ADMINISTRATION GUIDE
Cisco Small Business 300 Series Managed Switch Administration Guide
Release 1.
Contents
Chapter 1: Getting Started 1
  Starting the Web-based Configuration Utility 1
  Launching the Configuration Utility 2
  HTTP/HTTPS 3
  Logging Out 4
  Quick Start Device Configuration 5
  Interface Naming Conventions 6
  Window Navigation 7
  Application Header 7
  Management Buttons 9
Chapter 2: Status and Statistics 12
  Viewing Ethernet Interfaces 12
  Viewing Etherlike Statistics 13
  Viewing GVRP Statistics 15
  Viewing 802.
Chapter 4: Administration: File Management 34
  System Files 34
  Upgrade/Backup Firmware/Language 37
  Upgrade/Backing Firmware or Language File 38
  Active Image 41
  Download/Backup Configuration/Log 41
  Configuration File Backwards Compatibility 42
  Downloading or Backing-up a Configuration or Log File 43
  Configuration Files Properties 47
  Copy/Save Configuration 48
  DHCP Auto Configuration 49
  DHCP Server Options 50
  Auto Configuration Download Protocol (TFTP or SCP) 50
  SSH Client A
  System Time Options 73
  Time 73
  Time Zone and Daylight Savings Time (DST) 74
  SNTP Modes 74
  Configuring System Time 75
  Selecting Source of System Time 75
  Adding a Unicast SNTP Server 77
  Configuring the SNTP Mode 80
  Defining SNTP Authentication 80
  Time Range 81
  Absolute Time Range 82
  Recurring Time Range 83
Chapter 7: Administration: Diagnostics 84
  Testing Copper Ports 84
  Displaying Optical Module Status 86
  MSA-compatible SFPs 86
  Configuring Port and VLAN Mirroring 87
  Displaying LLDP Neighbors Information 108
  Accessing LLDP Statistics 112
  LLDP Overloading 113
  Configuring CDP 115
  Setting CDP Properties 115
  Editing CDP Interface Settings 118
  Displaying CDP Local Information 119
  Displaying CDP Neighbors Information 121
  Viewing CDP Statistics 123
Chapter 9: Port Management 124
  Configuring Ports 124
  Setting Port Configuration 125
  Configuring Link Aggregation 128
  Link Aggregation Overview 129
  Load Balancing 129
  Default Settings and Confi
  What is a Smartport 146
  Smartport Types 146
  Special Smartport Types 148
  Smartport Macros 149
  Applying a Smartport Type to an Interface 150
  Macro Failure and the Reset Operation 150
  How the Smartport Feature Works 151
  Auto Smartport 152
  Enabling Auto Smartport 152
  Identifying Smartport Type 152
  Using CDP/LLDP Information to Identify Smartport Types 153
  Multiple Devices Attached to the Port 154
  Persistent Auto Smartport Interface 155
  Error Handling 155
  Default Configuration
Chapter 12: VLAN Management 184
  VLANs 184
  Configuring Default VLAN Settings 187
  Creating VLANs 189
  Configuring VLAN Interface Settings 190
  Defining VLAN Membership 191
  Configuring Port to VLAN 192
  Configuring VLAN Membership 193
  GVRP Settings 194
  Defining GVRP Settings 195
  VLAN Groups 195
  MAC-based Groups 196
  Assigning MAC-based VLAN Groups 196
  Mapping VLAN Group to VLAN Per Interface 197
  Voice VLAN 198
  Voice VLAN Overview 198
  Dynamic Voice VLAN Modes 199
  Voice End-Points
  Customer Port Multicast TV VLAN 214
  Mapping CPE VLANs to Multicast TV VLANs 215
  CPE Port Multicast VLAN Membership 216
Chapter 13: Spanning Tree 218
  STP Flavors 218
  Configuring STP Status and Global Settings 219
  Defining Spanning Tree Interface Settings 221
  Configuring Rapid Spanning Tree Settings 223
  Multiple Spanning Tree 226
  Defining MSTP Properties 226
  Mapping VLANs to a MSTP Instance 227
  Defining MSTP Instance Settings 228
  Defining MSTP Interface Settings 229
Chapter
  MLD Snooping 247
  Querying IGMP/MLD IP Multicast Group 249
  Defining Multicast Router Ports 250
  Defining Forward All Multicast 251
  Defining Unregistered Multicast Settings 252
Chapter 16: IP Configuration 254
  Overview 254
  Layer 2 IP Addressing 255
  Layer 3 IP Addressing 256
  IPv4 Management and Interfaces 256
  IPv4 Interface 256
  Defining an IPv4 Interface in Layer 2 System Mode 257
  Defining IPv4 Interface in Layer 3 System Mode 258
  IPv4 Routes 260
  ARP 261
  ARP Proxy 262
  UDP R
  DHCP Server 276
  DHCP Options 276
  Dependencies Between Features 278
  Default Settings and Configurations 278
  DHCPv4 Server 279
  Network Pool 279
  Excluded Addresses 281
  Static Hosts 281
  Address Binding 283
  IPv6 Management and Interfaces 284
  IPv6 Global Configuration 285
  IPv6 Interface 285
  IPv6 Tunnel 288
  Configuring Tunnels 289
  Defining IPv6 Addresses 290
  IPv6 Default Router List 291
  Defining IPv6 Neighbors Information 293
  Viewing IPv6 Route Tables 294
  DHCPv6 Relay
  Interactions With Other Features 308
  Workflow 308
  Configuring a TACACS+ Server 308
  Configuring RADIUS 311
  Accounting Using a RADIUS Server 311
  Defaults 311
  Interactions With Other Features 312
  Radius Workflow 312
  Configuring Management Access Authentication 315
  Defining Management Access Method 316
  Active Access Profile 317
  Defining Profile Rules 319
  SSL Server 321
  SSL Overview 321
  Default Settings and Configuration 322
  SSL Server Authentication Settings 322
  Configu
  Default Configuration 342
  Configuring DoS Prevention 342
  Security Suite Settings 342
  SYN Protection 344
  Martian Addresses 345
  SYN Filtering 346
  SYN Rate Protection 347
  ICMP Filtering 348
  IP Fragmented Filtering 348
  IP Source Guard 349
  Interactions with Other Features 349
  Filtering 350
  Configuring IP Source Guard Work Flow 350
  Enabling IP Source Guard 351
  Configuring IP Source Guard on Interfaces 351
  Binding Database 352
  Dynamic ARP Inspection 353
  How ARP Prevents
  SSD Default Read Mode Session Override 366
  SSD Properties 366
  Passphrase 367
  Default and User-defined Passphrases 367
  Local Passphrase 367
  Configuration File Passphrase Control 368
  Configuration File Integrity Control 368
  Read Mode 369
  Configuration Files 369
  File SSD Indicator 369
  SSD Control Block 370
  Startup Configuration File 370
  Running Configuration File 371
  Backup and Mirror Configuration File 372
  Sensitive Data Zero-Touch Auto Configuration 373
  SSD Management
  SSH Client Configuration Through the GUI 387
  SSH User Authentication 387
  SSH Server Authentication 388
  Modifying the User Password on the SSH Server 388
Chapter 20: Security: SSH Server 390
  Overview 390
  Common Tasks 391
  SSH Server Configuration Pages 392
  SSH User Authentication 392
  SSH Server Authentication 393
Chapter 21: Access Control 396
  Access Control Lists 396
  Defining MAC-based ACLs 398
  Adding Rules to a MAC-based ACL 399
  IPv4-based ACLs 401
  Defining an IPv4-ba
  Configuring Bandwidth 423
  Configuring Egress Shaping per Queue 425
  Configuring VLAN Ingress Rate Limit 425
  TCP Congestion Avoidance 427
  QoS Basic Mode 427
  Workflow to Configure Basic QoS Mode 427
  Configuring Global Settings 428
  Interface QoS Settings 429
  QoS Advanced Mode 429
  Workflow to Configure Advanced QoS Mode 431
  Configuring Global Settings 431
  Configuring Out-of-Profile DSCP Mapping 432
  Defining Class Mapping 434
  QoS Policers 435
  Defining Aggregate Policers 436
  Configuring SNMP Views 452
  Creating SNMP Groups 453
  Managing SNMP Users 455
  Defining SNMP Communities 457
  Defining Trap Settings 459
  Notification Recipients 460
  Defining SNMPv1,2 Notification Recipients 460
  Defining SNMPv3 Notification Recipients 462
  SNMP Notification Filters 463
1 Getting Started
This section provides an introduction to the web-based configuration utility, and covers the following topics:
• Starting the Web-based Configuration Utility
• Quick Start Device Configuration
• Interface Naming Conventions
• Window Navigation

Starting the Web-based Configuration Utility
This section describes how to navigate the web-based switch configuration utility. If you are using a pop-up blocker, make sure it is disabled.
Launching the Configuration Utility
To open the web-based configuration utility:
STEP 1 Open a Web browser.
STEP 2 Enter the IP address of the device you are configuring in the address bar on the browser, and then press Enter.
NOTE When the device is using the factory default IP address of 192.168.1.254, its power LED flashes continuously.
STEP 3 If this is the first time that you have logged on with the default user ID (cisco) and the default password (cisco), or your password has expired, the Change Password page appears. See Password Expiration for additional information.
STEP 4 Choose whether to select Disable Password Complexity Enforcement or not. For more information on password complexity, see the Setting Password Complexity Rules section.
Logging Out
By default, the application logs out after ten minutes of inactivity. You can change this default value as described in the Defining Idle Session Timeout section.
CAUTION Unless the Running Configuration is copied to the Startup Configuration, rebooting the device will remove all changes made since the last time the file was saved.
Quick Start Device Configuration
To simplify device configuration through quick navigation, the Getting Started page provides links to the most commonly used pages.
Interface Naming Conventions
Within the GUI, interfaces are denoted by concatenating the following elements:
• Type of interface: The following types of interfaces are found on the various types of devices:
  - Fast Ethernet (10/100 bits)—These are displayed as FE.
  - Gigabit Ethernet ports (10/100/1000 bits)—These are displayed as GE.
  - LAG (Port Channel)—These are displayed as LAG.
  - VLAN—These are displayed as VLAN.
Window Navigation
This section describes the features of the web-based switch configuration utility.

Application Header
The Application Header appears on every page. It provides the following application links:
Application Links (Application Link Name—Description)
• A flashing red X icon displayed to the left of the Save application link indicates that Running Configuration changes have been made that have not yet been saved to the Startup Configuration file.
Application Links (Continued)
• Language Menu—This menu provides the following options:
  - Select a language: Select one of the languages that appear in the menu. This language will be the web-based configuration utility language.
  - Download Language: Add a new language to the device.
  - Delete Language: Deletes the second language on the device. The first language (English) cannot be deleted.
Management Buttons
The following table describes the commonly-used buttons that appear on various pages in the system.
Management Buttons (Button Name—Description)
• Use the pull-down menu to configure the number of entries per page.
• Indicates a mandatory field.
• Add—Click to display the related Add page and add an entry to a table. Enter the information and click Apply to save it to the Running Configuration. Click Close to return to the main page.
Management Buttons (Continued)
• Copy Settings—A table typically contains one or more entries containing configuration settings. Instead of modifying each entry individually, it is possible to modify one entry and then copy the selected entry to multiple entries, as described below:
  1. Select the entry to be copied. Click Copy Settings to display the popup.
  2. Enter the destination entry numbers in the to field.
  3.
2 Status and Statistics
This section describes how to view device statistics. It covers the following topics:
• Viewing Ethernet Interfaces
• Viewing Etherlike Statistics
• Viewing GVRP Statistics
• Viewing 802.1X EAP Statistics
• Viewing TCAM Utilization
• Managing RMON

Viewing Ethernet Interfaces
The Interface page displays traffic statistics per port. The refresh rate of the information can be selected.
  - 15 Sec—Statistics are refreshed every 15 seconds.
  - 30 Sec—Statistics are refreshed every 30 seconds.
  - 60 Sec—Statistics are refreshed every 60 seconds.
The Receive Statistics area displays information about incoming packets.
• Total Bytes (Octets)—Octets received, including bad packets and FCS octets, but excluding framing bits.
• Unicast Packets—Good Unicast packets received.
• Multicast Packets—Good Multicast packets received.
STEP 1 Click Status and Statistics > Etherlike.
STEP 2 Enter the parameters.
• Interface—Select the type of interface and specific interface for which Ethernet statistics are to be displayed.
• Refresh Rate—Select the amount of time that passes before the Etherlike statistics are refreshed.
The fields are displayed for the selected interface.
• Frame Check Sequence (FCS) Errors—Received frames that failed the CRC (cyclic redundancy checks).
Viewing GVRP Statistics
The GVRP page displays information regarding GARP VLAN Registration Protocol (GVRP) frames that were sent or received from a port. GVRP is a standards-based Layer 2 network protocol for automatic configuration of VLAN information on switches. It was defined in the 802.1ak amendment to 802.1Q-2005. GVRP statistics for a port are only displayed if GVRP is enabled globally and on the port. See the GVRP page.
To clear statistics counters:
• Click Clear Interface Counters to clear the selected counters.
• Click View All Interfaces Statistics to see all ports on a single page.

Viewing 802.1X EAP Statistics
The 802.1x EAP page displays detailed information regarding the EAP (Extensible Authentication Protocol) frames that were sent or received. To configure the 802.1X feature, see the 802.1X Properties page.
• Invalid EAPOL Frames Received—Unrecognized EAPOL frames received on this port.
• EAP Length Error Frames Received—EAPOL frames with an invalid Packet Body Length received on this port.
• Last EAPOL Frame Version—Protocol version number attached to the most recently received EAPOL frame.
• Last EAPOL Frame Source—Source MAC address attached to the most recently received EAPOL frame.
• Non-IP Rules
  - In Use—Number of TCAM entries used for non-IP rules.
  - Maximum—Number of available TCAM entries that can be used for non-IP rules.

Managing RMON
RMON (Remote Networking Monitoring) is an SNMP specification that enables an SNMP agent in the device to proactively monitor traffic statistics over a given period and send traps to an SNMP manager.
• Late collision event has not been detected.
• Received (Rx) error event has not been detected.
• Packet has a valid CRC.
To view RMON statistics and/or set the refresh rate:
STEP 1 Click Status and Statistics > RMON > Statistics.
STEP 2 Select the Interface for which Ethernet statistics are to be displayed.
STEP 3 Select the Refresh Rate, the time period that passes before the interface statistics are refreshed.
  - Packet has an invalid CRC.
  - Received (Rx) Error Event has not been detected.
• Collisions—Number of collisions received. If Jumbo Frames are enabled, the threshold of Jabber Frames is raised to the maximum size of Jumbo Frames.
• Frames of 64 Bytes—Number of frames containing 64 bytes that were received.
• Frames of 65 to 127 Bytes—Number of frames containing 65-127 bytes that were received.
To enter RMON control information:
STEP 1 Click Status and Statistics > RMON > History. The fields displayed on this page are defined in the Add RMON History page, below. The only field that is on this page and not defined in the Add page is:
• Current Number of Samples—RMON is allowed by standard to not grant all requested samples, but rather to limit the number of samples per request.
The fields are displayed for the selected sample.
• Owner—History table entry owner.
• Sample No.—Statistics were taken from this sample.
• Drop Events—Dropped packets due to lack of network resources during the sampling interval. This may not represent the exact number of dropped packets, but rather the number of times dropped packets were detected.
• Bytes Received—Octets received including bad packets and FCS octets, but excluding framing bits.
• Alarms Page—Configures the occurrences that trigger an alarm.
To define RMON events:
STEP 1 Click Status and Statistics > RMON > Events. This page displays previously defined events.
STEP 2 Click Add.
STEP 3 Enter the parameters.
• Event Entry—Displays the event entry index number for the new entry.
• Community—Enter the SNMP community string to be included when traps are sent (optional).
• Description—Enter a name for the event.
Viewing the RMON Events Logs
The Event Log Table page displays the log of events (actions) that occurred. Two types of events can be logged: Log or Log and Trap. The action in the event is performed when the event is bound to an alarm (see the Alarms page) and the conditions of the alarm have occurred.
STEP 1 Click Status and Statistics > RMON > Events.
STEP 2 Click Event Log Table.
This page displays the following fields:
• Event Entry No.—Event's log entry number.
To enter RMON alarms:
STEP 1 Click Status and Statistics > RMON > Alarms. All previously-defined alarms are displayed. The fields are described in the Add RMON Alarm page below. In addition to those fields, the following field appears:
• Counter Value—Displays the value of the statistic during the last sampling period.
STEP 2 Click Add.
STEP 3 Enter the parameters.
• Alarm Entry—Displays the alarm entry number.
• Interval—Enter the alarm interval time in seconds.
• Owner—Enter the name of the user or network management system that receives the alarm.
STEP 4 Click Apply. The RMON alarm is saved to the Running Configuration file.
3 Administration: System Log
This section describes the System Log feature, which enables the device to generate several independent logs. Each log is a set of messages describing system events. The device generates the following local logs:
• Log sent to the console interface.
• Log written into a cyclical list of logged events in the RAM and erased when the device reboots.
• Log written to a cyclical log file saved to the Flash memory that persists across reboots.
The event severity levels are listed from the highest severity to the lowest severity, as follows:
• Emergency—System is not usable.
• Alert—Action is needed.
• Critical—System is in a critical condition.
• Error—System is in error condition.
• Warning—System warning has occurred.
• Notice—System is functioning properly, but a system notice has occurred.
• Informational—Device information.
• Debug—Detailed information about an event.
• Originator Identifier—Enables adding an origin identifier to SYSLOG messages. The options are:
  - None—Do not include the origin identifier in SYSLOG messages.
  - Hostname—Include the system hostname in SYSLOG messages.
  - IPv4 Address—Include the IPv4 address of the sending interface in SYSLOG messages.
  - IPv6 Address—Include the IPv6 address of the sending interface in SYSLOG messages.
  - Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
  - Global—The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.
Viewing Memory Logs
RAM Memory
The RAM Memory page displays all messages that were saved in the RAM (cache) in chronological order. Entries are stored in the RAM log according to the configuration in the Log Settings page.
To view log entries, click Status and Statistics > View Log > RAM Memory.
The top of the page has a button that allows you to Disable Alert Icon Blinking. Click to toggle between disable and enable.
4 Administration: File Management
This section describes how system files are managed. The following topics are covered:
• System Files
• Upgrade/Backup Firmware/Language
• Active Image
• Download/Backup Configuration/Log
• Configuration Files Properties
• Copy/Save Configuration
• DHCP Auto Configuration

System Files
System files are files that contain configuration information, firmware images or boot code.
Configuration files on the device are defined by their type, and contain the settings and parameter values for the device. When a configuration is referenced on the device, it is referenced by its configuration file type (such as Startup Configuration or Running Configuration), as opposed to a file name that can be modified by the user.
Only the system can copy the Startup Configuration to the Mirror Configuration. However, you can copy from the Mirror Configuration to other file types or to another device. The option of automatically copying the Running Configuration to the mirror configuration can be disabled in the Configuration Files Properties page.
This section covers the following topics:
• Upgrade/Backup Firmware/Language
• Active Image
• Download/Backup Configuration/Log
• Configuration Files Properties
• Copy/Save Configuration
• DHCP Auto Configuration

Upgrade/Backup Firmware/Language
The Upgrade/Backup Firmware/Language process can be used to:
• Upgrade or backup the firmware image.
• Upgrade or backup the boot code.
• Import or upgrade a second language file.
Upgrade/Backing Firmware or Language File
To upgrade or backup a software image or language file:
STEP 1 Click Administration > File Management > Upgrade/Backup Firmware/Language.
STEP 2 Click the Transfer Method. Proceed as follows:
• If you selected TFTP, go to STEP 3.
• If you selected via HTTP/HTTPS, go to STEP 4.
• If you selected via SCP, go to STEP 5.
• Link Local Interface—Select the link local interface (if IPv6 is used) from the list.
• TFTP Server IP Address/Name—Enter the IP address or the domain name of the TFTP server.
• (For Upgrade) Source File Name—Enter the name of the source file.
• (For Backup) Destination File Name—Enter the name of the backup file.
STEP 4 If you selected via HTTP/HTTPS, you can only Upgrade. Enter the parameters as described in this step.
Select one of the following Save Actions:
• Upgrade—Specifies that the file type on the device is to be replaced with a new version of that file type located on a TFTP server.
• Backup—Specifies that a copy of the file type is to be saved to a file on another device.
Enter the following fields:
• File Type—Select the destination file type. Only valid file types are shown.
• If SSH server authentication is not enabled, the operation succeeds for any SCP server.

Active Image
There are two firmware images stored on the device. One of the images is identified as the active image and the other image is identified as the inactive image. The device boots from the image you set as the active image. You can change the image identified as the inactive image to the active image.
• Restoring configuration files from an external device to the device. When restoring a configuration file to the Running Configuration, the imported file adds any configuration commands that did not exist in the old file and overwrites any parameter values in the existing configuration commands. When restoring a configuration file to the Startup Configuration or a backup configuration file, the new file replaces the previous file.
Downloading or Backing-up a Configuration or Log File
To backup or restore the system configuration file:
STEP 1 Click Administration > File Management > Download/Backup Configuration/Log.
STEP 2 Select the Transfer Method.
STEP 3 If you selected via TFTP, enter the parameters. Otherwise, skip to STEP 4. Select either Download or Backup as the Save Action.
Backup Save Action—Specifies that a file type is to be copied to a file on another device. Enter the following fields:
a. Server Definition—Select whether to specify the TFTP server by IP address or by domain name.
b. IP Version—Select whether an IPv4 or an IPv6 address is used.
c. IPv6 Address Type—Select the IPv6 address type (if used). The options are:
  • Link Local—The IPv6 address uniquely identifies hosts on a single network link.
STEP 4 If you selected via HTTP/HTTPS, enter the parameters as described in this step. Select the Save Action. If Save Action is Download (replacing the file on the device with a new version from another device), do the following. Otherwise, go to the next procedure in this step.
a. Source File Name—Click Browse to select a file or enter the path and source file name to be used in the transfer.
b.
SSH Client Authentication—Client authentication can be done in one of the following ways:
• Use SSH Client—Sets permanent SSH user credentials. Click System Credentials to go to the SSH User Authentication page where the user/password can be set once for all future use.
• Use SSH Client One-Time Credentials—Enter the following:
  - Username—Enter a username for this copy action.
  - Password—Enter a password for this copy.
If Save Action is Backup (copying a file to another device), enter the following fields (in addition to those fields listed above):
• Source File Type—Select the configuration file type. Only valid file types are displayed. (The file types are described in the Files and File Types section).
• Sensitive Data—Select how sensitive data should be included in the backup file.
STEP 3 If required, select either the Startup Configuration, Backup Configuration or both and click Clear Files to delete these files.
This page provides the following fields:
• Configuration File Name—Displays the type of file.
• Creation Time—Displays the date and time that the file was modified.
STEP 3 Select the Destination File Name to be overwritten by the source file.
• If you are backing up a configuration file, select one of the following formats for the backup file.
  - Exclude—Sensitive data is not included in the backup file.
  - Encrypted—Sensitive data is included in the backup file in encrypted form.
  - Plaintext—Sensitive data is included in the backup file in plain text.
• After reboot when an IP address is allocated or renewed dynamically (using DHCPv4).
• Upon an explicit DHCPv4 renewal request and if the device and the server are configured to do so.
• Upon automatic renewal of the DHCPv4 lease.
DHCPv6 Auto Configuration is triggered when the following conditions are fulfilled:
• When a DHCPv6 server sends information to the device.
extension are downloaded using SCP, and files with the other extensions are downloaded using TFTP.
• TFTP Only—The download is done through TFTP regardless of the file extension of the configuration file name.
• SCP Only—The download is done through SCP (over SSH) regardless of the file extension of the configuration file name.
• If the DHCP server did not send these options and the backup TFTP/SCP server address parameter is empty, then:
  - For DHCPv4:
    SCP—The Auto Configuration process is halted.
    TFTP—The device sends TFTP Request messages to a limited Broadcast address (for IPv4) or ALL NODES address (for IPv6) on its IP interfaces and continues the process of Auto Configuration with the first answering TFTP server.
Configuring DHCP Auto Configuration Workflow
To configure DHCP Auto Configuration:
1. Configure the DHCPv4 and/or DHCPv6 servers to send the required options. This process is not described in this guide.
2. Configure Auto Configuration parameters.
3.
• Download Protocol—Select one of the following options:
  - Auto By File Extension—Select to indicate that auto configuration uses the TFTP or SCP protocol depending on the extension of the configuration file. If this option is selected, the extension of the configuration file does not necessarily have to be given. If it is not given, the default extension is used (as indicated below).
  - Global—The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.
• Link Local Interface—Select the link local interface (if IPv6 is used) from the list.
• Backup Server IP Address/Name—Enter the IP address or the name of the server to be used if no server IP address was specified in the DHCP message.
5 Administration: General Information
This section describes how to view system information and configure various options on the device. It covers the following topics:
• Device Models
• System Information
• Console Settings (Autobaud Rate Support)
• Rebooting the Device
• Routing Resources
• Monitoring Fan Status
• Defining Idle Session Timeout
• Pinging a Host
• Traceroute

Device Models
All models can be fully managed through the web-based switch configuration utility.
• FE is used for Fast Ethernet (10/100) ports.
The following table describes the various models, the number and type of ports on them and their PoE information.
Managed Switch Models (columns: Model Name, Product ID (PID), Description of Ports on Device, Power Dedicated to PoE, No.
System Information
System Information:
• System Description—A description of the system.
• System Location—Physical location of the device. Click Edit to go to the System Settings page to enter this value.
• System Contact—Name of a contact person. Click Edit to go to the System Settings page to enter this value.
• Host Name—Name of the device. Click Edit to go to the System Settings page to enter this value.
• Firmware Version (Active Image)—Firmware version number of the active image.
• Firmware MD5 Checksum (Active Image)—MD5 checksum of the active image.
• Firmware Version (Non-active Image)—Firmware version number of the non-active image.
• Firmware MD5 Checksum (Non-active Image)—MD5 checksum of the non-active image.
• Boot Version—Boot version number.
• Boot MD5 Checksum—MD5 checksum of the boot version.
5 Administration: General Information Console Settings (Autobaud Rate Support) • Host Name—Select the host name of this device. This is used in the prompt of CLI commands: - Use Default—The default hostname (System Name) of these switches is: switch123456, where 123456 represents the last three bytes of the device MAC address in hex format. - User Defined—Enter the hostname. Use only letters, digits, and hyphens. Host names cannot begin or end with a hyphen.
Administration: General Information Rebooting the Device 5 After Auto Detection is enabled in the Console Settings page, it can be activated by connecting the console to the device and pressing the Enter key twice. The device detects the baud rate automatically. To enable Auto Detection or to manually set the baud rate of the console: STEP 1 Click Administration > Console Settings. STEP 2 Select one of the following: • Auto Detection—The console baud rate is detected automatically.
5 Administration: General Information Rebooting the Device To reboot the device: STEP 1 Click Administration > Reboot. STEP 2 Click one of the Reboot buttons to reboot the device. • Reboot—Reboots the device. Since any unsaved information in the Running Configuration is discarded when the device is rebooted, you must click Save in the upper-right corner of any window to preserve current configuration across the boot process.
Administration: General Information Routing Resources 5 Routing Resources Use the Router Resources page to display TCAM allocation and modify total TCAM size. TCAM entries are divided into the following groups: • IP Entries—TCAM entries reserved for IP static routes, IP addresses on the device, and IP hosts.
5 Administration: General Information Monitoring Fan Status You must save your current configuration before changing the TCAM Allocation Settings. NOTE A summary of the TCAM entries actually in use and available is displayed at the bottom of this page. For an explanation of the fields, see Viewing TCAM Utilization. STEP 2 Save the new settings by clicking Apply. This checks the feasibility of the TCAM allocation. If it is incorrect, an error message is displayed.
5 Administration: General Information Monitoring Fan Status Event Action At least one temperature sensor exceeds the Critical threshold The following are generated: • SYSLOG message • SNMP trap The following actions are performed: Cool down period after the Critical threshold was exceeded (all sensors are lower than the Warning threshold - 2 °C). • System LED is set to solid amber (if hardware supports this).
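The Critical event and its cool-down rule above form a hysteresis: the alarm is raised as soon as any sensor exceeds the Critical threshold, but it is cleared only when every sensor is below the Warning threshold minus 2 °C. The following is an added example, not the switch firmware, that implements that rule as a small state machine and records the SYSLOG message and SNMP trap the table lists; the threshold values are assumed.

```python
# Added example, not the switch firmware: the Critical-threshold event with
# the cool-down rule from the fan-status table, implemented as a hysteresis
# state machine that emits the SYSLOG message and SNMP trap the table lists.
# Threshold values are assumed; the device's real thresholds are hardware specific.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WARNING_C = 60.0          # assumed Warning threshold
CRITICAL_C = 70.0         # assumed Critical threshold
COOLDOWN_MARGIN_C = 2.0   # page: cool-down ends when all sensors < Warning - 2 °C


@dataclass
class ThermalMonitor:
    warning_c: float = WARNING_C
    critical_c: float = CRITICAL_C
    critical_active: bool = False
    led: str = "green"
    events: List[Tuple[str, str]] = field(default_factory=list)

    def _emit(self, text):
        # On the device these are a SYSLOG message and an SNMP trap.
        self.events.append(("SYSLOG", text))
        self.events.append(("SNMP-TRAP", text))

    def sample(self, readings: Dict[str, float]):
        """readings maps sensor name to °C. Returns the resulting state."""
        hottest = max(readings.values())
        if not self.critical_active and hottest > self.critical_c:
            self.critical_active = True
            self.led = "amber"            # solid amber where hardware supports it
            self._emit(f"temperature CRITICAL: {hottest:.1f} C")
        elif self.critical_active and all(
            t < self.warning_c - COOLDOWN_MARGIN_C for t in readings.values()
        ):
            # Hysteresis: clear only once every sensor is below Warning - 2 °C,
            # so a sensor hovering around a threshold cannot flap the alarm.
            self.critical_active = False
            self.led = "green"
            self._emit("temperature normal after cool-down")
        return {"critical": self.critical_active, "led": self.led}
```

The point of the margin is visible in the sequence 72 °C, 65 °C, 59 °C, 57.5 °C with the assumed thresholds: the alarm stays up through the first three readings, even though 65 °C and 59 °C are below Critical, and clears only at 57.5 °C, which is under 60 - 2.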
5 Administration: General Information Defining Idle Session Timeout Defining Idle Session Timeout The Idle Session Timeout configures the time intervals that the management sessions can remain idle before they timeout and you must log in again to reestablish one of the following sessions: • HTTP Session Timeout • HTTPS Session Timeout • Console Session Timeout • Telnet Session Timeout • SSH Session Timeout To set the idle session timeout for various types of sessions: STEP 1 Click Administration
Administration: General Information Pinging a Host 5 • IP Version—If the host is identified by its IP address, select either IPv4 or IPv6 to indicate that it will be entered in the selected format. • IPv6 Address Type—Select Link Local or Global as the type of IPv6 address to enter. - Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network.
5 Administration: General Information Traceroute Traceroute Traceroute discovers the IP route along which packets are forwarded by sending probe packets toward the target host with increasing TTL values, so that each router on the path reports itself back to the device. The Traceroute page shows each hop between the device and a target host, and the round-trip time to each such hop. STEP 1 Click Administration > Traceroute.
Administration: General Information Traceroute 5 A page appears showing the Round Trip Time (RTT) and status for each trip in the fields: • Index—Displays the number of the hop. • Host—Displays a stop along the route to the destination. • Round Trip Time (1-3)—Displays the round trip time in ms for the first through third frame and the status of the first through third operation.
6 Administration: Time Settings Synchronized system clocks provide a frame of reference between all devices on the network. Network time synchronization is critical because every aspect of managing, securing, planning, and debugging a network involves determining when events occur. Without synchronized clocks, accurately correlating log files between devices when tracking security breaches or network usage is impossible.
6 Administration: Time Settings System Time Options System Time Options System time can be set manually by the user, dynamically from an SNTP server, or synchronized from the PC running the GUI. If an SNTP server is chosen, the manual time settings are overwritten when communications with the server are established. As part of the boot process, the device always configures the time, time zone, and DST.
6 Administration: Time Settings SNTP Modes Time Zone and Daylight Savings Time (DST) The Time Zone and DST can be set on the device in the following ways: • Dynamic configuration of the device through a DHCP server, where: - Dynamic DST, when enabled and available, always takes precedence over the manual configuration of DST. - If the server supplying the source parameters fails, or dynamic configuration is disabled by the user, the manual settings are used.
6 Administration: Time Settings Configuring System Time Configuring System Time Selecting Source of System Time Use the System Time page to select the system time source. If the source is manual, you can enter the time here. ! CAUTION If the system time is set manually and the device is rebooted, the manual time settings must be reentered. To define system time: STEP 1 Click Administration > Time Settings > System Time.
6 Administration: Time Settings Configuring System Time Manual Settings—Set the date and time manually. The local time is used when there is no alternate source of time, such as an SNTP server: • Date—Enter the system date. • Local Time—Enter the system time. Time Zone Settings—The local time is derived either from the time zone supplied by the DHCP server or from the configured Time Zone offset. • Get Time Zone from DHCP—Select to enable dynamic configuration of the time zone and the DST from the DHCP server.
6 Administration: Time Settings Configuring System Time - From—Day and time that DST starts. - To—Day and time that DST ends. Selecting Recurring allows different customization of the start and stop of DST: • From—Date when DST begins each year. - Day—Day of the week on which DST begins every year. - Week—Week within the month from which DST begins every year. - Month—Month of the year in which DST begins every year. - Time—The time at which DST begins every year.
6 Administration: Time Settings Configuring System Time • Poll Interval—Displays whether polling is enabled or disabled. • Authentication Key ID—Key Identification used to communicate between the SNTP server and device. • Stratum Level—Distance from the reference clock expressed as a numerical value. An SNTP server cannot be the primary server (stratum level 1) unless polling interval is enabled. • Status—SNTP server status.
6 Administration: Time Settings Configuring System Time • IP Version—Select the version of the IP address: Version 6 or Version 4. • IPv6 Address Type—Select the IPv6 address type (if IPv6 is used). The options are - Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported.
6 Administration: Time Settings Configuring System Time Configuring the SNTP Mode The device can be in active and/or passive mode (see SNTP Modes for more information). To enable receiving SNTP packets from all servers on the subnet and/or to enable transmitting time requests to SNTP servers: STEP 1 Click Administration > Time Settings > SNTP Multicast/Anycast.
6 Administration: Time Settings Configuring System Time The authentication key is created on the SNTP server in a separate process that depends on the type of SNTP server you are using. Consult with the SNTP server system administrator for more information. Workflow STEP 1 Enable authentication in the SNTP Authentication page. STEP 2 Create a key in the SNTP Authentication page. STEP 3 Associate this key with an SNTP server in the SNTP Unicast page.
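The workflow above pairs a Key ID and key on the device with the same key on the SNTP server, and the log-correlation argument at the start of this chapter is only as good as that authentication: an unauthenticated time source lets anyone on the path shift the clock and, with it, every timestamp in the logs. The following is an added example, not the switch's SNTP implementation, showing one authenticated unicast exchange from both sides: the client request, the server's reply, and the checks the client applies before trusting it. It uses the symmetric-key MD5 authenticator of RFC 5905 (MD5 over key || packet, keyed by the Key ID); the Key ID 1 and its key material are constructed for the demo.

```python
# Added example, not the switch's SNTP implementation: one authenticated
# SNTP unicast exchange (client request, server reply, client check) using
# the symmetric-key MD5 MAC of RFC 5905. Key ID 1 and its key material are
# constructed for the demo; on a real server the key is created separately.
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800           # seconds from 1900-01-01 to 1970-01-01
HEADER = struct.Struct("!BBbbIIIQQQQ")  # 48-byte NTP header
KEYRING = {1: b"sntp-demo-secret"}      # constructed: Key ID -> shared key


def to_ntp_ts(unix_seconds):
    """Unix seconds (float) -> 64-bit NTP timestamp, 32.32 fixed point."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (whole << 32) | frac


def from_ntp_ts(ts):
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def mac(key, header):
    """Authenticator: MD5 over key || header (a keyed digest, not HMAC)."""
    return hashlib.md5(key + header).digest()


def build_packet(mode, key_id, stratum=0, orig=0, recv=0, xmit=0, ref=0, ref_id=0):
    li_vn_mode = (0 << 6) | (4 << 3) | mode  # LI=0, NTP version 4
    header = HEADER.pack(li_vn_mode, stratum, 0, 0, 0, 0, ref_id, ref, orig, recv, xmit)
    return header + struct.pack("!I", key_id) + mac(KEYRING[key_id], header)


def verify_packet(packet):
    """Parse a 68-byte authenticated packet; None if the MAC does not verify."""
    if len(packet) != HEADER.size + 20:
        return None
    header, digest = packet[:HEADER.size], packet[HEADER.size + 4:]
    (key_id,) = struct.unpack("!I", packet[HEADER.size:HEADER.size + 4])
    key = KEYRING.get(key_id)
    if key is None or not hmac.compare_digest(digest, mac(key, header)):
        return None
    f = HEADER.unpack(header)
    return {"mode": f[0] & 7, "stratum": f[1], "ref_id": f[6],
            "orig": f[8], "recv": f[9], "xmit": f[10], "key_id": key_id}


def client_request(key_id, now):
    return build_packet(mode=3, key_id=key_id, xmit=to_ntp_ts(now))


def server_reply(request, server_now, stratum=2, ref_id=0x0A000001):
    """Drop unauthenticated or non-client packets; echo the client's transmit
    timestamp in the Originate field so the client can match the reply."""
    req = verify_packet(request)
    if req is None or req["mode"] != 3:
        return None
    t = to_ntp_ts(server_now)
    return build_packet(mode=4, key_id=req["key_id"], stratum=stratum,
                        orig=req["xmit"], recv=t, xmit=t, ref=t, ref_id=ref_id)


def client_accept(reply, sent_xmit_ts, received_at):
    """Return the clock offset in seconds, or None if the reply fails the MAC,
    is not a server reply, does not answer our request, or is unsynchronized."""
    rep = verify_packet(reply)
    if rep is None or rep["mode"] != 4 or rep["orig"] != sent_xmit_ts:
        return None
    if rep["stratum"] == 0 or rep["stratum"] > 15:
        return None  # stratum 0 is kiss-o'-death / unsynchronized
    t1, t4 = from_ntp_ts(sent_xmit_ts), received_at
    t2, t3 = from_ntp_ts(rep["recv"]), from_ntp_ts(rep["xmit"])
    return ((t2 - t1) + (t3 - t4)) / 2


def demo(client_now=1700000000.0, server_skew=1.5):
    """Round trip with 10 ms each way and the server clock ahead by server_skew."""
    req = client_request(1, client_now)
    sent_ts = verify_packet(req)["xmit"]
    rep = server_reply(req, client_now + 0.01 + server_skew)
    return client_accept(rep, sent_ts, client_now + 0.02)
```

Two of the checks in client_accept() matter beyond the MAC: the Originate timestamp must echo what the client sent, which stops a replayed reply from an earlier exchange, and a stratum of 0 or above 15 means the server is not itself synchronized and its time should not be adopted. Note that MD5 here is the keyed digest the SNTP authentication feature specifies, not a general-purpose MAC choice.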
6 Administration: Time Settings Configuring System Time • 8021X Port Authentication • Port State • Time-Based PoE There are two types of time ranges: • Absolute—This type of time range begins on a specific date or immediately and ends on a specific date or extends infinitely. It is created in the Time Range pages. A recurring element can be added to it. • Recurring—This type of time range contains a time range element that is added to an absolute range, and begins and ends on a recurring basis.
6 Administration: Time Settings Configuring System Time • Time Range Name—Enter a new time range name. • Absolute Starting Time—To define the start time, enter the following: - Immediate—Select for the time range to start immediately. - Date, Time—Enter the date and time that the Time Range begins. • Absolute Ending Time—To define the end time, enter the following: - Infinite—Select for the time range to never end. - Date, Time—Enter the date and time that the Time Range ends.
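Because a time range gates port state, 802.1X and PoE, the question of whether it is active at a given instant is worth working through. The following is an added example, not the switch's implementation, that evaluates an absolute range whose start may be Immediate and whose end may be Infinite, optionally narrowed by recurring elements, and applies the Port Settings rule that the range only matters while the port is administratively Up. The weekly "day hh:mm" form of the recurring element is this example's assumption about the page's schema.

```python
# Added example (not the switch's implementation) that evaluates a Time Range:
# the absolute span may start Immediately (None) and end Infinitely (None),
# and recurring elements narrow it. The weekly "day hh:mm" form used for the
# recurring element is this example's assumption about the page's schema.
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def _as_dt(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def _minute_of_week(day, hhmm):
    t = time.fromisoformat(hhmm)
    return WEEKDAYS.index(day) * 1440 + t.hour * 60 + t.minute


@dataclass(frozen=True)
class Recurring:
    """Weekly window from (start_day, start) to (end_day, end), e.g.
    Recurring("Mon", "08:00", "Fri", "18:00"); may wrap past Sunday."""
    start_day: str
    start: str
    end_day: str
    end: str

    def contains(self, at):
        at = _as_dt(at)
        now = at.weekday() * 1440 + at.hour * 60 + at.minute
        s = _minute_of_week(self.start_day, self.start)
        e = _minute_of_week(self.end_day, self.end)
        if s <= e:
            return s <= now < e
        return now >= s or now < e  # window wraps around the week boundary


@dataclass
class TimeRange:
    name: str
    absolute_start: Optional[str] = None  # ISO datetime; None = Immediate
    absolute_end: Optional[str] = None    # ISO datetime; None = Infinite
    recurring: List[Recurring] = field(default_factory=list)

    def is_active(self, at):
        at = _as_dt(at)
        if self.absolute_start is not None and at < _as_dt(self.absolute_start):
            return False
        if self.absolute_end is not None and at >= _as_dt(self.absolute_end):
            return False
        # No recurring element: the whole absolute span is active.
        # Otherwise any matching recurring element activates the range.
        return not self.recurring or any(r.contains(at) for r in self.recurring)


def port_should_be_up(admin_up, time_range, at):
    """Port Settings semantics: a Time Range is only consulted while the port
    is administratively Up; an inactive range shuts the port down."""
    if not admin_up:
        return False
    return time_range is None or time_range.is_active(at)
```

The wrap-around case (a window such as Friday 18:00 to Monday 08:00) is the one most often got wrong when these checks are written ad hoc; the comparison in contains() handles it by testing the two halves of the week separately.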
7 Administration: Diagnostics This section contains information for configuring port mirroring, running cable tests, and viewing device operational information. It covers the following topics: • Testing Copper Ports • Displaying Optical Module Status • Configuring Port and VLAN Mirroring • Viewing CPU Utilization and Secure Core Technology Testing Copper Ports The Copper Test page displays the results of integrated cable tests performed on copper cables by the Virtual Cable Tester (VCT).
7 Administration: Diagnostics Testing Copper Ports • (Optional) Disable EEE (see the Port Management > Green Ethernet > Properties page) Use a CAT5 data cable when testing cables using the VCT. Accuracy of the test results can have an error range of +/- 10 for Advanced Testing and +/- 2 for basic testing. ! CAUTION When a port is tested, it is set to the Down state and communications are interrupted. After the test, the port returns to the Up state.
7 Administration: Diagnostics Displaying Optical Module Status If the port being tested is a Giga port, the Advanced Information block contains the following information, which is refreshed each time you enter the page: • Cable Length: Provides an estimate for the length. • Pair—Cable wire pair being tested. • Status—Wire pair status. Red indicates fault and Green indicates status OK. • Channel—Cable channel indicating whether the wires are straight or crossover.
7 Administration: Diagnostics Configuring Port and VLAN Mirroring • MGBLH1: 1000BASE-LH SFP transceiver, for single-mode fiber, 1310 nm wavelength, supports up to 40 km. • MGBLX1: 1000BASE-LX SFP transceiver, for single-mode fiber, 1310 nm wavelength, supports up to 10 km. • MGBSX1:1000BASE-SX SFP transceiver, for multimode fiber, 850 nm wavelength, supports up to 550 m. • MGBT1: 1000BASE-T SFP transceiver for category 5 copper wire, supports up to 100 m.
7 Administration: Diagnostics Configuring Port and VLAN Mirroring A packet that is received on a network port assigned to a VLAN that is subject to mirroring is mirrored to the analyzer port even if the packet was eventually trapped or discarded. Packets sent by the device are mirrored when Transmit (Tx) mirroring is activated. Mirroring does not guarantee that all traffic from the source port(s) is received on the analyzer (destination) port.
7 Administration: Diagnostics Viewing CPU Utilization and Secure Core Technology • Destination Port—Select the analyzer port to where packets are copied. A network analyzer, such as a PC running Wireshark, is connected to this port. If a port is identified as an analyzer destination port, it remains the analyzer destination port until all entries are removed. • Source Interface—Select the source port or source VLAN from where traffic is to be mirrored.
Administration: Diagnostics Viewing CPU Utilization and Secure Core Technology 7 STEP 1 Click Administration > Diagnostics > CPU Utilization. The CPU Utilization page appears. The CPU Input Rate field displays the rate of input frames to the CPU per second. The window contains a graph of the CPU utilization. The Y axis is percentage of usage, and the X axis is the sample number. STEP 2 Select the Refresh Rate (time period in seconds) that passes before the statistics are refreshed.
8 Administration: Discovery This section provides information for configuring Discovery. It covers the following topics: • Configuring Bonjour Discovery • LLDP and CDP • Configuring LLDP • Configuring CDP Configuring Bonjour Discovery As a Bonjour client, the device periodically broadcasts Bonjour Discovery protocol packets to directly-connected IP subnet(s), advertising its existence and the services that it provides; for example, HTTP, HTTPS, and Telnet.
8 Administration: Discovery Configuring Bonjour Discovery When Bonjour Discovery is disabled, the device stops any service type advertisements and does not respond to requests for service from network management applications. To globally enable Bonjour when the system is in Layer 2 system mode: STEP 1 Click Administration > Discovery - Bonjour. STEP 2 Select Enable to enable Bonjour Discovery globally on the device. STEP 3 Click Apply.
8 Administration: Discovery LLDP and CDP STEP 3 Click Apply to update the Running Configuration file. STEP 4 To enable Bonjour on an interface, click Add. STEP 5 Select the interface, and click Apply. NOTE Click Delete to disable Bonjour on an interface (this performs the delete operation without any additional operation, such as Apply).
8 Administration: Discovery Configuring LLDP • CDP and LLDP end devices, such as IP phones, learn the voice VLAN configuration from CDP and LLDP advertisements. By default, the device is enabled to send out CDP and LLDP advertisements based on the voice VLAN configured at the device. Refer to the Voice VLAN and Auto Voice VLAN sections for details. NOTE CDP/LLDP does not distinguish if a port is in a LAG.
8 Administration: Discovery Configuring LLDP • Displaying LLDP Local Information • Displaying LLDP Neighbors Information • Accessing LLDP Statistics • LLDP Overloading LLDP Overview LLDP is a protocol that enables network managers to troubleshoot and enhance network management in multi-vendor environments. LLDP standardizes methods for network devices to advertise themselves to other systems, and to store discovered information.
8 Administration: Discovery Configuring LLDP 4. Associate LLDP MED network policies and the optional LLDP-MED TLVs to the desired interfaces by using the LLDP MED Port Settings page. 5. If Auto Smartport is to detect the capabilities of LLDP devices, enable LLDP in the Smartport Properties page. 6. Display overloading information by using the LLDP Overloading page.
8 Administration: Discovery Configuring LLDP STEP 3 In the Fast Start Repeat Count field, enter the number of times LLDP packets are sent when the LLDP-MED Fast Start mechanism is initialized. This occurs when a new endpoint device links to the device. For a description of LLDP MED, refer to the LLDP MED Network Policy section. STEP 4 Click Apply. The LLDP properties are added to the Running Configuration file.
8 Administration: Discovery Configuring LLDP The time interval between notifications is entered in the Topology Change SNMP Notification Interval field in the LLDP Properties page. Define SNMP Notification Recipients by using the SNMP > Notification Recipient v1,2 and/or SNMP > Notification Recipient v3 page. • Available Optional TLVs—Select the information to be published by the device by moving the TLV to the Selected Optional TLVs list.
8 Administration: Discovery Configuring LLDP lowest IP address among the dynamic IP addresses. If there are no dynamic addresses, the software chooses the lowest IP address among the static IP addresses. - None—Do not advertise the management IP address. - Manual Advertise—Select this option and the management IP address to be advertised.
8 Administration: Discovery Configuring LLDP Setting LLDP MED Network Policy An LLDP-MED network policy is a related set of configuration settings for a specific real-time application such as voice, or video. A network policy, if configured, can be included in the outgoing LLDP packets to the attached LLDP media endpoint device. The media endpoint device must send its traffic as specified in the network policy it receives.
8 Administration: Discovery Configuring LLDP • VLAN Tag—Select whether the traffic is Tagged or Untagged. • User Priority—Select the traffic priority applied to traffic defined by this network policy. This is the CoS value. • DSCP Value—Select the DSCP value to associate with application data sent by neighbors. This informs them how they must mark the application traffic they send to the device. STEP 6 Click Apply. The network policy is defined.
8 Administration: Discovery Configuring LLDP • SNMP Notification—Select whether an SNMP notification is sent, on a per-port basis, to the SNMP managing system when an end station that supports MED is discovered or when there is a topology change. • Available Optional TLVs—Select the TLVs that can be published by the device by moving them to the Selected Optional TLVs list.
8 Administration: Discovery Configuring LLDP • Chassis ID Subtype—Type of chassis ID (for example, MAC address). • Chassis ID—Identifier of chassis. Where the chassis ID subtype is a MAC address, the MAC address of the device appears. • System Name—Name of device. • System Description—Description of the device (in alpha-numeric format). • Supported System Capabilities—Primary functions of the device, such as Bridge, WLAN AP, or Router.
8 Administration: Discovery Configuring LLDP This page provides the following fields: Global • Chassis ID Subtype—Type of chassis ID. (For example, the MAC address.) • Chassis ID—Identifier of chassis. Where the chassis ID subtype is a MAC address, the MAC address of the device appears. • System Name—Name of device. • System Description—Description of the device (in alpha-numeric format). • Supported System Capabilities—Primary functions of the device, such as Bridge, WLAN AP, or Router.
8 Administration: Discovery Configuring LLDP • Auto-Negotiation Advertised Capabilities—Port speed auto-negotiation capabilities; for example, 1000BASE-T half duplex mode, 100BASE-TX full duplex mode. • Operational MAU Type—Medium Attachment Unit (MAU) type. The MAU performs physical layer functions, including digital data conversion from the Ethernet interfaces’ collision detection and bit injection into the network; for example, 100BASE-TX full duplex mode. 802.3 Details • 802.
8 Administration: Discovery Configuring LLDP - Endpoint Class 1—Indicates a generic endpoint class, offering basic LLDP services. - Endpoint Class 2—Indicates a media endpoint class, offering media streaming capabilities, as well as all Class 1 features. - Endpoint Class 3—Indicates a communications device class, offering all Class 1 and Class 2 features plus location, 911, Layer 2 device support, and device information management capabilities. • PoE Device Type—Port PoE type; for example, powered.
8 Administration: Discovery Configuring LLDP - Untagged—Indicates the network policy is defined for untagged VLANs. • User Priority—Network policy user priority. • DSCP—Network policy DSCP. Displaying LLDP Neighbors Information The LLDP Neighbors Information page contains information that was received from neighboring devices. A neighbor's information is deleted when the Time To Live advertised in its last LLDP PDU (the Time To Live TLV) expires without another LLDP PDU having been received from that neighbor.
8 Administration: Discovery Configuring LLDP Basic Details • Chassis ID Subtype—Type of chassis ID (for example, MAC address). • Chassis ID—Identifier of the 802 LAN neighboring device chassis. • Port ID Subtype—Type of the port identifier that is shown. • Port ID—Identifier of port. • Port Description—Information about the port, including manufacturer, product name and hardware/software version. • System Name—Name of system that is published.
8 Administration: Discovery Configuring LLDP • Operational MAU Type—Medium Attachment Unit (MAU) type. The MAU performs physical layer functions, including digital data conversion from the Ethernet interfaces’ collision detection and bit injection into the network; for example, 100BASE-TX full duplex mode. 802.3 Power via MDI • MDI Power Support Port Class—Advertised power support port class. • PSE MDI Power Support—Indicates if MDI power is supported on the port.
8 Administration: Discovery Configuring LLDP MED Details • Capabilities Supported—MED capabilities enabled on the port. • Current Capabilities—MED TLVs advertised by the port. • Device Class—LLDP-MED endpoint device class. The possible device classes are: - Endpoint Class 1—Indicates a generic endpoint class, offering basic LLDP services. - Endpoint Class 2—Indicates a media endpoint class, offering media streaming capabilities as well as all Class 1 features.
8 Administration: Discovery Configuring LLDP • Enabled—Enabled Port and Protocol VLAN IDs. VLAN IDs • VID—Port and Protocol VLAN ID. • VLAN Names—Advertised VLAN names. Protocol IDs • Protocol ID Table—Advertised protocol IDs. Location Information Enter the following data structures in hexadecimal as described in section 10.2.4 of the ANSI-TIA-1057 standard: • Civic—Civic or street address. • Coordinates—Location map coordinates—latitude, longitude, and altitude.
8 Administration: Discovery Configuring LLDP STEP 1 Click Administration > Discovery - LLDP > LLDP Statistics. For each port, the fields are displayed: • Interface—Identifier of interface. • Tx Frames Total—Number of transmitted frames. • Rx Frames - Total—Number of received frames. - Discarded—Total number of received frames that were discarded. - Errors—Total number of received frames with errors. • Rx TLVs - Discarded—Total number of received TLVs that were discarded.
8 Administration: Discovery Configuring LLDP • Left to Send (Bytes)—Total number of available bytes left for additional LLDP information in each packet. • Status—Whether TLVs are being transmitted or if they are overloaded. STEP 2 To view the overloading details for a port, select it and click Details. This page contains the following information for each TLV sent on the port: • LLDP Mandatory TLVs - Size (Bytes)—Total mandatory TLV byte size.
8 Administration: Discovery Configuring CDP • LLDP Optional TLVs - Size (Bytes)—Total LLDP MED optional TLVs packets byte size. - Status—If the LLDP MED optional TLVs packets were sent, or if they were overloaded. • LLDP MED Inventory - Size (Bytes)—Total LLDP MED inventory TLVs packets byte size. - Status—If the LLDP MED inventory packets were sent, or if they were overloaded.
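The overloading figures above come from a simple budget: the mandatory TLVs always go out, each optional TLV is appended while it still fits in the frame, and whatever does not fit is reported as overloaded, with Left to Send being the bytes remaining. The following is an added example, not Cisco code, that encodes and decodes an LLDPDU with that accounting, enforces the mandatory Chassis ID, Port ID, TTL order on receipt, and ages learned neighbors by the received TTL as the LLDP Neighbors Information page describes (a TTL of 0, the shutdown LLDPDU, removes the entry at once). The 1500-byte budget and the sample TLV contents are assumed.

```python
# Added example, not Cisco code: encode and decode an LLDPDU with the
# per-TLV "Sent / Overloaded" accounting and "Left to Send" figure that the
# LLDP Overloading page reports, and age neighbors by the received TTL as
# the LLDP Neighbors page does. The 1500-byte budget and sample contents
# are assumed.
import struct

END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)
MAX_LLDPDU = 1500  # assumed budget: one Ethernet payload


def tlv(tlv_type, value):
    """TLV header is 7 bits of type and 9 bits of length, big-endian."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type must fit 7 bits and length 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def mac_chassis_id(mac):
    return tlv(CHASSIS_ID, b"\x04" + bytes.fromhex(mac.replace(":", "")))  # subtype 4 = MAC


def ifname_port_id(name):
    return tlv(PORT_ID, b"\x05" + name.encode())  # subtype 5 = interface name


def ttl_tlv(seconds):
    return tlv(TTL, struct.pack("!H", seconds))


def build_lldpdu(mandatory, optional, budget=MAX_LLDPDU):
    """mandatory/optional: lists of (name, encoded_tlv). Mandatory TLVs are
    always sent; optional TLVs are appended in order while they fit and the
    rest are reported as Overloaded. Returns (pdu, report, left_to_send)."""
    end = tlv(END, b"")
    used = sum(len(t) for _, t in mandatory) + len(end)
    if used > budget:
        raise ValueError("mandatory TLVs alone exceed the budget")
    body = b"".join(t for _, t in mandatory)
    report = [(name, len(t), "Sent") for name, t in mandatory]
    for name, t in optional:
        if used + len(t) <= budget:
            body += t
            used += len(t)
            report.append((name, len(t), "Sent"))
        else:
            report.append((name, len(t), "Overloaded"))
    return body + end, report, budget - used


def parse_lldpdu(pdu):
    """Decode TLVs up to the End TLV and require the 802.1AB order
    Chassis ID, Port ID, TTL at the front. Returns [(type, value), ...]."""
    tlvs, pos = [], 0
    while pos + 2 <= len(pdu):
        (hdr,) = struct.unpack("!H", pdu[pos:pos + 2])
        t, n = hdr >> 9, hdr & 0x1FF
        value = pdu[pos + 2:pos + 2 + n]
        if len(value) != n:
            raise ValueError("truncated TLV")
        pos += 2 + n
        if t == END:
            break
        tlvs.append((t, value))
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    return tlvs


class NeighborTable:
    """Neighbors keyed by (local port, chassis id, port id). An entry lives
    for the TTL carried in the last LLDPDU; a TTL of 0 (shutdown LLDPDU)
    removes it immediately."""

    def __init__(self):
        self.entries = {}

    def learn(self, local_port, pdu, now):
        tlvs = parse_lldpdu(pdu)
        key = (local_port, tlvs[0][1], tlvs[1][1])
        (ttl,) = struct.unpack("!H", tlvs[2][1])
        if ttl == 0:
            self.entries.pop(key, None)
        else:
            self.entries[key] = {"expires": now + ttl, "tlvs": tlvs}

    def expire(self, now):
        """Drop aged-out neighbors; returns the number still known."""
        for key in [k for k, e in self.entries.items() if e["expires"] <= now]:
            del self.entries[key]
        return len(self.entries)
```

parse_lldpdu() rejects a PDU whose first three TLVs are not Chassis ID, Port ID and TTL, and a TLV whose declared length runs past the end of the buffer; both are the kind of malformed input a receiver must tolerate, since anything on the link can send LLDP frames.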
8 Administration: Discovery Configuring CDP CDP Configuration Workflow The following is a sample workflow for configuring CDP on the device. You can also find additional CDP configuration guidelines in the LLDP/CDP section. STEP 1 Enter the CDP global parameters using the CDP Properties page STEP 2 Configure CDP per interface using the Interface Setting page STEP 3 If Auto Smartport is to detect the capabilities of CDP devices, enable CDP in the Smartport Properties page.
8 Administration: Discovery Configuring CDP • CDP Hold Time—Amount of time that CDP packets are held before the packets are discarded, measured in multiples of the TLV Advertise Interval. For example, if the TLV Advertise Interval is 30 seconds, and the Hold Multiplier is 4, then the CDP packets are discarded after 120 seconds. The following options are possible: - Use Default—Use the default time (180 seconds) - User Defined—Enter the time in seconds.
8 Administration: Discovery Configuring CDP Editing CDP Interface Settings The Interface Settings page enables administrators to enable/disable CDP per port. Notifications can also be triggered when there are conflicts with CDP neighbors. The conflict can be Voice VLAN data, Native VLAN, or Duplex. By setting these properties it is possible to select the types of information to be provided to devices that support CDP.
8 Administration: Discovery Configuring CDP • Syslog Voice VLAN Mismatch—Select to enable the option of sending a SYSLOG message when a voice VLAN mismatch is detected. This means that the voice VLAN information in the incoming frame does not match what the local device is advertising. • Syslog Native VLAN Mismatch—Select to enable the option of sending a SYSLOG message when a native VLAN mismatch is detected.
8 Administration: Discovery Configuring CDP • Capabilities TLV • Appliance TLV - Appliance ID—Type of device attached to port, advertised in the appliance TLV. - Appliance VLAN ID—VLAN on the device used by the appliance; for instance, if the appliance is an IP phone, this is the voice VLAN. • Extended Trust TLV - Extended Trust—Enabled indicates that the port is trusted, meaning that the host/server from which the packet is received is trusted to mark the packets itself.
8 Administration: Discovery Configuring CDP - Request ID—Last power request ID received echoes the Request-ID field last received in a Power Requested TLV. It is 0 if no Power Requested TLV was received since the interface last transitioned to Up.
8 Administration: Discovery Configuring CDP • Capabilities—Capabilities advertised by neighbor. • Platform—Information from Platform TLV of neighbor. • Neighbor Interface—Outgoing interface of the neighbor. STEP 2 Select a device, and click Details. This page contains the following fields about the neighbor: • Device ID—Identifier of the neighboring device. • Local Interface—Interface number of port through which frame arrived. • Advertisement Version—Version of CDP.
8 Administration: Discovery Configuring CDP Viewing CDP Statistics The CDP Statistics page displays information regarding Cisco Discovery Protocol (CDP) frames that were sent or received from a port. CDP packets are received from devices attached to the switch's interfaces, and are used for the Smartport feature. See Configuring CDP for more information. CDP statistics for a port are only displayed if CDP is enabled globally and on the port.
9 Port Management This section describes port configuration, link aggregation, and the Green Ethernet feature. It covers the following topics: • Configuring Ports • Setting Port Configuration • Configuring Link Aggregation • Configuring Green Ethernet Configuring Ports To configure ports, perform the following actions: 1. Configure port by using the Port Settings page. 2.
9 Port Management Setting Port Configuration Setting Port Configuration The Port Settings page displays the global and per port setting of all the ports. This page enables you to select and configure the desired ports from the Edit Port Settings page. To configure port settings: STEP 1 Click Port Management > Port Settings. STEP 2 Select Jumbo Frames to support packets of up to 10 KB in size. If Jumbo Frames is not enabled (default), the system supports packet size up to 2,000 bytes.
9 Port Management Setting Port Configuration • Operational Status—Displays whether the port is currently Up or Down. If the port is down because of an error, the description of the error is displayed. • Time Range—Select to enable the time range during which the port is in Up state. When the time range is not active, the port is in shutdown. If a time range is configured, it is effective only when the port is administratively Up.
9 Port Management Setting Port Configuration • Auto Advertisement—Select the capabilities advertised by autonegotiation when it is enabled. The options are: - Max Capability—All port speeds and duplex mode settings can be accepted. - 10 Half—10 Mbps speed and Half Duplex mode. - 10 Full—10 Mbps speed and Full Duplex mode. - 100 Half—100 Mbps speed and Half Duplex mode. - 100 Full—100 Mbps speed and Full Duplex mode. - 1000 Full—1000 Mbps speed and Full Duplex mode.
9 Port Management Configuring Link Aggregation - Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and LAGs) that share the same VLAN. - Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications. - Port protection is not subject to VLAN membership.
9 Port Management Configuring Link Aggregation Link Aggregation Overview Link Aggregation Control Protocol (LACP) is part of the IEEE specification (originally 802.3ad, now 802.1AX) that enables you to bundle several physical ports together to form a single logical channel (LAG). LAGs multiply the bandwidth, increase port flexibility, and provide link redundancy between two devices. Two types of LAGs are supported: • Static—A LAG is static if the LACP is disabled on it.
9 Port Management Configuring Link Aggregation Every LAG has the following characteristics: • All ports in a LAG must be of the same media type. • To add a port to the LAG, it cannot belong to any VLAN except the default VLAN. • Ports in a LAG must not be assigned to another LAG. • No more than eight ports are assigned to a static LAG and no more than 16 ports can be candidates for a dynamic LAG.
9 Port Management Configuring Link Aggregation To configure a dynamic LAG, perform the following actions: 1. Enable LACP on the LAG. Assign up to 16 candidates ports to the dynamic LAG by selecting and moving the ports from the Port List to the LAG Members List by using the LAG Management page. 2. Configure various aspects of the LAG, such as speed and flow control by using the LAG Settings page. 3. Set the LACP priority and timeout of the ports in the LAG by using the LACP page.
9 Port Management Configuring Link Aggregation • Port List—Move those ports that are to be assigned to the LAG from the Port List to the LAG Members list. Up to eight ports per static LAG can be assigned, and 16 ports can be assigned to a dynamic LAG. STEP 3 Click Apply. LAG membership is saved to the Running Configuration file. Configuring LAG Settings The LAG Settings page displays a table of current settings for all LAGs.
9 Port Management Configuring Link Aggregation • Administrative Auto Negotiation—Enables or disables auto-negotiation on the LAG. Auto-negotiation is a protocol between two link partners that enables a LAG to advertise its transmission speed and flow control to its partner (the Flow Control default is disabled). It is recommended to keep auto-negotiation enabled on both sides of an aggregate link, or disabled on both sides, while ensuring that link speeds are identical.
9 Port Management Configuring Link Aggregation Configuring LACP A dynamic LAG is LACP-enabled, and LACP is run on every candidate port defined in the LAG. LACP Priority and Rules LACP system priority and LACP port priority are both used to determine which of the candidate ports become active member ports in a dynamic LAG configured with more than eight candidate ports. The selected candidate ports of the LAG are all connected to the same remote device.
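The selection rule above is worth seeing worked through, because with 16 candidates and only 8 active members it decides which links actually carry traffic and which sit in standby. The following is an added example, not the switch's LACP code, that applies it: the system with the numerically lower (system priority, MAC) pair is the one whose port priorities count, lower values win, ties break on the lower port number, and only candidates facing the same partner are eligible. When candidates face more than one partner this example keeps the partner with the lowest system ID; that choice, like the candidate data, is an assumption of the example.

```python
# Added example, not the switch's LACP implementation: choose the active
# members of a dynamic LAG from up to 16 candidates using LACP system and
# port priorities (lower value wins, ties on lower port number). The rule for
# picking among several partners and the candidate data are assumptions.
from dataclasses import dataclass
from typing import List, Tuple

MAX_ACTIVE = 8        # page: no more than eight ports active in a LAG
MAX_CANDIDATES = 16   # page: no more than 16 candidates for a dynamic LAG


@dataclass(frozen=True)
class Candidate:
    port: str                        # local port name, e.g. "gi3"
    local_port_priority: int
    partner_system: Tuple[int, str]  # (partner system priority, partner MAC)
    partner_port_priority: int
    partner_port: int


def port_number(name):
    """'gi12' -> 12; used to break priority ties on the lower port number."""
    return int("".join(ch for ch in name if ch.isdigit()))


def deciding_side_is_local(local_system, partner_system):
    """The system with the numerically lower (priority, MAC) decides which
    ports aggregate, so its port priorities are the ones that count."""
    return local_system <= partner_system


def select_active(local_system, candidates: List[Candidate]):
    """Return (active, standby, excluded) lists of port names."""
    if len(candidates) > MAX_CANDIDATES:
        raise ValueError("a dynamic LAG takes at most 16 candidate ports")
    # Active members must all face the same remote device. Assumption of this
    # example: keep the partner with the lowest system ID, drop the rest.
    chosen_partner = min(c.partner_system for c in candidates)
    same_partner = [c for c in candidates if c.partner_system == chosen_partner]
    if deciding_side_is_local(local_system, chosen_partner):
        rank = lambda c: (c.local_port_priority, port_number(c.port))
    else:
        rank = lambda c: (c.partner_port_priority, c.partner_port)
    ordered = sorted(same_partner, key=rank)
    active = [c.port for c in ordered[:MAX_ACTIVE]]
    standby = [c.port for c in ordered[MAX_ACTIVE:]]
    excluded = [c.port for c in candidates if c.partner_system != chosen_partner]
    return active, standby, excluded
```

The practical consequence is that setting a port priority on only one switch does nothing if the other switch has the lower system priority; to steer which links go active, set the system priority so that the side you configure is the deciding one, or set port priorities on both sides.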
9 Port Management Configuring Link Aggregation However, there are cases when one link partner is temporarily not configured for LACP. One example for such case is when the link partner is on a device, which is in the process of receiving its configuration using the auto-config protocol. This device's ports are not yet configured to LACP. If the LAG link cannot come up, the device cannot ever become configured. A similar case occurs with dual-NIC network-boot computers (e.g.
STEP 5 Click Apply. The Running Configuration file is updated.

Configuring Green Ethernet
This section describes the Green Ethernet feature that is designed to save power on the device.

In addition to the above Green Ethernet features, 802.3az Energy Efficient Ethernet (EEE) is found on devices supporting GE ports. EEE reduces power consumption when there is no traffic on the port. See 802.3az Energy Efficient Ethernet Feature for more information (available on GE models only). EEE is enabled globally by default. On a given port, if EEE is enabled, Short Reach mode must be disabled. If Short Reach mode is enabled, EEE is grayed out.

802.3az Energy Efficient Ethernet Feature
This section describes the 802.3az Energy Efficient Ethernet (EEE) feature. It covers the following topics:
• 802.3az EEE Overview
• Advertise Capabilities Negotiation
• Link Level Discovery for 802.3az EEE
• Availability of 802.3az EEE
• Default Configuration
• Interactions Between Features
• 802.3az EEE Configuration Workflow

802.3az EEE Overview
802.

Advertise Capabilities Negotiation
802.3az EEE support is advertised during the Auto-Negotiation stage. Auto-Negotiation provides a linked device with the capability to detect the abilities (modes of operation) supported by the device at the other end of the link, determine common abilities, and configure itself for joint operation. Auto-Negotiation is performed at the time of link-up, on command from management, or upon detection of a link error.

802.3az EEE Configuration Workflow
This section describes how to configure the 802.3az EEE feature and view its counters.
STEP 1 Ensure that auto-negotiation is enabled on the port by opening the Port Management > Port Settings page.
a. Select a port and open the Edit Port Setting page.
b. Select the Auto Negotiation field to ensure that it is Enabled.
STEP 2 Ensure that 802.

• Energy Detect Mode—Disabled by default. Click the checkbox to enable.
• Short Reach—Globally enable or disable Short Reach mode if there are GE ports on the device.
NOTE If Short Reach is enabled, EEE must be disabled.
• Power Savings—Displays the percentage of power saved by running Green Ethernet and Short Reach. The power savings displayed is only relevant to the power saved by Short Reach and Energy Detect modes.

To define per-port Green Ethernet settings:
STEP 1 Click Port Management > Green Ethernet > Port Settings. The Port Settings page displays the following:
• Global Parameter Status—Describes the enabled features.
For each port the following fields are described:
• Port—The port number.
• Energy Detect—State of the port regarding Energy Detect mode:
- Administrative—Displays whether Energy Detect mode was enabled.

- EEE Support on Remote—Displays whether EEE is supported on the link partner. EEE must be supported on both the local and remote link partners.
NOTE The window displays the Short Reach, Energy Detect and EEE settings for each port; however, they are not enabled on any port unless they are also enabled globally by using the Properties page. To enable Short Reach and EEE globally, see Setting Global Green Ethernet Properties.
10 Smartport
This document describes the Smartports feature.

Overview
The Smartport feature provides a convenient way to save and share common configurations. By applying the same Smartport macro to multiple interfaces, the interfaces share a common set of configurations. A Smartport macro is a script of CLI (Command Line Interface) commands. A Smartport macro can be applied to an interface by the macro name, or by the Smartport type associated with the macro. Applying a Smartport macro by macro name can be done only through the CLI.

What is a Smartport
A Smartport is an interface to which a built-in (or user-defined) macro may be applied. These macros are designed to provide a means of quickly configuring the device to support the communication requirements and utilize the features of various types of network devices. The network access and QoS requirements vary depending on whether the interface is connected to an IP phone, a printer, or a router and/or Access Point (AP).

• Statically from a Smartport macro by name, only from the CLI.
A Smartport macro can be applied by its Smartport type statically from the CLI and GUI, and dynamically by Auto Smartport. Auto Smartport derives the Smartport types of the attached devices based on CDP capabilities, LLDP system capabilities, and/or LLDP-MED capabilities.

Special Smartport Types
There are two special Smartport types: default and unknown. These two types are not associated with macros, but they exist to signify the state of the interface regarding Smartport. The following describes these special Smartport types:
• Default—An interface that does not (yet) have a Smartport type assigned to it has the Default Smartport status.

Smartport Macros
A Smartport macro is a script of CLI commands that configure an interface appropriately for a particular network device. Smartport macros should not be confused with global macros. Global macros configure the device globally, whereas the scope of a Smartport macro is limited to the interface on which it is applied.

Applying a Smartport Type to an Interface
When Smartport types are applied to interfaces, the Smartport types and the configuration in the associated Smartport macros are saved in the Running Configuration file.

After the source of the problem is determined and the existing configuration or Smartport macro is corrected, you must perform a reset operation to reset the interface before a Smartport type can be reapplied to it (in the Interface Settings pages). See the workflow area in the Common Smartport Tasks section for troubleshooting tips.

Auto Smartport
In order for Auto Smartport to automatically assign Smartport types to interfaces, the Auto Smartport feature must be enabled globally and on the relevant interfaces that Auto Smartport should be allowed to configure. By default, Auto Smartport is enabled and allowed to configure all interfaces. The Smartport type assigned to each interface is determined by the CDP and LLDP packets received on each interface, respectively.

If, for example, an IP phone is attached to a port, it transmits CDP or LLDP packets that advertise its capabilities. After reception of these CDP and/or LLDP packets, the device derives the appropriate Smartport type for a phone and applies the corresponding Smartport macro to the interface where the IP phone attaches.
LLDP Capabilities Mapping to Smartport Type

Capability Name                                          LLDP Bit   Smartport Type
Other                                                    1          Ignore
Repeater (IETF RFC 2108)                                 2          Ignore
MAC Bridge (IEEE Std. 802.1D)                            3          Switch
WLAN Access Point (IEEE Std. 802.11 MIB)                 4          Wireless Access Point
Router (IETF RFC 1812)                                   5          Router
Telephone (IETF RFC 4293)                                6          ip_phone
DOCSIS cable device (IETF RFC 4639 and IETF RFC 4546)    7          Ignore
Station Only (IETF RFC 4293)                             8          Host
C-VLAN Component of a VLAN Bridge (IEEE Std. 802.
• If all devices on an interface advertise the same capability (there is no conflict), the matching Smartport type is applied to the interface.
• If one of the devices is a switch, the Switch Smartport type is used.
• If one of the devices is an AP, the Wireless Access Point Smartport type is used.
• If one of the devices is an IP phone and another device is a host, the ip_phone_desktop Smartport type is used.
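As an added illustration (not code from the guide), the following Python maps the LLDP bits of the capabilities table to Smartport types and applies the multi-device rules listed above. The bit ordering inside the LLDP System Capabilities field, the fallback for combinations the list does not cover, and the sample neighbor bitmaps are assumptions.

```python
# Added example (not code from the Cisco guide): maps the LLDP system-capability
# bits from the "LLDP Capabilities Mapping to Smartport Type" table to Smartport
# types and applies the multi-device rules from the Error Handling section.
# Assumption: "LLDP Bit n" in the table is bit position n-1 of the 16-bit
# System Capabilities field carried in the LLDP TLV (bit 1 = 0x0001, bit 8 = 0x0080).

LLDP_BIT_TO_SMARTPORT = {
    1: "Ignore",                 # Other
    2: "Ignore",                 # Repeater (IETF RFC 2108)
    3: "Switch",                 # MAC Bridge (IEEE Std. 802.1D)
    4: "Wireless Access Point",  # WLAN Access Point (IEEE Std. 802.11 MIB)
    5: "Router",                 # Router (IETF RFC 1812)
    6: "ip_phone",               # Telephone (IETF RFC 4293)
    7: "Ignore",                 # DOCSIS cable device (IETF RFC 4639 / 4546)
    8: "Host",                   # Station Only (IETF RFC 4293)
}


def smartport_types_from_capabilities(capabilities: int) -> set:
    """Non-ignored Smartport types that one neighbor's LLDP System Capabilities
    bitmap maps to. Bits the table does not list (above 8) are ignored here."""
    types = set()
    for bit, sp_type in LLDP_BIT_TO_SMARTPORT.items():
        if capabilities & (1 << (bit - 1)) and sp_type != "Ignore":
            types.add(sp_type)
    return types


def resolve_interface_type(devices):
    """Apply the Error Handling rules to the types advertised by all devices
    seen on one interface. `devices` is a list of type-sets, one per neighbor.
    Returns the Smartport type to apply, or None for combinations the guide's
    rule list does not cover (assumption: nothing is applied in that case)."""
    advertised = set().union(*devices)
    if not advertised:
        return None                        # only ignored capabilities seen
    if len(advertised) == 1:
        return next(iter(advertised))      # no conflict: apply the matching type
    if "Switch" in advertised:
        return "Switch"
    if "Wireless Access Point" in advertised:
        return "Wireless Access Point"
    if {"ip_phone", "Host"} <= advertised:
        return "ip_phone_desktop"
    return None


def classify_interface(neighbor_capabilities):
    """List of per-neighbor capability bitmaps -> Smartport type for the port."""
    return resolve_interface_type(
        [smartport_types_from_capabilities(c) for c in neighbor_capabilities]
    )


if __name__ == "__main__":
    # Constructed sample: a phone (Telephone bit) with a PC (Station Only bit)
    # plugged into it on the same switch port -> ip_phone_desktop.
    print(classify_interface([1 << 5, 1 << 7]))
```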
Default Configuration
Smartport is always available. By default, Auto Smartport is enabled by Auto Voice VLAN, relies on both CDP and LLDP to detect the attaching device's Smartport type, and detects the Smartport types IP phone, IP phone + Desktop, Switch, and Wireless Access Point. See Voice VLAN for a description of the voice factory defaults.

Relationships with Other Features and Backwards Compatibility
Auto Smartport is enabled by default and may be disabled.

STEP 4 Click Apply.
STEP 5 To enable the Auto Smartport feature on one or more interfaces, open the Smartport > Interface Settings page.
STEP 6 Select the interface, and click Edit.
STEP 7 Select Auto Smartport in the Smartport Application field.
STEP 8 Check or uncheck Persistent Status if desired.
STEP 9 Click Apply.

3. Click View Macro Source to view the current Smartport macro that is associated with the selected Smartport Type.
4. Click Edit to open a new window in which you can bind user-defined macros to the selected Smartport type and/or modify the default values of the parameters in the macros bound to that Smartport type. These parameter default values are used when Auto Smartport applies the selected Smartport type (if applicable) to an interface.
5.

Configuring Smartport Using The Web-based Interface
The Smartport feature is configured in the Smartport > Properties, Smartport Type Settings and Interface Settings pages. For Voice VLAN configuration, see Voice VLAN. For LLDP/CDP configuration, see the Configuring LLDP and Configuring CDP sections, respectively.

Smartport Properties
To configure the Smartport feature globally:
STEP 1 Click Smartport > Properties.

STEP 3 Click Apply. This sets the global Smartport parameters on the device.

Smartport Type Settings
Use the Smartport Type Settings page to edit the Smartport Type settings and view the Macro Source. By default, each Smartport type is associated with a pair of built-in Smartport macros. See Smartport Types for further information on macro versus anti-macro.

• User Defined Macro—If desired, select the user-defined macro that is to be associated with the selected Smartport type. The macro must have already been paired with an anti-macro. Pairing of the two macros is done by name and is described in the Smartport Macro section.
• Macro Parameters—Displays the following fields for three parameters in the macro:
- Parameter Name—Name of the parameter in the macro.

corrections have been made prior to clicking Reapply. See the workflow area in the Common Smartport Tasks section for troubleshooting tips.
• Reapply a Smartport macro to an interface. In some circumstances, you may want to reapply a Smartport macro so that the configuration at an interface is up to date.

NOTE Resetting the interface of unknown type does not reset the configuration performed by the macro that failed. This cleanup must be done manually.
To assign a Smartport type to an interface or activate Auto Smartport on the interface:
STEP 1 Select an interface and click Edit.
STEP 2 Enter the fields.
• Interface—Select the port or LAG.
• Smartport Type—Displays the Smartport type currently assigned to the port/LAG.

Built-in Smartport Macros
The following describes the pair of built-in macros for each Smartport type. For each Smartport type there is a macro to configure the interface and an anti-macro to remove the configuration.
port security mode max-addresses
port security discard trap 60
#
smartport storm-control broadcast level 10
smartport storm-control include-multicast
smartport storm-control broadcast enable
#
spanning-tree portfast
#
@

no_desktop
[no_desktop]
#macro description No Desktop
#
no smartport switchport trunk native vlan
smartport switchport trunk allowed vlan remove all
#
no port security
no port security mode
no port security max
#
no smartport storm-control broadcast

#
smartport storm-control broadcast level 10
smartport storm-control include-multicast
smartport storm-control broadcast enable
#
spanning-tree portfast
#
@

no_printer
[no_printer]
#macro description No printer
#
no switchport access vlan
no switchport mode
#
no port security
no port security mode
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
no smartport storm-control include-multicast
#
spanning-tree portfast auto
#
@

gu

smartport storm-control broadcast enable
#
spanning-tree portfast
#
@

no_guest
[no_guest]
#macro description No guest
#
no switchport access vlan
no switchport mode
#
no port security
no port security mode
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
no smartport storm-control include-multicast
#
spanning-tree portfast auto
#
@

server
[server]
#macro description server
#macro keywords $native_vlan $max_hosts
#
#macro ke

spanning-tree portfast
#
@

no_server
[no_server]
#macro description No server
#
no smartport switchport trunk native vlan
smartport switchport trunk allowed vlan remove all
#
no port security
no port security mode
no port security max
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
#
spanning-tree portfast auto
#
@

host
[host]
#macro description host
#macro keywords $native_vlan $max_hosts
#
#macro key description: $native_v

#
@

no_host
[no_host]
#macro description No host
#
no smartport switchport trunk native vlan
smartport switchport trunk allowed vlan remove all
#
no port security
no port security mode
no port security max
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
no smartport storm-control include-multicast
#
spanning-tree portfast auto
#
@

ip_camera
[ip_camera]
#macro description ip_camera
#macro keywords $native_vlan
#
#macro key de
no_ip_camera
[no_ip_camera]
#macro description No ip_camera
#
no switchport access vlan
no switchport mode
#
no port security
no port security mode
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
no smartport storm-control include-multicast
#
spanning-tree portfast auto
#
@

ip_phone
[ip_phone]
#macro description ip_phone
#macro keywords $native_vlan $voice_vlan $max_hosts
#
#macro key description: $native_vlan: The untag VLAN

no_ip_phone
[no_ip_phone]
#macro description no ip_phone
#macro keywords $voice_vlan
#
#macro key description: $voice_vlan: The voice VLAN ID
#
#Default Values are
#$voice_vlan = 1
#
smartport switchport trunk allowed vlan remove $voice_vlan
no smartport switchport trunk native vlan
smartport switchport trunk allowed vlan remove all
#
no port security
no port security mode
no port security max
#
no smartport storm-control broadcast enable
no smartport storm-control b

smartport storm-control broadcast enable
#
spanning-tree portfast
#
@

no_ip_phone_desktop
[no_ip_phone_desktop]
#macro description no ip_phone_desktop
#macro keywords $voice_vlan
#
#macro key description: $voice_vlan: The voice VLAN ID
#
#Default Values are
#$voice_vlan = 1
#
smartport switchport trunk allowed vlan remove $voice_vlan
no smartport switchport trunk native vlan
smartport switchport trunk allowed vlan remove all
#
no port security
no port security mode

#
@

no_switch
[no_switch]
#macro description No switch
#macro keywords $voice_vlan
#
#macro key description: $voice_vlan: The voice VLAN ID
#
no smartport switchport trunk native vlan
smartport switchport trunk allowed vlan remove all
#
no spanning-tree link-type
#
@

router
[router]
#macro description router
#macro keywords $native_vlan $voice_vlan
#
#macro key description: $native_vlan: The untag VLAN which will be configured on the port
# $voice_vlan: The voice V

#macro keywords $voice_vlan
#
#macro key description: $voice_vlan: The voice VLAN ID
#
no smartport switchport trunk native vlan
smartport switchport trunk allowed vlan remove all
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
#
no spanning-tree link-type
#
@

ap
[ap]
#macro description ap
#macro keywords $native_vlan $voice_vlan
#
#macro key description: $native_vlan: The untag VLAN which will be configured on the port
11 Port Management: PoE
The Power over Ethernet (PoE) feature is only available on PoE-based devices. For a list of PoE-based devices, refer to the Device Models section. This section describes how to use the PoE feature.

PoE on the Device
Power over Ethernet can be used in any enterprise network that deploys relatively low-powered devices connected to the Ethernet LAN, such as:
• IP phones
• Wireless access points
• IP gateways
• Audio and video remote monitoring devices

PoE Operation
PoE operates in the following stages:
• Detection—Sends special pulses on the copper cable. When a PoE device is located at the other end, that device responds to these pulses.

You can decide the following:
• Maximum power a PSE is allowed to supply to a PD
• During device operation, whether to change the mode from Class Power Limit to Port Limit and vice versa. The power values per port that were configured for the Port Limit mode are retained.
NOTE Changing the mode from Class Limit to Port Limit and vice versa when the device is operational forces the Powered Device to reboot.

may not be able to properly supply power to its attaching PDs. To prevent false detection, you should disable PoE on the ports of the PoE switches that are used to connect to PSEs. You should also power up a PSE device before connecting it to a PoE device. When a device is falsely detected as a PD, you should disconnect the device from the PoE port and power cycle the device with AC power before reconnecting its PoE ports.

The following counters are displayed for each device:
• Nominal Power—The total amount of power the device can supply to all the connected PDs.
• Consumed Power—Amount of power currently being consumed by the PoE ports.
• Available Power—Nominal power minus the amount of consumed power.
STEP 3 Click Apply to save the PoE properties.

The administrator configures all ports to allocate up to 30 watts. This results in 48 ports times 30 watts, equaling 1440 watts, which is too much. The device cannot provide enough power to each port, so it provides power according to priority. The administrator sets the priority for each port, determining how much power it can be given. These priorities are entered in the PoE Settings page.

• Class—This field appears only if the Power Mode set in the PoE Properties page is Class Limit. The class determines the power level:

Class   Maximum Power Delivered by Device Port
0       15.4 watt
1       4.0 watt
2       7.0 watt
3       15.4 watt
4       30.0 watt

• Power Consumption—Displays the amount of power in milliwatts assigned to the powered device connected to the selected interface.
• Overload Counter—Displays the total number of power overload occurrences.
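As an added illustration (not code from the guide), the following Python models the priority-based allocation described above in milliwatts, the unit of the Power Consumption field, using the class maxima from the Class table and the guide's 48-port, 30 W scenario. The nominal budget, port list, numeric priorities and the rule that an unaffordable port is skipped rather than partially powered are assumptions.

```python
# Added example (not code from the Cisco guide): a milliwatt budget model of the
# priority-based PoE allocation described in the PoE Settings section. The class
# maxima come from the guide's Class table; the nominal budget, port list and
# numeric priorities (1 = served first) are constructed. Assumptions: in Class
# Limit mode a port is granted the maximum of its detected class, in Port Limit
# mode its configured limit, and a port whose demand exceeds the remaining
# budget is left unpowered rather than partially powered.

CLASS_LIMIT_MW = {0: 15400, 1: 4000, 2: 7000, 3: 15400, 4: 30000}
POWER_MODES = ("Class Limit", "Port Limit")


def port_demand_mw(port, power_mode):
    """Power a port asks for under the selected Power Mode."""
    if power_mode == "Class Limit":
        return CLASS_LIMIT_MW[port["pd_class"]]
    if power_mode == "Port Limit":
        return port["port_limit_mw"]
    raise ValueError(f"unknown power mode {power_mode!r}; expected one of {POWER_MODES}")


def total_demand_mw(ports, power_mode):
    """What the ports would draw if every one of them were powered."""
    return sum(port_demand_mw(p, power_mode) for p in ports)


def allocate_poe(nominal_mw, ports, power_mode="Class Limit"):
    """ports: list of dicts {name, index, priority, pd_class, port_limit_mw}.
    Serves ports in priority order (lower value first, then by port index) and
    returns (granted {name: mW}, consumed_mw, available_mw), mirroring the
    Nominal / Consumed / Available Power counters of the PoE Properties page."""
    granted, consumed = {}, 0
    for p in sorted(ports, key=lambda p: (p["priority"], p["index"])):
        demand = port_demand_mw(p, power_mode)
        if consumed + demand <= nominal_mw:
            granted[p["name"]] = demand
            consumed += demand
    return granted, consumed, nominal_mw - consumed


def guide_48_ports(high_priority_ports=12):
    """The guide's scenario: 48 ports, each allowed up to 30 W (1440 W in total).
    The first `high_priority_ports` ports get priority 1, the rest priority 2."""
    return [{"name": f"gi{i}", "index": i,
             "priority": 1 if i <= high_priority_ports else 2,
             "pd_class": 4, "port_limit_mw": 30000} for i in range(1, 49)]


def guide_48_port_scenario(nominal_mw, high_priority_ports=12):
    """Allocate a constructed nominal budget across the guide's 48 ports."""
    return allocate_poe(nominal_mw, guide_48_ports(high_priority_ports), "Port Limit")


if __name__ == "__main__":
    granted, consumed, available = guide_48_port_scenario(370_000)  # constructed budget
    print(f"powered {len(granted)} of 48 ports, {consumed} mW used, {available} mW free")
```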
12 VLAN Management
This section covers the following topics:
• VLANs
• Configuring Default VLAN Settings
• Creating VLANs
• Configuring VLAN Interface Settings
• Defining VLAN Membership
• GVRP Settings
• VLAN Groups
• Voice VLAN
• Access Port Multicast TV VLAN
• Customer Port Multicast TV VLAN

VLANs
A VLAN is a logical group of ports that enables devices associated with it to communicate with each other over the Ethernet MAC layer, regardless of the physical LAN segment of the bridged

VLAN Description
Each VLAN is configured with a unique VID (VLAN ID) with a value from 1 to 4094. A port on a device in a bridged network is a member of a VLAN if it can send data to and receive data from the VLAN. A port is an untagged member of a VLAN if all packets destined for that port into the VLAN have no VLAN tag. A port is a tagged member of a VLAN if all packets destined for that port into the VLAN have a VLAN tag.

VLAN Roles
VLANs function at Layer 2. All VLAN traffic (Unicast/Broadcast/Multicast) remains within its VLAN. Devices attached to different VLANs do not have direct connectivity to each other over the Ethernet MAC layer. Devices from different VLANs can communicate with each other only through Layer 3 routers. An IP router, for example, is required to route IP traffic between VLANs if each VLAN represents an IP subnet.

Customer traffic is encapsulated with an S-tag with TPID 0x8100, regardless of whether it was originally C-tagged or untagged. The S-tag allows this traffic to be treated as an aggregate within a provider bridge network, where the bridging is based on the S-tag VID (S-VID) only. The S-tag is preserved while traffic is forwarded through the network service provider's infrastructure, and is later removed by an egress device.

• It cannot be used for any special role, such as unauthenticated VLAN or Voice VLAN. This is only relevant for OUI-enabled voice VLAN.
• If a port is no longer a member of any VLAN, the device automatically configures the port as an untagged member of the default VLAN. A port is no longer a member of a VLAN if the VLAN is deleted or the port is removed from the VLAN.
• RADIUS servers cannot assign the default VLAN to 802.

Creating VLANs
You can create a VLAN, but this has no effect until the VLAN is attached to at least one port, either manually or dynamically. Ports must always belong to one or more VLANs. The 300 Series device supports up to 4K VLANs, including the default VLAN. Each VLAN must be configured with a unique VID (VLAN ID) with a value from 1 to 4094. The device reserves VID 4095 as the Discard VLAN.

Configuring VLAN Interface Settings
The Interface Settings page displays and enables configuration of VLAN-related parameters for all interfaces.
To configure the VLAN settings:
STEP 1 Click VLAN Management > Interface Settings.
STEP 2 Select an interface type (Port or LAG), and click Go. Ports or LAGs and their VLAN parameters are displayed.
STEP 3 To configure a Port or LAG, select it and click Edit.

- Admit Tagged Only—The interface accepts only tagged frames.
- Admit Untagged Only—The interface accepts only untagged and priority frames.
• Ingress Filtering—(Available only in General mode) Select to enable ingress filtering. When ingress filtering is enabled on an interface, the interface discards all incoming frames that are classified as VLANs of which the interface is not a member. Ingress filtering can be disabled or enabled on general ports.

Configuring Port to VLAN
Use the Port to VLAN page to display and configure the ports within a specific VLAN.
To map ports or LAGs to a VLAN:
STEP 1 Click VLAN Management > Port to VLAN.
STEP 2 Select a VLAN and the interface type (Port or LAG), and click Go to display or to change the port characteristic with respect to the VLAN.

Configuring VLAN Membership
The Port VLAN Membership page displays all ports on the device along with a list of VLANs to which each port belongs. If the port-based authentication method for an interface is 802.1x and the Administrative Port Control is Auto, then:
• Until the port is authenticated, it is excluded from all VLANs, except guest and unauthenticated ones. In the VLAN to Port page, the port is marked with an upper case P.

- Forbidden—The interface is not allowed to join the VLAN even from GVRP registration. When a port is not a member of any other VLAN, enabling this option on the port makes the port part of internal VLAN 4095 (a reserved VID).
- Excluded—The interface is currently not a member of the VLAN. This is the default for all the ports and LAGs. The port can join the VLAN through GVRP registration.
- Tagged—Select whether the port is tagged.

GVRP must be activated globally as well as on each port. When it is activated, it transmits and receives GARP Packet Data Units (GPDUs). VLANs that are defined but not active are not propagated. To propagate the VLAN, it must be up on at least one port. By default, GVRP is disabled globally and on ports.

Defining GVRP Settings
To define GVRP settings for an interface:
STEP 1 Click VLAN Management > GVRP Settings.
STEP 2 Select GVRP Global Status to enable GVRP globally.

If several classification schemes are defined, packets are assigned to a VLAN in the following order:
• TAG: If the packet is tagged, the VLAN is taken from the tag.
• MAC-Based VLAN: If a MAC-based VLAN has been defined, the VLAN is taken from the source MAC-to-VLAN mapping of the ingress interface.
• PVID: The VLAN is taken from the port default VLAN ID.

MAC-based Groups
MAC-based VLAN classification enables packets to be classified according to their source MAC address.
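As an added illustration (not code from the guide), the following Python models how an ingress frame is assigned to a VLAN in the order just listed (tag, then MAC-based VLAN, then PVID) and then checked against the Acceptable Frame Type and Ingress Filtering settings described under Configuring VLAN Interface Settings and Defining VLAN Membership. The Interface and Frame structures, the per-interface MAC-to-VLAN table and all sample values are constructed.

```python
# Added example (not code from the Cisco guide): ingress VLAN classification in
# the guide's order (TAG -> MAC-based VLAN -> PVID), followed by the Acceptable
# Frame Type check and Ingress Filtering from the Interface Settings page.
# The data structures and sample values are constructed for this example; the
# MAC-to-VLAN table stands in for the MAC-based group -> VLAN mapping that the
# guide configures per interface (General mode only).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Interface:
    name: str
    pvid: int                      # port default VLAN ID
    member_vlans: set              # VLANs the interface is a (tagged or untagged) member of
    admit: str = "Admit All"       # or "Admit Tagged Only" / "Admit Untagged Only"
    ingress_filtering: bool = True # General mode: may be disabled; drops non-member VLANs
    mac_vlan: dict = field(default_factory=dict)  # source MAC -> VLAN (MAC-based VLAN)


@dataclass
class Frame:
    src_mac: str
    tag_vid: Optional[int] = None  # None = untagged; 0 = priority-tagged (treated as untagged)


def classify_ingress(iface: Interface, frame: Frame):
    """Return (accepted, vid, reason) for a frame received on `iface`."""
    tagged = frame.tag_vid is not None and frame.tag_vid != 0
    # Acceptable Frame Type: priority-tagged frames count as untagged.
    if iface.admit == "Admit Tagged Only" and not tagged:
        return False, None, "untagged/priority frame dropped (Admit Tagged Only)"
    if iface.admit == "Admit Untagged Only" and tagged:
        return False, None, "tagged frame dropped (Admit Untagged Only)"
    # Classification order from the guide: TAG, then MAC-based VLAN, then PVID.
    if tagged:
        vid, how = frame.tag_vid, "tag"
    elif frame.src_mac.lower() in iface.mac_vlan:
        vid, how = iface.mac_vlan[frame.src_mac.lower()], "MAC-based VLAN"
    else:
        vid, how = iface.pvid, "PVID"
    if not 1 <= vid <= 4094:               # 4095 is the reserved Discard VLAN
        return False, None, f"invalid VID {vid}"
    # Ingress Filtering: discard frames classified to VLANs the interface is not in.
    if iface.ingress_filtering and vid not in iface.member_vlans:
        return False, vid, f"dropped by ingress filtering (VLAN {vid} from {how})"
    return True, vid, how


if __name__ == "__main__":
    gi1 = Interface("gi1", pvid=10, member_vlans={10, 20},
                    mac_vlan={"00:11:22:33:44:55": 20})   # constructed sample
    for f in (Frame("aa:bb:cc:dd:ee:ff"), Frame("00:11:22:33:44:55"),
              Frame("aa:bb:cc:dd:ee:ff", tag_vid=20), Frame("aa:bb:cc:dd:ee:ff", tag_vid=30)):
        print(f, "->", classify_ingress(gi1, f))
```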
NOTE This MAC address cannot be assigned to any other VLAN group.
• Prefix Mask—Enter one of the following:
- Host—Source host of the MAC address
- Length—Prefix of the MAC address
• Group ID—Enter a user-created VLAN group ID number.
STEP 4 Click Apply. The MAC address is assigned to a VLAN group.

Mapping VLAN Group to VLAN Per Interface
Ports/LAGs must be in General mode.

Voice VLAN
In a LAN, voice devices, such as IP phones, VoIP endpoints, and voice systems, are placed into the same VLAN. This VLAN is referred to as the voice VLAN. If the voice devices are in different voice VLANs, IP (Layer 3) routers are needed to provide communication.

From a VLAN perspective, the above models operate in both VLAN-aware and VLAN-unaware environments. In the VLAN-aware environment, the voice VLAN is one of the many VLANs configured in an installation. The VLAN-unaware scenario is equivalent to a VLAN-aware environment with only one VLAN. The device always operates as a VLAN-aware switch. The device supports a single voice VLAN. By default, the voice VLAN is VLAN 1.

Unlike Telephony OUI mode, which detects voice devices based on the telephony OUI, Auto Voice VLAN mode depends on Auto Smartport to dynamically add the ports to the voice VLAN. Auto Smartport, if enabled, adds a port to the voice VLAN if it detects a device attaching to the port that advertises itself as a phone or media endpoint through CDP and/or LLDP-MED.

Depending on the Auto Voice VLAN mode, Auto Smartport is enabled when Auto Voice VLAN becomes operational. If desired, you can make Auto Smartport independent of Auto Voice VLAN.
NOTE The default configuration listed here applies to switches whose firmware version supports Auto Voice VLAN out of the box. It also applies to unconfigured switches that have been upgraded to a firmware version that supports Auto Voice VLAN.

• When a new voice VLAN is configured/discovered, the device automatically creates it, and moves all the port memberships of the existing voice VLAN to the new voice VLAN. This may interrupt or terminate existing voice sessions, which is expected when the network topology is altered.
NOTE If the device is in Layer 2 system mode, it can synchronize only with VSDP-capable switches in the same management VLAN.

Voice VLAN Constraints
The following constraints exist:
• Only one Voice VLAN is supported.
• A VLAN that is defined as a Voice VLAN cannot be removed.
In addition, the following constraints apply to Telephony OUI:
• The Voice VLAN cannot be VLAN 1 (the default VLAN).
• The Voice VLAN cannot be Smartport enabled.
• The Voice VLAN cannot support DVA (Dynamic VLAN Assignment).
• The Voice VLAN cannot be the Guest VLAN if the voice VLAN mode is OUI.

STEP 4 Select the Auto Voice VLAN Activation method.
NOTE If the device is currently in Telephony OUI mode, you must disable it before you can configure Auto Voice VLAN.
STEP 5 Click Apply.
STEP 6 Configure Smartports as described in the Common Smartport Tasks section.
STEP 7 Configure LLDP/CDP as described in the Configuring LLDP and Configuring CDP sections, respectively.

Configuring Voice VLAN Properties
Use the Voice VLAN Properties page for the following:
• View how the voice VLAN is currently configured.
• Configure the VLAN ID of the Voice VLAN.
• Configure voice VLAN QoS settings.
• Configure the voice VLAN mode (Telephony OUI or Auto Voice VLAN).
• Configure how Auto Voice VLAN is triggered.
To view and configure Voice VLAN properties:
STEP 1 Click VLAN Management > Voice VLAN > Properties.

- Enable Telephony OUI—Enable Dynamic Voice VLAN in Telephony OUI mode.
• Disable—Disable Auto Voice VLAN or Telephony OUI.
• Auto Voice VLAN Activation—If Auto Voice VLAN was enabled, select one of the following options to activate Auto Voice VLAN:
- Immediate—Auto Voice VLAN on the device is to be activated and put into operation immediately if enabled.

• Source Type—Displays the type of source from which the voice VLAN is discovered by the root device.
• CoS/802.1p—Displays CoS/802.1p values to be used by LLDP-MED as a voice network policy.
• DSCP—Displays DSCP values to be used by LLDP-MED as a voice network policy.
• Root Switch MAC Address—The MAC address of the Auto Voice VLAN root device that discovers or is configured with the voice VLAN from which the voice VLAN is learned.

• Voice VLAN ID—The identifier of the current voice VLAN.
• CoS/802.1p—The advertised or configured CoS/802.1p values that are used by LLDP-MED as a voice network policy.
• DSCP—The advertised or configured DSCP values that are used by LLDP-MED as a voice network policy.
• Best Local Source—Displays whether this voice VLAN was used by the device.

To configure Telephony OUI and/or add a new Voice VLAN OUI:
STEP 1 Click VLAN Management > Voice VLAN > Telephony OUI. The Telephony OUI page contains the following fields:
• Telephony OUI Operational Status—Displays whether OUIs are used to identify voice traffic.
• CoS/802.1p—Select the CoS queue to be assigned to voice traffic.
• Remark CoS/802.1p—Select whether to remark egress traffic.

Adding Interfaces to Voice VLAN on Basis of OUIs
The QoS attributes can be assigned per port to the voice packets in one of the following modes:
• All—Quality of Service (QoS) values configured for the Voice VLAN are applied to all of the incoming frames that are received on the interface and are classified to the Voice VLAN.
12 VLAN Management Access Port Multicast TV VLAN Access Port Multicast TV VLAN Multicast TV VLANs enable Multicast transmissions to subscribers who are not on the same data VLAN (Layer 2-isolated), without replicating the Multicast transmission frames for each subscriber VLAN. Subscribers who are not on the same data VLAN (Layer 2-isolated) and are connected to the device with different VLAN ID membership can share the same Multicast stream by joining the ports to the same Multicast VLAN ID.
12 VLAN Management Access Port Multicast TV VLAN IGMP Snooping Multicast TV VLAN relies on IGMP snooping, which means that: • Subscribers use IGMP messages to join or leave a Multicast group. • Device performs IGMP snooping and configures the access port according to its Multicast membership on Multicast TV VLAN.
12 VLAN Management Access Port Multicast TV VLAN Regular VLAN Multicast TV VLAN Receiver ports VLAN can be used to both send and receive traffic (both Multicast and Unicast). Multicast VLAN can only be used to receive traffic by the stations on the port (only Multicast).
12 VLAN Management Customer Port Multicast TV VLAN Port Multicast VLAN Membership To define the Multicast TV VLAN configuration: STEP 1 Click VLAN Management > Access Port Multicast TV VLAN > Port Multicast VLAN Membership. STEP 2 Select a VLAN from the Multicast TV VLAN field. STEP 3 The Candidate Access Ports list contains all access ports configured on the device. Move the required ports from the Candidate Access Ports field to the Member Access Ports field. STEP 4 Click Apply.
12 VLAN Management Customer Port Multicast TV VLAN All packets from the subscriber to the service provider network are encapsulated by the access device with the subscriber’s VLAN configured as customer VLAN (Outer tag or S-VID), except for IGMP snooping messages from the TV receivers, which are associated with the Multicast TV VLAN. VOD information, which is also sent from the TV receivers, is sent like any other type of traffic.
12 VLAN Management Customer Port Multicast TV VLAN To map CPE VLANs: STEP 1 Click VLAN Management > Customer Port Multicast TV VLAN > CPE VLAN to VLAN. STEP 2 Click Add. STEP 3 Enter the following fields: • CPE VLAN—Enter the VLAN defined on the CPE box. • Multicast TV VLAN—Select the Multicast TV VLAN which is mapped to the CPE VLAN. STEP 4 Click Apply. CPE VLAN Mapping is modified, and written to the Running Configuration file.
13 Spanning Tree This section describes the Spanning Tree Protocol (STP) (IEEE802.1D and IEEE802.
13 Spanning Tree Configuring STP Status and Global Settings The device supports the following Spanning Tree Protocol versions: • Classic STP – Provides a single path between any two end stations, avoiding and eliminating loops. • Rapid STP (RSTP) – Detects network topologies to provide faster convergence of the spanning tree. This is most effective when the network topology is naturally tree-structured, and therefore faster convergence might be possible. RSTP is enabled by default.
13 Spanning Tree Configuring STP Status and Global Settings • BPDU Handling—Select how Bridge Protocol Data Unit (BPDU) packets are managed when STP is disabled on the port or the device. BPDUs are used to transmit spanning tree information. - Filtering—Filters BPDU packets when Spanning Tree is disabled on an interface. - Flooding—Floods BPDU packets when Spanning Tree is disabled on an interface. • Path Cost Default Values—Selects the method used to assign default path costs to the STP ports.
13 Spanning Tree Defining Spanning Tree Interface Settings • Topology Changes Counts—The total number of STP topology changes that have occurred. • Last Topology Change—The time interval that elapsed since the last topology change occurred. The time appears in a days/hours/minutes/ seconds format. STEP 3 Click Apply. The STP Global settings are written to the Running Configuration file.
13 Spanning Tree Defining Spanning Tree Interface Settings • Root Guard—Enables or disables Root Guard on the device. The Root Guard option provides a way to enforce the root bridge placement in the network. Root Guard ensures that the port on which this feature is enabled is the designated port. Normally, all root bridge ports are designated ports, unless two or more ports of the root bridge are connected.
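The following is an added example, not code from the guide or from the switch, that models what Root Guard decides when a BPDU arrives on a designated port. Bridge IDs are compared as (priority, MAC) with lower winning; this collapses the 802.1D-2004 priority/system-ID-extension encoding into one integer, which is a simplification. The port names, MAC addresses and the "root-inconsistent" state label are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    """Bridge identifier as carried in BPDUs: a 16-bit priority followed by the MAC."""
    priority: int   # multiples of 4096 in the web UI; lower value is preferred
    mac: str        # "00:11:22:33:44:55"

    def key(self):
        # Lower priority wins; ties are broken by the numerically lower MAC.
        return (self.priority, int(self.mac.replace(":", ""), 16))


def is_superior(candidate, current):
    """True if `candidate` would be elected root over `current`."""
    return candidate.key() < current.key()


@dataclass
class Port:
    name: str
    role: str                  # "root", "designated", "alternate", "backup"
    root_guard: bool = False   # the per-interface Root Guard setting


def receive_bpdu(port, our_root, advertised_root):
    """Decide what a designated port does with a BPDU that advertises `advertised_root`.

    Returns the port's resulting state. Without Root Guard, a BPDU that advertises a
    better root is accepted: the port becomes the new root port and the topology
    re-roots through whatever device sent it. With Root Guard the port is instead
    moved to a blocking state (labelled "root-inconsistent" here; the label is this
    example's, not the guide's) until superior BPDUs stop arriving.
    """
    if not is_superior(advertised_root, our_root):
        return "forwarding"          # nothing better claimed; port stays designated
    if port.root_guard:
        return "root-inconsistent"   # enforce root placement: block instead of re-rooting
    port.role = "root"               # unprotected port: accept the new root
    return "forwarding"


def demo():
    """Constructed scenario: a device on an access port claims priority 0."""
    our_root = BridgeId(32768, "00:11:22:33:44:55")
    rogue = BridgeId(0, "aa:bb:cc:dd:ee:ff")
    guarded = Port("gi5", "designated", root_guard=True)
    unguarded = Port("gi6", "designated", root_guard=False)
    return (receive_bpdu(guarded, our_root, rogue),
            receive_bpdu(unguarded, our_root, rogue),
            unguarded.role)


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that priority 0 beats any production root bridge, so any port facing equipment you do not control should carry Root Guard; the blocked state clears on its own once the superior BPDUs stop.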
13 Spanning Tree Configuring Rapid Spanning Tree Settings - Blocking—The port is currently blocked, and cannot forward traffic (with the exception of BPDU data) or learn MAC addresses. - Listening—The port is in Listening mode. The port cannot forward traffic, and cannot learn MAC addresses. - Learning—The port is in Learning mode. The port cannot forward traffic, but it can learn new MAC addresses. - Forwarding—The port is in Forwarding mode.
13 Spanning Tree Configuring Rapid Spanning Tree Settings To enter RSTP settings: STEP 1 Click Spanning Tree > STP Status and Global Settings. Enable RSTP. STEP 2 Click Spanning Tree > RSTP Interface Settings. The RSTP Interface Settings page appears: STEP 3 Select a port. NOTE Activate Protocol Migration is only available after selecting the port that is connected to the bridge partner being tested.
13 Spanning Tree Configuring Rapid Spanning Tree Settings - Designated—The interface through which the bridge is connected to the LAN, which provides the lowest cost path from the LAN to the Root Bridge. - Alternate—Provides an alternate path to the Root Bridge from the root interface. - Backup—Provides a backup path to the designated port path toward the Spanning Tree leaves. This provides a configuration in which two ports are connected in a loop by a point-to-point link.
13 Spanning Tree Multiple Spanning Tree Multiple Spanning Tree Multiple Spanning Tree Protocol (MSTP) is used to separate the STP port state between various domains (on different VLANs). For example, while port A is blocked in one STP instance due to a loop on VLAN A, the same port can be placed in the Forwarding State in another STP instance. The MSTP Properties page enables you to define the global MSTP settings. To configure MSTP: 1.
13 Spanning Tree Mapping VLANs to a MSTP Instance Switches intended to be in the same MST region are never separated by switches from another MST region. If they are separated, the region becomes two separate regions. This mapping can be done in the VLAN to MST Instance page. Use this page if the system operates in MSTP mode. To define MSTP: STEP 1 Click Spanning Tree > STP Status and Global Settings. Enable MSTP. STEP 2 Click Spanning Tree > MSTP Properties. STEP 3 Enter the parameters.
13 Spanning Tree Defining MSTP Instance Settings For those VLANs that are not explicitly mapped to one of the MST instances, the device automatically maps them to the CIST (Common and Internal Spanning Tree) instance. The CIST instance is MST instance 0. To map VLANs to MST Instances: STEP 1 Click Spanning Tree > VLAN to MSTP Instance. The VLAN to MSTP Instance page contains the following fields: • MST Instance ID—All MST instances are displayed.
13 Spanning Tree Defining MSTP Interface Settings • Included VLAN—Displays the VLANs mapped to the selected instance. The default mapping is that all VLANs are mapped to the Common and Internal Spanning Tree (CIST) instance 0. • Bridge Priority—Set the priority of this bridge for the selected MST instance. • Designated Root Bridge ID—Displays the priority and MAC address of the Root Bridge for the MST instance. • Root Port—Displays the root port of the selected instance.
13 Spanning Tree Defining MSTP Interface Settings STEP 5 Enter the parameters. • Instance ID—Select the MST instance to be configured. • Interface—Select the interface for which the MSTI settings are to be defined. • Interface Priority—Set the port priority for the specified interface and MST instance. • Path Cost—Set the port contribution to the root path cost or use the default value. • Port State—Displays the MSTP status of the specific port on a specific MST instance.
13 Spanning Tree Defining MSTP Interface Settings - Backup—The interface provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur when two ports are connected in a loop by a point-to-point link. Backup ports also occur when a LAN has two or more established connections to a shared segment. - Disabled—The interface does not participate in the Spanning Tree. - Boundary—The port on this instance is a boundary port.
14 Managing MAC Address Tables This section describes how to add MAC addresses to the system. It covers the following topics: • Configuring Static MAC Addresses • Managing Dynamic MAC Addresses • Defining Reserved MAC Addresses Types of MAC Addresses There are two types of MAC addresses—static and dynamic. Depending on their type, MAC addresses are either stored in the Static Address table or in the Dynamic Address table, along with VLAN and port information.
14 Managing MAC Address Tables Configuring Static MAC Addresses Configuring Static MAC Addresses Static MAC addresses are assigned to a specific physical interface and VLAN on the device. If that address is detected on another interface, it is ignored, and is not written to the address table. To define a static address: STEP 1 Click MAC Address Tables > Static Addresses. The Static Addresses page contains the currently defined static addresses. STEP 2 Click Add. STEP 3 Enter the parameters.
14 Managing MAC Address Tables Managing Dynamic MAC Addresses The Dynamic Address Table (bridging table) contains the MAC addresses acquired by monitoring the source addresses of frames entering the device. To prevent this table from overflowing and to make room for new MAC addresses, an address is deleted if no corresponding traffic is received for a certain period. This period of time is the aging interval.
14 Managing MAC Address Tables Defining Reserved MAC Addresses Defining Reserved MAC Addresses When the device receives a frame with a Destination MAC address that belongs to a reserved range (per the IEEE standard), the frame can be discarded or bridged. The entry in the Reserved MAC Address Table can either specify the reserved MAC address or the reserved MAC address and a frame type: To add an entry for a reserved MAC address: STEP 1 Click MAC Address Tables > Reserved MAC Addresses.
15 Multicast This section describes the Multicast Forwarding feature, and covers the following topics: • Multicast Forwarding • Defining Multicast Properties • Adding MAC Group Address • Adding IP Multicast Group Addresses • Configuring IGMP Snooping • MLD Snooping • Querying IGMP/MLD IP Multicast Group • Defining Multicast Router Ports • Defining Forward All Multicast • Defining Unregistered Multicast Settings Multicast Forwarding Multicast forwarding enables one-to-many information di
15 Multicast Multicast Forwarding For Multicast forwarding to work across IP subnets, nodes, and routers must be Multicast-capable. A Multicast-capable node must be able to: • Send and receive Multicast packets. • Register the Multicast addresses being listened to by the node with local routers, so that local and remote routers can route the Multicast packet to the nodes.
15 Multicast Multicast Forwarding The device can forward Multicast streams based on one of the following options: • Multicast MAC Group Address • IP Multicast Group Address (G) • A combination of the source IP address (S) and the destination IP Multicast Group Address (G) of the Multicast packet. One of these options can be configured per VLAN. The system maintains lists of Multicast groups for each VLAN, and this manages the Multicast information that each port should receive.
15 Multicast Defining Multicast Properties If the device is enabled as an IGMP Querier, it starts after 60 seconds have passed with no IGMP traffic (queries) detected from a Multicast router. In the presence of other IGMP Queriers, the device might (or might not) stop sending queries, based on the results of the standard querier selection process. Multicast Address Properties Multicast addresses have the following properties: • Each IPv4 Multicast address is in the address range 224.0.0.0 to 239.255.
15 Multicast Defining Multicast Properties A common way of representing Multicast membership is the (S,G) notation where S is the (single) source sending a Multicast stream of data, and G is the IPv4 or IPv6 group address. If a Multicast client can receive Multicast traffic from any source of a specific Multicast group, this is saved as (*,G). The following are ways of forwarding Multicast frames: • MAC Group Address—Based on the destination MAC address in the Ethernet frame.
15 Multicast Adding MAC Group Address STEP 3 Click Apply. The Running Configuration file is updated. Adding MAC Group Address The device supports forwarding incoming Multicast traffic based on the Multicast group information. This information is derived from the IGMP/MLD packets received or as the result of manual configuration, and it is stored in the Multicast Forwarding Database (MFDB).
15 Multicast Adding MAC Group Address Entries that were created both in this page and in the IP Multicast Group Address page are displayed. For those created in the IP Multicast Group Address page, the IP addresses are converted to MAC addresses. STEP 4 Click Add to add a static MAC Group Address. STEP 5 Enter the parameters. • VLAN ID—Defines the VLAN ID of the new Multicast group. • MAC Group Address—Defines the MAC address of the new Multicast group.
15 Multicast Adding IP Multicast Group Addresses Adding IP Multicast Group Addresses The IP Multicast Group Address page is similar to the MAC Group Address page except that Multicast groups are identified by IP addresses. The IP Multicast Group Address page enables querying and adding IP Multicast groups. To define and view IP Multicast groups: STEP 1 Click Multicast > IP Multicast Group Address. The page contains all of the IP Multicast group addresses learned by snooping.
15 Multicast Configuring IGMP Snooping • IP Source Address—Defines the source address to be included. STEP 6 Click Apply. The IP Multicast group is added, and the device is updated. STEP 7 To configure and display the registration of an IP group address, select an address and click Details. The VLAN ID, IP Version, IP Multicast Group Address, and Source IP Address selected are displayed as read-only in the top of the window.
15 Multicast Configuring IGMP Snooping When IGMP Snooping is enabled globally or on a VLAN, all IGMP packets are forwarded to the CPU. The CPU analyzes the incoming packets, and determines the following: • Which ports are asking to join which Multicast groups on what VLAN. • Which ports are connected to Multicast routers (Mrouters) that are generating IGMP queries. • Which ports are receiving PIM, DVMRP, or IGMP query protocols. These are displayed on the IGMP Snooping page.
15 Multicast Configuring IGMP Snooping There can be only one IGMP Querier in a network. The device supports standards-based IGMP Querier election. Some of the values of the operational parameters of this table are sent by the elected querier. The other values are derived from the device. STEP 4 Enter the parameters. • VLAN ID—Select the VLAN ID on which IGMP snooping is defined. • IGMP Snooping Status—Enable or disable the monitoring of network traffic for the selected VLAN.
15 Multicast MLD Snooping • Operational Last Member Query Interval—Displays the Last Member Query Interval sent by the elected querier. • Immediate Leave—Enable Immediate Leave to decrease the time it takes to block a Multicast stream sent to a member port when an IGMP Group Leave message is received on that port. • IGMP Querier Status—Enable or disable the IGMP Querier. • Administrative Querier Source IP Address—Select the source IP address of the IGMP Querier.
15 Multicast MLD Snooping In an approach similar to IGMP snooping, MLD frames are snooped as they are forwarded by the device from stations to an upstream Multicast router and vice versa.
15 Multicast Querying IGMP/MLD IP Multicast Group • Operational Query Robustness—Displays the robustness variable sent by the elected querier. • Query Interval—Enter the Query Interval value to be used by the device if the device cannot derive the value from the messages sent by the elected querier. • Operational Query Interval—The time interval in seconds between General Queries received from the elected querier.
15 Multicast Defining Multicast Router Ports There might be a difference between information on this page and, for example, information displayed in the MAC Group Address page. Assume that the system is in MAC-based group mode and a port requested to join the Multicast groups 224.1.1.1 and 225.1.1.1; both map to the same MAC Multicast address 01:00:5e:01:01:01. In this case, there is a single entry in the MAC Multicast page, but two entries on this page.
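The mapping behind that example, as an added illustration that is not part of the guide: the RFC 1112 IPv4 rule copies only the low 23 bits of the group address into the 01:00:5e MAC prefix, so 32 groups alias to one MAC, and the RFC 2464 IPv6 rule copies the low 32 bits into 33:33. The `mfdb_entries` helper and the "mac"/"ip" mode names are this example's own way of showing why the two pages can disagree; the guide does not define them.

```python
import ipaddress


def ipv4_multicast_to_mac(group):
    """RFC 1112 mapping: 01:00:5e + the low 23 bits of the group address.

    The top 5 bits of the 28-bit group ID are dropped, so 32 distinct groups
    share one destination MAC.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not in 224.0.0.0/4" % group)
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def ipv6_multicast_to_mac(group):
    """RFC 2464 mapping: 33:33 + the low 32 bits of the group address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not in ff00::/8" % group)
    low32 = int(addr) & 0xFFFFFFFF
    return "33:33:" + ":".join("%02x" % b for b in low32.to_bytes(4, "big"))


def ipv4_groups_sharing_mac(group):
    """All 32 IPv4 groups that alias to the same MAC as `group`."""
    base = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    # 0xE0000000 is 224.0.0.0; bits 23..27 are the ones the MAC mapping discards.
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | base)) for i in range(32)]


def mfdb_entries(joined_groups, mode):
    """Forwarding-database keys created by a set of joins, for the two modes the
    guide contrasts: "mac" collapses aliased groups into one entry, "ip" keeps
    one entry per group. (Helper and mode names are this example's.)"""
    if mode == "mac":
        return sorted({ipv4_multicast_to_mac(g) for g in joined_groups})
    if mode == "ip":
        return sorted(set(joined_groups))
    raise ValueError("mode must be 'mac' or 'ip'")


if __name__ == "__main__":
    print(ipv4_multicast_to_mac("224.1.1.1"), ipv4_multicast_to_mac("225.1.1.1"))
    print(ipv4_groups_sharing_mac("224.1.1.1"))
```

The practical consequence for MAC-based forwarding: a host that joins 225.1.1.1 is also delivered the 224.1.1.1 stream (and the other 30 aliases), because the switch cannot tell them apart at Layer 2. If two streams must stay separated on the same VLAN, use IP-based group forwarding or choose group addresses that do not collide in the low 23 bits.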
15 Multicast Defining Forward All Multicast To statically configure or see dynamically-detected ports connected to the Multicast router: STEP 1 Click Multicast > Multicast Router Port. STEP 2 Enter some or all of following query filter criteria: • VLAN ID equals to—Select the VLAN ID for the router ports that are described. • IP Version equals to—Select the IP version that the Multicast router supports. • Interface Type equals to—Select whether to display ports or LAGs. STEP 3 Click Go.
15 Multicast Defining Unregistered Multicast Settings IGMP or MLD messages are not forwarded to ports defined as Forward All. NOTE The configuration affects only the ports that are members of the selected VLAN. To define Forward All Multicast: STEP 1 Click Multicast > Forward All. STEP 2 Define the following: • VLAN ID equals to—The VLAN ID for which the ports/LAGs are to be displayed. • Interface Type equals to—Define whether to display ports or LAGs. STEP 3 Click Go.
15 Multicast Defining Unregistered Multicast Settings You can select a port to receive or filter unregistered Multicast streams. The configuration is valid for any VLAN of which it is a member (or will be a member). This feature ensures that the customer receives only the Multicast groups requested and not others that may be transmitted in the network. To define unregistered Multicast settings: STEP 1 Click Multicast > Unregistered Multicast.
16 IP Configuration IP interface addresses can be configured manually by the user, or automatically configured by a DHCP server. This section provides information for defining the device IP addresses, either manually or by making the device a DHCP client.
16 IP Configuration Overview Layer 2 IP Addressing In Layer 2 system mode, the device has up to one IPv4 address and up to two IPv6 interfaces (either “native” interface or Tunnel) in the management VLAN. This IP address and the default gateway can be configured manually, or by DHCP. The static IP address and default gateway for Layer 2 system mode are configured on the IPv4 Interface and IPv6 Interfaces pages.
16 IP Configuration IPv4 Management and Interfaces • The system status LED changes to solid green when a new unique IP address is received from the DHCP server. If a static IP address has been set, the system status LED also changes to solid green. The LED flashes when the device is acquiring an IP address and is currently using the factory default IP address 192.168.1.254. • The same rules apply when a client must renew the lease, prior to its expiration date through a DHCPREQUEST message.
16 IP Configuration IPv4 Management and Interfaces Defining an IPv4 Interface in Layer 2 System Mode To manage the device by using the web-based configuration utility, the IPv4 device management IP address must be defined and known. The device IP address can be manually configured or automatically taken from a DHCP server. To configure the IPv4 device IP address: STEP 1 Click Administration > Management Interface > IPv4 Interface.
16 IP Configuration IPv4 Management and Interfaces If a dynamic IP address is retrieved from the DHCP server, select those of the following fields that are enabled: • Renew IP Address Now—The device dynamic IP address can be renewed any time after it is assigned by a DHCP server. Note that depending on your DHCP server configuration, the device might receive a new IP address after the renewal that requires setting the web-based configuration utility to the new IP address.
16 IP Configuration IPv4 Management and Interfaces • IP Address—Configured IP address for the interface. • Mask—Configured IP address mask. • Status—Results of the IP address duplication check. - Tentative—There is no final result for the IP address duplication check. - Valid—The IP address collision check was completed, and no IP address collision was detected. - Valid-Duplicated—The IP address duplication check was completed, and a duplicate IP address was detected.
16 IP Configuration IPv4 Management and Interfaces IPv4 Routes When the device is in Layer 3 system mode, this page enables configuring and viewing IPv4 static routes on the device. When routing traffic, the next hop is decided on according to the longest prefix match (LPM algorithm). A destination IPv4 address may match multiple routes in the IPv4 Static Route Table. The device uses the matched route with the highest subnet mask, that is, the longest prefix match.
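An added example of the longest-prefix-match selection described above, written for this page and not taken from the device. The route table, next hops and destinations are constructed; the last assertion in the usage shows why a static route table needs the same change control as a firewall rule set: a more specific entry silently wins over everything broader.

```python
import ipaddress


def build_route_table(routes):
    """routes: iterable of (destination_prefix, next_hop) strings, the two
    values entered per row in the IPv4 Static Routes page. Host routes are
    written as "a.b.c.d/32"."""
    return [(ipaddress.IPv4Network(prefix), ipaddress.IPv4Address(next_hop))
            for prefix, next_hop in routes]


def longest_prefix_match(table, destination):
    """Return the matching (network, next_hop) with the longest mask, or None.

    A destination can match several entries at once (a default route, a /16
    and a /24 all contain 10.1.2.5); the most specific one decides the next hop.
    """
    dst = ipaddress.IPv4Address(destination)
    best = None
    for network, next_hop in table:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop)
    return best


def next_hop_for(table, destination):
    """Convenience wrapper returning the next hop as a string, or None if unroutable."""
    match = longest_prefix_match(table, destination)
    return None if match is None else str(match[1])


if __name__ == "__main__":
    table = build_route_table([
        ("0.0.0.0/0", "10.0.0.1"),      # default route
        ("10.1.0.0/16", "10.0.0.2"),
        ("10.1.2.0/24", "10.0.0.3"),
    ])
    for dst in ("10.1.2.5", "10.1.9.9", "8.8.8.8"):
        print(dst, "->", next_hop_for(table, dst))
```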
16 IP Configuration IPv4 Management and Interfaces ARP The device maintains an ARP (Address Resolution Protocol) table for all known devices that reside in the IP subnets directly connected to it. A directly-connected IP subnet is the subnet to which an IPv4 interface of the device is connected. When the device is required to send/route a packet to a local device, it searches the ARP table to obtain the MAC address of the device. The ARP table contains both static and dynamic addresses.
16 IP Configuration IPv4 Management and Interfaces • Status—Whether the entry was manually entered or dynamically learned. STEP 4 Click Add. STEP 5 Enter the parameters: • IP Version—The IP address format supported by the host. Only IPv4 is supported. • VLAN—In Layer 2, displays the management VLAN ID. For devices in Layer 2 mode, there is only one directly-connected IP subnet, which is always in the management VLAN.
16 IP Configuration IPv4 Management and Interfaces STEP 3 Click Apply. The ARP proxy is enabled, and the Running Configuration file is updated. UDP Relay/IP Helper The UDP Relay/IP Helper feature is only available when the device is in Layer 3 system mode. Switches do not typically route IP Broadcast packets between IP subnets. This feature, however, enables the device to relay specific UDP Broadcast packets, received from its IPv4 interfaces, to specific destination IP addresses.
16 IP Configuration IPv4 Management and Interfaces A trusted port is a port that is connected to a DHCP server and is allowed to assign DHCP addresses. DHCP messages received on trusted ports are allowed to pass through the device. An untrusted port is a port that is not allowed to assign DHCP addresses. By default, all ports are considered untrusted until you declare them trusted (in the DHCP Snooping Interface Settings page). DHCPv4 Relay DHCP Relay relays DHCP packets to the DHCP server.
16 IP Configuration IPv4 Management and Interfaces The following Option 82 options are available on the device: • DHCP Insertion - Add Option 82 information to packets that do not have foreign Option 82 information. • DHCP Passthrough - Forward or reject DHCP packets that contain Option 82 information from untrusted ports. On trusted ports, DHCP packets containing Option 82 information are always forwarded.
16 IP Configuration IPv4 Management and Interfaces Option 82 Insertion Disabled Option 82 Insertion Enabled DHCP Relay DHCP Relay VLAN with IP Address VLAN without IP Address Packet is sent without Option 82 Packet is sent with the original Option 82 Relay – inserts Option 82 Relay – discards the packet Bridge – no Option 82 is inserted Bridge – Packet is sent with the original Option 82 Packet is sent with the original Option 82 Relay – is sent with Option 82 Relay – discards the packet Br
16 IP Configuration IPv4 Management and Interfaces Option 82 Insertion Enabled DHCP Relay DHCP Relay VLAN with IP Address VLAN without IP Address Relay – is sent with Option 82 Bridge – Option 82 is added Packet is sent with the original Option 82 (if port is trusted, behaves as if DHCP Snooping is not enabled) Relay – is sent with Option 82 Bridge – Option 82 is inserted (if port is trusted, behaves as if DHCP Snooping is not enabled) Relay – discards the packet Bridge – Packet is sent with the
16 IP Configuration IPv4 Management and Interfaces Option 82 insertion disabled DHCP Relay DHCP Relay VLAN with IP Address VLAN without IP Address Packet is sent without Option 82 Relay – discards Option 82 Packet is sent with the original Option 82 Bridge – Packet is sent without Option 82 Relay – 1. If reply originates in device, packet is sent without Option 82 2.
16 IP Configuration IPv4 Management and Interfaces The following describes how DHCP reply packets are handled when both DHCP Snooping and DHCP Relay are enabled Option 82 Insertion Disabled DHCP Relay DHCP Relay VLAN with IP Address VLAN without IP Address Packet arrives without Option 82 Packet arrives with Option 82 Packet arrives without Option 82 Packet arrives with Option 82 Packet is sent without Option 82 Packet is sent with the original Option 82 Relay discards Option 82 Relay Bridge
16 IP Configuration IPv4 Management and Interfaces The DHCP Snooping Binding database is also used by IP Source Guard and Dynamic ARP Inspection features to determine legitimate packet sources. DHCP Trusted Ports Ports can be either DHCP trusted or untrusted. By default, all ports are untrusted. To configure a port as trusted, use the DHCP Snooping Interface Settings page. Packets from these ports are automatically forwarded.
16 IP Configuration IPv4 Management and Interfaces STEP 6 Device forwards DHCPOFFER, DHCPACK, or DHCPNAK. The following summarizes how DHCP packets are handled from both trusted and untrusted ports. The DHCP Snooping Binding database is stored in non-volatile memory.

DHCP Snooping Packet Handling

Packet Type      Arriving from Untrusted Ingress Interface    Arriving from Trusted Ingress Interface
DHCPDISCOVER     Forward to trusted interfaces only.          Forward to trusted interfaces only.
DHCPOFFER        Filter.
16 IP Configuration IPv4 Management and Interfaces
Packet Type      Arriving from Untrusted Ingress Interface    Arriving from Trusted Ingress Interface
DHCPRELEASE      Same as DHCPDECLINE.                         Same as DHCPDECLINE.
DHCPINFORM       Forward to trusted interfaces only.          Forward to trusted interfaces only.
DHCPLEASEQUERY   Filtered.                                    Forward.
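An added model of the trusted/untrusted decision and of the binding database that IP Source Guard and Dynamic ARP Inspection consult. This is example code written for this page, not the switch's implementation. Rows the guide shows (DISCOVER, OFFER from an untrusted port, INFORM, RELEASE, LEASEQUERY) are implemented as listed; the handling of DHCPREQUEST, of server messages on trusted ports, and the rule that a RELEASE/DECLINE from an untrusted port must agree with the binding already learned for that client are assumptions, marked as such in the comments. Port names, MAC addresses and addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class DhcpPacket:
    msg_type: str     # "DHCPDISCOVER", "DHCPOFFER", ...
    client_mac: str   # chaddr
    vlan: int
    ingress: str      # port the frame arrived on
    ip: str = ""      # yiaddr in an ACK, ciaddr in a RELEASE/DECLINE


CLIENT_MSGS = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPINFORM"}   # REQUEST is assumed to behave like DISCOVER
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


class DhcpSnooping:
    """Per-packet forwarding decision plus the DHCP Snooping Binding database."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # (mac, vlan) -> access port that sent DISCOVER/REQUEST
        self.bindings = {}   # (mac, vlan) -> (ip, access port); read by IPSG and DAI

    def handle(self, pkt):
        """Return (action, scope): action is "forward" or "filter"; scope says where."""
        trusted = pkt.ingress in self.trusted
        t = pkt.msg_type

        if t in CLIENT_MSGS:
            # Client messages are sent to trusted (server-facing) interfaces only,
            # whichever kind of port they arrived on.
            if not trusted and t != "DHCPINFORM":
                self.pending[(pkt.client_mac, pkt.vlan)] = pkt.ingress
            return ("forward", "trusted-only")

        if t in SERVER_MSGS:
            if not trusted:
                return ("filter", "server message on untrusted port")   # rogue server
            # Assumption: server messages from a trusted port are forwarded (STEP 6 above).
            if t == "DHCPACK":
                port = self.pending.pop((pkt.client_mac, pkt.vlan), None)
                if port is not None:
                    # setdefault: an existing binding is kept, matching the guide's note
                    # that the database is not updated when a station moves ports.
                    self.bindings.setdefault((pkt.client_mac, pkt.vlan), (pkt.ip, port))
            return ("forward", "all")

        if t in ("DHCPDECLINE", "DHCPRELEASE"):
            # Assumption: honour a RELEASE/DECLINE from an untrusted port only if it
            # matches the binding (same IP, same port); otherwise one host could
            # release a neighbour's lease.
            bound = self.bindings.get((pkt.client_mac, pkt.vlan))
            if not trusted and bound is not None and bound != (pkt.ip, pkt.ingress):
                return ("filter", "does not match binding")
            self.bindings.pop((pkt.client_mac, pkt.vlan), None)
            return ("forward", "trusted-only")

        if t == "DHCPLEASEQUERY":
            return ("forward", "all") if trusted else ("filter", "lease query on untrusted port")

        return ("filter", "unknown message type")

    def source_is_legitimate(self, mac, ip, vlan, port):
        """The lookup IP Source Guard / Dynamic ARP Inspection make against the bindings."""
        return self.bindings.get((mac, vlan)) == (ip, port)


if __name__ == "__main__":
    s = DhcpSnooping(trusted_ports=["gi1"])          # gi1 faces the real DHCP server
    client = "00:aa:bb:cc:dd:01"
    print(s.handle(DhcpPacket("DHCPDISCOVER", client, 10, "gi5")))
    print(s.handle(DhcpPacket("DHCPOFFER", client, 10, "gi7", "10.0.0.66")))   # rogue
    print(s.handle(DhcpPacket("DHCPACK", client, 10, "gi1", "10.0.0.50")))
    print(s.bindings, s.source_is_legitimate(client, "10.0.0.50", 10, "gi5"))
```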
16 IP Configuration IPv4 Management and Interfaces STEP 1 Enable DHCP Snooping and/or DHCP Relay in the IP Configuration > DHCP > Properties page or in the Security > DHCP Snooping > Properties page. STEP 2 Define the interfaces on which DHCP Snooping is enabled in the IP Configuration > DHCP > Interface Settings page. STEP 3 Configure interfaces as trusted or untrusted in the IP Configuration > DHCP > DHCP Snooping Interface page. STEP 4 Optional.
16 IP Configuration IPv4 Management and Interfaces STEP 2 Click Apply. The settings are written to the Running Configuration file. STEP 3 To define a DHCP server, click Add. STEP 4 Enter the IP address of the DHCP server and click Apply. The settings are written to the Running Configuration file. Interface Settings In Layer 2, DHCP Relay and Snooping can only be enabled on VLANs with IP addresses.
16 IP Configuration IPv4 Management and Interfaces DHCP Snooping Binding Database See How the DHCP Snooping Binding Database is Built for a description of how dynamic entries are added to the DHCP Snooping Binding database. Note the following points about maintenance of the DHCP Snooping Binding database: • The device does not update the DHCP Snooping Binding database when a station moves to another interface. • If a port is down, the entries for that port are not deleted.
16 IP Configuration DHCP Server STEP 4 Click Apply. The settings are defined, and the device is updated. DHCP Server The DHCPv4 Server feature enables you to configure the device as a DHCPv4 server. A DHCPv4 server is used to assign an IPv4 address and other information to another device (DHCP client). The DHCPv4 server allocates IPv4 addresses from a user-defined pool of IPv4 addresses.
16 IP Configuration DHCP Server
51    Extension    IP Address Lease Time
44    NetBIOS      NetBIOS over TCP/IP Name Server Option    netbios-name-server
46    NetBIOS      NetBIOS over TCP/IP Node Type Option      netbios-node-type
The following options can be set with the generic DHCP option CLI command: • Integer type: 2, 13, 22, 26, 24, 25, 35, 38 • ASCII type: 14, 17, 18, 40, 43, 47, 64 • IP Address type: 16, 28, 32 • IP List type: 5, 7-11, 21, 33, 41, 42, 45, 48, 49, 65, 69-76 The following table defines DHCP op
16 IP Configuration DHCP Server
Option #   Option Name                  Description
55         Parameter Request List       Created by the DHCP client.
56         Message                      Contains error text.
58         Renewal (T1) Time Value      Hard-coded.
59         Rebinding (T2) Time Value    Hard-coded.
61         Client-identifier            Created by the DHCP client using sysName.
Dependencies Between Features • A single interface cannot be configured as both a DHCPv4 client and DHCPv4 server at the same time.
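An added example serving two passages: the four generic option value types listed under the DHCP Server (integer, ASCII, IP address, IP list) and the Option 82 insertion/passthrough rules described under DHCP Relay. It is example code written for this page, not the switch's code. The byte width of an integer option is fixed per option by RFC 2132, so the caller supplies it; the circuit-id and remote-id values, the policy function's parameter names and the decision to insert Option 82 whenever insertion is enabled and no foreign Option 82 is present are this example's assumptions.

```python
import ipaddress

OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def encode_option(code, kind, value, width=4):
    """Encode one option as code | length | body (RFC 2132 TLV).

    `kind` is one of the four value types the guide lists. `width` is the byte
    size of an integer option (4 for option 51, 2 for option 26, ...); RFC 2132
    fixes it per option, so the caller supplies it.
    """
    if kind == "int":
        v = int(value)
        body = v.to_bytes(width, "big", signed=v < 0)
    elif kind == "ascii":
        body = value.encode("ascii")
    elif kind == "ip":
        body = ipaddress.IPv4Address(value).packed
    elif kind == "iplist":
        body = b"".join(ipaddress.IPv4Address(v).packed for v in value)
    else:
        raise ValueError("unknown option kind %r" % kind)
    if not 0 < len(body) <= 255:
        raise ValueError("option body must be 1..255 bytes")
    return bytes((code, len(body))) + body


def option82_body(circuit_id, remote_id):
    """Relay Agent Information sub-options: two TLVs (circuit-id, remote-id)."""
    return (bytes((SUBOPT_CIRCUIT_ID, len(circuit_id))) + circuit_id
            + bytes((SUBOPT_REMOTE_ID, len(remote_id))) + remote_id)


def encode_option82(circuit_id, remote_id):
    sub = option82_body(circuit_id, remote_id)
    return bytes((OPT_RELAY_AGENT_INFO, len(sub))) + sub


def parse_options(blob):
    """Parse a TLV option field into [(code, body)], stopping at END.

    Every length byte is checked against what is actually present, so a
    truncated or malformed option raises instead of reading past the buffer.
    """
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return out
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        body = blob[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("option %d claims %d bytes, %d present" % (code, length, len(body)))
        out.append((code, bytes(body)))
        i += 2 + length
    return out


def serialize_options(options):
    return b"".join(bytes((c, len(b))) + b for c, b in options) + bytes((OPT_END,))


def relay_agent_policy(blob, port_trusted, insertion_enabled, passthrough_allowed,
                       circuit_id, remote_id):
    """Apply the guide's Option 82 rules to a client packet's option field.

    Returns (action, option_field). Trusted port: always forwarded as received.
    Untrusted port carrying foreign Option 82: forwarded only if passthrough is on.
    No Option 82 present: ours is added when insertion is enabled (assumption).
    """
    options = parse_options(blob)
    if any(code == OPT_RELAY_AGENT_INFO for code, _ in options):
        if port_trusted or passthrough_allowed:
            return ("forward", blob)
        return ("reject", blob)
    if insertion_enabled:
        options.append((OPT_RELAY_AGENT_INFO, option82_body(circuit_id, remote_id)))
        return ("forward", serialize_options(options))
    return ("forward", blob)


if __name__ == "__main__":
    ntp = encode_option(42, "iplist", ["10.0.0.1", "10.0.0.2"])   # constructed values
    print(ntp.hex(), parse_options(ntp + bytes((OPT_END,))))
    print(relay_agent_policy(ntp + b"\xff", False, True, False, b"gi5", bytes.fromhex("001122334455")))
```

The parser's length check is the part worth keeping: Option 82 arrives from untrusted ports too, and a relay that trusts the claimed length of a sub-option is reading attacker-controlled bytes.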
16 IP Configuration DHCP Server STEP 5 View the allocated IP addresses using the Address Binding page. IP addresses can be deleted in this page. DHCPv4 Server To configure the device as a DHCPv4 server: STEP 1 Click IP Configuration > IPv4 Management and Interfaces > DHCP Server > Properties to display the Properties page. STEP 2 Select Enable to configure the device as a DHCP server. STEP 3 Click Apply. The device immediately begins functioning as a DHCP server.
16 IP Configuration DHCP Server • Pool Name—Enter the pool name. • Subnet IP Address—Enter the subnet in which the network pool resides. • Mask—Enter one of following: - Network Mask—Check and enter the pool’s network mask. - Prefix Length—Check and enter the number of bits that comprise the address prefix. • Address Pool Start—Enter the first IP address in the range of the network pool. • Address Pool End—Enter the last IP address in the range of the network pool.
16 IP Configuration DHCP Server - Mixed—A combination of b-node and p-node communications is used to register and resolve NetBIOS names. M-node first uses b-node; then, if necessary, p-node. M-node is typically not the best choice for larger networks because its preference for b-node Broadcasts increases network traffic. - Peer-to-Peer—Point-to-point communications with a NetBIOS name server are used to register and resolve computer names to IP addresses.
16 IP Configuration DHCP Server To manually allocate a permanent IP address to a specific client: STEP 1 Click IP Configuration > IPv4 Management and Interfaces > DHCP Server > Static Hosts to display the Static Hosts page. The static hosts are displayed. STEP 2 To add a static host, click Add, and enter the fields: • IP Address—Enter the IP address that was statically assigned to the host. • Pool Name—Enter the host name, which can be a string of symbols and an integer.
16 IP Configuration DHCP Server - Hybrid—A hybrid combination of b-node and p-node is used. When configured to use h-node, a computer always tries p-node first and uses b-node only if p-node fails. This is the default. - Mixed—A combination of b-node and p-node communications is used to register and resolve NetBIOS names. M-node first uses b-node; then, if necessary, p-node.
16 IP Configuration IPv6 Management and Interfaces • Lease Expiration—The lease expiration date and time of the host’s IP address, or Infinite if that was the lease duration defined. • Type—The manner in which the IP address was assigned to the client. The possible options are: - Static—The hardware address of the host was mapped to an IP address. - Dynamic—The IP address, obtained dynamically from the device, is owned by the client for a specified period of time.
16 IP Configuration IPv6 Management and Interfaces IPv6 Global Configuration To define IPv6 global parameters and DHCPv6 client settings: STEP 1 In Layer 2 system mode, click Administration > Management Interface > IPv6 Global Configuration. In Layer 3 system mode, click IP Configuration > IPv6 Management and Interfaces > IPv6 Global Configuration. STEP 2 Enter values for the following fields: • ICMPv6 Rate Limit Interval—Enter how often the ICMP error messages are generated.
16 IP Configuration IPv6 Management and Interfaces To define an IPv6 interface: STEP 1 In Layer 2 system mode, click Administration > Management Interface > IPv6 Interfaces. In Layer 3 system mode, click IP Configuration > IPv6 Management and Interfaces > IPv6 Interfaces. STEP 2 Click Add to add a new interface on which interface IPv6 is enabled. STEP 3 Enter the fields: • IPv6 Interface—Select a specific port, LAG, VLAN, or ISATAP tunnel for the IPv6 address.
16 IP Configuration IPv6 Management and Interfaces • Send ICMPv6 Messages—Enable generating unreachable destination messages. STEP 6 Click Apply to enable IPv6 processing on the selected interface.
16 IP Configuration IPv6 Management and Interfaces • Received Information Refresh Time—Refresh time received from DHCPv6 server. • Remaining Information Refresh Time—Remaining time until next refresh. • DNS Servers—List of DNS servers received from the DHCPv6 server. • DNS Domain Search List—List of domains received from the DHCPv6 server. • SNTP Servers—List of SNTP servers received from the DHCPv6 server. • POSIX Timezone String—Timezone received from the DHCPv6 server.
16 IP Configuration IPv6 Management and Interfaces Configuring Tunnels NOTE To configure a tunnel, first configure an IPv6 interface as a tunnel in the IPv6 Interfaces page. To configure an IPv6 tunnel: STEP 1 In Layer 2 system mode, click Administration > Management Interface > IPv6 Tunnel. In Layer 3 system mode, click IP Configuration > IPv6 Management and Interfaces > IPv6 Tunnel. STEP 2 Enter values for the following fields: • Tunnel Number—Displays the automatic tunnel router domain number.
16 IP Configuration IPv6 Management and Interfaces • ISATAP Robustness—Used to calculate the interval for the DNS or router solicitation queries. The larger the number, the more frequent the queries. NOTE The ISATAP tunnel is not operational if the underlying IPv4 interface is not in operation. STEP 3 Click Apply. The tunnel is saved to the Running Configuration file.
16 IP Configuration IPv6 Management and Interfaces is specified in hexadecimal format by using 16-bit values separated by colons.You cannot configure an IPv6 addresses directly on an ISATAP tunnel interface. • Prefix Length—The length of the Global IPv6 prefix is a value from 0-128 indicating the number of the high-order contiguous bits of the address comprise the prefix (the network portion of the address).
16 IP Configuration IPv6 Management and Interfaces In Layer 3 system mode, click IP Configuration > IPv6 Management and Interfaces > IPv6 Default Router List. This page displays the following fields for each default router: • Default Router IPv6 Address—Link local IP address of the default router. • Interface—Outgoing IPv6 interface where the default router resides.
16 IP Configuration IPv6 Management and Interfaces Defining IPv6 Neighbors Information The IPv6 Neighbors page enables configuring and viewing the list of IPv6 neighbors on the IPv6 interface. The IPv6 Neighbor Table (also known as IPv6 Neighbor Discovery Cache) displays the MAC addresses of the IPv6 neighbors that are in the same IPv6 subnet as the device. This is the IPv6 equivalent of the IPv4 ARP Table.
16 IP Configuration IPv6 Management and Interfaces - Stale—Previously-known neighbor is unreachable. No action is taken to verify its reachability until traffic must be sent. - Delay—Previously-known neighbor is unreachable. The interface is in Delay state for a predefined Delay Time. If no reachability confirmation is received, the state changes to Probe. - Probe—Neighbor is no longer known to be reachable, and Unicast Neighbor Solicitation probes are being sent to verify the reachability.
16 IP Configuration IPv6 Management and Interfaces STEP 1 Click Administration > Management Interface > IPv6 Routes. -or To view IPv6 routing entries in Layer 3 system mode: Click IP Configuration > IPv6 Management and Interfaces > IPv6 Routes. This page displays the following fields: • IPv6 Address—The IPv6 subnet address. • Prefix Length—IP route prefix length for the destination IPv6 subnet address. It is preceded by a forward slash. • Interface—Interface used to forward the packet.
16 IP Configuration IPv6 Management and Interfaces - Static—The entry was manually configured by a user. DHCPv6 Relay DHCPv6 Relay is used for relaying DHCPv6 messages to DHCPv6 servers. It is defined in RFC 3315. When the DHCPv6 client is not directly connected to the DHCPv6 server, a DHCPv6 relay agent (the device) to which this DHCPv6 client is directlyconnected encapsulates the received messages from the directly-connected DHCPv6 client, and forwards them to the DHCPv6 server.
Domain Name
• DHCPv6 Server IP Address—Enter the address of the DHCPv6 server to which packets are forwarded.
• IPv6 Interface—Enter the interface on which packets are transmitted when the address type of the DHCPv6 server is Link Local or Multicast.
STEP 4 Click Apply. The Running Configuration file is updated.

As a DNS client, the device resolves domain names to IP addresses through the use of one or more configured DNS servers.
DNS Settings
Use the DNS Settings page to enable the DNS feature, configure the DNS servers, and set the default domain used by the device.
STEP 1 Click IP Configuration > Domain Name > DNS Settings.
STEP 2 Enter the parameters.

• Preference—Each server has a preference value; a lower value means a higher chance of being used.
• Source—Source of the server’s IP address (static, DHCPv4, or DHCPv6).
• Interface—Interface of the server’s IP address.
STEP 4 Up to eight DNS servers can be defined. To add a DNS server, click Add. Enter the parameters.
• IP Version—Select Version 6 for IPv6 or Version 4 for IPv4.
• IPv6 Address Type—Select the IPv6 address type (if IPv6 is used).

• Source—Source of the server’s IP address (static, DHCPv4, or DHCPv6) for this domain.
• Interface—Interface of the server’s IP address for this domain.
• Preference—This is the order in which the domains are used (from low to high). This effectively determines the order in which unqualified names are completed during DNS queries.
Host Mapping
Host name/IP address mappings are stored in the Host Mapping Table (DNS cache).

• Type—Whether this is a Dynamic or Static entry in the cache.
• Status—Displays the result of attempts to access the host:
 - OK—Attempt succeeded.
 - Negative Cache—Attempt failed; do not try again.
 - No Response—There was no response, but the system can try again in the future.
• TTL—If this is a dynamic entry, how long it will remain in the cache.
• Remaining TTL—If this is a dynamic entry, how much longer it will remain in the cache.
17 Security
This section describes device security and access control. The system handles various types of security. The following list of topics describes the various types of security features described in this section. Some features are used for more than a single type of security or control, and so they appear twice in the list of topics below.

• Configuring RADIUS
• Configuring Port Security
• Configuring 802.1X
• Defining Time Ranges
Protection from other network users is described in the following sections. These are attacks that pass through, but are not directed at, the device.
• Denial of Service Prevention
• SSL Server
• Defining Storm Control
• Configuring Port Security
• IP Source Guard
• Dynamic ARP Inspection
• Access Control
Defining Users
The default username/password is cisco/cisco.

STEP 1 Click Administration > User Accounts. This page displays the users defined in the system and their user privilege level.
STEP 2 Select Password Recovery Service to enable this feature. When this is enabled, an end user with physical access to the console port of the device can enter the boot menu and trigger the password recovery process. When the boot system process ends, you are allowed to log in to the device without password authentication.

STEP 5 Click Apply. The user is added to the Running Configuration file of the device.
Setting Password Complexity Rules
Passwords are used to authenticate users accessing the device. Simple passwords are potential security hazards. Therefore, password complexity requirements are enforced by default and may be configured as necessary. Password complexity requirements are configured on the Password Strength page, reached through the Security drop-down menu.
Configuring TACACS+
STEP 4 If the Password Complexity Settings are enabled, the following parameters may be configured:
• Minimal Password Length—Enter the minimal number of characters required for passwords.
NOTE A zero-length password (no password) is allowed, and can still have password aging assigned to it.
• Allowed Character Repetition—Enter the number of times that a character can be repeated.
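To make the two complexity parameters above concrete, here is an added example (written for this page, not the switch's own implementation) that applies Minimal Password Length and Allowed Character Repetition to a candidate password and reports every rule it breaks. The default values 8 and 3 are assumptions chosen for the example rather than values stated on the page, and "repetition" is interpreted here as the same character appearing several times in a row.

```python
def check_password_complexity(password, min_length=8, allowed_repetition=3):
    """Return the list of rules a candidate password violates (empty = accepted).

    min_length mirrors Minimal Password Length; allowed_repetition mirrors
    Allowed Character Repetition. The default values 8 and 3 are assumptions
    chosen for this example, not values taken from the page, and "repetition"
    is interpreted here as the same character appearing consecutively.
    """
    violations = []
    # A zero-length password is permitted only when the minimal length is 0,
    # matching the page's note that an empty password can still be configured.
    if len(password) < min_length:
        violations.append(f"shorter than minimal length {min_length}")
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > allowed_repetition:
            violations.append(
                f"character {cur!r} repeated more than {allowed_repetition} times in a row")
            break
    return violations

if __name__ == "__main__":
    # Constructed candidates: one that passes, one too short, one with a long run
    for candidate in ("Tr0ub4dor&3", "abc", "aaaa-bbbb"):
        print(repr(candidate), check_password_complexity(candidate) or "accepted")
```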
• Accounting—Enable accounting of login sessions using the TACACS+ server. This enables a system administrator to generate accounting reports from the TACACS+ server.
In addition to providing authentication and authorization services, the TACACS+ protocol helps to ensure TACACS message protection through encrypted TACACS body messages. TACACS+ is supported only with IPv4.

Defaults
The following defaults are relevant to this feature:
• No TACACS+ server is defined by default.
• If you configure a TACACS+ server, the accounting feature is disabled by default.
Interactions With Other Features
You cannot enable accounting on both a RADIUS and a TACACS+ server.
Workflow
To use a TACACS+ server, do the following:
STEP 1 Open an account for a user on the TACACS+ server.

STEP 1 Click Security > TACACS+.
STEP 2 Enable TACACS+ Accounting if required. See the explanation in the Accounting Using a TACACS+ Server section.
STEP 3 Enter the following default parameters:
• Key String—Enter the default Key String used for communicating with all TACACS+ servers, in Encrypted or Plaintext mode. The device can be configured to use this key or to use a key entered for a specific server (entered in the Add TACACS+ Server page).

• Server IP Address/Name—Enter the IP address or name of the TACACS+ server.
• Priority—Enter the order in which this TACACS+ server is used. Zero is the highest priority TACACS+ server and is the first server used. If it cannot establish a session with the highest priority server, the device tries the next highest priority server.
• Source IP Address—(For SG500X devices and other devices in Layer 3 system mode).
Configuring RADIUS
Remote Authorization Dial-In User Service (RADIUS) servers provide centralized 802.1X or MAC-based network access control. The device is a RADIUS client that can use a RADIUS server to provide centralized security. An organization can establish a Remote Authorization Dial-In User Service (RADIUS) server to provide centralized 802.1X or MAC-based network access control for all of its devices.

Interactions With Other Features
You cannot enable accounting on both a RADIUS and a TACACS+ server.
RADIUS Workflow
To use a RADIUS server, do the following:
STEP 1 Open an account for the device on the RADIUS server.
STEP 2 Configure that server along with the other parameters in the RADIUS and Add RADIUS Server pages.

• Dead Time—Enter the number of minutes that elapse before a nonresponsive RADIUS server is bypassed for service requests. If the value is 0, the server is not bypassed.
• Key String—Enter the default key string used for authenticating and encrypting between the device and the RADIUS server. This key must match the key configured on the RADIUS server. A key string is used to encrypt communications by using MD5. The key can be entered in Encrypted or Plaintext form.

• Server IP Address/Name—Enter the RADIUS server by IP address or name.
• Priority—Enter the priority of the server. The priority determines the order in which the device attempts to contact the servers to authenticate a user. The device starts with the highest priority RADIUS server first. Zero is the highest priority.
• Source IP Address—(For devices in Layer 3 system mode) Select to use either the default source address or one of the available IP addresses.

STEP 6 To display sensitive data in plaintext form in the configuration file, click Display Sensitive Data As Plaintext.
STEP 7 Click Apply. The RADIUS server definition is added to the Running Configuration file of the device.
Configuring Management Access Authentication
You can assign authentication methods to the various management access methods, such as SSH, console, Telnet, HTTP, and HTTPS.
Defining Management Access Method
• Local—Username and password are checked against the data stored on the local device. These username and password pairs are defined in the User Accounts page.
NOTE The Local or None authentication method must always be selected last. All authentication methods selected after Local or None are ignored.
STEP 4 Click Apply. The selected authentication methods are associated with the access method.

• Source IP Address—IP addresses or subnets.
Access to management methods might differ among user groups. For example, one user group might be able to access the device module only by using an HTTPS session, while another user group might be able to access the device module by using both HTTPS and Telnet sessions.

A caution message is displayed if you selected any other access profile, warning you that, depending on the selected access profile, you might be disconnected from the web-based configuration utility.
STEP 3 Click OK to select the active access profile or click Cancel to discontinue the action.
STEP 4 Click Add to open the Add Access Profile page. The page allows you to configure a new profile and one rule.
STEP 5 Enter the Access Profile Name.

 - All—Applies to all ports, VLANs, and LAGs.
 - User Defined—Applies to the selected interface.
• Interface—Enter the interface number if User Defined was selected.
• Applies to Source IP Address—Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:
 - All—Applies to all types of IP addresses.

STEP 1 Click Security > Mgmt Access Method > Profile Rules.
STEP 2 Select the Filter field and an access profile. Click Go. The selected access profile appears in the Profile Rule Table.
STEP 3 Click Add to add a rule.
STEP 4 Enter the parameters.
• Access Profile Name—Select an access profile.
• Rule Priority—Enter the rule priority. When the packet is matched to a rule, user groups are either granted or denied access to the device.
SSL Server
• Interface—Enter the interface number.
• Applies to Source IP Address—Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:
 - All—Applies to all types of IP addresses.
 - User Defined—Applies only to those types of IP addresses defined in the fields.
• IP Version—Select the supported IP version of the source address: IPv6 or IPv4.
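The profile-rule fields described above (Rule Priority, the management method, the interface, and the source IP address or subnetwork) combine into a first-match access decision. The following is an added example that models that evaluation; it is illustration code written for this page, not the switch's own implementation. Two points are assumptions made here because the page does not state them: a lower Rule Priority number is evaluated first, and a management session that matches no rule is denied.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ProfileRule:
    priority: int           # Rule Priority; lower number is evaluated first (assumption)
    action: str             # "permit" or "deny"
    method: str = "all"     # management method: "https", "telnet", "ssh", "snmp", "http", or "all"
    interface: str = "all"  # "all" or a specific interface name such as "gi1"
    source: str = "all"     # "all" or a source network in CIDR form, e.g. "10.0.0.0/24"

def evaluate_access_profile(rules, method, interface, source_ip):
    """Return (allowed, priority_of_matching_rule) for one management session.

    Rules are tried in priority order and the first match decides, which is the
    reading of "Rule Priority" this example assumes. A session that matches no
    rule is denied (also an assumption; the page does not state the default).
    """
    src = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.method != "all" and rule.method != method:
            continue
        if rule.interface != "all" and rule.interface != interface:
            continue
        if rule.source != "all":
            net = ipaddress.ip_network(rule.source, strict=False)
            # an IPv6 source can never match an IPv4 rule network, and vice versa
            if src.version != net.version or src not in net:
                continue
        return rule.action == "permit", rule.priority
    return False, None

# Constructed sample profile: HTTPS only from the admin subnet, any method from
# a NOC subnet, and an explicit deny for Telnet from anywhere else.
SAMPLE_PROFILE = [
    ProfileRule(1, "permit", method="https", source="10.0.0.0/24"),
    ProfileRule(2, "permit", source="10.0.1.0/24"),
    ProfileRule(3, "deny", method="telnet"),
]

if __name__ == "__main__":
    for session in (("https", "gi1", "10.0.0.5"), ("telnet", "gi1", "10.0.0.5"),
                    ("telnet", "gi2", "10.0.1.9"), ("ssh", "gi1", "192.0.2.1")):
        print(session, "->", evaluate_access_profile(SAMPLE_PROFILE, *session))
```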
To open an HTTPS session with a user-created certificate, perform the following actions:
1. Generate a certificate.
2. Request that the certificate be certified by a CA.
3. Import the signed certificate into the device.
Default Settings and Configuration
By default, the device contains a certificate that can be modified. HTTPS is enabled by default.

 - Organization Unit—Specifies the organization-unit or department name.
 - Organization Name—Specifies the organization name.
 - Location—Specifies the location or city name.
 - State—Specifies the state or province name.
 - Country—Specifies the country name.
 - Duration—Specifies the number of days a certificate is valid.
• Generate Certificate Request—Generate a certificate request to be signed by a CA.

Configuring TCP/UDP Services
The TCP/UDP Services page enables TCP or UDP-based services on the device, usually for security reasons. The device offers the following TCP/UDP services:
• HTTP—Enabled by factory default
• HTTPS—Enabled by factory default
• SNMP—Disabled by factory default
• Telnet—Disabled by factory default
• SSH—Disabled by factory default
The active TCP connections are also displayed in this window.

Defining Storm Control
• Remote IP Address—IP address of the remote device that is requesting the service.
• Remote Port—TCP port of the remote device that is requesting the service.
• State—Status of the service.
The UDP Services table displays the following information:
• Service Name—Access method through which the device is offering the UDP service.
• Type—IP protocol the service uses.
• Local IP Address—Local IP address through which the device is offering the service.

Configuring Port Security
STEP 1 Click Security > Storm Control. All the fields on this page are described in the Edit Storm Control page except for the Storm Control Rate Threshold (%). It displays the percentage of the total available bandwidth for unknown Unicast, Multicast, and Broadcast packets before storm control is applied at the port. The default value is 10% of the maximum rate of the port and is set in the Edit Storm Control page.
STEP 2 Select a port and click Edit.

• Classic Lock—All learned MAC addresses on the port are locked, and the port does not learn any new MAC addresses. The learned addresses are not subject to aging or re-learning.
• Limited Dynamic Lock—The device learns MAC addresses up to the configured limit of allowed addresses. After the limit is reached, the device does not learn additional addresses. In this mode, the addresses are subject to aging and re-learning.

• Interface—Select the interface name.
• Interface Status—Select to lock the port.
• Learning Mode—Select the type of port locking. To configure this field, the Interface Status must be unlocked. The Learning Mode field is enabled only if the Interface Status field is locked. To change the Learning Mode, the Lock Interface must be cleared. After the mode is changed, the Lock Interface can be reinstated.

Configuring 802.1X
• Trap—Select to enable traps when a packet is received on a locked port. This is relevant for lock violations. For Classic Lock, this is any new address received. For Limited Dynamic Lock, this is any new address that exceeds the number of allowed addresses.
• Trap Frequency—Enter the minimum time (in seconds) that elapses between traps.
STEP 4 Click Apply. Port security is modified, and the Running Configuration file is updated.
Configuring 802.
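The difference between Classic Lock and Limited Dynamic Lock, and the way Trap Frequency throttles violation traps, is easiest to see by replaying frames against a small model of one port. The following is an added example written for this page, not the switch's own code. It assumes that a frame causing a lock violation is discarded (the page's violation actions are not visible here) and that aging removes an address not seen for `aging_seconds`.

```python
class PortSecurity:
    """Model of one port's locking behaviour: Classic Lock or Limited Dynamic Lock.

    Constructed for this example. Times are seconds supplied by the caller so the
    behaviour can be replayed deterministically.
    """

    def __init__(self, learning_mode, max_addresses=1, aging_seconds=300, trap_frequency=10):
        if learning_mode not in ("classic", "limited"):
            raise ValueError("learning_mode must be 'classic' or 'limited'")
        self.mode = learning_mode
        self.max_addresses = max_addresses      # Limited Dynamic Lock only
        self.aging_seconds = aging_seconds      # Limited Dynamic Lock only (assumed aging model)
        self.trap_frequency = trap_frequency    # Trap Frequency field: min seconds between traps
        self.locked = False                     # Interface Status
        self.table = {}                         # learned MAC -> time last seen
        self.last_trap = None
        self.traps_sent = 0

    def lock(self):
        """Set Interface Status to locked; the learning mode takes effect from now on."""
        self.locked = True

    def receive(self, mac, now):
        """Process a frame with source MAC `mac` at time `now`; returns 'forward' or 'discard'."""
        if not self.locked:
            self.table[mac] = now               # unlocked port: ordinary learning
            return "forward"
        if self.mode == "classic":
            # Classic Lock: only addresses learned before locking are allowed, no aging.
            if mac in self.table:
                return "forward"
            return self._violation(now)
        # Limited Dynamic Lock: age out stale entries, then learn up to the limit.
        self.table = {m: t for m, t in self.table.items() if now - t <= self.aging_seconds}
        if mac in self.table or len(self.table) < self.max_addresses:
            self.table[mac] = now
            return "forward"
        return self._violation(now)

    def _violation(self, now):
        # Lock violation: send a trap unless one was sent within Trap Frequency seconds.
        # Discarding the frame is an assumption made for this example.
        if self.last_trap is None or now - self.last_trap >= self.trap_frequency:
            self.traps_sent += 1
            self.last_trap = now
        return "discard"
```

Replaying a second unknown address a few seconds after the first shows the trap being suppressed by Trap Frequency while the frame is still discarded; with Limited Dynamic Lock the same unknown address is accepted once the earlier entries have aged out, which Classic Lock never does.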
• Single session/multiple hosts—This follows the 802.1x standard. In this mode, the device as an authenticator allows any device to use a port as long as it has been granted permission.
• Multi-Session 802.1X—Every device (supplicant) connecting to a port must be authenticated and authorized by the device (authenticator) separately, in a different 802.1x session.
NOTE This is the only mode that supports Dynamic VLAN Assignment (DVA).

delimiting characters (for example: aaccbb55ccff). To use MAC-based authentication at a port:
 - A Guest VLAN must be defined.
 - The port must be Guest VLAN enabled.
 - The packets from the first supplicant at the port before it is authorized must be untagged packets.
You can configure a port to use 802.1x, MAC-based, or 802.1x and MAC-based authentication. If a port is configured to use both 802.1x and MAC-based authentication, 802.1x has precedence over non-802.

The device also uses the Guest VLAN for the authentication process at ports configured with Multiple Session mode and MAC-based authentication. Therefore, you must configure a Guest VLAN before you can use the MAC authentication mode.
802.1X Parameters Workflow
Define the 802.1X parameters as follows:
• (Optional) Set a time range(s) using the Time Range and Recurring Range pages. These are used in the Edit Port Authentication page.

• Port-Based Authentication—Enable or disable port-based 802.1X authentication.
• Authentication Method—Select the user authentication methods. The options are:
 - RADIUS, None—Perform port authentication first by using the RADIUS server. If no response is received from RADIUS (for example, if the server is down), then no authentication is performed, and the session is permitted.
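Both the management-access note earlier in this chapter (Local or None must be last; anything listed after them is ignored) and the "RADIUS, None" option just described are consequences of one rule: an ordered method list falls through to the next method only when the current one does not answer, and Local and None always answer. The following added example models that evaluation; it is written for this page and is not the device's code. The assumption made here is that an explicit RADIUS reject is final rather than falling through, which is the usual method-list behaviour but is not spelled out on the page.

```python
RADIUS_NO_RESPONSE = object()   # sentinel: the server did not answer (down or unreachable)

def authenticate(methods, username, password, radius_query, local_users):
    """Evaluate an ordered authentication method list for one login attempt.

    methods: list drawn from "radius", "local", "none", in the configured order.
    radius_query(username, password) returns True/False, or RADIUS_NO_RESPONSE.
    local_users: dict of username -> password standing in for the User Accounts page.
    Returns (permitted, method_that_decided).
    """
    for method in methods:
        if method == "none":
            return True, "none"                 # no authentication: session permitted
        if method == "local":
            return local_users.get(username) == password, "local"
        if method == "radius":
            verdict = radius_query(username, password)
            if verdict is RADIUS_NO_RESPONSE:
                continue                        # fall through only when the server does not answer
            return bool(verdict), "radius"      # an explicit reject is final (assumption)
        raise ValueError(f"unknown method {method!r}")
    return False, None                          # every listed method was unreachable

def ignored_methods(methods):
    """Methods listed after Local or None, which the device ignores per the note above."""
    for i, method in enumerate(methods):
        if method in ("local", "none"):
            return methods[i + 1:]
    return []

if __name__ == "__main__":
    # Constructed fixtures: a RADIUS server that is down and a local user database
    radius_down = lambda user, pw: RADIUS_NO_RESPONSE
    users = {"admin": "cisco"}
    print(authenticate(["radius", "none"], "anyone", "anything", radius_down, users))
    print(authenticate(["radius", "local"], "admin", "cisco", radius_down, users))
    print(ignored_methods(["local", "radius"]))
```

The first call in the usage section is the case to weigh when choosing "RADIUS, None": while the server is down, any username and password are accepted.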
Configuring Unauthenticated VLANs
When a port is 802.1x-enabled, unauthorized ports or devices are not allowed to access a VLAN unless the VLAN is a Guest VLAN or an unauthenticated VLAN. You can make a static VLAN an unauthenticated VLAN by using the procedure in the Defining 802.1X Properties section, allowing both 802.1x authorized and unauthorized devices or ports to send or receive packets to or from unauthenticated VLANs.

• Current Port Control—Displays the current port authorization state. If the state is Authorized, the port is either authenticated or the Administrative Port Control is Force Authorized. Conversely, if the state is Unauthorized, then the port is either not authenticated or the Administrative Port Control is Force Unauthorized.
• Administrative Port Control—Select the Administrative Port Authorization state.

• Authentication Method—Select the authentication method for the port. The options are:
 - 802.1X Only—802.1X authentication is the only authentication method performed on the port.
 - MAC Only—Port is authenticated based on the supplicant MAC address. Only 8 MAC-based authentications can be used on the port.
 - 802.1X and MAC—Both 802.1X and MAC-based authentication are performed on the device. The 802.1X authentication takes precedence.

• Resending EAP—Enter the number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the supplicant (client) before resending the request.
• Max EAP Requests—Enter the maximum number of EAP requests that can be sent. If a response is not received after the defined period (supplicant timeout), the authentication process is restarted.

To define 802.1X advanced settings for ports:
STEP 1 Click Security > 802.1X > Host and Session Authentication. 802.1X authentication parameters are described for all ports. All fields except the following are described in the Edit Host and Session Authentication page.
• Status—Displays the host status. An asterisk indicates that the port is either not linked or is down.

Defining Time Ranges
 - Shutdown—Discards the packets and shuts down the port. The port remains shut down until reactivated, or until the device is rebooted.
• Traps (on single host violation)—Select to enable traps.
• Trap Frequency (on Single Host Violation)—Defines how often traps are sent to the host. This field can be defined only if multiple hosts are disabled.
STEP 4 Click Apply. The settings are written to the Running Configuration file.
Denial of Service Prevention
A Denial of Service (DoS) attack is a hacker attempt to make a device unavailable to its users. DoS attacks saturate the device with external communication requests, so that it cannot respond to legitimate traffic. These attacks usually lead to a device CPU overload.
Secure Core Technology (SCT)
One method of resisting DoS attacks employed by the device is the use of SCT. SCT is enabled by default on the device and cannot be disabled.

• Martian Addresses—Martian addresses are illegal from the point of view of the IP protocol. See Martian Addresses for more details.
• ICMP Attack—Sending malformed ICMP packets or an overwhelming number of ICMP packets to the victim, which might lead to a system crash.
• IP Fragmentation—Mangled IP fragments with overlapping, over-sized payloads are sent to the device.

• Prevent TCP connections from a specific interface (SYN Filtering page) and rate limit the packets (SYN Rate Protection page)
• Configure the blocking of certain ICMP packets (ICMP Filtering page)
• Discard fragmented IP packets from a specific interface (IP Fragments Filtering page)
• Deny attacks from Stacheldraht Distribution, Invasor Trojan, and Back Orifice Trojan (Security Suite Settings page).

STEP 1 Click Security > Denial of Service Prevention > Security Suite Settings. The Security Suite Settings page is displayed. CPU Protection Mechanism: Enabled indicates that SCT is enabled.
STEP 2 Click Details beside CPU Utilization to go to the CPU Utilization page and view CPU resource utilization information.
STEP 3 Click Edit beside TCP SYN Protection to go to the SYN Protection page and enable this feature.
STEP 4 Select DoS Prevention to enable the feature.

SYN Protection
The network ports might be used by hackers to attack the device in a SYN attack, which consumes TCP resources (buffers) and CPU power. Since the CPU is protected using SCT, TCP traffic to the CPU is limited. However, if one or more ports are attacked with a high rate of SYN packets, the CPU receives only the attacker’s packets, thus creating a Denial of Service.

• Current Status—Interface status. The possible values are:
 - Normal—No attack was identified on this interface.
 - Blocked—Traffic is not forwarded on this interface.
 - Attacked—An attack was identified on this interface.
• Last Attack—Date of the last SYN-FIN attack identified by the system and the system action (Reported, or Blocked and Reported).

STEP 3 To add a Martian address, click Add.
STEP 4 Enter the parameters.
• IP Version—Indicates the supported IP version. Currently, support is offered only for IPv4.
• IP Address—Enter an IP address to reject. The possible values are:
 - From Reserved List—Select a well-known IP address from the reserved list.
 - New IP Address—Enter an IP address.
• Mask—Enter the mask of the IP address to define a range of IP addresses to reject.

 - User Defined—Enter a port number.
 - All Ports—Select to indicate that all ports are filtered.
STEP 4 Click Apply. The SYN filter is defined, and the Running Configuration file is updated.
SYN Rate Protection
The SYN Rate Protection page enables limiting the number of SYN packets received on the ingress port. This can mitigate the effect of a SYN flood against servers by rate limiting the number of new connections opened to handle packets.
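A per-port SYN rate limit of the kind SYN Rate Protection describes is usually a token bucket: each ingress interface gets its own bucket that refills at the configured rate, a SYN is forwarded only if a token is available, and SYN/ACK segments belonging to connections the server itself opened are left alone. The block below is an added example of that mechanism written for this page; it is not the switch's implementation, and the rate, burst depth and packet trace are all constructed for illustration.

```python
class SynRateLimiter:
    """Token-bucket limiter for TCP SYN packets, one bucket per ingress interface.

    Constructed for this example: `rate` is the sustained SYN/s allowed per port and
    `burst` the bucket depth. Times are seconds supplied by the caller.
    """

    def __init__(self, rate, burst=None):
        self.rate = float(rate)
        self.burst = float(burst if burst is not None else rate)
        self.buckets = {}   # interface -> (tokens, time_of_last_update)

    def admit(self, interface, now):
        """Return True if a SYN on `interface` at time `now` is within the rate limit."""
        tokens, last = self.buckets.get(interface, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last packet
        if tokens >= 1.0:
            self.buckets[interface] = (tokens - 1.0, now)
            return True
        self.buckets[interface] = (tokens, now)
        return False

def replay(limiter, packets):
    """Apply the limiter to a packet trace; only pure SYNs (SYN without ACK) are counted.

    packets: iterable of (time, interface, flags) with flags a set of TCP flag names.
    Returns {"forwarded": n, "dropped": n} for the SYN packets in the trace.
    """
    counts = {"forwarded": 0, "dropped": 0}
    for when, interface, flags in packets:
        if "SYN" in flags and "ACK" not in flags:
            counts["forwarded" if limiter.admit(interface, when) else "dropped"] += 1
    return counts

# Constructed trace: a burst of 6 SYNs on gi1 at t=0, one legitimate SYN on gi2,
# a SYN/ACK on gi1 that is not subject to the limit, then 2 more SYNs on gi1 at t=1.
SAMPLE_TRACE = (
    [(0.0, "gi1", {"SYN"}) for _ in range(6)]
    + [(0.5, "gi2", {"SYN"}), (0.6, "gi1", {"SYN", "ACK"})]
    + [(1.0, "gi1", {"SYN"}), (1.0, "gi1", {"SYN"})]
)

if __name__ == "__main__":
    # 2 SYN/s with a burst of 2 on every interface
    print(replay(SynRateLimiter(2), SAMPLE_TRACE))
```

With a rate of 2 SYN/s the six-packet burst on gi1 yields two forwarded and four dropped SYNs, the bucket has refilled by t=1 so both later SYNs pass, and gi2 is unaffected because its bucket is separate.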
STEP 4 Click Apply. The SYN rate protection is defined, and the Running Configuration is updated.
ICMP Filtering
The ICMP Filtering page enables the blocking of ICMP packets from certain sources. This can reduce the load on the network in case of an ICMP attack.
To define ICMP filtering:
STEP 1 Click Security > Denial of Service Prevention > ICMP Filtering.
STEP 2 Click Add.
STEP 3 Enter the parameters.

IP Source Guard
• Interface—Select the interface on which the IP fragment filtering is being defined.
• IP Address—Enter an IP network from which the fragmented IP packets are filtered, or select All Addresses to block IP fragmented packets from all addresses. If you enter the IP address, enter either the mask or the prefix length.

 - The interface is DHCP untrusted. All packets on trusted ports are forwarded.
• If a port is DHCP trusted, filtering of static IP addresses can be configured by enabling IP Source Guard on the port, even though IP Source Guard is not otherwise active in that condition.
• When the port’s status changes from DHCP untrusted to DHCP trusted, the static IP address filtering entries remain in the Binding database, but they become inactive.

STEP 5 Enable IP Source Guard on the untrusted interfaces as required in the Security > IP Source Guard > Interface Settings page.
STEP 6 View entries in the Binding database in the Security > IP Source Guard > Binding Database page.
Enabling IP Source Guard
To enable IP Source Guard globally:
STEP 1 Click Security > IP Source Guard > Properties.
STEP 2 Select Enable to enable IP Source Guard globally.

Binding Database
IP Source Guard uses the DHCP Snooping Binding database to check packets from untrusted ports. If the device attempts to write too many entries to the DHCP Snooping Binding database, the excessive entries are maintained in an inactive status. Entries are deleted when their lease time expires, and so inactive entries may then be made active. See DHCPv4 Snooping/Relay.
 - No Snoop VLAN—DHCP Snooping is not enabled on the VLAN.
 - Trusted Port—Port has become trusted.
 - Resource Problem—TCAM resources are exhausted.
To see a subset of these entries, enter the relevant search criteria and click Go.
Dynamic ARP Inspection
ARP enables IP communication within a Layer 2 Broadcast domain by mapping IP addresses to MAC addresses.

Hosts A, B, and C are connected to the switch on interfaces A, B, and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate with Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. Host B responds with an ARP reply. The switch and Host A update their ARP caches with the MAC and IP of Host B.

• If a packet is valid, it is forwarded and the ARP cache is updated.
If the ARP Packet Validation option is selected (Properties page), the following additional validation checks are performed:
• Source MAC—Compares the packet’s source MAC address in the Ethernet header against the sender’s MAC address in the ARP request. This check is performed on both ARP requests and responses.
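IP Source Guard (above) and Dynamic ARP Inspection consult the same DHCP Snooping Binding database: the first checks the source IP/MAC of IP packets on untrusted ports, the second checks the sender IP/MAC inside ARP packets on untrusted ports and, with ARP Packet Validation on, also compares the Ethernet source MAC with the ARP sender MAC. The following added example models both checks over a minimal ARP frame parser; it is illustration code written for this page, not the switch's implementation. The binding database keyed on (MAC, IP, port), the `build_arp_frame` helper and all addresses are constructed for the example.

```python
import struct
import ipaddress

TRUSTED, UNTRUSTED = "trusted", "untrusted"

class BindingDatabase:
    """Stand-in for the DHCP Snooping Binding database (constructed for this example).

    Each entry ties the MAC and IP address a client obtained via DHCP to the port
    the lease was snooped on.
    """
    def __init__(self, entries):
        self._entries = {(mac.lower(), ip, port) for mac, ip, port in entries}

    def has(self, mac, ip, port):
        return (mac.lower(), ip, port) in self._entries

def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def _mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def parse_arp_frame(frame):
    """Extract the addressing fields from an Ethernet II frame carrying ARP (helper written here)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    _ht, _pt, _hl, _pl, oper, sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "eth_src": _mac_str(src),
        "oper": oper,                                   # 1 = request, 2 = reply
        "sender_mac": _mac_str(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }

def inspect_arp(frame, port, port_trust, db, packet_validation=True):
    """Dynamic ARP Inspection verdict for one ARP frame received on `port`."""
    if port_trust == TRUSTED:
        return "forward"                                # trusted ports are not inspected
    arp = parse_arp_frame(frame)
    if packet_validation and arp["eth_src"] != arp["sender_mac"]:
        # The Source MAC check from ARP Packet Validation, applied to requests and replies alike
        return "drop: Ethernet source MAC does not match ARP sender MAC"
    if not db.has(arp["sender_mac"], arp["sender_ip"], port):
        return "drop: sender IP/MAC pair is not bound to this port"
    return "forward"

def ip_source_guard(src_mac, src_ip, port, port_trust, db):
    """IP Source Guard verdict for an IP packet received on `port`."""
    if port_trust == TRUSTED:
        return "forward"                                # all packets on trusted ports are forwarded
    if db.has(src_mac, src_ip, port):
        return "forward"
    return "drop: source IP/MAC pair is not bound to this port"

def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, oper=1):
    """Build a sample ARP request/reply frame (constructed test input, not captured traffic)."""
    eth = b"\xff" * 6 + _mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      _mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp
```

In the worked case below, a host whose lease was snooped on gi1 is allowed to send ARP for its own address, but an ARP from the same port claiming the gateway's IP is dropped because no binding ties that IP to that MAC and port; the same packet arriving on a trusted port is forwarded without inspection.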
17 Security Dynamic ARP Inspection ARP Inspection Work Flow To configure ARP Inspection: STEP 1 Enable ARP Inspection and configure various options in the Security > ARP Inspection > Properties page. STEP 2 Configure interfaces as ARP trusted or untrusted in the Security > ARP Inspection > Interface Setting page. STEP 3 Add rules in the Security > ARP Inspection > ARP Access Control and ARP Access Control Rules pages.
17 Security Dynamic ARP Inspection - Never—Disabled SYSLOG dropped packet messages. STEP 2 Click Apply. The settings are defined, and the Running Configuration file is updated. Defining Dynamic ARP Inspection Interfaces Settings Packets from untrusted ports/LAGs are checked against the ARP Access Rules table and the DHCP Snooping Binding database if DHCP Snooping is enabled (see the DHCP Snooping Binding Database page). By default, ports/LAGs are ARP Inspection untrusted.
STEP 4 Click Apply. The settings are defined, and the Running Configuration file is updated. Defining ARP Inspection Access Control Rules To add more rules to a previously-created ARP Access Control group: STEP 1 Click Security > ARP Inspection > ARP Access Control Rules. The currently-defined access rules are displayed. STEP 2 To add more rules to a group, click Add. STEP 3 Select an Access Control Group and enter the fields: • MAC Address—MAC address of packet.
18 Security: Secure Sensitive Data Management Secure Sensitive Data (SSD) is an architecture that facilitates the protection of sensitive data on a device, such as passwords and keys. The facility makes use of passphrases, encryption, access control, and user authentication to provide a secure solution to managing sensitive data. The facility is extended to protect the integrity of configuration files, to secure the configuration process, and to support SSD zero-touch auto configuration.
18 Security: Secure Sensitive Data Management SSD Rules SSD grants read permission to sensitive data only to authenticated and authorized users, and according to SSD rules. A device authenticates and authorizes management access to users through the user authentication process.
Security: Secure Sensitive Data Management SSD Rules 18 NOTE A device may not support all the channels defined by SSD. Elements of an SSD Rule An SSD rule includes the following elements: • User type—The user types supported in order of most preference to least preference are as follows: (If a user matches multiple SSD rules, the rule with the most preference User Type will be applied). - Specific—The rule applies to a specific user.
- (Higher) Plaintext Only—Users are permitted to access sensitive data in plaintext only. They also have read and write permission to SSD parameters. - (Highest) Both—Users have both encrypted and plaintext permissions and can access sensitive data either encrypted or in plaintext. They also have read and write permission to SSD parameters. Each management channel allows specific read permissions.
Table 2 Default Read Modes for Read Permissions
Read Permission | Default Read Mode | Allowed
Both | Plaintext* | Plaintext, Encrypted
* The Read mode of a session can be temporarily changed in the SSD Properties page if the new read mode does not violate the read permission. NOTE Note the following: • The default Read mode for the Secure XML SNMP and Insecure XML SNMP management channels must be identical to their read permission.
18 Security: Secure Sensitive Data Management SSD Rules NOTE When doing a file transfer initiated by an XML or SNMP command, the underlying protocol used is TFTP. Therefore, the SSD rule for insecure channel will apply. SSD Rules and User Authentication SSD grants SSD permission only to authenticated and authorized users and according to the SSD rules. A device depends on its user authentication process to authenticate and authorize management access.
Table 3 Default SSD Rules
Rule Key: User | Channel; Rule Action: Read Permission | Default Read Mode
All | Secure | Encrypted Only | Encrypted
All | Insecure | Encrypted Only | Encrypted
The default rules can be modified, but they cannot be deleted. If the SSD default rules have been changed, they can be restored.
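The following added example (our code, not part of this guide or the switch firmware) shows how the rule elements described above combine: the matching rule with the most-preferred user type wins, the two default rules of Table 3 never show sensitive data in plaintext, a session may change its read mode only within its read permission, and an Exclude rule hides the data entirely. It assumes the preference order Specific > Level 15 > All; the rule set, usernames and secret values are constructed.

```python
# Added example, not from the Cisco guide: resolving which SSD rule applies to
# a management session and what view of a sensitive value it gets.
# Assumptions (not on the page): user-type preference order Specific > Level 15
# > All, and a PermissionError when a requested read mode exceeds the rule's
# read permission. Rules, usernames and values are constructed.
from dataclasses import dataclass
from typing import Optional

USER_TYPE_PREFERENCE = {"specific": 0, "level15": 1, "all": 2}   # lower = preferred
READ_MODES_ALLOWED = {
    "exclude": set(),
    "encrypted-only": {"encrypted"},
    "plaintext-only": {"plaintext"},
    "both": {"plaintext", "encrypted"},
}


@dataclass(frozen=True)
class SsdRule:
    user_type: str                      # "specific" | "level15" | "all"
    user: Optional[str]                 # username when user_type == "specific"
    channel: str                        # "secure" | "insecure" | "secure-xml-snmp" | "insecure-xml-snmp"
    read_permission: str                # key of READ_MODES_ALLOWED
    default_read_mode: Optional[str]    # None for "exclude"

    def __post_init__(self):
        # A rule's own default read mode must not violate its read permission.
        allowed = READ_MODES_ALLOWED[self.read_permission]
        if self.default_read_mode is None and allowed:
            raise ValueError("default read mode required")
        if self.default_read_mode is not None and self.default_read_mode not in allowed:
            raise ValueError(f"default read mode {self.default_read_mode!r} violates {self.read_permission!r}")


# Table 3 above: the two default rules, which only ever show data encrypted.
DEFAULT_RULES = (
    SsdRule("all", None, "secure", "encrypted-only", "encrypted"),
    SsdRule("all", None, "insecure", "encrypted-only", "encrypted"),
)


def match_rule(rules, username: str, privilege: int, channel: str) -> Optional[SsdRule]:
    """Pick the matching rule with the most-preferred user type."""
    candidates = []
    for r in rules:
        if r.channel != channel:
            continue
        if r.user_type == "specific" and r.user != username:
            continue
        if r.user_type == "level15" and privilege != 15:
            continue
        candidates.append(r)
    return min(candidates, key=lambda r: USER_TYPE_PREFERENCE[r.user_type], default=None)


def may_read(rule: SsdRule, mode: str) -> bool:
    """A session may switch to a read mode only within its read permission."""
    return mode in READ_MODES_ALLOWED[rule.read_permission]


def view_sensitive(rule: SsdRule, plaintext: str, encrypted: str,
                   requested_mode: Optional[str] = None) -> Optional[str]:
    """What the session sees for one sensitive value. None means excluded."""
    if not READ_MODES_ALLOWED[rule.read_permission]:
        return None
    mode = requested_mode or rule.default_read_mode
    if not may_read(rule, mode):
        raise PermissionError(f"read mode {mode!r} not allowed under {rule.read_permission!r}")
    return plaintext if mode == "plaintext" else encrypted


# Constructed: an operator-defined rule set layered on the defaults.
RULES = DEFAULT_RULES + (
    SsdRule("level15", None, "secure", "both", "plaintext"),
    SsdRule("specific", "auditor", "secure", "exclude", None),
)

if __name__ == "__main__":
    secret = ("hunter2", "encrypted:Zm9vYmFy")   # constructed plaintext/ciphertext pair
    for user, priv, chan in (("admin", 15, "secure"), ("admin", 15, "insecure"),
                             ("auditor", 15, "secure"), ("ops", 7, "secure")):
        rule = match_rule(RULES, user, priv, chan)
        print(user, chan, "->", rule.user_type, rule.read_permission, view_sensitive(rule, *secret))
```

Note that the same level-15 administrator sees plaintext over SSH or HTTPS but only ciphertext over an insecure channel, because the operator's Both rule was written for the secure channel only; this is the intended way to keep plaintext secrets off Telnet, HTTP and TFTP.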
18 Security: Secure Sensitive Data Management SSD Properties Passphrase A passphrase is the basis of the security mechanism in the SSD feature, and is used to generate the key for the encryption and decryption of sensitive data. Sx200, Sx300, Sx500, and SG500X/ESW2-550X series switches that have the same passphrase are able to decrypt each other's sensitive data encrypted with the key generated from the passphrase. A passphrase must comply with the following rules: • Length—Between 8-16 characters.
Security: Secure Sensitive Data Management SSD Properties 18 automatically changed to the passphrase in the startup configuration file, when the startup configuration becomes the running configuration of the device. When a device is reset to factory default, the local passphrase is reset to the default passphrase.
18 Security: Secure Sensitive Data Management Configuration Files A device determines whether the integrity of a configuration file is protected by examining the File Integrity Control command in the file's SSD Control block. If a file is integrity protected but a device finds the integrity of the file is not intact, the device rejects the file. Otherwise, the file is accepted for further processing.
Security: Secure Sensitive Data Management Configuration Files 18 • A text-based configuration that does not include an SSD indicator is considered not to contain sensitive data. • The SSD indicator is used to enforce SSD read permissions on text-based configuration files, but is ignored when copying the configuration files to the Running or Startup Configuration file.
18 Security: Secure Sensitive Data Management Configuration Files • If there is a passphrase in the SSD control block of the source configuration file, the device will reject the source file, and the copy fails if there is encrypted sensitive data in the file not encrypted by the key generated from the passphrase in the SSD control block.
Security: Secure Sensitive Data Management Configuration Files 18 • When copied from a source file, the copy will fail if the passphrase in the source file is in plaintext. If the passphrase is encrypted, it is ignored. • When directly configuring the passphrase, (non file copy), in the Running Configuration, the passphrase in the command must be entered in plaintext. Otherwise, the command is rejected.
18 Security: Secure Sensitive Data Management Configuration Files • A user with Exclude permission cannot access mirror and backup configuration files with their file SSD indicator showing either encrypted or plaintext sensitive data. The user should not manually change the file SSD indicator that conflicts with the sensitive data, if any, in the file. Otherwise, plaintext sensitive data may be unexpectedly exposed.
18 Security: Secure Sensitive Data Management SSD Management Channels If the device creating the configuration file is in Unrestricted passphrase control mode, the device includes the passphrase in the file. As a result, the user can auto configure the target devices, including devices that are out-of-the-box or in factory default, with the configuration file without manually pre-configuring the target devices with the passphrase.
SSD Management Channels (security level of each channel):
• SNMPv3 with privacy—Secure-XML-SNMP (level-15 users)
• TFTP—Insecure
• SCP (Secure Copy)—Secure
• HTTP based file transfer—Insecure
• HTTPS based file transfer—Secure
Menu CLI and Password Recovery The Menu CLI interface is only allowed to users if their read permissions are Both or Plaintext Only. Other users are rejected. Sensitive data in the Menu CLI is always displayed as plaintext.
Security: Secure Sensitive Data Management Configuring SSD 18 STEP 1 Click Security > Secure Sensitive Data Management > Properties. The following field appears: • Current Local Passphrase Type—Displays whether the default passphrase or a user-defined passphrase is currently being used. STEP 2 Enter the following Persistent Settings fields: • Configuration File Passphrase Control—Select an option as described in Configuration File Passphrase Control.
- Level 15—Indicates that this rule applies to all users with privilege level 15. - All—Indicates that this rule applies to all users. • Channel—This defines the security level of the input channel to which the rule applies. Select one of the following options: - Secure—Indicates that this rule applies only to secure channels (console, SCP, SSH and HTTPS), not including the SNMP and XML channels.
Security: Secure Sensitive Data Management Configuring SSD • 18 Restore All Rules to Default—Restore all user-modified default rules to the default rule and remove all user-defined rules.
19 Security: SSH Client This section describes the device when it functions as an SSH client. It covers the following topics: • Secure Copy (SCP) and SSH • Protection Methods • SSH Server Authentication • SSH Client Authentication • Before You Begin • Common Tasks • SSH Client Configuration Through the GUI Secure Copy (SCP) and SSH Secure Shell or SSH is a network protocol that enables data to be exchanged on a secure channel between an SSH client (in this case, the device) and an SSH server.
19 Security: SSH Client Protection Methods When files are downloaded via TFTP or HTTP, the data transfer is unsecured. When files are downloaded via SCP, the information is downloaded from the SCP server to the device via a secure channel. The creation of this secure channel is preceded by authentication, which ensures that the user is permitted to perform the operation.
The username/password must then be created on the device. When data is transferred from the server to the device, the username/password supplied by the device must match the username/password on the server. Data is encrypted using a one-time symmetric key negotiated during the session. Each managed device must have a username/password configured for the server, although the same username/password can be reused on multiple switches.
19 Security: SSH Client SSH Server Authentication When a private key is created on a device, it is also possible to create an associated passphrase. This passphrase is used to encrypt the private key and to import it into the remaining switches. In this way, all the switches can use the same public/private key. SSH Server Authentication A device, as an SSH client, only communicates with a trusted SSH server.
SSH Client Authentication SSH client authentication by password is enabled by default, with the username and password both set to “anonymous”. The user must configure the following information for authentication: • The authentication method to be used. • The username/password or public/private key pair. In order to support auto configuration of an out-of-box device (a device with the factory default configuration), SSH server authentication is disabled by default. Until it is enabled, the device does not verify the identity of the SSH server it connects to, so enable it as soon as initial provisioning is complete.
19 Security: SSH Client Before You Begin Before You Begin The following actions must be performed before using the SCP feature: • When using the password authentication method, a username/password must be set up on the SSH server. • When using public/private keys authentication method, the public key must be stored on the SSH server. Common Tasks This section describes some common tasks performed using the SSH client. All pages referenced are pages found under the SSH Client branch of the menu tree.
19 Security: SSH Client Common Tasks STEP 4 If the public/private key method is being used, perform the following steps: a. Select whether to use an RSA or DSA key, create a username and then generate the public/private keys. b. View the generated key by clicking the Details button, and transfer the username and public key to the SSH server. This action depends on the server and is not described in this guide. c.
SSH Client Configuration Through the GUI This section describes the pages used to configure the SSH Client feature. SSH User Authentication Use this page to select an SSH user authentication method and to set a username and password on the device (if the password method is selected) or generate an RSA or DSA key (if the public/private key method is selected). To select an authentication method and set the username/password or keys:
• Key Source—Auto Generated or User Defined. • Fingerprint—Fingerprint generated from the key. STEP 6 To handle an RSA or DSA key, select either RSA or DSA and perform one of the following actions: • Generate—Generate a new key. • Edit—Display the keys for copying/pasting to another device. • Delete—Delete the key. • Details—Display the keys.
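The Fingerprint field above is the value an operator compares out of band before trusting a key. The following added example (our code, not part of this guide or the switch firmware) shows how such a fingerprint is derived from an SSH public key blob in the OpenSSH wire format, and how a client that "only communicates with a trusted SSH server" can apply it: the server's presented key is accepted only if its fingerprint is on a list pinned beforehand. The key material is constructed with toy values and is not a usable key; the encoding it follows is the standard one.

```python
# Added example, not from the Cisco guide: computing the fingerprint of an SSH
# public key (the value shown in the Fingerprint field above) and using a list
# of trusted fingerprints to decide whether a server may be talked to at all.
# The key material below is constructed for the example and is not a usable
# key; the OpenSSH wire format it follows (RFC 4253 strings/mpints) is real.
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    # positive mpint: big-endian, with a leading 0x00 if the high bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_blob(e: int, n: int) -> bytes:
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def ed25519_blob(pk: bytes) -> bytes:
    return ssh_string(b"ssh-ed25519") + ssh_string(pk)


def parse_blob(blob: bytes) -> list:
    """Split a key blob into its length-prefixed fields; fields[0] is the type."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from("!I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def pubkey_line(blob: bytes, comment: str = "") -> str:
    """authorized_keys / known_hosts style line: '<type> <base64 blob> <comment>'."""
    return f"{parse_blob(blob)[0].decode()} {base64.b64encode(blob).decode()} {comment}".rstrip()


def blob_from_line(line: str) -> bytes:
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    if parse_blob(blob)[0].decode() != keytype:
        raise ValueError("key type field does not match blob")
    return blob


def fingerprint_sha256(blob: bytes) -> str:
    # OpenSSH's current format: SHA256 of the blob, base64 without padding
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    # legacy colon-hex format, still shown by some devices and by ssh-keygen -E md5
    return "MD5:" + ":".join(f"{x:02x}" for x in hashlib.md5(blob).digest())


def server_is_trusted(presented_line: str, trusted_fingerprints) -> bool:
    """SSH server authentication: refuse any server whose host key fingerprint
    is not in the list the operator pinned beforehand."""
    try:
        fp = fingerprint_sha256(blob_from_line(presented_line))
    except ValueError:
        return False
    return fp in set(trusted_fingerprints)


# Constructed keys (toy sizes, not real keys).
RSA_KEY = rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
ED_KEY = ed25519_blob(bytes(range(32)))
TRUSTED = {fingerprint_sha256(RSA_KEY)}

if __name__ == "__main__":
    line = pubkey_line(RSA_KEY, "scp-server.example")
    print(line)
    print(fingerprint_sha256(RSA_KEY), fingerprint_md5(RSA_KEY))
    print("rsa server trusted:", server_is_trusted(line, TRUSTED))
    print("ed25519 server trusted:", server_is_trusted(pubkey_line(ED_KEY), TRUSTED))
```

Both fingerprint formats are computed over the same key blob, so whichever one the device displays can be checked against `ssh-keygen -l` output on the server. A single changed byte in the modulus changes the fingerprint entirely, which is what makes pinning effective against a substituted server key.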
19 Security: SSH Client SSH Client Configuration Through the GUI STEP 1 Click Security > SSH Client > Change User Password on SSH Server. STEP 2 Enter the following fields: • Server Definition—Define the SSH server by selecting either By IP Address or By Name. Enter the server name or IP address of the server in the Server IP Address/Name field. • IP Version—If you selected to specify the SSH server by IP address, select whether that IP address is an IPv4 or IPv6 address.
20 Security: SSH Server This section describes how to establish an SSH session on the device. It covers the following topics: • Overview • Common Tasks • SSH Server Configuration Pages Overview The SSH Server feature enables users to create an SSH session to the device. This is similar to establishing a telnet session, except that the session is secured. Public and private keys are automatically generated on the device. These can be modified by the user.
Common Tasks This section describes some common tasks performed using the SSH Server feature. Workflow 1: To log on to the device over SSH using the device’s automatically-created (default) key, perform the following: STEP 1 Enable SSH server in the TCP/UDP Services page and verify that SSH user authentication by public key is disabled in the SSH User Authentication page.
20 Security: SSH Server SSH Server Configuration Pages SSH Server Configuration Pages This section describes the pages used to configure the SSH Server feature. SSH User Authentication Use the SSH User Authentication page to enable SSH user authentication by public key and/or password, and (when using authentication by public key) to add an SSH client user that will be used to create an SSH session in an external SSH application (like PuTTY).
20 Security: SSH Server SSH Server Configuration Pages • SSH User Authentication by Password—Select to perform authentication of the SSH client user using the username/password configured in the local database (see Defining Users). • SSH User Authentication by Public Key—Select to perform authentication of the SSH client user using the public key. • Automatic Login—This field can be enabled if the SSH User Authentication by Public Key feature was selected. See Automatic Login.
20 Security: SSH Server SSH Server Configuration Pages STEP 3 You can perform any of the following actions: • Generate—Generates a key of the selected type. • Edit—Enables you to copy in a key from another device. • Delete—Enables you to delete a key. • Details—Enables you to view the generated key. The Details window also enables you to click Display Sensitive Data as Plaintext. If this is clicked, the keys are displayed as plaintext and not in encrypted form.
Access Control The Access Control List (ACL) feature is part of the security mechanism. ACL definitions serve as one of the mechanisms to define traffic flows that are given a specific Quality of Service (QoS). For more information see Quality of Service. ACLs enable network managers to define patterns (filters and actions) for ingress traffic. Packets entering the device on a port or LAG with an active ACL are either admitted or denied entry.
21 Access Control Access Control Lists When a packet matches an ACE filter, the ACE action is taken and that ACL processing is stopped. If the packet does not match the ACE filter, the next ACE is processed. If all ACEs of an ACL have been processed without finding a match, and if another ACL exists, it is processed in a similar manner. NOTE If no match is found to any ACE in all relevant ACLs, the packet is dropped (as a default action).
21 Access Control Defining MAC-based ACLs Creating ACLs Workflow To create ACLs and associate them with an interface, perform the following: 1. Create one or more of the following types of ACLs: a. MAC-based ACL by using the MAC Based ACL page and the MAC Based ACE page b. IP-based ACL by using the IPv4 Based ACL page and the IPv4 Based ACE page c. IPv6-based ACL by using the IPv6 Based ACL page and the IPv6 Based ACE page 2. Associate the ACL with interfaces by using the ACL Binding page.
21 Access Control Defining MAC-based ACLs MAC-based ACLs are defined in the MAC Based ACL page. The rules are defined in the MAC Based ACE page. To define a MAC-based ACL: STEP 1 Click Access Control > MAC-Based ACL. This page contains a list of all currently-defined MAC-based ACLs. STEP 2 Click Add. STEP 3 Enter the name of the new ACL in the ACL Name field. ACL names are case-sensitive. STEP 4 Click Apply. The MAC-based ACL is saved to the Running Configuration file.
21 Access Control Defining MAC-based ACLs • Time Range Name—If Time Range is selected, select the time range to be used. Time ranges are defined in the Time Range section. • Destination MAC Address—Select Any if all destination addresses are acceptable or User defined to enter a destination address or a range of destination addresses. • Destination MAC Address Value—Enter the MAC address to which the destination MAC address is to be matched and its mask (if relevant).
21 Access Control IPv4-based ACLs IPv4-based ACLs IPv4-based ACLs are used to check IPv4 packets, while other types of frames, such as ARPs, are not checked.
21 Access Control IPv4-based ACLs Adding Rules (ACEs) to an IPv4-Based ACL To add rules (ACEs) to an IPv4-based ACL: STEP 1 Click Access Control > IPv4-Based ACE. STEP 2 Select an ACL, and click Go. All currently-defined IP ACEs for the selected ACL are displayed. STEP 3 Click Add. STEP 4 Enter the parameters. • ACL Name—Displays the name of the ACL. • Priority—Enter the priority. ACEs with higher priority are processed first. • Action—Select the action assigned to the packet matching the ACE.
21 Access Control IPv4-based ACLs - UDP—User Datagram Protocol - HMP—Host Mapping Protocol - RDP—Reliable Datagram Protocol.
NOTE A wildcard mask is written as four decimal octets, one per group of eight bits. A 0 bit means the corresponding bit of the packet address must equal the ACE address; a 1 bit means that bit is ignored. For the mask 0000 0000 0000 0000 0000 0000 1111 1111, the first three octets are all zeros and the last octet is 1111 1111 = 255, so the mask is written as 0.0.0.255: match the first three octets exactly and accept any value in the last. This is the inverse of a subnet mask; a /24 network corresponds to the wildcard 0.0.0.255.
- IP Precedence to Match—IP precedence is a model of TOS (type of service) that the network uses to help provide the appropriate QoS commitments. This model uses the 3 most significant bits of the service type byte in the IP header, as described in RFC 791 and RFC 1349. • ICMP—If the IP protocol of the ACL is ICMP, select the ICMP message type used for filtering purposes.
21 Access Control IPv6-Based ACLs NOTE ACLs are also used as the building elements of flow definitions for per-flow QoS handling (see QoS Advanced Mode). Defining an IPv6-based ACL To define an IPv6-based ACL: STEP 1 Click Access Control > IPv6-Based ACL. This window contains the list of defined ACLs and their contents STEP 2 Click Add. STEP 3 Enter the name of a new ACL in the ACL Name field. The names are case-sensitive. STEP 4 Click Apply.
21 407 Access Control IPv6-Based ACLs • Time Range—Select to enable limiting the use of the ACL to a specific time range. • Time Range Name—If Time Range is selected, select the time range to be used. Time ranges are described in the Time Range section. • Protocol—Select to create an ACE based on a specific protocol. Select Any (IPv6) to accept all IP protocols. Otherwise select one of the following protocols: - TCP—Transmission Control Protocol.
21 Access Control IPv6-Based ACLs • Range—Select a range of TCP/UDP source ports to which the packet is matched. Destination Port—Select one of the available values. (They are the same as for the Source Port field described above). NOTE You must specify the IPv6 protocol for the ACL before you can configure the source and/or destination port. • TCP Flags—Select one or more TCP flags with which to filter packets. Filtered packets are either forwarded or dropped.
Defining ACL Binding When an ACL is bound to an interface, its ACE rules are applied to packets arriving at that interface. Packets that do not match any of the ACEs in the ACL are matched to a default rule, whose action is to drop unmatched packets. Each interface can be bound to only one ACL. The same ACL can, however, be applied to several interfaces, either directly or by grouping them into a policy-map and binding that policy-map to the interfaces.
• Permit Any—Select one of the following options: - Disable (Deny Any)—If a packet does not match any ACE, it is denied (dropped). - Enable—If a packet does not match any ACE, it is permitted (forwarded). NOTE Permit Any can be defined only if IP Source Guard is not activated on the interface. STEP 7 Click Apply. The ACL binding is modified, and the Running Configuration file is updated.
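The following added example (our code, not part of this guide or the switch firmware) puts the pieces of this chapter together: wildcard masks written as in the IPv4 NOTE, ACEs processed in priority order with the first match ending evaluation, and the binding's default action (deny unless Permit Any is enabled). It assumes that a lower priority number is processed first, which is the usual convention on these switches and should be confirmed on the device; the ACL and packets are constructed.

```python
# Added example, not from the Cisco guide: an IPv4 ACL evaluator that applies
# ACEs in priority order with the wildcard-mask convention from the NOTE above
# (0 bit = must match, 1 bit = don't care) and the default action described
# under ACL Binding. Assumption (not on the page): a lower priority number is
# processed first, as is usual on these switches. Packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def wildcard_from_bits(bits: str) -> str:
    """'0000 0000 0000 0000 0000 0000 1111 1111' -> '0.0.0.255'"""
    bits = bits.replace(" ", "")
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly 32 binary digits")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def wildcard_from_prefix(prefix_len: int) -> str:
    """/24 -> '0.0.0.255': the wildcard is the inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefix_len))


def ip_matches(packet_ip: str, ace_ip: str, wildcard: str) -> bool:
    p, a, w = (int(ipaddress.IPv4Address(x)) for x in (packet_ip, ace_ip, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return p & care == a & care


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                   # "tcp" | "udp" | "icmp" | ...
    dst_port: Optional[int] = None


@dataclass
class Ace:
    priority: int
    action: str                                 # "permit" | "deny"
    protocol: Optional[str] = None              # None = any IP protocol
    src: Optional[Tuple[str, str]] = None       # (address, wildcard); None = any
    dst: Optional[Tuple[str, str]] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.src is not None and not ip_matches(pkt.src, *self.src):
            return False
        if self.dst is not None and not ip_matches(pkt.dst, *self.dst):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate(acl, pkt: Packet, permit_any: bool = False) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; returns (action, priority). No match -> the
    binding's default action: deny unless Permit Any is enabled on the interface."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace.matches(pkt):
            return ace.action, ace.priority
    return ("permit" if permit_any else "deny"), None


# Constructed ACL: block Telnet into the management subnet, allow the rest of 10/8.
ACL = [
    Ace(10, "deny", "tcp", dst=("192.0.2.0", wildcard_from_prefix(24)), dst_port=23),
    Ace(20, "permit", None, src=("10.0.0.0", "0.255.255.255")),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", "192.0.2.5", "tcp", 23),
                Packet("10.1.2.3", "192.0.2.5", "tcp", 443),
                Packet("172.16.0.1", "192.0.2.5", "udp", 161)):
        print(pkt, "->", evaluate(ACL, pkt), "| with Permit Any:", evaluate(ACL, pkt, permit_any=True))
```

The third packet shows why the order of the two ACEs and the binding default both matter: it matches nothing, so it is dropped by the implicit rule, and only flipping Permit Any on the binding lets it through.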
22 Quality of Service The Quality of Service feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment.
22 Quality of Service QoS Features and Components QoS Features and Components The QoS feature is used to optimize network performance.
22 Quality of Service QoS Features and Components The header field to be trusted is entered in the Global Settings page. For every value of that field, an egress queue is assigned where the frame is sent in the CoS/802.1p to Queue page or the DSCP to Queue page (depending on whether the trust mode is CoS/802.1p or DSCP, respectively). • Advanced Mode—Per-flow Quality of Service (QoS).
STEP 3 Assign the schedule method (Strict Priority or WRR) and bandwidth allocation for WRR to the egress queues by using the Queue page. STEP 4 Designate an egress queue to each IP DSCP/TC value with the DSCP to Queue page. If the device is in DSCP trusted mode, incoming packets are put into the egress queues based on their DSCP/TC value. STEP 5 Designate an egress queue to each CoS/802.1p priority. If the device is in CoS/ 802.
22 Quality of Service Configuring QoS - General Setting QoS Properties To select the QoS mode: STEP 1 Click Quality of Service > General > QoS Properties. STEP 2 Set the QoS mode. The following options are available: • Disable—QoS is disabled on the device. • Basic—QoS is enabled on the device in Basic mode. • Advanced—QoS is enabled on the device in Advanced mode. STEP 3 Select Port/LAG and click GO to display/modify all ports/LAGs on the device and their CoS information.
22 Quality of Service Configuring QoS - General Configuring QoS Queues The device supports either 4 or 8 queues for each interface (selected in the System Mode and Stack Management page). Queue number four or eight is the highest priority queue. Queue number one is the lowest priority queue. There are two ways of determining how traffic in queues is handled, Strict Priority and Weighted Round Robin (WRR). • Strict Priority—Egress traffic from the highest-priority queue is transmitted first.
- Strict Priority—Traffic scheduling for the selected queue and all higher queues is based strictly on the queue priority. - WRR—Traffic scheduling for the selected queue is based on WRR. The period time is divided between the WRR queues that are not empty, meaning they have descriptors to egress. This happens only if the strict priority queues are empty. • WRR Weight—If WRR is selected, enter the WRR weight assigned to the queue.
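The following added example (our code, not part of this guide or the switch firmware) simulates the two scheduling modes just described on a static backlog: marking queue k as Strict makes k and every higher queue strict, those are always drained first (highest number first), and only when they are empty do the remaining queues share the period in proportion to their WRR weights. Weighting is done per packet rather than per byte, which is a simplification of ours; the queue depths and weights are constructed.

```python
# Added example, not from the Cisco guide: a packet-level simulation of the
# two egress scheduling modes described above. Queue numbering follows the
# page (queue 1 lowest, highest number highest). Marking queue k Strict makes
# k and every higher queue strict; the queues below k share bandwidth by WRR.
# Packet-based rather than byte-based weighting is a simplification of ours.
from collections import deque


def schedule(queues: dict, strict_from, weights: dict, max_packets: int = 10 ** 6) -> list:
    """queues: {qnum: deque(packet ids)}; strict_from: lowest strict queue
    number, or None for all-WRR; weights: WRR weight per non-strict queue.
    Returns the transmission order as (queue, packet) pairs."""
    strict_qs = sorted((q for q in queues if strict_from is not None and q >= strict_from), reverse=True)
    wrr_qs = sorted(q for q in queues if q not in strict_qs)
    for q in wrr_qs:
        if weights.get(q, 0) <= 0:
            raise ValueError(f"queue {q} needs a positive WRR weight")
    credit = {q: 0 for q in wrr_qs}
    order = []
    while len(order) < max_packets and any(queues.values()):
        # 1. Strict queues always win, highest number first.
        pending = [q for q in strict_qs if queues[q]]
        if pending:
            q = pending[0]
            order.append((q, queues[q].popleft()))
            continue
        # 2. WRR: a new round hands each non-empty queue its weight in credits;
        #    a queue that empties mid-round simply forfeits its remaining credit.
        active = [q for q in wrr_qs if queues[q]]
        if all(credit[q] <= 0 for q in active):
            for q in active:
                credit[q] = weights[q]
        for q in active:
            if credit[q] > 0:
                order.append((q, queues[q].popleft()))
                credit[q] -= 1
                break
    return order


def share_by_queue(order: list) -> dict:
    """Packets transmitted per queue over a slice of the order."""
    counts = {}
    for q, _ in order:
        counts[q] = counts.get(q, 0) + 1
    return counts


def make_queues(depths: dict) -> dict:
    return {q: deque(f"q{q}-{i}" for i in range(n)) for q, n in depths.items()}


if __name__ == "__main__":
    # Constructed backlog: 4-queue system, queue 4 strict, queues 1-3 WRR 1:2:4.
    qs = make_queues({1: 4, 2: 4, 3: 4, 4: 2})
    out = schedule(qs, strict_from=4, weights={1: 1, 2: 2, 3: 4})
    print([q for q, _ in out])
    print(share_by_queue(out[2:9]))   # share while all three WRR queues are backlogged
```

With queue 4 strict, both of its packets leave before anything else regardless of how deep the lower queues are; that is the property that protects control traffic, and also the reason a misclassified bulk flow landing in a strict queue can starve everything below it.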
802.1p Value (0-7, 7 highest) | Queue (4 queues, 1-4, 4 highest priority) | Notes
5 | 4 | Voice - Cisco IP phone default
6 | 4 | Interwork Control - LVS phone RTP
7 | 4 | Network Control
Default Mapping for 8 Queues Notes 802.
22 Quality of Service Configuring QoS - General • The device is in QoS Basic mode and CoS/802.1p trusted mode • The device is in QoS Advanced mode and the packets belong to flows that are CoS/802.1p trusted Queue 1 has the lowest priority, queue 4 or 8 has the highest priority. To map CoS values to egress queues: STEP 1 Click Quality of Service > General > CoS/802.1p to Queue. STEP 2 Enter the parameters. • 802.1p—Displays the 802.
The following tables describe the default DSCP to queue mapping for 4 and 8 queue systems:
Table 4 DSCP to Queue Default Mapping – 4 Queues System
DSCP 63 55 47 39 31 23 15 7 -> Queue 3 3 4 3 3 2 1 1
DSCP 62 54 46 38 30 22 14 6 -> Queue 3 3 4 3 3 2 1 1
DSCP 61 53 45 37 29 21 13 5 -> Queue 3 3 4 3 3 2 1 1
DSCP 60 52 44 36 28 20 12 4 -> Queue 3 3 4 3 3 2 1 1
DSCP 59 51 43 35 27 19 11 3 -> Qu
Table 5 DSCP to Queue Default Mapping – 8 Queues System (7 is highest and 8 is used for stack control purposes)
Queue 6 6 7 5 4 3 2 1
DSCP 61 53 45 37 29 21 13 5 -> Queue 6 6 7 5 4 3 2 1
DSCP 60 52 44 36 28 20 12 4 -> Queue 6 6 7 5 4 3 2 1
DSCP 59 51 43 35 27 19 11 3 -> Queue 6 6 7 5 4 3 2 1
DSCP 58 50 42 34 26 18 10 2 -> Queue 6 6 7 5 4 3 2 1
DSCP 57 49 41 33 25 17 9 1 -> Queue 6 6
Table 6 DSCP to Queue Default Mapping – 8 Queues System (8 is highest)
DSCP 59 51 43 35 27 19 11 3 -> Queue 7 7 8 6 5 4 3 1
DSCP 58 50 42 34 26 18 10 2 -> Queue 7 7 8 6 5 4 3 1
DSCP 57 49 41 33 25 17 9 1 -> Queue 7 7 8 6 5 4 3 1
DSCP 56 48 40 32 24 16 8 0 -> Queue 7 7 7 8 7 7 1 2
To map DSCP to queues: STEP 1 Click Quality of Service > General > DSCP to Queue.
22 Quality of Service Configuring QoS - General • Committed Burst Size (CBS) is the burst of data that is allowed to be sent, even though it is above the CIR. This is defined in number of bytes of data. To enter bandwidth limitation: STEP 1 Click Quality of Service > General > Bandwidth. The Bandwidth page displays bandwidth information for each interface. The % column is the ingress rate limit for the port divided by the total port bandwidth. STEP 2 Select an interface, and click Edit.
22 Quality of Service Configuring QoS - General Configuring Egress Shaping per Queue In addition to limiting transmission rate per port, which is done in the Bandwidth page, the device can limit the transmission rate of selected egressing frames on a per-queue per-port basis. Egress rate limiting is performed by shaping the output load. The device limits all frames except for management frames.
22 Quality of Service Configuring QoS - General Rate limiting per VLAN, performed in the VLAN Ingress Rate Limit page, enables traffic limiting on VLANs. When VLAN ingress rate limiting is configured, it limits aggregate traffic from all the ports on the device. The following constraints apply to rate limiting per VLAN: • It has lower precedence than any other traffic policing defined in the system.
22 Quality of Service QoS Basic Mode TCP Congestion Avoidance The TCP Congestion Avoidance page enables activating a TCP congestion avoidance algorithm. The algorithm breaks up or avoids TCP global synchronization in a congested node, where the congestion is due to various sources sending packets with the same byte count. To configure TCP congestion avoidance: STEP 1 Click Quality of Service > General > TCP Congestion Avoidance. STEP 2 Click Enable to enable TCP congestion avoidance, and click Apply.
22 Quality of Service QoS Basic Mode Configuring Global Settings The Global Settings page contains information for enabling Trust on the device (see the Trust Mode field below). This configuration is active when the QoS mode is Basic mode. Packets entering a QoS domain are classified at the edge of the QoS domain. To define the Trust configuration: STEP 1 Click Quality of Service > QoS Basic Mode > Global Settings. STEP 2 Select the Trust Mode while the device is in Basic mode.
Interface QoS Settings The Interface Settings page enables configuring QoS on each port of the device, as follows: QoS State Disabled on an Interface—All inbound traffic on the port is mapped to the best effort queue and no classification/prioritization takes place. QoS State of the Port is Enabled—The port prioritizes ingress traffic based on the system-wide configured trust mode, which is either CoS/802.1p trusted mode or DSCP trusted mode.
quality of services. Thus, a policy contains one or more flows, each with a user-defined QoS. • The QoS of a class map (flow) is enforced by the associated policer. There are two types of policers, single policer and aggregate policer. Each policer is configured with a QoS specification. A single policer applies the QoS to a single class map, and thus to a single flow, based on the policer QoS specification.
22 Quality of Service QoS Advanced Mode Workflow to Configure Advanced QoS Mode To configure Advanced QoS mode, perform the following: 1. Select Advanced mode for the system by using the QoS Properties page. Select the Trust Mode using the Global Settings page.
22 Quality of Service QoS Advanced Mode • CoS/802.1p—Traffic is mapped to queues based on the VPT field in the VLAN tag, or based on the per-port default CoS/802.1p value (if there is no VLAN tag on the incoming packet), the actual mapping of the VPT to queue can be configured in the mapping CoS/802.1p to Queue page. • DSCP—All IP traffic is mapped to queues based on the DSCP field in the IP header. The actual mapping of the DSCP to queue can be configured in the DSCP to Queue page.
22 Quality of Service QoS Advanced Mode If the exceed action is Out of Profile DSCP, the device remaps the original DSCP value of the out-of-profile IP packets with a new value based on the Out of Profile DSCP Mapping Table. The device uses the new values to assign resources and the egress queues to these packets. The device also physically replaces the original DSCP value in the out of profile packets with the new DSCP value.
22 Quality of Service QoS Advanced Mode Defining Class Mapping A Class Map defines a traffic flow with ACLs (Access Control Lists). A MAC ACL, IP ACL, and IPv6 ACL can be combined into a class map. Class maps are configured to match packet criteria on a match-all or match-any basis. They are matched to packets on a first-fit basis, meaning that the action associated with the first-matched class map is the action performed by the system.
22 Quality of Service QoS Advanced Mode • MAC—Select the MAC based ACL for the class map. • Preferred ACL—Select whether packets are first matched to an IP-based ACL or a MAC-based ACL. STEP 4 Click Apply. The Running Configuration file is updated. QoS Policers NOTE QoS policers are not supported on Sx500 devices in Layer 3 system mode. They are always supported on SG500X devices.
22 Quality of Service QoS Advanced Mode Each policer is defined with its own QoS specification with a combination of the following parameters: • A maximum allowed rate, called a Committed Information Rate (CIR), measured in Kbps. • An amount of traffic, measured in bytes, called a Committed Burst Size (CBS). This is traffic that is allowed to pass as a temporary burst even if it is above the defined maximum rate.
• Ingress Committed Burst Size (CBS)—Enter the maximum burst size (even if it goes beyond the CIR) in bytes. See the description of this in the Bandwidth page.
• Exceed Action—Select the action to be performed on incoming packets that exceed the CIR. Possible values are:
- Forward—Packets exceeding the defined CIR value are forwarded.
- Drop—Packets exceeding the defined CIR value are dropped.
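The following is an added worked example, written for this page and not Cisco's own implementation, that models the policer described above (CIR in Kbps, CBS in bytes) as a token bucket and applies the three exceed actions the guide lists: Forward, Drop, and Out of Profile DSCP remapping. The DSCP remap table, packet sizes and arrival times in `demo()` are constructed sample values, not device defaults.

```python
"""Token-bucket model of a single-rate policer with CIR (Kbps), CBS (bytes)
and an exceed action of Forward, Drop, or Out of Profile DSCP remapping.
Added illustrative example; not the switch's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class ExceedAction(Enum):
    FORWARD = "forward"
    DROP = "drop"
    OUT_OF_PROFILE_DSCP = "out_of_profile_dscp"


@dataclass
class Packet:
    size: int             # bytes on the wire
    dscp: Optional[int]   # None for non-IP traffic (no DSCP to remap)


@dataclass
class Policer:
    cir_kbps: int
    cbs_bytes: int
    exceed_action: ExceedAction
    # Out of Profile DSCP Mapping Table (original DSCP -> new DSCP).
    # Constructed sample; the real table is configured on the device.
    oop_dscp_map: Dict[int, int] = field(default_factory=dict)
    tokens: float = field(init=False, default=0.0)
    last_time: float = field(init=False, default=0.0)
    in_profile: int = field(init=False, default=0)
    out_of_profile: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        # The bucket starts full, so an initial burst of up to CBS bytes
        # passes even though it exceeds the CIR (the "temporary burst").
        self.tokens = float(self.cbs_bytes)

    def _refill(self, now: float) -> None:
        # 1 Kbps = 1000 bit/s = 125 bytes/s; the bucket never exceeds CBS.
        elapsed = max(0.0, now - self.last_time)
        self.tokens = min(float(self.cbs_bytes),
                          self.tokens + elapsed * self.cir_kbps * 125.0)
        self.last_time = now

    def police(self, pkt: Packet, now: float) -> Tuple[str, Optional[Packet]]:
        """Return ("in"|"out", packet); packet is None when the action is Drop."""
        self._refill(now)
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            self.in_profile += 1
            return "in", pkt
        self.out_of_profile += 1
        if self.exceed_action is ExceedAction.DROP:
            return "out", None
        if self.exceed_action is ExceedAction.OUT_OF_PROFILE_DSCP and pkt.dscp is not None:
            # The device rewrites the DSCP field itself and later uses the
            # new value for egress queue assignment (DSCP to Queue table).
            return "out", Packet(pkt.size, self.oop_dscp_map.get(pkt.dscp, pkt.dscp))
        return "out", pkt   # Forward: exceeding packets pass unchanged


def demo() -> Dict[str, object]:
    """Constructed scenario: CIR 1000 Kbps, CBS 3000 bytes, remap AF41 (34)
    to AF43 (38) when out of profile. Four 1500-byte packets arrive at t=0,
    then one more after 100 ms, by which time the bucket has refilled."""
    pol = Policer(cir_kbps=1000, cbs_bytes=3000,
                  exceed_action=ExceedAction.OUT_OF_PROFILE_DSCP,
                  oop_dscp_map={34: 38})
    results: List[Tuple[str, Optional[Packet]]] = []
    for _ in range(4):
        results.append(pol.police(Packet(1500, 34), now=0.0))
    results.append(pol.police(Packet(1500, 34), now=0.1))
    return {
        "in_profile": pol.in_profile,
        "out_of_profile": pol.out_of_profile,
        "dscps": [p.dscp if p is not None else None for _, p in results],
    }


if __name__ == "__main__":
    print(demo())   # {'in_profile': 3, 'out_of_profile': 2, 'dscps': [34, 34, 38, 38, 34]}
```

The third and fourth packets of the burst exceed the 3000-byte CBS and leave the policer with their DSCP rewritten to 38; after 100 ms of silence the bucket is full again and the fifth packet is in profile. Swap in `ExceedAction.DROP` to see the same packets discarded instead.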
STEP 4 Click Apply. The QoS policy profile is added, and the Running Configuration file is updated.
Policy Class Maps
One or more class maps can be added to a policy. A class map defines the type of packets that are considered to belong to the same traffic flow.
NOTE You cannot configure a policer to a class map when the device is operating in Layer 3 mode. The device supports policers only in Layer 2 mode.
If the new value (0..7) is a CoS/802.1p priority, use the priority value and the CoS/802.1p to Queue Table to determine the egress queue of all the matching packets. If the new value (0..63) is a DSCP, use the new DSCP and the DSCP to Queue Table to determine the egress queue of the matching IP packets. Otherwise, use the new value (1..8) as the egress queue number for all the matching packets.
• Police Type—Available in Layer 2 system mode only.
Managing QoS Statistics
Policy Binding
The Policy Binding page shows which policy profile is bound and to which port. When a policy profile is bound to a specific port, it is active on that port. Only one policy profile can be configured on a single port, but a single policy can be bound to more than one port. When a policy is bound to a port, it filters and applies QoS to ingress traffic that belongs to the flows defined in the policy.
Policer Statistics
A Single Policer is bound to a class map from a single policy. An Aggregate Policer is bound to one or more class maps from one or more policies.
Viewing Single Policer Statistics
The Single Policer Statistics page indicates the number of in-profile and out-of-profile packets that are received from an interface that meet the conditions defined in the class map of a policy.
NOTE This page is not displayed when the device is in Layer 3 mode.
Viewing Aggregated Policer Statistics
To view aggregated policer statistics:
STEP 1 Click Quality of Service > QoS Statistics > Aggregate Policer Statistics. This page displays the following fields:
• Aggregate Policer Name—Policer on which statistics are based.
• In-profile bytes—Number of in-profile packets that were received.
• Out-of-profile bytes—Number of out-of-profile packets that were received.
STEP 2 Click Add.
• 60 Sec—Statistics are refreshed every 60 seconds.
• Counter Set—The options are:
- Set 1—Displays the statistics for Set 1 that contains all interfaces and queues with a high DP (Drop Precedence).
- Set 2—Displays the statistics for Set 2 that contains all interfaces and queues with a low DP.
• Interface—Queue statistics are displayed for this interface.
• Queue—Packets were forwarded or tail dropped from this queue.
- Set 1—Displays the statistics for Set 1 that contains all interfaces and queues with a high DP (Drop Precedence).
- Set 2—Displays the statistics for Set 2 that contains all interfaces and queues with a low DP.
• Interface—Select the ports for which statistics are displayed. The options are:
- Port—Selects the port on the selected unit number for which statistics are displayed.
- All Ports—Specifies that statistics are displayed for all ports.
23 SNMP
This section describes the Simple Network Management Protocol (SNMP) feature that provides a method for managing network devices.
SNMP Versions and Workflow
SNMPv1 and v2
To control access to the system, a list of community entries is defined. Each community entry consists of a community string and its access privilege. The system responds only to SNMP messages specifying the community which has the correct permissions and correct operation. SNMP agents maintain a list of variables that are used to manage the device. These variables are defined in the Management Information Base (MIB).
If you decide to use SNMPv1 or v2:
STEP 1 Navigate to the SNMP -> Communities page and click Add. The community can be associated with access rights and a view in Basic mode or with a group in Advanced mode. There are two ways to define access rights of a community:
• Basic mode—The access rights of a community can be configured with Read Only, Read Write, or SNMP Admin.
STEP 7 Define a notification recipient(s) by using the Notification Recipients SNMPv3 page.
Supported MIBs
For a list of supported MIBs, visit the following URL and navigate to the download area listed as Cisco MIBS: www.cisco.com/cisco/software/navigator.html
Model OIDs
The following are the device model Object IDs (OIDs):
Model Name | Description | Object ID
SG300-10 | 8 GE ports, and 2 special-purpose combo ports (GE/SFP) | 9.6.1.83.10.
Model Name | Description | Object ID
SF300-24 | 24 FE ports plus 4 GE special-purpose ports - 2 uplinks and 2 combo-ports | 9.6.1.82.24.1
SF300-24P | 24 FE ports plus 4 GE special-purpose ports - 2 uplinks and 2 combo-ports | 9.6.1.82.24.2
SF300-48 | 48 FE ports plus 4 GE special-purpose ports - 2 uplinks and 2 combo-ports | 9.6.1.82.48.1
SF300-48P | 48 FE ports plus 4 GE special-purpose ports - 2 uplinks and 2 combo-ports | 9.6.1.82.48.
SNMP Engine ID
Local information is stored in four MIB variables that are read-only (snmpEngineId, snmpEngineBoots, snmpEngineTime, and snmpEngineMaxMessageSize).
CAUTION When the engine ID is changed, all configured users and groups are erased.
To define the SNMP engine ID:
STEP 1 Click SNMP > Engine ID.
STEP 2 Choose which to use for Local Engine ID.
• Use Default—Select to use the device-generated engine ID.
- Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
- Global—The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.
• Object ID Subtree—Select the node in the MIB tree that is included or excluded in the selected SNMP view. The options to select the object are as follows:
- Select from list—Enables you to navigate the MIB tree. Press the Up arrow to go to the level of the selected node's parent and siblings; press the Down arrow to descend to the level of the selected node's children. Click nodes in the view to pass from one node to its sibling.
• Privacy—SNMP frames can carry encrypted data.
Thus, in SNMPv3, there are three levels of security:
- No security (No authentication and no privacy)
- Authentication (Authentication and no privacy)
- Authentication and privacy
SNMPv3 provides a means of controlling the content each user can read or write and the notifications they receive. A group defines read/write privileges and a level of security.
• Authentication and Privacy—Authenticates SNMP messages, and encrypts them.
• View—Associating a view with the read, write, and notify access privileges of the group limits the scope of the MIB tree to which the group has read, write, and notify access.
- View—Select a previously defined view for Read, Write and Notify.
- Read—Management access is read-only for the selected view.
Managing SNMP Users
To display SNMP users and define new ones:
STEP 1 Click SNMP > Users. This page contains existing users.
STEP 2 Click Add. This page provides information for assigning SNMP access control privileges to SNMP users.
STEP 3 Enter the parameters.
• User Name—Enter a name for the user.
• Engine ID—Select either the local or remote SNMP entity to which the user is connected. Changing or removing the local SNMP Engine ID deletes the SNMPv3 User Database.
• Authentication Password—If authentication is accomplished by either an MD5 or a SHA password, enter the local user password in either Encrypted or Plaintext. Local user passwords are compared to the local database and can contain up to 32 ASCII characters.
• Privacy Method—Select one of the following options:
- None—Privacy password is not encrypted.
- DES—Privacy password is encrypted according to the Data Encryption Standard (DES).
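The following added example (not Cisco's code) shows what an SNMPv3 agent actually stores for an MD5 or SHA authentication password, following the RFC 3414 password-to-key and key-localization procedure, and why the Engine ID caution earlier in this chapter holds: the stored key is derived from both the password and the local engine ID, so a new engine ID invalidates every existing user key. The "maplesyrup" password and the all-zero engine ID ending in 02 are the RFC 3414 Appendix A test vectors; the second engine ID in `demo()` is a constructed sample.

```python
"""SNMPv3 USM password-to-key (RFC 3414 A.2) and key localization (RFC 3414
section 2.6). Added illustrative example; not the switch's implementation.
"""
import hashlib
from typing import Dict, Tuple

_EXPANSION_LEN = 1_048_576   # password is repeated to 1 MiB before hashing


def password_to_key(password: str, algorithm: str) -> bytes:
    """Ku = H(password repeated/truncated to 1,048,576 bytes).

    algorithm is a hashlib name: "md5" (usmHMACMD5AuthProtocol) or
    "sha1" (usmHMACSHAAuthProtocol).
    """
    pw = password.encode("utf-8")
    full, rem = divmod(_EXPANSION_LEN, len(pw))
    return hashlib.new(algorithm, pw * full + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key bound to one engine."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_auth_key(password: str, engine_id: bytes, algorithm: str = "md5") -> bytes:
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


def des_privacy_key(kul: bytes) -> Tuple[bytes, bytes]:
    """For usmDESPrivProtocol (RFC 3414 8.1.1.1): the first 8 bytes of the
    localized privacy key are the DES key, the next 8 bytes the pre-IV."""
    return kul[:8], kul[8:16]


def demo() -> Dict[str, str]:
    """Same password, two engine IDs -> two unrelated localized keys."""
    engine_a = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 vector
    engine_b = bytes.fromhex("800000090300aabbccddeeff")   # constructed sample ID
    return {
        "ku_md5": password_to_key("maplesyrup", "md5").hex(),
        "kul_engine_a": localized_auth_key("maplesyrup", engine_a).hex(),
        "kul_engine_b": localized_auth_key("maplesyrup", engine_b).hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because only `Kul` is kept on the agent, a device whose engine ID changes has no way to re-derive valid keys without the original passwords, which is why this guide says the SNMPv3 user database is deleted when the local engine ID is changed or removed.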
Defining SNMP Communities
To define SNMP communities:
STEP 1 Click SNMP > Communities. This page contains a table of configured SNMP communities and their properties.
STEP 2 Click Add. This page enables network managers to define and configure new SNMP communities.
STEP 3 SNMP Management Station—Click User Defined to enter the management station IP address that can access the SNMP community. Click All to indicate that any IP device can access the SNMP community.
- Read Write—Management access is read-write. Changes can be made to the device configuration, but not to the community.
- SNMP Admin—User has access to all device configuration options, as well as permissions to modify the community. SNMP Admin is equivalent to Read Write for all MIBs except for the SNMP MIBs. SNMP Admin is required for access to the SNMP MIBs.
• View Name—Select an SNMP view (a collection of MIB subtrees to which access is granted).
Notification Recipients
Trap messages are generated to report system events, as defined in RFC 1215. The system can generate traps defined in the MIB that it supports. Trap receivers (also known as Notification Recipients) are network nodes to which the device sends the trap messages. A list of notification recipients is defined as the targets of trap messages.
• IP Version—Select either IPv4 or IPv6.
• IPv6 Address Type—Select either Link Local or Global.
- Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
Defining SNMPv3 Notification Recipients
To define a recipient in SNMPv3:
STEP 1 Click SNMP > Notification Recipients SNMPv3. This page contains recipients for SNMPv3.
STEP 2 Click Add.
STEP 3 Enter the parameters.
• Server Definition—Select whether to specify the remote log server by IP address or name.
• IP Version—Select either IPv4 or IPv6.
• IPv6 Address Type—Select the IPv6 address type (if IPv6 is used).
• User Name—Select from the drop-down list the user to whom SNMP notifications are sent. In order to receive notifications, this user must be defined on the SNMP User page, and its engine ID must be remote.
• Security Level—Select how much authentication is applied to the packet.
NOTE The Security Level here depends on which User Name was selected. If this User Name was configured as No Authentication, the Security Level is No Authentication only.
SNMP Notification Filters
To define a notification filter:
STEP 1 Click SNMP > Notification Filter. The Notification Filter page contains notification information for each filter. The table is able to filter notification entries by Filter Name.
STEP 2 Click Add.
STEP 3 Enter the parameters.
• Filter Name—Enter a name between 0-30 characters.
• Object ID Subtree—Select the node in the MIB tree that is included or excluded in the selected SNMP filter.
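SNMP views (the Object ID Subtree field in the Views page), the View Name on a community, and notification filters all use the same include/exclude subtree semantics. The following added example (written for this page, not Cisco's code) implements the view-matching rule of RFC 3415 section 3.2: among the entries whose subtree matches an OID, the one with the longest subtree decides, and an OID matched by no entry is excluded. The sample view is constructed and mirrors the statement above that SNMP Admin is needed for the SNMP MIBs, by excluding the USM and VACM subtrees from an otherwise open view; the row-restricting mask entry is likewise a constructed sample.

```python
"""RFC 3415 VACM view-tree matching (include/exclude subtrees with optional
family mask). Added illustrative example; not the switch's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """'1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0)."""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass(frozen=True)
class ViewEntry:
    subtree: OID
    included: bool
    # vacmViewTreeFamilyMask: True = sub-identifier must match, False = wildcard.
    # None means all ones (plain prefix match), which is what the Views page uses.
    mask: Optional[Tuple[bool, ...]] = None


def _matches(entry: ViewEntry, oid: OID) -> bool:
    if len(oid) < len(entry.subtree):
        return False
    for i, sub in enumerate(entry.subtree):
        significant = True if entry.mask is None or i >= len(entry.mask) else entry.mask[i]
        if significant and oid[i] != sub:
            return False
    return True


def is_in_view(view: List[ViewEntry], oid: OID) -> bool:
    """Longest matching subtree wins (ties: lexicographically greatest subtree);
    no matching entry means the OID is not in the view."""
    best: Optional[ViewEntry] = None
    for entry in view:
        if _matches(entry, oid):
            if best is None or (len(entry.subtree), entry.subtree) > (len(best.subtree), best.subtree):
                best = entry
    return best is not None and best.included


# Constructed sample view for a Read Write (non-SNMP-Admin) community:
# everything under iso.org.dod.internet is visible except the SNMP USM
# (1.3.6.1.6.3.15) and VACM (1.3.6.1.6.3.16) MIBs.
READ_WRITE_VIEW: List[ViewEntry] = [
    ViewEntry(parse_oid("1.3.6.1"), included=True),
    ViewEntry(parse_oid("1.3.6.1.6.3.15"), included=False),
    ViewEntry(parse_oid("1.3.6.1.6.3.16"), included=False),
]

# Constructed sample using a mask: only ifTable row 3 (any column) is visible.
# Index 9 of the subtree is the column sub-identifier, wildcarded by the mask.
ONE_INTERFACE_VIEW: List[ViewEntry] = [
    ViewEntry(parse_oid("1.3.6.1.2.1.2.2.1.0.3"), included=True,
              mask=(True,) * 9 + (False, True)),
]


def demo() -> Dict[str, bool]:
    probes = {
        "sysDescr.0": "1.3.6.1.2.1.1.1.0",
        "usmUserAuthProtocol row": "1.3.6.1.6.3.15.1.2.2.1.5",
        "vacmAccessTable row": "1.3.6.1.6.3.16.1.4.1.4",
        "snmpTrapOID.0": "1.3.6.1.6.3.1.1.4.1.0",
        "outside iso.org.dod.internet": "2.0",
    }
    return {name: is_in_view(READ_WRITE_VIEW, parse_oid(oid)) for name, oid in probes.items()}


if __name__ == "__main__":
    for name, visible in demo().items():
        print(f"{name:30s} {'included' if visible else 'excluded'}")
```

`snmpTrapOID.0` stays visible because its longest matching entry is the included `1.3.6.1` root, whereas anything under the USM or VACM subtrees hits a longer, excluded entry. The same function can serve as a notification filter by passing the trap's object identifier.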
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) © 2010-2013 Cisco Systems, Inc. All rights reserved.