0G/40G Top-of-Rack Switches AS5700-54X AS6700-32X Software Release v1.1.163.153 Web Management Guide www.edge-core.
Web Management Guide

AS5700-54X: 54-Port 10G Data Center Switch with 48 10GBASE SFP+ Ports, 6 40GBASE QSFP Ports, 2 Power Supply Units, and 5 Fan Trays (5 Fans – F2B and B2F Airflow)

AS6700-32X: 32-Port 40G Data Center Switch with 20 40G QSFP+ Ports, 2 40G Expansion Slots, 2 Power Supply Units, and 5 Fan Trays (5 Fans – F2B or B2F Airflow)

E122015/ST-R02
How to Use This Guide

This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.

Who Should Read This Guide?

This guide is for network administrators who are responsible for operating and maintaining network equipment.
For information on how to install the switch, see the following guide:

◆ Installation Guide

For all safety information and regulatory statements, see the following documents:

◆ Quick Start Guide
◆ Safety and Regulatory Information

Conventions

The following conventions are used throughout this guide to show information:

Note: Emphasizes important information or calls your attention to related features or instructions.
Table 1: Revision History (Continued)

Description of Changes

Added (Continued):

◆ "Displaying Transceiver Data" on page 123
◆ "DHCP Snooping" on page 318
◆ "Connectivity Fault Management" on page 390
◆ "MLD Snooping (Snooping and Query for IPv6)" on page 462
◆ "Layer 3 IGMP (Query used with Multicast Routing)" on page 470
◆ "Domain Name Service" on page 505
◆ "Configuring the Routing Information Protocol" on page 544
◆ "Specifying Passive Interfaces" on page 596
◆ "Multicast Routing" on page 599

Update
Contents Section I How to Use This Guide 3 Contents 7 Figures 19 Tables 33 Getting Started 35 1 Introduction 37 Key Features 37 Description of Software Features 38 Equal-cost Multipath Load Balancing System Defaults Section II 42 44 Web Configuration 47 2 Using the Web Interface 49 Connecting to the Web Interface 49 Navigating the Web Browser Interface 50 Home Page 50 Configuration Options 51 Panel Display 51 Main Menu 52 3 Basic Management Tasks 71 Displaying System I
Contents Managing System Files 77 Copying Files via FTP/TFTP or HTTP 77 Saving the Running Configuration to a Local File 79 Setting The Start-Up File 80 Showing System Files 80 Automatic Operation Code Upgrade 81 Setting the System Clock 85 Setting the Time Manually 85 Setting the SNTP Polling Interval 86 Configuring NTP 87 Configuring Time Servers 88 Setting the Time Zone 92 Configuring The Console Port 93 Configuring Telnet Settings 95 Displaying CPU Utilization 97 Displayin
Contents Configuring Load Balancing Traffic Segmentation 139 141 Enabling Traffic Segmentation 141 Configuring Uplink and Downlink Ports 142 5 VLAN Configuration 145 IEEE 802.1Q VLANs 145 Configuring VLAN Groups 147 Adding Static Members to VLANs 150 IEEE 802.
Contents 9 Class of Service 199 Layer 2 Queue Settings 199 Setting the Default Priority for Interfaces 199 Selecting the Queue Mode 200 Mapping CoS Values to Egress Queues 203 Layer 3/4 Priority Settings 206 Setting Priority Processing to IP Precedence/DSCP or CoS 206 Mapping Ingress DSCP Values to Internal DSCP Values 207 Mapping CoS Priorities to Internal DSCP Values 210 Mapping Internal DSCP Values to Egress CoS Values 212 Mapping IP Precedence Values to Internal DSCP Values 214 Ma
Contents Configuring the Secure Shell 258 Configuring the SSH Server 261 Generating the Host Key Pair 262 Showing the Host Key Pair 264 Importing User Public Keys 265 Access Control Lists 267 Showing TCAM Utilization 269 Setting the ACL Name and Type 270 Configuring a Standard IPv4 ACL 272 Configuring an Extended IPv4 ACL 273 Configuring a Standard IPv6 ACL 275 Configuring an Extended IPv6 ACL 277 Configuring a MAC ACL 278 Configuring an ARP ACL 280 Binding a Port to an Access C
Contents Configuring Static Bindings for IPv6 Source Guard 316 Displaying Information for Dynamic IPv6 Source Guard Bindings 318 DHCP Snooping 319 DHCP Snooping Global Configuration 321 DHCP Snooping VLAN Configuration 323 Configuring Interfaces for DHCP Snooping 324 Displaying DHCP Snooping Binding Information 325 12 Basic Administration Protocols Configuring Event Logging 327 327 System Log Configuration 327 Remote Log Configuration 330 Link Layer Discovery Protocol 331 Setting LLDP
Contents Configuring RMON Statistical Samples Connectivity Fault Management 388 390 Configuring Global Settings for CFM 394 Configuring Interfaces for CFM 397 Configuring CFM Maintenance Domains 398 Configuring CFM Maintenance Associations 403 Configuring Maintenance End Points 407 Configuring Remote Maintenance End Points 409 Transmitting Link Trace Messages 411 Transmitting Loop Back Messages 412 Transmitting Delay-Measure Requests 414 Displaying Local MEPs 416 Displaying Details fo
Contents Filtering and Throttling IGMP Groups 457 Enabling IGMP Filtering and Throttling 457 Configuring IGMP Filter Profiles 458 Configuring IGMP Filtering and Throttling for Interfaces 460 MLD Snooping (Snooping and Query for IPv6) 462 Configuring MLD Snooping and Query Parameters 462 Setting Immediate Leave Status for MLD Snooping per Interface 464 Specifying Static Interfaces for an IPv6 Multicast Router 465 Assigning Interfaces to IPv6 Multicast Services 467 Showing MLD Snooping Grou
Contents Configuring DHCP Relay Service 16 General IP Routing 513 515 Overview 515 Initial Configuration 515 IP Routing and Switching 516 Routing Path Management 517 Routing Protocols 518 Configuring IP Routing Interfaces 518 Configuring Local and Remote Interfaces 518 Using the Ping Function 519 Using the Trace Route Function 520 Address Resolution Protocol 522 ARP Timeout Configuration 522 Configuring Static ARP Addresses 523 Displaying Dynamic or Local ARP Entries 525 Displ
Contents Configuring Network Interfaces for RIP 556 Displaying RIP Interface Settings 560 Displaying Peer Router Information 561 Resetting RIP Statistics 561 Configuring the Open Shortest Path First Protocol (Version 2) 562 Defining Network Areas Based on Addresses 563 Configuring General Protocol Settings 566 Displaying Administrative Settings and Statistics 569 Adding an NSSA or Stub 571 Configuring NSSA Settings 572 Configuring Stub Settings 575 Displaying Information on NSSA and S
Contents Displaying PIM RP Mapping Configuring PIMv6 for IPv6 Section III 622 623 Enabling PIMv6 Globally 623 Configuring PIMv6 Interface Settings 624 Displaying PIM6 Neighbor Information 629 Configuring Global PIM6-SM Settings 630 Configuring a PIM6 BSR Candidate 631 Configuring a PIM6 Static Rendezvous Point 633 Configuring a PIM6 RP Candidate 635 Displaying the PIM6 BSR Router 637 Displaying RP Mapping 638 Appendices 641 A Software Specifications 643 Software Features 643 Mana
Figures Figure 1: Home Page 50 Figure 2: Front Panel Indicators 51 Figure 3: System Information 72 Figure 4: General Switch Information 73 Figure 5: Configuring Support for Jumbo Frames 75 Figure 6: Displaying Bridge Extension Configuration 76 Figure 7: Copy Firmware 78 Figure 8: Saving the Running Configuration 79 Figure 9: Setting Start-Up Files 80 Figure 10: Displaying System Files 81 Figure 11: Configuring Automatic Code Upgrade 84 Figure 12: Manually Setting the System Clock 86
Figures Figure 30: Configuring Connections by Port Range 107 Figure 31: Displaying Port Information 108 Figure 32: Configuring Local Port Mirroring 108 Figure 33: Configuring Local Port Mirroring 109 Figure 34: Displaying Local Port Mirror Sessions 109 Figure 35: Configuring Remote Port Mirroring 110 Figure 36: Configuring Remote Port Mirroring (Source) 113 Figure 37: Configuring Remote Port Mirroring (Intermediate) 113 Figure 38: Configuring Remote Port Mirroring (Destination) 114 Figure
Figures Figure 65: Configuring Members for Traffic Segmentation 143 Figure 66: Showing Traffic Segmentation Members 144 Figure 67: VLAN Compliant and VLAN Non-compliant Devices 146 Figure 68: Creating Static VLANs 148 Figure 69: Modifying Settings for Static VLANs 149 Figure 70: Showing Static VLANs 149 Figure 71: Configuring Static Members by VLAN Index 152 Figure 72: Configuring Static VLAN Members by Interface 153 Figure 73: Configuring Static VLAN Members by Interface Range 153 Figure
Figures Figure 100: Modifying the Priority for an MST Instance 191 Figure 101: Displaying Global Settings for an MST Instance 191 Figure 102: Adding a VLAN to an MST Instance 192 Figure 103: Displaying Members of an MST Instance 192 Figure 104: Configuring MSTP Interface Settings 194 Figure 105: Displaying MSTP Interface Settings 194 Figure 106: Configuring Rate Limits 196 Figure 107: Configuring Storm Control 197 Figure 108: Setting the Default Port Priority 200 Figure 109: Setting the Q
Figures Figure 135: Authentication Server Operation 238 Figure 136: Configuring Remote Authentication Server (RADIUS) 241 Figure 137: Configuring Remote Authentication Server (TACACS+) 241 Figure 138: Configuring User Accounts 243 Figure 139: Showing User Accounts 243 Figure 140: Configuring Global Settings for Web Authentication 245 Figure 141: Configuring Interface Settings for Web Authentication 246 Figure 142: Configuring Global Settings for Network Access 249 Figure 143: Configuring In
Figures Figure 170: Configuring VLAN Settings for ARP Inspection 290 Figure 171: Configuring Interface Settings for ARP Inspection 291 Figure 172: Displaying Statistics for ARP Inspection 293 Figure 173: Displaying the ARP Inspection Log 294 Figure 174: Creating an IP Address Filter for Management Access 295 Figure 175: Showing IP Addresses Authorized for Management Access 295 Figure 176: Configuring Port Security 298 Figure 177: Configuring Port Security 299 Figure 178: Configuring Global
Figures Figure 205: Displaying Remote Device Information for LLDP (End Node) 351 Figure 206: Displaying LLDP Device Statistics (General) 352 Figure 207: Displaying LLDP Device Statistics (Port) 353 Figure 208: Configuring Global Settings for SNMP 356 Figure 209: Configuring the Local Engine ID for SNMP 357 Figure 210: Configuring a Remote Engine ID for SNMP 358 Figure 211: Showing Remote Engine IDs for SNMP 358 Figure 212: Creating an SNMP View 359 Figure 213: Showing SNMP Views 360 Figur
Figures Figure 240: Showing Configured RMON Statistical Samples 389 Figure 241: Showing Collected RMON Statistical Samples 390 Figure 242: Single CFM Maintenance Domain 392 Figure 243: Multiple CFM Maintenance Domains 392 Figure 244: Configuring Global Settings for CFM 397 Figure 245: Configuring Interfaces for CFM 398 Figure 246: Configuring Maintenance Domains 401 Figure 247: Showing Maintenance Domains 402 Figure 248: Configuring Detailed Settings for Maintenance Domains 402 Figure 249
Figures Figure 275: Showing Current Interfaces Attached an IPv4 Multicast Router 443 Figure 276: Assigning an Interface to an IPv4 Multicast Service 444 Figure 277: Showing Static Interfaces Assigned to an IPv4 Multicast Service 444 Figure 278: Showing Current Interfaces Attached a Multicast Router 445 Figure 279: Configuring IGMP Snooping on a VLAN 450 Figure 280: Showing Interface Settings for IGMP Snooping 451 Figure 281: Dropping IGMP Query Packets 452 Figure 282: Showing Multicast Groups
Figures Figure 310: Showing the IPv4 Address Configured for an Interface 485 Figure 311: Configuring the IPv6 Default Gateway 486 Figure 312: Configuring General Settings for an IPv6 Interface 490 Figure 313: Configuring RA Guard for an IPv6 Interface 491 Figure 314: Configuring an IPv6 Address 493 Figure 315: Showing Configured IPv6 Addresses 495 Figure 316: Showing IPv6 Neighbors 496 Figure 317: Showing IPv6 Statistics (IPv6) 501 Figure 318: Showing IPv6 Statistics (ICMPv6) 502 Figure 3
Figures Figure 345: Several Virtual Master Routers Using Backup Routers 534 Figure 346: Several Virtual Master Routers Configured for Mutual Backup and Load Sharing 534 Figure 347: Configuring the VRRP Group ID 538 Figure 348: Showing Configured VRRP Groups 538 Figure 349: Setting the Virtual Router Address for a VRRP Group 539 Figure 350: Showing the Virtual Addresses Assigned to VRRP Groups 539 Figure 351: Configuring Detailed Settings for a VRRP Group 540 Figure 352: Showing Counters for Err
Figures Figure 380: Adding an NSSA or Stub 571 Figure 381: Showing NSSAs or Stubs 572 Figure 382: 572 OSPF NSSA Figure 383: Configuring Protocol Settings for an NSSA 575 Figure 384: 575 OSPF Stub Area Figure 385: Configuring Protocol Settings for a Stub 577 Figure 386: Displaying Information on NSSA and Stub Areas 578 Figure 387: 578 Route Summarization for ABRs Figure 388: Configuring Route Summaries for an Area Range 579 Figure 389: Showing Configured Route Summaries 580 Figure 390
Figures Figure 415: Configuring PIM Interface Settings (Dense Mode) 612 Figure 416: Configuring PIM Interface Settings (Sparse Mode) 613 Figure 417: Showing PIM Neighbors 613 Figure 418: Configuring Global Settings for PIM-SM 615 Figure 419: Configuring a PIM-SM BSR Candidate 616 Figure 420: Configuring a PIM Static Rendezvous Point 618 Figure 421: Showing PIM Static Rendezvous Points 618 Figure 422: Configuring a PIM RP Candidate 620 Figure 423: Showing Settings for a PIM RP Candidate 620
Tables Table 1: Revision History 4 Table 2: Key Features 37 Table 3: System Defaults 44 Table 4: Web Page Configuration Buttons 51 Table 5: Switch Main Menu 52 Table 6: Port Statistics 114 Table 7: LACP Port Counters 135 Table 8: LACP Internal Configuration Information 136 Table 9: LACP Remote Device Configuration Information 138 Table 10: Traffic Segmentation Forwarding 142 Table 11: Recommended STA Path Cost Range 182 Table 12: Default STA Path Costs 183 Table 13: IEEE 802.
Tables Table 30: Port ID Subtype 341 Table 31: Remote Port Auto-Negotiation Advertised Capability 345 Table 32: SNMPv3 Security Models and Levels 354 Table 33: Supported Notification Messages 362 Table 34: Remote MEP Priority Levels 400 Table 35: MEP Defect Descriptions 400 Table 36: Show IPv6 Neighbors - display description 495 Table 37: Show IPv6 Statistics - display description 497 Table 38: Show MTU - display description 503 Table 39: Options 60, 66 and 67 Statements 511 Table 40: O
Section I: Getting Started

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 Introduction

This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Chapter 1 | Introduction
Description of Software Features

Table 2: Key Features (Continued)

Address Table – 32K MAC addresses in forwarding table, 1K static MAC addresses; 8K entries in ARP cache, 256 static ARP entries; 512 static IP routes, 512 IP interfaces; 12K IPv4 entries in host table; 8K IPv4 entries in routing table; 6K IPv6 entries in host table; 4K IPv6 entries in routing table; 1K L2 IPv4 multicast groups; 1K L3 IPv4 multicast groups (shared with IPv6); 1K L3 IPv6 multicast
Some of the management features are briefly described below.

Configuration Backup and Restore

You can save the current configuration settings to a file on the management station (using the web interface) or an FTP/TFTP server (using the web or console interface), and later download this file to restore the switch configuration settings.

Authentication

This switch authenticates management access via the console port, Telnet, or a web browser.
Storm Control

Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of traffic passing through the port is restricted. If traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.

Static MAC

A static address can be assigned to a specific interface on this switch.
STP-compliant mode if they detect STP protocol messages from attached devices.

◆ Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs.
in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.

IP Routing

The switch provides Layer 3 IP routing. To maintain a high rate of throughput, the switch forwards all traffic passing within the same segment, and routes only traffic that passes between different subnetworks.
this protocol is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.

Address Resolution Protocol

The switch uses ARP and Proxy ARP to convert between IP addresses and MAC (hardware) addresses. This switch supports conventional ARP, which locates the MAC address corresponding to a given IP address.
System Defaults

The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file.

The following table lists some of the basic system defaults.
Table 3: System Defaults (Continued)

Function | Parameter | Default
Port Configuration | Admin Status | Enabled
 | Auto-negotiation | Enabled
 | Flow Control | Disabled
 | Static Trunks | None
 | LACP (all ports) | Disabled
Congestion Control | Storm Control | Broadcast: Enabled (500 packets/sec); Multicast: Disabled; Unknown Unicast: Disabled
Address Table | Aging Time | 300 seconds
Spanning Tree Algorithm | Status | Enabled, RSTP (Defaults: RSTP standard)
 | Edge Ports | Disabled
LLDP
Table 3: System Defaults (Continued)

Function | Parameter | Default
Unicast Routing | OSPF | Disabled
 | OSPFv3 | Disabled
 | BGPv4 | Disabled
Multicast Routing | Static | Disabled
Router Redundancy | VRRP | Disabled
Multicast Filtering | IGMP Snooping (Layer 2) | Snooping: Enabled; Querier: Disabled
System Log | Status | Enabled
 | Messages Logged to RAM | Levels 0-7 (all)
 | Messages Logged to Flash | Levels 0-3
SNTP | Clock Synchronization | Disabled
Section II: Web Configuration

This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
2 Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 8, Mozilla Firefox 37, Google Chrome 42, or later versions).

Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
Note: Connection to the web interface is not supported for HTTPS using an IPv6 link local address.

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.
Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 4: Web Page Configuration Buttons

Button | Action
Apply | Sets specified values to the system.
Main Menu

Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Description Page Interface 103 Port 104 General Configure by Port List Configures connection settings per port 104 Configure by Port Range Configures connection settings for a range of ports 106 Show Information Displays port connection status 107 Mirror 108 Add Sets the source and target ports for mirroring 108 Show Shows the configured mirror sessions 108 Statistics
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Description Page Internal Displays configuration settings and operational state for the local side of a link aggregation 137 Neighbors Displays configuration settings and operational state for the remote side of a link aggregation 139 Configure Trunk 130 Configure Configures connection settings 130 Show Displays port connection status 130 Show Member Shows the active members
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Description Page Configure Aging Sets timeout for dynamically learned entries 167 Show Dynamic MAC Displays dynamic entries in the address table 168 Clear Dynamic MAC Removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries 169 Configure Global Issues a trap when a dynamic MAC address is added
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Description Page DSCP to DSCP 207 Add Maps DSCP values in incoming packets to per-hop behavior and drop precedence values for internal priority processing 207 Show Shows the DSCP to DSCP mapping list 207 CoS to DSCP 210 Configure Maps CoS/CFI values in incoming packets to per-hop behavior and drop 210 precedence values for priority processing Show Shows the CoS to DSCP mapping
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Configure Interface Description Page Applies a policy map to an ingress port 233 Security AAA 235 Authentication, Authorization and Accounting 236 System Authentication Configures authentication sequence – local, RADIUS, and TACACS 237 Server Configures RADIUS and TACACS server message exchange settings 238 User Accounts 241 Add Configures user names, passwords, and access le
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu ACL Description Page Access Control Lists 266 Configure ACL 269 Show TCAM Shows utilization parameters for TCAM 268 Add Adds an ACL based on IP or MAC address filtering 269 Show Shows the name and type of configured ACLs 269 Add Rule Configures packet filtering based on IP or MAC addresses and other packet attributes 269 Show Rule Shows the rules specified for an ACL 269
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Description Page Configure ACL Table 308 Add Adds a static addresses to the source-guard binding table 308 Show Shows static addresses in the source-guard binding table 308 Configure MAC Table 308 Add Adds a static addresses to the source-guard binding table 308 Show Shows static addresses in the source-guard binding table 308 Displays the source-guard binding table for a s
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu SNMP Configure Global Description Page Simple Network Management Protocol 353 Enables SNMP agent status, and sets related trap functions 355 Configure Engine 356 Set Engine ID Sets the SNMP v3 engine ID on this switch 356 Add Remote Engine Sets the SNMP v3 engine ID for a remote device 357 Show Remote Engine Shows configured engine ID for remote devices 357 Configure View 3
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Description Page Alarm Shows all configured alarms 380 Event Shows all configured events 383 History Periodically samples statistics on a physical interface 385 Statistics Enables collection of statistics on a physical interface 388 History Shows sampling parameters for each entry in the history group 385 Statistics Shows sampling parameters for each entry in the statistics
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Description Page Transmit Link Trace Sends link trace messages to isolate connectivity faults by tracing the path through a network to the designated target node 411 Transmit Loopback Sends loopback messages to isolate connectivity faults by requesting a 412 target node to echo the message back to the source Transmit Delay Measure Sends periodic delay-measure requests to a specified
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Description Page Show Information 525 Dynamic Address Shows dynamically learned entries in the IP routing table 525 Other Address Shows internal addresses used by the switch 525 Statistics Shows statistics on ARP requests sent and received 525 Routing Static Routes 526 Add Configures static routing entries 526 Show Shows static routing entries 526 Routing Table 528 Sho
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Show MTU Description Page Shows the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch 503 IP Service DNS 505 Domain Name Service General 505 505 Configure Global Enables DNS lookup; defines the default domain name appended to incomplete host names 505 Add Domain Name Defines a list
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Description Page IGMP Member 443 Add Static Member Statically assigns multicast addresses to the selected VLAN 443 Show Static Member Shows multicast addresses statically configured on the selected VLAN 443 Show Current Member Shows multicast addresses associated with the selected VLAN, either through static or dynamic configuration 443 Interface 445 Configure VLAN Configures
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Description Page Show Static Member Shows multicast addresses statically configured on the selected VLAN 467 Show Current Member Shows multicast addresses associated with the selected VLAN, either through static or dynamic configuration 467 Displays known multicast groups, member ports, the means by which each group was learned, and the corresponding source list 469 Group Informati
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Show Description Page Shows the network interfaces that will use RIP 549 Passive Interface 551 Add Stops RIP broadcast and multicast messages from being sent on specified network interfaces 551 Show Shows the configured passive interfaces 551 Neighbor Address 552 Add Configures the router to directly exchange routing information with a static neighbor Show Shows adjacent hos
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Description Page Area Configure Area 571 Add Area Adds NSSA or stub 571 Show Area Shows configured NSSA or stub 571 Configure NSSA Area Configures settings for importing routes into or exporting routes out of not-so-stubby areas 572 Configure Stub Area Configures default cost, and settings for importing routes into a stub 575 Show Information Shows statistics for each area,
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 5: Switch Main Menu (Continued) Menu Description Page Suppresses OSPF routing traffic on the specified interface 551 Add Adds passive interface 551 Show Shows passive interfaces 551 Passive Interface PIM 607 General Enables PIM globally for the switch 607 Interface Enables PIM per interface, and sets the mode to dense or sparse 608 Neighbor Displays information neighboring PIM routers 613 Configure Global
Table 5: Switch Main Menu (Continued)

Menu | Description | Page
Show | Shows the multicast groups for which this switch is advertising itself as an RP candidate to the BSR | 635
Show Information | |
Show BSR Router | Displays information about the BSR | 637
Show RP Mapping | Displays the active RPs and associated multicast routing entries | 638
3 Basic Management Tasks

This chapter describes the following topics:

◆ Displaying System Information – Provides basic system description, including contact information.
◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames.
◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
◆ Resetting the System – Restarts the switch immediately, at a specified time, after a specified delay, or at a periodic interval.

Displaying System Information

Use the System > General page to identify the system by displaying information such as the device name, location and contact information.

Parameters

These parameters are displayed:

◆ System Description – Brief description of device type.
Displaying Hardware/Software Versions

Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.

Parameters

The following parameters are displayed:

Main Board Information

◆ Serial Number – The serial number of the switch.
◆ Number of Ports – Number of built-in ports.
◆ Hardware Version – Hardware version of the main board.
Figure 4: General Switch Information

Configuring Support for Jumbo Frames

Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames of up to 9216 bytes for Gigabit, 10 Gigabit, and 40 Gigabit Ethernet ports or trunks. Compared to standard Ethernet frames that run only up to 1.
Web Interface

To configure support for jumbo frames:

1. Click System, then Capability.
2. Enable or disable support for jumbo frames.
3. Click Apply.

Figure 5: Configuring Support for Jumbo Frames

Displaying Bridge Extension Capabilities

Use the System > Capability page to display settings based on the Bridge MIB.
◆ Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration” on page 145.)
◆ Max Supported VLAN Numbers – The maximum number of VLANs supported on this switch.
◆ Max Supported VLAN ID – The maximum configurable VLAN identifier supported on this switch.
Managing System Files

This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files.

Copying Files via FTP/TFTP or HTTP

Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP. By backing up a file to an FTP/TFTP server or management station, that file can later be downloaded to the switch to restore operation.
Note: The maximum number of user-defined configuration files is limited only by available flash memory space.

Note: The file “Factory_Default_Config.cfg” can be copied to a file server or management station, but cannot be used as the destination file name on the switch.

Web Interface

To copy firmware files:

1. Click System, then File.
2. Select Copy from the Action list.
3. Select FTP Upload, HTTP Upload, or TFTP Upload as the file transfer method.
Saving the Running Configuration to a Local File

Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted. You must save these settings to the current startup file, or to another file which can be subsequently set as the startup file.
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.

Setting The Start-Up File

Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.

Web Interface

To set a file to use for system initialization:

1. Click System, then File.
2. Select Set Start-Up from the Action list.
3.
Figure 10: Displaying System Files

Automatic Operation Code Upgrade

Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
aos5700-54x.bix and AOS5700-54X.BIX are considered to be unique files. Thus, if the upgrade file is stored as AOS5700-54X.BIX (or even Aos5700-54x.bix) on a case-sensitive server, then the switch (requesting AOS5700-54X.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal.
■ host – Defines the IP address of the TFTP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. DNS host names are not recognized.
■ filedir – Defines the directory, relative to the TFTP server root, where the upgrade file can be found. Nested directory structures are accepted.
The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options presented:

■ ftp://192.168.0.1/
  The user name and password are empty, so “anonymous” will be the user name and the password will be blank. The image file is in the FTP root directory.
■ ftp://switches:upgrade@192.168.0.1/
  The user name is “switches” and the password is “upgrade”.
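The URL and file-name rules above can be checked before a value is entered on the switch. The following Python sketch is an added example, not code from the switch or its vendor; the function names, the finding strings and the TFTP sample path are assumptions made here, while the host rule, the anonymous default and the requested file name come from the text above.

```python
from urllib.parse import urlsplit

# File name the guide says the switch requests (AS5700-54X example).
REQUESTED_IMAGE = "AOS5700-54X.bix"


def is_dotted_quad(host):
    """True only for four decimal numbers, 0 to 255, separated by periods."""
    parts = host.split(".")
    return len(parts) == 4 and all(
        p.isascii() and p.isdigit() and len(p) <= 3 and int(p) <= 255
        for p in parts
    )


def audit_upgrade_url(url):
    """Return (settings, findings) for an automatic-upgrade URL.

    Raises ValueError when the URL breaks a rule stated in the guide.
    The findings are review notes for the administrator (wording assumed).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("tftp", "ftp"):
        raise ValueError("scheme must be tftp or ftp")
    host = parts.hostname or ""
    if not is_dotted_quad(host):
        raise ValueError("host must be a dotted-quad IPv4 address; "
                         "DNS host names are not recognized")

    findings = []
    user, password = parts.username, parts.password
    if scheme == "tftp":
        # TFTP has no login exchange, so there is nothing to authenticate.
        user = password = None
        findings.append("TFTP is unauthenticated: keep the server on a "
                        "restricted management network")
    elif not user:
        # Guide: empty user name and password mean an anonymous login.
        user, password = "anonymous", ""
        findings.append("anonymous FTP login: anyone who can reach the "
                        "server can read the image directory")
    else:
        password = password or ""
        findings.append("FTP credentials are stored in the URL and sent "
                        "in cleartext: use an account limited to this task")

    settings = {
        "scheme": scheme,
        "host": host,
        "user": user,
        "password": password,
        # Directory relative to the server root; nested paths are accepted.
        "filedir": parts.path.strip("/"),
    }
    return settings, findings


def image_would_be_found(server_listing, case_sensitive_server=True):
    """Would the server match the name the switch asks for?"""
    if case_sensitive_server:
        return REQUESTED_IMAGE in server_listing
    wanted = REQUESTED_IMAGE.lower()
    return any(name.lower() == wanted for name in server_listing)


if __name__ == "__main__":
    samples = [
        "ftp://192.168.0.1/",                     # from the guide
        "ftp://switches:upgrade@192.168.0.1/",    # from the guide
        "tftp://192.168.0.1/switch-opcode/bin/",  # constructed sample
        "tftp://fileserver.example/",             # constructed: DNS name
    ]
    for url in samples:
        try:
            print(url, audit_upgrade_url(url))
        except ValueError as err:
            print(url, "rejected:", err)
    print(image_would_be_found(["AOS5700-54X.BIX"]))  # case-sensitive server
```
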
If a new image is found at the specified location, the following type of messages will be displayed during bootup.

  . . .
  Automatic Upgrade is looking for a new image
  New image detected: current version 1.1.1.0; new version 1.1.1.2
  Image upgrade in progress
  The switch will restart after upgrade succeeds
  Downloading new image
  Flash programming started
  Flash programming completed
  The switch will now restart
  . . .
Web Interface

To manually set the system clock:

1. Click System, then Time.
2. Select Configure General from the Step list.
3. Select Manual from the Maintain Type list.
4. Enter the time and date in the appropriate fields.
5.
Figure 13: Setting the Polling Interval for SNTP

Configuring NTP

Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.

Parameters

The following parameters are displayed:

◆ Current Time – Shows the current time set on the switch.
Figure 14: Configuring NTP

Configuring Time Servers

Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.

Specifying SNTP Time Servers

Use the System > Time (Configure Time Server – Configure SNTP Server) page to specify the IP address for up to three SNTP time servers.
Figure 15: Specifying SNTP Time Servers

Specifying NTP Time Servers

Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers.

Parameters

The following parameters are displayed:

◆ NTP Server IP Address – Adds the IPv4 or IPv6 address for up to 50 time servers.
Figure 16: Adding an NTP Time Server

To show the list of configured NTP time servers:

1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Show NTP Server from the Action list.

Figure 17: Showing the NTP Time Server List

Specifying NTP Authentication Keys

Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list.
Web Interface

To add an entry to NTP authentication key list:

1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Add NTP Authentication Key from the Action list.
4. Enter the index number and MD5 authentication key string.
5. Click Apply.

Figure 18: Adding an NTP Authentication Key

To show the list of configured NTP authentication keys:

1. Click System, then Time.
2.
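What the index number and MD5 key string entered above do on the wire, as an added example that is not code from the switch or its vendor: in NTP symmetric-key authentication (RFC 5905) the sender appends the 32-bit key identifier and an MD5 digest of the key followed by the packet header, and the receiver recomputes the digest with the key stored under that index. The key values and function names are constructed for illustration, and the sketch assumes the switch follows the standard format.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTP header that precedes the MAC
MAC_LEN = 4 + 16         # 32-bit key identifier + 128-bit MD5 digest


def build_client_header(transmit_ts):
    """Minimal 48-byte NTPv4 client request (LI=0, VN=4, Mode=3)."""
    first_byte = (0 << 6) | (4 << 3) | 3
    # Stratum, poll, precision and the next 36 bytes stay zero in this
    # sketch; the transmit timestamp occupies the last 8 bytes.
    return (struct.pack("!B3x", first_byte)
            + b"\x00" * 36
            + struct.pack("!Q", transmit_ts))


def sign(header, key_id, key):
    """Append key identifier and MD5(key || header) to the header."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keyring):
    """Check a packet against the local index -> key list.

    Returns (accepted, reason). The keyring plays the role of the
    switch's NTP authentication key list.
    """
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    digest = packet[NTP_HEADER_LEN + 4:]
    key = keyring.get(key_id)
    if key is None:
        return False, "unknown key index"
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """Run the four cases a time-server peer can present (constructed)."""
    server_keys = {1: b"constructed-key-one"}
    switch_keys = {1: b"constructed-key-one"}
    packet = sign(build_client_header(0x1122334455667788), 1, server_keys[1])

    # Same header with the transmit timestamp rewritten in transit.
    tampered = packet[:40] + b"\x00" * 8 + packet[48:]

    return {
        "matching index and key": verify(packet, switch_keys),
        "timestamp altered": verify(tampered, switch_keys),
        "key stored under another index": verify(packet, {2: switch_keys[1]}),
        "same index, different key": verify(packet, {1: b"other-key"}),
        "unauthenticated packet": verify(packet[:48], switch_keys),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32s} {result}")
```

The digest is a keyed prefix MD5, not an HMAC, so the protection rests on keeping the key string secret and identical, under the same index, on the switch and on the time server.
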
Setting the Time Zone

Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Figure 20: Setting the Time Zone

Configuring The Console Port

Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
◆ Data Bits – Sets the number of data bits per character that are interpreted and generated by the console port. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character. (Range: 1-8; Default: 8 bits)
◆ Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
◆ Parity – Defines the generation of a parity bit.
Figure 21: Console Port Settings

Configuring Telnet Settings

Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password.
◆ Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt.
Displaying CPU Utilization

Use the System > CPU Utilization page to display information on CPU utilization.

Parameters

The following parameters are displayed:

◆ Time Interval – The interval at which to update the displayed utilization rate. (Options: 1, 5, 10, 30, 60 seconds; Default: 1 second)
◆ CPU Utilization – CPU utilization over specified interval.

Web Interface

To display CPU utilization:

1. Click System, then CPU Utilization.
2.
Displaying Memory Utilization

Use the System > Memory Status page to display memory utilization parameters.

Parameters

The following parameters are displayed:

◆ Free Size – The amount of memory currently free for use.
◆ Used Size – The amount of memory allocated to active processes.
◆ Total – The total amount of system memory.

Web Interface

To display memory utilization:

1. Click System, then Memory Status.
◆ Delete – Deletes the marked entry.
◆ Revert – Cancels the current settings.

System Reload Configuration

The following parameters are displayed by clicking Configure in the Action menu:

◆ Reset Mode – Restarts the switch immediately or at the specified time(s).
  ■ Immediately – Restarts the system immediately.
  ■ In – Specifies an interval after which to reload the switch. (The specified time must be equal to or less than 24 days.
◆ Revert – Click this button to cancel any changes.

Web Interface

To restart the switch:

1. Click System, then Reset.
2. Select the required reset mode.
3. For any option other than to reset immediately, fill in the required parameters.
4. Click Apply.
5. When prompted, confirm that you want to reset the switch.
Figure 26: Restarting the Switch (In)
Figure 27: Restarting the Switch (At)
Figure 28: Restarting the Switch (Regularly)
4 Interface Configuration

This chapter describes the following topics:

◆ Port Configuration – Configures connection settings, including autonegotiation, or manual setting of speed, duplex mode, and flow control.
◆ Local Port Mirroring – Sets the source and target ports for mirroring on the local switch.
◆ Remote Port Mirroring – Configures mirroring of traffic from remote switches for analysis at a destination port on the local switch.
Port Configuration

This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics.

Configuring by Port List

Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
switch), and the payload. This should all be less than the configured port MTU, including the CRC at the end of the frame.

◆ For QinQ, the overall frame size is still calculated as described above, and does not add the length of the second tag to the frame.

Parameters

These parameters are displayed:

◆ Port – Port identifier. (Range: 1-32/54)
◆ Type – Indicates the port type.
Web Interface

To configure port connection parameters:

1. Click Interface, Port, General.
2. Select Configure by Port List from the Action List.
3. Modify the required interface settings.
4. Click Apply.
Figure 30: Configuring Connections by Port Range

Displaying Connection Status

Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and autonegotiation.

Parameters

These parameters are displayed:

◆ Port – Port identifier.
◆ Type – Indicates the port type. (1000BASE SFP, 10GBASE SFP+, 40GBASE QSFP)
◆ Name – Interface label.
Web Interface

To display port connection parameters:

1. Click Interface, Port, General.
2. Select Show Information from the Action List.

Figure 31: Displaying Port Information

Configuring Local Port Mirroring

Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis.
◆ Target Port – The port that will mirror the traffic on the source port.
◆ Type – Allows you to select which traffic to mirror to the target port, Rx (receive), Tx (transmit), or Both. (Default: Both)

Web Interface

To configure a local mirror session:

1. Click Interface, Port, Mirror.
2. Select Add from the Action List.
3. Specify the source port.
4. Specify the monitor port.
5. Specify the traffic type to be mirrored.
6. Click Apply.
Configuring Remote Port Mirroring

Use the Interface > Port > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch. This feature, also called Remote Switched Port Analyzer (RSPAN), carries traffic generated on the specified source ports for each session over a user-specified VLAN dedicated to that RSPAN session in all participating switches.
4. Set up the destination switch on the RSPAN configuration page by specifying the mirror session, the switch’s role (Destination), the destination port, whether or not the traffic exiting this port will be tagged or untagged, and the RSPAN VLAN. Then specify each uplink port where the mirrored traffic is being received.
◆ Operation Status – Indicates whether or not RSPAN is currently functioning.
◆ Switch Role – Specifies the role this switch performs in mirroring traffic.
  ■ None – This switch will not participate in RSPAN.
  ■ Source – Specifies this device as the source of remotely mirrored traffic.
  ■ Intermediate – Specifies this device as an intermediate switch, transparently passing mirrored traffic from one or more sources to one or more destinations.
3. Configure the required settings for each switch participating in the RSPAN VLAN.
4. Click Apply.
Figure 38: Configuring Remote Port Mirroring (Destination)

Showing Port or Trunk Statistics

Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
Table 6: Port Statistics (Continued)

Parameter – Description
Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
Transmitted Unicast Packets – The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.
Table 6: Port Statistics (Continued)

Parameter – Description
Internal MAC Receive Errors – A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error.
Internal MAC Transmit Errors – A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.
Table 6: Port Statistics (Continued)

Parameter – Description
Output Packets per second – Number of packets leaving this interface per second.
Output Utilization – The output utilization rate for this interface.

Web Interface

To show a list of port statistics:

1. Click Interface, Port, Statistics.
2. Select the statistics mode to display (Interface, Etherlike, RMON or Utilization).
3. Select a port from the drop-down list.
4.
To show a chart of port statistics:

1. Click Interface, Port, Chart.
2. Select the statistics mode to display (Interface, Etherlike, RMON or All).
3. If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
Displaying Statistical History

Use the Interface > Port > History or Interface > Trunk > History page to display statistical history for the specified interfaces.

Command Usage

For a description of the statistics displayed on these pages, see “Showing Port or Trunk Statistics” on page 114.

Parameters

These parameters are displayed:

Add

◆ Port – Port number. (Range: 1-32/54)
◆ History Name – Name of sample interval.
Web Interface

To configure a periodic sample of statistics:

1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Add from the Action menu.
3. Select an interface from the Port or Trunk list.
4. Enter the sample name, the interval, and the number of buckets requested.
5. Click Apply.

Figure 41: Configuring a History Sample

To show the configured entries for a history sample:

1.
To show the configured parameters for a sampling entry:

1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Status from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
To show statistics for the current interval of a sample entry:

1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Current Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
Figure 45: Showing Ingress Statistics for a History Sample

Displaying Transceiver Data

Use the Interface > Port > Transceiver page to display identifying information, and operational for optical transceivers which support Digital Diagnostic Monitoring (DDM).

Parameters

These parameters are displayed:

◆ Port – Port number. (Range: 1-32/54)
◆ General – Information on connector type and vendor-related parameters.
Figure 46: Displaying Transceiver Data

Configuring Transceiver Thresholds

Use the Interface > Port > Transceiver page to configure thresholds for alarm and warning messages for optical transceivers which support DDM.

Parameters

These parameters are displayed:

◆ Port – Port number. (Range: 1-32/54)
◆ General – Information on connector type and vendor-related parameters.
◆ DDM Thresholds – Information on alarm and warning thresholds. The switch can be configured to send a trap when the measured parameter falls outside of the specified thresholds. The following alarm and warning parameters are supported:
  ■ High Alarm – Sends an alarm message when the high threshold is crossed.
  ■ High Warning – Sends a warning message when the high threshold is crossed.
Web Interface

To configure threshold values for optical transceivers:

1. Click Interface, Port, Transceiver.
2. Select a port from the scroll-down list.
3. Set the switch to send a trap based on default or manual settings.
4. Set alarm and warning thresholds if manual configuration is used.
5. Click Apply.

Figure 47: Configuring Transceiver Thresholds

Trunk Configuration

This section describes how to configure static and dynamic trunks.
link in the trunk fail, one of the standby ports will automatically be activated to replace it.

Command Usage

Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
Command Usage

◆ When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
To add member ports to a static trunk:

1. Click Interface, Trunk, Static.
2. Select Configure Trunk from the Step list.
3. Select Add Member from the Action list.
4. Select a trunk identifier.
5. Set the unit and port for an additional trunk member.
6. Click Apply.

Figure 50: Adding Static Trunks Members

To configure connection parameters for a static trunk:

1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3.
To display trunk connection parameters:

1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3. Select Show Information from the Action list.
◆ Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured). However, if the LAG admin key is set, then the port admin key must be set to the same value for a port to be allowed to join that group.

Note: If the LACP admin key is not set when a channel group is formed (i.e.
When a dynamic port-channel is torn down, the configured timeout value will be retained. When the dynamic port-channel is constructed again, that timeout value will be used.

Configure Aggregation Port - General

◆ Port – Port identifier. (Range: 1-32/54)
◆ LACP Status – Enables or disables LACP on a port.

Configure Aggregation Port - Actor/Partner

◆ Port – Port number.
higher priority than an existing member, the newly configured port will replace an existing port member that has a lower priority.

Note: Configuring LACP settings for a port only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with that port.

Note: Configuring the port partner sets the remote side of an aggregate link; i.e., the ports on the attached device.
Figure 55: Enabling LACP on a Port

To configure LACP parameters for group members:

1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click Actor or Partner.
5. Configure the required settings.
6. Click Apply.
To show the active members of a dynamic trunk:

1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step List.
3. Select Show Member from the Action List.
4. Select a Trunk.

Figure 57: Showing Members of a Dynamic Trunk

To configure connection parameters for a dynamic trunk:

1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step List.
3. Select Configure from the Action List.
4.
To display connection parameters for a dynamic trunk:

1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step List.
3. Select Show from the Action List.

Figure 59: Displaying Connection Parameters for Dynamic Trunks

Displaying LACP Port Counters

Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages.
5. Select a group member from the Port list.

Figure 60: Displaying LACP Port Counters

Displaying LACP Settings and Status for the Local Side

Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.
Table 8: LACP Internal Configuration Information (Continued)

Parameter Description

◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation.
◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
◆ LACP-Activity – Activity control value with regard to this link. (0: Passive; 1: Active)

Web Interface

To display LACP settings and status for the local side:

1.
Displaying LACP Settings and Status for the Remote Side

Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.

Parameters

These parameters are displayed:

Table 9: LACP Remote Device Configuration Information

Parameter Description

Partner Admin System LAG partner’s system ID assigned by the user.
Figure 62: Displaying LACP Port Remote Information

Configuring Load Balancing

Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links.

Command Usage

◆ This command applies to all static and dynamic trunks on the switch.
■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
■ Source IP Address: All traffic with the same source IP address is output on the same link in a trunk.
Traffic Segmentation

If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Data traffic on downlink ports is only forwarded to, and from, uplink ports. Traffic belonging to each client is isolated to the allocated downlink ports.
Figure 64: Enabling Traffic Segmentation

Configuring Uplink and Downlink Ports

Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.

Parameters

These parameters are displayed:

◆ Session ID – Traffic segmentation session. (Range: 1-4)
◆ Direction – Adds an interface to the segmented group by setting the direction to uplink or downlink. (Default: Uplink)
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier.
3. Select Show from the Action list.
5 VLAN Configuration

This chapter includes the following topics:

◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs.
◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.

IEEE 802.1Q VLANs

In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains.
◆ Passing traffic between VLAN-aware and VLAN-unaware devices
◆ Priority tagging

Assigning Ports to VLANs

Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports.
Untagged VLANs can be used to manually isolate user groups or subnets. However, you should use IEEE 802.3 tagged VLANs whenever possible to automate VLAN registration.

Forwarding Tagged/Untagged Frames

If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN.
◆ VLAN Name – Name of the VLAN (1 to 32 characters).
◆ Status – Enables or disables the specified VLAN.
◆ L3 Interface – Sets the interface to support Layer 3 configuration, and reserves memory space required to maintain additional information about this interface type. This parameter must be enabled before you can assign an IP address to a VLAN.

Show

◆ VLAN ID – ID of configured VLAN.
◆ VLAN Name – Name of the VLAN.
Figure 68: Creating Static VLANs

To modify the configuration settings for VLAN groups:

1. Click VLAN, Static.
2. Select Modify from the Action list.
3. Select the identifier of a configured VLAN.
4. Modify the VLAN name, operational status, or Layer 3 Interface status as required.
5. Enable the L3 Interface field to specify that a VLAN will be used as a Layer 3 interface.
6. Click Apply.
To show the configuration settings for VLAN groups:

1. Click VLAN, Static.
2. Select Show from the Action list.

Figure 70: Showing Static VLANs

Adding Static Members to VLANs

Use the VLAN > Static (Edit Member by VLAN, Edit Member by Interface, or Edit Member by Interface Range) pages to configure port members for the selected VLAN index, interface, or a range of interfaces.
identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.

◆ PVID – VLAN ID assigned to untagged frames received on the interface. (Default: 1)
  When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN.
Edit Member by Interface

All parameters are the same as those described under the preceding section for Edit Member by VLAN.

Edit Member by Interface Range

All parameters are the same as those described under the earlier section for Edit Member by VLAN, except for the items shown below.

◆ Port Range – Displays a list of ports. (Range: 1-32/54)
◆ Trunk Range – Displays a list of ports.
To configure static members by interface:
1. Click VLAN, Static.
2. Select Edit Member by Interface from the Action list.
3. Select a port or trunk to configure.
4. Modify the settings for any interface as required.
5. Click Apply.
Figure 72: Configuring Static VLAN Members by Interface
To configure static members by interface range:
1. Click VLAN, Static.
2. Select Edit Member by Interface Range from the Action list.
3.
Figure 73: Configuring Static VLAN Members by Interface Range
IEEE 802.1Q Tunneling
IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
3. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag).
4. The switch sends the packet to the proper egress port.
5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.
6. After packet classification, the packet is written to memory for processing as a single-tagged or double-tagged packet.
7. The switch sends the packet to the proper egress port.
8. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packet will have two tags.
Configuration Limitations for QinQ
◆ The native VLAN of uplink ports should not be used as the SPVLAN.
5. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (see “Adding Static Members to VLANs” on page 150).
6. Configure the QinQ tunnel uplink port to Uplink mode (see “Adding an Interface to a QinQ Tunnel” on page 161).
7. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (see “Adding Static Members to VLANs” on page 150).
3. Enable Tunnel Status, and specify the TPID if a client attached to a tunnel port is using a non-standard ethertype to identify 802.1Q tagged frames.
4. Click Apply.
Figure 75: Enabling QinQ Tunneling
Creating CVLAN to SPVLAN
Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry.
◆ Customer VLAN ID – VLAN ID for the inner VLAN tag. (Range: 1-4094)
◆ Service VLAN ID – VLAN ID for the outer VLAN tag. (Range: 1-4094)
Web Interface
To configure a mapping entry:
1. Click VLAN, Tunnel.
2. Select Configure Service from the Step list.
3. Select Add from the Action list.
4. Select an interface from the Port list.
5. Specify the CVID to SVID mapping for packets exiting the specified port.
6. Click Apply.
Figure 77: Showing CVLAN to SPVLAN Mapping Entries
The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the “switchport dot1q-tunnel service match cvid” command in the CLI Reference Guide.
Adding an Interface to a QinQ Tunnel
Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch.
Web Interface
To add an interface to a QinQ tunnel:
1. Click VLAN, Tunnel.
2. Select Configure Interface from the Step list.
3. Set the mode for any tunnel access port to Access and the tunnel uplink port to Uplink.
4. Click Apply.
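The QinQ tag handling described in this section (outer SPVLAN tag pushed at the tunnel access port, kept on tagged SPVLAN members, stripped on untagged members) can be traced byte by byte with the following added example, which is not part of the guide or the switch software. The mapping of CVID 2 to SVID 99 on port 1 comes from the example above; the native SPVLAN 10, the fallback to the native VID when no mapping entry matches, the MAC addresses and all function names are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # standard 802.1Q ethertype; the Tunnel page lets you set another TPID

# Assumed example configuration: (access port, CVID) -> SVID, as on the Configure Service page.
SERVICE_MAP = {(1, 2): 99}
# Assumed native VID (the SPVLAN) of each tunnel access port, used when no entry matches.
NATIVE_SPVLAN = {1: 10}


def vlan_tag(vid, pcp=0, tpid=TPID_8021Q):
    """Encode one 4-byte VLAN tag: TPID, then PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:          # range given for both CVID and SVID
        raise ValueError(f"VLAN ID {vid} outside 1-4094")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def parse_tags(frame, tpids=(TPID_8021Q,)):
    """Return (VIDs outermost first, ethertype, payload) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    off, vids = 12, []                # tags start after the two MAC addresses
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in tpids:
            return vids, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)     # low 12 bits of the TCI are the VLAN ID
        off += 4


def access_ingress(port, frame):
    """Tunnel access port: push the SPVLAN tag in front of any customer tag."""
    vids, _, _ = parse_tags(frame)
    cvid = vids[0] if vids else None
    svid = SERVICE_MAP.get((port, cvid), NATIVE_SPVLAN[port])
    return frame[:12] + vlan_tag(svid) + frame[12:]


def egress(frame, tagged_member):
    """Tagged SPVLAN member keeps both tags; untagged member strips the outer tag."""
    if tagged_member:
        return frame
    vids, _, _ = parse_tags(frame)
    if not vids:
        raise ValueError("no outer tag to strip")
    return frame[:12] + frame[16:]


# Constructed sample: customer frame tagged with CVID 2, IPv4 ethertype, dummy payload.
DST, SRC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
CUSTOMER = DST + SRC + vlan_tag(2) + struct.pack("!H", 0x0800) + b"payload"

if __name__ == "__main__":
    tunneled = access_ingress(1, CUSTOMER)
    print("after access port:", parse_tags(tunneled)[0])
    print("after untagged egress:", parse_tags(egress(tunneled, False))[0])
```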
6 Address Table Settings
Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
This chapter describes the following topics:
◆ MAC Address Learning – Enables or disables address learning on an interface.
Configuring MAC Address Learning
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-32/54)
◆ Trunk – Trunk Identifier. (Range: 1-27)
◆ Status – The status of MAC address learning. (Default: Enabled)
Web Interface
To enable or disable MAC address learning:
1. Click MAC Address, Learning Status.
2. Set the learning status for any interface.
3. Click Apply.
Setting Static Addresses
Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
Web Interface
To configure a static MAC address:
1. Click MAC Address, Static.
2. Select Add from the Action list.
3. Specify the VLAN, the port or trunk to which the address will be assigned, the MAC address, and the time to retain this entry.
4. Click Apply.
Figure 80: Configuring Static MAC Addresses
To show the static addresses in MAC address table:
1. Click MAC Address, Static.
2. Select Show from the Action list.
Changing the Aging Time
Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.
Parameters
These parameters are displayed:
◆ Aging Status – Enables/disables the function.
◆ Aging Time – The time after which a learned entry is discarded.
Displaying the Dynamic Address Table
Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports.
Figure 83: Displaying the Dynamic MAC Address Table
Clearing the Dynamic Address Table
Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database.
Parameters
These parameters are displayed:
◆ Clear by – All entries can be cleared; or you can clear the entries for a specific MAC address, all the entries in a VLAN, or all the entries associated with a port or trunk.
Figure 84: Clearing Entries in the Dynamic MAC Address Table
Issuing MAC Address Traps
Use the MAC Address > MAC Notification pages to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed.
Parameters
These parameters are displayed:
Configure Global
◆ MAC Notification Traps – Issues a trap when a dynamic MAC address is added or removed.
Figure 85: Issuing MAC Address Traps (Global Configuration)
To enable MAC address traps at the interface level:
1. Click MAC Address, MAC Notification.
2. Select Configure Interface from the Step list.
3. Enable MAC notification traps for the required ports.
4. Click Apply.
7 Spanning Tree Algorithm
This chapter describes the following basic topics:
◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
Overview
Figure 87: STP Root Ports and Designated Ports (diagram labels: Designated Root, Designated Bridge, Designated Port, Root Port)
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
Configuration Digest – see “Configuring Multiple Spanning Trees” on page 188). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region. A Common Spanning Tree (CST) interconnects all adjacent MST Regions, and acts as a virtual bridge node for communications with STP or RSTP nodes in the global network.
Configuring Global Settings for STA
◆ Rapid Spanning Tree Protocol
RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
■ STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.
lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.
◆ Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
Figure 90: Configuring Global Settings for STA (STP)
Figure 91: Configuring Global Settings for STA (RSTP)
Figure 92: Configuring Global Settings for STA (MSTP)
Displaying Global Settings for STA
Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
◆ Root Path Cost – The path cost from the root port on this switch to the root device.
◆ Topology Changes – The number of times the Spanning Tree has been reconfigured.
◆ Last Topology Change – Time since the Spanning Tree was last reconfigured.
Web Interface
To display global STA settings:
1. Click Spanning Tree, STA.
2. Select Configure Global from the Step list.
3. Select Show Information from the Action list.
Configuring Interface Settings for STA
◆ BPDU Flooding - Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 175) or when spanning tree is disabled on a specific port. When flooding is enabled, BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port’s native VLAN as specified by the Spanning Tree BPDU Flooding attribute (page 175).
Table 12: Default STA Path Costs
Port Type          Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (IEEE 802.1D-2004)
Ethernet           65,535                               1,000,000
Fast Ethernet      65,535                               100,000
Gigabit Ethernet   10,000                               10,000
10G Ethernet       1,000                                1,000
40G Ethernet       65535 (1)                            2,000,000 (2)
(1) Undefined in standard, but recommended setting is 250.
(2) Code does not support 40G path cost, and therefore defaults to 10M half duplex cost.
◆ Root Guard – STA allows a bridge with a lower bridge identifier (or same identifier and lower MAC address) to take over as the root bridge at any time. Root Guard can be used to ensure that the root bridge is not formed at a suboptimal location.
◆ BPDU Guard – This feature protects edge ports from receiving BPDUs. It prevents loops by shutting down an edge port when a BPDU is received instead of putting it into the spanning tree discarding state. In a valid configuration, configured edge ports should not receive BPDUs. If an edge port receives a BPDU, an invalid configuration exists, such as a connection to an unauthorized device.
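Root Guard and BPDU Guard both key on BPDUs that arrive where the design says they should not. The following added example (not from the guide or the switch firmware) parses the 35-byte body of an 802.1D Configuration BPDU and flags the two conditions described above: any BPDU on an edge port, and a root identifier that beats the intended root under the lower-priority-then-lower-MAC rule. The expected root, port numbers, MAC addresses, sample BPDUs and finding labels are constructed for illustration; the LLC/Ethernet framing around the BPDU is not handled.

```python
import struct

# 802.1D Configuration BPDU body: protocol id, version, type, flags,
# root id (priority + MAC), root path cost, sender bridge id (priority + MAC),
# port id, then message age, max age, hello time, forward delay in 1/256 s.
CONFIG_BPDU = struct.Struct("!HBBBH6sIH6sHHHHH")


def build_config_bpdu(root, cost, bridge, port_id=0x8001):
    """Pack a constructed Configuration BPDU; root and bridge are (priority, mac)."""
    return CONFIG_BPDU.pack(0, 0, 0, 0, root[0], root[1], cost,
                            bridge[0], bridge[1], port_id,
                            0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(data):
    """Return root id, root path cost and sender bridge id from a raw BPDU body."""
    if len(data) < CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    (proto, _ver, btype, _flags, rprio, rmac, cost,
     bprio, bmac, _port, *_timers) = CONFIG_BPDU.unpack_from(data)
    if proto != 0 or btype != 0:
        raise ValueError("not an STP Configuration BPDU")
    return {"root": (rprio, rmac), "cost": cost, "bridge": (bprio, bmac)}


def audit(observations, expected_root, edge_ports):
    """observations: iterable of (port, raw_bpdu). Returns (port, finding) tuples."""
    findings = []
    for port, raw in observations:
        bpdu = parse_config_bpdu(raw)
        if port in edge_ports:
            # Edge ports should never see BPDUs; BPDU Guard shuts such a port down.
            findings.append((port, "bpdu-on-edge-port"))
        # Tuple comparison = lower priority wins, then lower MAC address.
        if bpdu["root"] < expected_root:
            findings.append((port, "superior-root-claim"))
    return findings


# Constructed configuration and observations (port, BPDU body).
EXPECTED_ROOT = (4096, bytes.fromhex("0200000000aa"))
EDGE_PORTS = {5, 6}
_B = (32768, bytes.fromhex("0200000000bb"))
_C = (0, bytes.fromhex("0200000000cc"))
_D = (4096, bytes.fromhex("020000000001"))
SAMPLES = [
    (49, build_config_bpdu(EXPECTED_ROOT, 0, EXPECTED_ROOT)),  # uplink, intended root
    (5, build_config_bpdu(_B, 0, _B)),    # bridge attached to an edge port
    (7, build_config_bpdu(_C, 0, _C)),    # priority 0 beats the intended root
    (6, build_config_bpdu(_D, 0, _D)),    # same priority, lower MAC, on an edge port
]

if __name__ == "__main__":
    for port, finding in audit(SAMPLES, EXPECTED_ROOT, EDGE_PORTS):
        print(f"port {port}: {finding}")
```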
Figure 95: Configuring Interface Settings for STA
Displaying Interface Settings for STA
Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree.
Parameters
These parameters are displayed:
◆ Spanning Tree – Shows if STA has been enabled on this interface.
■ All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding.
◆ Forward Transitions – The number of times this port has transitioned from the Learning state to the Forwarding state.
◆ Designated Cost – The cost for a packet to travel from this port to the root in the current Spanning Tree configuration. The slower the media, the higher the cost.
Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.
The criteria used for determining the port role are based on root bridge ID, root path cost, designated bridge, designated port, port priority, and port number, in that order and as applicable to the role under question.
Web Interface
To display interface settings for STA:
1. Click Spanning Tree, STA.
2.
Configuring Multiple Spanning Trees
By default all VLANs are assigned to the Internal Spanning Tree (MST Instance 0) that connects all bridges and LANs within the MST region. This switch supports up to 33 instances. You should try to group VLANs which cover the same general area of your network.
5. Click Apply.
Figure 98: Creating an MST Instance
To show the MSTP instances:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
Figure 99: Displaying MST Instances
To modify the priority for an MST instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Modify from the Action list.
4. Modify the priority for an MSTP Instance.
Figure 100: Modifying the Priority for an MST Instance
To display global settings for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show Information from the Action list.
4. Select an MST ID. The attributes displayed on this page are described under “Displaying Global Settings for STA” on page 180.
Figure 102: Adding a VLAN to an MST Instance
To show the VLAN members of an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show Member from the Action list.
Figure 103: Displaying Members of an MST Instance
Configuring Interface Settings for MSTP
Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.
◆ STA Status – Displays the current state of this interface within the Spanning Tree. (See “Displaying Interface Settings for STA” on page 186 for additional information.)
■ Discarding – Port receives STA configuration messages, but does not forward packets.
■ Learning – Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information.
Figure 104: Configuring MSTP Interface Settings
To display MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Show Information from the Action list.
8 Congestion Control
The switch can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. Congestion Control includes the following options:
◆ Rate Limiting – Sets the input and output rate limits for a port.
◆ Storm Control – Sets the traffic storm threshold for each interface.
Rate Limiting
Use the Traffic > Rate Limit page to apply rate limiting to ingress or egress ports.
Web Interface
To configure rate limits:
1. Click Traffic, Rate Limit.
2. Set the interface type to Port or Trunk.
3. Enable the Rate Limit Status for the required ports or trunks.
4. Set the rate limit for the individual ports.
5. Click Apply.
Figure 106: Configuring Rate Limits
Storm Control
Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds.
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Type – Indicates interface type. (1000BASE SFP, 10GBASE SFP+, 40GBASE QSFP)
◆ Unknown Unicast – Specifies storm control for unknown unicast traffic.
◆ Multicast – Specifies storm control for multicast traffic.
◆ Broadcast – Specifies storm control for broadcast traffic.
◆ Status – Enables or disables storm control.
9 Class of Service
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
Layer 2 Queue Settings
◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ CoS – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0)
Web Interface
To configure the queue mode:
1. Click Traffic, Priority, Default Priority.
2.
the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
◆ If Strict and WRR mode is selected, a combination of strict and weighted service is used as specified for each queue. The queues assigned to use strict priority should be specified using the Strict Mode field parameter.
Web Interface
To configure the queue mode:
1. Click Traffic, Priority, Queue.
2. Select a port or trunk.
3. Set the queue mode.
4. If the weighted queue mode is selected, the queue weight can be modified if required.
5. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table.
6. Click Apply.
Figure 111: Setting the Queue Mode (Strict and WRR)
Mapping CoS Values to Egress Queues
Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see “Mapping CoS Priorities to Internal DSCP Values” on page 210).
The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in Table 14. However, priority levels can be mapped to the switch’s output queues in any way that benefits application traffic for the network.
3. Map an internal PHB to a hardware queue. Depending on how an ingress packet is processed internally based on its CoS value, and the assigned output queue, the mapping done on this page can effectively determine the service priority for different traffic classes.
4. Click Apply.
Figure 112: Mapping CoS Values to Egress Queues
To show the internal PHB to hardware queue map:
1. Click Traffic, Priority, PHB to Queue.
2. Select Show from the Action list.
Layer 3/4 Priority Settings
Mapping Layer 3/4 Priorities to CoS Values
The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
Parameters
These parameters are displayed:
◆ Port – Specifies a port.
◆ Trust Mode
■ CoS – Maps layer 3/4 priorities using Class of Service values. (This is the default setting.)
■ DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point values.
■ IP Precedence – Maps layer 3/4 priorities using IP Precedence values.
Web Interface
To configure the trust mode:
1. Click Traffic, Priority, Trust Mode.
2.
◆ This map is only used when the priority mapping mode is set to DSCP (see page 206), and the ingress packet type is IPv4. Any attempt to configure the DSCP mutation map will not be accepted by the switch, unless the trust mode has been set to DSCP.
◆ Two QoS domains can have different DSCP definitions, so the DSCP-to-PHB/Drop Precedence mutation map can be used to modify one set of DSCP values to match the definition of another domain.
Web Interface
To map DSCP values to internal PHB/drop precedence:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Configure from the Action list.
3. Select a port.
4. Set the PHB and drop precedence for any DSCP value.
5. Click Apply.
Figure 115: Configuring DSCP to DSCP Internal Mapping
To show the DSCP to internal PHB/drop precedence map:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Show from the Action list.
3. Select a port.
Mapping CoS Priorities to Internal DSCP Values
Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing.
Command Usage
◆ The default mapping of CoS to PHB values is shown in Table 17 on page 210.
◆ Enter up to eight CoS/CFI paired values, per-hop behavior and drop precedence.
◆ If a packet arrives with a 802.
Table 17: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
CoS \ CFI   0       1
6           (6,0)   (6,1)
7           (7,0)   (7,1)
Web Interface
To map CoS/CFI values to internal PHB/drop precedence:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Configure from the Action list.
3. Select a port.
4. Set the PHB and drop precedence for any of the CoS/CFI combinations.
5. Click Apply.
Figure 118: Showing CoS to DSCP Internal Mapping
Mapping Internal DSCP Values to Egress CoS Values
Use the Traffic > Priority > DSCP to CoS page to map internal per-hop behavior and drop precedence value pairs to CoS values used in tagged egress packets on a Layer 2 interface.
Command Usage
◆ Enter any per-hop behavior and drop precedence pair within the internal priority map, and then enter the corresponding CoS/CFI pair.
Table 18: Mapping Internal PHB/Drop Precedence to CoS/CFI Values
Per-hop Behavior \ Drop Precedence   0 (green)   1 (red)   3 (yellow)
0                                    (0,0)       (0,1)     (0,1)
1                                    (1,0)       (1,1)     (1,1)
2                                    (2,0)       (2,1)     (2,1)
3                                    (3,0)       (3,1)     (3,1)
4                                    (4,0)       (4,1)     (4,1)
5                                    (5,0)       (5,1)     (5,1)
6                                    (6,0)       (6,1)     (6,1)
7                                    (7,0)       (7,1)     (7,1)
Web Interface
To map internal per-hop behavior and drop precedence values to CoS values in the web interface:
1.
3. Select an interface.
Figure 120: Showing DSCP to CoS Egress Mapping
Mapping IP Precedence Values to Internal DSCP Values
Use the Traffic > Priority > IP Precedence to DSCP page to map IP precedence values in incoming packets to per-hop behavior and drop precedence values for priority processing.
◆ If the priority mapping mode is set to IP Precedence and the ingress packet type is IPv4, then the IP Precedence-to-PHB/Drop Precedence mapping table is used to generate priority and drop precedence values for internal processing.
Parameters
These parameters are displayed in the web interface:
◆ Port – Port identifier.
◆ IP Precedence – IP Precedence value in ingress packets.
To show the IP Precedence to internal PHB/drop precedence map in the web interface:
1. Click Traffic, Priority, IP Precedence to DSCP.
2. Select Show from the Action list.
3. Select a port.
◆ PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
◆ Drop Precedence – Drop precedence used for controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red)
Web Interface
To map TCP/UDP port number to per-hop behavior and drop precedence in the web interface:
1. Click Traffic, Priority, IP Port to DSCP.
2. Select Configure from the Action list.
3. Select a port.
4.
To show the TCP/UDP port number to per-hop behavior and drop precedence map in the web interface:
1. Click Traffic, Priority, IP Port to DSCP.
2. Select Show from the Action list.
3. Select a port.
10 Quality of Service
This chapter describes the following tasks required to apply QoS policies:
◆ Class Map – Creates a map which identifies a specific class of traffic.
◆ Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
◆ Binding to a Port – Applies a policy map to an ingress port.
Command Usage
To create a service policy for a specific category or ingress traffic, follow these steps:
1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN or a CoS value.
3.
Configuring a Class Map
◆ Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
◆ Description – A brief description of a class map. (Range: 1-64 characters)
Add Rule
◆ Class Name – Name of the class map.
◆ Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
To show the configured class maps:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show from the Action list.
Figure 126: Showing Class Maps
To edit the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a class map.
5.
Figure 127: Adding Rules to a Class Map
To show the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show Rule from the Action list.
Creating QoS Policies
Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 220), modify service tagging, and enforce bandwidth policing. A policy map can then be bound by a service policy to one or more interfaces (page 233).
Configuring QoS policies requires several steps.
◆ The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
(BP). Action may be taken for traffic conforming to the maximum throughput, exceeding the maximum throughput, or exceeding the peak burst size.
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion.
which are green, yellow, or red. Refer to RFC 2698 for more information on other aspects of trTCM.
Command Usage
A policy map can contain 16 class statements that can be applied to the same interface (page 233). Up to 32 policy maps can be configured for ingress ports.
◆ Meter Mode – Selects one of the following policing methods.
■ Flow (Police Flow) – Defines the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and the action to take for conforming and non-conforming traffic.
■ Committed Information Rate (CIR) – Committed information rate in kilobits per second. (Range: 0-40000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower) The rate cannot exceed the configured interface speed.
■ Committed Burst Size (BC) – Committed burst size in bytes. (Range: 1000-128000000 bytes at a granularity of 4k bytes)
■ Excess Burst Size (BE) – Burst in excess of committed burst size.
■ Committed Information Rate (CIR) – Committed information rate in kilobits per second. (Range: 0-40000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower) The rate cannot exceed the configured interface speed.
■ Committed Burst Size (BC) – Committed burst size in bytes. (Range: 1000-128000000 bytes at a granularity of 4k bytes)
■ Peak Information Rate (PIR) – Rate in kilobits per second.
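To see how CIR, BC and BE interact, the following added example (not the switch's implementation, which runs in hardware) models a color-blind single-rate three-color meter using the two-token-bucket scheme specified for srTCM in RFC 2697, and maps each color to the drop precedence values listed in this guide (0 green, 3 yellow, 1 red). The class and function names, the explicit millisecond clock and the sample traffic are assumptions made for illustration.

```python
# Drop precedence values as listed in this guide: 0 = green, 3 = yellow, 1 = red.
DROP_PRECEDENCE = {"green": 0, "yellow": 3, "red": 1}


class SrTcm:
    """Color-blind single-rate three-color meter; both buckets are kept in bits."""

    def __init__(self, cir_kbps, bc_bytes, be_bytes):
        self.cir_kbps = cir_kbps
        self.bc, self.be = bc_bytes * 8, be_bytes * 8
        self.tc, self.te = self.bc, self.be      # both buckets start full
        self.last_ms = 0

    def _refill(self, now_ms):
        if now_ms < self.last_ms:
            raise ValueError("arrival times must not go backwards")
        # kbps multiplied by milliseconds gives the bits earned since the last packet.
        tokens = (now_ms - self.last_ms) * self.cir_kbps
        self.last_ms = now_ms
        to_c = min(tokens, self.bc - self.tc)    # committed bucket fills first
        self.tc += to_c
        # Whatever does not fit in the committed bucket spills into the excess bucket.
        self.te = min(self.be, self.te + tokens - to_c)

    def meter(self, now_ms, size_bytes):
        """Return the color of a packet of size_bytes arriving at now_ms."""
        self._refill(now_ms)
        bits = size_bytes * 8
        if self.tc >= bits:                      # within the committed burst
            self.tc -= bits
            return "green"
        if self.te >= bits:                      # within the excess burst
            self.te -= bits
            return "yellow"
        return "red"                             # red packets consume no tokens


def police(meter, arrivals):
    """arrivals: list of (time_ms, size_bytes). Returns [(color, drop_precedence), ...]."""
    results = []
    for now_ms, size in arrivals:
        color = meter.meter(now_ms, size)
        results.append((color, DROP_PRECEDENCE[color]))
    return results


# Constructed traffic: eight back-to-back 1500-byte packets, then one more a second later.
SAMPLE_ARRIVALS = [(0, 1500)] * 8 + [(1000, 1500)]

if __name__ == "__main__":
    m = SrTcm(cir_kbps=64, bc_bytes=4000, be_bytes=8000)
    for (t, size), (color, dp) in zip(SAMPLE_ARRIVALS, police(m, SAMPLE_ARRIVALS)):
        print(f"t={t:>4} ms  {size} bytes  {color:<6}  drop precedence {dp}")
```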
Web Interface
To configure a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add from the Action list.
4. Enter a policy name.
5. Enter a description.
6. Click Add.
Figure 129: Configuring a Policy Map

To show the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show from the Action list.
To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a policy map.
5. Set the CoS or per-hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class. Use one of the metering options to define parameters such as the maximum throughput and burst rate.
Chapter 10 | Quality of Service Attaching a Policy Map to a Port
To show the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show Rule from the Action list.
Figure 132: Showing the Rules for a Policy Map

Attaching a Policy Map to a Port
Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port.

Command Usage
◆ First define a class map, define a policy map, and bind the service policy to the required interface.
3. Check the box under the Ingress or Egress field to enable a policy map for a port.
4. Select a policy map from the scroll-down box.
5. Click Apply.
11 Security Measures You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 11 | Security Measures AAA Authentication, Authorization and Accounting ◆ DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. Note: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
Note: This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA. The configuration of RADIUS and TACACS+ server software is beyond the scope of this guide; refer to the documentation provided with the RADIUS or TACACS+ server software.

Configuring Local/Remote Logon Authentication
Use the Security > AAA > System Authentication page to specify local or remote authentication.
3. Click Apply.
Figure 134: Configuring the Authentication Sequence

Configuring Remote Logon Authentication
Use the Security > AAA > Server page to configure the message exchange parameters for RADIUS or TACACS+ remote access authentication servers.
between the authentication server and logon client. This switch can pass authentication messages between the server and client that have been encrypted using MD5 (Message-Digest 5), TLS (Transport Layer Security), or TTLS (Tunneled Transport Layer Security).

Parameters
These parameters are displayed:

Configure Server
Server Type – Select RADIUS or TACACS+ server.
■ Server IP Address – Address of the TACACS+ server. (A Server Index entry must be selected to display this item.)
■ Authentication Server TCP Port – Network (TCP) port of TACACS+ server used for authentication messages. (Range: 1-65535; Default: 49)
■ Authentication Timeout – The number of seconds the switch waits for a reply from the TACACS+ server before it resends the request.
Chapter 11 | Security Measures Configuring User Accounts
Figure 136: Configuring Remote Authentication Server (RADIUS)
Figure 137: Configuring Remote Authentication Server (TACACS+)

Configuring User Accounts
Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords.

Command Usage
◆ The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.
Parameters
These parameters are displayed:
◆ User Name – The name of the user. (Maximum length: 32 characters; maximum number of users: 16)
◆ Access Level – Specifies the user level. (Options: 0 - Normal, 15 - Privileged) Normal privilege level provides access to a limited number of the commands which display the current status of the switch, as well as several database clear and reset functions.
Chapter 11 | Security Measures Web Authentication
Figure 138: Configuring User Accounts

To show user accounts:
1. Click Security, User Accounts.
2. Select Show from the Action list.
Figure 139: Showing User Accounts

Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical.
Note: RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See “Configuring Local/Remote Logon Authentication” on page 237.)
Note: Web authentication cannot be configured on trunk ports.

Configuring Global Settings for Web Authentication
Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
Figure 140: Configuring Global Settings for Web Authentication

Configuring Interface Settings for Web Authentication
Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts.

Parameters
These parameters are displayed:
◆ Port – Indicates the port being configured.
◆ Status – Configures the web authentication status for the port.
Chapter 11 | Security Measures Network Access (MAC Address Authentication)
Figure 141: Configuring Interface Settings for Web Authentication

Network Access (MAC Address Authentication)
Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points.
◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
◆ When port status changes to down, all MAC addresses mapped to that port are cleared from the secure MAC address table. Static VLAN assignments are not restored.
◆ Any unsupported profiles in the Filter-ID attribute are ignored. For example, if the attribute is “map-ip-dscp=2:3;service-policy-in=p1,” then the switch ignores the “map-ip-dscp” profile.
The maximum number of secure MAC addresses supported for the switch system is 1024.
◆ Reauthentication Time – Sets the time period after which the switch removes an authenticated MAC address from the secure table.
■ Max MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port via MAC authentication; that is, the Network Access process described in this section. (Range: 1-1024; Default: 1024)
◆ Network Access Max MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication (including Network Access and IEEE 802.1X).
Web Interface
To configure MAC authentication on switch ports:
1. Click Security, Network Access.
2. Select Configure Interface from the Step list.
3. Click the General button.
4. Make any configuration changes required to enable address authentication on a port, set the maximum number of secure addresses supported, the guest VLAN to use when MAC Authentication or 802.
■ Trap – An SNMP trap is sent.
■ Trap and shutdown – An SNMP trap is sent and the port is shut down.
■ Shutdown – The port is shut down.

Web Interface
To configure link detection on switch ports:
1. Click Security, Network Access.
2. Select Configure Interface from the Step list.
3. Click the Link Detection button.
4. Modify the link detection status, trigger condition, and the response for any port.
5. Click Apply.
Parameters
These parameters are displayed:
◆ Filter ID – Adds a filter rule for the specified filter. (Range: 1-64)
◆ MAC Address – The filter rule will check ingress packets against the entered MAC address or range of MAC addresses (as defined by the MAC Address Mask).
◆ MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask.
Figure 146: Showing the MAC Address Filter Table for Network Access

Displaying Secure MAC Address Information
Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
Chapter 11 | Security Measures Configuring HTTPS
4. Restrict the displayed addresses by entering a specific address in the MAC Address field, specifying a port in the Interface field, or setting the address type to static or dynamic in the Attribute field.
5. Click Query.
Figure 147: Showing Addresses Authenticated for Network Access

Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e.
■ The client and server negotiate a set of security protocols to use for the connection.
■ The client and server generate session keys for encrypting and decrypting data.
◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 11, Mozilla Firefox 40, or Google Chrome 45, or more recent versions.
Figure 148: Configuring HTTPS

Replacing the Default Secure-site Certificate
Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that the web browser displays will be associated with a warning that the site is not recognized as a secure site.
Chapter 11 | Security Measures Configuring the Secure Shell
◆ Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
◆ Confirm Password – Re-type the string entered in the previous field to ensure no errors were made. The switch will not download the certificate if these two fields do not match.

Web Interface
To replace the default secure-site certificate:
1.
Note: You need to install an SSH client on the management station to access the switch for management via the SSH protocol.
Note: The switch supports both SSH Version 1.5 and 2.0 clients.

Command Usage
The SSH server on this switch supports both password and public key authentication.
4. Set the Optional Parameters – On the SSH Settings page, configure the optional parameters, including the authentication timeout, the number of retries, and the server key size.
5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch.
6. Authentication – One of the following authentication methods is employed:

Password Authentication (for SSH v1.5 or V2 Clients)
a. The client sends its password to the server.
b.
d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.

Note: The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
3. Enable the SSH server.
4. Adjust the authentication parameters as required.
5. Click Apply.
Figure 150: Configuring the SSH Server

Generating the Host Key Pair
Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch.
Web Interface
To generate the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Generate from the Action list.
4. Select the host-key type from the drop-down box.
5. Click Apply.
Figure 152: Showing the SSH Host Key Pair

Importing User Public Keys
Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
Web Interface
To copy the SSH user’s public key:
1. Click Security, SSH.
2. Select Configure User Key from the Step list.
3. Select Copy from the Action list.
4. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name.
5. Click Apply.
Figure 153: Copying the SSH User’s Public Key

To display or clear the SSH user’s public key:
1. Click Security, SSH.
Chapter 11 | Security Measures Access Control Lists
Figure 154: Showing the SSH User’s Public Key

Access Control Lists
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address or DSCP traffic class, DSCP, next header type, or flow label), or any frames (based on MAC address or Ethernet type).
hardware table used to store ACEs), but the actual maximum number of ACEs possible depends on too many factors to be precisely determined. It depends on the amount of hardware resources reserved at runtime for this purpose. Auto ACE Compression is a software feature used to compress all the ACEs of an ACL to utilize hardware resources more efficiently. Without compression, one ACE would occupy a fixed number of entries in TCAM.
Showing TCAM Utilization
Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
Setting the ACL Name and Type
Use the Security > ACL (Configure ACL - Add) page to create an ACL.

Parameters
These parameters are displayed:
◆ ACL Name – Name of the ACL. (Maximum length: 32 characters)
◆ Type – The following filter modes are supported:
■ IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address.
Web Interface
To configure the name and type of an ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add from the Action list.
4. Fill in the ACL Name field, and select the ACL type.
5. Click Apply.
Figure 156: Creating an ACL

To show a list of ACLs:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show from the Action list.
Configuring a Standard IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Address Type – Specifies the source IP address.
Figure 158: Configuring a Standard IPv4 ACL

Configuring an Extended IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
■ Precedence – IP precedence level. (Range: 0-7)
■ DSCP – DSCP priority level. (Range: 0-63)
◆ Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
◆ Control Code Bit Mask – Decimal number representing the code bits to match. (Range: 0-63) The control bit mask is a decimal number (for an equivalent binary bit mask) that is applied to the control code.
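How a Control Code and Control Code Bit Mask pair selects TCP segments is easier to see against real header bytes. The Python sketch below is an added example, not the switch's implementation; it assumes the usual mask semantics (a 1 bit in the mask means "compare this flag", a 0 bit means "ignore it"), the function names are hypothetical, and the TCP headers are constructed for illustration.

```python
import struct

# The six TCP control bits as decimal weights (low six bits of the flags byte).
FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def tcp_header(sport, dport, flags):
    """Build a constructed 20-byte TCP header carrying the given flag bits."""
    offset_and_flags = (5 << 12) | (flags & 0x3F)   # data offset = 5 words
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       offset_and_flags, 65535, 0, 0)


def control_code(header):
    """Return the control bits held in byte 14 of the TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F        # byte 14 when counting from 1


def check_range(value, label):
    if not 0 <= value <= 63:
        raise ValueError(f"{label} must be in the range 0-63")


def rule_matches(header, code, mask):
    """True when every flag selected by the mask equals the bit in code."""
    check_range(code, "control code")
    check_range(mask, "control code bit mask")
    return (control_code(header) & mask) == (code & mask)


def explain(code, mask):
    """Return (flags that must be set, flags that must be clear)."""
    check_range(code, "control code")
    check_range(mask, "control code bit mask")
    must_set = [n for n, b in FLAG_BITS.items() if mask & b and code & b]
    must_clear = [n for n, b in FLAG_BITS.items() if mask & b and not code & b]
    return must_set, must_clear


# Constructed sample segments (ports and flag combinations are illustrative).
SAMPLES = {
    "syn": tcp_header(40000, 22, FLAG_BITS["SYN"]),
    "syn_ack": tcp_header(22, 40000, FLAG_BITS["SYN"] | FLAG_BITS["ACK"]),
    "ack": tcp_header(40000, 22, FLAG_BITS["ACK"]),
    "fin_ack": tcp_header(40000, 22, FLAG_BITS["FIN"] | FLAG_BITS["ACK"]),
}


def matching(code, mask):
    """Names of the sample segments that a rule with this code/mask selects."""
    return [name for name, hdr in SAMPLES.items() if rule_matches(hdr, code, mask)]


if __name__ == "__main__":
    for code, mask in [(2, 2), (2, 18), (18, 18)]:
        print(code, mask, explain(code, mask), matching(code, mask))
```

A rule with code 2 and mask 18 selects only the opening SYN of a connection, which is the pair to use when a deny rule should block new inbound sessions while leaving replies to established ones alone.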
9. Set any other required criteria, such as service type, protocol type, or control code.
10. Click Apply.
Figure 159: Configuring an Extended IPv4 ACL

Configuring a Standard IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL.

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Source Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). (Range: 0-128 bits)

Web Interface
To add rules to a Standard IPv6 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IPv6 Standard from the Type list.
5. Select the name of an ACL from the Name list.
6.
Configuring an Extended IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Destination Address Type – Specifies the destination IP address type.
3. Select Add Rule from the Action list.
4. Select IPv6 Extended from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host or IPv6-prefix).
8. If you select “Host,” enter a specific address. If you select “IPv6-prefix,” enter a subnet address and prefix length.
9. Click Apply.
◆ Source/Destination Bit Mask – Hexadecimal mask for source or destination MAC address.
◆ Packet Format – This attribute includes the following packet types:
■ Any – Any Ethernet packet type.
■ Untagged-eth2 – Untagged Ethernet II packets.
■ Untagged-802.3 – Untagged Ethernet 802.3 packets.
■ Tagged-eth2 – Tagged Ethernet II packets.
■ Tagged-802.3 – Tagged Ethernet 802.3 packets.
◆ VID – VLAN ID.
Figure 162: Configuring a MAC ACL

Configuring an ARP ACL
Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see “Configuring Global Settings for ARP Inspection” on page 286).

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Source/Destination MAC Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Mask fields. (Options: Any, Host, MAC; Default: Any)
◆ Source/Destination MAC Address – Source or destination MAC address.
◆ Source/Destination MAC Bit Mask – Hexadecimal mask for source or destination MAC address.
Figure 163: Configuring an ARP ACL

Binding a Port to an Access Control List
After configuring ACLs, use the Security > ACL (Configure Interface – Configure) page to bind the ports that need to filter traffic to the appropriate ACLs. Only one access list (IPv4, IPv6 or MAC) can be assigned to an ingress or egress port.

Command Usage
◆ This switch supports ACLs for ingress filtering only.
6. Select the name of an ACL from the ACL list.
7. Click Apply.
Figure 164: Binding a Port to an ACL

Configuring ACL Mirroring
After configuring ACLs, use the Security > ACL > Configure Interface (Add Mirror) page to mirror traffic matching an ACL from one or more source ports to a target port for real-time analysis.
Web Interface
To bind an ACL to a port:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Add Mirror from the Action list.
4. Select a port.
5. Select the name of an ACL from the ACL list.
6. Click Apply.
Figure 165: Configuring ACL Mirroring

To show the ACLs to be mirrored:
1. Select Configure Interface from the Step list.
2. Select Show Mirror from the Action list.
3. Select a port.
Showing ACL Hardware Counters
Use the Security > ACL > (Configure Interface - Show Hardware Counters) page to show statistics for ACL hardware counters.

Parameters
These parameters are displayed:
◆ Port – Port identifier.
◆ Type – Selects the type of ACL.
◆ Direction – Displays statistics for ingress or egress traffic.
◆ Time-Range – Name of a time range.
◆ Counter – Activates the counter for specified ACL.
Chapter 11 | Security Measures ARP Inspection
Figure 167: Showing ACL Statistics

ARP Inspection
ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks.
■ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets.
■ Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration of any VLANs.
■ When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs.
◆ When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis. After the system message is generated, the entry is cleared from the log buffer.
◆ Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
4. Click Apply.
Figure 168: Configuring Global Settings for ARP Inspection

Configuring VLAN Settings for ARP Inspection
Use the Security > ARP Inspection (Configure VLAN) page to enable ARP inspection for any VLAN and to specify the ARP ACL to use.

Command Usage
ARP Inspection VLAN Filters (ACLs)
◆ By default, no ARP Inspection ACLs are configured and the feature is disabled.
◆ DAI Status – Enables Dynamic ARP Inspection for the selected VLAN. (Default: Disabled)
◆ ACL Name – Allows selection of any configured ARP ACLs. (Default: None)
◆ Static – When an ARP ACL is selected, and static mode also selected, the switch only performs ARP Inspection and bypasses validation against the DHCP Snooping Bindings database.
Packets arriving on trusted interfaces bypass all ARP Inspection and ARP Inspection Validation checks and will always be forwarded, while those arriving on untrusted interfaces are subject to all configured ARP inspection tests.
◆ Packet Rate Limit – Sets the maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
Displaying ARP Inspection Statistics
Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.

Parameters
These parameters are displayed:
Table 23: ARP Inspection Statistics
Parameter – Description
Received ARP packets before ARP inspection rate limit – Count of ARP packets received but not exceeding the ARP Inspection rate limit.
Figure 171: Displaying Statistics for ARP Inspection

Displaying the ARP Inspection Log
Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.

Parameters
These parameters are displayed:
Table 24: ARP Inspection Log
Parameter – Description
VLAN ID – The VLAN where this packet was seen.
Port – The port where this packet was seen.
Src.
Chapter 11 | Security Measures Filtering IP Addresses for Management Access
Figure 172: Displaying the ARP Inspection Log

Filtering IP Addresses for Management Access
Use the Security > IP Filter page to create a list of up to 15 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.

Command Usage
◆ The management interfaces are open to all IP addresses by default.
■ All – Configures IP address(es) for all groups.
◆ Start IP Address – A single IP address, or the starting address of a range.
◆ End IP Address – The end address of a range.

Web Interface
To create a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Add from the Action list.
3. Select the management interface to filter (Web, SNMP, Telnet, All).
4.
Chapter 11 | Security Measures Configuring Port Security
Configuring Port Security
Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Parameters
These parameters are displayed:
◆ Port – Port identifier.
◆ Security Status – Enables or disables port security on a port. (Default: Disabled)
◆ Port Status – The operational status:
■ Secure/Down – Port security is disabled.
■ Secure/Up – Port security is enabled.
■ Shutdown – Port is shut down due to a response to a port security violation.
Chapter 11 | Security Measures Configuring 802.1X Port Authentication
Web Interface
To configure port security:
1. Click Security, Port Security.
2. Mark the check box in the Security Status column to enable security, set the action to take when an invalid address is detected on a port, and set the maximum number of MAC addresses allowed on the port.
3. Click Apply.
Figure 175: Configuring Port Security

Configuring 802.
Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network.
Configuring 802.1X Global Settings
Use the Security > Port Authentication (Configure Global) page to configure IEEE 802.1X port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.

Parameters
These parameters are displayed:
◆ System Authentication Control – Sets the global setting for 802.1X.
Configuring Port Authenticator Settings for 802.1X
Use the Security > Port Authentication (Configure Interface) page to configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e.
port can become unauthorized for all hosts if one attached host fails reauthentication or sends an EAPOL logoff message.
■ MAC-Based – Allows multiple hosts to connect to this port, with each host needing to be authenticated. In this mode, each host connected to a port needs to pass authentication. The number of hosts allowed access to a port operating in this mode is limited only by the available space in the secure address table (i.e.
◆ Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)
◆ Re-authentication Max Retries – The maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
Web Interface
To configure port authenticator settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Interface from the Step list.
3. Modify the authentication settings for each port as required.
4. Click Apply.
Figure 178: Configuring Interface Settings for 802.
Displaying 802.1X Statistics
Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.

Parameters
These parameters are displayed:
Table 25: 802.1X Statistics
Parameter – Description
Authenticator
Rx EAPOL Start – The number of EAPOL Start frames that have been received by this Authenticator.
Table 25: 802.1X Statistics (Continued)
Parameter | Description
Rx EAP LenError | The number of EAPOL frames that have been received by this Supplicant in which the Packet Body Length field is invalid.
Tx EAPOL Total | The number of EAPOL frames of any type that have been transmitted by this Supplicant.
Tx EAPOL Start | The number of EAPOL Start frames that have been transmitted by this Supplicant.
IPv4 Source Guard

IPv4 Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 318). IPv4 source guard can be used to prevent traffic attacks caused when a host tries to use the IPv4 address of a neighbor to access the network.
  ■ If DHCP snooping is enabled, IPv4 source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the SIP-MAC option). If a matching entry is found in the binding table and the entry type is static IPv4 source guard binding, or dynamic DHCP snooping binding, the packet will be forwarded.
Web Interface

To set the IP Source Guard filter for ports:
1. Click Security, IP Source Guard, Port Configuration.
2. Set the required filtering type, set the table type to use ACL or MAC address binding, and then set the maximum binding entries for each port.
3.
  ■ If there is an entry with the same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one.
  ■ If there is an entry with the same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
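The following is an added example, not code from the switch or from this guide: a small Python model of the binding-table lookup described for the SIP and SIP-MAC filter types and of the static-entry replacement rules listed above. The type labels, port names, and addresses are constructed for illustration, and two behaviours are assumptions of the model: a packet with no matching entry is dropped, and a static entry with no existing VLAN/MAC match is simply added.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Entry-type labels for this model only (not the switch's own identifiers).
STATIC = "static IP source guard binding"
DYNAMIC = "dynamic DHCP snooping binding"


@dataclass(frozen=True)
class Binding:
    vlan: int
    mac: str
    ip: str
    port: str
    kind: str


def _norm(mac: str) -> str:
    """Normalise a MAC address so comparisons ignore case and separator style."""
    return mac.strip().lower().replace("-", ":")


class BindingTable:
    """Model of the source guard binding table, keyed by (VLAN ID, MAC address)."""

    def __init__(self, snooped: Iterable[Binding] = ()):
        # 'snooped' stands in for entries that DHCP snooping has already learned.
        self._entries: Dict[Tuple[int, str], Binding] = {}
        for b in snooped:
            mac = _norm(b.mac)
            self._entries[(b.vlan, mac)] = Binding(b.vlan, mac, b.ip, b.port, b.kind)

    def add_static(self, vlan: int, mac: str, ip: str, port: str) -> str:
        """Apply the replacement rules for a new static binding."""
        key = (vlan, _norm(mac))
        old = self._entries.get(key)
        # In every case the stored entry ends up as a static binding.
        self._entries[key] = Binding(vlan, key[1], ip, port, STATIC)
        if old is None:
            return "added"  # assumption: no existing entry, so the entry is new
        if old.kind == STATIC:
            return "replaced-static"
        return "replaced-dynamic-now-static"

    def kind_of(self, vlan: int, mac: str) -> Optional[str]:
        entry = self._entries.get((vlan, _norm(mac)))
        return entry.kind if entry else None

    def permits(self, vlan: int, src_ip: str, port: str, src_mac: str,
                mode: str = "SIP") -> bool:
        """Return True if a packet would be forwarded under the given filter type.

        SIP checks VLAN ID, source IP address and port; SIP-MAC also checks
        the source MAC address.
        """
        if mode not in ("SIP", "SIP-MAC"):
            raise ValueError("mode must be 'SIP' or 'SIP-MAC'")
        for b in self._entries.values():
            if (b.vlan, b.ip, b.port) != (vlan, src_ip, port):
                continue
            if mode == "SIP-MAC" and b.mac != _norm(src_mac):
                continue
            return True
        return False  # assumption: traffic without a matching binding is dropped


def demo() -> Dict[str, bool]:
    """Constructed scenario: one snooped lease, then a neighbour reusing its IP."""
    table = BindingTable([
        Binding(10, "00:11:22:33:44:55", "192.0.2.10", "eth1/1", DYNAMIC),
    ])
    return {
        "owner": table.permits(10, "192.0.2.10", "eth1/1",
                               "00:11:22:33:44:55", "SIP-MAC"),
        "neighbour_other_port": table.permits(10, "192.0.2.10", "eth1/2",
                                              "66:77:88:99:aa:bb", "SIP"),
        "same_port_other_mac_sip": table.permits(10, "192.0.2.10", "eth1/1",
                                                 "66:77:88:99:aa:bb", "SIP"),
        "same_port_other_mac_sip_mac": table.permits(10, "192.0.2.10", "eth1/1",
                                                     "66:77:88:99:aa:bb", "SIP-MAC"),
    }


if __name__ == "__main__":
    for name, forwarded in demo().items():
        print(f"{name}: {'forward' if forwarded else 'drop'}")
```

The third and fourth cases show the practical difference between the two filter types: a host on the bound port that reuses the bound IP address with a different MAC address passes SIP but not SIP-MAC.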
◆ Lease Time – The time for which this IP address is leased to the client. (This value is zero for all static addresses.)
◆ VLAN – VLAN to which this entry is bound.
◆ Interface – The port to which this entry is bound.

Web Interface

To configure static bindings for IP Source Guard:
1. Click Security, IP Source Guard, Static Binding.
2. Select Configure ACL Table or Configure MAC Table from the Step list.
3. Select Add from the Action list.
4.
Displaying Information for Dynamic IPv4 Source Guard Bindings

Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.

Parameters

These parameters are displayed:

Query by
◆ Port – A port on this switch.
◆ VLAN – ID of a configured VLAN (Range: 1-4094)
◆ MAC Address – A valid unicast MAC address.
◆ IP Address – A valid unicast IP address, including classful types A, B or C.
Chapter 11 | Security Measures IPv6 Source Guard

Web Interface

To display the binding table for IP Source Guard:
1. Click Security, IP Source Guard, Dynamic Binding.
2. Mark the search criteria, and enter the required values.
3.
◆ After IPv6 source guard is enabled on an interface, the switch initially blocks all IPv6 traffic received on that interface, except for ND packets allowed by ND snooping and DHCPv6 packets allowed by DHCPv6 snooping. A port access control list (ACL) is applied to the interface. Traffic is then filtered based upon dynamic entries learned via ND snooping or DHCPv6 snooping, or static addresses configured in the source guard binding table.
  ■ SIP – Enables traffic filtering based on IPv6 global unicast source IPv6 addresses stored in the binding table.
◆ Max Binding Entry – The maximum number of entries that can be bound to an interface.
Configuring Static Bindings for IPv6 Source Guard

Use the Security > IPv6 Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Binding, Dynamic-DHCPv6-Binding), VLAN identifier, and port identifier.

Command Usage
◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number.
Show
◆ VLAN – VLAN to which this entry is bound.
◆ MAC Address – Physical address associated with the entry.
◆ Interface – The port to which this entry is bound.
◆ IPv6 Address – IPv6 address corresponding to the client.
◆ Type – Shows the entry type:
  ■ DHCP – Dynamic DHCPv6 binding, stateful address.
  ■ ND – Dynamic Neighbor Discovery binding, stateless address.
  ■ STA – Static IPv6 Source Guard binding.
Figure 186: Displaying Static Bindings for IPv6 Source Guard

Displaying Information for Dynamic IPv6 Source Guard Bindings

Use the Security > IPv6 Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.

Parameters

These parameters are displayed:

Query by
◆ Port – A port on this switch.
◆ VLAN – ID of a configured VLAN (Range: 1-4094)
◆ MAC Address – A valid unicast MAC address.
3. Click Query.

Figure 187: Showing the IPv6 Source Guard Binding Table

DHCP Snooping

The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
◆ Filtering rules are implemented as follows:
  ■ If the global DHCP snooping is disabled, all DHCP packets are forwarded.
  ■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
DHCP Snooping Option 82
◆ DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
packet is not the same as the client's hardware address in the DHCP packet, the packet is dropped. (Default: Enabled)
◆ DHCP Snooping Rate Limit – Sets the maximum number of DHCP packets that can be trapped by the switch for DHCP snooping. (Range: 1-2048 packets/second)

Information
◆ DHCP Snooping Information Option Status – Enables or disables DHCP Option 82 information relay.
4. Click Apply.

Figure 188: Configuring Global Settings for DHCP Snooping

DHCP Snooping VLAN Configuration

Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.

Command Usage
◆ When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
Web Interface

To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure VLAN from the Step list.
3. Enable DHCP Snooping on any existing VLAN.
4. Click Apply.

Figure 189: Configuring DHCP Snooping on a VLAN

Configuring Interfaces for DHCP Snooping

Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch interfaces as trusted or untrusted.
◆ Circuit ID – Specifies DHCP Option 82 circuit ID suboption information.
  ■ Mode – Specifies the default string “VLAN-Unit-Port” or an arbitrary string. (Default: VLAN-Unit-Port)
  ■ Value – An arbitrary string inserted into the circuit identifier field. (Range: 1-32 characters)

Web Interface

To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure Interface from the Step list.
3.
◆ Type – Entry types include:
  ■ DHCP-Snooping – Dynamically snooped.
  ■ Static-DHCPSNP – Statically configured.
◆ VLAN – VLAN to which this entry is bound.
◆ Interface – Port or trunk to which this entry is bound.
◆ Store – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
12 Basic Administration Protocols

This chapter describes basic administration tasks including:
◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
Chapter 12 | Basic Administration Protocols Configuring Event Logging

The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM.

Parameters

These parameters are displayed:
◆ System Log Status – Enables/disables the logging of debug or error messages to the logging process.
Web Interface

To configure the logging of error messages to system memory:
1. Click Administration, Log, System.
2. Select Configure Global from the Step list.
3. Enable or disable system logging, set the level of event messages to be logged to flash memory and RAM.
4. Click Apply.

Figure 193: Configuring Settings for System Memory Logs

To show the error messages logged to system or flash memory:
1. Click Administration, Log, System.
Figure 194: Showing Error Messages Logged to System Memory

Remote Log Configuration

Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.

Parameters

These parameters are displayed:
◆ Remote Log Status – Enables/disables the logging of debug or error messages to the remote logging process.
Chapter 12 | Basic Administration Protocols Link Layer Discovery Protocol

Web Interface

To configure the logging of error messages to remote servers:
1. Click Administration, Log, Remote.
2. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers.
3. Click Apply.
Setting LLDP Timing Attributes

Use the Administration > LLDP (Configure Global) page to set attributes for general functions such as globally enabling LLDP on the switch, setting the message ageout time, and setting the frequency for broadcasting general advertisements or reports about changes in the LLDP MIB.

Parameters

These parameters are displayed:
◆ LLDP – Enables LLDP globally on the switch.
notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
◆ MED Fast Start Count – Configures the amount of LLDP MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism.
Configuring LLDP Interface Attributes

Use the Administration > LLDP (Configure Interface – Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
  ■ Max Frame Size – The maximum frame size. (See “Configuring Support for Jumbo Frames” on page 74 for information on configuring the maximum frame size for this switch.) (Default: Enabled)
  ■ MAC/PHY Configuration/Status – The MAC/PHY configuration and status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.
4. Select an interface from the Port or Trunk list.
5. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, and select the information to advertise in LLDP messages.
6. Click Apply.
Table 27: LLDP MED Location CA Types (Continued)
CA Type | Description | CA Value Example
5 | Neighborhood, block | Riverside
6 | Group of streets below the neighborhood level | Exchange
18 | Street suffix or type | Avenue
19 | House number | 320
20 | House number suffix | A
21 | Landmark or vanity address | Tech Center
26 | Unit (apartment, suite) | Apt 519
27 | Floor | 5
28 | Room | 509B

◆ Any number of CA type and value pairs can be specif
Figure 198: Configuring the Civic Address for an LLDP Interface

To show the physical location of the attached device:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Select Show CA-Type from the Action list.
4. Select an interface from the Port or Trunk list.
Table 28: Chassis ID Subtype
ID Basis | Reference
Chassis component | EntPhysicalAlias when entPhysClass has a value of ‘chassis(3)’ (IETF RFC 2737)
Interface alias | IfAlias (IETF RFC 2863)
Port component | EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’ (IETF RFC 2737)
MAC address | MAC address (IEEE Std 802-2001)
Network address | networkAddress
Interface name | ifName (IETF RFC 2863)
Locally assign
Interface Settings

The attributes listed below apply to both port and trunk interface types. When a trunk is listed, the descriptions apply to the first port of the trunk.
◆ Port/Trunk Description – A string that indicates the port or trunk description. If RFC 2863 is implemented, the ifDescr object should be used for this field.
  ■ Extended Power via MDI – PSE
  ■ Extended Power via MDI – PD
  ■ Inventory

Web Interface

To display LLDP information for the local device:
1. Click Administration, LLDP.
2. Select Show Local Device Information from the Step list.
3. Select General, Port, Port Details, Trunk, or Trunk Details.
Figure 202: Displaying Local Device Information for LLDP (Port Details)

Displaying LLDP Remote Device Information

Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
◆ System Name – A string that indicates the system’s assigned name.
◆ System Description – A textual description of the network entity.
◆ Port Type – Indicates the basis for the identifier that is listed in the Port ID field. See Table 30, “Port ID Subtype,” on page 341.
Port Details – 802.3 Extension Port Information
◆ Remote Port Auto-Neg Supported – Shows whether the given port (associated with remote system) supports auto-negotiation.
◆ Remote Port Auto-Neg Adv-Capability – The value (bitmap) of the ifMauAutoNegCapAdvertisedBits object (defined in IETF RFC 3636) which is associated with a port on the remote system.
◆ Remote Power Pairs – “Signal” means that the signal pairs only are in use, and “Spare” means that the spare pairs only are in use.
◆ Remote Power MDI Supported – Shows whether MDI power is supported on the given port associated with the remote system.
◆ Remote Power Pair Controllable – Indicates whether the pair selection can be controlled for sourcing power on the given port associated with the remote system.
◆ Supported Capabilities – The supported set of capabilities that define the primary function(s) of the port:
  ■ LLDP-MED Capabilities
  ■ Network Policy
  ■ Location Identification
  ■ Extended Power via MDI – PSE
  ■ Extended Power via MDI – PD
  ■ Inventory
◆ Current Capabilities – The set of capabilities that define the primary function(s) of the port which are currently enabled.
Port Details – Location Identification
◆ Location Data Format – Any of these location ID data formats:
  ■ Coordinate-based LCI – Defined in RFC 3825, includes latitude resolution, latitude, longitude resolution, longitude, altitude type, altitude resolution, altitude, and datum.
  ■ Civic Address LCI – Includes What, Country code, CA type, CA length and CA value.
◆ Manufacture Name – The manufacturer of the end-point device.
◆ Asset ID – The asset identifier of the end-point device. End-point devices are typically assigned asset identifiers to facilitate inventory management and assets tracking.
◆ Firmware Revision – The firmware revision of the end-point device.
◆ Serial Number – The serial number of the end-point device.
◆ Model Name – The model name of the end-point device.
Figure 204: Displaying Remote Device Information for LLDP (Port Details)
Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure.

Figure 205: Displaying Remote Device Information for LLDP (End Node)

Displaying Device Statistics

Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.

Port/Trunk
◆ Frames Discarded – Number of frames discarded because they did not conform to the general validation rules as well as any specific usage rules defined for the particular TLV.
Figure 207: Displaying LLDP Device Statistics (Port)

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
and specified security levels. Each group also has a defined security access to a set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.
Configuring SNMPv3 Management Access
1. Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages.
2. Use the Administration > SNMP (Configure Trap) page to specify trap managers so that key events are reported by this switch to your management station.
3. Use the Administration > SNMP (Configure Engine) page to change the local engine ID.
Figure 208: Configuring Global Settings for SNMP

Setting the Local Engine ID

Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection.
Figure 209: Configuring the Local Engine ID for SNMP

Specifying a Remote Engine ID

Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Figure 210: Configuring a Remote Engine ID for SNMP

To show the remote SNMP engine IDs:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Show Remote Engine from the Action list.
Add OID Subtree
◆ View Name – Lists the SNMP views configured in the Add View page. A maximum of 32 views can be configured. (Range: 1-32 characters)
◆ OID Subtree – Adds an additional object identifier of a branch within the MIB tree to the selected View. Wild cards can be used to mask a specific portion of the OID string.
Figure 213: Showing SNMP Views

To add an object identifier to an existing SNMP view of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Add OID Subtree from the Action list.
4. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
5.
Figure 215: Showing the OID Subtree Configured for SNMP Views

Configuring SNMPv3 Groups

Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Table 33: Supported Notification Messages
Model Level Group
newRoot | 1.3.6.1.2.1.17.0.1 | The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange | 1.3.6.1.2.1.17.0.
Table 33: Supported Notification Messages (Continued)
Model Level Group
swThermalFallingNotification | 1.3.6.1.4.1.259.12.1.2.2.1.0.59 | This trap is sent when the temperature is below the switchThermalActionFallingThreshold.
dot1agCfmMepUpTrap | 1.3.6.1.4.1.259.10.1.36.2.1.0.97 | This trap is sent when a new remote MEP is discovered.
dot1agCfmMepDownTrap | 1.3.6.1.4.1.259.10.1.36.2.1.0.
Table 33: Supported Notification Messages (Continued)
Model Level Group
logoutTrap | 1.3.6.1.4.1.259.12.1.2.2.1.0.202 | This trap is sent when a user logs out.
fileCopyTrap | 1.3.6.1.4.1.259.12.1.2.2.1.0.208 | This trap is sent when a file copy is executed.
userauthCreateUserTrap | 1.3.6.1.4.1.259.12.1.2.2.1.0.209 | This trap is sent when a user account is created.
userauthDeleteUserTrap | 1.3.6.1.4.1.259.12.1.2.2.1.0.
Web Interface

To configure an SNMP group:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Enter a group name, assign a security model and level, and then select read, write, and notify views.
5. Click Apply.

Figure 216: Creating an SNMP Group

To show SNMP groups:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3.
Setting Community Access Strings

Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.

Parameters

These parameters are displayed:
◆ Community String – A community string that acts like a password and permits access to the SNMP protocol.
3. Select Show Community from the Action list.

Figure 219: Showing Community Access Strings

Configuring Local SNMPv3 Users

Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name.
◆ Privacy Protocol – The encryption algorithm used for data privacy:
  ■ 3DES - Uses SNMPv3 with privacy with 3DES (168-bit) encryption.
  ■ AES128 - Uses SNMPv3 with privacy with AES128 encryption.
  ■ AES192 - Uses SNMPv3 with privacy with AES192 encryption.
  ■ AES256 - Uses SNMPv3 with privacy with AES256 encryption.
  ■ DES56 - Uses SNMPv3 with privacy with DES56 encryption.
To show local SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Local User from the Action list.

Figure 221: Showing Local SNMPv3 Users

To change a local SNMPv3 user group:
1. Click Administration, SNMP.
2. Select Change SNMPv3 Local User Group from the Action list.
3. Select the User Name.
4. Enter a new group name.
5.
Command Usage
◆ To grant management access to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and the remote user.
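The role of the engine ID in the security digest can be seen in the SNMPv3 User-based Security Model's key localization, shown here as an added example that is not code from the switch or from this guide. It implements the password-to-key and localization steps defined in RFC 3414; the MD5 and SHA-1 hash choices and the sample password and engine ID come from that RFC's appendix test values, not from this page.

```python
import hashlib

# Hash functions named by RFC 3414 for the HMAC-MD5-96 and HMAC-SHA-96
# authentication protocols. (Assumption: which of these a given device
# offers is not stated in the text above.)
_HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}

ONE_MEGABYTE = 1048576  # length of the expanded password stream in RFC 3414


def password_to_key(password: bytes, auth_protocol: str) -> bytes:
    """Derive the engine-independent user key Ku from a password.

    The password is repeated until it fills exactly 1,048,576 octets and
    the result is hashed once.
    """
    if len(password) < 8:
        # RFC 3414 requires passwords of at least 8 characters.
        raise ValueError("SNMPv3 passwords must be at least 8 octets long")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    stream = password * reps + password[:rem]
    return _HASHES[auth_protocol](stream).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return _HASHES[auth_protocol](ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """Convenience wrapper: password -> Ku -> key localized to engine_id."""
    ku = password_to_key(password, auth_protocol)
    return localize_key(ku, engine_id, auth_protocol)


def keys_for_engines(password: bytes, engine_ids, auth_protocol: str = "SHA"):
    """Return {engine ID hex: localized key hex} for one user password.

    Shows that the same password yields an unrelated key on every engine,
    so a key captured for one device does not authenticate to another.
    """
    ku = password_to_key(password, auth_protocol)
    return {
        eid.hex(): localize_key(ku, eid, auth_protocol).hex()
        for eid in engine_ids
    }


if __name__ == "__main__":
    # Test values from the appendix of RFC 3414.
    rfc_password = b"maplesyrup"
    rfc_engine_id = bytes.fromhex("000000000000000000000002")
    # Constructed second engine ID, for comparison only.
    other_engine_id = bytes.fromhex("000000000000000000000003")

    for proto in ("MD5", "SHA"):
        key = localized_key(rfc_password, rfc_engine_id, proto)
        print(f"{proto} key localized to RFC engine ID: {key.hex()}")

    for eid, key in keys_for_engines(
        rfc_password, [rfc_engine_id, other_engine_id]
    ).items():
        print(f"engine {eid}: {key}")
```

Because the localized key is a function of the engine ID, a key derived for one engine ID no longer matches once that engine ID is changed, which is why the remote engine ID has to be known before the remote user is defined.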
Web Interface

To configure a remote SNMPv3 user:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Add SNMPv3 Remote User from the Action list.
4. Enter a name and assign it to a group. Enter the IP address to identify the source of SNMPv3 inform messages sent from the local switch.
Figure 224: Showing Remote SNMPv3 Users

Specifying Trap Managers

Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
Parameters

These parameters are displayed:

SNMP Version 1
◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient).
◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps. (Default: v1)
◆ Community String – Specifies a valid community string for the new trap manager entry.
SNMP Version 3
◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient).
◆ Version – Specifies whether to send notifications using SNMP v1, v2c, or v3 traps.
◆ Notification Type
  ■ Traps – Notifications are sent as trap messages.
  ■ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts.
Web Interface

To configure trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Add from the Action list.
4. Fill in the required parameters based on the selected SNMP version.
5.
Figure 227: Configuring Trap Managers (SNMPv3)

To show configured trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Show from the Action list.

Figure 228: Showing Trap Managers

Creating SNMP Notification Logs

Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
◆ If notification logging is not configured, when the switch reboots, some SNMP traps (such as warm start) cannot be logged.
Figure 229: Creating SNMP Notification Logs

To show configured SNMP notification logs:
1. Click Administration, SNMP.
2. Select Configure Notify Filter from the Step list.
3. Select Show from the Action list.

Figure 230: Showing SNMP Notification Logs

Showing SNMP Statistics

Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.
◆ Encoding errors – The total number of ASN.1 or BER errors encountered by the SNMP entity when decoding received SNMP messages.
◆ Number of requested variables – The total number of MIB objects which have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
Figure 231: Showing SNMP Statistics

Remote Monitoring

Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Command Usage
◆ If an alarm is already defined for an index, the entry must be deleted before any changes can be made.

Parameters
These parameters are displayed:
◆ Index – Index to this entry. (Range: 1-65535)
◆ Variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled. Note that etherStatsEntry.n uniquely defines the MIB variable, and etherStatsEntry.n.
Web Interface
To configure an RMON alarm:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Click Alarm.
5. Enter an index number, the MIB object to be polled (etherStatsEntry.n.n), the polling interval, the sample type, the thresholds, and the event to trigger.
6. Click Apply.

Figure 232: Configuring an RMON Alarm

To show configured RMON alarms:
1. Click Administration, RMON.
Figure 233: Showing Configured RMON Alarms

Configuring RMON Events

Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
◆ Community – A password-like community string sent with the trap operation to SNMP v1 and v2c hosts. Although the community string can be set on this configuration page, it is recommended that it be defined on the SNMP trap configuration page (see “Setting Community Access Strings” on page 366) prior to configuring it here. (Range: 1-32 characters)
◆ Description – A comment that describes this event.
To show configured RMON events:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Event.

Figure 235: Showing Configured RMON Events

Configuring RMON History Samples

Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors.
example, if control entry 15 is assigned to port 5, this index entry will be removed from the Show and Show Details page for port 8.

Parameters
These parameters are displayed:
◆ Port – The port number on the switch.
◆ Index – Index to this entry. (Range: 1-65535)
◆ Interval – The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds)
◆ Buckets – The number of buckets requested for this entry.
Figure 236: Configuring an RMON History Sample

To show configured RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click History.

Figure 237: Showing Configured RMON History Samples

To show collected RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3.
5. Click History.

Figure 238: Showing Collected RMON History Samples

Configuring RMON Statistical Samples

Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.

Command Usage
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made.
5. Select a port from the list as the data source.
6. Enter an index number, and the name of the owner for this entry.
7. Click Apply.

Figure 239: Configuring an RMON Statistical Sample

To show configured RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click Statistics.
Chapter 12 | Basic Administration Protocols Connectivity Fault Management

To show collected RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click Statistics.
and cross-check messages which are used to verify a static list of remote maintenance points located on other devices (in the same maintenance association) against those found through continuity check messages. Fault verification is supported using loop back messages, and fault isolation with link trace messages.
The following figure shows a single Maintenance Domain, with DSAPs located on the domain boundary, and Internal Service Access Points (ISAPs) inside the domain through which frames may pass between the DSAPs.

Figure 242: Single CFM Maintenance Domain (figure labels: Maintenance Domain, Bridge, DSAP, ISAP)

The figure below shows four maintenance associations contained within a hierarchical structure of maintenance domains.
Basic CFM Operations

CFM uses standard Ethernet frames for sending protocol messages. Both the source and destination address for these messages are based on unicast or multicast MAC addresses, and therefore confined to a single Layer 2 CFM service VLAN. For this reason, the transmission, forwarding, and processing of CFM frames is performed by bridges, not routers.
4. Enter a static list of MEPs assigned to other devices within the same maintenance association using the Remote MEP List (see "Configuring Remote Maintenance End Points"). This allows CFM to automatically verify the functionality of these remote end points by cross-checking the static list configured on this device against information learned through continuity check messages.
5.
◆ MEP Cross Check Start Delay – Sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation.
◆ Connectivity Check Loop – Sends a trap if this device receives a CCM with the same source MAC address and MPID as its own, indicating that a forwarding loop exists.
◆ Connectivity Check MEP Down – Sends a trap if this device loses connectivity with a remote maintenance end point (MEP), or connectivity has been restored to a remote MEP which has recovered from an error condition.
5. Enable the required traps for continuity check and cross-check errors. Remember that the “Connectivity Check” and “Cross Check” fields on the MA Configuration page must be enabled before related errors can be generated.
6. Click Apply.

Figure 244: Configuring Global Settings for CFM

Configuring Interfaces for CFM

CFM processes are enabled by default for all physical interfaces, both ports and trunks.
2. Select Configure Interface from the Step list.
3. Select Port or Trunk.
4. Enable CFM on the required interface.
5. Click Apply.

Figure 245: Configuring Interfaces for CFM

Configuring CFM Maintenance Domains

Use the Administration > CFM (Configure MD) pages to create and configure a Maintenance Domain (MD) which defines a portion of the network for which connectivity faults can be managed.
In contrast, MIPs are interconnection points that make up all possible paths between the DSAPs within an MA. MIPs are automatically generated by the CFM protocol when the MIP Creation Type is set to “Default” or “Explicit,” and the MIP creation state machine is invoked (as defined in IEEE 802.1ag).
Priority levels include the following options:

Table 34: Remote MEP Priority Levels

Priority Level   Level Name      Description
1                allDef          All defects.
2                macRemErrXcon   DefMACstatus, DefRemoteCCM, DefErrorCCM, or DefXconCCM.
3                remErrXcon      DefErrorCCM, DefXconCCM or DefRemoteCCM.
4                errXcon         DefErrorCCM or DefXconCCM.
5                xcon            DefXconCCM
6                noXcon          No defects DefXconCCM or lower are to be reported.
Configuring Detailed Settings for a Maintenance Domain
◆ MD Index – Domain index. (Range: 1-65535)
◆ MEP Archive Hold Time – The time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. (Range: 1-65535 minutes; Default: 100 minutes)
  A change to the hold time only applies to entries stored in the database after this attribute is changed.
To show the configured maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Show from the Action list.

Figure 247: Showing Maintenance Domains

To configure detailed settings for maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Configure Details from the Action list.
4. Select an entry from the MD Index.
5.
Configuring CFM Maintenance Associations

Use the Administration > CFM (Configure MA) pages to create and configure the Maintenance Associations (MA) which define a unique CFM service instance. Each MA can be identified by its parent MD, the MD’s maintenance level, the VLAN assigned to the MA, and the set of maintenance end points (MEPs) assigned to it.
Parameters
These parameters are displayed:

Creating a Maintenance Association
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ MA Name – MA name. (Range: 1-4313 alphanumeric characters)
  Each MA name must be unique within the CFM domain.
◆ Primary VLAN – Service VLAN ID. (Range: 1-4094)
  This is the VLAN through which all CFM functions are executed for this MA.
Before starting the cross-check process, first configure the remote MEPs that exist on other devices inside the maintenance association using the Remote MEP List (see "Configuring Remote Maintenance End Points"). These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational.
Figure 249: Creating Maintenance Associations

To show the configured maintenance associations:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Show from the Action list.
4. Select an entry from the MD Index list.

Figure 250: Showing Maintenance Associations

To configure detailed settings for maintenance associations:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3.
Figure 251: Configuring Detailed Settings for Maintenance Associations

Configuring Maintenance End Points

Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
not selected, then the MEP is facing away from the switch, and transmits CFM messages towards, and receives them from, the direction of the physical medium.
◆ Interface – Indicates a port or trunk.

Web Interface
To configure a maintenance end point:
1. Click Administration, CFM.
2. Select Configure MEP from the Step list.
3. Select Add from the Action list.
4. Select an entry from MD Index and MA Index.
5.
4. Select an entry from MD Index and MA Index.

Figure 253: Showing Maintenance End Points

Configuring Remote Maintenance End Points

Use the Administration > CFM (Configure Remote MEP – Add) page to specify remote maintenance end points (MEPs) set on other CFM-enabled devices within a common MA. Remote MEPs can be added to a static list in this manner to verify that each entry has been properly configured and is operational.
◆ MEP ID – Identifier for a maintenance end point which exists on another CFM-enabled device within the same MA. (Range: 1-8191)

Web Interface
To configure a remote maintenance end point:
1. Click Administration, CFM.
2. Select Configure Remote MEP from the Step list.
3. Select Add from the Action list.
4. Select an entry from MD Index and MA Index.
5. Specify the remote MEPs which exist on other devices within the same MA.
6.
Transmitting Link Trace Messages

Use the Administration > CFM (Transmit Link Trace) page to transmit link trace messages (LTMs). These messages can isolate connectivity faults by tracing the path through a network to the designated target node (i.e., a remote maintenance end point).

Command Usage
◆ LTMs can be targeted to MEPs, not MIPs.
◆ TTL – The time to live of the link trace message. (Range: 0-255 hops)

Web Interface
To transmit link trace messages:
1. Click Administration, CFM.
2. Select Transmit Link Trace from the Step list.
3. Select an entry from MD Index and MA Index.
4. Specify the source MEP, the target MEP using either its MEP identifier or MAC address, and set the maximum number of hops allowed in the TTL field.
5. Click Apply.
6.
◆ If the continuity check database does not have an entry for the specified maintenance point, an error message will be displayed.
◆ When using the command line or web interface, the source MEP used to send a loopback message is chosen by the CFM protocol. However, when using SNMP, the source MEP can be specified by the user.

Parameters
These parameters are displayed:
◆ MD Index – Domain index.
Figure 257: Transmitting Loopback Messages

Transmitting Delay-Measure Requests

Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association.

Command Usage
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
◆ A local MEP must be configured for the same MA before you can use this function.
Parameters
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ Source MEP ID – The identifier of a source MEP that will send the delay-measure message. (Range: 1-8191)
◆ Target
  ■ MEP ID – The identifier of a remote MEP that is the target of a delay-measure message.
Figure 258: Transmitting Delay-Measure Messages

Displaying Local MEPs

Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device.

Parameters
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.
◆ MAC Address – MAC address of this MEP entry.

Web Interface
To show information for the MEPs configured on this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Local MEP from the Action list.
◆ MAC Address – MAC address of the local maintenance point. (If a CCM for the specified remote MEP has never been received or the local MEP record times out, the address will be set to the initial value of all Fs.)
◆ Defect Condition – Shows the defect detected on the MEP.
◆ Received RDI – Receive status of remote defect indication (RDI) messages on the MEP.
Figure 260: Showing Detailed Information on Local MEPs

Displaying Local MIPs

Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance Domains".)

Parameters
These parameters are displayed:
◆ MD Name – Maintenance domain name.
2. Select Show Information from the Step list.
3. Select Show Local MIP from the Action list.

Figure 261: Showing Information on Local MIPs

Displaying Remote MEPs

Use the Administration > CFM > Show Information (Show Remote MEP) page to show MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.
Figure 262: Showing Information on Remote MEPs

Displaying Details for Remote MEPs

Use the Administration > CFM > Show Information (Show Remote MEP Details) page to show detailed information for MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.
  ■ Blocked – The port has been blocked by the Spanning Tree Protocol.
  ■ No port state – Either no CCM has been received, or no port status TLV was received in the last CCM.
◆ Interface State – Interface states include:
  ■ No Status – Either no CCM has been received, or no interface status TLV was received in the last CCM.
  ■ Up – The interface is ready to pass packets.
  ■ Down – The interface cannot pass packets.
Figure 263: Showing Detailed Information on Remote MEPs

Displaying the Link Trace Cache

Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device.

Parameters
These parameters are displayed:
◆ Hops – The number of hops taken to reach the target MEP.
◆ MA – Maintenance association name.
has another Down MEP at a higher MD level on the same bridge port that is causing the bridge port’s MAC_Operational parameter to be false.
  ■ IngBlocked – The ingress port can be identified, but the target data frame was not forwarded when received on this port due to active topology management, i.e., the bridge port is not in the forwarding state.
Displaying Fault Notification Settings

Use the Administration > CFM > Show Information (Show Fault Notification Generator) page to display configuration settings for the fault notification generator.

Parameters
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MD Name – Maintenance domain name.
◆ MA Name – Maintenance association name.
◆ Primary VLAN – VLAN in which this error occurred.
◆ MEP ID – Identifier of remote MEP.
◆ Interface – Port at which the error was recorded.
◆ Remote MAC – MAC address of remote MEP.
UDLD Configuration

The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
for all other steady-state transmissions. Mslow is the value configured by this command.
◆ Detection Interval – Sets the amount of time the switch remains in detection state after discovering a neighbor. (Range: 5-255 seconds; Default: 5 seconds)
  When a neighbor device is discovered by UDLD, the switch enters “detection state” and remains in this state for the specified detection-interval.
Configuring UDLD Interface Settings

Use the Administration > UDLD (Configure Interface) page to enable UDLD and aggressive mode which reduces the shut-down delay after loss of bidirectional connectivity is detected.

Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/54)
◆ UDLD – Enables UDLD on a port.
scenarios (typically only on point-to-point links where no communication failure between two neighbors is admissible).
◆ Entry – Table entry number uniquely identifying the neighbor device discovered by UDLD on a port interface.
◆ Device ID – Device identifier of neighbor sending the UDLD packet.
◆ Port ID – The physical port the UDLD packet is sent from.
◆ Device Name – The device name of this neighbor.
13 Multicast Filtering

This chapter describes how to configure the following multicast services:
◆ IGMP Snooping – Configures snooping and query parameters for IPv4.
◆ Filtering and Throttling – Filters specified multicast service, or throttles the maximum number of multicast groups allowed on an interface for IPv4.
◆ MLD Snooping – Configures snooping and query parameters for IPv6.
◆ Layer 3 IGMP – Configures IGMP query used with multicast routing.
Chapter 13 | Multicast Filtering IGMP Protocol

router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly. If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch. In this case (Layer 2) IGMP Query can be used to actively ask the attached hosts if they want to receive a specific multicast service.
Figure 271: IGMP Protocol (figure labels: Network core (multicast routing); Edge switches (snooping and query); Switch to end nodes (snooping on IGMP clients))

Layer 2 IGMP (Snooping and Query for IPv4)

IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and IGMP Query (page 437) to monitor IGMP service requests passing between multicast clients and servers, and dynamically
Note: When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN.

Note: IGMP snooping will not function unless a multicast router port is enabled on the switch. This can be accomplished in one of two ways.
IGMP Interface Parameters”). However, note that Layer 2 query is disabled if Layer 3 query is enabled.

Configuring IGMP Snooping and Query Parameters

Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.
When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally.
◆ Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting.
◆ TCN Query Solicit – Sends out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. (Default: Disabled)
  When the root bridge in a spanning tree receives a TCN for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (or query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred.
When a new upstream interface (that is, uplink port) starts up, the switch sends unsolicited reports for all currently learned multicast channels via the new upstream interface.
This command only applies when proxy reporting is enabled.
◆ Router Port Expire Time – The time the switch waits after the previous querier stops before it considers it to have expired.
Specifying Static Interfaces for an IPv4 Multicast Router

Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an IPv4 interface to a multicast router/switch.

Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
Web Interface
To specify a static interface attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Add Static Multicast Router from the Action list.
3. Select the VLAN which will forward all the corresponding multicast traffic, and select the port or trunk attached to the multicast router.
4. Click Apply.
the switch or statically assigned to an interface on the switch.

To show all the interfaces attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Show Current Multicast Router from the Action list.
3. Select the VLAN for which to display this information. Ports in the selected VLAN which are attached to a neighboring multicast router/switch are displayed.
Web Interface
To statically assign an interface to an IPv4 multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Add Static Member from the Action list.
3. Select the VLAN that will propagate the multicast service, specify the interface attached to a multicast service (through an IGMP-enabled switch or multicast router), and enter the multicast IP address.
4. Click Apply.
To show all the interfaces attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Current Multicast Router from the Action list.
3. Select the VLAN for which to display this information. Ports in the selected VLAN which are attached to a neighboring multicast router/switch are displayed.
Multicast Router Discovery uses the following three message types to discover multicast routers:
◆ Multicast Router Advertisement – Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled.
receive multicast traffic. This is referred to as IGMP Snooping. (Default: Disabled)
When IGMP snooping is enabled globally (see page 437), the per VLAN interface settings for IGMP snooping take precedence.
When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally.
◆ General Query Suppression – Suppresses general queries except for ports attached to downstream multicast hosts. (Default: Disabled)
  By default, general query messages are flooded to all ports, except for the multicast router through which they are received.
  If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
This attribute applies when the switch is serving as the querier (page 437), or as a proxy host when IGMP snooping proxy reporting is enabled (page 437).
◆ Query Response Interval – The maximum time the system waits for a response to proxy general queries.
Web Interface
To configure IGMP snooping on a VLAN:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Configure VLAN from the Action list.
3. Select the VLAN to configure and update the required parameters.
4. Click Apply.
To show the interface settings for IGMP snooping:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Show VLAN Information from the Action list.

Figure 280: Showing Interface Settings for IGMP Snooping

Filtering IGMP Query Packets

Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets.
Figure 281: Dropping IGMP Query Packets

Displaying Multicast Groups Discovered by IGMP Snooping

Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.

Command Usage
To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see page 437).
Web Interface
To show multicast groups learned through IGMP snooping:
1. Click Multicast, IGMP Snooping, Forwarding Entry.
2. Select the VLAN for which to display this information.

Figure 282: Showing Multicast Groups Learned by IGMP Snooping

Displaying IGMP Snooping Statistics

Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface.
◆ General Query Received – The number of general queries received on this interface.
◆ General Query Sent – The number of general queries sent from this interface.
◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – The number of specific queries sent from this interface.
◆ G Query – The number of general query messages sent from this interface.
◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages sent from this interface.

Web Interface
To display statistics for IGMP snooping query-related messages:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Query Statistics from the Action list.
3. Select a VLAN.
Chapter 13 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Figure 284: Displaying IGMP Snooping Statistics – VLAN To display IGMP snooping protocol-related statistics for a port: 1. Click Multicast, IGMP Snooping, Statistics. 2. Select Show Port Statistics from the Action list. 3. Select a Port.
Filtering and Throttling IGMP Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
Figure 286: Enabling IGMP Filtering and Throttling

Configuring IGMP Filter Profiles
Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
Chapter 13 | Multicast Filtering Filtering and Throttling IGMP Groups Web Interface To create an IGMP filter profile and set its access mode: 1. Click Multicast, IGMP Snooping, Filter. 2. Select Configure Profile from the Step list. 3. Select Add from the Action list. 4. Enter the number for a profile, and set its access mode. 5. Click Apply. Figure 287: Creating an IGMP Filtering Profile To show the IGMP filter profiles: 1. Click Multicast, IGMP Snooping, Filter. 2.
Chapter 13 | Multicast Filtering Filtering and Throttling IGMP Groups To add a range of multicast groups to an IGMP filter profile: 1. Click Multicast, IGMP Snooping, Filter. 2. Select Configure Profile from the Step list. 3. Select Add Multicast Group Range from the Action list. 4. Select the profile to configure, and add a multicast group address or range of addresses. 5. Click Apply.
Configuring IGMP Filtering and Throttling for Interfaces
Use the Multicast > IGMP Snooping > Filter (Configure Interface) page to assign an IGMP filter profile to interfaces on the switch, or to throttle multicast traffic by limiting the maximum number of multicast groups an interface can join at the same time.

Command Usage
◆ IGMP throttling sets a maximum number of multicast groups that a port can join at the same time.
Figure 291: Configuring IGMP Filtering and Throttling Interface Settings

MLD Snooping (Snooping and Query for IPv6)
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
Chapter 13 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address. The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network. ◆ Robustness – MLD Snooping robustness variable.
3. Click Apply.
Figure 292: Configuring General Settings for MLD Snooping

Setting Immediate Leave Status for MLD Snooping per Interface
Use the Multicast > MLD Snooping > Interface page to configure Immediate Leave status for a VLAN.

Parameters
These parameters are displayed:
◆ VLAN – A VLAN identification number.
Figure 293: Configuring Immediate Leave for MLD Snooping

Specifying Static Interfaces for an IPv6 Multicast Router
Use the Multicast > MLD Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to an IPv6 multicast router/switch.

Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.
Chapter 13 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Figure 294: Configuring a Static Interface for an IPv6 Multicast Router To show the static interfaces attached to a multicast router: 1. Click Multicast, MLD Snooping, Multicast Router. 2. Select Show Static Multicast Router from the Action list. 3. Select the VLAN for which to display this information.
Assigning Interfaces to IPv6 Multicast Services
Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface.

Multicast filtering can be dynamically configured using MLD snooping and query messages (see “Configuring MLD Snooping and Query Parameters” on page 462).
Chapter 13 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Figure 297: Assigning an Interface to an IPv6 Multicast Service To show the static interfaces assigned to an IPv6 multicast service: 1. Click Multicast, MLD Snooping, MLD Member. 2. Select Show Static Member from the Action list. 3. Select the VLAN for which to display this information.
Figure 299: Showing Current Interfaces Assigned to an IPv6 Multicast Service

Showing MLD Snooping Groups and Source List
Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.

Parameters
These parameters are displayed:
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Interface – Port or trunk identifier.
Chapter 13 | Multicast Filtering Layer 3 IGMP (Query used with Multicast Routing) Web Interface To display known MLD multicast groups: 1. Click Multicast, MLD Snooping, Group Information. 2. Select the port or trunk, and then select a multicast service assigned to that interface.
Note: Multicast Router Discovery (MRD) is used to discover which interfaces are attached to multicast routers. (For a description of this protocol, see “Multicast Router Discovery” on page 445.
Chapter 13 | Multicast Filtering Layer 3 IGMP (Query used with Multicast Routing) send the group membership information learned upstream, and then to forward multicast packets based upon that information to the downstream hosts. For the switch, IGMP proxy routing has only one upstream connection to the core network side and multiple downstream connections to the customer side.
Chapter 13 | Multicast Filtering Layer 3 IGMP (Query used with Multicast Routing) accordingly, and set the v1/v2 query present timer to indicate that there is an active v1/v2 querier in this VLAN. Otherwise, it will act as an IGMPv3 host. ◆ Multicast routing protocols are not supported when IGMP proxy service is enabled. ◆ Only one upstream interface is supported on the system. ◆ A maximum of 1024 multicast entries are supported.
Configuring IGMP Interface Parameters
Use the Multicast > IGMP > Interface page to configure interface settings for IGMP.

The switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. The hosts may respond with several types of IP multicast messages.
Chapter 13 | Multicast Filtering Layer 3 IGMP (Query used with Multicast Routing) meaning that this device will not advertise a QRV in any query messages it subsequently sends. ◆ Query Interval – Configures the frequency at which host query messages are sent. (Range: 1-255; Default: 125 seconds) Multicast routers send host query messages to determine the interfaces that are connected to downstream hosts requesting a specific multicast service.
3. Click Apply.
Figure 303: Configuring IGMP Interface Settings

Configuring Static IGMP Group Membership
Use the Multicast > IGMP > Static Group page to manually propagate traffic from specific multicast groups onto the specified VLAN interface.

Command Usage
◆ Group addresses within the entire multicast group address range can be specified.
Chapter 13 | Multicast Filtering Layer 3 IGMP (Query used with Multicast Routing) ◆ Source Address – The source address of a multicast server transmitting traffic to the specified multicast group address. Web Interface To configure static IGMP groups: 1. Click Multicast, IGMP, Static Group. 2. Select Add from the Action list. 3. Select a VLAN interface to be assigned as a static multicast group member, and then specify the multicast group.
Displaying Multicast Group Information
When IGMP (Layer 3) is enabled on the switch, use the Multicast > IGMP > Group Information pages to display the current multicast groups learned through IGMP. When IGMP (Layer 3) is disabled and IGMP (Layer 2) is enabled, the active multicast groups can be viewed on the Multicast > IGMP Snooping > Forwarding Entry page (see page 452).
Chapter 13 | Multicast Filtering Layer 3 IGMP (Query used with Multicast Routing) Show Details The following additional information is displayed on this page: ◆ VLAN – VLAN identifier. The selected entry must be a configured IP interface. (Range: 1-4094) ◆ Group Address – IP multicast group address with subscribers directly attached or downstream from the switch, or a static multicast group assigned to this interface.
Chapter 13 | Multicast Filtering Layer 3 IGMP (Query used with Multicast Routing) Figure 306: Displaying Multicast Groups Learned from IGMP (Information) To display detailed information about the current multicast groups learned through IGMP: 1. Click Multicast, IGMP, Group Information. 2. Select Show Details from the Action list. 3. Select a VLAN. The selected entry must be a configured IP interface.
14 IP Configuration This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a DHCP server when it is powered on.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 4) ◆ To enable routing between interfaces defined on this switch and external network interfaces, you must configure static routes (page 526) or use dynamic routing; i.e., RIP (page 544), OSPFv2 (page 562), OSPFv3, or BGPv4. Note that OSPFv3 and BGPv4 are only supported through the Command Line Interface.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 4) Web Interface To set a static IPv4 address for the switch: 1. Click IP, General, Routing Interface. 2. Select Add Address from the Action list. 3. Select any configured VLAN, set IP Address Mode to “User Specified,” set IP Address Type to “Primary” if no address has yet been configured for this interface, and then enter the IP address and subnet mask. 4. Click Apply.
Figure 309: Configuring a Dynamic IPv4 Address

Note: The switch will also broadcast a request for IP configuration settings on each power reset.
Note: If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address.

Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
Figure 310: Showing the IPv4 Address Configured for an Interface

Setting the Switch’s IP Address (IP Version 6)
This section describes how to configure an initial IPv6 interface for management access over the network, or for creating an interface to multiple subnets. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 6) ■ If a routing protocol is enabled (page 543), you can still define a static route (page 526) to ensure that traffic to the designated address or subnet passes through a preferred gateway. ■ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 6) are the number of attempts made to verify whether or not a duplicate address exists on the same network segment, and the interval between neighbor solicitations used to verify reachability information. Parameters These parameters are displayed: VLAN Mode ◆ VLAN – ID of a configured VLAN which is to be used for management access, or as a standard interface for a subnet. By default, all ports on the switch are members of VLAN 1.
all nodes on a link use the same MTU value in cases where the link MTU is not otherwise well known.
■ IPv6 routers do not fragment IPv6 packets forwarded from other routers. However, traffic originating from an end-station connected to an IPv6 router may be fragmented.
■ All devices on the same physical medium must use the same MTU in order to operate correctly.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 6) When a non-default value is configured, the specified interval is used both for router advertisements and by the router itself. ◆ ND Reachable-Time – The amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. (Range: 0-3600000 milliseconds) Default: 30000 milliseconds is used for neighbor discovery operations, 0 milliseconds is advertised in router advertisements.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 6) 5. Enable IPv6 Explicitly to automatically configure a link-local address and enable IPv6 on the selected interface. (To manually configure the link-local address, use the Add IPv6 Address page.) Set the MTU size, the maximum number of duplicate address detection messages, the neighbor solicitation message interval, and the amount of time that a remote IPv6 node is considered reachable. 6. Click Apply.
Figure 313: Configuring RA Guard for an IPv6 Interface

Configuring an IPv6 Address
Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an initial IPv6 interface for management access over the network, or for creating an interface to multiple subnets.

Command Usage
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 6) ◆ If a duplicate link-local address is detected on the local segment, this interface is disabled and a warning message displayed on the console. If a duplicate global unicast address is detected on the network, the address is disabled on this interface and a warning message displayed on the console.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 6) addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e., organizationally unique identifier, or company identifier) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE-1C-82-35.
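The modified EUI-64 derivation described above, together with its inverse, as an added example that is not part of the original guide. The function names and the neighbor entries are constructed for illustration; the audit compares the MAC embedded in an address with the link-layer address recorded beside it, which is useful when reviewing a neighbor cache.

```python
import ipaddress

def _mac_bytes(mac: str) -> bytes:
    """Parse a MAC written with '-' or ':' separators into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return raw

def mac_to_eui64(mac: str) -> bytes:
    """Build the modified EUI-64 interface identifier from a 48-bit MAC."""
    raw = _mac_bytes(mac)
    first = raw[0] ^ 0x02                      # invert universal/local bit: 28 -> 2A
    return bytes([first]) + raw[1:3] + b"\xff\xfe" + raw[3:]   # FFFE after the OUI

def format_eui64(ident: bytes) -> str:
    return "-".join(f"{b:02X}" for b in ident)

def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 prefix followed by the modified EUI-64 identifier."""
    return ipaddress.IPv6Address(bytes.fromhex("fe80") + bytes(6) + mac_to_eui64(mac))

def mac_from_address(addr: str):
    """Return the MAC embedded in an EUI-64 style address, or None.

    A zone id after '%' (as in FE80::7272%1) is stripped before parsing.
    """
    ident = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]
    if ident[3:5] != b"\xff\xfe":
        return None                            # identifier was not derived from a MAC
    raw = bytes([ident[0] ^ 0x02]) + ident[1:3] + ident[5:]
    return "-".join(f"{b:02X}" for b in raw)

def audit_neighbors(entries):
    """Classify (IPv6 address, link-layer address) pairs.

    'match'     : embedded MAC equals the recorded link-layer address
    'mismatch'  : address embeds a different MAC than the one recorded
    'not-eui64' : identifier is not in modified EUI-64 form
    """
    results = []
    for addr, lladdr in entries:
        embedded = mac_from_address(addr)
        if embedded is None:
            verdict = "not-eui64"
        elif _mac_bytes(embedded) == _mac_bytes(lladdr):
            verdict = "match"
        else:
            verdict = "mismatch"
        results.append((addr, verdict))
    return results

# Constructed sample entries (not taken from a real switch).
SAMPLE_NEIGHBORS = [
    ("fe80::2a9f:18ff:fe1c:8235%1", "28-9F-18-1C-82-35"),
    ("2001:db8::2a9f:18ff:fe1c:8235", "28-9F-18-1C-82-99"),
    ("fe80::7272%1", "00-11-22-33-44-55"),
]

if __name__ == "__main__":
    print(format_eui64(mac_to_eui64("28-9F-18-1C-82-35")))
    print(link_local_from_mac("28-9F-18-1C-82-35"))
    for addr, verdict in audit_neighbors(SAMPLE_NEIGHBORS):
        print(f"{addr:34} {verdict}")
```

A "mismatch" entry is not proof of a problem, since addresses can be configured manually, but it marks a neighbor whose address and hardware identity disagree.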
Showing IPv6 Addresses
Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface.

Parameters
These parameters are displayed:
◆ VLAN – ID of a configured VLAN. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
Web Interface
To show the configured IPv6 addresses:
1. Click IP, IPv6 Configuration.
2. Select Show IPv6 Address from the Action list.
3. Select a VLAN from the list.
Figure 315: Showing Configured IPv6 Addresses

Showing the IPv6 Neighbor Cache
Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.
Table 36: Show IPv6 Neighbors - display description (Continued)
Field | Description
◆ Delay - More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning. A packet was sent within the last DELAY_FIRST_PROBE_TIME interval.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 6) ◆ ICMPv6 – Internet Control Message Protocol for Version 6 addresses is a network layer protocol that transmits message packets to report errors in processing IPv6 packets. ICMP is therefore an integral part of the Internet Protocol.
Table 37: Show IPv6 Statistics - display description (Continued)
Field | Description
Delivers | The total number of datagrams successfully delivered to IPv6 user-protocols (including ICMP). This counter is incremented at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the datagrams.
Table 37: Show IPv6 Statistics - display description (Continued)
Field | Description
Destination Unreachable Messages | The number of ICMP Destination Unreachable messages received by the interface.
Packet Too Big Messages | The number of ICMP Packet Too Big messages received by the interface.
Time Exceeded Messages | The number of ICMP Time Exceeded messages received by the interface.
Table 37: Show IPv6 Statistics - display description (Continued)
Field | Description
Neighbor Advertisement Messages | The number of ICMP Router Advertisement messages sent by the interface.
Redirect Messages | The number of Redirect messages sent. For a host, this object will always be zero, since hosts do not send redirects.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Web Interface To show the IPv6 statistics: 1. Click IP, IPv6 Configuration. 2. Select Show Statistics from the Action list. 3. Click IPv6, ICMPv6 or UDP.
Figure 318: Showing IPv6 Statistics (ICMPv6)
Figure 319: Showing IPv6 Statistics (UDP)
Showing the MTU for Responding Destinations
Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
15 IP Services This chapter describes the following IP services: ◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries. ◆ DHCP Client – Specifies the DHCP client identifier for an interface. ◆ DHCP Relay – Enables DHCP relay service, and defines the servers to which client requests are forwarded. Note: For information on DHCP snooping which is included in this folder, see “DHCP Snooping” on page 318.
Chapter 15 | IP Services Domain Name Service Parameters These parameters are displayed: ◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) ◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 alphanumeric characters) Web Interface To configure general settings for DNS: 1. Click IP Service, DNS. 2.
checking with the specified name servers for a match (see “Configuring a List of Name Servers” on page 508).

Parameters
These parameters are displayed:
Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-68 characters)

Web Interface
To create a list of domain names:
1. Click IP Service, DNS.
2. Select Add Domain Name from the Action list.
3. Enter one domain name at a time.
4. Click Apply.
Configuring a List of Name Servers
Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.

Command Usage
◆ To enable DNS service on this switch, configure one or more name servers, and enable domain lookup status (see “Configuring General DNS Service Parameters” on page 505).
Figure 325: Showing the List of Name Servers for DNS

Configuring Static DNS Host to Address Entries
Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.

Command Usage
Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
To show static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Show from the Action list.
Figure 327: Showing Static Entries in the DNS Table

Displaying the DNS Cache
Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.

Command Usage
Servers or other network devices may support one or more connections via multiple IP addresses.
Web Interface
To display entries in the DNS cache:
1. Click IP Service, DNS, Cache.
Figure 328: Showing Entries in the DNS Cache

Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) can dynamically allocate an IP address and other configuration information to network clients when they boot up.
◆ By default, DHCP option 66/67 parameters are not carried in a DHCP server reply. To ask for a DHCP reply with option 66/67 information, the DHCP client request sent by this switch includes a “parameter request list” asking for this information. The client request also includes a “vendor class identifier” that allows the DHCP server to identify the device, and select the appropriate configuration file for download.
Figure 329: Specifying a DHCP Client Identifier

Configuring DHCP Relay Service
Use the IP Service > DHCP > Relay page to configure DHCP relay service for attached host devices. If DHCP relay is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to the DHCP server.
Chapter 15 | IP Services Dynamic Host Configuration Protocol Parameters These parameters are displayed: ◆ VLAN ID – ID of configured VLAN. ◆ Server IP Address – Addresses of DHCP servers or relay servers to be used by the switch’s DHCP relay agent in order of preference. ◆ Restart DHCP Relay – Use this button to re-initialize DHCP relay service. Web Interface To configure DHCP relay service: 1. Click IP Service, DHCP, Relay. 2. Enter up to five IP addresses for any VLAN. 3. Click Apply.
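The two DHCP behaviours described in this section, a client request that asks for options 66/67 and identifies itself by vendor class, and a relay that writes its own address into the request, shown at the packet level as an added example (not code from the switch or the guide). The vendor class string, MAC, transaction ID, addresses and the 16-hop limit are constructed assumptions.

```python
import ipaddress
import struct

# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file (236 bytes).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC_COOKIE = bytes([99, 130, 83, 99])
HOPS, GIADDR = 3, slice(24, 28)          # byte offsets inside the header

OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_VENDOR_CLASS, OPT_END = 53, 55, 60, 255
OPT_TFTP_SERVER, OPT_BOOTFILE = 66, 67

def build_discover(mac: bytes, xid: int, vendor_class: bytes) -> bytes:
    """Client DHCPDISCOVER that requests options 66 and 67."""
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), bytes(4),
                         mac.ljust(16, b"\0"), bytes(64), bytes(128))
    options = b"".join([
        bytes([OPT_MSG_TYPE, 1, 1]),                              # DHCPDISCOVER
        bytes([OPT_PARAM_REQ, 2, OPT_TFTP_SERVER, OPT_BOOTFILE]),  # parameter request list
        bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class,
        bytes([OPT_END]),
    ])
    return header + MAGIC_COOKIE + options

def parse_options(packet: bytes) -> dict:
    """Return {option code: value}; reject missing cookie or truncated options."""
    if packet[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, BOOTP_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options

def relay_request(packet: bytes, relay_ip: str, max_hops: int = 16):
    """Relay-side handling of a client request; returns None if dropped.

    The relay address is written only when giaddr is still zero, so the
    server sees the first relay, which is the one on the client's subnet.
    """
    if len(packet) < BOOTP_LEN + 4 or packet[0] != 1:   # only BOOTREQUEST
        return None
    if packet[HOPS] >= max_hops:                          # assumed hop limit
        return None
    out = bytearray(packet)
    out[HOPS] += 1
    if out[GIADDR] == bytes(4):
        out[GIADDR] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(out)

def giaddr(packet: bytes) -> str:
    return str(ipaddress.IPv4Address(packet[GIADDR]))

# Constructed sample request (not captured traffic).
SAMPLE_DISCOVER = build_discover(bytes.fromhex("289f181c8235"), 0x1234ABCD,
                                 b"EXAMPLE-VENDOR-CLASS")

if __name__ == "__main__":
    opts = parse_options(SAMPLE_DISCOVER)
    print("requested options:", list(opts[OPT_PARAM_REQ]))
    print("vendor class     :", opts[OPT_VENDOR_CLASS].decode())
    relayed = relay_request(SAMPLE_DISCOVER, "192.0.2.1")
    print("giaddr after relay:", giaddr(relayed), "hops:", relayed[HOPS])
```

Because the server chooses the address pool from giaddr, a request arriving on an access port with giaddr already set deserves attention when reviewing relay and DHCP snooping logs.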
16 General IP Routing This chapter provides information on network functions including: ◆ Ping – Sends ping message to another node on the network. ◆ Trace – Sends ICMP echo request packets to another node on the network. ◆ Address Resolution Protocol – Describes how to configure ARP aging time, proxy ARP, or static addresses. Also shows how to display dynamic entries in the ARP cache. ◆ Static Routes – Configures static routes to other network segments.
Chapter 16 | General IP Routing IP Routing and Switching Each VLAN represents a virtual interface to Layer 3. You just need to provide the network address for each virtual interface, and the traffic between different subnetworks will be routed by Layer 3 switching.
Chapter 16 | General IP Routing IP Routing and Switching address is not yet known to the switch, an Address Resolution Protocol (ARP) packet with the destination IP address is broadcast to get the destination MAC address from the destination node. The IP packet can then be sent directly with the destination MAC address. If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node.
Chapter 16 | General IP Routing Configuring IP Routing Interfaces Routing Protocols The switch supports both static and dynamic routing. ◆ Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch. ◆ Dynamic routing uses a routing protocol to exchange routing information, calculate routing tables, and respond to changes in the status or loading of the network.
Chapter 16 | General IP Routing Configuring IP Routing Interfaces destinations, i.e., packets that do not match any routing table entry. If another router is designated as the default gateway, then the switch will pass packets to this router for any unknown hosts or subnets. To configure a default gateway for IPv4, use the static routing table as described on page 526, enter 0.0.0.0 for the IP address and subnet mask, and then specify this switch itself or another router as the gateway.
Chapter 16 | General IP Routing Configuring IP Routing Interfaces include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface. Web Interface To ping another device on the network: 1. Click IP, General, Ping. 2. Specify the target device and ping parameters. 3. Click Apply.
Chapter 16 | General IP Routing Configuring IP Routing Interfaces ◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded. ◆ The trace route function first sends probe datagrams with the TTL value set at one. This causes the first router to discard the datagram and return an error message. The trace function then sends several probe messages at each subsequent TTL level and displays the round-trip time for each message.
Address Resolution Protocol
If IP routing is enabled (page 543), the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the router may tie up resources by repeating ARP requests for addresses recently flushed from the table. When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address.

Web Interface
To configure the timeout for the ARP cache:
1. Click IP, ARP.
2.
◆ Static entries are only displayed on the Show page for VLANs that are up. In other words, static entries are only displayed when configured for the IP subnet of an existing VLAN, and that VLAN is linked up.

Parameters
These parameters are displayed:
◆ IP Address – IP address statically mapped to a physical MAC address. (Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
Figure 337: Displaying Static ARP Entries

Displaying Dynamic or Local ARP Entries
The ARP cache contains static entries, and entries for local interfaces, including subnet, host, and broadcast addresses. However, most entries will be dynamically learned through replies to broadcast messages. Use the IP > ARP (Show Information) page to display dynamic or local entries in the ARP cache.

Web Interface
To display all entries in the ARP cache:
1.
Table 42: ARP Statistics (Continued)
Parameter | Description
Sent Request | Number of ARP Request packets sent by the router.
Sent Reply | Number of ARP Reply packets sent by the router.

Web Interface
To display ARP statistics:
1. Click IP, ARP.
2. Select Show Information from the Step List.
3. Click Statistics.
◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used.
◆ Static routes are included in RIP and OSPF updates periodically sent by the router if this feature is enabled (see page 553 or 580 respectively).
To display static routes:
1. Click IP, Routing, Static Routes.
2. Select Show from the Action List.
Figure 341: Displaying Static Routes

Displaying the Routing Table
Use the IP > Routing > Routing Table (Show Information) page to display all routes that can be accessed via local network interfaces, through static routes, or through a dynamically learned route.
Chapter 16 | General IP Routing Equal-cost Multipath Routing Parameters These parameters are displayed: ◆ VLAN – VLAN identifier (i.e., configure as a valid IP subnet). ◆ Destination IP Address – IP address of the destination network, subnetwork, or host. Note that the address 0.0.0.0 indicates the default gateway for this router. ◆ Net Mask / Prefix Length – Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
the traffic forwarded to the destination. ECMP uses either equal-cost multipaths manually configured in the static routing table, or equal-cost multipaths dynamically generated by the Open Shortest Path First (OSPF) algorithm. In other words, it uses either static or OSPF entries, not both. Normal unicast routing simply selects the path to the destination that has the lowest cost.
Chapter 16 | General IP Routing Equal-cost Multipath Routing Web Interface To configure the maximum ECMP number: 1. Click IP, Routing, Routing Table. 2. Select Configure ECMP Number from the Action List. 3. Enter the maximum number of equal-cost paths used to route traffic to the same destination that are permitted on the switch. 4.
18 Unicast Routing This chapter describes how to configure the following unicast routing protocols: RIP – Configures Routing Information Protocol. OSPFv2 – Configures Open Shortest Path First (Version 2) for IPv4. Overview This switch can route unicast traffic to different subnetworks using Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) protocol. It supports RIP, RIP-2 and OSPFv2 dynamic routing in the web management interface.
Configuring the Routing Information Protocol
The RIP protocol is the most widely used routing protocol. The RIP protocol uses a distance-vector-based approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost. Each router broadcasts its advertisement every 30 seconds, together with any updates to its routing table.
Configuring General Protocol Settings
Use the Routing Protocol > RIP > General (Configure) page to configure general settings and the basic timers.

RIP is used to specify how routers exchange routing information. When RIP is enabled on this router, it sends RIP messages to all devices in the network every 30 seconds (by default), and updates its own routing table when RIP messages are received from other routers.
◆ RIP Default Metric – Sets the default metric assigned to external routes imported from other protocols. (Range: 1-15; Default: 1)
The default metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP.
◆ Number of Queries – The number of responses sent to RIP queries from other systems.

Basic Timer Settings
Note: The timers must be set to the same values for all routers in the network.
◆ Update – Sets the rate at which updates are sent. This is the fundamental timer used to control all basic RIP processes.
Figure 355: Configuring General Settings for RIP

Clearing Entries from the Routing Table
Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the routing table based on route type or a specific network address.

Command Usage
◆ RIP must be enabled to activate this menu option.
◆ Clearing “All” types deletes all routes in the RIP table.
◆ Clear Route By Network – Clears a specific route based on its IP address and prefix length.
■ Network IP Address – Deletes all related entries for the specified network address.
■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.

Web Interface
To clear entries from the RIP routing table:
1. Click Routing Protocol, RIP, General.
2.
Parameters
These parameters are displayed:
◆ By Address – Adds a network to the RIP routing process.
■ Subnet Address – IP address of a network directly connected to this router. (Default: No networks are specified)
■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
Figure 358: Showing Network Interfaces Using RIP

Specifying Passive Interfaces
Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface.

Command Usage
◆ Network interfaces can be configured to stop RIP broadcast and multicast messages from being sent.
To show the passive RIP interfaces:
1. Click Routing Protocol, RIP, Passive Interface.
2. Select Show from the Action list.
Figure 361: Specifying a Static RIP Neighbor

To show static RIP neighbors:
1. Click Routing Protocol, RIP, Neighbor Address.
2. Select Show from the Action list.
◆ Metric – Metric assigned to all external routes for the specified protocol. (Range: 0-16; Default: the default metric as described under “Configuring General Protocol Settings” on page 545.)
A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
Chapter 18 | Unicast Routing Configuring the Routing Information Protocol Figure 364: Showing External Routes Redistributed into RIP Specifying an Use the Routing Protocol > RIP > Distance (Add) page to define an administrative Administrative distance for external routes learned from other routing protocols.
Figure 365: Setting the Distance Assigned to External Routes

To show the distance assigned to external routes learned from other routing protocols:
1. Click Routing Protocol, RIP, Distance.
2. Select Show from the Action list.
multicasting as normally required by RIPv2. (Using this mode allows older RIPv2 routers which only receive RIP broadcast messages to receive all of the information provided by RIPv2, including subnet mask, next hop and authentication information. This is the default setting.)
■ Use “Do Not Send” to passively monitor route information advertised by other routers attached to the network.
◆ Send Version – The RIP version to send on an interface.
■ RIPv1: Sends only RIPv1 packets.
■ RIPv2: Sends only RIPv2 packets.
■ RIPv1 Compatible: Route information is broadcast to other routers with RIPv2.
■ Do Not Send: Does not transmit RIP updates. Passively monitors route information advertised by other routers attached to the network.
The default depends on the setting for the Global RIP Version.
◆ Instability Prevention – Specifies the method used to reduce the convergence time when the network topology changes, and to prevent RIP protocol messages from looping back to the source router.
■ Split Horizon – This method never propagates routes back to an interface from which they have been acquired.
Figure 368: Showing RIP Network Interface Settings

Displaying RIP Interface Settings
Use the Routing Protocol > RIP > Statistics (Show Interface Information) page to display information about RIP interface configuration settings.

Parameters
These parameters are displayed:
◆ Interface – Source IP address of RIP router interface.
◆ Auth Type – The type of authentication used for exchanging RIPv2 protocol messages.
Displaying Peer Router Information
Use the Routing Protocol > RIP > Statistics (Show Peer Information) page to display information on neighboring RIP routers.

Parameters
These parameters are displayed:
◆ Peer Address – IP address of a neighboring RIP router.
◆ Update Time – Last time a route update was received from this peer.
◆ Version – Shows whether RIPv1 or RIPv2 packets were received from this peer.
Figure 371: Resetting RIP Statistics

Configuring the Open Shortest Path First Protocol (Version 2)
Open Shortest Path First (OSPF) is more suited for large area networks which experience frequent changes in the links. It also handles subnets much better than RIP.
throughput and connectivity. OSPF utilizes IP multicast to reduce the amount of routing traffic required when sending or receiving routing path updates. The separate routing area scheme used by OSPF further reduces the amount of routing traffic, and thus inherently provides another level of routing protection. In addition, all routing protocol exchanges can be authenticated.
Routers in a normal area may import or export routing information about individual nodes. To reduce the amount of routing traffic flooded onto the network, an area can be configured to export a single summarized route that covers a broad range of network addresses within the area (page 578).
◆ If an address range overlaps other network areas, the router will use the network area with the address range that most closely matches the interface address. Also, note that if a more specific address range is removed from an area, the interface belonging to that range may still remain active if a less specific address range covering that area has been specified.
To show the OSPF areas and the assigned interfaces:
1. Click Routing Protocol, OSPF, Network Area.
2. Select Show from the Action list.

Figure 375: Showing OSPF Network Areas

To show the OSPF process identifiers:
1. Click Routing Protocol, OSPF, Network Area.
2. Select Show Process from the Action list.
compatibility mode to ensure that all routers are using the same RFC for calculating summary route costs. Enable this field to force the router to calculate summary route costs using RFC 1583. (Default: Disabled) When RFC 1583 compatibility is enabled, only cost is used when choosing among multiple AS-external LSAs advertising the same destination.
Default Information
◆ Originate Default Route – Generates a default external route into an autonomous system. Note that the Advertise Default Route field must also be properly configured. (Default: Disabled)
When this feature is used to redistribute routes into a routing domain (that is, an Autonomous System), this router automatically becomes an Autonomous System Boundary Router (ASBR).
Web Interface
To configure general settings for OSPF:
1. Click Routing Protocol, OSPF, System.
2. Select Configure from the Action list.
3. Select a Process ID, and then specify the Router ID and other global attributes as required. For example, by setting the Auto Cost to 10000, the cost of using an interface is set to 10 for Gigabit ports, and 1 for 10 Gigabit ports.
4.
Table 44: OSPF System Information (Continued)
Parameter – Description
Originate LSAs – The number of new link-state advertisements that have been originated.
AS LSA Count – The number of autonomous system LSAs in the link-state database.
External LSA Count – The number of external link-state advertisements in the link-state database.
External LSA Checksum – Checksum of the external link-state advertisement database.
Adding an NSSA or Stub
Use the Routing Protocol > OSPF > Area (Configure Area – Add Area) page to add a not-so-stubby area (NSSA) or a stubby area (Stub).

Command Usage
◆ This router supports up to 5 stubs or NSSAs.

Parameters
These parameters are displayed:
◆ Process ID – Protocol identifier as configured on the Routing Protocol > OSPF > Network Area (Add) page.
To show the NSSA or stubs added to the specified OSPF domain:
1. Click Routing Protocol, OSPF, Area.
2. Select Configure Area from the Step list.
3. Select Show Area from the Action list.
4. Select a Process ID.
Command Usage
◆ Before creating an NSSA, first specify the address range for the area (see “Defining Network Areas Based on Addresses” on page 563). Then create an NSSA as described under “Adding an NSSA or Stub” on page 571.
◆ NSSAs cannot be used as a transit area, and should therefore be placed at the edge of the routing domain.
◆ An NSSA can have multiple ABRs or exit points.
◆ Originate Default Information – When the router is an NSSA Area Border Router (ABR) or an NSSA Autonomous System Boundary Router (ASBR), this option causes it to generate a Type-7 default LSA into the NSSA. This default provides a route to other areas within the AS for an NSSA ABR, or to areas outside the AS for an NSSA ASBR.
Figure 383: Configuring Protocol Settings for an NSSA

Configuring Stub Settings
Use the Routing Protocol > OSPF > Area (Configure Area – Configure Stub Area) page to configure protocol settings for a stub.

A stub does not accept external routing information.
Parameters
These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 563).
◆ Area ID – Identifier for a stub.
◆ Default Cost – Cost for the default summary route sent into a stub from an area border router (ABR).
Figure 385: Configuring Protocol Settings for a Stub

Displaying Information on NSSA and Stub Areas
Use the Routing Protocol > OSPF > Area (Show Information) page to display protocol information on NSSA and Stub areas.

Parameters
These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 563).
◆ Area ID – Identifier for a not-so-stubby area (NSSA) or stub.
Figure 386: Displaying Information on NSSA and Stub Areas

Configuring Area Ranges (Route Summarization for ABRs)
An OSPF area can include a large number of nodes. If the Area Border Router (ABR) has to advertise route information for each of these nodes, this wastes a lot of bandwidth and processor time.
Parameters
These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 563).
◆ Area ID – Identifies an area for which the routes are summarized. The area ID can be in the form of an IPv4 address, or a four-octet unsigned integer ranging from 0-4294967295.
◆ Range Network – Base address for the routes to summarize.
To show the configured route summaries:
1. Click Routing Protocol, OSPF, Area Range.
2. Select Show from the Action list.
3. Select the process ID.
Parameters
These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 563).
◆ Protocol Type – Specifies the external routing protocol type for which routing information is to be redistributed into the local routing domain.
Figure 391: Importing External Routes

To show the imported external route types:
1. Click Routing Protocol, OSPF, Redistribute.
2. Select Show from the Action list.
3. Select the process ID.
imported into the routing table, and then configure one or more summary addresses to reduce the size of the routing table and consolidate these external routes for advertising into the local domain.
◆ To summarize routes sent between OSPF areas, use the Area Range Configuration screen (page 578).
◆ This router supports up to 20 Type-5 summary routes.
Figure 394: Showing Summary Addresses for External Routes

Configuring OSPF Interfaces
You should specify a routing interface for any local subnet that needs to communicate with other network segments located on this router or elsewhere in the network. First configure a VLAN for each subnet that will be directly connected to this router, assign IP interfaces to each VLAN (i.e.
Routes are assigned a metric equal to the sum of all metrics for each interface link in the route.
This router uses a default cost of 1 for all ports. Therefore, if you install a 10 Gigabit module, you need to reset the cost for all of the 1 Gbps ports to a value greater than 1 to reflect the actual interface bandwidth.
◆ Router Priority – Sets the interface priority for this router.
problem, you can use the transmit delay to force the router to wait a specified interval between transmissions.
◆ Retransmit Interval – Sets the time between re-sending link-state advertisements. (Range: 1-65535 seconds; Default: 5 seconds)
A router will resend an LSA to a neighbor if it receives no acknowledgment after the specified retransmit interval.
Normally, only one key is used per interface to generate authentication information for outbound packets and to authenticate incoming packets. Neighbor routers must use the same key identifier and key value. When changing to a new key, the router will send multiple copies of all protocol messages, one with the old key and another with the new key.
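The key-ID lookup and key change described above can be traced in code. This is an added example, not the switch's implementation; it builds and checks OSPFv2 cryptographic authentication as RFC 2328 Appendix D defines it, and the function names, keys, router ID and packet body are constructed for illustration.

```python
import hashlib
import hmac
import struct

# OSPFv2 common header up to AuType (RFC 2328, A.3.1): 16 bytes.
OSPF_HEADER = struct.Struct("!BBH4s4sHH")
# The 8-byte authentication field when AuType = 2 (RFC 2328, D.3):
# zero, key ID, digest length, cryptographic sequence number.
CRYPTO_AUTH = struct.Struct("!HBBI")
AUTYPE_CRYPTOGRAPHIC = 2
MD5_DIGEST_LEN = 16
HEADER_LEN = OSPF_HEADER.size + CRYPTO_AUTH.size  # 24 bytes


def pad_key(key: bytes) -> bytes:
    """The shared secret is used as a 16-byte field, zero-padded on the right."""
    if len(key) > MD5_DIGEST_LEN:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(MD5_DIGEST_LEN, b"\x00")


def sign_packet(body, router_id, area_id, key_id, key, seq, pkt_type=1):
    """Build an OSPF packet and append the MD5 digest computed with `key`."""
    length = HEADER_LEN + len(body)  # the trailing digest is not counted
    header = OSPF_HEADER.pack(2, pkt_type, length, router_id, area_id,
                              0, AUTYPE_CRYPTOGRAPHIC)  # checksum left at 0
    auth = CRYPTO_AUTH.pack(0, key_id, MD5_DIGEST_LEN, seq)
    packet = header + auth + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify_packet(wire, keyring, last_seq):
    """Return (accepted, reason). `keyring` maps key ID -> key for one interface;
    `last_seq` maps router ID -> highest sequence number accepted so far."""
    if len(wire) < HEADER_LEN:
        return False, "short packet"
    _, _, length, router_id, _, _, autype = OSPF_HEADER.unpack_from(wire, 0)
    if autype != AUTYPE_CRYPTOGRAPHIC:
        return False, "not cryptographic authentication"
    _, key_id, auth_len, seq = CRYPTO_AUTH.unpack_from(wire, OSPF_HEADER.size)
    if (auth_len != MD5_DIGEST_LEN or length < HEADER_LEN
            or len(wire) < length + auth_len):
        return False, "bad length"
    key = keyring.get(key_id)
    if key is None:
        return False, "unknown key id"
    expected = hashlib.md5(wire[:length] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, wire[length:length + auth_len]):
        return False, "digest mismatch"
    if seq < last_seq.get(router_id, 0):
        return False, "replayed sequence number"
    last_seq[router_id] = seq
    return True, "ok"


def rollover_demo():
    """During a key change the sender emits one copy per key. A neighbor that
    still holds only the old key accepts exactly one of the two copies."""
    old_key, new_key = b"constructed-old", b"constructed-new"  # sample secrets
    rid, area = bytes([10, 0, 0, 1]), bytes(4)                 # sample IDs
    copies = [sign_packet(b"hello-body", rid, area, 1, old_key, 100),
              sign_packet(b"hello-body", rid, area, 2, new_key, 100)]
    before = [verify_packet(p, {1: old_key}, {}) for p in copies]
    after = [verify_packet(p, {1: old_key, 2: new_key}, {}) for p in copies]
    return before, after


if __name__ == "__main__":
    for stage, results in zip(("neighbor has old key only",
                               "neighbor has both keys"), rollover_demo()):
        print(stage, results)
```

A mismatch in either the key identifier or the key value makes the neighbor drop the packet, which is why both must be changed consistently on every router attached to the interface.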
To configure interface settings for a specific area assigned to a VLAN:
1. Click Routing Protocol, OSPF, Interface.
2. Select Configure by Address from the Action list.
3. Specify the VLAN ID, enter the address assigned to an area, and configure the required interface settings.
4. Click Apply.
Figure 397: Showing OSPF Interfaces

To show the MD5 authentication keys configured for an interface:
1. Click Routing Protocol, OSPF, Interface.
2. Select Show MD5 Key from the Action list.
3. Select the VLAN ID.
Figure 399: OSPF Virtual Link (diagram labels: isolated area, ABR, virtual link, backbone, ABR, normal area)

Virtual links can also be used to create a redundant link between any area and the backbone to help prevent partitioning, or to connect two existing backbone areas into a common backbone.
Web Interface
To create a virtual link:
1. Click Routing Protocol, OSPF, Virtual Link.
2. Select Add from the Action list.
3. Specify the process ID, the Area ID, and Neighbor router ID.
4. Click Apply.

Figure 400: Adding a Virtual Link

To show virtual links:
1. Click Routing Protocol, OSPF, Virtual Link.
2. Select Show from the Action list.
3. Select the process ID.
4. Click Apply.

Figure 402: Configuring Detailed Settings for a Virtual Link

To show the MD5 authentication keys configured for a virtual link:
1. Click Routing Protocol, OSPF, Interface.
2. Select Show MD5 Key from the Action list.
3. Select the VLAN ID.
You can show information about different LSAs stored in this router’s database, which may include any of the following types:
◆ Router (Type 1) – All routers in an OSPF area originate Router LSAs that describe the state and cost of their active interfaces and neighbors.
◆ Sequence – Sequence number of LSA (used to detect older duplicate LSAs).
◆ Checksum – Checksum of the complete contents of the LSA.

Web Interface
To display information in the link state database:
1. Click Routing Protocol, OSPF, Information.
2. Click LSDB.
3. Select the process identifier.
4.
Displaying Information on Neighboring Routers
Use the Routing Protocol > OSPF > Information (Neighbor) page to display information about neighboring routers on each interface.

Parameters
These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 563).
◆ ID – Neighbor’s router ID.
◆ Priority – Neighbor’s router priority.
Figure 405: Displaying Neighbor Routers Stored in the Link State Database

Specifying Passive Interfaces
Use the Routing Protocol > OSPF > Passive Interface (Add) page to stop OSPF from sending routing updates on the specified interface.

Command Usage
You can configure an OSPF interface as passive to prevent OSPF routing traffic from exiting or entering that interface.
Figure 406: Specifying a Passive OSPF Interface

To show the passive OSPF interfaces:
1. Click Routing Protocol, OSPF, Passive Interface.
2. Select Show from the Action list.
19 Multicast Routing

This chapter describes the following multicast routing topics:
◆ Enabling Multicast Routing Globally – Describes how to globally enable multicast routing.
◆ Displaying the Multicast Routing Table – Describes how to display the multicast routing table.
◆ Configuring PIM for IPv4 – Describes how to configure PIM-DM and PIM-SM for IPv4.
◆ Configuring PIMv6 for IPv6 – Describes how to configure PIM-DM and PIM-SM (Version 6) for IPv6.
Overview
but uses information from the router’s unicast routing table, instead of maintaining its own multicast routing table, making it routing protocol independent.

PIM-DM is a simple multicast routing protocol that uses flood and prune to build a source-routed multicast delivery tree for each multicast source-group pair.
advertising itself as a BSR candidate. Eventually, only the router with the highest BSR priority will continue sending bootstrap messages.

Rendezvous Point (RP) – A router may periodically send PIMv2 messages to the BSR advertising itself as a candidate RP for specified group addresses. The BSR places information about all of the candidate RPs in subsequent bootstrap messages.
register-stop message, it stops sending register messages to the RP. If there are no other sources using the shared tree, it is also torn down. Setting up the SPT requires more memory than when using the shared tree, but can significantly reduce group join and data transmission delays. The switch can also be configured to use SPT only for specific multicast groups, or to disable the change over to SPT for specific groups.
Web Interface (IPv6)
To enable IPv6 multicast routing:
1. Click Multicast, IPv6 Multicast Routing, General.
2. Enable Multicast Forwarding Status.
3. Click Apply.
case, any VLAN receiving register packets will be converted into the register interface.
◆ Owner – The associated multicast protocol (PIM-DM, PIM-SM, IGMP Proxy for PIMv4, MLD Proxy for PIMv6).
◆ Flags – The flags associated with each routing entry indicate:
■ Forward – Traffic received from the upstream interface is being forwarded to this interface.
■ Local – This is the outgoing interface.
■ SPT-bit set – Multicast packets have been received from a source on the shortest path tree.
■ Join SPT – The rate of traffic arriving over the shared tree has exceeded the SPT-threshold for this group. If the SPT flag is set for (*,G) entries, the next (S,G) packet received will cause the router to join the shortest path tree. If the SPT flag is set for (S,G), the router immediately joins the shortest path tree.
4. Select a Source Address.

Figure 411: Displaying Detailed Entries from IPv4 Multicast Routing Table

Web Interface (IPv6)
To display the multicast routing table:
1. Click Multicast, IPv6 Multicast Routing, Information.
2. Select Show Summary from the Action List.

Figure 412: Displaying the IPv6 Multicast Routing Table

To display detailed information on a specific flow in the multicast routing table:
1.
Figure 413: Displaying Detailed Entries from IPv6 Multicast Routing Table

Configuring PIM for IPv4
This section describes how to configure PIM-DM and PIM-SM for IPv4.

Enabling PIM Globally
Use the Routing Protocol > PIM > General page to enable IPv4 PIM routing globally on the router.

Command Usage
◆ This feature enables PIM-DM and PIM-SM globally for the router.
Figure 414: Enabling PIM Multicast Routing

Configuring PIM Interface Settings
Use the Routing Protocol > PIM > Interface page to configure the routing protocol’s functional attributes for each interface.

Command Usage
◆ Most of the attributes on this page are common to both PIM-DM and PIM-SM. Select Dense or Sparse Mode to display the common attributes, as well as those applicable to the selected mode.
Parameters
These parameters are displayed:

Common Attributes
◆ VLAN – Layer 3 VLAN interface. (Range: 1-4094)
◆ Mode – PIM routing mode. (Options: Dense, Sparse, None)
◆ IP Address – Primary IP address assigned to the selected VLAN.
◆ Hello Holdtime – Sets the interval to wait for hello messages from a neighboring PIM router before declaring it dead.
◆ LAN Prune Delay – Causes this device to inform downstream routers of how long it will wait before pruning a flow after receiving a prune request. (Default: Disabled)
When other downstream routers on the same VLAN are notified that this upstream router has received a prune request, they must send a Join to override the prune before the prune delay expires if they want to continue receiving the flow.
Dense-Mode Attributes
◆ Graft Retry Interval – The time to wait for a Graft acknowledgement before resending a Graft message. (Range: 1-10 seconds; Default: 3 seconds)
A graft message is sent by a router to cancel a prune state. When a router receives a graft message, it must respond with a graft acknowledgement message.
Use the same join/prune message interval on all PIM-SM routers in the same PIM-SM domain, otherwise the routing protocol’s performance will be adversely affected.
The multicast interface that first receives a multicast stream from a particular source forwards this traffic only to those interfaces on the router that have requests to join this group.
Figure 416: Configuring PIM Interface Settings (Sparse Mode)

Displaying PIM Neighbor Information
Use the Routing Protocol > PIM > Neighbor page to display all neighboring PIM routers.

Parameters
These parameters are displayed:
◆ Address – IP address of the next-hop router.
◆ VLAN – VLAN that is attached to this neighbor.
◆ Uptime – The duration this entry has been active.
◆ Expire – The time before this entry will be removed.
Configuring Global PIM-SM Settings
Use the Routing Protocol > PIM > PIM-SM (Configure Global) page to configure the rate at which register messages are sent, the source of register messages, and switch over to the Shortest Path Tree (SPT).

Parameters
These parameters are displayed:
◆ Register Rate Limit – Configures the rate at which register messages are sent by the Designated Router (DR) for each (source, group) entry.
Web Interface
To configure global settings for PIM-SM:
1. Click Multicast, Multicast Routing, SM.
2. Select Configure Global from the Step list.
3. Set the register rate limit and source of register messages if required. Also specify any multicast groups which must be routed across the shared tree, instead of switching over to the SPT.
4. Click Apply.
Parameters
These parameters are displayed:
◆ BSR Candidate Status – Configures the switch as a Bootstrap Router (BSR) candidate. (Default: Disabled)
◆ VLAN ID – Identifier of configured VLAN interface. (Range: 1-4094)
◆ Hash Mask Length – Hash mask length (in bits) used for RP selection (see “Configuring a PIM Static Rendezvous Point” on page 617 and “Configuring a PIM RP Candidate” on page 618).
Configuring a PIM Static Rendezvous Point
Use the Routing Protocol > PIM > PIM-SM (RP Address) page to configure a static address as the Rendezvous Point (RP) for a particular multicast group.

Command Usage
◆ The router will act as an RP for all multicast groups in the local PIM-SM domain if no groups are specified. A static RP can either be configured for the whole multicast group range 224/4, or for specific group ranges.
Figure 420: Configuring a PIM Static Rendezvous Point

To display static rendezvous points:
1. Click Routing Protocol, PIM, SM.
2. Select RP Address from the Step list.
3. Select Show from the Action list.
■ Select those with the highest priority (lowest priority value).
■ Compute hash value based on the group address, RP address, priority, and hash mask included in the bootstrap messages.
■ If there is a tie, use the candidate RP with the highest IP address.
◆ This distributed election process provides faster convergence and minimal disruption when an RP fails. It also serves to provide load balancing by distributing groups across multiple RPs.
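The election steps above can be reproduced offline to predict which RP a group should map to and to compare the result with the Show RP Mapping page. This is an added example, not the switch's code: it assumes the hash function that RFC 4601 defines for PIM-SM and RFC 4601's longest group-range match ahead of the priority comparison, neither of which this page states; CandidateRP, rp_hash, elect_rp and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CandidateRP:
    address: str      # RP address carried in the bootstrap message
    group_range: str  # group prefix the candidate offers to serve
    priority: int     # lower value means higher priority


def rp_hash(group: str, rp_address: str, hash_mask_len: int) -> int:
    """Hash from RFC 4601 section 4.7.2 (assumed, not stated on this page):
    (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31."""
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(rp_address))
    # Hash mask: the top hash_mask_len bits of the group address are kept.
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    inner = (1103515245 * (g & mask) + 12345) ^ c
    return (1103515245 * inner + 12345) % (1 << 31)


def elect_rp(group: str, candidates, hash_mask_len: int):
    """Return the address of the RP every router should pick for `group`,
    or None when no candidate's group range covers it."""
    g = ipaddress.IPv4Address(group)
    covering = [(ipaddress.IPv4Network(c.group_range), c) for c in candidates]
    covering = [(net, c) for net, c in covering if g in net]
    if not covering:
        return None
    # Assumed step from RFC 4601: prefer the most specific group range.
    longest = max(net.prefixlen for net, _ in covering)
    pool = [c for net, c in covering if net.prefixlen == longest]
    # Highest priority, which is the lowest priority value.
    best = min(c.priority for c in pool)
    pool = [c for c in pool if c.priority == best]
    # Highest hash value wins; a tie goes to the highest IP address.
    winner = max(pool, key=lambda c: (rp_hash(group, c.address, hash_mask_len),
                                      int(ipaddress.IPv4Address(c.address))))
    return winner.address


def rp_mapping(groups, candidates, hash_mask_len: int):
    """Group -> elected RP, for comparison with the switch's RP mapping."""
    return {g: elect_rp(g, candidates, hash_mask_len) for g in groups}


if __name__ == "__main__":
    # Constructed candidate set: two equal-priority RPs and one backup.
    sample = [CandidateRP("10.0.0.1", "224.0.0.0/4", 10),
              CandidateRP("10.0.0.2", "224.0.0.0/4", 10),
              CandidateRP("10.0.0.3", "224.0.0.0/4", 20)]
    groups = ["239.1.1.%d" % i for i in range(0, 16, 4)]
    for grp, rp in rp_mapping(groups, sample, 30).items():
        print(grp, "->", rp)
```

With a hash mask length of 30, each block of four consecutive group addresses hashes identically, so the block stays on one RP while different blocks spread across the equal-priority candidates.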
Figure 422: Configuring a PIM RP Candidate

To display settings for an RP candidate:
1. Click Routing Protocol, PIM, SM.
2. Select RP Candidate from the Step list.
3. Select Show from the Action list.
4. Select an interface from the VLAN list.
◆ Hash Mask Length – The number of significant bits used in the multicast group comparison mask by this BSR candidate.
◆ Expire – The time before the BSR is declared down.
◆ Role – Candidate or non-candidate BSR.
◆ State – Operation state of BSR includes:
■ No information – No information is stored for this device.
Figure 424: Showing Information About the PIM BSR

Displaying PIM RP Mapping
Use the Routing Protocol > PIM > PIM-SM (Show Information – Show RP Mapping) page to display active RPs and associated multicast routing entries.

Parameters
These parameters are displayed:
◆ Groups – A multicast group address.
◆ RP Address – IP address of the RP for the listed multicast group.
Figure 425: Showing PIM RP Mapping

Configuring PIMv6 for IPv6

This section describes how to configure PIM-DM and PIM-SM for IPv6.

Enabling PIMv6 Globally

Use the Routing Protocol > PIM6 > General page to enable IPv6 PIM routing globally on the router.

Command Usage
◆ This feature enables PIM-DM and PIM-SM for IPv6 globally on the router.
Configuring PIMv6 Interface Settings

Use the Routing Protocol > PIM6 > Interface page to configure the routing protocol’s functional attributes for each interface.

Command Usage
◆ Most of the attributes on this page are common to both PIM6-DM and PIM6-SM. Select Dense or Sparse Mode to display the common attributes, as well as those applicable to the selected mode.
Parameters
These parameters are displayed:

Common Attributes
◆ VLAN – Layer 3 VLAN interface. (Range: 1-4094)
◆ Mode – PIMv6 routing mode. (Options: Dense, None)
The routing mode must first be set to None, before changing between Dense and Sparse modes.
◆ IPv6 Address – IPv6 link-local address assigned to the selected VLAN.
◆ Hello Holdtime – Sets the interval to wait for hello messages from a neighboring PIM router before declaring it dead.
maintains both the current join state and the pending RPT prune state for this (source, group) pair until the join/prune interval timer expires.
◆ LAN Prune Delay – Causes this device to inform downstream routers of how long it will wait before pruning a flow after receiving a prune request.
Dense-Mode Attributes
◆ Graft Retry Interval – The time to wait for a Graft acknowledgement before resending a Graft message. (Range: 1-10 seconds; Default: 3 seconds)
A graft message is sent by a router to cancel a prune state. When a router receives a graft message, it must respond with a graft acknowledgement message.
Use the same join/prune message interval on all PIM-SM routers in the same PIM-SM domain, otherwise the routing protocol’s performance will be adversely affected.
The multicast interface that first receives a multicast stream from a particular source forwards this traffic only to those interfaces on the router that have requests to join this group.
Figure 428: Configuring PIMv6 Interface Settings (Sparse Mode)

Displaying PIM6 Neighbor Information

Use the Routing Protocol > PIM6 > Neighbor page to display all neighboring PIMv6 routers.

Parameters
These parameters are displayed:
◆ Address – IP address of the next-hop router.
◆ VLAN – VLAN that is attached to this neighbor.
◆ Uptime – The duration this entry has been active.
◆ Expire – The time before this entry will be removed.
Web Interface
To display neighboring PIMv6 routers:
1. Click Routing Protocol, PIM6, Neighbor.

Figure 429: Showing PIMv6 Neighbors

Configuring Global PIM6-SM Settings

Use the Routing Protocol > PIM6 > PIM6-SM (Configure Global) page to configure the rate at which register messages are sent, the source of register messages, and switch over to the Shortest Path Tree (SPT).
tree. Note that when the SPT threshold is not set by this command, the PIM leaf router will join the shortest path tree immediately after receiving the first packet from a new source. Enable the SPT threshold to force the router to use the shared tree for all multicast groups, or just for the specified multicast groups.
◆ Group Address – An IPv6 multicast group address.
it accepts the bootstrap message and forwards it. Otherwise, it drops the message.
◆ This router will continue to be the BSR until it receives a bootstrap message from another candidate with a higher priority (or a higher IP address if the priorities are the same).
◆ To improve failover recovery, it is advisable to select at least two core routers in diverse locations, each to serve as both a candidate BSR and candidate RP.
Figure 431: Configuring a PIM6-SM BSR Candidate

Configuring a PIM6 Static Rendezvous Point

Use the Routing Protocol > PIM6 > PIM6-SM (RP Address) page to configure a static address as the Rendezvous Point (RP) for a particular multicast group.

Command Usage
◆ The router will act as an RP for all multicast groups in the local PIM6-SM domain if no groups are specified.
◆ Group Prefix Length – An IPv6 network prefix length for a multicast group. (Range: 8-128)

Web Interface
To configure a static rendezvous point:
1. Click Routing Protocol, PIM6, SM.
2. Select RP Address from the Step list.
3. Specify the static RP to use for a multicast group, or a range of groups by using a subnet mask.
4. Click Apply.

Figure 432: Configuring a PIM6 Static Rendezvous Point

To display static rendezvous points:
1.
Configuring a PIM6 RP Candidate

Use the Routing Protocol > PIM6 > PIM6-SM (RP Candidate) page to configure the switch to advertise itself as a Rendezvous Point (RP) candidate to the bootstrap router (BSR).

Command Usage
◆ When this router is configured as an RP candidate, it periodically sends PIMv2 messages to the BSR advertising itself as a candidate RP for the specified group addresses.
◆ Group Address – An IP multicast group address. If not defined, the RP is advertised for all multicast groups.
◆ Group Prefix Length – Subnet mask that is used for the group address. (Range: 8-128)

Web Interface
To advertise the switch as an RP candidate:
1. Click Routing Protocol, PIM6, SM.
2. Select RP Candidate from the Step list.
3.
Figure 435: Showing Settings for a PIM6 RP Candidate

Displaying the PIM6 BSR Router

Use the Routing Protocol > PIM6 > PIM6-SM (Show Information – Show BSR Router) page to display information about the bootstrap router (BSR).

Parameters
These parameters are displayed:
◆ IP Address – IP address of interface configured as the BSR.
◆ Uptime – The time this BSR has been up and running.
◆ Priority – Priority value used by this BSR candidate.
■ Elected BSR – Elected to serve as BSR.

Web Interface
To display information about the BSR:
1. Click Routing Protocol, PIM6, SM.
2. Select Show Information from the Step list.
3. Select Show BSR Router from the Action list.

Figure 436: Showing Information About the PIM6 BSR

Displaying RP Mapping

Use the Routing Protocol > PIM6 > PIM6-SM (Show Information – Show RP Mapping) page to display active RPs and associated multicast routing entries.
Web Interface
To display the RPs mapped to multicast groups:
1. Click Routing Protocol, PIM6, SM.
2. Select Show Information from the Step list.
3. Select Show RP Mapping from the Action list.
Section III
Appendices

This section provides additional information and includes these items:
◆ “Software Specifications”
◆ “Troubleshooting”
◆ “License Information”
A Software Specifications

Software Features

Management Authentication: Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter

Client Access Control: Access Control Lists (2048 rules), Port Authentication (802.1X), MAC Authentication, Port Security, DHCP Snooping, IP Source Guard

Port Configuration:
1000BASE-SX/LX - 1000 Mbps full duplex (SFP)
10GBASE-CR/SR/LR/LRM - 10 Gbps full duplex (SFP+)
40GBASET-CR4 - 40 Gbps full duplex (QSFP+)

Flow Control: Full Duplex: IEEE 802.
VLAN Support: Up to 4094 groups; port-based, tagged (802.
Software Loading: HTTP, FTP or TFTP in-band, or XModem out-of-band

SNMP: Management access via MIB database; Trap management to specified hosts

RMON: Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)

Standards

BGPv4 (RFC 4271)
IEEE 802.1AB Link Layer Discovery Protocol
IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities
Spanning Tree Protocol
Rapid Spanning Tree Protocol
Multiple Spanning Tree Protocol
IEEE 802.1p Priority tags
IEEE 802.
PIM-DM (RFC 3973)
RADIUS+ (RFC 2618)
RIPv1 (RFC 1058)
RIPv2 (RFC 2453)
RIPv2, extension (RFC 1724)
RMON (RFC 2819 groups 1,2,3,9)
SNMP (RFC 1157)
SNMPv2c (RFC 1901, 2571)
SNMPv3 (RFC DRAFT 2273, 2576, 3410, 3411, 3413, 3414, 3415)
SNTP (RFC 2030)
SSH (Version 2.
Management Information Bases

Power Ethernet MIB (RFC 3621)
Private MIB
Q-Bridge MIB (RFC 2674Q)
QinQ Tunneling (IEEE 802.
B Troubleshooting

Problems Accessing the Management Interface

Table 45: Troubleshooting Chart

Symptom: Cannot connect using a web browser
Action:
◆ Be sure the switch is powered on.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.

Symptom: Cannot access the onboard configuration program via a serial port connection

Symptom: Forgot or lost the password
Using System Logs

If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C License Information

This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
The GNU General Public License

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary

ACL
Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

ARP
Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DNS
Domain Name Service. A system used for translating host names for network nodes into IP addresses.

DSCP
Differentiated Services Code Point Service. DSCP uses a six-bit tag to provide for up to 64 different forwarding behaviors. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP bits are mapped to the Class of Service categories, and then into the output queues.

EAPOL
Extensible Authentication Protocol over LAN.
IEEE 802.1D
Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.

IEEE 802.1Q
VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.

IEEE 802.1p
An IEEE standard for providing quality of service (QoS) in Ethernet networks.
IGMP Snooping
Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.

In-Band Management
Management of the network from a station attached directly to the network.

IP Multicast Filtering
A process whereby this switch can pass multicast traffic along to participating hosts.
MRD
Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.

MSTP
Multiple Spanning Tree Protocol can provide an independent spanning tree for different VLANs.
QinQ
QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks. It is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.

QoS
Quality of Service. QoS refers to the capability of a network to provide better service to selected traffic flows using features such as data prioritization, queuing, congestion avoidance and traffic shaping.
STA
Spanning Tree Algorithm is a technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.

TACACS+
Terminal Access Controller Access Control System Plus. TACACS+ is a logon authentication protocol that uses software running on a central server to control access to TACACS-compliant devices on the network.
AOS5700-54X AOS6700-32X E122015/ST-R02