMUM FRAME SIZE4-5CLI – This example sets the switch to operate in QinQ mode.Configuring the Maximum Frame SizeThe maximum transfer

TABLE OF CONTENTSviiiMain Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54 Basic Management Tasks . .

BASIC MANAGEMENT TASKS4-6Command Attributes• System MTU (1500-1548) – Specifies the MTU size for Fast Ethernet ports. (Range: 1500-1548 bytes)• Jumbo

CONFIGURING SUPPORT FOR JUMBO FRAMES4-7Configuring Support for Jumbo FramesThe switch provides more efficient throughput for large sequential data tra

BASIC MANAGEMENT TASKS4-8Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for

DISPLAYING SWITCH HARDWARE/SOFTWARE VERSIONS4-9Web – Click System, Switch Information.Figure 4-5 Switch InformationCLI – Use the following command to

BASIC MANAGEMENT TASKS4-10Displaying Bridge Extension CapabilitiesThe Bridge MIB includes extensions for managed devices that support Multicast Filter

DISPLAYING BRIDGE EXTENSION CAPABILITIES4-11Web – Click System, Bridge Extension.Figure 4-6 Displaying Bridge Extension ConfigurationCLI – Enter the

BASIC MANAGEMENT TASKS4-12Setting the Switch’s IP AddressThis section describes how to configure an IP interface for management access over the networ

SETTING THE SWITCH’S IP ADDRESS4-13• MAC Address – The physical layer address for this switch.Manual ConfigurationWeb – Click System, System, IP Confi

BASIC MANAGEMENT TASKS4-14Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the stack to be dynamically configured by t

MANAGING FIRMWARE4-15Renewing DCHP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the

TABLE OF CONTENTSixConfiguring Remote SNMPv3 Users . . . . . . . . . . . . . . . . . . . . . 5-15Configuring SNMPv3 Groups . . . . . . . . . . . . .

BASIC MANAGEMENT TASKS4-16• File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period

MANAGING FIRMWARE4-17If you download to a new destination file, go to the File Management, Set Start-Up menu, mark the operation code file used at sta

BASIC MANAGEMENT TASKS4-18CLI – To download new firmware form a TFTP server, enter the IP address of the TFTP server, select “config” as the file type

SAVING OR RESTORING CONFIGURATION SETTINGS4-19- running-config to startup-config – Copies the running config to the startup config.- running-config to

BASIC MANAGEMENT TASKS4-20Downloading Configuration Settings from a ServerYou can download the configuration file under a new file name and then set i

SAVING OR RESTORING CONFIGURATION SETTINGS4-21If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file is automat

BASIC MANAGEMENT TASKS4-22Console Port SettingsYou can access the onboard configuration program by attaching a VT100 compatible device to the switch’s

CONSOLE PORT SETTINGS4-23device connected to the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud, Auto; Default: Auto)• Stop Bits – Set

BASIC MANAGEMENT TASKS4-24CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the curr

TELNET SETTINGS4-25• Login Timeout – Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within