2. When using Internet Explorer 5.0, you may have to manually refresh the
screen after making configuration changes by pressing the browsers refresh button.

Panel Display

The web agent displays an image of the switchs ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex, or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-78.

TL-SG5426

Figure 3-2 Panel Display

Main Menu

Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 3-2 Main Menu Menu System System Information Switch Information Bridge Extension Configuration IP Configuration Jumbo Frames File Management Copy Operation Delete Set Start-Up Line Console Telnet Log Logs System Logs Remote Logs SMTP Renumbering Reset SNTP Configuration Clock Time Zone SNMP Configuration Agent Status SNMPv3 Configures community strings and related trap functions Enables or disables SNMP Agent Status Configures SNTP client settings, including broadcast mode or a specified list of servers Sets the local time zone for the system clock Stores and displays error messages Sends error messages to a logging process Configures the logging of messages to a remote logging process Sends an SMTP client message to a participating server. Renumbers the units in the stack Restarts the switch Sets console port connection parameters Sets Telnet connection parameters Allows the transfer and copying files Allows deletion of files from the flash memory Sets the startup file Provides basic system description, including contact information Shows the number of ports, hardware/firmware version numbers, and power status Shows the bridge extension parameters Sets the IP address for management access Enables jumbo frame packets. Description Page 3-10 3-10 3-11 3-13 3-14 3-17 3-17 3-17 3-18 3-18 3-21 3-21 3-23 3-25 3-25 3-26 3-27 3-28 3-30 3-30 3-31 3-31 3-32 3-33 3-33 3-35 3-36

4-69 4-22

Saving or Restoring Configuration Settings
You can upload/download configuration settings to/from a TFTP server. The configuration files can be later downloaded to restore the switchs settings. Command Attributes File Transfer Method The configuration copy operation includes these options: - file to file Copies a file within the switch directory, assigning it a new name. - file to running-config Copies a file in the switch to the running configuration. - file to startup-config Copies a file in the switch to the startup configuration. - file to tftp Copies a file from the switch to a TFTP server. - running-config to file Copies the running configuration to a file. - running-config to startup-config Copies the running config to the startup config. - running-config to tftp Copies the running configuration to a TFTP server. - startup-config to file Copies the startup configuration to a file on the switch. - startup-config to running-config Copies the startup config to the running config. - startup-config to tftp Copies the startup configuration to a TFTP server.
- tftp to file Copies a file from a TFTP server to the switch. - tftp to running-config Copies a file from a TFTP server to the running config. - tftp to startup-config Copies a file from a TFTP server to the startup config. TFTP Server IP Address The IP address of a TFTP server. File Type Specify config (configuration) to copy configuration settings. File Name The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9,., -, _) Note: The maximum number of user-defined configuration files is limited only by
available flash memory space.
Downloading Configuration Settings from a Server
You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file Factory_Default_Config.cfg can be copied to the TFTP server, but cannot be used as the destination on the switch. Web Click System, File, Copy Operation. Select tftp to startup-config or tftp to file and enter the IP address of the TFTP server. Specify the name of the file to download and select a file on the switch to overwrite or specify a new file name, then click Apply.
Figure 3-12 Downloading Configuration Settings for Startup
If you download to a new file name using tftp to startup-config or tftp to file, the file is automatically set as the start-up configuration file. To use the new settings, reboot the system via the System/Reset menu.
Note: You can also select any configuration file as the start-up configuration by using the
System/File/Set Start-Up page.
Figure 3-13 Setting the Startup Configuration Settings

of client sessions includes both current Telnet sessions and SSH sessions.
Configuring the SSH Server
The SSH server includes basic settings for authentication. Field Attributes SSH Server Status Allows you to enable/disable the SSH server on the switch. (Default: Disabled) Version The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. SSH Authentication Timeout Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt. (Range: 1-120 seconds; Default: 120 seconds) SSH Authentication Retries Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3) SSH Server-Key Size Specifies the SSH server key size. (Range: 512-896 bits; Default:768) - The server key is a private key that is never shared outside the switch. - The host key is shared with the SSH client, and is fixed at 1024 bits. Web Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note that you must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server.
Figure 3-36 SSH Server Settings
CLI This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SHH, and then disables this connection.
Console(config)#ip ssh server 4-35 Console(config)#ip ssh timeout 100 4-36 Console(config)#ip ssh authentication-retries 5 4-37 Console(config)#ip ssh server-key size 512 4-37 Console(config)#end Console#show ip ssh 4-40 SSH Enabled - version 2.0 Negotiation timeout: 120 secs; Authentication retries: 5 Server key size: 512 bits Console#show ssh 4-40 Connection Version State Username Encryption 0 2.0 Session-Started admin ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5 Console#disconnect 0 4-18 Console#
Generating the Host Key Pair
A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the clients public key to the switch as described in the proceeding section (Command Usage). Field Attributes Public-Key of Host-Key The public key for the host. RSA (Version 1): The first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 65537), and the last string is the encoded modulus. DSA (Version 2): The first field indicates that the encryption method used by SSH is based on the Digital Signature Standard (DSS). The last string is the encoded modulus. Host-Key Type The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA (Version 1), DSA (Version 2), Both: Default: RSA) The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. Save Host-Key from Memory to Flash Saves the host key from RAM (i.e., volatile memory to flash memory. Otherwise, the host key pair is stored to RAM by default. Note that you must select this item prior to generating the host-key pair. Generate This button is used to generate the host key pair. Note that you must first generate the host key pair before you can enable the SSH server on the SSH Server Settings page. Clear This button clears the host key from both volatile memory (RAM) and non-volatile memory (Flash).

Web Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
Figure 3-37 SSH Host-Key Settings
CLI This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the hosts public keys.
Console#ip ssh crypto host-key generate 4-35 Console#ip ssh save host-key 4-35 Console#show public-key host 4-35 Host: RSA: 190932104328579045764891 DSA: ssh-dss AAAAB3NzaC1kc3MAAACBAN6zwIqCqDb3869jYVXlME1sHL0EcE/Re6hlasfEthIwmj hLY4O0jqJZpcEQUgCfYlum0Y2uoLka+Py9ieGWQ8f2gobUZKIICuKg6vjO9XTs7XKc05xfzkBi KviDa+2OrIz6UK+6vFOgvUDFedlnixYTVo+h5v8r0ea2rpnO6DkZAAAAFQCNZn/x17dwpW8RrV DQnSWw4Qk+6QAAAIEAptkGeB6B5hwagH4gUOCY6i1TmrmSiJgfwO9OqRPUMbCAkCC+uzxatOo7 drnIZypMx+Sx5RUdMGgKS+9ywsa1cWqHeFY5ilc3lDCNBueeLykZzVS+RS+azTKIk/zrJh8GLG Nq375R55yRxFvmcGIn/Q7IphPqyJ3o9MK8LFDfmJEAAACAL8A6tESiswP2OFqX7VGoEbzVDSOI RTMFy3iUXtvGyQAOVSy67Mfc3lMtgqPRUOYXDiwIBp5NXgilCg5z7VqbmRm28mWc5a//f8TUAg PNWKV6W0hqmshQdotVzDR1e+XKNTZj0uTwWfjO5Kytdn4MdoTHgrbl/DMdAfjnte8MZZs= Console#
Configuring Port Security
Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted as authorized to access the network through that port. If a device with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message. To use port security, specify a maximum number of addresses to allow on the port and then let the switch dynamically learn the <source MAC address, VLAN> pair for frames received on the port. Note that you can also manually add secure addresses to the port using the Static Address Table (3-99). When the port has reached the maximum number of MAC addresses the selected port will stop learning. The MAC addresses already in the address table will be retained and will not age out. Any other device that attempts to use the port will be prevented from accessing the switch. Command Usage A secure port has the following restrictions: - It cannot use port monitoring. - It cannot be a multi-VLAN port. - It cannot be used as a member of a static or dynamic trunk. - It should not be connected to a network interconnection device. The default maximum number of MAC addresses allowed on a secure port is zero. You must configure a maximum address count from 1 - 1024 for the port to allow access. If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (3-78). Command Attributes Port Port number. Name Descriptive text (4-117). Action Indicates the action to be taken when a port security violation is detected: - None: No action should be taken. (This is the default.) - Trap: Send an SNMP trap message. - Shutdown: Disable the port. - Trap and Shutdown: Send an SNMP trap message and disable the port. Security Status Enables or disables port security on the port. (Default: Disabled) Max MAC Count The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 1024, where 0 means disabled) Trunk Trunk number if port is a member (page 3-81 and 3-82).

active links

Figure 3-51 Configuring Static Trunks

statically configured

CLI This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
Console(config)#interface port-channel 2 Console(config-if)#exit Console(config)#interface ethernet 1/1 Console(config-if)#channel-group 2 Console(config-if)#exit Console(config)#interface ethernet 1/2 Console(config-if)#channel-group 2 Console(config-if)#end Console#show interfaces status port-channel 2 Information of Trunk 2 Basic information: Port type: 100TX Mac address: 00-12-CF-12-34-84 Configuration: Name: Port admin: Up Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full Flow control: Disabled Port security: Disabled Max MAC count: 0 Current status: Created by: User Link status: Up Port operation status: Up Operation speed-duplex: 100full Flow control type: None Member Ports: Eth1/1, Eth1/2, Console# 4-116 4-116 4-131
Enabling LACP on Selected Ports
Command Usage To avoid creating a loop in the network, be sure dynamically enabled you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP. backup active If the target switch has also enabled LACP on the link links connected ports, the trunk will be activated automatically. A trunk formed with another switch using LACP will automatically be assigned the next available configured members trunk ID. If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails. All ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation. Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Membership menu (see 3-81).
Command Attributes Member List (Current) Shows configured trunks (Port). New Includes entry fields for creating new trunks. - Port Port identifier. (Range: 1-26) Web Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
Figure 3-52 LACP Trunk Configuration
CLI The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
Console(config)#interface ethernet 1/1 Console(config-if)#lacp Console(config-if)#exit. Console(config)#interface ethernet 1/6 Console(config-if)#lacp Console(config-if)#end Console#show interfaces status port-channel 1 Information of Trunk 1 Basic information: Port type: 100TX Mac address: 00-12-CF-12-34-89 Configuration: Name: Port admin: Up Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full Flow control status: Disabled Port security: Disabled Max MAC count: 0 Current status: Created by: Lacp Link status: Up Port operation status: Up Operation speed-duplex: 100full Flow control type: None Member Ports: Eth1/1, Eth1/2, Eth1/3, Eth1/4, Eth1/5, Eth1/6, Console# 4-116 4-132

Displaying LACP Port Counters
You can display statistics for LACP protocol messages.
Table 3-7 LACP Port Counters Field LACPDUs Sent LACPDUs Received Marker Sent Marker Received Description Number of valid LACPDUs transmitted from this channel group. Number of valid LACPDUs received on this channel group. Number of valid Marker PDUs transmitted from this channel group. Number of valid Marker PDUs received by this channel group.
Table 3-7 LACP Port Counters (Continued) Field Marker Unknown Pkts Description
Number of frames received that either (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type. Number of frames that carry the Slow Protocols Ethernet Type value, but contain a badly formed PDU or an illegal value of Protocol Subtype.

Marker Illegal Pkts

Web Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information.
Figure 3-54 LACP - Port Counters Information
CLI The following example displays LACP counters.
Console#show lacp counters 4-136 Port channel : 1 ------------------------------------------------------------------------Eth 1/ 1 ------------------------------------------------------------------------LACPDUs Sent: 91 LACPDUs Receive: 43 Marker Sent: 0 Marker Receive: 0 LACPDUs Unknown Pkts: 0 LACPDUs Illegal Pkts: 0.
Displaying LACP Settings and Status for the Local Side
You can display configuration settings and the operational state for the local side of an link aggregation.
Table 3-8 LACP Internal Configuration Information Field Oper Key Admin Key LACPDUs Interval LACP System Priority LACP Port Priority Admin State, Oper State Description Current operational value of the key for the aggregation port. Current administrative value of the key for the aggregation port. Number of seconds before invalidating received LACPDU information. LACP system priority assigned to this port channel. LACP port priority assigned to this interface within the channel group. Administrative or operational values of the actors state parameters: Expired The actors receive machine is in the expired state; Defaulted The actors receive machine is using defaulted operational partner information, administratively configured for the partner. Distributing If false, distribution of outgoing frames on this link is disabled; i.e., distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information. Collecting Collection of incoming frames on this link is enabled; i.e., collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information. Synchronization The System considers this link to be IN_SYNC; i.e., it has been allocated to the correct Link Aggregation Group, the group has been associated with a compatible Aggregator, and the identity of the Link Aggregation Group is consistent with the System ID and operational Key information transmitted. Aggregation The system considers this link to be aggregatable; i.e., a potential candidate for aggregation. Long timeout Periodic transmission of LACPDUs uses a slow transmission rate. LACP-Activity Activity control value with regard to this link. (0: Passive; 1: Active)

Trunk Member Indicates if a port is a member of a trunk. (STA Port Information only) These additional parameters are only displayed for the CLI: Admin status Shows if this interface is enabled. Path cost This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Priority Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled. Designated root The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device. Fast forwarding This field provides the same information as Admin Edge port, and is only included for backward compatibility with earlier products. Admin Edge Port You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying Edge Ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce
the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to reconfigure when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device. Admin Link Type The link type attached to this interface. - Point-to-Point A connection to exactly one other bridge. - Shared A connection to two or more bridges. - Auto The switch automatically determines if the interface is attached to a point-to-point link or to shared media. Web Click Spanning Tree, STA, Port Information or STA Trunk Information.
Figure 3-66 Displaying Spanning Tree Port Information
CLI This example shows the STA attributes for port 5.
Console#show spanning-tree ethernet 1/5 Eth 1/ 5 information -------------------------------------------------------------Admin status: enabled Role: disable State: discarding Path cost: 10000 Priority: 128 Designated cost: 0 Designated port : 128.5 Designated root: 32768.0012CF0B0D00 Designated bridge: 32768.0012CF0B0D00 Fast forwarding: disabled Forward transitions: 0 Admin edge port: disabled Oper edge port: disabled Admin Link type: auto Oper Link type: point-to-point Spanning Tree Status: enabled Console# 4-160

QoS functions) cannot be enabled at the same time. Thus, if the user has already enabled the IP source guard function, it needs to be disabled first in order for the QoS function to work and vice versa.
IP Source Guard Port Configuration
IP Source Guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor. When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses configured in the source guard binding table. An inbound packets IP address (sip option) or both its IP address and corresponding MAC address (sip-mac option) are checked against the binding table. If no matching entry is found, the packet is dropped.
Command Attributes Filter Type Configures the switch to filter inbound traffic based source IP address, or source IP address and corresponding MAC address. (Default: None) None Disables IP source guard filtering on the port. SIP Enables traffic filtering based on IP addresses stored in the binding table. SIP-MAC Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table. Web Click IP Source Guard, Port Configuration.
Figure 3-119 IP Source Guard Port Configuration
CLI This example shows how to enable IP source guard on port 5.
Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip Console(config-if)#end Console#show ip source-guard Interface Filter-type ------------------Eth 1/1 DISABLED Eth 1/2 DISABLED Eth 1/3 DISABLED Eth 1/4 DISABLED Eth 1/5 SIP Eth 1/6 DISABLED. 4-227 4-230
Static IP Source Guard Binding Configuration
Adds a static addresses to the source-guard binding table. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero in the table.
Command Attributes Static Binding Table Counts The total number of static entries in the table. Port Switch port number. (Range: 1-26) VLAN ID ID of a configured VLAN (Range: 1-4094) MAC Address A valid unicast MAC address. IP Address A valid unicast IP address, including classful types A, B or C.
Web Click IP Source Guard, Static Configuration.
Figure 3-120 Static IP Source Guard Binding Configuration
CLI This example shows how to configure a static source-guard binding on port 5.
Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5 Console(config)# 4-229
Dynamic IP Source Guard Binding Information

Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)#
This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table.
Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)#
This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)#

show snmp view

This command shows information on the SNMP views. Command Mode Privileged Exec Example
Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included Storage Type: permanent Row Status: active View Name: defaultview Subtree OID: 1 View Type: included Storage Type: volatile Row Status: active Console#
Table 4-39 show snmp view - display description
Field View Name Subtree OID View Type Storage Type Row Status Description Name of an SNMP view. A branch in the MIB tree. Indicates if the view is included or excluded. The storage type for this entry. The row status of this entry.

snmp-server group

This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname groupname - Name of an SNMP group. (Range: 1-32 characters) v1 | v2c | v3 - Use SNMP version 1, 2c or 3. auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See Simple Network Management Protocol on page 5-1 for further information about these authentication and encryption options. readview - Defines the view for read access. (1-64 characters) writeview - Defines the view for write access. (1-64 characters) notifyview - Defines the view for notifications. (1-64 characters)
Default Setting Default groups: public17 (read only), private18 (read/write) readview - Every object belonging to the Internet OID space (1.3.6.1). writeview - Nothing is defined. notifyview - Nothing is defined.
Command Mode Global Configuration Command Usage A group sets the access policy for the assigned users. When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command. When privacy is selected, the DES 56-bit algorithm is used for data encryption. For additional information on the notification messages supported by this switch, see Supported Notification Messages on page 5-13. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command (page 4-106). Example

VLAN membership mode Indicates membership mode as Trunk or Hybrid (page 4-170).
Priority for untagged traffic Indicates the default priority for untagged frames (page 4-184).

Mirror Port Commands

This section describes how to mirror traffic from a source port to a target port. Table 4-44
Command port monitor show port monitor Function Configures a mirror session Shows the configuration for a mirror port
Mode IC PE Page 4-127 4-128

port monitor

This command configures a mirror session. Use the no form to clear a mirror session. Syntax port monitor interface [rx | tx] no port monitor interface interface - ethernet unit/port (source port) - unit - Stack unit. (Range: Unit 1) - port - Port number. (Range: 1-26) rx - Mirror received packets. tx - Mirror transmitted packets. Default Setting No mirror session is defined. Command Mode Interface Configuration (Ethernet, destination port) Command Usage You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner. The destination port is set by specifying an Ethernet interface. The mirror port and monitor port speeds should match, otherwise traffic may be dropped from the monitor port. All mirror sessions must share the same destination port. When mirroring port traffic, the target port must be included in the same VLAN as the source port
Example The following example configures the switch to mirror received packets from port 6 to 11:
Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)#

show port monitor

This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) unit - Stack unit. (Range: Unit 1) port - Port number. (Range: 1-26) Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX). Example The following shows mirroring configured from port 6 to port 11:
Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)#end Console#show port monitor Port Mirroring ------------------------------------Destination port(listen port):Eth1/11 Source port(monitored port) :Eth1/6 Mode :RX Console#

Mode Page

Dynamic Configuration Command
Trunk Status Display Command
Guidelines for Creating Trunks
General Guidelines Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop. A trunk can have up to eight ports. The ports at both ends of a connection must be configured as trunk ports. All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings. All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel. STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel. Dynamically Creating a Port Channel Ports assigned to a common port channel must meet the following criteria: Ports must have the same LACP system priority. Ports must have the same port admin key (Ethernet Interface). If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin key - Ethernet Interface) used by the interfaces that joined the group. However, if the port channel admin key is set, then the port admin key must be set to the same value for a port to be allowed to join a channel group. If a link goes down, LACP port priority is used to select the backup link.

channel-group

This command adds a port to a trunk. Use the no form to remove a port from a trunk. Syntax channel-group channel-id no channel-group channel-id - Trunk index (Range: 1-32) Default Setting The current port will be added to this trunk. Command Mode Interface Configuration (Ethernet) Command Usage When configuring static trunks, the switches must comply with the Cisco EtherChannel standard. Use no channel-group to remove a port group from a trunk. Use no interfaces port-channel to remove a trunk from the switch.
Example The following example creates trunk 1 and then adds port 11:
Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)#
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage The ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation. A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.

This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority actor - The local side an aggregate link. partner - The remote side of an aggregate link. priority - LACP port priority is used to select a backup link. (Range: 0-65535) Default Setting 32768 Command Mode Interface Configuration (Ethernet) Command Usage Setting a lower value indicates a higher effective priority. If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP port priority, the port with the lowest physical port number will be selected as the backup port. Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner. Example
Console(config)#interface ethernet 1/5 Console(config-if)#lacp actor port-priority 128

show lacp

This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sysid} port-channel - Local identifier for a link aggregation group. (Range: 1-32) counters - Statistics for LACP protocol messages. internal - Configuration settings and operational state for local side. neighbors - Configuration settings and operational state for remote side. sysid - Summary of system priority and MAC address for all channel groups.
Default Setting Port Channel: all Command Mode Privileged Exec Example
Console#show lacp 1 counters Port channel : 1 ------------------------------------------------------------------------Eth 1/ 1 ------------------------------------------------------------------------LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0. LACPDUs Illegal Pkts : 0.

Table 4-47

Field LACPDUs Sent LACPDUs Received Marker Sent Marker Received
show lacp counters - display description
Description Number of valid LACPDUs transmitted from this channel group. Number of valid LACPDUs received on this channel group. Number of valid Marker PDUs transmitted from this channel group. Number of valid Marker PDUs received by this channel group.
LACPDUs Unknown Pkts Number of frames received that either (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type. LACPDUs Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value, but contain a badly formed PDU or an illegal value of Protocol Subtype.

show ip igmp filter

This command displays the global and interface settings for IGMP filtering. Syntax show ip igmp filter [interface interface] interface ethernet unit/port - -unit - Stack unit. (Range: 1) - -port - Port number. (Range: 1-29) port-channel channel-id (Range: 1-4) Default Setting None
Console#show ip igmp filter IGMP filter enabled onsole#show ip igmp filter interface ethernet 1/1 Ethernet 1/1 information --------------------------------IGMP Profile 19 Deny range 239.1.1.1 239.1.1.1 range 239.2.3.1 239.2.3.100 Console#

show ip igmp profile

This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting None Command Mode Privileged Exec Example
Console#show ip igmp profile IGMP Profile 19 IGMP Profile 50 Console#show ip igmp profile 19 IGMP Profile 19 Deny range 239.1.1.1 239.1.1.1 range 239.2.3.1 239.2.3.100 Console#
show ip igmp throttle interface
This command displays the interface settings for IGMP throttling. Syntax show ip igmp throttle interface [interface] interface ethernet unit/port - -unit - Stack unit. (Range: 1)
- -port - Port number. (Range: 1-29) port-channel channel-id (Range: 1-4) Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces. Example
Console#show ip igmp throttle interface ethernet 1/1 Eth 1/1 Information Status : TRUE Action : Deny Max Multicast Groups : 32 Current Multicast Groups : 0 Console#
Multicast VLAN Registration Commands
This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service providers network. Any multicast traffic entering an MVR VLAN is sent to all subscribers. This can significantly reduce to processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN. Also note that MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong. Table 4-72 Multicast VLAN Registration Commands
Command mvr mvr Function Globally enables MVR, statically configures MVR group address(es), or specifies the MVR VLAN identifier Mode GC Page 4-218 4-219
Configures an interface as an MVR receiver or source port, IC enables immediate leave capability, or configures an interface as a static member of the MVR VLAN Shows information about the global MVR configuration settings, the interfaces attached to the MVR VLAN, or the multicast groups assigned to the MVR VLAN PE

show mvr

mvr (Global Configuration)
This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR. Use the no form with the group keyword to remove a specific address or range of addresses. Or use the no form with the vlan keyword restore the default MVR VLAN. Syntax [no] mvr [group ip-address [count] | vlan vlan-id] ip-address - IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255) count - The number of contiguous MVR group addresses. (Range: 1-255) vlan-id - MVR VLAN ID (Range: 1-4094) Default Setting MVR is disabled. No MVR group address is defined. The default number of contiguous addresses is 0. MVR VLAN ID is 1. Command Mode Global Configuration Command Usage Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group. The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x. IGMP snooping must be enabled to a allow a subscriber to dynamically join or leave an MVR group (see ip igmp snooping on page 4-202). Note that only IGMP version 2 or 3 hosts can issue multicast join or leave messages. Example The following example enables MVR globally, and configures a range of MVR group addresses:

26-port Gigabit Managed Switch TL-SG5426
ACL, 802.1x, IP Source Guard, SSL/HTTPS provides reliable security strategy IP Clustering supports Virtual Stack Granular QoS Options optimize voice and video application SNMP, RMON, WEB/CLI/Telnet Log-in bring redundant management policies with a user-friendly interface

Discription

Reliable Security Strategy Access Control Lists (ACLs) will restrict access to sensitive network resources by denying packets based on source and destination MAC addresses, IP addresses, TCP/UDP ports. This is done by hardware, so switching performance is not compromised. Moreover, TL-SG5426 is able to secure the network through professional tools such as DHCP Snooping, IP Source Guard, IEEE 802.1Q VLANs, Private VLAN and so on. IP Clustering Stackable With IP Clustering feature, TL-SG5426 allows a set of switches to be managed by a single IP, regardless of geographical locations. Traffic running across units in this virtual stack utilize full-duplex interfaces and network wires, eliminating costly and cumbersome cables and minimizing the impact of any single point of failure Optimized Voice and Video Applications Integrating voice, data and video on the same network is common for business now. TL-SG5426 from TP-LINK will fix this problem with its granular QoS options including 4 priority queues per port, traffic classification based on DSCP/802.1p/TCP or UDP port number and per port rate limiting. So the administrator can designate the priority of the traffic based on a variety of means including IP or MAC address ensuring voice and video application clear, smooth and jitter free. Abundant Management Policies/Easy-to-Use Management Interface TL-SG5426 supports SNMP v1/v2/v3, so traps can be set on abnormal events and information can be polled to maximize the productivity of the network. Other standard management features such as RMON, Web-based graphic interface, and industry-standard Command Line Interface (CLI) are also provided, allowing you to flexibly integrate and manage these devices in your network.

Features

High Speed and Compatibility Switch + 24 10/100/1000 Base-T ports, 4 Combo SFP Slots, Plus 2 10/100/1000 Uplink Ports Security: + SSL/HTTPS + RADIUS/TACACS+ + L2/3/4 Access Control List + Private VLANs + IP Source Guard + DHCP Snooping Network Management: + SNMPv1/v2c/v3 Support + RMON + Web GUI or CLI + Port Mirroring + IP Assignment Advanced Enterprise Features: + IP Clustering Stackable + Dual Firmware Images + L2/L3/L4 QoS + 802.1x + 802.1Q VLANs + Multicast Filtering: IGMP Snooping and MVR + 802.3ad Link Aggregation + 802.1w Rapid Spanning Tree + 802.1s Multiple Spanning group

www.tp-link.com

Specifications

Product specifications

TL-SG5426 MAC Address Table Switching Capability Buffer Size SDRAM FLASH 26-port Gigabit Managed Switch 8K 52Gbps 4Mb 64MB 16MB 24 10/100/1000 Base-T Ports Port Configuration 4 Combo SFP Ports 2 10/100/1000Base-T Uplinks Ports 1 Male DB9 RS-232C Console Port Cable Type UTP CAT 5e or Better for 1000BASE-T RS-232 DB9 Male Console Cord IEEE 802.3 10BASE-T IEEE 802.3u 100BASE-TX and 100BASE-FX IEEE 802.3ad Provide Link Aggregation IEEE 802.3x Flow Control Support IEEE IEEE 802.1D Spanning Tree Bridge IEEE 802.1s Multiple Spanning Tree IEEE 802.1w Rapid Spanning Tree IEEE 802.1Q (Virtual LAN) IEEE 802.1x, Port-based Network Access Control RFC 1517 for Network Management Applications(SNMP) IETF RFC1215 for Traps RFC 1757 for RMON

Network Protocols and Standards

Security

User/Password Protected System Management Terminal IP Security Access Control List Static Port Security Remote access security IEEE 802.1x MAC-based Filtering SNMP, Telnet, Web Support DHCP Snooping, IP Source Guard L2/L3/L4 ACL, size: 96MAC, 96IPv4 MAC based port security Supports SSH v2, HTTPS/SSL RADIUS and TACACS+ Authentication (Port-based) 1k
Management and Maintenance
In and out of band management IP Clustering Support TFTP Management IP Assignment MIBs Telnet, SLIP, Web-based HTTP, SNMP v1/v2c/v3, Port Mirroring, RMON (group 1, 2, 3, 9), HTTPS/SSL, SSH v2 CLI, Xmodem Allows Up To 32 Units To Be Managed From A Single IP Address Dual Firmware Images Supports Two Or More Configuration Files Static IP Assignment BOOTP and DHCP For IP Address Assignment MIB II (RFC 1213), Bridging MIB (RFC 1493), Ethernet-Like MIB (RFC 2665), Bridge MIB Extensions (RFC 2764), RMON MIB (RFC1757), RFC 2737, RFC 2742, RFC 2021, RFC2863, RFC 2618, TP-LINKs private MIB 4 Priority Queues Per Port Strict Priority, WRR IEEE 802.1p (COS) DSCP/TOS TCP/UDP Port Number Per Port, from 1Mbps to 1Gbps, granularity: 1Mbps IEEE 802.3x For Full Duplex Mode Back Pressure Flow Control Half Duplex Mode IEEE 802.1D Spanning Tree Spanning Tree Storm Control IEEE 802.1s Multiple Spanning Tree IEEE 802.1w Rapid Spanning Tree Broadcast/Multicast IEEE 802.1Q VLAN 255 VLAN groups Port-based VLAN VLAN Supports 256 Active VLAN Support GVRP 802.1v (Protocol based Vlans) Support Q in Q Support Private VLAN Edge Multicast Filtering Jumbo Frame IGMP Snooping V1/V2 Multicast VLAN Registration 9K Support IEEE 802.3ad Link Aggregation Manual Trunk Multi-Link Trunk (LACP) Up To 8 Aggregation Groups Are Supported, and Up To 8 Ports Per Group

Quality of Service

Priority Priority Queue Scheduling L2/L3/L4 Traffic Classification/ Priority Management Bandwidth Management

Switching Features

Flow Control
Electrical & Emissions Summary
Compliance Power CE Mark; FCC Class A 100-240VAC 50-60 Hz 1.5A Consumption 38W. CSA/CUS (CSA 22.2. NO 60950-1 & UL60950-1) Safety UL / CUL (UL 60950-1, CSA 22.2 NO60950-1) CB (IEC60950-1)

Physical Specifications

Dimensions(W x D x H) Temperature Humidity 17.32*9.06*1.73in.(440*230*44 mm) Operating Storage Operating Storage 0C ~ 40C (32F ~ 104F) -40C ~ 70C (-40F ~ 158F) 10%~90% Non-Condensing 5% to 90% RH, Non-Condensing

Topology Diagram:

Internet

100Mbps 1000Mbps

TL-SG5426

Managed Gigabit Switch

TL-SG2224WEB / TL-SG2248WEB TL-SG1024 / TL-SG1048 TG-3269
TG-3201 / TG-3269 TG-3201 / TG-3269 TG-3201 / TG-3269
Specifications are subject to change without notice. TP-LINK is a registered trademark of TP-LINK Technologies Co., Ltd. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specificationsmay be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-LINK Technologies Co., Ltd. Copyright 2008 TP-LINK Technologies Co., Ltd. All rights reserved.