User manual ALCATEL-LUCENT OMNISTACK 6300

Part No. 060191-10, Rev. B April 2004 OmniStack® 6300-24 Users Guide An Alcatel service agreement brings your company the assurance of 7x24 no-excuses technical support. You'll also receive regular software updates to maintain and maximize your Alcatel product's features and functionality and on-site hardware replacement through our global network of highly qualified service delivery partners. Additionally, with 24-hour-a-day access to Alcatel's Service and Support web page, you'll be able to view and update any case (open or closed) that you have reported to Alcatel's technical support, open a new case or access helpful release notes, technical bulletins, and manuals. For more information on Alcatel's Service Programs, see our web page at www.ind.alcatel.com, call us at 1-800-995-2696, or email us at support@ind.alcatel.com. This Manual documents OmniStack 6300-24 hardware and software. The functionality described in this Manual is subject to change without notice. Copyright© 2004 by Alcatel Internetworking, Inc. All rights reserved. This document may not be reproduced in whole or in part without the express written permission of Alcatel Internetworking, Inc. Alcatel®and the Alcatel logo are registered trademarks of Compagnie Financiére Alcatel, Paris, France. OmniSwitch® and OmniStack® are registered trademarks of Alcatel Internetworking, Inc. Omni Switch/RouterTM, SwitchExpertSM, the Xylan logo are trademarks of Alcatel Internetworking, Inc. All other brand and product names are trademarks of their respective companies. 26801 West Agoura Road Calabasas, CA 91301 (818) 880-3500 FAX (818) 880-3505 info@ind.alcatel.com US Customer Support-(800) 995-2696 International Customer Support-(818) 878-4507 Internet-http://eservice.ind.alcatel.com Warning This equipment has been tested and found to comply with the limits for Class A digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions in this guide, may cause interference to radio communications. Operation of this equipment in a residential area is likely to cause interference, in which case the user will be required to correct the interference at his own expense. The user is cautioned that changes and modifications made to the equipment without approval of the manufacturer could void the user's authority to operate this equipment. It is suggested that the user use only shielded and grounded cables to ensure compliance with FCC Rules. This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the radio interference regulations of the Canadian department of communications. Le present appareil numerique níemet pas de bruits radioelectriques depassant les limites applicables aux appareils numeriques de la Class A prescrites dans le reglement sur le brouillage radioelectrique edicte par le ministere des communications du Canada. Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings Trap Receivers Saving Configuration Settings Managing System Files Chapter 3: Configuring the Switch Using the Web Interface Navigating the Web Browser Interface Home Page Configuration Options Panel Display Main Menu Basic Configuration Displaying System Information Displaying Switch Hardware/Software Versions Displaying Bridge Extension Capabilities Setting the Switch's IP Address Manual Configuration Using DHCP/BOOTP Enabling Jumbo Frames Managing Firmware Downloading System Software from a Server Saving or Restoring Configuration Settings Downloading Configuration Settings from a Server Console Port Settings 1-1 1-1 1-2 1-5 2-1 2-1 2-1 2-2 2-3 2-3 2-3 2-4 2-4 2-4 2-5 2-6 2-6 2-7 2-7 2-8 3-1 3-1 3-2 3-2 3-2 3-3 3-3 3-8 3-8 3-10 3-11 3-12 3-13 3-14 3-15 3-15 3-16 3-17 3-17 3-18 v Contents Telnet Settings Configuring Event Logging System Logs System Logs Configuration Remote Logs Configuration Sending Simple Mail Transfer Protocol Alerts Resetting the System Setting the System Clock Configuring SNTP Setting the Time Zone Simple Network Management Protocol Enabling SNMP Setting Community Access Strings Specifying Trap Managers and Trap Types Configuring SNMPv3 Management Access Setting an Engine ID Configuring SNMPv3 Users Configuring SNMPv3 Groups Setting SNMPv3 Views User Authentication Configuring the Logon Password Configuring Local/Remote Logon Authentication Configuring HTTPS Replacing the Default Secure-site Certificate Configuring the Secure Shell Generating the Host Key Pair Configuring the SSH Server Configuring Port Security Configuring 802.1x Port Authentication Displaying 802.1x Global Settings Configuring 802.1x Global Settings Configuring Port Authorization Mode Displaying 802.1x Statistics Access Control Lists Configuring Access Control Lists Setting the ACL Name and Type Configuring a Standard IP ACL Configuring an Extended IP ACL Configuring a MAC ACL Configuring ACL Masks Specifying the Mask Type Configuring an IP ACL Mask Configuring a MAC ACL Mask Binding a Port to an Access Control List Filtering IP Addresses for Management Access vi 3-21 3-23 3-23 3-24 3-25 3-27 3-29 3-29 3-30 3-31 3-31 3-33 3-33 3-34 3-35 3-35 3-36 3-38 3-40 3-41 3-41 3-42 3-45 3-46 3-47 3-49 3-51 3-52 3-54 3-55 3-57 3-58 3-59 3-61 3-61 3-62 3-62 3-63 3-66 3-68 3-68 3-69 3-71 3-72 3-73 Contents Port Configuration Displaying Connection Status Configuring Interface Connections Creating Trunk Groups Statically Configuring a Trunk Enabling LACP on Selected Ports Configuring LACP Parameters Displaying LACP Port Counters Displaying LACP Settings and Status for the Local Side Displaying LACP Settings and Status for the Remote Side Setting Broadcast Storm Thresholds Configuring Port Mirroring Configuring Rate Limits Showing Port Statistics Alcatel Mapping Adjacency Protocol (AMAP) Configuring AMAP Displaying AMAP Detected Devices Address Table Settings Setting Static Addresses Displaying the Address Table Changing the Aging Time Spanning Tree Algorithm Configuration Displaying Global Settings Configuring Global Settings Displaying Interface Settings Configuring Interface Settings Configuring Multiple Spanning Trees Displaying Interface Settings for MSTP Configuring Interface Settings for MSTP VLAN Configuration Overview Assigning Ports to VLANs Forwarding Tagged/Untagged Frames Enabling or Disabling GVRP (Global Setting) Displaying Basic VLAN Information Displaying Current VLANs Creating VLANs Adding Static Members to VLANs (VLAN Index) Adding Static Members to VLANs (Port Index) Configuring VLAN Behavior for Interfaces Configuring Private VLANs Enabling Private VLANs Configuring Uplink and Downlink Ports Configuring Protocol-Based VLANs Configuring Protocol Groups 3-75 3-75 3-77 3-79 3-80 3-81 3-83 3-85 3-86 3-88 3-90 3-91 3-92 3-93 3-98 3-98 3-99 3-100 3-100 3-101 3-102 3-103 3-104 3-107 3-111 3-114 3-116 3-119 3-121 3-122 3-122 3-123 3-125 3-125 3-126 3-127 3-129 3-130 3-132 3-133 3-135 3-135 3-136 3-136 3-137 vii Contents Mapping Protocols to VLANs Class of Service Configuration Setting the Default Priority for Interfaces Mapping CoS Values to Egress Queues Selecting the Queue Mode Setting the Service Weight for Traffic Classes Mapping Layer 3/4 Priorities to CoS Values Selecting IP Precedence/DSCP Priority Mapping IP Precedence Mapping DSCP Priority Mapping IP Port Priority Mapping CoS Values to ACLs Changing Priorities Based on ACL Rules Quality of Service Configuring Quality of Service Parameters Configuring a Class Map Creating QoS Policies Attaching a Policy Map to Ingress and Egress Queues Multicast Filtering Layer 2 IGMP (Snooping and Query) Configuring IGMP Snooping and Query Parameters Displaying Interfaces Attached to a Multicast Router Specifying Static Interfaces for a Multicast Router Displaying Port Members of Multicast Services Assigning Ports to Multicast Services Configuring Domain Name Service Configuring General DNS Server Parameters Configuring Static DNS Host to Address Entries Displaying the DNS Cache Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History viii 3-137 3-139 3-139 3-141 3-143 3-143 3-145 3-145 3-146 3-147 3-149 3-150 3-151 3-153 3-153 3-154 3-156 3-159 3-160 3-160 3-161 3-162 3-163 3-164 3-165 3-166 3-167 3-169 3-171 4-1 4-1 4-1 4-1 4-1 4-3 4-3 4-3 4-3 4-3 4-4 4-5 4-5 4-5 Contents Understanding Command Modes Exec Commands Configuration Commands Command Line Processing Command Groups Line Commands line login password timeout login response exec-timeout password-thresh silent-time databits parity speed stopbits disconnect show line General Commands enable disable configure show history reload end exit quit System Management Commands Device Designation Commands prompt hostname User Access Commands username enable password IP Filter Commands management show management Web Server Commands ip http port ip http server ip http secure-server ip http secure-port Secure Shell Commands ip ssh server 4-5 4-6 4-6 4-7 4-9 4-10 4-10 4-11 4-12 4-13 4-14 4-14 4-15 4-16 4-16 4-17 4-17 4-18 4-18 4-19 4-19 4-20 4-20 4-21 4-22 4-22 4-22 4-23 4-23 4-24 4-24 4-25 4-25 4-25 4-26 4-27 4-27 4-28 4-29 4-29 4-30 4-30 4-31 4-32 4-34 ix Contents ip ssh timeout ip ssh authentication-retries ip ssh server-key size delete public-key ip ssh crypto host-key generate ip ssh crypto zeroize ip ssh save host-key show ip ssh show ssh show public-key Event Logging Commands logging on logging history logging host logging facility logging trap clear logging show logging SMTP Alert Commands logging sendmail host logging sendmail level logging sendmail source-email logging sendmail destination-email logging sendmail show logging sendmail Time Commands sntp client sntp server sntp poll show sntp clock timezone calendar set show calendar System Status Commands show startup-config show running-config show system show users show version Frame Size Commands jumbo frame Flash/File Commands copy delete dir x 4-35 4-36 4-36 4-37 4-37 4-38 4-38 4-39 4-39 4-40 4-41 4-41 4-42 4-43 4-43 4-44 4-44 4-45 4-46 4-47 4-47 4-48 4-48 4-49 4-49 4-50 4-50 4-51 4-52 4-52 4-53 4-53 4-54 4-54 4-54 4-57 4-59 4-60 4-60 4-61 4-61 4-62 4-62 4-64 4-65 Contents whichboot boot system Authentication Commands Authentication Sequence authentication login authentication enable RADIUS Client radius-server host radius-server port radius-server key radius-server retransmit radius-server timeout show radius-server TACACS+ Client tacacs-server host tacacs-server port tacacs-server key show tacacs-server Port Security Commands port security 802.1x Port Authentication authentication dot1x default dot1x default dot1x max-req dot1x port-control dot1x operation-mode dot1x re-authenticate dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout tx-period show dot1x Access Control List Commands IP ACLs access-list ip permit, deny (Standard ACL) permit, deny (Extended ACL) show ip access-list access-list ip mask-precedence mask (IP ACL) show access-list ip mask-precedence ip access-group show ip access-group map access-list ip show map access-list ip 4-66 4-66 4-67 4-67 4-68 4-69 4-70 4-70 4-70 4-71 4-71 4-72 4-72 4-73 4-73 4-73 4-74 4-74 4-75 4-75 4-76 4-77 4-77 4-78 4-78 4-79 4-79 4-80 4-80 4-80 4-81 4-81 4-83 4-85 4-85 4-86 4-87 4-89 4-89 4-90 4-93 4-94 4-94 4-95 4-96 xi Contents match access-list ip show marking MAC ACLs access-list mac permit, deny (MAC ACL) show mac access-list access-list mac mask-precedence mask (MAC ACL) show access-list mac mask-precedence mac access-group show mac access-group map access-list mac show map access-list mac match access-list mac ACL Information show access-list show access-group SNMP Commands snmp-server community snmp-server contact snmp-server location snmp-server host snmp-server enable traps show snmp snmp-server snmp-server engine-id show snmp engine-id snmp-server view show snmp view snmp-server group show snmp group snmp-server user show snmp user DHCP Commands DHCP Client ip dhcp client-identifier ip dhcp restart client DNS Commands ip host clear host ip domain-name ip domain-list ip name-server ip domain-lookup show hosts xii 4-96 4-97 4-98 4-98 4-99 4-100 4-101 4-102 4-104 4-104 4-105 4-105 4-106 4-106 4-107 4-107 4-108 4-108 4-109 4-110 4-110 4-111 4-112 4-113 4-114 4-114 4-115 4-115 4-116 4-117 4-117 4-119 4-119 4-120 4-120 4-120 4-121 4-122 4-122 4-123 4-123 4-124 4-125 4-126 4-127 Contents show dns show dns cache clear dns cache Interface Commands interface description speed-duplex negotiation capabilities flowcontrol combo-forced-mode shutdown switchport broadcast packet-rate clear counters show interfaces status show interfaces counters show interfaces switchport Mirror Port Commands port monitor show port monitor AMAP Configuration amap enable amap run amap discovery timer amap common timer show amap Rate Limit Commands rate-limit Link Aggregation Commands channel-group lacp lacp system-priority lacp admin-key (Ethernet Interface) lacp admin-key (Port Channel) lacp port-priority show lacp Address Table Commands mac-address-table static clear mac-address-table dynamic show mac-address-table mac-address-table aging-time show mac-address-table aging-time Spanning Tree Commands spanning-tree spanning-tree mode 4-127 4-128 4-128 4-129 4-130 4-131 4-131 4-132 4-133 4-134 4-135 4-135 4-136 4-137 4-138 4-139 4-140 4-141 4-141 4-142 4-143 4-144 4-144 4-144 4-145 4-145 4-146 4-146 4-147 4-148 4-149 4-150 4-151 4-152 4-153 4-153 4-157 4-157 4-158 4-158 4-159 4-160 4-160 4-161 4-162 xiii Contents spanning-tree forward-time spanning-tree hello-time spanning-tree max-age spanning-tree priority spanning-tree pathcost method spanning-tree transmission-limit spanning-tree mst-configuration mst vlan mst priority name revision max-hops spanning-tree spanning-disabled spanning-tree cost spanning-tree port-priority spanning-tree edge-port spanning-tree portfast spanning-tree link-type spanning-tree mst cost spanning-tree mst port-priority spanning-tree protocol-migration show spanning-tree show spanning-tree mst configuration VLAN Commands Editing VLAN Groups vlan database vlan Configuring VLAN Interfaces interface vlan switchport mode switchport acceptable-frame-types switchport ingress-filtering switchport native vlan switchport allowed vlan switchport forbidden vlan Displaying VLAN Information show vlan Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) protocol-vlan protocol-group (Configuring Interfaces) show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group Configuring Private VLANs pvlan show pvlan xiv 4-163 4-164 4-164 4-165 4-166 4-166 4-167 4-167 4-168 4-169 4-169 4-170 4-171 4-171 4-172 4-172 4-173 4-174 4-175 4-176 4-176 4-177 4-178 4-179 4-179 4-180 4-180 4-181 4-181 4-182 4-183 4-183 4-184 4-185 4-186 4-187 4-187 4-187 4-188 4-189 4-190 4-190 4-191 4-191 4-192 Contents GVRP and Bridge Extension Commands bridge-ext gvrp show bridge-ext switchport gvrp show gvrp configuration garp timer show garp timer Priority Commands Priority Commands (Layer 2) switchport priority default queue mode queue bandwidth queue cos-map show queue mode show queue bandwidth show queue cos-map Priority Commands (Layer 3 and 4) map ip port (Global Configuration) map ip port (Interface Configuration) map ip precedence (Global Configuration) map ip precedence (Interface Configuration) map ip dscp (Global Configuration) map ip dscp (Interface Configuration) map access-list ip show map ip port show map ip precedence show map ip dscp Quality of Service Commands class-map match policy-map class set police service-policy show class-map show policy-map show policy-map interface Multicast Filtering Commands IGMP Snooping Commands ip igmp snooping ip igmp snooping vlan static ip igmp snooping version show ip igmp snooping show mac-address-table multicast 4-192 4-193 4-193 4-194 4-194 4-195 4-196 4-197 4-197 4-197 4-198 4-199 4-200 4-201 4-201 4-202 4-202 4-203 4-203 4-204 4-204 4-205 4-206 4-207 4-208 4-208 4-209 4-210 4-211 4-212 4-213 4-214 4-214 4-215 4-216 4-216 4-217 4-217 4-218 4-218 4-218 4-219 4-220 4-220 4-221 xv Contents IGMP Query Commands (Layer 2) ip igmp snooping querier ip igmp snooping query-count ip igmp snooping query-interval ip igmp snooping query-max-response-time ip igmp snooping router-port-expire-time Static Multicast Routing Commands ip igmp snooping vlan mrouter show ip igmp snooping mrouter IP Interface Commands Basic IP Configuration ip address ip default-gateway ip dhcp restart show ip interface show ip redirects ping Appendix A: Software Specifications Software Features Management Features Standards Management Information Bases Appendix B: Troubleshooting Glossary Index 4-222 4-222 4-222 4-223 4-224 4-224 4-225 4-225 4-226 4-227 4-227 4-227 4-228 4-229 4-229 4-230 4-230 A-1 A-1 A-2 A-2 A-3 B-1 xvi Tables Table 1-1. Table 1-2. Table 3-4. Table 3-2. Table 3-1. Table 3-22. Table 3-30. Table 3-45. Table 3-47. Table 3-49. Table 3-54. Table 3-85. Table 3-86. Table 3-91. Table 3-93. Table 3-95. Table 4-1. Table 4-2. Table 4-3. Table 4-4. Table 4-5. Table 4-6. Table 4-7. Table 4-8. Table 4-9. Table 4-10. Table 4-11. Table 4-12. Table 4-13. Table 4-14. Table 4-15. Table 4-16. Table 4-17. Table 4-19. Table 4-20. Table 4-18. Table 4-21. Table 4-22. Table 4-23. Table 4-24. Table 4-25. Table 4-26. Key Features System Defaults Main Menu Configuration Options SNMPv3 Security Models and Levels Compatible Operating Systems 802.1X Statistics LACP Port Counters Information LACP Settings - Local Side LACP Settings - Remote Side Displaying Port Statistics Mapping CoS Values to Egress Queues Priority Levels Mapping IP Precedence Mapping DSCP Priority Mapping CoS Values to ACLs Command Modes Configuration Command Modes Keystroke Commands Command Groups Line Commands General Commands System Management Commands Device Designation Commands User Access Commands User Access Levels IP Filter Commands Web Server Commands Compatible Operating Systems Secure Shell Commands Secure Shell Information Event Logging Commands Logging Messages Remote Logging Parameters SMTP Alert Commands System Logging Parameters Time Commands System Status Commands Frame Size Commands Flash/File Commands File Directory Authentication Commands 1-1 1-5 3-3 3-3 3-32 3-45 3-59 3-85 3-86 3-88 3-94 3-141 3-141 3-146 3-147 3-150 4-5 4-7 4-7 4-9 4-10 4-19 4-23 4-24 4-25 4-26 4-27 4-29 4-31 4-32 4-39 4-41 4-42 4-46 4-46 4-46 4-50 4-54 4-61 4-62 4-65 4-67 xvii Tables Table 4-27. Table 4-28. Table 4-29. Table 4-30. Table 4-31. Table 4-32. Table 4-33. Table 4-34. Table 4-35. Table 4-36. Table 4-37. Table 4-38. Table 4-1. Table 4-2. Table 4-3. Table 4-4. Table 4-39. Table 4-40. Table 4-41. Table 4-42. Table 4-43. Table 4-44. Table 4-45. Table 4-46. Table 4-47. Table 4-48. Table 4-49. Table 4-50. Table 4-51. Table 4-52. Table 4-53. Table 4-54. Table 4-55. Table 4-56. Table 4-57. Table 4-58. Table 4-59. Table 4-60. Table 4-61. Table 4-62. Table 4-63. Table 4-64. Table 4-65. Table 4-66. Table 4-5. xviii Authentication Sequence RADIUS Commands TACACS+ Commands Port Security Commands 802.1X Port Authentication Commands ACL Information IP ACLs Priority Queue Mapping MAC ACLs Priority Queue Mapping ACL Information SNMP Commands SNMP Engine ID SNMP View SNMP Group SNMP User DHCP Clients DNS Commands DNS Cache Interface Commands Interfaces Switchport Parameters Mirror Port Commands AMAP Commands Rate Limit Commands Linnk Aggregation Commands LACP Counters LACPDUs LACP Neighbours Information LACP System ID Address Table Commands Spanning Tree Commands VLAN Commands Editing VLAN Groups Configuring VLAN Interfaces Displaying VLAN Information Protocol VLANs Configuring Private VLAN Groups GVRP and Bridge Extension Commands Priority Commands Priority Commands (Layer 2) Priority Queue Mapping Priority Commands (Layer 3 and 4) Mapping IP Precedence Mapping IP DSCP Precedence Mapping CoS Values to ACL Rules 4-67 4-70 4-73 4-75 4-76 4-84 4-85 4-95 4-98 4-105 4-107 4-108 4-115 4-116 4-118 4-120 4-120 4-122 4-128 4-129 4-140 4-141 4-143 4-146 4-147 4-154 4-155 4-156 4-156 4-157 4-160 4-179 4-179 4-181 4-187 4-188 4-191 4-192 4-197 4-197 4-200 4-202 4-205 4-206 4-207 Table 4-67. Table 4-68. Table 4-69. Table 4-70. Table 4-71. Table 4-72. Table B-1. Quality of Service Commands Multicast Filtering Commands IGMP Snooping Commands IGMP Query Commands (Layer 2) Static Multicast Routing Commands IP Configuration Troubleshooting Chart 4-210 4-218 4-218 4-222 4-225 4-227 B-1 xix Tables xx Figures Figure 3-1. Figure 3-3. Figure 3-5. Figure 3-6. Figure 3-7. Figure 3-8. Figure 3-9. Figure 3-10. Figure 3-11. Figure 3-12. Figure 3-13. Figure 3-14. Figure 3-1. Figure 3-2. Figure 3-3. Figure 3-4. Figure 3-5. Figure 3-6. Figure 3-15. Figure 3-16. Figure 3-17. Figure 3-7. Figure 3-18. Figure 3-19. Figure 3-8. Figure 3-9. Figure 3-10. Figure 3-11. Figure 3-20. Figure 3-21. Figure 3-23. Figure 3-24. Figure 3-25. Figure 3-26. Figure 3-27. Figure 3-28. Figure 3-29. Figure 3-31. Figure 3-32. Figure 3-33. Figure 3-34. Figure 3-35. Home Page Ports Panel System Information Switch Information Bridge Exentsion Configuration IP Configuration Selecting DHCP Mode Enabling Jumbo Frame Support Transfering an Operation Code Image File from a Server Selecting the Start-up Operation Code Image File Transfering a Configuration File from a Server Setting the Start-up Configuration File Console Port Settings Telnet Settings Logging Information Enabling System Logging Enabling Remote Logging and Adding Host IP Addresses Enabling and Configuring SMTP Alerts Resetting the System SNTP Configuration Clock Time Zone Enabling the SNMP Agent SNMP Configuration Configuring SNMP Trap Managers Setting an Engine ID Configuring SNMPv3 Users Configuring SNMPv3 Groups Configuring SNMPv3 Views Setting Passwords Authentication Settings HTTPS Settings Secure Shell Host-Key Settings Secure Shell Server Settings Configuring Port Security 802.1X Information 802.1X Configuration 802.1X Port Configuration 802.1X Statistics ACL Configuration Configuring a Standard ACL Configuring an Extended ACL Configuring a MAC ACL 3-2 3-3 3-9 3-10 3-12 3-13 3-14 3-15 3-16 3-16 3-17 3-18 3-20 3-22 3-24 3-25 3-26 3-28 3-29 3-30 3-31 3-33 3-34 3-35 3-36 3-37 3-39 3-40 3-42 3-44 3-46 3-50 3-51 3-53 3-55 3-57 3-59 3-60 3-62 3-63 3-65 3-67 xxi Figures Figure 3-36. Figure 3-37. Figure 3-38. Figure 3-39. Figure 3-12. Figure 3-40. Figure 3-41. Figure 3-42. Figure 3-43. Figure 3-44. Figure 3-46. Figure 3-48. Figure 3-50. Figure 3-51. Figure 3-52. Figure 3-53. Figure 3-55. Figure 3-56. Figure 3-57. Figure 3-58. Figure 3-59. Figure 3-60. Figure 3-61. Figure 3-62. Figure 3-63. Figure 3-64. Figure 3-65. Figure 3-66. Figure 3-67. Figure 3-68. Figure 3-69. Figure 3-70. Figure 3-71. Figure 3-72. Figure 3-73. Figure 3-74. Figure 3-75. Figure 3-76. Figure 3-77. Figure 3-78. Figure 3-79. Figure 3-80. Figure 3-81. Figure 3-82. Figure 3-83. xxii ACL Mask Configuration ACL IP Mask Configuration ACL MAC Mask Configuration ACL Port Binding Filtering IP Addresses Port Information Port Configuration Trunk Membership LACP Configuration LACP Aggregation Port Settings LACP Port Counters Information LACP Settings - Local Side LACP Port Settings - Remote Side Port Broadcast Control Mirror Port Configuration Output Rate Limit Port Configuration Displaying Port Statistics AMAP Settings AMAP Information Setting a Static Address Table Setting a Dynamic Address Table Address Aging Spanning Tree BPDUs STA Information STA Configuration STA Port Roles STA Port Information STA Port Configuration MSTP Vlan Configuration MSTP Port Information MSTP Port Configuration Tagged and Untagged Frames Port Based VLANs GVRP Status Basic VLAN Information VLAN Current Table VLAN Static List VLAN Static Table VLAN Static Membership by Port VLAN Port Configuration Configuring PVLANs PVLAN Status PVLAN Link Status Protocol VLAN Configuration Protocol VLAN Port Configuration 3-68 3-70 3-71 3-73 3-74 3-75 3-78 3-80 3-82 3-84 3-86 3-87 3-89 3-90 3-92 3-93 3-97 3-99 3-100 3-101 3-102 3-103 3-103 3-106 3-110 3-112 3-113 3-116 3-117 3-119 3-122 3-123 3-125 3-126 3-126 3-128 3-129 3-131 3-132 3-134 3-135 3-135 3-136 3-137 3-138 Figures Figure 3-84. Port Priority Configuration Figure 3-87. Traffic Classes Figure 3-88. Selecting the Queue Mode Figure 3-89. Queue Scheduling Figure 3-90. IP Precedence/DSCP Priority Status Figure 3-92. Assigning CoS Values to IP Precedence Figure 3-94. Mapping IP DSCP Priority Figure 3-13. Globally Enabling the IP Port Priority Status Figure 3-14. Mapping Switch Ports and Trunks to IP TCP/UDP Priority Figure 3-96. ACL CoS Priority Figure 3-97. ACL Marker Figure 3-98. Configuring Class Maps Figure 3-99. Configuring Policy Maps Figure 3-100. Service Policy Settings Figure 3-101. IGMP Configuration Figure 3-102. Multicast Router Port Information Figure 3-103. Static Multicast Router Port Configuration Figure 3-104. IP Multicast Registration Table Figure 3-105. IGMP Member Port Table Figure 3-106. DNS Configuration Figure 3-107. DNS Static Host Table Figure 3-108. Displaying the DNS Cache 3-140 3-142 3-143 3-144 3-145 3-146 3-148 3-149 3-149 3-151 3-152 3-155 3-158 3-159 3-162 3-163 3-164 3-165 3-166 3-168 3-170 3-171 xxiii Figures xxiv Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch's performance for your particular network environment. Key Features Table 1-1. Key Features Feature Configuration Backup and Restore Authentication Description Backup to TFTP server Console, Telnet, web ­ User name / password, RADIUS, TACACS+ Web ­ HTTPS; Telnet ­ SSH SNMP version 3 ­ MD5 or SHA password Port ­ IEEE 802.1x, MAC address filtering Supports up to 32 IP or MAC ACLs Supported Supported Speed, duplex mode and flow control Input and output rate limiting per port One or more ports mirrored to single analysis port Supports up to 6 trunks using either static or dynamic trunking (LACP) Supported Up to 16K MAC addresses in the forwarding table Supports dynamic data switching and addresses learning Supported to ensure wire-speed switching while eliminating bad frames Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP) Up to 255 using IEEE 802.1Q, port-based, protocol-based, or private VLANs Default port priority, traffic class map, queue scheduling, IP Precedence, or Differentiated Services Code Point (DSCP) Supports Quality of Service (QoS) Supports IGMP snooping and query Access Control Lists DHCP Client DNS Server Port Configuration Rate Limiting Port Mirroring Port Trunking Broadcast Storm Control Static Address IEEE 802.1D Bridge Store-and-Forward Switching Spanning Tree Protocol Virtual LANs Traffic Prioritization QoS Multicast Filtering 1-1 1 Introduction Table 1-1. Key Features Feature AMAP Description Configures Alcatel Mapping Adjacency Protocol (AMAP) parameters and displays information on attached AMAP-aware devices Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Port-based and protocol-based VLANs, plus support for automatic GVRP VLAN registration provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network. While multicast filtering provides support for real-time network applications. Some of the management features are briefly described below. Configuration Backup and Restore ­ You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings. Authentication ­ This switch authenticates management access via the console port, Telnet or web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1x protocol. This protocol uses the Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1x client, and then verifies the client's right to access the network via an authentication server. Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, IP address filtering for SNMP/web/Telnet management access, and MAC address filtering for port access. Access Control Lists ­ ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can by used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols. Port Configuration ­ You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard. 1-2 Description of Software Features 1 Rate Limiting ­ This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped. Port Mirroring ­ The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity. Port Trunking ­ Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using IEEE 802.3ad Link Aggregation Control Protocol (LACP). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 6 trunks. Broadcast Storm Control ­ Broadcast suppression prevents broadcast traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold. Static Addresses ­ A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port. IEEE 802.1D Bridge ­ The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses. Store-and-Forward Switching ­ The switch copies each frame into its memory before forwarding them to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the switch provides 1 MB for frame buffering. This buffer can queue packets awaiting transmission on congested networks. Spanning Tree Protocol ­ The switch supports these spanning tree protocols: Spanning Tree Protocol (STP, IEEE 802.1D) ­ This protocol adds a level of fault tolerance by allowing two or more redundant connections to be created between a pair of LAN segments. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection. Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) ­ This protocol reduces the convergence time for network topology changes to about 10% of that required by the 1-3 1 Introduction older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices. Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) ­ This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP). Virtual LANs ­ The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically learned via GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can: · Eliminate broadcast storms which severely degrade performance in a flat network. · Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection. · Provide data security by restricting all traffic to the originating VLAN. · Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured. Traffic Prioritization ­ This switch prioritizes each packet based on the required level of service, using eight priority queues with strict or Weighted Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can be used to provide independent priorities for delay-sensitive data and best-effort data. This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the priority bits in the IP frame's Type of Service (ToS) octet. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue. Quality of Service ­ Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. 1-4 System Defaults 1 Multicast Filtering ­ Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration. AMAP ­ The AMAP protocol enables a switch to discover the topology of other AMAP-aware devices in the network. The protocol allows each switch to determine if other AMAP-aware switches are adjacent to it. System Defaults The switch's system defaults are provided in the configuration file "Factory_Default_Config.cfg." To reset the switch defaults, this file should be set as the startup configuration file (page 3-18). The following table lists some of the basic system defaults. Table 1-2. System Defaults Function Console Port Connection Parameter Baud Rate Data bits Stop bits Parity Local Console Timeout Authentication Privileged Exec Level Normal Exec Level Default auto 8 1 none 0 (disabled) Username "admin" Password "admin" Username "guest" Password "guest" Enable Privileged Exec from Normal Password "super" Exec Level RADIUS Authentication TACACS Authentication 802.1x Port Authentication HTTPS SSH Port Security Web Management HTTP Server HTTP Port Number HTTP Secure Server HTTP Secure Port Number Disabled Disabled Disabled Enabled Enabled Disabled Enabled 80 Enabled 443 1-5 1 Introduction Table 1-2. System Defaults Function SNMP Parameter Community Strings Traps IP Filtering Default "public" (read only) "private" (read/write) Authentication traps: enabled Link-up-down events: enabled Disabled Enabled Enabled Disabled 1000BASE-T ­ 10 Mbps half duplex 10 Mbps full duplex 100 Mbps half duplex 100 Mbps full duplex 1000 Mbps full duplex Full-duplex flow control disabled Symmetric flow control disabled 1000BASE-SX/LX/LH ­ 1000 Mbps full duplex Full-duplex flow control disabled Symmetric flow control disabled Enabled 300 seconds 30 seconds Disabled None Disabled Enabled (all ports) 500 packets per second Enabled, MSTP (Defaults: All values based on IEEE 802.1s) Disabled 300 seconds Port Configuration Admin Status Auto-negotiation Flow Control Port Capability AMAP Status Common Phase Timeout Interval Discovery Phase Timeout Interval Rate Limiting Port Trunking Input and output limits Static Trunks LACP (all ports) Broadcast Storm Protection Spanning Tree Protocol Status Broadcast Limit Rate Status Fast Forwarding (Edge Port) Address Table Aging Time 1-6 System Defaults Table 1-2. System Defaults Function Virtual LANs Parameter Default VLAN PVID Acceptable Frame Type Ingress Filtering Switchport Mode (Egress Mode) GVRP (global) GVRP (port interface) Traffic Prioritization Ingress Port Priority Weighted Round Robin IP Precedence Priority IP DSCP Priority IP Settings IP Address Subnet Mask Default Gateway DHCP BOOTP DNS Server Multicast Filtering System Log Lookup IGMP Snooping Status Messages Logged Messages Logged to Flash SMTP Email Alerts SNTP Event Handler Clock Synchronization Default 1 1 All Disabled Hybrid: tagged/untagged frames Disabled Disabled 0 Queue: 0 1 2 3 4 5 6 7 Priority: 2 0 1 3 4 5 6 7 Disabled Disabled 0.0.0.0 255.0.0.0 0.0.0.0 Client: Disabled Disabled Disabled Snooping: Enabled Querier: Enabled Enabled Levels 0-7 (all) Levels 0-3 Disabled Disabled 1 1-7 1 Introduction 1-8 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: The IP address for this switch is unassigned by default. To change this address, see "Setting an IP Address" on page 2-4. The switch's HTTP Web agent allows you to configure switch parameters, monitor port connections, and display statistics using a standard Web browser such as Netscape Navigator version 6.2 and higher or Microsoft IE version 5.0 and higher. The switch's Web management interface can be accessed from any computer attached to the network. The CLI program can be accessed by a direct connection to the RS-232 serial console port on the switch, or remotely by a Telnet connection over the network. The switch's management agent also supports SNMP (Simple Network Management Protocol). This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP OpenView. The switch's Web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions: · · · · · · · · · · · · · · · Set user names and passwords for up to 16 users Set an IP interface for a management VLAN Configure SNMP parameters Enable/disable any port Set the speed/duplex mode for any port Configure the bandwidth of any port by limiting input or output rates Configure up to 255 IEEE 802.1Q VLANs Enable GVRP automatic VLAN registration Configure IGMP multicast filtering Upload and download system firmware via TFTP Upload and download switch configuration files via TFTP Configure Spanning Tree parameters Configure Class of Service (CoS) priority queuing Configure up to 6 static or LACP trunks Enable port mirroring 2-1 2 Initial Configuration · Set broadcast storm control on any port · Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide. To connect a terminal to the console port, complete the following steps: 1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector. Connect the other end of the cable to the RS-232 serial port on the switch. Make sure the terminal emulation software is set as follows: · Select the appropriate serial port (COM port 1 or COM port 2). · Set to any of the following baud rates: 9600, 19200, 38400, 57600, 115200 (Note: Set to 9600 baud if want to view all the system initialization messages.) · Set the data format to 8 data bits, 1 stop bit, and no parity. · Set flow control to none. · Set the emulation mode to VT100. · When using HyperTerminal, select Terminal keys, not Windows keys. Notes: 1. When using HyperTerminal with Microsoft® Windows® 2000, make sure that you have Windows 2000 Service Pack 2 or later installed. Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal's VT100 emulation. See www.microsoft.com for information on Windows 2000 service packs. 2. Refer to "Line Commands" on page 4-10 for a complete description of console configuration options. 3. Once you have set up the terminal correctly, the console login screen will be displayed. 2. 3. For a description of how to use the CLI, see "Using the Command Line Interface" on page 4-1. For a list of all the CLI commands and detailed information on using the CLI, refer to "Command Groups" on page 4-9. 2-2 Basic Configuration 2 Remote Connections Prior to accessing the switch's onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is unassigned by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see "Setting an IP Address" on page 2-4. Note: This switch supports four concurrent Telnet or SSH sessions. After configuring the switch's IP parameters, you can access the onboard configuration program from anywhere within the attached network. The onboard configuration program can be accessed using Telnet from any computer attached to the network. The switch can also be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above), or from a network computer using SNMP network management software. Note: The onboard program only provides access to basic configuration functions. To access the full range of SNMP management functions, you must use SNMP-based network management software. Basic Configuration Console Connection The CLI program provides two different command levels -- normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities. To fully configure the switch parameters, you must access the CLI at the Privileged Exec level. Access to both CLI levels are controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps: 1. 2. 3. 4. To initiate your console connection, press . The "User Access Verification" procedure starts. At the Username prompt, enter "admin." At the Password prompt, enter "switch." (The password characters are not displayed on the console screen.) The session is opened and the CLI displays the "Console#" prompt indicating you have access at the Privileged Exec level. 2-3 2 Initial Configuration Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the "username" command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows: 1. 2. 3. 4. Open the console interface with the default user name "admin" and password "switch" to access the Privileged Exec level. Type "configure" and press . Type "username guest password 0 password," for the Normal Exec level, where password is your new password. Press . Type "username admin password 0 password," for the Privileged Exec level, where password is your new password. Press . Username: admin Password: switch CLI session with the OmniStack 6300 is opened. To end the CLI session, enter [Exit]. Console#configure Console(config)#username guest password 0 [password] Console(config)#username admin password 0 [password] Console(config)# Setting an IP Address You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways: Manual -- You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router. Dynamic -- The switch sends IP configuration requests to BOOTP or DHCP address allocation servers on the network. Manual Configuration You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program. Note: The IP address for this switch is unassigned by default. 2-4 Basic Configuration Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: · IP address for the switch · Default gateway for the network · Network mask for this network To assign an IP address to the switch, complete the following steps: 1. 2. 3. 4. 2 From the Privileged Exec level global configuration mode prompt, type "interface vlan 1" to access the interface-configuration mode. Press . Type "ip address ip-address netmask," where "ip-address" is the switch IP address and "netmask" is the network mask for the network. Press . Type "exit" to return to the global configuration mode prompt. Press . To set the IP address of the default gateway for the network to which the switch belongs, type "ip default-gateway gateway," where "gateway" is the IP address of the default gateway. Press . Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.5 255.255.255.0 Console(config-if)#exit Console(config)#ip default-gateway 192.168.1.254 Console(config)# Dynamic Configuration If you select the "bootp" or "dhcp" option, IP will be enabled but will not function until a BOOTP or DHCP reply has been received. You therefore need to use the "ip dhcp restart client" command to start broadcasting service requests. Requests will be sent periodically in an effort to obtain IP configuration information. (BOOTP and DHCP values can include the IP address, subnet mask, and default gateway.) If the "bootp" or "dhcp" option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on. To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: 1. 2. From the Global Configuration mode prompt, type "interface vlan 1" to access the interface-configuration mode. Press . At the interface-configuration mode prompt, use one of the following commands: · To obtain IP settings via DHCP, type "ip address dhcp" and press . · To obtain IP settings via BOOTP, type "ip address bootp" and press . 3. 4. Type "end" to return to the Privileged Exec mode. Press . Type "ip dhcp restart client" to begin broadcasting service requests. Press . 2-5 2 5. 6. Initial Configuration Wait a few minutes, and then check the IP configuration settings by typing the "show ip interface" command. Press . Then save your configuration changes by typing "copy running-config startup-config." Enter the startup file name and press . Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end Console#ip dhcp restart client Console#show ip interface IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: User specified. Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming. \Write to FLASH finish. Success. Enabling SNMP Management Access The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as HP OpenView. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred. Community Strings Community strings are used to control management access to SNMP stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users or user groups, and set the access level. The default strings are: · public - with read-only access. Authorized management stations are only able to retrieve MIB objects. · private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. Note: If you do not intend to utilize SNMP, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access to the switch is disabled. To prevent unauthorized access to the switch via SNMP, it is recommended that you change the default community strings. 2-6 Basic Configuration To configure a community string, complete the following steps: 1. 2 From the Privileged Exec level global configuration mode prompt, type "snmp-server community string mode," where "string" is the community access string and "mode" is rw (read/write) or ro (read only). Press . (Note that the default mode is read only.) To remove an existing string, simply type "no snmp-server community string," where "string" is the community access string to remove. Press . Console(config)#snmp-server community admin rw Console(config)#snmp-server community private Console(config)# 2. Trap Receivers You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, complete the following steps: 1. From the Privileged Exec level global configuration mode prompt, type "snmp-server host host-address community-string," where "host-address" is the IP address for the trap receiver and "community-string" is the string associated with that host. Press . In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server enable traps command. Type "snmp-server enable traps type," where "type" is either authentication or link-up-down. Press . Console(config)#snmp-server enable traps link-up-down Console(config)# 2. Saving Configuration Settings Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the "copy" command. To save the current configuration settings, enter the following command: 1. From the Privileged Exec mode prompt, type "copy running-config startup-config" and press . 2-7 2 2. Initial Configuration Enter the name of the start-up file. Press . Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming. \Write to FLASH finish. Success. Console# Managing System Files The switch's flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch's file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are: · Configuration -- This file stores system configuration information and is created when configuration settings are saved. Saved configuration files can be selected as a system start-up file or can be uploaded via TFTP to a server for backup. A file named "Factory_Default_Config.cfg" contains all the system default settings and cannot be deleted from the system. See "Saving or Restoring Configuration Settings" on page 3-17 for more information. · Operation Code -- System software that is executed after boot-up, also known as run-time code. This code runs the switch operations and provides the CLI and Web management interfaces. See "Managing Firmware" on page 3-15 for more information. · Diagnostic Code -- Software that is run during system boot-up, also known as POST (Power On Self-Test). Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded. Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file. 2-8 Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP Web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet. For more information on using the CLI, refer to Chapter 4: "Command Line Interface." Prior to accessing the switch from a Web browser, be sure you have first performed the following tasks: 1. Configure the switch with a valid IP address, subnet mask, and default gateway using an out-of-band serial connection, BOOTP or DHCP protocol. (See "Setting an IP Address" on page 2-4.) Set user names and passwords using an out-of-band serial connection. Access to the Web agent is controlled by the same user names and passwords as the onboard configuration program. (See "Setting Passwords" on page 2-4.) After you enter a user name and password, you will have access to the system configuration program. failed attempt the current connection is terminated. 2. 3. Notes: 1. You are allowed three attempts to enter the correct password; on the third 2. If you log into the Web interface as guest (Normal Exec level), you can view the configuration settings or change the guest password. If you log in as "admin" (Privileged Exec level), you can change the settings on any page. 3. If the path between your management station and this switch does not pass through any device that uses the Spanning Tree Algorithm, then you can set the switch port attached to your management station to fast forwarding (i.e., enable Admin Edge Port) to improve the switch's response time to management commands issued through the web interface. See "Configuring Interface Settings" on page 3-114. 3-1 3 Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is "admin." Home Page When your web browser connects with the switch's web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics. Figure 3-1. Home Page Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the "Apply" or "Apply Changes" button to confirm the new setting. The following table summarizes the web page configuration buttons. 3-2 Navigating the Web Browser Interface Table 3-2. Configuration Options Button Revert Refresh Apply Apply Changes Action Cancels specified values and restores current values prior to pressing "Apply" or "Apply Changes." Immediately updates values for the current page. Sets specified values to the system. Sets specified values to the system. 3 Notes: 1. To ensure proper screen refresh, be sure that Internet Explorer 5.x is configured as follows: Under the menu "Tools / Internet Options / General / Temporary Internet Files / Settings," the setting for item "Check for newer versions of stored pages" should be "Every visit to the page." 2. When using Internet Explorer 5.0, you may have to manually refresh the screen after making configuration changes by pressing the browser's refresh button. Panel Display The web agent displays an image of the switch's ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex, or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-77. Figure 3-3. Ports Panel Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-4. Main Menu Menu System System Information Switch Information Bridge Extension IP Configuration Provides basic system description, including contact information Shows the number of ports, hardware/firmware version numbers, and power status Shows the bridge extension parameters Sets the IP address for management access Description Page 3-8 3-8 3-10 3-11 3-12 3-3 3 Configuring the Switch Table 3-4. Main Menu Menu Jumbo Frame File Firmware Configuration Line Console Telnet Log Logs System Logs Remote Logs SMTP Reset SNTP Configuration Clock Time Zone SNMP Configuration Agent Status SNMPv3 Engine ID Users Groups Views Security Passwords Authentication Settings HTTPS Settings SSH Settings Host-Key Settings Description Enables jumbo frame support Manages code image files Manages switch configuration files Sets console port connection parameters Sets telnet connection parameters Stores and displays error messages Sends error messages to a logging process Configures the logging of messages to a remote logging process Sends an SMTP client message to a participating server Restarts the switch Configures SNTP client settings, including broadcast mode or a specified list of servers Sets the local time zone for the system clock Configures community strings and related trap functions Allows SNMP to be enabled or disabled Sets the SNMP v3 engine ID Configures SNMP v3 users Configures SNMP v3 groups Configures SNMP v3 views Assigns a new password for the current user Configures authentication sequence, RADIUS and TACACS Configures secure HTTP settings Configures Secure Shell server settings Generates the host key pair (public and private) Page 3-15 3-16 3-16 3-17 3-18 3-18 3-21 3-23 3-24 3-24 3-25 3-27 3-29 3-29 3-30 3-31 3-31 3-33 3-34 3-35 3-35 3-36 3-38 3-40 3-25 3-41 3-42 3-45 3-47 3-51 3-49 3-4 Navigating the Web Browser Interface Table 3-4. Main Menu Menu Port Security 802.1x Information Configuration Port Configuration Statistics ACL Configuration Mask Configuration Port Binding IP Filtering Port Port Information Trunk Information Port Configuration Trunk Configuration Trunk Membership LACP Configuration Aggregation Port Port Counters Information Port Internal Information Port Broadcast Control Trunk Broadcast Control Mirror Port Configuration Rate Limit Input Port Configuration Input Trunk Configuration Output Port Configuration Sets the input rate limit for each port Sets the input rate limit for each trunk Sets the output rate limit for each port Allows ports to dynamically join trunks Configures system priority, admin key, and port priority Displays statistics for LACP protocol messages Displays settings and operational state for local side Sets the broadcast storm threshold for each port Sets the broadcast storm threshold for each trunk Sets the source and target ports for mirroring Displays port connection status Displays trunk connection status Configures port connection settings Configures trunk connection settings Specifies ports to group into static trunks Configures packet filtering based on IP or MAC addresses Controls the order in which ACL rules are checked Binds a port to the specified ACL Sets IP addresses of clients allowed management access via the Web, SNMP, and Telnet Description Configures per port security, including status, response for security breach, and maximum allowed MAC addresses Port authentication Displays global configuration settings Configures protocol parameters Sets the authentication mode for individual ports Displays protocol statistics for the selected port 3 Page 3-52 3-54 3-55 3-57 3-58 3-59 3-61 3-61 3-68 3-72 3-73 3-75 3-75 3-75 3-77 3-77 3-80 3-81 3-81 3-83 3-85 3-86 3-88 3-90 3-90 3-91 3-92 3-92 3-92 3-92 3-92 Port Neighbors Information Displays settings and operational state for remote side Output Trunk Configuration Sets the output rate limit for each trunk 3-5 3 Configuring the Switch Table 3-4. Main Menu Menu Port Statistics Alcatel AMAP Settings Information Address Table Static Addresses Dynamic Addresses Address Aging Spanning Tree STA Information Configuration Port Information Trunk Information Port Configuration Trunk Configuration MSTP VLAN Configuration Port Information Trunk Information Port Configuration Trunk Configuration VLAN 802.1Q VLAN GVRP Status Basic Information Current Table Static List Static Table Static Membership Description Lists Ethernet and RMON port statistics Alcatel Mapping Adjacency Protocol (AMAP) Configures AMAP parameters Displays information on attached AMAP-aware devices Displays entries for interface, address or VLAN Displays or edits static entries in the Address Table Sets timeout for dynamically learned entries Page 3-93 3-98 3-98 3-98 3-99 3-80 3-100 3-101 3-102 3-103 3-103 Displays STA values used for the bridge Configures global bridge settings for STA, RSTP and MSTP Displays individual port settings for STA Displays individual trunk settings for STA Configures individual port settings for STA Configures individual trunk settings for STA Configures priority and VLANs for a spanning tree instance Displays port settings for a specified MST instance Displays trunk settings for a specified MST instance Configures port settings for a specified MST instance Configures trunk settings for a specified MST instance 3-104 3-107 3-111 3-111 3-114 3-114 3-116 3-116 3-119 3-119 3-121 3-121 3-122 3-122 Enables GVRP VLAN registration protocol Displays information on the VLAN type supported by this switch Shows the current port members of each VLAN and whether or not the port is tagged or untagged Used to create or remove VLAN groups Modifies the settings for an existing VLAN Configures membership type for interfaces, including tagged, untagged or forbidden 3-125 3-126 3-127 3-129 3-130 3-132 3-6 Navigating the Web Browser Interface Table 3-4. Main Menu Menu Port Configuration Trunk Configuration Private VLAN Status Link Status Protocol VLAN Configuration Port Configuration Priority Default Port Priority Default Trunk Priority Traffic Classes Traffic Classes Status Queue Mode Queue Scheduling IP Precedence/ DSCP Priority Status IP Precedence Priority IP DSCP Priority IP Port Priority Status IP Port Priority ACL CoS Priority ACL Marker QoS DiffServ Class Map Policy Map Service Policy Configure QoS classification criteria and service policies Creates a class map for a type of traffic Creates a policy map for multiple interfaces Applies a policy map defined to the input or output of a particular interface Sets the default priority for each port Sets the default priority for each trunk Maps IEEE 802.1p priority tags to output queues Enables/disables traffic class priorities (not implemented) Sets queue mode to strict priority or Weighted Round-Robin Configures Weighted Round Robin queueing Globally selects IP Precedence or DSCP Priority, or disables both. Sets IP Type of Service priority, mapping the precedence tag to a class-of-service value Sets IP Differentiated Services Code Point priority, mapping a DSCP tag to a class-of-service value Globally enables or disables IP Port Priority Sets TCP/UDP port priority, defining the socket number and associated class-of-service value Sets the CoS value and corresponding output queue for packets matching an ACL rule Change traffic priorities for frames matching an ACL rule Creates a protocol group, specifying the supported protocols Maps a protocol group to a VLAN Enables or disables the private VLAN Configures the private VLAN Description Specifies default PVID and VLAN attributes Specifies default trunk VID and VLAN attributes 3 Page 3-133 3-133 3-135 3-135 3-136 3-136 3-137 3-137 3-139 3-139 3-139 3-141 NA 3-143 3-143 3-145 3-146 3-147 3-149 3-149 3-133 3-151 3-153 3-153 3-154 3-156 3-159 3-7 3 Configuring the Switch Table 3-4. Main Menu Menu IGMP Snooping IGMP Configuration Multicast Router Port Information Static Multicast Router Port Configuration IP Multicast Registration Table IGMP Member Port Table DNS General Configuration Static Host Table Cache Description Enables multicast filtering; configures parameters for multicast query Displays the ports that are attached to a neighboring multicast router for each VLAN ID Assigns ports that are attached to a neighboring multicast router Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID Indicates multicast addresses associated with the selected VLAN Enables DNS; configures domain name and domain list; and specifies IP address of name servers for dynamic lookup Configures static entries for domain name to address mapping Displays cache entries discovered by designated name servers Page 3-160 3-161 3-162 3-163 3-164 3-165 3-166 3-167 3-169 3-171 Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes · · · · · System Name ­ Name assigned to the switch system. Object ID ­ MIB II object ID for switch's network management subsystem. Location ­ Specifies the system location. Contact ­ Administrator responsible for the system. System Up Time ­ Length of time the management agent has been up. These additional parameters are displayed for the CLI. · · · · · · MAC Address ­ The physical layer address for this switch. Web server ­ Shows if management access via HTTP is enabled. Web server port ­ Shows the TCP port number used by the web interface. Web secure server ­ Shows if management access via HTTPS is enabled. Web secure server port ­ Shows the TCP port used by the HTTPS interface. POST result ­ Shows results of the power-on self-test 3-8 Basic Configuration 3 Web ­ Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 3-5. System Information CLI ­ Specify the hostname, location and contact information. Console(config)#hostname R&D 5 Console(config)#snmp-server location WC 9 Console(config)#snmp-server contact Ted Console(config)#end Console#show system System description: OmniStack*24 10/100/1000 System OID string: 1.3.6.1.4.1.6486.800.1.1.2.1.5.1.1 System information System Up time: 0 days, 0 hours, 23 minutes, and 26.59 seconds System Name : R&D 5 System Location : WC 9 System Contact : Ted MAC address : 00-30-F1-99-B3-DB Web server : enable Web server port : 80 Web secure server : enable Web secure server port : 443 POST result UART LOOP BACK Test..........PASS DRAM Test....................PASS Timer Test...................PASS PCI Device 1 Test............PASS PCI Device 2 Test............PASS Switch Int Loopback test.....PASS Done All Pass. Console# 4-25 4-110 4-110 4-59 3-9 3 Configuring the Switch Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board · Serial Number ­ The serial number of the switch. · Number of Ports ­ Number of built-in RJ-45 ports and expansion ports. · Hardware Version ­ Hardware version of the main board. · Internal Power Status ­ Displays the status of the internal power supply. · Redundant Power Status* ­ Displays the status of the redundant power supply. * CLI only. Management Software · · · · Loader Version ­ Version number of loader code. Boot-ROM Version ­ Version of Power-On Self-Test (POST) and boot code. Operation Code Version ­ Version number of runtime code. Role ­ Shows that this switch is operating as Master (i.e., operating stand-alone). Web ­ Click System, Switch Information. Figure 3-6. Switch Information 3-10