ADMINISTRATION GUIDE
Cisco 500 Series Stackable Managed Switch Administration Guide, Release 1.3
Contents

Chapter 1: Getting Started
  Starting the Web-based Configuration Utility
  Quick Start Device Configuration
  Interface Naming Conventions
  Differences Between Sx500, SG500X, ESW2-550X and the SG500XG Devices
  Window Navigation
Chapter 2: Status and Statistics
  System Summary
  Viewing Ethernet Interfaces
  Viewing Etherlike Statistics
  Viewing GVRP Statistics
  Viewing 802.1X EAP Statistics
Chapter 3: Administration: System Log
  Setting System Log Settings
  Setting Remote Logging Settings
  Viewing Memory Logs
Chapter 4: Administration: File Management
  Upgrade/Backup Firmware/Language
  Active Image
  Download/Backup Configuration/Log
  Configuration Files Properties
  Copy/Save Configuration
  Auto Configuration via DHCP
Chapter 5: Administration: Stack Management
  Overview
  Types of Units in Stack
  Stack Topology
  Unit ID Assignment
  Master Selection Process
  Stack Changes
  Unit Failure in Stack
  Software Auto Synchronization in Stack
  Stack Unit Mode
  Stack Ports

  Time Settings
  System Log
  File Management
  Rebooting the Device
  Routing Resources
  Health
  Diagnostics
  Discovery - Bonjour
  UDLD
  Discovery - LLDP
  Discovery - CDP
  Ping
  Traceroute
Chapter 7: Administration: Time Settings
  System Time Options
  SNTP Modes
  Configuring System Time

Chapter 10: Administration: Unidirectional Link Detection
  UDLD Overview
  UDLD Operation
  Usage Guidelines
  Dependencies On Other Features
  Default Settings and Configuration
  Before You Start
  Common UDLD Tasks
  Configuring UDLD
Chapter 11: Port Management
  Configuring Ports
  Setting Port Configuration
  Link Aggregation
  PoE
  Configuring Green Ethernet
Chapter 12: Smartport
  Overview
  What is a Smartport
  Built-in Smartport Macros
Chapter 13: Port Management: PoE
  PoE on the Device
  Configuring PoE Properties
  Configuring PoE Settings
Chapter 14: VLAN Management
  VLANs
  Configuring Default VLAN Settings
  Creating VLANs
  Configuring VLAN Interface Settings
  Defining VLAN Membership
  GVRP Settings
  VLAN Groups
  Voice VLAN
  Access Port Multicast TV VLAN
  Customer Port Multicast TV VLAN

Chapter 16: Managing MAC Address Tables
  Configuring Static MAC Addresses
  Managing Dynamic MAC Addresses
  Defining Reserved MAC Addresses
Chapter 17: Multicast
  Multicast Forwarding
  Defining Multicast Properties
  Adding MAC Group Address
  Adding IP Multicast Group Addresses
  Configuring IGMP Snooping
  MLD Snooping
  Querying IGMP/MLD IP Multicast Group
  Defining Multicast Router Ports
  Defining Forward All Multicast

  Overview
  Configurable Elements of VRRP
  Configuring VRRP
Chapter 21: Security
  Defining Users
  Configuring TACACS+
  Configuring RADIUS
  Key Management
  Management Access Method
  Management Access Authentication
  Secure Sensitive Data Management
  SSL Server
  SSH Server
  SSH Client
  Configuring TCP/UDP Services
  Defining Storm Control

  Defining Time Ranges
  Authentication Method and Port Mode Support
Chapter 23: Security: First Hop Security
  First Hop Security Overview
  Router Advertisement Guard
  Neighbor Discovery Inspection
  DHCPv6 Guard
  Neighbor Binding Integrity
  Attack Protection
  Policies, Global Parameters and System Defaults
  Common Tasks
  Default Settings and Configuration
  Before You Start

Chapter 26: Security: Secure Sensitive Data Management
  Introduction
  SSD Rules
  SSD Properties
  Configuration Files
  SSD Management Channels
  Menu CLI and Password Recovery
  Configuring SSD
Chapter 27: Access Control
  Access Control Lists
  Defining MAC-based ACLs
  IPv4-based ACLs
  IPv6-Based ACLs
  Defining ACL Binding
Chapter 28: Quality of Service
  QoS Features and Components
  Configuring QoS - General

  Defining SNMP Communities
  Defining Trap Settings
  Notification Recipients
  SNMP Notification Filters
1 Getting Started

This section provides an introduction to the web-based configuration utility and covers the following topics:
• Starting the Web-based Configuration Utility
• Quick Start Device Configuration
• Interface Naming Conventions
• Differences Between 500 Devices
• Window Navigation

Starting the Web-based Configuration Utility

This section describes how to navigate the web-based switch configuration utility. If you are using a pop-up blocker, make sure it is disabled.

NOTE When the device is using the factory default IP address of 192.168.1.254, its power LED flashes continuously. When the device is using a DHCP-assigned IP address or an administrator-configured static IP address, the power LED is on solid.

Logging In

The default username is cisco and the default password is cisco. The first time that you log in with the default username and password, you are required to enter a new password. The factory credentials are printed in this guide and therefore public knowledge, so choose a new password that is not reused on any other device.

When the login attempt is successful, the Getting Started page appears. If you entered an incorrect username or password, an error message appears and the Login page remains displayed. If you are having problems logging in, see the Launching the Configuration Utility section in the Administration Guide for additional information.

The red X icon next to the Save link (see Window Navigation) flashes in the following cases:
• Configuration changes have not yet been saved to the Startup Configuration file. The flashing can be disabled by clicking the Disable Save Icon Blinking button on the Copy/Save Configuration page.
• The device auto-discovers an attached device, such as an IP phone (see What is a Smartport), and configures the port appropriately for it. These configuration commands are written to the Running Configuration file.
Quick Start Device Configuration

To simplify device configuration through quick navigation, the Getting Started page provides links to the most commonly used pages.

Interface Naming Conventions

Within the GUI, interfaces are denoted by concatenating the following elements:
• Type of interface: The following types of interfaces are found on the various types of devices:
- Fast Ethernet (10/100 Mbps)—displayed as FE.
- Gigabit Ethernet (10/100/1000 Mbps)—displayed as GE.
- Ten Gigabit Ethernet (10 Gbps)—displayed as XG.
- LAG (Port Channel)—displayed as LAG.

Differences Between 500 Devices

• Enabling IPv4 routing is done differently on the devices, as follows:
- SG500X/SG500XG/ESW2-550X—IPv4 routing must be enabled on the IPv4 Interface page.
- Sx500—When the device is switched from Layer 2 to Layer 3 system mode, IPv4 routing is enabled automatically.
Window Navigation

This section describes the features of the web-based switch configuration utility.

Application Header

The Application Header appears on every page. It provides the following application links:
• Save—A flashing red X icon displayed to the left of the Save application link indicates that Running Configuration changes have been made that have not yet been saved to the Startup Configuration file.
• Language Menu—This menu provides the following options:
- Select a language: Select one of the languages that appear in the menu. This language is used for the web-based configuration utility.
- Download Language: Add a new language to the device.
- Delete Language: Deletes the second language on the device. The first language (English) cannot be deleted.
- Debug: Used for translation purposes.

Management Buttons

The following table describes the commonly used buttons that appear on various pages in the system.
• Entries per page—Use the pull-down menu to configure the number of entries per page.
• Mandatory field indicator—Indicates a mandatory field.
• Add—Click to display the related Add page and add an entry to a table. Enter the information and click Apply to save it to the Running Configuration. Click Close to return to the main page.
• Copy Settings—A table typically contains one or more entries containing configuration settings. Instead of modifying each entry individually, it is possible to modify one entry and then copy the selected entry to multiple entries, as described below:
1. Select the entry to be copied. Click Copy Settings to display the popup.
2. Enter the destination entry numbers in the to field.
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
2 Status and Statistics

This section describes how to view device statistics. It covers the following topics:
• System Summary
• Viewing Ethernet Interfaces
• Viewing Etherlike Statistics
• Viewing GVRP Statistics
• Viewing 802.1X EAP Statistics
• Viewing TCAM Utilization
• Health
• Managing RMON
• View Log

System Summary

See System Settings.

Viewing Ethernet Interfaces

The Interface page displays traffic statistics per port. The refresh rate of the information can be selected.

To display Ethernet statistics and/or set the refresh rate:
STEP 1 Click Status and Statistics > Interface.
STEP 2 Enter the parameters.
• Interface—Select the type of interface and the specific interface for which Ethernet statistics are to be displayed.
• Refresh Rate—Select the time period that passes before the interface Ethernet statistics are refreshed. The available options are:
- No Refresh—Statistics are not refreshed.

Viewing Etherlike Statistics

The Etherlike page displays statistics per port according to the Etherlike MIB standard definition. The refresh rate of the information can be selected. This page provides more detailed information about errors in the physical layer (Layer 1) that might disrupt traffic.

To view Etherlike statistics and/or set the refresh rate:
STEP 1 Click Status and Statistics > Etherlike.
STEP 2 Enter the parameters.
• Click View All Interfaces Statistics to see all ports on a single page.

Viewing GVRP Statistics

The GVRP page displays information about GARP VLAN Registration Protocol (GVRP) frames that were sent or received on a port. GVRP is a standards-based Layer 2 protocol for automatic configuration of VLAN information on switches. It was originally defined in IEEE 802.1Q; the 802.1ak amendment to 802.1Q-2005 replaced it with the Multiple VLAN Registration Protocol (MVRP). Because GVRP lets a neighbor register VLANs on a port dynamically, the per-port counters here are also a quick check that GVRP frames arrive only on the trunk ports where you expect them.

• Invalid Attribute Value—Invalid attribute value errors.
• Invalid Attribute Length—Invalid attribute length errors.
• Invalid Event—Invalid events.
To clear statistics counters:
• Click Clear Interface Counters to clear the selected counters.
• Click View All Interfaces Statistics to see all ports on a single page.

Viewing 802.1X EAP Statistics

• EAP Request/ID Frames Transmitted—EAP Request/Identity frames transmitted by the port.
• EAP Request Frames Transmitted—EAP Request frames transmitted by the port.
• Invalid EAPOL Frames Received—Unrecognized EAPOL frames received on this port.
• EAP Length Error Frames Received—EAPOL frames with an invalid Packet Body Length received on this port.
• Last EAPOL Frame Version—Protocol version number carried in the most recently received EAPOL frame.
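The following Python script is an added example, not part of the Cisco guide, that shows what the Invalid EAPOL Frames Received and EAP Length Error Frames Received counters actually measure. It parses the IEEE 802.1X EAPOL header (version, packet type, Packet Body Length) and the EAP header inside an EAP-Packet, then tallies a handful of constructed frames into the same buckets the page lists. The MAC addresses, EAP identifiers and frame contents are constructed test data, and the counter names are this example's own, not the switch's.

```python
"""Added example: classify EAPOL frames into the 802.1X EAP Statistics counters."""
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def build_eapol(version, ptype, body=b"", declared_len=None, pad_to=64):
    """Constructed test frame: Ethernet header, 4-byte EAPOL header, body, padded to a
    minimum-size frame like a real one. declared_len lets a test lie in Packet Body Length."""
    dst = bytes.fromhex("0180c2000003")            # 802.1X PAE group address
    src = bytes.fromhex("001122334455")            # constructed supplicant MAC
    length = len(body) if declared_len is None else declared_len
    frame = dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, ptype, length) + body
    return frame + bytes(max(0, pad_to - len(frame)))


def classify_eapol(frame):
    """Return the receive counter (this example's names) that the frame would increment."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return "not_eapol"
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:]                              # may carry Ethernet padding past body_len
    if ptype not in EAPOL_TYPES:
        return "invalid_eapol"                     # unrecognised packet type
    if body_len > len(body):
        return "length_error"                      # Packet Body Length claims bytes that are not there
    if ptype == 0:                                 # EAP-Packet: the EAP header must fit and agree
        if body_len < 4:
            return "length_error"
        code, _ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > body_len:
            return "length_error"
        if code not in EAP_CODES:
            return "invalid_eapol"
        if code == 1 and eap_len >= 5 and body[4] == EAP_TYPE_IDENTITY:
            return "eap_request_id"
        return "eap_" + EAP_CODES[code].lower()
    return EAPOL_TYPES[ptype].lower().replace("-", "_")


def tally(frames):
    """Count frames per counter and remember the version of the last EAPOL frame seen."""
    counts, last_version = Counter(), None
    for frame in frames:
        kind = classify_eapol(frame)
        counts[kind] += 1
        if kind != "not_eapol":
            last_version = frame[14]
    return counts, last_version


SAMPLE_FRAMES = [                                  # constructed input
    build_eapol(2, 1),                                                    # EAPOL-Start
    build_eapol(2, 0, struct.pack("!BBHB", 1, 7, 5, EAP_TYPE_IDENTITY)),  # EAP Request/Identity
    build_eapol(2, 0, struct.pack("!BBH", 2, 7, 40)),                     # EAP Response whose Length exceeds the body
    build_eapol(1, 3, bytes(10), declared_len=500),                       # EAPOL-Key with an impossible body length
    build_eapol(2, 9),                                                    # unknown EAPOL packet type
]

if __name__ == "__main__":
    counts, version = tally(SAMPLE_FRAMES)
    print(dict(counts), "last EAPOL version:", version)
```

A supplicant or a rogue device that fuzzes the authenticator port shows up here as a growing invalid or length-error count before any authentication result is logged, which is why these two counters are worth watching alongside the transmit counters.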
Viewing TCAM Utilization

• IPv4 Routing
- In Use—Number of TCAM entries used for IPv4 routing.
- Maximum—Number of available TCAM entries that can be used for IPv4 routing.
• IPv6 Routing
- In Use—Number of TCAM entries used for IPv6 routing.
- Maximum—Number of available TCAM entries that can be used for IPv6 routing.
• Maximum TCAM Entries for Non-IP Rules—Maximum TCAM entries available for non-IP rules.

Managing RMON

RMON decreases the traffic between the manager and the device, because the SNMP manager does not have to poll the device frequently for information, and it enables the manager to get timely status reports, because the device reports events as they occur. With this feature, you can perform the following actions:
• View the current statistics (since the counter values were cleared).

• Packets Received—Number of good packets received, including Multicast and Broadcast packets.
• Broadcast Packets Received—Number of good Broadcast packets received. This number does not include Multicast packets.
• Multicast Packets Received—Number of good Multicast packets received.
• CRC & Align Errors—Number of CRC and alignment errors that have occurred.
• Undersize Packets—Number of undersized packets (fewer than 64 octets) received.
• Frames of 512 to 1023 Bytes—Number of frames of 512-1023 bytes that were received.
• Frames of 1024 Bytes or More—Number of frames of 1024-2000 bytes, and Jumbo Frames, that were received.
To clear statistics counters:
• Click Clear Interface Counters to clear the counters of the selected interfaces.
• Click View All Interfaces Statistics to see all ports on a single page.

• Owner—Enter the RMON station or user that requested the RMON information.
STEP 4 Click Apply. The entry is added to the History Control Table page, and the Running Configuration file is updated.
STEP 5 Click History Table to view the actual statistics.

Viewing the RMON History Table

The History Table page displays interface-specific statistical network samplings. The samples were configured in the History Control table described above.

• Fragments—Fragments (packets of fewer than 64 octets with a bad FCS) received, excluding framing bits but including FCS octets.
• Jabbers—Total number of received packets that were longer than 2000 octets, excluding framing bits but including FCS octets, and that had a bad FCS either with an integral number of octets (FCS Error) or with a non-integral number of octets (Alignment Error).
• Collisions—Collisions received.
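As an added example, not code from the guide or from the switch, the following Python classifies Ethernet frames into the RMON counters defined above: good packets, broadcast and multicast, CRC errors, undersize, fragments, oversize, jabbers and the size buckets. It checks the FCS with CRC-32 (zlib.crc32 uses the Ethernet polynomial, and the FCS is sent least-significant byte first) and applies the guide's own 64 and 2000 octet bounds. Alignment errors (a non-integral number of octets) cannot be represented in a byte string, so here a bad FCS stands for both. The frames are constructed inline.

```python
"""Added example: RMON etherStats-style classification of Ethernet frames."""
import zlib
from collections import Counter

MIN_FRAME, MAX_FRAME = 64, 2000      # the guide's bounds: <64 undersize/fragment, >2000 oversize/jabber
SIZE_BUCKETS = ((64, 64), (65, 127), (128, 255), (256, 511), (512, 1023), (1024, None))


def fcs_ok(frame):
    """True if the last four octets are a correct CRC-32 over the rest of the frame."""
    return len(frame) >= 4 and zlib.crc32(frame[:-4]).to_bytes(4, "little") == frame[-4:]


def bucket(n):
    """Size-bucket label for a frame of n octets, or None below 64."""
    for lo, hi in SIZE_BUCKETS:
        if n >= lo and (hi is None or n <= hi):
            return f"{lo}+" if hi is None else (str(lo) if lo == hi else f"{lo}-{hi}")
    return None


def rmon_counters(frames):
    """Count frames the way the RMON statistics and history pages report them."""
    c = Counter()
    for f in frames:
        n, good = len(f), fcs_ok(f)
        c["octets"] += n
        label = bucket(n)
        if label:                                  # size buckets count good and bad frames alike
            c["size " + label] += 1
        if n < MIN_FRAME:
            c["undersize" if good else "fragments"] += 1
        elif n > MAX_FRAME:
            c["oversize" if good else "jabbers"] += 1
        elif not good:
            c["crc_align_errors"] += 1
        else:
            c["packets"] += 1                      # "good packets received", broadcast and multicast included
            if f[:6] == b"\xff" * 6:
                c["broadcast"] += 1
            elif f[0] & 1:                         # group bit set and not broadcast
                c["multicast"] += 1
    return c


def make_frame(dst_hex, size, corrupt_fcs=False):
    """Constructed frame of exactly `size` octets including FCS (size must be at least 18)."""
    body = bytes.fromhex(dst_hex) + bytes.fromhex("001122334455") + b"\x08\x00"
    body += bytes(size - 4 - len(body))
    fcs = zlib.crc32(body).to_bytes(4, "little")
    if corrupt_fcs:
        fcs = bytes(x ^ 0xFF for x in fcs)
    return body + fcs


SAMPLE_FRAMES = [                                  # constructed input
    make_frame("ffffffffffff", 64),                # good broadcast, smallest legal frame
    make_frame("01005e000001", 128),               # good IPv4 multicast
    make_frame("0a1b2c3d4e5f", 1500),              # good unicast
    make_frame("0a1b2c3d4e5f", 1500, corrupt_fcs=True),   # CRC error
    make_frame("0a1b2c3d4e5f", 60),                # undersize
    make_frame("0a1b2c3d4e5f", 60, corrupt_fcs=True),     # fragment
    make_frame("0a1b2c3d4e5f", 2100),              # oversize (jumbo with good FCS)
    make_frame("0a1b2c3d4e5f", 2100, corrupt_fcs=True),   # jabber
]

if __name__ == "__main__":
    for name, value in sorted(rmon_counters(SAMPLE_FRAMES).items()):
        print(f"{name:20} {value}")
```

The distinction the page draws between Undersize and Fragments, and between Oversize and Jabbers, is exactly the FCS check: the same length with a good FCS is a policy problem (a misconfigured MTU or a runt sender), while with a bad FCS it is a physical-layer problem.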
- None—No action occurs when the alarm goes off.
- Log (Event Log Table)—Add a log entry to the Event Log table when the alarm is triggered.
- Trap (SNMP Manager and SYSLOG Server)—Send a trap to the SNMP manager and a message to the remote log server when the alarm goes off.
- Log and Trap—Add a log entry to the Event Log table and send a trap to the remote log server when the alarm goes off.
• Time—Displays the time of the event.

Defining RMON Alarms

RMON alarms provide a mechanism for setting thresholds and sampling intervals to generate exception events on any counter or any other SNMP object counter maintained by the agent. Both the rising and falling thresholds must be configured in the alarm. After a rising threshold is crossed, no further rising events are generated until the companion falling threshold is crossed.

• Rising Event—Select an event to be performed when a rising event is triggered. Events are created in the Events page.
• Falling Threshold—Enter the value that triggers the falling threshold alarm.
• Falling Event—Select an event to be performed when a falling event is triggered.
• Startup Alarm—Select the first event from which to start generation of alarms. Rising is defined as crossing the threshold from a lower value to a higher value.
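The hysteresis rule above (no second rising event until the falling threshold is crossed, and the Startup Alarm choice for the very first sample) is easy to get wrong when building alerting on top of these counters. The following Python is an added example, not the switch's implementation, that models one RMON alarm over a series of samples and attaches the configured Rising/Falling Event action to each event it generates. The sample values are constructed; the delta sample type is the standard RMON option rather than something shown on this page.

```python
"""Added example: the RMON alarm rising/falling state machine described above."""

STARTUP_MODES = ("rising", "falling", "rising_or_falling")


def run_alarm(raw_samples, rising, falling, startup="rising_or_falling", sample_type="absolute"):
    """Return [(sample_index, 'rising' | 'falling'), ...] for an alarm with these thresholds.

    sample_type 'absolute' compares the sampled value itself; 'delta' compares the change
    since the previous sample (the standard RMON option, not shown on the page excerpt).
    """
    if not falling < rising:
        raise ValueError("falling threshold must be below the rising threshold")
    if startup not in STARTUP_MODES:
        raise ValueError(f"startup must be one of {STARTUP_MODES}")
    events, first, last_raw = [], True, None
    can_rise = can_fall = True        # which direction is currently armed
    for i, raw in enumerate(raw_samples):
        if sample_type == "delta":
            if last_raw is None:      # a delta needs two samples
                last_raw = raw
                continue
            value, last_raw = raw - last_raw, raw
        else:
            value = raw
        if first:
            # Startup Alarm decides whether a value already past a threshold fires on the first sample
            first = False
            if value >= rising and startup != "falling":
                events.append((i, "rising"))
            elif value <= falling and startup != "rising":
                events.append((i, "falling"))
            can_rise, can_fall = value < rising, value > falling
            continue
        if value >= rising and can_rise:
            events.append((i, "rising"))
            can_rise, can_fall = False, True   # no more rising events until the falling threshold is crossed
        elif value <= falling and can_fall:
            events.append((i, "falling"))
            can_rise, can_fall = True, False
    return events


def dispatch(events, rising_action="log_and_trap", falling_action="log"):
    """Attach the configured Rising/Falling Event action (None, Log, Trap, Log and Trap) to each event."""
    actions = {"rising": rising_action, "falling": falling_action}
    return [(i, direction, actions[direction]) for i, direction in events]


SAMPLES = [50, 90, 85, 50, 95, 10, 15, 90]   # constructed, e.g. broadcast packets per interval

if __name__ == "__main__":
    for entry in dispatch(run_alarm(SAMPLES, rising=80, falling=20)):
        print(entry)
```

With the thresholds set to 80 and 20, the run above fires at samples 1, 5 and 7 only: the 95 at sample 4 is still above the rising threshold but produces nothing, because the value never dropped to the falling threshold in between.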
3 Administration: System Log

This section describes the System Log feature, which enables the device to generate multiple independent logs. Each log is a set of messages describing system events. The device generates the following local logs:
• Log sent to the console interface.
• Log written into a cyclical list of logged events in RAM, which is erased when the device reboots.
• Log written to a cyclical log file saved in Flash memory, which persists across reboots.

Setting System Log Settings

The event severity levels are listed from the highest severity to the lowest, as follows (the number in parentheses is the standard syslog severity code):
• Emergency (0)—System is not usable.
• Alert (1)—Action is needed.
• Critical (2)—System is in a critical condition.
• Error (3)—System is in an error condition.
• Warning (4)—A system warning has occurred.
• Notice (5)—System is functioning properly, but a system notice has occurred.
• Informational (6)—Device information.
• Debug (7)—Detailed information about an event.
Selecting a level logs messages of that severity and of every more severe level.

Setting Remote Logging Settings

• Originator Identifier—Enables adding an origin identifier to SYSLOG messages. The options are:
- None—Do not include the origin identifier in SYSLOG messages.
- Hostname—Include the system hostname in SYSLOG messages.
- IPv4 Address—Include the IPv4 address of the sending interface in SYSLOG messages.
- IPv6 Address—Include the IPv6 address of the sending interface in SYSLOG messages.

NOTE If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.
STEP 3 Click Add.
STEP 4 Enter the parameters.
• Server Definition—Select whether to identify the remote log server by IP address or by name.
• IP Version—Select the supported IP format.
• IPv6 Address Type—Select the IPv6 address type (if IPv6 is used).

Viewing Memory Logs

The device can write to the following logs:
• Log in RAM (cleared during reboot).
• Log in Flash memory (cleared only upon user command).
You can configure the messages that are written to each log by severity, and a message can go to more than one log, including logs that reside on external SYSLOG servers.

RAM Memory

The RAM Memory page displays all messages that were saved in RAM (cache) in chronological order. This page contains the following fields:
• Log Index—Log entry number.
• Log Time—Time when the message was generated.
• Severity—Event severity.
• Description—Message text describing the event.
To clear the messages, click Clear Logs. Because this erases the local record, forward messages to a remote SYSLOG server (see Setting Remote Logging Settings) if you need to preserve them for later review.
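To make the severity filtering concrete, the following Python is an added example (not the switch's code) of what a collector on the remote SYSLOG server side does with the messages the device sends: it decodes the RFC 3164 PRI header into facility and severity, extracts the Cisco-style mnemonic so that particular events can be matched by name, and delivers each message to every log whose minimum severity it meets, which is how the per-log severity setting and the "a message can go to more than one log" rule above combine. The sample lines are constructed; only the first reuses the synchronization message format quoted in the stack chapter, and the facility and timestamp formats are assumptions.

```python
"""Added example: syslog PRI parsing and per-destination severity filtering."""
import re

SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")                           # RFC 3164 PRI = facility * 8 + severity
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+-[A-Z]-[A-Z0-9_]+):")   # e.g. %DSYNCH-I-SYNCH_SUCCEEDED:


def parse_pri(line):
    """Return (facility, severity) from the PRI header, or None if the line has no valid PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def mnemonic(line):
    """Extract the Cisco-style message mnemonic so specific events can be matched by name."""
    m = MNEMONIC_RE.search(line)
    return m.group(1) if m else None


def route(lines, destinations):
    """destinations maps a log name to its minimum severity name (e.g. 'warning').
    Each message is delivered to every destination whose minimum it meets."""
    limits = {dest: SEVERITIES.index(level.lower()) for dest, level in destinations.items()}
    out = {dest: [] for dest in destinations}
    out["unparsed"] = []                           # keep malformed lines rather than dropping them silently
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            out["unparsed"].append(line)
            continue
        severity = parsed[1]
        for dest, limit in limits.items():
            if severity <= limit:                  # lower code = more severe
                out[dest].append(line)
    return out


SAMPLE_LINES = [  # constructed; facility local0 (16), hostname and mnemonics are assumed
    "<134>Jan  5 10:02:11 sw1 %DSYNCH-I-SYNCH_SUCCEEDED: Synchronization with unit 2 is finished successfully.",
    "<132>Jan  5 10:03:40 sw1 %AAA-W-REJECT: New http connection for user admin, source 192.0.2.7 REJECTED",
    "<131>Jan  5 10:04:02 sw1 %LINK-E-PORTDOWN: gi1/1/3 link down",
    "<135>Jan  5 10:04:03 sw1 %SNMP-D-TRACE: request id 17",
    "Jan  5 10:04:05 sw1 line without a PRI header",
]
DESTINATIONS = {"ram": "informational", "flash": "error", "remote_server": "warning"}

if __name__ == "__main__":
    for dest, msgs in route(SAMPLE_LINES, DESTINATIONS).items():
        print(f"{dest:14} {len(msgs)} message(s)")
```

With the destinations above the informational synchronization message reaches only the RAM log, the warning reaches RAM and the remote server, the error reaches all three, and the debug line reaches none, which is the behaviour to expect from the device's own per-log severity settings.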
4 Administration: File Management

This section describes how system files are managed. The following topics are covered:
• System Files
• Upgrade/Backup Firmware/Language
• Active Image
• Download/Backup Configuration/Log
• Configuration Files Properties
• Copy/Save Configuration
• Auto Configuration via DHCP

System Files

System files are files that contain configuration information, firmware images or boot code.

Configuration files on the device are defined by their type and contain the settings and parameter values for the device. When a configuration is referenced on the device, it is referenced by its configuration file type (such as Startup Configuration or Running Configuration) rather than by a file name that can be modified by the user.

Only the system can copy the Startup Configuration to the Mirror Configuration. However, you can copy from the Mirror Configuration to other file types or to another device. The automatic copying of the Startup Configuration to the Mirror Configuration can be disabled on the Configuration Files Properties page.

Upgrade/Backup Firmware/Language

The Upgrade/Backup Firmware/Language process can be used to:
• Upgrade or back up the firmware image.
• Upgrade or back up the boot code.

- Copy the image from a TFTP/SCP server to the master, using the Upgrade/Backup Firmware/Language page.
- Change the active image, using the Active Image page.
- Reboot, using the Reboot page.
There are two firmware images stored on the device. One image is identified as the active image and the other as the inactive image.

• Backup—Specifies that a copy of the file type is to be saved to a file on another device. Enter the following fields:
• File Type—Select the destination file type. Only valid file types are shown. (The file types are described in the Files and File Types section.)
• TFTP Server Definition—Select whether to specify the TFTP server by IP address or by domain name.
• IP Version—Select whether an IPv4 or an IPv6 address is used.

• Remote SSH Server Authentication—To enable SSH server authentication (which is disabled by default), click Edit. This takes you to the SSH Server Authentication page to configure the trusted SSH server, and then returns you to this page. With server authentication disabled, the device does not verify the identity of the SCP server it fetches firmware or configuration from, so enable it before relying on SCP transfers.
- Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link-local address has the prefix FE80::/10, is not routable, and can be used for communication only on the local link. Only one link-local address is supported. If a link-local address exists on the interface, this entry replaces the address in the configuration.
- Global—The IPv6 address is a global unicast address that is visible and reachable from other networks.

Active Image

• Active Image Version Number—Displays the firmware version of the active image.
• Active Image After Reboot—Displays the image that is active after reboot.
• Active Image Version Number After Reboot—Displays the firmware version of the image that will be active after reboot.
STEP 2 Select the image from the Active Image After Reboot menu to identify the firmware image that is used as the active image after the device is rebooted.

Download/Backup Configuration/Log

• Change Queues Mode from 4 to 8—Queue-related configurations must be examined and adjusted to meet QoS objectives with the new Queues mode. See the CLI Reference Guide for a listing of these QoS commands.
• Change Queues Mode from 8 to 4—Queue-related configuration commands that conflict with the new Queues mode are rejected, meaning that the download of the configuration file fails.

Select either Download or Backup as the Save Action.
Download Save Action—Specifies that the file on another device replaces a file type on the device. Enter the following fields:
a. Server Definition—Select whether to specify the TFTP server by IP address or by domain name.
b. IP Version—Select whether an IPv4 or an IPv6 address is used.
• Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link-local address has the prefix FE80::/10, is not routable, and can be used for communication only on the local link. Only one link-local address is supported. If a link-local address exists on the interface, this entry replaces the address in the configuration.

STEP 4 If you selected via HTTP/HTTPS, enter the parameters as described in this step. Select the Save Action. If Save Action is Download (replacing the file on the device with a new version from another device), do the following. Otherwise, go to the next procedure in this step.
a. Source File Name—Click Browse to select a file, or enter the path and source file name to be used in the transfer.

SSH Client Authentication—Client authentication can be done in one of the following ways:
• Use SSH Client—Sets permanent SSH user credentials. Click System Credentials to go to the SSH User Authentication page, where the user/password can be set once for all future use.
• Use SSH Client One-Time Credentials—Enter the following:
- Username—Enter a username for this copy action.
- Password—Enter a password for this copy action.
If Save Action is Backup (copying a file to another device), enter the following fields (in addition to those listed above):
• Source File Type—Select the configuration file type. Only valid file types are displayed. (The file types are described in the Files and File Types section.)
• Sensitive Data—Select how sensitive data should be included in the backup file.

Configuration Files Properties

STEP 2 If required, disable Auto Mirror Configuration. This disables the automatic creation of mirror configuration files. When this feature is disabled, the existing mirror configuration file, if any, is deleted. See System Files for a description of mirror files and why you might not want to create them automatically.

Copy/Save Configuration

• If you are backing up a configuration file, select one of the following formats for the backup file:
- Exclude—Sensitive data is not included in the backup file.
- Encrypted—Sensitive data is included in the backup file in encrypted form.
- Plaintext—Sensitive data is included in the backup file in plain text. Such a backup carries the device's passwords and keys in the clear and must be protected accordingly.
NOTE The available sensitive data options are determined by the current user's SSD rules.
Auto Configuration via DHCP

Auto Configuration via DHCPv4 is triggered in the following cases:
• After reboot, when an IP address is allocated or renewed dynamically (using DHCPv4).
• Upon an explicit DHCPv4 renewal request, if the device and the server are configured to do so.
• Upon automatic renewal of the DHCPv4 lease.

Auto Configuration Download Protocol (TFTP or SCP)

The Auto Configuration download protocol can be configured as follows:
• Auto By File Extension—(Default) If this option is selected, a user-defined file extension indicates that files with this extension are downloaded using SCP (over SSH), while files with other extensions are downloaded using TFTP.

Auto Configuration Process

When the Auto Configuration process is triggered, the following sequence of events occurs:
• The DHCP server is accessed to acquire the TFTP/SCP server name/address and the configuration file name/path (DHCPv4 options 66, 150 and 67; DHCPv6 options 59 and 60).
• If the information is available, the TFTP/SCP server is accessed to download the file. The download is performed only if the new configuration file name differs from the current configuration file name (even if the current configuration file is empty).
• A SYSLOG message is generated acknowledging that the Auto Configuration process is completed.

This ensures that each device has its own reserved IP address and other relevant information.
To configure auto configuration:
STEP 1 Click Administration > File Management > DHCP Auto Configuration.
STEP 2 Enter the values.
• Auto Configuration Via DHCP—Select this field to enable DHCP Auto Configuration. This feature is enabled by default, but can be disabled here. Because the device downloads and applies whatever file the DHCP server points it to, leave it enabled only where the DHCP service on the management network is trusted.
• IP Version—Select whether an IPv4 or an IPv6 address is used.
• IPv6 Address Type—Select the IPv6 address type (if IPv6 is used). The options are:
- Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link-local address has the prefix FE80::/10, is not routable, and can be used for communication only on the local link. Only one link-local address is supported.
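The following Python is an added example, not the switch's implementation, of the decision the Auto Configuration process makes from a DHCPv4 lease: it parses the option area of a DHCPv4 message as TLVs, pulls out options 66 (TFTP server name), 150 (TFTP server addresses) and 67 (bootfile name), picks SCP or TFTP by the file extension rule, and skips the download when the file name has not changed. The option bytes are constructed; the example prefers option 150 over 66 when both are present and uses ".scp" as the SCP extension, both of which are assumptions rather than something the page states. TFTP carries no authentication or integrity protection, which is why the extension rule exists at all.

```python
"""Added example: DHCPv4 option parsing and the Auto Configuration download decision."""
import ipaddress

OPT_PAD, OPT_TFTP_NAME, OPT_BOOTFILE, OPT_TFTP_ADDRS, OPT_END = 0, 66, 67, 150, 255


def parse_dhcp_options(blob):
    """Parse the DHCPv4 options area (code, length, value ... 255) into {code: raw_bytes}."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:                       # refuse to act on a cut-off option
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    raise ValueError("missing end option")


def build_options(pairs):
    """Constructed helper: encode (code, value) pairs the way a DHCP server would."""
    return b"".join(bytes([code, len(value)]) + value for code, value in pairs) + bytes([OPT_END])


def auto_config_decision(opts, current_file, scp_extension=".scp"):
    """Apply the guide's rules: which server, which protocol, and whether to download at all."""
    file_name = opts.get(OPT_BOOTFILE, b"").split(b"\x00")[0].decode("ascii", "replace")
    servers = []
    if OPT_TFTP_ADDRS in opts:                         # assumption: option 150 wins over option 66
        raw = opts[OPT_TFTP_ADDRS]
        if not raw or len(raw) % 4:
            raise ValueError("option 150 must be a list of IPv4 addresses")
        servers = [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]
    elif OPT_TFTP_NAME in opts:
        servers = [opts[OPT_TFTP_NAME].decode("ascii", "replace")]
    if not file_name or not servers:
        return {"download": False, "reason": "server or file name not supplied"}
    if file_name == current_file:                      # unchanged name: no download, even if the file is empty
        return {"download": False, "reason": "configuration file name unchanged"}
    protocol = "scp" if file_name.lower().endswith(scp_extension.lower()) else "tftp"
    return {"download": True, "protocol": protocol, "servers": servers, "file": file_name}


SAMPLE_OPTIONS = build_options([                       # constructed lease contents
    (OPT_TFTP_NAME, b"tftp.example.net"),
    (OPT_TFTP_ADDRS, ipaddress.IPv4Address("10.0.0.5").packed + ipaddress.IPv4Address("10.0.0.6").packed),
    (OPT_BOOTFILE, b"switches/sw1-config.scp"),
])

if __name__ == "__main__":
    print(auto_config_decision(parse_dhcp_options(SAMPLE_OPTIONS), "switches/sw1-config.txt"))
```

Run against the sample lease the decision is an SCP download from 10.0.0.5 or 10.0.0.6; the same lease with a current file name of switches/sw1-config.scp yields no download, which is the behaviour to keep in mind when a changed configuration is pushed under an unchanged name.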
5 Administration: Stack Management

This section describes how stacks are managed.

Overview

An example of eight devices connected into a stack is shown in the figure Stack Architecture (Chain Topology).
A stack provides the following benefits:
• Network capacity can be expanded or contracted dynamically. By adding a unit, the administrator can dynamically increase the number of ports in the stack while maintaining a single, logically managed device. Similarly, units can be removed to decrease network capacity.

Types of Units in Stack

A stack consists of a maximum of eight units. A unit in a stack is one of the following types:
• Master—The master unit's ID must be either 1 or 2. The stack is managed through the master unit, which manages itself, the backup unit and the slave units.
• Backup—If the master unit fails, the backup unit assumes the master role (switchover). The backup unit's ID must be either 1 or 2.

Unit LEDs

The device has four LEDs marked 1, 2, 3 and 4, which display the unit ID of each unit (for example, on Unit ID 1, LED 1 is on and the other LEDs are off). To support unit IDs greater than 4, the LED display is changed as follows:
• Units 1-4: LEDs 1-4 are lit, respectively.
• Unit 5: LEDs 1 and 4 are lit.
• Unit 6: LEDs 2 and 4 are lit.
• Unit 7: LEDs 3 and 4 are lit.
• Unit 8: LEDs 1, 3 and 4 are lit.

Stack Topology

Types of Stack Topology

The units in a stack can be connected in one of the following topologies:
Chain Topology—One stack port (either left or right) of the first unit is connected to a stack port of the second unit, and each subsequent unit is connected to the next in the same way, so only the first and last units have a single stack neighbor. The figure Stack Architecture (Chain Topology) shows a chain topology.
Administration: Stack Management Unit ID Assignment 5 • Merging two stacks into a single stack • Splitting the stack • Inserting other slave units to the stack, for instance because the units were previously disconnected from the stack due to a failure. This can happen in a chain topology if a unit in the middle of the stack fails. During topology discovery, each unit in a stack exchanges packets, which contain topology information.
Administration: Stack Management Unit ID Assignment 5 Duplicate Unit Shut Down The following shows a case where one of the duplicate units (auto-numbered) is renumbered.
Administration: Stack Management Master Selection Process 5 The following shows a case where one of the duplicate units is renumbered. The one with the lower MAC retains its unit ID (see Master Selection Process for a description of this process). Duplication Between Two Units With Auto Number Unit ID NOTE If a new stack has more than the maximum number of units (8), all extra units are shut down. Master Selection Process The master unit is selected from the master-enabled units (1 or 2).
Administration: Stack Management Stack Changes • 5 MAC Address—If both units IDs are the same, the unit with the lowest MAC address is chosen. NOTE For a stack to operate, it must have a master unit. A master unit is defined as the active unit that assumes the master role. The stack must contain a unit 1 and/or unit 2 after the master selection process. Otherwise, the stack and all its units are partially shut down, not as a complete power-off, but with traffic-passing capabilities halted.
Administration: Stack Management Stack Changes 5 • One or more duplicate unit IDs exist. Auto numbering resolves conflicts and assigns unit IDs. In case of manual numbering, only one unit retains its unit ID and the other(s) are shutdown. • The number of units in the stack exceeds the maximum number of units allowed. The new units that joined the stack are shut down, and a SYSLOG message is generated and appears on the master unit.
Administration: Stack Management Unit Failure in Stack 5 The following shows what happens when a user-assigned, master-enabled unit with Unit ID 1 joins a stack that already has a master unit with user-assigned unit ID 1. The newer Unit 1 does not join the stack and is shutdown. User-assigned Master-enabled Unit Unit Failure in Stack Failure of Master Unit If the Master fails, the backup unit takes over the master role and continues to operate the stack normally.
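The join and master-selection rules described above (maximum of 8 units, duplicate unit IDs under auto and manual numbering, election among units 1 and 2 with the MAC address as tie-breaker), modelled as an added example that is not Cisco's code. It assumes that a renumbered auto-numbered unit takes the lowest free unit ID, that a mixed manual/auto duplicate is treated like the manual case, and that only the unit ID and MAC criteria shown above take part in the election.

```python
from __future__ import annotations

from dataclasses import dataclass, field, replace

MAX_STACK_UNITS = 8          # maximum number of units in one stack
MASTER_ENABLED_IDS = (1, 2)  # only unit 1 and unit 2 can become master or backup


@dataclass
class Unit:
    mac: str                     # base MAC address, the election tie-breaker
    unit_id: int                 # unit ID the unit holds (existing) or requests (joining)
    user_assigned: bool = False  # True = manual numbering, False = auto numbering


@dataclass
class StackState:
    members: list[Unit] = field(default_factory=list)
    shut_down: list[Unit] = field(default_factory=list)
    master: Unit | None = None
    halted: bool = False         # no unit 1/2 after selection: forwarding is halted


def mac_value(mac: str) -> int:
    """Numeric value of a MAC so that 'lowest MAC address' is a plain comparison."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def lowest_free_id(members: list[Unit]) -> int:
    """Assumption: a renumbered unit receives the lowest unit ID not in use."""
    used = {u.unit_id for u in members}
    return next(i for i in range(1, MAX_STACK_UNITS + 1) if i not in used)


def select_master(members: list[Unit]) -> Unit | None:
    """Master election limited to the criteria in the text: only units 1 and 2
    are candidates, the lower unit ID wins, and equal IDs go to the lowest MAC."""
    candidates = [u for u in members if u.unit_id in MASTER_ENABLED_IDS]
    if not candidates:
        return None
    return min(candidates, key=lambda u: (u.unit_id, mac_value(u.mac)))


def join_stack(existing: list[Unit], joining: list[Unit]) -> StackState:
    """Admit `joining` units one at a time into a stack of `existing` units,
    then run master selection over the result. The inputs are not modified."""
    state = StackState(members=[replace(u) for u in existing])
    for candidate in joining:
        unit = replace(candidate)
        if len(state.members) >= MAX_STACK_UNITS:
            # Over the maximum: the newly joining unit is shut down.
            state.shut_down.append(unit)
            continue
        holder = next((m for m in state.members if m.unit_id == unit.unit_id), None)
        if holder is not None:
            if unit.user_assigned or holder.user_assigned:
                # Manual numbering: the unit already in the stack keeps its ID and
                # the newer duplicate is shut down (assumption: also when only one
                # of the two IDs was user-assigned).
                state.shut_down.append(unit)
                continue
            # Auto numbering: the lower MAC keeps the ID, the other is renumbered.
            loser = unit if mac_value(unit.mac) > mac_value(holder.mac) else holder
            loser.unit_id = lowest_free_id(state.members + [unit])
        state.members.append(unit)
    state.master = select_master(state.members)
    state.halted = state.master is None
    return state
```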
If a unit is inserted into a running stack and is selected as a backup unit, the master synchronizes it so that it has an up-to-date configuration, and then generates a SYNC COMPLETE SYSLOG message. This is a unique SYSLOG message that appears only when the backup is converging with the master unit, and looks like this:
%DSYNCH-I-SYNCH_SUCCEEDED: Synchronization with unit 2 is finished successfully.
Reconnecting the Original Master Unit After Failover
After failover, if the original master is connected again, the master selection process is performed. If the original master (unit 1) is reselected as the master, the current master (unit 2, which was the original backup unit) is rebooted and becomes the backup once again.
NOTE During master/backup failover, the up time of the backup unit is retained.
Stack Unit Mode
• Advanced Hybrid—A device in Advanced Hybrid mode can be connected to Sx500 and SG500X/ESW2-550X devices to form a stack. In this mode, VRRP and/or RIP are supported, but auto numbering of units is not supported, because only the SG500X or ESW2-550X devices can function as master/backup. Sx500 devices can only be slaves; therefore up to 6 Sx500 units can be stacked together with two SG500X/ESW2-550X devices.
Possible Stack Configuration                                        RIP/VRRP Support    Stack Ports Speed
Stack consists of mixed device types in Advanced Hybrid mode.       Enabled/Disabled    1G/5G
  • Master: SG500X
  • Backup: SG500X
  • Slaves: Either type of device
Stack consists of mixed device types in Advanced Hybrid XG mode.    Enabled/Disabled    1G or 10G
Changing the Stack Unit Mode
Change the stack unit mode of a device to remove it from a stack (by changing its stack unit mode to Standalone), or when configuring it to become part of a stack (by changing its stack unit mode to Native Stacking, Basic Hybrid Stacking, or Advanced Hybrid Stacking). The following sections describe the system mode and configuration of the devices after reboot when the stack unit mode is changed.
• SG500XG:
- Standalone to Native Stacking—Retained only when the unit is forced to become the master unit with unit ID = 1
- Native to Advanced Hybrid XG—Retained only when the unit is forced to become the master unit with unit ID = 1
• Sx500 devices:
- Standalone to Native Stacking—Retained only when the unit is forced to become the master unit with unit ID = 1
- Standalone to Basic Hybrid—Retained only when the unit is forced to become the master
Stack Ports
• SG500XG Devices—Any ports can be stack or network ports. By default the device is standalone. When you convert a device from one of the stacking modes to Standalone mode, all its stack ports automatically become regular network ports.
Pairs of Ports
The following table describes the pairs of ports that are available on the device in the various stack unit modes:
Device Type / Pair of Ports           Stacking                                                                   Standalone
Sx500                                 Native Stacking mode: Available as both network and stack ports
                                      Hybrid modes: Available as stack ports
Sx500, combo slot 1G Fiber/Copper     Native Stacking mode: Available as both network and stack ports
                                      Hybrid modes: Available as network ports
SG500X/ESW2-550X
Device Type         Port Pair                            Possible Speeds in Stack    Auto Speed Selection Available
SG500X/ESW2-550X    S1-S2-XG                             10G/1G                      Yes
SG500X/ESW2-550X    S1-S2-5G                             5G/1G                       Yes
SG500XG             Any pair of ports from XG1 - XG16    1G or 10G                   Yes
Auto Selection of Port Speed
You can set the stacking cable type to be discovered automatically when the cable is connected to the port (auto-discovery is the default setting).
The following describes the possible combinations of cable types and ports.
Connector Type: 100Mbs SFP Module MFEBX1
- Stack ports S1-S2-5G (SG500X/ESW2-550X) and S3-S4 (Sx500): Not supported
- Stack ports S1, S2 (Sx500): Not supported
- Stack ports S1, S2-XG (SG500X/ESW2-550X): Not supported
- Network ports S1, S2-5G (SG500X) and S3, S4 (Sx500): Not supported
- Network ports S1, S2 (Sx500): 100Mbs
- Network ports S1, S2-XG (SG500X): Not supported
Connector Type: Other SFPs
- Stack ports S1-S2-5G (SG500X/ESW2-550X) and S3-S4 (Sx500): 1G
- Stack ports S1, S2 (Sx500): According to: Forced user speed
- Stack ports S1, S2-XG (SG500X/ESW2-550X): According to: Forced user speed
- Network ports S1, S2-5G (SG500X) and S3, S4 (Sx500): 1G
- Network ports S1, S2 (Sx500): According to: Forced user speed
- Network ports S1, S2-XG (SG500X): According to: Forced use
Default Configuration
The following are the device defaults in the various stacking modes:
Device Type    Stack Mode            Default Stack Ports    Default System Mode
Sx500          Native Stack          S3-S4 5G Stack         Layer 2
Sx500          Basic Hybrid          S3-S4 5G Stack         Layer 2
Sx500          Advanced Hybrid       S3-S4 5G Stack         Layer 2
               Native Stack          S1-S2 10G Stack        Layer 2+Layer 3
               Basic Hybrid          S1-S2 5G Stack         Layer 2
               Advanced Hybrid       S1-S2 5G Stack         Layer 2
               Advanced Hybrid XG    S1-S2 5G Stack         La
System Modes
• Change the stack mode of a device to one of the stacking modes, and change the unit ID, stack ports, and speed of the stack ports of all the devices in a stack.
• Change the system mode (Layer 2/3) of a standalone device or of the stack.
• Change the queues mode from 4 to 8 supported queues or vice versa.
STEP 1 Click Administration > System Mode and Stack Management. The operational status of a standalone device or a stack is displayed in the Operational Status block:
• Stack Unit Mode—Displays one of the following values for the device:
- Standalone—Device is not part of a stack.
- Native Stacking—Device is part of a stack in which all of the units are of the same type.
• Model Name—Model name of a known and active unit.
• Stack Connection 1—Information for the first stack connection:
- Port—The type of the stack port that is connected.
- Speed—The speed of the stack port that is connected.
- Neighbor—Unit ID of the connected stack unit.
Administration
This section describes how to view system information and configure various options on the device.
Device Models
All models can be fully managed through the web-based switch configuration utility.
NOTE Each model can be set to Layer 3 system mode by using the System Mode and Stack Management page. When the device operates in Layer 3 system mode, the VLAN Rate Limit and QoS policers are not operational. Other QoS Advanced mode features are operational.
Model Name    Product ID (PID)    Description of Ports on Device    Power Dedicated to PoE    No.
System Settings
The System Summary page provides a graphic view of the device, and displays device status, hardware information, firmware version information, general PoE status, and other items.
Displaying the System Summary
To view system information, click Status and Statistics > System Summary. The System Summary page contains system and hardware information.
System Information:
• Base MAC Address—Device MAC address.
• System Uptime—Time that has elapsed since the last reboot.
• Current Time—Current system time.
• Base MAC Address—Device MAC address. If the system is in stack mode, the base MAC address of the master unit is displayed.
• Jumbo Frames—Jumbo frame support status. This support can be enabled or disabled by using the Port Settings page of the Port Management menu.
NOTE Jumbo frame support takes effect only after it is enabled and the device is rebooted.
• SNMP Service—Displays whether SNMP is enabled or disabled.
• Telnet Service—Displays whether Telnet is enabled or disabled.
• SSH Service—Displays whether SSH is enabled or disabled.
PoE Power Information on Master Unit:
• Maximum Available PoE Power (W)—Maximum available power that can be delivered by PoE.
• Total PoE Power Consumption (W)—Total PoE power delivered to connected PoE devices.
• PoE Power Mode—Port Limit or Class Limit.
- Use Default—The default hostname (System Name) of these switches is switch123456, where 123456 represents the last three bytes of the device MAC address in hex format.
- User Defined—Enter the hostname. Use only letters, digits, and hyphens. Host names cannot begin or end with a hyphen. No other symbols, punctuation characters, or blank spaces are permitted (as specified in RFC 1033, 1034, and 1035).
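The two hostname options above, as an added example that is not Cisco's code: deriving the factory default name from the base MAC address, and checking a user-defined name against the listed rules. The 63-character limit and lower-case hex digits in the default name are assumptions; the text states neither.

```python
import re

# Rules as listed in the text: letters, digits and hyphens only, and no leading
# or trailing hyphen. The 63-character limit is an assumption taken from the
# RFC 1035 label rules; the text itself does not state a length.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
MAX_HOSTNAME_LEN = 63


def default_hostname(base_mac: str) -> str:
    """Factory default name: 'switch' followed by the last three MAC bytes in hex.
    Assumption: the hex digits are rendered in lower case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", base_mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {base_mac!r}")
    return "switch" + digits[-6:].lower()


def validate_hostname(name: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a user-defined hostname."""
    if not name:
        return False, "hostname is empty"
    if len(name) > MAX_HOSTNAME_LEN:
        return False, f"longer than {MAX_HOSTNAME_LEN} characters"
    if name.startswith("-") or name.endswith("-"):
        return False, "hostname cannot begin or end with a hyphen"
    if not HOSTNAME_RE.fullmatch(name):
        return False, "only letters, digits and hyphens are permitted"
    return True, "ok"
```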
STEP 1 Click Administration > Console Settings.
STEP 2 Select one of the following:
• Auto Detection—The console baud rate is detected automatically.
• Static—Select one of the available speeds.
Management Interface
See IPv4 Management and Interfaces.
System Mode and Stack Management
See Administration: Stack Management.
User Accounts
See Defining Users.
To set the idle session timeout for various types of sessions:
STEP 1 Click Administration > Idle Session Timeout.
STEP 2 Select the timeout for each session type from the corresponding list. The default timeout value is 10 minutes.
STEP 3 Click Apply to set the configuration settings on the device.
Time Settings
See Administration: Time Settings.
System Log
See Administration: System Log.
File Management
See Administration: File Management.
Rebooting the Device
There are cases when you might prefer to set the time of the reboot for some time in the future. This could happen, for example, in one of the following cases:
• You are performing actions on a remote device, and these actions might cause loss of connectivity to the remote device. Pre-scheduling a reboot restores the working configuration and enables restoring the connectivity to the remote device. If these actions are successful, the delayed reboot can be cancelled.
• Reboot to Factory Defaults—Reboots the device using the factory default configuration. This process erases the Startup Configuration file and the backup configuration file. The stack unit ID is set to auto, and on Sx500 the system mode is set to Layer 2. The mirror configuration file is not deleted when restoring to factory defaults.
• Clear Startup Configuration File—Check to clear the startup configuration on the device for the next time it boots up.
Routing Resources
Logical Entity                IPv4
IP Address on an interface    2 entries
IP Remote Route               1 entry
If IPv6 routing is enabled on the device, the following table describes the number of TCAM entries used by the various features:
Logical Entity                IPv4         IPv6 (PCL TCAM)    IPv6 (Router TCAM)
IP Neighbor                   1 entry      1 entry            4 entries
IP Address on an interface    2 entries    2 entries          8 entries
IP Remote Route               1 entry      1 entry            4 entries
On-Link-Prefix                             1 entry            4 entries
The Router Reso
• Total—Displays the number of TCAM entries that are currently being used.
• Maximum Entries—Select one of the following options:
- Use Default—On Sx500, the number of TCAM entries is 25% of the TCAM size. On SG500X/SG500XG, the number of Router TCAM entries is 50% of the Router TCAM size.
- User Defined—Enter a value.
STEP 3 Save the new settings by clicking Apply. This checks the feasibility of the TCAM allocation. If it is incorrect, an error message is displayed. If it is correct, the allocation is saved to the Running Configuration file and a reboot is performed.
Health
The Health page monitors the fan status on all devices with fans. Depending on the model, there are one or more fans on a device. Some models have no fans at all.
Event: Cool down period after the Critical threshold was exceeded (all sensors are lower than the Warning threshold - 2 °C).
Action: After all the sensors cool down to the Warning threshold minus 2 °C, the PHY is re-enabled and all ports are brought back up. If the fan status is OK, the ports are enabled. (On devices that support PoE) the PoE circuitry is enabled.
To view the device health parameters, click Status and Statistics > Health.
Discovery - Bonjour
See Bonjour.
Discovery - LLDP
See Configuring LLDP.
Discovery - CDP
See Configuring CDP.
Ping
Ping is a utility used to test whether a remote host can be reached and to measure the round-trip time for packets sent from the device to a destination device. Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP response, sometimes called a pong.
in this drop-down field. If the Host Definition field was By IP Address, only the existing IP addresses of the type specified in the IP Version field are displayed.
NOTE If the Auto option is selected, the system computes the source address based on the destination address.
• Destination IPv6 Address Type—Select Link Local or Global as the type of IPv6 address to enter as the destination IP address.
Traceroute
Traceroute discovers the IP routes along which packets are forwarded by sending an IP packet to the target host and back to the device. The Traceroute page shows each hop between the device and a target host, and the round-trip time to each such hop.
STEP 1 Click Administration > Traceroute.
STEP 2 Configure Traceroute by entering information into the following fields:
• Host Definition—Select whether hosts are identified by their IP address or by name.
• TTL—Enter the maximum number of hops that Traceroute permits. This is used to prevent a case where the sent frame gets into an endless loop. The Traceroute command terminates when the destination is reached or when this value is reached. To use the default value (30), select Use Default.
• Timeout—Enter the length of time that the system waits for a frame to return before declaring it lost, or select Use Default.
STEP 3 Click Activate Traceroute.
5 76 Administration Traceroute Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
Administration: Time Settings
Synchronized system clocks provide a frame of reference between all devices on the network. Network time synchronization is critical because every aspect of managing, securing, planning, and debugging a network involves determining when events occur. Without synchronized clocks, accurately correlating log files between devices when tracking security breaches or network usage is impossible.
System Time Options
System time can be set manually by the user, dynamically from an SNTP server, or synchronized from the PC running the GUI. If an SNTP server is chosen, the manual time settings are overwritten when communication with the server is established. As part of the boot process, the device always configures the time, time zone, and DST.
Time Zone and Daylight Savings Time (DST)
The time zone and DST can be set on the device in the following ways:
• Dynamic configuration of the device through a DHCP server, where:
- Dynamic DST, when enabled and available, always takes precedence over the manual configuration of DST.
- If the server supplying the source parameters fails, or dynamic configuration is disabled by the user, the manual settings are used.
Configuring System Time
Selecting Source of System Time
Use the System Time page to select the system time source. If the source is manual, you can enter the time here.
CAUTION If the system time is set manually and the device is rebooted, the manual time settings must be re-entered.
To define system time:
STEP 1 Click Administration > Time Settings > System Time.
Manual Settings—Set the date and time manually. The local time is used when there is no alternate source of time, such as an SNTP server:
• Date—Enter the system date.
• Local Time—Enter the system time.
Time Zone Settings—The local time is used via the DHCP server or Time Zone offset.
• Get Time Zone from DHCP—Select to enable dynamic configuration of the time zone and the DST from the DHCP server.
- From—Day and time that DST starts.
- To—Day and time that DST ends.
Selecting Recurring allows different customization of the start and stop of DST:
• From—Date when DST begins each year.
- Day—Day of the week on which DST begins every year.
- Week—Week within the month from which DST begins every year.
- Month—Month of the year in which DST begins every year.
- Time—The time at which DST begins every year.
• IPv4 Source Interface—Select the IPv4 interface whose IPv4 address is used as the source IPv4 address in messages used for communication with the SNTP server.
• IPv6 Source Interface—Select the IPv6 interface whose IPv6 address is used as the source IPv6 address in messages used for communication with the SNTP server.
• Source—How the SNTP server was defined; for example, manually or from a DHCPv6 server.
• Interface—Interface on which packets are received.
STEP 3 To add a Unicast SNTP server, enable SNTP Client Unicast.
STEP 4 Click Add.
STEP 5 Enter the following parameters:
• Server Definition—Select whether the SNTP server is identified by its IP address or by selecting a well-known SNTP server by name from the list.
is a secondary server, and so forth. If the primary server is down, the device polls all servers with the polling setting enabled, and selects a new primary server with the lowest stratum.
• Authentication—Select the check box to enable authentication.
• Authentication Key ID—If authentication is enabled, select the value of the key ID. (Create the authentication keys using the SNTP Authentication page.)
STEP 6 Click Apply.
Select an interface and select the reception/transmission options.
STEP 4 Click Apply to save the settings to the Running Configuration file.
Defining SNTP Authentication
SNTP clients can authenticate responses by using HMAC-MD5. An SNTP server is associated with a key, which is used as input together with the response itself to the MD5 function; the resulting MD5 digest is also included in the response packet.
• Authentication Key—Enter the key used for authentication (up to eight characters). The SNTP server must send this key for the device to synchronize to it.
• Trusted Key—Select to enable the device to receive synchronization information only from an SNTP server that uses this authentication key.
STEP 6 Click Apply. The SNTP Authentication parameters are written to the Running Configuration file.
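The authenticated SNTP exchange described above, as an added example that is not Cisco's code: the server side builds and signs a response, and the client-side check mirrors the Authentication Key and Trusted Key settings. It assumes the RFC 5905 symmetric-key construction MD5(key || packet) for the digest the text describes (the text labels the scheme HMAC-MD5), and the key table and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48            # fixed SNTP/NTP header
KEY_ID_LEN = 4                 # authenticator: 32-bit key identifier ...
DIGEST_LEN = 16                # ... followed by the 128-bit MD5 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

# Constructed sample key table, mirroring the SNTP Authentication page: key ID,
# key (up to eight characters), and which key IDs are marked Trusted.
KEYS = {1: b"s3cr3tk1", 2: b"backupk2"}
TRUSTED_KEY_IDS = {1}


def ntp_timestamp(unix_seconds: float) -> bytes:
    """Encode UNIX time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    fraction = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def build_response(transmit_unix: float, stratum: int = 2) -> bytes:
    """Server side: a minimal 48-byte SNTPv4 response (LI=0, VN=4, Mode=4).
    Root delay/dispersion are zeroed and the reference ID is a constructed value."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # + poll, precision
    header += struct.pack("!II", 0, 0)                          # root delay, root dispersion
    header += b"GPS\x00"                                        # reference ID
    header += ntp_timestamp(transmit_unix - 1)                  # reference timestamp
    header += ntp_timestamp(0)                                  # origin timestamp
    header += ntp_timestamp(transmit_unix)                      # receive timestamp
    header += ntp_timestamp(transmit_unix)                      # transmit timestamp
    return header


def digest_for(header: bytes, key: bytes) -> bytes:
    """MD5 over key || header, the RFC 5905 symmetric-key authenticator.
    Assumption: this is the construction the text describes (key and response
    fed together into MD5)."""
    return hashlib.md5(key + header).digest()


def sign_response(header: bytes, key_id: int, key: bytes) -> bytes:
    """Server side: append the key ID and the digest to the 48-byte header."""
    return header + struct.pack("!I", key_id) + digest_for(header, key)


def verify_response(packet: bytes, keys: dict, trusted: set) -> tuple:
    """Client side: accept only a response whose digest verifies under a key ID
    that is both configured and marked Trusted; returns (accepted, reason)."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, "no authenticator present or malformed length"
    header = packet[:NTP_HEADER_LEN]
    key_id, = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])
    received = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    if key_id not in keys:
        return False, f"unknown key ID {key_id}"
    if key_id not in trusted:
        return False, f"key ID {key_id} is not a trusted key"
    if not hmac.compare_digest(received, digest_for(header, keys[key_id])):
        return False, "digest mismatch: wrong key or altered response"
    return True, f"authenticated with key ID {key_id}"
```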
of the network is blocked (see Chapter 9, “Configuring Ports” and Chapter 9, “Configuring LAG Settings”).
• Limit PoE operation to a specified period.
Absolute Time Range
To define an absolute time range:
STEP 1 Click Administration > Time Settings > Time Range. The existing time ranges are displayed.
STEP 2 To add a new time range, click Add.
STEP 3 Enter the following fields:
• Time Range Name—Enter a new time range name.
STEP 3 To add a new recurring time range, click Add.
STEP 4 Enter the following fields:
• Recurring Starting Time—Enter the date and time that the Time Range begins on a recurring basis.
• Recurring Ending Time—Enter the date and time that the Time Range ends on a recurring basis.
Administration: Diagnostics
This section contains information for configuring port mirroring, running cable tests, and viewing device operational information. It covers the following topics:
• Testing Copper Ports
• Displaying Optical Module Status
• Configuring Port and VLAN Mirroring
• Viewing CPU Utilization and Secure Core Technology
Testing Copper Ports
The Copper Test page displays the results of integrated cable tests performed on copper cables by the Virtual Cable Tester (VCT).
• (Optional) Disable EEE (see the Port Management > Green Ethernet > Properties page).
Use a CAT5 data cable when testing cables using VCT. Accuracy of the test results can have an error range of +/- 10 for Advanced Testing and +/- 2 for basic testing.
CAUTION When a port is tested, it is set to the Down state and communications are interrupted. After the test, the port returns to the Up state.
Displaying Optical Module Status
If the port being tested is a Giga port, the Advanced Information block contains the following information, which is refreshed each time you enter the page:
• Cable Length—Provides an estimate of the length.
• Pair—Cable wire pair being tested.
• Status—Wire pair status. Red indicates a fault and Green indicates status OK.
• Channel—Cable channel indicating whether the wires are straight or crossover.
• MGBLH1: 1000BASE-LH SFP transceiver, for single-mode fiber, 1310 nm wavelength, supports up to 40 km.
• MGBLX1: 1000BASE-LX SFP transceiver, for single-mode fiber, 1310 nm wavelength, supports up to 10 km.
• MGBSX1: 1000BASE-SX SFP transceiver, for multimode fiber, 850 nm wavelength, supports up to 550 m.
• MGBT1: 1000BASE-T SFP transceiver for category 5 copper wire, supports up to 100 m.
Configuring Port and VLAN Mirroring
Port mirroring is used on a network device to send a copy of network packets seen on one device port, multiple device ports, or an entire VLAN to a network monitoring connection on another port on the device. This is commonly used for network appliances that require monitoring of network traffic, such as an intrusion-detection system.
- Active—Both source and destination interfaces are up and forwarding traffic.
- Not Ready—Either the source or the destination (or both) is down or not forwarding traffic for some reason.
STEP 2 Click Add to add a port or VLAN to be mirrored.
STEP 3 Enter the parameters:
• Destination Port—Select the analyzer port to which packets are copied. A network analyzer, such as a PC running Wireshark, is connected to this port.
Viewing CPU Utilization and Secure Core Technology
Excessive traffic burdens the CPU and might prevent normal device operation. The device uses the Secure Core Technology (SCT) feature to ensure that the device receives and processes management and protocol traffic, no matter how much total traffic is received. SCT is enabled by default on the device and cannot be disabled. There are no interactions with other features.
Administration: Discovery
This section provides information for configuring Discovery. It covers the following topics:
• Bonjour
• LLDP and CDP
• Configuring LLDP
• Configuring CDP
Bonjour
As a Bonjour client, the device periodically broadcasts Bonjour Discovery protocol packets to directly connected IP subnet(s), advertising its existence and the services that it provides; for example, HTTP, HTTPS, and Telnet. (Use the Security > TCP/UDP Services page to enable or disable the device services.)
When Bonjour Discovery is disabled, the device stops all service type advertisements and does not respond to requests for service from network management applications.
To globally enable Bonjour when the system is in Layer 2 system mode:
STEP 1 Click Administration > Discovery - Bonjour.
STEP 2 Select Enable to enable Bonjour Discovery globally on the device.
STEP 3 Click Apply. Bonjour is enabled or disabled on the device according to the selection.
STEP 3 Click Apply to update the Running Configuration file.
STEP 4 To enable Bonjour on an interface, click Add.
STEP 5 Select the interface, and click Apply.
NOTE Click Delete to disable Bonjour on an interface (this performs the delete operation immediately, without any additional operation such as Apply).
• CDP and LLDP end devices, such as IP phones, learn the voice VLAN configuration from CDP and LLDP advertisements. By default, the device sends CDP and LLDP advertisements based on the voice VLAN configured on the device. Refer to the Voice VLAN and Auto Voice VLAN sections for details.
NOTE CDP/LLDP does not distinguish whether a port is in a LAG.
Configuring LLDP
• Displaying LLDP Local Information
• Displaying LLDP Neighbors Information
• Accessing LLDP Statistics
• LLDP Overloading
LLDP Overview
LLDP is a protocol that enables network managers to troubleshoot and enhance network management in multi-vendor environments. LLDP standardizes methods for network devices to advertise themselves to other systems and to store discovered information.
4. Associate LLDP-MED network policies and the optional LLDP-MED TLVs with the desired interfaces by using the LLDP MED Port Settings page.
5. If Auto Smartport is to detect the capabilities of LLDP devices, enable LLDP in the Smartport Properties page.
6. Display overloading information by using the LLDP Overloading page.
• Chassis ID Advertisement—Select one of the following options for advertisement in the LLDP messages:
- MAC Address—Advertise the MAC address of the device.
- Host Name—Advertise the host name of the device.
STEP 3 In the Fast Start Repeat Count field, enter the number of times LLDP packets are sent when the LLDP-MED Fast Start mechanism is initialized. This occurs when a new endpoint device links to the device.
• SNMP Notification—Select Enable to send notifications to SNMP notification recipients (for example, an SNMP managing system) when there is a topology change. The time interval between notifications is entered in the Topology Change SNMP Notification Interval field in the LLDP Properties page. Define SNMP notification recipients by using the SNMP > Notification Recipient v1,2 and/or SNMP > Notification Recipient v3 page.
- Auto Advertise—Specifies that the software automatically chooses a management address to advertise from all the IP addresses of the product. If there are multiple IP addresses, the software chooses the lowest IP address among the dynamic IP addresses. If there are no dynamic addresses, the software chooses the lowest IP address among the static IP addresses.
- None—Do not advertise the management IP address.
Setting LLDP MED Network Policy
An LLDP-MED network policy is a related set of configuration settings for a specific real-time application such as voice or video. A network policy, if configured, can be included in the outgoing LLDP packets to the attached LLDP media endpoint device. The media endpoint device must send its traffic as specified in the network policy it receives.
• VLAN Tag—Select whether the traffic is Tagged or Untagged.
• User Priority—Select the traffic priority applied to traffic defined by this network policy. This is the CoS value.
• DSCP Value—Select the DSCP value to associate with application data sent by neighbors. This informs them how they must mark the application traffic they send to the device.
STEP 6 Click Apply. The network policy is defined.
• SNMP Notification—Select whether an SNMP notification is sent on a per-port basis when an end station that supports MED is discovered (for example, to an SNMP managing system) when there is a topology change.
• Available Optional TLVs—Select the TLVs that can be published by the device by moving them to the Selected Optional TLVs list.
8 Administration: Discovery Configuring LLDP LLDP Port Status Global Information • Chassis ID Subtype—Type of chassis ID (for example, MAC address). • Chassis ID—Identifier of chassis. Where the chassis ID subtype is a MAC address, the MAC address of the device appears. • System Name—Name of device. • System Description—Description of the device (in alpha-numeric format). • Supported System Capabilities—Primary functions of the device, such as Bridge, WLAN AP, or Router.
8 Administration: Discovery Configuring LLDP Click LLDP Local Information Details to see the details of the LLDP and LLDP MED TLVs sent to the neighbor. Click LLDP Neighbor Information Details to see the details of the LLDP and LLDPMED TLVs received from the neighbor. STEP 3 Select the desired port from the Port list. This page displays the following fields: Global • Chassis ID Subtype—Type of chassis ID. (For example, the MAC address.) • Chassis ID—Identifier of chassis.
8 Administration: Discovery Configuring LLDP MAC/PHY Details • Auto-Negotiation Supported—Port speed auto-negotiation support status. • Auto-Negotiation Enabled—Port speed auto-negotiation active status. • Auto-Negotiation Advertised Capabilities—Port speed auto-negotiation capabilities; for example, 1000BASE-T half duplex mode, 100BASE-TX full duplex mode. • Operational MAU Type—Medium Attachment Unit (MAU) type.
8 Administration: Discovery Configuring LLDP • Current Capabilities—MED capabilities enabled on the port. • Device Class—LLDP-MED endpoint device class. The possible device classes are: - Endpoint Class 1—Indicates a generic endpoint class, offering basic LLDP services. - Endpoint Class 2—Indicates a media endpoint class, offering media streaming capabilities, as well as all Class 1 features.
• VLAN Type—VLAN type for which the network policy is defined. The possible field values are:
- Tagged—Indicates the network policy is defined for tagged VLANs.
- Untagged—Indicates the network policy is defined for untagged VLANs.
• User Priority—Network policy user priority.
• DSCP—Network policy DSCP.
Displaying LLDP Neighbors Information
The LLDP Neighbors Information page contains information that was received from neighboring devices.
The LLDP Neighbor Information page contains the following fields:
Port Details
• Local Port—Port number.
• MSAP Entry—Device Media Service Access Point (MSAP) entry number.
Basic Details
• Chassis ID Subtype—Type of chassis ID (for example, MAC address).
• Chassis ID—Identifier of the 802 LAN neighboring device chassis.
• Port ID Subtype—Type of the port identifier that is shown.
• Port ID—Identifier of port.
• Auto-Negotiation Enabled—Port speed auto-negotiation active status. The possible values are True and False.
• Auto-Negotiation Advertised Capabilities—Port speed auto-negotiation capabilities; for example, 1000BASE-T half duplex mode, 100BASE-TX full duplex mode.
• Operational MAU Type—Medium Attachment Unit (MAU) type.
• Remote Rx—Indicates the time (in microseconds) that the receiving link partner requests that the transmitting link partner waits before transmission of data following Low Power Idle (LPI) mode.
• Local Tx Echo—Indicates the local link partner's reflection of the remote link partner's Tx value.
• Local Rx Echo—Indicates the local link partner's reflection of the remote link partner's Rx value.
802.1 VLAN and Protocol
• PVID—Advertised port VLAN ID.
PPVID Table
• VID—Protocol VLAN ID.
• Supported—Supported Port and Protocol VLAN IDs.
• Enabled—Enabled Port and Protocol VLAN IDs.
VLAN IDs
• VID—Port and Protocol VLAN ID.
• VLAN Names—Advertised VLAN names.
Protocol IDs
• Protocol ID Table—Advertised protocol IDs.
Location Information
Enter the following data structures in hexadecimal as described in section 10.2.
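As an added illustration of the Chassis ID, Port ID, TTL and capability fields described above (example code added by the editor, not part of the Cisco guide or the switch software), the following Python script decodes a constructed LLDPDU into the same fields the LLDP Neighbor Information page displays. The TLV layout (7-bit type, 9-bit length) and the subtype and capability codes are those of IEEE 802.1AB; the sample neighbor name, MAC address and port name are constructed values. A truncated frame (no End TLV, or a length running past the frame) is rejected rather than partially trusted.

```python
import struct

# TLV type numbers from IEEE 802.1AB; type 0 terminates the LLDPDU
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME, TLV_SYSTEM_DESC, TLV_SYSTEM_CAPS = 5, 6, 7

CHASSIS_ID_SUBTYPES = {1: "Chassis component", 2: "Interface alias", 3: "Port component",
                       4: "MAC address", 5: "Network address", 6: "Interface name",
                       7: "Locally assigned"}
PORT_ID_SUBTYPES = {1: "Interface alias", 2: "Port component", 3: "MAC address",
                    4: "Network address", 5: "Interface name", 6: "Agent circuit ID",
                    7: "Locally assigned"}
# System capability bits (same meaning in the "supported" and "enabled" halves)
CAPABILITY_BITS = [(0x01, "Other"), (0x02, "Repeater"), (0x04, "Bridge"), (0x08, "WLAN AP"),
                   (0x10, "Router"), (0x20, "Telephone"), (0x40, "DOCSIS"), (0x80, "Station Only")]


def iter_tlvs(lldpdu: bytes):
    """Yield (type, value) for each TLV: 2-byte header = 7-bit type + 9-bit length, then value."""
    off = 0
    while off + 2 <= len(lldpdu):
        header = struct.unpack_from("!H", lldpdu, off)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(lldpdu):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        yield tlv_type, lldpdu[off:off + length]
        off += length
        if tlv_type == TLV_END:
            return
    raise ValueError("LLDPDU has no End TLV (truncated frame)")


def _format_id(subtype: int, raw: bytes, mac_subtype: int) -> str:
    # MAC-address subtypes are shown as colon-separated hex, everything else as text
    if subtype == mac_subtype and len(raw) == 6:
        return ":".join(f"{b:02x}" for b in raw)
    return raw.decode("utf-8", errors="replace")


def _capabilities(mask: int):
    return [name for bit, name in CAPABILITY_BITS if mask & bit]


def parse_lldpdu(lldpdu: bytes) -> dict:
    """Decode the fields the LLDP Neighbor Information page displays."""
    info = {}
    for tlv_type, value in iter_tlvs(lldpdu):
        if tlv_type == TLV_CHASSIS_ID:
            subtype = value[0]
            info["chassis_id_subtype"] = CHASSIS_ID_SUBTYPES.get(subtype, f"reserved({subtype})")
            info["chassis_id"] = _format_id(subtype, value[1:], mac_subtype=4)
        elif tlv_type == TLV_PORT_ID:
            subtype = value[0]
            info["port_id_subtype"] = PORT_ID_SUBTYPES.get(subtype, f"reserved({subtype})")
            info["port_id"] = _format_id(subtype, value[1:], mac_subtype=3)
        elif tlv_type == TLV_TTL:
            # seconds the receiver keeps this neighbor's entry before aging it out
            info["ttl"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode("utf-8", errors="replace")
        elif tlv_type == TLV_SYSTEM_DESC:
            info["system_description"] = value.decode("utf-8", errors="replace")
        elif tlv_type == TLV_SYSTEM_CAPS:
            supported, enabled = struct.unpack("!HH", value[:4])
            info["capabilities_supported"] = _capabilities(supported)
            info["capabilities_enabled"] = _capabilities(enabled)
    return info


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV (used here only to build the constructed sample frame)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample LLDPDU: a neighbor "lab-sw1" seen on its port gi1/0/24
SAMPLE_LLDPDU = (
    tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("0011223344aa"))  # subtype 4 = MAC address
    + tlv(TLV_PORT_ID, b"\x05" + b"gi1/0/24")                      # subtype 5 = interface name
    + tlv(TLV_TTL, struct.pack("!H", 120))
    + tlv(TLV_SYSTEM_NAME, b"lab-sw1")
    + tlv(TLV_SYSTEM_DESC, b"constructed sample switch")
    + tlv(TLV_SYSTEM_CAPS, struct.pack("!HH", 0x0014, 0x0004))     # Bridge|Router supported, Bridge enabled
    + tlv(TLV_END, b"")
)

if __name__ == "__main__":
    for field, val in parse_lldpdu(SAMPLE_LLDPDU).items():
        print(f"{field}: {val}")
```

The decoded dictionary maps one-to-one onto the Chassis ID Subtype, Chassis ID, Port ID Subtype, Port ID, System Name, System Description and capability fields listed for the page; the TTL value is what the neighbor table uses to age the entry out.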
Accessing LLDP Statistics
The LLDP Statistics page displays LLDP statistical information per port. To view the LLDP statistics:
STEP 1 Click Administration > Discovery - LLDP > LLDP Statistics.
For each port, the following fields are displayed:
• Interface—Identifier of interface.
• Tx Frames Total—Number of transmitted frames.
• Rx Frames
- Total—Number of received frames.
- Discarded—Total number of received frames that were discarded.
To view LLDP overloading information:
STEP 1 Click Administration > Discovery - LLDP > LLDP Overloading.
This page contains the following fields for each port:
• Interface—Port identifier.
• Total (Bytes)—Total number of bytes of LLDP information in each packet.
• Left to Send (Bytes)—Total number of available bytes left for additional LLDP information in each packet.
• Status—Whether TLVs are being transmitted or if they are overloaded.
- Status—If the LLDP MED extended power via MDI packets were sent, or if they were overloaded.
• 802.3 TLVs
- Size (Bytes)—Total LLDP MED 802.3 TLVs packets byte size.
- Status—If the LLDP MED 802.3 TLVs packets were sent, or if they were overloaded.
• LLDP Optional TLVs
- Size (Bytes)—Total LLDP MED optional TLVs packets byte size.
- Status—If the LLDP MED optional TLVs packets were sent, or if they were overloaded.
Configuring CDP
Setting CDP Properties
Similar to LLDP, CDP (Cisco Discovery Protocol) is a link layer protocol for directly connected neighbors to advertise themselves and their capabilities to each other. Unlike LLDP, CDP is a Cisco proprietary protocol.
CDP Configuration Workflow
The following is a sample workflow for configuring CDP on the device. You can also find additional CDP configuration guidelines in the LLDP/CDP section.
• CDP Version—Select the version of CDP to use.
• CDP Hold Time—Amount of time that CDP packets are held before the packets are discarded, measured in multiples of the TLV Advertise Interval. For example, if the TLV Advertise Interval is 30 seconds, and the Hold Multiplier is 4, then the packets are discarded after 120 seconds.
• Syslog Duplex Mismatch—Check to send a SYSLOG message when duplex information is mismatched. This means that the duplex information in the incoming frame does not match what the local device is advertising.
STEP 3 Click Apply. The properties are defined.
Editing CDP Interface Settings
The Interface Settings page enables administrators to enable/disable CDP per port. Notifications can also be triggered when there are conflicts with CDP neighbors.
This page provides the following fields:
• Interface—Select the interface to be defined.
• CDP Status—Select to enable/disable the CDP publishing option for the port.
NOTE The next three fields are operational when the device has been set up to send traps to the management station.
• System Name TLV
• Address TLV
• Duplex—Whether the port is half or full duplex, advertised in the full/half duplex TLV.
• Appliance TLV
- Appliance ID—Type of device attached to the port, advertised in the appliance TLV.
- Appliance VLAN ID—VLAN on the device used by the appliance; for instance, if the appliance is an IP phone, this is the voice VLAN.
• Extended Trust TLV
- Native VLAN—The native VLAN identifier advertised in the native VLAN TLV.
• CoS for Untrusted Ports TLV
- CoS for Untrusted Ports—If Extended Trust is disabled on the port, this field displays the Layer 2 CoS value, meaning an 802.1D/802.1p priority value. This is the CoS value with which all packets received on an untrusted port are remarked by the device.
• Power TLV
- Request ID—Last power request ID received; echoes the Request-ID field last received in a Power Requested TLV.
• System Name—Neighbor's system name.
• Local Interface—Number of the local port to which the neighbor is connected.
• Advertisement Version—CDP protocol version.
• Time to Live (sec)—Time interval (in seconds) after which the information for this neighbor is deleted.
• Capabilities—Capabilities advertised by the neighbor.
• Platform—Information from the Platform TLV of the neighbor.
• Neighbor Interface—Outgoing interface of the neighbor.
NOTE Clicking the Clear Table button disconnects all connected devices from CDP and, if Auto Smartport is enabled, changes all port types to Default.
Viewing CDP Statistics
The CDP Statistics page displays information regarding Cisco Discovery Protocol (CDP) frames that were sent or received from a port. CDP packets are received from devices attached to the switch's interfaces, and are used for the Smartport feature.
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
9 Port Management
This section describes port configuration, link aggregation, and the Green Ethernet feature. It covers the following topics:
• Configuring Ports
• Setting Port Configuration
• Link Aggregation
• UDLD
• Configuring Green Ethernet
Configuring Ports
To configure ports, perform the following actions:
1. Configure the port by using the Port Settings page.
2.
7. If PoE is supported and enabled for the device, configure the device as described in Port Management: PoE.
Setting Port Configuration
Ports can be configured in the following pages.
Port Settings
The Port Settings page displays the global and per-port settings of all the ports. This page enables you to select and configure the desired ports from the Edit Port Settings page. To configure port settings:
STEP 1 Click Port Management > Port Settings.
- Combo Fiber—SFP Fiber Gigabit Interface Converter Port with the following values: 100M and 1000M (type: ComboF).
- 10G-Fiber Optics—Ports with speed of either 1G or 10G.
NOTE SFP Fiber takes precedence in Combo ports when both ports are being used.
• Administrative Status—Select whether the port must be Up or Down when the device is rebooted.
• Operational Status—Displays whether the port is currently Up or Down.
• Administrative Duplex Mode—Select the port duplex mode. This field is configurable only when auto-negotiation is disabled, and the port speed is set to 10M or 100M. At a port speed of 1G, the mode is always full duplex. The possible options are:
- Full—The interface supports transmission between the device and the client in both directions simultaneously.
- MDI—Select to connect this device to a station by using a straight-through cable.
- Auto—Select to configure this device to automatically detect the correct pinouts for the connection to another device.
• Operational MDI/MDIX—Displays the current MDI/MDIX setting.
• Protected Port—Select to make this a protected port. (A protected port is also referred to as a Private VLAN Edge (PVE).
• Port Security—Select to enable the error recovery mechanism for the port security err-disable state.
• 802.1x Single Host Violation—Select to enable the error recovery mechanism for the 802.1x error-disable state.
• ACL Deny—Select to enable the error recovery mechanism for the ACL deny error-disable state.
• STP BPDU Guard—Select to enable the error recovery mechanism for the STP BPDU guard error-disable state.
Link Aggregation
Overview
Link Aggregation Control Protocol (LACP) is part of the IEEE specification (802.3az) that enables you to bundle several physical ports together to form a single logical channel (LAG). LAGs multiply the bandwidth, increase port flexibility, and provide link redundancy between two devices. Two types of LAGs are supported:
• Static—A LAG is static if LACP is disabled on it. The group of ports assigned to a static LAG are always active members.
Every LAG has the following characteristics:
• All ports in a LAG must be of the same media type.
• To add a port to the LAG, it cannot belong to any VLAN except the default VLAN.
• Ports in a LAG must not be assigned to another LAG.
• No more than eight ports are assigned to a static LAG and no more than 16 ports can be candidates for a dynamic LAG.
• All the ports in a LAG must have auto-negotiation disabled, although the LAG can have auto-negotiation enabled.
To configure a dynamic LAG, perform the following actions:
1. Enable LACP on the LAG. Assign up to 16 candidate ports to the dynamic LAG by selecting and moving the ports from the Port List to the LAG Members List by using the LAG Management page.
2. Configure various aspects of the LAG, such as speed and flow control, by using the LAG Settings page.
3. Set the LACP priority and timeout of the ports in the LAG by using the LACP page.
• Unit/Slot—Displays the stacking member for which LAG information is defined.
• Port List—Move those ports that are to be assigned to the LAG from the Port List to the LAG Members list. Up to eight ports per static LAG can be assigned, and 16 ports can be assigned to a dynamic LAG.
STEP 3 Click Apply. LAG membership is saved to the Running Configuration file.
Configuring LAG Settings
The LAG Settings page displays a table of current settings for all LAGs.
• Reactivate Suspended LAG—Select to reactivate a port if the LAG has been disabled through the locked port security option or through ACL configurations.
• Administrative Auto Negotiation—Enables or disables auto-negotiation on the LAG. Auto-negotiation is a protocol between two link partners that enables a LAG to advertise its transmission speed and flow control to its partner (the Flow Control default is disabled).
Configuring LACP
A dynamic LAG is LACP-enabled, and LACP is run on every candidate port defined in the LAG.
LACP Priority and Rules
LACP system priority and LACP port priority are both used to determine which of the candidate ports become active member ports in a dynamic LAG configured with more than eight candidate ports. The selected candidate ports of the LAG are all connected to the same remote device. Both the local and remote switches have an LACP system priority.
However, there are cases when one link partner is temporarily not configured for LACP. One example of such a case is when the link partner is a device that is in the process of receiving its configuration using the auto-config protocol. This device's ports are not yet configured for LACP. If the LAG link cannot come up, the device can never become configured. A similar case occurs with dual-NIC network-boot computers (e.g.
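The selection of active members from a larger candidate set, described under LACP Priority and Rules above, as an added Python example (editor's code, not Cisco's implementation). The guide states only that the system and port priorities decide; the ordering used here, in which the system with the lower (priority, MAC) System ID makes the choice and its ports are ranked by lower port priority value with the port number as tie-breaker, is standard IEEE 802.3ad LACP behaviour assumed for the example. The port numbers, MAC addresses and priorities are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

MAX_ACTIVE_PORTS = 8       # the guide: at most eight active members, up to 16 candidates in a dynamic LAG
MAX_CANDIDATES = 16


@dataclass(frozen=True)
class LacpSystem:
    priority: int           # LACP system priority; a lower value wins
    mac: str                # system MAC address, the tie-breaker inside the LACP System ID


@dataclass(frozen=True)
class Candidate:
    local_port: int
    local_port_priority: int
    partner_port: int             # as learned from the partner's LACPDU on this link
    partner_port_priority: int    # as learned from the partner's LACPDU on this link


def deciding_system(local: LacpSystem, partner: LacpSystem) -> str:
    """The system with the numerically lower (priority, MAC) System ID selects the active links."""
    local_id = (local.priority, local.mac.lower())
    partner_id = (partner.priority, partner.mac.lower())
    return "local" if local_id < partner_id else "partner"


def select_active_members(local: LacpSystem, partner: LacpSystem,
                          candidates: List[Candidate]) -> Tuple[List[int], List[int]]:
    """Return (active local ports, standby local ports) for a dynamic LAG."""
    if len(candidates) > MAX_CANDIDATES:
        raise ValueError("a dynamic LAG takes at most 16 candidate ports")

    if deciding_system(local, partner) == "local":
        def rank(c: Candidate):
            return (c.local_port_priority, c.local_port)
    else:
        # the partner ranks the links by its own port priorities and port numbers
        def rank(c: Candidate):
            return (c.partner_port_priority, c.partner_port)

    ordered = sorted(candidates, key=rank)
    active = [c.local_port for c in ordered[:MAX_ACTIVE_PORTS]]
    standby = [c.local_port for c in ordered[MAX_ACTIVE_PORTS:]]
    return active, standby


# Constructed sample: ten candidate ports; local ports 9 and 10 get the best (lowest) port priority
LOCAL = LacpSystem(priority=1, mac="00:11:22:00:00:01")
PARTNER = LacpSystem(priority=1, mac="00:11:22:00:00:02")
CANDIDATES = [
    Candidate(local_port=p, local_port_priority=(1 if p in (9, 10) else 100),
              partner_port=p, partner_port_priority=100)
    for p in range(1, 11)
]

if __name__ == "__main__":
    active, standby = select_active_members(LOCAL, PARTNER, CANDIDATES)
    print("deciding system:", deciding_system(LOCAL, PARTNER))
    print("active:", active, "standby:", standby)
```

With equal system priorities the local switch wins on the lower MAC, so its port priorities decide and ports 9 and 10 displace ports 7 and 8. If the partner's System ID were lower, its port priorities would decide instead, which is why the LACP page lets you set the system priority as well as the per-port priority.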
STEP 5 Click Apply. The Running Configuration file is updated.
UDLD
See Port Management: Unidirectional Link Detection.
PoE
See Port Management: PoE.
Configuring Green Ethernet
This section describes the Green Ethernet feature that is designed to save power on the device.
operational mode is fast, transparent, and no frames are lost. This mode is supported on both GE and FE ports.
• Short-Reach Mode—This feature provides for power savings on a short length of cable. After the cable length is analyzed, the power usage is adjusted for various cable lengths. If the cable is shorter than 50 meters, the device uses less power to send frames over the cable, thus saving energy.
Power Saving by Disabling Port LEDs
The Disable Port LEDs feature allows the user to save the extra power consumed by device LEDs. Since most of the time the devices are in an unoccupied room, having these LEDs lit is a waste of energy. The Green Ethernet feature enables you to disable the port LEDs (for link, speed, and PoE) when they are not required, and to enable the LEDs if they are needed (debugging, connecting additional devices, etc.).
LLDP is used to select the optimal set of parameters for both devices. If LLDP is not supported by the link partner, or is disabled, 802.3az EEE is still operational, but it might not be in the optimal operational mode. The 802.3az EEE feature is implemented using a port mode called Low Power Idle (LPI) mode. When there is no traffic and this feature is enabled on the port, the port is placed in LPI mode, which reduces power consumption dramatically.
Default Configuration
By default, 802.3az EEE and EEE LLDP are enabled globally and per port.
Interactions Between Features
The following describes 802.3az EEE interactions with other features:
• If auto-negotiation is not enabled on the port, the 802.3az EEE operational status is disabled. The exception to this rule is that if the link speed is 1 Gigabit, EEE can still be enabled even though auto-negotiation is disabled.
• If 802.
STEP 4 To see 802.3 EEE-related information on the local device, open the Administration > Discovery - LLDP > LLDP Local Information page, and view the information in the 802.3 Energy Efficient Ethernet (EEE) block.
STEP 5 To display 802.3az EEE information on the remote device, open the Administration > Discovery - LLDP > LLDP Neighbor Information page, and view the information in the 802.3 Energy Efficient Ethernet (EEE) block.
STEP 3 Click Apply. The Green Ethernet Properties are written to the Running Configuration file.
Setting Green Ethernet Properties for Ports
The Port Settings page displays the current Green Ethernet and EEE modes per port, and enables configuring Green Ethernet on a port using the Edit Port Setting page. For the Green Ethernet modes to operate on a port, the corresponding modes must be activated globally in the Properties page.
NOTE Short-reach mode is only supported on RJ45 GE ports; it does not apply to Combo ports.
• 802.3 Energy Efficient Ethernet (EEE)—State of the port regarding the EEE feature:
- Administrative—Displays whether EEE was enabled.
- Operational—Displays whether EEE is currently operating on the local port.
10 Port Management: Unidirectional Link Detection
This section describes the Unidirectional Link Detection (UDLD) feature. It covers the following topics:
• UDLD Overview
• UDLD Operation
• Usage Guidelines
• Dependencies On Other Features
• Default Settings and Configuration
• Before You Start
• Common UDLD Tasks
• Configuring UDLD
UDLD Overview
UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to detect unidirectional links.
All connected devices must support UDLD for the protocol to successfully detect unidirectional links. If only the local device supports UDLD, it is not possible for the device to detect the status of the link. In this case, the status of the link is set to undetermined. The user can configure whether ports in the undetermined state are shut down or merely trigger notifications.
UDLD Operation
UDLD is enabled on a port when one of the following occurs:
• The port is a fiber port and UDLD is enabled globally.
• The port is a copper port and you specifically enable UDLD on it.
How UDLD Works
When UDLD is enabled on a port, the following actions are performed:
• UDLD initiates the detection state on the port. In this state, UDLD periodically sends messages on every active interface to all neighbors.
If an interface is down and UDLD is enabled, the device removes all neighbor information and sends at least one UDLD message to the neighbors informing them that the port is down. When the port is brought up, the UDLD state is changed to detection.
UDLD Not Supported or Disabled on a Neighbor
If UDLD is not supported or is disabled on a neighbor, then no UDLD messages are received from that neighbor.
UDLD again begins running on the port. If the link is still unidirectional, UDLD shuts it down again after the UDLD expiration time expires.
• Manually—You can reactivate a port in the Port Management > Error Recovery Settings page.
Usage Guidelines
Cisco does not recommend enabling UDLD on ports that are connected to devices on which UDLD is not supported or is disabled.
UDLD and Layer 2 Protocols
UDLD runs on a port independently from other Layer 2 protocols running on the same port, such as STP or LACP. For example, UDLD assigns the port a status regardless of the STP status of the port or of whether the port belongs to a LAG.
Default Settings and Configuration
The following defaults exist for this feature:
• UDLD is disabled by default on all ports of the device.
STEP 2 Click Apply.
Workflow 2: To change the UDLD configuration of a fiber port or to enable UDLD on a copper port, perform the following steps:
STEP 1 Open the Port Management > UDLD Global Settings page.
a. Select a port.
b. Select either Default, Disabled, Normal or Aggressive as the port's UDLD status. If you select Default, the port receives the global setting.
STEP 2 Click Apply.
• Fiber Port UDLD Default State—This field is only relevant for fiber ports. The UDLD state of copper ports must be set individually in the UDLD Interface Settings page. The possible states are:
- Disabled—UDLD is disabled on all ports of the device.
- Normal—Device shuts down an interface if the link is unidirectional. If the link is undetermined, a notification is issued.
determination (if there was one), or since UDLD began running on the port, so that the state is not yet determined.
- Bidirectional—Traffic sent by the local device is received by its neighbor, and traffic from the neighbor is received by the local device.
• State—State of the link between the local and neighboring device on the local port. The following values are possible:
- Detection—The latest UDLD state of the port is in the process of being determined. The expiration time has not yet expired since the last determination (if there was one), or since UDLD began running on the port, so that the state is not yet determined.
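The link states and per-mode actions described in this chapter, as an added Python example (editor's code, not the switch's UDLD implementation). It models the UDLD echo mechanism in its simplest form: each message carries the sender's device and port ID plus the IDs it has heard on that port, so the link is bidirectional when the neighbor echoes the local ID, unidirectional when the neighbor is heard but has not heard the local device, and undetermined when nothing current has been received (no UDLD support, UDLD disabled, or the entry has passed the expiration time). Normal mode follows the guide's description; Aggressive mode also shutting down an undetermined link is assumed for the example, since this excerpt ends before that row. Device names, times and the expiration value are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PortId = Tuple[str, str]   # (device ID, port ID)


@dataclass
class UdldMessage:
    sender: PortId
    echo: List[PortId] = field(default_factory=list)   # neighbors the sender has heard on that port
    received_at: float = 0.0                            # seconds, local clock


def link_state(local: PortId, latest: Optional[UdldMessage], now: float,
               expiration: float) -> str:
    """Classify the link as the UDLD Interface Settings page reports it."""
    if latest is None or now - latest.received_at > expiration:
        # nothing current from the neighbor: no UDLD there, or our receive path is dead
        return "undetermined"
    if local in latest.echo:
        return "bidirectional"    # the neighbor hears us and we hear it
    return "unidirectional"       # we hear the neighbor, but it has not heard us


def port_action(state: str, mode: str) -> str:
    """Normal: shut down only a unidirectional link and notify on undetermined.
    Aggressive (assumed here): shut down on undetermined as well."""
    if mode not in ("normal", "aggressive"):
        raise ValueError("mode must be 'normal' or 'aggressive'")
    if state == "unidirectional":
        return "shutdown"
    if state == "undetermined":
        return "shutdown" if mode == "aggressive" else "notify"
    return "none"


def evaluate(local: PortId, latest: Optional[UdldMessage], now: float,
             expiration: float, mode: str) -> Tuple[str, str]:
    state = link_state(local, latest, now, expiration)
    return state, port_action(state, mode)


# Constructed sample: local port gi1/0/1 on sw1, neighbor gi1/0/7 on sw2, 45 s expiration
LOCAL: PortId = ("sw1", "gi1/0/1")
EXPIRATION = 45.0
ECHOED = UdldMessage(sender=("sw2", "gi1/0/7"), echo=[("sw1", "gi1/0/1")], received_at=10.0)
NOT_ECHOED = UdldMessage(sender=("sw2", "gi1/0/7"), echo=[], received_at=10.0)

if __name__ == "__main__":
    for label, msg, now in (("echoed", ECHOED, 20.0), ("not echoed", NOT_ECHOED, 20.0),
                            ("expired", ECHOED, 100.0), ("silent", None, 20.0)):
        for mode in ("normal", "aggressive"):
            print(label, mode, evaluate(LOCAL, msg, now, EXPIRATION, mode))
```

The expired case is the one the Usage Guidelines warn about: a neighbor that simply does not run UDLD looks identical to one whose transmit path has failed, which is why enabling UDLD towards such devices produces undetermined links and, in the assumed aggressive mode, shutdowns.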
11 Smartport
This section describes the Smartport feature.
Overview
The Smartport feature provides a convenient way to save and share common configurations. By applying the same Smartport macro to multiple interfaces, the interfaces share a common set of configurations. A Smartport macro is a script of CLI (Command Line Interface) commands. A Smartport macro can be applied to an interface by the macro name, or by the Smartport type associated with the macro. Applying a Smartport macro by macro name can be done only through the CLI.
What is a Smartport
A Smartport is an interface to which a built-in (or user-defined) macro may be applied. These macros are designed to provide a means of quickly configuring the device to support the communication requirements and utilize the features of various types of network devices. The network access and QoS requirements vary if the interface is connected to an IP phone, a printer, or a router and/or Access Point (AP).
• Statically from a Smartport macro by name only from the CLI.
A Smartport macro can be applied by its Smartport type statically from the CLI and GUI, and dynamically by Auto Smartport. Auto Smartport derives the Smartport types of the attached devices based on CDP capabilities, LLDP system capabilities, and/or LLDP-MED capabilities.
If Auto Smartport assigns a Smartport type to an interface and the interface is not configured to be Auto Smartport Persistent, then its Smartport type is re-initialized to Default in the following cases:
- A link down/up operation is performed on the interface.
- The device is restarted.
- All devices attached to the interface have aged out, which is defined as the absence of CDP and/or LLDP advertisements from the device for a specified time period.
There are two types of Smartport macros:
• Built-In—These are macros provided by the system. One macro applies the configuration profile and the other removes it. The macro names of the built-in Smartport macros and the Smartport type they are associated with are as follows:
- macro-name (for example: printer)
- no_macro-name (for example: no_printer)
• User-Defined—These are macros written by the users. See the CLI Reference Guide for more information about these.
- Else the corresponding anti-macro is applied and the interface's status is set to Default.
Macro Failure and the Reset Operation
A Smartport macro might fail if there is a conflict between the existing configuration of the interface and a Smartport macro.
There are two ways to apply a Smartport macro by Smartport type to an interface:
• Static Smartport
You manually assign a Smartport type to an interface. The corresponding Smartport macro is applied to the interface. You can manually assign a Smartport type to an interface from the Smartport Interface Settings page.
• Enabled—This manually enables Auto Smartport and places it into operation immediately.
• Enable by Auto Voice VLAN—This enables Auto Smartport to operate if Auto Voice VLAN is enabled and in operation. Enable by Auto Voice VLAN is the default.
NOTE In addition to enabling Auto Smartport globally, you must enable Auto Smartport at the desired interface as well. By default, Auto Smartport is enabled at all the interfaces.
CDP Capabilities Mapping to Smartport Type (Continued)
Capability Name              CDP Bit   Smartport Type
SR Bridge                    0x04      Ignore
Switch                       0x08      Switch
Host                         0x10      Host
IGMP conditional filtering   0x20      Ignore
Repeater                     0x40      Ignore
VoIP Phone                   0x80      ip_phone
Remotely-Managed Device      0x100     Ignore
CAST Phone Port              0x200     Ignore
Two-Port MAC Relay           0x400     Ignore

LLDP Capabilities Mapping to Smartport Type
Capability Name              LLDP Bit  Smartport Type
Other                        1         Ignore
Repeater IETF
LLDP Capabilities Mapping to Smartport Type (Continued)
Capability Name              LLDP Bit  Smartport Type
Reserved                     12-16     Ignore
NOTE If only the IP Phone and Host bits are set, then the Smartport type is ip_phone_desktop.
Multiple Devices Attached to the Port
The device derives the Smartport type of a connected device via the capabilities the device advertises in its CDP and/or LLDP packets.
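To show how the capability bits in the CDP table turn into a Smartport type (an added Python example by the editor, not code from the guide or the switch firmware), the script below extracts the Capabilities TLV from a constructed CDP TLV sequence and applies the rows of the CDP table shown above together with the note about ip_phone_desktop. The CDP TLV layout (2-byte type, 2-byte length that includes the 4-byte header, type 0x0004 for Capabilities, 0x0001 for Device ID) is standard CDP. Only the rows visible in the table are mapped; bit combinations those rows do not resolve return None rather than a guessed type, and the sample device name and capability bits are constructed.

```python
import struct
from typing import Optional

CDP_TLV_DEVICE_ID = 0x0001
CDP_TLV_CAPABILITIES = 0x0004   # value is a 4-byte big-endian capabilities bitmask

# CDP capability bit -> (capability name, Smartport type); None stands for the table's "Ignore".
# Only the rows shown in the guide's table are listed here.
CDP_CAPABILITY_MAP = {
    0x004: ("SR Bridge", None),
    0x008: ("Switch", "switch"),
    0x010: ("Host", "host"),
    0x020: ("IGMP conditional filtering", None),
    0x040: ("Repeater", None),
    0x080: ("VoIP Phone", "ip_phone"),
    0x100: ("Remotely-Managed Device", None),
    0x200: ("CAST Phone Port", None),
    0x400: ("Two-Port MAC Relay", None),
}


def cdp_capabilities(payload: bytes) -> int:
    """Walk the CDP TLVs and return the Capabilities bitmask (0 if the TLV is absent)."""
    off = 0
    while off + 4 <= len(payload):
        tlv_type, length = struct.unpack_from("!HH", payload, off)
        if length < 4 or off + length > len(payload):
            raise ValueError("malformed CDP TLV: bad length")
        value = payload[off + 4:off + length]
        if tlv_type == CDP_TLV_CAPABILITIES:
            if len(value) != 4:
                raise ValueError("malformed CDP Capabilities TLV: value must be 4 bytes")
            return struct.unpack("!I", value)[0]
        off += length
    return 0


def smartport_type(capabilities: int) -> Optional[str]:
    """Map a CDP capabilities mask to a Smartport type using the table rows above."""
    mapped = {stype for bit, (_, stype) in CDP_CAPABILITY_MAP.items()
              if capabilities & bit and stype is not None}
    if mapped == {"ip_phone", "host"}:
        return "ip_phone_desktop"     # the guide's note: only the IP Phone and Host bits set
    if len(mapped) == 1:
        return mapped.pop()
    # no mapped bit, or a combination the rows shown here do not resolve
    return None


def cdp_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one CDP TLV (used only to build the constructed sample)."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


# Constructed sample: Device ID "lab-phone" followed by Capabilities = Host | VoIP Phone
SAMPLE_CDP = (cdp_tlv(CDP_TLV_DEVICE_ID, b"lab-phone")
              + cdp_tlv(CDP_TLV_CAPABILITIES, struct.pack("!I", 0x010 | 0x080)))

if __name__ == "__main__":
    mask = cdp_capabilities(SAMPLE_CDP)
    names = [name for bit, (name, _) in CDP_CAPABILITY_MAP.items() if mask & bit]
    print(f"capabilities 0x{mask:x} {names} -> {smartport_type(mask)}")
```

Ignore rows are skipped rather than counted, so a switch that also advertises IGMP conditional filtering still maps to switch, while a device advertising only Remotely-Managed Device maps to nothing.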
Persistent status of an interface is disabled, the interface reverts to the default Smartport type when the device attached to it ages out, the interface goes down, or the device is rebooted. Enabling Persistent status on an interface eliminates the device detection delay that otherwise occurs.
Relationships with Other Features and Backwards Compatibility
Auto Smartport is enabled by default and may be disabled. Telephony OUI cannot function concurrently with Auto Smartport and Auto Voice VLAN. Auto Smartport must be disabled before enabling Telephony OUI.
Common Smartport Tasks
This section describes some common tasks to set up Smartport and Auto Smartport.
Workflow 2: To configure an interface as a static Smartport, perform the following steps:
STEP 1 To enable the Smartport feature on the interface, open the Smartport > Interface Settings page.
STEP 2 Select the interface, and click Edit.
STEP 3 Select the Smartport type that is to be assigned to the interface in the Smartport Application field.
STEP 4 Set the macro parameters as required.
STEP 5 Click Apply.
Workflow 4: To rerun a Smartport macro after it has failed, perform the following steps:
STEP 1 In the Interface Settings page, select an interface with Smartport type Unknown.
STEP 2 Click Show Diagnostics to see the problem.
STEP 3 Troubleshoot, then correct the problem. Consider the troubleshooting tip below.
STEP 4 Click Edit. A new window appears in which you can click Reset to reset the interface.
Smartport Properties
To configure the Smartport feature globally:
STEP 1 Click Smartport > Properties.
STEP 2 Enter the parameters.
• Administrative Auto Smartport—Select to globally enable or disable Auto Smartport. The following options are available:
- Disable—Select to disable Auto Smartport on the device.
- Enable—Select to enable Auto Smartport on the device.
Smartport Type Settings
Use the Smartport Type Settings page to edit the Smartport Type settings and view the Macro Source. By default, each Smartport type is associated with a pair of built-in Smartport macros. See Smartport Types for further information on macro versus anti-macro. Alternatively, you can associate your own pair of user-defined macros with customized configurations to a Smartport type.
• Macro Parameters—Displays the following fields for three parameters in the macro:
- Parameter Name—Name of parameter in macro.
- Parameter Value—Current value of parameter in macro. This can be changed here.
- Parameter Description—Description of parameter.
You can restore the default parameter values by clicking Restore Defaults.
STEP 5 Click Apply to save the changes to the running configuration.
since the last macro application. You have to be familiar with the current configurations on the device and the definition of the macro to determine if a reapplication has any impact on the interface.
• Reset unknown interfaces. This sets the mode of Unknown interfaces to Default.
To apply a Smartport macro:
STEP 1 Click Smartport > Interface Settings.
STEP 1 Select an interface and click Edit.
STEP 2 Enter the fields.
• Interface—Select the port or LAG.
• Smartport Type—Displays the Smartport type currently assigned to the port/LAG.
• Smartport Application—Select the Smartport type from the Smartport Application pull-down.
Built-in Smartport Macros
Macro code for the following Smartport types is provided:
• desktop
• printer
• guest
• server
• host
• ip_camera
• ip_phone
• ip_phone_desktop
• switch
• router
• ap
desktop
[desktop]
#interface configuration, for increased network security and reliability when connecting a desktop device, such as a PC, to a switch port.
#
@

no_desktop
[no_desktop]
#macro description No Desktop
#
no smartport switchport trunk native vlan
smartport switchport trunk allowed vlan remove all
#
no port security
no port security mode
no port security max
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
no smartport storm-control include-multicast
#
spanning-tree portfast auto
#
@

printer
[printer]
#macro description printer
#macro keywords $native_vlan
#
#macro key

no_printer
[no_printer]
#macro description No printer
#
no switchport access vlan
no switchport mode
#
no port security
no port security mode
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
no smartport storm-control include-multicast
#
spanning-tree portfast auto
#
@

guest
[guest]
#macro description guest
#macro keywords $native_vlan
#
#macro key description: $native_vlan: The untag VLAN which will be configured on the port

[no_guest]
#macro description No guest
#
no switchport access vlan
no switchport mode
#
no port security
no port security mode
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
no smartport storm-control include-multicast
#
spanning-tree portfast auto
#
@

server
[server]
#macro description server
#macro keywords $native_vlan $max_hosts
#
#macro key description: $native_vlan: The untag VLAN which will be configured on the port
#

#
no smartport switchport trunk native vlan
smartport switchport trunk allowed vlan remove all
#
no port security
no port security mode
no port security max
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
#
spanning-tree portfast auto
#
@

host
[host]
#macro description host
#macro keywords $native_vlan $max_hosts
#
#macro key description: $native_vlan: The untag VLAN which will be configured on the port
# $max_hosts: The maxi

no smartport switchport trunk native vlan
smartport switchport trunk allowed vlan remove all
#
no port security
no port security mode
no port security max
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
no smartport storm-control include-multicast
#
spanning-tree portfast auto
#
@

ip_camera
[ip_camera]
#macro description ip_camera
#macro keywords $native_vlan
#
#macro key description: $native_vlan: The untag VLAN which will b

no port security mode
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
no smartport storm-control include-multicast
#
spanning-tree portfast auto
#
@

ip_phone
[ip_phone]
#macro description ip_phone
#macro keywords $native_vlan $voice_vlan $max_hosts
#
#macro key description: $native_vlan: The untag VLAN which will be configured on the port
# $voice_vlan: The voice VLAN ID
# $max_hosts: The maximum number of allowed devices on

#$voice_vlan = 1
#
smartport switchport trunk allowed vlan remove $voice_vlan
no smartport switchport trunk native vlan
smartport switchport trunk allowed vlan remove all
#
no port security
no port security mode
no port security max
#
no smartport storm-control broadcast enable
no smartport storm-control broadcast level
no smartport storm-control include-multicast
#
spanning-tree portfast auto
#
@

ip_phone_desktop
[ip_phone_desktop]
#macro description ip_phone_deskt

[no_ip_phone_desktop]
#macro description no ip_phone_desktop
#macro keywords $voice_vlan
#
#macro key description: $voice_vlan: The voice VLAN ID
#
#Default Values are
#$voice_vlan = 1
#
smartport switchport trunk allowed vlan remove $voice_vlan
no smartport switchport trunk native vlan
smartport switchport trunk allowed vlan remove all
#
no port security
no port security mode
no port security max
#
no smartport storm-control broadcast enable
no smartport storm-contr
11 Smartport Built-in Smartport Macros # #macro key description: $voice_vlan: The voice VLAN ID # no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all # no spanning-tree link-type # @ router [router] #macro description router #macro keywords $native_vlan $voice_vlan # #macro key description: $native_vlan: The untag VLAN which will be configured on the port # $voice_vlan: The voice VLAN ID # #Default Values are #$native_vlan = Default VLAN #$voice_vlan = 1 # #the de
11 Smartport Built-in Smartport Macros # no smartport storm-control broadcast enable no smartport storm-control broadcast level # no spanning-tree link-type # @ ap [ap] #macro description ap #macro keywords $native_vlan $voice_vlan # #macro key description: $native_vlan: The untag VLAN which will be configured on the port 186 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
12 Port Management: PoE

The Power over Ethernet (PoE) feature is only available on PoE-based devices. For a list of PoE-based devices, refer to the Device Models section. This section describes how to use the PoE feature.

NOTE The PoE feature is not enabled on SG500XG/ESW2-550X devices.

PoE on the Device

Power over Ethernet can be used in any enterprise network that deploys relatively low-powered devices connected to the Ethernet LAN, such as:
• IP phones
• Wireless access points
• IP gateways
• Audio and video remote monitoring devices

PoE Operation

PoE operates in the following stages:
• Detection—Sends special pulses on the copper cable. When a PoE device is located at the other end, that device responds to these pulses.

You can decide the following:
• Maximum power a PSE is allowed to supply to a PD
• During device operation, to change the mode from Class Power Limit to Port Limit and vice versa. The power values per port that were configured for the Port Limit mode are retained.

NOTE Changing the mode from Class Limit to Port Limit and vice versa when the device is operational forces the Powered Device to reboot.

Configuring PoE Properties

a PoE device acting as a PSE may mistakenly detect and supply power to an attaching PSE, including other PoE switches, as a legacy PD. Even though Sx200/300/500 PoE switches are PSEs, and as such should be powered by AC, they could be powered up as a legacy PD by another PSE due to false detection. When this happens, the PoE device may not operate properly and may not be able to properly supply power to its attaching PDs.

Configuring PoE Settings

• Traps—Enable or disable traps. If traps are enabled, you must also enable SNMP and configure at least one SNMP Notification Recipient.
• Power Trap Threshold—Enter the usage threshold as a percentage of the power limit. An alarm is initiated if the power exceeds this value.
• Class Limit: Power is limited based on the class of the connected PD. For these settings to be active, the system must be in PoE Class Limit mode. That mode is configured in the PoE Properties page. When the power consumed on the port exceeds the class limit, the port power is turned off.

PoE priority example:
Given: A 48-port device is supplying a total of 375 watts. The administrator configures all ports to allocate up to 30 watts.

• Administrative Power Allocation—This field appears only if the Power Mode set in the PoE Properties page is Port Limit. If the Power Mode is Port Limit, enter the power in milliwatts allocated to the port.
• Max Power Allocation—This field appears only if the Power Mode set in the PoE Properties page is Port Limit. Displays the maximum amount of power permitted on this port.
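The two power modes and the Power Trap Threshold described above, as an added Python model (not Cisco's implementation) of how a PSE budget is consumed per port under Port Limit versus Class Limit. The port records, the priority ordering, the "reserve at the limit" rule and the 375 W scenario are constructed for illustration; the per-class wattages are the IEEE 802.3af/at values, not figures from this guide.

```python
from dataclasses import dataclass
from typing import Dict, List

# IEEE 802.3af/at per-class power limits at the PSE, in milliwatts
# (standard values, not taken from the guide).
CLASS_LIMIT_MW = {0: 15400, 1: 4000, 2: 7000, 3: 15400, 4: 30000}


@dataclass
class PoePort:
    """Hypothetical port record holding the PoE Settings fields this model needs."""
    name: str
    priority: int          # assumption: lower number is served first
    pd_class: int          # class the connected PD signalled (0-4)
    admin_alloc_mw: int    # Administrative Power Allocation (Port Limit mode)
    consumed_mw: int       # measured consumption on the port


def port_limit_mw(port: PoePort, mode: str) -> int:
    """Per-port limit under the power mode selected in PoE Properties."""
    if mode == "Port Limit":
        return port.admin_alloc_mw
    if mode == "Class Limit":
        return CLASS_LIMIT_MW[port.pd_class]
    raise ValueError(f"unknown power mode {mode!r}")


def evaluate(ports: List[PoePort], mode: str, budget_mw: int) -> Dict[str, str]:
    """State per port: 'on', 'off-overlimit' (consumption exceeds the port's
    limit, so port power is turned off, as the guide states for Class Limit)
    or 'off-budget' (the remaining PSE budget cannot cover the port's limit).

    Assumption: budget is reserved per port at its limit, in priority order."""
    states: Dict[str, str] = {}
    remaining = budget_mw
    for p in sorted(ports, key=lambda x: (x.priority, x.name)):
        limit = port_limit_mw(p, mode)
        if p.consumed_mw > limit:
            states[p.name] = "off-overlimit"
        elif limit > remaining:
            states[p.name] = "off-budget"
        else:
            remaining -= limit
            states[p.name] = "on"
    return states


def trap_due(consumed_mw: int, limit_mw: int, threshold_pct: int) -> bool:
    """Power Trap Threshold check: alarm when usage exceeds the configured
    percentage of the power limit (integer math, no float rounding)."""
    return consumed_mw * 100 > limit_mw * threshold_pct


def budget_example() -> Dict[str, str]:
    """Constructed scenario in the spirit of the guide's example: a 375 W PSE
    and 14 ports that each allocate up to 30 W in Port Limit mode."""
    ports = [PoePort(f"gi{i}", priority=2, pd_class=3, admin_alloc_mw=30000,
                     consumed_mw=6000) for i in range(1, 15)]
    ports[13].priority = 0   # gi14 marked critical: served before the rest
    return evaluate(ports, "Port Limit", 375_000)


if __name__ == "__main__":
    for name, state in budget_example().items():
        print(name, state)
```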
13 VLAN Management

This section covers the following topics:
• VLANs
• Configuring Default VLAN Settings
• Creating VLANs
• Configuring VLAN Interface Settings
• Defining VLAN Membership
• GVRP Settings
• VLAN Groups
• Voice VLAN
• Access Port Multicast TV VLAN
• Customer Port Multicast TV VLAN

VLANs

A VLAN is a logical group of ports that enables devices associated with it to communicate with each other over the Ethernet MAC layer, regardless of the physical LAN segment of the bridged

VLAN Description

Each VLAN is configured with a unique VID (VLAN ID) with a value from 1 to 4094. A port on a device in a bridged network is a member of a VLAN if it can send data to and receive data from the VLAN. A port is an untagged member of a VLAN if all packets destined for that port into the VLAN have no VLAN tag. A port is a tagged member of a VLAN if all packets destined for that port into the VLAN have a VLAN tag.

VLAN Roles

VLANs function at Layer 2. All VLAN traffic (Unicast/Broadcast/Multicast) remains within its VLAN. Devices attached to different VLANs do not have direct connectivity to each other over the Ethernet MAC layer. Devices from different VLANs can communicate with each other only through Layer 3 routers. An IP router, for example, is required to route IP traffic between VLANs if each VLAN represents an IP subnet.

Customer traffic is encapsulated with an S-tag with TPID 0x8100, regardless of whether it was originally C-tagged or untagged. The S-tag allows this traffic to be treated as an aggregate within a provider bridge network, where the bridging is based on the S-tag VID (S-VID) only. The S-tag is preserved while traffic is forwarded through the network service provider's infrastructure, and is later removed by an egress device.

Configuring Default VLAN Settings

When using factory default settings, the device automatically creates VLAN 1 as the default VLAN, the default interface status of all ports is Trunk, and all ports are configured as untagged members of the default VLAN. The default VLAN has the following characteristics:
• It is distinct, non-static/non-dynamic, and all ports are untagged members by default.
• It cannot be deleted.
• It cannot be given a label.

• Default VLAN ID After Reboot—Enter a new VLAN ID to replace the default VLAN ID after reboot.
STEP 3 Click Apply.
STEP 4 Click Save (in the upper-right corner of the window) and save the Running Configuration to the Startup Configuration. The Default VLAN ID After Reset becomes the Current Default VLAN ID after you reboot the device.

Creating VLANs

The page enables the creation of either a single VLAN or a range of VLANs.
STEP 3 To create a single VLAN, select the VLAN radio button, enter the VLAN ID (VID), and optionally the VLAN Name. To create a range of VLANs, select the Range radio button, and specify the range of VLANs to be created by entering the Starting VID and Ending VID, inclusive. When using the Range function, the maximum number of VLANs you can create at one time is 100.

Configuring VLAN Interface Settings

- Customer—Selecting this option places the interface in QinQ mode. This enables you to use your own VLAN arrangements (PVID) across the provider network. The device is in Q-in-Q mode when it has one or more customer ports. See QinQ.
• Administrative PVID—Enter the Port VLAN ID (PVID) of the VLAN to which incoming untagged and priority-tagged frames are classified. The possible values are 1 to 4094.

Defining VLAN Membership

Untagged port membership between two VLAN-aware devices with no intervening VLAN-aware devices must be to the same VLAN. In other words, the PVID on the ports between the two devices must be the same if the ports are to send and receive untagged packets to and from the VLAN. Otherwise, traffic might leak from one VLAN to another. Frames that are VLAN-tagged can pass through other network devices that are VLAN-aware or VLAN-unaware.
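The PVID rule above, as an added Python model (not Cisco's code) of 802.1Q ingress classification and egress tagging: a tagged frame keeps the VID from its tag, untagged and priority-tagged frames take the port's PVID, and an untagged member port strips the tag on the way out. The Port record, the frame layout helper and the two-switch mismatch scenario are constructed to show how a PVID mismatch moves traffic between VLANs while a tagged member port is unaffected.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

TPID = 0x8100  # 802.1Q tag protocol identifier, the TPID the guide cites


@dataclass
class Port:
    """Hypothetical port: Administrative PVID plus per-VLAN membership type
    ("tagged" or "untagged"), mirroring the Interface Settings and Port to VLAN pages."""
    name: str
    pvid: int
    membership: Dict[int, str] = field(default_factory=dict)


def build_frame(dst: str, src: str, vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a minimal Ethernet frame; vid=None means untagged,
    vid=0 means priority-tagged (PCP carried, no VLAN)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += TPID.to_bytes(2, "big") + tci.to_bytes(2, "big")
    return hdr + b"\x08\x00" + bytes(46)  # IPv4 EtherType plus padding


def is_tagged(frame: bytes) -> bool:
    return int.from_bytes(frame[12:14], "big") == TPID


def ingress_vlan(frame: bytes, port: Port) -> int:
    """Classify a received frame: a tagged frame takes the VID from its tag;
    untagged and priority-tagged (VID 0) frames go to the port's PVID."""
    if is_tagged(frame):
        vid = int.from_bytes(frame[14:16], "big") & 0x0FFF
        if vid != 0:
            return vid
    return port.pvid


def egress_frame(frame: bytes, vid: int, port: Port) -> Optional[bytes]:
    """Transmit a frame of VLAN `vid` on `port`: not a member -> dropped (None);
    untagged member -> tag stripped; tagged member -> tag present carrying `vid`."""
    kind = port.membership.get(vid)
    if kind is None:
        return None
    if kind == "untagged":
        return (frame[:12] + frame[16:]) if is_tagged(frame) else frame
    if is_tagged(frame):
        tci = (int.from_bytes(frame[14:16], "big") & 0xF000) | vid  # keep PCP/DEI
        return frame[:14] + tci.to_bytes(2, "big") + frame[16:]
    return frame[:12] + TPID.to_bytes(2, "big") + vid.to_bytes(2, "big") + frame[12:]


def vlan_after_link(frame: bytes, vid: int, a_egress: Port, b_ingress: Port) -> Optional[int]:
    """Forward a VLAN `vid` frame from switch A's port over a link to switch B's
    port and return the VLAN switch B classifies it into (None if A drops it)."""
    on_wire = egress_frame(frame, vid, a_egress)
    return None if on_wire is None else ingress_vlan(on_wire, b_ingress)


if __name__ == "__main__":
    # Constructed scenario: each side is an untagged member of its PVID VLAN and
    # a tagged member of VLAN 30; switch B's PVID does not match switch A's.
    a = Port("A gi1/1", pvid=10, membership={10: "untagged", 30: "tagged"})
    b_same = Port("B gi1/1", pvid=10, membership={10: "untagged", 30: "tagged"})
    b_other = Port("B gi1/1", pvid=20, membership={20: "untagged", 30: "tagged"})
    f10 = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", vid=10)
    f30 = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", vid=30, pcp=5)
    print("matching PVIDs   ->", vlan_after_link(f10, 10, a, b_same))   # 10
    print("mismatched PVIDs ->", vlan_after_link(f10, 10, a, b_other))  # 20: leak
    print("tagged VLAN 30   ->", vlan_after_link(f30, 30, a, b_other))  # 30: tag survives
```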
• Multicast TV VLAN—The interface used for Digital TV using Multicast IP. The port joins the VLAN with a VLAN tag of Multicast TV VLAN. See Access Port Multicast TV VLAN for more information.
• PVID—Select to set the PVID of the interface to the VID of the VLAN. PVID is a per-port setting.
STEP 4 Click Apply. The interfaces are assigned to the VLAN, and written to the Running Configuration file.

• LAG—If the selected interface is a Port, displays the LAG of which it is a member.
STEP 3 Select a port, and click the Join VLAN button.
STEP 4 Enter the values for the following fields:
• Interface—Select a Port or LAG. Select the Unit/Slot on a 500 Series device.
• Mode—Displays the port VLAN mode that was selected in the Interface Settings page.

GVRP Settings

When a port joins a VLAN by using GVRP, it is added to the VLAN as a dynamic member, unless this was expressly forbidden in the Port VLAN Membership page. If the VLAN does not exist, it is dynamically created when Dynamic VLAN creation is enabled for this port (in the GVRP Settings page). GVRP must be activated globally as well as on each port. When it is activated, it transmits and receives GARP Packet Data Units (GPDUs).

VLAN Groups

VLAN groups are used for load balancing of traffic on a Layer 2 network. Packets are assigned a VLAN according to various classifications that have been configured (such as VLAN groups). If several classification schemes are defined, packets are assigned to a VLAN in the following order:
• TAG: If the packet is tagged, the VLAN is taken from the tag.

SKU               System Mode              MAC-based VLAN Groups Supported
Sx500, ESW2-550X  Layer 2                  Yes
                  Layer 3                  No
SG500X            Native                   Yes
                  Basic Hybrid - Layer 2   Yes
                  Basic Hybrid - Layer 3   No
SG500XG           Same as Sx500            Yes

Workflow

To define a MAC-based VLAN group:
1. Assign a MAC address to a VLAN group ID (using the MAC-Based Groups page).
2. For each required interface:
a. Assign the VLAN group to a VLAN (using the MAC-Based Groups to VLAN page). The interfaces must be in General mode.
b.

• Length—Prefix of the MAC address
• Group ID—Enter a user-created VLAN group ID number.
STEP 4 Click Apply. The MAC address is assigned to a VLAN group.

Mapping VLAN Group to VLAN Per Interface

See Table 1 for a description of the availability of this feature. Ports/LAGs must be in General mode.
To assign a MAC-based VLAN group to a VLAN on an interface:
STEP 1 Click VLAN Management > VLAN Groups > MAC-Based Groups to VLAN.
STEP 2 Click Add.

1. Define a protocol group (using the Protocol-Based Groups page).
2. For each required interface, assign the protocol group to a VLAN (using the Protocol-Based Groups to VLAN page). The interfaces must be in General mode and cannot have a Dynamic VLAN (DVA) assigned to them.

Protocol-Based Groups

To define a set of protocols:
STEP 1 Click VLAN Management > VLAN Groups > Protocol-Based Groups.

Protocol-Based Groups to VLAN Mapping

To map a protocol group to a port, the port must be in General mode and not have DVA configured on it (see Configuring VLAN Interface Settings). Several groups can be bound to a single port, with each port being associated to its own VLAN. It is possible to map several groups to a single VLAN as well.
To map the protocol port to a VLAN:
STEP 1 Click VLAN Management > VLAN Groups > Protocol-Based Groups to VLAN.

Voice VLAN

Voice VLAN Overview

This section covers the following topics:
• Dynamic Voice VLAN Modes
• Auto Voice VLAN, Auto Smartports, CDP, and LLDP
• Voice VLAN QoS
• Voice VLAN Constraints
• Voice VLAN Workflows
The following are typical voice deployment scenarios with appropriate configurations:
• UC3xx/UC5xx hosted: All Cisco phones and VoIP endpoints support this deployment model.

The device supports a single voice VLAN. By default, the voice VLAN is VLAN 1. A different voice VLAN can be manually configured. It can also be dynamically learned when Auto Voice VLAN is enabled. Ports can be manually added to the voice VLAN by using the basic VLAN configuration described in the Configuring VLAN Interface Settings section, or by manually applying a voice-related Smartport macro to the ports.

Voice End-Points

To have a voice VLAN work properly, the voice devices, such as Cisco phones and VoIP endpoints, must be assigned to the voice VLAN where they send and receive their voice traffic. Some of the possible scenarios are as follows:
• A phone/endpoint may be statically configured with the voice VLAN.
• A phone/endpoint may obtain the voice VLAN in the boot file it downloads from a TFTP server.

NOTE The default configuration listed here applies to switches whose firmware version supports Auto Voice VLAN out of the box. It also applies to unconfigured switches that have been upgraded to a firmware version that supports Auto Voice VLAN.
NOTE The defaults and the voice VLAN triggers are designed to have no effect on any installations without a voice VLAN and on switches that have already been configured.

NOTE If the device is in Layer 2 system mode, it can synchronize only with VSDP-capable switches in the same management VLAN. If the device is in Layer 3 system mode, it can synchronize with VSDP-capable switches that are in the directly connected IP subnets configured on the device.

Voice VLAN Constraints

The following constraints exist:
• Only one Voice VLAN is supported.
• A VLAN that is defined as a Voice VLAN cannot be removed.
In addition, the following constraints apply to Telephony OUI:
• The Voice VLAN cannot be VLAN 1 (the default VLAN).
• The Voice VLAN cannot be Smartport enabled.
• The Voice VLAN cannot support DVA (Dynamic VLAN assignment).
• The Voice VLAN cannot be the Guest VLAN if the voice VLAN mode is OUI.

STEP 4 Select the Auto Voice VLAN Activation method.
NOTE If the device is currently in Telephony OUI mode, you must disable it before you can configure Auto Voice VLAN.
STEP 5 Click Apply.
STEP 6 Configure Smartports as described in the Common Smartport Tasks section.
STEP 7 Configure LLDP/CDP as described in the Configuring LLDP and Configuring CDP sections, respectively.

Configuring Voice VLAN Properties

Use the Voice VLAN Properties page for the following:
• View how the voice VLAN is currently configured.
• Configure the VLAN ID of the Voice VLAN.
• Configure voice VLAN QoS settings.
• Configure the voice VLAN mode (Telephony OUI or Auto Voice VLAN).
• Configure how Auto Voice VLAN is triggered.
To view and configure Voice VLAN properties:
STEP 1 Click VLAN Management > Voice VLAN > Properties.

- Enable Telephony OUI—Enable Dynamic Voice VLAN in Telephony OUI mode.
• Disable—Disable Auto Voice VLAN or Telephony OUI.
Auto Voice VLAN Activation—If Auto Voice VLAN was enabled, select one of the following options to activate Auto Voice VLAN:
- Immediate—Auto Voice VLAN on the device is to be activated and put into operation immediately if enabled.

• Source Type—Displays the type of source from which the voice VLAN is discovered by the root device.
• CoS/802.1p—Displays the CoS/802.1p values to be used by LLDP-MED as a voice network policy.
• DSCP—Displays the DSCP values to be used by LLDP-MED as a voice network policy.
• Root Switch MAC Address—The MAC address of the Auto Voice VLAN root device that discovers or is configured with the voice VLAN from which the voice VLAN is learned.

• Voice VLAN ID—The identifier of the current voice VLAN.
• CoS/802.1p—The advertised or configured CoS/802.1p values that are used by LLDP-MED as a voice network policy.
• DSCP—The advertised or configured DSCP values that are used by LLDP-MED as a voice network policy.
• Best Local Source—Displays whether this voice VLAN was used by the device.

To configure Telephony OUI and/or add a new Voice VLAN OUI:
STEP 1 Click VLAN Management > Voice VLAN > Telephony OUI.
The Telephony OUI page contains the following fields:
• Telephony OUI Operational Status—Displays whether OUIs are used to identify voice traffic.
• CoS/802.1p—Select the CoS queue to be assigned to voice traffic.
• Remark CoS/802.1p—Select whether to remark egress traffic.

Adding Interfaces to Voice VLAN on Basis of OUIs

The QoS attributes can be assigned per port to the voice packets in one of the following modes:
• All—Quality of Service (QoS) values configured for the Voice VLAN are applied to all of the incoming frames that are received on the interface and are classified to the Voice VLAN.

Access Port Multicast TV VLAN

Multicast TV VLANs enable Multicast transmissions to subscribers who are not on the same data VLAN (Layer 2-isolated), without replicating the Multicast transmission frames for each subscriber VLAN. Subscribers who are not on the same data VLAN (Layer 2-isolated) and are connected to the device with different VLAN ID membership can share the same Multicast stream by joining the ports to the same Multicast VLAN ID.

IGMP Snooping

Multicast TV VLAN relies on IGMP snooping, which means that:
• Subscribers use IGMP messages to join or leave a Multicast group.
• The device performs IGMP snooping and configures the access port according to its Multicast membership on the Multicast TV VLAN.

Receiver ports:
• Regular VLAN—The VLAN can be used to both send and receive traffic (both Multicast and Unicast).
• Multicast TV VLAN—The Multicast VLAN can only be used to receive traffic by the stations on the port (only Multicast).

Port Multicast VLAN Membership

To define the Multicast TV VLAN configuration:
STEP 1 Click VLAN Management > Access Port Multicast TV VLAN > Port Multicast VLAN Membership.
STEP 2 Select a VLAN from the Multicast TV VLAN field.
STEP 3 The Candidate Access Ports list contains all access ports configured on the device. Move the required ports from the Candidate Access Ports field to the Member Access Ports field.
STEP 4 Click Apply.

Customer Port Multicast TV VLAN

All packets from the subscriber to the service provider network are encapsulated by the access device with the subscriber's VLAN configured as customer VLAN (Outer tag or S-VID), except for IGMP snooping messages from the TV receivers, which are associated with the Multicast TV VLAN. VOD information that is also sent from the TV receivers is sent like any other type of traffic.

To map CPE VLANs:
STEP 1 Click VLAN Management > Customer Port Multicast TV VLAN > CPE VLAN to VLAN.
STEP 2 Click Add.
STEP 3 Enter the following fields:
• CPE VLAN—Enter the VLAN defined on the CPE box.
• Multicast TV VLAN—Select the Multicast TV VLAN which is mapped to the CPE VLAN.
STEP 4 Click Apply. CPE VLAN Mapping is modified, and written to the Running Configuration file.
14 Spanning Tree

This section describes the Spanning Tree Protocol (STP) (IEEE802.1D and IEEE802.

Configuring STP Status and Global Settings

The device supports the following Spanning Tree Protocol versions:
• Classic STP – Provides a single path between any two end stations, avoiding and eliminating loops.
• Rapid STP (RSTP) – Detects network topologies to provide faster convergence of the spanning tree. This is most effective when the network topology is naturally tree-structured, and therefore faster convergence might be possible. RSTP is enabled by default.

• BPDU Handling—Select how Bridge Protocol Data Unit (BPDU) packets are managed when STP is disabled on the port or the device. BPDUs are used to transmit spanning tree information.
- Filtering—Filters BPDU packets when Spanning Tree is disabled on an interface.
- Flooding—Floods BPDU packets when Spanning Tree is disabled on an interface.
• Path Cost Default Values—Selects the method used to assign default path costs to the STP ports.

• Topology Changes Counts—The total number of STP topology changes that have occurred.
• Last Topology Change—The time interval that has elapsed since the last topology change occurred. The time appears in a days/hours/minutes/seconds format.
STEP 3 Click Apply. The STP Global settings are written to the Running Configuration file.

Defining Spanning Tree Interface Settings

• Root Guard—Enables or disables Root Guard on the device. The Root Guard option provides a way to enforce the root bridge placement in the network. Root Guard ensures that the port on which this feature is enabled is the designated port. Normally, all root bridge ports are designated ports, unless two or more ports of the root bridge are connected.

- Blocking—The port is currently blocked, and cannot forward traffic (with the exception of BPDU data) or learn MAC addresses.
- Listening—The port is in Listening mode. The port cannot forward traffic, and cannot learn MAC addresses.
- Learning—The port is in Learning mode. The port cannot forward traffic, but it can learn new MAC addresses.
- Forwarding—The port is in Forwarding mode.

Configuring Rapid Spanning Tree Settings

To enter RSTP settings:
STEP 1 Click Spanning Tree > STP Status and Global Settings. Enable RSTP.
STEP 2 Click Spanning Tree > RSTP Interface Settings. The RSTP Interface Settings page appears:
STEP 3 Select a port.
NOTE Activate Protocol Migration is only available after selecting the port that is connected to the bridge partner being tested.

- Designated—The interface through which the bridge is connected to the LAN, which provides the lowest cost path from the LAN to the Root Bridge.
- Alternate—Provides an alternate path to the Root Bridge from the root interface.
- Backup—Provides a backup path to the designated port path toward the Spanning Tree leaves. This provides a configuration in which two ports are connected in a loop by a point-to-point link.
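Root Guard and the root/designated/alternate port roles above, as an added Python model (not Cisco's implementation): a simplified single-round STP role election in which a Root Guard port that hears a superior BPDU is held root-inconsistent instead of becoming the root port, so a bridge with a better priority on an access port cannot displace the intended root. Bridge IDs, path costs and the topology are constructed; timers, backup ports and RSTP proposal/agreement are left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Bridge ID = (priority, MAC); Python tuple ordering gives "lower wins".
BridgeID = Tuple[int, str]


@dataclass(frozen=True)
class BPDU:
    """The configuration BPDU fields that matter for role selection."""
    root_id: BridgeID
    root_path_cost: int
    sender_id: BridgeID
    sender_port: int


@dataclass
class Port:
    name: str
    port_id: int
    path_cost: int                  # cost of the link attached to this port
    root_guard: bool = False        # Root Guard from the STP Interface Settings page
    received: Optional[BPDU] = None  # best BPDU heard on this port, if any


def assign_roles(my_id: BridgeID, ports: List[Port]) -> Dict[str, str]:
    """Role per port name: 'root', 'designated', 'alternate' or
    'root-inconsistent' (a Root Guard port that heard a superior BPDU)."""
    excluded = set()
    while True:
        # This bridge's own vector: itself as root at cost 0.
        best = ((my_id, 0, my_id, 0), None)
        for p in ports:
            if p.received is None or p.name in excluded:
                continue
            b = p.received
            vec = (b.root_id, b.root_path_cost + p.path_cost, b.sender_id, b.sender_port)
            if vec < best[0]:
                best = (vec, p)
        root_vec, root_port = best
        # Root Guard: the port that would become root port is blocked instead,
        # and the election is repeated without it.
        if root_port is not None and root_port.root_guard:
            excluded.add(root_port.name)
            continue
        break

    root_id, my_root_cost = root_vec[0], root_vec[1]
    roles: Dict[str, str] = {}
    for p in ports:
        if p.name in excluded:
            roles[p.name] = "root-inconsistent"
        elif p is root_port:
            roles[p.name] = "root"
        elif p.received is None:
            roles[p.name] = "designated"      # nothing better heard on the segment
        else:
            mine = (root_id, my_root_cost, my_id, p.port_id)
            b = p.received
            theirs = (b.root_id, b.root_path_cost, b.sender_id, b.sender_port)
            roles[p.name] = "designated" if mine < theirs else "alternate"
    return roles


def rogue_root_scenario(root_guard_on_access: bool) -> Dict[str, str]:
    """Constructed topology: gi1 uplinks to the intended root, gi2 to a peer
    switch, gi3 is an access port where a device advertises priority 0."""
    me = (32768, "00:00:00:00:00:b2")
    real_root = (4096, "00:00:00:00:00:a1")
    peer = (32768, "00:00:00:00:00:c3")
    rogue = (0, "00:00:00:00:00:ee")
    ports = [
        Port("gi1", 1, 20000, received=BPDU(real_root, 0, real_root, 1)),
        Port("gi2", 2, 20000, received=BPDU(real_root, 20000, peer, 1)),
        Port("gi3", 3, 20000, root_guard=root_guard_on_access,
             received=BPDU(rogue, 0, rogue, 1)),
        Port("gi4", 4, 20000),  # host port, no BPDUs heard
    ]
    return assign_roles(me, ports)


if __name__ == "__main__":
    print("without Root Guard:", rogue_root_scenario(False))
    print("with Root Guard:   ", rogue_root_scenario(True))
```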
Multiple Spanning Tree

Multiple Spanning Tree Protocol (MSTP) is used to separate the STP port state between various domains (on different VLANs). For example, while port A is blocked in one STP instance due to a loop on VLAN A, the same port can be placed in the Forwarding State in another STP instance. The MSTP Properties page enables you to define the global MSTP settings. To configure MSTP:
1.

Switches intended to be in the same MST region are never separated by switches from another MST region. If they are separated, the region becomes two separate regions. This mapping can be done in the VLAN to MST Instance page. Use this page if the system operates in MSTP mode.
To define MSTP:
STEP 1 Click Spanning Tree > STP Status and Global Settings. Enable MSTP.
STEP 2 Click Spanning Tree > MSTP Properties.
STEP 3 Enter the parameters.

Mapping VLANs to a MSTP Instance

For those VLANs that are not explicitly mapped to one of the MST instances, the device automatically maps them to the CIST (Common and Internal Spanning Tree) instance. The CIST instance is MST instance 0.
To map VLANs to MST Instances:
STEP 1 Click Spanning Tree > VLAN to MSTP Instance. The VLAN to MSTP Instance page contains the following fields:
• MST Instance ID—All MST instances are displayed.

Defining MSTP Instance Settings

• Included VLAN—Displays the VLANs mapped to the selected instance. The default mapping is that all VLANs are mapped to the common and internal spanning tree (CIST) instance 0.
• Bridge Priority—Set the priority of this bridge for the selected MST instance.
• Designated Root Bridge ID—Displays the priority and MAC address of the Root Bridge for the MST instance.
• Root Port—Displays the root port of the selected instance.

Defining MSTP Interface Settings

STEP 5 Enter the parameters.
• Instance ID—Select the MST instance to be configured.
• Interface—Select the interface for which the MSTI settings are to be defined.
• Interface Priority—Set the port priority for the specified interface and MST instance.
• Path Cost—Enter the port contribution to the root path cost in the User Defined textbox or select Use Default to use the default value.

- Backup—The interface provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur when two ports are connected in a loop by a point-to-point link. Backup ports also occur when a LAN has two or more established connections to a shared segment.
- Disabled—The interface does not participate in the Spanning Tree.
- Boundary—The port on this instance is a boundary port.
15 Managing MAC Address Tables

This section describes how to add MAC addresses to the system. It covers the following topics:
• Configuring Static MAC Addresses
• Managing Dynamic MAC Addresses
• Defining Reserved MAC Addresses

Types of MAC Addresses

There are two types of MAC addresses—static and dynamic. Depending on their type, MAC addresses are either stored in the Static Address table or in the Dynamic Address table, along with VLAN and port information.

Configuring Static MAC Addresses

Static MAC addresses are assigned to a specific physical interface and VLAN on the device. If that address is detected on another interface, it is ignored, and is not written to the address table.
To define a static address:
STEP 1 Click MAC Address Tables > Static Addresses. The Static Addresses page contains the currently defined static addresses.
STEP 2 Click Add.
STEP 3 Enter the parameters.

Managing Dynamic MAC Addresses

The Dynamic Address Table (bridging table) contains the MAC addresses acquired by monitoring the source addresses of frames entering the device. To prevent this table from overflowing and to make room for new MAC addresses, an address is deleted if no corresponding traffic is received for a certain period. This period of time is the aging interval.

Defining Reserved MAC Addresses

When the device receives a frame with a Destination MAC address that belongs to a reserved range (per the IEEE standard), the frame can be discarded or bridged. The entry in the Reserved MAC Address Table can either specify the reserved MAC address or the reserved MAC address and a frame type:
To add an entry for a reserved MAC address:
STEP 1 Click MAC Address Tables > Reserved MAC Addresses.
16 Multicast This section describes the Multicast Forwarding feature, and covers the following topics: • Multicast Forwarding • Defining Multicast Properties • Adding MAC Group Address • Adding IP Multicast Group Addresses • Configuring IGMP Snooping • MLD Snooping • Querying IGMP/MLD IP Multicast Group • Defining Multicast Router Ports • Defining Forward All Multicast • Defining Unregistered Multicast Settings Multicast Forwarding Multicast forwarding enables one-to-many information di
16 Multicast Multicast Forwarding For Multicast forwarding to work across IP subnets, nodes, and routers must be Multicast-capable. A Multicast-capable node must be able to: • Send and receive Multicast packets. • Register the Multicast addresses being listened to by the node with local routers, so that local and remote routers can route the Multicast packet to the nodes.
16 Multicast Multicast Forwarding The device can forward Multicast streams based on one of the following options: • Multicast MAC Group Address • IP Multicast Group Address (G) • A combination of the source IP address (S) and the destination IP Multicast Group Address (G) of the Multicast packet. One of these options can be configured per VLAN. The system maintains lists of Multicast groups for each VLAN, and this manages the Multicast information that each port should receive.
16 Multicast Defining Multicast Properties If the device is enabled as an IGMP Querier, it starts after 60 seconds have passed with no IGMP traffic (queries) detected from a Multicast router. In the presence of other IGMP Queriers, the device might (or might not) stop sending queries, based on the results of the standard querier selection process. Multicast Address Properties Multicast addresses have the following properties: • Each IPv4 Multicast address is in the address range 224.0.0.0 to 239.255.
16 Multicast Defining Multicast Properties A common way of representing Multicast membership is the (S,G) notation where S is the (single) source sending a Multicast stream of data, and G is the IPv4 or IPv6 group address. If a Multicast client can receive Multicast traffic from any source of a specific Multicast group, this is saved as (*,G). The following are ways of forwarding Multicast frames: • MAC Group Address—Based on the destination MAC address in the Ethernet frame.
STEP 3 Click Apply. The Running Configuration file is updated.

Adding MAC Group Address

The device supports forwarding incoming Multicast traffic based on the Multicast group information. This information is derived from the IGMP/MLD packets received or as the result of manual configuration, and it is stored in the Multicast Forwarding Database (MFDB).
Entries that were created both in this page and in the IP Multicast Group Address page are displayed. For those created in the IP Multicast Group Address page, the IP addresses are converted to MAC addresses.
STEP 4 Click Add to add a static MAC Group Address.
STEP 5 Enter the parameters.
• VLAN ID—Defines the VLAN ID of the new Multicast group.
• MAC Group Address—Defines the MAC address of the new Multicast group.
Adding IP Multicast Group Addresses

The IP Multicast Group Address page is similar to the MAC Group Address page, except that Multicast groups are identified by IP addresses. The IP Multicast Group Address page enables querying and adding IP Multicast groups. To define and view IP Multicast groups:
STEP 1 Click Multicast > IP Multicast Group Address. The page contains all of the IP Multicast group addresses learned by snooping.
• Source Specific—Indicates that the entry contains a specific source, and adds the address in the IP Source Address field. If not, the entry is added as a (*,G) entry, an IP group address from any IP source.
• Source IP Address—Defines the source address to be included.
STEP 7 Click Apply. The IP Multicast group is added, and the device is updated.
STEP 8 To configure and display the registration of an IP group address, select an address and click Details.
When IGMP Snooping is enabled globally or on a VLAN, all IGMP packets are forwarded to the CPU. The CPU analyzes the incoming packets, and determines the following:
• Which ports are asking to join which Multicast groups on what VLAN.
• Which ports are connected to Multicast routers (Mrouters) that are generating IGMP queries.
• Which ports are receiving PIM, DVMRP, or IGMP query protocols.
These are displayed on the IGMP Snooping page.
There can be only one IGMP Querier in a network. The device supports standards-based IGMP Querier election. Some of the values of the operational parameters of this table are sent by the elected querier. The other values are derived from the device.
STEP 4 Enter the parameters.
• VLAN ID—Select the VLAN ID on which IGMP snooping is defined.
• IGMP Snooping Status—Enable or disable the monitoring of network traffic for the selected VLAN.
• Operational Last Member Query Interval—Displays the Last Member Query Interval sent by the elected querier.
• Immediate Leave—Enable Immediate Leave to decrease the time it takes to block a Multicast stream sent to a member port when an IGMP Group Leave message is received on that port.
• IGMP Querier Status—Enable or disable the IGMP Querier.
• Administrative Querier Source IP Address—Select the source IP address of the IGMP Querier.
In an approach similar to IGMP snooping, MLD frames are snooped as they are forwarded by the device from stations to an upstream Multicast router and vice versa.
• Operational Query Robustness—Displays the robustness variable sent by the elected querier.
• Query Interval—Enter the Query Interval value to be used by the device if the device cannot derive the value from the messages sent by the elected querier.
• Operational Query Interval—The time interval in seconds between General Queries received from the elected querier.
There might be a difference between information on this page and, for example, information displayed in the MAC Group Address page. Assume that the system is in MAC-based groups mode and a port requested to join the Multicast groups 224.1.1.1 and 225.1.1.1; both are mapped to the same MAC Multicast address 01:00:5e:01:01:01. In this case, there is a single entry in the MAC Multicast page, but two entries on this page.
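The collapse described above, as an added example (not code from the Cisco guide): the IPv4-group-to-MAC mapping that the MAC Group Address page applies, run on the two groups quoted in the text, plus the full set of 32 groups that share one MAC entry. The function names and the VLAN ID in the sample table are assumptions.

```python
"""Map IPv4 Multicast group addresses to Ethernet Multicast MAC addresses
and show why distinct (*,G) entries can collapse into a single MAC entry.

Added example, not code from the Cisco guide. The 01:00:5e prefix and the
23-bit mapping follow RFC 1112; the sample groups 224.1.1.1 and 225.1.1.1
are the ones quoted in the guide.
"""
import ipaddress

MAC_MULTICAST_OUI = 0x01005E  # IANA prefix reserved for IPv4 Multicast MACs


def ipv4_group_to_mac(group: str) -> str:
    """Return the 48-bit MAC that Ethernet uses for an IPv4 Multicast group.

    Only the low-order 23 bits of the group address survive; the 5 bits
    following the 1110 class-D prefix are dropped, so 32 different IPv4
    groups share each MAC address.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 Multicast address")
    low23 = int(addr) & 0x7FFFFF
    mac = (MAC_MULTICAST_OUI << 24) | low23
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_aliases(group: str) -> list:
    """All 32 IPv4 Multicast groups that map to the same MAC as `group`.

    The ambiguous bits are address bits 23..27 (the bits between the
    class-D prefix and the 23 bits copied into the MAC).
    """
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]


def mac_group_table(vlan_id: int, ip_groups) -> dict:
    """Collapse (*,G) IP group entries into MAC-based entries, the way the
    MAC Group Address page presents entries created on the IP Multicast
    Group Address page. Keys are (VLAN, MAC); values list the IP groups."""
    table = {}
    for g in ip_groups:
        key = (vlan_id, ipv4_group_to_mac(g))
        table.setdefault(key, []).append(g)
    return table


if __name__ == "__main__":
    groups = ["224.1.1.1", "225.1.1.1", "239.255.255.250"]  # constructed sample
    for g in groups:
        print(f"{g:>16} -> {ipv4_group_to_mac(g)}")
    # VLAN 10 is an assumed sample value.
    for (vlan, mac), members in mac_group_table(10, groups).items():
        print(f"VLAN {vlan} {mac}: {members}")
```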
To statically configure or see dynamically-detected ports connected to the Multicast router:
STEP 1 Click Multicast > Multicast Router Port.
STEP 2 Enter some or all of the following query filter criteria:
• VLAN ID equals to—Select the VLAN ID for the router ports that are described.
• IP Version equals to—Select the IP version that the Multicast router supports.
• Interface Type equals to—Select whether to display ports or LAGs.
STEP 3 Click Go.
IGMP or MLD messages are not forwarded to ports defined as Forward All.
NOTE The configuration affects only the ports that are members of the selected VLAN.
To define Forward All Multicast:
STEP 1 Click Multicast > Forward All.
STEP 2 Define the following:
• VLAN ID equals to—The VLAN ID for which the ports/LAGs are to be displayed.
• Interface Type equals to—Define whether to display ports or LAGs.
STEP 3 Click Go.
You can select a port to receive or filter unregistered Multicast streams. The configuration is valid for any VLAN of which it is a member (or will be a member). This feature ensures that the customer receives only the Multicast groups requested and not others that may be transmitted in the network. To define unregistered Multicast settings:
STEP 1 Click Multicast > Unregistered Multicast.
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
17 IP Configuration

IP interface addresses can be configured manually by the user, or automatically configured by a DHCP server. This section provides information for defining the device IP addresses, either manually or by making the device a DHCP client.
retains much of the Layer 2 functionality, such as Spanning Tree Protocol and VLAN membership.
• In Layer 3 system mode on Sx500 devices only, the device does not support MAC-based VLAN, Dynamic VLAN Assignment, VLAN Rate Limit, SYN Rate DoS Protection, and Advanced QoS Policers.
When a VLAN is configured to use dynamic IPv4 addresses, the device issues DHCPv4 requests until it is assigned an IPv4 address from a DHCPv4 server. In Layer 2 system mode, only the management VLAN can be configured with a static or dynamic IP address. In Layer 3 system mode, all the interface types (ports, LAGs, and/or VLANs) on the device can be configured with a static or dynamic IP address.
All the IP addresses configured or assigned to the device are referred to as Management IP addresses in this guide. If the pages for Layer 2 and Layer 3 are different, both versions are displayed.

Loopback Interface Overview

The loopback interface is a virtual interface whose operational state is always up.
To configure an IPv6 loopback interface, do the following:
• In Layer 2, add a loopback interface in the Administration > Management Interface > IPv6 Interfaces page. Configure the IPv6 address of that interface in the Administration > Management Interface > IPv6 Addresses page. This page is not available in SG500X, ESW2-550X and SG500XG devices.
- Static—Manually define a static IP address.
NOTE DHCP Option 12 (Host Name option) is supported when the device is a DHCP client. If DHCP Option 12 is received from a DHCP server, it is saved as the server’s host name. DHCP option 12 will not be requested by the device. The DHCP server must be configured to send option 12, regardless of what is requested, in order to make use of this feature.
• Auto Configuration via DHCP—Displays the status of the Auto Configuration feature. You can configure this from Administration > File Management > DHCP Auto Configuration.
STEP 3 Click Apply. The IPv4 interface settings are written to the Running Configuration file.

Defining IPv4 Interface in Layer 3 System Mode

The IPv4 Interface page is used when the device is in Layer 3 system mode.
• Mask—Configured IP address mask.
• Status—Results of the IP address duplication check.
- Tentative—There is no final result for the IP address duplication check.
- Valid—The IP address collision check was completed, and no IP address collision was detected.
- Valid-Duplicated—The IP address duplication check was completed, and a duplicate IP address was detected.
- Duplicated—A duplicated IP address was detected for the default IP address.
CAUTION When the system is in one of the stacking modes with a Backup Master present, it is recommended to configure the IP address as a static address to prevent disconnecting from the network during a Stacking Master switchover. This is because, when DHCP is used, the backup master that takes control of the stack might receive a different IP address than the one that was received by the stack’s original master-enabled unit.
NOTE You cannot configure a static route through a directly-connected IP subnet where the device gets its IP address from a DHCP server.
• Metric—Enter the administrative distance to the next hop. The range is 1–255.
STEP 4 Click Apply. The IP Static route is saved to the Running Configuration file.

RIPv2

See IP Configuration: RIPv2.

Access List

See Access Lists.
• ARP Entry Age Out—Enter the number of seconds that dynamic addresses can remain in the ARP table. A dynamic address ages out after the time it has been in the table exceeds the ARP Entry Age Out time. When a dynamic address ages out, it is deleted from the table, and only returns when it is relearned.
• Clear ARP Table Entries—Select the type of ARP entries to be cleared from the system.
- All—Deletes all of the static and dynamic addresses immediately.
• MAC Address—Enter the MAC address of the local device.
STEP 6 Click Apply. The ARP entry is saved to the Running Configuration file.

ARP Proxy

The Proxy ARP technique is used by the device on a given IP subnet to answer ARP queries for a network address that is not on that network.
NOTE The ARP proxy feature is only available when the device is in L3 mode.
The ARP Proxy is aware of the destination of traffic, and offers another MAC address in reply.
UDP Relay/IP Helper

The UDP Relay/IP Helper feature is only available when the device is in Layer 3 system mode. Switches do not typically route IP Broadcast packets between IP subnets. However, this feature enables the device to relay specific UDP Broadcast packets, received on its IPv4 interfaces, to specific destination IP addresses.
An untrusted port is a port that is not allowed to assign DHCP addresses. By default, all ports are considered untrusted until you declare them trusted (in the DHCP Snooping Interface Settings page).

DHCPv4 Relay

DHCP Relay relays DHCP packets to the DHCP server.

DHCPv4 in Layer 2 and Layer 3

In Layer 2 system mode, the device relays DHCP messages received from VLANs on which DHCP Relay has been enabled.
• DHCP Insertion—Add Option 82 information to packets that do not have foreign Option 82 information.
• DHCP Passthrough—Forward or reject DHCP packets that contain Option 82 information from untrusted ports. On trusted ports, DHCP packets containing Option 82 information are always forwarded.
Option 82 Insertion Disabled Option 82 Insertion Enabled DHCP Relay DHCP Relay VLAN with IP Address VLAN without IP Address Packet is sent without Option 82 Packet is sent with the original Option 82 Relay – inserts Option 82 Relay – discards the packet Bridge – no Option 82 is inserted Bridge – Packet is sent with the original Option 82 Packet is sent with the original Option 82 Relay – is sent with Option 82 Relay – discards the packet Br
Option 82 Insertion Enabled DHCP Relay DHCP Relay VLAN with IP Address VLAN without IP Address Relay – is sent with Option 82 Bridge – Option 82 is added Packet is sent with the original Option 82 (if port is trusted, behaves as if DHCP Snooping is not enabled) Relay – is sent with Option 82 Bridge – Option 82 is inserted (if port is trusted, behaves as if DHCP Snooping is not enabled) Relay – discards the packet Bridge – Packet is sent with the
Option 82 insertion disabled DHCP Relay DHCP Relay VLAN with IP Address VLAN without IP Address Packet is sent without Option 82 Relay – discards Option 82 Packet is sent with the original Option 82 Bridge – Packet is sent without Option 82 Relay – 1. If reply originates in device, packet is sent without Option 82 2.
The following describes how DHCP reply packets are handled when both DHCP Snooping and DHCP Relay are enabled:
Option 82 Insertion Disabled DHCP Relay DHCP Relay VLAN with IP Address VLAN without IP Address Packet arrives without Option 82 Packet arrives with Option 82 Packet arrives without Option 82 Packet arrives with Option 82 Packet is sent without Option 82 Packet is sent with the original Option 82 Relay discards Option 82 Relay Bridge
The DHCP Snooping Binding database is also used by the IP Source Guard and Dynamic ARP Inspection features to determine legitimate packet sources.

DHCP Trusted Ports

Ports can be either DHCP trusted or untrusted. By default, all ports are untrusted. To configure a port as trusted, use the DHCP Snooping Interface Settings page. Packets from these ports are automatically forwarded.
STEP 6 Device forwards DHCPOFFER, DHCPACK, or DHCPNAK.
The following summarizes how DHCP packets are handled from both trusted and untrusted ports. The DHCP Snooping Binding database is stored in non-volatile memory.

DHCP Snooping Packet Handling

Packet Type     Arriving from Untrusted Ingress Interface   Arriving from Trusted Ingress Interface
DHCPDISCOVER    Forward to trusted interfaces only.         Forwarded to trusted interfaces only.
DHCPOFFER       Filter.
Packet Type     Arriving from Untrusted Ingress Interface   Arriving from Trusted Ingress Interface
DHCPRELEASE     Same as DHCPDECLINE.                        Same as DHCPDECLINE.
DHCPINFORM      Forward to trusted interfaces only.         Forward to trusted interfaces only.
DHCPLEASEQUERY  Filtered.                                   Forward.
STEP 1 Enable DHCP Snooping and/or DHCP Relay in the IP Configuration > DHCP > Properties page or in the Security > DHCP Snooping > Properties page.
STEP 2 Define the interfaces on which DHCP Snooping is enabled in the IP Configuration > DHCP > Interface Settings page.
STEP 3 Configure interfaces as trusted or untrusted in the IP Configuration > DHCP > DHCP Snooping Interface page.
STEP 4 Optional.
STEP 2 Click Apply. The settings are written to the Running Configuration file.
STEP 3 To define a DHCP server, click Add.
STEP 4 Enter the IP address of the DHCP server and click Apply. The settings are written to the Running Configuration file.

Interface Settings

In Layer 2, DHCP Relay and Snooping can only be enabled on VLANs with IP addresses.
DHCP Snooping Binding Database

See How the DHCP Snooping Binding Database is Built for a description of how dynamic entries are added to the DHCP Snooping Binding database. Note the following points about maintenance of the DHCP Snooping Binding database:
• The device does not update the DHCP Snooping Binding database when a station moves to another interface.
• If a port is down, the entries for that port are not deleted.
STEP 3 Enter the fields:
• VLAN ID—VLAN on which the packet is expected.
• MAC Address—MAC address of the packet.
• IP Address—IP address of the packet.
• Interface—Unit/Slot/Interface on which the packet is expected.
• Type—The possible field values are:
- Dynamic—Entry has limited lease time.
- Static—Entry was statically configured.
• Lease Time—If the entry is dynamic, enter the amount of time that the entry is to be active in the DHCP Database.
Dependencies Between Features

• It is impossible to configure DHCP server and DHCP client on the system at the same time, meaning: if one interface is DHCP client enabled, it is impossible to enable DHCP server globally.
• If DHCPv4 Relay is enabled, the device cannot be configured as a DHCP server.

Default Settings and Configurations

• The device is not configured as a DHCPv4 server by default.
DHCPv4 Server

To configure the device as a DHCPv4 server:
STEP 1 Click IP Configuration > IPv4 Management and Interfaces > DHCP Server > Properties to display the Properties page.
STEP 2 Select Enable to configure the device as a DHCP server.
STEP 3 Click Apply. The device immediately begins functioning as a DHCP server. However, it does not assign IP addresses to clients until a pool is created.
• Mask—Enter one of the following:
- Network Mask—Check and enter the pool’s network mask.
- Prefix Length—Check and enter the number of bits that comprise the address prefix.
• Address Pool Start—Enter the first IP address in the range of the network pool.
• Address Pool End—Enter the last IP address in the range of the network pool.
• Lease Duration—Enter the amount of time a DHCP client can use an IP address from this pool.
- Mixed—A combination of b-node and p-node communications is used to register and resolve NetBIOS names. M-node first uses b-node; then, if necessary, p-node. M-node is typically not the best choice for larger networks because its preference for b-node Broadcasts increases network traffic.
- Peer-to-Peer—Point-to-point communications with a NetBIOS name server are used to register and resolve computer names to IP addresses.
To manually allocate a permanent IP address to a specific client:
STEP 1 Click IP Configuration > IPv4 Management and Interfaces > DHCP Server > Static Hosts to display the Static Hosts page. The static hosts are displayed.
STEP 2 To add a static host, click Add, and enter the fields:
• IP Address—Enter the IP address that was statically assigned to the host.
• Host Name—Enter the host name, which can be a string of symbols and an integer.
- Hybrid—A hybrid combination of b-node and p-node is used. When configured to use h-node, a computer always tries p-node first and uses b-node only if p-node fails. This is the default.
- Mixed—A combination of b-node and p-node communications is used to register and resolve NetBIOS names. M-node first uses b-node; then, if necessary, p-node.
To configure one or more DHCP options:
STEP 1 Click IP Configuration > IPv4 Management and Interfaces > DHCP Server > DHCP Options. The previously-configured DHCP options are displayed.
STEP 2 To configure an option that has not been configured yet, enter the field:
• DHCP Server Pool Name—Select one of the pools of network addresses defined in the Network Pools page.
STEP 3 Click Add and enter the fields:
• Code—Enter the DHCP option code.
Address Binding

Use the Address Binding page to view and remove the IP addresses allocated by the device and their corresponding MAC addresses. To view and/or remove address bindings:
STEP 1 Click IP Configuration > IPv4 Management and Interfaces > DHCP Server > Address Binding to display the Address Binding page. The following fields for the address bindings are displayed:
• IP Address—The IP addresses of the DHCP clients.
IPv6 Management and Interfaces

The Internet Protocol version 6 (IPv6) is a network-layer protocol for packet-switched internetworks. IPv6 was designed to replace IPv4, the predominantly deployed Internet protocol. IPv6 introduces greater flexibility in assigning IP addresses, because the address size increases from 32-bit to 128-bit addresses.
• Directly-attached, meaning that the destination is directly attached to an interface on the device, so that the packet destination (which is the interface) is used as the next-hop address.
• Recursive, where only the next-hop is specified, and the outgoing interface is derived from the next-hop.
In the same manner, the MAC addresses of the next-hop devices (including directly-attached end-systems) are automatically derived using Network Discovery.
- Link-Layer—(Default). If you select this option, the MAC address of the device is used.
- Enterprise Number—If you select this option, enter the following fields.
• Enterprise Number—The vendor’s registered Private Enterprise number as maintained by IANA.
• Identifier—The vendor-defined hex string (up to 64 hex characters). If the number of characters is not even, a zero is added at the right.
• Tunnel Type—(Not present for Sx500) If the IPv6 interface is a tunnel, select its type: Manual or ISATAP (see IPv6 Tunnel).
STEP 5 To configure the interface as a DHCPv6 client, meaning to enable the interface to receive information from the DHCPv6 server, such as SNTP configuration and DNS information, enter the DHCPv6 Client fields:
• Stateless—Select to enable the interface as a stateless DHCPv6 client.
STEP 7 Click Apply to enable IPv6 processing on the selected interface. Regular IPv6 interfaces have the following addresses automatically configured:
• Link local address using EUI-64 format interface ID based on a device’s MAC address
• All node link local Multicast addresses (FF02::1)
• Solicited-Node Multicast address (format FF02::1:FFXX:XXXX)
STEP 8 Click IPv6 Address Table to manually assign IPv6 addresses to the interface, if required.
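To make the three auto-configured addresses in STEP 7 concrete, here is an added example (not code from the Cisco guide) that derives the EUI-64 link-local address and the solicited-node group from a constructed MAC address, and lists the groups an interface listens on before any manual address is added. The function names and the sample MAC are assumptions.

```python
"""Derive the addresses an IPv6 interface configures automatically:
the EUI-64 link-local address built from the interface MAC, the
all-nodes group FF02::1, and the solicited-node group FF02::1:FFXX:XXXX
for each unicast address.

Added example, not code from the Cisco guide; the sample MAC address
00:11:22:33:44:55 is constructed for illustration.
"""
import ipaddress

ALL_NODES_LINK_LOCAL = ipaddress.IPv6Address("ff02::1")


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A): split the 48-bit
    MAC, insert FF:FE in the middle, and flip the universal/local bit
    (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui64, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix followed by the modified EUI-64 interface ID."""
    return ipaddress.IPv6Address((0xFE80 << 112) | mac_to_eui64_iid(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX, where XX:XXXX are the low 24 bits of the unicast
    address. Neighbor Discovery joins this group for every configured
    address so that Neighbor Solicitations need not be sent to all nodes."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24)


def auto_configured(mac: str, extra_unicast=()) -> dict:
    """Link-local address plus the Multicast groups the interface listens on:
    all-nodes, the solicited-node group of the link-local address, and the
    solicited-node group of each additional unicast address supplied."""
    ll = link_local_from_mac(mac)
    groups = {ALL_NODES_LINK_LOCAL, solicited_node(str(ll))}
    for a in extra_unicast:
        groups.add(solicited_node(a))
    return {"link_local": ll, "multicast_groups": sorted(str(g) for g in groups)}


if __name__ == "__main__":
    # Constructed sample: interface MAC plus one manually assigned global address.
    result = auto_configured("00:11:22:33:44:55", ["2001:db8::1"])
    print("link-local:", result["link_local"])
    for g in result["multicast_groups"]:
        print("listens on:", g)
```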
• Remaining Information Refresh Time—Remaining time until next refresh.
• DNS Servers—List of DNS servers received from the DHCPv6 server.
• DNS Domain Search List—List of domains received from the DHCPv6 server.
• SNTP Servers—List of SNTP servers received from the DHCPv6 server.
• POSIX Timezone String—Timezone received from the DHCPv6 server.
• Configuration Server—Server containing configuration file received from the DHCPv6 server.
record is not resolved, ISATAP host name-to-address mapping is searched in the host mapping table.
• When the ISATAP router IPv4 address is not resolved via the DNS process, the ISATAP IP interface remains active. The system does not have a default router for ISATAP traffic until the DNS process is resolved.

Manual Tunnel

This is a point-to-point definition.
STEP 6 Enter the following fields:
• Type—Displays the tunnel type: Manual or ISATAP.
• Tunnel State—Select to enable the tunnel.
• Link Status SNMP Traps—Select to enable generating a trap when the link status of a port is changed.
• ISATAP Router Name—(For ISATAP tunnels only) Select one of the following options to configure a global string that represents a specific automatic tunnel router domain name.
- Use Default—This is always ISATAP.
- User Defined—Enter the router’s domain name.
STEP 7 Click Apply. The tunnel is saved to the Running Configuration file.
- Anycast—(Layer 3 only) The IPv6 address is an Anycast address. This is an address that is assigned to a set of interfaces that typically belong to different nodes. A packet sent to an Anycast address is delivered to the closest interface—as defined by the routing protocols in use—identified by the Anycast address.
NOTE Anycast cannot be used if the IPv6 address is on an ISATAP interface.
• Suppress Router Advertisement—Select Yes to suppress IPv6 router advertisement transmissions on the interface. If this feature is not suppressed, enter the following fields.
• Router Preference—Select either Low, Medium or High preference for the router. Router advertisement messages are sent with the preference configured in this field. If no preference is configured, they are sent with a medium preference.
The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime if you configure the route as a default router by using this command. To prevent synchronization with other IPv6 nodes, the actual interval used is randomly selected from a value between the minimum and maximum values.
• Prefix Advertisement—Select to advertise this prefix.
• Valid Lifetime—Remaining length of time, in seconds, that this prefix will continue to be valid, i.e., time until invalidation. The address generated from an invalidated prefix should not appear as the destination or source address of a packet.
• Prefix-Length—The length of the IPv6 prefix.
- Offlink—Configures the specified prefix as offlink. The prefix will be advertised with the L-bit clear. The prefix will not be inserted into the routing table as a connected prefix. If the prefix is already present in the routing table as a connected prefix (for example, because the prefix was also configured by adding an IPv6 address), it will be removed.
STEP 6 Click Apply to save the configuration to the Running Configuration file.
• Metric—Cost of this hop.
STEP 2 Click Add to add a static default router.
STEP 3 Enter the following fields:
• Next Hop—The IP address of the next destination to which the packet is sent. This is composed of the following:
- Global—An IPv6 address that is a global Unicast IPv6 type that is visible and reachable from other networks.
- Link Local—An IPv6 interface and IPv6 address that uniquely identifies hosts on a single network link.
To define IPv6 neighbors:
STEP 1 In Layer 2 system mode, click Administration > Management Interface > IPv6 Neighbors. In Layer 3 system mode, click IP Configuration > IPv6 Management and Interfaces > IPv6 Neighbors.
You can select a Clear Table option to clear some or all of the IPv6 addresses in the IPv6 Neighbors Table.
• Static Only—Deletes the static IPv6 address entries.
• Dynamic Only—Deletes the dynamic IPv6 address entries.
STEP 3 Enter values for the following fields:
• Interface—The neighboring IPv6 interface to be added.
• IPv6 Address—Enter the IPv6 network address assigned to the interface. The address must be a valid IPv6 address.
• MAC Address—Enter the MAC address mapped to the specified IPv6 address.
STEP 4 Click Apply. The Running Configuration file is updated.
To create a prefix list:
STEP 1 (In Layer 3) Click IP Configuration > IPv6 Management Interfaces > IPv6 Prefix List.
-or-
(In Layer 2) Click Administration > IPv6 Management Interfaces > IPv6 Prefix List.
STEP 2 Click Add.
STEP 3 Enter the following fields:
• List Name—Select one of the following options:
- Use Existing List—Select a previously-defined list to add a prefix to it.
- Create New List—Enter a name to create a new list.
• Lower Than—Maximum prefix length to be used for matching. Select one of the following options:
- No Limit—No maximum prefix length to be used for matching.
- User Defined—Maximum prefix length to be matched.
• Description—Enter a description of the prefix list.
STEP 4 Click Apply to save the configuration to the Running Configuration file.

Viewing IPv6 Route Tables

The IPv6 Forwarding Table contains the various routes that have been configured.
network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
- Global—An IPv6 address that is a global Unicast IPv6 type that is visible and reachable from other networks.
- Point-to-Point—A Point-to-point tunnel.
• Metric—Value used for comparing this route to other routes with the same destination in the IPv6 router table.
• Interface List—This is a per-interface list of DHCPv6 servers. When a DHCPv6 packet is received on an interface, the packet is relayed both to the servers on the interface list (if it exists) and to the servers on the global destination list.

Dependencies with Other Features

The DHCPv6 client and DHCPv6 relay functions are mutually exclusive on an interface.
Enter the fields:
• Source Interface—Select the interface (port, LAG, VLAN or tunnel) for which DHCPv6 Relay is enabled.
• Use Global Destinations Only—Select to forward packets to the DHCPv6 global destination servers only.
• IPv6 Address Type—Enter the type of the destination address to which client messages are forwarded. The address type can be Link Local, Global or Multicast (All_DHCP_Relay_Agents_and_Servers).
• Polling Timeout—Enter the number of seconds that the device will wait for a response to a DNS query.
• Polling Interval—Enter how often (in seconds) the device sends DNS query packets after the number of retries has been exhausted.
- Use Default—Select to use the default value. This value = 2 * (Polling Retries + 1) * Polling Timeout.
- User Defined—Select to enter a user-defined value.
- Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
- Global—The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
Host Mapping

Host name/IP address mappings are stored in the Host Mapping Table (DNS cache). This cache can contain the following types of entries:
• Static Entries—These are mapping pairs that were manually added to the cache. There can be up to 64 static entries.
• Dynamic Entries—These are mapping pairs that were either added by the system as a result of being used by the user, or an entry for each IP address configured on the device by DHCP.
- No Response—There was no response, but the system can try again in the future.
• TTL—If this is a dynamic entry, how long it will remain in the cache.
• Remaining TTL—If this is a dynamic entry, how much longer it will remain in the cache.
STEP 3 To add a host mapping, click Add.
STEP 4 Enter the parameters.
• IP Version—Select Version 6 for IPv6 or Version 4 for IPv4.
• IPv6 Address Type—Select the IPv6 address type (if IPv6 is used).
17 328 IP Configuration Domain Name Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
IP Configuration: RIPv2
This section describes the Routing Information Protocol (RIP) version 2 feature. It covers the following topics:
• Overview
• How RIP Operates on the Device
• Configuring RIP
NOTE RIP is supported on the following devices:
- SG500X/SG500XG in standalone stacking mode.
- SG500X/SG500XG in advanced hybrid stacking modes in Layer 3.
Overview
Routing Information Protocol (RIP) is an implementation of a distance-vector protocol for local and wide-area networks.
• RFC 2453 RIP Version 2, November 1998
• RFC 2082 RIP-2 MD5 Authentication, January 1997
• RFC 1724 RIP Version 2 MIB Extension
Received RIPv1 packets are dropped.
How RIP Operates on the Device
The following section describes enabling, offset configuration, passive mode, authentication, statistical counters, and the peers database of RIP.
Enabling RIP
• RIP must be enabled globally and per interface.
It is your responsibility to set the offset for each interface (1 by default). The following illustrates the configuration of the metric offset for various interfaces, based on port speed.
Configuring the Offset (Based on Port Speed)
Router rD can send data to rA via rB or rC.
See RIPv2 Settings on an IP Interface for more information.
Filtering Routing Updates
You can filter incoming and outgoing routes for a given IP interface using two Standard Access Lists, one for input and one for output. A Standard Access List is a named, ordered list of pairs of IP prefix (IP address and IP mask length) and action. The action can be deny or permit.
If these features are enabled, rejected routes are advertised with a metric of 16. The route configurations can be propagated using one of the following options:
• Default Metric—Causes RIP to use the predefined default metric value for the propagated route configuration.
• Transparent (default)—Causes RIP to use the routing table metric as the RIP metric for the propagated route configuration.
Using RIP in a Network with Non-RIP Devices
Static route configuration and connected interfaces must be taken into account when using RIP. This is shown in the following figure, which illustrates a network where some routers support RIP and others do not.
A Network with RIP and non-RIP Routers
Router rA does not support RIP. Therefore, routing entries with an appropriate metric are configured statically on this router.
• MD5—Uses MD5 digest authentication. Each router is configured with a set of secret keys. This set is called a key chain. Each key chain consists of one or more keys. Each key has an identifying number (key identifier), a key string and, optionally, a send-lifetime and an accept-lifetime value.
- Configure the offset added to the metric for incoming routes on an IP interface, using the RIPv2 Settings page.
- Enable passive mode on an IP interface, using the RIPv2 Settings page.
- Control which routes are processed in the incoming/outgoing routing updates by specifying an IP address list on the IP interface (see Access Lists).
- Advertise default route entries on the IP interface, using the RIPv2 Settings page.
STEP 3 Redistribute Static Route—Select to enable this feature (described in Redistribution Feature).
STEP 4 If Redistribute Static Route is enabled, select an option for the Redistribute Static Metric field. The following options are available:
• Default Metric—Causes RIP to use the default metric value for the propagated static route configuration (refer to Redistribution Feature).
RIPv2 Settings on an IP Interface
To configure RIP on an IP interface:
STEP 1 Click IP Configuration > RIPv2 > RIPv2 Settings.
STEP 2 RIP parameters are displayed per IP interface. To add a new IP interface, click Add to open the Add RIPv2 Settings page and enter the following fields:
• IP Address—Select an IP interface defined on the Layer 2 interface.
• Shutdown—Select to enable RIP on the interface even in the shutdown state.
• Key Password—If Text was selected as the authentication type, enter the password to be used.
• Key Chain—If MD5 was selected as the authentication mode, enter the key chain to be digested. This key chain is created as described in the Management Access Method section.
• Distribute-list In—Select to configure filtering on RIP incoming routes for the specified IP address(es) in the Access List Name.
STEP 2 To clear all interface counters, click Clear All Interface Counters.
Displaying the RIPv2 Peers Database
To view the RIP Peers (neighbors) database:
STEP 1 Click IP Configuration > RIPv2 > RIPv2 Peer Router Database. The following fields are displayed for the peer router database:
• Router IP Address—IP interface defined on the Layer 2 interface.
• Bad Packets Received—Specifies the number of bad packets identified by RIP on the IP interface.
Creating an Access List
To set the global configuration of an access list:
STEP 1 Click IP Configuration > Access List > Access List Settings.
STEP 2 To add a new Access List, click Add to open the Add Access List page and enter the following fields:
• Name—Define a name for the access list.
• Source IPv4 Address—Enter the source IPv4 address. The following options are available:
- Any—All IP addresses are included.
• Source IPv4 Address—Source IPv4 address. The following options are available:
- Any—All IP addresses are included.
- User Defined—Enter an IP address.
• Source IPv4 Mask—Source IPv4 address mask type and value. The following options are available:
- Network Mask—Enter the network mask (for example 255.255.0.0).
- Prefix Length—Enter the prefix length.
• Action—Action for the access list.
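The Standard Access List described under Filtering Routing Updates and Creating an Access List, worked through in Python as an added example (this is not code from the guide or from the device firmware). It accepts both mask forms offered by the Add Access List page (network mask or prefix length), applies the ordered deny/permit entries with first-match semantics, and shows the two places such a list is used: a distribute-list in that drops denied routes, and a distribute-list out that still advertises a rejected route but with the metric 16 the guide mentions. Two things are assumptions rather than statements of the guide: a route that matches no entry is denied, and the metric-16 behaviour is applied to outbound filtering specifically.

```python
"""Standard Access List evaluation for RIP route filtering (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

RIP_INFINITY = 16  # a metric of 16 means "unreachable" to a RIP neighbour


@dataclass(frozen=True)
class AclEntry:
    """One ordered entry of a Standard Access List: an IP prefix plus an action."""
    prefix: str   # "any", "10.0.0.0/8" (prefix length) or "10.0.0.0/255.0.0.0" (network mask)
    action: str   # "permit" or "deny"


def parse_prefix(text: str) -> ipaddress.IPv4Network:
    """Accept both input forms offered by the Add Access List page:
    a prefix length (10.0.0.0/8) or a dotted network mask (10.0.0.0/255.0.0.0)."""
    return ipaddress.ip_network(text, strict=False)


def first_match(acl: List[AclEntry], route: str) -> str:
    """Return the action of the first entry whose prefix contains the route.
    Assumption (not stated on the page): a route matching no entry is denied."""
    net = parse_prefix(route)
    for entry in acl:
        if entry.prefix == "any" or net.subnet_of(parse_prefix(entry.prefix)):
            return entry.action
    return "deny"


def filter_inbound(acl: List[AclEntry], received: Dict[str, int]) -> Dict[str, int]:
    """Distribute-list In: denied routes are dropped before they reach the routing table."""
    return {r: m for r, m in received.items() if first_match(acl, r) == "permit"}


def filter_outbound(acl: List[AclEntry], advertised: Dict[str, int]) -> Dict[str, int]:
    """Distribute-list Out: a rejected route is still sent, but with metric 16
    (the guide's 'advertised with a metric of 16'), so neighbours treat it as unreachable."""
    return {r: (m if first_match(acl, r) == "permit" else RIP_INFINITY)
            for r, m in advertised.items()}


# Constructed sample data (not from the guide): an ACL that blocks one lab
# subnet, allows the rest of 10/8, and explicitly denies everything else.
SAMPLE_ACL = [
    AclEntry("10.99.0.0/16", "deny"),
    AclEntry("10.0.0.0/255.0.0.0", "permit"),
    AclEntry("any", "deny"),
]
SAMPLE_UPDATE = {"10.1.0.0/24": 2, "10.99.5.0/24": 3, "192.168.1.0/24": 1}

if __name__ == "__main__":
    print("inbound :", filter_inbound(SAMPLE_ACL, SAMPLE_UPDATE))
    print("outbound:", filter_outbound(SAMPLE_ACL, SAMPLE_UPDATE))
```

Because entries are evaluated in order, the more specific deny for 10.99.0.0/16 must precede the broader permit for 10.0.0.0/8; reversing the two would let the lab subnet through.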
IP Configuration: VRRP
This chapter describes how Virtual Router Redundancy Protocol (VRRP) works and how to configure virtual routers running VRRP through the web GUI.
NOTE The SF500 models do not support the VRRP feature.
It covers the following topics:
• Overview
• Configurable Elements of VRRP
• Configuring VRRP
Overview
VRRP is an election and redundancy protocol that dynamically assigns the responsibility of a virtual router to one of the physical routers on a LAN.
Constraints
VRRP is only supported on SG500X/ESW2-550X switches.
VRRP Topology
The following shows a LAN topology in which VRRP is configured. In this example, Routers A, B and C are VRRP routers and together comprise a virtual router. The IP address of the virtual router is the same as that configured for the Ethernet interface of Router A (198.168.2.1).
Routers B and C function as virtual router backups. If the virtual router master fails, the router configured with the higher priority becomes the virtual router master and provides service to the LAN hosts with minimal interruption.
NOTE The VRRP router priority depends on the following: if the VRRP router is the owner, its priority is 255 (the highest); if it is not an owner, the priority is manually configured (always less than 255).
Load Sharing VRRP Topology
In this topology, two virtual routers are configured. For virtual router 1, rA is the owner of IP address 192.168.2.1 and is the virtual router master, and rB is the virtual router backup to rA. Clients 1 and 2 are configured with the default gateway IP address of 192.168.2.1. For virtual router 2, rB is the owner of IP address 192.168.2.2 and the virtual router master, and rA is the virtual router backup to rB.
Configurable Elements of VRRP
A virtual router must be assigned a unique virtual router identifier (VRID) among all the virtual routers on the same LAN. All VRRP routers supporting the same virtual router must be configured with all the information relating to the virtual router, including its VRID. Virtual routers should be enabled on the device only when IP routing is also enabled on the device.
• If there is at least one VRRP router of the virtual router operating in both VRRPv2 and VRRPv3. In this case, configure your VRRP router to operate in VRRPv3 even though VRRPv2 is also interoperable.
NOTE If there are VRRPv2-only routers and VRRPv3-only routers in the virtual router, you must configure at least one VRRPv2 and VRRPv3 router.
All the VRRP routers supporting the same virtual router must have the same configuration. If the configurations are different, the configuration of the master is used. A backup VRRP router logs a syslog message when its configuration differs from the configuration of the master.
• Enabled—When a VRRP router configured with a higher priority than the current master is up, it replaces the current master.
• Disabled—Even if a VRRP router with a higher priority than the current master is up, it does not replace the current master. Only the original master (when it becomes available) replaces the backup.
• Description—User-defined string identifying the virtual router.
• Status—Select to enable VRRP on the device.
• Version—Select the version of VRRP to be used on this router.
• IP Address Owner—If Yes is checked, the IP address of the device is the IP address of the virtual router. Select the IP addresses of the owner from the Available IP Address list and move them to the Owner IP Address list.
• Status—Whether VRRP is enabled.
• IP Address Owner—The owner of the IP address of the virtual router.
• Master/Backup Status—Whether the virtual router is the master or a backup.
• Skew Time—Time used in the calculation of the master down interval.
• Master Down Interval—Time interval for a Backup to declare the Master down.
• Preempt Mode—Whether Preempt mode is enabled.
• Invalid VRRP Packet Type—Displays the number of packets with invalid VRRP packet types.
• Invalid VRRP ID—Displays the number of packets with invalid VRRP IDs.
• Invalid Protocol Number—Displays the number of packets with invalid protocol numbers.
• Invalid IP List—Displays the number of packets with invalid IP lists.
• Invalid Interval—Displays the number of packets with invalid intervals.
• Invalid Authentication—Displays the number of packets that failed authentication.
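The priority, Skew Time, Master Down Interval and Preempt Mode fields above are tied together by the VRRPv2 election rules. The following Python model is an added example, not code from the guide or the switch: it applies the RFC 3768 formulas (Skew_Time = (256 - Priority) / 256 seconds; Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time), forces the address owner to priority 255, and walks the guide's three-router topology through a failure and recovery so the effect of Preempt Mode can be seen. Router names and the 192.168.2.x interface addresses are constructed for the walk-through; the tie-break on the higher IP address is from RFC 3768, not from the guide.

```python
"""VRRPv2 priorities, timers and master election (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

OWNER_PRIORITY = 255  # the IP address owner always has the highest priority


@dataclass
class VrrpRouter:
    name: str
    ip: str                      # the router's own interface address
    vrid: int                    # virtual router identifier shared by the group
    is_owner: bool               # does this router own the virtual router's IP?
    priority: int = 100          # ignored for the owner, which is forced to 255
    adver_interval: float = 1.0  # advertisement interval in seconds (VRRPv2 default)
    preempt: bool = True         # Preempt Mode as described in the guide
    up: bool = True

    def __post_init__(self) -> None:
        if self.is_owner:
            self.priority = OWNER_PRIORITY
        elif not 1 <= self.priority <= 254:
            raise ValueError("a non-owner priority must be between 1 and 254")

    def skew_time(self) -> float:
        """RFC 3768: Skew_Time = (256 - Priority) / 256 seconds."""
        return (256 - self.priority) / 256.0

    def master_down_interval(self) -> float:
        """RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time.
        A backup that hears no advertisement for this long declares the master down;
        the skew term makes the highest-priority backup time out first."""
        return 3 * self.adver_interval + self.skew_time()


def _rank(r: VrrpRouter):
    # higher priority wins; RFC 3768 breaks ties in favour of the higher IP address
    return (r.priority, int(ipaddress.ip_address(r.ip)))


def elect_master(routers: List[VrrpRouter], current: Optional[VrrpRouter]) -> Optional[VrrpRouter]:
    """Decide the master after up/down changes. With Preempt Mode disabled a
    higher-priority router does not displace a live master; the address owner
    (priority 255) always reclaims its virtual router, as the guide states."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    best = max(alive, key=_rank)
    if current is None or not current.up or current is best:
        return best
    return best if (best.preempt or best.is_owner) else current


def failover_sequence() -> List[str]:
    """Constructed walk-through of the guide's three-router topology: rA owns
    the address, rB (priority 100, preempt disabled) and rC (priority 50) back it up."""
    rA = VrrpRouter("rA", "192.168.2.1", 1, True)
    rB = VrrpRouter("rB", "192.168.2.2", 1, False, priority=100, preempt=False)
    rC = VrrpRouter("rC", "192.168.2.3", 1, False, priority=50)
    routers = {r.name: r for r in (rA, rB, rC)}
    master = elect_master(list(routers.values()), None)
    history = [master.name]
    for name, is_up in (("rA", False), ("rB", False), ("rB", True), ("rA", True)):
        routers[name].up = is_up
        master = elect_master(list(routers.values()), master)
        history.append(master.name)
    return history


if __name__ == "__main__":
    # rA fails, rB fails, rB returns but cannot preempt rC, rA returns and reclaims
    print(failover_sequence())
```

The walk-through shows why the guide's note about Preempt Mode matters operationally: with preemption disabled on rB, the lower-priority rC keeps serving after rB comes back, and only the owner rA can take the virtual router back.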
Security
This section describes device security and access control. The system handles various types of security. The following list of topics describes the security features covered in this section. Some features are used for more than a single type of security or control, and so they appear twice in the list of topics below.
• Configuring TACACS+
• Configuring RADIUS
• Configuring Port Security
• 802.1X
• Defining Time Ranges
Protection from other network users is described in the following sections. These are attacks that pass through, but are not directed at, the device.
Defining Users
NOTE It is not permitted to delete all users. If all users are selected, the Delete button is disabled.
To add a new user:
STEP 1 Click Administration > User Accounts. This page displays the users defined in the system and their user privilege level.
STEP 2 Select Password Recovery Service to enable this feature. When this is enabled, an end user with physical access to the console port of the device can enter the boot menu and trigger the password recovery process.
- Read/Write Management Access (15)—User can access the GUI and can configure the device.
STEP 5 Click Apply. The user is added to the Running Configuration file of the device.
Setting Password Complexity Rules
Passwords are used to authenticate users accessing the device. Simple passwords are potential security hazards. Therefore, password complexity requirements are enforced by default and may be configured as necessary.
• Do not repeat or reverse the manufacturer's name or any variant reached by changing the case of the characters.
STEP 4 If the Password Complexity Settings are enabled, the following parameters may be configured:
• Minimal Password Length—Enter the minimal number of characters required for passwords.
NOTE A zero-length password (no password) is allowed, and can still have password aging assigned to it.
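The two complexity rules visible above (a minimal length, and no repeated or reversed manufacturer's name in any letter case) can be checked offline before a password is pushed to many devices. The following Python checker is an added example, not the device's own implementation, and it covers only the rules quoted on this page; the manufacturer's name value "cisco" and the treatment of "repeat or reverse" as a substring match are assumptions. The zero-length case follows the note above: an empty password is accepted.

```python
"""Password complexity checks for the rules quoted in this guide (added example)."""
from typing import List

MANUFACTURER = "cisco"  # constructed value for the "manufacturer's name" rule


def complexity_violations(password: str, min_length: int,
                          manufacturer: str = MANUFACTURER) -> List[str]:
    """Return the names of the rules the password breaks; an empty list means it passes.
    A zero-length password is accepted, as the guide's note states."""
    if password == "":
        return []
    problems: List[str] = []
    if len(password) < min_length:
        problems.append("shorter than minimal length")
    # Comparing in lower case covers "any variant reached by changing the case".
    lowered = password.lower()
    name = manufacturer.lower()
    # Assumption: "repeat or reverse" is checked as a substring, so the name
    # cannot be hidden inside a longer password either.
    if name in lowered:
        problems.append("contains manufacturer name")
    if name[::-1] in lowered:
        problems.append("contains reversed manufacturer name")
    return problems


def audit(candidates: List[str], min_length: int) -> List[str]:
    """Return the candidates that would be rejected by the rules above."""
    return [p for p in candidates if complexity_violations(p, min_length)]


if __name__ == "__main__":
    # Constructed candidates, not from the guide.
    for pw in ["", "abc", "MyCiScO2024!", "xx321OCSICxx", "Tr0ub4dor&3"]:
        print(repr(pw), complexity_violations(pw, 8) or "ok")
```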
• Authorization—Performed at login. After the authentication session is completed, an authorization session starts using the authenticated username. The TACACS+ server then checks user privileges.
• Accounting—Enable accounting of login sessions using the TACACS+ server. This enables a system administrator to generate accounting reports from the TACACS+ server.
The following information is sent to the TACACS+ server by the device when a user logs in or out:
Table 2:
Argument      Description                                          In Start Message   In Stop Message
task_id       A unique accounting session identifier.              Yes                Yes
user          Username that is entered for login authentication.   Yes                Yes
rem-addr      IP address of the user.                              Yes                Yes
elapsed-time  Indicates how long the user was logged in.           No                 Yes
reason        Reports why the session was terminated.
STEP 3 Select TACACS+ in the Management Access Authentication page, so that when a user logs onto the device, authentication is performed on the TACACS+ server instead of in the local database.
NOTE If more than one TACACS+ server has been configured, the device uses the configured priorities of the available TACACS+ servers to select the TACACS+ server to be used.
Configuring a TACACS+ Server
The TACACS+ page enables configuring TACACS+ servers.
• Source IPv4—(In Layer 3 system mode only) Select the device IPv4 source interface to be used in messages sent for communication with the TACACS+ server.
• Source IPv6—(In Layer 3 system mode only) Select the device IPv6 source interface to be used in messages sent for communication with the TACACS+ server.
NOTE If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.
STEP 4 Click Apply.
• Priority—Enter the order in which this TACACS+ server is used. Zero is the highest priority TACACS+ server and is the first server used. If it cannot establish a session with the high priority server, the device tries the next highest priority server.
• Source IP Address—(For SG500X devices and other devices in Layer 3 system mode).
Configuring RADIUS
Remote Authentication Dial-In User Service (RADIUS) servers provide centralized 802.1X or MAC-based network access control. The device is a RADIUS client that can use a RADIUS server to provide centralized security. An organization can establish a RADIUS server to provide centralized 802.1X or MAC-based network access control for all of its devices.
Interactions With Other Features
You cannot enable accounting on both a RADIUS and a TACACS+ server.
RADIUS Workflow
To use a RADIUS server, do the following:
STEP 1 Open an account for the device on the RADIUS server.
STEP 2 Configure that server along with the other parameters in the RADIUS and Add RADIUS Server pages.
• Dead Time—Enter the number of minutes that elapse before a nonresponsive RADIUS server is bypassed for service requests. If the value is 0, the server is not bypassed.
• Key String—Enter the default key string used for authenticating and encrypting between the device and the RADIUS server. This key must match the key configured on the RADIUS server. A key string is used to encrypt communications by using MD5. The key can be entered in Encrypted or Plaintext form.
- Global—The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
• Link Local Interface—Select the link local interface (if IPv6 Address Type Link Local is selected) from the list.
• Server IP Address/Name—Enter the RADIUS server by IP address or name.
• Priority—Enter the priority of the server. The priority determines the order in which the device attempts to contact the servers to authenticate a user.
- All—RADIUS server is used for authenticating users that ask to administer the device and for 802.1X authentication.
STEP 6 To display sensitive data in plaintext form in the configuration file, click Display Sensitive Data As Plaintext.
STEP 7 Click Apply. The RADIUS server definition is added to the Running Configuration file of the device.
Key Management
NOTE This feature is only relevant for SG500X/ESW2-550X devices.
- User Defined (Plaintext)—Enter a plaintext version.
NOTE Both the Accept Life Time and the Send Life Time values can be entered. The Accept Life Time indicates when the key-identifier for receiving packets is valid. The Send Life Time indicates when the key-identifier for sending packets is valid.
• Accept Life Time/Send Life Time—Specifies when packets with this key are accepted. Select one of the following options.
Creating Key Settings
Use the Key Chain Settings page to add a key to an already existing key chain.
STEP 1 Click Security > Key Management > Key Settings.
STEP 2 To add a new key string, click Add.
STEP 3 Enter the following fields:
• Key Chain—Name for the key chain.
• Key Identifier—Integer identifier for the key chain.
• Key String—Value of the key chain string. Enter one of the following options:
- User Defined (Encrypted)—Enter an encrypted version.
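The key chain described here is what the RIPv2 MD5 authentication mode (chapter 19) consumes: each key has an identifier, a key string, and separate Accept Life Time and Send Life Time windows. The following Python model is an added example, not code from the guide or the device. It selects the key to send with at a given time, the set of keys still accepted, and computes the RFC 2082 keyed digest (MD5 over the message followed by the 16-octet key trailer, zero-padded), then shows a rollover where the old key is still accepted for a while after it stops being sent. The choice of the lowest key identifier when several keys are send-valid, the key names, secrets and lifetimes are all assumptions constructed for the example.

```python
"""RIPv2 MD5 authentication with a key chain and key lifetimes (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: bytes
    accept_start: datetime
    accept_end: Optional[datetime]  # None = valid forever (the Infinite option)
    send_start: datetime
    send_end: Optional[datetime]

    @staticmethod
    def _within(t: datetime, start: datetime, end: Optional[datetime]) -> bool:
        return start <= t and (end is None or t < end)

    def accepts_at(self, t: datetime) -> bool:
        return self._within(t, self.accept_start, self.accept_end)

    def sends_at(self, t: datetime) -> bool:
        return self._within(t, self.send_start, self.send_end)


class KeyChain:
    def __init__(self, name: str, keys: List[Key]):
        self.name = name
        self.keys = {k.key_id: k for k in keys}

    def send_key(self, t: datetime) -> Optional[Key]:
        """Assumption: when several keys are send-valid, the lowest identifier is used."""
        valid = sorted((k for k in self.keys.values() if k.sends_at(t)), key=lambda k: k.key_id)
        return valid[0] if valid else None

    def accept_ids(self, t: datetime) -> List[int]:
        return sorted(k.key_id for k in self.keys.values() if k.accepts_at(t))


def rip_md5_digest(message: bytes, key_string: bytes) -> bytes:
    """RFC 2082 keyed digest: MD5 over the RIP message followed by the key,
    which occupies a 16-octet trailer (shorter keys are zero-padded)."""
    return hashlib.md5(message + key_string.ljust(16, b"\x00")[:16]).digest()


def sign(chain: KeyChain, message: bytes, now: datetime) -> Tuple[int, bytes]:
    """Sender side: pick the send-valid key and return (key identifier, digest)."""
    key = chain.send_key(now)
    if key is None:
        raise RuntimeError(f"key chain {chain.name}: no key valid for sending at {now}")
    return key.key_id, rip_md5_digest(message, key.key_string)


def verify(chain: KeyChain, message: bytes, key_id: int, digest: bytes, now: datetime) -> bool:
    """Receiver side: the key must exist, be inside its accept lifetime, and the
    digest must match (compared in constant time)."""
    key = chain.keys.get(key_id)
    if key is None or not key.accepts_at(now):
        return False
    return hmac.compare_digest(rip_md5_digest(message, key.key_string), digest)


# Constructed rollover: key 1 stops being sent after 24 h but is still accepted
# for another 24 h, while key 2 is accepted 4 h before it starts being sent.
T0 = datetime(2024, 1, 1)
H = timedelta(hours=1)
SAMPLE_CHAIN = KeyChain("rip-chain", [
    Key(1, b"old-secret", T0, T0 + 48 * H, T0, T0 + 24 * H),
    Key(2, b"new-secret", T0 + 20 * H, None, T0 + 24 * H, None),
])

if __name__ == "__main__":
    for hours in (10, 30, 50):
        t = T0 + hours * H
        k = SAMPLE_CHAIN.send_key(t)
        print(f"+{hours}h send={k.key_id if k else None} accept={SAMPLE_CHAIN.accept_ids(t)}")
```

The overlap between the accept window of key 1 and the send window of key 2 is what lets neighbours roll to the new key without a window in which updates are rejected; if the accept lifetime of the old key ended at the same instant its send lifetime did, any neighbour whose clock lags would drop the last updates sent under it.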
- Days—Number of days that the key-identifier is valid.
- Hours—Number of hours that the key-identifier is valid.
- Minutes—Number of minutes that the key-identifier is valid.
- Seconds—Number of seconds that the key-identifier is valid.
STEP 4 To always display sensitive data as plaintext (and not in encrypted form), click Display Sensitive Data as Plaintext.
STEP 5 Click Apply. The settings are written to the Running Configuration file.
Management Access Method
• Source IP Address—IP addresses or subnets.
Access to management methods might differ among user groups. For example, one user group might be able to access the device module only by using an HTTPS session, while another user group might be able to access the device module by using both HTTPS and Telnet sessions.
Active Access Profile
The Access Profiles page displays the access profiles that are defined and enables selecting one access profile to be the active one.
A caution message is displayed if you selected any other access profile, warning you that, depending on the selected access profile, you might be disconnected from the web-based configuration utility.
STEP 3 Click OK to select the active access profile or click Cancel to discontinue the action.
STEP 4 Click Add to open the Add Access Profile page. The page allows you to configure a new profile and one rule.
STEP 5 Enter the Access Profile Name.
- All—Applies to all ports, VLANs, and LAGs.
- User Defined—Applies to the selected interface.
• Interface—Enter the interface number if User Defined was selected.
• Applies to Source IP Address—Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:
- All—Applies to all types of IP addresses.
STEP 1 Click Security > Mgmt Access Method > Profile Rules.
STEP 2 Select the Filter field, and an access profile. Click Go. The selected access profile appears in the Profile Rule Table.
STEP 3 Click Add to add a rule.
STEP 4 Enter the parameters.
• Access Profile Name—Select an access profile.
• Rule Priority—Enter the rule priority. When the packet is matched to a rule, user groups are either granted or denied access to the device.
• Interface—Enter the interface number.
• Applies to Source IP Address—Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:
- All—Applies to all types of IP addresses.
- User Defined—Applies to only those types of IP addresses defined in the fields.
• IP Version—Select the supported IP version of the source address: IPv6 or IPv4.
If an authentication method fails or the user has an insufficient privilege level, the user is denied access to the device. In other words, if authentication fails at an authentication method, the device stops the authentication attempt; it does not continue and does not attempt to use the next authentication method.
To define authentication methods for an access method:
STEP 1 Click Security > Management Access Authentication.
SSL Server
This section describes the Secure Socket Layer (SSL) feature.
SSL Overview
The Secure Socket Layer (SSL) feature is used to open an HTTPS session to the device. An HTTPS session may be opened with the default certificate that exists on the device. Some browsers generate warnings when using a default certificate, since this certificate is not signed by a Certification Authority (CA). It is best practice to have a certificate signed by a trusted CA.
• Valid To—Specifies the date up to which the certificate is valid.
• Certificate Source—Specifies whether the certificate was generated by the system (Auto Generated) or the user (User Defined).
STEP 2 Select an active certificate.
STEP 3 Click Generate Certificate Request.
STEP 4 Enter the following fields:
• Regenerate RSA Key—Select to regenerate the RSA key.
• Key Length—Enter the length of the RSA key to be generated.
SSH Server
• Private Key (Encrypted)—Select and copy in the RSA private key in encrypted form.
• Private Key (Plaintext)—Select and copy in the RSA private key in plain text form.
STEP 4 Click Display Sensitive Data as Encrypted to display this key as encrypted. When this button is clicked, the private keys are written to the configuration file in encrypted form (when Apply is clicked).
STEP 5 Click Apply to apply the changes to the Running Configuration.
Configuring TCP/UDP Services
• Telnet—Disabled by factory default
• SSH—Disabled by factory default
The active TCP connections are also displayed in this window.
To configure TCP/UDP services:
STEP 1 Click Security > TCP/UDP Services.
STEP 2 Enable or disable the following TCP/UDP services on the displayed services.
• HTTP Service—Indicates whether the HTTP service is enabled or disabled.
• HTTPS Service—Indicates whether the HTTPS service is enabled or disabled.
• Local IP Address—Local IP address through which the device is offering the service.
• Local Port—Local UDP port through which the device is offering the service.
• Application Instance—The service instance of the UDP service. (For example, when two senders send data to the same destination.)
STEP 3 Click Apply. The services are written to the Running Configuration file.
Defining Storm Control
• Storm Control Mode—Select one of the modes:
- Unknown Unicast, Multicast & Broadcast—Counts unknown Unicast, Broadcast, and Multicast traffic towards the bandwidth threshold.
- Multicast & Broadcast—Counts Broadcast and Multicast traffic towards the bandwidth threshold.
- Broadcast Only—Counts only Broadcast traffic towards the bandwidth threshold.
STEP 4 Click Apply. Storm control is modified, and the Running Configuration file is updated.
Configuring Port Security
When a frame from a new MAC address is detected on a port where it is not authorized (the port is classically locked and there is a new MAC address, or the port is dynamically locked and the maximum number of allowed addresses has been exceeded), the protection mechanism is invoked, and one of the following actions can take place:
• Frame is discarded
• Frame is forwarded
• Port is shut down
When the secure MAC address is seen on another port, the frame is for
- Secure Permanent—Keeps the current dynamic MAC addresses associated with the port and learns up to the maximum number of addresses allowed on the port (set by Max No. of Addresses Allowed). Relearning and aging are enabled.
- Secure Delete on Reset—Deletes the current dynamic MAC addresses associated with the port after reset. New MAC addresses can be learned as Delete-On-Reset ones up to the maximum addresses allowed on the port. Relearning and aging are disabled.
• Max No.
Denial of Service Prevention
A Denial of Service (DoS) attack is an attempt to make a device unavailable to its users. DoS attacks saturate the device with external communication requests, so that it cannot respond to legitimate traffic. These attacks usually lead to a device CPU overload.
Secure Core Technology (SCT)
One method of resisting DoS attacks employed by the device is the use of SCT. SCT is enabled by default on the device and cannot be disabled.
• Martian Addresses—Martian addresses are illegal from the point of view of the IP protocol. See Martian Addresses for more details.
• ICMP Attack—Sending malformed ICMP packets or an overwhelming number of ICMP packets to the victim, which might lead to a system crash.
• IP Fragmentation—Mangled IP fragments with overlapping, over-sized payloads are sent to the device.
• Prevent TCP connections from a specific interface (SYN Filtering page) and rate limit the packets (SYN Rate Protection page)
• Configure the blocking of certain ICMP packets (ICMP Filtering page)
• Discard fragmented IP packets from a specific interface (IP Fragments Filtering page)
• Deny attacks from Stacheldraht Distribution, Invasor Trojan, and Back Orifice Trojan (Security Suite Settings page).
STEP 1 Click Security > Denial of Service Prevention > Security Suite Settings. The Security Suite Settings page is displayed. CPU Protection Mechanism: Enabled indicates that SCT is enabled.
STEP 2 Click Details beside CPU Utilization to go to the CPU Utilization page and view CPU resource utilization information.
STEP 3 Click Edit beside TCP SYN Protection to go to the SYN Protection page and enable this feature.
STEP 4 Select DoS Prevention to enable the feature.
SYN Protection
The network ports might be used by hackers to attack the device in a SYN attack, which consumes TCP resources (buffers) and CPU power. Since the CPU is protected using SCT, TCP traffic to the CPU is limited. However, if one or more ports are attacked with a high rate of SYN packets, the CPU receives only the attacker's packets, thus creating a denial of service.
• Current Status—Interface status. The possible values are:
- Normal—No attack was identified on this interface.
- Blocked—Traffic is not forwarded on this interface.
- Attacked—An attack was identified on this interface.
• Last Attack—Date of the last SYN-FIN attack identified by the system and the system action (Reported or Blocked and Reported).
STEP 3 To add a Martian address, click Add.
STEP 4 Enter the parameters.
• IP Version—Indicates the supported IP version. Currently, support is only offered for IPv4.
• IP Address—Enter an IP address to reject. The possible values are:
- From Reserved List—Select a well-known IP address from the reserved list.
- New IP Address—Enter an IP address.
• Mask—Enter the mask of the IP address to define a range of IP addresses to reject.
- User Defined—Enter a port number.
- All Ports—Select to indicate that all ports are filtered.
STEP 4 Click Apply. The SYN filter is defined, and the Running Configuration file is updated.
SYN Rate Protection
The SYN Rate Protection page enables limiting the number of SYN packets received on the ingress port. This can mitigate the effect of a SYN flood against servers by rate limiting the number of new connections opened to handle packets.
STEP 4 Click Apply. The SYN rate protection is defined, and the Running Configuration is updated.
ICMP Filtering
The ICMP Filtering page enables the blocking of ICMP packets from certain sources. This can reduce the load on the network in case of an ICMP attack.
To define ICMP filtering:
STEP 1 Click Security > Denial of Service Prevention > ICMP Filtering.
STEP 2 Click Add.
STEP 3 Enter the parameters.
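The per-ingress-port limit that SYN Rate Protection applies can be reasoned about with a token bucket, which is how such limiters are commonly built. The Python model below is an added example, not the switch's implementation or the guide's code, and the rate, burst size and traffic pattern are constructed: 100 SYN packets in 100 ms on one port (a flood) next to five well-spaced SYNs on another. Integer millisecond timestamps and tokens kept in thousandths keep the arithmetic exact so the admitted/dropped counts are reproducible.

```python
"""Per-port SYN rate limiting with a token bucket (added example)."""
from typing import Dict, List, Tuple


class SynRateLimiter:
    """Admit at most `rate_pps` SYN packets per second per ingress port, with a
    short burst allowance. Timestamps are integer milliseconds and tokens are
    stored in thousandths, so refills are exact integers."""

    def __init__(self, rate_pps: int, burst: int):
        self.rate = rate_pps
        self.capacity = burst * 1000
        # port -> (tokens in thousandths, timestamp of the last packet seen)
        self.buckets: Dict[str, Tuple[int, int]] = {}

    def admit(self, port: str, now_ms: int) -> bool:
        """Refill the port's bucket for the elapsed time, then spend one token if available."""
        tokens, last = self.buckets.get(port, (self.capacity, now_ms))
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        ok = tokens >= 1000
        if ok:
            tokens -= 1000
        self.buckets[port] = (tokens, now_ms)
        return ok


def run_sample() -> Dict[str, Tuple[int, int]]:
    """Constructed traffic: 100 SYNs 1 ms apart on gi1 and 5 SYNs 200 ms apart on gi2.
    Returns per port (admitted, dropped) for a limiter of 50 SYN/s with a burst of 10."""
    events: List[Tuple[int, str]] = [(t, "gi1") for t in range(100)]
    events += [(t * 200, "gi2") for t in range(5)]
    events.sort()
    limiter = SynRateLimiter(rate_pps=50, burst=10)
    stats = {"gi1": [0, 0], "gi2": [0, 0]}
    for t, port in events:
        stats[port][0 if limiter.admit(port, t) else 1] += 1
    return {port: (admitted, dropped) for port, (admitted, dropped) in stats.items()}


if __name__ == "__main__":
    # the flooding port is throttled to its burst plus the 50/s refill; gi2 is untouched
    print(run_sample())
```

The point to take from the numbers is the isolation: the flood on gi1 is cut to 14 of 100 packets within the first 100 ms, while the host on gi2 never loses a SYN, which is what a per-port limit buys over a single global one.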
18 Security DHCP Snooping • Interface—Select the interface on which the IP fragmentation is being defined. • IP Address—Enter an IP network from which the fragmented IP packets is filtered or select All Addresses to block IP fragmented packets from all addresses. If you enter the IP address, enter either the mask or prefix length.
• DHCP Snooping must be globally enabled in order to enable IP Source Guard on an interface.
• IP Source Guard can be active on an interface only if:
- DHCP Snooping is enabled on at least one of the port's VLANs
- The interface is DHCP untrusted. All packets on trusted ports are forwarded.
• If a port is DHCP trusted, filtering of static IP addresses can still be configured by enabling IP Source Guard on the port, even though IP Source Guard is not otherwise active in that condition.

Configuring IP Source Guard Work Flow
To configure IP Source Guard:
STEP 1 Enable DHCP Snooping in the IP Configuration > DHCP > Properties page or in the Security > DHCP Snooping > Properties page.
STEP 2 Define the VLANs on which DHCP Snooping is enabled in the IP Configuration > DHCP > Interface Settings page.
STEP 3 Configure interfaces as trusted or untrusted in the IP Configuration > DHCP > DHCP Snooping Interface page.

STEP 1 Click Security > IP Source Guard > Interface Settings.
STEP 2 Select port/LAG from the Filter field and click Go. The ports/LAGs on this unit are displayed along with the following:
• IP Source Guard—Indicates whether IP Source Guard is enabled on the port.
• DHCP Snooping Trusted Interface—Indicates whether this is a DHCP trusted interface.
STEP 3 Select the port/LAG and click Edit.

The entries in the Binding database are displayed:
• VLAN ID—VLAN on which the packet is expected.
• MAC Address—MAC address to be matched.
• IP Address—IP address to be matched.
• Interface—Interface on which the packet is expected.
• Status—Displays whether the interface is active.
• Type—Displays whether the entry is dynamic or static.
• Reason—If the interface is not active, displays the reason. The following reasons are possible:
- No Problem—Interface is active.
The following shows an example of ARP cache poisoning.
ARP Cache Poisoning
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate with Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. Host B responds with an ARP reply.

• Trusted—Packets are not inspected.
• Untrusted—Packets are inspected as described above.
ARP inspection is performed only on untrusted interfaces. ARP packets that are received on a trusted interface are simply forwarded. Upon packet arrival on an untrusted interface, the following logic is implemented:
• Search the ARP access control rules for the packet's IP/MAC addresses.

Interaction Between ARP Inspection and DHCP Snooping
If DHCP Snooping is enabled, ARP Inspection uses the DHCP Snooping Binding database in addition to the ARP access control rules. If DHCP Snooping is not enabled, only the ARP access control rules are used.
ARP Defaults
The following table describes the ARP defaults:
Option                   Default State
Dynamic ARP Inspection   Not enabled.

STEP 1 Click Security > ARP Inspection > Properties. Enter the following fields:
• ARP Inspection Status—Select to enable ARP Inspection.
• ARP Packet Validation—Select to enable the following validation checks:
- Source MAC—Compares the packet's source MAC address in the Ethernet header against the sender's MAC address in the ARP request. This check is performed on both ARP requests and responses.
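The inspection decision described in the passages above (trusted versus untrusted interfaces, the ARP access control rules, the DHCP Snooping binding database, and the Source MAC validation check), as an added Python model that is not code from the Cisco guide or the switch. Interface names, VLAN IDs, MAC and IP addresses are constructed sample data; matching a binding on VLAN, MAC and IP only (not on the ingress interface) is an assumption of this model.

```python
"""Added example, not code from the Cisco guide: a model of the ARP Inspection
decision this chapter describes. An ARP packet arriving on an untrusted
interface of an inspected VLAN is first validated (the Source MAC check),
then looked up in the ARP access control group associated with its VLAN and,
when DHCP Snooping is enabled, in the DHCP Snooping binding database.
All addresses, VLANs and interface names below are constructed sample data."""

# Constructed ARP access control groups (ARP Access Control page):
# group name -> set of (MAC, IP) entries; and their VLAN Settings associations.
ARP_ACL_GROUPS = {"servers": {("00:11:22:33:44:55", "192.0.2.10")}}
ARP_ACL_BY_VLAN = {10: "servers"}
ARP_INSPECTED_VLANS = {10}            # VLANs moved to the Enabled VLANs list

# Constructed DHCP Snooping binding database entries:
# (VLAN ID, MAC address, IP address, interface, type).
BINDINGS = [
    (10, "00:11:22:33:44:aa", "192.0.2.20", "gi1/0/2", "dynamic"),
    (10, "00:11:22:33:44:bb", "192.0.2.30", "gi1/0/3", "static"),
]
TRUSTED_INTERFACES = {"gi1/0/1"}      # uplink toward the router/DHCP server


def make_arp(ingress, vlan, eth_src_mac, sender_mac, sender_ip):
    """Build the subset of an ARP packet that the inspection logic needs."""
    return {"ingress": ingress, "vlan": vlan, "eth_src_mac": eth_src_mac,
            "sender_mac": sender_mac, "sender_ip": sender_ip}


def inspect_arp(pkt, *, dhcp_snooping_enabled=True, validate_source_mac=True,
                trusted=TRUSTED_INTERFACES, inspected_vlans=ARP_INSPECTED_VLANS,
                acl_groups=ARP_ACL_GROUPS, acl_by_vlan=ARP_ACL_BY_VLAN,
                bindings=BINDINGS):
    """Return (forward, reason) for one ARP request or reply."""
    # Trusted interfaces are not inspected: the packet is simply forwarded.
    if pkt["ingress"] in trusted:
        return True, "trusted interface: forwarded without inspection"
    # ARP Inspection runs only on VLANs where it has been enabled.
    if pkt["vlan"] not in inspected_vlans:
        return True, "ARP Inspection not enabled on this VLAN"
    sender_mac = pkt["sender_mac"].lower()
    # ARP Packet Validation, Source MAC check: the Ethernet source MAC must
    # equal the ARP sender MAC. Applied to both requests and replies.
    if validate_source_mac and pkt["eth_src_mac"].lower() != sender_mac:
        return False, "dropped: Ethernet source MAC differs from ARP sender MAC"
    key = (sender_mac, pkt["sender_ip"])
    # 1. Search the ARP access control rules for the packet's IP/MAC pair.
    group = acl_by_vlan.get(pkt["vlan"])
    if group is not None:
        entries = {(mac.lower(), ip) for mac, ip in acl_groups.get(group, ())}
        if key in entries:
            return True, f"permitted by ARP access control group {group!r}"
    # 2. With DHCP Snooping enabled, the binding database is used as well.
    if dhcp_snooping_enabled:
        for vlan, mac, ip, _iface, _kind in bindings:
            if (vlan, mac.lower(), ip) == (pkt["vlan"],) + key:
                return True, "permitted by DHCP Snooping binding"
    return False, "dropped: sender MAC/IP matches no ARP access control rule or binding"


def demo():
    """The chapter's poisoning scenario: a host on gi1/0/4 claims another host's IP."""
    legit = make_arp("gi1/0/2", 10, "00:11:22:33:44:aa", "00:11:22:33:44:aa", "192.0.2.20")
    spoof = make_arp("gi1/0/4", 10, "00:11:22:33:44:cc", "00:11:22:33:44:cc", "192.0.2.30")
    return inspect_arp(legit), inspect_arp(spoof)
```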
STEP 3 Select Trusted or Untrusted and click Apply to save the settings to the Running Configuration file.
Defining ARP Inspection Access Control
To add entries to the ARP Inspection table:
STEP 1 Click Security > ARP Inspection > ARP Access Control.
STEP 2 To add an entry, click Add.
STEP 3 Enter the fields:
• ARP Access Control Name—Enter a user-created name.
• MAC Address—MAC address of the packet.
• IP Address—IP address of the packet.
STEP 4 Click Apply.

Defining ARP Inspection VLAN Settings
To enable ARP Inspection on VLANs and associate Access Control Groups with a VLAN:
STEP 1 Click Security > ARP Inspection > VLAN Settings.
STEP 2 To enable ARP Inspection on a VLAN, move the VLAN from the Available VLANs list to the Enabled VLANs list.
STEP 3 To associate an ARP Access Control group with a VLAN, click Add. Select the VLAN number and select a previously-defined ARP Access Control group.
STEP 4 Click Apply.
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
19 Security: 802.1X Authentication
This section describes 802.1X authentication. It covers the following topics:
• Overview of 802.1X
• Authenticator Overview
• Common Tasks
• 802.1X Configuration Through the GUI
• Defining Time Ranges
• Authentication Method and Port Mode Support
Overview of 802.1X
802.1x authentication restricts unauthorized clients from connecting to a LAN through publicly accessible ports. 802.1x authentication is a client-server model.

This is described in the figure below. A network device can be either a client/supplicant, an authenticator, or both, per port.
Client or Supplicant
A client or supplicant is a network device that requests access to the LAN. The client is connected to an authenticator. If the client uses the 802.1x protocol for authentication, it runs the supplicant part of the 802.1x protocol and the client part of the EAP protocol.

See Port Host Modes for more information. The following authentication methods are supported:
• 802.1x-based—Supported in all authentication modes.
• MAC-based—Supported in all authentication modes.
• WEB-based—Supported only in multi-sessions modes.
In 802.1x-based authentication, the authenticator extracts the EAP messages from the 802.1x messages (EAPOL frames) and passes them to the authentication server using the RADIUS protocol.

• force-unauthorized—Port authentication is disabled and the port transmits all traffic via the guest VLAN and unauthenticated VLANs. For more information see Defining Host and Session Authentication. The switch sends 802.1x EAP packets with EAP failure messages inside when it receives 802.1x EAPOL-Start messages.
• auto—Enables 802.

When a port is unauthorized and a guest VLAN is enabled, untagged traffic is remapped to the guest VLAN. Tagged traffic is dropped unless it belongs to the guest VLAN or to an unauthenticated VLAN. If a guest VLAN is not enabled on a port, only tagged traffic belonging to unauthenticated VLANs is bridged.

- SG500XG
Multiple Authentication Methods
If more than one authentication method is enabled on the switch, the following hierarchy of authentication methods is applied:
• 802.1x Authentication: Highest
• WEB-Based Authentication
• MAC-Based Authentication: Lowest
Multiple methods can run at the same time.

This is described in the following figure.
Figure 1 802.1x-Based Authentication
MAC-Based Authentication
MAC-based authentication is an alternative to 802.1X authentication that allows network access to devices (such as printers and IP phones) that do not have the 802.1X supplicant capability. MAC-based authentication uses the MAC address of the connecting device to grant or deny network access.

WEB-Based Authentication
WEB-based authentication is used to authenticate end users who request access to a network through a switch. It enables clients directly connected to the switch to be authenticated using a captive-portal mechanism before the client is given access to the network. Web-based authentication is client-based authentication and is supported in the multi-sessions mode in both Layer 2 and Layer 3.

After authentication is completed, the switch forwards all traffic arriving from the client on the port, as shown in the figure below.
Figure 3 WEB-Based Authentication
Web-based authentication cannot be configured on a port that has the guest VLAN or RADIUS-Assigned VLAN feature enabled. Web-based authentication supports the following pages:
• Login page
• Login Success page
There is a predefined, embedded set of these pages.

SKU       System Mode              WBA Supported
SG500X    Native                   Yes
SG500X    Basic Hybrid - Layer 2   Yes
SG500X    Basic Hybrid - Layer 3   No
SG500XG   Same as Sx500            Yes
NOTE
• When web-based authentication is not supported, guest VLAN and DVA cannot be configured in multi-session mode.

Host Modes with Guest VLAN
The host modes work with guest VLAN in the following way:
• Single-Host and Multi-Host Mode—Untagged traffic and tagged traffic belonging to the guest VLAN arriving on an unauthorized port are bridged via the guest VLAN. All other traffic is discarded. The traffic belonging to an unauthenticated VLAN is bridged via that VLAN.

For a device to be authenticated and authorized at a port which is DVA-enabled:
• The RADIUS server must authenticate the device and dynamically assign a VLAN to the device.
You can set the RADIUS VLAN Assignment field to static in the Port Authentication page. This enables the host to be bridged according to the static configuration.

Violation Mode
In single-host mode you can configure the action to be taken when an unauthorized host on an authorized port attempts to access the interface. This is done in the Host and Session Authentication page. The following options are available:
• restrict—Generates a trap when a station whose MAC address is not the supplicant MAC address attempts to access the interface. The minimum time between the traps is 1 second.

Common Tasks
Workflow 1: To enable 802.1x authentication on a port:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Properties.
STEP 2 Enable Port-based Authentication.
STEP 3 Select the Authentication Method.
STEP 4 Click Apply, and the Running Configuration file is updated.
STEP 5 Click Security > 802.1X/MAC/Web Authentication > Host and Session.
STEP 6 Select the required port and click Edit.
STEP 7 Set the Host Authentication mode.

STEP 4 Click Apply, and the Running Configuration file is updated. Use the Copy Settings button to copy settings from one port to another.
Workflow 4: To configure the quiet period
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Port Authentication.
STEP 2 Select a port, and click Edit.
STEP 3 Enter the quiet period in the Quiet Period field.
STEP 4 Click Apply, and the Running Configuration file is updated.

802.1X Configuration Through the GUI
Defining 802.1X Properties
The 802.1X Properties page is used to globally enable 802.1X and define how ports are authenticated. For 802.1X to function, it must be activated both globally and individually on each port. To define port-based authentication:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Properties.
STEP 2 Enter the parameters.

• If the port state changes from Authorized to Not Authorized, the port is added to the guest VLAN only after the Guest VLAN timeout has expired.
• Traps—To enable traps, select one or more of the following options:
- 802.1x Authentication Failure Traps—Select to generate a trap if 802.1x authentication fails.
- 802.1x Authentication Success Traps—Select to generate a trap if 802.1x authentication succeeds.

STEP 1 Click Security > 802.1X/MAC/Web Authentication > Port Authentication. This page displays authentication settings for all ports.
STEP 2 Select a port, and click Edit.
STEP 3 Enter the parameters.
• Interface—Select a port.
• Current Port Control—Displays the current port authorization state. If the state is Authorized, the port is either authenticated or the Administrative Port Control is Force Authorized.

After an authentication failure, and if the guest VLAN is activated globally and on a given port, the guest VLAN is automatically assigned to the unauthorized ports as an Untagged VLAN.
- Cleared—Disables guest VLAN on the port.
• 802.1X Based Authentication—802.1X authentication is the only authentication method performed on the port.
• MAC Based Authentication—Port is authenticated based on the supplicant MAC address.

• Maximum WBA Login Attempts—Available only in Layer 2 switch mode. Enter the maximum number of login attempts allowed on the interface. Select either Infinite for no limit or User Defined to set a limit.
• Max WBA Silence Period—Available only in Layer 2 switch mode. Enter the maximum length of the silent period allowed on the interface. Select either Infinite for no limit or User Defined to set a limit.

To define 802.1X advanced settings for ports:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Host and Session Authentication. 802.1X authentication parameters are described for all ports. All fields except the following are described in the Edit Host and Session Authentication page.

Viewing Authenticated Hosts
To view details about authenticated users:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Authenticated Hosts. This page displays the following fields:
• User Name—Supplicant names that were authenticated on each port.
• Port—Number of the port.
• Session Time (DD:HH:MM:SS)—Amount of time that the supplicant was logged on the port.

Web Authentication Customization
This page enables designing web-based authentication pages in various languages. You can add up to 4 languages.
NOTE Up to 5 HTTP users and one HTTPS user can request web-based authentication at the same time. When these users are authenticated, more users can request authentication.
To add a language for web-based authentication:
STEP 1 Click Security > 802.

To customize the web-authentication pages:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Web Authentication Customization. This page displays the languages that can be customized.
STEP 2 Click Edit Logon Page. The following page is displayed (Figure 4).
STEP 3 Click Edit1. The following fields are displayed:
• Language—Displays the page's language.
• Color Scheme—Select one of the contrast options.

- None—No logo.
- Default—Use the default logo.
- Other—Select to enter a customized logo. If the Other logo option is selected, the following options are available:
- Logo Image Filename—Enter the logo file name or Browse to the image.
- Application Text—Enter text to accompany the logo.
- Window Title Text—Enter a title for the Login page.
STEP 4 Click Apply and the settings are saved to the Running Configuration file.

• Language Dropdown Label—Enter the label of the language selection dropdown.
• Login Button Label—Enter the label of the login button.
• Login Progress Label—Enter the text that is displayed during the login process.
STEP 8 Click Apply and the settings are saved to the Running Configuration file.
STEP 9 Click Edit4.

STEP 15 Enter the Success Message, which is the text that is displayed if the end user successfully logs in.
STEP 16 Click Apply and the settings are saved to the Running Configuration file.
To preview the login or success message, click Preview. To set one of the languages as the default language, click Set Default Display Language.
Defining Time Ranges
See Time Range for an explanation of this feature.

Authentication Method and Port Mode Support
Mode Behavior
The following table describes how authenticated and non-authenticated traffic is handled in various situations.
20 Security: IPV6 First Hop Security
This section describes how First Hop Security (FHS) works and how to configure it in the GUI.

First Hop Security Overview
IPv6 FHS is a suite of features designed to secure link operations in an IPv6-enabled network. It is based on the Neighbor Discovery Protocol and DHCPv6 messages. In this feature, a Layer 2 switch (as shown in Figure 6) filters Neighbor Discovery Protocol messages, DHCPv6 messages and user data messages according to a number of different rules.

Name          Description
NA message    Neighbor Advertisement message
NDP           Neighbor Discovery Protocol
NS message    Neighbor Solicitation message
RA message    Router Advertisement message
RS message    Router Solicitation message
SAVI          Source Address Validation Improvement
IPv6 First Hop Security Components
IPv6 First Hop Security includes the following features:
• IPv6 First Hop Security Common
• RA Guard
• ND Inspection
• Neighbor Binding

• Neighbor Solicitation (NS) messages
• ICMPv6 Redirect messages
• Certification Path Advertisement (CPA) messages
• Certification Path Solicitation (CPS) messages
• DHCPv6 messages
Trapped RA, CPA, and ICMPv6 Redirect messages are passed to the RA Guard feature. RA Guard validates these messages, drops illegal messages, and passes legal messages to the ND Inspection feature.

IPv6 First Hop Security Perimeter
IPv6 First Hop Security switches can form a perimeter separating an untrusted area from a trusted area. All switches inside the perimeter support IPv6 First Hop Security, and hosts and routers inside this perimeter are trusted devices.

The device-role command in the Neighbor Binding policy configuration screen specifies the perimeter. Each IPv6 First Hop Security switch establishes bindings for neighbors partitioned by the edge. In this way, binding entries are distributed over the IPv6 First Hop Security devices forming the perimeter.

• Validation of received Neighbor Discovery protocol messages.
• Egress filtering
Message Validation
ND Inspection validates the Neighbor Discovery protocol messages, based on an ND Inspection policy attached to the interface. This policy can be defined in the ND Inspection Settings page. If a message does not pass the verification defined in the policy, it is dropped and a rate-limited SYSLOG message is sent.

Neighbor Binding Integrity
Neighbor Binding (NB) Integrity establishes the binding of neighbors. A separate, independent instance of NB Integrity runs on each VLAN on which the feature is enabled.
Learning Advertised IPv6 Prefixes
NB Integrity learns the IPv6 prefixes advertised in RA messages and saves them in the Neighbor Prefix table. The prefixes are used for verification of assigned global IPv6 addresses. By default, this validation is disabled.

NBI-NDP method
The NBI-NDP method used is based on the FCFS-SAVI method specified in RFC 6620, with the following differences:
• Unlike FCFS-SAVI, which supports binding only for link-local IPv6 addresses, NBI-NDP additionally supports binding global IPv6 addresses.
• NBI-NDP supports IPv6 address binding only for IPv6 addresses learnt from NDP messages.

NBI-NDP supports a lifetime timer. The timer value is configurable in the Neighbor Binding Settings page. The timer is restarted each time the bound IPv6 address is confirmed. If the timer expires, the device sends up to 2 DAD-NS messages at short intervals to validate the neighbor.

• A Neighbor Advertisement (NA) message is dropped if the target IPv6 address is bound to another interface.
Protection against IPv6 Duplicate Address Detection Spoofing
An IPv6 host must perform Duplicate Address Detection for each assigned IPv6 address by sending a special NS message (a Duplicate Address Detection Neighbor Solicitation, DAD_NS, message).

A malicious host could send IPv6 messages with a different destination IPv6 address for the last-hop forwarding, causing an overflow of the NBD cache. An embedded mechanism in the NDP implementation, which limits the number of entries allowed in the INCOMPLETE state in the Neighbor Discovery cache, provides protection.

When a user-defined policy is attached to an interface, the default policy for that interface is detached. If the user-defined policy is detached from the interface, the default policy is reattached. Policies do not take effect until:
• The feature in the policy is enabled on the VLAN containing the interface
• The policy is attached to the interface (VLAN, port or LAG). When you attach a policy, the default policy for that interface is detached.

STEP 3 If required, either configure a user-defined policy or add rules to the default policies for the feature.
STEP 4 Attach the policy to a VLAN, port or LAG using either the Policy Attachment (VLAN) or Policy Attachment (Port) pages.
Router Advertisement Guard Work Flow
STEP 1 In the RA Guard Settings page, enter the list of VLANs on which this feature is enabled.

STEP 3 If required, either configure a user-defined policy or add rules to the default policies for the feature.
STEP 4 Attach the policy to a VLAN, port or LAG using either the Policy Attachment (VLAN) or Policy Attachment (Port) pages.
Neighbor Binding Work Flow
STEP 1 In the Neighbor Bindings Settings page, enter the list of VLANs on which this feature is enabled.

Before You Start
No preliminary tasks are required.
Configuring First Hop Security through Web GUI
FHS Common Settings
Use the FHS Settings page to enable the FHS Common feature on a specified group of VLANs and to set the global configuration value for logging packet dropping. If required, a policy can be added, or packet drop logging can be added to the system-defined default policy.

RA Guard Settings
Use the RA Guard Settings page to enable the RA Guard feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default RA Guard policies can be configured in this page. To configure RA Guard on ports or LAGs:
STEP 1 Click Security > First Hop Security > RA Guard Settings.

• Other Configuration Flag—This field specifies verification of the advertised Other Configuration flag within an IPv6 RA Guard policy.
- No Verification—Disables verification of the advertised Other Configuration flag.
- On—Enables verification of the advertised Other Configuration flag.
- Off—The value of the flag must be 0.
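An added Python example, not from the Cisco guide or the switch firmware, showing how the Other Configuration Flag setting of an RA Guard policy decides whether a trapped Router Advertisement is legal (passed on to ND Inspection) or illegal (dropped). The RA bytes are constructed following the RFC 4861 RA header layout; treating the On setting as "the flag must be 1" (the mirror of the Off description above) is an assumption.

```python
"""Added example, not code from the Cisco guide: RA Guard evaluation of the
Other Configuration (O) flag of a Router Advertisement against the policy
setting chosen on the RA Guard Settings page. The RA message is constructed;
the header layout follows RFC 4861 (ICMPv6 type 134, flags byte with M=0x80,
O=0x40). Assumption: 'On' requires the flag to be 1, mirroring 'Off' = 0."""
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_HEADER_LEN = 16      # type, code, checksum, hop limit, flags, lifetime, 2 x 32-bit timers
FLAG_MANAGED = 0x80     # M flag
FLAG_OTHER = 0x40       # O flag


def parse_ra(icmpv6: bytes):
    """Return (managed_flag, other_flag, router_lifetime) from an ICMPv6 RA.

    Raises ValueError for anything that is not a well-formed RA header."""
    if len(icmpv6) < RA_HEADER_LEN:
        raise ValueError("message too short for an RA header")
    msg_type, code, _checksum, _hop_limit, flags, lifetime = struct.unpack(
        "!BBHBBH", icmpv6[:8])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    return bool(flags & FLAG_MANAGED), bool(flags & FLAG_OTHER), lifetime


def other_flag_allowed(setting: str, other_flag: bool) -> bool:
    """Apply the policy's Other Configuration Flag setting to the advertised O flag."""
    if setting == "No Verification":
        return True                      # flag is not checked at all
    if setting == "On":
        return other_flag is True        # assumption: the flag must be 1
    if setting == "Off":
        return other_flag is False       # the value of the flag must be 0
    raise ValueError(f"unknown Other Configuration Flag setting {setting!r}")


def ra_guard(icmpv6: bytes, vlan: int, *, enabled_vlans, other_flag_setting):
    """Return (forward, reason) for one trapped RA received on the given VLAN.

    RA Guard acts only on VLANs in its VLAN list; a legal RA is handed on to
    ND Inspection, an illegal or malformed one is dropped."""
    if vlan not in enabled_vlans:
        return True, "RA Guard not enabled on this VLAN"
    try:
        _managed, other, _lifetime = parse_ra(icmpv6)
    except ValueError as err:
        return False, f"dropped: {err}"
    if not other_flag_allowed(other_flag_setting, other):
        return False, (f"dropped: Other Configuration flag={int(other)} "
                       f"violates setting {other_flag_setting!r}")
    return True, "legal RA, passed to ND Inspection"


def build_ra(managed: bool, other: bool, lifetime: int = 1800) -> bytes:
    """Constructed RA header for testing (checksum left as zero; not validated here)."""
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other else 0)
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64,
                       flags, lifetime, 0, 0)
```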
To create an RA Guard policy or to configure the system-defined default policies, click Add and enter the above parameters. If required, click either Attach Policy to VLAN or Attach Policy to Interface.
DHCPv6 Guard Settings
Use the DHCPv6 Guard Settings page to enable the DHCPv6 Guard feature on a specified group of VLANs and to set the global configuration values for this feature.

• Device Role—Select either Server or Client to specify the role of the device attached to the port for DHCPv6 Guard.
- Inherited—Role of device is inherited from either the VLAN or system default (client).
- Client—Role of device is client.
- Host—Role of device is host.
• Match Reply Prefixes—Select to enable verification of the advertised prefixes in received DHCP reply messages within a DHCPv6 Guard policy.

To configure ND Inspection on ports or LAGs:
STEP 1 Click Security > First Hop Security > ND Inspection Settings.
STEP 2 Enter the following global configuration fields:
• ND Inspection VLAN List—Enter one or more VLANs on which ND Inspection is enabled.
• Drop Unsecure—Select to enable dropping messages with no CGA or RSA Signature option within an IPv6 ND Inspection policy.

STEP 5 If required, click either Attach Policy to VLAN or Attach Policy to Interface.
Neighbor Binding Settings
The Neighbor Binding table is a database table of IPv6 neighbors connected to a device that is created from information sources such as Neighbor Discovery Protocol (NDP) snooping. This database, or binding, table is used by various IPv6 guard features to prevent spoofing and redirect attacks.

STEP 4 Enter the following fields:
• Policy Name—Enter a user-defined policy name.
• Device Role—Select either Server or Client to specify the role of the device attached to the port for the Neighbor Binding policy.
- Inherited—Role of device is inherited from either the VLAN or system default (client).
- Client—Role of device is client.
- Host—Role of device is host.
• Neighbor Binding Logging—See above.

Policy Attachment (Port)
To attach a policy to one or more ports or LAGs:
STEP 1 Click Security > First Hop Security > Policy Attachment (Port). The list of policies that are already attached is displayed along with their Interface number, Policy Type, Policy Name and VLAN List.

FHS Status
To display the global configuration for the FHS features:
STEP 1 Click Security > First Hop Security > FHS Status.
STEP 2 Select a port, LAG or VLAN for which the FHS state is reported.
STEP 3 The following fields are displayed for the selected interface:
• FHS Status
- FHS State on Current VLAN—Is FHS enabled on the current VLAN.

- Device Role—ND Inspection device role.
- Drop Unsecure—Are unsecure messages dropped.
- Minimal Security Level—If unsecure messages are not dropped, what is the minimum security level for packets to be forwarded.
- Validate Source MAC—Is source MAC address verification enabled.
• DHCP Guard Status
- DHCPv6 Guard State on Current VLAN—Is DHCPv6 Guard enabled on the current VLAN.

FHS Statistics
To display FHS statistics:
STEP 1 Click Security > First Hop Security > FHS Statistics.
STEP 2 The following fields are displayed:
• NDP (Neighbor Discovery Protocol) Messages—The number of received and bridged messages is displayed for the following types of messages:
- RA—Router Advertisement messages
- CPA—Certification Path Advertisement messages
- ICMPv6—Internet Control Message IPv6 Protocol
22 Security: SSH Client
This section describes the device when it functions as an SSH client. It covers the following topics:
• Secure Copy (SCP) and SSH
• Protection Methods
• SSH Server Authentication
• SSH Client Authentication
• Before You Begin
• Common Tasks
• SSH Client Configuration Through the GUI
Secure Copy (SCP) and SSH
Secure Shell, or SSH, is a network protocol that enables data to be exchanged over a secure channel between an SSH client (in this case, the device) and an SSH server.

Protection Methods
When files are downloaded via TFTP or HTTP, the data transfer is unsecured. When files are downloaded via SCP, the information is downloaded from the SCP server to the device via a secure channel. The creation of this secure channel is preceded by authentication, which ensures that the user is permitted to perform the operation.

The username/password must then be created on the device. When data is transferred from the server to the device, the username/password supplied by the device must match the username/password on the server. Data can be encrypted using a one-time symmetric key negotiated during the session. Each device being managed must have its own username/password, although the same username/password can be used for multiple switches.

When a private key is created on a device, it is also possible to create an associated passphrase. This passphrase is used to encrypt the private key and to import it into the remaining switches. In this way, all the switches can use the same public/private key.
SSH Server Authentication
A device, as an SSH client, only communicates with a trusted SSH server.

SSH Client Authentication
SSH client authentication by password is enabled by default, with the username/password being "anonymous". The user must configure the following information for authentication:
• The authentication method to be used.
• The username/password or public/private key pair.
In order to support auto configuration of an out-of-box device (a device with the factory default configuration), SSH server authentication is disabled by default.

Before You Begin
The following actions must be performed before using the SCP feature:
• When using the password authentication method, a username/password must be set up on the SSH server.
• When using the public/private key authentication method, the public key must be stored on the SSH server.
Common Tasks
This section describes some common tasks performed using the SSH client. All pages referenced are pages found under the SSH Client branch of the menu tree.

STEP 4 If the public/private key method is being used, perform the following steps:
a. Select whether to use an RSA or DSA key, create a username and then generate the public/private keys.
b. View the generated key by clicking the Details button, and transfer the username and public key to the SSH server. This action depends on the server and is not described in this guide.
c.

SSH User Authentication
Use this page to select an SSH user authentication method and either set a username and password on the device (if the password method is selected) or generate an RSA or DSA key (if the public/private key method is selected). To select an authentication method and set the username/password/keys:
STEP 1 Click Security > SSH Client > SSH User Authentication.
STEP 2 Select an SSH User Authentication Method.

• Generate—Generate a new key.
• Edit—Display the keys for copying/pasting to another device.
• Delete—Delete the key.
• Details—Display the keys.
SSH Server Authentication
To enable SSH server authentication and define the trusted servers:
STEP 1 Click Security > SSH Client > SSH Server Authentication.
STEP 2 Select Enable to enable SSH server authentication.

- Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link-local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link-local address is supported. If a link-local address exists on the interface, this entry replaces the address in the configuration.

- Global—The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
• Link Local Interface—Select the link-local interface from the list of interfaces.
• Server IP Address/Name—Enter either the IP address of the SSH server or its name, depending on what was selected in Server Definition.
• Username—This must match the username on the server.
21 Security: Secure Sensitive Data Management
Secure Sensitive Data (SSD) is an architecture that facilitates the protection of sensitive data on a device, such as passwords and keys. The facility makes use of passphrases, encryption, access control, and user authentication to provide a secure solution for managing sensitive data. The facility is extended to protect the integrity of configuration files, to secure the configuration process, and to support SSD zero-touch auto configuration.
SSD Rules
SSD grants read permission to sensitive data only to authenticated and authorized users, and according to SSD rules. A device authenticates and authorizes management access to users through the user authentication process.
NOTE A device may not support all the channels defined by SSD.
Elements of an SSD Rule
An SSD rule includes the following elements:
• User Type—One of the following:
- Specific—The rule applies to a specific user.
- Default User (cisco)—The rule applies to the default user (cisco).
- Level 15—The rule applies to users with privilege level 15.
- All—The rule applies to all users.
• User Name—If the user type is Specific, a user name is required.
• Channel.
- (Higher) Plaintext Only—Users are permitted to access sensitive data in plaintext only. Users also have read and write permission to SSD parameters.
- (Highest) Both—Users have both encrypted and plaintext permissions and are permitted to access sensitive data both encrypted and in plaintext. Users also have read and write permission to SSD parameters.
Each management channel allows specific read permissions.
NOTE Note the following:
• The default Read mode for the Secure XML SNMP and Insecure XML SNMP management channels must be identical to their read permission.
• Read permission Exclude is allowed only for the Secure XML SNMP and Insecure XML SNMP management channels; Exclude is not allowed for the regular secure and insecure channels.
It is recommended that the user authentication process on a device is secured. To secure the user authentication process, you can use the local authentication database, and you can secure the communication to external authentication servers, such as a RADIUS server. The configuration of the secure communication to the external authentication servers is sensitive data and is protected under SSD.
SSD Properties
SSD Default Read Mode Session Override
The system presents sensitive data in a session as either encrypted or plaintext, based on the read permission and the default read mode of the user. The default read mode can be temporarily overridden as long as it does not conflict with the SSD read permission of the session. This change is effective immediately in the current session, until one of the following occurs:
• The user changes it again.
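The rule elements, the two NOTE constraints on the XML-SNMP channels and the session override rule above can be checked mechanically. The following is an added example written for this page, not Cisco code and not the switch's own implementation: it validates candidate SSD rules, picks the rule that governs a session, and accepts a read-mode override only when it does not conflict with the rule's read permission. The rule precedence it uses (Specific, then Default User, then Level 15, then All) and the constructed rule set are assumptions for the example; the guide does not spell out precedence here.

```python
"""SSD rule checks and session read-mode resolution.

Added example, not Cisco code. Rule precedence (Specific before Default User
before Level 15 before All) is an assumption made for this example.
"""
from dataclasses import dataclass

# Read permissions from lowest to highest.
PERMISSIONS = ("exclude", "encrypted-only", "plaintext-only", "both")
READ_MODES = ("exclude", "encrypted", "plaintext")
XML_SNMP_CHANNELS = {"secure-xml-snmp", "insecure-xml-snmp"}
CHANNELS = {"secure", "insecure"} | XML_SNMP_CHANNELS
# Most specific user type first (assumed precedence).
USER_TYPES = ("specific", "default-user", "level-15", "all")


@dataclass(frozen=True)
class SSDRule:
    user_type: str
    channel: str
    read_permission: str
    default_read_mode: str
    user_name: str = ""


def allowed_modes(permission):
    """Read modes that do not conflict with a read permission."""
    return {
        "exclude": {"exclude"},
        "encrypted-only": {"encrypted"},
        "plaintext-only": {"plaintext"},
        "both": {"encrypted", "plaintext"},
    }[permission]


def validate_rule(rule):
    """Return the list of violations for a rule; an empty list means it is acceptable."""
    errors = []
    if rule.user_type not in USER_TYPES:
        errors.append("unknown user type")
    elif rule.user_type == "specific" and not rule.user_name:
        errors.append("Specific rules require a user name")
    if rule.channel not in CHANNELS:
        errors.append("unknown channel")
    if rule.read_permission not in PERMISSIONS:
        errors.append("unknown read permission")
    if rule.default_read_mode not in READ_MODES:
        errors.append("unknown default read mode")
    if errors:
        return errors
    # NOTE: Exclude is only allowed for the XML-SNMP channels.
    if rule.read_permission == "exclude" and rule.channel not in XML_SNMP_CHANNELS:
        errors.append("Exclude is only allowed for XML-SNMP channels")
    # The default read mode must not conflict with the read permission. For the
    # XML-SNMP channels the guide requires the two to be identical, which this
    # check enforces too (a permission of Both accepts either mode: assumption).
    if rule.default_read_mode not in allowed_modes(rule.read_permission):
        errors.append("default read mode conflicts with read permission")
    return errors


def matching_rule(rules, user_name, privilege_level, channel):
    """Pick the rule governing a session, most specific user type first."""
    def applies(r):
        if r.channel != channel:
            return False
        return ((r.user_type == "specific" and r.user_name == user_name)
                or (r.user_type == "default-user" and user_name == "cisco")
                or (r.user_type == "level-15" and privilege_level == 15)
                or r.user_type == "all")
    candidates = sorted((r for r in rules if applies(r)),
                        key=lambda r: USER_TYPES.index(r.user_type))
    return candidates[0] if candidates else None


def session_read_mode(rule, override=None):
    """Default read mode for the session, or the override if it does not conflict."""
    if override is None:
        return rule.default_read_mode
    if override not in allowed_modes(rule.read_permission):
        raise PermissionError(
            f"{override} conflicts with read permission {rule.read_permission}")
    return override


# Constructed rule set for the example (not a device default).
RULES = [
    SSDRule("all", "insecure", "encrypted-only", "encrypted"),
    SSDRule("all", "secure", "both", "encrypted"),
    SSDRule("level-15", "secure", "both", "plaintext"),
    SSDRule("all", "insecure-xml-snmp", "exclude", "exclude"),
    SSDRule("specific", "secure", "plaintext-only", "plaintext", user_name="auditor"),
]

if __name__ == "__main__":
    for r in RULES:
        print(r, validate_rule(r) or "ok")
    rule = matching_rule(RULES, "bob", 1, "insecure")
    print("bob over an insecure channel sees sensitive data as:", session_read_mode(rule))
```

With the constructed rules, a level 1 user on an insecure channel can only ever see sensitive data encrypted, and asking for a plaintext override raises an error rather than silently granting it; a level 15 user on a secure channel may switch between encrypted and plaintext because the rule grants Both.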
• Character Classes—The passphrase must have at least one upper case character, one lower case character, one numeric character, and one special character (e.g. #, $).
Default and User-defined Passphrases
All devices come with a default, out-of-the-box passphrase that is transparent to users. The default passphrase is never displayed in the configuration file or in the CLI/GUI. Because the default passphrase is shared by all devices of this family, sensitive data encrypted with it is readable by any such device that accepts the configuration file; set a user-defined passphrase on devices whose exported configuration must stay confidential.
• Unrestricted (default)—The device includes its passphrase when creating a configuration file. This enables any device accepting the configuration file to learn the passphrase from the file.
• Restricted—The device does not export its passphrase into a configuration file. Restricted mode protects the encrypted sensitive data in a configuration file from devices that do not have the passphrase.
Read Mode
Each session has a Read mode, which determines how sensitive data appears. The Read mode can be either Plaintext, in which case sensitive data appears as regular text, or Encrypted, in which case sensitive data appears in its encrypted form.
Configuration Files
A configuration file contains the configuration of a device.
The SSD indicator in a file is set according to the user's instruction, during copy, to include encrypted sensitive data, to include plaintext sensitive data, or to exclude sensitive data from the file.
SSD Control Block
When a device creates a text-based configuration file from its Startup or Running Configuration file, it inserts an SSD control block into the file if the user requests that the file include sensitive data.
• If there is an SSD control block in the source configuration file and the file fails the SSD integrity check and/or the file integrity check, the device rejects the source file and fails the copy.
• Configuration commands with encrypted sensitive data that are encrypted with the key generated from the local passphrase are configured into the Running Configuration. Otherwise, the configuration command is in error and is not incorporated into the Running Configuration file.
Sensitive Data Zero-Touch Auto Configuration
SSD Zero-touch Auto Configuration is the auto configuration of target devices with encrypted sensitive data, without the need to manually pre-configure the target devices with the passphrase whose key was used to encrypt the sensitive data. The device currently supports Auto Configuration, which is enabled by default.
SSD Management Channels
Devices can be managed over management channels such as telnet, SSH, and web. SSD categorizes the channels into the following types based on their security and/or protocols: secure, insecure, secure-XML-SNMP, and insecure-XML-SNMP. The following describes whether SSD considers each management channel to be secure or insecure. If it is insecure, the table indicates the parallel secure channel.
Configuring SSD
Password recovery is currently activated from the boot menu and allows the user to log on to the terminal without authentication. If SSD is supported, this option is only permitted if the local passphrase is identical to the default passphrase. If a device is configured with a user-defined passphrase, the user is unable to activate password recovery. Record a user-defined passphrase securely before setting it, because setting it removes this recovery path.
• User Defined (Plaintext)—Enter a new passphrase.
• Confirm Passphrase—Confirm the new passphrase.
SSD Rules
Only users with SSD read permission of Plaintext Only or Both are allowed to set SSD rules. To configure SSD rules:
STEP 1 Click Security > Secure Sensitive Data Management > SSD Rules. The currently-defined rules are displayed.
STEP 2 To add a new rule, click Add.
• Read Permission—The read permissions associated with the rule. These can be the following:
- Exclude—Lowest read permission. Users are not permitted to get sensitive data in any form.
- Encrypted Only—Middle read permission. Users are permitted to get sensitive data as encrypted only.
- Plaintext Only—Higher read permission than the above ones. Users are permitted to get sensitive data in plaintext only.
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
23 Security: SSH Server
This section describes how to establish an SSH session on the device. It covers the following topics:
• Overview
• Common Tasks
• SSH Server Configuration Pages
Overview
The SSH Server feature enables users to create an SSH session to the device. This is similar to establishing a telnet session, except that the session is secured. Public and private keys are automatically generated on the device. These can be modified by the user.
Common Tasks
This section describes some common tasks performed using the SSH Server feature.
Workflow 1: To log on to the device over SSH using the device's automatically-created (default) key, perform the following:
STEP 1 Enable the SSH server in the TCP/UDP Services page and verify that SSH user authentication by public key is disabled in the SSH User Authentication page.
SSH Server Configuration Pages
This section describes the pages used to configure the SSH Server feature.
SSH User Authentication
Use the SSH User Authentication page to enable SSH user authentication by public key and/or password, and (when using authentication by public key) to add an SSH client user that will be used to create an SSH session from an external SSH application (like PuTTY).
• SSH User Authentication by Public Key—Select to perform authentication of the SSH client user using the public key.
• Automatic Login—This field can be enabled if SSH User Authentication by Public Key was selected. See Automatic Login.
The following fields are displayed for the configured users:
• SSH User Name—User name of the user.
• Key Type—Whether this is an RSA or DSA key.
• Edit—Enables you to copy in a key from another device.
• Delete—Enables you to delete a key.
• Details—Enables you to view the generated key. The Details window also enables you to click Display Sensitive Data as Plaintext. If this is clicked, the keys are displayed as plaintext and not in encrypted form. If the key is already being displayed as plaintext, you can click Display Sensitive Data as Encrypted to display the text in encrypted form.
24 Access Control
The Access Control List (ACL) feature is part of the security mechanism. ACL definitions also serve as one of the mechanisms to define traffic flows that are given a specific Quality of Service (QoS). For more information see Quality of Service. ACLs enable network managers to define patterns (filters and actions) for ingress traffic. Packets entering the device on a port or LAG with an active ACL are either admitted or denied entry.
Access Control Lists
When a packet matches an ACE filter, the ACE action is taken and processing of that ACL stops. If the packet does not match the ACE filter, the next ACE is processed. If all ACEs of an ACL have been processed without finding a match, and another ACL exists, it is processed in the same manner.
NOTE If no match is found to any ACE in all relevant ACLs, the packet is dropped (as the default action).
Creating ACLs Workflow
To create ACLs and associate them with an interface, perform the following:
1. Create one or more of the following types of ACLs:
a. MAC-based ACL by using the MAC Based ACL page and the MAC Based ACE page
b. IP-based ACL by using the IPv4 Based ACL page and the IPv4 Based ACE page
c. IPv6-based ACL by using the IPv6 Based ACL page and the IPv6 Based ACE page
2. Associate the ACL with interfaces by using the ACL Binding page.
Defining MAC-based ACLs
MAC-based ACLs are defined in the MAC Based ACL page. The rules are defined in the MAC Based ACE page. To define a MAC-based ACL:
STEP 1 Click Access Control > MAC-Based ACL. This page contains a list of all currently-defined MAC-based ACLs.
STEP 2 Click Add.
STEP 3 Enter the name of the new ACL in the ACL Name field. ACL names are case-sensitive.
STEP 4 Click Apply. The MAC-based ACL is saved to the Running Configuration file.
• Time Range—Select to limit the use of the ACL to a specific time range.
• Time Range Name—If Time Range is selected, select the time range to be used. Time ranges are defined in the Time Range section.
• Destination MAC Address—Select Any if all destination addresses are acceptable, or User Defined to enter a destination address or a range of destination addresses.
IPv4-based ACLs
IPv4-based ACLs are used to check IPv4 packets; other types of frames, such as ARP, are not checked. An IPv4-based ACL therefore cannot filter ARP or other non-IP frames; use a MAC-based ACL for those.
Adding Rules (ACEs) to an IPv4-Based ACL
NOTE Each IPv4-based rule consumes one TCAM rule. Note that TCAM allocation is performed in pairs: for the first ACE, 2 TCAM rules are allocated, and the second of those TCAM rules is used by the next ACE, and so forth.
To add rules (ACEs) to an IPv4-based ACL:
STEP 1 Click Access Control > IPv4-Based ACE.
STEP 2 Select an ACL, and click Go. All currently-defined IP ACEs for the selected ACL are displayed.
- EGP—Exterior Gateway Protocol
- IGP—Interior Gateway Protocol
- UDP—User Datagram Protocol
- HMP—Host Mapping Protocol
- RDP—Reliable Datagram Protocol
• Source IP Wildcard Mask—Enter the mask to define a range of IP addresses. Note that this mask is different from a subnet mask: here, setting a bit to 1 means "don't care" (the bit is not compared) and setting a bit to 0 means the bit must match.
NOTE Given a mask of 0000 0000 0000 0000 0000 0000 1111 1111 (0.0.0.255 in dotted notation), the device compares the 24 bits where the mask is 0 and ignores the 8 bits where the mask is 1.
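The ACE processing order described under Access Control Lists (first match decides, then the default rule) and the inverted meaning of the wildcard mask are the two things most often got wrong when writing ACLs. The following is an added example written for this page, not Cisco code and not the switch's implementation: a small IPv4 ACL evaluator with wildcard-mask matching, first-match semantics and a configurable default action. The ACL, the addresses and the packets are constructed for the example.

```python
"""IPv4 ACL evaluation with wildcard masks.

Added example, not Cisco code. ACEs are checked in order, the first match
decides and processing stops, and a packet matching no ACE in any bound ACL
is handled by the default rule (deny unless the binding's Default Action is
Permit Any). Wildcard mask bits: 1 = don't care, 0 = must match.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def ip_matches(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard mask bit is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class ACE:
    action: str                              # "permit" or "deny"
    protocol: str = "any"                    # "any", "tcp", "udp", "icmp", ...
    src: str = "0.0.0.0"
    src_wildcard: str = "255.255.255.255"    # every bit don't care, i.e. Any
    dst: str = "0.0.0.0"
    dst_wildcard: str = "255.255.255.255"
    dst_port: Optional[int] = None           # None = any port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def ace_matches(ace, pkt):
    if ace.protocol != "any" and ace.protocol != pkt.protocol:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return (ip_matches(pkt.src, ace.src, ace.src_wildcard)
            and ip_matches(pkt.dst, ace.dst, ace.dst_wildcard))


def evaluate(acls, pkt, default_action="deny"):
    """acls: list of (name, [ACE, ...]) in processing order.
    Returns (action, reason); reason names the deciding ACE or "default"."""
    for name, aces in acls:
        for index, ace in enumerate(aces):
            if ace_matches(ace, pkt):
                return ace.action, f"{name}#{index}"
    return default_action, "default"


# Constructed example: management addresses live in 10.0.0.0-10.0.0.255 and the
# admin stations in 10.1.1.0-10.1.1.255. SSH from admins is allowed, telnet is
# refused from everywhere, ICMP is allowed; anything else hits the default rule.
MGMT_ACL = [("mgmt", [
    ACE("permit", "tcp", "10.1.1.0", "0.0.0.255", "10.0.0.0", "0.0.0.255", 22),
    ACE("deny", "tcp", dst_port=23),
    ACE("permit", "icmp"),
])]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.5", "10.0.0.1", 22),
                Packet("tcp", "192.0.2.9", "10.0.0.1", 22),
                Packet("tcp", "10.1.1.5", "10.0.0.1", 23),
                Packet("udp", "10.1.1.5", "10.0.0.1", 161)):
        print(pkt, "->", evaluate(MGMT_ACL, pkt))
```

Note what happens when a subnet mask such as 255.255.255.0 is typed into the wildcard field by mistake: the first three octets become don't-care and only the last octet is compared, so 192.168.5.0 "matches" 10.0.0.0 while 10.0.0.7 does not. Checking a new ACE against a few representative addresses before binding it catches this.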
IPv6-Based ACLs
- DSCP to Match—Differentiated Services Code Point (DSCP) to match.
- IP Precedence to Match—IP precedence is a model of TOS (type of service) that the network uses to help provide the appropriate QoS commitments. This model uses the 3 most significant bits of the service type byte in the IP header, as described in RFC 791 and RFC 1349.
• ICMP—If the IP protocol of the ACL is ICMP, select the ICMP message type used for filtering purposes.
NOTE ACLs are also used as the building elements of flow definitions for per-flow QoS handling (see QoS Advanced Mode).
Defining an IPv6-based ACL
To define an IPv6-based ACL:
STEP 1 Click Access Control > IPv6-Based ACL. This window contains the list of defined ACLs and their contents.
STEP 2 Click Add.
STEP 3 Enter the name of the new ACL in the ACL Name field. The names are case-sensitive.
STEP 4 Click Apply.
• Time Range—Select to limit the use of the ACL to a specific time range.
• Time Range Name—If Time Range is selected, select the time range to be used. Time ranges are described in the Time Range section.
• Protocol—Select to create an ACE based on a specific protocol. Select Any (IPv6) to accept all IP protocols. Otherwise select one of the following protocols:
- TCP—Transmission Control Protocol.
• Range—Select a range of TCP/UDP source ports to which the packet is matched.
• Destination Port—Select one of the available values. (They are the same as for the Source Port field described above.)
NOTE You must specify the IPv6 protocol for the ACL before you can configure the source and/or destination port.
• TCP Flags—Select one or more TCP flags with which to filter packets. Filtered packets are either forwarded or dropped.
Defining ACL Binding
When an ACL is bound to an interface (port, LAG or VLAN), its ACE rules are applied to packets arriving at that interface. Packets that do not match any of the ACEs in the ACL are matched to a default rule, whose action is to drop unmatched packets. Although each interface can be bound to only one ACL, multiple interfaces can be bound to the same ACL by grouping them into a policy map and binding that policy map to the interfaces.
• Default Action—Select one of the following options:
- Deny Any—If a packet does not match an ACL, it is denied (dropped).
- Permit Any—If a packet does not match an ACL, it is permitted (forwarded).
Permit Any turns the binding from default-deny into default-permit, so anything the ACEs do not explicitly deny is forwarded; choose it deliberately.
NOTE Default Action can be defined only if IP Source Guard is not activated on the interface.
STEP 6 Click Apply. The ACL binding is modified, and the Running Configuration file is updated.
25 Quality of Service
The Quality of Service feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and that the desired traffic receives preferential treatment.
QoS Features and Components
The QoS feature is used to optimize network performance.
QoS Modes
The QoS mode that is selected applies to all interfaces in the system.
• Basic Mode—Class of Service (CoS). All traffic of the same class receives the same treatment, which is the single QoS action of determining the egress queue on the egress port, based on the indicated QoS value in the incoming frame. This can be the VLAN Priority Tag (VPT) 802.1p value.
• When QoS is disabled, the shaper and queue settings (WRR/SP bandwidth settings) are reset to default values. All other user configurations remain intact.
QoS Workflow
To configure general QoS parameters, perform the following:
STEP 1 Choose the QoS mode (Basic, Advanced, or Disabled, as described in the "QoS Modes" section) for the system by using the QoS Properties page. The following steps in the workflow assume that you have chosen to enable QoS.
Configuring QoS - General
The QoS Properties page contains fields for setting the QoS mode for the system (Basic, Advanced, or Disabled, as described in the "QoS Modes" section). In addition, the default CoS priority for each interface can be defined.
Setting QoS Properties
To select the QoS mode:
STEP 1 Click Quality of Service > General > QoS Properties.
STEP 2 Set the QoS mode.
STEP 2 Click Apply. The interface default CoS value is saved to the Running Configuration file.
Configuring QoS Queues
The device supports either 4 or 8 queues for each interface (selected in the System Mode and Stack Management page). Queue number four or eight is the highest priority queue. Queue number one is the lowest priority queue. There are two ways of determining how traffic in queues is handled: Strict Priority and Weighted Round Robin (WRR).
To select the priority method and enter WRR data:
STEP 1 Click Quality of Service > General > Queue.
STEP 2 Enter the parameters.
• Queue—Displays the queue number.
• Scheduling Method—Select one of the following options:
- Strict Priority—Traffic scheduling for the selected queue and all higher queues is based strictly on the queue priority.
- WRR—Traffic scheduling for the selected queue is based on WRR.
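The practical difference between the two scheduling methods is easiest to see in a simulation. The following is an added example written for this page, not Cisco code and not a description of the switch's hardware scheduler: it transmits frames slot by slot from four queues, serving any backlogged strict-priority queue first and sharing the remaining slots among the WRR queues according to their weights. The guide does not describe the WRR mechanism in detail, so the per-round credit scheme, the weights and the backlogs are assumptions made for the example.

```python
"""Egress queue scheduling: Strict Priority and Weighted Round Robin.

Added example, not Cisco code. Queue numbering follows the guide (queue 1 is
the lowest priority). A Strict Priority queue is served whenever it holds a
frame, highest-numbered strict queue first; only when every strict queue is
empty do the WRR queues share slots in proportion to their weights. The
per-round credit scheme used for WRR is an assumption for this example, and
WRR weights must be at least 1.
"""
from collections import Counter


def schedule(queues, slots):
    """Simulate `slots` transmission slots.

    queues: {queue_number: {"method": "strict" | "wrr", "weight": int, "backlog": int}}
    Returns a Counter of frames transmitted per queue; key "idle" counts empty slots.
    """
    backlog = {q: cfg["backlog"] for q, cfg in queues.items()}
    strict = sorted((q for q, c in queues.items() if c["method"] == "strict"), reverse=True)
    wrr = sorted(q for q, c in queues.items() if c["method"] == "wrr")
    credit = {q: 0 for q in wrr}
    sent = Counter()
    pos = 0
    for _ in range(slots):
        # Strict queues win whenever they have something to send.
        q = next((q for q in strict if backlog[q] > 0), None)
        if q is not None:
            backlog[q] -= 1
            sent[q] += 1
            continue
        if not any(backlog[q] > 0 for q in wrr):
            sent["idle"] += 1
            continue
        # Start a new WRR round when no backlogged queue has credit left.
        if not any(credit[q] > 0 and backlog[q] > 0 for q in wrr):
            for q in wrr:
                credit[q] = queues[q]["weight"]
            pos = 0
        while not (credit[wrr[pos]] > 0 and backlog[wrr[pos]] > 0):
            pos = (pos + 1) % len(wrr)
        q = wrr[pos]
        credit[q] -= 1
        backlog[q] -= 1
        sent[q] += 1
    return sent


# Constructed configuration: queue 4 strict, queues 1-3 WRR with weights 1, 2, 3,
# every queue permanently backlogged unless changed below.
QUEUES = {
    1: {"method": "wrr", "weight": 1, "backlog": 1000},
    2: {"method": "wrr", "weight": 2, "backlog": 1000},
    3: {"method": "wrr", "weight": 3, "backlog": 1000},
    4: {"method": "strict", "weight": 0, "backlog": 1000},
}


def with_strict_backlog(frames):
    """Copy of QUEUES with the strict queue holding `frames` frames."""
    queues = {q: dict(cfg) for q, cfg in QUEUES.items()}
    queues[4]["backlog"] = frames
    return queues


if __name__ == "__main__":
    print("strict queue idle:     ", schedule(with_strict_backlog(0), 60))
    print("strict queue 25 frames:", schedule(with_strict_backlog(25), 60))
    print("strict queue saturated:", schedule(with_strict_backlog(1000), 60))
```

Over 60 slots the idle-strict case sends 10, 20 and 30 frames from queues 1, 2 and 3, the 1:2:3 weight ratio; with 25 frames in the strict queue those go out first and the WRR queues divide what is left; with the strict queue saturated it takes every slot and the lower queues send nothing. That last case is why a strict queue should be reserved for traffic whose volume is bounded, such as voice or control traffic, and never for something an end host can generate at will.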
802.1p Value (0-7, 7 being the highest)   Queue (4 queues, 1-4, 4 being the highest priority)   Notes
1   1   Best Effort
2   2   Excellent Effort
3   3   Critical Application - LVS phone SIP
4   3   Video
5   4   Voice - Cisco IP phone default
6   4   Interwork Control - LVS phone RTP
7   4   Network Control
The following table describes the default mapping when there are 8 queues:
By changing the CoS/802.1p to Queue mapping (CoS/802.1p to Queue page) and the queue scheduling method and bandwidth allocation (Queue page), it is possible to achieve the desired quality of service in a network. The CoS/802.1p to Queue mapping is applicable only if one of the following exists:
• The device is in QoS Basic mode and CoS/802.1p trusted mode
• The device is in QoS Advanced mode and the packets belong to flows that are CoS/802.1p trusted
• The device is in QoS Advanced mode and the packets belong to flows that are DSCP trusted
Non-IP packets are always classified to the best-effort queue.
The following table describes the default DSCP to queue mapping for a 4-queue system:
DSCP    63 55 47 39 31 23 15  7
Queue    3  3  4  3  3  2  1  1
DSCP    62 54 46 38 30 22 14  6
Queue    3  3  4  3  3  2  1  1
DSCP    61 53 45 37 29 21 13  5
Queue    3  3  4  3  3  2  1  1
DSCP    60 52 44 36 28 20 12  4
Queue    3  3  4  3  3  2  1  1
DSCP    59 51 43 35 27 19 11  3
Queue    3  3  4  3  3  2  1  1
DSCP    58 50 42 34 26 18 10  2
Remaining rows of a second default DSCP to queue mapping for an 8-queue system (the title and first rows of this table are not present on this page):
DSCP    60 52 44 36 28 20 12  4
Queue    6  6  7  5  4  3  2  1
DSCP    59 51 43 35 27 19 11  3
Queue    6  6  7  5  4  3  2  1
DSCP    58 50 42 34 26 18 10  2
Queue    6  6  7  5  4  3  2  1
DSCP    57 49 41 33 25 17  9  1
Queue    6  6  7  5  4  3  2  1
DSCP    56 48 40 32 24 16  8  0
Queue    6  6  6  7  6  6  1  1
The following table describes the default DSCP to queue mapping for an 8-queue system where 8 is the highest:
DSCP    63 55 47 39 31 23 15  7
Queue    7  7  8  6  5  4  3  1
DSCP    62 54 46 38 30 22 14  6
Queue    7  7  8  6  5  4  3  1
DSCP    61 53 45 37 29 21 13  5
Queue    7  7  8  6  5  4  3  1
DSCP    60 52 44 36 28 20 12  4
Queue    7  7  8  6  5  4  3  1
DSCP    59 51 43 35 27 19 11  3
Queue    7  7  8  6  5  4  3  1
DSCP    58 50 42
STEP 3 Click Apply. The Running Configuration file is updated.
Configuring Bandwidth
The Bandwidth page enables users to define two values, Ingress Rate Limit and Egress Shaping Rate, which determine how much traffic the system can receive and send. The ingress rate limit is the number of bits per second that can be received on the ingress interface. Excess traffic above this limit is discarded.
• Ingress Committed Burst Size (CBS)—Enter the maximum burst size of data for the ingress interface in bytes. This amount can be sent even if it temporarily increases the bandwidth beyond the allowed limit. This field is only available if the interface is a port.
• Egress Shaping Rate—Select to enable egress shaping on the interface.
This page enables shaping the egress for up to eight queues on each interface.
STEP 4 Select the Interface.
STEP 5 For each queue that is required, enter the following fields:
• Enable Shaping—Select to enable egress shaping on this queue.
• Committed Information Rate (CIR)—Enter the maximum rate (CIR) in Kbits per second (Kbps). CIR is the average maximum amount of data that can be sent.
To define the VLAN ingress rate limit:
STEP 1 Click Quality of Service > General > VLAN Ingress Rate Limit. This page displays the VLAN Ingress Rate Limit Table.
STEP 2 Click Add.
STEP 3 Enter the parameters.
• VLAN ID—Select a VLAN.
• Committed Information Rate (CIR)—Enter the average maximum amount of data that can be accepted into the VLAN in Kilobytes per second.
QoS Basic Mode
In QoS Basic mode, a specific domain in the network can be defined as trusted. Within that domain, packets are marked with 802.1p priority and/or DSCP to signal the type of service they require. Nodes within the domain use these fields to assign the packet to a specific output queue. The initial packet classification and marking of these fields is done at the ingress of the trusted domain.
• CoS/802.1p—Traffic is mapped to queues based on the VPT field in the VLAN tag, or based on the per-port default CoS/802.1p value if there is no VLAN tag on the incoming packet. The actual mapping of VPT to queue can be configured in the CoS/802.1p to Queue page.
• DSCP—All IP traffic is mapped to queues based on the DSCP field in the IP header. The actual mapping of DSCP to queue can be configured in the DSCP to Queue page.
Trust should be enabled only on interfaces facing devices that set these fields legitimately: a host on a trusted port can place its own traffic in the highest-priority queue simply by marking it.
To enter QoS settings per interface:
STEP 1 Click Quality of Service > QoS Basic Mode > Interface Settings.
STEP 2 Select Port or LAG to display the list of ports or LAGs. QoS State displays whether QoS is enabled on the interface.
STEP 3 Select an interface, and click Edit.
STEP 4 Select the Port or LAG interface.
STEP 5 Click to enable or disable QoS State for this interface.
STEP 6 Click Apply. The Running Configuration file is updated.
QoS Advanced Mode
• Per-flow QoS is applied to flows by binding the policies to the desired ports. A policy and its class maps can be bound to one or more ports, but each port is bound to at most one policy.
Notes:
• Single policers and aggregate policers are available when the device is in Layer 2 mode.
• An ACL can be configured in one or more class maps regardless of policies.
• A class map can belong to only one policy.
4. Create a policy using the Policy Table page, and associate the policy with one or more class maps using the Policy Class Map page. You can also specify the QoS, if needed, by assigning a policer to a class map when you associate the class map with the policy.
• Single Policer—Create a policy that associates a class map with a single policer by using the Policy Table page and the Class Mapping page. Within the policy, define the single policer.
In QoS Advanced Mode, when the Default Mode Status is set to Not Trusted, the default CoS values configured on the interface are ignored and all the traffic goes to queue 1. See the Quality of Service > QoS Advanced Mode > Global Settings page for details. If a policy is bound to an interface, the Default Mode is irrelevant: the action is according to the policy configuration, and unmatched traffic is dropped. A bound policy therefore behaves as an allowlist; make sure the class maps cover every flow the interface must carry, or select Permit Any in the policy binding.
For example, assume that there are three levels of service, Silver, Gold, and Platinum, and that the incoming DSCP values used to mark these levels are 10, 20, and 30 respectively. If this traffic is forwarded to another service provider that has the same three levels of service but uses DSCP values 16, 24, and 48, Out of Profile DSCP Mapping changes the incoming values as they are mapped to the outgoing values.
To define a Class Map:
STEP 1 Click Quality of Service > QoS Advanced Mode > Class Mapping. This page displays the already-defined class maps.
STEP 2 Click Add. A new class map is added by selecting one or two ACLs and giving the class map a name. If a class map has two ACLs, you can specify that a frame must match both ACLs, or that it must match either one or both of the ACLs selected.
STEP 3 Enter the parameters.
This can be done by using the ACLs in the class map(s) to match the desired traffic, and by using a policer to apply the QoS to the matching traffic. A policer is configured with a QoS specification. There are two kinds of policers:
• Single (Regular) Policer—A single policer applies the QoS to a single class map, and therefore to a single flow, based on the policer's QoS specification.
Defining Aggregate Policers
An aggregate policer applies the QoS to one or more class maps, and therefore to one or more flows. An aggregate policer can support class maps from different policies and applies the QoS to all its flows in aggregate, regardless of policies and ports.
NOTE The device supports aggregate policers and single policers only when operating in Layer 2 mode, on devices that support a separate Layer 2 system mode.
Configuring a Policy
The Policy Table page displays the list of advanced QoS policies defined in the system. The page also allows you to create and delete policies. Only those policies that are bound to an interface are active (see the Policy Binding page). Each policy consists of:
• One or more class maps of ACLs, which define the traffic flows in the policy.
• One or more aggregates that apply the QoS to the traffic flows in the policy.
STEP 3 To add a new class map, click Add.
STEP 4 Enter the parameters.
• Policy Name—Displays the policy to which the class map is being added.
• Class Map Name—Select an existing class map to be associated with the policy. Class maps are created in the Class Mapping page.
• Action Type—Select the action regarding the ingress CoS/802.1p and/or DSCP value of all the matching packets.
- Use default trust mode—Ignore the ingress CoS/802.1p and/or DSCP value.
If Police Type is Single, enter the following QoS parameters:
• Ingress Committed Information Rate (CIR)—Enter the CIR in Kbps. See the description in the Bandwidth page.
• Ingress Committed Burst Size (CBS)—Enter the CBS in bytes. See the description in the Bandwidth page.
• Exceed Action—Select the action assigned to incoming packets exceeding the CIR. The options are:
- None—No action.
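The CIR and CBS parameters, described for the Bandwidth page and reused here for the single policer, are the two knobs of a token bucket, and the Exceed Action is what happens to a packet that finds the bucket too empty. The following is an added example written for this page, not Cisco code and not the switch's policing hardware: a token-bucket policer that classifies each packet as in profile or out of profile and keeps the two byte counters the QoS Statistics pages report. The packet traces are constructed, and the action labels "drop", "none" and "remark" are this example's own names, not the device's option list.

```python
"""CIR/CBS rate limiting as a token bucket policer.

Added example, not Cisco code. The Committed Information Rate (CIR, Kbps)
refills the bucket and the Committed Burst Size (CBS, bytes) is its depth, so
a burst of up to CBS bytes passes even though it momentarily exceeds the CIR.
A packet that finds too few tokens is out of profile and gets the Exceed
Action. Action labels are this example's own.
"""


class Policer:
    def __init__(self, cir_kbps, cbs_bytes, exceed_action="drop"):
        self.cir_bytes_per_sec = cir_kbps * 1000 / 8
        self.cbs_bytes = cbs_bytes
        self.exceed_action = exceed_action
        self.tokens = float(cbs_bytes)    # bucket starts full: the first burst is allowed
        self.last_t = 0.0
        self.in_profile_bytes = 0
        self.out_of_profile_bytes = 0

    def offer(self, t, length):
        """Offer a packet of `length` bytes arriving at time t (seconds); return the verdict."""
        if t > self.last_t:
            refill = (t - self.last_t) * self.cir_bytes_per_sec
            self.tokens = min(self.cbs_bytes, self.tokens + refill)
            self.last_t = t
        if length <= self.tokens:
            self.tokens -= length
            self.in_profile_bytes += length
            return "forward"
        self.out_of_profile_bytes += length
        return {"drop": "drop", "none": "forward", "remark": "forward-remarked"}[self.exceed_action]


def run_trace(policer, trace):
    """trace: list of (arrival_time_seconds, length_bytes). Returns the list of verdicts."""
    return [policer.offer(t, length) for t, length in trace]


def constant_rate_trace(count, interval, length=1500):
    """`count` packets of `length` bytes, one every `interval` seconds (constructed input)."""
    return [(i * interval, length) for i in range(count)]


if __name__ == "__main__":
    # 1 Mbps CIR = 125000 bytes/s; CBS 10000 bytes.
    p = Policer(cir_kbps=1000, cbs_bytes=10000)
    burst = [(0.0, 1500)] * 10 + [(0.1, 1500)]   # ten full frames at once, one 100 ms later
    print(run_trace(p, burst))
    p = Policer(cir_kbps=1000, cbs_bytes=10000)
    verdicts = run_trace(p, constant_rate_trace(100, 0.006))   # 1500 B every 6 ms = 2 Mbps
    print(verdicts.count("forward"), "forwarded,", verdicts.count("drop"), "dropped")
```

With a 10000-byte CBS the first six 1500-byte frames of a burst pass and the rest are out of profile until the CIR has refilled the bucket; a steady 2 Mbps stream against a 1 Mbps CIR settles into roughly alternating forward and drop decisions once the initial credit is spent. Exceed Action None forwards out-of-profile packets unchanged, so the statistics still count them but nothing is enforced; pick it only when the policer is meant to measure rather than limit.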
• Binding—Select to bind the policy to the interface.
• Permit Any—Select to forward packets on the interface if they do not match any policy.
NOTE Permit Any can be defined only if IP Source Guard is not activated on the interface.
STEP 5 Click Apply. The QoS policy binding is defined, and the Running Configuration file is updated.
Managing QoS Statistics
From these pages you can manage the Single Policer and Aggregate Policer statistics and view queue statistics.
• Out-of-Profile Bytes—Number of out-of-profile bytes received.
STEP 2 Click Add.
STEP 3 Enter the parameters.
• Interface—Select the interface for which statistics are accumulated.
• Policy Name—Select the policy name.
• Class Map Name—Select the class map name.
STEP 4 Click Apply. An additional request for statistics is created, and the Running Configuration file is updated.
To view Queue Statistics:
STEP 1 Click Quality of Service > QoS Statistics > Queues Statistics. This page displays the following fields:
• Refresh Rate—Select the time period that passes before the statistics are refreshed. The available options are:
- No Refresh—Statistics are not refreshed.
- 15 Sec—Statistics are refreshed every 15 seconds.
- 30 Sec—Statistics are refreshed every 30 seconds.
- Unit No—Select the unit number.
- Port—Select the port on the selected unit for which statistics are displayed.
- All Ports—Specifies that statistics are displayed for all ports.
• Queue—Select the queue for which statistics are displayed.
• Drop Precedence—Enter the drop precedence, which indicates the probability of being dropped.
STEP 4 Click Apply. The Queue Statistics counter is added, and the Running Configuration file is updated.
25 523 Quality of Service Managing QoS Statistics Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
26 SNMP

This section describes the Simple Network Management Protocol (SNMP) feature that provides a method for managing network devices.
SNMP Versions and Workflow

SNMPv1 and v2

To control access to the system, a list of community entries is defined. Each community entry consists of a community string and its access privilege. The system responds only to SNMP messages specifying the community which has the correct permissions and correct operation. SNMP agents maintain a list of variables that are used to manage the device. These variables are defined in the Management Information Base (MIB).
The following is the recommended series of actions for configuring SNMP:
If you decide to use SNMPv1 or v2:
STEP 1 Navigate to the SNMP -> Communities page and click Add. The community can be associated with access rights and a view in Basic mode or with a group in Advanced mode. There are two ways to define access rights of a community:
• Basic mode—The access rights of a community can be configured as Read Only, Read Write, or SNMP Admin.
STEP 5 Optionally, enable or disable traps by using the Trap Settings page.
STEP 6 Optionally, define one or more notification filters by using the Notification Filter page.
STEP 7 Define one or more notification recipients by using the Notification Recipients SNMPv3 page.

Supported MIBs

For a list of supported MIBs, visit the following URL and navigate to the download area listed as Cisco MIBS: www.cisco.com/cisco/software/navigator.
Model Name     Description                                                          Object ID
SG500X-48      48-Port Gigabit with 4-Port 10-Gigabit Stackable Managed Switch      9.6.1.85.48.1
SG500X-48P     48-Port Gigabit with 4-Port 10-Gigabit PoE Stackable Managed Switch  9.6.1.85.48.2
ESW2-550X48    48-Port Gigabit with 4-Port 10-Gigabit Stackable Managed Switch      9.6.1.86.48.1
ESW2-550X48DC  48-Port Gigabit with 4-Port 10-Gigabit Stackable Managed Switch      9.6.1.86.48.6
SG500-52MP     52-Port Gigabit Max-PoE Managed Switch                               9.6.1.81.5.3.
SNMP Engine ID

To define the SNMP engine ID:
STEP 1 Click SNMP > Engine ID.
STEP 2 Choose which to use for Local Engine ID.
• Use Default—Select to use the device-generated engine ID. The default engine ID is based on the device MAC address, and is defined per standard as:
- First 4 octets—First bit = 1, the rest is the IANA enterprise number.
- Fifth octet—Set to 3 to indicate the MAC address that follows.
- Last 6 octets—MAC address of the device.
• None—No engine ID is used.
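The default engine ID layout listed above, as an added example that is not part of the Cisco guide: Python code that builds the 11-octet value from an IANA enterprise number and a MAC address (the MAC is a constructed sample; 9 is Cisco's enterprise number) and decodes it back, rejecting the legacy and non-MAC formats. The function names are my own.

```python
# Added example (not from the Cisco guide): build and decode the MAC-based
# SNMPv3 engine ID described above (RFC 3411 format octet 3).
# Enterprise number 9 is Cisco's; the MAC address used below is constructed.

def build_default_engine_id(enterprise: int, mac: str) -> bytes:
    """Return the 11-octet engine ID: 4 enterprise octets with the first bit
    set, a format octet of 3, then the 6-octet MAC address."""
    if not 0 <= enterprise < 2**31:
        raise ValueError("enterprise number must fit in 31 bits")
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 octets")
    # First 4 octets: bit 1 set (0x80000000) combined with the enterprise number
    head = ((1 << 31) | enterprise).to_bytes(4, "big")
    # Fifth octet: 3 means "a MAC address follows"
    return head + b"\x03" + mac_bytes


def parse_engine_id(engine_id: bytes) -> dict:
    """Decode an engine ID in the MAC-based format.
    Raises ValueError for the legacy (first bit clear) or non-MAC formats."""
    if len(engine_id) != 11:
        raise ValueError("expected 11 octets for the MAC-based format")
    head = int.from_bytes(engine_id[:4], "big")
    if not head & (1 << 31):
        raise ValueError("first bit clear: legacy engine ID format")
    if engine_id[4] != 3:
        raise ValueError(f"format octet {engine_id[4]} is not 3 (MAC address)")
    return {
        "enterprise": head & 0x7FFFFFFF,
        "mac": ":".join(f"{b:02x}" for b in engine_id[5:]),
    }


if __name__ == "__main__":
    eid = build_default_engine_id(9, "00:11:22:33:44:55")  # constructed MAC
    print(eid.hex())          # 8000000903001122334455
    print(parse_engine_id(eid))
```

The SNMPv3 localized authentication and privacy keys of every user are derived from this engine ID (RFC 3414), which is why changing or removing the local engine ID also discards the SNMPv3 user database, as the Users page notes.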
• Link Local Interface—Select the link local interface (if IPv6 Address Type Link Local is selected) from the list.
• Server IP Address/Name—Enter the IP address or domain name of the log server.
• Engine ID—Enter the Engine ID.
STEP 5 Click Apply. The Running Configuration file is updated.

Configuring SNMP Views

A view is a user-defined label for a collection of MIB subtrees. Each subtree ID is defined by the Object ID (OID) of the root of the relevant subtrees.
- User Defined—Enter an OID not offered in the Select from list option.
STEP 4 Select or deselect Include in view. If this is selected, the selected MIBs are included in the view, otherwise they are excluded.
STEP 5 Click Apply.
STEP 6 In order to verify your view configuration, select the user-defined views from the Filter: View Name list. The following views exist by default:
• Default—Default SNMP view for read and read/write views.
• Authentication (Authentication and no privacy)
• Authentication and privacy
SNMPv3 provides a means of controlling the content each user can read or write and the notifications they receive. A group defines read/write privileges and a level of security. It becomes operational when it is associated with an SNMP user or community.
NOTE To associate a non-default view with a group, first create the view in the Views page.
• View—Associating a view with the read, write, and notify access privileges of the group limits the scope of the MIB tree to which the group has read, write, and notify access.
- View—Select a previously-defined view for Read, Write and Notify.
- Read—Management access is read-only for the selected view. Otherwise, a user or a community associated with this group is able to read all MIBs except those that control SNMP itself.
Managing SNMP Users

To display SNMP users and define new ones:
STEP 1 Click SNMP > Users. This page contains existing users.
STEP 2 Click Add. This page provides information for assigning SNMP access control privileges to SNMP users.
STEP 3 Enter the parameters.
• User Name—Enter a name for the user.
• Engine ID—Select either the local or remote SNMP entity to which the user is connected. Changing or removing the local SNMP Engine ID deletes the SNMPv3 User Database.
• Authentication Password—If authentication is accomplished by either an MD5 or a SHA password, enter the local user password in either Encrypted or Plaintext. Local user passwords are compared to the local database, and can contain up to 32 ASCII characters.
• Privacy Method—Select one of the following options:
- None—Privacy password is not encrypted.
- DES—Privacy password is encrypted according to the Data Encryption Standard (DES).
Defining SNMP Communities

To define SNMP communities:
STEP 1 Click SNMP > Communities. This page contains a table of configured SNMP communities and their properties.
STEP 2 Click Add. This page enables network managers to define and configure new SNMP communities.
STEP 3 SNMP Management Station—Click User Defined to enter the management station IP address that can access the SNMP community. Click All to indicate that any IP device can access the SNMP community.
- Read Write—Management access is read-write. Changes can be made to the device configuration, but not to the community.
- SNMP Admin—User has access to all device configuration options, as well as permissions to modify the community. SNMP Admin is equivalent to Read Write for all MIBs except for the SNMP MIBs. SNMP Admin is required for access to the SNMP MIBs.
• View Name—Select an SNMP view (a collection of MIB subtrees to which access is granted).
Notification Recipients

Trap messages are generated to report system events, as defined in RFC 1215. The system can generate traps defined in the MIB that it supports. Trap receivers (aka Notification Recipients) are network nodes where the trap messages are sent by the device. A list of notification recipients is defined as the targets of trap messages.
• Traps IPv4 Source Interface—Select the source interface whose IPv6 address will be used as the source IPv6 address in trap messages for communication with IPv6 SNMP servers.
• Informs IPv6 Source Interface—Select the source interface whose IPv4 address will be used as the source IPv4 address in inform messages for communication with IPv4 SNMP servers.
• Retries—Enter the number of times that the device resends an inform request.
• Community String—Select from the pull-down the community string of the trap manager. Community String names are generated from those listed in the Community page.
• Notification Version—Select the trap SNMP version. Either SNMPv1 or SNMPv2 may be used as the version of traps, with only a single version enabled at a time.
STEP 2 Click Add.
STEP 3 Enter the parameters.
• Server Definition—Select whether to specify the remote log server by IP address or name.
• IP Version—Select either IPv4 or IPv6.
• IPv6 Address Type—Select the IPv6 address type (if IPv6 is used). The options are:
- Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network.
NOTE The Security Level here depends on which User Name was selected. If this User Name was configured as No Authentication, the Security Level is No Authentication only. However, if this User Name has Authentication and Privacy assigned on the User page, the security level on this screen can be No Authentication, Authentication Only, or Authentication and Privacy.
SNMP Notification Filters

To define a notification filter:
STEP 1 Click SNMP > Notification Filter. The Notification Filter page contains notification information for each filter. The table is able to filter notification entries by Filter Name.
STEP 2 Click Add.
STEP 3 Enter the parameters.
• Filter Name—Enter a name between 0-30 characters.
• Object ID Subtree—Select the node in the MIB tree that is included or excluded in the selected SNMP filter.
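Both an SNMP view (Configuring SNMP Views) and a notification filter (this page) are lists of OID subtrees marked included or excluded. As an added example that is not part of the Cisco guide, the Python code below evaluates whether a given OID is visible through such a list, following the RFC 3415 view-based rule that the most specific matching subtree decides; subtree masks are not modelled, and the class, function names and sample OIDs are my own constructions.

```python
# Added example (not from the Cisco guide): evaluate include/exclude subtree
# lists like those built on the Views and Notification Filter pages.
# Semantics follow RFC 3415 view-based access control without subtree masks:
# the longest matching subtree wins; an OID matched by no entry is not visible.
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]

def parse_oid(text: str) -> OID:
    """Parse dotted OID text such as "1.3.6.1.2.1" into a tuple of sub-identifiers."""
    return tuple(int(part) for part in text.strip(".").split("."))

class SubtreeView:
    """A view (or notification filter) as a list of (subtree, included) entries."""

    def __init__(self) -> None:
        self.entries: List[Tuple[OID, bool]] = []

    def add(self, subtree: str, included: bool) -> "SubtreeView":
        """Add one entry; included=False is the 'Include in view' box left unchecked."""
        self.entries.append((parse_oid(subtree), included))
        return self

    def covers(self, target: str) -> bool:
        """True if the OID is visible through this view. Among matching entries the
        longest subtree decides (ties go to the lexicographically greater one)."""
        t = parse_oid(target)
        best: Optional[Tuple[OID, bool]] = None
        for subtree, included in self.entries:
            if t[:len(subtree)] == subtree:  # subtree is a prefix of the target
                if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                    best = (subtree, included)
        return best is not None and best[1]

def check_access(view: SubtreeView, oids: List[str]) -> Dict[str, bool]:
    """Evaluate every OID of one request, e.g. the varbinds of a GET."""
    return {o: view.covers(o) for o in oids}

def sample_view() -> SubtreeView:
    """Constructed view: expose the internet subtree, hide the SNMP management
    modules (USM and VACM live there), but re-include the harmless snmpMIB."""
    return (SubtreeView()
            .add("1.3.6.1", True)         # internet
            .add("1.3.6.1.6.3", False)    # snmpModules: excluded
            .add("1.3.6.1.6.3.1", True))  # snmpMIB: most specific, re-included

if __name__ == "__main__":
    print(check_access(sample_view(), [
        "1.3.6.1.2.1.1.1.0",       # sysDescr.0 -> True
        "1.3.6.1.6.3.15.1.2.2",    # usmUserTable -> False
        "1.3.6.1.6.3.1.1.6.1.0",   # snmpSetSerialNo.0 -> True
        "1.3.6.2.1",               # outside every entry -> False
    ]))
```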
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) © 2012-2013 Cisco Systems, Inc. All rights reserved.