Edge-Core ES3528M-PoE Installation Guide

Powered by Acctonwww.edge-core.comManagement GuideES3528M-PoEFast Ethernet Switch

ContentsxConfiguring Parameters for LACP Group Members 3-137Configuring Parameters for LACP Groups 3-140Displaying LACP Port Counters 3-141Displayi

Configuring the Switch3-503Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific secu

Simple Network Management Protocol3-513Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name

Configuring the Switch3-523Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read,

Simple Network Management Protocol3-533linkDown*1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP entity, acting in an agent role, has detec

Configuring the Switch3-543Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a securi

Simple Network Management Protocol3-553CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and

Configuring the Switch3-563Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID sub

User Authentication3-573CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the

Configuring the Switch3-583Configuring User AccountsThe guest only has read access for most configuration parameters. However, the administrator has w

User Authentication3-593Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, the

ContentsxiConfiguring Private VLANs 3-207Associating VLANs 3-208Displaying Private VLAN Interface Information 3-209Configuring Private VLAN Interf

Configuring the Switch3-603multiple user name/password pairs with associated privilege levels for each user that requires management access to the swi

User Authentication3-613- Accounting Port Number – UDP port on authentication server used for accounting messages. (Range: 1-65535; Default: 1813)- Nu

Configuring the Switch3-623Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authent

User Authentication3-633CLI – Specify all the required parameters to enable logon authentication.Console(config)#authentication login radius 4-98Conso

Configuring the Switch3-643Configuring Encryption KeysThe Encryption Key feature provides a central location for the management of all RADIUS and TACA

User Authentication3-653- Secret Text String – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Ma

Configuring the Switch3-663AAA Authorization and AccountingThe Authentication, authorization, and accounting (AAA) feature provides the main framework

User Authentication3-673Configuring AAA RADIUS Group SettingsThe AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for acc

Configuring the Switch3-683Configuring AAA TACACS+ Group SettingsThe AAA TACACS+ Group Settings screen defines the configured TACACS+ servers to use f

User Authentication3-6933-59). Any other group name refers to a server group configured on the RADIUS or TACACS+ Group Settings pages.Web – Click Secu

ContentsxiiConfiguring IGMP Filtering and Throttling for Interfaces 3-261Multicast VLAN Registration 3-263Configuring Global MVR Settings 3-264Dis

Configuring the Switch3-703AAA Accounting UpdateThis feature sets the interval at which accounting updates are sent to accounting servers.Command Attr

User Authentication3-713AAA Accounting 802.1X Port SettingsThis feature applies the specified accounting method to an interface.Command Attributes• Po

Configuring the Switch3-723AAA Accounting Exec Command PrivilegesThis feature specifies a method name to apply to commands entered at specific CLI pri

User Authentication3-733AAA Accounting Exec SettingsThis feature specifies a method name to apply to console and Telnet connections.Command Attributes

Configuring the Switch3-743Web – Click Security, AAA, Summary. Figure 3-42 AAA Accounting SummaryCLI – Use the following command to display the curre

User Authentication3-753Authorization SettingsAAA authorization is a feature that verifies a user has access to specific services.Command Attributes•

Configuring the Switch3-763Authorization EXEC SettingsThis feature specifies an authorization method name to apply to console and Telnet connections.C

User Authentication3-773Authorization SummaryThe Authorization Summary displays the configured authorization methods and the interfaces to which they

Configuring the Switch3-783Configuring HTTPSYou can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Sock

User Authentication3-793Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.Figure 3-46 HTTPS SettingsCL

Contentsxiiiquit 4-16System Management Commands 4-16Device Designation Commands 4-17hostname 4-17Banner Information Commands 4-18banner configure

Configuring the Switch3-803• Private Password – Password stored in the private key file. This password is used to verify authorization for certificate

User Authentication3-813Notes: 1. You need to install an SSH client on the management station to access the switch for management via the SSH protocol

Configuring the Switch3-8236. Authentication – One of the following authentication methods is employed:Password Authentication (for SSH v1.5 or V2 Cli

User Authentication3-833Generating the Host Key PairA host public/private key pair is used to provide secure communications between an SSH client and

Configuring the Switch3-843Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save th

User Authentication3-853Importing User Public KeysA user’s Public Key must be uploaded to the switch in order for the user to be able to log in using

Configuring the Switch3-863Web – Click Security, SSH, SSH User Public-Key Settings. Select the user name and the public-key type from the respective d

User Authentication3-873CLI – This example imports an SSHv2 DSA public key for the user admin and then displays admin’s imported public keys. Note tha

Configuring the Switch3-883• SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authenticati

User Authentication3-893Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attach

Contentsxivshow line 4-48Event Logging Commands 4-49logging on 4-49logging history 4-50logging host 4-51logging facility 4-51logging trap 4-52c

Configuring the Switch3-903• Each switch port that will be used must be set to dot1X “Auto” mode.• Each client that needs to be authenticated must hav

User Authentication3-913Configuring 802.1X Global SettingsThe 802.1X protocol provides port-based client authentication. The 802.1X protocol must be e

Configuring the Switch3-923• Re-authentication – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period.

User Authentication3-933CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example,

Configuring the Switch3-943Displaying 802.1X StatisticsThis switch can display statistics for dot1x protocol exchanges for any port. Table 3-7 802.1X

User Authentication3-953Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statisti

Configuring the Switch3-963• IP address can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five di

General Security Measures3-973CLI – This example allows SNMP access for a specific client.General Security Measures This switch supports many methods

Configuring the Switch3-983• IP Source Guard – Filters untrusted DHCP messages on unsecure ports by building and maintaining a DHCP snooping binding t

General Security Measures3-993• Security Status – Enables or disables port security on the port. (Default: Disabled)• Max MAC Count – The maximum numb

ContentsxvUPnP Commands 4-77upnp device 4-78upnp device ttl 4-78upnp device advertise duration 4-79show upnp 4-79Debug Commands 4-80debug spa

Configuring the Switch3-1003Configuring Web AuthenticationWeb authentication is configured on a per-port basis, however there are four configurable pa

General Security Measures3-1013Configuring Web Authentication for PortsWeb authentication is configured on a per-port basis. The following parameters

Configuring the Switch3-1023Displaying Web Authentication Port InformationThis switch can display web authentication information for all ports and con

General Security Measures3-1033Web – Click Security, Web Authentication, Re-authentication.Figure 3-60 Web Authentication Port Re-authenticationCLI –

Configuring the Switch3-1043• Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are t

General Security Measures3-1053CLI – This example sets and displays the reauthentication time. Configuring MAC Authentication for PortsConfigures MAC

Configuring the Switch3-1063Note: MAC authentication cannot be configured on trunk ports. Ports configured as trunk members are indicated on the Netwo

General Security Measures3-1073Displaying Secure MAC Address InformationAuthenticated MAC addresses are stored in the secure MAC address table. Inform

Configuring the Switch3-1083CLI – This example displays all entries currently in the secure MAC address table. Access Control Lists Access Control Lis

General Security Measures3-1093- Extended – IP ACL mode that filters packets based on source or destination IP address, as well as protocol type and p

ContentsxviAAA Commands 4-109aaa group server 4-109server 4-110aaa accounting dot1x 4-111aaa accounting exec 4-112aaa accounting commands 4-113aa

Configuring the Switch3-1103Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a

General Security Measures3-1113• Source/Destination Port Bitmask – Decimal number representing the port bits to match. (Range: 0-65535)• Control Code

Configuring the Switch3-1123Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type

General Security Measures3-1133Configuring a MAC ACLCommand Attributes• Action – An ACL can contain any combination of permit or deny rules.• Source/D

Configuring the Switch3-1143Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type

General Security Measures3-1153Binding a Port to an Access Control ListAfter configuring the Access Control Lists (ACL), you can bind the ports that n

Configuring the Switch3-1163Command Usage• Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP sno

General Security Measures3-1173configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receiv

Configuring the Switch3-1183• When DHCP snooping is globally enabled, and DHCP snooping is then disabled on a VLAN, all dynamic bindings learned for t

General Security Measures3-1193• In some cases, the switch may receive DHCP packets from a client that already includes DHCP Option 82 information. Th

ContentsxviiManagement IP Filter Commands 4-140management 4-140show management 4-141General Security Measures 4-142Port Security Commands 4-143por

Configuring the Switch3-1203Configuring Ports for DHCP SnoopingUse the DHCP Snooping Port Configuration page to configure switch ports as trusted or u

General Security Measures3-1213CLI – This example shows how to enable the DHCP Snooping Trust Status for ports.Displaying DHCP Snooping Binding Inform

Configuring the Switch3-1223Web – Click DHCP Snooping, DHCP Snooping Binding Information. Figure 3-73 DHCP Snooping Binding InformationCLI – This exa

General Security Measures3-1233• If IP source guard is enabled, an inbound packet’s IP address (sip option) or both its IP address and corresponding M

Configuring the Switch3-1243CLI – This example shows how to enable IP source guard on port 5 to check the source IP address for ingress packets agains

General Security Measures3-1253Web – Click IP Source Guard, Static Configuration. Select the VLAN and port to which the entry will be bound, enter the

Configuring the Switch3-1263Web – Click IP Source Guard, Dynamic Information. Figure 3-76 Dynamic IP Source Guard Binding InformationCLI – This exam

Port Configuration3-1273Port ConfigurationDisplaying Connection StatusYou can use the Port Information or Trunk Information pages to display the curre

Configuring the Switch3-1283Field Attributes (CLI)Basic Information:• Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP)• MAC addre

Port Configuration3-1293Current Status:• Link Status – Indicates if the link is up or down.• Port Operation Status – Provides detailed information on

ContentsxviiiAccess Control List Commands 4-170IP ACLs 4-170access-list ip 4-171permit, deny (Standard ACL) 4-172permit, deny (Extended ACL) 4-

Configuring the Switch3-1303trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches. Howev

Port Configuration3-1313back pressure is used for half-duplex operation and IEEE 802.3-2005 (formally IEEE 802.3x) for full-duplex operation.Avoid usi

Configuring the Switch3-1323CLI – Select the interface, and then enter the required settings.Console(config)#interface ethernet 1/13 4-182Console(conf

Port Configuration3-1333Creating Trunk GroupsYou can create multiple links between devices that work as one virtual, aggregate link. A port trunk offe

Configuring the Switch3-1343Statically Configuring a TrunkCommand Usage• When configuring static trunks, you may not be able to link switches of diffe

Port Configuration3-1353CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to

Configuring the Switch3-1363Command Attributes • Member List (Current) – Shows configured trunks (Port).• New – Includes entry fields for creating new

Port Configuration3-1373CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another swi

Configuring the Switch3-1383Command Attributes Set Port Actor – This menu sets the local side of an aggregate link; i.e., the ports on this switch.• P

Port Configuration3-1393Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can op

Contentsxixpower inline priority 4-208show power inline status 4-209show power mainpower 4-210Mirror Port Commands 4-211port monitor 4-211show po

Configuring the Switch3-1403CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG.Conf

Port Configuration3-1413Web – Click Port, LACP, Aggregator. Set the Admin Key for the required LACP group, and click Apply.Figure 3-82 LACP Aggregati

Configuring the Switch3-1423Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information.Figure 3-

Port Configuration3-1433Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.Figure 3-84

Configuring the Switch3-1443CLI – The following example displays the LACP configuration settings and operational state for the local side of port chan

Port Configuration3-1453Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information.Figure 3-85

Configuring the Switch3-1463Setting Broadcast Storm ThresholdsBroadcast storms may occur when a device on your network is malfunctioning, or if applic

Port Configuration3-1473Web – Click Port, Port/Trunk Broadcast Control. Set the threshold and mark the Enabled field for the required interface, then

Configuring the Switch3-1483Configuring Port MirroringYou can mirror traffic from any source port to a target port for real-time analysis. You can the

Port Configuration3-1493Configuring Rate LimitsThis function allows the network manager to control the maximum rate for traffic received on a port or

ContentsxxVLAN Commands 4-240GVRP and Bridge Extension Commands 4-241bridge-ext gvrp 4-241show bridge-ext 4-242switchport gvrp 4-242show gvrp con

Configuring the Switch3-1503Showing Port StatisticsYou can display standard statistics on network traffic from the Interfaces Group and Ethernet-like

Port Configuration3-1513Transmit Discarded Packets The number of outbound packets which were chosen to be discarded even though no errors had been det

Configuring the Switch3-1523Received Frames The total number of frames (bad, broadcast and multicast) received.Broadcast Frames The total number of go

Port Configuration3-1533Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the

Configuring the Switch3-1543CLI – This example shows statistics for port 13.Power Over Ethernet SettingsThis switch can provide DC power to a wide ran

Power Over Ethernet Settings3-1553Switch Power StatusUse the Main Power Status page to display the Power over Ethernet settings for the switch.Command

Configuring the Switch3-1563Setting a Switch Power BudgetA maximum PoE power budget for the switch (power available to all switch ports) can be define

Power Over Ethernet Settings3-1573Web – Click PoE, Power Port Status.Figure 3-92 Displaying Port PoE StatusCLI – This example displays the PoE status

Configuring the Switch3-1583Command Attributes• Port – The port number on the switch. (Range: 1-28)• Admin Status – Enables PoE power on the port. Pow

Address Table Settings3-1593Address Table SettingsSwitches store the addresses for all known devices. This information is used to pass traffic directl

ContentsxxiConfiguring Voice VLANs 4-270voice vlan 4-271voice vlan aging 4-271voice vlan mac-address 4-272switchport voice vlan 4-273switchport

Configuring the Switch3-1603CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.Display

Address Table Settings3-1613CLI – This example also displays the address table entries for port 1.Changing the Aging TimeYou can set the aging time fo

Configuring the Switch3-1623Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, a

Spanning Tree Algorithm Configuration3-1633MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Freq

Configuring the Switch3-1643Configuring Port and Trunk Loopback DetectionWhen Port Loopback Detection is enabled and a port receives it’s own BPDU, th

Spanning Tree Algorithm Configuration3-1653CLI – This command enables loopback detection for port 1/5, configures automatic release-mode, and enables

Configuring the Switch3-1663These additional parameters are only displayed for the CLI:• Spanning Tree Mode – Specifies the type of spanning tree used

Spanning Tree Algorithm Configuration3-1673Web – Click Spanning Tree, STA, Information.Figure 3-98 Displaying Spanning Tree InformationCLI – This com

Configuring the Switch3-1683Configuring Global SettingsGlobal settings apply to the entire switch.Command Usage• Spanning Tree Protocol12Uses RSTP for

Spanning Tree Algorithm Configuration3-1693• Priority – Bridge priority is used in selecting the root device, root port, and designated port. The devi

Contentsxxiiswitchport priority default 4-300queue cos-map 4-301show queue mode 4-302show queue bandwidth 4-302show queue cos-map 4-303Priority C

Configuring the Switch3-1703Configuration Settings for RSTP The following attributes apply to both RSTP and MSTP:• Path Cost Method – The path cost is

Spanning Tree Algorithm Configuration3-1713Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.Figure 3-99

Configuring the Switch3-1723CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.

Spanning Tree Algorithm Configuration3-1733• Designated Port – The port priority and number of the port on the designated bridging device through whic

Configuring the Switch3-1743should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost ta

Spanning Tree Algorithm Configuration3-1753CLI – This example shows the STA attributes for port 5. Configuring Interface SettingsYou can configure RST

Configuring the Switch3-1763The following interface attributes can be configured:• Spanning Tree – Enables/disables STA on this interface. (Default: E

Spanning Tree Algorithm Configuration3-1773• Admin Link Type – The link type attached to this interface.- Point-to-Point – A connection to exactly one

Configuring the Switch3-1783Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Appl

Spanning Tree Algorithm Configuration3-1793To ensure that the MSTI maintains connectivity across the network, you must configure a related set of brid

Contentsxxiiiip igmp max-groups action 4-329show ip igmp filter 4-330show ip igmp profile 4-331show ip igmp throttle interface 4-331Multicast VLAN

Configuring the Switch3-1803CLI – This example sets the priority for MSTI 1, and adds VLAN 1 to this MSTI. It then displays the STA settings for insta

Spanning Tree Algorithm Configuration3-1813Displaying Interface Settings for MSTPThe MSTP Port Information and MSTP Trunk Information pages display th

Configuring the Switch3-1823CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are globa

Spanning Tree Algorithm Configuration3-1833Configuring Interface Settings for MSTPYou can configure the STA interface settings for an MST Instance usi

Configuring the Switch3-1843Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interf

VLAN Configuration3-1853This switch supports the following VLAN features:• Up to 255 VLANs based on the IEEE 802.1Q standard• Distributed VLAN learnin

Configuring the Switch3-1863Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A gro

VLAN Configuration3-1873Forwarding Tagged/Untagged FramesIf you want to create a small port-based VLAN for devices attached directly to a single switc

Configuring the Switch3-1883Displaying Basic VLAN InformationThe VLAN Basic Information page displays basic information on the VLAN type supported by

VLAN Configuration3-1893Displaying Current VLANsThe VLAN Current Table shows the current port members of each VLAN and whether or not the port support

Contentsxxiv

Configuring the Switch3-1903• Name – Name of the VLAN (1 to 32 characters).• Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is ope

VLAN Configuration3-1913Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to

Configuring the Switch3-1923Adding Static Members to VLANs (VLAN Index)Use the VLAN Static Table to configure port members for the selected VLAN index

VLAN Configuration3-1933Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if re

Configuring the Switch3-1943Adding Static Members to VLANs (Port Index)Use the VLAN Static Membership by Port menu to assign VLAN groups to the select

VLAN Configuration3-1953Configuring VLAN Behavior for InterfacesYou can configure VLAN behavior for specific interfaces, including the default VLAN id

Configuring the Switch3-1963• GARP Leave Timer17 – The interval a port waits before leaving a VLAN group. This time should be set to more than twice t

VLAN Configuration3-1973Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, cl

Configuring the Switch3-1983QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are p

VLAN Configuration3-1993process transmits the packet. Packets entering a QinQ tunnel port are processed in the following manner:1. New SPVLAN tags are

xxvTablesTable 1-1 Key Features 1-1Table 1-2 System Defaults 1-6Table 3-1 Configuration Options 3-3Table 3-2 Main Menu 3-4Table 3-3 Logging Levels

Configuring the Switch3-20034. After successful source and destination lookups, the packet is double tagged. The switch uses the TPID of 0x8100 to ind

VLAN Configuration3-20135. Configure the QinQ tunnel access port to join the SPVLAN as an untagged member (see “Adding Static Members to VLANs (VLAN I

Configuring the Switch3-2023CLI – This example sets the switch to operate in QinQ mode.Adding an Interface to a QinQ TunnelFollow the guidelines in th

VLAN Configuration3-2033Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access por

Configuring the Switch3-2043Configuring Global Settings for Traffic SegmentationUse the Traffic Segmentation Status page to enable traffic segmentatio

VLAN Configuration3-2053Web – Click VLAN, Traffic Segmentation, Session Configuration. Set the session number, specify whether an uplink or downlink i

Configuring the Switch3-2063Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch

VLAN Configuration3-2073Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu.Figure 3-116 Private VLA

Configuring the Switch3-2083Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary or Community type, then click Add.

VLAN Configuration3-2093CLI – This example associates community VLANs 6 and 7 with primary VLAN 5.Displaying Private VLAN Interface InformationUse the

xxviTablesTable 4-21 Switch Cluster Commands 4-73Table 4-22 Debug Commands 4-80Table 4-23 SNMP Commands 4-81Table 4-24 show snmp engine-id - displa

Configuring the Switch3-2103CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a p

VLAN Configuration3-2113Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will joi

Configuring the Switch3-2123Command UsageTo configure protocol-based VLANs, follow these steps:1. First configure VLAN groups for the protocols you wa

VLAN Configuration3-2133CLI – This example shows the switch configured with Protocol Group 2 which matches RFC 1042 IP traffic.Configuring the Protoco

Configuring the Switch3-2143Link Layer Discovery ProtocolLink Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring

Link Layer Discovery Protocol3-2153This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval • Reinitialization Delay – C

Configuring the Switch3-2163CLI – This example sets several attributes which control basic LLDP message timing.Configuring LLDP Interface AttributesUs

Link Layer Discovery Protocol3-2173• TLV Type – Configures the information included in the TLV field of advertised messages.- Port Description – The p

Configuring the Switch3-2183power (the Endpoint Device could use this information to decide to enter power conservation mode). Note that this device d

Link Layer Discovery Protocol3-2193CLI – This example sets the interface to both transmit and receive LLDP messages, enables SNMP trap messages, enabl

xxviiTablesTable 4-66 Link Type 4-229Table 4-66 IEEE 802.1D-1998 4-229Table 4-66 IEEE 802.1w-2001 4-229Table 4-67 Default STA Path Costs 4-230Tabl

Configuring the Switch3-2203• Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system. • System Name

Link Layer Discovery Protocol3-2213Web – Click LLDP, Local Information.Figure 3-125 LLDP Local Device InformationCLI – This example displays LLDP inf

Configuring the Switch3-2223Displaying LLDP Remote Port InformationUse the LLDP Remote Port/Trunk Information screen to display information about devi

Link Layer Discovery Protocol3-2233Displaying LLDP Remote Information DetailsUse the LLDP Remote Information Details screen to display detailed inform

Configuring the Switch3-2243Web – Click LLDP, Remote Information Details. Select an interface from the drop down lists, and click Query.Figure 3-127

Link Layer Discovery Protocol3-2253Displaying Device StatisticsUse the LLDP Device Statistics screen to general statistics for LLDP-capable devices at

Configuring the Switch3-2263CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switc

Link Layer Discovery Protocol3-2273Web – Click LLDP, Device Statistics Details.Figure 3-129 LLDP Device Statistics DetailsCLI – This example displays

Configuring the Switch3-2283Class of Service ConfigurationClass of Service (CoS) allows you to specify which data packets have greater precedence when

Class of Service Configuration3-2293Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interfa

xxviiiTables

Configuring the Switch3-2303Mapping CoS Values to Egress QueuesThis switch processes Class of Service (CoS) priority tagged traffic by using four egre

Class of Service Configuration3-2313Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign pri

Configuring the Switch3-2323Selecting the Queue ModeYou can set the switch to service the queues based on a strict rule that requires all traffic in a

Class of Service Configuration3-2333Setting the Service Weight for Traffic ClassesThis switch uses the Weighted Round Robin (WRR) algorithm to determi

Configuring the Switch3-2343Layer 3/4 Priority SettingsMapping Layer 3/4 Priorities to CoS ValuesThis switch supports one method of prioritizing layer

Class of Service Configuration3-2353CLI – The following example globally enables DSCP Priority service on the switch.Mapping DSCP PriorityThe DSCP is

Configuring the Switch3-2363Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value f

Quality of Service3-2373Quality of Service The commands described in this section are used to configure Quality of Service (QoS) classification criter

Configuring the Switch3-2383Configuring a Class MapA class map is used for matching packets to a specified class.Command Usage • To configure a Class

Quality of Service3-2393• VLAN – A VLAN. (Range:1-4094)• Add – Adds specified criteria to the class. Up to 16 items are permitted per class.• Remove –

xxixFiguresFigure 3-1 Home Page 3-2Figure 3-2 Panel Display 3-3Figure 3-3 System Information 3-13Figure 3-4 Switch Information 3-14Figure 3-5 Brid

Configuring the Switch3-2403CLI - This example creates a class map call “rd_class,” and sets it to match packets marked for DSCP service value 3.Creat

Quality of Service3-2413Policy Configuration• Policy Name — Name of policy map. (Range: 1-16 characters)• Description – A brief description of a polic

Configuring the Switch3-2423Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Polic

Quality of Service3-2433CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth the 1 Mbps, the burst rate to 1522 bps,

Configuring the Switch3-2443VoIP Traffic ConfigurationWhen IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice o

Quality of Service3-2453Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, the set the Voice VLAN

Configuring the Switch3-2463address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a

Quality of Service3-2473CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status.Configuring Telephon

Configuring the Switch3-2483Web – Click QoS, VoIP Traffic Setting, OUI Configuration. Enter a MAC address that specifies the OUI for VoIP devices in t

Multicast Filtering3-2493Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A mu

Management GuideFast Ethernet SwitchLayer 2 Workgroup Switchwith Power over Ethernet, 26 10/100BASE-T (RJ-45) Ports, and 2 Combination Gigabit (RJ-45/

xxxFiguresFigure 3-42 AAA Accounting Summary 3-74Figure 3-43 AAA Authorization Settings 3-75Figure 3-44 AAA Authorization Exec Settings 3-76Figure

Configuring the Switch3-2503Layer 2 IGMP (Snooping and Query)IGMP Snooping and Query – If multicast routing is not supported on other switches in your

Multicast Filtering3-2513Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a mu

Configuring the Switch3-2523• IGMP Report Delay — Sets the time between receiving an IGMP Report for an IP multicast address on a port before the swit

Multicast Filtering3-2533CLI – This example modifies the settings for multicast filtering, and then displays the current status.Enabling IGMP Immediat

Configuring the Switch3-2543Command Attributes• VLAN ID – VLAN Identifier. (Range: 1-4094).• Immediate Leave – Sets the status for immediate leave on

Multicast Filtering3-2553Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to displa

Configuring the Switch3-2563Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast rout

Multicast Filtering3-2573Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from

Configuring the Switch3-2583• Multicast IP – The IP address for a specific multicast service• Port or Trunk – Specifies the interface attached to a mu

Multicast Filtering3-2593IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of g

xxxiFiguresFigure 3-87 Mirror Port Configuration 3-148Figure 3-88 Input Rate Limit Port Configuration 3-149Figure 3-89 Port Statistics 3-153Figure

Configuring the Switch3-2603Configuring IGMP Filter ProfilesWhen you have created an IGMP profile number, you can then configure the multicast groups

Multicast Filtering3-2613CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multica

Configuring the Switch3-2623Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select

Multicast VLAN Registration3-2633Multicast VLAN Registration Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-

Configuring the Switch3-2643Configuring Global MVR Settings The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MV

Multicast VLAN Registration3-2653Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that

Configuring the Switch3-2663Displaying MVR Interface Status You can display information about the interfaces attached to the MVR VLAN.Field Attributes

Multicast VLAN Registration3-2673Displaying Port Members of Multicast GroupsYou can display the multicast groups assigned to the MVR VLAN either throu

Configuring the Switch3-2683Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port

Multicast VLAN Registration3-2693- Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.)• Immediate Leave – Co

xxxiiFiguresFigure 3-132 Queue Mode 3-232Figure 3-133 Configuring Queue Scheduling 3-233Figure 3-134 IP DSCP Priority Status 3-234Figure 3-135 Mapp

Configuring the Switch3-2703Assigning Static Multicast Groups to InterfacesFor multicast streams that will run for a long term and be associated with

Switch Clustering3-2713Switch ClusteringSwitch Clustering is a method of grouping switches together to enable centralized management through a single

Configuring the Switch3-2723• Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster. I

Switch Clustering3-2733Web – Click Cluster, Member Configuration. Figure 3-158 Cluster Member ConfigurationCLI – This example creates a new cluster M

Configuring the Switch3-2743Web – Click Cluster, Member Information. Figure 3-159 Cluster Member InformationCLI – This example shows information abou

UPnP3-2753CLI – This example shows information about cluster Candidate switches.UPnPUniversal Plug and Play (UPnP) is a set of protocols that allows d

Configuring the Switch3-2763Using UPnP under Windows Vista – To access or manage the switch with the aid of UPnP under Windows Vista, open the Network

UPnP3-2773CLI – This example enables UPnP, sets the device advertise duration to 200 seconds, the device TTL to 6, and displays information about basi

Configuring the Switch3-2783

4-1Chapter 4: Command Line InterfaceThis chapter describes how to use the Command Line Interface (CLI).Using the Command Line InterfaceAccessing the C

1-1Chapter 1: IntroductionThis switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to conf

Command Line Interface4-24Telnet ConnectionTelnet operates over the IP transport protocol. In this environment, your management station and any networ

Entering Commands4-34Entering CommandsThis section describes how to enter CLI commands.Keywords and ArgumentsA CLI command is a series of keywords and

Command Line Interface4-44Showing CommandsIf you enter a “?” at the command prompt, the system will display the first level of keywords for the curren

Entering Commands4-54The command “show interfaces ?” will display the following information:Partial Keyword LookupIf you terminate a partial keyword w

Command Line Interface4-64current mode. The command classes and associated modes are displayed in the following table:Exec CommandsWhen you open a new

Entering Commands4-74Configuration CommandsConfiguration commands are privileged level commands used to modify switch settings. These commands modify

Command Line Interface4-84For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mo

Command Groups4-94Command GroupsThe system commands can be broken down into the functional groups shown below.Table 4-4 Command GroupsCommand Group D

Command Line Interface4-104The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration)

General Commands4-114enableThis command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands di

Introduction1-21Description of Software FeaturesThis switch provides a wide range of advanced performance enhancing features. Flow control eliminates

Command Line Interface4-124Example Related Commands enable (4-11)configureThis command activates Global Configuration mode. You must enter this mode t

General Commands4-134Example In this example, the show history command lists the contents of the command history buffer:The ! command repeats commands

Command Line Interface4-144Command Usage This command resets the entire system. The switch will wait the designated amount of time before resetting. I

General Commands4-154Command Mode Global ConfigurationExample endThis command returns to Privileged Exec mode.Default Setting NoneCommand Mode Global

Command Line Interface4-164quitThis command exits the configuration program.Default Setting NoneCommand Mode Normal Exec, Privileged ExecCommand Usage

System Management Commands4-174Device Designation CommandshostnameThis command specifies or modifies the host name for this device. Use the no form to

Command Line Interface4-184Banner Information CommandsThese commands are used to configure and manage administrative information about the switch, its

System Management Commands4-194Command Usage The administrator can batch-input all details for the switch with one command. When the administrator fin

Command Line Interface4-204Default Setting NoneCommand ModeGlobal ConfigurationCommand Usage Input strings cannot contain spaces. The banner configure

System Management Commands4-214banner configure departmentThis command is used to configure the department information displayed in the banner. Use th

Description of Software Features1-31Other authentication options include HTTPS for secure management access via the web, SSH for secure management acc

Command Line Interface4-224Command ModeGlobal ConfigurationCommand Usage Input strings cannot contain spaces. The banner configure equipment-info comm

System Management Commands4-234banner configure ip-lanThis command is used to configure the device IP address and subnet mask information displayed in

Command Line Interface4-244Example banner configure manager-infoThis command is used to configure the manager contact information displayed in the ban

System Management Commands4-254banner configure muxThis command is used to configure the mux information displayed in the banner. Use the no form to r

Command Line Interface4-264Command Usage Input strings cannot contain spaces. The banner configure note command interprets spaces as data input bounda

System Management Commands4-274System Status CommandsThis section describes commands used to display system information.show startup-configThis comman

Command Line Interface4-284- Spanning tree settings- Interface settings- Any configured settings for the console port and TelnetExample Related Comma

System Management Commands4-294show running-configThis command displays the configuration information currently in use.Default Setting NoneCommand Mod

Command Line Interface4-304Example Related Commandsshow startup-config (4-27)Console#show startup-configbuilding startup-config, please wait...!<st

System Management Commands4-314show systemThis command displays system information.Command Mode Normal Exec, Privileged ExecCommand Usage • For a desc

Introduction1-41Store-and-Forward Switching – This switch copies each frame into its memory before forwarding them to another port. This ensures that

Command Line Interface4-324Example show versionThis command displays hardware and software version information for the system.Command Mode Normal Exec

System Management Commands4-334show memoryThis command shows the location and size of free system memory.Command Mode Privileged ExecExample Frame Siz

Command Line Interface4-344ports. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-pa

System Management Commands4-354copyThis command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFT

Command Line Interface4-364• The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the re

System Management Commands4-374The following example shows how to download a configuration file: This example shows how to copy a secure-site certific

Command Line Interface4-384Command Usage • If the file type is used for system startup, then this file cannot be deleted. • “Factory_Default_Config.cf

System Management Commands4-394Example The following example shows how to display all file information:whichbootThis command displays which files were

Command Line Interface4-404Command Mode Global ConfigurationCommand Usage • A colon (:) is required after the specified unit number and file type. • I

System Management Commands4-414lineThis command identifies a specific line for configuration, and to process subsequent line configuration commands.Sy

Description of Software Features1-51Note: This switch allows 255 user-manageable VLANs. One other VLAN (VLAN ID 4093) is reserved for switch clusterin

Command Line Interface4-424Command Usage • There are three authentication modes provided by the switch itself at login:- login selects authentication

System Management Commands4-434number of times a user can enter an incorrect password before the system terminates the line connection and returns the

Command Line Interface4-444Related Commandssilent-time (4-45)exec-timeout (4-14)exec-timeoutThis command sets the interval that the system waits until

System Management Commands4-454Default Setting The default value is three attempts.Command Mode Line Configuration Command Usage • When the logon atte

Command Line Interface4-464databitsThis command sets the number of data bits per character that are interpreted and generated by the console port. Use

System Management Commands4-474Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity

Command Line Interface4-484Default Setting 1 stop bitCommand Mode Line Configuration Example To specify 2 stop bits, enter this command:disconnectThis

System Management Commands4-494Command Mode Normal Exec, Privileged ExecExample To show all lines, enter this command:Event Logging CommandsThis secti

Command Line Interface4-504Command Mode Global ConfigurationCommand Usage The logging process controls error messages saved to switch memory or sent t

System Management Commands4-514Default Setting Flash: errors (level 3 - 0)RAM: warnings (level 7 - 0)Command Mode Global ConfigurationCommand Usage Th

Introduction1-61Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include detail

Command Line Interface4-524Default Setting 23Command Mode Global ConfigurationCommand Usage The command specifies the facility type tag sent in syslog

System Management Commands4-534Example clear logThis command clears messages from the log buffer.Syntax clear log [flash | ram]• flash - Event history

Command Line Interface4-544ExampleThe following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., de

System Management Commands4-554show logThis command displays the system and event messages stored in memory.Syntax show log {flash | ram} [login]• fla

Command Line Interface4-564SMTP Alert CommandsThese commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP ser

System Management Commands4-574logging sendmail levelThis command sets the severity threshold used to trigger alert messages.Syntaxlogging sendmail le

Command Line Interface4-584logging sendmail destination-emailThis command specifies the email recipients of alert messages. Use the no form to remove

System Management Commands4-594ExampleTime CommandsThe system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). M

Command Line Interface4-604sntp clientThis command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with

System Management Commands4-614sntp serverThis command sets the IP address of the servers to which SNTP time requests are issued. Use the this command

System Defaults1-71Web Management HTTP Server EnabledHTTP Port Number 80HTTP Secure Server EnabledHTTP Secure Port Number 443SNMP SNMP Agent EnabledCo

Command Line Interface4-624Example Related Commandssntp client (4-60)show sntpThis command displays the current time and configuration settings for th

System Management Commands4-634• This command enables client time requests to time servers specified via the ntp servers command. It issues time synch

Command Line Interface4-644Example Related Commandsntp client (4-62)ntp poll (4-64)show ntp (4-66)ntp pollThis command sets the interval between sendi

System Management Commands4-654Command Usage You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP s

Command Line Interface4-664Example Related Commandsntp authenticate (4-64)show ntpThis command displays the current time and configuration settings fo

System Management Commands4-674clock timezone-predefinedThis command uses predefined time zone configurations to set the time zone for the switch’s in

Command Line Interface4-684Default Setting NoneCommand Mode Global ConfigurationCommand Usage This command sets the local time zone relative to the Co

System Management Commands4-694• e-minute - The minute summer-time will end. (Range: 0-59 minutes)• offset - Summer-time offset from the regular time

Command Line Interface4-704Command Usage• In some countries or regions, clocks are adjusted through the summer months so that afternoons have more day

System Management Commands4-714• b-hour - The hour when summer-time will begin. (Range: 0-23 hours)• b-minute - The minute when summer-time will begin

ES3528M-PoEE112008/ST-R01 F1.1.0.11 149100041600A

Introduction1-81Traffic Prioritization Ingress Port Priority 0Weighted Round Robin Queue: 0 1 2 3 Weight: 1 2 4 8 IP DSCP Priority DisabledIP

Command Line Interface4-724calendar setThis command sets the system clock. It may be used if there is no time server on your network, or if you have n

System Management Commands4-734Switch Cluster CommandsSwitch Clustering is a method of grouping switches together to enable centralized management thr

Command Line Interface4-744Command Usage • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled)

System Management Commands4-754cluster ip-poolThis command sets the cluster IP address pool. Use the no form to reset to the default address.Syntax cl

Command Line Interface4-764Command Usage • The maximum number of cluster Members is 36.• The maximum number of switch Candidates is 100.Examplercomman

System Management Commands4-774show cluster membersThis command shows the current switch cluster members.Command Mode Privileged ExecExampleshow clust

Command Line Interface4-784upnp device This command enables UPnP on the device. Use the no form to disable UPnP.Syntax [no] upnp device Default Settin

System Management Commands4-794ExampleIn the following example, the TTL is set to 6.upnp device advertise duration This command sets the duration for

Command Line Interface4-804Debug Commandsdebug spanning-treeThis command configures debug settings for spanning tree processes. Use the no form to dis

SNMP Commands4-814SNMP CommandsControls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as

2-1Chapter 2: Initial ConfigurationConnecting to the SwitchConfiguration OptionsThis switch includes a built-in network management agent. The agent of

Command Line Interface4-824Exampleshow snmpThis command can be used to check the status of SNMP communications.Default Setting NoneCommand Mode Normal

SNMP Commands4-834snmp-server communityThis command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified commu

Command Line Interface4-844Related Commandssnmp-server location (4-84)snmp-server locationThis command sets the system location string. Use the no for

SNMP Commands4-854snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no for

Command Line Interface4-864command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to

SNMP Commands4-874Related Commandssnmp-server enable traps (4-87)snmp-server enable trapsThis command enables this device to send Simple Network Manag

Command Line Interface4-884snmp-server engine-idThis command configures an identification string for the SNMPv3 engine. Use the no form to restore the

SNMP Commands4-894Related Commandssnmp-server host (4-85)show snmp engine-idThis command shows the SNMP engine ID.Command Mode Privileged ExecExampleT

Command Line Interface4-904Command Usage • Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tr

SNMP Commands4-914snmp-server groupThis command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.Syntax s

Initial Configuration2-22• Configure up to 8 static or LACP trunks• Enable port mirroring• Set broadcast storm control on any port• Display system inf

Command Line Interface4-924show snmp groupFour default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only acce

SNMP Commands4-934snmp-server userThis command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use

Command Line Interface4-944Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should ther

Authentication Commands4-954Authentication Commands You can configure this switch to authenticate users logging into the system for management access

Command Line Interface4-964usernameThis command adds named users, requires authentication at login, specifies or changes a user's password (or sp

Authentication Commands4-974Example This example shows how to set the access level and password for a user.enable passwordAfter initially logging onto

Command Line Interface4-984Authentication SequenceThree authentication methods can be specified to authenticate users logging into the system for mana

Authentication Commands4-994Related Commandsusername - for setting the local user names and passwords (4-96)authentication enableThis command defines

Command Line Interface4-1004RADIUS ClientRemote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software run

Authentication Commands4-1014Command Mode Global ConfigurationExample radius-server auth-portThis command sets the RADIUS server network port for auth

Basic Configuration2-32Remote ConnectionsPrior to accessing the switch’s onboard agent via a network connection, you must first configure it with a va

Command Line Interface4-1024radius-server keyThis command sets the RADIUS encryption key. Use the no form to restore the default.Syntax radius-server

Authentication Commands4-1034radius-server timeoutThis command sets the interval between transmitting authentication requests to the RADIUS server. Us

Command Line Interface4-1044Example TACACS+ ClientTerminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that u

Authentication Commands4-1054tacacs-server hostThis command specifies a TACACS+ server. Use the no form to restore the default.Syntax [no] tacacs-serv

Command Line Interface4-1064Example tacacs-server keyThis command sets the TACACS+ encryption key. Use the no form to restore the default.Syntax tacac

Authentication Commands4-1074tacacs-server timeoutThis command sets the interval between transmitting authentication requests to the TACACS+ server. U

Command Line Interface4-1084show tacacs-serverThis command displays the current settings for the TACACS+ server.Default Setting NoneCommand Mode Privi

Authentication Commands4-1094AAA CommandsThe Authentication, authorization, and accounting (AAA) feature provides the main framework for configuring a

Command Line Interface4-1104Example serverThis command adds a security server to an AAA server group. Use the no form to remove the associated server

Authentication Commands4-1114aaa accounting dot1xThis command enables the accounting of requested 802.1X services for network access. Use the no form

Initial Configuration2-42Setting PasswordsNote: If this is your first time to log into the CLI program, you should define new passwords for both defau

Command Line Interface4-1124aaa accounting execThis command enables the accounting of requested Exec services for network access. Use the no form to d

Authentication Commands4-1134aaa accounting commandsThis command enables the accounting of Exec mode commands. Use the no form to disable the accounti

Command Line Interface4-1144aaa accounting updateThis command enables the sending of periodic updates to the accounting server. Use the no form to dis

Authentication Commands4-1154Example accounting execThis command applies an accounting method to local console or Telnet connections. Use the no form

Command Line Interface4-1164Command Mode Line ConfigurationExample aaa authorization execThis command enables the authorization for Exec access. Use t

Authentication Commands4-1174authorization execThis command applies an authorization method to local console or Telnet connections. Use the no form to

Command Line Interface4-1184Command ModePrivileged ExecExample Web Server CommandsThis section describes commands used to configure web browser manage

Authentication Commands4-1194ExampleRelated Commandsip http server (4-119)ip http serverThis command allows this device to be monitored or configured

Command Line Interface4-1204• When you start HTTPS, the connection is established in this way:- The client authenticates the server using the server’s

Authentication Commands4-1214Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • If you change the HTTPS port numb

Basic Configuration2-52Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:•

Command Line Interface4-1224Secure Shell CommandsThis section describes the commands used to configure the SSH server. However, note that you also nee

Authentication Commands4-1234Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.

Command Line Interface4-1244d. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back

Authentication Commands4-1254Related Commandsip ssh crypto host-key generate (4-127)show ssh (4-129)ip ssh timeoutThis command configures the timeout

Command Line Interface4-1264Command Mode Global ConfigurationExample Related Commandsshow ip ssh (4-128)ip ssh server-key sizeThis command sets the SS

Authentication Commands4-1274Example ip ssh crypto host-key generateThis command generates the host key pair (i.e., public and private). Syntax ip ssh

Command Line Interface4-1284Command Mode Privileged ExecCommand Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh

Authentication Commands4-1294Example show sshThis command displays the current SSH server connections.Command Mode Privileged ExecExample Console#show

Command Line Interface4-1304show public-keyThis command shows the public key for the specified user or for the host.Syntax show public-key [user [user

Authentication Commands4-1314802.1X Port AuthenticationThe switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized ac

Initial Configuration2-623. Type “end” to return to the Privileged Exec mode. Press <Enter>.4. Wait a few minutes, and then check the IP configu

Command Line Interface4-1324dot1x defaultThis command sets all configurable dot1x global and port settings to their default values.Command ModeGlobal

Authentication Commands4-1334Defaultforce-authorizedCommand ModeInterface ConfigurationExampledot1x operation-modeThis command allows single or multip

Command Line Interface4-1344dot1x re-authenticateThis command forces re-authentication on all ports or a specific interface.Syntaxdot1x re-authenticat

Authentication Commands4-1354ExampleRelated Commandsdot1x timeout re-authperiod (4-135)dot1x timeout quiet-periodThis command sets the time that a swi

Command Line Interface4-1364Exampledot1x timeout tx-periodThis command sets the time that an interface on the switch waits during an authentication se

Authentication Commands4-1374Exampleshow dot1xThis command shows general port authentication related settings on the switch or a specific interface.Sy

Command Line Interface4-1384- max-req – Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times ou

Authentication Commands4-1394ExampleConsole#show dot1xGlobal 802.1X Parameters system-auth-control: enable802.1X Port SummaryPort Name Status

Command Line Interface4-1404Management IP Filter CommandsThis section describes commands used to configure IP management access to the switch.manageme

Authentication Commands4-1414ExampleThis example restricts management access to the indicated addresses.show managementThis command displays the clien

Basic Configuration2-72The default strings are:• public - with read-only access. Authorized management stations are only able to retrieve MIB objects.

Command Line Interface4-1424General Security MeasuresThis switch supports many methods of segregating traffic for clients attached to each of the data

General Security Measures4-1434Port Security CommandsThese commands can be used to enable port security on a port. When using port security, the switc

Command Line Interface4-1444Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has

General Security Measures4-1454network-access agingUse this command to enable aging for authenticated MAC addresses stored in the secure MAC address t

Command Line Interface4-1464network-access modeUse this command to enable network access authentication on a port. Use the no form of this command to

General Security Measures4-1474network-access max-mac-countUse this command to set the maximum number of MAC addresses that can be authenticated on a

Command Line Interface4-1484have same VLAN configuration, or they are treated as an authentication failure.• If dynamic VLAN assignment is enabled on

General Security Measures4-1494mac-authentication reauth-timeUse this command to set the time period after which a connected MAC address must be re-au

Command Line Interface4-1504mac-authentication max-mac-countUse this command to set the maximum number of MAC addresses that can be authenticated on a

General Security Measures4-1514show network-accessUse this command to display the MAC authentication settings for port interfaces.Syntaxshow network-a

Initial Configuration2-82Configuring Access for SNMP Version 3 ClientsTo configure management access for SNMPv3 clients, you need to first create a vi

Command Line Interface4-1524Default Setting Displays all filters.Command Mode Privileged ExecCommand Usage When using a bit mask to filter displayed M

General Security Measures4-1534web-auth login-attemptsThis command defines the limit for failed web authentication login attempts. After the limit is

Command Line Interface4-1544Default Setting60 secondsCommand ModeGlobal ConfigurationExample web-auth session-timeoutThis command defines the amount o

General Security Measures4-1554Exampleweb-authThis command enables web authentication for a port. Use the no form to restore the default.Syntax[no] we

Command Line Interface4-1564web-auth re-authenticate (IP)This command ends the web authentication session associated with the designated IP address an

General Security Measures4-1574show web-auth interfaceThis command displays interface-specific web authentication parameters and statistics.Syntaxshow

Command Line Interface4-1584show web-auth summaryThis command displays a summary of web authentication port parameters and statistics.Command ModePriv

General Security Measures4-1594ip dhcp snoopingThis command enables DHCP snooping globally. Use the no form to restore the default setting.Syntax [no]

Command Line Interface4-1604MAC address verification is enabled, then the packet will only be forwarded if the client’s hardware address stored in the

General Security Measures4-1614packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust co

Managing System Files2-92Due to the size limit of the flash memory, the switch supports only one operation code file. However, you can have as many di

Command Line Interface4-1624• Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client reques

General Security Measures4-1634ip dhcp snooping information optionThis command enables the DHCP Option 82 information relay for the switch. Use the no

Command Line Interface4-1644ip dhcp snooping information policyThis command sets the DHCP snooping information option policy for DHCP client packets t

General Security Measures4-1654clear ip dhcp snooping database flashThis command removes all dynamically learned snooping entries from flash memory.Co

Command Line Interface4-1664IP Source Guard CommandsIP Source Guard is a security feature that filters IP traffic on network interfaces based on manua

General Security Measures4-1674• When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configure

Command Line Interface4-1684ip source-guard bindingThis command adds a static address to the source-guard binding table. Use the no form to remove a s

General Security Measures4-1694Related Commands ip source-guard (4-166)ip dhcp snooping (4-159)ip dhcp snooping vlan (4-160)show ip source-guardThis c

Command Line Interface4-1704Access Control List CommandsAccess Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol,

Access Control List Commands4-1714access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. U

vAbout This GuidePurposeThis guide gives specific information on how to operate and use the management functions of the switch.AudienceThe guide is in

Initial Configuration2-102Configuring Power over EthernetThis switch supports the IEEE 802.3af Power-over-Ethernet (PoE) standard that enables DC powe

Command Line Interface4-1724permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets em

Access Control List Commands4-1734permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for pac

Command Line Interface4-1744Command Usage• All new rules are appended to the end of the list.• Address bitmasks are similar to a subnet mask, containi

Access Control List Commands4-1754Related Commandsaccess-list ip (4-171)show ip access-list This command displays the rules for configured IP ACLs.Syn

Command Line Interface4-1764• If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with th

Access Control List Commands4-1774access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove

Command Line Interface4-1784permit, deny (MAC ACL)This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or d

Access Control List Commands4-1794• protocol – A specific Ethernet protocol number. (Range: 600-fff hex.)• protocol-bitmask – Protocol bitmask. (Range

Command Line Interface4-1804mac access-groupThis command binds a port to a MAC ACL. Use the no form to remove the port.Syntaxmac access-group acl_name

Access Control List Commands4-1814ACL Informationshow access-listThis command shows all ACLs and associated rules, as well as all the user-defined mas

3-1Chapter 3: Configuring the SwitchUsing the Web InterfaceThis switch provides an embedded HTTP web agent. Using a web browser you can configure the

Command Line Interface4-1824Interface CommandsThese commands are used to display or set communication parameters for an Ethernet port, aggregated link

Interface Commands4-1834Default Setting NoneCommand Mode Global Configuration Example To specify port 24, enter the following command:descriptionThis

Command Line Interface4-1844Default Setting • Auto-negotiation is enabled by default.• When auto-negotiation is disabled, the default speed-duplex set

Interface Commands4-1854Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilit

Command Line Interface4-1864Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings f

Interface Commands4-1874• Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pres

Command Line Interface4-1884giga-phy-modeThis command forces two connected ports in to a master/slave configuration to enable 1000BASE-T full duplex.

Interface Commands4-1894shutdown This command disables an interface. To restart a disabled interface, use the no form.Syntax [no] shutdownDefault Sett

Command Line Interface4-1904Command Usage • When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packe

Interface Commands4-1914Example The following example clears statistics on port 5.show interfaces statusThis command displays the status for an interf

Configuring the Switch3-23Navigating the Web Browser InterfaceTo access the web-browser interface you must first enter a user name and password. The a

Command Line Interface4-1924Example show interfaces countersThis command displays interface statistics. Syntax show interfaces counters [interface]int

Interface Commands4-1934Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items display

Command Line Interface4-1944Command Mode Normal Exec, Privileged ExecCommand Usage If no interface is specified, information on all interfaces is disp

Interface Commands4-1954Priority for Untagged TrafficIndicates the default priority for untagged frames (page 4-277).GVRP Status Shows if GARP VLAN Re

Command Line Interface4-1964Link Aggregation CommandsPorts can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of

Link Aggregation Commands4-1974Dynamically Creating a Port Channel –Ports assigned to a common port channel must meet the following criteria:• Ports m

Command Line Interface4-1984Default Setting DisabledCommand Mode Interface Configuration (Ethernet)Command Usage • The ports on both ends of an LACP t

Link Aggregation Commands4-1994lacp system-priorityThis command configures a port's LACP system priority. Use the no form to restore the default

Command Line Interface4-2004Default Setting 0Command Mode Interface Configuration (Ethernet)Command Usage • Ports are only allowed to join the same LA

Link Aggregation Commands4-2014• If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has

Panel Display3-33Configuration OptionsConfigurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a pa

Command Line Interface4-2024show lacpThis command displays LACP information.Syntax show lacp [port-channel] {counters | internal | neighbors | sysid}•

Link Aggregation Commands4-2034 Console#show lacp 1 internalPort Channel : 1---------------------------------------------------------------------

Command Line Interface4-2044Console#show lacp 1 neighborsPort channel 1 neighbors---------------------------------------------------------------------

Power over Ethernet Commands4-2054Power over Ethernet CommandsThe commands in this group control the power that can be delivered to attached PoE devic

Command Line Interface4-2064power mainpower maximum allocationThis command defines a power budget for the switch (i.e., the power available to all swi

Power over Ethernet Commands4-2074this switch can detect 802.3af compliant devices and the more recent 802.3af non-compliant devices that also reflect

Command Line Interface4-2084power inline maximum allocationThis command limits the power allocated to specific ports. Use the no form to restore the d

Power over Ethernet Commands4-2094- If a device is connected to a critical or high-priority port and causes the switch to exceed its budget, port powe

Command Line Interface4-2104show power mainpowerUse this command to display the current power status for the switch.Command Mode Privileged ExecExampl

Mirror Port Commands4-2114Mirror Port CommandsThis section describes how to mirror traffic from a source port to a target port. port monitorThis comma

Configuring the Switch3-43Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, o

Command Line Interface4-2124ExampleThe following example configures the switch to mirror received packets from port 6 to 11:show port monitorThis comm

Rate Limit Commands4-2134Rate Limit CommandsThis function allows the network manager to control the maximum rate for traffic received on an interface.

Command Line Interface4-2144Address Table CommandsThese commands are used to configure the address table for filtering specified addresses, displaying

Address Table Commands4-2154Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this com

Command Line Interface4-2164show mac-address-tableThis command shows classes of entries in the bridge-forwarding database.Syntax show mac-address-tabl

Address Table Commands4-2174mac-address-table aging-timeThis command sets the aging time for entries in the address table. Use the no form to restore

Command Line Interface4-2184Spanning Tree CommandsThis section includes commands that configure the Spanning Tree Algorithm (STA) globally for the swi

Spanning Tree Commands4-2194spanning-treeThis command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.Synta

Command Line Interface4-2204spanning-tree modeThis command selects the spanning tree mode for this switch. Use the no form to restore the default.Synt

Spanning Tree Commands4-2214Example The following example configures the switch to use Rapid Spanning Tree:spanning-tree forward-timeThis command conf

Main Menu3-53SNMPv3 3-46Engine ID Sets the SNMP v3 engine ID on this switch 3-46Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-47Us

Command Line Interface4-2224Command Mode Global ConfigurationCommand Usage This command sets the time interval (in seconds) at which the root device t

Spanning Tree Commands4-2234Related Commandsspanning-tree forward-time (4-221)spanning-tree hello-time (4-221)spanning-tree priorityThis command confi

Command Line Interface4-2244Command Mode Global ConfigurationCommand Usage The spanning-tree system-bpdu-flooding command has no effect if BPDU floodi

Spanning Tree Commands4-2254Default Setting 3Command Mode Global ConfigurationCommand Usage This command limits the maximum transmission rate for BPDU

Command Line Interface4-2264Command Mode MST ConfigurationCommand Usage • Use this command to group VLANs into spanning tree instances. MSTP generates

Spanning Tree Commands4-2274• You can set this switch to act as the MSTI root device by specifying a priority of 0, or as the MSTI alternate device by

Command Line Interface4-2284Command Usage The MST region name (page 4-227) and revision number are used to designate a unique MST region. A bridge (i.

Spanning Tree Commands4-2294Default Setting EnabledCommand Mode Interface Configuration (Ethernet, Port Channel)Example This example disables the span

Command Line Interface4-2304Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures t

Spanning Tree Commands4-2314Command Mode Interface Configuration (Ethernet, Port Channel)Command Usage • This command defines the priority for the use

Configuring the Switch3-63Port Security Configures per port security, including status, response for security breach, and maximum allowed MAC addresse

Command Line Interface4-2324Related Commandsspanning-tree portfast (4-232)spanning-tree portfastThis command sets an interface to fast forwarding. Use

Spanning Tree Commands4-2334Command Mode Interface Configuration (Ethernet, Port Channel)Command Usage • When enabled, BPDUs are flooded to all other

Command Line Interface4-2344spanning-tree loopback-detectionThis command enables the detection and response to Spanning Tree loopback BPDU packets on

Spanning Tree Commands4-2354Command Usage• If the port is configured for automatic loopback release, then the port will only be returned to the forwar

Command Line Interface4-2364spanning-tree mst costThis command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the

Spanning Tree Commands4-2374spanning-tree mst port-priorityThis command configures the interface priority on a spanning instance in the Multiple Spann

Command Line Interface4-2384Command Usage If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs,

Spanning Tree Commands4-2394ExampleConsole#show spanning-treeSpanning-tree information---------------------------------------------------------------

Command Line Interface4-2404show spanning-tree mst configurationThis command shows the configuration of the multiple spanning tree.Command Mode Privil

VLAN Commands4-2414GVRP and Bridge Extension CommandsGARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order

Main Menu3-73Port Neighbors Information Displays settings and operational state for the remote side 3-144Port Broadcast Control Sets the broadcast sto

Command Line Interface4-2424show bridge-extThis command shows the configuration for bridge extension commands.Default Setting NoneCommand Mode Privile

VLAN Commands4-2434show gvrp configurationThis command shows if GVRP is enabled.Syntax show gvrp configuration [interface]interface • ethernet unit/po

Command Line Interface4-2444Command Usage • Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes f

VLAN Commands4-2454Related Commandsgarp timer (4-243)Editing VLAN Groupsvlan databaseThis command enters VLAN database mode. All commands in this mode

Command Line Interface4-2464vlanThis command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.Syntax vlan vlan-id [

VLAN Commands4-2474Configuring VLAN Interfacesinterface vlanThis command enters interface configuration mode for VLANs, which is used to configure VLA

Command Line Interface4-2484switchport modeThis command configures the VLAN membership mode for a port. Use the no form to restore the default.Syntax

VLAN Commands4-2494Default Setting All frame typesCommand Mode Interface Configuration (Ethernet, Port Channel)Command Usage When set to receive all f

Command Line Interface4-2504Example The following example shows how to select port 1 and then enable ingress filtering:switchport native vlanThis comm

VLAN Commands4-2514switchport allowed vlanThis command configures VLAN groups on the selected interface. Use the no form to restore the default.Syntax

Configuring the Switch3-83MSTP 3-178VLAN Configuration Configures priority and VLANs for a spanning tree instance 3-178Port Information Displays port

Command Line Interface4-2524switchport forbidden vlanThis command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.Sy

VLAN Commands4-2534Displaying VLAN Informationshow vlanThis command shows VLAN information.Syntax show vlan [id vlan-id | name vlan-name | private-vla

Command Line Interface4-2544Configuring IEEE 802.1Q TunnelingIEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for c

VLAN Commands4-2554reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports.dot1q-tunnel system

Command Line Interface4-2564• When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or mo

VLAN Commands4-2574ExampleRelated Commandsshow interfaces switchport (4-193)show dot1q-tunnelThis command displays information about QinQ tunnel ports

Command Line Interface4-2584Configuring Port-based Traffic SegmentationIf tighter security is required for passing traffic from different clients thro

VLAN Commands4-2594Command Usage • When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different

Command Line Interface4-2604Command Usage • A port cannot be configured in both an uplink and downlink list.• A port can only be assigned to one traff

VLAN Commands4-2614pvlan up-to-upThis command specifies whether or not traffic can be forwarded between uplink ports assigned to different client sess

Main Menu3-93Port Configuration Sets the private VLAN interface type, and associates the interfaces with a private VLAN3-210Trunk Information Shows VL

Command Line Interface4-2624Configuring Private VLANsPrivate VLANs provide port-based security and isolation between ports within the assigned VLAN. T

VLAN Commands4-26344. Use the switchport private-vlan host-association command to assign a port to a secondary VLAN.5. Use the switchport private-vlan

Command Line Interface4-2644private vlan associationUse this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no f

VLAN Commands4-2654Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage• To assign a promiscuous port to a primary VLAN, use th

Command Line Interface4-2664switchport private-vlan mappingUse this command to map an interface to a primary VLAN. Use the no form to remove this mapp

VLAN Commands4-2674ExampleConfiguring Protocol-based VLANsThe network devices required to support multiple protocols cannot be easily grouped into a c

Command Line Interface4-2684protocol-vlan protocol-group (Configuring Groups)This command creates a protocol group, or adds specific protocols to a gr

VLAN Commands4-2694Command Usage • When creating a protocol-based VLAN, do not assign interfaces to the protocol VLAN via any of the standard VLAN com

Command Line Interface4-2704show protocol-vlan protocol-group-vidThis command shows the mapping from protocol groups to VLANs.Syntaxshow protocol-vlan

VLAN Commands4-2714voice vlanThis command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.Synt

vi

Configuring the Switch3-103QoS 3-237DiffServ 3-237Class Map Sets Class Maps 3-238Policy Map Sets Policy Maps 3-240Service Policy Defines service polic

Command Line Interface4-2724Default Setting1440 minutesCommand ModeGlobal ConfigurationCommand UsageThe Voice VLAN aging time is the time after which

VLAN Commands4-2734• Selecting a mask of FF-FF-FF-00-00-00 identifies all devices with the same OUI (the first three octets). Other masks restrict the

Command Line Interface4-2744switchport voice vlan ruleThis command selects a method for detecting VoIP traffic on a port. Use the no form to disable t

VLAN Commands4-2754Command Usage• Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP t

Command Line Interface4-2764show voice vlanThis command displays the Voice VLAN settings on the switch and the OUI Telephony list.Syntaxshow voice vla

LLDP Commands4-2774LLDP CommandsLink Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broa

Command Line Interface4-2784* Vendor-specific options may or may not be advertised by neighboring devices.lldp basic-tlv system-nameConfigures an LLDP

LLDP Commands4-2794lldpThis command enables LLDP globally on the switch. Use the no form to disable LLDP.Syntax[no] lldpDefault SettingEnabledCommand

Command Line Interface4-2804lldp med-fast-start-countThis command specifies the amount of MED Fast Start LLDPDUs to transmit during the activation pro

LLDP Commands4-2814notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLast

Main Menu3-113Trunk Configuration Configures MVR interface type and immediate leave status 3-268Group Member Configuration Statically assigns MVR mult

Command Line Interface4-2824Command ModeGlobal ConfigurationCommand UsageWhen LLDP is re-initialized on a port, all information in the remote systems

LLDP Commands4-2834lldp admin-statusThis command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form t

Command Line Interface4-2844therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-e

LLDP Commands4-2854lldp basic-tlv management-ip-addressThis command configures an LLDP-enabled port to advertise the management address for this devic

Command Line Interface4-2864Command ModeInterface Configuration (Ethernet, Port Channel)Command UsageThe port description is taken from the ifDescr ob

LLDP Commands4-2874Command ModeInterface Configuration (Ethernet, Port Channel)Command UsageThe system description is taken from the sysDescr object i

Command Line Interface4-2884Command ModeInterface Configuration (Ethernet, Port Channel)Command UsageThis option advertises the protocols that are acc

LLDP Commands4-2894Command UsageThe port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associa

Command Line Interface4-2904Command UsageThis option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregate

LLDP Commands4-2914Command UsageRefer to “Frame Size Commands” on page 4-33 for information on configuring the maximum frame size for this switch.Exam

Configuring the Switch3-123Basic ConfigurationThis section describes the basic functions required to set up management access to the switch, display o

Command Line Interface4-2924Command UsageThis option advertises extended Power-over-Ethernet capability details, such as power availability from the s

LLDP Commands4-2934Command UsageThis option advertises location identification details.Examplelldp medtlv med-capThis command configures an LLDP-MED-e

Command Line Interface4-2944Command UsageThis option advertises network policy configuration information, aiding in the discovery and diagnosis of VLA

LLDP Commands4-2954ExampleConsole#show lldp configLLDP Global Configuation LLDP Enable : Yes LLDP Transmit interval : 30 LLDP Hold

Command Line Interface4-2964show lldp info local-deviceThis command shows LLDP global and interface-specific configuration settings for this device.Sy

LLDP Commands4-2974show lldp info remote-deviceThis command shows LLDP global and interface-specific configuration settings for remote devices attache

Command Line Interface4-2984show lldp info statisticsThis command shows statistics based on traffic received through all attached LLDP-enabled interfa

Class of Service Commands4-2994Class of Service CommandsThe commands described in this section allow you to specify which data packets have greater pr

Command Line Interface4-3004Command Mode Global ConfigurationCommand Usage • Strict priority requires all traffic in a higher priority queue to be pro

Class of Service Commands4-3014• This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin, which can be

Basic Configuration3-133Web – Click System, System Information. Specify the system name, location, and contact information for the system administrato

Command Line Interface4-3024Command Usage • CoS values assigned at the ingress port are also used at the egress port.• This command sets the CoS prior

Class of Service Commands4-3034Example show queue cos-mapThis command shows the class of service priority map.Syntax show queue cos-map [interface]int

Command Line Interface4-3044Priority Commands (Layer 3 and 4)This section describes commands used to configure Layer 3 and Layer 4 traffic priority on

Class of Service Commands4-3054Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not

Command Line Interface4-3064Default Setting NoneCommand Mode Privileged ExecExample Related Commands map ip dscp (Global Configuration) (4-304)map ip

Quality of Service Commands4-3074To create a service policy for a specific category of ingress traffic, follow these steps:1. Use the class-map comman

Command Line Interface4-3084Command Usage • First enter this command to designate a class map and enter the Class Map configuration mode. Then use the

Quality of Service Commands4-3094Example This example creates a class map called “rd_class#1,” and sets it to match packets marked for DSCP service va

Command Line Interface4-3104Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_cla

Quality of Service Commands4-3114Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “r

Configuring the Switch3-143Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers f

Command Line Interface4-3124policeThis command defines an policer for classified traffic. Use the no form to remove a policer.Syntax [no] police rate-

Quality of Service Commands4-3134service-policyThis command applies a policy map defined by the policy-map command to the ingress queue of a particula

Command Line Interface4-3144Exampleshow policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic

Multicast Filtering Commands4-3154Example Multicast Filtering CommandsThis switch uses IGMP (Internet Group Management Protocol) to query for any atta

Command Line Interface4-3164ip igmp snoopingThis command enables IGMP snooping on this switch. Use the no form to disable it.Syntax [no] ip igmp snoop

Multicast Filtering Commands4-3174ip igmp snooping versionThis command configures the IGMP snooping version. Use the no form to restore the default.Sy

Command Line Interface4-3184Command Usage • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-queri

Multicast Filtering Commands4-3194show ip igmp snoopingThis command shows the IGMP snooping configuration.Default Setting NoneCommand Mode Privileged

Command Line Interface4-3204Example The following shows the multicast entries learned through IGMP snooping for VLAN 1:IGMP Query Commands (Layer 2)Th

Multicast Filtering Commands4-3214Exampleip igmp snooping query-countThis command configures the query count. Use the no form to restore the default.S

Basic Configuration3-153CLI – Use the following command to display version information.Console#show version 4-32Unit 1 Serial Number: A62201

Command Line Interface4-3224Default Setting 125 secondsCommand Mode Global ConfigurationExample The following shows how to configure the query interva

Multicast Filtering Commands4-3234ip igmp snooping router-port-expire-timeThis command configures the query timeout. Use the no form to restore the de

Command Line Interface4-3244ip igmp snooping vlan mrouterThis command statically configures a multicast router port. Use the no form to remove the con

Multicast Filtering Commands4-3254Command Usage Multicast router port types displayed include Static.Example The following shows that port 11 in VLAN

Command Line Interface4-3264ip igmp filter (Global Configuration)This command globally enables IGMP filtering and throttling on the switch. Use the no

Multicast Filtering Commands4-3274Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join. The same prof

Command Line Interface4-3284Command Mode IGMP Profile ConfigurationCommand Usage Enter this command multiple times to specify more than one multicast

Multicast Filtering Commands4-3294ip igmp max-groupsThis command sets the IGMP throttling number for an interface on the switch. Use the no form to re

Command Line Interface4-3304Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny

Multicast Filtering Commands4-3314show ip igmp profileThis command displays IGMP filtering profiles created on the switch.Syntax show ip igmp profile

Configuring the Switch3-163Displaying Bridge Extension CapabilitiesThe Bridge MIB includes extensions for managed devices that support Multicast Filte

Command Line Interface4-3324Example Multicast VLAN Registration CommandsThis section describes commands used to configure Multicast VLAN Registration

Multicast Filtering Commands4-3334Default Setting • MVR is disabled.• No MVR group address is defined.• The default number of contiguous addresses is

Command Line Interface4-3344mvr (Interface Configuration)This command configures an interface as an MVR receiver or source port using the type keyword

Multicast Filtering Commands4-3354• Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the mu

Command Line Interface4-3364Default Setting Displays global configuration settings for MVR when no keywords are used.Command Mode Privileged ExecComma

Multicast Filtering Commands4-3374The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN:Statu

Command Line Interface4-3384IP Interface CommandsAn IP addresses may be used for management access to the switch over your network. The IP address for

IP Interface Commands4-3394• If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received

Command Line Interface4-3404Related Commands show ip redirects (4-341)ip dhcp restart This command submits a BOOTP or DHCP client request.Default Sett

IP Interface Commands4-3414Related Commands show ip redirects (4-341)show ip redirectsThis command shows the default gateway configured for this devic

Basic Configuration3-173CLI – Enter the following command. Setting the Switch’s IP Address This section describes how to configure an IP interface for

Command Line Interface4-3424- Network or host unreachable - The gateway found no corresponding entry in the route table. • Press <Esc> to stop p

A-1Appendix A: Software SpecificationsSoftware FeaturesManagement AuthenticationLocal, RADIUS, TACACS, Port Authentication (802.1X), MAC Authenticatio

Software SpecificationsA-2ACoS configured by port or VLAN tagLayer 3/4 priority mapping: IP DSCPMulticast Filtering IGMP Snooping (Layer 2)Multicast V

Management Information BasesA-3ALink Aggregation Control Protocol (LACP)Full-duplex flow control (ISO/IEC 8802-3)IEEE 802.3ac VLAN taggingIEEE 802.3af

Software SpecificationsA-4ASNMP Framework MIB (RFC 3411)SNMP-MPD MIB (RFC 3412)SNMP Target MIB, SNMP Notification MIB (RFC 3413)SNMP User-Based SM MIB

B-1Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting ChartSymptom ActionCannot connect using Telnet,

TroubleshootingB-2BUsing System LogsIf a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caus

Glossary-1GlossaryAccess Control List (ACL)ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for

GlossaryGlossary-2DHCP SnoopingA technique used to enhance network security by snooping on DHCP server messages to track the physical location of host

Glossary-3GlossaryIEEE 802.1QVLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to differ

Configuring the Switch3-183Manual ConfigurationWeb – Click System, IP Configuration. Select the VLAN through which the management station is attached,

GlossaryGlossary-4one of the devices is made the “querier” and assumes responsibility for keeping track of group membership. In-Band ManagementManagem

Glossary-5GlossaryMulticast SwitchingA process whereby the switch filters incoming multicast frames for services for which no attached host has regist

GlossaryGlossary-6Power over EthernetThe IEEE 802.3af standard for providing Power over Ethernet (PoE) capabilities. When Ethernet is passed over copp

Glossary-7GlossarySimple Network Management Protocol (SNMP)The application protocol in the Internet suite of protocols which offers network management

GlossaryGlossary-8Virtual LAN (VLAN)A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical l

Index-1Numerics802.1Q tunnel 3-197, 4-254configuration, guidelines 3-200, 4-254configuration, limitations 3-200description 3-197ethernet type 3-201, 4

Index-2Indexqueue mapping 3-230, 4-301queue mode 3-232, 4-299traffic class weights 3-233Ddefault gateway, configuration 3-17, 4-339default priority, i

Index-3Indexfiltering/throttling, interface settings 3-261, 4-328–4-329groups, displaying 3-256, 4-319immediate leave, status 3-253, 4-318Layer 2 3-25

Index-4IndexTLV, PoE 3-217, 4-291TLV, port capabilities 3-217, 4-293loggingsyslog traps 3-30, 4-52to syslog servers 3-30, 4-51log-in, Web interface 3-

Index-5Indexpriority 3-158, 4-208showing mainpower 3-156, 4-210port priorityconfiguring 3-228, 4-299default ingress 3-228, 4-300STA 3-174, 4-230port s

Basic Configuration3-193Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by th

Index-6Indexgroup configuration 3-52, 4-91remote user configuration 3-50, 4-93user configuration 3-48, 3-50, 4-93views 3-55, 4-89softwaredisplaying ve

Index-7Indexadding static members 3-192, 3-194, 4-251creating 3-190, 4-246description 3-184, 3-213displaying basic information 3-188, 4-242displaying

Index-8Index

ES3528M-PoEE112008/ST-R01149100041600A

viiContents Chapter 1: Introduction 1-1Key Features 1-1Description of Software Features 1-2System Defaults 1-6Chapter 2: Initial Configuration

Configuring the Switch3-203Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web i

Basic Configuration3-213Managing FirmwareYou can upload/download firmware to or from a TFTP server. Just specify the method of file transfer, along wi

Configuring the Switch3-223Downloading System Software from a ServerWhen downloading runtime code, the new operation code file will overwrite the exis

Basic Configuration3-233CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type,

Configuring the Switch3-243Downloading Configuration Settings from a ServerYou can download the configuration file under a new file name and then set

Basic Configuration3-253CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch,

Configuring the Switch3-263• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match

Basic Configuration3-273CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the curren

Configuring the Switch3-283• Password2 – Specifies a password for the line connection. When a connection is started on a line with password protection

Basic Configuration3-293Configuring Event LoggingThe switch allows you to control the logging of error messages, including the type of events that are

ContentsviiiManaging Firmware 3-21Downloading System Software from a Server 3-22Saving or Restoring Configuration Settings 3-23Downloading Configur

Configuring the Switch3-303Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and fl

Basic Configuration3-313Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address

Configuring the Switch3-323Displaying Log MessagesThe Logs page allows you to scroll through the logged system and event messages. The switch can stor

Basic Configuration3-333configured email recipients. For example, using Level 7 will report all events from level 7 to level 0. (Default: Level 7)• SM

Configuring the Switch3-343CLI – Enter the host ip address, followed by the mail severity level, source and destination email addresses and enter the

Basic Configuration3-353Web – Click System, Reset. Enter the amount of time the switch should wait before rebooting. Click the Reset button to reboot

Configuring the Switch3-363Setting the Time ManuallyYou can set the system time on the switch manually without using SNTP.CLI – This example sets the

Basic Configuration3-373CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.

Configuring the Switch3-383Web – Select SNTP, Configuration. Modify any of the required NTP parameters, and click Apply.Figure 3-21 NTP Client Config

Basic Configuration3-393Setting the Time ZoneSNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at

ContentsixConfiguring HTTPS 3-78Replacing the Default Secure-site Certificate 3-79Configuring the Secure Shell 3-80Generating the Host Key Pair 3

Configuring the Switch3-403Simple Network Management Protocol SNMP is a communication protocol designed specifically for managing devices on a network

Simple Network Management Protocol3-413Note: The predefined default groups and view can be deleted from the system. You can then define customized gro

Configuring the Switch3-423Setting Community Access Strings You may configure up to five community strings authorized for management access by clients

Simple Network Management Protocol3-433Specifying Trap Managers and Trap TypesTraps indicating status changes are issued by the switch to specified tr

Configuring the Switch3-443top of the SNMP Configuration page (for Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users

Simple Network Management Protocol3-453Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that wil

Configuring the Switch3-463Configuring SNMPv3 Management AccessTo configure SNMPv3 management access to the switch, follow these steps:1. If you want

Simple Network Management Protocol3-473Specifying a Remote Engine IDTo send inform messages to an SNMPv3 user on a remote device, you must first speci

Configuring the Switch3-483Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security le

Simple Network Management Protocol3-493Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and as