enterasys switch configuration guide

14881000 for 10- Gigabit ports Use the show port broadcast command to display current threshold settings. Disabled MAC lock Syslog messages Specifies whether Syslog messages associated with MAC locking will be sent. Therefore, you must know the serial number of the switch to be licensed when you activate the license on the Enterasys customer site, and also when you apply the license to the switch as described below. Optionally, enable the aging of first arrival MAC addresses on a port or ports. Configuring ACLs Procedure 24-2 Configuring IPv6 ACLs (continued) Step Task Command(s) 3. Therefore, a value of 7 is given the highest priority. Router R1 serves as the master and Router R2 serves as the backup. Configuring CLI Properties Basic Line Editing Commands The CLI supports EMACs-like line editing commands. Refer to page Spanning Tree Basics underlying physical ports. Disable the default super-user account, admin set system login admin super-user disable This example creates a new super-user account named usersu and enables it. Stateless autoconfiguration is part of Router Advertisement and the Enterasys Fixed Switches can support both stateless and stateful autoconfiguration of end nodes. RIP is described in RFC 2453. When a packet is received, the packet is mapped to a CoS index based on the packet 802.1 priority, port, and policy role, if a policy role is present. 21 IPv4 Basic Routing Protocols This chapter describes how to configure the Routing Information Protocol (RIP) and the ICMP Router Discovery Protocol (IRDP). Terms and Definitions 15-38 Configuring Spanning Tree. Interpreting Messages Every system message generated by the Enterasys switch platforms follows the same basic format: time stamp address application [unit] message text Example This example shows Syslog informational messages, displayed with the show logging buffer command. P/N 9034174-01. . 
Configuring IGMP Table 19-3 Layer 2 IGMP Configuration Commands Task Command Enable or disable IGMP on the system. This guarantees that the default behavior of a bridge is to not be part of an MST region. Use the area virtual-link authentication-key command in OSPF router configuration command mode to configure simple authentication on this area virtual-link. Enterasys devices support version 2 of the PIM protocol as described in RFC 4601 and draft-ietfpim-sm-v2-new-09. If it is not, then the sending device proceeds no further. The forward delay interval is the amount of time spent listening for topology change information after an interface has been activated for bridging and before forwarding actually begins. Terms and Definitions LoopProtect Lock status for port lag.0.2, SID 56_ is UNLOCKED Enterasys->show spantree lpcapablepartner port lag.0.2 Link partner of port lag.0.2_is LoopProtect-capable. In router configuration mode, optionally enable split horizon poison reverse. When a port mirror is created, the mirror destination port is removed from the egress list of VLAN 1 after a reboot. RMON Table 18-1 RMON Group Event RMON Monitoring Group Functions and Commands (continued) What It Does What It Monitors CLI Command(s) Controls the generation and notification of events from the device. Optionally, display the ACLs associated with a VLAN or port. The feature prevents a class of man-in-the-middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. 3. 2 ipsourcesocket Classifies based on source IP address and optional post-fixed L4 TCP/UDP port. Terms and Definitions 2. For example, for a network with the address 192.168.0.0/16, the directed broadcast address would be 192.168.255.255. The stackable fixed switch and standalone fixed switch devices support MAC-based authentication. 
Table 20-9 show ip pimsm interface vlan Output Details, Table 20-10 show ip pimsm interface stats Output Details. Use this command to manually unlock a port that was locked by the SpanGuard function. RIP Configuration Example Table 21-2 lists the default RIP configuration values. For example, set logging local console enable would not execute without also specifying file enable or disable. 8. Use the area virtual-link command in OSPF router configuration command mode, providing the transit area ID and the ABRs router ID, to configure an area virtual-link. All generated messages are eligible for logging to local destinations and to remote servers configured as Syslog servers. SNTP Configuration Unicast Polling Mode When an SNTP client is operating in unicast mode, SNTP update requests are made directly to a server, configured using the set sntp server command. Table 11-5 describes how to display link aggregation information and statistics. The VLAN authorization table will always list any tunnel attributes VIDs that have been received for authenticated end systems, but a VID will not actually be assigned unless VLAN authorization is enabled both globally and on the authenticating port. Enable or disable notifications for one or more authentication notification types. 1.4 IP phone ge. ENTERASYS MATRIX-V V2H124-24FX QUICK REFERENCE MANUAL . ieee The Enterasys device uses only the IEEE 802. Understanding and Configuring SpanGuard Monitoring MSTP Use the commands in Table 15-8 to monitor MSTP statistics and configurations on stackable, and standalone switch devices. Note: Globally enabling 802.1x on a switch sets the port-control type to auto for all ports. 2. show config [all | facility | memcard] Display the contents of a file located in the configs or logs directory. Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. 
RMON Table 18-2 Default RMON Parameters (continued) Parameter Description Default Value capture asksize The RMON capture requested maximum octets to save in the buffer. Meraki MS Switches have many valuable key features. You can use the following commands to review and, if necessary, change the edge port detection status on the device and the edge port status of Spanning Tree ports. Format Examples The following examples illustrate secure log entry formats for different types of events. A code example follows the procedure. DHCP Snooping Procedure 26-6 Basic Configuration for DHCP Snooping Step Task Command(s) 1. This example displays the output of this command. Enabling IGMP on the device and on the VLANs. Active Cisco 800 Series Router Configuration. Press ENTER to advance the output one line at a time. Table 268 provides an explanation of the command output. 15 Configuring Spanning Tree This chapter provides the following information about configuring and monitoring the Spanning Tree protocol on Enterasys stackable and standalone fixed switches. 5. Please consult the release notes or configuration guide to properly configure a static multicast Filter Database Entry for: 00-00-00-00-00-00 on vlan.0.123 . Configuration Examples Enabling a Server and Console Logging Procedure 14-1 shows how you would complete a basic Syslog configuration. This example shows how to display the system IP address and subnet mask: The following table provides an explanation of the command output. The hardware, firmware, or software described in this document is subject to change without notice. Transmit Queue Monitoring If no additional power losses occur on the PoE devices and no additional link flapping conditions occur, the network administrator disables link flap detection on the PoE ports. Configuring SNMP security model and security level used to request access. set macauthentication {enable | disable} 4. Create an SNMPv3 user and specify authentication, encryption, and security credentials. 
Skilled in network testing and troubleshooting. Since the admin key for the LAG and its associated ports must agree for the LAG to form, an easy way to ensure that LAGs do not automatically form is to set the admin key for all LAGS on all devices to a nondefault value. Configuring PIM-SM Basic PIM-SM Configuration By default, PIM-SM is disabled globally on Enterasys fixed switches and attached interfaces. show igmpsnooping Display static IGMP ports for one or more VLANs or IGMP groups. Display MAC authentication configuration or status of active sessions. Quality of Service (QoS) configuration on Enterasys switches is usually done via policies. Configuring IGMP Snooping. Refer to page SNMP Concepts 2. For a subnet with the address 192.168.12.0/24, the directed broadcast address would be 192.168.12.255. 6. Configuring STP and RSTP Figure 15-10 Example of Multiple Regions and MSTIs Region 1 1 Region 2 2 Region 3 6 8 5 12 3 4 CIST Regional Root 7 10 CIST Root and CIST Regional Root CIST Regional Root Master Port Table 15-5 9 11 Master Port MSTI Characteristics for Figure 15-10 MSTI / Region Characteristics MSTI 1 in Region 1 Root is switching device 4, which is also the CIST regional root MSTI 2 in Region 1 Root is switching device 5 MSTI 1 in Region 2 Root is switching device 7, w. Configuring STP and RSTP Reviewing and Enabling Spanning Tree By default, Spanning Tree is enabled globally on Enterasys switch devices and enabled on all ports. It can be enabled using the set security profile c2 command. Enabling DVMRP globally on the device and on the VLANs. 1. Authentication Header (AH) mode is not supported. Using Multicast in Your Network Figure 19-1 IGMP Querier Determining Group Membership IGMP Querier IGMP Query IGMP Membership IGMP Membership Router for 224.1.1.1 Router for 226.7.8.9 Member of 224.1.1.1 Member of 226.7.8.9 As shown in Figure 19-1, a multicast-enabled device can periodically ask its hosts if they want to receive multicast traffic. 
DHCP Snooping Table 26-9 DHCP Snooping Default Parameters (continued) Parameter Default Setting Burst interval 1 second Managing DHCP Snooping Table 26-10 on page 21 lists the commands to display DHCP snooping information. C5(su)->router# Debug network issues with ping and traceroute Global Configuration Mode Set system-wide router parameters. Dynamic ARP Inspection Dynamic ARP Inspection Configuration set arpinspection vlan 10 set arpinspection trust port ge.1.1 enable Routing Example T Note: This example applies only to platforms that support routing. Event type, description, last time event was sent. Monitoring MSTP 15-29 Example 1: Configuring MSTP for Traffic Segregation This example illustrates the use of MSTP for traffic segregation by VLAN and SID. 24 Configuring Access Control Lists This chapter describes how to configure access control lists on the Fixed Switch platforms. Configuring IRDP The following code example enables IRDP on VLAN 10, leaving all default values, and then shows the IRDP configuration on that VLAN. Configuring ACLs Port-string ----------ge.1.29 Access-list ----------121 Configuring ACLs This section provides procedures and examples for configuring IPv4, IPv6, and MAC ACLs. The CLI supports EMACs-like line editing commands. Table 13 lists some commonly used commands. Ctrl+F Move cursor forward one character. If authentication is not specified, no authentication will be applied. 11 Configuring Link Aggregation This chapter describes how to configure link aggregation on the fixed switch platforms. 1. This overrides the specified timeout variable: set spantree spanguardlock port-string Monitoring SpanGuard Status and Settings Use the commands in Table 15-9 to review SpanGuard status and settings. 
StudentFS(rw)->set policy profile 2 name student pvid-status enable pvid 10 cos-status enable cos 8 Assigning Traffic Classification Rules Forward traffic on UDP source port for IP address request (68), and UDP destination ports for protocols DHCP (67) and DNS (53). Firewalls Fortigate, Netscreen and Stonegate configuration. set dhcpsnooping trust port port-string enable 4. . This example enables multicast flood protection. Refer to page Syslog Operation By default, Syslog is operational on Enterasys switch devices at startup. set snmp user user [remote remoteid] [privacy privpassword] [authentication {md5 | sha}] [authpassword] If remote is not specified, the user will be registered for the local SNMP engine. Disable WebView and show the current state. 5 User Account and Password Management This chapter describes user account and password management features, which allow enhanced control of password usage and provide additional reporting of usage. Dynamic ARP Inspection 26-28 Configuring Security Features. Important Notice Depending on the firmware version used on your Fixed Switch platform, some features described in this document may not be supported. lacptimeout - Transmitting LACP PDUs every 30 seconds. Legacy Protocols If IPX, AppleTalk, DECnet or other protocols should no longer be running on your network, prevent clients from using them. Cisco Nexus 5000 Series NX-OS Software Configuration Guide. I have enjoyed my solid commitment to this profession since 1997. Further, if a BPDU timeout occurs on a port, its state becomes listening until a new BPDU is received. BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. Open a MIB browser, such as Netsight MIB Tools 2. . area area-id virtual-link router-id Refer to Configuring Area Virtual-Links on page 22-12 for more information. Procedure 4-4 DHCP Server Configuration on a Non-Routing System Step Task Command(s) 1. 
A manual pool can be configured using either the client's hardware address (set dhcp pool hardware-address) or the client's client-identifier (set dhcp pool client-identifier), but using both is not recommended. set multiauth idle-timeout auth-method timeout 2. show mac [address mac-address] [fid fid] [port port-string] [type {other | learned | self | mgmt | mcast}] 2. About This Guide This guide provides basic configuration information for the Enterasys Networks Fixed Switch platforms using the Command Line Interface (CLI), including procedures and code examples. Figure 15-5 on page 15-11 presents a root port configuration for Bridge B determined by the port priority setting. FIPS mode can be cleared using the clear security profile command. Assign switch ports to the VLAN. Configuring VRRP Router 2(su)->router(Config-router)#exit Multiple Backup VRRP Configuration Figure 23-3 shows a multi-backup sample configuration. Understanding How VLANs Operate Forwarding Decisions VLAN forwarding decisions for transmitting frames are determined by whether or not the traffic being classified is in the VLAN's forwarding database as follows: Unlearned traffic: When a frame's destination MAC address is not in the VLAN's forwarding database (FDB), it will be forwarded out of every port on the VLAN's egress list with the frame format that is specified. Enterasys Networks, Inc. declares that the equipment packaged with this notice conforms to the above directives. set port discard port-string {tagged | untagged | none | both} 8. ipv6 route ipv6-prefix/prefix-length {global-next-hop-addr | interface {tunnel tunnel-id | vlan vlan-id} ll-next-hop-addr} [pref] 2. -1 (request as many octets as possible) capture slice The RMON capture maximum number of octets from each packet to be saved to the buffer. interface {vlan vlan-id | loopback loopbackid } 2. Basic OSPF Topology Configuration OSPF Router Types OSPF router type is an attribute of an OSPF process. 
Any authentication requests to this authentication server must present the correct secret value to gain authentication. 3. Configuring Node Aliases C5(su)->show nodealias config ge.1.1 Port Number ----------ge.1.1 Max Entries ----------32 Used Entries -----------32 Status ---------Enable The following command disables the node alias agent on port ge.1.8: C5(su)->set nodealias disable ge.1. Configuring OSPF Areas Area 2 ABR2(su)->router(Config)#router ospf 1 ABR2(su)->router(Config-router)#area 0.0.0.2 range 10.3.0.0 255.255.0.0 ABR2(su)->router(Config-router)#area 0.0.0.2 range 10.3.2.0 255.255.255.0 noadvertise Area 3 ABR3(su)->router(Config)#router ospf 1 ABR3(su)->router(Config-router)#area 0.0.0.3 range 10.1.0.0 255.255.0.0 Figure 22-3 OSPF Summarization Topology Configuring a Stub Area A stub area is a non-transit area. The set inlinepower mode command is set to auto, which means that the power available for PoE (150W) is distributed evenly75W to each PoE module. Lead and handle change configuration team of process upon business requirements. (7) Router 2 forwards the multicast stream to Host 2. Table 12-2 SNMP Terms and Definitions Term Definition community A name string used to authenticate SNMPv1 and v2c users. Ports assigned to a new port group cannot belong to another non-default port group entry and must be comprised of the same port type as defined by the port group you are associating it with. User Account Overview The emergency access user is still subject to the system lockout interval even on the console port. show ipsec 2. You can enable link flap detection globally on your Enterasys switch or on specific ports, such as uplink ports. set snmp targetaddr targetaddr ipaddr param param [udpport udpport] [mask mask] [timeout timeout] [retries retries] [taglist taglist] [volatile | nonvolatile] If not specified, udpport will be set to 162. 
By enabling the link flap detection feature on your Enterasys switch, you can monitor and act upon link flapping to avoid these recalculations. See The RADIUS Filter-ID on page 8 for RADIUS Filter-ID information. Securestack a2 Read online or download PDF Enterasys Networks A2H124-24FX User Manual. set multiauth mode multi 5. Factory Default Settings Table 4-1 Default Settings for Basic Switch Operation (continued) Feature Default Setting Password history No passwords are checked for duplication. Do you want to continue (y/n) [n]? Using Multicast in Your Network Generation ID gen id: 1331801871 10.5.40.0/255.255.255.0 [2] via neighbor: 10.5.50.1 Uptime: 66704 , expires: 0 version: 3 Generation ID gen id: 1331805217 10.5.50.0/255.255.255.0 [0] via neighbor: direct 10.5.51.0/255.255.255.0 [0] via neighbor: direct direct direct Uptime: 3615 , expires: 0 version: 3 10.5.70.0/255.255.255.0 [3] via neighbor: Uptime: 66716 , expires: 0 version: 3 10.5.60.0/255.255.255. set igmpsnooping adminmode {enable | disable} Enable or disable IGMP on one or all ports. If Spanning Tree is disabled globally all linked ports will be in a forwarding state and the Spanning Tree Protocol will not run. OSPF adjacencies can not be formed on a passive interface. Use this command to display the switch's ARP table. Refer to page Policy Configuration Overview Identifying and restricting routing to legitimate routing IP addresses to prevent DoS, spoofing, data integrity and other routing related security issues. Basic OSPF Topology Configuration 1. Table 19-5 Layer 2 IGMP Show Commands Task Command Display IGMP snooping information. 2. show snmp community name Display the context list configuration for SNMP view- show snmp context based access control. This example shows how to set login attempts to 5 and lockout time to 30 minutes: To display and set the system IP address and other basic system (switch) properties. Save Your System Configuration Settings. 
Table 26-3 lists the logging commands that require different user access permissions when the security mode is set to C2. In this way, VACM allows you to permit or deny access to any individual item of management information depending on a user's group membership and the level of security provided by the communications channel. Two PoE modules are installed. User Authentication Overview Figure 10-1 Applying Policy to Multiple Users on a Single Port Authentication Request User 1 Switch Authentication Response Radius Server SMAC 00-00-00-11-11-11 Authentication Credentials User 1 Authentication Credentials User 2 Authentication Request Authentication Credentials User 3 Authentication Response User 2 SMAC 00-00-00-22-22-22 Port ge.1.5 Authentication Request User 3 Dynamic Admin Rule for Policy 1 SMAC = 00-00-00-11-11-11 ge.1. Basic Network Monitoring Features Network Diagnostics Fixed Switch network diagnostics provide for: Pinging another node on the network to determine its availability Performing a traceroute through the IP network to display a hop-by-hop path from the device to a specific destination host Use the ping command, in switch mode or in router privileged exec mode, to determine whether the specified node is available. DHCPv6 Configuration DHCPv6 Configuration DHCP is generally used between clients (for example, hosts) and servers (for example, routers) for the purpose of assigning IP addresses, gateways, and other networking definitions such as DNS, NTP, and/or SIP parameters. Here is the Enterasys MST configs: C2 (rw)->show spantree mstilist Configured Multiple Spanning Tree Instances: 11 12 C2 (rw)->show spantree mstcfgid MST Configuration Identifier: Format Selector: 0 Configuration Name: LKS Revision Level: 1 Configuration Digest:c8:02:17:44:25:20:9e:ea:66:13:94:79:6a:f4:c5:96 C2 (rw)-> C2 (rw)->show spantree mstmap Review and define edge port status as follows: 1. 
For ports where no authentication is present, such as switch to switch, or switch to router connections, you should also set MultiAuth port mode to force authenticate to assure that traffic is not blocked by a failed authentication. In router global configuration mode, enable DHCPv6. How many VLANs will be required? SNMP Support on Enterasys Switches Terms and Definitions Table 12-2 lists common SNMP terms and defines their use on Enterasys devices. By convention, the higher the port speed, the lower the port cost. The days of the week for which access will be allowed for this user. 3 CLI Basics This chapter provides information about CLI conventions for stackable and standalone switches and CLI properties that you can configure. Only a system administrator (super-user) may enable the security audit logging function, and only a system administrator has the ability to retrieve, copy, or upload the secure.log file. CoS Hardware Resource Configuration 4 4 * * enabled 5 5 * * enabled 6 6 * * enabled 7 7 * * enabled Use the show cos port-resource flood-ctrl command to display the flood control unit and rate to flood control resource mapping: System(su)->show cos port-resource flood-ctrl 1.0 '?' Optionally, configure a default distance, or preference, for static IPv6 routes that do not have a preference specified. Up to 5 TACACS+ servers can be configured, with the index value of 1 having the highest priority. Auto-negotiation is enabled by default. RMON Procedure 18-1 Step Configuring Remote Network Monitoring (continued) Task Command(s) startup - (Optional) Specifies the alarm type generated when this event is first enabled rthresh - (Optional) Specifies the minimum threshold that will cause a rising alarm fthresh - (Optional) Specifies the minimum threshold that will cause a falling alarm revent - (Optional) Specifies the index number of the RMON event to be triggered when the rising threshold is crossed fevent - (Optional) Specifies. 
On ABRs connected to stub areas and NSSAs, configure the cost value for the default route sent into stub areas and NSSAs. Optionally, change the authentication protocol. Terms and Definitions Table 11-7 11-16 Link Aggregation Configuration Terms and Definitions (continued) Term Definition Port Priority Port priority determines which physical ports are moved to the attached state when physical ports of differing speeds form a LAG. Link Aggregation Overview problems if they also wanted, or needed, to use a different brand of networking hardware. Stackable Switches Configuration Guide Firmware Version 1.1.xx P/N 9034314-05. i Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. Save the running configuration. For information on the command syntax and parameters, refer to the online help or the CLI Reference for your platform. Port Traffic Rate Limiting You can mix WRR and SP by assigning SP to the higher numbered queues and assigning WRR to the lower numbered queues, making sure that the values assigned to the WRR queues total 100 percent. Configuring Authentication Table 10-1 Default Authentication Parameters (continued) Parameter Description Default Value macauthentication Globally enables or disables MAC authentication on a device. Table 25-3 lists the tasks and commands. Configuring Authentication Procedure 10-1 IEEE 802.1x Configuration (continued) Step Task Command(s) 2. Figure 16-1 displays an illustration of the policy configuration of an example infrastructure. User Manuals, Guides and Specifications for your Enterasys C5K175-24 Switch. Such a group, together with the routers having interfaces to any one of the included networks, is called an area. Use the ipv6 nd ns-interval command to configure the interval between Neighbor Solicitation messages sent on an interface. 
Policy Configuration Overview Applying a Default Policy The following example assigns a default policy with index 100 to all user ports (ge.1.1 through ge.1.22) on a switch: System(su)-> set policy port ge.1.1-22 100 Applying Policies Dynamically Dynamic policy assignment requires that users authenticate through a RADIUS server. Also, use this command to append ports to or clear ports from the egress ports list. 4. When passwords are entered on the switch using the CLI, the switch automatically suppresses the clear text representation of the password. Refer to Table 2-3 on page 2-30 for RJ45 to DB9 adapter pinout assignments. Configuring Authentication Procedure 10-2 MAC-Based Authentication Configuration (continued) Step Task Command(s) 3. Setting SNMP notification parameters (filters) 7. The RP de-encapsulates each register message and sends the resulting multicast packet down the shared tree. IP-directed broadcasts Disabled. Connecting to a Switch This procedure describes how to connect to a switch. Note Do not use hardware flow control. This example shows how to display all OSPF-related information for the VLAN 6 interface: Table 20-9 provides an explanation of the show ip pimsm interface vlan command output. Table 28-2 show sflow receivers Output Descriptions. Procedure 18-2 Configuring sFlow Step Task Command(s) 1. The default value of 0 may be administratively changed. Display the current IPsec settings. There are a couple of restrictions on the use of stub areas. Terms and Definitions Table 9-3 VLAN Terms and Definitions (continued) Term Definition Forwarding List A list of the ports on a particular device that are eligible to transmit frames for a selected VLAN.
