ADMINISTRATION GUIDE

Cisco Small Business 300 Series Managed Switch Administration Guide

10/100 Switches: SF 300-08, SF 302-08, SF 302-08MP, SF 302-08P, SF 300-24, SF 300-24P, SF 300-48, SF 300-48P
Gigabit Switches: SG 300-10, SG 300-10MP, SG 300-10P, SG 300-20, SG 300-28, SG 300-28P, SG 300-52
Contents

Chapter 1: Getting Started
  Starting the Web-based Switch Configuration Utility
  Launching the Configuration Utility
  Logging In
  Password Expiration
  Logging Out
  Quick Start Switch Configuration
  Window Navigation
  Application Header
  Management Buttons
Chapter 2: Viewing Statistics
  Viewing Ethernet Interface
  Viewing Etherlike Statistics
  Viewing GVRP Statistics
  Viewing 802.

Chapter 4: Managing System Files
  Upgrade/Backup Firmware/Language
  Uploading a New Firmware or Language File
  Selecting the Active Image
  Downloading or Backing-up a Configuration or Log
  Displaying Configuration File Properties
  Copying or Saving Switch Configuration File Types
  Setting DHCP Auto Configuration
Chapter 5: General Administrative Information and Operations
  System Information
  Displaying the System Summary
  Configuring the System Settings

Chapter 8: Configuring Discovery
  Configuring Bonjour Discovery
  Bonjour for a System in Layer 2 Mode
  Bonjour for a System in Layer 3 Mode
  Configuring LLDP
  Setting LLDP Properties
  Editing LLDP Port Settings
  LLDP MED Protocol
  Setting LLDP MED Network Policy
  Configuring LLDP MED Port Settings
  Displaying LLDP Port Status
  Displaying LLDP Local Information
  Displaying LLDP Neighbors Information
  Accessing LLDP Statistics
  LLDP Overloading

Chapter 10: Managing Power-over-Ethernet Devices
  PoE on the Switch
  PoE Features
  PoE Operation
  PoE Configuration Considerations
  Configuring PoE Properties
  Configuring the PoE Power, Priority, and Class
Chapter 11: VLAN Management
  VLANs
  Configuring Default VLAN Settings
  Creating VLANs
  Configuring VLAN Interface Settings
  Defining VLAN Membership
  Configuring Port to VLAN
  Configuring VLAN to Port
  Viewing VLAN Memb

  Defining Spanning Tree Interface Settings
  Configuring Rapid Spanning Tree Settings
  Multiple Spanning Tree
  Defining MSTP Properties
  Mapping VLANs to a MST Instance
  Defining MST Instance Settings
  Defining MSTP Interface Settings
Chapter 13: Managing MAC Address Tables
  Configuring Static MAC Addresses
  Dynamic MAC Addresses
  Configuring Dynamic MAC Address Parameters
  Querying Dynamic Addresses
  Defining Reserved MAC Addresses

Chapter 15: Configuring IP Information
  Management and IP Interfaces
  Managing IPv6
  IP Addressing
  Defining IPv6 Global Configuration
  Defining an IPv6 Interface
  Defining IPv6 Addresses
  Defining an IPv6 Default Router List
  Configuring IPv6 Tunnels
  Defining IPv6 Neighbors Information
  Viewing IPv6 Route Tables
  Defining IPv4 Static Routing
  Enabling ARP Proxy
  Defining UDP Relay
  DHCP Relay
  Defining DHCP Relay Properties

  Management Access Authentication
  Access Profiles
  Displaying, Adding, or Activating an Access Profile
  Defining Profile Rules
  Configuring TCP/UDP Services
  Defining Storm Control
  Configuring Port Security
  802.1X
  802.1X Parameters Workflow
  Defining 802.1X Properties
  Configuring Unauthenticated VLANs
  Defining 802.

Chapter 18: Configuring Quality of Service
  QoS Features and Components
  QoS Modes
  QoS Workflow
  Configuring QoS
  Displaying QoS Properties
  Modifying Interface Default CoS Value
  Configuring QoS Queues
  Mapping CoS/802.

Chapter 19: Configuring SNMP
  SNMP Versions and Workflow
  SNMP v1 and v2
  SNMP v3
  SNMP Workflow
  Supported MIBs
  Model OIDs
  SNMP Engine ID
  Configuring SNMP Views
  Creating SNMP Groups
  Managing SNMP Users
  Defining SNMP Communities
  Defining Trap Settings
  Notification Recipients
  Defining SNMPv1,2 Notification Recipients
  Defining SNMPv3 Notification Recipients
  SNMP Notification Filters
Chapter 20: Console Menu Int

  IP Configuration
  IPv6 Address Configuration
  Network Configuration
  File Management
  Port Status
  Port Configuration
  System Mode
  Help
  Logout
1 Getting Started

This chapter provides an introduction to the user interface, and includes the following topics:
• Starting the Web-based Switch Configuration Utility
• Quick Start Switch Configuration
• Window Navigation

Starting the Web-based Switch Configuration Utility

This section describes how to navigate the web-based switch configuration utility. Browsers have the following restrictions:
• If you are using Internet Explorer 6, you cannot directly use an IPv6 address to access the switch.
NOTE When the switch is using the factory default IP address, its power LED flashes continuously. When the switch is using a DHCP assigned IP address or an administrator configured static IP address, the power LED is on solid.

Logging In

The default username is cisco and the default password is cisco. The first time that you log in with the default username and password, you are required to enter a new password.
Password Expiration

The New Password Page is displayed:
• The first time you access the switch with the default username cisco and password cisco. This page forces you to replace the factory default password.
• When the password expires, this page forces you to select a new password.

Logging Out

By default, the application logs out after ten minutes of inactivity.
Quick Start Switch Configuration

To simplify switch configuration through quick navigation, the Getting Started Page provides links to the most commonly used pages.
Window Navigation

This section describes the features of the web-based switch configuration utility.

Application Header

The Application Header is displayed on every page. It provides the following application links:

Application Links (columns: Application Link Name, Description)

A red X icon displayed to the left of the Save application link indicates that Running Configuration changes have been made that have not yet been saved to the Startup Configuration file.
Application Links (Continued)

Language Menu: Select a language or load a new language file into the switch. If the language required is displayed in the menu, select it. If it is not displayed, select Add new language. For more information about adding a new language, refer to the Upgrade/Backup Firmware/Language.

The Syslog Alert Status icon is displayed when a SYSLOG message, above the critical severity level, is logged.
Management Buttons (Continued) (columns: Button Name, Description)

Apply: Click to apply changes to the Running Configuration on the switch. If the switch is rebooted, the Running Configuration is lost, unless it is saved to the Startup Configuration file type or another file type. Click Save to display the Copy/Save Configuration Page and save the Running Configuration to the Startup Configuration file type on the switch.

Cancel: Click to reset changes made on the page.
Management Buttons (Continued)

Edit: Select the entry and click Edit to open the entries for editing. The Edit page opens, and the entry can be modified.
1. Click Apply to save the changes to the Running Configuration.
2. Click Close to return to the main page.

Go: Enter the query filtering criteria and click Go. The results are displayed on the page.

Test: Click Test to perform the related tests.
2 Viewing Statistics

This chapter describes how to view switch statistics. It contains the following sections:
• Viewing Ethernet Interface
• Viewing Etherlike Statistics
• Viewing GVRP Statistics
• Viewing 802.1X EAP Statistics
• Viewing TCAM Utilization
• Managing RMON Statistics

Viewing Ethernet Interface

The Interface Page displays traffic statistics per port. The refresh rate of the information can be selected.
To display Ethernet statistics:

STEP 1 Click Status and Statistics > Interface. The Interface Page opens.

STEP 2 Enter the parameters.
• Interface—Select the type of interface and specific interface for which Ethernet statistics are to be displayed.
• Refresh Rate—Select the time period that passes before the interface Ethernet statistics are refreshed. The available options are:
  - No Refresh—Statistics are not refreshed.
Viewing Etherlike Statistics

The Etherlike Page displays statistics per port according to the Etherlike MIB standard definition. The refresh rate of the information can be selected. This page provides more detailed information regarding errors in the physical layer (Layer 1), which might disrupt traffic.

To view Etherlike Statistics:

STEP 1 Click Status and Statistics > Etherlike. The Etherlike Page opens.

STEP 2 Enter the parameters.
To clear statistics counters:
• Click Clear Interface Counters to clear the selected interface’s Etherlike statistics counters.
• Click Clear All Interface Counters to clear the Etherlike statistics counters of all interfaces.

Viewing GVRP Statistics

The GVRP Page displays information regarding GARP VLAN Registration Protocol (GVRP, also known as MVRP (Multiple VLAN Registration Protocol)) frames that were sent or received from a port.
• Leave All—Number of GVRP Leave All packets received/transmitted.

The GVRP Error Statistics section displays the GVRP error counters.
• Invalid Protocol ID—Invalid protocol ID errors.
• Invalid Attribute Type—Invalid attribute ID errors.
• Invalid Attribute Value—Invalid attribute value errors.
• Invalid Attribute Length—Invalid attribute length errors.
• Invalid Event—Invalid events.

To clear the counters, click Clear Interface Counters.
• EAP Response Frames Received—EAP Response frames received by the port (other than Resp/ID frames).
• EAP Request/ID Frames Transmitted—EAP Req/ID frames transmitted by the port.
• EAP Request Frames Transmitted—EAP Request frames transmitted by the port.
• Invalid EAPOL Frames Received—Unrecognized EAPOL frames received on this port.
• EAP Length Error Frames Received—EAPOL frames with an invalid Packet Body Length received on this port.
TCAM Rules Per Process

Process | Per Port/Per Switch | Allocation on Activation | Process Upper Limit | TCAM Rules Used Up Per User Entry
QoS Advanced Mode Rules | Port | 6/device | No limit | 1 or 2 TCAM entries per rule.
Access Control Rules | Port | 6/device | No limit | 1 or 2 TCAM entries per rule.
Protocol Based VLAN | Port | 0 | No limit | 1 or 2 Rules are duplicated for MAC-based VLANs.
Managing RMON Statistics

RMON (Remote Network Monitoring) is an SNMP specification that enables an SNMP agent in the switch to proactively monitor traffic statistics over a given period and send traps to an SNMP manager. The local SNMP agent compares actual, real-time counters against predefined thresholds and generates alarms, without the need for polling by a central SNMP management platform.
The statistics are displayed for the selected interface.
• Bytes Received (Octets)—Number of octets received, including bad packets and FCS octets, but excluding framing bits.
• Drop Events—Number of packets that were dropped.
• Packets Received—Number of packets received, including bad packets, Multicast, and Broadcast packets.
• Broadcast Packets Received—Number of good Broadcast packets received. This number does not include Multicast packets.
• Frames of 512 to 1023 Bytes—Number of frames, containing 512-1023 bytes that were received.
• Frames of 1024 to 1632 Bytes—Number of frames, containing 1024-1632 bytes that were received.

STEP 4 Select another interface in the Interface field. The RMON statistics are displayed.

Configuring RMON History

The History Control Table Page provides the ability to collect a log of statistics on a port.
STEP 3 Enter the parameters.
• New History Entry—Displays the number of the new table entry.
• Source Interface—Select the type of interface from where the history samples are to be taken.
• Max No. of Samples to Keep—Enter the number of samples to store.
• Sampling Interval—Enter the time in seconds that samples were collected from the ports. The field range is 1-3600.
• Owner—Enter the RMON station or user that requested the RMON information.
• Packets Received—Packets received, including bad packets, Multicast, and Broadcast packets.
• Broadcast Packets—Good Broadcast packets received. This number does not include Multicast packets.
• Multicast Packets—Good Multicast packets received.
• CRC Align Errors—CRC and Align errors that have occurred.
• Undersize Packets—Undersized packets (less than 64 octets) received.
• Oversize Packets—Oversized packets (over 1518 octets) received.
STEP 3 Enter the parameters.
• Event Entry—Displays the event entry index number for the new entry.
• Community—Enter the SNMP community string to be included when traps are sent (optional).
• Description—Enter a name for the event. This name is used in the Add RMON Alarm Page to attach an alarm to an event.
• Type—Select the type of action that results from this event. Values are:
  - None—No action occurs when the alarm goes off.
Defining RMON Alarms

RMON alarms provide a mechanism for setting thresholds and sampling intervals to generate exception events on any RMON counters or any other SNMP object counter maintained by the agent. Both the rising and falling thresholds must be configured in the alarm. After a rising threshold is crossed, another rising event is not generated until the companion falling threshold is crossed.
• Falling Threshold—Enter the falling counter value that triggers the falling threshold alarm.
• Falling Event—Selects an event, from those defined in the Events table, to be performed when a falling event is triggered.
• Startup Alarm—Select the first event from which to start generation of alarms. Rising is defined by crossing the threshold from a low-value threshold to a higher-value threshold.
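The rising/falling behaviour described under Defining RMON Alarms, as an added example that is not part of the original guide or the switch firmware: a small model of the alarm state machine, replayed over constructed per-interval counter samples and compared with a plain threshold check. The class and function names, the threshold values, and the way Startup Alarm suppresses only the first sample's event are assumptions of this sketch.

```python
"""Simplified model of RMON alarm hysteresis (added example, not switch code)."""
from dataclasses import dataclass

RISING = "rising"
FALLING = "falling"
RISING_AND_FALLING = "rising-and-falling"


@dataclass
class RmonAlarm:
    rising_threshold: int
    falling_threshold: int
    startup_alarm: str = RISING_AND_FALLING

    def __post_init__(self):
        # Constraint of this model: hysteresis needs a gap between thresholds.
        if self.falling_threshold >= self.rising_threshold:
            raise ValueError("falling threshold must be below rising threshold")
        if self.startup_alarm not in (RISING, FALLING, RISING_AND_FALLING):
            raise ValueError("unknown startup alarm setting")
        self._rising_armed = True
        self._falling_armed = True
        self._first_sample = True

    def sample(self, value):
        """Feed one sampled value; return RISING, FALLING or None."""
        event = None
        if value >= self.rising_threshold and self._rising_armed:
            # Rising event: no further rising event until the falling
            # threshold has been crossed.
            self._rising_armed, self._falling_armed = False, True
            event = RISING
        elif value <= self.falling_threshold and self._falling_armed:
            self._falling_armed, self._rising_armed = False, True
            event = FALLING
        if self._first_sample:
            self._first_sample = False
            # Startup Alarm decides which event the first sample may raise.
            # The state above is still updated; only the event is suppressed.
            if event is not None and self.startup_alarm not in (event, RISING_AND_FALLING):
                event = None
        return event


def replay(alarm, samples):
    """Return (sample index, event) for every event the alarm generates."""
    events = []
    for index, value in enumerate(samples):
        event = alarm.sample(value)
        if event is not None:
            events.append((index, event))
    return events


def naive_rising(samples, threshold):
    """Indices a plain 'value >= threshold' check would alert on."""
    return [i for i, value in enumerate(samples) if value >= threshold]


# Constructed samples: broadcast packets seen per sampling interval on one port.
SAMPLES = [50, 120, 130, 90, 110, 15, 10, 150]

if __name__ == "__main__":
    print("hysteresis:", replay(RmonAlarm(100, 20), SAMPLES))
    print("naive     :", naive_rising(SAMPLES, 100))
```

With these samples the alarm raises three events where the plain check would alert four times, because the dip to 90 does not reach the falling threshold and so does not re-arm the rising event.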
3 Managing System Logs

This chapter describes the System Log feature, which enables the switch to keep several independent logs. Each log is a set of messages recording system events. The switch generates the following local logs:
• Log written into a cyclical list of logged events in RAM, which is erased when the switch reboots.
• Log written to a cyclical log-file saved to Flash memory, which persists across reboots.
The event severity levels are listed from the highest severity to the lowest severity, as follows:
• Emergency—System is not usable.
• Alert—Action is needed.
• Critical—System is in a critical condition.
• Error—System is in error condition.
• Warning—System warning has occurred.
• Notice—System is functioning properly, but a system notice has occurred.
• Informational—Device information.
• RAM Memory Logging—Select the severity levels of the messages to be logged to RAM.
• Flash Memory Logging—Select the severity levels of the messages to be logged to Flash memory.

STEP 3 Click Apply. The switch is updated.

Setting Remote Logging Settings

The Remote Log Servers Page enables defining remote SYSLOG servers where log messages are sent (using the SYSLOG protocol).
• UDP Port—Enter the UDP port to which the log messages are sent.
• Facility—Select a facility value from which system logs are sent to the remote server. Only one facility value can be assigned to a server. If a second facility code is assigned, the first facility value is overridden.
• Description—Enter a server description.
• Minimum Severity—Select the minimum level of system log messages to be sent to the server.

STEP 4 Click Apply.
To clear the log messages, click Clear Logs. The messages are cleared.

Flash Memory

The Flash Memory Page displays the messages that were stored in Flash memory, in chronological order. The minimum severity for logging is configured in the Log Settings Page. Flash logs remain when the switch is rebooted. You can clear the logs manually.

To view the Flash logs click Status and Statistics > View Log > Flash Memory. The Flash Memory Page opens.
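A collector-side check for the Facility and Minimum Severity settings of the Remote Log Servers Page, as an added example that is not part of the original guide: it decodes the priority header of each received SYSLOG line and reports lines that do not match what the switch was configured to send. The numeric severity codes and the trailing Debug level follow RFC 5424; the facility value 23 (local7), the function names and the sample lines are assumptions constructed for the example.

```python
"""Audit received SYSLOG lines against a switch's remote-logging settings."""
import re

# Severity names, most severe first, as listed in the guide. The position in
# this list is the numeric code used on the wire (RFC 5424); Debug is level 7.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) from the <PRI> header of a SYSLOG line."""
    match = PRI_RE.match(line)
    if match is None:
        raise ValueError("no PRI header")
    pri = int(match.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        raise ValueError("PRI out of range")
    return divmod(pri, 8)  # PRI = facility * 8 + severity


def audit(lines, expected_facility, minimum_severity):
    """Return (line number, reason) for every line that breaks expectations.

    Reasons: 'malformed' (bad header), 'facility' (not the single facility
    configured for this server), 'severity' (less severe than the configured
    Minimum Severity, so the switch should not have sent it).
    """
    min_code = SEVERITIES.index(minimum_severity)
    findings = []
    for number, line in enumerate(lines, start=1):
        try:
            facility, severity = decode_pri(line)
        except ValueError:
            findings.append((number, "malformed"))
            continue
        if facility != expected_facility:
            findings.append((number, "facility"))
        if severity > min_code:  # larger code means less severe
            findings.append((number, "severity"))
    return findings


# Constructed sample input; the message text is illustrative only.
CONSTRUCTED_LINES = [
    "<187>Jan  1 00:00:10 switch-a example: link down on e1",     # local7, Error
    "<188>Jan  1 00:00:12 switch-a example: temperature notice",  # local7, Warning
    "<190>Jan  1 00:00:15 switch-a example: user logged in",      # local7, Informational
    "<14>Jan  1 00:00:20 switch-a example: other facility",       # user, Informational
    "<999>Jan  1 00:00:21 switch-a example: bad header value",
    "no header at all",
]

if __name__ == "__main__":
    for number, reason in audit(CONSTRUCTED_LINES, 23, "Warning"):
        print(f"line {number}: {reason}")
```

A finding for a source that should be this switch means either the remote-logging settings were changed or the line came from a different sender.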
4 Managing System Files

You can choose the firmware file from which the switch boots. You can also copy file types internally on the switch, or to or from an external device, such as a PC. The methods of file transfer are:
• Internal copy.
• HTTP that uses the facilities that the browser provides.
• TFTP client, requiring a TFTP server.

Configuration files on the switch are defined by their type, and contain the settings and parameter values for the device.
To preserve any changes made to the switch, you must save the Running Configuration to the Startup Configuration, or another file type if you do not want the switch to reboot with this configuration. If you have saved the Running Configuration to the Startup Configuration, when the switch is rebooted, it recreates a Running Configuration that includes the changes you have made since the last time the Running Configuration was saved to the Startup Configuration.
• Language File—The dictionary that allows the windows to be displayed in the selected language.
• Flash Log—SYSLOG messages stored in Flash memory.

File Actions

The following actions can be performed to manage firmware and configuration files:
• Upgrade the firmware or boot code, or replace a language as described in Upgrade/Backup Firmware/Language section.
It includes the following topics:
• Upgrade/Backup Firmware/Language
• Selecting the Active Image
• Downloading or Backing-up a Configuration or Log
• Displaying Configuration File Properties
• Copying or Saving Switch Configuration File Types
• Setting DHCP Auto Configuration

Upgrade/Backup Firmware/Language

The Upgrade/Backup Firmware/Language process can be used to:
• Upgrade or backup the firmware image
• Upgrade or backup the boo
After uploading new firmware on the switch, the switch continues to boot by using the active image (the old version) until you change the status of the new image to be the active image by using the procedure in the “Selecting the Active Image” section. Then boot the switch by using the process described in the Rebooting the Switch section.
If for the Save Action you selected Backup to specify that a copy of the file type is to be saved to a file on another device, do the following:
a. File Type—Select the source file type. Only valid file types can be selected. (The file types are described in the Files and File Types section.)
b. IP Version—Select whether an IPv4 or an IPv6 address is used.
c. IPv6 Address Type—Select the IPv6 address type (if used).
If for the Save Action you selected Backup to specify that a copy of the file type is to be saved to a file on another device, do the following:
a. Source File Type—Select the configuration file type. Only valid file types are displayed. (The file types are described in the Files and File Types section.)
b. Click Apply. The File Download window displays.
c. Click Save. The Save As window displays.
d. Click Save.

STEP 5 Click Apply or Done.
Downloading or Backing-up a Configuration or Log

The Download/Backup Configuration/Log Page enables the backup from configuration file types or the flash log on the switch to a file on another device or the restoration of configuration file types from another device to the switch.
d. TFTP Server—Enter the IP address of the TFTP server.
e. Source File Name—Enter the source file name. File names cannot contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 160 characters. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”).
f. Destination File Type—Enter the destination configuration file type.
Select the Save Action. If for the Save Action you select Download to specify that the file type on the switch is to be replaced with a new version of that file type from a file on another device, do the following. Otherwise, go to the next procedure in this step.
a. Source File Name—Click Browse to select a file or enter the path and source file name to be used in the transfer.
b. Destination File Type—Select the configuration file type.
To clear a configuration file, select it and click Clear Files.

Copying or Saving Switch Configuration File Types

When you click Apply on any window, changes that you made to the switch configuration settings are stored only in the Running Configuration. To preserve the parameters in the Running Configuration, the Running Configuration must be copied to another configuration type or saved as a file on another device.
Setting DHCP Auto Configuration

Dynamic Host Configuration Protocol (DHCP) provides a means of passing configuration information (including the IP address of a TFTP server and a configuration file name) to hosts on a TCP/IP network. By default, the switch is enabled as a DHCP client.
To configure DHCP server auto configuration:

STEP 1 Click Administration > File Management > DHCP Auto Configuration. The DHCP Auto Configuration Page opens.

STEP 2 Enter the values.
• Auto Configuration Via DHCP—Select this field to enable or disable the automatic transfer of a configuration from a TFTP server to the Startup Configuration on the switch.
5 General Administrative Information and Operations

This chapter describes how to view system information and configure various options on the switch.
System information:
• System Description—A description of the system.
• System Location—Physical location of the switch. Click Edit to go to the System Settings Page to enter this value.
• System Contact—Name of a contact person. Click Edit to go to the System Settings Page to enter this value.
• Host Name—Name of the switch. Click Edit to go to the System Settings Page to enter this value.
• Locale—Locale of the first language. (This is always English.)
• Language Version—Firmware version of the primary language package.
• Language MD5 Checksum—MD5 checksum of the language file.
• Locale—Locale of the second language.
• Language version—Firmware version of the secondary language package.
• Language MD5 Checksum—MD5 checksum of the secondary language file.
STEP 3 Click Apply to set the values in the Running Configuration.

Switch Models

All models can be fully managed through the web-based switch configuration utility. Layer 2 is the default mode of operation for all devices. In Layer 2 mode, the switch forwards packets as a VLAN aware bridge. In Layer 3 mode, the switch performs both IPv4 routing and VLAN aware bridging.
Managed Switch Models (Continued)

Columns: Model Name, Product ID (PID), Description, Ports, Power Dedicated to PoE, No. of Ports that Support PoE

SF 300-08  SRW208-K9  8-port 10/100. e1-e8. 8-port 10/100.
SF 302-08  SRW208G-K9  8-port 10/100. e1-e8, g1-g2. 8-port 10/1000 plus two 10/100/1000 ports.
SF 302-08MP  SRW208MP-K9  8-port 10/100 PoE. e1-e8, g1-g2. 8-port 10/1000 plus two 10/100/1000 ports.
To reboot the switch:

STEP 1 Click Administration > Reboot. The Reboot Page opens.

STEP 2 Click one of the Reboot buttons.
• Reboot—Reboots the switch. Since any unsaved information in the Running Configuration is discarded when the switch is rebooted, you must click Save in the upper-right corner of any window to preserve current configuration across the boot process.
Monitoring the Fan Status and Temperature

The Health Page displays the switch fan status and temperature on a SF 300-48P. The SG 300-28P, SF 300-24P, and SG 300-52 display only the fan status.

To view the switch health parameters, click Status and Statistics > Health. The Health Page opens.

The Health page displays the following fields:
• Fan Status—Fan status.
• Temperature—Switch temperature.
6 System Time

Network time synchronization is critical because every aspect of managing, securing, planning, and debugging a network involves determining when events occur. Time also provides the only frame of reference between all devices on the network. Without synchronized time, accurately correlating log files between these devices is difficult, even impossible. A few of the specific reasons include tracking security breaches and network usage.
System Time Options

System time can be set manually by the user or dynamically by using an SNTP server. If an SNTP server is chosen, the manual time settings are overwritten when communication with the server is established. As part of the boot process, the switch always configures the time, time-zone, and DST in some way, either from DHCP, from SNTP, from values set manually, or if all else fails from the factory defaults.
• Manual configuration of the time zone and DST by the user, where the time zone and DST set manually becomes the Operational time zone and DST, only if the dynamic configuration of the time zone and DST is disabled or fails.

Configuring System Time

Use the System Time Page to configure the current time, time zone, DST, and the time source. If the time is determined manually, enter the manual time here.
Local Settings—The local time is used when there is no alternate source of time, such as an SNTP server:
• Date—Enter the system date.
• Local Time—Enter the system time.
• Time Zone Offset—Select the difference in hours between Greenwich Mean Time (GMT) and the local time. For example, the Time Zone Offset for Paris is GMT +1, while the Time Zone Offset for New York is GMT – 5.
• Daylight Savings—Select Daylight Savings to enable DST.
Time—The time at which DST ends every year.

STEP 3 Click Apply. The system time values are defined, and the switch is updated. The time settings are displayed in the Actual Time Details block.

Setting SNTP

A switch can be configured to synchronize its system clock with an SNTP server by using the SNTP Settings Page.

NOTE This feature requires that the DNS servers be configured on the switch (see the Defining DNS Servers section) to work properly.
• Authentication Key ID—Key Identification used to communicate between the SNTP server and switch.
• Preference—Priority of use for the SNTP server.
  - Primary—Server with the lowest stratum level. Stratum level is the distance from the reference clock. Time information is taken from this server.
  - Secondary—Server with the next lowest stratum level after the primary server. Serves as a backup to the primary server.
• IPv6 Address Type—Select the IPv6 address type (if IPv6 is used). The options are:
  - Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
After a key has been created, it must be bound to one or more relevant SNTP servers to be authenticated. This authentication key can also be used for authentication when receiving Broadcast synchronization. SNTP sessions might require authentication. A Unicast SNTP server that requires authentication must be bound to an authentication key when it is added by using the Add SNTP Server Page.
7 Managing Device Diagnostics

This chapter contains information for configuring port mirroring, running cable tests, and viewing device operational information. It includes the following topics:
• Testing Copper Ports
• Displaying Optical Module Status
• Configuring Port and VLAN Mirroring
• Viewing CPU Utilization

Testing Copper Ports

The Copper Ports Page displays the results of integrated cable tests performed on copper cables.
To test copper cables attached to ports:

STEP 1 Click Administration > Diagnostics > Copper Ports. The Copper Ports Page opens. This page displays the results of previously-conducted basic tests.

STEP 2 To perform a Basic test, select a port from the list of ports, and click Basic Test. A message displays indicating that the test causes the link to briefly go down.

STEP 3 Click OK to confirm that the link can go down or click Cancel to abort the test.
• Link Status—Current link Up/Down status.
• Pair—Cable wire pairs being tested.
• Distance to Fault—Distance between the port and the location on the cable where the fault was discovered.
• Status—Wire pair status. Red indicates fault and Green indicates status OK.
• Cable length—Cable length in meters. If the link is down, TDR Technology is used to test the GE and FE ports. Cable length measurements are accurate to within 3 to 4 meters.
Displaying Optical Module Status

The Optical Module Status Page displays the operating conditions reported by the SFP (Small Form-factor Pluggable) transceiver. Some information might not be available for SFPs that do not support the digital diagnostic monitoring standard SFF-8472.
• Output Power—Transmitted optical power.
• Input Power—Received optical power.
• Transmitter Fault—Remote SFP reports signal loss. Values are True, False, and No Signal (N/S).
• Loss of Signal—Local SFP reports signal loss. Values are True and False.
• Data Ready—SFP is operational.
To enable port and VLAN mirroring:

STEP 1 Click Administration > Diagnostics > Port and VLAN Mirroring. The Port and VLAN Mirroring Page opens.

This page displays the following fields:
• Destination Port—Port to which traffic is to be copied; the analyzer port.
• Source Interface—Interface, port, or VLAN, from which traffic is sent to the analyzer port.
• Type—Type of monitoring: incoming to the port, outgoing from the port, or both.

Viewing CPU Utilization

The CPU Utilization Page displays the switch CPU utilization. You can enable or disable CPU utilization monitoring, and configure the rate at which the graph is updated.

To enable and display CPU utilization:
STEP 1 Click Administration > Diagnostics > CPU Utilization. The CPU Utilization Page opens.
STEP 2 Select CPU Utilization to enable viewing CPU resource utilization information.

8 Configuring Discovery

This chapter provides information for configuring Discovery. It includes the following topics:
• Configuring Bonjour Discovery
• Configuring LLDP

Configuring Bonjour Discovery

As a Bonjour client, the switch periodically broadcasts Bonjour Discovery protocol packets to directly-connected IP subnet(s), advertising its existence and the services that it provides, for example, HTTP, HTTPS, and Telnet.
To globally enable Bonjour when the switch is in Layer 2 mode:
STEP 1 Click Administration > Discovery - Bonjour. The Discovery - Bonjour Page opens.
STEP 2 Select Enable to enable Bonjour Discovery globally on the switch.
STEP 3 Click Apply. Bonjour is enabled or disabled on the switch according to the selection.

Bonjour for a System in Layer 3 Mode

In Layer 3 mode, each interface (VLAN, port, or LAG) can be assigned an IP address.
Click Delete to disable an interface and remove it from the Bonjour Discovery Interface Control table.
STEP 4 Click Apply. A popup is displayed indicating whether Bonjour was successfully enabled or disabled on the interfaces.
STEP 5 Click Apply. Bonjour is enabled or disabled on the interfaces added.

Configuring LLDP

4. Associate LLDP MED network policies to ports by using the LLDP MED Port Settings Page.
5. View LLDP local port status details by using the LLDP Local Information Page.
6. View the LLDP information that was discovered from neighbors, such as local port, system name, time to live, system description, system capabilities by using the LLDP Neighbors Information Page.
7. View LLDP-related statistical information per interface by using the LLDP Statistics Page.
8.
For a description of LLDP MED, refer to the LLDP MED Protocol section.
STEP 3 In the Fast Start Repeat Count field, enter the number of times LLDP packets are sent when the LLDP-MED Fast Start mechanism is initialized. This occurs when a new endpoint device links to the switch.
STEP 4 Click Apply. The LLDP properties are defined.
• SNMP Notification—Select Enable to send notifications to SNMP notification recipients, for example an SNMP managing system, when there is a topology change. The time interval between notifications is entered in the Topology Change SNMP Notification Interval field in the LLDP Properties Page. Define SNMP Notification Recipients by using the SNMP > Notification Recipient v1,2 and/or SNMP > Notification Recipient v3.
- 802.3 Maximum Frame—Maximum frame size capability of the MAC/PHY implementation.
The following fields relate to the Management Address:
• Advertisement Mode—Select one of the following ways to advertise the IP management address of the switch:
- Auto Advertise—Send the current management IP address of the switch, regardless of whether it was acquired via DHCP or manually.
- None—Do not advertise the management IP address.
• Provides troubleshooting information. LLDP MED sends alerts to network managers:
- Port speed and duplex mode conflicts
- QoS policy misconfigurations
NOTE The switch automatically advertises the policy according to your configuration; however, you must also manually configure the switch to use that policy.

Setting LLDP MED Network Policy

An LLDP-MED network policy is a related set of configuration settings identified by a network policy number.
• Application—Select from the list the type of application (type of traffic) for which the network policy is being defined:
- Voice
- Voice Signaling
- Guest Voice
- Guest Voice Signaling
- Softphone Voice
- Video Conferencing
- Streaming Video
- Video Signaling
• VLAN ID—Enter the VLAN ID to which the traffic should be sent.
• VLAN Tag—Select whether the traffic is Tagged or Untagged.
STEP 2 Select a port, and click Edit. The Edit LLDP MED Port Settings Page opens. This page enables associating LLDP MED policies to ports.
STEP 3 Enter the parameters.
• Port—Select a port to configure. After you have configured this port and clicked Apply, you can configure another port without returning to the LLDP MED Port Settings Page.
• LLDP MED Status—Enable/disable LLDP MED on this port.

Displaying LLDP Port Status

The LLDP Port Status Table Page displays the LLDP global information, as well as the LLDP status for every port. To view the LLDP port status, click Administration > Discovery - LLDP > LLDP Port Status. The LLDP Port Status Page opens.

LLDP Port Status Global Information
• Chassis ID Subtype—Type of chassis ID (for example, MAC address).
• Chassis ID—Identifier of chassis.

Displaying LLDP Local Information

To view the LLDP local port status advertised on a port:
STEP 1 Click Administration > Discovery - LLDP > LLDP Local Information. The LLDP Local Information Page opens.
Click LLDP Local Information Details to see the details of the LLDP and LLDP-MED TLVs sent to the neighbor.
Click LLDP Neighbor Information Details to see the details of the LLDP and LLDP-MED TLVs received from the neighbor.
• Address—Returned address most appropriate for management use, typically a Layer 3 address.
• Interface Subtype—Numbering method used for defining the interface number.
• Interface Number—Specific interface associated with this management address.

MAC/PHY Details
• Auto-Negotiation Supported—Port speed auto-negotiation support status.
• Auto-Negotiation Enabled—Port speed auto-negotiation active status.
- Endpoint Class 2—Indicates a media endpoint class, offering media streaming capabilities, as well as all Class 1 features.
- Endpoint Class 3—Indicates a communications device class, offering all Class 1 and Class 2 features plus location, 911, Layer 2 switch support, and device information management capabilities.
• PoE Device Type—Port PoE type, for example, powered.
• PoE Power Source—Port power source.
• PoE Power Priority—Port power priority.
• VLAN Type—VLAN type for which the network policy is defined. The possible field values are:
- Tagged—Indicates the network policy is defined for tagged VLANs.
- Untagged—Indicates the network policy is defined for untagged VLANs.
• User Priority—Network policy user priority.
• DSCP—Network policy DSCP.
This page displays the following fields:

Port Details
• Local Port—Port number.
• MSAP Entry—Device Media Service Access Point (MSAP) entry number.

Basic Details
• Chassis ID Subtype—Type of chassis ID (for example, MAC address).
• Chassis ID—Identifier of the 802 LAN neighboring device chassis.
• Port ID Subtype—Type of the port identifier that is shown.
• Port ID—Identifier of port.
• Auto-Negotiation Enabled—Port speed auto-negotiation active status. The possible values are True and False.
• Auto-Negotiation Advertised Capabilities—Port speed auto-negotiation capabilities, for example, 1000BASE-T half duplex mode, 100BASE-TX full duplex mode.
• Operational MAU Type—Medium Attachment Unit (MAU) type.
- Endpoint Class 2—Indicates a media endpoint class, offering media streaming capabilities as well as all Class 1 features.
- Endpoint Class 3—Indicates a communications device class, offering all Class 1 and Class 2 features plus location, 911, Layer 2 switch support and device information management capabilities.
• PoE Device Type—Port PoE type, for example, powered.
• PoE Power Source—Port’s power source.
• PoE Power Priority—Port’s power priority.

Location Information
Enter the following data structures in hexadecimal as described in section 10.2.4 of the ANSI-TIA-1057 standard:
• Civic—Civic or street address.
• Coordinates—Location map coordinates—latitude, longitude, and altitude.
• ECS ELIN—Device’s Emergency Call Service (ECS) Emergency Location Identification Number (ELIN).
• Unknown—Unknown location information.
- Errors—Total number of received frames with errors.
• Rx TLVs
- Discarded—Total number of received TLVs that were discarded.
- Unrecognized—Total number of received TLVs that were unrecognized.
• Neighbor’s Information Deletion Count—Number of neighbor ageouts on the interface.
STEP 2 Click Refresh to view the latest statistics.

LLDP Overloading

LLDP adds information to packets, and can create oversized packets.
- Size (Bytes)—Total mandatory TLV byte size.
- Status—If the mandatory TLV group is being transmitted, or if the TLV group was overloaded.
• LLDP MED Capabilities
- Size (Bytes)—Total LLDP MED capabilities packets byte size.
- Status—If the LLDP MED capabilities packets were sent, or if they were overloaded.
• LLDP MED Location
- Size (Bytes)—Total LLDP MED location packets byte size.
• LLDP MED Inventory
- Size (Bytes)—Total LLDP MED inventory TLVs packets byte size.
- Status—If the LLDP MED inventory packets were sent, or if they were overloaded.
• Total (Bytes)—Total number of packets sent (in bytes).
• Left to Send (Bytes)—Total number of packet bytes left to transmit.

9 Port Management

This chapter describes port configuration, link aggregation, and the Green Ethernet feature. It contains the following topics:
• Setting the Basic Port Configuration
• Configuring Link Aggregation
• Static and Dynamic LAG Workflow
• Defining LAG Management
• Configuring LACP
• Green Ethernet

Port Management Workflow

To configure ports, perform the following actions:
1. Configure port by using the Port Settings Page.
2.
7. If PoE is supported and enabled for the switch, configure the switch as described in Managing Power-over-Ethernet Devices.

Setting the Basic Port Configuration

The Port Settings Page displays the global and per-port settings of all the ports. This page enables you to select and configure the desired ports from the Edit Port Setting Page.
NOTE SFP Fiber takes precedence when both ports are being used.
• Operational Status—Displays the current port connection status.
• Reactivate Suspended Port—Select to reactivate a port that has been suspended. There are numerous ways that a port can be suspended, such as through the locked port security option, Access Control List (ACL) configurations, BPDUGuard, or Root-Guard.
• Auto-Negotiation—Select to enable auto-negotiation on the port.
- 1000 Full—1000 Mbps speed and Full Duplex mode.
• Operation Advertisement—Displays the capabilities currently published to the port’s neighbor to start the negotiation process. The possible options are those specified in the Administrative Advertisement field.
• Back Pressure—Select the Back Pressure mode on the port (used with Half Duplex mode) to slow down the packet reception rate when the switch is congested.
- Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN.
- Both ports and LAGs can be defined as protected or unprotected.
• Member in LAG—Displays the LAG, if the port is a member of a LAG.
STEP 6 Click Apply. The Port Settings are modified, and the switch is updated.

Configuring Link Aggregation

The switch supports two modes of load balancing:
• By MAC Addresses—Based on the destination and source MAC addresses of all packets.
• By IP and MAC Addresses—Based on the destination and source IP addresses for IP packets, and destination and source MAC addresses for non-IP packets.

LAG Management

Active member ports in a LAG are defined statically by explicit user assignment or are dynamically selected by the Link Aggregation Control Protocol (LACP).

Static and Dynamic LAG Workflow

To configure a static LAG, perform the following actions:
1. Configure the selected LAG as a static LAG by disabling LACP on the LAG. Assign up to eight active member ports to the static LAG by selecting and moving the ports from the Port List to the LAG Members list by using the LAG Management Page.
2. Configure the LAG speed and flow control by using the LAG Settings Page.

Defining Member Ports in a LAG

The LAG Management Page enables you to define the member ports in a LAG.
STEP 1 Select the LAG to be configured, and click Edit. The Edit LAG Membership Page opens.
STEP 2 Enter the values for the following fields:
• LAG—Select the LAG number.
• LAG Name—Enter the LAG name or a comment.
• LACP—Select to enable LACP on the selected LAG. This makes it a dynamic LAG.
• Administrative Status—Set the selected LAG to operational (Up) or nonoperational (Down).
• Operational Status—Displays whether the LAG is currently operating.
• Reactivate Suspended LAG—Select to reactivate a port if the LAG has been disabled through the locked port security option or through the ACL configurations.
• Administrative Auto-Negotiation—Enable or disable auto-negotiation on the LAG.
• Administrative Flow Control—Enable or disable Flow Control or enable the auto-negotiation of Flow Control on the LAG.
• Operational Flow Control—Displays the current Flow Control setting.
• Protected LAG—Select to make the LAG a protected port for Layer 2 isolation. See the Port Configuration description in the Port Management Workflow section for details regarding protected ports and LAGs.
STEP 4 Click Apply. The switch is updated.

Configuring LACP

• If the port LACP priority of the link is lower than that of the currently-active link members, and the number of active members is already at the maximum number, the link is made inactive, and placed in standby mode.

Setting Port LACP Parameter Settings

The LACP Page displays and enables configuration of the LACP System Priority, LACP timeout, and LACP port priority.

Green Ethernet

Green Ethernet is a common name for a set of features that are designed to be environmentally friendly, and to reduce the power consumption of a device. The Green Ethernet feature reduces overall power usage in two ways:
• Energy-Detect Mode—On an inactive link, the port moves into inactive mode, saving power while keeping the Administrative status of the port Up. Recovery from this mode to full operational mode is fast, transparent, and no frames are lost.

Setting Global Green Ethernet Properties

The Properties Page displays and enables configuration of the Green Ethernet mode for the switch. It also displays the current power savings.

To define Global Green Ethernet properties:
STEP 1 Click Port Management > Green Ethernet > Properties. The Properties Page opens.
STEP 2 Enter the values for the following fields:
• Energy Detect Mode—Globally enable or disable Energy Detect mode.

Setting per Port Green Ethernet Properties

The Port Settings Page displays the current Green Ethernet Energy mode for each port, and enables selecting a port for Green Ethernet Energy configuration by using the Edit Port Setting Page. For the Green Ethernet modes to operate on a port, the corresponding modes must be activated globally in the Properties Page.

To define per port Green Ethernet settings:
STEP 1 Click Port Management > Green Ethernet > Port Settings.
STEP 5 Click Apply. The Green Ethernet port settings are modified, and the switch is updated. Select another port to display or edit that port.

10 Managing Power-over-Ethernet Devices

The Power over Ethernet (PoE) feature is only available on PoE-based devices. For a list of PoE-based devices, refer to the Switch Models section. This chapter describes how to use the PoE feature.

PoE on the Switch

Power over Ethernet can be used in any enterprise network that deploys relatively low-powered devices connected to the Ethernet LAN, such as:
• IP phones
• Wireless access points
• IP gateways
• Audio and video remote monitoring devices

PoE Operation

PoE is implemented in the following stages:
• Detection—Sends special pulses on the copper cable. When a PoE device is located at the other end, that device responds to these pulses.
You can decide the following:
• Maximum power a PSE is allowed to supply to a PD
• During device operation, to change the mode from Class Power Limit to Port Limit and vice versa. The power values per port that were configured for the Port Limit mode are retained.
• Maximum port limit allowed as a per-port numerical limit in mW (Port Limit mode).

Configuring PoE Properties

To configure PoE on the switch and monitor current power usage:
STEP 1 Click Port Management > PoE > Properties. The PoE Properties Page opens.
STEP 2 Enter the values for the following fields:
• Power Mode—Select one of the following options:
- Port Limit—The maximum power limit per each port is configured by the user.

Configuring the PoE Power, Priority, and Class

The PoE Settings Page displays system PoE information for enabling PoE on the interfaces and monitoring the current power usage and maximum power limit per port. This page limits the power per port in two ways depending on the Power Mode:
• Port Limit: Power is limited to a specified wattage. For these settings to be active, the system must be in PoE Port Limit mode.
• Class—This field is displayed only if the Power Mode set in the PoE Properties Page is Class Limit. The class determines the power level:

  Class   Maximum Power Delivered by Switch Port
  0       15.4 watt
  1       4.0 watt
  2       7.0 watt
  3       15.4 watt
  4       15.4 watt

• Power Allocation—This field is displayed only if the Power Mode set in the PoE Properties Page is Port Limit. Enter the power in milliwatts allocated to the port.

11 VLAN Management

This chapter contains the following topics:
• VLANs
• Configuring Default VLAN Settings
• Creating VLANs
• Configuring VLAN Interface Settings
• Defining VLAN Membership
• GVRP Settings
• VLAN GROUPS
• Voice VLAN
• Configuring Voice VLAN Properties

VLANs

A VLAN is a logical group that enables devices connected to the VLAN to communicate with each other over the Ethernet MAC layer, regardless of the physical LAN segment of the bridged network to which they are connected.
VLANs address security and scalability issues. Traffic from a VLAN stays within the VLAN, and terminates at devices in the VLAN. It also eases network configuration by logically connecting devices without physically relocating those devices.
If a frame is VLAN-tagged, a four-byte VLAN tag is added to each Ethernet frame, increasing the maximum frame size from 1518 to 1522. The tag contains a VLAN ID between 1 and 4094, and a VLAN Priority Tag (VPT) between 0 and 7.
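The tag layout described above, as an added example that is not part of the Cisco guide: a parser that extracts the VLAN ID and VPT from a raw Ethernet frame, checks the 1518/1522 size limits, and applies the Admit All and Admit Tagged Only frame types described later in this chapter. The 0x8100 tag identifier and the bit positions come from IEEE 802.1Q; the function names, sample addresses and the treatment of priority-tagged frames under Admit Tagged Only are assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
FCS_LEN = 4           # frame check sequence, usually absent from captures
MAX_UNTAGGED = 1518   # maximum frame size without a tag (FCS included)
MAX_TAGGED = 1522     # maximum frame size with the four-byte tag

# Constructed sample addresses (locally administered), not from the guide.
DST = bytes.fromhex("020000000001")
SRC = bytes.fromhex("020000000002")


@dataclass(frozen=True)
class FrameInfo:
    kind: str               # "untagged", "priority-tagged", "tagged", "reserved-vid"
    vlan_id: Optional[int]  # 1..4094 for tagged frames, otherwise None
    vpt: Optional[int]      # 0..7 when a tag is present
    ethertype: int          # EtherType of the payload (after the tag, if any)
    oversize: bool          # True when the frame exceeds 1518 / 1522 bytes


def build_frame(dst, src, ethertype, payload, vlan_id=None, vpt=0):
    """Construct a test frame without FCS; vlan_id=None leaves it untagged."""
    header = dst + src
    if vlan_id is not None:
        tci = (vpt << 13) | (vlan_id & 0x0FFF)  # bit 12 (DEI/CFI) left at 0
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, has_fcs: bool = False) -> FrameInfo:
    """Classify a frame and pull the VLAN ID and VPT out of its tag."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    wire_len = len(frame) + (0 if has_fcs else FCS_LEN)
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return FrameInfo("untagged", None, None, ethertype,
                         wire_len > MAX_UNTAGGED)
    if len(frame) < 18:
        raise ValueError("802.1Q tag is truncated")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    vpt, vid = tci >> 13, tci & 0x0FFF
    if vid == 0:
        kind, vlan = "priority-tagged", None   # priority only; the PVID applies
    elif vid == 0x0FFF:
        kind, vlan = "reserved-vid", None      # 4095 is not a usable VLAN ID
    else:
        kind, vlan = "tagged", vid
    return FrameInfo(kind, vlan, vpt, inner, wire_len > MAX_TAGGED)


def admit(info: FrameInfo, frame_type: str) -> bool:
    """Ingress decision for the two frame types named in this chapter."""
    if info.oversize or info.kind == "reserved-vid":
        return False
    if frame_type == "Admit All":
        return True
    if frame_type == "Admit Tagged Only":
        # Assumption: priority-tagged frames carry no VLAN ID, so they are
        # treated like untagged frames and discarded here.
        return info.kind == "tagged"
    raise ValueError(f"unknown frame type: {frame_type!r}")


if __name__ == "__main__":
    for vid in (None, 0, 100):
        f = build_frame(DST, SRC, 0x0800, bytes(46), vlan_id=vid, vpt=5)
        print(vid, parse_frame(f), admit(parse_frame(f), "Admit Tagged Only"))
```
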
Adjacent VLAN-aware devices exchange VLAN information with each other by using Generic VLAN Registration Protocol (GVRP). As a result, VLAN information is propagated through a bridged network. VLANs on a device can be created statically or dynamically, based on the GVRP information exchanged by devices. A VLAN can be static or dynamic (from GVRP), but not both. For more information about GVRP, refer to the GVRP Settings section.

Configuring Default VLAN Settings

At factory default settings the switch automatically creates VLAN 1 as the default VLAN, the default interface status of all ports is Trunk, and all ports are configured as untagged members of the default VLAN. The default VLAN has the following characteristics:
• It is distinct, non-static/non-dynamic, and all ports are untagged members by default.
• It cannot be deleted.
• It cannot be given a label.
To change the default VLAN:
STEP 1 Click VLAN Management > Default VLAN Settings. The Default VLAN Settings Page opens.
STEP 2 Enter the value for the following field:
• Current Default VLAN ID—Displays the current default VLAN ID.
• Default VLAN ID After Reset—Enter a new VLAN ID to replace the default VLAN ID after reboot.
STEP 3 Click Apply.

Creating VLANs

To create a VLAN:
STEP 1 Click VLAN Management > Create VLAN. The Create VLAN Page opens. The Create VLAN page displays the following fields for all VLANs:
• VLAN ID—User-defined VLAN ID.
• VLAN Name—User-defined VLAN name.
• Type—VLAN type. The possible options are:
- Dynamic—VLAN was dynamically created through Generic VLAN Registration Protocol (GVRP).
- Static—VLAN is user-defined.
- Default—VLAN is the default VLAN.

Configuring VLAN Interface Settings

The Interface Settings Page displays and enables configuration of VLAN-related parameters for all interfaces. The Cisco Sx300 Series switch supports 256 VLANs; default VLAN included.

To configure the VLAN settings:
STEP 1 Click VLAN Management > Interface Settings. The Interface Settings Page opens. The Interface Settings page lists all ports or LAGs and their VLAN parameters.
• Frame Type—Select the type of frame that the interface can receive. Frames that are not of the configured frame type are discarded at ingress. These frame types are only available in General mode. Possible values are:
- Admit All—The interface accepts all types of frames: untagged frames, tagged frames, and priority tagged frames.
- Admit Tagged Only—The interface accepts only tagged frames.

Defining VLAN Membership

The Port to VLAN Page, VLAN To Port Page, and Port VLAN Membership Page display the VLAN memberships of the ports in various presentations. You can use the Port to VLAN Page and the VLAN To Port Page to add or remove memberships to or from the VLANs.
When a port is forbidden default VLAN membership, that port is not allowed membership in any other VLAN. An internal VID of 4095 is assigned to the port.
The port mode for each port or LAG is displayed with its current port mode (Access, Trunk or General) configured from the Interface Settings Page. Each port or LAG is displayed with its current registration to the VLAN.
STEP 3 Change the registration of an interface to the VLAN by selecting the desired option from the following list:
• Forbidden—The interface is not allowed to join the VLAN even from GVRP registration.
• VLANs—Drop-down list that displays all VLANs of which the interface is a member.
• LAG—If interface selected is Port, displays the LAG in which it is a member.
STEP 3 Select a port, and click the Join VLAN button. The Join VLAN To Port Page opens.
STEP 4 Enter the values for the following fields:
• Interface—Select a Port or LAG.
• Mode—Displays the port VLAN mode that was selected in the Interface Settings Page.
The Port VLAN Membership page displays the operational membership of the ports or LAGs:
• Port number.
• Mode—Port mode defined in the Interface Settings Page.
• PVID—Port VLAN Identifier of the VLAN to which incoming untagged frames are assigned at ingress. This assumes that no other VLAN assignment mechanism is used, such as MAC-based-VLAN.
• VLANs—VLAN to which the port belongs.
STEP 4 Select an interface type (Port or LAG), and click Go. The following fields are displayed in the GVRP Setting Table.
• Interface—Port or LAG number.
• GVRP State—Displays whether GVRP is enabled/disabled on the interface.
• Dynamic VLAN Creation—Displays whether Dynamic VLAN creation is enabled/disabled on the interface. If it is disabled, GVRP can operate but new VLANs are not created.

VLAN GROUPS

This feature is only available when the switch is in Layer 2 mode. The VLAN must be created and then bound to the interface.

To assign a MAC address to a VLAN Group:
STEP 1 Click VLAN Management > VLAN Groups > MAC Based Groups. The MAC Based Groups Page opens.
STEP 2 Click Add. The Add MAC Based Group opens.
STEP 3 Enter the values for the following fields:
• MAC Address—Enter a MAC address to be assigned to a VLAN group.
STEP 2 Click Add. The Add Mapping Group to VLAN opens. (The interface must be in General mode.)
STEP 3 Enter the values for the following fields:
• Group Type—Displays that the group is MAC-based.
• Interface—Enter an interface (Port or LAG) through which traffic is received.
• Group ID—Select one of the VLAN groups defined in the MAC Based Groups Page.
• VLAN ID—Select the VLAN to where traffic from the VLAN group is forwarded.

Voice VLAN

In MAC addresses, the first three bytes contain a manufacturer ID, known as an Organizationally Unique Identifier (OUI), and the last three bytes contain a unique station ID. The classification of a packet from VoIP equipment or phones is based on the OUI of the packet source MAC address.
Ports can be assigned to Voice VLAN as follows:
• Static—Assigned manually to the Voice VLAN (described in the Configuring VLAN Interface Settings section).
• Assign ports as candidates to the Voice VLAN. (This is configured by using the process described in the Configuring VLAN Interface Settings section.)
• Assign the QoS mode per port to one of the following:
- For a port that has already joined the Voice VLAN, all packets are assigned to the Voice VLAN as described in the Configuring VLAN Interface Settings section.
• The Voice VLAN QoS decision has priority over any other QoS decision, except for the Policy/ACL QoS decision.
• The Voice VLAN QoS is applied to candidate ports that have joined the Voice VLAN, and to static ports.
• The voice flow is accepted if the MAC address can be learned by the FDB. (If there is no free space in FDB, no action occurs).

Configuring Voice VLAN Properties

• Auto Membership Aging Time—Enter the interval of time after which the port exits the voice VLAN, if no voice packets are received. The range is from 1 minute to 30 days.
STEP 3 Click Apply. The VLAN properties are saved, and the switch is updated.

Configuring Telephony OUI

Organizationally Unique Identifiers (OUIs) are assigned by the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority.
STEP 4 Click Apply. The OUI is added.
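The OUI-based classification and Auto Membership Aging Time described in the Voice VLAN sections, as an added example that is not the switch's own code: a small model that matches the first three bytes of a source MAC address against a telephony OUI table, joins candidate ports to the Voice VLAN on a match, and ages them out when no voice packets arrive. The class name, port names and the OUI value are constructed for illustration, and the join and aging behaviour is a simplification of what the guide describes.

```python
from typing import Dict, Iterable, List, Set

MIN_AGING_S = 60              # 1 minute, lower bound given in the guide
MAX_AGING_S = 30 * 24 * 3600  # 30 days, upper bound given in the guide


def mac_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def oui_bytes(oui: str) -> bytes:
    digits = oui.replace(":", "").replace("-", "")
    if len(digits) != 6:
        raise ValueError(f"not a 24-bit OUI: {oui!r}")
    return bytes.fromhex(digits)


class VoiceVlanModel:
    """Hypothetical model of OUI-driven Voice VLAN membership."""

    def __init__(self, telephony_ouis: Dict[str, str],
                 candidate_ports: Iterable[str],
                 static_ports: Iterable[str] = (),
                 aging_s: int = 24 * 3600):
        if not MIN_AGING_S <= aging_s <= MAX_AGING_S:
            raise ValueError("aging time must be between 1 minute and 30 days")
        # OUI table: first three bytes of the MAC -> free-text description
        self.ouis = {oui_bytes(k): v for k, v in telephony_ouis.items()}
        self.candidates: Set[str] = set(candidate_ports)
        self.static: Set[str] = set(static_ports)
        self.aging_s = aging_s
        self.last_voice: Dict[str, float] = {}  # dynamic member -> last match

    def observe(self, port: str, src_mac: str, now: float) -> bool:
        """Return True if the frame is classified as voice on this port."""
        if mac_bytes(src_mac)[:3] not in self.ouis:
            return False
        if port in self.static:
            return True
        if port in self.candidates:
            self.last_voice[port] = now  # join, or refresh the aging timer
            return True
        return False                      # port is not eligible for Voice VLAN

    def expire(self, now: float) -> List[str]:
        """Remove dynamic members with no voice packet for aging_s seconds."""
        aged = sorted(p for p, t in self.last_voice.items()
                      if now - t >= self.aging_s)
        for port in aged:
            del self.last_voice[port]
        return aged

    def members(self) -> Set[str]:
        return self.static | set(self.last_voice)


if __name__ == "__main__":
    # Constructed table entry and port names, not values from the guide.
    model = VoiceVlanModel({"AA:BB:CC": "constructed phone vendor"},
                           candidate_ports={"GE1", "GE2"},
                           static_ports={"GE9"}, aging_s=60)
    print(model.observe("GE1", "aa:bb:cc:00:00:01", now=0), model.members())
    print(model.expire(now=60), model.members())
```

Because membership follows from the source MAC address alone, the per-port record kept in `last_voice` is the useful thing to review when auditing which ports joined the Voice VLAN and when.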

12 Configuring the Spanning Tree Protocol

The Spanning Tree Protocol (STP) (IEEE802.1D and IEEE802.1Q) is enabled by default, set to RSTP (Rapid Spanning Tree Protocol) mode, and protects a Layer 2 Broadcast domain from broadcast storms by selectively setting links to standby mode to prevent loops. In standby mode, these links temporarily do not transfer user data. They are automatically re-activated when the topology changes to make it desirable to transfer user data.

STP Flavors

The switch supports the following Spanning Tree Protocol versions:
• Classic STP provides a single path between any two end stations, avoiding and eliminating loops.
• Rapid STP (RSTP) detects network topologies to provide faster convergence of the spanning tree. This is most effective when the network topology is naturally tree-structured, and therefore faster convergence might be possible. RSTP is enabled by default.

Configuring STP Status and Global Settings

The STP Status and Global Settings Page contains parameters for enabling STP, RSTP, or MSTP. For detailed configuration of each STP mode, use the STP Interface Settings Page, RSTP Interface Settings Page, and MSTP Properties Page, respectively.

To set STP status and global settings:
STEP 1 Click Spanning Tree > STP Status and Global Settings.
• Hello Time—Set the interval in seconds that a Root Bridge waits between configuration messages. The range is 1 to 10 seconds.
• Max Age—Set the interval in seconds that the switch can wait without receiving a configuration message, before attempting to redefine its own configuration.
• Forward Delay—Set the interval in seconds that a bridge remains in a learning state before forwarding packets.

Defining Spanning Tree Interface Settings

To configure STP on an interface:
STEP 1 Click Spanning Tree > STP Interface Settings. The STP Interface Settings Page displays.
STEP 2 Select an interface and click Edit. The Edit Interface Settings Page displays.
STEP 3 Enter the parameters.
• Interface—Select the port number or LAG on which Spanning Tree is configured.
• STP—Enables or disables STP on the port.
• Port Role—Displays the behavior of the port.
• Designated Bridge ID—Displays the bridge priority and the MAC address of the designated bridge.
• Designated Port ID—Displays the priority and interface of the selected port.
• Designated Cost—Displays the cost of the port participating in the STP topology. Ports with a lower cost are less likely to be blocked if STP detects loops.

Configuring Rapid Spanning Tree Settings

STEP 4 If a link partner is discovered by using STP, click Activate Protocol Migration to run a Protocol Migration test. This discovers whether the link partner using STP still exists, and if so whether it has migrated to RSTP or MSTP. If it still exists as an STP link, the device continues to communicate with it by using STP.
• Fast Link Operational Status—Displays whether the Fast Link (Edge Port) is enabled, disabled, or automatic for the interface. The values are:
- Enabled—Fast Link is enabled.
- Disabled—Fast Link is disabled.
- Auto—Fast Link mode is enabled a few seconds after the interface becomes active.
• Port Status—Displays the RSTP status on the specific port.
- Disabled—STP is currently disabled on the port.
3. Associate these MSTP instances to VLAN(s), deciding which MSTP instance will be active in what VLAN.
4.
STEP 3 Enter the parameters.
• Region Name—Define an MSTP region name.
• Revision—Define an unsigned 16-bit number that identifies the revision of the current MST configuration. The field range is from 0 to 65535.
• Max Hops—Set the total number of hops that occur in a specific region before the BPDU is discarded. Once the BPDU is discarded, the port information is aged out. The field range is from 1 to 40.
STEP 2 To add a VLAN to an MST instance, select the MST instance, and click Edit. The Edit MST Instance to VLAN Page displays.
STEP 3 Enter the parameters.
• MST Instance ID—Select the MST instance.
• VLANs—Define the VLANs being mapped to this MST instance.
• Action—Define whether to Add (map) or Remove the VLAN to/from the MST instance.
STEP 4 Click Apply. The MSTP VLAN mappings are defined, and the switch is updated.
• Bridge ID—Displays the bridge priority and the MAC address of this switch for the selected instance.
• Remaining Hops—Displays the number of hops remaining to the next destination.
STEP 3 Click Apply. The MST Instance configuration is defined, and the switch is updated.
• Port State—Displays the MSTP status of the specific port on a specific MST instance. The parameters are defined as:
  - Disabled—STP is currently disabled.
  - Blocking—The port on this instance is currently blocked, and cannot forward traffic (with the exception of BPDU data) or learn MAC addresses.
  - Listening—The port on this instance is in Listening mode.
  - Boundary Port—A Boundary port attaches MST bridges to a LAN in an outlying region. If the port is a boundary port, it also indicates whether the device on the other side of the link is working in RSTP or STP mode.
  - Master Port—A Master port provides connectivity from an MSTP region to the outlying CIST root.
  - Internal—The port is an internal port.
13 Managing MAC Address Tables
MAC addresses are stored in the Static Address table or the Dynamic Address table, along with VLAN and port information. Static addresses are configured by the user in the Static Address table and do not age out. MAC addresses seen in packets arriving at the switch are listed in the Dynamic Address table for a period of time. If another frame with the same source MAC address does not appear on the switch before that time expires, the entry is deleted from the table.
To define a static address:
STEP 1 Click MAC Address Tables > Static Addresses. The Static Addresses Page opens. The Static Addresses Page displays the defined static addresses.
STEP 2 Click Add. The Add Static Address Page opens.
STEP 3 Enter the parameters.
• VLAN ID—Select the VLAN ID for the port.
• MAC Address—Enter the interface MAC address.
• Interface—Select an interface (port or LAG) for the entry.
Configuring Dynamic MAC Address Parameters
The Dynamic Addresses Setting Page enables entering the aging interval for the MAC address table.
To enter the aging interval for dynamic addresses:
STEP 1 Click MAC Address Tables > Dynamic Address Settings. The Dynamic Addresses Setting Page opens.
STEP 2 Enter Aging Time. The aging time is a value between the user-configured value and twice that value minus 1.
• Interface—Select the interface for which the table is queried. The query can search for specific ports or LAGs.
• Dynamic Address Table Sort Key—Enter the field by which the table is sorted. The address table can be sorted by VLAN ID, MAC address, or interface.
STEP 3 Select the preferred option for sorting the addresses table in the Dynamic Address Sort Key.
STEP 4 Click Go.
STEP 3 Enter the values for the following fields:
• MAC Address—Select the MAC address to be reserved.
• Frame Type—Select a frame type based on the following criteria:
  - Ethernet V2—Applies to Ethernet V2 packets with the specific MAC address.
  - LLC—Applies to Logical Link Control (LLC) packets with the specific MAC address.
14 Configuring Multicast Forwarding
This chapter describes the Multicast Forwarding feature, and contains the following topics:
• Multicast Forwarding
• Defining Multicast Properties
• MAC Group Address
• IP Multicast Group Address
• IGMP Snooping
• MLD Snooping
• IGMP/MLD IP Multicast Group
• Multicast Router Port
• Defining Forward All Multicast
• Defining Unregistered Multicast Settings
Multicast Forwarding
Multicast forwarding enables one-to-many information dissemination.
For Multicast forwarding to work across IP subnets, nodes and routers must be Multicast-capable. A Multicast-capable node must be able to:
• Send and receive Multicast packets.
• Register the Multicast addresses being listened to by the node with local routers, so that local and remote routers can route the multicast packet to the nodes.
The switch can forward multicast streams based on one of the following options:
• Multicast MAC Group Address
• IP Multicast Group Address (G)
• A combination of the source IP address (S) and the destination IP Multicast Group Address (G) of the Multicast packet.
One of these options can be configured per VLAN.
An IGMP Querier is required to facilitate the IGMP protocol on a given subnet. In general, a multicast router is also an IGMP Querier. When there are multiple IGMP Queriers in a subnet, the queriers elect a single querier as the primary querier. The Sx300 can be configured to be an IGMP Querier as a backup querier, or in a situation where a regular IGMP Querier does not exist. The Sx300 is not a full-capability IGMP Querier.
Defining Multicast Properties
The Properties Page enables you to configure the Bridge Multicast filtering status. By default, all Multicast frames are flooded to all ports of the VLAN. To selectively forward only to relevant ports and filter (drop) the Multicast on the rest of the ports, enable Bridge Multicast filtering status in the Properties Page.
To enable Multicast filtering, and select the forwarding method:
STEP 1 Click Multicast > Properties. The Properties Page opens.
STEP 2 Enter the parameters.
• Bridge Multicast Filtering Status—Enable or disable filtering.
• VLAN ID—Select the VLAN ID to set its forwarding method.
• Forwarding Method for IPv6—Set the forwarding method for IPv6 addresses.
• Display a list of all ports/LAGs that are a member for each VLAN ID and MAC address group, and enter whether traffic is forwarded to it or not.
For viewing the forwarding information when the mode is IP Address Group or IP and Source Group, use the IP Multicast Group Address Page.
To define and view MAC Multicast groups:
STEP 1 Click Multicast > MAC Group Address. The MAC Group Address Page opens.
STEP 2 Enter the parameters.
• Dynamic—Indicates that the interface was added to the Multicast group as a result of IGMP/MLD snooping.
• Forbidden—Specifies that this port is forbidden from joining this group on this VLAN.
• None—Specifies that the port is not currently a member of this Multicast group on this VLAN.
STEP 10 Click Apply, and the switch is updated.
STEP 4 Click Add to add a static IP Multicast Group Address. The IP Multicast Interface Settings Page opens.
STEP 5 Enter the parameters.
• VLAN ID—Defines the VLAN ID of the group to be added.
• IP Version—Select the IP address type.
• IP Multicast Group Address—Define the IP address of the new multicast group.
• Source Specific—Indicates that the entry contains a specific source, and adds the address in the IP Source Address field.
• Forbidden—Specifies that this port is forbidden from joining this group on this VLAN.
• None—Indicates that the port is not currently a member of this Multicast group on this VLAN.
STEP 11 Click Apply. The switch is updated.
IGMP Snooping
To support selective multicast forwarding (IPv4), Bridge Multicast filtering must be enabled, and IGMP Snooping must be enabled globally and for each relevant VLAN.
There should be only one IGMP Querier in a Layer 2 Multicast domain. The switch supports standards-based IGMP Querier election when more than one IGMP Querier is present in the domain. The speed of IGMP Querier activity should be aligned with the IGMP-snooping-enabled switches. Queries should be sent at a rate that is aligned to the snooping table aging time.
• Operational Query Robustness—Displays the robustness variable sent by the elected querier.
• Query Interval—Enter the interval between the General Queries to be used if this switch is the elected querier.
• Operational Query Interval—The time interval in seconds between General Queries sent by the elected querier.
• Query Max Response Interval—Enter the delay used to calculate the Maximum Response Code inserted into the periodic General Queries.
• IGMP Querier Version—Select the IGMP version used if the switch becomes the elected querier. Select IGMPv3 if there are switches and/or multicast routers in the VLAN that perform source-specific IP multicast forwarding.
STEP 5 Click Apply. The switch is updated.
MLD Snooping
To support selective multicast forwarding (IPv6), Bridge Multicast filtering must be enabled, and MLD Snooping must be enabled globally and for each relevant VLAN.
If you enable MLD snooping in addition to the manually-configured Multicast groups, the result is a union of the Multicast groups and port memberships derived from the manual setup and the dynamic discovery by MLD snooping. However, only the static definitions are preserved when the system is rebooted.
To enable MLD Snooping:
STEP 1 Click Multicast > MLD Snooping. The MLD Snooping Page opens.
STEP 2 Enable or disable MLD Snooping Status.
• Query Max Response Interval—Enter Query Max Response delay to be used if the switch cannot read the Max Response Time value from General Queries sent by the elected querier.
• Operational Query Max Response Interval—Displays the delay used to calculate the Maximum Response Code inserted into the General Queries.
To query for an IP Multicast group:
STEP 1 Click Multicast > IGMP/MLD IP Multicast Group. The IGMP/MLD IP Multicast Group Page opens.
STEP 2 Set the type of snooping group for which to search: IGMP or MLD.
STEP 3 Enter some or all of the following query filter criteria:
• Group Address equals to—Defines the Multicast group MAC address or IP address to query.
• Source Address equals to—Defines the sender address to query.
To define Multicast router ports:
STEP 1 Click Multicast > Multicast Router Port. The Multicast Router Port Page opens.
STEP 2 Enter some or all of the following query filter criteria:
• VLAN ID equals to—Select the VLAN ID for the router ports that are described.
• IPv4 or IPv6 equals to—Select the IP version that the multicast router supports.
• Interface Type equals to—Select whether to display ports or LAGs.
STEP 3 Click Go.
IGMP or MLD messages are not forwarded to the ports that are defined as Forward All.
NOTE The configuration affects only the ports that are members of the selected VLAN.
To define Forward All Multicast:
STEP 1 Click Multicast > Forward All. The Forward All Page opens.
STEP 2 Define the following:
• VLAN ID equals to—The VLAN ID for which the ports/LAGs are to be displayed.
• Interface Type equals to—Define whether to display ports or LAGs.
switch to forward the Multicast frames (from a registered Multicast group) only to ports that are joined to that Multicast group. The switch forwards Multicast frames (from a registered Multicast group) only to ports that are registered to that Multicast group. The Unregistered Multicast Page enables handling Multicast frames that belong to groups that are not known to the switch (unregistered Multicast groups).
  - Filtering—Enables filtering of unregistered Multicast frames to the selected interface.
STEP 5 Click Apply. The settings are saved, and the switch is updated.
15 Configuring IP Information
IP interface addresses are configured manually by the user, or auto-configured by a DHCP server. This chapter provides information for defining the switch IP addresses. It includes the following topics:
• Management and IP Interfaces
• Defining IPv4 Static Routing
• Enabling ARP Proxy
• Defining UDP Relay
• DHCP Relay
• Configuring ARP
• Domain Name Systems
Management and IP Interfaces
The factory default setting of the IP address configuration is DHCP.
IP address collisions occur when the same IP address is used in the same IP subnet by more than one device. Address collisions require administrative actions on the DHCP server and/or the devices that collide with the switch. When a VLAN is configured to use dynamic IP addresses, the switch issues DHCP requests until it is assigned an IP address from a DHCP server.
Managing IPv6
The Internet Protocol version 6 (IPv6) is a network-layer protocol for packet-switched internetworks. IPv6 was designed to replace IPv4, the predominantly deployed Internet protocol. IPv6 introduces greater flexibility in assigning IP addresses because the address size increases from 32-bit to 128-bit addresses. IPv6 addresses are written as eight groups of four hexadecimal digits, for example FE80:0000:0000:0000:0000:9C00:876A:130B.
The following sections describe the differences between IP addressing when the switch is in Layer 2 or Layer 3 mode.
Layer 2 IP Addressing
In Layer 2 mode, the switch has a single IP address in the management VLAN. This IP address and the default gateway can be configured with a static IP address, or by DHCP. The static IP address and default gateway for Layer 2 mode are configured on the IPv4 Interface Page.
Defining IPv4 Interface when the Switch is in Layer 2 Mode
To manage the switch by using the web-based switch configuration utility, the IPv4 switch management IP address must be defined and known. The switch IP address can be manually configured or automatically taken from a DHCP server.
To configure the IPv4 switch IP address:
STEP 1 Click Administration > Management Interface > IPv4 Interface. The IPv4 Interface Page opens.
If a dynamic IP address is retrieved from the DHCP server, select the following fields that are enabled:
• Renew DHCP Address—The switch dynamic IP address can be renewed any time after it is assigned by a DHCP server. Depending on your DHCP server configuration, the switch might receive a new IP address after the renewal that will cause a loss of connectivity to the web-based switch configuration utility.
• Mask—Configured IP address mask.
• Status—Results of the IP address duplication check.
  - No Entry—The IP address is unknown.
  - Tentative—There is no final result for the IP address duplication check.
  - Valid—The IP address collision check was completed, and no IP address collision was detected.
  - Valid-Duplicated—The IP address duplication check was completed, and a duplicate IP address was detected.
Defining IPv6 Global Configuration
The IPv6 Global Configuration Page defines the frequency of the IPv6 ICMP error messages generated by the switch.
To define IPv6 global parameters:
STEP 1 In Layer 2 mode, click Administration > Management Interface > IPv6 Global Configuration. In Layer 3 mode, click IP Configuration > Management and IP Interface > IPv6 Global Configuration. The IPv6 Global Configuration Page opens.
In Layer 3 mode, click IP Configuration > Management and IP Interface > IPv6 Interfaces. The IPv6 Interfaces Page opens. This page displays the IPv6 interfaces already configured.
STEP 2 Click Add to add a new IPv6 interface, that is, to define on which interface IPv6 is enabled. The Add IPv6 Interface Page opens.
STEP 3 Enter the values.
• IPv6 Interface—Select a specific port, LAG, VLAN, or ISATAP tunnel.
Defining IPv6 Addresses
To assign an IPv6 address to an IPv6 Interface:
STEP 1 In Layer 2 mode, click Administration > Management Interface > IPv6 Addresses. In Layer 3 mode, click IP Configuration > Management and IP Interface > IPv6 Addresses. The IPv6 Address Page opens.
STEP 2 Select an interface, and click Go. The interface is displayed in the IPv6 Address Table.
STEP 3 Click Add. The Add IPv6 Address Page opens.
• EUI-64—Select to use the EUI-64 parameter to identify the interface ID portion of the Global IPv6 address by using the EUI-64 format based on a device MAC address.
STEP 5 Click Apply. The switch is updated.
Defining an IPv6 Default Router List
The IPv6 Default Router List Page enables configuring and viewing the default IPv6 router addresses.
  - Dynamic—The default router was dynamically configured.
• State—The default router status options are:
  - Incomplete—Address resolution is in process. Default router has not yet responded.
  - Reachable—Positive confirmation was received within the Reachable Time.
  - Stale—Previously-known neighboring network is unreachable, and no action is taken to verify its reachability until it is necessary to send traffic.
• When the ISATAP router IPv4 address is not resolved via the DNS process, the ISATAP IP interface remains active. The system does not have a default router for ISATAP traffic until the DNS process is resolved.
To configure an IPv6 Tunnel:
STEP 1 In Layer 2 mode, click Administration > Management Interface > IPv6 Tunnel. In Layer 3 mode, click IP Configuration > Management and IP Interface > IPv6 Tunnel. The IPv6 Tunnel Page opens.
• ISATAP Robustness—Used to calculate the interval for the DNS or router solicitation queries. The bigger the number, the more frequent the queries. The default value is 3. The range is 1-20.
NOTE The ISATAP tunnel is not operational if the underlying IPv4 interface is not in operation.
STEP 3 Click Apply. The tunnel is defined, and the switch is updated.
The following fields are displayed for the neighboring interfaces:
• Interface—Neighboring IPv6 interface type.
• IPv6 Address—IPv6 address of a neighbor.
• MAC Address—MAC address mapped to the specified IPv6 address.
• Type—Neighbor discovery cache information entry type (static or dynamic).
• State—Specifies the IPv6 neighbor status. The values are:
  - Incomplete—Address resolution is working. The neighbor has not yet responded.
In Layer 3 mode, click IP Configuration > Management and IP Interface > IPv6 Neighbors. The IPv6 Neighbors Page opens.
STEP 2 Select an interface, and click Edit. The Edit IPv6 Neighbors Page opens.
STEP 3 Enter the values for the following fields:
• IPv6 Address—Select a valid IPv6 address.
• MAC Address—Select the MAC address mapped to the specified IPv6 address.
• Type—Select the type of the neighbor discovery cache information entry.
• Next Hop—Address where the packet is forwarded. Typically, this is the address of a neighboring router. This must be a link local address.
• Metric—Value used for comparing this route to other routes with the same destination in the IPv6 router table. All default routes have the same value.
• Life Time—Time period that the packet can be sent, and resent, before being deleted.
NOTE You cannot configure a static route through a directly-connected IP subnet where the switch gets its IP address from a DHCP server.
• Route Type—Select the route type.
  - Reject—Rejects the route and stops routing to the destination network via all gateways. This ensures that if a frame arrives with the destination IP of this route, it is dropped.
• Remote—Indicates that the route is a remote path.
STEP 3 Click Apply. The ARP proxy is enabled, and the switch is updated.
Defining UDP Relay
The UDP Relay feature is only available when the switch is in Layer 3 mode. Switches do not typically route IP broadcast packets between IP subnets. However, if configured, the switch can relay specific UDP broadcast packets received from its IPv4 interfaces to specific destination IP addresses.
DHCP Relay
The switch can act as a DHCP Relay agent that listens for DHCP messages, and relays them between DHCP servers and clients that reside in different VLANs or IP subnets. DHCP Relay must be enabled globally and per VLAN. In Layer 2 mode, the switch can relay DHCP messages received from a VLAN to one or more configured DHCP servers.
To configure the DHCP Relay feature:
STEP 1 Click IP Configuration > DHCP Relay > Properties. The Properties Page opens.
STEP 2 Enter the values for the following fields:
• DHCP Relay—Select to enable or disable DHCP Relay.
• Option 82—Select Option 82 to enable insertion of the device MAC address and input parameters into packets for identification of the device. This option is configurable only in Layer 3 mode.
STEP 3 Enter the Interface value.
• If the switch is in Layer 2 mode, select the VLAN that is to be DHCP Relay enabled.
• If the switch is in Layer 3 mode, select whether the interface is for a port, VLAN, or LAG.
STEP 4 Click Apply. A DHCP Relay interface is defined, and the switch is updated.
Configuring ARP
The switch maintains an ARP (Address Resolution Protocol) Table for all the known devices that reside in its directly connected IP subnets.
• Clear ARP Table Entries—Select the type of ARP entries to be cleared from the system.
  - All—Deletes all of the static and dynamic addresses immediately.
  - Dynamic—Deletes all of the dynamic addresses immediately.
  - Static—Deletes all of the static addresses immediately.
  - Normal Age Out—Deletes dynamic addresses based on the configured ARP Entry Age Out time.
Domain Name Systems
The Domain Name System (DNS) translates user-defined domain names into IP addresses for the purpose of locating and addressing these objects. As a DNS client the switch resolves domain names to IP addresses through one or more configured DNS servers.
Defining DNS Servers
The DNS Servers Page enables configuring the DNS servers and the default domain used by the switch.
the next lowest priority is selected. If none of the static servers respond, the first dynamic server on the table, sorted by IP address (low to high), is selected.
STEP 3 Click Add. The Add DNS Server Page opens.
STEP 4 Enter the parameters.
• IP Version—Select Version 6 for IPv6 or Version 4 for IPv4.
• IPv6 Address Type—Select the IPv6 address type (if IPv6 is used).
To add a domain name and its IP address:
STEP 1 Click IP Configuration > Domain Name System > Host Mapping. The Host Mapping Page opens. This page displays the following fields:
• Host Name—User-defined domain name, up to 158 characters.
• IP Address—The host name IP address.
STEP 2 Click Add. The Add Host Mapping Page opens.
STEP 3 Enter the parameters.
• IP Version—Select Version 6 for IPv6 or Version 4 for IPv4.
16 Configuring Security
This chapter describes various aspects of security and access control. The system handles various types of security. Some features are used for more than a single type of security or control, and so they appear twice in the list of topics below.
• 802.1X
Protection from other network users is detailed in the following sections. These are attacks that pass through, but are not directed at, the switch.
• Denial of Service Prevention
• Configuring TCP/UDP Services
• Defining Storm Control
• Configuring Port Security
Defining Users
A user, in this context, is a system administrator or superuser, who manages the switch. The default username is cisco and the default password is cisco.
• Password—Enter a password. If the password strength and complexity is defined, the user password must comply with the policy. This is configured in the Setting Password Complexity Rules section.
• Confirm Password—Enter the password again.
• Password Strength Meter—Displays the strength of the password. The policy for password strength and complexity is configured in the Password Strength Page.
STEP 4 Click Apply. The user is added, and the switch is updated.
• Password Aging Time—Enter the number of days that can elapse before the user must change the password. The default is 180 days.
STEP 4 Click Apply. The password settings are set, and the switch is updated.
TACACS+ Configuration
The switch is a Terminal Access Controller Access Control System (TACACS+) client that relies on a TACACS+ server to provide centralized security, authorizing and authenticating users attempting to access and administer the switch.
Configuring Default TACACS+ Parameters
The TACACS+ Page enables adding, removing, and editing the TACACS+ servers. You can define the default parameters, such as the key string used to encrypt communications with the TACACS+ server. A user must be configured on the TACACS+ server to have privilege level 15 to be granted permission to administer the switch.
• Server IP Address—Enter the TACACS+ server IP address.
• Priority—Enter the order that this TACACS+ server is used. Zero is the highest priority TACACS+ server and is the first server used. If it cannot establish a session with the high priority server, the switch will try the next highest priority server.
• Key String—Enter the authentication and encryption key for the TACACS+ server.
To set the default RADIUS parameters:
STEP 1 Click Security > RADIUS. The RADIUS Page displays. The RADIUS table displays the specific parameters for each defined RADIUS server.
STEP 2 Enter the default RADIUS parameters. Values entered in the Default Parameters apply to all servers. If a value is not entered for a specific server, the switch uses the values in these fields.
• IP Version—Displays the supported IP version: IPv6 and/or IPv4 subnet.
This page provides fields that must be entered individually for a server.
STEP 3 Enter the fields for each server. To use the default values entered in the RADIUS Page, select Use Default.
• IP Version—Select the IP version of the RADIUS server IP address.
• Server IP Address—Enter the address of the RADIUS server.
• Priority—Enter the priority of the server.
• Usage Type—Enter the RADIUS server authentication type. The options are:
  - Login—RADIUS server is used for authenticating users that want to administer the switch.
  - 802.1X—RADIUS server is used for authentication in 802.1X Access Control.
  - All—RADIUS server is used for authenticating users that want to administer the switch and for authentication in 802.1X Access Control.
STEP 4 Click Apply.
• RADIUS—User is authenticated on a RADIUS server. You must have configured one or more RADIUS servers.
• TACACS+—User is authenticated on the TACACS+ server. You must have configured one or more TACACS+ servers.
• None—User is allowed to access the switch without authentication.
• Local—Username and password are checked against the data stored on the local switch. These username and password pairs are defined in the User Accounts Page.
  - Secure HTTP (HTTPS)
  - Simple Network Management Protocol (SNMP)
  - All of the above
• Action—Permit or deny access to an interface or source address.
• Interface—Which ports, LAGs, or VLANs are permitted to access or denied access to the web-based switch configuration utility.
• Source IP Address—IP addresses or subnets.
Access to management methods might differ among user groups.
STEP 2 To change the active access profile, select a profile from the Active Access Profile drop down menu and click Apply. This makes the chosen profile the active access profile. A caution message is displayed if you selected Console Only. If you continue, you are immediately disconnected from the web-based switch configuration utility and can access the switch only through the console port.
  - SNMP—Users requesting access to the switch who meet the SNMP access profile criteria are permitted or denied.
• Action—Select the action attached to the rule. The options are:
  - Permit—Permits access to the switch if the user matches the settings in the profile.
  - Deny—Denies access to the switch if the user matches the settings in the profile.
• Applies to Interface—Select the interface attached to the rule.
Defining Profile Rules
Access profiles can contain up to 128 rules to determine who is permitted to manage and access the switch, and the access methods that may be used. Each rule in an access profile contains an action and criteria (one or more parameters) to match. Each rule has a priority; rules with the lowest priority are checked first. If the incoming packet matches a rule, the action associated with the rule is performed.
  - HTTP—Assigns HTTP access to the rule. Users requesting access to the switch who meet the HTTP access profile criteria are permitted or denied.
  - Secure HTTP (HTTPS)—Users requesting access to the switch who meet the HTTPS access profile criteria are permitted or denied.
  - SNMP—Users requesting access to the switch who meet the SNMP access profile criteria are permitted or denied.
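The first-match, lowest-priority-first evaluation described under Defining Profile Rules can be modelled offline to audit a planned profile before it is applied. The following is an added example, not code from the switch or from Cisco: the Rule fields, the short method labels, the sample profile, and the default of Deny when no rule matches are all assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RULES = 128  # limit stated in the guide for one access profile


@dataclass(frozen=True)
class Rule:
    priority: int                     # lower number is checked first
    method: str                       # "Telnet", "SSH", "HTTP", "HTTPS", "SNMP" or "All"
    action: str                       # "Permit" or "Deny"
    interface: Optional[str] = None   # None = applies to every interface
    source: Optional[str] = None      # CIDR string; None = any source address

    def matches(self, method: str, interface: str, src_ip: str) -> bool:
        if self.method not in ("All", method):
            return False
        if self.interface is not None and self.interface != interface:
            return False
        if self.source is not None:
            net = ipaddress.ip_network(self.source)
            addr = ipaddress.ip_address(src_ip)
            if addr.version != net.version or addr not in net:
                return False
        return True


def evaluate(rules: List[Rule], method: str, interface: str, src_ip: str,
             default: str = "Deny") -> Tuple[str, Optional[int]]:
    """Return (action, priority of the matching rule); first match wins."""
    if len(rules) > MAX_RULES:
        raise ValueError("an access profile holds at most 128 rules")
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(method, interface, src_ip):
            return rule.action, rule.priority
    return default, None  # assumption: unmatched requests are denied


def _covers(earlier: Rule, later: Rule) -> bool:
    """True if every request that matches `later` also matches `earlier`."""
    if earlier.method not in ("All", later.method):
        return False
    if earlier.interface is not None and earlier.interface != later.interface:
        return False
    if earlier.source is None:
        return True
    if later.source is None:
        return False
    a = ipaddress.ip_network(earlier.source)
    b = ipaddress.ip_network(later.source)
    return a.version == b.version and b.subnet_of(a)


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int, bool]]:
    """List (shadowed priority, shadowing priority, actions differ) for rules
    that can never fire because an earlier rule matches everything they match."""
    ordered = sorted(rules, key=lambda r: r.priority)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if _covers(earlier, later):
                found.append((later.priority, earlier.priority,
                              earlier.action != later.action))
                break
    return found


# Constructed sample profile: the broad Permit at priority 2 hides the
# Telnet Deny at priority 3, so Telnet from 10.0.20.0/24 is still allowed.
PROFILE = [
    Rule(1, "HTTPS", "Permit", interface="VLAN 10", source="10.0.10.0/24"),
    Rule(2, "All", "Permit", source="10.0.0.0/8"),
    Rule(3, "Telnet", "Deny", source="10.0.20.0/24"),
    Rule(4, "All", "Deny"),
]

if __name__ == "__main__":
    print(evaluate(PROFILE, "Telnet", "VLAN 20", "10.0.20.5"))
    print(shadowed_rules(PROFILE))
```

A rule reported with the third field set to True is a policy conflict: the intended action never takes effect because a broader rule with the opposite action is checked first.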
Configuring TCP/UDP Services
The TCP/UDP Services Page enables TCP or UDP-based services on the switch, usually for security reasons. The switch offers the following TCP/UDP services:
• Telnet—disabled by factory default
• SSH—disabled by factory default
• HTTP—enabled by factory default
• HTTPS—disabled by factory default
• SNMP—disabled by factory default
The active TCP connections are also displayed in this window.
• Local IP Address—Local IP address through which the switch is offering the service.
• Local Port—Local UDP port through which the switch is offering the service.
• Application Instance—The service instance of the UDP service. (For example, when two senders send to the same destination.)
STEP 3 Click Apply. The services are added, and the switch is updated.
• Storm Control Rate Threshold—Enter the maximum rate at which unknown packets can be forwarded.
• Storm Control Mode—Select one of the modes:
- Unknown Unicast, Multicast & Broadcast—Counts unknown Unicast, Broadcast, and Multicast traffic together towards the bandwidth threshold.
- Multicast & Broadcast—Counts Broadcast and Multicast traffic together towards the bandwidth threshold.
When a frame from a new MAC address is detected on a port where it is not authorized (the port is classically locked, and there is a new MAC address, or the port is dynamically locked, and the maximum number of allowed addresses has been exceeded), the protection mechanism is invoked, and one of the following actions can take place:
• Frame is discarded
• Frame is forwarded
• Port is shut down
When the secure MAC address is seen on another port, the
- Limited Dynamic Lock—Locks the port by deleting the current dynamic MAC addresses associated with the port. The port learns up to the maximum addresses allowed on the port. Both re-learning and aging of MAC addresses are enabled.
• Max No. of Addresses Allowed—Enter the maximum number of MAC addresses that can be learned on the port if Limited Dynamic Lock learning mode is selected. The range is 0-256.
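The lock behaviour described above can be modelled as a small state machine. The following is an added example, not code from the switch or from this guide; the class and constant names are hypothetical, address aging is not modelled, and it assumes that a frame forwarded on a violation is not learned.

```python
# Added example: state model of the port-lock behaviour described above.
# LockedPort, CLASSIC_LOCK and LIMITED_DYNAMIC_LOCK are hypothetical names.
import re
from dataclasses import dataclass, field
from typing import List, Set

CLASSIC_LOCK = "classic"          # any new MAC address is a violation
LIMITED_DYNAMIC_LOCK = "limited"  # learn up to max_addresses, then lock
ACTIONS = ("discard", "forward", "shutdown")
_MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


def normalize(mac: str) -> str:
    """Return the MAC in lower-case colon form, or raise ValueError."""
    value = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.fullmatch(value):
        raise ValueError(f"not a MAC address: {mac!r}")
    return value


@dataclass
class LockedPort:
    mode: str
    action: str                    # action taken on a violation
    max_addresses: int = 1         # used by Limited Dynamic Lock only
    learned: Set[str] = field(default_factory=set)
    up: bool = True
    violations: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in (CLASSIC_LOCK, LIMITED_DYNAMIC_LOCK):
            raise ValueError("unknown lock mode")
        if self.action not in ACTIONS:
            raise ValueError("unknown violation action")
        if not 0 <= self.max_addresses <= 256:
            raise ValueError("max_addresses must be in the range 0-256")
        self.learned = {normalize(m) for m in self.learned}
        if self.mode == LIMITED_DYNAMIC_LOCK:
            # Locking deletes the dynamic addresses learned so far.
            self.learned.clear()

    def receive(self, src_mac: str) -> str:
        """Return what happens to a frame with this source MAC."""
        if not self.up:
            return "port-down"
        mac = normalize(src_mac)
        if mac in self.learned:
            return "forward"
        if (self.mode == LIMITED_DYNAMIC_LOCK
                and len(self.learned) < self.max_addresses):
            self.learned.add(mac)          # still room: learn and forward
            return "forward"
        self.violations.append(mac)        # record for traps or review
        if self.action == "shutdown":
            self.up = False                # stays down until reactivated
            return "shutdown"
        return self.action                 # "discard" or "forward"


if __name__ == "__main__":
    # Constructed sample: two addresses allowed, third one shuts the port.
    port = LockedPort(LIMITED_DYNAMIC_LOCK, "shutdown", max_addresses=2)
    for mac in ("AA-BB-CC-00-00-01", "aa:bb:cc:00:00:02",
                "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:01"):
        print(mac, "->", port.receive(mac))
    print("violations:", port.violations)
```
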
802.1x is an IEEE standard for port-based network access control. The 802.1x framework enables a device (the supplicant) to request port access from a remote device (authenticator) to which it is connected. Only when the supplicant requesting port access is authenticated and authorized is the supplicant permitted to send data to the port. Otherwise, the authenticator discards the supplicant data unless the data is sent to a Guest VLAN and/or non-authenticated VLANs.
For a device to be authenticated and authorized at a port with DVA enabled:
• The RADIUS server must authenticate the device and dynamically assign a VLAN to the device.
• The assigned VLAN must not be the default VLAN and must have been created at the switch.
• The switch must not be configured to use both a DVA and a MAC-based VLAN group together.
Unauthenticated VLANs and the Guest VLAN
Unauthenticated VLANs and the Guest VLAN provide access to services that do not require the subscribing devices or ports to be 802.1x or MAC-Based authenticated and authorized. An unauthenticated VLAN is a VLAN that allows access by both authorized and unauthorized devices or ports. You can configure one or more VLANs to be unauthenticated in the Creating VLANs section in the Configuring Security chapter.
802.1X Parameters Workflow
Define the 802.1X parameters as follows:
1. Set a time range(s) using the Time Range Page that is used in the Edit Port Authentication Page. This is optional.
2. Define one or more static VLANs as unauthenticated VLANs as described in the Defining 802.1X Properties section. 802.1x authorized and unauthorized devices or ports can always send or receive packets to or from unauthenticated VLANs. This is optional.
3. Define 802.
- RADIUS—Authenticate the user on the RADIUS server. If no authentication is performed, the session is not permitted.
- None—Do not authenticate the user. Permit the session.
• Guest VLAN—Select to enable the use of a Guest VLAN for unauthorized ports. If a Guest VLAN is enabled, all unauthorized ports automatically join the VLAN selected in the Guest VLAN ID field. If a port is later authorized, it is removed from the Guest VLAN.
STEP 5 Click Apply, and the switch is updated.
Defining 802.1X Port Authentication
The Port Authentication Page enables configuration of several of the 802.1X parameters for each port. Because some configuration changes, such as the authentication method, are only possible while the port is in Force Authorized state, we recommend that you change the port control to Force Authorized before making changes.
• Administrative Port Control—Select the Administrative Port Authorization state. The options are:
- Force Unauthorized—Denies the interface access by moving the interface into the unauthorized state. The switch does not provide authentication services to the client through the interface.
- Auto—Enables port-based authentication and authorization on the switch.
• Authentication Method—Select the authentication method for the port. The options are:
- 802.1X Only—802.1X authentication is the only authentication method performed on the port.
- MAC Only—Port is authenticated based on the supplicant MAC address. Only 8 MAC-based authentications can be used on the port.
- 802.1X and MAC—Both 802.1X and MAC-based authentication are performed on the switch. The 802.1X authentication takes precedence.
• Resending EAP—Enter the number of seconds that the switch waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the supplicant (client) before resending the request.
• Max EAP Requests—Enter the maximum number of EAP requests that can be sent. If a response is not received after the defined period (supplicant timeout), the authentication process is restarted.
To define 802.1X advanced settings for ports:
STEP 1 Click Security > 802.1X > Host and Session Authentication. The Host and Session Authentication Page displays. 802.1X authentication parameters are described for all ports. All fields except the following are described in the Edit Host and Session Authentication Page.
• Status—Displays the host status. An asterisk indicates that the port is either not linked or is down.
- Shutdown—Discards the packets and shuts down the port. The port remains shut down until reactivated, or until the switch is rebooted.
• Traps—Select to enable traps.
• Trap Frequency—Defines how often traps are sent to the host. This field can be defined only if multiple hosts are disabled.
STEP 4 Click Apply. The settings are defined, and the switch is updated.
Defining Time Ranges
The Time Range Page enables the definition of the time period that 802.1X is active at the 802.1x-enabled ports. A Time Range must be configured with an absolute start and end time. If a time range has an absolute time range but no recurring range and it is configured to an 802.1x-enabled port, the port is 802.1x active from the absolute start time to the end time.
• Absolute Starting Time—Define the absolute start time:
- Immediate—Click to indicate that the time range starts when the time range is created.
- Date and Time—Select the absolute start date and time.
• Absolute Ending Time—Define the absolute end time:
- Infinite—Click to indicate that the time range never ends.
- Date and Time—Select the absolute end date and time.
STEP 4 Click Apply. The time range is created.
Denial of Service Prevention
Denial of Service (DoS) Prevention increases network security by preventing packets with certain IP address parameters from entering the network. Denial of Service eliminates packets with headers or contents known to be signals of malicious intent.
To enter Denial of Service Prevention global settings:
STEP 1 Click Security > Denial of Service Prevention > Security Suite Settings. The Security Suite Settings displays.
STEP 2 Select DoS Prevention to enable the Denial of Service Prevention feature.
• Disable—Disable the feature.
• System-Level Prevention—Prevents attacks from Stacheldraht Distribution, Invasor Trojan, and Back Orifice Trojan.
• Addresses defined to be illegal in the Martian Addresses Page.
• Some of the addresses are illegal from the viewpoint of the protocol, such as loopback addresses, including the following ranges:
- 0.0.0.0/8 (Except 0.0.0.0/32 as a Source Address)—Addresses in this block refer to source hosts on this network.
- 127.0.0.0/8—Used as the Internet host loopback address.
- 192.0.2.0/24—Used as the TEST-NET in documentation and example codes.
• Mask—Enter the mask of the IP address to define the range of IP addresses for which Denial of Service prevention is enabled. The values are:
- Network Mask—Network mask in dotted decimal format.
- Prefix Length—Enter the prefix of the IP address to define the range of IP addresses for which Denial of Service prevention is enabled.
STEP 5 Click Apply. The Martian addresses are defined, and the switch is updated.
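The following added example (not code from the switch or this guide) checks addresses against the three reserved ranges named above plus user-defined Martian entries given with either a dotted-decimal network mask or a prefix length. The function names are hypothetical, the user-defined entries are constructed samples, and it assumes the 0.0.0.0/32 source exception applies only to the reserved 0.0.0.0/8 block.

```python
# Added example: Martian address check for the ranges listed in the text.
import ipaddress
from typing import Iterable, Union

# Reserved ranges named above (the guide's own list may continue).
RESERVED = [ipaddress.ip_network(n)
            for n in ("0.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24")]
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")


def mask_to_prefix(mask: Union[str, int]) -> int:
    """Accept a prefix length or a dotted-decimal network mask."""
    if isinstance(mask, int) or str(mask).isdigit():
        prefix = int(mask)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix length out of range: {mask}")
        return prefix
    bits = int(ipaddress.IPv4Address(mask))
    host_bits = bits ^ 0xFFFFFFFF
    # A network mask has all its zero bits at the low end. This rejects
    # wildcard masks such as 0.0.0.255 and split masks such as 255.0.255.0.
    if host_bits & (host_bits + 1):
        raise ValueError(f"not a contiguous network mask: {mask}")
    return 32 - host_bits.bit_length()


def parse_entry(ip: str, mask: Union[str, int]) -> ipaddress.IPv4Network:
    """Build the network for one user-defined Martian entry."""
    prefix = mask_to_prefix(mask)
    # strict=False: host bits in the entered address are masked off.
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def is_martian(addr: str, role: str,
               user_defined: Iterable[ipaddress.IPv4Network] = ()) -> bool:
    """role is 'source' or 'destination'."""
    if role not in ("source", "destination"):
        raise ValueError("role must be 'source' or 'destination'")
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in user_defined):
        return True
    if role == "source" and ip == UNSPECIFIED:
        return False          # 0.0.0.0/32 is excepted as a source address
    return any(ip in net for net in RESERVED)


if __name__ == "__main__":
    # Constructed user-defined entries: one by mask, one by prefix length.
    entries = [parse_entry("10.9.3.7", "255.255.0.0"),
               parse_entry("172.31.0.0", 24)]
    for addr, role in (("0.0.0.0", "source"), ("0.0.0.0", "destination"),
                       ("127.0.0.1", "source"), ("10.9.200.1", "source"),
                       ("10.10.0.1", "source")):
        print(addr, role, "->", is_martian(addr, role, entries))
```
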
Define SYN Rate Protection
The SYN Rate Protection Page enables rate limiting the number of SYN packets on the ingress. This mitigates the effect of Denial of Service attacks, such as a SYN flood against servers, by rate limiting the number of new connections.
To define SYN rate protection:
STEP 1 Click Security > Denial of Service Prevention > SYN Rate Protection. The SYN Rate Protection Page displays.
Define ICMP Filtering
The ICMP Filtering Page enables the blocking of ICMP packets from certain sources. This can reduce the load on the network in case of an ICMP flood Denial of Service attack.
To define ICMP filtering:
STEP 1 Click Security > Denial of Service Prevention > ICMP Filtering. The ICMP Filtering Page displays. This page displays the rules by which the ICMP packets are blocked on each interface.
STEP 2 Click Add.
STEP 2 Click Add. The Add IP Fragments Filtering Page displays.
STEP 3 Enter the parameters.
• Interface—Select the interface on which the IP fragmentation is being defined.
• IP Address—Enter an IP network from which the fragmented IP packets are filtered or select All to block IP fragmented packets from all addresses. If you enter the IP address, enter either the mask or prefix length.
17 Access Control
The Access Control List (ACL) feature is part of the security mechanism. ACL definitions serve as one of the mechanisms to define traffic flows that should be given a specific Quality of Service (QoS). For more information see the Configuring QoS section in the Configuring Quality of Service chapter. ACLs enable network managers to define patterns (filter and actions) for ingress traffic.
When a packet matches an ACE filter, the ACE action is taken and that ACL processing is stopped. If the packet does not match the ACE filter, the next ACE is processed. If all ACEs of an ACL have been processed without finding a match, and if another ACL exists, it is processed in a similar manner. If no match is found to any ACE in all relevant ACLs, the packet is dropped (as a default action).
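The matching order described above (first match wins, next ACL if none match, drop by default) means an ACE placed after a broader one can never take effect. The following added example, which is not code from the switch or this guide, models that order and reports such shadowed ACEs. All class, field and ACL names are hypothetical, the sample ACLs are constructed, and each ACE list is assumed to be already in processing order.

```python
# Added example: models the ACE/ACL matching order described above.
# Class and field names are illustrative, not the switch's data model.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source network the ACE filters on
    dst: str = "0.0.0.0/0"       # destination network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))

    def covers(self, other: "Ace") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        if self.proto is not None and self.proto != other.proto:
            return False
        if self.dport is not None and self.dport != other.dport:
            return False
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst)))


Acl = Tuple[str, List[Ace]]      # (ACL name, ACEs in processing order)


def evaluate(acls: List[Acl], pkt: Packet) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (action, acl_name, ace_index) for the first matching ACE."""
    for name, aces in acls:
        for index, ace in enumerate(aces):
            if ace.matches(pkt):
                return ace.action, name, index   # first match ends processing
    return "deny", None, None                    # default action: drop


def shadowed_aces(acls: List[Acl]) -> List[Tuple[str, int, str, int]]:
    """List ACEs that can never match because an earlier ACE covers them."""
    flat = [(name, i, ace) for name, aces in acls for i, ace in enumerate(aces)]
    findings = []
    for pos, (name, i, ace) in enumerate(flat):
        for earlier_name, j, earlier in flat[:pos]:
            if earlier.covers(ace):
                findings.append((name, i, earlier_name, j))
                break
    return findings


# Constructed sample: two ACLs that are processed one after the other.
SAMPLE_ACLS: List[Acl] = [
    ("mgmt", [
        Ace("permit", src="10.0.0.0/8", proto="tcp"),
        Ace("deny", src="10.1.2.0/24", proto="tcp", dport=23),  # shadowed
    ]),
    ("servers", [
        Ace("permit", dst="192.168.10.5/32", proto="udp", dport=53),
    ]),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.2.7", "192.168.10.5", "tcp", 23),
                Packet("172.16.0.1", "192.168.10.5", "udp", 53),
                Packet("172.16.0.1", "192.168.10.6", "udp", 53)):
        print(pkt, "->", evaluate(SAMPLE_ACLS, pkt))
    print("shadowed:", shadowed_aces(SAMPLE_ACLS))
```

In the sample, the Telnet deny is reported as shadowed: the broader permit above it matches first, so the deny never takes effect until the two ACEs are reordered.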
Creating ACLs Workflow
To create ACLs and associate them with an interface, perform the following:
1. Create one or more of the following types of ACLs:
a. MAC-based ACL by using the MAC Based ACL Page and the MAC Based ACE Page
b. IP-based ACL by using the IPv4 Based ACL Page and the IPv4 Based ACE Page
c. IPv6-based ACL by using the IPv6 Based ACL Page and the IPv6 Based ACE Page
2. Associate the ACL with interfaces by using the ACL Binding Page.
Defining MAC-based ACLs
MAC-based ACLs are used to filter traffic based on Layer 2 fields. MAC-based ACLs check all frames for a match. MAC-based ACLs are defined in the MAC Based ACL Page. The rules are defined in the MAC Based ACE Page.
To define a MAC-based ACL:
STEP 1 Click Access Control > MAC Based ACL. The MAC Based ACL Page opens. This page displays a list of all currently defined MAC-based ACLs.
STEP 2 Click Add. The Add MAC Based ACL Page opens.
- Shutdown—Drop packets that meet the ACE criteria, and disable the port from where the packets were received. Such ports can be reactivated from the Port Settings Page.
• Destination MAC Address—Select Any if all destination addresses are acceptable or User defined to enter a destination address or a range of destination addresses.
• Destination MAC Address Value—Enter the MAC address to which the destination MAC address will be matched and its mask (if relevant).
The following fields can be matched:
• IP protocol (by name for well-known protocols, or directly by value)
• Source/destination ports for TCP/UDP traffic
• Flag values for TCP frames
• ICMP and IGMP type and code
• Source/destination IP addresses (including wildcards)
• DSCP/IP-precedence value
NOTE ACLs are also used as the building elements of flow definitions for per-flow QoS handling (see QoS Advanced Mode).
STEP 3 Click Add. The Add IPv4 Based ACE Page opens.
STEP 4 Enter the parameters.
• ACL Name—Displays the name of the ACL.
• Priority—Enter the priority. ACEs with higher priority are processed first.
• Action—Select the action assigned to the packet matching the ACE. The options are as follows:
- Permit—Forward packets that meet the ACE criteria.
- Deny—Drop packets that meet the ACE criteria.
- IDRP—Inter-Domain Routing Protocol
- RSVP—ReSerVation Protocol
- AH—Authentication Header
- IPV6:ICMP—Internet Control Message Protocol
- EIGRP—Enhanced Interior Gateway Routing Protocol
- OSPF—Open Shortest Path First
- IPIP—IP in IP
- PIM—Protocol Independent Multicast
- L2TP—Layer 2 Tunneling Protocol
- ISIS—IGP-specific protocol
• Protocol ID to Match—Instead of selecting the name, enter the protocol ID.
- Range—Select a range of TCP/UDP source ports to which the packet is matched. There are eight different port ranges that can be configured (shared between source and destination ports). TCP and UDP protocols each have eight port ranges.
• Destination Port—Select one of the available values that are the same as for the Source Port field described above.
NOTE You must specify the IP protocol for the ACE before you can enter the source and/or destination port.
• IGMP—If the ACL is based on IGMP, select the IGMP message type to be used for filtering purposes. Either select the message type by name or enter the message type number:
- Any—All message types are accepted.
- Select from list—Select message type by name.
- IGMP Type to match—Number of message type that will be used for filtering purposes.
STEP 5 Click Apply. The IPv4-based ACE is defined, and the switch is updated.
Defining a Rule (ACE) for an IPv6-based ACL
STEP 1 Click Access Control > IPv6 Based ACE. The IPv6 Based ACE Page opens. This window displays the ACE (rules) for a specified ACL (group of rules).
STEP 2 Select an ACL, and click Go. All currently-defined IP ACEs for the selected ACL are displayed.
STEP 3 Click Add. The Add IPv6 Based ACE Page opens.
STEP 4 Enter the parameters.
• ACL Name—Displays the name of the ACL to which an ACE is being added.
• Source IP Address Value—Enter the IP address to which the source IP address will be matched and its mask (if relevant).
• Source IP Prefix Length—Enter the prefix length of the source IP address.
• Destination IP Address—Select Any if all destination addresses are acceptable or User defined to enter a destination address or a range of destination addresses.
- Select from list—Select message type by name from the drop-down list.
- ICMP Type to Match—Number of message type that will be used for filtering purposes.
• ICMP Code—The ICMP messages may have a code field that indicates how to handle the message. Select one of the following options, to configure whether to filter on this code:
- Any—Accept all codes.
- User defined—Enter an ICMP code for filtering purposes.
STEP 5 Click Apply.
NOTE To unbind all ACLs from an interface, select the interface, and click Clear.
STEP 4 Select an interface, and click Edit. The Edit ACL Binding Page opens.
STEP 5 Select the Interface to which the ACLs are to be bound.
STEP 6 Select one of the following:
• Select MAC Based ACL—Select a MAC-based ACL to be bound to the interface.
• Select IPv4 Based ACL—Select an IPv4-based ACL to be bound to the interface.
18 Configuring Quality of Service
The Quality of Service feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment. This chapter contains the following topics:
• QoS Features and Components
• Configuring QoS
• QoS Basic Mode
• QoS Advanced Mode
• Managing QoS Statistics
QoS Features and Components
The QoS feature is used to optimize network performance.
QoS includes the following:
• Traffic Classification—Classifies each incoming packet as belonging to a specific traffic flow, based on the packet contents and/or the port. The classification is done by ACL (Access Control List), and only traffic that meets the ACL criteria is subject to CoS or QoS classification.
• Assignment to Hardware Queues—Assigns incoming packets to forwarding queues.
• Disable Mode
In this mode all traffic is mapped to a single best effort queue, so that no type of traffic is prioritized over another.
Only a single mode can be active at a time. When the system is configured to work in QoS Advanced mode, settings for QoS Basic mode are not active and vice versa.
7. Enter bandwidth and rate limits in the following pages:
a. Set egress shaping per queue by using the Egress Shaping Per Queue Page.
b. Set ingress rate limit and egress shaping rate per port by using the Bandwidth Page.
c. Set VLAN ingress rate limit by using the VLAN Ingress Rate Limit Page.
8. Configure the selected mode by performing one of the following:
a. Configure Basic mode, as described in Workflow to Configure Basic QoS Mode
b.
STEP 3 Select Port/LAG to display/modify all ports/LAGs and their CoS information. The following fields are displayed for all ports/LAGs:
• Interface—Type of interface.
• Default CoS—Default VPT value for incoming packets that do not have a VLAN Tag. The default CoS is 0. The default is only relevant for untagged frames and only if the system is in Basic mode and Trust CoS is selected in the Global Settings Page.
Configuring QoS Queues
The switch supports four queues for each interface. Queue number four is the highest priority queue. Queue number one is the lowest priority queue. There are two ways of determining how traffic in queues is handled, Strict Priority and Weighted Round Robin (WRR).
Strict Priority—Egress traffic from the highest-priority queue is transmitted first.
To select the priority method and enter WRR data:
STEP 1 Click Quality of Service > General > Queue. The Queue Page opens.
STEP 2 Enter the parameters.
• Queue—Displays the queue number.
• Scheduling Method—Select one of the following options:
- Strict Priority—Traffic scheduling for the selected queue and all higher queues is based strictly on the queue priority.
- WRR—Traffic scheduling for the selected queue is based on WRR.
802.1p Values (0-7, 7 being the highest) | Queue (4 queues 1-4, 4 being the highest priority) | Queue (2 queues: Normal and High) | Notes
1 | 1 | Normal | Best Effort
2 | 2 | Normal | Excellent Effort
3 | 3 | Normal | Critical Application LVS phone SIP
4 | 3 | Normal | Video
5 | 4 | High | Voice Cisco IP phone default
6 | 4 | High | Interwork Control LVS phone RTP
7 | 4 | High | Network Control
By changing the CoS/802.
• Restore Defaults—Click to restore all queues to the factory default CoS/802.1p to Queue mapping.
STEP 3 For each 802.1p priority select the Output Queue to which it is mapped.
STEP 4 Click Apply. 802.1p priority values to queues are mapped, and the switch is updated.
Mapping DSCP to Queue
The DSCP (IP Differentiated Services Code Point) to Queue Page maps DSCP to egress queues.
Configuring Bandwidth
The Bandwidth Page enables network managers to define two sets of values that determine how much traffic the system can receive and send. The ingress rate limit is the number of bits per second that can be received from the ingress interface. Excess bandwidth above this limit is discarded.
Configuring Egress Shaping per Queue
In addition to limiting transmission rate per port, which is done in the Bandwidth Page, the switch can limit the transmission rate of selected egressing frames on a per-queue per-port basis. Egress rate limiting is performed by shaping the output load. The switch limits all frames except for management frames.
Configuring VLAN Rate Limit
NOTE The VLAN Rate Limit feature is not available when the switch is in Layer 3 mode.
Rate limiting per VLAN, performed in the VLAN Ingress Rate Limit Page, enables traffic limiting on VLANs. QoS rate limiting (configured in the Policy Table Page) has priority over VLAN rate limiting.
TCP Congestion Avoidance
The TCP Congestion Avoidance Page enables activating a TCP congestion avoidance algorithm. The algorithm breaks up or avoids TCP global synchronization in a congested node, where the congestion is due to various sources sending packets with the same byte count.
To configure TCP congestion avoidance:
STEP 1 Click Quality of Service > General > TCP Congestion Avoidance. The TCP Congestion Avoidance Page opens.
the trusted mode at the ports where the CoS/802.1p and/or DSCP values in the incoming packets are not trustworthy. Otherwise, it might negatively affect the performance of your network.
Configuring Global Settings
The Global Settings Page contains information for enabling Trust on the switch (see the Trust Mode field below). This configuration is active when the QoS mode is Basic mode.
STEP 5 Click Apply. The switch is updated.
Interface QoS Settings
The Interface Settings Page enables configuring QoS on each port of the switch, as follows:
QoS State Disabled on an Interface—All inbound traffic on the port is mapped to the best effort queue and no classification/prioritization takes place.
QoS State of the Port is Enabled—Traffic prioritization on ingress at the port is based on the system-wide configured trusted mode, which is either CoS/ 802.
In QoS advanced mode, the switch uses policies to support per flow QoS. A policy and its components have the following characteristics and relationships:
• A policy contains one or more class maps.
• A class map defines a flow with one or more associating ACLs. Packets that match only ACL rules (ACE) in a class map with Permit (forward) action are considered belonging to the same flow, and are subjected to the same quality of services.
Workflow to Configure Advanced QoS Mode
To configure Advanced QoS mode, perform the following:
1. Select Advanced mode for the system by using the QoS Properties Page.
2. If internal DSCP values are different from those used on incoming packets, map the external values to internal values by using the Click Quality of Service > QoS Advanced Mode > Out of Profile DSCP Mapping. The Out of Profile DSCP Mapping Page opens. DSCP Remarking Page.
3.
To use the out-of-profile DSCP exceed action, remap the DSCP value in the Out Of Profile DSCP Mapping Table. Otherwise the action is null, because the DSCP value in the table remaps the packets to itself by factory default.
The Click Quality of Service > QoS Advanced Mode > Out of Profile DSCP Mapping. The Out of Profile DSCP Mapping Page opens. DSCP Remarking Page enables sets the change-the-DSCP-value of traffic entering or leaving the switch.
Defining Class Mapping
A Class Map defines a traffic flow with ACLs (Access Control Lists). A MAC ACL, IP ACL, and IPv6 ACL can be combined into a class map. Class maps are configured to match packet criteria on a match-all or match-any basis. They are matched to packets on a first-fit basis, meaning that the action associated with the first-matched class map is the action performed by the system.
• MAC—Select the MAC based ACL for the class map.
• Preferred ACL—Select whether packets are first matched to an IP-based ACL or a MAC-based ACL.
STEP 4 Click Apply. The switch is updated.
QoS Policers
You can measure the rate of traffic that matches a pre-defined set of rules, and enforce limits, such as limiting the rate of file-transfer traffic that is allowed on a port.
• An action to be applied to frames that are over the limits (called out-of-profile traffic), where such frames can be passed as is, dropped, or passed, but remapped to a new DSCP value that marks them as lower-priority frames for all subsequent handling within the device.
Assigning a policer to a class map is done when a class map is added to a policy. If the policer is an aggregate policer, you must create it using the Aggregate Policer Page.
- Out of Profile DSCP—The DSCP values of packets exceeding the defined CIR value are remapped to a value based on the Out Of Profile DSCP Mapping Table.
STEP 4 Click Apply. The switch is updated.
Configuring a Policy
The Policy Table Map Page displays the list of advanced QoS policies defined in the system. The page also allows you to create and delete policies. Only those policies that are bound to an interface are active (see Policy Binding Page).
Policy Class Maps
One or more class maps can be added to a policy. A class map defines the type of packets that are considered to belong to the same traffic flow.
NOTE You cannot configure a policer to a class map when the switch is operating in Layer 3 mode. The switch supports policers only in Layer 2 mode.
To add a class map to a policy:
STEP 1 Click Quality of Service > QoS Advanced Mode > Policy Class Maps. The Policy Class Maps Page opens.
- Set—If this option is selected, use the value entered in the New Value box to determine the egress queue of the matching packets as follows:
If the new value (0..7) is a CoS/802.1p priority, use the priority value and the CoS/802.1p to Queue Table to determine the egress queue of all the matching packets.
If the new value (0..63) is a DSCP, use the new DSCP and the DSCP to Queue Table to determine the egress queue of the matching IP packets.
Policy Binding
The Policy Binding Page shows which policy profile is bound and to which port. When a policy profile is bound to a specific port, it is active on that port. Only one policy profile can be configured on a single port, but a single policy can be bound to more than one port. When a policy is bound to a port, it filters and applies QoS to ingress traffic that belongs to the flows defined in the policy.
To view policer statistics:
STEP 1 Click Quality of Service > QoS Statistics > Single Policer Statistics. The Single Policer Statistics Page opens. This page displays the following fields:
• Interface—Statistics are displayed for this interface.
• Policy—Statistics are displayed for this policy.
• Class Map—Statistics are displayed for this class map.
• In-Profile Bytes—Number of in-profile bytes received.
STEP 3 Select an Aggregate Policer Name, one of the previously-created Aggregate Policers for which statistics will be displayed.
STEP 4 Click Apply. An additional request for statistics is created, and the switch is updated.
Viewing Queues Statistics
The Queues Statistics Page displays queue statistics, including statistics of forwarded and dropped packets, based on interface, queue, and drop precedence.
STEP 3 Enter the parameters.
• Counter Set—Select the counter set:
- Set 1—Displays the statistics for Set 1 that contains all interfaces and queues with a high DP (Drop Precedence).
- Set 2—Displays the statistics for Set 2 that contains all interfaces and queues with a low DP.
• Interface—Select the ports for which statistics are displayed.
19 Configuring SNMP
This chapter describes the Simple Network Management Protocol (SNMP) feature that provides a method for managing network devices. It includes the following topics:
• SNMP Versions and Workflow
• Model OIDs
• Configuring SNMP Views
• Managing SNMP Users
• Creating SNMP Groups
• Defining SNMP Communities
• Notification Recipients
• SNMP Notification Filters
SNMP Versions and Workflow
The switch functions as an SNMP agent and supports SNMP v1, v2, and v3.
SNMP agents maintain a list of variables that are used to manage the switch. The variables are defined in the Management Information Base (MIB). The MIB presents the variables controlled by the agent.
NOTE SNMPv2 protocol has known security vulnerabilities, and it is recommended to use SNMPv3.
SNMP v3
In addition to the functionality provided by SNMP v1 and v2, SNMP v3 applies access control and new trap mechanisms to SNMPv1 and SNMPv2 PDUs.
SNMP Workflow
NOTE The switch comes with SNMP turned off by default. Before you can configure SNMP, you must turn on SNMP by using Security > TCP/UDP Services.
The following is the recommended series of actions for configuring SNMP:
If you decide to use SNMP v1 or v2:
Define a community by using the Add SNMP Community Page. The community can be associated with access rights and a view in Basic mode or with a group in Advanced mode.
• CISCO-SMI.mib
• CISCO-TC.mib
• CISCO-VTP-MIB.mib
• diffserv.mib
• draft-ietf-bridge-8021x.mib
• draft-ietf-bridge-rstpmib-04.mib
• draft-ietf-entmib-sensor-mib.mib
• draft-ietf-hubmib-etherif-mib-v3-00.mib
• draft-ietf-syslog-device-mib.mib
• ianaaddrfamnumbers.mib
• ianaifty.mib
• ianaprot.mib
• inet-address-mib.mib
• ip-forward-mib.mib
• ip-mib.mib
• lldp.mib
• p-bridge-mib.mib
• q-bridge-mib.mib
• RFC-1212.
• rfc2011.mib
• rfc2012.mib
• rfc2013.mib
• rfc2096.mib
• rfc2233.mib
• rfc2571.mib
• rfc2572.mib
• rfc2573.mib
• rfc2574.mib
• rfc2575.mib
• rfc2576.mib
• rfc2613.mib
• rfc2618.mib
• rfc2620.mib
• rfc2665.mib
• rfc2668.mib
• rfc2674.mib
• rfc2737.mib
• rfc2851.mib
• rfc2925.mib
• rfc3621.mib
• rfc4668.mib
• rfc4670.mib
• rmon2.mib
• SNMPv2-CONF.mib
• SNMPv2-SMI.mib
• SNMPv2-TC.
• trunk.mib
• udp-mib.
Model OIDs
The following are the switch model Object IDs (OIDs):
Model Name | Description | Ports | Object ID
SG 300-10 | 10-port Gigabit Managed Switch | g1-g10 | 9.6.1.83.10.1
SG 300-10MP | 10-port Gigabit PoE Managed Switch | g1-g10 | 9.6.1.83.10.3
SG 300-10P | 10-port Gigabit PoE Managed Switch | g1-g10 | 9.6.1.83.10.2
SG 300-20 | 20-port Gigabit Managed Switch | g1-g20 | 9.6.1.83.20.1
SG 300-28 | 28-port Gigabit Managed Switch | g1-g28 | 9.6.1.83.28.
The Object IDs are placed under: enterprises(1).cisco(9).otherEnterprises(6).ciscosb(1).
The MIB root is 1.3.6.1.4.1.9.6.1.101.
SNMP Engine ID
The Engine ID is only used by SNMPv3 entities to uniquely identify them. An SNMP agent is considered an authoritative SNMP engine. This means that the agent responds to incoming messages (Get, GetNext, GetBulk, Set), and sends Trap messages to a manager. The agent's local information is encapsulated in fields in the message.
• User defined—Enter the local device engine ID. The field value is a hexadecimal string (range: 10 - 64). Each byte in the hexadecimal character strings is represented by two hexadecimal digits. Each byte can be separated by a period or a colon.
STEP 3 Click Apply. The switch is updated.
Configuring SNMP Views
A view is a user-defined label for a collection of MIB tree subtrees.
STEP 4 Enter the parameters.
• View Name—Enter a view name.
• Object ID Subtree—Select the node in the MIB tree that is included or excluded in the selected SNMP view. The options to select the object are as follows:
- Select from List—Enables you to navigate the MIB tree. Press the Up arrow to go to the level of the selected node's parent and siblings; press the Down arrow to descend to the level of the selected node's descendants.
Creating SNMP Groups
In SNMPv1 and SNMPv2, a community string is sent along with the SNMP frames. The community string acts as a password to gain access to an SNMP agent. However, neither the frames nor the community string is encrypted, so SNMPv1 and SNMPv2 are not secure.
In SNMPv3, there are two security mechanisms, and both can be configured.
• Authentication—The switch checks that the SNMP user is an authorized system administrator.
• Security Level—Define the security level attached to the group. Security levels apply to SNMPv3 only.
- No Authentication—Neither the Authentication nor the Privacy security levels are assigned to the group.
- Authentication—Authenticates SNMP messages, and ensures the SNMP message origin is authenticated but does not encrypt them, meaning that they can be intercepted and read.
- Privacy—Encrypts SNMP messages.
Managing SNMP Users
A user can only be a member of a single group.
To create an SNMPv3 user, the following must first exist:
• An engine ID must first be configured on the switch. This can be done in the Engine ID Page.
• An SNMPv3 group must be available. An SNMPv3 group can be defined in the Groups Page.
SNMP users are not saved to the configuration file for security reasons.
• Authentication Method—Select the Authentication method. The options are:
- None—No user authentication is used.
- MD5 Password—Users must enter a password that is encrypted using the MD5 authentication method.
- SHA Password—Users must enter a password that is encrypted by using the SHA (Secure Hash Algorithm) authentication method.
- MD5 Key—Users are authenticated by using a valid MD5 key.
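The Engine ID format and the password and key authentication options above meet in SNMPv3 key localization. The following Python sketch is an added example, not code from this guide or from the switch: it parses an engine ID in the format the Engine ID Page describes and derives the per-agent MD5 and SHA keys, assuming the switch follows the standard User-based Security Model (RFC 3414) and that the 10-64 range counts hexadecimal digits. The function names are hypothetical.

```python
import hashlib
import re

def parse_engine_id(text):
    """Parse a user-defined engine ID: two hex digits per byte, bytes
    optionally separated by '.' or ':'. Assumption: the 10-64 range
    counts hex digits, i.e. 5 to 32 bytes."""
    text = text.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]{2}(?:[.:]?[0-9A-Fa-f]{2})*", text):
        raise ValueError("engine ID must be hex byte pairs, '.' or ':' separated")
    digits = re.sub(r"[.:]", "", text)
    if not 10 <= len(digits) <= 64:
        raise ValueError("engine ID must be 10 to 64 hex digits")
    engine_id = bytes.fromhex(digits)
    # RFC 3411 forbids the all-zeros and all-0xFF values.
    if set(engine_id) in ({0x00}, {0xFF}):
        raise ValueError("engine ID must not be all zeros or all FF")
    return engine_id

def password_to_key(password, algorithm):
    """RFC 3414 A.2: hash the first 1,048,576 bytes of the password
    repeated end to end. algorithm is 'md5' or 'sha1'."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(algorithm, pw * reps + pw[:rem]).digest()

def localized_key(password, engine_id_text, algorithm):
    """Bind the user key to one agent: H(Ku || engineID || Ku)."""
    ku = password_to_key(password, algorithm)
    engine_id = parse_engine_id(engine_id_text)
    return hashlib.new(algorithm, ku + engine_id + ku).digest()

# Password and engine ID are the published RFC 3414 A.3 test inputs.
RFC_ENGINE_ID = "00:00:00:00:00:00:00:00:00:00:00:02"
# Constructed second engine ID, for comparison only.
OTHER_ENGINE_ID = "80.00.00.09.03.00.00.00.00.00.01"

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, localized_key("maplesyrup", RFC_ENGINE_ID, algo).hex())
    # The same password on another engine ID yields a different key.
    print(localized_key("maplesyrup", OTHER_ENGINE_ID, "sha1").hex())
```

Because the engine ID is hashed into every localized key, changing the engine ID after users exist leaves their stored keys unusable, and a key taken from one agent does not authenticate to an agent with a different engine ID.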
Defining SNMP Communities
The Communities Page associates communities with access rights, either directly (Basic mode) or through groups (Advanced mode):
• Basic mode - The access rights of a community can be configured as Read Only, Read Write, or SNMP Admin. In addition, you can restrict the access to the community to only certain MIB objects using a view. Views are defined in the SNMP Views Page.
• Advanced Mode - The access rights of a community are defined by a group.
• Community String—Enter the community name (password) used to authenticate the management station to the device.
• Basic—Select this mode for a selected community. In this mode, there is no connection to any group. You can only choose the community access level (R/O, R/W, or Admin) and, optionally, further qualify it for a specific view. By default, it applies to the entire MIB.
Defining Trap Settings
The Trap Settings Page enables configuring whether SNMP notifications are sent from the switch, and for which cases. The recipients of the SNMP notifications can be configured in the SNMPv1,2 Notification Recipient Page, or the SNMPv3 Notification Recipient Page.
To define trap settings:
STEP 1 Click SNMP > Trap Settings. The Trap Settings Page opens.
Notification Recipients
It is also possible to filter certain notifications. This can be done by creating a filter in the Notification Filter Page and attaching it to an SNMP notification recipient. The notification filter enables filtering the type of SNMP notifications that are sent to the management station based on the OID of the notification that is about to be sent.
• Notification Filter—Select to enable filtering the type of SNMP notifications sent to the management station. The filters are created in the Notification Filter Page.
• Filter Name—Select the SNMP filter that defines the information contained in traps (defined in the Notification Filter Page).
• (Inform) Timeout—Enter the number of seconds the device waits before resending informs. Timeout range: 1-300, default: 15.
• Recipient IP Address—Enter the IP address to which the traps are sent.
• UDP Port—Enter the UDP port used for notifications on the recipient device.
• User Name—Enter the user to whom SNMP notifications are sent.
• Security Level—Select how much authentication is applied to the packet. The options are:
- No Authentication—Indicates the packet is neither authenticated nor encrypted.
SNMP Notification Filters
The Notification Filter Page enables configuring SNMP notification filters and Object IDs (OIDs) that are checked. After creating a notification filter, it is possible to attach it to a notification recipient in the SNMPv1,2 Notification Recipient Page, and SNMP v3 Notification Recipient page.
• Include in filter—If you used Select from list, the object identifier of the selected node is included in or excluded from the notification filter if the Include in filter option is selected. If you used Object ID, the entered object identifier is included in or excluded from the notification filter if the Include in filter option is selected. This means that the node and its descendants are included or excluded from the notification filter.
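SNMP views and notification filters are both lists of included and excluded MIB subtrees, so one evaluation routine can audit either. The following Python sketch is an added example, not code from this guide or from the switch; it assumes the standard view-based access control precedence (RFC 3415: the longest matching subtree decides, and an OID that matches no subtree is outside the view), and the sample view and function names are constructed for illustration.

```python
def parse_oid(text):
    """'1.3.6.1' (a leading dot is allowed) -> (1, 3, 6, 1)."""
    parts = text.strip().lstrip(".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric OID: {text!r}")
    return tuple(int(p) for p in parts)

def in_view(view, oid_text):
    """True if the OID is visible through the view (or passes the filter).
    view is a list of (subtree, included) pairs. The longest subtree that
    prefixes the OID decides; an OID matching no subtree is not in view."""
    oid = parse_oid(oid_text)
    best_len, verdict = -1, False
    for subtree_text, included in view:
        subtree = parse_oid(subtree_text)
        if oid[:len(subtree)] != subtree:
            continue
        if len(subtree) > best_len:
            best_len, verdict = len(subtree), included
        elif len(subtree) == best_len:
            verdict = verdict and included  # duplicate entry: exclusion wins
    return verdict

# Constructed read-only view. 1.3.6.1.4.1.9.6.1.101 is the MIB root quoted
# in this chapter; the .1 child under it is a made-up node for illustration.
READ_VIEW = [
    ("1.3.6.1", True),                   # internet: everything...
    ("1.3.6.1.6.3", False),              # ...except snmpModules
    ("1.3.6.1.4.1.9.6.1.101", False),    # ...and the vendor subtree
    ("1.3.6.1.4.1.9.6.1.101.1", True),   # one vendor branch re-included
]

# Standard tables that hold SNMP users, views and community strings.
SENSITIVE = {
    "1.3.6.1.6.3.15.1.2.2": "usmUserTable",
    "1.3.6.1.6.3.16.1.5.2": "vacmViewTreeFamilyTable",
    "1.3.6.1.6.3.18.1.1": "snmpCommunityTable",
}

def exposed(view):
    """Names of sensitive tables that the view still lets a reader walk."""
    return sorted(name for oid, name in SENSITIVE.items() if in_view(view, oid))

if __name__ == "__main__":
    print("restricted view exposes:", exposed(READ_VIEW))
    print("whole-MIB view exposes:", exposed([("1.3.6.1", True)]))
```

Running `exposed` against each community's view shows which communities can still read the SNMP configuration tables, which is the case for any community left on the default of the entire MIB.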
20 Console Menu Interface
The switch provides a menu-driven console interface for basic configuration of the switch. The console interface is useful for switch configuration when:
• The switch does not have a defined IP address, the IP address is not known, or only a direct serial cable connection can be used to communicate with the switch.
• You must configure features, such as an SSL/SSH certificate, that cannot be configured by using the web-based switch configuration utility.
Connecting By Using a Terminal Emulation Application
STEP 3 Enter a name for this connection, and optionally select an icon for the application shortcut that is created.
STEP 4 Click OK. The Connect To window displays.
STEP 5 If you connected to the switch with serial cable, select the COM port that links your PC to the switch from the Connect drop-down list. Otherwise, select TCP/IP.
STEP 7 Select Execute or press Enter. The Switch Main Menu displays.
STEP 8 Continue to the Console Interface Main Menu section.
Communicating By Using a TCP/IP Connection
It is assumed that in the terminal emulation application, you have selected TCP/IP.
NOTE Telnet must be enabled on the switch.
To display the console menu:
STEP 1 Enter the IP address of the switch in the Host Address field.
STEP 2 Click OK.
Connecting By Using Telnet
Telnet is disabled by default. It must be enabled by using the web-based switch configuration utility or the console interface and a serial cable connection. The procedure for enabling Telnet by using the console interface is described in the Telnet Configuration section.
To open the console interface by running Telnet in the Windows command-line:
STEP 1 Select Start > Run.
STEP 2 Enter CMD in the Open field and press Enter.
Console Configuration Menu Navigation
The console interface has two parts, the options list and the action list. Navigate through the configuration parameters by using the options list. Manage the Running Configuration by using the action list.
For example, your workflow to change a parameter value is:
1. Navigate to the appropriate options list.
2. Select Edit by using the arrow keys to navigate to and highlight the action and press Enter.
Console Interface Main Menu
Each console interface menu lists the options in a numbered list.
System Information
Path: Switch Main Menu > System Configuration Menu > System Information
Use the System Information menu to view the switch firmware versions and general system information. You can also change the hostname or location description.
• Versions
• General System Information
Versions
Path: Switch Main Menu > System Configuration Menu > System Information > Versions
Versions displays the software, boot, and hardware firmware versions.
Use Serial Port Configuration to view or change the baud rate of the configuration port. If you are using a Windows HyperTerminal application and you change the baud rate parameter value, you must log off the application and reset the session to match the values.
SSH Crypto Key Generation
Path: Switch Main Menu > System Configuration Menu > Management Settings > SSH Configuration > SSH Crypto Key Generation
Use SSH Crypto Key Generation to view the SSH Public Key Length or to generate an SSH Crypto Key.
To generate an SSH Crypto Key:
STEP 1 Select Edit.
STEP 2 Use the SPACE bar to toggle between the RSA and DSA options.
STEP 3 Press ESC to return to the Action List.
STEP 4 Select Execute, and press Enter.
Security Settings
Path: Switch Main Menu > System Configuration Menu
Use Security Settings to configure security on the switch, as well as to generate and display the SSL certificate.
SSL Certificate Generation
Path: Switch Main Menu > System Configuration Menu > Security Settings
Use Certificate Generation to create a device-generated SSL certificate.
• Public Key Length—Specifies the SSL RSA key length.
Select Default VLAN Setup to display the Default VLAN Setup.
• Interface Type—Select the interface type, LAG, VLAN, or GE (IPv4 Address Add).
• Interface Number—Enter the interface number (IPv4 Address Add).
IPv4 Address Table
Path: Switch Main Menu > System Configuration Menu > IP Configuration
The IP Address Table displays the IPv4 addresses in Layer 3.
• Delete/Keep—Use the SPACE bar to toggle between Delete and Keep. When the action is executed, this entry is acted upon based on your selection.
• Prefix Length—The length of the Global IPv6 prefix as a decimal value from 0-128, indicating the number of high-order contiguous bits of the address that comprise the prefix (the network portion of the address).
HTTPS Configuration
Path: Switch Main Menu > System Configuration Menu > IP Configuration > HTTPS Configuration
Use the HTTPS Configuration option to enable or disable the HTTPS server, set the HTTPS server port number, or check the status of the HTTPS Certificate.
TraceRoute IPv4
Path: Switch Main Menu > System Configuration Menu > IP Configuration > Network Configuration > TraceRoute IPv4
Use the TraceRoute IPv4 option to enter the IPv4 address for the network route you want to trace. Select Execute to begin the test. The results are displayed in the Status field. After the traceroute test is complete, it displays the IP address, status, and statistics of the traceroute test.
File Management
Path: Switch Main Menu > System Configuration Menu > File Management
Use the File Management Menu to upload or download files or change the Active Image.
• Upgrade/Backup • Upgrade/Backup • Active Image
There are two firmware images, Image1 and Image2, stored on the switch. One of the images is identified as the active image and the other image is identified as the inactive image.
To download a new boot file and image, perform the following:
STEP 1 If required, download the new boot code. DO NOT REBOOT THE DEVICE. Set the Source File to TFTP and the Destination File to boot by using the SPACE bar to toggle the values. File Name is the name of the boot file to be downloaded. IP Address is the IP address of the TFTP server.
STEP 2 If required, download the new firmware image.
Path: Switch Main Menu > System Configuration Menu > Reset to Factory Defaults
To restore the switch to the factory default settings, select Reset to Factory Defaults and press Enter. You will be asked if you want to continue. Type Y to restore the switch default settings, or type N to cancel.
Reboot System
Path: Switch Main Menu > System Configuration Menu > Reboot System
Select Reboot System and press Enter if you want to restart the switch.
Port Configuration
Path: Switch Main Menu > Port Configuration Menu > Port Configuration
Use the Port Configuration option to change the parameters of the non-PoE ports. You can enable or disable the ports, enable or disable Auto Negotiation, set the speed and duplex (Auto, 10H, 100H, 10F, 100F, 1000F), and set Flow Control (On, Off, Auto). Twelve ports are displayed at one time. Use the arrow keys to scroll up or down the list.