Powered by Accton
Management Guide
ES3528
ES3528-WDM
Layer 2 Metro Access Switch
www.edge-core.com
CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and
Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and s
CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces
Chapter 6: User Authentication
You can configure this switch to authenticate users logging into the system for management access using local or remo
Web – Click Security, User Accounts. To configure a new user account, enter the user name, access level, and password, then cli
the network. An authentication server contains a database of multiple user name/password pairs with a
- Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Ra
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Lay
• The following web browsers and operating systems currently support HTTPS:
• To specify a secure-site certificate, see “Replaci
When you have obtained these, place them on your TFTP server, and use the following command at the switch's comma
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host publ
stored on the switch can access it. The following exchanges take place during this process:
Authenticating SSH v1.5 Cli
Note: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
• Save Host-Key from Memory t
CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory,
Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note t
Configuring 802.1X Port Authentication
Network switches can provide open and easy access to network resourc
• The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the s
Configuring 802.1X Global Settings
The 802.1X protocol provides port authentication. The 802.1X protocol mus
• Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it
CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields display
Displaying 802.1X Statistics
This switch can display statistics for dot1x protocol exchanges for any port.
Table 6-2 802.1X S
Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to
Filtering IP Addresses for Management Access
You can create a list of up to 16 IP addresses or IP address groups that are allow
Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed manage
Chapter 7: Client Security
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensurin
MAC addresses already in the address table will be retained and will not age out. Any other device that attempts to use the port wi
Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the check
Chapter 8: Access Control Lists
Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port
• Each ACL can have up to 32 rules. However, due to resource restrictions, the average number of rules bound to the ports shou
Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard,
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a spe
• Source/Destination Port – Source/destination port number for the specified protocol type. (Range: 0-65535)
• Sour
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any
Configuring a MAC ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Sou
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any
Configuring ACL Masks
You must specify masks that control the order in which ACL rules are checked. ACL rules match
CLI – This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of precedence to look f
Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for
Configuring a MAC ACL Mask
This mask defines the fields to check in the packet header.
Command Usage
You must configure a mask
CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that th
Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress traffic, s
Chapter 9: Port Configuration
Displaying Connection Status
You can use the Port Information or Trunk Information pages to display the current connect
Field Attributes (CLI)
Basic information:
• Port type – Indicates port type. (100BASE-TX, 100BASE-BX, 1000BASE-T, or SFP)
• MAC
CLI – This example shows the connection status for Port 5.
Configuring Interface Connections
You can use the Port
- 100full - Supports 100 Mbps full-duplex operation
- 1000full - Supports 1 Gbps full-duplex operation
- Sym (Gigabit only) - Ch
Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Ap
Creating Trunk Groups
You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers
Statically Configuring a Trunk
Command Usage
• When configuring static trunks, you may not be able to link switches of differen
CLI – This example creates trunk 1 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch to
Command Attributes
• Member List (Current) – Shows configured trunks (Port).
• New – Includes entry fields for creating new tru
Configuring LACP Parameters
Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following
Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can
CLI – The following example configures LACP parameters for ports 1-10. Ports 1-8 are used as active members of the LAG, ports 9
Displaying LACP Port Counters
You can display statistics for LACP protocol messages.
Web – Click Port, LACP, Port Counters In
Displaying LACP Settings and Status for the Local Side
You can display configuration settings and the operational state for the
Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.
Figure 9-7
Displaying LACP Settings and Status for the Remote Side
You can display configuration settings and the operational state for the
CLI – The following example displays the LACP configuration settings and operational state for the remote side
• Threshold – Threshold as percentage of port bandwidth. (Options: 500-262143 packets per second; Default: 500 pps)
• Trunk –
Configuring Port Mirroring
You can mirror traffic from any source port to a target port for real-time analysis. You can
Configuring Rate Limits
This function allows the network manager to control the maximum rate for traffic transmitted or received
CLI - This example sets the rate limit for input and output traffic passing through port 1 to 60 Mbps.
Showing Port Statist
Transmit Multicast Packets The total number of packets that higher-level protocols requested be transmitted, and which were add
RMON Statistics
Drop Events The total number of events in which packets were dropped due to lack of resources.
Jabbers The t
Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the b
CLI – This example shows statistics for port 12.
Console#show interfaces counters ethernet 1/12
Ethernet 1/12
 Iftable
Chapter 10: Address Table Settings
Switches store the addresses for all known devices. This information is used to pass traffic directly between th
CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Display
Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLA
Changing the Aging Time
You can set the aging time for entries in the dynamic address table.
Command Attributes
• Aging Stat
Chapter 11: Spanning Tree Algorithm
The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links
MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes i
Displaying Global Settings
You can display a summary of the current bridge STA information that applies to the entire s
• Instance – Instance identifier of this spanning tree. (This is always 0 for the CIST.)
• VLANs configuration – VLANs ass
CLI – This command displays global STA settings, followed by settings for each port.
Note: The current root port and cu
Configuring Global Settings
Global settings apply to the entire switch.
Command Usage
• Spanning Tree Protocol
Uses RSTP fo
address will then become the root device. (Note that lower numeric values indicate higher priority.)
• Default: 32768
•
Configuration Settings for MSTP
• Max Instance Numbers – The maximum number of MSTP instances to which this switch can be
Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
Figure 11-2 STA Glob
CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters
• Designated Port – The port priority and number of the port on the designated bridging device through which this
These additional parameters are only displayed for the CLI:
• Admin status – Shows if this interface is enabled.
• Externa
CLI – This example shows the STA attributes for port 5.
Configuring Interface Settings
You can configure RSTP and
The following interface attributes can be configured:
• Spanning Tree – Enables/disables STA on this interface. (Default:
• Admin Link Type – The link type attached to this interface.
• Point-to-Point – A connection to exactly one other
Configuring Multiple Spanning Trees
MSTP generates a unique spanning tree for each instance. This provides multiple path
Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the in
CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI.
Displaying Interface Settings for MSTP
The MSTP Port Information and MSTP Trunk Information pages display
Configuring Interface Settings for MSTP
You can configure the STA interface settings for an MST Instance using the MSTP P
Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port
Chapter 12: VLAN Configuration
IEEE 802.1Q VLANs
In large networks, routers are used to isolate broadcast traffic for each subnet into separate doma
Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should
these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine securi
Enabling or Disabling GVRP (Global Setting)
GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN
CLI – Enter the following command.
Displaying Current VLANs
The VLAN Current Table shows the current port members of each VLAN an
Command Attributes (CLI)
• VLAN – ID of configured VLAN (1-4093, no leading zeroes).
• Type – Shows how this VLAN was added to t
Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to
Command Attributes
• VLAN – ID of configured VLAN (1-4093).
• Name – Name of the VLAN (1 to 32 characters).
• Status – Enables o
CLI – The following example adds tagged and untagged ports to VLAN 2.
Adding Static Members to VLANs (Port Index)
Use the VLAN St
Configuring VLAN Behavior for Interfaces
You can configure VLAN behavior for specific interfaces, including the default VLAN i
Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-300
CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GAR
processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again add
5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outg
Configuration Limitations for QinQ
• The native VLAN of uplink ports should not be used as the SPVLAN. If the S
Adding an Interface to a QinQ Tunnel
Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Use
CLI – This example sets port 2 to tunnel mode, indicates that the TPID used for 802.1Q tagged frames will be 9100 hexa
Configuring Uplink and Downlink Ports
Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports de
Command Usage
To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the proto
Mapping Protocols to VLANs
Map a protocol group to a VLAN for each interface that will participate in the group.
Command Usage
•
CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol grou
Chapter 13: Class of Service
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in th
Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click
Mapping CoS Values to Egress Queues
This switch processes Class of Service (CoS) priority tagged traffic by using eight pri
Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply.
Figure 1
Selecting the Queue Mode
You can set the switch to service the queues based on a strict rule that requires all traffic in a
Setting the Service Weight for Traffic Classes
This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequen
CLI – The following example shows how to assign WRR weights to each of the priority queues.
Layer 3/4 Priority Setting
Web – Click Priority, IP Precedence/DSCP Priority Status. Select Disabled, IP Precedence or IP DSCP from the scroll-down menu, t
Web – Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in
Mapping DSCP Priority
The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (
Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS val
Chapter 14: Quality of Service
The commands described in this section are used to configure Quality of Service (QoS) classification criteria and s
6. Use the “Service Policy” to assign a policy map to a specific interface.
Configuring a Class Map
A class map is used for matc
Match Class Settings
• Class Name – List of class maps.
• ACL List – Name of an access control list. Any
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
Creating QoS Policies
This function creates a policy map that can be attached to multiple interfaces.
Com
Policy Rule Settings
- Class Settings -
• Class Name – Name of class map.
• Action – Shows the service provided to ingress traffi
Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy
CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps,
Chapter 15: Multicast Filtering
Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast s
Layer 2 IGMP (Snooping and Query)
IGMP Snooping and Query – If multicast routing is not supported on other switches in your ne
Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manual
• IGMP Query Timeout – The time the switch waits after the previous querier stops before it considers the router port (i.e.,
Displaying Interfaces Attached to a Multicast Router
Multicast routers that are attached to ports on the switch
Specifying Static Interfaces for a Multicast Router
Depending on your network connections, IGMP snooping may not always be abl
Displaying Port Members of Multicast Services
You can display the port members associated with a specified VLAN
Assigning Ports to Multicast Services
Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query me
Multicast VLAN Registration
Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-w
Configuring Global MVR Settings
The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR f
CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addre
Configuring MVR Interface Status
Each interface that participates in the MVR VLAN must be configured as an MVR source port or
Web – Click MVR, Port Configuration or Trunk Configuration.
Figure 15-8 MVR Port Configuration
CLI – This example co
Displaying Port Members of Multicast Groups
You can display the multicast groups assigned to the MVR VLAN either through IGMP
Assigning Static Multicast Groups to Interfaces
For multicast streams that will run for a long term and be associated
Chapter 16: Domain Name Service
The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static t
Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name server
Configuring Static DNS Host to Address Entries
You can manually configure static entries in the DNS
Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.
Figure 16-2
Displaying the DNS Cache
You can display entries in the DNS cache that have been learned via the designated name servers.
CLI - This example displays all the resource records learned from the designated name servers.
Console#show dns cache
NO
Section III: Command Line Interface
This section provides a detailed description of the Command Line Interface, along with examples for all of the comma
Chapter 17: Overview of Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).
Using the Command Line Interface
A
Note: The IP address for this switch is obtained via DHCP by default. To access the switch through a Telnet se
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords a
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords
The command “show interfaces ?” will display the following information:
Partial Keyword Lookup
If you terminate a partial keyword
Understanding Command Modes
The command set is divided into Exec and Configuration classes. Exec commands gener
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modif
To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enou
Section I: Getting Started
This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describe
Command Groups
The system commands can be broken down into the functional groups shown below.
Table 17-4 Comm
The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
LC (Li
Chapter 18: General Commands
These commands are used to control the command access mode, configuration mode, and other basic functions.
enable
This c
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
Example
Relat
Example
Related Commands
end (18-4)
show history
This command shows the contents of the command history buffer.
Default Setting
None
Com
reload
This command restarts the system.
Note: When the system is restarted, it will always run the Power-On Self-Test. It will als
Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Conf
Example
This example shows how to quit a CLI session:
Console#quit
Press ENTER to start session
User Access Verification
Username:
Chapter 19: System Management Commands
These commands are used to control system logs, passwords, user names, management options, and display or co
Example
System Status Commands
This section describes commands used to display system information.
show startup-config
Th
- IP address
- Layer 4 precedence settings
- Spanning tree settings
- Any configured settings for the console port and Telne
show running-config
This command displays the configuration information currently in use.
Default Setting
None
Command Mo
Example
Related Commands
show startup-config (19-2)
Console#show running-config
building running-config, please wait...
!<
show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Comma
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
De
Example
System Mode Commands
This section describes commands used to configure the switch to operate in normal mode or Q
Example
Related Commands
show system mode (19-9)
show system mode
This command displays the switch system mode.
Command Mode
Priv
jumbo frame
This command enables support for extended frame sizes on Fast Ethernet and Gigabit Ethernet ports. Use the
system mtu
This command sets the maximum transfer unit for traffic crossing the switch. Use the no form to restore the defaul
Chapter 1: Introduction
This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to conf
Example
File Management Commands
Managing Firmware
Firmware can be uploaded and downloaded to or from a TFTP server. By
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a
• The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in
The following example shows how to download a configuration file:
This example shows how to copy a secure-site certific
Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Con
Example
The following example shows how to display all file information:
whichboot
This command displays which files were
Default Setting
None
Command Mode
Global Configuration
Command Usage
• If the file contains an error, it cannot be set
Line Commands
You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port.
Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such a
Example
Related Commands
username (21-2)
password (19-21)
password
This command specifies the password for a line. Use the no form to
Management Guide
ES3528 Fast Ethernet Switch
Layer 2 Ethernet Metro Access Switch
with 24 Fast Ethernet Ports (RJ-45), 2 Gigabit Combination Ports (RJ-45
Description of Software Features
The switch provides a wide range of advanced performance enhancing features. Flow control eliminates t
timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no
Line Commands19-2319Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminat
System Management Commands19-2419silent-timeThis command sets the amount of time the management console is inaccessible after the number of unsuccessf
Line Commands19-2519Example To specify 7 data bits, enter this command:Related Commands parity (19-25)parityThis command defines the generation of a p
System Management Commands19-2619Default Setting autoCommand Mode Line Configuration Command Usage Set the speed to match the baud rate of the device
Line Commands19-2719Command Mode Privileged ExecCommand Usage Specifying session identifier “0” will disconnect the console connection. Specifying any
System Management Commands19-2819Event Logging CommandsThis section describes commands used to configure event logging on the switch.logging onThis co
Event Logging Commands19-2919logging historyThis command limits syslog messages saved to switch memory based on severity. The no form returns the logg
System Management Commands19-3019logging hostThis command adds a syslog server host IP address that will receive logging messages. Use the no form to
Event Logging Commands19-3119logging trapThis command enables the logging of system messages to a remote server, or limits the syslog messages saved t
Description of Software Features1-31Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port numbe
System Management Commands19-3219Related Commandsshow log (19-33)show loggingThis command displays the configuration settings for logging messages to
Event Logging Commands19-3319The following example displays settings for the trap function. Related Commandsshow logging sendmail (19-37)show logThis
System Management Commands19-3419ExampleThe following example shows the event message stored in RAM. SMTP Alert CommandsThese commands configure SMTP
SMTP Alert Commands19-3519• To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and
System Management Commands 19-36 Default Setting None Command Mode Global Configuration Command Usage You may use a symbolic email address that identi
Time Commands 19-37 Command Mode Global Configuration Example show logging sendmail This command displays the settings for the SMTP event handler. Command
System Management Commands 19-38 sntp client This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified
Time Commands 19-39 sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no ar
System Management Commands 19-40 Example Related Commands sntp client (19-38) show sntp This command displays the current time and configuration settings
Time Commands 19-41 Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time
Introduction 1-4 Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port. This ensures that a
System Management Commands 19-42 show calendar This command displays the system clock. Default Setting None Command Mode Normal Exec, Privileged Exec Exam
20-1 Chapter 20: SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as t
SNMP Commands 20-2 snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no for
snmp-server community 20-3 Example snmp-server community This command defines the SNMP v1 and v2c community access string. Use the no form to remove the
SNMP Commands 20-4 • private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Command Mode Global
snmp-server host 20-5 Command Mode Global Configuration Example Related Commands snmp-server contact (20-4) snmp-server host This command specifies the r
SNMP Commands 20-6 • SNMP Version: 1 • UDP Port: 162 Command Mode Global Configuration Command Usage • If you do not enter an snmp-server host command, n
snmp-server enable traps 20-7 supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notif
SNMP Commands 20-8 conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 20-11). Example Relate
show snmp engine-id 20-9 • A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If
Description of Software Features 1-5 Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station ap
SNMP Commands 20-10 snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Synta
show snmp view 20-11 show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example snmp-server group This command
SNMP Commands 20-12 Default Setting • Default groups: public (read only), private (read/write) • readview - Every object belonging to the Internet
show snmp group 20-13 Group Name: public Security Model: v2c Read View: defaultview Write View: none Notify View: none Storage Type: volatile Row Status: ac
SNMP Commands 20-14 snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Us
show snmp user 20-15 need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. Example show snmp user This
21-1 Chapter 21: User Authentication Commands You can configure this switch to authenticate users logging into the system for management access using l
User Authentication Commands 21-2 username This command adds named users, requires authentication at login, specifies or changes a user's password
User Account Commands 21-3 enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it
Introduction 1-6 System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch d
User Authentication Commands 21-4 Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system f
Authentication Sequence 21-5 Example Related Commands username - for setting the local user names and passwords (21-2) authentication enable This command
User Authentication Commands 21-6 RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses softwa
RADIUS Client 21-7 Example radius-server port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-se
User Authentication Commands 21-8 radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radiu
TACACS+ Client 21-9 Example TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses soft
User Authentication Commands 21-10 Command Mode Global Configuration Example tacacs-server port This command specifies the TACACS+ server network port.
Web Server Commands 21-11 show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privile
User Authentication Commands 21-12 Example Related Commands ip http server (21-12) ip http server This command allows this device to be monitored or confi
Web Server Commands 21-13 • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s d
System Defaults 1-7 SNMP SNMP Agent Enabled Community Strings “public” (read only) “private” (read/write) Traps Authentication traps: enabled Link-up-dow
User Authentication Commands 21-14 • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port numb
Secure Shell Commands 21-15 Secure Shell Commands This section describes the commands used to configure the SSH server. Note that you also need to inst
User Authentication Commands 21-16 To use the SSH server, complete these steps: 1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate c
Secure Shell Commands 21-17 stored on the switch can access it. The following exchanges take place during this process: Authenticating SSH v1.5 Clients
User Authentication Commands 21-18 Example Related Commands ip ssh crypto host-key generate (21-20) show ssh (21-22) ip ssh timeout This command configure
Secure Shell Commands 21-19 ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user.
User Authentication Commands 21-20 delete public-key This command deletes the specified user’s public key. Syntax delete public-key username [dsa | rsa]
Secure Shell Commands 21-21 Related Commands ip ssh crypto zeroize (21-21) ip ssh save host-key (21-21) ip ssh crypto zeroize This command clears the host
User Authentication Commands 21-22 Example Related Commands ip ssh crypto host-key generate (21-20) show ip ssh This command displays the connection sett
Secure Shell Commands 21-23 show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [user
Introduction 1-8 Traffic Prioritization Ingress Port Priority 0 Queue Mode WRR Weighted Round Robin Queue: 0 1 2 3 4 5 6 7 Weight: 1 2 4
User Authentication Commands 21-24 Example 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents u
802.1X Port Authentication 21-25 dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch. Use the no form
User Authentication Commands 21-26 dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Synt
802.1X Port Authentication 21-27 Command Usage • The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “au
User Authentication Commands 21-28 Command Usage • The re-authentication process verifies the connected client’s user ID and password on the RADIUS ser
802.1X Port Authentication 21-29 Default 3600 seconds Command Mode Interface Configuration Example dot1x timeout tx-period This command sets the time that a
User Authentication Commands 21-30 Command Usage This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.
802.1X Port Authentication 21-31 • Backend State Machine - State – Current state (including request, response, success, fail, timeout, idle, initializ
User Authentication Commands 21-32 Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status
Management IP Filter Commands 21-33 Management IP Filter Commands This section describes commands used to configure IP management access to the switch.
2-1 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent off
User Authentication Commands 21-34 Example This example restricts management access to the indicated addresses. show management This command displays the
22-1 Chapter 22: Client Security Commands This switch supports many methods of segregating traffic for clients attached to each of the data ports, and
Client Security Commands 22-2 port security This command enables or configures port security. Use the no form without any keywords to disable port secu
IP Source Guard Commands 22-3 Example The following example enables port security for port 5, and sets the response to a security violation to issue a
Client Security Commands 22-4 Command Mode Interface Configuration (Ethernet) Command Usage • Source guard is used to filter traffic on an unsecure port
IP Source Guard Commands 22-5 Example This example enables IP source guard on port 5. Related Commands ip source-guard binding (22-5) ip dhcp snooping (2
Client Security Commands 22-6 - If there is an entry with same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then
DHCP Snooping Commands 22-7 DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which se
Client Security Commands 22-8 • When enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP s
DHCP Snooping Commands 22-9 Example This example enables DHCP snooping globally for the switch. Related Commands ip dhcp snooping vlan (22-9) ip dhcp sno
Initial Configuration 2-2 • Configure up to 12 static or LACP trunks • Enable port mirroring • Set broadcast storm control on any port • Display system in
Client Security Commands 22-10 Related Commands ip dhcp snooping (22-7) ip dhcp snooping trust (22-12) ip dhcp snooping binding (22-10) ip dhcp snooping
DHCP Snooping Commands 22-11 - If there is a binding with same VLAN ID and MAC address, and the entry type is static IP source guard binding, static D
Client Security Commands 22-12 ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory. Command Mod
DHCP Snooping Commands 22-13 Example This example sets port 5 to untrusted. Related Commands ip dhcp snooping (22-7) ip dhcp snooping vlan (22-9) ip dhcp
23-1 Chapter 23: Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 pro
Access Control List Commands 23-2 access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. U
IP ACLs 23-3 Default Setting None Command Mode Standard IP ACL Command Usage • New rules are appended to the end of the list. • Address bitmasks are similar
Access Control List Commands 23-4 • precedence – IP precedence level. (Range: 0-7) • tos – Type of Service level. (Range: 0-15) • dscp – DSCP priority l
IP ACLs 23-5 Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.
Basic Configuration 2-3 Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a va
Access Control List Commands 23-6 access-list ip mask-precedence This command changes to the IP Mask mode used to configure access control masks. Use
IP ACLs 23-7 • destination-bitmask – Destination address of rule must match this bitmask. • precedence – Check the IP precedence field. • tos – Check th
Access Control List Commands 23-8 This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the
IP ACLs 23-9 This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the Layer 4 source port is
Access Control List Commands 23-10 This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other p
IP ACLs 23-11 Related Commands mask (IP ACL) (23-6) ip access-group This command binds a port to an IP ACL. Use the no form to remove the port. Syntax [no
Access Control List Commands 23-12 MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.
MAC ACLs 23-13 Example Related Commands permit, deny (23-13) mac access-group (23-18) show mac access-list (23-14) permit, deny (MAC ACL) This command adds
Access Control List Commands 23-14 • address-bitmask – Bitmask for MAC address (in hexadecimal format). • vid – VLAN ID. (Range: 1-4093) • vid-bitmask3
MAC ACLs 23-15 Related Commands permit, deny 23-13 mac access-group (23-18) access-list mac mask-precedence This command changes to MAC Mask mode used to
ES3528ES3528-WDMF1.0.1.7 E122006/ST-R01149100033100A
Initial Configuration 2-4 Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both defau
Access Control List Commands 23-16 • host – The address must be for a single node. • source-bitmask – Source address of rule must match this bitmask. •
MAC ACLs 23-17 This example creates an Egress MAC ACL. show access-list mac mask-precedence This command shows the ingress or egress rule masks for MAC
Access Control List Commands 23-18 mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group a
ACL Information 23-19 ACL Information This section describes commands used to display ACL information. show access-list This command shows all IP ACLs an
24-1 Chapter 24: Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. i
Interface Commands 24-2 Command Mode Global Configuration Example To specify port 4, enter the following command: description This command adds a descri
negotiation 24-3 Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is: -
Interface Commands 24-4 Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilit
flowcontrol 24-5 Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link b
Basic Configuration 2-5 Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: •
Interface Commands 24-6 Example The following example enables flow control on port 5. Related Commands negotiation (24-3) capabilities (flowcontrol, symm
switchport packet-rate 24-7 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due t
Interface Commands 24-8 switchport block This command prevents flooding of unknown unicast or multicast packets to an interface. Use the no form to re
show interfaces status 24-9 Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics
Interface Commands 24-10 Example show interfaces counters This command displays interface statistics. Syntax show interfaces counters [interface] interf
show interfaces switchport 24-11 Example show interfaces switchport This command displays the administrative and operational status of the specified in
Interface Commands 24-12 Example This example shows the configuration setting for port 4. Console#show interfaces switchport ethernet 1/4 Broadcast Th
25-1 Chapter 25: Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network c
Link Aggregation Commands 25-2 Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports m
lacp 25-3 Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • The ports on both ends of an LACP trunk must be confi
Initial Configuration 2-6 5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Ente
Link Aggregation Commands 25-4 lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default
lacp admin-key (Port Channel) 25-5 Default Setting 0 Command Mode Interface Configuration (Ethernet) Command Usage • Ports are only allowed to join the
Link Aggregation Commands 25-6 • If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has
show lacp 25-7 show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sys-id} • port-channe
Link Aggregation Commands 25-8 Console#show lacp 1 internal Port channel: 1 ------------------------------------------------------------------------- Ope
show lacp 25-9 Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 --
Link Aggregation Commands 25-10 Console#show lacp sysid Port Channel System Priority System MAC Address -----------------------------------------
26-1 Chapter 26: Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. port monitor This command configu
Mirror Port Commands 26-2 Example The following example configures the switch to mirror all packets from port 6 to 11: show port monitor This command di
27-1 Chapter 27: Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an inte
Basic Configuration 2-7 The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
Rate Limit Commands 27-2 Related Command show interfaces switchport (24-11) rate-limit cos This command defines the output rate limit for an interface b
show rate-limit cos 27-3 Example This example sets the maximum output rate for CoS traffic of priority level 0 to 50 Mbps on Port 1. show rate-limit co
28-1 Chapter 28: Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current ent
Address Table Commands 28-2 Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this com
show mac-address-table 28-3 show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-tabl
Address Table Commands 28-4 mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore
29-1 Chapter 29: Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and com
Spanning Tree Commands 29-2 spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Synta
spanning-tree mode 29-3 Default Setting rstp Command Mode Global Configuration Command Usage • Spanning Tree Protocol Uses RSTP for the internal state ma
Initial Configuration 2-8 Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a vi
Spanning Tree Commands 29-4 spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the
spanning-tree max-age 29-5 Example Related Commands spanning-tree forward-time (29-4) spanning-tree max-age (29-5) spanning-tree max-age This command conf
Spanning Tree Commands 29-6 spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to rest
spanning-tree transmission-limit 29-7 Command Usage The path cost method is used to determine the best path between devices. Therefore, lower values s
Spanning Tree Commands 29-8 Related Commands mst vlan (29-8) mst priority (29-9) name (29-9) revision (29-10) max-hops (29-11) mst vlan This command adds VL
mst priority 29-9 mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst inst
Spanning Tree Commands 29-10 Command Usage The MST region name and revision number (page 29-10) are used to designate a unique MST region. A bridge (i
max-hops 29-11 max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the def
Spanning Tree Commands 29-12 spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to res
spanning-tree port-priority 29-13 Command Usage • This command is used by the Spanning Tree Algorithm to determine the best path between devices. Ther
Managing System Files 2-9 Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many d
Spanning Tree Commands 29-14 spanning-tree edge-port This command specifies an interface as an edge port. Use the no form to restore the default. Syntax
spanning-tree link-type 29-15 Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode,
Spanning Tree Commands 29-16 • RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidde
spanning-tree mst port-priority 29-17 Example Related Commands spanning-tree mst port-priority (29-17) spanning-tree mst port-priority This command confi
Spanning Tree Commands 29-18 spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syn
show spanning-tree 29-19 Command Mode Privileged Exec Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree
Spanning Tree Commands 29-20 show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privi
30-1 Chapter 30: VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same
VLAN Commands 30-2 bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default
GVRP and Bridge Extension Commands 30-3 switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp
VLAN Commands 30-4 garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default valu
GVRP and Bridge Extension Commands 30-5 show garp timer This command shows the GARP timers for the selected interface. Syntax show garp timer [interface
VLAN Commands 30-6 Editing VLAN Groups vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately. Defa
Editing VLAN Groups 30-7 vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [nam
VLAN Commands 30-8 Configuring VLAN Interfaces interface vlan This command enters interface configuration mode for VLANs, which is used to configure VLA
Configuring VLAN Interfaces 30-9 switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Sy
VLAN Commands 30-10 Command Usage When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. Example
Configuring VLAN Interfaces 30-11 switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restor
VLAN Commands 30-12 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • A port, or a trunk with switchport mode set to hybrid
Displaying VLAN Information 30-13 Command Usage • This command prevents a VLAN from being automatically added to the specified interface via GVRP. • If
Section II: Switch Management This section describes the basic switch features, along with a detailed description of how to configure each feature via
VLAN Commands 30-14 Example The following example shows how to display information for VLAN 1: Configuring Private VLANs Private VLANs provide port-base
Configuring Private VLANs 30-15 • Entering the pvlan command without any parameters enables the private VLAN. Entering no pvlan disables the private V
VLAN Commands 30-16 Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common
Configuring Protocol-based VLANs 30-17 protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or to add specific prot
VLAN Commands 30-18 Command Usage • When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any o
Configuring Protocol-based VLANs 30-19 show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for th
VLAN Commands 30-20 Configuring IEEE 802.1Q Tunneling QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs
Configuring IEEE 802.1Q Tunneling 30-21 switchport mode dot1q-tunnel This command configures an interface as a QinQ tunnel port. Use the no form to res
VLAN Commands 30-22 Related Commands switchport mode dot1q-tunnel (page 30-21) switchport dot1q-ethertype This command sets the Tag Protocol Identifier (
31-1 Chapter 31: Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when t
Class of Service Commands 31-2 queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (C
Priority Commands (Layer 2) 31-3 Example switchport priority default This command sets a priority for incoming untagged frames. Use the no form to rest
Class of Service Commands 31-4 Related Commands show interfaces switchport (24-11) queue bandwidth This command assigns weighted round-robin (WRR) weigh
Priority Commands (Layer 2) 31-5 Default Setting This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queui
Class of Service Commands 31-6 Example show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] int
Priority Commands (Layer 2) 31-7 Default Setting The original priority value in the VLAN tag of a tagged packet, or a VLAN priority tag inserted by an
Class of Service Commands 31-8 Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and Layer 4 traffic priority
Priority Commands (Layer 3 and 4) 31-9 map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority). Use the
Class of Service Commands 31-10 Example The following example shows how to enable IP precedence mapping globally: map ip precedence (Interface Configur
Priority Commands (Layer 3 and 4) 31-11 map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Differentiated Services Code Poi
3-1 Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the
Class of Service Commands 31-12 Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not
Priority Commands (Layer 3 and 4) 31-13 Default Setting None Command Mode Privileged Exec Example The following shows that HTTP traffic has been mapped t
Class of Service Commands 31-14 Example Related Commands map ip precedence (Global Configuration) (31-9) map ip precedence (Interface Configuration) (3
Priority Commands (Layer 3 and 4) 31-15 Example Related Commands map ip dscp (Global Configuration) (31-11) map ip dscp (Interface Configuration) (31-1
32-1 Chapter 32: Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classificat
Quality of Service Commands 32-2 Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. 2. Yo
match 32-3 match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-
Quality of Service Commands 32-4 This example creates a class map called “rd_class#3,” and sets it to match packets marked for VLAN 1: policy-map This com
class 32-5 class This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no
v Contents Section I: Getting Started Chapter 1: Introduction 1-1 Key Features 1-1 Description of Software Features 1-2 System Defaults 1-6 Chapter 2
Configuring the Switch 3-2 Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The a
Quality of Service Commands 32-6 set This command services IP traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified
service-policy 32-7 Command Usage • You can configure up to 63 policers (i.e., class maps) for Fast Ethernet and Gigabit Ethernet ingress ports. • Poli
Quality of Service Commands 32-8 show class-map This command displays the QoS class maps which define matching criteria used for classifying traffic. Sy
show policy-map interface 32-9 Example show policy-map interface This command displays the service policy assigned to the specified interface. Syntax sho
Page 33-1. Chapter 33: Multicast Filtering Commands. This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to re
Multicast Filtering Commands, page 33-2. ip igmp snooping: This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax: [no] ip igmp
IGMP Snooping Commands, page 33-3. ip igmp snooping version: This command configures the IGMP snooping version. Use the no form to restore the default. Syntax: i
Multicast Filtering Commands, page 33-4. Command Usage: • This command setting is only effective if IGMP snooping is enabled. • Any port can be designated as a
IGMP Snooping Commands, page 33-5. Command Mode: Interface Configuration (VLAN). Command Usage: • If immediate-leave is not used, a multicast router (or querier)
Navigating the Web Browser Interface, page 3-3. Configuration Options: Configurable parameters have a dialog box or a drop-down list. Once a configuration chang
Multicast Filtering Commands, page 33-6. show mac-address-table multicast: This command shows known multicast addresses. Syntax: show mac-address-table multicas
IGMP Query Commands, page 33-7. ip igmp snooping querier: This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax: [no] ip igmp
Multicast Filtering Commands, page 33-8. Example: The following shows how to configure the query count to 10: Related Commands: ip igmp snooping query-max-respo
IGMP Query Commands, page 33-9. • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has
Multicast Filtering Commands, page 33-10. Static Multicast Routing Commands: This section describes commands used to configure static multicast routing on the
Multicast VLAN Registration Commands, page 33-11. show ip igmp snooping mrouter: This command displays information on statically configured and dynamically le
Multicast Filtering Commands, page 33-12. mvr (Global Configuration): This command enables Multicast VLAN Registration (MVR) globally on the switch, statically
Multicast VLAN Registration Commands, page 33-13. mvr (Interface Configuration): This command configures an interface as an MVR receiver or source port using t
Multicast Filtering Commands, page 33-14. response to determine if there are any remaining subscribers for that multicast group before removing the port from
Multicast VLAN Registration Commands, page 33-15. Command Usage: Enter this command without any keywords to display the global settings for MVR. Use the inter
Configuring the Switch, page 3-4. Main Menu: Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, o
Multicast Filtering Commands, page 33-16. The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN: Cons
Page 34-1. Chapter 34: Domain Name Service Commands. These commands are used to configure Domain Naming System (DNS) services. You can manually configure entri
Domain Name Service Commands, page 34-2. Command Usage: Servers or other network devices may support one or more connections via multiple IP addresses. If mor
ip domain-name, page 34-3. ip domain-name: This command defines the default domain name appended to incomplete host names (i.e., host names passed from a clien
Domain Name Service Commands, page 34-4. Command Usage: • Domain names are added to the end of the list one at a time. • When an incomplete host name is recei
ip domain-lookup, page 34-5. Example: This example adds two domain-name servers to the list and then displays the list. Related Commands: ip domain-name (34-3), ip
Domain Name Service Commands, page 34-6. Example: This example enables DNS and then displays the configuration. Related Commands: ip domain-name (34-3), ip name-se
show dns, page 34-7. show dns: This command displays the configuration of the DNS service. Command Mode: Privileged Exec. Example. show dns cache: This command display
Domain Name Service Commands, page 34-8. clear dns cache: This command clears all entries in the DNS cache. Command Mode: Privileged Exec. Example: Console#clear dns
Page 35-1. Chapter 35: IP Interface Commands. An IP address may be used for management access to the switch over your network. An IP address is obtained via DH
Navigating the Web Browser Interface, page 3-5. SNMPv3 5-7; Engine ID: Sets the SNMP v3 engine ID 5-7; Remote Engine ID: Sets the SNMP v3 engine ID on a remote devi
IP Interface Commands, page 35-2. Command Usage: • You must assign an IP address to this device to gain management access over the network or to connect the s
Basic IP Configuration, page 35-3. Command Usage: • A gateway must be defined if the management station is located in a different IP segment. • A default gate
IP Interface Commands, page 35-4. show ip interface: This command displays the settings of an IP interface. Command Mode: Normal Exec, Privileged Exec. Example. Rel
Basic IP Configuration, page 35-5. Example: This example displays all entries in the ARP cache. ping: This command sends ICMP echo request packets to another nod
IP Interface Commands, page 35-6. Example. Related Commands: interface (24-1). Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP
Section IV: Appendices. This section provides additional information on the following topics. Software Specifications
Appendices
Page A-1. Appendix A: Software Specifications. Software Features. Authentication: Local, RADIUS, TACACS+, Port (802.1X), HTTPS, SSH, Port Security. Access Control Li
Software Specifications, page A-2. Quality of Service: DiffServ supports class maps, policy maps, and service policies. Multicast Filtering: IGMP Snooping. Additiona
Management Information Bases, page A-3. IPv4 IGMP (RFC 3228); RADIUS+ (RFC 2618); RMON (RFC 2819 groups 1,2,3,9); SNMP (RFC 1157); SNMPv2c (RFC 2571); SNMPv3 (RFC DRAFT
Configuring the Switch, page 3-6. LACP 9-8; Configuration: Allows ports to dynamically join trunks 9-8; Aggregation Port: Configures parameters for link aggregati
Software Specifications, page A-4. UDP MIB (RFC 2013)
Page B-1. Appendix B: Troubleshooting. Problems Accessing the Management Interface. Table B-1 Troubleshooting Chart. Symptom, Action. Cannot connect using Telnet,
Troubleshooting, page B-2. Using System Logs: If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caus
Glossary, page Glossary-1. Access Control List (ACL): ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for
Glossary, page Glossary-2. Extensible Authentication Protocol over LAN (EAPOL): EAPOL is a client authentication protocol used by this switch to verify the netw
Glossary, page Glossary-3. IEEE 802.1X: Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for auth
Glossary, page Glossary-4. Link Aggregation: See Port Trunk. Link Aggregation Control Protocol (LACP): Allows ports to automatically negotiate a trunked link with
Glossary, page Glossary-5. Port Authentication: See IEEE 802.1X. Port Mirroring: A method whereby data on a target port is mirrored to a monitor port for troublesho
Glossary, page Glossary-6. Simple Network Management Protocol (SNMP): The application protocol in the Internet suite of protocols which offers network management
Glossary, page Glossary-7. Virtual LAN (VLAN): A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical l
Navigating the Web Browser Interface, page 3-7. Trunk Configuration: Configures trunk settings for a specified MST instance 11-20; VLAN 12-1; 802.1Q VLAN 12-1; GVRP
Index, page Index-1. Numerics. 802.1Q tunnel 12-12, 30-20; description 12-12; interface configuration 12-16, 30-21–30-22; mode selection 12-16; TPID 12-11, 12-16, 30-22; 802.1X
Index, page Index-2. F. firmware: displaying version 4-6, 19-7; upgrading 4-12, 19-13. G. GARP VLAN Registration Protocol See GVRP; gateway, default 4-9, 35-2; GVRP: global
Index, page Index-3. setting multicast groups 15-10, 33-12; specifying a VLAN 15-10, 33-12; using immediate leave 15-12, 33-13. P. password, line 19-21; passwords 2-4; adm
Index, page Index-4. STP Also see STA; switch settings, saving or restoring 19-12; switchport dot1q-ethertype 30-22; switchport mode dot1q-tunnel 30-21; system clock
ES3528 ES3528-WDM E122006/ST-R01 149100033100A
Configuring the Switch, page 3-8. QoS 14-1; DiffServ: Configure QoS classification criteria and service policies 14-1; Class Map: Creates a class map for a type of
Page 4-1. Chapter 4: Basic Management Tasks. This chapter describes the basic functions required to set up management access to the switch, display or upgrade
Basic Management Tasks, page 4-2. Web – Click System, System Information. Specify the system name, location, and contact information for the system administra
Configuring the Switch for Normal Operation or Tunneling Mode, page 4-3. Configuring the Switch for Normal Operation or Tunneling Mode: The system can be config
Contents, page vi. Manual Configuration 4-9; Using DHCP/BOOTP 4-10; Managing Firmware 4-11; Downloading System Software from a Server 4-12; Saving or Restoring Co
Basic Management Tasks, page 4-4. Configuring the Maximum Frame Size: The maximum transfer unit (or frame size) for traffic crossing the switch should be set to
Configuring Support for Jumbo Frames, page 4-5. CLI – This example sets the MTU for Fast Ethernet ports to 1528 bytes. Configuring Support for Jumbo Frames: The
Basic Management Tasks, page 4-6. Displaying Switch Hardware/Software Versions: Use the Switch Information page to display hardware/firmware version numbers fo
Displaying Bridge Extension Capabilities, page 4-7. CLI – Use the following command to display version information. Displaying Bridge Extension Capabilities: The
Basic Management Tasks, page 4-8. Web – Click System, Bridge Extension. Figure 4-6 Displaying Bridge Extension Configuration. CLI – Enter the following command
Setting the Switch’s IP Address, page 4-9. Command Attributes: • Management VLAN – ID of the configured VLAN (1-4093). By default, all ports on the stack are me
Basic Management Tasks, page 4-10. CLI – Specify the management interface, IP address and default gateway. Using DHCP/BOOTP: If your network provides DHCP/BOOTP
Managing Firmware, page 4-11. Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the
Basic Management Tasks, page 4-12. Downloading System Software from a Server: When downloading runtime code, you can specify the destination file name to repla
Managing Firmware, page 4-13. To delete a file select System, File Management, Delete. Select the file name from the given list by checking the tick box and c
Contents, page vii. Chapter 7: Client Security 7-1; Configuring Port Security 7-1; Chapter 8: Access Control Lists 8-1; Configuring Access Control Lists 8-1; Sett
Basic Management Tasks, page 4-14. Saving or Restoring Configuration Settings: You can upload/download configuration settings to/from a TFTP server, or copy fil
Saving or Restoring Configuration Settings, page 4-15. Downloading Configuration Settings from a Server: You can download the configuration file under a new fil
Basic Management Tasks, page 4-16. CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the swit
Console Port Settings, page 4-17. • Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific
Basic Management Tasks, page 4-18. CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the cur
Telnet Settings, page 4-19. • Password2 – Specifies a password for the line connection. When a connection is started on a line with password protection, the s
Basic Management Tasks, page 4-20. Configuring Event Logging: The switch allows you to control the logging of error messages, including the type of events that
Configuring Event Logging, page 4-21. Web – Click System, Logs, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM an
Basic Management Tasks, page 4-22. Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Add
Configuring Event Logging, page 4-23. Displaying Log Messages: Use the Logs page to scroll through the logged system and event messages. The switch can store up
Contents, page viii. Displaying Basic VLAN Information 12-4; Displaying Current VLANs 12-5; Creating VLANs 12-6; Adding Static Members to VLANs (VLAN Index) 12-7
Basic Management Tasks, page 4-24. • SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other li
Resetting the System, page 4-25. CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specif
Basic Management Tasks, page 4-26. Setting the System Clock: Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic u
Setting the System Clock, page 4-27. CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings. Set
Page 5-1. Chapter 5: Simple Network Management Protocol. Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for manag
Simple Network Management Protocol, page 5-2. Note: The predefined default groups and view can be deleted from the system. You can then define customized grou
Setting Community Access Strings, page 5-3. Setting Community Access Strings: You may configure up to five community strings authorized for management access b
Simple Network Management Protocol, page 5-4. Specifying Trap Managers and Trap Types: Traps indicating status changes are issued by the switch to specified tra
Specifying Trap Managers and Trap Types, page 5-5. Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 cli
Contents, page ix. Assigning Static Multicast Groups to Interfaces 15-15; Chapter 16: Domain Name Service 16-1; Configuring General DNS Service Parameters 16-1
Simple Network Management Protocol, page 5-6. Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will
Configuring SNMPv3 Management Access, page 5-7. Configuring SNMPv3 Management Access: To configure SNMPv3 management access to the switch, follow these steps: 1.
Simple Network Management Protocol, page 5-8. Specifying a Remote Engine ID: To send inform messages to an SNMPv3 user on a remote device, you must first specif
Configuring SNMPv3 Management Access, page 5-9. Configuring SNMPv3 Users: Each SNMPv3 user is defined by a unique name. Users must be configured with a specific
Simple Network Management Protocol, page 5-10. Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and as
Configuring SNMPv3 Management Access, page 5-11. Configuring Remote SNMPv3 Users: Each SNMPv3 user is defined by a unique name. Users must be configured with a
Simple Network Management Protocol, page 5-12. Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name
Configuring SNMPv3 Management Access, page 5-13. Configuring SNMPv3 Groups: An SNMPv3 group sets the access policy for its assigned users, restricting them to s
Simple Network Management Protocol, page 5-14. linkUp* 1.3.6.1.6.3.1.1.5.4: A linkUp trap signifies that the SNMP entity, acting in an agent role, has detected
Configuring SNMPv3 Management Access, page 5-15. Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, a