ADMINISTRATION GUIDE
Cisco Small Business SG200 Series 8-port Smart Switches
1 Getting Started
This chapter provides an introduction to the web-based switch configuration utility and includes the following topics:
• Starting the Web-Based Switch Configuration Utility
• Quick Start Device Configuration
• Window Navigation
Starting the Web-Based Switch Configuration Utility
This section describes how to navigate the web-based switch configuration utility.
Launching the Utility
To open the web-based switch configuration utility:
STEP 1 Open a web browser.
STEP 2 Enter the IP address of the switch that you are configuring in the address bar on the browser, and then press Enter. (The factory default IP address is 192.168.1.254.) The Log In page opens.
Logging In
To log in to the web-based switch configuration utility:
STEP 1 Enter the username and password.
Select Don’t show this page on startup to prevent the Getting Started page from being displayed each time that you log on to the system. If you select this option, the System Summary page is opened instead of the Getting Started page.
Logging Out
By default, the application automatically logs you out after 10 minutes of inactivity. See Configuring the Idle Session Timeout for instructions on changing the default timeout period.
Quick Start Device Configuration
To simplify device configuration through quick navigation, the Getting Started page provides links to the most commonly-used pages.
Window Navigation
This section describes the features of the web-based switch configuration utility.
Application Header
The Application Header is displayed on every page. It provides the following buttons:
• Syslog Alert Status—This button (a red circle with an X) is displayed when a new Syslog message, above the critical severity level, is logged. Click to open the Status and Statistics > View Log > RAM Memory Log page.
• Log Out—Click to log out of the web-based switch configuration utility.
• About—Click to display the switch type and switch version number.
• Help—Click to display the online help.
Other Resources
You can use the following links on the Getting Started page for additional information and assistance with using your switch:
• Support—Displays the support web page for Cisco Small Business Managed Switches.
Navigation Window
A navigation window is located on the left side of each page. Click a top-level category to display links to related pages. Links that are preceded by an arrow are subcategories that expand to display the related page links.
Management Buttons
The following table describes the commonly-used buttons that appear on various pages in the system.
• Entries per page—Select the number of table entries to display on each page.
• Mandatory field marker—Indicates a mandatory field.
• Add—Click to display the related Add page and add an entry to a table. Enter the information and click Apply. Click Close to return to the main page.
Note: Your changes are applied to the Running Configuration only. If the switch is rebooted, the Running Configuration is lost; copy it to the Startup Configuration (see File Management) to keep the changes across a reboot.
• Copy Settings—A table typically contains one or more entries containing configuration settings. Instead of modifying each entry individually, it is possible to modify one entry and then copy it to multiple entries, as described below:
- Select the entry to be copied. Click Copy Settings.
- Enter the destination entry numbers.
- Click Apply to save the changes to the Running Configuration.
• Sort buttons—If the This table is sortable message appears below a table, each column heading is a sort button. Click a column heading to sort the records in ascending order, based on the contents of the selected column. After the sort is applied, an arrow appears in the column heading. You can click this arrow to reverse the sort order.
2 Viewing Statistics
This chapter describes how to display switch statistics. It contains the following topics:
• System Summary
• Interface Statistics
• Etherlike Statistics
• 802.1X EAP Statistics
• IPv6 DHCP Statistics
• RADIUS Statistics
• RMON
• Logs
System Summary
The System Summary page displays basic information such as the hardware model description, software version, language packs, and system up time.
• System Contact—Name of a contact person. Click Edit to display the System Settings page and enter this value. (The characters ', ", %, and ? are not supported.)
• Hostname—Name of the switch. Click Edit to display the System Settings page and enter this value. By default, the switch hostname is composed of the word switch concatenated with the three least significant bytes of the switch MAC address (the six rightmost hexadecimal digits).
Language Pack Table
This table displays information about the languages available on the switch. A language can be selected by the administrator when logging into the configuration utility. English is the default language and it is built into the software. You can use the Upgrade/Backup Firmware/Language page to download additional language packs. Language files are available from the Cisco firmware download page.
• Port—The Internet Assigned Numbers Authority (IANA) port number for the service.
• IP Address—The IP address, if any, of a remote device that is connected to this service on the switch.
• Remote Port—The IANA port number of any remote device communicating with this service.
• State—The state of the service. For UDP, only connections in the Active state display in the table.
Interface Statistics
Use the Interface page to display statistics for received and transmitted packets. To display this page, click Status and Statistics > Interface in the navigation window, or click Port Statistics under Device Status on the Getting Started page. Select the interface (Port or LAG) for which you want to display statistics, then select a refresh rate for the statistics.
Etherlike Statistics
The system collects and reports statistics on ports and LAGs in accordance with RFC 2665 (the Ethernet-like interfaces MIB). To display this page, click Status and Statistics > Etherlike in the navigation window. Select the interface (Port or LAG) for which you want to display statistics, then select a refresh rate for the statistics. These statistics are cumulative since the last time the page was refreshed.
802.1X EAP Statistics
The switch ports can be configured to use the IEEE 802.1X Extensible Authentication Protocol (EAP) to control network access (see 802.1X). You can use the 802.1X EAP page to display information about EAP packets received on a port. To display the 802.1X EAP page, click Status and Statistics > 802.1X EAP in the navigation window.
STEP 1 Select the Port for which you want to display statistics.
STEP 2 Select a Refresh Rate for the statistics.
IPv6 DHCP Statistics
The switch can be configured to allow management over an IPv6 interface, and to receive its management IPv6 address through the Dynamic Host Configuration Protocol for IPv6 (DHCPv6). See Management Interface for information on configuring IPv6 and DHCP on the management interface. You can use the IPv6 DHCP Statistics page to display information on transmitted and received DHCPv6 packets.
RADIUS Statistics
The switch can be configured to communicate with a RADIUS server for user authentication. To display the RADIUS Statistics page, click Status and Statistics > RADIUS Statistics in the navigation window. Select a RADIUS server from the list and select a refresh rate for the page. The page displays the following statistics, which are cumulative since the last time the page refreshed.
RMON
RMON (Remote Network Monitoring) is an SNMP specification that enables the SNMP agent in the switch to monitor traffic statistics over a given period and send traps to an SNMP manager. The local SNMP agent compares actual, real-time counters against predefined thresholds and generates alarms, without the need for polling by a central SNMP management platform.
• Multicast Packets Received—Good multicast packets received on the interface since the page was last refreshed.
• CRC & Align Errors—CRC and alignment errors that have occurred on the interface since the page was last refreshed.
• Undersize Packets—Undersized packets (less than 64 octets) received on the interface since the page was last refreshed.
• Oversize Packets—Oversized packets (over 1518 octets) received on the interface since the page was last refreshed.
Logs
The switch generates messages to identify the state of the system and to assist in diagnosing issues that arise during switch operation. Messages might be generated in response to events, faults, or errors occurring on the platform and to changes in configuration. Logs of these messages are stored in RAM and flash memory. Entries in the flash log—unlike those in RAM—are stored across reboots.
- Informational (6)—Informational messages.
- Debug (7)—Provides detailed information about an event.
You can use the Log Settings page to select the severity levels that are recorded in the log.
• Component—The software component or service that produced the log entry.
• Description—The log description.
You can click Clear Logs to remove all log entries from RAM.
The Version 1 log is the current or most recently created log file, the Version 2 log is the next most recent, and the Version 3 log is the oldest file. When a new log file of the specified type is created, the Version 3 log is deleted and the Version 1 and Version 2 logs are renamed to Version 2 and Version 3, respectively. When a different version and log is selected, the new log automatically displays in the Flash Memory Log Table.
3 Administration
This chapter describes how to configure global system settings and perform diagnostics. It contains the following topics.
Configuring System Settings
The System Settings page enables you to configure information that identifies the switch within the network. To configure system settings:
STEP 1 Click Administration > System Settings in the navigation window. The System Description is hard-coded in the firmware.
STEP 2 Enter the parameters:
• System Location—Description of the physical location of the switch.
• System Contact—Contact person for the switch.
Management Interface
The switch management interface enables access to the web-based switch configuration utility from a management station on the network. The switch supports configuration of a management VLAN that segregates the management traffic from other traffic on the switch. The management interface can be configured with an IPv4 address or with an IPv6 address. The addresses can be configured statically or they can be obtained from DHCP/BOOTP servers.
STEP 3 Select one of the following options for the IP Address Type:
• DHCP—The management interface obtains its IPv4 address from a DHCP server. DHCP is enabled by default and the switch requests an IP address from a DHCP server. If it is unable to get an IP address from a server, the switch falls back to the factory default static IP address (192.168.1.254), so a switch whose DHCP request fails is reachable at that well-known address. The System LED flashes continuously and the switch keeps trying to get its IP address from a DHCP server.
Configuring an IPv6 Management Interface
Use the IPv6 Interface page to enable access to the web-based switch configuration utility over IPv6. You can configure the switch to dynamically learn its IPv6 addresses and you can configure IPv6 addresses statically. To enable IPv6 management access:
STEP 1 Click Administration > Management Interface > IPv6 Interface in the navigation window. The Interface field shows the VLAN ID of the management VLAN.
• DAD Status—The Duplicate Address Detection status. When you configure an IPv6 address on the switch, before the switch actually assigns the address, it performs neighbor discovery to detect whether that address is already in use on the network.
- If the address is already in use, its DAD status is True, and the address is not usable for management access.
Viewing and Adding IPv6 Neighbors
When IPv6 management is enabled, the switch identifies IPv6-enabled devices on attached links. The switch supports the discovery of up to 1,000 dynamic IPv6 neighbors and supports the static configuration of IPv6 neighbors. The IPv6 Neighbors page lists dynamically discovered and statically configured neighbors, and enables adding static hosts.
STEP 4 Click Apply and then click Close. Your changes are saved to the Running Configuration.
Managing User Accounts
One management user is configured on the switch by default:
• User Name: cisco
• Password: cisco
This default password is published and identical on every switch, so change it at first login, before the switch is reachable from a production network. You can use the User Accounts page to configure up to five additional users and to change a user password.
Adding a User
To add a new user:
STEP 1 Click Administration > User Accounts in the navigation window.
As you enter a password, the number and color of vertical bars changes to indicate the password strength, as follows:
• Red—The password fails to meet the minimum complexity requirements. The text “Below Minimum” displays to the right of the meter.
• Orange—The password meets the minimum complexity requirements but the password strength is weak. The text “Weak” displays to the right of the meter.
• Green—The password is strong.
Enabling Management Services
Use the Management Services page to enable and disable the available types of management connections. By default, HTTP access is enabled. HTTP carries the login credentials and the session in cleartext, so enable an encrypted management service where the switch offers one, disable the services you do not use, and limit management access to the management VLAN.
Configuring the Idle Session Timeout
The software automatically logs users off the management interface when there is no activity for a specified period of time. The user must reauthenticate after a timeout. You can use the Idle Session Timeout page to configure the timeout period.
• Authentication Method—Lists the protocol used to authenticate the session login. It can be RADIUS, Local, or None.
Login History
You can use the Login History page to display data on previous logins to the management software. To display this page, click Administration > Login History in the navigation window. This page displays the following fields:
• Login Time—Date and time the user logged in.
• User Name—Name that the user used to log in.
By default, the time is configured locally on the switch.
NOTE The actual system time, date, time zone information, and daylight savings time status appear at the bottom of the page.
Specifying Clock Settings Locally
To configure the time settings locally:
STEP 1 On the System Time page, select Use Local Settings.
STEP 2 Select Timezone Source - DHCP if you want the switch to acquire its time zone from a DHCP server.
• USA/European/Other—Select USA or European to have the DST offset configured to the values used in those locations. Or select Other to configure the settings manually. When configuring manually, you can configure the settings for the upcoming DST period only, or you can configure recurring settings.
• DST Time Zone Acronym—Specify an optional acronym of up to four characters to identify the configured settings. This field is for reference only.
NOTE: If the Timezone Source - DHCP setting is enabled and time zone information is received from the DHCP server, that information is used instead of the manually configured GMT Time Zone Offset and Acronym.
STEP 5 Configure the Daylight Savings Time settings, as described in step 5 in Specifying Clock Settings Locally.
STEP 6 Click Apply. Your changes are saved to the Running Configuration.
• Client Port—The logical port number to use for the SNTP client on the switch. The default is the well-known IANA port number for this service, 123.
• Unicast Poll Interval—The relative rate at which the switch sends synchronization messages to the SNTP server. This field is editable only when SNTP Unicast reception is selected. Enter a value from 3 to 16. The default value is 3.
- Server Kiss of Death—The SNTP server has replied with a kiss-of-death packet, instructing the switch to stop sending requests to the server, due to traffic spikes or other error conditions.
- Other—The status could not be determined.
• Last Response—Time of the last response from the SNTP server.
• Version—SNTP protocol version the server uses.
• Port—Protocol port number (123 is the well-known port number for SNTP).
• Port—Specify the UDP port number to use in the SNTP messages sent to this server. By default, the port number is the well-known IANA value of 123.
• Version—Specify the highest SNTP version (1–4) that the server supports.
STEP 3 Click Apply and then click Close. Your changes are saved to the Running Configuration.
• Last Unicast Attempt Time—The time of the most recent attempt by the switch to synchronize with an SNTP unicast server.
• Client Mode—The configured SNTP client mode (Unicast or Broadcast). See System Time to configure this mode.
• Server Maximum Entries—Maximum number of servers that you can configure on the switch.
• Server Current Entries—Number of SNTP servers currently configured on the system, as listed in the Unicast SNTP Servers Table.
STEP 4 In the SNTP Authentication Table, click Add to add a key to the list.
STEP 5 Enter the parameters:
• Authentication Key ID—The key number. When you define an SNTP server on the system, you specify which key it uses for authentication.
• Authentication Key—The value of the key. This is the shared secret that the switch and the server use to compute and verify the message authentication code carried in SNTP packets; it authenticates the packets but does not encrypt them, so SNTP traffic remains readable on the wire.
• Trusted Key—Indicates whether this key is a trusted key. In standard NTP key management, only trusted keys are used to accept authenticated responses.
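The following Python script is an added illustration (not code from this guide or from Cisco) of what the Authentication Key and Trusted Key settings do. It assumes the standard NTP symmetric-key scheme of RFC 5905 Appendix A: a 48-byte header followed by a 4-byte key ID and an MD5 digest computed over the key concatenated with the header. The guide does not name the digest algorithm the switch uses, so that layout, the key values, and the key IDs are assumptions made for the demonstration. The verifier shows why the Trusted Key flag matters: a correct digest made with a configured but untrusted key is still rejected.

```python
"""SNTP/NTP symmetric-key authentication (RFC 5905 Appendix A layout), as an illustration."""
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 (NTP epoch) and 1970-01-01 (Unix epoch)
HEADER_LEN = 48                 # fixed NTP header length
AUTH_LEN = 4 + 16               # key ID + MD5 digest

# Assumed key table and trusted set, in the shape of the SNTP Authentication Table on the page.
KEYS = {1: b"sntp-shared-secret-1", 2: b"sntp-shared-secret-2"}
TRUSTED_KEY_IDS = {1}           # key 2 is configured but deliberately not marked trusted


def build_sntp_request(version=4, tx_time=None):
    """Build a 48-byte SNTP client request (mode 3) with only the transmit timestamp set."""
    if not 1 <= version <= 4:
        raise ValueError("SNTP version must be 1..4")
    t = time.time() if tx_time is None else tx_time
    secs = int(t) + NTP_EPOCH_OFFSET
    frac = int((t - int(t)) * (1 << 32)) & 0xFFFFFFFF
    first_byte = (0 << 6) | (version << 3) | 3      # LI=0, VN=version, Mode=3 (client)
    # stratum, poll, precision, root delay, root dispersion, reference ID, three timestamps, tx timestamp
    return struct.pack("!BBbbIIIQQQII", first_byte, 0, 0, 0, 0, 0, 0, 0, 0, 0, secs, frac)


def authenticate(header, key_id, key):
    """Append the authenticator: 4-byte key ID followed by MD5(key || header)."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys, trusted_key_ids):
    """Accept a packet only if it carries a valid authenticator made with a configured, trusted key."""
    if len(packet) != HEADER_LEN + AUTH_LEN:
        return False                                # unauthenticated or malformed packet
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = packet[HEADER_LEN + 4:]
    if key_id not in keys or key_id not in trusted_key_ids:
        return False                                # unknown key ID, or key not marked trusted
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, digest)    # constant-time comparison


if __name__ == "__main__":
    request = build_sntp_request()
    signed = authenticate(request, 1, KEYS[1])
    print("authenticated request accepted:", verify(signed, KEYS, TRUSTED_KEY_IDS))
    print("same request under untrusted key 2:", verify(authenticate(request, 2, KEYS[2]), KEYS, TRUSTED_KEY_IDS))
```

Note that the header itself stays plaintext: the timestamps can be read by anyone on the path, and a forged or altered reply is caught only because the receiver recomputes the digest with the same shared key.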
Configuring Log Settings
Use the Log Settings page to enable logs globally, and to define which event types are logged into temporary memory (RAM) and persistent memory (flash). Log messages in flash memory are retained across a reboot. When the log is full, the oldest events are automatically deleted and replaced with the new entries. To configure log settings:
STEP 1 Click Administration > System Log > Log Settings in the navigation window.
• Informational—Device information.
• Debug—Provides detailed information about an event.
NOTE: When you select a severity level, any events of that level or higher are automatically selected for logging. "Higher" means more severe, which is the lower numeric value: selecting Warning (4), for example, also logs Error, Critical, Alert, and Emergency.
STEP 4 Click Apply. Your changes are saved to the Running Configuration.
Configuring Remote Log Servers
You can define one or more remote log servers that the switch sends Syslog messages to.
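The severity rule above is easy to get backwards because the more severe levels carry the smaller numbers. The Python below is an added example, not part of the guide: it decodes the PRI field of syslog lines in the RFC 3164 layout and applies separate RAM and flash thresholds the way the Log Settings page describes. The sample lines are constructed for the demonstration (the facility value and message texts are invented; the hostname follows the default switch-plus-MAC form described under System Summary).

```python
"""Syslog PRI decoding and 'level or higher' threshold filtering, as an illustration."""
import re

# Standard syslog severity names; the list index is the numeric severity (0 = most severe).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.+)$", re.S)


def parse_pri(line):
    """Split an RFC 3164 line into (facility, severity, rest). PRI = facility * 8 + severity."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line has no PRI field: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:                       # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8, m.group(2)


def passes_threshold(severity, threshold):
    """'Threshold level or higher' is numerically less-than-or-equal, not greater-than-or-equal."""
    return severity <= SEVERITIES.index(threshold)


def filter_messages(lines, ram_threshold="Informational", flash_threshold="Warning"):
    """Return (ram_messages, flash_messages) for the given per-destination thresholds."""
    ram, flash = [], []
    for line in lines:
        _facility, severity, msg = parse_pri(line)
        if passes_threshold(severity, ram_threshold):
            ram.append(msg)
        if passes_threshold(severity, flash_threshold):
            flash.append(msg)
    return ram, flash


# Constructed sample lines (facility local7 = 23, so PRI = 184 + severity); not a real capture.
SAMPLE_LINES = [
    "<187>Jan  1 00:00:01 switch2a9f1c port g1 link down",              # 187 -> severity 3, Error
    "<190>Jan  1 00:00:02 switch2a9f1c user cisco logged in",           # 190 -> severity 6, Informational
    "<188>Jan  1 00:00:03 switch2a9f1c SNTP server not responding",     # 188 -> severity 4, Warning
    "<191>Jan  1 00:00:04 switch2a9f1c DHCP client: sending DISCOVER",  # 191 -> severity 7, Debug
    "<186>Jan  1 00:00:05 switch2a9f1c flash log area full",            # 186 -> severity 2, Critical
]

if __name__ == "__main__":
    ram_log, flash_log = filter_messages(SAMPLE_LINES)
    print("RAM   (Informational and higher):", ram_log)
    print("FLASH (Warning and higher):      ", flash_log)
```

With the defaults shown, the Debug line is dropped from both logs and only the Error, Warning, and Critical lines reach flash, which is the split you want when flash space is limited and RAM is cleared on reboot.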
STEP 6 Click Apply and then click Close. Your changes are saved to the Running Configuration.
File Management
You can use the file management features to upgrade or back up the firmware, update the language files, save configuration changes, copy configuration files within the switch, and set up the auto configuration feature.
Files and File Types
The following types of configuration and operational files are found on the switch:
• Running Configuration—Parameters that are currently used by the switch to operate. It is the only file type that is modified by you when the parameter values are changed by using one of the configuration interfaces, and must be manually saved to another file type, such as the Startup Configuration, to be preserved after a reboot.
• Language File—The dictionary that allows the windows to be displayed in the selected language.
• Flash Log—SYSLOG messages stored in Flash memory.
• Operational Log—Events that are not saved to the Startup Log.
• Startup Log—The first 32 messages logged when the switch is booted. Subsequent messages are logged into the Operational Log. The Startup Log is not aged out; it retains the messages until the switch is rebooted.
• Trap Log—SNMP traps.
To upgrade or back up the firmware or to update the boot code or language file:
STEP 1 Click Administration > File Management > Upgrade/Backup Firmware/Language in the navigation window.
STEP 2 Enter the parameters:
• Transfer Method—Select the protocol to be used for the file transfer (TFTP or HTTP), which corresponds to the type of server you are downloading from or uploading to. Neither transport authenticates the file, so obtain images only from the Cisco firmware download page and serve them from a TFTP server on the management network that you control.
WARNING Ensure that power to the switch remains uninterrupted while downloading an image or a boot code file to the switch. If a power failure occurs while downloading a file, the file contents in persistent memory are lost. If a power outage occurs during a boot code file download, the switch will not be able to boot. Contact the Cisco Small Business Support Center for assistance.
STEP 4 Enter the following parameters:
• TFTP Server (TFTP only)—Specify the IPv4 or IPv6 address of the TFTP server. Or specify the server name if DNS is enabled in the IP configuration (see Domain Name System).
• Source File Name—For TFTP, specify the filename, including the path. For HTTP, browse to select the file from your computer.
STEP 4 Enter the parameters:
• TFTP Server (TFTP only)—Specify the IP address of the TFTP server. Or specify the server’s domain name if DNS is enabled in the IP configuration (see Domain Name System).
• Destination File Name (TFTP only)—Specify a name for the saved file, including the path on the TFTP server.
For HTTP backups, you are prompted to browse to a location to save the file. A progress bar indicates the status of the file transfer.
Delete Configuration
The Delete Configuration page enables you to delete the Startup Configuration or the Backup Configuration. If you delete both the startup and the backup configuration files, when the switch reboots it will use the default configuration file.
• Running Configuration—Current configuration, including any changes applied in the current management session.
• Startup Configuration—Configuration file type used when the switch last booted. This does not include any configuration changes applied but not yet saved to the switch.
• Backup Configuration—Backup configuration file type saved on the switch.
Overview
During startup, the switch attempts communication with a DHCP server to obtain its IP address and other information. If Auto Configuration is enabled, the switch may also download a startup configuration file, depending on the TFTP server and startup configuration file name it receives from the DHCP server. Auto Configuration is enabled by default. Neither the DHCP reply nor the TFTP download is authenticated, so the switch acts on whatever TFTP server and file name the DHCP reply it accepts carries; disable the feature on switches that are not provisioned this way.
1. The sname field in a DHCP or BOOTP reply.
2. The TFTP server name (option 66) field in a DHCP reply.
3. The TFTP server address (option 150) field in a DHCP reply.
4. The siaddr field of a DHCP or BOOTP reply.
If only the sname or option 66 values are returned to the switch, a DNS server is needed to resolve the IP address of the TFTP server.
NOTE The switch requires the boot file name to have a .cfg extension.
Default Network Configuration File
If Default Network Configuration Mode is enabled, the switch downloads the default configuration file (fp-net.cfg; see Setting DHCP Auto Configuration) when any one of the following conditions occurs:
• A host-specific configuration file is not specified or configured.
• A host-specific configuration file does not exist on the TFTP server.
• A failure occurs during the download.
When the switch gets the default configuration file, the configuration is validated for errors. If the validation is successful, then the switch copies the configuration to the Startup Configuration file type and reboots. In this case, the default configuration file name is not stored in the non-volatile memory.
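To make the server-selection order and the file-name rules concrete, here is an added Python example (not code from this guide or from Cisco). It parses a DHCP/BOOTP reply, picks the TFTP server in the order listed above (sname, then option 66, then option 150, then siaddr), and derives the configuration file name. The guide only states the .cfg requirement, so taking the host-specific name from option 67 or the file field is an assumption; the fp-net.cfg fallback comes from the Setting DHCP Auto Configuration page. The sample replies are built by the script itself, not captured from a switch, and the server names and addresses in them are invented.

```python
"""DHCP reply fields that drive TFTP auto configuration, and the precedence the guide lists."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD = 0
OPT_TFTP_SERVER_NAME = 66
OPT_BOOTFILE_NAME = 67     # assumed source of the host-specific file name
OPT_TFTP_SERVER_ADDR = 150
OPT_END = 255
DEFAULT_NETWORK_CONFIG = "fp-net.cfg"


def _cstr(raw):
    """Decode a NUL-padded text field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_dhcp_reply(pkt):
    """Parse the fixed header fields and the TLV options of a DHCP/BOOTP reply (RFC 2131 layout)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = {
        "siaddr": str(IPv4Address(pkt[20:24])),   # next-server address
        "sname": _cstr(pkt[44:108]),               # optional server host name, 64 bytes
        "file": _cstr(pkt[108:236]),               # boot file name, 128 bytes
        "options": {},
    }
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(pkt):
            raise ValueError("truncated option header")   # do not act on a half-parsed reply
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        fields["options"][code] = value
        i += 2 + length
    return fields


def select_tftp_server(reply):
    """Return (server, source, needs_dns) in the guide's order: sname, option 66, option 150, siaddr."""
    opts = reply["options"]
    if reply["sname"]:
        return reply["sname"], "sname", True
    if OPT_TFTP_SERVER_NAME in opts:
        return _cstr(opts[OPT_TFTP_SERVER_NAME]), "option 66", True
    if OPT_TFTP_SERVER_ADDR in opts and len(opts[OPT_TFTP_SERVER_ADDR]) >= 4:
        return str(IPv4Address(opts[OPT_TFTP_SERVER_ADDR][:4])), "option 150", False
    if reply["siaddr"] != "0.0.0.0":
        return reply["siaddr"], "siaddr", False
    return None, None, False


def select_config_file(reply, default_network_config=True):
    """Host-specific name from option 67 or the file field; it must end in .cfg; else fall back to fp-net.cfg."""
    opts = reply["options"]
    name = _cstr(opts[OPT_BOOTFILE_NAME]) if OPT_BOOTFILE_NAME in opts else reply["file"]
    if name:
        if not name.lower().endswith(".cfg"):
            raise ValueError("boot file name must have a .cfg extension: %r" % name)
        return name
    return DEFAULT_NETWORK_CONFIG if default_network_config else None


def build_reply(siaddr="0.0.0.0", sname="", file="", options=()):
    """Construct a minimal DHCP reply for the demonstration (sample data, not a real capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, 0x3903F326, 0, 0,             # op=BOOTREPLY, Ethernet, xid
                         b"\x00" * 4, b"\x00" * 4,                  # ciaddr, yiaddr
                         IPv4Address(siaddr).packed, b"\x00" * 4,   # siaddr, giaddr
                         b"\x00" * 16,                              # chaddr
                         sname.encode("ascii"), file.encode("ascii"))  # struct NUL-pads both
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


if __name__ == "__main__":
    reply = parse_dhcp_reply(build_reply(siaddr="192.168.1.10",
                                         options=[(OPT_TFTP_SERVER_NAME, b"tftp.example.net"),
                                                  (OPT_BOOTFILE_NAME, b"sg200-2a9f1c.cfg")]))
    print("TFTP server:", select_tftp_server(reply))
    print("config file:", select_config_file(reply))
```

The parser raises on a truncated option instead of stopping quietly, which is the behaviour you want in anything that feeds a file fetch; and the server selection makes the caveat above visible, since a reply that sets only siaddr is enough to redirect the download.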
Setting DHCP Auto Configuration
You can use the DHCP Auto Configuration page to enable and disable the feature, configure TFTP server and file name settings, and view status information. When DHCP Auto Configuration is enabled, it is in the Waiting for boot options state until it receives the notification from the DHCP client.
To configure DHCP Auto Configuration:
STEP 1 Click Administration > File Management > DHCP Auto Configuration in the navigation window.
STEP 2 Enter the parameters:
• Auto Configuration Via DHCP—Select Enable to enable this feature on the switch.
• Default Network Config Mode—Select Enable to have the switch download a default configuration file named fp-net.cfg when no host-specific file is found on the switch. See Default Network Configuration File for details.
Firmware Recovery Over HTTP
The switch has a firmware recovery feature that enables the restoration of a valid image on the switch after a failed download. If the power goes down during an image download, the switch might not be able to boot. In this event, although the image is not usable, the boot loader that loads the firmware image from Flash memory to RAM should continue to be functional.
NOTE: The HTTP firmware recovery feature supports the following browsers:
• Firefox 3.0 and later versions
• Internet Explorer 6 and later versions
A Firmware Recovery page displays. No authentication is required, so anyone who can reach the switch over the network while it is in this state can load an image onto it; connect the recovery station directly to the switch, or keep the switch on an isolated link, until the recovery completes. The web page displays the PID VID (product ID and vendor ID), serial number, and MAC address of the switch.
STEP 4 Select Browse and select a valid firmware image to download. A progress bar appears while the file is downloading.
Downloading an Image or Boot Code File From the System Boot Prompt
You can download and install a new image or boot code file at the system boot prompt using the TFTP and XMODEM protocols. This process may be necessary when the application software does not execute due to a corrupted software image or boot code file and, as a result, you cannot access the CLI or web-based interface utilities for downloading and installing new software.
STEP 5 Enter the command to have an IP address assigned to the port from a DHCP server on the attached network:
CFE> ifconfig eth0 -auto
When the switch receives a DHCP reply, the IP information displays on the terminal.
STEP 6 Enter the command to download an image file to Flash:
CFE> flash server-ipaddr:image-filename flash0.os
Or, enter the command to download a boot code file:
CFE> flash server-ipaddr:bootcode-filename flash0.boot
STEP 3 Stop the boot at the boot code by pressing and holding Ctrl+C continuously as the switch boots up, until the following prompt displays:
CFE>
STEP 4 Enter the command to download a software image:
CFE> flash uart0 flash0.os
Or, enter the command to download a boot code file:
CFE> flash uart0 flash0.boot
WARNING! Make sure that the switch is connected to an uninterrupted power supply during a boot code upgrade. This process might take 10–20 seconds.
Rebooting the Switch
Use the Reboot page to reboot the switch. To reboot the switch:
STEP 1 Click Administration > Reboot in the navigation window.
STEP 2 Select one of the following options:
• Reboot—Reboots the switch using the saved Startup Configuration. Changes present only in the Running Configuration are lost.
• Reboot to Factory Default—Reboots the switch with the factory default configuration file. Any customized settings are lost.
A window appears to enable you to confirm or cancel the reboot.
STEP 3 For an IPv4 address, enter the following parameters:
• IP Address/Hostname—Enter the IP address or the hostname of the station you want the switch to ping.
• Count—Specify the number of pings to send.
• Interval—Specify the number of seconds between pings sent.
• Datagram Size—Specify the data size of the ping packet to send.
• LLDP—Network devices use the Link Layer Discovery Protocol to advertise their capabilities to other devices. See LLDP-MED for information on configuring the LLDP feature on the switch. To configure control packet forwarding: STEP 1 Click Administration > Control Packet Forwarding in the navigation window. STEP 2 Select the protocol you want to configure (CDP, LLDP, or DOT1x).
3 Administration Diagnostics Testing Copper Ports Use the Copper Ports page to perform tests on copper cables. These physical layer diagnostics can be used to help determine where in the cable a break might exist. The Copper Ports Table lists each port and the following data, which it learned through the most recent test (default data appears if the port has not been tested): • Test Result—Results of the most recent cable test. Possible values are: - Normal—Cable is working correctly.
Configuring Port Mirroring
Use the port mirroring feature to copy the network traffic on one or more ports to another port for analysis by a network analyzer. A mirroring session consists of a destination probe port and at least one source port. A copy of the traffic on the source port(s) being probed is transmitted to the destination probe port, to which the network analyzer is connected. Because the analyzer receives a copy of every frame on the source ports, including management traffic, treat the destination probe port as a sensitive interface and remove the session when the analysis is finished.
3 Administration Diagnostics To configure a mirroring session: STEP 1 In the Port Mirroring Source Interface Table, click Add. STEP 2 Select a Session ID. STEP 3 Select the Source Interface and the type of traffic to be mirrored. STEP 4 By using the Type radio button, specify the direction of the traffic at the source interface that is to be monitored: • Rx Only—Incoming traffic • Tx Only—Outgoing traffic • Tx and Rx—Both incoming and outgoing traffic STEP 5 Click Apply.
To clear the current configuration for a session, select the session and click Edit. Then select Enable for the Reset Session field. CPU/Memory Utilization Use the CPU/Memory Utilization page to monitor CPU and memory usage. To display this page, click Administration > Diagnostics > CPU/Memory Utilization in the navigation window.
3 Administration LLDP-MED • Cisco-specific device description (csco-sb)—This service enables clients to discover Cisco switches and other products deployed in small business networks. • Management user interfaces—This service identifies the management interface available on the switch (HTTP). When a Bonjour-enabled switch is attached to a network, any Bonjour client can discover and get access to the management interface without prior configuration.
The switch supports the LLDP Media Endpoint Discovery (LLDP-MED) extensions to the LLDP protocol. LLDP-MED enables auto-discovery of LAN policies, device location, and other device characteristics, and automates management of Power-over-Ethernet (PoE) endpoints.
3 Administration LLDP-MED • Coordinates—Switch GPS coordinates in hexadecimal format. • ELIN Address—The ELIN number. • Country—Country where the city is located. This is a two-character code as defined by ISO 3166. • City—City where the street is located. • Street—Street where the building is located. • Building—Building in which the switch is located. NOTE: The City, Street, and Building fields share the maximum character limitation; i.e.
3 Administration LLDP-MED STEP 4 Select the Available TLVs that you want the port to include in LLDP advertisements: • Network Policy—VLAN ID, the 802.1p class-of-service value, and the Differentiated Services Code Point (DSCP) value. This information is used to implement the Voice VLAN feature (see Voice and Media).
3 Administration LLDP-MED LLDP-MED Port Status Details The LLDP-MED Port Status Details page displays the LLDP-MED configuration for all ports on which the feature is enabled. To display this page, click Administration > Discovery - LLDP-MED > LLDP-MED Port Status Details in the navigation window. Select a port from the Port list.
3 Administration LLDP-MED • Management Address—The management interface IP address (see the IPv4 Interface page or the IPv6 Interface page). • Port ID SubType—The type of the port identifier. • Port ID—The port identifier. • Port Description—The port description. • System Capabilities Enabled—The capabilities that are enabled on the switch. • System Capabilities Supported—The capabilities that are currently advertised as supported by the switch.
LLDP-MED Neighbor Information The Neighbor Information page displays information received from other LLDP-MED-capable devices in the network. To display this page, click Administration > Discovery - LLDP-MED > Neighbor Information in the navigation window. The Neighbor Information Table displays the following fields for each LLDP neighbor device for which an advertisement has been received: • Local Port—Port number of the switch where the LLDP advertisement was received.
3 Administration LLDP-MED Inventory • Hardware Revision—Switch hardware revision ID. • Firmware Revision—Switch firmware revision number. • Software Revision—Switch software revision number. • Manufacturer Name—Switch manufacturer name. • Model Name—Switch model name. • Asset ID—LLDP-MED asset ID for the switch.
Administration Configuring DHCP Client Vendor Options • 3 PoE Power Priority—Displays High, Low, or Critical to indicate how the port is prioritized when there is less PoE power to deliver than requested by all powered devices. Configuring DHCP Client Vendor Options You can configure the DHCP client functionality on the switch to include vendor information in its DHCP requests (DHCP option 60).
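Option 60 is one type-length-value entry among the others in the DHCP options field, so anything that consumes it (a DHCP server classifying clients, or a monitor fingerprinting what is on the LAN) has to walk that field correctly. The following Python is an added example, not code from the guide or from the switch firmware: it encodes an option 60 value and parses a constructed options field back, treating pad and end bytes as the protocol defines them, concatenating repeated options as RFC 3396 requires, and rejecting a length byte that points past the end of the buffer instead of reading past it. The vendor class identifier string and the sample option bytes are assumptions made up for the example.

```python
from typing import Dict, Optional

OPT_PAD = 0
OPT_VENDOR_CLASS = 60
OPT_END = 255


def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Parse the DHCP options field (the bytes after the magic cookie).

    Returns {option_code: value}. Pad (0) has no length byte, End (255)
    stops parsing, and repeated instances of one option are concatenated
    as RFC 3396 requires. Truncated or unterminated input raises
    ValueError instead of being silently accepted.
    """
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return options
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: length byte missing")
        length = data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"option {code}: declared {length} bytes, only {len(value)} present"
            )
        options[code] = options.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field is not terminated by End (255)")


def build_vendor_class_option(vendor_id: bytes) -> bytes:
    """Encode option 60 (vendor class identifier) as type, length, value."""
    if not 1 <= len(vendor_id) <= 255:
        raise ValueError("vendor class identifier must be 1..255 bytes")
    return bytes([OPT_VENDOR_CLASS, len(vendor_id)]) + vendor_id


def vendor_class(data: bytes) -> Optional[str]:
    """Return the vendor class identifier from an options field, if present."""
    value = parse_dhcp_options(data).get(OPT_VENDOR_CLASS)
    return None if value is None else value.decode("ascii", errors="replace")


# Constructed sample (not a capture): the options of a DHCPDISCOVER that
# carries a vendor class identifier, a pad byte and a parameter request list.
# The identifier string is an assumed value, not what the switch sends.
SAMPLE_OPTIONS = (
    bytes([53, 1, 1])                            # DHCP message type: DISCOVER
    + build_vendor_class_option(b"example-vci")  # option 60
    + bytes([OPT_PAD])
    + bytes([55, 3, 1, 3, 6])                    # parameter request list
    + bytes([OPT_END])
)

# The same field with the option 60 length byte overstating the value:
# a parser that trusts the length reads past the buffer; this one rejects it.
TRUNCATED_OPTIONS = bytes([53, 1, 1, OPT_VENDOR_CLASS, 40]) + b"short" + bytes([OPT_END])

if __name__ == "__main__":
    print(vendor_class(SAMPLE_OPTIONS))
```

The length check matters because the length byte is attacker-controlled on a shared LAN; a DHCP server or monitor that indexes by the declared length without comparing it to what is actually present is the usual root of out-of-bounds reads in option parsers.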
4 Port Management This chapter describes how to configure switch port settings, combine ports into link aggregation groups, and configure port power features. The following topics are included: • Configuring Port Settings • Link Aggregation • Configuring PoE • Green Ethernet Configuring Port Settings The Port Settings page enables you to administratively enable and disable ports and to configure autonegotiation of port speed and duplex mode.
4 Port Management Configuring Port Settings • Administrative Duplex Mode—If Auto Negotiation is disabled, select Half for half-duplex or Full for full-duplex operation. • Admin Advertisement—If Autonegotiation is enabled, select the highest port speed and duplex setting that you want the port to negotiate. If you select Max Capacity, the port autonegotiates up to the highest port speed and duplex setting supported by hardware. • Flow Control—Select to enable IEEE 802.3x flow control.
Link Aggregation
Link Aggregation allows one or more full-duplex Ethernet links to be aggregated together to form a Link Aggregation Group (LAG). The switch treats the LAG as if it is a single physical port, with improved fault tolerance and load-sharing capability. A LAG interface can be either static or dynamic: • Static LAG—Ports are assigned to a LAG directly by the administrator. The ports remain dedicated LAG members until configured otherwise.
LAGs can be assigned membership in VLANs; however, individual ports lose their individual VLAN memberships when they become LAG members. When a port is removed from a LAG, it rejoins the VLANs that it previously belonged to, as specified in the startup configuration. To configure a LAG: STEP 1 Select a LAG to configure, and then click Edit. STEP 2 Specify the following for the selected LAG: • LAG Name—Enter up to 15 alphanumeric characters to identify the LAG.
• Load Balance Algorithm—Select one of the options to enable the switch to load-balance outgoing packets among member ports of a LAG. The switch selects one of the links in the channel for transmitting specific packets. The switch prioritizes each criterion for load balancing in the order listed in the option.
4 Port Management Link Aggregation • Admin Key—A number that determines the dynamic LAG(s) that the interface can join. All interfaces in a dynamic LAG must share the same admin key. • Port Priority—A nonconfigurable priority assigned to the port. • LACP Aggregation—The port mode with respect to link aggregation. This field is not configurable. Possible values are: - Aggregate—The port is participating in link aggregation.
- Long—Long LACP timeout is 3 times the long periodic timer to transmit LACP packets. The default Long LACP timeout is 90 seconds. STEP 3 Click Apply and then click Close. Your changes are saved to the Running Configuration. Configuring PoE On the SF200E-24P switch, ports 1–6 and 13–18 can operate as Power-over-Ethernet (PoE) power-sourcing equipment (PSE). PSE ports can provide power to connected PoE Powered Devices (PD).
4 Port Management Configuring PoE • Power Management Mode—Select how the switch prioritizes the power that it provides to multiple ports: - Static with Port Priority—Static with priority power management. This algorithm pre-allocates power based on the configured power limit and the priority of the port. - Dynamic with Port Priority—Dynamic with priority power management. This algorithm supplies power to devices as long as the consumption is within the configured limit and priority.
4 Port Management Configuring PoE Configuring PoE Port Settings You can use the Port Settings page to view and configure settings for ports acting as PSEs. To configure PoE settings for a port: STEP 1 Click Port Management > PoE > Port Settings in the navigation window. The PoE Setting Table displays which ports are enabled for PoE operation, their priority, power allocation in milliwatts, and other settings for each port. STEP 2 Select the port to configure and click Edit.
- Dot3AF and LLDP-MED—The maximum power that can be delivered by the port is limited by the value in the LLDP-MED TLVs received from the powered device attached to the port. The value specified by the device should be in the range of 3–16.2 watts. If it is not in this range, the maximum power is limited by the IEEE 802.3af class. - User-Defined and LLDP-MED—The maximum power that can be delivered by the port is limited by the value in the LLDP-MED TLVs received from the powered device attached to the port.
4 Port Management Green Ethernet • Invalid Signature Counter—Number of times an invalid signature was received. Signatures are the means by which the powered device identifies itself to the PSE. A signature is generated during powered device detection, classification, or maintenance. STEP 4 Click Apply and then click Close. Your changes are saved to the Running Configuration.
4 Port Management Green Ethernet To configure global Green Ethernet properties: STEP 1 Click Port Management > Green Ethernet > Properties in the navigation window. By default, Energy Detect mode is enabled globally and on all ports. STEP 2 If not already enabled, select Energy Detect Mode to enable this feature on the switch. The switch automatically enters the low-power mode when energy on the line is lost, and it resumes normal operation when energy is detected. STEP 3 Click Apply.
4 Port Management Green Ethernet - Link up—There is activity on the link. - Admin Down—Energy detect mode is administratively disabled. STEP 2 Select the port to configure and click Edit. STEP 3 Select Energy Detect to administratively enable Energy Detect on the port. STEP 4 Click Apply to save any changes to the Running Configuration.
5 VLAN Management This chapter describes how to configure virtual LANs. It includes the following topics: • Creating VLANs • Configuring VLAN Interface Settings • Configuring VLAN Membership • Configuring Port VLAN Membership • Setting the Default VLAN • Voice and Media Virtual LAN (VLAN) on a Layer 2 switch offers some of the benefits of both bridging and routing. Like a bridge, a VLAN switch forwards traffic based on the Layer 2 header, which is fast.
Creating VLANs
The Create VLAN page enables you to define and configure VLANs on the network. To display this page, click VLAN Management > Create VLAN in the navigation window. The VLAN Table displays the VLAN ID, the name (if one exists), and the type for the preconfigured VLAN (VLAN ID 1) and any VLANs that you add. One VLAN must be configured as the Default VLAN; the type for all other VLANs is Static. The switch is pre-configured with VLAN ID 1 as the Default VLAN.
5 VLAN Management Configuring VLAN Interface Settings To configure VLAN interface settings: STEP 1 Select the port or LAG to configure and click Edit. STEP 2 Configure the following settings for the selected port or LAG: • Interface VLAN Mode—Select an option to configure the port type with respect to VLAN membership and tagging. - General—The port can be a member of one or more tagged or untagged VLANs. This mode allows the full capabilities specified in the IEEE 802.1Q specification, “VLAN Tagging.
5 VLAN Management Configuring VLAN Interface Settings • Frame Type—Specifies the frame type accepted on the port: - Admit Untagged Only—Only untagged frames are accepted on the port. Tagged frames are discarded. - Admit Tagged Only—Only tagged frames are accepted on the port. Untagged frames are discarded. - Admit All—Both tagged and untagged frames are accepted on the port. An access port can admit untagged frames only.
VLAN Management Configuring VLAN Interface Settings 5 Changing from Trunk Port to Access Port If the original trunk port has an untagged VLAN member on the port, the port is removed from all its VLANs except the untagged VLAN on the port. The PVID is set to the untagged VLAN ID. If the original Trunk port does not have an untagged VLAN member on the port, the port is removed from all its VLANs and becomes a member of the default VLAN.
5 VLAN Management Configuring VLAN Membership • If an Access port was a member of the deleted VLAN, the Access port becomes a member of the default VLAN and its PVID is changed to the default VLAN. • If a General port was configured to use the VLAN ID as its PVID, the General port’s PVID is changed to the default VLAN ID. No other VLAN memberships are changed.
5 VLAN Management Configuring VLAN Membership Configuring Port to VLAN Use the Port to VLAN page to: • Configure ports as members of a selected VLAN. • Specify that when a port receives packets from the selected VLAN, the packets are tagged with the VLAN ID upon forwarding. • Specify that the selected VLAN ID serves as the port VLAN ID (i.e., the selected VLAN ID is added when the port forwards packets that it receives with no VLAN membership).
5 VLAN Management Configuring VLAN Membership Configuring Port VLAN Membership To configure VLAN settings for ports: STEP 1 Click VLAN Management > Port VLAN Membership in the navigation window. By default, the page displays VLAN information for each port. You can use the filter settings to display the VLAN information for LAG ports. The page displays the interface VLAN mode (Trunk, Access, or General), the PVID, and the VLAN membership(s).
• PVID—When this option is selected, the port uses the selected VLAN ID as its port VLAN ID (PVID). The port assigns the PVID to all untagged frames received on the port before forwarding. The following configuration rules apply: - If the interface VLAN mode is General, any VLAN of which the interface is a Tagged or Untagged member can be selected to provide the PVID.
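The interface VLAN mode, the Frame Type filter and the PVID described above combine into one ingress decision per frame: which VLAN the frame is forwarded in, or whether the port drops it. The following Python is an added example, not code from the guide or the switch firmware, that builds Ethernet frames with and without an 802.1Q tag and applies those rules to a few constructed port configurations. The VLAN numbers, port settings and MAC addresses are assumptions made up for the example. The handling of priority-tagged frames (tag present, VID 0) follows IEEE 802.1Q and is not something the guide covers.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class PortVlanConfig:
    """VLAN interface settings of one port, modelled on the Port to VLAN page."""
    mode: str                                   # "Access", "Trunk" or "General"
    pvid: int                                   # VLAN stamped on untagged frames
    untagged: FrozenSet[int] = frozenset()      # VLANs the port is an untagged member of
    tagged: FrozenSet[int] = frozenset()        # VLANs the port is a tagged member of
    frame_type: str = "Admit All"               # General mode only (assumed default)


def build_frame(dst: bytes, src: bytes, vid: Optional[int] = None,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Build an Ethernet II frame, optionally with an 802.1Q tag (PCP 0)."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vlan_tag(frame: bytes) -> Optional[int]:
    """Return the VID of an 802.1Q-tagged frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("802.1Q tag truncated")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def classify_ingress(port: PortVlanConfig, frame: bytes) -> Optional[int]:
    """VLAN the frame is forwarded in, or None if the port discards it."""
    vid = vlan_tag(frame)
    # A priority-tagged frame (VID 0) carries no VLAN and is classified like an
    # untagged one (IEEE 802.1Q behaviour, not taken from the guide).
    untagged = vid is None or vid == 0
    if port.mode == "Access":
        return port.pvid if untagged else None           # admits untagged only
    if untagged:
        if port.frame_type == "Admit Tagged Only":
            return None
        return port.pvid                                 # PVID assigned on ingress
    if port.frame_type == "Admit Untagged Only":
        return None
    if vid in port.tagged or vid in port.untagged:
        return vid
    return None                                          # not a member: dropped


# Constructed sample ports (assumed VLAN numbers, not from the guide). The
# trunk's PVID is an otherwise unused VLAN so that untagged frames arriving
# on the trunk cannot land in a user VLAN.
ACCESS_PORT = PortVlanConfig("Access", pvid=10, untagged=frozenset({10}))
TRUNK_PORT = PortVlanConfig("Trunk", pvid=999, untagged=frozenset({999}),
                            tagged=frozenset({10, 20}))
GENERAL_PORT = PortVlanConfig("General", pvid=20, untagged=frozenset({20}),
                              tagged=frozenset({30}), frame_type="Admit Tagged Only")

DST = bytes.fromhex("ffffffffffff")   # broadcast
SRC = bytes.fromhex("020000000001")   # locally administered, made up

if __name__ == "__main__":
    print(classify_ingress(ACCESS_PORT, build_frame(DST, SRC)))
    print(classify_ingress(TRUNK_PORT, build_frame(DST, SRC, vid=40)))
```

Parking the trunk's PVID on an unused VLAN, as the sample does, is the usual practice: an untagged frame injected on a trunk link is then classified into a VLAN that carries nothing, instead of into whichever user VLAN happened to be left as the native VLAN.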
5 VLAN Management Voice and Media • The type of the original default VLAN is changed from Default to Static, and it can be deleted. One exception is VLAN 1. Even if it is no longer designated as the default VLAN, VLAN 1 cannot be deleted. To select a default VLAN: STEP 1 Click VLAN Management > Default VLAN Settings in the navigation window. STEP 2 Select the VLAN from the list. STEP 3 Click Apply.
5 VLAN Management Voice and Media • Media VLAN • Auto VoIP Sessions Displaying and Adding Telephony OUI The Telephony OUI page lists the Organizationally Unique Identifiers (OUIs) associated with different voice VLANs. To display this page, click VLAN Management > Voice and Media > Telephony OUI in the navigation window. The Telephony OUI Table is preconfigured with identifiers for commonly used telephony devices. The administrator can add or remove OUIs.
5 VLAN Management Voice and Media • Enable ports for this feature. When enabled on a port, the port is automatically made member of the configured voice VLAN when the switch receives an OUI frame (the administrator does not need to manually add the port as a member of the VLAN). The Port VLAN Membership page shows that the port is a member of the Voice VLAN. To configure OUI-based Voice and Media: STEP 1 Click VLAN Management > Voice and Media > Telephony OUI Based in the navigation window.
5 VLAN Management Voice and Media STEP 1 Click VLAN Management > Voice and Media > SIP/H323 Based in the navigation window. The table lists the administrative and operational statuses for SIP/H323 Auto VoIP on each interface, and shows the class that traffic will be assigned to. The traffic class corresponding to the highest priority queue on the port is chosen automatically. STEP 2 Use the Interface Type menu to display ports or LAGs in the SIP/H323 Based Interface Settings Table.
5 VLAN Management Voice and Media When a port is LLDP-MED enabled with network policy, the switch will advertise its Media VLANs in the LLDP-MED network policy TLVs out to the port. When a LLDP Media Endpoint is discovered, the switch will install the Media VLAN at the corresponding port. You can enable LLDP-MED and networking policy in the Administration > Discovery - LLDP pages. Media VLAN is enabled and disabled globally. Each application and its Media VLAN is configured on a per-port basis.
5 VLAN Management Voice and Media STEP 6 For Application Status, select Enable to enable priority assignment for the selected application. Uncheck the box to disable this feature. STEP 7 If you enabled Application Status, enable or disable the following features: • Untagged—Select Enable if the media device (LLDP-MED Endpoint) will send untagged packets. The network policy TLV from the switch must also indicate this expectation, and a media device must acknowledge that it will use untagged frames.
6 Spanning Tree This chapter describes how to configure the Spanning Tree Protocol (STP) on the switch. It includes the following topics: • Overview of Spanning Tree • Configuring STP Status and Global Settings • Configuring STP Interface Settings • RSTP Interface Settings Overview of Spanning Tree STP enables efficient communication on a network that includes multiple bridges. Devices on these networks can learn multiple (that is, redundant) paths to the same endpoint.
Spanning Tree Configuring STP Status and Global Settings 6 When the root bridge is selected and each root port is established, each network segment can then determine which bridge provides the lowest cost path to the root port. The port that provides this path is named the designated port for the network segment. Spanning tree disables other ports for that network segment or designates them as alternate or backup ports.
• STP Operation Mode—Select one of the following STP modes: - Classic STP—Operates according to the original IEEE 802.1D spanning tree protocol. - Rapid STP—Is the default value and provides faster spanning tree convergence after a topology change than does classic STP. • BPDU Handling—Bridge Protocol Data Units (BPDUs) are the messages exchanged between switches to calculate STP topology.
The following information appears in the Designated Root section of the page: • Bridge ID—The bridge identifier, which is a concatenation of the bridge priority and the base MAC address of the bridge. • Root Bridge ID—The Bridge ID of the root bridge. The bridge with the lowest Bridge ID among all the bridges becomes the root bridge. • Root Port—The port number that offers the lowest-cost path from this bridge to the root bridge.
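Because the bridge identifier is the priority followed by the base MAC address, and the lowest identifier wins, the priority field decides the election before the MAC address is even compared. The following Python is an added example, not code from the guide or the switch firmware: it forms bridge identifiers the way the page describes, elects the root from a constructed set of bridges, and picks the root port from per-port path costs. The bridge names, MAC addresses (from the documentation range) and costs are assumptions made up for the example; the rule that the priority is a multiple of 4096 between 0 and 61440 is the IEEE 802.1D-2004 encoding.

```python
from typing import Dict, Tuple


def bridge_id(priority: int, base_mac: str) -> int:
    """Bridge identifier: 16-bit bridge priority followed by the 48-bit base MAC.

    IEEE 802.1D-2004 keeps only the top four bits for the settable priority,
    so the value must be a multiple of 4096 between 0 and 61440 (default 32768).
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    mac = int(base_mac.replace(":", "").replace("-", ""), 16)
    if mac >> 48:
        raise ValueError("MAC address longer than 48 bits")
    return (priority << 48) | mac


def format_bridge_id(bid: int) -> str:
    """Display as priority.mac, the way most switches print it."""
    return f"{bid >> 48}.{bid & ((1 << 48) - 1):012x}"


def elect_root(bridges: Dict[str, Tuple[int, str]]) -> str:
    """Name of the bridge with the numerically lowest bridge identifier."""
    if not bridges:
        raise ValueError("no bridges")
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def select_root_port(path_costs: Dict[int, int]) -> int:
    """Root port: lowest path cost to the root; ties go to the lower port number."""
    if not path_costs:
        raise ValueError("no ports")
    return min(path_costs, key=lambda port: (path_costs[port], port))


# Constructed topology (assumed names and MAC addresses, not from the guide):
# three bridges at the default priority, so the lowest MAC becomes root.
TOPOLOGY = {
    "sw-a": (32768, "00:00:5e:00:53:10"),
    "sw-b": (32768, "00:00:5e:00:53:02"),
    "sw-c": (32768, "00:00:5e:00:53:20"),
}

# Path costs from this bridge's ports to the root (assumed values). Port 2
# and port 3 tie on cost, so the lower port number is chosen.
PATH_COSTS = {1: 20000, 2: 4000, 3: 4000}

if __name__ == "__main__":
    root = elect_root(TOPOLOGY)
    print(root, format_bridge_id(bridge_id(*TOPOLOGY[root])))
    # Any device that sends BPDUs with a priority of 0 outranks all three,
    # whatever its MAC address is.
    print(elect_root({**TOPOLOGY, "newcomer": (0, "00:00:5e:00:53:ff")}))
```

The second print shows why the election is a security consideration as well as a topology one: any device on an STP-enabled port that advertises a lower priority becomes root and pulls the traffic paths toward itself, which is the reason BPDU handling on edge ports (see the STP global settings) deserves the same attention as the priority you configure.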
6 Spanning Tree Configuring STP Interface Settings • STP—Select to enable STP operation on the port/LAG. • Auto Edge—Select Enable to allow the switch to automatically determine if the port is an edge port or PortFast. A port is an edge port if it is not connected to a bridge. Auto-detection speeds up the transition of the port to forwarding state. A port can forward traffic and learn MAC addresses when it is in forwarding state.
6 Spanning Tree RSTP Interface Settings • Port State—Current STP state of a port. If enabled, the port state determines the forwarding action that is taken on traffic. Possible port states are: - Disabled—STP is currently disabled on the port. The port does not participate in the spanning tree, but is in an operational state to learn MAC addresses and forward traffic. - Discarding—Port is currently blocked and cannot be used to forward traffic or learn MAC addresses.
By default, the RSTP Interface Settings Table displays information for each port. Use the Interface Type list to display ports or LAGs in the table. The RSTP Interface Table displays the following information for each port: • Point to Point Operational Status—A physical port has a point-to-point connection to a LAN if it operates in full duplex. • Port Role—Port role assigned by the STP algorithm to provide STP paths.
7 MAC Address Tables This chapter describes the static configuration and dynamic learning of Media Access Control (MAC) addresses into the filtering database of the switch. The switch searches its filtering database to determine which port a packet is to be forwarded to. The filtering database is also referred to as the bridging table in this document. The search is based on the VLAN and destination MAC address of the packet.
7 MAC Address Tables Configuring Static MAC Addresses • MAC Address— Enter the static MAC address. • Status—Select a status for this static MAC address: - Permanent—When this status is selected, the static MAC address does not expire. Note, however, that if the switch is rebooted, the entry is not restored unless the Running Configuration file type was copied to the Startup Configuration file type. See Copying and Saving Configuration Files.
MAC Address Tables Configuring the Aging Time for Dynamic Addresses 7 Configuring the Aging Time for Dynamic Addresses The Dynamic Address Settings page enables you to set an aging time, after which the system removes addresses in the dynamic MAC address table that have not been refreshed. The aging period applies to dynamically learned addresses and to static addresses that are configured to Delete on Timeout. The default aging time is 300 seconds.
7 MAC Address Tables Dynamic MAC Addresses The Dynamic Address Table displays the following fields for each entry it learns: • VLAN ID—VLAN on which the MAC address was learned. Frames are forwarded to the interface only if they are associated with this VLAN. • MAC Address—The dynamically learned MAC address. • Interface—The port on which the MAC address was dynamically learned. Frames specifying this MAC address and VLAN as the destination are forwarded out to this port.
8 Multicast This chapter describes how to configure the multicast protocols that forward packets from one source to multiple destinations. It contains the following topics: • Multicast Properties • Configuring MAC Group Addresses • Configuring Group-to-Port • Configuring IGMP Snooping • Configuring MLD Snooping • Configuring IGMP Multicast Router Interfaces • Configuring MLD Multicast Router Interfaces Multicast protocols deliver packets from one source to multiple receivers.
Multicast entries can be learned by snooping (listening in on) the layer 3 protocols that manage multicast memberships: • IPv4 multicast group addresses can be learned through the Internet Group Management Protocol (IGMP). • IPv6 multicast group addresses can be learned through the Multicast Listener Discovery (MLD) protocol. Interfaces with IGMP and MLD multicast routers for a specific VLAN can be either statically or dynamically configured.
8 Multicast Configuring MAC Group Addresses • Forward All—All multicast packets received from a VLAN are flooded to all ports in the VLAN, regardless of port registrations to multicast addresses. • Filter Unregistered—If a packet is received from a VLAN for a multicast destination address and no ports in the VLAN are registered to receive multicast packets for that address, then the packets are dropped. STEP 3 Click Apply. Your changes are saved to the Running Configuration.
8 Multicast Configuring MAC Group Addresses Viewing the MAC Group Address Table To view the MAC Group Address Table, click Multicast > MAC Group Address in the navigation window. By default, all entries display in the table. You can use the VLAN ID and MAC Group Address filters to display only entries that match the specified values. The following fields display: • Type—Indicates whether the entry is statically configured or dynamically learned.
8 Multicast Configuring Group-to-Port Configuring MAC Address Group Port Membership By default, packets destined to a multicast MAC address are flooded on all ports. Ports might become members of a particular MAC address group dynamically through the exchange of IGMP packets, or you can statically configure them as members. To view details and configure the port members of a multicast group address: STEP 1 Select an entry on the MAC Group Address page and click Details.
8 Multicast Configuring IGMP Snooping STEP 4 Set the type to indicate whether the entry is statically configured or dynamically learned. Ports can become members of a particular MAC address group dynamically through the exchange of IGMP packets, or you can statically configure them as members. STEP 5 Click Apply. Your changes are saved to the Running Configuration.
8 Multicast Configuring IGMP Snooping To configure IGMP snooping: STEP 1 Click Multicast > IGMP Snooping in the navigation window. STEP 2 Select Enable for the IGMP Snooping Status. STEP 3 Click Add in the IGMP Snooping Table. STEP 4 For VLAN ID, select the VLAN that is to support IGMP snooping.
8 Multicast Configuring MLD Snooping STEP 7 Ensure that an IGMP Mrouter interface has been configured for this VLAN (or all VLANs). See Configuring IGMP Multicast Router Interfaces. Configuring MLD Snooping MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes wishing to receive IPv6 multicast packets) on its directly-attached links and to discover which multicast packets are of interest to neighboring nodes.
8 Multicast Configuring MLD Snooping STEP 4 For VLAN ID, select the VLAN that is to support MLD snooping. STEP 5 Enter the parameters: • MLD Fast Leave Mode—Select Enable to allow the switch to immediately remove a port (or LAG) from its multicast forwarding table when it receives an MLD leave message for that multicast group. When enabled, the switch removes the port without first sending out MAC-based general queries to the interface.
Configuring IGMP Multicast Router Interfaces An IGMP router must exist to manage the IGMP clients in a VLAN. For each VLAN that supports IGMP snooping, the switch must be statically configured with, or must dynamically learn, one or more interfaces where there is an IGMP router. An interface that has an IGMP router is known as an IGMP Multicast Router Interface. A VLAN that is IGMP snooping-enabled must have one or more IGMP multicast router interfaces.
Configuring MLD Multicast Router Interfaces An MLD multicast router must exist to manage the MLD clients in a VLAN. For each VLAN that supports MLD snooping, the switch must be statically configured with, or must dynamically learn, one or more interfaces where there is an MLD multicast router. An interface that has an MLD router is known as an MLD Multicast Router Interface.
9 IP Configuration This chapter describes the Address Resolution Protocol (ARP) and Domain Name System (DNS) client features. It includes the following topics: • ARP Table • Domain Name System ARP Table The switch maintains an Address Resolution Protocol (ARP) Table. Each entry in the table includes the IP address and the MAC addresses of a device that has recently communicated with the switch. You can use the ARP page to display ARP entries learned by the management VLAN.
9 IP Configuration Domain Name System See the following topics for more information on the configuration pages available in the IP Configuration > Domain Name System menu. • Configuring DNS Servers • Hostname Mapping Configuring DNS Servers To resolve a hostname to an IP address, the client contacts one or more DNS servers. DNS servers can be learned dynamically if the management interface is configured as a DHCP client (see Management Interface).
9 IP Configuration Domain Name System NOTE: Default domain names may be learned from reply messages from a DHCP server. These names display in the Default Domain Name List. STEP 4 Click Apply. Your changes are saved to the Running Configuration. Adding DNS Servers The DNS Servers Table lists the configured servers. To add a DNS server: STEP 1 Click Add. STEP 2 Specify the DNS server IPv4 or IPv6 address. STEP 3 Click Apply and then click Close.
9 IP Configuration Domain Name System STEP 5 Click Apply and then click Close. Your changes are saved to the Running Configuration. Viewing and Deleting Dynamic DNS Entries The DNS Dynamic Entries table displays hostnames that have been learned by applications that use DNS lookup services. For example, if you ping a hostname, the DNS lookup service is invoked and an associated IP address is learned and added to the table.
10 Security This chapter describes the security features for the port, user, and server. It includes the following topics: • RADIUS • Password Strength • Management Access Profile Rules • Authentication Methods • Storm Control • Port Security • 802.1X RADIUS The switch supports Remote Authentication Dial-In User Service (RADIUS) client functionality. RADIUS has become the protocol of choice for administrators of large accessible networks for authenticating users prior to granting access.
10 Security RADIUS Configuring Global RADIUS Settings To configure the global settings: STEP 1 Click Security > RADIUS in the navigation window. STEP 2 Enter the parameters: • Retries—Maximum number of times the RADIUS client retransmits requests to the RADIUS server. The range is 1 to 10. The default is 3. • Timeout for Reply—Number of seconds the switch waits for a RADIUS server to reply to a server request before sending another request. The range is 1 to 30. The default is 3.
To add a RADIUS Server to the RADIUS Table: STEP 1 Click Add. STEP 2 Enter the parameters: • RADIUS Server—IP address or hostname of the server. • Priority—The lower the priority number value, the higher the priority of the server. For example, a server configured with priority value 1 has higher priority than a server configured with priority value 2.
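The RADIUS key (shared secret) entered for each server is what protects the user's password in the Access-Request and what lets the switch check that a reply really came from that server. The following Python is an added example, not code from the guide or the switch firmware, that implements the two RFC 2865 constructions involved: User-Password hiding (16-byte blocks XORed with an MD5 chain keyed by the secret and the Request Authenticator) and the Response Authenticator the client must verify on every reply. The user name, password, shared secret and packet identifier are assumptions made up for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte chunks with an MD5 chain keyed by the secret."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type, length (including the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def access_request(username: bytes, password: bytes, secret: bytes, identifier: int,
                   request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Build the Access-Request the client sends; returns (packet, request authenticator)."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_auth + attributes + secret).digest()


def access_accept(identifier: int, request_auth: bytes, secret: bytes, attributes: bytes = b"") -> bytes:
    """Build the reply a server would send (used here to exercise the client check)."""
    auth = response_authenticator(ACCESS_ACCEPT, identifier, attributes, request_auth, secret)
    return packet(ACCESS_ACCEPT, identifier, auth, attributes)


def verify_response(reply: bytes, request_auth: bytes, secret: bytes, expected_identifier: int) -> bool:
    """What the client must check before trusting a reply: length, identifier and authenticator."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != expected_identifier:
        return False
    expected = response_authenticator(code, identifier, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"example-shared-secret"          # assumed value
    req, ra = access_request(b"netadmin", b"correct horse battery staple", secret, 7)
    reply = access_accept(7, ra, secret)
    print(verify_response(reply, ra, secret, 7))
```

Two practical points follow from the construction. The password is protected only by MD5 over the shared secret, so a short or guessable key in the RADIUS Table lets anyone who captures an Access-Request recover user passwords offline; use a long random key per server and keep the switch-to-server path on a protected management network. And a client that skips the Response Authenticator check accepts Access-Accept packets from anyone who can spoof the server's address, which is why the identifier and authenticator are verified together above.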
10 Security Password Strength Password Strength You can use the Password Strength page to configure characteristics of secure management user passwords. To configure password strength settings: STEP 1 Click Security > Password Strength in the navigation window. STEP 2 Enter the following parameters: • Strength Check—Select Enable to configure the types of checks to be performed: • Minimum Password Length—The minimum number of characters required for a management user password.
Management Access Profile Rules

Use the Management Access Profile Rules page to define a profile and rules for accessing the device for management purposes. You can limit access to specific user names, ingress ports or LAGs, and source IP addresses. To display this page, click Security > Management Access Profile Rules in the navigation window.

The Access Profile Table lists the profile name of the currently configured profile, if one exists.
To limit access to the web-based switch configuration utility to specified users only, for example, you can create a rule in which HTTP access is denied to all users, and then create another rule in which the specific users are permitted. The rule that permits the specific users must have a higher Rule Priority than the rule that denies all users.
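The deny-all plus permit-specific pattern above only works when the rules are ranked correctly, and the failure mode is an administrator lockout rather than an open door. The following is an added example, not Cisco's code or the switch's own rule engine: it evaluates a constructed rule set first-fit and flags a permit rule that a higher-ranked deny rule makes unreachable. It assumes that a rule with a higher Rule Priority value is evaluated first and that unmatched requests fall through to a default you choose; the field names (`service`, `user`, `ingress`, `source`) are hypothetical.

```python
# Added example, not Cisco's code: first-fit evaluation of management access
# profile rules. Assumptions: a rule with a higher Rule Priority value is
# evaluated first, unmatched requests fall through to a default you choose,
# and the field names are hypothetical, not the device's own.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    priority: int                  # higher value is evaluated first (assumption)
    action: str                    # "permit" or "deny"
    service: Optional[str] = None  # e.g. "http"; None matches any service
    user: Optional[str] = None     # management user name; None matches any
    ingress: Optional[str] = None  # ingress port/LAG; None matches any
    source: Optional[str] = None   # source IP prefix (CIDR); None matches any

    def matches(self, service: str, user: str, ingress: str, src_ip: str) -> bool:
        return ((self.service is None or self.service == service)
                and (self.user is None or self.user == user)
                and (self.ingress is None or self.ingress == ingress)
                and (self.source is None
                     or ip_address(src_ip) in ip_network(self.source)))

    def covers(self, other: "Rule") -> bool:
        """True if every request matched by `other` is also matched by self."""
        def wider(mine, theirs):
            return mine is None or mine == theirs
        src_ok = (self.source is None
                  or (other.source is not None
                      and ip_network(other.source).subnet_of(ip_network(self.source))))
        return (wider(self.service, other.service) and wider(self.user, other.user)
                and wider(self.ingress, other.ingress) and src_ok)


def evaluate(rules, service, user, ingress, src_ip, default="deny"):
    """First-fit: the highest-priority matching rule decides."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.matches(service, user, ingress, src_ip):
            return rule.action
    return default


def shadowed_permits(rules) -> List[Rule]:
    """Permit rules that can never fire because a deny rule with higher
    priority matches everything they match. A permit for the admin user
    ranked below the deny-all HTTP rule is exactly this case, and the
    result is that nobody can reach the web utility."""
    return [p for p in rules if p.action == "permit"
            and any(d.action == "deny" and d.priority > p.priority and d.covers(p)
                    for d in rules)]


# Constructed profile following the text: deny HTTP to everyone, then permit
# the admin user from the management subnet with a higher priority.
GOOD_PROFILE = [
    Rule(priority=10, action="deny", service="http"),
    Rule(priority=20, action="permit", service="http", user="admin", source="10.0.0.0/24"),
]
# The same rules with the priorities swapped: the permit is shadowed.
BAD_PROFILE = [
    Rule(priority=20, action="deny", service="http"),
    Rule(priority=10, action="permit", service="http", user="admin", source="10.0.0.0/24"),
]

if __name__ == "__main__":
    print(evaluate(GOOD_PROFILE, "http", "admin", "gi1", "10.0.0.5"))   # permit
    print(evaluate(GOOD_PROFILE, "http", "guest", "gi1", "10.0.0.5"))   # deny
    print(evaluate(BAD_PROFILE, "http", "admin", "gi1", "10.0.0.5"))    # deny
    print(shadowed_permits(BAD_PROFILE))                                 # the permit rule
```

Running `shadowed_permits` over a profile before enabling it is the check worth keeping: the device applies the profile as written, and a shadowed permit is indistinguishable from a working one until the web session is refused.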
Modifying and Deleting Access Profiles and Rules

Before you can delete an Access Profile or modify its rules, you must disable the profile.

To disable an access profile:
STEP 1 Select the profile in the Access Profile Table and click Edit.
STEP 2 Uncheck the Enable box.
STEP 3 Click Apply, and then click Close.
When you finish making changes, re-enable the access profile.
STEP 3 Click Apply, and then click Close.

Authentication Methods

You can use the Authentication Methods page to specify how users are allowed access to switch ports.

To select the authentication method:
STEP 1 Click Security > Authentication Methods in the navigation window.
STEP 2 Select an authentication method from the list:
• Local—A user ID and password combination from the supplicant is compared with the locally stored user database on the switch.
Storm Control

A traffic storm is the result of an excessive number of broadcast, multicast, or unknown unicast messages transmitted simultaneously across a network by a port. Forwarded message responses can create a loop, overload network resources, and cause the network to time out. The switch measures the incoming broadcast, multicast, or unknown unicast packet rate per port and discards packets when the rate exceeds a defined value.
NOTE: The actual rate of ingress traffic required to activate Storm Control depends on the actual size of the incoming packets and on the hard-coded average packet size parameter (512 bytes). The configured threshold, an absolute data rate in kilobits per second (kbps), is converted to a packets-per-second (pps) value, because the switch needs a pps value to decide whether or not to apply storm control.
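The practical consequence of the note above is that a threshold set in kbps does not trigger at that kbps unless the traffic happens to consist of 512-byte packets. The following is an added example, not Cisco's code: it performs the kbps-to-pps conversion with the 512-byte average, then shows the real data rate at which storms of various packet sizes trip the resulting pps trigger. It assumes 1 kbps = 1000 bit/s; the frame-size sample is constructed.

```python
# Added example, not Cisco's code: converts a storm-control threshold
# configured in kbps into the packets-per-second trigger the switch actually
# enforces, using the hard-coded 512-byte average packet size, and shows the
# real data rate at which traffic of a given packet size trips that trigger.
# Assumption: 1 kbps = 1000 bit/s; the sample frame sizes below are constructed.
AVG_PACKET_BYTES = 512  # average packet size the guide says the switch assumes


def threshold_pps(rate_kbps, avg_bytes=AVG_PACKET_BYTES):
    """Packets per second the switch enforces for a threshold set in kbps."""
    return rate_kbps * 1000 / (avg_bytes * 8)


def effective_kbps(pps, actual_bytes):
    """Data rate (kbps) of a stream of `actual_bytes` packets arriving at `pps`."""
    return pps * actual_bytes * 8 / 1000


def activation_rates(rate_kbps, sizes=(64, 128, 512, 1024, 1518)):
    """For each packet size, the ingress kbps at which storm control activates."""
    pps = threshold_pps(rate_kbps)
    return {size: effective_kbps(pps, size) for size in sizes}


def one_second_sample(frame_sizes, rate_kbps):
    """Given the sizes of the broadcast frames seen on a port in one second,
    return (observed pps, observed kbps, whether the pps trigger fires)."""
    pps = len(frame_sizes)
    kbps = sum(frame_sizes) * 8 / 1000
    return pps, kbps, pps > threshold_pps(rate_kbps)


if __name__ == "__main__":
    for size, kbps in activation_rates(1000).items():
        print(f"{size:5d}-byte packets trip a 1000 kbps threshold at {kbps:8.1f} kbps")
    # Constructed sample: 300 minimum-size (64-byte) broadcast frames in one second.
    print(one_second_sample([64] * 300, 1000))  # (300, 153.6, True)
```

A 1000 kbps threshold therefore fires at about 125 kbps of minimum-size broadcast frames (an ARP or NetBIOS storm) but not until roughly 2965 kbps of full-size frames. When sizing a threshold, reason in pps about the storm you expect to stop, not in the kbps figure the page shows.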
Port Security

• Interface Status—Select Lock to enable port security on the interface. When an interface transitions from unlocked to locked, all addresses that the switch had dynamically learned on that port are removed from its MAC address list.
• Max No. of Static MAC Addresses—Specify the maximum number of static secure MAC addresses on the port/LAG. Static secure MAC addresses are configured on the Static Addresses page. The total number of secure addresses cannot exceed 256.
• Reset Port—Select to reset the port if it has been shut down by the Port Security feature.
STEP 4 Click Apply and then click Close. Your changes are saved to the Running Configuration.

Viewing and Configuring Secure MAC Addresses

To view the current list of secure MAC addresses, associated ports, and VLANs, click Secure Address Table on the Port Security page.
802.1X

on the network—the authenticator—uses to request authentication from a server.
• Authenticator: An entity that facilitates the authentication of the supplicant on the remote end of a link. An authenticator grants port access to a supplicant if the authentication succeeds.
• Local—The switch performs local authentication of a remote supplicant based on EAP-MD5. The supplicant identity must be one of the management users configured on the switch (see Managing User Accounts).
• RADIUS—The switch depends on one or more external RADIUS servers to perform the authentication. You must configure the supplicant identity and authentication directly on the servers. (See RADIUS for information.)
STEP 3 Select the role for the port:
• Authenticator—Select this option if the port must authenticate the remote supplicant before granting access to the local port.
• Supplicant—Select this option if the port must be connected to an authenticator and ask permission from the remote authenticator before accessing the remote port.
- auto—Select this option if the port control is based on the result of the authentication process. If the supplicant is authenticated, the port control status becomes Authorized, meaning that the supplicant is granted access to the port. If the supplicant is not authenticated, the port control status becomes Unauthorized, meaning that the supplicant is denied access.
- Force Authorized—Select this option to always allow port access when authentication of remote supplicants is not required.
• Max EAP Requests—The preconfigured maximum number of times the switch can send an EAP request before restarting the authentication process if it does not receive a response.
• Termination Cause—The reason for termination.
STEP 4 Click Apply and then click Close. Your changes are saved to the Running Configuration.
• User Name—Select the user that the port uses to identify itself as a supplicant. The user must be one of the switch management users configured on the switch. The password configured for the user is used in the authentication process. As a supplicant, the switch supports the EAP-MD5 authentication method. (See Managing User Accounts to set up the users.)
STEP 4 Click Apply and then click Close. Your changes are saved to the Running Configuration.
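Both the Local authentication method and the Supplicant port role above rely on EAP-MD5, so it helps to see what the two sides actually exchange. The following is an added example, not Cisco's code: a supplicant and an authenticator that verifies the MD5-Challenge response against a local user table, with the response computed as MD5(Identifier || password || Challenge) as RFC 3748 section 5.4 defines. The user database and password string are constructed placeholders.

```python
# Added example, not Cisco's code: the EAP-MD5 exchange between a supplicant
# and an authenticator that checks the response against a local user
# database, as the Local authentication method and the Supplicant role above
# describe. Response formula per RFC 3748 section 5.4:
# MD5(Identifier || password || Challenge). The user database below is
# constructed; the password string is a placeholder.
import hashlib
import hmac
import os


def md5_challenge_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 Response value: MD5 over the one-byte Identifier, the shared
    password and the Challenge value sent by the authenticator."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password.encode() + challenge).digest()


class Supplicant:
    """The side asking for port access (here, a switch port in Supplicant role)."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def identity(self) -> str:
        return self.username

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return md5_challenge_response(identifier, self.password, challenge)


class LocalAuthenticator:
    """Authenticator that verifies against a local user table (Local method)."""

    def __init__(self, users: dict):
        self.users = users          # username -> password
        self.identifier = 0         # EAP Identifier, incremented per request

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, os.urandom(16)   # fresh random Challenge value

    def verify(self, identity, identifier, challenge, response) -> bool:
        password = self.users.get(identity)
        if password is None:
            return False            # identity is not a configured management user
        expected = md5_challenge_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def run_exchange(supplicant: Supplicant, authenticator: LocalAuthenticator):
    """Drive one authentication; returns (authorized, list of EAP messages)."""
    transcript = ["Request/Identity"]
    identity = supplicant.identity()
    transcript.append(f"Response/Identity({identity})")
    identifier, challenge = authenticator.challenge()
    transcript.append("Request/MD5-Challenge")
    response = supplicant.answer(identifier, challenge)
    transcript.append("Response/MD5-Challenge")
    authorized = authenticator.verify(identity, identifier, challenge, response)
    transcript.append("Success" if authorized else "Failure")
    return authorized, transcript


# Constructed local management-user database; the password is a placeholder.
LOCAL_USERS = {"admin": "PLACEHOLDER-password"}

if __name__ == "__main__":
    ok, msgs = run_exchange(Supplicant("admin", "PLACEHOLDER-password"),
                            LocalAuthenticator(LOCAL_USERS))
    print(ok, " -> ".join(msgs))
```

Two properties of the exchange matter when deciding where to use it: the challenge proves only that the supplicant knows the password, so the switch is not authenticated to the supplicant, and no keying material is derived, so nothing after the Success message is protected by it. That is why the identity used here must be a management user account and why the feature is intended for wired ports.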
11 Quality of Service

This chapter describes the QoS features of the device. It includes the following topics:
• QoS Properties
• Defining Queues
• Mapping CoS/802.1p Priorities to Queues
• Mapping IP Precedence to Queues
• Mapping DSCP Values to Queues
• Defining Rate Limit Profiles
• Applying Rate Limit Profiles to Interfaces
• Traffic Shaping

QoS is a means of providing consistent, predictable data delivery by distinguishing packets that have strict timing requirements from those that are more tolerant of delay.
QoS Properties

The switch supports four egress queues for each port or LAG. Queue 1 has the lowest priority and queue 4 has the highest priority. The pages in the Quality of Service menu enable you to define the properties of the queues and to associate with the queues the traffic that has particular characteristics or arrives on specific interfaces. You can also create rate limit profiles that define criteria for determining whether a port is receiving more traffic than it can handle.
Defining Queues

• trust ip-precedence—The port uses the IP Precedence value in the IP packet header. If no value is provided, the default priority is assigned. Non-IP VLAN-tagged and untagged frames are assigned the default priority.
• trust ip-dscp—The port uses the DSCP marking in the IP packet header for both VLAN-tagged and untagged IP packets. Non-IP VLAN-tagged and untagged frames are assigned the default priority.
Queue Configuration Recommendations

It is recommended that higher-numbered queues be configured with higher priority, weight, and minimum-bandwidth settings. The following are recommended scenarios for strict priority (SP) and WRR queues:
• All eight queues in SP mode (q8 > q7 > q6 > q5 > q4 > q3 > q2 > q1). q8 is allocated bandwidth as long as there are packets to serve in q8. Then q7 is served, followed by q6, and so forth.
• WRR—Select to have the scheduler service the queue in turn with the other WRR queues, based on the bandwidth percentage of the queue relative to the other WRR queues. (Strict queues continue to be serviced for as long as they have higher-priority traffic.)
STEP 4 If you selected WRR mode for a queue, enter a bandwidth percentage in the Percentage of WRR Bandwidth field. The total of the bandwidth percentages for all queues cannot exceed 100 percent.
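To make the SP and WRR behaviour above concrete, here is an added example, not Cisco's code or the switch's scheduler: one scheduling round in which strict-priority queues are drained first, highest queue number first, and the WRR queues then share service in proportion to their percentages, with the 100 percent cap enforced. It assumes service is counted in packets, that the round size is arbitrary, and that the queue numbers, percentages and queue contents are constructed.

```python
# Added example, not Cisco's code: one scheduling round over the queue modes
# described above. Strict-priority (SP) queues are drained first, highest
# queue number first; the WRR queues then share a round of service in
# proportion to their configured percentages, which must not total more
# than 100. Assumptions: service is counted in packets, the round size is
# arbitrary, and the queue contents are constructed.
from collections import deque


def validate_wrr(percentages: dict) -> int:
    """Sum of WRR percentages; raises if the 100 percent cap is exceeded."""
    total = sum(percentages.values())
    if total > 100:
        raise ValueError(f"WRR percentages total {total}, which exceeds 100")
    return total


def wrr_slots(percentages: dict, round_size: int) -> dict:
    """Packets each WRR queue may send per round, proportional to its share."""
    total = validate_wrr(percentages)
    if total == 0:
        return {q: 0 for q in percentages}
    return {q: round(round_size * pct / total) for q, pct in percentages.items()}


def schedule_round(queues: dict, modes: dict, percentages: dict, round_size: int = 10) -> list:
    """queues: {queue number: deque of packet ids}; modes: {queue: "SP" or "WRR"};
    percentages: {queue: percent} for the WRR queues. Returns the service order."""
    served = []
    for q in sorted((q for q, m in modes.items() if m == "SP"), reverse=True):
        while queues[q]:                       # an SP queue is served while it has traffic
            served.append(queues[q].popleft())
    wrr = {q: percentages.get(q, 0) for q, m in modes.items() if m == "WRR"}
    slots = wrr_slots(wrr, round_size)
    for q in sorted(slots, reverse=True):
        for _ in range(slots[q]):
            if queues[q]:
                served.append(queues[q].popleft())
    return served


def make_queues():
    """Constructed backlog: q4 strict (voice), q3/q2/q1 WRR at 50/30/20 percent."""
    return {
        4: deque(["v1", "v2"]),
        3: deque(["d1", "d2", "d3", "d4", "d5", "d6"]),
        2: deque(["b1", "b2", "b3", "b4"]),
        1: deque(["e1", "e2", "e3"]),
    }


MODES = {4: "SP", 3: "WRR", 2: "WRR", 1: "WRR"}
PERCENTAGES = {3: 50, 2: 30, 1: 20}

if __name__ == "__main__":
    print(schedule_round(make_queues(), MODES, PERCENTAGES))
```

The model also shows the starvation risk the parenthetical note implies: if the SP queue never empties, the loop never reaches the WRR queues, which is why an SP queue should carry only traffic that is itself rate-bounded.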
Mapping CoS/802.1p Priorities to Queues

NOTE If you click Restore Defaults, the following mappings are applied to the selected interface.

802.1p Priority   Output Queue
0                 3
1                 1
2                 2
3                 4
4                 5
5                 6
6                 7
7                 8

Mapping IP Precedence to Queues

The priority of a packet arriving at an interface can be identified by the Type of Service (ToS) field in the IP packet header. Eight precedence levels are defined (0-7). You can use the IP Precedence to Queue page to map these values to the four CoS queues to steer packets to the appropriate outbound queue.
NOTE If you click Restore Defaults, the following mappings are applied to all interfaces.

IP Precedence   Output Queue
0               1
1               1
2               2
3               3
4               3
5               4
6               3
7               3

Mapping DSCP Values to Queues

The priority of a packet arriving at an interface can be identified by the Differentiated Services Code Point (DSCP) value in the IP packet header. The IP DSCP field can contain any one of 64 values (0–63).
NOTE If you click Restore Defaults, the following mappings are applied to all interfaces.

DSCP Value   Output Queue
00-07        1
08-15        1
16-23        2
24-31        3
32-39        3
40-47        4
48-55        3
56-63        3

Defining Rate Limit Profiles

The rate-limiting feature enables you to set a maximum incoming traffic rate for a port. When the data rate exceeds the configured rate, the switch drops all further traffic from the port. Rate limits are applied per port.
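The three default tables above, together with the trust-mode descriptions under Defining Queues, determine which queue a frame lands in. The following is an added example, not Cisco's code: it encodes the three default maps as data, extracts IP Precedence and DSCP from the IPv4 ToS byte, and classifies a few constructed frames under each trust mode so the differences between the modes are visible. The trust-mode name `cos` for 802.1p trust and the default queue for non-IP frames are assumptions of this model, not names from the device.

```python
# Added example, not Cisco's code: the three default maps from the tables
# above as data, with the field extraction that turns a frame's 802.1p tag
# or IPv4 ToS byte into the lookup key for each trust mode. Assumptions: the
# trust mode name "cos" and the default queue for non-IP frames are
# parameters of this model, not names taken from the device.
COS_TO_QUEUE = {0: 3, 1: 1, 2: 2, 3: 4, 4: 5, 5: 6, 6: 7, 7: 8}
PRECEDENCE_TO_QUEUE = {0: 1, 1: 1, 2: 2, 3: 3, 4: 3, 5: 4, 6: 3, 7: 3}
DSCP_RANGES = [  # (first, last, queue) from the DSCP table above
    (0, 7, 1), (8, 15, 1), (16, 23, 2), (24, 31, 3),
    (32, 39, 3), (40, 47, 4), (48, 55, 3), (56, 63, 3),
]


def queue_for_dscp(dscp: int) -> int:
    for first, last, queue in DSCP_RANGES:
        if first <= dscp <= last:
            return queue
    raise ValueError(f"DSCP out of range: {dscp}")


def precedence_from_tos(tos: int) -> int:
    """IP Precedence is the top three bits of the ToS byte."""
    return (tos >> 5) & 0x7


def dscp_from_tos(tos: int) -> int:
    """DSCP is the top six bits of the ToS byte (the low two bits are ECN)."""
    return (tos >> 2) & 0x3F


def output_queue(trust: str, pcp=None, tos=None, default_queue=1) -> int:
    """pcp: 802.1p priority from the VLAN tag, None if untagged.
    tos: IPv4 ToS byte, None if the frame is not IP.
    Non-IP frames under the IP trust modes fall back to default_queue,
    as the trust descriptions under Defining Queues state."""
    if trust == "cos":
        return COS_TO_QUEUE[pcp] if pcp is not None else default_queue
    if trust == "ip-precedence":
        return PRECEDENCE_TO_QUEUE[precedence_from_tos(tos)] if tos is not None else default_queue
    if trust == "ip-dscp":
        return queue_for_dscp(dscp_from_tos(tos)) if tos is not None else default_queue
    raise ValueError(f"unknown trust mode {trust!r}")


# Constructed frames: (label, 802.1p PCP or None, ToS byte or None)
SAMPLE_FRAMES = [
    ("voice, DSCP 46 (EF), tagged PCP 5", 5, 0xB8),
    ("signalling, DSCP 24 (CS3), tagged PCP 3", 3, 0x60),
    ("best effort, DSCP 0, untagged", None, 0x00),
    ("ARP (non-IP), tagged PCP 7", 7, None),
]


def classify_all(trust: str) -> dict:
    """Output queue for every sample frame under one trust mode."""
    return {label: output_queue(trust, pcp, tos) for label, pcp, tos in SAMPLE_FRAMES}


if __name__ == "__main__":
    for trust in ("cos", "ip-precedence", "ip-dscp"):
        print(trust, classify_all(trust))
```

The tagged ARP frame is the instructive case: under 802.1p trust its PCP 7 sends it to queue 8, while under either IP trust mode it is non-IP and drops to the default queue. Likewise, IP precedence 7 maps to queue 3 in the precedence table but PCP 7 maps to queue 8 in the CoS table, so the trust mode chosen on a port decides the queue at least as much as the marking does.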
• CBS—Specify a committed burst size, which is the guaranteed amount of bandwidth for bursty traffic on the port. The range is 4-16384 KB.
STEP 4 Click Apply and then click Close. Your changes are saved to the Running Configuration.

Applying Rate Limit Profiles to Interfaces

If you have created one or more rate limit profiles, you can use this page to assign them to interfaces.
Traffic Shaping

You can use the Traffic Shaping page to smooth the packet output rate. You can configure the maximum output rate for each port and LAG, expressed as a percentage of bandwidth. When the traffic rate reaches this limit, excess packets are retained in a queue and scheduled for later transmission over increments of time.

To configure traffic shaping on a port or LAG:
STEP 1 Click Quality of Service > Traffic Shaping in the navigation window.
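Rate limiting (drop excess ingress) and traffic shaping (queue excess egress and release it later) are the two ways this chapter handles traffic above a configured rate. The following is an added example, not Cisco's code or a model of its hardware timers: a single token bucket used both ways on one constructed burst, so the difference in outcome is visible. It assumes a rate in kbps (1 kbps = 1000 bit/s), a committed burst in KB (1 KB = 1000 bytes), and packets given as (arrival time in seconds, size in bytes).

```python
# Added example, not Cisco's code: a token-bucket model of the two behaviours
# this chapter describes, a rate limit that drops excess ingress traffic and a
# shaper that holds excess packets in a queue and releases them later.
# Assumptions: rate in kbps (1 kbps = 1000 bit/s), burst (CBS) in KB
# (1 KB = 1000 bytes), packets are (arrival_time_s, size_bytes) and the
# sample burst is constructed; hardware timer granularity is not modelled.


class TokenBucket:
    def __init__(self, rate_kbps: float, burst_kb: float):
        self.rate = rate_kbps * 1000 / 8     # bytes per second
        self.capacity = burst_kb * 1000      # bytes
        self.tokens = self.capacity          # bucket starts full
        self.clock = 0.0

    def advance(self, t: float) -> None:
        """Refill tokens for the time elapsed since the last event."""
        if t > self.clock:
            self.tokens = min(self.capacity, self.tokens + (t - self.clock) * self.rate)
            self.clock = t

    def take(self, nbytes: int) -> bool:
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False

    def wait_for(self, nbytes: int) -> None:
        """Move the clock forward to the moment nbytes of tokens are available."""
        if self.tokens < nbytes:
            self.clock += (nbytes - self.tokens) / self.rate
            self.tokens = float(nbytes)


def rate_limit(packets, rate_kbps, burst_kb):
    """Policer: forward what fits in the bucket, drop the rest.
    Returns (forwarded, dropped) lists of (arrival, size)."""
    bucket = TokenBucket(rate_kbps, burst_kb)
    forwarded, dropped = [], []
    for t, size in packets:
        bucket.advance(t)
        (forwarded if bucket.take(size) else dropped).append((t, size))
    return forwarded, dropped


def shape(packets, rate_kbps, burst_kb):
    """Shaper: never drop; delay until tokens accrue.
    Returns a list of (arrival, departure, size) in FIFO order."""
    bucket = TokenBucket(rate_kbps, burst_kb)
    out = []
    for t, size in packets:
        bucket.advance(t)
        bucket.wait_for(size)      # the clock only moves forward, so order is kept
        bucket.take(size)
        out.append((t, bucket.clock, size))
    return out


# Constructed burst: ten 1500-byte packets arriving together at t=0 on a port
# limited to 1000 kbps with a 4 KB committed burst.
BURST = [(0.0, 1500)] * 10

if __name__ == "__main__":
    fwd, drop = rate_limit(BURST, 1000, 4)
    print(f"rate limit: {len(fwd)} forwarded, {len(drop)} dropped")
    print(f"shaping: last packet leaves at {shape(BURST, 1000, 4)[-1][1]:.3f} s, none dropped")
```

With these numbers the policer passes two packets and drops eight, while the shaper delivers all ten with the last one leaving 88 ms late. The same burst spread over a second passes the policer untouched, which is the usual reason to shape at the sender and police at the receiver.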
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Copyright © 2010 Cisco Systems, Inc. All rights reserved.