ECS2110-26T 26-Port Web-smart Pro 10G Ethernet Switch ECS2100-52T 52-Port Web-smart Pro Gigabit Ethernet Switch Web Management Guide Software Release v1.2.71.204 www.edge-core.
Web Management Guide ECS2110-26T Gigabit Ethernet Switch Web-smart Pro Gigabit Ethernet Switch with 24 10/100/1000BASE-T (RJ-45) Ports and 2 10G SFP Ports ECS2100-52T Gigabit Ethernet Switch Web-smart Pro Gigabit Ethernet Switch with 48 10/100/1000BASE-T (RJ-45) Ports and 4 Gigabit SFP Ports E012021-CS-R05
How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features. Who Should Read this Guide? This guide is for network administrators who are responsible for operating and maintaining network equipment.
How to Use This Guide For information on how to install the switch, see the following guide: Installation Guide For all safety information and regulatory statements, see the following documents: Quick Start Guide Safety and Regulatory Information Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions.
Contents How to Use This Guide 3 Contents 5 Figures 15 Tables 27 Section I Getting Started 29 1 Introduction 31 Key Features 31 Description of Software Features 32 Address Resolution Protocol 36 System Defaults 37 Section II Web Configuration 41 2 Using the Web Interface 43 Connecting to the Web Interface 43 Navigating the Web Browser Interface 44 Dashboard 44 Configuration Options 46 Panel Display 46 Main Menu 47 3 Basic Management Tasks 63 Displaying System Informa
Contents Managing System Files 68 Copying Files via FTP/SFTP/TFTP or HTTP 68 Saving the Running Configuration to a Local File 71 Setting the Start-up File 72 Showing System Files 72 Automatic Operation Code Upgrade 73 Setting the System Clock 77 Setting the Time Manually 77 Setting the SNTP Polling Interval 78 Configuring NTP 79 Configuring Time Servers 80 Setting the Time Zone 84 Configuring Summer Time 85 Configuring the Console Port 87 Configuring Telnet Settings 89 Display
Contents Displaying LACP Settings and Status for the Local Side 128 Displaying LACP Settings and Status for the Remote Side 130 Configuring Load Balancing 131 Saving Power 133 Configuring Local Port Mirroring 134 Configuring Remote Port Mirroring 136 Sampling Traffic Flows 140 Configuring sFlow Receiver Settings 141 Configuring an sFlow Polling Instance 143 Traffic Segmentation 145 Enabling Traffic Segmentation 145 Configuring Uplink and Downlink Ports 146 5 VLAN Configuration 149
Contents Configuring Loopback Detection 185 Configuring Global Settings for STA 187 Displaying Global Settings for STA 192 Configuring Interface Settings for STA 193 Displaying Interface Settings for STA 198 Configuring Multiple Spanning Trees 201 Configuring Interface Settings for MSTP 205 8 Congestion Control 207 Rate Limiting 207 Storm Control 208 9 Class of Service 211 Layer 2 Queue Settings 211 Setting the Default Priority for Interfaces 211 Selecting the Queue Mode 212 Lay
Contents Configuring AAA Accounting 245 Configuring AAA Authorization 251 Configuring User Accounts 255 Web Authentication 257 Configuring Global Settings for Web Authentication 257 Configuring Interface Settings for Web Authentication 258 Network Access (MAC Address Authentication) 259 Configuring Global Settings for Network Access 262 Configuring Network Access for Ports 263 Configuring a MAC Address Filter 265 Displaying Secure MAC Address Information 266 Configuring HTTPS 268 Co
Contents DoS Protection 309 DHCP Snooping 311 DHCP Snooping Global Configuration 314 DHCP Snooping VLAN Configuration 316 Configuring Ports for DHCP Snooping 317 Displaying DHCP Snooping Binding Information 318 IPv4 Source Guard 319 Configuring Ports for IPv4 Source Guard 319 Configuring Static Bindings for IPv4 Source Guard 321 Displaying Information for Dynamic IPv4 Source Guard Bindings 324 ARP Inspection 325 Configuring Global Settings for ARP Inspection 326 Configuring VLAN Set
Contents Setting Community Access Strings 377 Configuring Local SNMPv3 Users 378 Configuring Remote SNMPv3 Users 381 Specifying Trap Managers 384 Creating SNMP Notification Logs 388 Showing SNMP Statistics 390 Remote Monitoring 392 Configuring RMON Alarms 392 Configuring RMON Events 395 Configuring RMON History Samples 397 Configuring RMON Statistical Samples 400 Switch Clustering 402 Configuring General Settings for Clusters 403 Cluster Member Configuration 404 Managing Cluster
Contents Filtering and Throttling IGMP Groups 440 Enabling IGMP Filtering and Throttling 440 Configuring IGMP Filter Profiles 441 Configuring IGMP Filtering and Throttling for Interfaces 443 MLD Snooping (Snooping and Query for IPv6) 445 Configuring MLD Snooping and Query Parameters 445 Setting Immediate Leave Status for MLD Snooping per Interface 447 Specifying Static Interfaces for an IPv6 Multicast Router 448 Assigning Interfaces to IPv6 Multicast Services 450 Showing MLD Snooping Grou
Contents Showing the MTU for Responding Destinations 500 17 General IP Routing 501 Overview 501 Initial Configuration 501 IP Routing and Switching 502 Routing Path Management 503 Routing Protocols 503 Configuring Static Routes 504 Displaying the Routing Table 505 18 Unicast Routing 507 Overview 507 Configuring the Routing Information Protocol 508 Configuring General Protocol Settings 509 Clearing Entries from the Routing Table 512 Specifying Network Interfaces 513 Specifying P
Contents Configuring DHCP Relay Service 536 Enabling DHCP Dynamic Provision 538 Section III Appendices 539 A Software Specifications 541 Software Features 541 Management Features 542 Standards 543 Management Information Bases 543 B Troubleshooting 545 Problems Accessing the Management Interface 545 Using System Logs 546 C License Information 547 The GNU General Public License 547 Glossary 551 Index 559
Figures Figure 1: Dashboard 45 Figure 2: System Information 64 Figure 3: General Switch Information 66 Figure 4: Configuring Support for Jumbo Frames 67 Figure 5: Displaying Bridge Extension Configuration 68 Figure 6: Copy Firmware 70 Figure 7: Saving the Running Configuration 71 Figure 8: Setting Start-Up Files 72 Figure 9: Displaying System Files 73 Figure 10: Configuring Automatic Code Upgrade 76 Figure 11: Manually Setting the System Clock 78 Figure 12: Setting the Polling Interva
Figures Figure 30: Configuring the Switch for Cloud Management 97 Figure 31: Configuring Connections by Port List 102 Figure 32: Configuring Connections by Port Range 103 Figure 33: Displaying Port Information 104 Figure 34: Showing Port Statistics (Table) 107 Figure 35: Showing Port Statistics (Chart) 108 Figure 36: Configuring a History Sample 110 Figure 37: Showing Entries for History Sampling 110 Figure 38: Showing Status of Statistical History Sample 111 Figure 39: Showing Current St
Figures Figure 65: Configuring Remote Port Mirroring (Source) 139 Figure 66: Configuring Remote Port Mirroring (Intermediate) 140 Figure 67: Configuring Remote Port Mirroring (Destination) 140 Figure 68: Configuring an sFlow Receiver 142 Figure 69: Showing sFlow Receivers 143 Figure 70: Configuring an sFlow Instance 144 Figure 71: Showing sFlow Instances 144 Figure 72: Enabling Traffic Segmentation 146 Figure 73: Configuring Members for Traffic Segmentation 147 Figure 74: Showing Traffic
Figures Figure 100: Issuing MAC Address Traps (Interface Configuration) 181 Figure 101: STP Root Ports and Designated Ports 184 Figure 102: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree 184 Figure 103: Spanning Tree – Common Internal, Common, Internal 185 Figure 104: Configuring Port Loopback Detection 187 Figure 105: Configuring Global Settings for STA (STP) 191 Figure 106: Configuring Global Settings for STA (RSTP) 191 Figure 107: Configuring Global Settings for STA (MSTP) 19
Figures Figure 135: Showing Policy Maps 227 Figure 136: Adding Rules to a Policy Map 228 Figure 137: Showing the Rules for a Policy Map 228 Figure 138: Attaching a Policy Map to a Port 229 Figure 139: Configuring a Voice VLAN 233 Figure 140: Configuring an OUI Telephony List 234 Figure 141: Showing an OUI Telephony List 234 Figure 142: Configuring Port Settings for a Voice VLAN 236 Figure 143: Configuring the Authentication Sequence 240 Figure 144: Authentication Server Operation 240 Fi
Figures Figure 170: Configuring HTTPS 270 Figure 171: Downloading the Secure-Site Certificate 271 Figure 172: Configuring the SSH Server 275 Figure 173: Generating the SSH Host Key Pair 276 Figure 174: Showing the SSH Host Key Pair 276 Figure 175: Copying the SSH User’s Public Key 277 Figure 176: Showing the SSH User’s Public Key 278 Figure 177: Showing TCAM Utilization 281 Figure 178: Creating an ACL 282 Figure 179: Showing a List of ACLs 283 Figure 180: Configuring a Standard IPv4 ACL
Figures Figure 205: Configuring VLAN Settings for ARP Inspection 329 Figure 206: Configuring Interface Settings for ARP Inspection 330 Figure 207: Displaying Statistics for ARP Inspection 332 Figure 208: Displaying the ARP Inspection Log 333 Figure 209: Configuring Settings for System Memory Logs 337 Figure 210: Showing Error Messages Logged to System Memory 338 Figure 211: Configuring Settings for Remote Logging of Error Messages 339 Figure 212: Configuring SMTP Alert Messages 340 Figure 2
Figures Figure 240: Configuring Remote SNMPv3 Users 383 Figure 241: Showing Remote SNMPv3 Users 383 Figure 242: Configuring Trap Managers (SNMPv1) 387 Figure 243: Configuring Trap Managers (SNMPv2c) 387 Figure 244: Configuring Trap Managers (SNMPv3) 387 Figure 245: Showing Trap Managers 388 Figure 246: Creating SNMP Notification Logs 389 Figure 247: Showing SNMP Notification Logs 390 Figure 248: Showing SNMP Statistics 391 Figure 249: Configuring an RMON Alarm 394 Figure 250: Showing Co
Figures Figure 275: Configuring General Settings for IGMP Snooping 423 Figure 276: Configuring a Static Interface for a Multicast Router 425 Figure 277: Showing Static Interfaces Attached a Multicast Router 425 Figure 278: Showing Current Interfaces Attached a Multicast Router 426 Figure 279: Assigning an Interface to a Multicast Service 427 Figure 280: Showing Static Interfaces Assigned to a Multicast Service 428 Figure 281: Configuring IGMP Snooping on a VLAN 433 Figure 282: Showing Interfa
Figures Figure 310: Creating an MLD Filtering Profile 463 Figure 311: Showing the MLD Filtering Profiles Created 464 Figure 312: Adding Multicast Groups to an MLD Filtering Profile 464 Figure 313: Showing the Groups Assigned to an MLD Filtering Profile 465 Figure 314: Configuring MLD Filtering and Throttling Interface Settings 466 Figure 315: Dropping MLD Query Packets 467 Figure 316: Pinging a Network Device 470 Figure 317: Tracing the Route to a Network Device 472 Figure 318: Proxy ARP 4
Figures Figure 345: Specifying a Passive RIP Interface 516 Figure 346: Showing Passive RIP Interfaces 516 Figure 347: Specifying a Static RIP Neighbor 517 Figure 348: Showing Static RIP Neighbors 517 Figure 349: Redistributing External Routes into RIP 518 Figure 350: Showing External Routes Redistributed into RIP 518 Figure 351: Setting the Distance Assigned to External Routes 519 Figure 352: Showing the Distance Assigned to External Routes 520 Figure 353: Configuring a Network Interface fo
Tables Table 1: Key Features 31 Table 2: System Defaults 37 Table 3: Web Page Configuration Buttons 46 Table 4: Switch Main Menu 47 Table 5: Predefined Summer-Time Parameters 86 Table 6: Port Statistics 104 Table 7: LACP Port Counters 127 Table 8: LACP Internal Configuration Information 128 Table 9: LACP Remote Device Configuration Information 130 Table 10: Traffic Segmentation Forwarding 146 Table 11: Recommended STA Path Cost Range 194 Table 12: Default STA Path Costs 194 Table 13
Tables Table 30: Show IPv6 Neighbors - display description 493 Table 31: Show IPv6 Statistics - display description 495 Table 32: Show MTU - display description 500 Table 33: Options 60, 66 and 67 Statements 535 Table 34: Options 55 and 124 Statements 535 Table 35: Troubleshooting Chart 545
Section I Getting Started This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 Introduction This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Chapter 1 | Introduction Description of Software Features Table 1: Key Features (Continued) Feature Description Address Table 16K MAC addresses in the forwarding table (shared with L2 unicast, L2 multicast, IPv4 multicast, IPv6 multicast); 1K static MAC addresses; 511 L2 IPv4 multicast groups (shared with MAC address table); 56 entries in host table (8 static ARP + 48 dynamic ARP); 64 entries in route table (net table); 8 IP interfaces IP Version 4 and 6 Supports IPv4 and IPv6 addressing
Chapter 1 | Introduction Description of Software Features Authentication This switch authenticates management access via the console port, Telnet, or a web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.
Chapter 1 | Introduction Description of Software Features Storm Control Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of traffic passing through the port is restricted. If traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold. Static MAC Addresses A static address can be assigned to a specific interface on this switch.
Chapter 1 | Introduction Description of Software Features STP-compliant mode if they detect STP protocol messages from attached devices. ◆ Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs.
Chapter 1 | Introduction Description of Software Features bits in the IP frame’s Type of Service (ToS) octet using DSCP, or IP Precedence. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic is then sent to the corresponding output queue. Quality of Service Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis.
Chapter 1 | Introduction System Defaults Multicast Filtering Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query for IPv4, and MLD Snooping and Query for IPv6 to manage multicast group registration.
Chapter 1 | Introduction System Defaults Table 2: System Defaults (Continued) Function Parameter Default Authentication and Security Measures Privileged Exec Level Username “admin” Password “admin” Normal Exec Level Username “guest” Password “guest” Enable Privileged Exec from Normal Exec Level Password “super” RADIUS Authentication Disabled TACACS+ Authentication Disabled 802.
Chapter 1 | Introduction System Defaults Table 2: System Defaults (Continued) Function Parameter Default Spanning Tree Algorithm Status Disabled Edge Ports Auto LLDP Status Enabled Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Enabled Switchport Mode (Egress Mode) Hybrid GVRP (global) Disabled GVRP (port interface) Disabled QinQ Tunneling Disabled Ingress Port Priority 0 Queue Mode WRR Queue Weight Queue: 0 1 2 3 4 5 6 7 Weight: 1 2 4 6 8 10
Chapter 1 | Introduction System Defaults Table 2: System Defaults (Continued) Function Parameter Default System Log Status Enabled Messages Logged to RAM Levels 0-7 (all) Messages Logged to Flash Levels 0-3 SMTP Email Alerts Event Handler Enabled (but no server defined) SNTP Clock Synchronization Disabled Switch Clustering Status Disabled Commander Disabled
Section II Web Configuration This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
◆ "Unicast Routing" on page 507 ◆ "IP Services" on page 527
2 Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 11, Mozilla Firefox 40, or Google Chrome 45, or more recent versions). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface switch port attached to your management station to fast forwarding (i.e., enable Admin Edge Port) to improve the switch’s response time to management commands issued through the web interface. See “Configuring Interface Settings for STA” on page 193. Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds.
Figure 1: Dashboard
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons. Table 3: Web Page Configuration Buttons Button Action Apply Sets specified values to the system.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 4: Switch Main Menu Menu Description Page Dashboard Displays system information, CPU utilization, temperature, and top 5 most active interfaces.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Reset Restarts the switch immediately, at a specified time, after a specified delay, or at a periodic interval 93 Cloud Manage Configures the switch for management through ecCLOUD 97 Interface 99 Port 100 General 100 Configure by Port List Configures connection settings per port 100 Configure by Port Range Configures connection settings for a range of ports
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show Information 127 Counters Displays statistics for LACP protocol messages 127 Internal Displays configuration settings and operational state for the local side of a link aggregation 128 Neighbors Displays configuration settings and operational state for the remote side of a link aggregation 130 Configure Trunk 121 Configure Configures connection settings
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page IEEE 802.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page MSTP Multiple Spanning Tree Algorithm 201 Configure Global 201 Add Configures initial VLAN and priority for an MST instance 201 Modify Configures the priority of an MST instance 201 Show Configures global settings for an MST instance 201 Add Member Adds VLAN members for an MST instance 201 Show Member Adds or deletes VLAN members for an MST instance 201
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show Rule Shows the rules used to enforce bandwidth policing for a policy map 225 Configure Interface Applies a policy map to an ingress port 228 VoIP Voice over IP 231 Configure Global Configures auto-detection of VoIP traffic, sets the Voice VLAN, and VLAN aging time 232 Configure OUI 233 Add Maps the OUI in the source MAC address of ingress packets to the VoIP
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure Service Sets the authorization method used for the console port, and for Telnet 251 Show Information Shows the configured authorization methods, and the methods applied to specific interfaces 251 User Accounts 255 Add Configures user names, passwords, and access levels 255 Show Shows authorized users 255 Modify Modifies user attributes 255
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Add Adds an ACL based on IP or MAC address filtering 281 Show Shows the name and type of configured ACLs 281 Add Rule Configures packet filtering based on IP or MAC addresses and other packet attributes 281 Show Rule Shows the rules specified for an ACL 281 Configure Interface Binds a port to the specified ACL and time range Configure Binds a port to the spe
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page ARP Inspection 325 Configure General Enables inspection globally, configures validation of additional address components, and sets the log rate for packet inspection 326 Configure VLAN Enables ARP inspection on specified VLANs 328 Configure Interface Sets the trust mode for ports, and sets the rate limit for packet inspection 330 Show Information 331 Show Stati
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure Engine 367 Set Engine ID Sets the SNMP v3 engine ID on this switch 367 Add Remote Engine Sets the SNMP v3 engine ID for a remote device 368 Show Remote Engine Shows configured engine ID for remote devices 368 Configure View 369 Add View Adds an SNMP v3 view of the OID MIB 369 Show View Shows configured SNMP v3 views 369 Add OID Subtree Specifi
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show 392 Alarm Shows all configured alarms 392 Event Shows all configured events 395 History Periodically samples statistics on a physical interface 397 Statistics Enables collection of statistics on a physical interface 400 History Shows sampling parameters for each entry in the history group 397 Statistics Shows sampling parameters for each entry in the
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page ARP Shows entries in the Address Resolution Protocol cache 466 IP 479 General Routing Interface Add Address Configures an IP interface for a VLAN 479 Show Address Shows the IP interfaces assigned to a VLAN 479 Routing Static Routes 504 Add Configures static routing entries 504 Show Shows static routing entries 504 Shows all routing entries, including local
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Static Host Table 531 Add Configures static entries for domain name to address mapping 531 Show Shows the list of static mapping entries 531 Modify Modifies the static address mapped to the selected host name 531 Displays cache entries discovered by designated name servers 532 Multicast DNS Configures multicast DNS lookup on the local network without the need
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Add Multicast Group Range Assigns multicast groups to selected profile 441 Show Multicast Group Range Shows multicast groups assigned to a profile 441 Configure Interface Assigns IGMP filter profiles to port interfaces and sets throttling action 443 Statistics 436 Show Query Statistics Shows statistics for query-related messages 436 Show VLAN Statistics Shows
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Summary Shows summary statistics for querier and report/leave messages 450 Clear Clears all MLD statistics or statistics for specified VLAN/port 450 Routing Protocol RIP 508 General 509 Configure Enables or disables RIP, sets the global RIP attributes and timer values 509 Clear Route Clears the specified route type or network interface from the routing table 51
3 Basic Management Tasks This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. ◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames. ◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
Chapter 3 | Basic Management Tasks Displaying System Information Displaying System Information Use the System > General page to identify the system by displaying information such as the device name, location and contact information. Parameters These parameters are displayed: ◆ System Description – Brief description of device type. ◆ System Object ID – MIB II object ID for switch’s network management subsystem. ◆ System Up Time – Length of time the management agent has been up.
Chapter 3 | Basic Management Tasks Displaying Hardware/Software Versions Displaying Hardware/Software Versions Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Parameters The following parameters are displayed: Main Board Information ◆ Serial Number – The serial number of the switch. ◆ Number of Ports – Number of built-in ports. ◆ Hardware Version – Hardware version of the main board.
Chapter 3 | Basic Management Tasks Configuring Support for Jumbo Frames Web Interface To view hardware and software version information: 1. Click System, then Switch. Figure 3: General Switch Information Configuring Support for Jumbo Frames Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet and 10 Gigabit Ethernet ports or trunks.
Chapter 3 | Basic Management Tasks Displaying Bridge Extension Capabilities Web Interface To configure support for jumbo frames: 1. Click System, then Capability. 2. Enable or disable support for jumbo frames. 3. Click Apply. Figure 4: Configuring Support for Jumbo Frames Displaying Bridge Extension Capabilities Use the System > Capability page to display settings based on the Bridge MIB.
Chapter 3 | Basic Management Tasks Managing System Files Untagged) on each port. (Refer to “VLAN Configuration” on page 149.) ◆ Max Supported VLAN Numbers – The maximum number of VLANs supported on this switch. ◆ Max Supported VLAN ID – The maximum configurable VLAN identifier supported on this switch. Web Interface To view Bridge Extension information: 1. Click System, then Capability.
Chapter 3 | Basic Management Tasks Managing System Files Command Usage ◆ When logging into an FTP/SFTP server, the interface prompts for a user name and password configured on the remote server. Note that “Anonymous” is set as the default user name. ◆ Secure Shell FTP (SFTP) provides a method of transferring files between two network devices over an SSH2-secured connection. SFTP functions similarly to Secure Copy (SCP), using SSH for user authentication and data encryption.
Chapter 3 | Basic Management Tasks Managing System Files Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch. Note: The maximum number of user-defined configuration files is limited only by available flash memory space. Note: The file “Factory_Default_Config.cfg” can be copied to a file server or management station, but cannot be used as the destination file name on the switch. Web Interface To copy firmware files: 1.
Chapter 3 | Basic Management Tasks Managing System Files Saving the Running Configuration to a Local File Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted. You must save these settings to the current startup file, or to another file which can be subsequently set as the startup file.
Chapter 3 | Basic Management Tasks Managing System Files If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. Setting the Start-up File Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization. Web Interface To set a file to use for system initialization: 1. Click System, then File. 2. Select Set Start-Up from the Action list. 3.
Chapter 3 | Basic Management Tasks Managing System Files Figure 9: Displaying System Files Automatic Operation Code Upgrade Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
Chapter 3 | Basic Management Tasks Managing System Files etc.) are case-sensitive, meaning that two files in the same directory, ecs2110series.bix and ECS2110-Series.bix are considered to be unique files. Thus, if the upgrade file is stored as ECS2110-Series.bix (or even EcS2100-Series.bix) on a case-sensitive server, then the switch (requesting ecs2100-series.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal.
Chapter 3 | Basic Management Tasks Managing System Files ■ host – Defines the IP address of the TFTP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. DNS host names are not recognized. ■ filedir – Defines the directory, relative to the TFTP server root, where the upgrade file can be found. Nested directory structures are accepted.
Chapter 3 | Basic Management Tasks Managing System Files The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options presented: ■ ftp://192.168.0.1/ The user name and password are empty, so “anonymous” will be the user name and the password will be blank. The image file is in the FTP root directory. ■ ftp://switches:upgrade@192.168.0.1/ The user name is “switches” and the password is “upgrade”.
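As an added illustration of the automatic upgrade rules in this section (not code from the Edgecore guide), the following Python parses the FTP/TFTP URL syntax into the fields the switch derives from it with the stated defaults (empty user name becomes “anonymous”, empty password stays blank, no path means the server root), rejects DNS host names as the TFTP rule requires, pre-checks a server directory listing for the case-sensitivity trap described above, and compares dotted version strings the way the “newer image” check needs. The function names, the directory listing, the file name ecs2110-series.bix and the field-by-field numeric version comparison are all assumptions made for the example; the guide does not state how the switch compares versions.

```python
# Added example for the automatic code upgrade section; not code from the Edgecore guide.
# Assumed: function names, the constructed directory listing, and the numeric dotted
# version comparison (the guide only says a "newer" file triggers the upgrade).
import re
from urllib.parse import unquote, urlsplit

_DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def is_valid_host(host):
    """The guide accepts only dotted-quad IPv4 literals (four numbers 0-255); DNS names are rejected."""
    m = _DOTTED_QUAD.match(host or "")
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def parse_upgrade_url(url):
    """Split an ftp:// or tftp:// URL into the fields the switch uses, applying the guide's defaults:
    no user name -> "anonymous", no password -> blank, no path -> the server root directory."""
    parts = urlsplit(url)
    if parts.scheme not in ("ftp", "tftp"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}; expected ftp or tftp")
    host = parts.hostname or ""
    if not is_valid_host(host):
        raise ValueError(f"host must be a dotted-quad IPv4 address, got {host!r}")
    if parts.scheme == "tftp" and (parts.username or parts.password):
        raise ValueError("TFTP URLs carry no user name or password")
    return {
        "scheme": parts.scheme,
        "host": host,
        "user": unquote(parts.username) if parts.username else "anonymous",
        "password": unquote(parts.password) if parts.password else "",
        # directory relative to the server root; "" means the root itself
        "filedir": parts.path.strip("/"),
    }


def check_upgrade_file(requested, listing):
    """Report how the name the switch will request matches a server directory listing.
    'exact': the server will serve it; 'case-mismatch': present only under different
    capitalisation, which a case-sensitive FTP/TFTP server will not serve; 'missing': absent."""
    if requested in listing:
        return "exact"
    if any(name.lower() == requested.lower() for name in listing):
        return "case-mismatch"
    return "missing"


def is_newer_version(installed, candidate):
    """Field-by-field comparison of dotted numeric versions, e.g. 1.2.1.3 -> 1.2.1.6 (assumed rule)."""
    def to_tuple(version):
        return tuple(int(field) for field in version.split("."))
    return to_tuple(candidate) > to_tuple(installed)


if __name__ == "__main__":
    # Constructed listing: the file was uploaded with mixed case, but the switch asks in lower case.
    server_listing = ["ECS2110-Series.bix", "README.txt"]
    for url in ("ftp://192.168.0.1/", "ftp://switches:upgrade@192.168.0.1/firmware/"):
        print(url, "->", parse_upgrade_url(url))
    print(check_upgrade_file("ecs2110-series.bix", server_listing))  # case-mismatch
    print(is_newer_version("1.2.1.3", "1.2.1.6"))  # True
```

Running the check against the server's directory listing before enabling the automatic upgrade catches the silent failure the guide warns about: a case-mismatch result means the switch will request the file on every poll and never be upgraded. Note also that the credentials in an ftp:// URL are stored and transmitted in clear text by FTP, which is why the guide offers SFTP for file transfers.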
New image detected: current version 1.2.1.3; new version 1.2.1.6
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
. . .

Setting the System Clock
Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP).

2. Select Configure General from the Step list.
3. Select Manual from the Maintain Type list.
4. Enter the time and date in the appropriate fields.
5. Click Apply.

Figure 11: Manually Setting the System Clock

Setting the SNTP Polling Interval
Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers.

Figure 12: Setting the Polling Interval for SNTP

Configuring NTP
Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.

Parameters
The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.

Figure 13: Configuring NTP

Configuring Time Servers
Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.

Specifying SNTP Time Servers
Use the System > Time (Configure Time Server – Configure SNTP Server) page to specify the IP address for up to three SNTP time servers.

Figure 14: Specifying SNTP Time Servers

Specifying NTP Time Servers
Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to three NTP time servers.

Parameters
The following parameters are displayed:
◆ NTP Server IP Address – Sets the IPv4 address for up to three time servers.

Figure 15: Adding an NTP Time Server

To show the list of configured NTP time servers:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Show NTP Server from the Action list.

Figure 16: Showing the NTP Time Server List

Specifying NTP Authentication Keys
Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list.

Web Interface
To add an entry to the NTP authentication key list:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Add NTP Authentication Key from the Action list.
4. Enter the index number and MD5 authentication key string.
5. Click Apply.

Figure 17: Adding an NTP Authentication Key

To show the list of configured NTP authentication keys:
1. Click System, then Time.
2.

Setting the Time Zone
Use the System > Time (Configure Time Zone) page to set the time zone. SNTP uses Coordinated Universal Time (UTC, formerly Greenwich Mean Time, or GMT), based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.

Figure 19: Setting the Time Zone

Configuring Summer Time
Use the Summer Time page to set the system clock forward during the summer months (also known as daylight saving time). In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Saving Time (DST).

Table 5: Predefined Summer-Time Parameters

Region        Start Time, Day, Week, & Month         End Time, Day, Week, & Month           Rel.
Australia     00:00:00, Sunday, Week 5 of October    23:59:59, Sunday, Week 5 of March      60 min
Europe        00:00:00, Sunday, Week 5 of March      23:59:59, Sunday, Week 5 of October    60 min
New Zealand   00:00:00, Sunday, Week 1 of October    23:59:59, Sunday, Week 3 of March
USA           02:00:00, Sunday, Week 2 of March
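Table 5 expresses each predefined rule as “Sunday, Week N of Month” rather than as a calendar date, so the actual change-over dates differ from year to year. The script below, an added example that is not part of the guide or the switch software, resolves those rules to dates for a given year and reports whether a given local time falls inside summer time. It assumes that “Week 5” means the last such Sunday of the month (no month has five of every weekday; the guide does not spell this out), and it only encodes the table rows that are complete in the text above.

```python
"""Resolve Table 5 summer-time rules to dates (added example, not switch code)."""
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

SUNDAY = calendar.SUNDAY  # 6 in Python's weekday numbering


@dataclass(frozen=True)
class SummerTimeRule:
    at: time       # clock time at which the change happens
    weekday: int   # 0 = Monday ... 6 = Sunday
    week: int      # 1-4: the Nth such weekday in the month; 5: the last one (assumption)
    month: int     # 1-12


def nth_weekday(year: int, month: int, weekday: int, week: int) -> date:
    """Date of the Nth given weekday in a month; week 5 is read as the last occurrence."""
    if not 1 <= week <= 5:
        raise ValueError("week must be 1-5")
    if week == 5:
        last = date(year, month, calendar.monthrange(year, month)[1])
        return last - timedelta(days=(last.weekday() - weekday) % 7)
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (week - 1))


def resolve(rule: SummerTimeRule, year: int) -> datetime:
    return datetime.combine(nth_weekday(year, rule.month, rule.weekday, rule.week), rule.at)


# Rows of Table 5 that are complete in the guide: (start rule, end rule).
PREDEFINED = {
    "Australia": (SummerTimeRule(time(0, 0, 0), SUNDAY, 5, 10),
                  SummerTimeRule(time(23, 59, 59), SUNDAY, 5, 3)),
    "Europe": (SummerTimeRule(time(0, 0, 0), SUNDAY, 5, 3),
               SummerTimeRule(time(23, 59, 59), SUNDAY, 5, 10)),
    "New Zealand": (SummerTimeRule(time(0, 0, 0), SUNDAY, 1, 10),
                    SummerTimeRule(time(23, 59, 59), SUNDAY, 3, 3)),
}


def summer_time_span(region: str, year: int) -> tuple:
    """(start, end) of the region's rule for one calendar year, as ISO 8601 strings."""
    start_rule, end_rule = PREDEFINED[region]
    return resolve(start_rule, year).isoformat(), resolve(end_rule, year).isoformat()


def in_summer_time(region: str, when_iso: str) -> bool:
    """True if a local time (ISO 8601, no UTC offset) falls inside summer time.
    Southern-hemisphere rules start late in one year and end early in the next,
    so their interval wraps around the year boundary."""
    when = datetime.fromisoformat(when_iso)
    start_rule, end_rule = PREDEFINED[region]
    start, end = resolve(start_rule, when.year), resolve(end_rule, when.year)
    if start <= end:
        return start <= when <= end
    return when >= start or when <= end


if __name__ == "__main__":
    for region in PREDEFINED:
        print(region, summer_time_span(region, 2024))
```

For Europe the rule yields 2024-03-31 to 2024-10-27 in 2024; for Australia the October start comes after the March end within the same calendar year, which is why the membership test has to treat the interval as wrapping.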
Figure 20: Configuring Summer Time

Configuring the Console Port
Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100-compatible device to the switch’s serial console port.

per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)
◆ Stop Bits – Sets the number of stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
◆ Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None.

Configuring Telnet Settings
Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled or disabled and other parameters set, including the TCP port number, time-outs, and a password. Note that the password is only configurable through the CLI.

authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch.

Web Interface
To configure Telnet parameters:
1. Click System, then Telnet.
2. Specify the connection parameters as required.
3.

Figure 23: Displaying CPU Utilization

Configuring CPU Guard
Use the System > CPU Guard page to set the CPU utilization high and low watermarks as a percentage of CPU time used, and the CPU high and low thresholds as the number of packets processed per second.

Parameters
The following parameters are displayed:
◆ CPU Guard Status – Enables CPU Guard.

◆ Trap Status – If enabled, an alarm message is generated when utilization exceeds the high watermark or exceeds the maximum threshold. (Default: Disabled) Once the high watermark is exceeded, utilization must drop beneath the low watermark before the alarm is terminated, and then exceed the high watermark again before another alarm is triggered.
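The Trap Status behaviour above is a two-threshold (hysteresis) alarm: a trap is raised when a sample crosses the high watermark, cleared only when a later sample falls below the low watermark, and not raised again until the high watermark is exceeded once more. The code below, an added example and not part of the switch software, models exactly that rule over a constructed series of utilization samples and, for contrast, counts how many raise/clear flips a plain single-threshold comparator would produce on the same series. The watermark values and sample series are made up for the illustration; the same class applies unchanged to the packets-per-second threshold pair.

```python
"""Hysteresis alarm as described for CPU Guard (added example, not switch code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class WatermarkAlarm:
    """Raise above `high`, clear below `low`; samples in between change nothing."""
    high: float
    low: float
    active: bool = False
    events: List[Tuple[int, str, float]] = field(default_factory=list)
    _n: int = field(default=0, init=False, repr=False)  # samples seen so far

    def __post_init__(self) -> None:
        if not 0 <= self.low < self.high:
            raise ValueError("require 0 <= low < high")

    def observe(self, sample: float) -> Optional[str]:
        """Feed one sample; return 'raise', 'clear', or None when the state is unchanged."""
        self._n += 1
        if not self.active and sample > self.high:
            self.active = True
            self.events.append((self._n, "raise", sample))
            return "raise"
        if self.active and sample < self.low:
            self.active = False
            self.events.append((self._n, "clear", sample))
            return "clear"
        return None


def transitions(samples, high: float, low: float) -> List[Tuple[int, str, float]]:
    """All alarm transitions (1-based sample index, event, value) for a series."""
    alarm = WatermarkAlarm(high=high, low=low)
    for s in samples:
        alarm.observe(s)
    return alarm.events


def single_threshold_flips(samples, threshold: float) -> int:
    """How often a plain 'above threshold?' comparator changes state on the same series."""
    flips, state = 0, False
    for s in samples:
        above = s > threshold
        if above != state:
            flips += 1
            state = above
    return flips


# Constructed CPU-utilization samples (percent), one per polling interval.
SAMPLES = [50, 95, 97, 85, 75, 91, 88, 60, 50, 95]

if __name__ == "__main__":
    print("watermark transitions:", transitions(SAMPLES, high=90, low=70))
    print("single-threshold flips:", single_threshold_flips(SAMPLES, 90))
```

With a high watermark of 90 and a low watermark of 70, the series produces three transitions (raise at sample 2, clear at sample 8, raise at sample 10), while the samples at 85, 75, 91 and 88 generate nothing. A single 90 % threshold would flip state five times on the same data, which is the trap storm the two-watermark scheme is designed to prevent.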
◆ Total – The total amount of system memory.

Web Interface
To display memory utilization:
1. Click System, then Memory Status.

Figure 25: Displaying Memory Utilization

Resetting the System
Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.

Command Usage
◆ This command resets the entire system.

■ Immediately – Restarts the system immediately.
■ In – Specifies an interval after which to reload the switch. (The specified time must be equal to or less than 24 days.)
  ■ hours – The number of hours, combined with the minutes, before the switch resets. (Range: 0-576)
  ■ minutes – The number of minutes, combined with the hours, before the switch resets. (Range: 0-59)
■ At – Specifies a time at which to reload the switch.

5. When prompted, confirm that you want to reset the switch.

Figure 28: Restarting the Switch (At)

Figure 29: Restarting the Switch (Regularly)

Using Cloud Management
Use the System > Cloud Manage page to enable the cloud management agent on the switch. The Edgecore ecCLOUD Controller is a cloud-based network service available from anywhere through a web-browser interface. The switch can be managed by the ecCLOUD controller once you have set up an account and registered the device on the system. By default, the cloud management agent is disabled on the switch.
4 Interface Configuration
This chapter describes the following topics:
◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control.
◆ Displaying Statistics – Shows Interface, Etherlike, and RMON port statistics in table or chart form.
◆ Displaying Statistical History – Displays statistical history for the specified interfaces.

Port Configuration
This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics.

Configuring by Port List
Use the Interface > Port > General (Configure by Port List) page to enable or disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.

capabilities to be advertised. When auto-negotiation is disabled, you can force the settings for speed, mode, and flow control. The following capabilities are supported.
■ 10h – Supports 10 Mbps half-duplex operation.
■ 10f – Supports 10 Mbps full-duplex operation.
■ 100h – Supports 100 Mbps half-duplex operation.
■ 100f – Supports 100 Mbps full-duplex operation.
■ 1000f – Supports 1000 Mbps full-duplex operation.

Figure 31: Configuring Connections by Port List

Configuring by Port Range
Use the Interface > Port > General (Configure by Port Range) page to enable or disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.

Figure 32: Configuring Connections by Port Range

Displaying Connection Status
Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.

Parameters
These parameters are displayed:
◆ Port – Port identifier.
◆ Type – Indicates the port type. (1000BASE-T, 1000BASE SFP, 10GBASE SFP+)
◆ Name – Interface label.

Web Interface
To display port connection parameters:
1. Click Interface, Port, General.
2. Select Show Information from the Action List.

Figure 33: Displaying Port Information

Showing Port or Trunk Statistics
Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Table 6: Port Statistics (Continued)

Parameter – Description
Received Errors – The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.
Transmitted Errors – The number of outbound packets that could not be transmitted because of errors.
Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
SQE Test Errors – A count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface.
Carrier Sense Errors – The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame.
Output Octets in kbits per second – Number of octets leaving this interface in kbits/second.
Output Packets per second – Number of packets leaving this interface per second.
Output Utilization – The output utilization rate for this interface.

Web Interface
To show a list of port statistics:
1. Click Interface, Port, Statistics.
2.
Figure 35: Showing Port Statistics (Chart)

Displaying Statistical History
Use the Interface > Port > History or Interface > Trunk > History page to display statistical history for the specified interfaces.

Command Usage
◆ For a description of the statistics displayed on these pages, see “Showing Port or Trunk Statistics” on page 104.
◆ To configure statistical history sampling, use the “Displaying Statistical History” on page 108.

◆ History Name – Name of sample interval. (Range: 1-32 characters)
◆ Interval – The interval for sampling statistics. (Range: 1-86400 minutes)
◆ Requested Buckets – The number of samples to take. (Range: 1-96)

Show
◆ Port – Port number. (Range: 1-26/52)
◆ History Name – Name of sample interval. (Default settings: 15min, 1day)
◆ Interval – The interval for sampling statistics.
◆ Requested Buckets – The number of samples to take.

Figure 36: Configuring a History Sample

To show the configured entries for a history sample:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show from the Action menu.
3. Select an interface from the Port or Trunk list.

Figure 37: Showing Entries for History Sampling

To show the configured parameters for a sampling entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2.

Figure 38: Showing Status of Statistical History Sample

To show statistics for the current interval of a sample entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Current Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.

To show ingress or egress traffic statistics for a sample entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Input Previous Entry or Output Previous Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.

problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters.

Web Interface
To display identifying information and functional parameters for optical transceivers:
1. Click Interface, Port, Transceiver.
2. Select a port from the scroll-down list.

The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters.

■ Threshold events are triggered as described above to avoid a hysteresis effect which would continuously trigger event messages if the power level were to fluctuate just above and below either the high threshold or the low threshold.
■ Trap messages configured by this command are sent to any management station configured as an SNMP trap manager using the Administration > SNMP (Configure Trap) page.

◆ Cable diagnostics can only be performed on twisted-pair media.
◆ This cable test is only accurate for Gigabit Ethernet cables 7 - 100 meters long.
◆ The test takes approximately 5 seconds. The switch displays the results of the test immediately upon completion, including common cable failures, as well as the status and approximate length to a fault.
◆ Potential conditions which may be listed by the diagnostics include those listed below.
Web Interface
To test the cable attached to a port:
1. Click Interface, Port, Cable Test.
2. Click Test for any port to start the cable test.

Figure 43: Performing Cable Tests

Trunk Configuration
This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.

Command Usage
Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.

Command Usage
◆ When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.

To add member ports to a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure Trunk from the Step list.
3. Select Add Member from the Action list.
4. Select a trunk identifier.
5. Set the unit and port for an additional trunk member.
6. Click Apply.

Figure 46: Adding Static Trunk Members

To configure connection parameters for a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3.

To display trunk connection parameters:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3. Select Show Information from the Action list.

◆ Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured). However, if the LAG admin key is set, then the port admin key must be set to the same value for a port to be allowed to join that group.
Note: If the LACP admin key is not set when a channel group is formed (i.e.

When a dynamic port-channel is torn down, the configured timeout value will be retained. When the dynamic port-channel is constructed again, that timeout value will be used.
◆ System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
◆ System MAC Address – The device MAC address assigned to each trunk.

■ If a LAG already exists with the maximum number of allowed port members, and LACP is subsequently enabled on another port using a higher priority than an existing member, the newly configured port will replace an existing port member that has a lower priority.
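The two LACP rules stated above (the three matching conditions for joining a LAG, and replacement of a lower-priority member when the group is already full) can be checked against a configuration before cabling anything. The model below is an added example, not the switch's implementation or this guide's: it encodes the join conditions and the replacement rule in a small `Lag` class. The member limit, port numbers and key values are constructed; it follows the IEEE 802.1AX convention that a numerically lower port priority means a higher priority, and the outcome for a full group when the new port does not outrank any member is this example's assumption, since the guide does not describe that case.

```python
"""Model of the LACP join and replacement rules (added example, not switch code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class LacpPort:
    port: int
    system_priority: int
    admin_key: int
    port_priority: int  # IEEE 802.1AX: numerically lower value = higher priority


@dataclass
class Lag:
    system_priority: int
    admin_key: int
    lag_admin_key: Optional[int] = None   # None: LAG admin key not configured
    max_members: int = 8                  # constructed limit for this example
    members: List[LacpPort] = field(default_factory=list)

    def may_join(self, p: LacpPort) -> bool:
        """The three conditions the guide lists for joining this LAG."""
        if p.system_priority != self.system_priority:
            return False
        if p.admin_key != self.admin_key:
            return False
        # If the LAG admin key is set, the port admin key must equal it.
        if self.lag_admin_key is not None and p.admin_key != self.lag_admin_key:
            return False
        return True

    def enable_lacp(self, p: LacpPort) -> str:
        """Outcome of enabling LACP on port p while this LAG already exists."""
        if not self.may_join(p):
            return "rejected"
        if len(self.members) < self.max_members:
            self.members.append(p)
            return "joined"
        # Group is full: the new port displaces the lowest-priority member only if
        # it carries a higher priority (lower numeric value) than that member.
        weakest = max(self.members, key=lambda m: m.port_priority)
        if p.port_priority < weakest.port_priority:
            self.members.remove(weakest)
            self.members.append(p)
            return f"replaced {weakest.port}"
        return "not admitted"  # assumption: the guide does not state this case

    def member_ports(self) -> List[int]:
        return sorted(m.port for m in self.members)


if __name__ == "__main__":
    lag = Lag(system_priority=32768, admin_key=1, max_members=2)
    for candidate in (LacpPort(1, 32768, 1, 32768), LacpPort(2, 32768, 1, 32768),
                      LacpPort(3, 32768, 2, 32768), LacpPort(4, 32768, 1, 100)):
        print(candidate.port, "->", lag.enable_lacp(candidate), lag.member_ports())
```

Walking four candidate ports through a two-member group shows ports 1 and 2 joining, port 3 rejected for a mismatched admin key, and port 4 (priority 100) displacing one of the priority-32768 members.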
6. Click Apply.

Figure 51: Enabling LACP on a Port

To configure LACP parameters for group members:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click Actor or Partner.
5. Configure the required settings.
6. Click Apply.

To show the active members of a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Show Member from the Action list.
4. Select a Trunk.

Figure 53: Showing Members of a Dynamic Trunk

To configure connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Configure from the Action list.
4.

To show connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Show from the Action list.

Figure 55: Showing Connection Parameters for Dynamic Trunks

Displaying LACP Port Counters
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages.

5. Select a group member from the Port list.

Figure 56: Displaying LACP Port Counters

Displaying LACP Settings and Status for the Local Side
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.

Table 8: LACP Internal Configuration Information (Continued)

Parameter – Description
Admin State, Oper State (continued) –
◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation.
◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
◆ LACP-Activity – Activity control value with regard to this link.

Displaying LACP Settings and Status for the Remote Side
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.

Parameters
These parameters are displayed:

Table 9: LACP Remote Device Configuration Information

Parameter – Description
Partner Admin System – LAG partner’s system ID assigned by the user.

Figure 58: Displaying LACP Port Remote Information

Configuring Load Balancing
Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links.

Command Usage
◆ This command applies to all static and dynamic trunks on the switch.

■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
■ Source IP Address: All traffic with the same source IP address is output on the same link in a trunk.
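Both modes above work the same way: the selected header fields form a key, the key is hashed, and the hash picks the trunk member, so all traffic with the same key stays on one link. The script below is an added example (not the switch's hardware hash, which is not described here) that uses CRC32 as a stand-in for the hash and demonstrates the consequence the guide points out: with many hosts behind one router sending to one server, Source and Destination MAC mode puts every frame on a single link, while Source IP mode spreads the same frames across the trunk. The frames, addresses and four-link trunk are constructed for the illustration.

```python
"""Trunk member selection by hashed key fields (added example, not switch code)."""
import zlib
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


# Key fields for the two modes the guide describes. Another mode is simply
# another choice of fields.
MODES: Dict[str, Callable[[Frame], Tuple[str, ...]]] = {
    "src-dst-mac": lambda f: (f.src_mac, f.dst_mac),
    "src-ip": lambda f: (f.src_ip,),
}


def select_link(frame: Frame, mode: str, links: int) -> int:
    """0-based trunk member for a frame. CRC32 stands in for the hardware hash;
    the property that matters is that equal keys always map to the same link."""
    if links < 1:
        raise ValueError("a trunk needs at least one link")
    key = "|".join(MODES[mode](frame)).encode()
    return zlib.crc32(key) % links


def distribution(frames: Iterable[Frame], mode: str, links: int) -> Dict[int, int]:
    """Number of frames landing on each trunk member."""
    return dict(Counter(select_link(f, mode, links) for f in frames))


# Constructed traffic: 200 hosts behind one router (MAC ...:01) sending to one
# server (MAC ...:02) across a 4-link trunk.
ROUTER_MAC, SERVER_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02"
HOST_FRAMES = [
    Frame(ROUTER_MAC, SERVER_MAC, f"10.0.{i // 256}.{i % 256}", "192.168.0.1")
    for i in range(1, 201)
]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, distribution(HOST_FRAMES, mode, links=4))
```

In Source and Destination MAC mode the distribution has a single entry holding all 200 frames, which is why that mode suits switch-to-switch links carrying traffic between many hosts rather than a routed path where every frame shares the same MAC pair.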
Saving Power
Use the Interface > Green Ethernet page to enable power savings mode on the selected port.

Command Usage
◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.

◆ Power Saving Status – Adjusts the power provided to ports based on the length of the cable used to connect to other devices. Only sufficient power is used to maintain connection requirements. (Default: Enabled on Gigabit Ethernet RJ-45 ports)

Web Interface
To enable power savings:
1. Click Interface, Green Ethernet.
2. Mark the Enabled check box for a port.
3. Click Apply.

Configuring Local Port Mirroring
(remote port mirroring as described in “Configuring Remote Port Mirroring” on page 136).
◆ Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
◆ The destination port cannot be a trunk or trunk member port.
◆ Note that Spanning Tree BPDU packets are also mirrored to the target port.

To display the configured mirror sessions:
1. Click Interface, Port, Mirror.
2. Select Show from the Action List.

Figure 63: Displaying Local Port Mirror Sessions

Configuring Remote Port Mirroring
Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.

Command Usage
◆ Traffic can be mirrored from one or more source ports to a destination port on the same switch (local port mirroring as described in “Configuring Local Port Mirroring” on page 134), or from one or more source ports on remote switches to a destination port on this switch (remote port mirroring as described in this section).
◆ Configuration Guidelines
Take the following steps to configure an RSPAN session:
1.

■ MAC address learning is not supported on RSPAN uplink ports when RSPAN is enabled on the switch. Therefore, even if spanning tree is enabled after RSPAN has been configured, MAC address learning will still not be restarted on the RSPAN uplink ports.
■ IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.

to an RSPAN VLAN. Also, note that the VLAN > Static (Show) page will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
◆ Type – Specifies the traffic type to be mirrored remotely. (Options: Rx, Tx, Both)
◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports.

Figure 66: Configuring Remote Port Mirroring (Intermediate)

Figure 67: Configuring Remote Port Mirroring (Destination)

Sampling Traffic Flows
The flow sampling (sFlow) feature embedded on this switch, together with a remote sFlow Collector, can provide network administrators with an accurate, detailed and real-time overview of the types and levels of traffic present on their network.

Note: The terms “collector”, “receiver” and “owner”, in the context of this chapter, all refer to a remote server capable of receiving the sFlow datagrams generated by the sFlow agent of the switch.

As the Collector receives streams from the various sFlow agents (other switches or routers) throughout the network, a timely, network-wide picture of utilization and traffic flows is created.

used to indicate the appropriate number of zeros required to fill the undefined fields.
◆ Receiver Socket Port – The UDP port on which the sFlow Collector is listening for sFlow streams. (Range: 1-65534)
◆ Maximum Datagram Size – Maximum size of the sFlow datagram payload. (Range: 200-1500 bytes)
◆ Datagram Version – Sends either v4 or v5 sFlow datagrams to the receiver.

Web Interface
To configure an sFlow receiver:
1.

Figure 69: Showing sFlow Receivers

Configuring an sFlow Polling Instance
Use the Interface > sFlow (Configure Details – Add) page to enable an sFlow polling data source that polls periodically based on a specified time interval, or an sFlow data source instance that takes samples periodically based on the number of packets processed.

Parameters
These parameters are displayed in the web interface:
◆ Receiver Owner Name – The name of the receiver.

5. Click Apply.

Figure 70: Configuring an sFlow Instance

Web Interface
To show configured instances:
1. Click Interface, sFlow.
2. Select Configure Details from the Step list.
3. Select Show from the Action list.
4. Select the owner name from the scroll-down list.
5. Select sFlow type as Sampling or Polling.
Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Data traffic on downlink ports is only forwarded to, and from, uplink ports. Traffic belonging to each client is isolated to the allocated downlink ports.

Figure 72: Enabling Traffic Segmentation

Configuring Uplink and Downlink Ports
Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.

◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.

Parameters
These parameters are displayed:
◆ Session ID – Traffic segmentation session. (Range: 1-4)
◆ Direction – Adds an interface to the segmented group by setting the direction to uplink or downlink. (Default: Uplink)
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier.

To show the members of the traffic segmentation group:
1. Click Interface, Traffic Segmentation.
2. Select Configure Session from the Step list.
3. Select Show from the Action list.
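The forwarding rule behind traffic segmentation is short enough to state as code, which makes it possible to check a planned port assignment before it is applied: a downlink port may exchange traffic only with uplink ports, while uplink ports and ports outside any session are unrestricted. The class below is an added example, not the switch's implementation or this guide's. It assumes that a downlink reaches only the uplink ports of its own session (the text says “the uplink ports”; scoping them per session follows the per-client isolation described above and is this example's reading), enforces the Session ID range of 1-4 and the Uplink default, and uses constructed port numbers.

```python
"""Forwarding model for port-based traffic segmentation (added example, not switch code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TrafficSegmentation:
    enabled: bool = True
    uplinks: Dict[int, Set[int]] = field(default_factory=dict)    # session -> ports
    downlinks: Dict[int, Set[int]] = field(default_factory=dict)  # session -> ports

    def add(self, session: int, port: int, direction: str = "uplink") -> None:
        """Assign a port to a session; the guide's default direction is Uplink."""
        if not 1 <= session <= 4:
            raise ValueError("Session ID must be 1-4")
        if direction not in ("uplink", "downlink"):
            raise ValueError("direction must be 'uplink' or 'downlink'")
        table = self.uplinks if direction == "uplink" else self.downlinks
        table.setdefault(session, set()).add(port)

    def downlink_session(self, port: int) -> Optional[int]:
        for sid, ports in self.downlinks.items():
            if port in ports:
                return sid
        return None

    def may_forward(self, ingress: int, egress: int) -> bool:
        """May a frame entering on `ingress` leave on `egress`?
        A downlink end of the path must be paired with an uplink of its own session
        (assumption, see lead-in); uplink and unassigned ports are unrestricted, which
        is also why uplinks in a session with no downlinks behave as normal ports."""
        if not self.enabled:
            return True
        for port, other in ((ingress, egress), (egress, ingress)):
            sid = self.downlink_session(port)
            if sid is not None and other not in self.uplinks.get(sid, set()):
                return False
        return True

    def audit(self, pairs: List[Tuple[int, int]]) -> List[Tuple[int, int, bool]]:
        """Evaluate a list of (ingress, egress) pairs for review."""
        return [(a, b, self.may_forward(a, b)) for a, b in pairs]


if __name__ == "__main__":
    seg = TrafficSegmentation()
    seg.add(1, 25)                  # session 1 uplink (default direction)
    seg.add(1, 1, "downlink")       # client A
    seg.add(1, 2, "downlink")       # client B, same session
    seg.add(2, 26)
    seg.add(2, 3, "downlink")       # client C, second session
    for row in seg.audit([(1, 25), (1, 2), (1, 3), (1, 26), (25, 10), (10, 1)]):
        print(row)
```

With ports 1 and 2 as downlinks and port 25 as the uplink of session 1, traffic between port 1 and port 25 passes in both directions, while port 1 to port 2 (same session), port 1 to port 3 (another session's downlink) and port 1 to an unassigned port 10 are all blocked; the uplink itself can still reach port 10.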
5 VLAN Configuration This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customerspecific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs. ◆ Protocol VLANs – Configures VLAN groups based on specified protocols.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs This switch supports the following VLAN features: ◆ Up to 4094 VLANs based on the IEEE 802.1Q standard ◆ Distributed VLAN learning across multiple switches using explicit tagging.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Port Overlapping – Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabled routing on this switch. Untagged VLANs – Untagged VLANs are typically used to reduce broadcast traffic and to increase security.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Modify ◆ VLAN ID – ID of configured VLAN (1-4094). ◆ VLAN Name – Name of the VLAN (1 to 32 characters). ◆ Status – Enables or disables the specified VLAN. ◆ L3 Interface – Sets the interface to support Layer 3 configuration, and reserves memory space required to maintain additional information about this interface type.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Figure 76: Creating Static VLANs To modify the configuration settings for VLAN groups: 1. Click VLAN, Static. 2. Select Modify from the Action list. 3. Select the identifier of a configured VLAN. 4. Modify the VLAN name or operational status as required. 5. Enable the L3 Interface field to specify that a VLAN will be used as a Layer 3 interface. 6. Click Apply.
To show the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Show from the Action list.
Figure 78: Showing Static VLANs
Adding Static Members to VLANs
Use the VLAN > Static (Edit Member by VLAN, Edit Member by Interface, or Edit Member by Interface Range) pages to configure port members for the selected VLAN index, interface, or a range of interfaces.
identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
◆ PVID – VLAN ID assigned to untagged frames received on the interface. (Default: 1) When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN.
Edit Member by Interface
All parameters are the same as those described under the preceding section for Edit Member by VLAN.
Edit Member by Interface Range
All parameters are the same as those described under the earlier section for Edit Member by VLAN, except for the items shown below.
◆ Port Range – Displays a list of ports. (Range: 1-26/52)
◆ Trunk Range – Displays a list of trunks.
To configure static members by interface:
1. Click VLAN, Static.
2. Select Edit Member by Interface from the Action list.
3. Select a port or trunk to configure.
4. Modify the settings for any interface as required.
5. Click Apply.
Figure 80: Configuring Static VLAN Members by Interface
To configure static members by interface range:
1. Click VLAN, Static.
2. Select Edit Member by Interface Range from the Action list.
3.
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling Figure 81: Configuring Static VLAN Members by Interface Range IEEE 802.1Q Tunneling IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
3. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag).
4. The switch sends the packet to the proper egress port.
5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.
6. After packet classification, the packet is written to memory for processing as a single-tagged or double-tagged packet.
7. The switch sends the packet to the proper egress port.
8. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packet will have two tags.
Configuration Limitations for QinQ
◆ The native VLAN of uplink ports should not be used as the SPVLAN.
5. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (see “Adding Static Members to VLANs” on page 154).
6. Configure the QinQ tunnel uplink port to Uplink mode (see “Adding an Interface to a QinQ Tunnel” on page 165).
7. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (see “Adding Static Members to VLANs” on page 154).
3. Enable Tunnel Status, and specify the TPID if a client attached to a tunnel port is using a non-standard ethertype to identify 802.1Q tagged frames.
4. Click Apply.
Figure 83: Enabling QinQ Tunneling
Creating CVLAN to SPVLAN Mapping Entries
Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry.
◆ Service VLAN ID – VLAN ID for the outer VLAN tag. (Range: 1-4094)
Web Interface
To configure a mapping entry:
1. Click VLAN, Tunnel.
2. Select Configure Service from the Step list.
3. Select Add from the Action list.
4. Select an interface from the Port list.
5. Specify the CVID to SVID mapping for packets exiting the specified port.
6. Click Apply.
Figure 84: Configuring CVLAN to SPVLAN Mapping Entries
To show the mapping table:
1.
The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the “switchport dot1q-tunnel service match cvid” command in the CLI Reference Guide.
Adding an Interface to a QinQ Tunnel
Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch.
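The tag handling described in this section, as an added example that is not code from the guide or the switch firmware: a tunnel access port pushes an outer service tag whose SVID comes from a CVID to SVID service map (reproducing the text's port 1, CVID 2 to SVID 99 case) or otherwise from the port's native VID, and an egress port keeps both tags or strips the outer one depending on its SPVLAN membership. The outer TPID 0x88A8, the MAC addresses and the payloads are constructed assumptions.

```python
# Added example, not code from the Edgecore guide: a small model of the QinQ
# tag handling described above. Assumptions (constructed): outer tag TPID
# 0x88A8 (the tunnel's configurable TPID), inner tag TPID 0x8100, and a
# CVID -> SVID service map reproducing the text's example (port 1, CVID 2 ->
# SVID 99). MAC addresses and payloads are made-up sample data.
import struct

TPID_DOT1Q = 0x8100   # customer (inner) tag, standard 802.1Q ethertype
TPID_DOT1AD = 0x88A8  # service provider (outer) tag; the guide's Tunnel TPID setting


def build_frame(dst, src, ethertype, payload, tags=()):
    """Assemble an Ethernet frame; tags are (tpid, pcp, vid) tuples, outermost first."""
    hdr = bytes(dst) + bytes(src)
    for tpid, pcp, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + bytes(payload)


def parse_frame(frame):
    """Split a frame into (dst, src, [(tpid, pcp, vid), ...], ethertype, payload).

    The tag list is outermost first; parsing stops at the first 16-bit value
    that is not a recognised TPID, which is then taken as the ethertype."""
    dst, src = frame[:6], frame[6:12]
    tags, off = [], 12
    while True:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_DOT1Q, TPID_DOT1AD):
            return dst, src, tags, tpid, frame[off + 2:]
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        off += 4


def tunnel_access_ingress(frame, port, native_vid, service_map, tpid=TPID_DOT1AD):
    """Tunnel access port (steps 1-3 above): push an outer service tag.

    The SVID comes from the CVID -> SVID service map when the customer frame's
    VID has a mapping on this port; otherwise the port's native VID (which the
    guide says must be the SPVLAN) is used. The customer tag is kept as the
    inner tag; an untagged customer frame leaves with a single outer tag. The
    customer PCP is copied into the outer tag (an assumption of this model)."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    cvid = tags[0][2] if tags else None
    pcp = tags[0][1] if tags else 0
    svid = service_map.get((port, cvid), native_vid)
    if not 1 <= svid <= 4094:
        raise ValueError("service VLAN ID must be in the range 1-4094")
    return build_frame(dst, src, ethertype, payload, [(tpid, pcp, svid)] + tags)


def tunnel_egress(frame, tagged_member):
    """Egress (steps 5 and 8 above): a tagged member of the SPVLAN forwards both
    tags; an untagged member has the outer tag stripped."""
    if tagged_member:
        return frame
    dst, src, tags, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, ethertype, payload, tags[1:])


def uplink_native_vid_ok(uplink_native_vid, spvlan):
    """Configuration limitation from the text: the uplink port's native VLAN
    must not be used as the SPVLAN."""
    return uplink_native_vid != spvlan


# Constructed sample data.
CUSTOMER_MAC = bytes.fromhex("0200c0ffee01")
SERVER_MAC = bytes.fromhex("0200c0ffee02")
SERVICE_MAP = {(1, 2): 99}   # port 1: CVID 2 -> SVID 99, as in the text's example
SPVLAN = 100                 # native VID configured on the tunnel access port


def demo():
    """Run a tagged (CVID 2, PCP 3) and an untagged customer frame through the tunnel."""
    tagged = build_frame(SERVER_MAC, CUSTOMER_MAC, 0x0800, b"ip-data", [(TPID_DOT1Q, 3, 2)])
    untagged = build_frame(SERVER_MAC, CUSTOMER_MAC, 0x0806, b"arp-data")
    out = {}
    for name, frame in (("tagged", tagged), ("untagged", untagged)):
        in_tunnel = tunnel_access_ingress(frame, 1, SPVLAN, SERVICE_MAP)
        out[name] = {
            "uplink_tagged": parse_frame(tunnel_egress(in_tunnel, True))[2],
            "uplink_untagged": parse_frame(tunnel_egress(in_tunnel, False))[2],
        }
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```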
Chapter 5 | VLAN Configuration Protocol VLANs Figure 86: Adding an Interface to a QinQ Tunnel Protocol VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
Configuring Protocol VLAN Groups
Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups.
Parameters
These parameters are displayed:
◆ Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol.
◆ Protocol Type – Specifies the protocol type to match. The available options are IP, ARP, RARP and IPv6. If LLC Other is chosen for the Frame Type, the only available Protocol Type is IPX Raw.
Figure 87: Configuring Protocol VLANs
To configure a protocol group:
1. Click VLAN, Protocol.
2. Select Configure Protocol from the Step list.
3. Select Show from the Action list.
Figure 88: Displaying Protocol VLANs
Mapping Protocol Groups to Interfaces
Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-26/52)
◆ Trunk – Trunk Identifier.
Chapter 5 | VLAN Configuration Configuring MAC-based VLANs Figure 89: Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk: 1. Click VLAN, Protocol. 2. Select Configure Interface from the Step list. 3. Select Show from the Action list. 4. Select a port or trunk. Figure 90: Showing the Interface to Protocol Group Mapping Configuring MAC-based VLANs Use the VLAN > MAC-Based page to configure VLAN based on MAC addresses.
◆ Source MAC addresses can be mapped to only one VLAN ID.
◆ Configured MAC addresses cannot be broadcast or multicast addresses.
◆ When MAC-based, IP subnet-based, or protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
Parameters
These parameters are displayed:
◆ MAC Address – A source MAC address which is to be mapped to a specific VLAN.
Figure 91: Configuring MAC-Based VLANs
To show the MAC addresses mapped to a VLAN:
1. Click VLAN, MAC-Based.
2. Select Show from the Action list.
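The VLAN classification rules spread across this chapter (the PVID for untagged frames, the protocol VLAN matching rules, and the MAC-based precedence order) combined into one ingress classifier, as an added example that is not code from the guide or the switch firmware. It assumes a tagged frame takes the VID from its tag, leaves out IP subnet-based VLANs (listed in the precedence but not detailed here), and uses constructed MAC addresses and frames.

```python
# Added example, not code from the Edgecore guide: an ingress VLAN classifier
# applying the precedence stated above (MAC-based, then protocol-based, then
# the port-based PVID). IP subnet-based VLANs are omitted. Assumptions
# (constructed): frame-type / protocol-type pairs are named as on the Protocol
# VLAN page, a tagged frame is assigned the VID in its tag, and all addresses
# and frames are sample data.
from dataclasses import dataclass, field

ETHERTYPE_NAMES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP", 0x86DD: "IPv6"}
SNAP_PREFIX = bytes.fromhex("aaaa03000000")  # RFC 1042 LLC/SNAP header with OUI 00-00-00
BROADCAST = b"\xff" * 6


def classify_protocol(frame):
    """Return (frame_type, protocol_type) using the names on the Protocol VLAN page."""
    off = 16 if frame[12:14] == b"\x81\x00" else 12      # step over a single 802.1Q tag
    type_or_len = int.from_bytes(frame[off:off + 2], "big")
    if type_or_len >= 0x0600:                             # Ethernet II: the field is an ethertype
        return "Ethernet", ETHERTYPE_NAMES.get(type_or_len)
    llc = frame[off + 2:off + 10]                         # 802.3 length field, LLC header follows
    if llc[:6] == SNAP_PREFIX:
        return "RFC 1042", ETHERTYPE_NAMES.get(int.from_bytes(llc[6:8], "big"))
    if llc[:2] == b"\xff\xff":                            # Novell raw 802.3: IPX checksum field
        return "LLC Other", "IPX Raw"
    return "LLC Other", None


@dataclass
class PortConfig:
    pvid: int = 1                                         # VLAN for untagged frames (Default: 1)
    protocol_groups: dict = field(default_factory=dict)   # (frame_type, protocol_type) -> VID


@dataclass
class VlanSwitch:
    ports: dict = field(default_factory=dict)             # port number -> PortConfig
    mac_vlans: dict = field(default_factory=dict)         # source MAC (bytes) -> VID

    def add_mac_vlan(self, mac, vid):
        """Enforce the MAC-based VLAN rules: unicast source only, one VID per MAC."""
        if mac[0] & 0x01:                                 # I/G bit: broadcast or multicast
            raise ValueError("broadcast/multicast MAC addresses cannot be mapped")
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be in the range 1-4094")
        if self.mac_vlans.get(mac, vid) != vid:
            raise ValueError("a source MAC address can be mapped to only one VLAN")
        self.mac_vlans[mac] = vid

    def classify(self, port, frame):
        """Return (vid, rule) for a frame received on `port`, in precedence order."""
        if frame[12:14] == b"\x81\x00":                   # tagged: the tag decides
            return int.from_bytes(frame[14:16], "big") & 0x0FFF, "tagged"
        src = frame[6:12]
        if src in self.mac_vlans:                         # 1. MAC-based
            return self.mac_vlans[src], "MAC-based"
        cfg = self.ports[port]
        key = classify_protocol(frame)
        if key in cfg.protocol_groups:                    # 2. protocol-based
            return cfg.protocol_groups[key], "protocol-based"
        return cfg.pvid, "port-based (PVID)"              # 3. port-based default VLAN


def ethernet_ii(src, ethertype, vid=None):
    """Constructed Ethernet II frame, optionally carrying one 802.1Q tag (PCP 0)."""
    tag = b"\x81\x00" + vid.to_bytes(2, "big") if vid is not None else b""
    return BROADCAST + src + tag + ethertype.to_bytes(2, "big") + bytes(46)


def snap_frame(src, ethertype):
    """Constructed 802.3 frame with an RFC 1042 LLC/SNAP header."""
    body = SNAP_PREFIX + ethertype.to_bytes(2, "big") + bytes(38)
    return BROADCAST + src + len(body).to_bytes(2, "big") + body


PHONE_MAC = bytes.fromhex("0200aa000001")   # constructed, mapped by MAC
GUEST_MAC = bytes.fromhex("0200aa000002")   # constructed, not in any MAC-based VLAN


def demo():
    """Classify a handful of constructed frames received on port 1."""
    sw = VlanSwitch(ports={1: PortConfig(pvid=1, protocol_groups={
        ("Ethernet", "IPv6"): 20, ("RFC 1042", "IP"): 30})})
    sw.add_mac_vlan(PHONE_MAC, 40)
    return {
        "tagged": sw.classify(1, ethernet_ii(GUEST_MAC, 0x0800, vid=7)),
        "mac_beats_protocol": sw.classify(1, ethernet_ii(PHONE_MAC, 0x86DD)),
        "ipv6_by_protocol": sw.classify(1, ethernet_ii(GUEST_MAC, 0x86DD)),
        "snap_ip_by_protocol": sw.classify(1, snap_frame(GUEST_MAC, 0x0800)),
        "arp_falls_to_pvid": sw.classify(1, ethernet_ii(GUEST_MAC, 0x0806)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: VLAN {result[0]} ({result[1]})")
```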
6 Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port. This chapter describes the following topics: ◆ Dynamic Address Cache – Shows dynamic entries in the address table.
Chapter 6 | Address Table Settings Clearing the Dynamic Address Table ◆ Life Time – Shows the time to retain the specified address. Web Interface To show the dynamic address table: 1. Click MAC Address, Dynamic. 2. Select Show Dynamic MAC from the Action list. 3. Select the Sort Key (MAC Address, VLAN, or Interface). 4. Enter the search parameters (MAC Address, VLAN, or Interface). 5. Click Query.
Chapter 6 | Address Table Settings Changing the Aging Time Web Interface To clear the entries in the dynamic address table: 1. Click MAC Address, Dynamic. 2. Select Clear Dynamic MAC from the Action list. 3. Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface). 4. Enter information in the additional fields required for clearing entries by MAC Address, VLAN, or Interface. 5. Click Clear.
Chapter 6 | Address Table Settings Configuring MAC Address Learning 4. Specify a new aging time. 5. Click Apply. Figure 95: Setting the Address Aging Time Configuring MAC Address Learning Use the MAC Address > Learning Status page to enable or disable MAC address learning on an interface. Command Usage ◆ When MAC address learning is disabled, the switch immediately stops learning new MAC addresses on the specified interface.
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-26/52)
◆ Trunk – Trunk Identifier. (Range: 1-8)
◆ Status – The status of MAC address learning. (Default: Enabled)
Web Interface
To enable or disable MAC address learning:
1. Click MAC Address, Learning Status.
2. Set the learning status for any interface.
3. Click Apply.
Chapter 6 | Address Table Settings Setting Static Addresses Setting Static Addresses Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
Web Interface
To configure a static MAC address:
1. Click MAC Address, Static.
2. Select Add from the Action list.
3. Specify the VLAN, the port or trunk to which the address will be assigned, the MAC address, and the time to retain this entry.
4. Click Apply.
Figure 97: Configuring Static MAC Addresses
To show the static addresses in the MAC address table:
1. Click MAC Address, Static.
2. Select Show from the Action list.
Chapter 6 | Address Table Settings Issuing MAC Address Traps Issuing MAC Address Traps Use the MAC Address > MAC Notification pages to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Parameters These parameters are displayed: Configure Global ◆ MAC Notification Traps – Issues a trap when a dynamic MAC address is added or removed. (Default: Disabled) ◆ MAC Notification Trap Interval – Specifies the interval between issuing two consecutive traps.
To enable MAC address traps at the interface level:
1. Click MAC Address, MAC Notification.
2. Select Configure Interface from the Step list.
3. Enable MAC notification traps for the required ports.
4. Click Apply.
7 Spanning Tree Algorithm This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
Chapter 7 | Spanning Tree Algorithm Overview
Figure 101: STP Root Ports and Designated Ports
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
Chapter 7 | Spanning Tree Algorithm Configuring Loopback Detection An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see “Configuring Multiple Spanning Trees” on page 201). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
Note: Loopback detection will not be active if Spanning Tree is disabled on the switch.
Note: When configured for manual release mode, a link down/up event will not release the port from the discarding state.
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Status – Enables loopback detection on this interface.
Chapter 7 | Spanning Tree Algorithm Configuring Global Settings for STA
Figure 104: Configuring Port Loopback Detection
Configuring Global Settings for STA
Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch.
Command Usage
◆ Spanning Tree Protocol – This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
■ To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
◆ Cisco Prestandard Status – Configures spanning tree operation to be compatible with Cisco prestandard versions. (Default: Disabled) Cisco prestandard versions prior to Cisco IOS Release 12.2(25)SEC do not fully follow the IEEE standard, causing some state machine procedures to function incorrectly. This command forces the spanning tree protocol to function in a manner compatible with Cisco prestandard versions.
changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
■ Default: 15
■ Minimum: The higher of 4 or [(Max. Message Age / 2) + 1]
■ Maximum: 30
RSTP does not depend on the forward delay timer in most cases.
Chapter 7 | Spanning Tree Algorithm Displaying Global Settings for STA Figure 107: Configuring Global Settings for STA (MSTP) Displaying Global Settings for STA Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for STA ◆ Root Path Cost – The path cost from the root port on this switch to the root device. ◆ Configuration Changes – The number of times the Spanning Tree has been reconfigured. ◆ Last Topology Change – Time since the Spanning Tree was last reconfigured. Web Interface To display global STA settings: 1. Click Spanning Tree, STA. 2. Select Configure Global from the Step list. 3. Select Show Information from the Action list.
◆ BPDU Flooding – Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 187) or when spanning tree is disabled on a specific port. When flooding is enabled, BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port’s native VLAN as specified by the Spanning Tree BPDU Flooding attribute (page 187).
Table 12: Default STA Path Costs (Continued)
Port Type           Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (IEEE 802.1D-2004)
Gigabit Ethernet    10,000                               10,000
10G Ethernet        1,000                                1,000
Administrative path cost cannot be used to directly determine the root port on a switch. Connections to other devices use IEEE 802.1Q-2005 to determine the root port as in the following example.
◆ Admin Edge Port – Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
configurations because an administrator must manually enable the port. (Default: Disabled) BPDU guard can only be configured on an interface if the edge port attribute is not disabled (that is, if edge port is set to enabled or auto).
◆ BPDU Guard Auto Recovery – Automatically re-enables an interface after the specified interval.
Chapter 7 | Spanning Tree Algorithm Displaying Interface Settings for STA Figure 110: Configuring Interface Settings for STA Displaying Interface Settings for STA Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. Parameters These parameters are displayed: ◆ Spanning Tree – Shows if STA has been enabled on this interface.
◆ Forward Transitions – The number of times this port has transitioned from the Learning state to the Forwarding state.
◆ Designated Cost – The cost for a packet to travel from this port to the root in the current Spanning Tree configuration. The slower the media, the higher the cost.
Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.
The criteria used for determining the port role are based on root bridge ID, root path cost, designated bridge, designated port, port priority, and port number, in that order and as applicable to the role under question.
Web Interface
To display interface settings for STA:
1. Click Spanning Tree, STA.
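The comparison order just listed, applied to root port selection, together with the forward delay bounds from the global settings section, as an added example that is not code from the guide or the switch firmware. Bridge IDs, MAC addresses and received BPDUs are constructed; the port path costs reuse the guide's Table 12 values (Gigabit 10,000, 10G 1,000).

```python
# Added example, not code from the Edgecore guide: root port selection using
# the order stated above (root bridge ID, root path cost, designated bridge,
# designated port, then the receiving port's priority and number), plus the
# forward delay bounds from the global settings section. Bridge IDs, MACs
# and BPDUs are constructed sample values; path costs follow Table 12.
from dataclasses import dataclass


def bridge_id(priority, mac_hex):
    """Bridge identifier: 16-bit priority followed by the 48-bit bridge MAC."""
    return (priority << 48) | int(mac_hex.replace(":", ""), 16)


def forward_delay_bounds(max_age):
    """(minimum, maximum) forward delay for a given Max. Message Age, per the text."""
    return max(4, max_age // 2 + 1), 30


@dataclass(frozen=True, order=True)
class PriorityVector:
    """Root-port candidate as seen by the receiving bridge. Field order is the
    comparison order from the text; at every step the lower value wins."""
    root_bridge_id: int
    root_path_cost: int        # sender's cost to the root + this port's path cost
    designated_bridge_id: int  # bridge that sent the BPDU
    designated_port_id: int    # port it was sent from
    port_priority: int         # receiving port's priority
    port_number: int           # receiving port's number


@dataclass
class ReceivedBpdu:
    """The fields of a configuration BPDU that matter for root port selection."""
    root_bridge_id: int
    root_path_cost: int
    sender_bridge_id: int
    sender_port_id: int


@dataclass
class PortState:
    number: int
    path_cost: int             # administrative or default path cost (Table 12)
    priority: int = 128
    bpdu: ReceivedBpdu = None  # None when nothing was received on the port


def select_root_port(ports):
    """Return (port_number, vector) for the best root-port candidate, or None
    when no port has received a BPDU (this bridge then believes it is root)."""
    candidates = [
        (PriorityVector(p.bpdu.root_bridge_id,
                        p.bpdu.root_path_cost + p.path_cost,
                        p.bpdu.sender_bridge_id,
                        p.bpdu.sender_port_id,
                        p.priority, p.number), p.number)
        for p in ports if p.bpdu is not None
    ]
    if not candidates:
        return None
    vector, number = min(candidates)   # tuple order == the text's comparison order
    return number, vector


ROOT = bridge_id(4096, "00:00:5e:00:53:01")      # constructed root bridge
CORE_A = bridge_id(32768, "00:00:5e:00:53:0a")   # constructed upstream bridge
CORE_B = bridge_id(32768, "00:00:5e:00:53:0b")   # constructed upstream bridge


def demo():
    """Pick the root port among three links that all advertise the same root."""
    ports = [
        # Gigabit link to core A: advertised cost 0 + 10,000 local path cost
        PortState(1, 10_000, bpdu=ReceivedBpdu(ROOT, 0, CORE_A, 0x8001)),
        # 10G link to core B: 0 + 1,000, the cheapest path to the root
        PortState(2, 1_000, bpdu=ReceivedBpdu(ROOT, 0, CORE_B, 0x8001)),
        # second 10G link to core B, equal cost: loses on designated port ID
        PortState(3, 1_000, bpdu=ReceivedBpdu(ROOT, 0, CORE_B, 0x8002)),
        PortState(4, 10_000),                    # no BPDU received (edge port)
    ]
    return select_root_port(ports)


if __name__ == "__main__":
    print(demo())
    print(forward_delay_bounds(20))
```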
Chapter 7 | Spanning Tree Algorithm Configuring Multiple Spanning Trees Configuring Multiple Spanning Trees Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. Command Usage MSTP generates a unique spanning tree for each instance.
Web Interface
To create instances for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree > MSTP (Configure Global - Add Member) page. If the priority is not specified, the default value 32768 is used.
5. Click Apply.
To modify the priority for an MST instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Modify from the Action list.
4. Modify the priority for an MSTP Instance.
5. Click Apply.
Figure 115: Modifying the Priority for an MST Instance
To display global settings for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3.
To add additional VLAN groups to an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add Member from the Action list.
4. Select an MST instance from the MST ID list.
5. Enter the VLAN group to add to the instance in the VLAN ID field. Note that the specified member does not have to be a configured VLAN.
6.
Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for MSTP Configuring Interface Settings for MSTP Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. Parameters These parameters are displayed: ◆ MST ID – Instance identifier to configure. (Default: 0) ◆ Interface – Displays a list of ports or trunks. ◆ STA Status – Displays the current state of this interface within the Spanning Tree.
Web Interface
To configure MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Enter the priority and path cost for an interface.
5. Click Apply.
Figure 119: Configuring MSTP Interface Settings
To display MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
8 Congestion Control
The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Congestion Control includes the following options:
◆ Rate Limiting – Sets the input and output rate limits for a port.
Chapter 8 | Congestion Control Storm Control Web Interface To configure rate limits: 1. Click Traffic, Rate Limit. 2. Set the interface type to Port or Trunk. 3. Enable the Rate Limit Status for the required interface. 4. Set the rate limit for required interfaces. 5. Click Apply. Figure 121: Configuring Rate Limits Storm Control Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds.
◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these features on the same interface.
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Type – Indicates the port type. (1000BASE-T, 1000BASE SFP, or 10GBASE SFP+)
◆ Unknown Unicast – Specifies storm control for unknown unicast traffic.
Figure 122: Configuring Storm Control
9 Class of Service
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
Chapter 9 | Class of Service Layer 2 Queue Settings ◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission. Parameters These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ CoS – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0) Web Interface To configure the queue mode: 1. Click Traffic, Priority, Default Priority. 2.
the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
◆ If Strict and WRR mode is selected, a combination of strict service is used for the high priority queues and weighted service for the remaining queues. The queues assigned to use strict priority should be specified using the Strict Mode field parameter.
Web Interface
To configure the queue mode:
1. Click Traffic, Priority, Queue.
2. Set the queue mode.
3. If the weighted queue mode is selected, the queue weight can be modified if required.
4. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the Strict Mode parameter in the table.
5. Click Apply.
Chapter 9 | Class of Service Layer 3/4 Priority Settings Figure 126: Setting the Queue Mode (Strict and WRR) Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
Setting Priority Processing to DSCP or CoS
The switch allows a choice between using DSCP or CoS priority processing methods. Use the Priority > Trust Mode page to select the required processing method.
Command Usage
◆ If the QoS mapping mode is set to DSCP, and the ingress packet type is IPv4, then priority processing will be based on the DSCP value in the ingress packet.
Figure 127: Setting the Trust Mode
Mapping CoS Priorities to Per-hop Behavior
Use the Traffic > Priority > CoS to Queue page to map CoS/CFI values in incoming packets to per-hop behavior for priority processing.
Command Usage
◆ The default mapping of CoS/CFI to Queue/CFI values is shown below.
Web Interface
To map CoS/CFI values to Queue precedence:
1. Click Traffic, Priority, CoS to Queue.
2. Set the Queue for any of the CoS/CFI combinations.
3. Click Apply.
Figure 128: Configuring CoS to Queue Mapping
Mapping DSCP Priorities to Per-hop Behavior
Use the Traffic > Priority > DSCP to Queue page to map DSCP values in incoming packets to per-hop behavior for priority processing.
Parameters
These parameters are displayed:
◆ Port – Specifies a port.
◆ DSCP – DSCP value in ingress packets. (Range: 0-63)
◆ Queue – Per-hop behavior, or the priority used for this router hop.
Figure 129: Configuring DSCP to Queue Mapping
10 Quality of Service This chapter describes the following tasks required to apply QoS policies: ◆ Class Map – Creates a map which identifies a specific class of traffic. ◆ Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. ◆ Binding to a Port – Applies a policy map to an ingress port.
Chapter 10 | Quality of Service Configuring a Class Map
Command Usage
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, a CoS value, or a source port.
3.
◆ Description – A brief description of a class map. (Range: 1-64 characters)
Add Rule
◆ Class Name – Name of the class map.
◆ Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
◆ ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs.
◆ IP DSCP – A DSCP value.
To show the configured class maps:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show from the Action list.
Figure 131: Showing Class Maps
To edit the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a class map.
5.
Chapter 10 | Quality of Service Creating QoS Policies To show the rules for a class map: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Show Rule from the Action list. Figure 133: Showing the Rules for a Class Map Creating QoS Policies Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 222).
Add Rule
◆ Policy Name – Name of policy map.
◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act. A policy map can contain up to 32 class maps.
◆ Action – This attribute is used to set an internal QoS value in hardware for matching packets.
Figure 134: Configuring a Policy Map
To show the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show from the Action list.
Figure 135: Showing Policy Maps
To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a policy map.
5.
Chapter 10 | Quality of Service Attaching a Policy Map to a Port Figure 136: Adding Rules to a Policy Map To show the rules for a policy map: 1. Click Traffic, DiffServ. 2. Select Configure Policy from the Step list. 3. Select Show Rule from the Action list. Figure 137: Showing the Rules for a Policy Map Attaching a Policy Map to a Port Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port.
◆ Ingress – Applies the selected rule to ingress traffic.
Web Interface
To bind a policy map to a port:
1. Click Traffic, DiffServ.
2. Select Configure Interface from the Step list.
3. Check the box under the Ingress field to enable a policy map for a port.
4. Select a policy map from the scroll-down box.
5. Click Apply.
11 VoIP Traffic Configuration

This chapter covers the following topics:
◆ Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports.
◆ Telephony OUI List – Configures the list of phones to be treated as VoIP devices based on the specified Organization Unit Identifier (OUI).

Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic

Configuring VoIP Traffic
Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.

Command Usage
All ports are set to VLAN hybrid mode by default.

Figure 139: Configuring a Voice VLAN

Configuring Telephony OUI
VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.

6. Enter a description for the devices.
7. Click Apply.

Figure 140: Configuring an OUI Telephony List

To show the MAC OUI numbers used for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Show from the Action list.

Configuring VoIP Traffic Ports

Parameters
These parameters are displayed:
◆ Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None)
■ None – The Voice VLAN feature is disabled on the port. The port will not detect VoIP traffic or be added to the Voice VLAN.
■ Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.

When VoIP Mode is set to Auto, the Remaining Age will be displayed. Otherwise, if the VoIP Mode is Disabled or set to Manual, the remaining age will display “NA.”

Web Interface
To configure VoIP traffic settings for a port:
1. Click Traffic, VoIP.
2. Select Configure Interface from the Step list.
3. Configure any required changes to the VoIP settings for each port.
4. Click Apply.
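The following is an added example, not firmware or code from the switch vendor, that models the behaviour described in this chapter: a port in Auto mode joins the Voice VLAN when a received frame's source OUI is on the telephony OUI list, the port is removed again once no voice traffic has been seen for the aging time, and Remaining Age reads "NA" for ports that are not in Auto mode. The OUI values, port names and aging time are constructed for the example.

```python
"""Voice VLAN membership driven by a telephony OUI list and the Auto port mode.
Added example modelled on the Traffic > VoIP pages; not switch firmware."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed OUI list for the example. On the switch these entries come from
# the Configure OUI page; the values here are placeholders, not real vendor OUIs.
TELEPHONY_OUIS: Dict[str, str] = {
    "00-11-22": "Example handset vendor A",
    "AA-BB-CC": "Example handset vendor B",
}


def oui_of(mac: str) -> str:
    """First three octets of a MAC address, normalised to AA-BB-CC form."""
    octets = mac.upper().replace(":", "-").split("-")
    if len(octets) != 6:
        raise ValueError(f"not a six-octet MAC address: {mac!r}")
    return "-".join(octets[:3])


def is_voip_device(src_mac: str) -> bool:
    """The switch recognises VoIP traffic by the OUI of the source MAC address."""
    return oui_of(src_mac) in TELEPHONY_OUIS


@dataclass
class VoicePort:
    mode: str = "None"                  # None, Auto or Manual (Configure Interface page)
    in_voice_vlan: bool = False
    last_voip_seen: Optional[float] = None


class VoiceVlan:
    def __init__(self, vlan_id: int, aging_secs: int) -> None:
        self.vlan_id = vlan_id
        self.aging_secs = aging_secs
        self.ports: Dict[str, VoicePort] = {}

    def set_mode(self, port: str, mode: str) -> None:
        if mode not in ("None", "Auto", "Manual"):
            raise ValueError(f"unknown VoIP port mode {mode!r}")
        self.ports.setdefault(port, VoicePort()).mode = mode

    def frame_seen(self, port: str, src_mac: str, now: float) -> bool:
        """Process one received frame and return whether the port is now a Voice VLAN member.
        Only Auto ports are added, and only when the source OUI is a telephony OUI."""
        p = self.ports.setdefault(port, VoicePort())
        if p.mode == "Auto" and is_voip_device(src_mac):
            p.in_voice_vlan = True
            p.last_voip_seen = now
        return p.in_voice_vlan

    def age_out(self, now: float) -> List[str]:
        """Remove Auto ports whose voice traffic stopped more than aging_secs ago."""
        removed = []
        for name, p in self.ports.items():
            if p.mode == "Auto" and p.in_voice_vlan and now - p.last_voip_seen > self.aging_secs:
                p.in_voice_vlan = False
                p.last_voip_seen = None
                removed.append(name)
        return removed

    def remaining_age(self, port: str, now: float):
        """Seconds left before the port ages out, or "NA" for ports not in Auto mode."""
        p = self.ports.get(port, VoicePort())
        if p.mode != "Auto" or p.last_voip_seen is None:
            return "NA"
        return max(0, self.aging_secs - int(now - p.last_voip_seen))
```

A frame from a non-telephony OUI on an Auto port neither adds the port nor refreshes its age, so a port that carries only data traffic after the phone is unplugged is removed when the timer expires.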
12 Security Measures

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.

Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting)

with invalid MAC to IP Address bindings, which forms the basis for certain “man-in-the-middle” attacks.

Note: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.

2. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services.
3. Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use.
4. Apply the method names to port or line interfaces.

Note: This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.

Web Interface
To configure the method(s) of controlling management access:
1. Click Security, AAA, System Authentication.
2. Specify the authentication sequence (i.e., one to three methods).
3. Click Apply.

Figure 143: Configuring the Authentication Sequence

Configuring Remote Logon
Use the Security > AAA > Server page to configure the message exchange parameters for RADIUS or TACACS+ remote access authentication servers.

Command Usage
◆ If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
◆ RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair.

◆ Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match.

TACACS+
■ Global – Provides globally applicable TACACS+ settings.
■ Server Index – Specifies the index number of the server to be configured. The switch currently supports only one TACACS+ server.

Web Interface
To configure the parameters for RADIUS or TACACS+ authentication:
1. Click Security, AAA, Server.
2. Select Configure Server from the Step list.
3. Select RADIUS or TACACS+ server type.
4. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server.
5.

Figure 146: Configuring Remote Authentication Server (TACACS+)

To configure the RADIUS or TACACS+ server groups to use for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Select RADIUS or TACACS+ server type.
5. Enter the group name, followed by the index of the server to use for each priority level.
6. Click Apply.

To show the RADIUS or TACACS+ server groups used for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Show from the Action list.
■ Exec – Administrative accounting for local console, Telnet, or SSH connections.
◆ Privilege Level – The CLI privilege levels (0-15). This parameter only applies to Command accounting.
◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined.

■ VTY Method Name – Specifies a user-defined method name to apply to Telnet and SSH connections.

Show Information – Summary
◆ Accounting Type – Displays the accounting service.
◆ Method Name – Displays the user-defined or default accounting method.
◆ Server Group Name – Displays the accounting server group.
◆ Interface – Displays the port, console or Telnet interface to which these rules apply.

To configure the accounting method applied to various service types and the assigned server group:
1. Click Security, AAA, Accounting.
2. Select Configure Method from the Step list.
3. Select Add from the Action list.
4. Select the accounting type (802.1X, Command, Exec).
5. Specify the name of the accounting method and server group name.
6. Click Apply.

Figure 151: Showing AAA Accounting Methods

To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections:
1. Click Security, AAA, Accounting.
2. Select Configure Service from the Step list.
3. Select the accounting type (802.1X, Command, Exec).
4. Enter the required accounting method.
5. Click Apply.

Figure 153: Configuring AAA Accounting Service for Command Service
Figure 154: Configuring AAA Accounting Service for Exec Service

To display a summary of the configured accounting methods and assigned server groups for specified service types:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Summary.

Figure 155: Displaying a Summary of Applied AAA Accounting Methods

To display basic accounting information and statistics recorded for user sessions:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Statistics.

Parameters
These parameters are displayed:

Configure Method
◆ Authorization Type – Specifies the service as:
■ Command – Administrative authorization to apply to commands entered at specific CLI privilege levels.
■ Exec – Administrative authorization for local console, Telnet, or SSH connections.
◆ Method Name – Specifies an authorization method for service requests.

Web Interface
To configure the authorization method applied to the Exec service type and the assigned server group:
1. Click Security, AAA, Authorization.
2. Select Configure Method from the Step list.
3. Specify the name of the authorization method and server group name.
4. Click Apply.

To configure the authorization method applied to local console, Telnet, or SSH connections:
1. Click Security, AAA, Authorization.
2. Select Configure Service from the Step list.
3. Enter the required authorization method.
4. Click Apply.

Figure 159: Configuring AAA Authorization Methods for Exec Service

To display the configured authorization method and assigned server groups for the Exec service type:
1.
Configuring User Accounts
Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords.

Command Usage
◆ The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.”
◆ The guest only has read access for most configuration parameters.

■ Encrypted Password – Encrypted password. The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP or FTP server. There is no need for you to manually configure encrypted passwords.
◆ Password – Specifies the user password.

Figure 162: Showing User Accounts

Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.

◆ Quiet Period – Configures how long a host must wait to attempt authentication again after it has exceeded the maximum allowable failed login attempts. (Range: 1-180 seconds; Default: 60 seconds)
◆ Login Attempts – Configures the number of times a supplicant may attempt and fail authentication before it must wait the configured quiet period.
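The interaction between Login Attempts and Quiet Period is easiest to see as a small per-host state machine. The following is an added example, not code from the switch; it keeps the page's quiet-period range (1-180 seconds, default 60), while the login-attempts value of 3 and the host addresses are constructed for the example.

```python
"""Failed-login throttle modelled on the Web Authentication Login Attempts and
Quiet Period parameters. Added example, not switch code."""

from typing import Dict


class WebAuthThrottle:
    def __init__(self, login_attempts: int = 3, quiet_period: int = 60) -> None:
        # Quiet Period range and default are the page's; login_attempts=3 is constructed.
        if not 1 <= quiet_period <= 180:
            raise ValueError("quiet period must be 1-180 seconds")
        if login_attempts < 1:
            raise ValueError("login attempts must be at least 1")
        self.login_attempts = login_attempts
        self.quiet_period = quiet_period
        self.failures: Dict[str, int] = {}     # host IP -> consecutive failed attempts
        self.quiet_until: Dict[str, float] = {}  # host IP -> earliest time a retry is accepted

    def may_attempt(self, host: str, now: float) -> bool:
        """A host in its quiet period is not allowed to attempt authentication at all."""
        return now >= self.quiet_until.get(host, 0.0)

    def record(self, host: str, success: bool, now: float) -> str:
        """Record one authentication attempt and return 'ok', 'rejected' or 'quiet'."""
        if not self.may_attempt(host, now):
            return "quiet"                      # attempt ignored during the quiet period
        if success:
            self.failures.pop(host, None)       # a successful login clears the failure count
            return "ok"
        count = self.failures.get(host, 0) + 1
        if count >= self.login_attempts:
            # Maximum reached: start the quiet period and reset the counter for afterwards.
            self.failures.pop(host, None)
            self.quiet_until[host] = now + self.quiet_period
            return "quiet"
        self.failures[host] = count
        return "rejected"
```

Note that even a correct password submitted during the quiet period is not accepted; the host has to wait out the full period, which is what limits online guessing against the web login.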
◆ Revert – Restores the previous configuration settings.
◆ Re-authenticate – Ends all authenticated web sessions for selected host IP addresses in the Authenticated Host List, and forces the users to reauthenticate.
◆ Revert – Restores the previous configuration settings.

Web Interface
To enable web authentication for a port:
1. Click Security, Web Authentication.
2. Select Configure Interface from the Step list.
3.

Network Access (MAC Address Authentication)

Command Usage
◆ MAC address authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.

Table 15: Dynamic QoS Profiles

Profile      Attribute Syntax                      Example
DiffServ     service-policy-in=policy-map-name     service-policy-in=p1
Rate Limit   rate-limit-input=rate                 rate-limit-input=100 (kbps)
             rate-limit-output=rate                rate-limit-output=200 (kbps)
802.

◆ When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.
◆ While a port has an assigned dynamic QoS profile, any manual QoS configuration changes only take effect after all users have logged off the port.
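The following added example (not switch code) parses the dynamic QoS profile attributes from Table 15 as a RADIUS server might return them and applies the two port rules just stated: a user whose profile differs from the users already on the port is denied, and a manual QoS change made while a dynamic profile is in force is held back until the last user logs off. The attribute strings, MAC addresses and manual settings are constructed; how the switch represents a profile internally is not described on the page, so a plain dictionary is assumed.

```python
"""Dynamic QoS profile parsing and per-port admission rule.
Added example modelled on Table 15 and the Command Usage notes; not switch code."""

import re
from typing import Dict, Iterable, Optional, Set, Union

Profile = Dict[str, Union[str, int]]

# Attribute names from Table 15. DiffServ carries a policy-map name; the rate
# limits carry a rate in kbps. Anything else is rejected rather than ignored.
ATTRIBUTE_RE = re.compile(r"^(service-policy-in|rate-limit-input|rate-limit-output)=(\S+)$")


def parse_profile(attrs: Iterable[str]) -> Profile:
    """Turn the attribute strings returned for a user into a profile dictionary."""
    profile: Profile = {}
    for raw in attrs:
        m = ATTRIBUTE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported dynamic QoS attribute: {raw!r}")
        key, value = m.groups()
        if key.startswith("rate-limit"):
            if not value.isdigit():
                raise ValueError(f"{key} expects a rate in kbps, got {value!r}")
            profile[key] = int(value)
        else:
            profile[key] = value            # policy-map name
    return profile


class Port:
    def __init__(self) -> None:
        self.profile: Optional[Profile] = None   # dynamic profile currently applied
        self.users: Set[str] = set()             # authenticated MAC addresses
        self.manual: Profile = {}                # manual QoS configuration in effect
        self.pending_manual: Optional[Profile] = None  # manual change waiting for last logoff

    def login(self, mac: str, returned: Profile) -> bool:
        """Admit the user unless its returned profile differs from users already on the port."""
        if self.users and returned != self.profile:
            return False
        self.profile = returned
        self.users.add(mac)
        return True

    def logoff(self, mac: str) -> None:
        self.users.discard(mac)
        if not self.users:
            # Last user gone: drop the dynamic profile and apply any deferred manual change.
            self.profile = None
            if self.pending_manual is not None:
                self.manual = self.pending_manual
                self.pending_manual = None

    def set_manual_qos(self, settings: Profile) -> bool:
        """Return True if the change took effect now, False if it is deferred."""
        if self.profile is not None:
            self.pending_manual = settings
            return False
        self.manual = settings
        return True

    def effective_qos(self) -> Profile:
        return self.profile if self.profile is not None else self.manual
```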
Figure 165: Configuring Global Settings for Network Access

Configuring Network Access for Ports
Use the Security > Network Access (Configure Interface) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic VLAN or dynamic QoS assignments.

◆ Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server through the 802.1X authentication process are applied to the port, providing the VLANs have already been created on the switch. (GVRP is not used to create the VLANs.) (Default: Enabled)
The VLAN settings specified by the first authenticated MAC address are implemented for a port.

Figure 166: Configuring Interface Settings for Network Access

Configuring a MAC Address Filter
Use the Security > Network Access (Configure MAC Filter) page to designate specific MAC addresses or MAC address ranges as exempt from authentication. MAC addresses present in MAC Filter tables activated on a port are treated as preauthenticated on that port.

Command Usage
◆ Specified MAC addresses are exempt from authentication.

4. Enter a filter ID, MAC address, and optional mask.
5. Click Apply.

Figure 167: Configuring a MAC Address Filter for Network Access

To show the MAC address filter table for MAC authentication:
1. Click Security, Network Access.
2. Select Configure MAC Filter from the Step list.
3. Select Show from the Action list.

■ Interface – Specifies a port interface.
■ Attribute – Displays static or dynamic addresses.

Authenticated MAC Address List
■ MAC Address – The authenticated MAC address.
■ Interface – The port interface associated with a secure MAC address.
■ RADIUS Server – The IP address of the RADIUS server that authenticated the MAC address.
■ Time – The time when the MAC address was last authenticated.
Figure 169: Showing Addresses Authenticated for Network Access

Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.

Configuring Global Settings for HTTPS
Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the TCP port used for this service.

■ The client and server generate session keys for encrypting and decrypting data. The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 9, Mozilla Firefox 39, or Google Chrome 44, or more recent versions.
◆ The following web browsers and operating systems currently support HTTPS:

Table 16: HTTPS System Support

Web Browser             Operating System
Internet Explorer 9.

Figure 170: Configuring HTTPS

Replacing the Default Secure-site Certificate
Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that the web browser displays will be associated with a warning that the site is not recognized as a secure site.

◆ Private Key Source File Name – Name of private key file stored on the TFTP server.
◆ Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
◆ Confirm Password – Re-type the string entered in the previous field to ensure no errors were made. The switch will not download the certificate if these two fields do not match.
Configuring the Secure Shell
The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.

3. Import Client’s Public Key to the Switch – See “Importing User Public Keys” on page 276 to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 255.) The clients are subsequently authenticated using these keys.

the signature is correct. If both checks succeed, the client is authenticated.

Note: The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.

Note: The SSH server can be accessed using any configured IPv4 or IPv6 interface address on the switch.

Figure 172: Configuring the SSH Server

Generating the Host Key Pair
Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section “Importing User Public Keys” on page 276.

4. Select the host-key type from the drop-down box.
5. Click Apply.

Figure 173: Generating the SSH Host Key Pair

To display or clear the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Show from the Action list.
4. Select the option to save the host key from memory to flash by clicking Save, or select the host-key type to clear and click Clear.

“Configuring User Accounts” on page 255).
◆ User Key Type – The type of public key to upload.
■ RSA: The switch accepts an RSA encrypted public key. The SSH server uses RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. The switch uses only RSA for SSHv2 clients.
To display or clear the SSH user’s public key:
1. Click Security, SSH.
2. Select Configure User Key from the Step list.
3. Select Show from the Action list.
4. Select a user from the User Name list.
5. Select the host-key type to clear.
6. Click Clear.

Access Control Lists

Command Usage
The following restrictions apply to ACLs:
◆ The maximum number of ACLs is 256.
◆ The maximum number of rules per system is 512 rules.
◆ An ACL can have up to 128 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.

3. If the result of checking an IP ACL is to permit a packet, but the result of a MAC ACL on the same packet is to deny it, the packet will be denied (because the decision to deny a packet has a higher priority for security reasons). A packet will also be denied if the IP ACL denies it and the MAC ACL accepts it.

Figure 177: Showing TCAM Utilization

Setting the ACL Name and Type
Use the Security > ACL (Configure ACL - Add) page to create an ACL.

Parameters
These parameters are displayed:
◆ ACL Name – Name of the ACL. (Maximum length: 32 characters)
◆ Type – The following filter modes are supported:
■ IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address.

■ MAC – MAC ACL mode filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).
■ ARP – ARP ACL specifies static IP-to-MAC address bindings used for ARP inspection (see “ARP Inspection” on page 325).

Web Interface
To configure the name and type of an ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add from the Action list.
4.

Figure 179: Showing a List of ACLs

Configuring a Standard IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.

Web Interface
To add rules to an IPv4 Standard ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IP Standard from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or IP).
8. If you select “Host,” enter a specific address.

◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Source/Destination Address Type – Specifies the source or destination IP address type. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and Subnet Mask fields.
◆ Service Type – Packet priority settings based on the following criteria:
■ Precedence – IP precedence level. (Range: 0-7)
■ DSCP – DSCP priority level. (Range: 0-63)
◆ Time Range – Name of a time range.

Web Interface
To add rules to an IPv4 Extended ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IP Extended from the Type list.
5.

Figure 181: Configuring an Extended IPv4 ACL

Configuring a Standard IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL.

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.

Web Interface
To add rules to a Standard IPv6 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IPv6 Standard from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the source address type (Any, Host, or IPv6-prefix).
8. If you select “Host,” enter a specific address.

◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Source Address Type – Specifies the source IP address type. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IPv6-Prefix” to specify a range of addresses. (Options: Any, Host, IPv6-Prefix; Default: Any)
◆ Destination Address Type – Specifies the destination IP address type.

60 : Destination Options (RFC 2460)
◆ Time Range – Name of a time range.

Web Interface
To add rules to an Extended IPv6 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IPv6 Extended from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any or IPv6-prefix).
8.

Configuring a MAC ACL
Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.

Web Interface
To add rules to a MAC ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select MAC from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or MAC).
8. If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66).
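The following added example (not switch code) ties together three points from this section: the Any / Host / address-plus-mask address types used by the Standard IPv4 and MAC ACL rules, first-match evaluation of an ordered rule list, and the Command Usage rule that a packet is denied whenever either the bound IP ACL or the bound MAC ACL denies it. Two behaviours are assumptions, marked in the code: a packet matching no rule is treated as denied, and a port with no ACL of a given type bound is treated as permitting that check. Addresses and masks are constructed.

```python
"""Ordered ACL matching with the page's IP/MAC combination rule.
Added example, not switch code; addresses are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    addr_type: str                  # "Any", "Host", or "IP"/"MAC" (address plus mask)
    address: Optional[str] = None
    mask: Optional[str] = None      # subnet mask (IP) or hexadecimal bit mask (MAC)


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def rule_matches(rule: Rule, value: str, kind: str) -> bool:
    """kind is 'ip' or 'mac'. Host compares the full address; IP/MAC applies the mask."""
    if rule.addr_type == "Any":
        return True
    if kind == "ip":
        v = int(ipaddress.IPv4Address(value))
        a = int(ipaddress.IPv4Address(rule.address))
        m = int(ipaddress.IPv4Address(rule.mask)) if rule.mask else 0xFFFFFFFF
    else:
        v, a = mac_to_int(value), mac_to_int(rule.address)
        m = mac_to_int(rule.mask) if rule.mask else 0xFFFFFFFFFFFF
    if rule.addr_type == "Host":
        return v == a
    return (v & m) == (a & m)       # one bits in the mask are the bits that must match


def evaluate(rules: List[Rule], value: str, kind: str) -> str:
    """First matching rule wins. A packet matching no rule is denied (assumption)."""
    for rule in rules:
        if rule_matches(rule, value, kind):
            return rule.action
    return "deny"


def forward_decision(ip_acl: Optional[List[Rule]], mac_acl: Optional[List[Rule]],
                     src_ip: str, src_mac: str) -> str:
    """Page rule: deny if either ACL denies; permit only when both permit.
    An unbound ACL (None) is treated as permitting (assumption)."""
    ip_result = evaluate(ip_acl, src_ip, "ip") if ip_acl is not None else "permit"
    mac_result = evaluate(mac_acl, src_mac, "mac") if mac_acl is not None else "permit"
    return "permit" if ip_result == "permit" and mac_result == "permit" else "deny"
```

Rule order matters: a host-specific deny placed after a subnet permit never fires, which is the usual cause of an ACL that "does not work" when the rules themselves look right.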
Configuring an ARP ACL
Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see “Configuring Global Settings for ARP Inspection” on page 326).

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.

5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the packet type (Request, Response, All).
8. Select the address type (Any, Host, or IP).
9. If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “IP,” enter a base address and a hexadecimal bit mask for an address range.
10. Enable logging if required.
11. Click Apply.

◆ Counter – Enables counter for ACL statistics.

Web Interface
To bind an ACL to a port:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Select IP, MAC or IPv6 from the Type options.
5. Select a port.
6. Select the name of an ACL from the ACL list.
7. Click Apply.

◆ Direction – Displays statistics for ingress or egress traffic.
◆ Query – Displays statistics for selected criteria.
◆ ACL Name – The ACL bound to this port.
◆ Action – Shows if action is to permit or deny specified packets.
◆ Rules – Shows the rules for the ACL bound to this port.
◆ Time-Range – Name of a time range.
◆ Hit – Shows the number of packets matching this ACL.
◆ Clear Counter – Clears the hit counter for the specified ACL.

Filtering IP Addresses for Management Access
Use the Security > IP Filter page to create a list of up to 15 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.

Command Usage
◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.

Web Interface
To create a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Add from the Action list.
3. Select the management interface to filter (Web, SNMP, Telnet, All).
4. Enter the IP addresses or range of addresses that are allowed management access to an interface.
5.
Configuring Port Security
Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.

Parameters
These parameters are displayed:
◆ Port – Port identifier.
◆ Security Status – Enables or disables port security on a port. (Default: Disabled)
◆ Port Status – The operational status:
■ Secure/Down – Port security is disabled.
■ Secure/Up – Port security is enabled.
■ Shutdown – Port is shut down due to a response to a port security violation.

Web Interface
To configure port security:
1. Click Security, Port Security.
2. Mark the check box in the Security Status column to enable security, set the action to take when an invalid address is detected on a port, and set the maximum number of MAC addresses allowed on the port.
3. Click Apply.

Figure 190: Configuring Port Security

Configuring 802.
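The following added example (not switch code) models a single secured port as described above: with security disabled the port learns freely, with security enabled it learns up to the configured maximum and then treats any further unknown source address as a violation, and the Port Status moves to Shutdown when the configured violation action is a shutdown. The page names the Secure/Down, Secure/Up and Shutdown states; the action names "none" and "shutdown" and the MAC addresses are constructed for the example, and it is assumed that frames from an unlearned address on a full port are dropped.

```python
"""Per-port MAC learning limit and violation handling.
Added example modelled on the Security > Port Security parameters; not switch code."""

from dataclasses import dataclass, field
from typing import Set


@dataclass
class SecurePort:
    enabled: bool = False
    max_addresses: int = 1
    action: str = "none"            # violation action; "none" / "shutdown" are constructed names
    learned: Set[str] = field(default_factory=set)
    status: str = "Secure/Down"     # Secure/Down, Secure/Up or Shutdown, as on the page
    violations: int = 0

    def enable(self, max_addresses: int, action: str) -> None:
        if max_addresses < 1:
            raise ValueError("maximum MAC count must be at least 1")
        if action not in ("none", "shutdown"):
            raise ValueError(f"unknown violation action {action!r}")
        self.enabled = True
        self.max_addresses = max_addresses
        self.action = action
        self.status = "Secure/Up"

    def frame_from(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame received with this source address."""
        if self.status == "Shutdown":
            return "drop"                       # a shut-down port passes nothing
        if not self.enabled:
            self.learned.add(src_mac)           # ordinary dynamic learning, no limit
            return "forward"
        if src_mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_addresses:
            self.learned.add(src_mac)           # still below the configured maximum
            return "forward"
        # Maximum reached: the switch stops learning, so this address is invalid.
        self.violations += 1
        if self.action == "shutdown":
            self.status = "Shutdown"
        return "drop"                           # assumption: unlearned addresses are not forwarded
```

With the action set to "none" the port stays Secure/Up and simply keeps dropping the extra addresses; with "shutdown" a single unexpected device takes the whole port down, including the already-learned hosts, which is worth keeping in mind when choosing a maximum count for ports behind unmanaged hubs or phones with PC pass-through.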
Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network.

Configuring 802.1X Global Settings
Use the Security > Port Authentication (Configure Global) page to configure IEEE 802.1X port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.

Parameters
These parameters are displayed:
◆ System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled)
◆ Default – Sets all configurable 802.

◆ This switch can be configured to serve as the authenticator on selected ports by setting the Control Mode to Auto on this configuration page, and as a supplicant on other ports by setting the control mode to Force-Authorized on this page and enabling the PAE supplicant on the Supplicant configuration page.

Parameters
These parameters are displayed:
◆ Port – Port number.

◆ Max Count – The maximum number of hosts that can connect to a port when the Multi-Host operation mode is selected. (Range: 1-1024; Default: 5)
◆ Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.

■ Guest VLAN – All traffic for the port is assigned to a guest VLAN. The guest VLAN must be separately configured (see “Configuring VLAN Groups” on page 151) and mapped on each port (see “Configuring Network Access for Ports” on page 263).

Supplicant List
◆ Supplicant – MAC address of authorized client.
Chapter 12 | Security Measures Configuring 802.1X Port Authentication Figure 193: Configuring Interface Settings for 802.1X Port Authenticator Displaying Use the Security > Port Authentication (Show Statistics) page to display statistics for 802.1X Statistics dot1x protocol exchanges for any port. Parameters These parameters are displayed: Table 17: 802.1X Statistics Parameter Description Authenticator Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator.
Chapter 12 | Security Measures Configuring 802.1X Port Authentication Table 17: 802.1X Statistics (Continued) Parameter Description Rx EAP Resp/Id The number of EAP Resp/Id frames that have been received by this Authenticator. Rx EAP Resp/Oth The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator. Rx EAP LenError The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid.
Chapter 12 | Security Measures DoS Protection Web Interface To display port authenticator statistics for 802.1X: 1. Click Security, Port Authentication. 2. Select Show Statistics from the Step list. Figure 194: Showing Statistics for 802.1X Port Authenticator DoS Protection Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource.
victim. The victim should crash due to the many interrupts required to send ICMP Echo response packets. (Default: Disabled)
◆ TCP Flooding Attack – Attacks in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed source IP) to a target and never returns ACK packets. These half-open connections will bind resources on the target, and no new connections can be made, resulting in a denial of service.

◆ WinNuke Attack Rate – Maximum allowed rate. (Range: 64-2000 kbits/second; Default: 1000 kbits/second)
Web Interface
To protect against DoS attacks:
1. Click Security, DoS Protection.
2. Enable protection for specific DoS attacks, and set the maximum allowed rate as required.
3.

DHCP Snooping
messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped.
◆ Table entries are only learned for trusted interfaces. An entry is added to or removed from the DHCP snooping table dynamically when a client receives or releases an IP address from a DHCP server. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier.

■ Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place.
DHCP Snooping Global Configuration
Use the Security > DHCP Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification.
Parameters
These parameters are displayed:
General
◆ DHCP Snooping Status – Enables DHCP snooping globally. (Default: Disabled)
◆ DHCP Snooping MAC-Address Verification – Enables or disables MAC address verification.

◆ DHCP Snooping Information Option TR101 Board ID – Sets the board identifier used in Option 82 information based on TR-101 syntax. (Range: 0-9; Default: undefined)
◆ DHCP Snooping Information Option Policy – Specifies how to handle DHCP client request packets which already contain Option 82 information.
■ Drop – Drops the client’s request packet instead of relaying it.

DHCP Snooping VLAN Configuration
Use the Security > DHCP Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.
Command Usage
◆ When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.

Configuring Ports for DHCP Snooping
Use the Security > DHCP Snooping (Configure Interface) page to configure switch ports as trusted or untrusted.
Command Usage
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.

4. Specify the mode used for sending circuit ID information, and an arbitrary string if required.
5. Click Apply.
Figure 198: Configuring the Port Mode for DHCP Snooping

Displaying DHCP Snooping Binding Information
Use the Security > DHCP Snooping (Show Information) page to display entries in the binding table.
Parameters
These parameters are displayed:
◆ MAC Address – Physical address associated with the entry.

Web Interface
To display the binding table for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Show Information from the Step list.
3. Use the Store or Clear function if required.
IPv4 Source Guard
VLAN ID, source IP address, and port number against all entries in the binding table. Use the SIP-MAC option to check these same parameters, plus the source MAC address. If no matching entry is found, the packet is dropped.
Note: Multicast addresses cannot be used by IP Source Guard.

■ SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table.
◆ Filter Table – Sets the source guard learning model to search for addresses in the ACL binding table or the MAC address binding table. (Default: ACL binding table)
◆ Max Binding Entry – The maximum number of entries that can be bound to an interface.

◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table.
◆ An entry with the same MAC address and a different VLAN ID cannot be added to the binding table.

◆ VLAN – ID of a configured VLAN or a range of VLANs. (Range: 1-4094)
◆ IP Address – A valid unicast IP address, including classful types A, B or C.
◆ Port – The port to which a static entry is bound. Specify a physical port number or list of port numbers. Separate nonconsecutive port numbers with a comma and no spaces, or use a hyphen to designate a range of port numbers.

3. Select Show from the Action list.
Figure 202: Displaying Static Bindings for IPv4 Source Guard

Displaying Information for Dynamic IPv4 Source Guard Bindings
Use the Security > IP Source Guard > Dynamic Binding page to display the source guard binding table for a selected interface.
Parameters
These parameters are displayed:
Query by
◆ Port – A port on this switch.

Figure 203: Showing the IPv4 Source Guard Binding Table

ARP Inspection
ARP Inspection is a security feature that validates the MAC address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks.
■ If ARP Inspection is disabled globally, then it becomes inactive for all VLANs, including those where inspection is enabled.
■ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets.
■ Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration of any VLANs.

ARP Inspection Logging
◆ By default, logging is active for ARP Inspection, and cannot be disabled.
◆ The administrator can configure the log facility rate.
◆ When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis. After the system message is generated, the entry is cleared from the log buffer.

Web Interface
To configure global settings for ARP Inspection:
1. Click Security, ARP Inspection.
2. Select Configure General from the Step list.
3. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required.
4. Click Apply.

◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity.
Parameters
These parameters are displayed:
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ DAI Status – Enables Dynamic ARP Inspection for the selected VLAN. (Default: Disabled)
◆ ACL Name – Allows selection of any configured ARP ACLs.
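The binding-table logic that the DHCP Snooping, IPv4 Source Guard and ARP Inspection sections describe, as an added example that is not part of the manual or the switch firmware: a Python model (all class names, port numbers, addresses and sample packets are constructed) of how DHCP snooping populates the table from trusted ports, and how IPv4 Source Guard (SIP and SIP-MAC) and Dynamic ARP Inspection then consult it.

```python
"""Added example, not from the Edgecore manual or its firmware: a model of the
binding table that DHCP snooping builds and that IPv4 Source Guard and ARP
Inspection consult.  Every name and sample packet here is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:                     # the fields the manual lists per entry
    mac: str
    ip: str
    vlan: int
    port: int
    lease: int


@dataclass
class Packet:                      # constructed stand-in for a received frame
    port: int
    vlan: int
    src_mac: str
    src_ip: str
    proto: str                     # "dhcp-server", "dhcp-release", "arp", "ip"
    chaddr: str = ""               # DHCP: client hardware address field
    yiaddr: str = ""               # DHCP ACK: address assigned to the client
    client_port: int = 0           # DHCP ACK: port the client sits behind


class SnoopingSwitch:
    def __init__(self, trusted_ports, snooping_vlans, dai_vlans, mac_verify=True):
        self.trusted = set(trusted_ports)
        self.snooping_vlans = set(snooping_vlans)
        self.dai_vlans = set(dai_vlans)
        self.mac_verify = mac_verify
        self.bindings = {}          # client MAC -> Binding
        self.source_guard = {}      # port -> "SIP" or "SIP-MAC"
        self.log = []               # ARP Inspection log buffer

    def add_binding(self, b: Binding) -> bool:
        """Refuse a second VLAN for a MAC that already has an entry."""
        old = self.bindings.get(b.mac)
        if old is not None and old.vlan != b.vlan:
            return False
        self.bindings[b.mac] = b
        return True

    def dhcp(self, p: Packet) -> str:
        """Learn from trusted ports; filter DHCP arriving on untrusted ports."""
        if p.vlan not in self.snooping_vlans:
            return "forward"                    # snooping not enabled on this VLAN
        if p.port in self.trusted:
            if p.proto == "dhcp-server" and p.yiaddr:   # ACK: record the lease
                self.add_binding(Binding(p.chaddr, p.yiaddr, p.vlan, p.client_port, 3600))
            return "forward"
        if p.proto == "dhcp-server":
            return "drop:server-reply-on-untrusted-port"
        if self.mac_verify and p.chaddr != p.src_mac:
            return "drop:chaddr-mismatch"       # MAC-Address Verification
        if p.proto == "dhcp-release":
            b = self.bindings.get(p.src_mac)
            if b is None or (b.port, b.vlan) != (p.port, p.vlan):
                return "drop:no-binding"        # sender not in the snooping table
            del self.bindings[p.src_mac]        # lease released, entry removed
        return "forward"

    def ip_source_guard(self, p: Packet) -> str:
        """SIP checks VLAN, source IP and port; SIP-MAC adds the source MAC."""
        mode = self.source_guard.get(p.port)
        if mode is None:
            return "forward"
        for b in self.bindings.values():
            if (b.vlan, b.ip, b.port) != (p.vlan, p.src_ip, p.port):
                continue
            if mode == "SIP-MAC" and b.mac != p.src_mac:
                continue
            return "forward"
        return "drop:no-binding"

    def arp_inspection(self, p: Packet, sender_mac: str, sender_ip: str) -> str:
        """Validate the ARP sender pair on untrusted ports of DAI-enabled VLANs."""
        if p.vlan not in self.dai_vlans or p.port in self.trusted:
            return "forward"
        b = self.bindings.get(sender_mac)
        if b is not None and b.ip == sender_ip and b.vlan == p.vlan:
            return "forward"
        self.log.append(f"vlan={p.vlan} port={p.port} sender={sender_mac}/{sender_ip}")
        return "drop:invalid-binding"


def demo() -> dict:
    """Run the three checks over constructed traffic and return each verdict."""
    sw = SnoopingSwitch(trusted_ports={24}, snooping_vlans={10}, dai_vlans={10})
    sw.source_guard[3] = "SIP-MAC"
    client, out = "aa:bb:cc:00:00:03", {}
    # server ACK on trusted port 24 for the client behind port 3: binding learned
    out["ack"] = sw.dhcp(Packet(24, 10, "00:11:22:33:44:01", "10.0.10.1", "dhcp-server",
                                chaddr=client, yiaddr="10.0.10.53", client_port=3))
    # a server reply arriving on untrusted port 5 is not relayed
    out["rogue"] = sw.dhcp(Packet(5, 10, "00:11:22:33:44:99", "10.0.10.99",
                                  "dhcp-server", chaddr=client, yiaddr="10.0.10.77"))
    # client traffic matching its binding passes; the gateway address as source does not
    out["good_ip"] = sw.ip_source_guard(Packet(3, 10, client, "10.0.10.53", "ip"))
    out["spoof_ip"] = sw.ip_source_guard(Packet(3, 10, client, "10.0.10.1", "ip"))
    # ARP sender pair matching the binding passes; a mismatched pair is dropped and logged
    arp = Packet(3, 10, client, "10.0.10.53", "arp")
    out["arp_ok"] = sw.arp_inspection(arp, client, "10.0.10.53")
    out["arp_bad"] = sw.arp_inspection(arp, client, "10.0.10.1")
    out["log_entries"] = len(sw.log)
    return out
```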
Configuring Interface Settings for ARP Inspection
Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.
Parameters
These parameters are displayed:
◆ Interface – Port or trunk identifier.
◆ Trust Status – Configures the port as trusted or untrusted.

Displaying ARP Inspection Statistics
Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.
Parameters
These parameters are displayed:
Table 18: ARP Inspection Statistics
Received ARP packets before ARP inspection rate limit – Count of ARP packets received but not exceeding the ARP Inspection rate limit.

Figure 207: Displaying Statistics for ARP Inspection

Displaying the ARP Inspection Log
Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.
Parameters
These parameters are displayed:
Table 19: ARP Inspection Log
VLAN ID – The VLAN where this packet was seen.
Port – The port where this packet was seen.
Src.

Figure 208: Displaying the ARP Inspection Log
13 Basic Administration Protocols
This chapter describes basic administration tasks including:
◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).

Chapter 13 | Basic Administration Protocols Configuring Event Logging

Configuring Event Logging
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and displays a list of recent event messages.

System Log Configuration
Use the Administration > Log > System (Configure Global) page to enable or disable event logging, and specify which levels are logged to RAM or flash memory.

◆ RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)
Note: The Flash Level must be equal to or less than the RAM Level.
Note: All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).

3. Click RAM to display log messages stored in system memory, or Flash to display messages stored in flash memory.
This page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.

◆ Server IP Address – Specifies the IPv4 or IPv6 address of a remote server which will be sent syslog messages.
◆ Port – Specifies the UDP port number used by the remote server. (Range: 1-65535; Default: 514)
Web Interface
To configure the logging of error messages to remote servers:
1. Click Administration, Log, Remote.
2. Enable remote logging and specify the facility type to use for the syslog messages.

◆ Email Source Address – Sets the email address used for the “From” field in alert messages. You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. (Range: 1-41 characters)
◆ Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients.
Link Layer Discovery Protocol
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.

increase the probability that multiple changes, rather than single changes, are reported in each transmission. This attribute must comply with the rule: (4 * Delay Interval) Transmission Interval
◆ Reinitialization Delay – Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down.

Figure 213: Configuring LLDP Timing Attributes

Configuring LLDP Interface Attributes
Use the Administration > LLDP (Configure Interface - Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.

◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages.
■ Management Address – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.

■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “IEEE 802.1Q VLANs” on page 149). (Default: Enabled)
■ VLAN Name – The name of all VLANs to which this interface has been assigned (see “IEEE 802.1Q VLANs” on page 149).

◆ MED-Location Civic Address – Configures information for the location of the attached device included in the MED TLV field of advertised messages, including the country and the device type.
■ Country – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US)
■ Device entry refers to – The type of device to which the location applies:
■ Location of DHCP server.

Figure 214: Configuring LLDP Interface Attributes

Configuring LLDP Interface
Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.

Table 21: LLDP MED Location CA Types (Continued)
CA Type | Description | CA Value Example
21 | Landmark or vanity address | Tech Center
26 | Unit (apartment, suite) | Apt 519
27 | Floor | 5
28 | Room | 509B
Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.

To show the physical location of the attached device:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Select Show CA-Type from the Action list.
4. Select an interface from the Port or Trunk list.

◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
◆ System Name – A string that indicates the system’s administratively assigned name (see “Displaying System Information” on page 64).
◆ System Description – A textual description of the network entity. This field is also displayed by the show system command.

◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV.
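The TLV encoding and the Chassis ID / Port ID subtypes described above, as an added example that is not part of the manual: a Python parser for an LLDPDU, run over a hand-constructed neighbor advertisement (the MAC address, port name and system name are made up). It also rejects the malformed PDUs a receiver must discard rather than trust.

```python
"""Added example, not from the Edgecore manual: a parser for the TLV format in
which LLDP advertises neighbor information (IEEE 802.1AB).  Each TLV has a
16-bit header: 7-bit type, 9-bit length, then the value.  The LLDPDU at the
bottom is constructed by hand for illustration."""
import struct

END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYSTEM_NAME, SYSTEM_DESC = range(7)
# ID subtypes per 802.1AB (the manual's "Chassis ID Type" / "Port ID Type")
CHASSIS_SUBTYPE = {1: "chassis-component", 2: "interface-alias", 3: "port-component",
                   4: "mac-address", 5: "network-address", 6: "interface-name",
                   7: "local"}
PORT_SUBTYPE = {1: "interface-alias", 2: "port-component", 3: "mac-address",
                4: "network-address", 5: "interface-name", 6: "agent-circuit-id",
                7: "local"}


def split_tlvs(pdu: bytes) -> list:
    """Return [(type, value), ...]; reject truncated or unterminated PDUs."""
    tlvs, off = [], 0
    while off + 2 <= len(pdu):
        hdr, = struct.unpack_from("!H", pdu, off)
        ttype, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(pdu):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        tlvs.append((ttype, pdu[off:off + length]))
        off += length
        if ttype == END:
            if length != 0:
                raise ValueError("End-of-LLDPDU TLV must have length 0")
            return tlvs                  # bytes after the end marker are padding
    raise ValueError("LLDPDU has no End-of-LLDPDU TLV")


def _decode_id(value: bytes, subtypes: dict) -> tuple:
    """Split an ID TLV into (subtype name, printable identifier)."""
    if len(value) < 2:
        raise ValueError("ID TLV too short")
    subtype, body = value[0], value[1:]
    name = subtypes.get(subtype, f"reserved-{subtype}")
    if name == "mac-address":
        if len(body) != 6:
            raise ValueError("MAC subtype needs a 6-byte value")
        return name, ":".join(f"{b:02x}" for b in body)
    return name, body.decode("utf-8", errors="replace")


def parse_lldpdu(pdu: bytes) -> dict:
    """Decode the mandatory TLVs and the optional basic ones the manual shows."""
    tlvs = split_tlvs(pdu)
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("Chassis ID, Port ID and TTL must come first, in that order")
    info = {}
    for ttype, value in tlvs:
        if ttype == CHASSIS_ID:
            info["chassis_id_type"], info["chassis_id"] = _decode_id(value, CHASSIS_SUBTYPE)
        elif ttype == PORT_ID:
            info["port_id_type"], info["port_id"] = _decode_id(value, PORT_SUBTYPE)
        elif ttype == TTL:
            if len(value) != 2:
                raise ValueError("TTL TLV must be 2 bytes")
            info["ttl"] = struct.unpack("!H", value)[0]   # seconds to keep the neighbor
        elif ttype == PORT_DESC:
            info["port_description"] = value.decode("utf-8", errors="replace")
        elif ttype == SYSTEM_NAME:
            info["system_name"] = value.decode("utf-8", errors="replace")
        elif ttype == SYSTEM_DESC:
            info["system_description"] = value.decode("utf-8", errors="replace")
    return info


def tlv(ttype: int, value: bytes) -> bytes:
    """Encode one TLV (used here only to build the constructed sample below)."""
    if not 0 <= len(value) <= 0x1FF:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (ttype << 9) | len(value)) + value


# Constructed neighbor advertisement: MAC chassis ID, interface-name port ID,
# 120-second TTL, a system name, and the mandatory end marker.
SAMPLE_LLDPDU = (tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("001122334455"))
                 + tlv(PORT_ID, b"\x05" + b"eth24")
                 + tlv(TTL, struct.pack("!H", 120))
                 + tlv(SYSTEM_NAME, b"constructed-neighbor")
                 + tlv(END, b""))


def check_lldpdu(pdu: bytes) -> str:
    """'ok' when the PDU parses, otherwise the reason it would be discarded."""
    try:
        parse_lldpdu(pdu)
        return "ok"
    except ValueError as err:
        return str(err)
```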
Figure 217: Displaying Local Device Information for LLDP (General)
Figure 218: Displaying Local Device Information for LLDP (Port)
Figure 219: Displaying Local Device Information for LLDP (Port Details)

Displaying LLDP Remote Device Information
Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.

◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 23, "System Capabilities," on page 350.)
◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 23, "System Capabilities," on page 350.)
◆ Management Address List – The management addresses for this device.

Table 25: Remote Port Auto-Negotiation Advertised Capability (Continued)
Bit – Capability
5 – 100BASE-TX full duplex mode
6 – 100BASE-T2 half duplex mode
7 – 100BASE-T2 full duplex mode
8 – PAUSE for full-duplex links
9 – Asymmetric PAUSE for full-duplex links
10 – Symmetric PAUSE for full-duplex links
11 – Asymmetric and Symmetric PAUSE for full-duplex links
12 – 1000BASE-X, -LX, -SX, -CX half duplex mode
13 – 1000BASE-X, -LX, -SX, -

Port Details – 802.3 Extension Trunk Information
◆ Remote Link Aggregation Capable – Shows if the remote port is not in link aggregation state and/or it does not support link aggregation.
◆ Remote Link Aggregation Status – The current aggregation status of the link.
◆ Remote Link Port ID – This object contains the IEEE 802.3 aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.

Port Details – Network Policy
◆ Application Type – The primary application(s) defined for this network policy:
■ Voice
■ Voice Signaling
■ Guest Signaling
■ Guest Voice Signaling
■ Softphone Voice
■ Video Conferencing
■ Streaming Video
■ Video Signaling
◆ Tagged Flag – Indicates whether the specified application type is using a tagged or untagged VLAN.

■ ECS ELIN – Emergency Call Service Emergency Location Identification Number supports traditional PSAP-based Emergency Call Service in North America.
◆ Country Code – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US)
◆ What – The type of device to which the location applies as described for the field entry “Device entry refers to” under “Configuring LLDP Interface Attributes.

Web Interface
To display LLDP information for a remote port:
1. Click Administration, LLDP.
2. Select Show Remote Device Information from the Step list.
3. Select Port, Port Details, Trunk, or Trunk Details.
4. When the next page opens, select a port on this switch and the index for a remote device attached to this port.
5. Click Query.

Figure 221: Displaying Remote Device Information for LLDP (Port Details)

Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure.
Figure 222: Displaying Remote Device Information for LLDP (End Node)

Displaying Device Statistics
Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.

◆ Neighbor Entries Dropped Count – The number of times which the remote database on this switch dropped an LLDPDU because of insufficient resources.
◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.

Figure 223: Displaying LLDP Device Statistics (General)
Figure 224: Displaying LLDP Device Statistics (Port)
Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.

Table 26: SNMPv3 Security Models and Levels
Model | Level | Group | Read View | Write View | Notify View | Security
v1 | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v1 | noAuthNoPriv | private (read/write) | defaultview | defaultview | none | Community string only
v1 | noAuthNoPriv | user defined | user defined | user defined | user defined | Community string only
v2c | noAuthNoPriv | public (read only) | defau

3. Use the Administration > SNMP (Configure Engine) page to change the local engine ID. If you want to change the default engine ID, it must be changed before configuring other parameters.
4. Use the Administration > SNMP (Configure View) page to specify read and write access views for the switch MIB tree.
5. Use the Administration > SNMP (Configure User) page to configure SNMP user groups with the required security model (i.

Setting the Local Engine ID
Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
Specifying a Remote Engine ID
Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.

To show the remote SNMP engine IDs:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Show Remote Engine from the Action list.
Figure 228: Showing Remote Engine IDs for SNMP

Setting SNMPv3 Views
Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree.

Web Interface
To configure an SNMP view of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Add View from the Action list.
4. Enter a view name and specify the initial OID subtree in the switch’s MIB database to be included or excluded in the view. Use the Add OID Subtree page to add additional object identifier branches to the view.
5.

To add an object identifier to an existing SNMP view of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Add OID Subtree from the Action list.
4. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
5.

Configuring SNMPv3 Groups
Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.

Table 27: Supported Notification Messages
newRoot | 1.3.6.1.2.1.17.0.1 | The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange | 1.3.6.1.2.1.17.0.
Table 27: Supported Notification Messages (Continued)
swPowerStatusChangeTrap | 1.3.6.1.4.1.259.10.1.44.101.2.1.0.1 | This trap is sent when the power state changes.
swPortSecurityTrap | 1.3.6.1.4.1.259.10.1.44.101.2.1.0.36 | This trap is sent when an intrusion is detected on the port. This trap will only be sent when the portSecActionTrap is enabled.
swIpFilterRejectTrap | 1.3.6.1.4.1.259.10.1.44.101.2.1.0.
Table 27: Supported Notification Messages (Continued)
lbdRecoveryTrap | 1.3.6.1.4.1.259.10.1.44.101.2.1.0.142 | This trap is sent when a recovery is done by LBD.
sfpInsertTrap | 1.3.6.1.4.1.259.10.1.44.101.2.1.0.159 | This trap is sent when an SFP module is inserted.
sfpRemoveTrap | 1.3.6.1.4.1.259.10.1.44.101.2.1.0.160 | This trap is sent when an SFP module is removed.
sfpThresholdAlarmWarnTrap | 1.3.6.1.4.1.

Web Interface
To configure an SNMP group:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Enter a group name, assign a security model and level, and then select read, write, and notify views.
5. Click Apply.
Figure 233: Creating an SNMP Group
To show SNMP groups:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Setting Community Use the Administration > SNMP (Configure User - Add Community) page to Access Strings configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings. Parameters These parameters are displayed: ◆ Community String – A community string that acts like a password and permits access to the SNMP protocol.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To show the community access strings: 1. Click Administration, SNMP. 2. Select Configure User from the Step list. 3. Select Show Community from the Action list.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) ◆ Authentication Password – A minimum of eight plain text characters is required. (Range: 8-32 characters) ◆ Privacy Protocol – The encryption algorithm use for data privacy; only 56-bit DES is currently available.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 237: Configuring Local SNMPv3 Users To show local SNMPv3 users: 1. Click Administration, SNMP. 2. Select Configure User from the Step list. 3. Select Show SNMPv3 Local User from the Action list. Figure 238: Showing Local SNMPv3 Users To change a local SNMPv3 local user group: 1. Click Administration, SNMP. 2. Select Change SNMPv3 Local User Group from the Action list. 3. Select the User Name. 4.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol 5. Click Apply Figure 239: Changing a Local SNMPv3 User Group Configuring Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page Remote SNMPv3 Users to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) ◆ Authentication Password – A minimum of eight plain text characters is required. ◆ Privacy Protocol – The encryption algorithm use for data privacy; only 56-bit DES is currently available.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 240: Configuring Remote SNMPv3 Users To show remote SNMPv3 users: 1. Click Administration, SNMP. 2. Select Configure User from the Step list. 3. Select Show SNMPv3 Remote User from the Action list.
Specifying Trap Managers
Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
◆ Community String – Specifies a valid community string for the new trap manager entry. (Range: 1-32 characters, case sensitive) Although you can set this string in the Configure Trap – Add page, we recommend defining it in the Configure User – Add Community page.
◆ UDP Port – Specifies the UDP port number used by the trap manager.
◆ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)
■ Timeout – The number of seconds to wait for an acknowledgment before resending an inform message.
5.
To show configured trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Show from the Action list.
Figure 245: Showing Trap Managers
Creating SNMP Notification Logs
Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
◆ When a trap host is created using the Administration > SNMP (Configure Trap – Add) page described on page 384, a default notify filter will be created.
Parameters
These parameters are displayed:
◆ IP Address – The IPv4 or IPv6 address of a remote device. The specified target host must already have been configured using the Administration > SNMP (Configure Trap – Add) page. The notification log is stored locally.
Figure 247: Showing SNMP Notification Logs
Showing SNMP Statistics
Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.
Parameters
The following counters are displayed:
◆ SNMP packets input – The total number of messages delivered to the SNMP entity from the transport service.
◆ SNMP packets output – The total number of SNMP messages which were passed from the SNMP protocol entity to the transport service.
◆ Too big errors – The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “tooBig”.
Remote Monitoring
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
◆ Sample Type – Tests for absolute or relative changes in the specified variable.
■ Absolute – The variable is compared directly to the thresholds at the end of the sampling period.
■ Delta – The last sample is subtracted from the current value and the difference is then compared to the thresholds.
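As an added example (not code from this guide or the switch firmware), the following shows how an alarm with each Sample Type is evaluated against its rising and falling thresholds; the suppression of a repeated rising or falling event until the opposite threshold has been crossed follows RFC 2819 and is an assumption here, not something the page states.

```python
"""RMON alarm evaluation for the Absolute and Delta sample types.

Added example, not the switch's own code. Absolute compares the sampled value
itself to the thresholds; Delta subtracts the previous sample from the current
one and compares the difference. Event suppression (no second rising event
until a falling crossing, and vice versa) follows the RMON alarm rules of
RFC 2819 and is an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RmonAlarm:
    variable: str                       # monitored MIB variable, a label here
    sample_type: str                    # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    last_sample: Optional[int] = None   # previous raw value (Delta only)
    last_event: Optional[str] = None    # "rising", "falling" or None
    events: List[str] = field(default_factory=list)

    def sample(self, value: int) -> Optional[str]:
        """Feed one polled value; return the event it generates, if any."""
        if self.sample_type == "absolute":
            observed = value
        elif self.sample_type == "delta":
            if self.last_sample is None:
                # First Delta sample: nothing to subtract from, so no event.
                self.last_sample = value
                return None
            observed = value - self.last_sample
        else:
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        self.last_sample = value

        event = None
        if observed >= self.rising_threshold and self.last_event != "rising":
            event = "rising"
        elif observed <= self.falling_threshold and self.last_event != "falling":
            event = "falling"
        if event is not None:
            self.last_event = event
            self.events.append(event)
        return event


def run_alarm(alarm: RmonAlarm, samples: List[int]) -> List[Optional[str]]:
    """Replay a sequence of polled values and return the event per sample."""
    return [alarm.sample(v) for v in samples]


if __name__ == "__main__":
    # Constructed counter values: an error counter that climbs, then stalls.
    errors = RmonAlarm("ifInErrors", "delta", rising_threshold=10, falling_threshold=2)
    print(run_alarm(errors, [0, 5, 20, 40, 41, 60]))
```

A Delta alarm on a monotonically increasing error counter is the usual choice, since an Absolute alarm on such a counter would fire once and never fall back.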
Figure 249: Configuring an RMON Alarm
To show configured RMON alarms:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Alarm.
Configuring RMON Events
Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
Command Usage
◆ If an alarm is already defined for an index, the entry must be deleted before any changes can be made.
Web Interface
To configure an RMON event:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Click Event.
5. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
6.
Figure 252: Showing Configured RMON Events
Configuring RMON History Samples
Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors. A historical record of activity can be used to track down intermittent problems.
◆ Interval – The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds)
◆ Buckets – The number of buckets requested for this entry. (Range: 1-65536; Default: 8) The number of buckets granted is displayed on the Show page.
◆ Owner – Name of the person who created this entry. (Range: 1-32 characters)
Web Interface
To periodically sample statistics on a port:
1. Click Administration, RMON.
2.
4. Select a port from the list.
5. Click History.
Figure 254: Showing Configured RMON History Samples
To show collected RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click History.
Configuring RMON Statistical Samples
Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
Command Usage
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made.
Figure 256: Configuring an RMON Statistical Sample
To show configured RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click Statistics.
Figure 257: Showing Configured RMON Statistical Samples
To show collected RMON statistical samples:
1. Click Administration, RMON.
2.
Figure 258: Showing Collected RMON Statistical Samples
Switch Clustering
Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
◆ The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN:
1. Create VLAN 4093 (see “Configuring VLAN Groups” on page 151).
2. Add the participating ports to this VLAN (see “Adding Static Members to VLANs” on page 154), and set them to hybrid mode, tagged members, PVID = 1, and acceptable frame type = all.
Web Interface
To configure a switch cluster:
1. Click Administration, Cluster.
2. Select Configure Global from the Step list.
3. Set the required attributes for a Commander or a managed candidate.
4. Click Apply.
Figure 259: Configuring a Switch Cluster
Cluster Member Configuration
Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members.
Web Interface
To configure cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Add from the Action list.
4. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
5. Click Apply.
Figure 260: Configuring Cluster Members
To show the cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3.
To show cluster candidates:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Show Candidate from the Action list.
Figure 262: Showing Cluster Candidates
Managing Cluster Members
Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.
Parameters
These parameters are displayed:
◆ Member ID – The ID number of the Member switch.
Web Interface
To manage a cluster member:
1. Click Administration, Cluster.
2. Select Show Member from the Step list.
3. Select an entry from the Cluster Member List.
4. Click Operate.
Figure 263: Managing a Cluster Member
Setting a Time Range
Use the Administration > Time Range page to set a time range during which various functions are applied, including ACLs or PoE.
◆ Mode
■ Absolute – Specifies a specific time or time range.
■ Start/End – Specifies the hours, minutes, month, day, and year at which to start or end.
■ Periodic – Specifies a periodic interval.
■ Start/To – Specifies the days of the week, hours, and minutes at which to start or end.
Web Interface
To configure a time range:
1. Click Administration, Time Range.
2. Select Add from the Action list.
3. Enter the name of a time range.
4.
To configure a rule for a time range:
1. Click Administration, Time Range.
2. Select Add Rule from the Action list.
3. Select the name of the time range from the drop-down list.
4. Select a mode option of Absolute or Periodic.
5. Fill in the required parameters for the selected mode.
6. Click Apply.
Figure 266: Add a Rule to a Time Range
To show the rules configured for a time range:
1. Click Administration, Time Range.
2.
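The following added example (not code from this guide or the switch) evaluates a time range built from Absolute and Periodic rules, so the window in which a bound ACL or PoE setting would be active can be checked offline before the rule is applied. It assumes that a range is active when any one of its rules matches, and that a Periodic window whose Start is later than its To spans midnight.

```python
"""Evaluating a time range built from Absolute and Periodic rules.

Added example, not the switch's own code: it answers whether a given moment
lies inside a time range, the question the switch asks before applying an
ACL or PoE setting bound to that range. Two assumptions: a range is active
when any one of its rules matches, and a periodic window whose Start is
later than its To (22:00 to 02:00) spans midnight into the next day.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set, Union


@dataclass
class AbsoluteRule:
    """Start/End: a specific moment or bounded span; None means unbounded."""
    start: Optional[datetime] = None
    end: Optional[datetime] = None

    def matches(self, when: datetime) -> bool:
        if self.start is not None and when < self.start:
            return False
        if self.end is not None and when > self.end:
            return False
        return True


@dataclass
class PeriodicRule:
    """Start/To: days of the week plus hours and minutes at which to start/end."""
    days: Set[int]          # datetime.weekday() numbering: 0 = Monday ... 6 = Sunday
    start: time
    to: time

    def matches(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.to:
            return when.weekday() in self.days and self.start <= t < self.to
        # Window spans midnight: the part after 00:00 belongs to the Start day.
        if when.weekday() in self.days and t >= self.start:
            return True
        previous_day = (when.weekday() - 1) % 7
        return previous_day in self.days and t < self.to


@dataclass
class TimeRange:
    name: str
    rules: List[Union[AbsoluteRule, PeriodicRule]]

    def is_active(self, when: datetime) -> bool:
        return any(rule.matches(when) for rule in self.rules)


def is_active_at(time_range: TimeRange, iso_moment: str) -> bool:
    """Convenience wrapper taking an ISO 8601 timestamp such as '2021-01-20T09:30'."""
    return time_range.is_active(datetime.fromisoformat(iso_moment))


WEEKDAYS = {0, 1, 2, 3, 4}

# Constructed sample ranges: an office-hours window for a user ACL, a
# Friday-night maintenance window that crosses midnight, and a fixed month.
OFFICE_HOURS = TimeRange("office-hours", [PeriodicRule(WEEKDAYS, time(8, 0), time(18, 0))])
FRIDAY_NIGHT = TimeRange("friday-maint", [PeriodicRule({4}, time(22, 0), time(2, 0))])
JANUARY_2021 = TimeRange("jan-2021",
                         [AbsoluteRule(datetime(2021, 1, 1), datetime(2021, 1, 31, 23, 59))])

if __name__ == "__main__":
    for rng in (OFFICE_HOURS, FRIDAY_NIGHT, JANUARY_2021):
        print(rng.name, is_active_at(rng, "2021-01-23T01:00"))   # a Saturday, 01:00
```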
LBD Configuration
The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When loopback detection (LBD) is enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
If the recover time is not enabled (checkbox unmarked), all ports placed in shutdown state can be restored to operation using the Release button. To restore a specific port, re-enable Admin status on the Configure Interface page. The recover time is the maximum time after a loop is detected at which recovery is triggered. The actual interval between detection and recovery will be less than or equal to the recover time.
Web Interface
To configure global settings for LBD:
1. Click Administration, LBD, Configure Global.
2. Make the required configuration changes.
3. Click Apply.
Figure 268: Configuring Global Settings for LBD
Configuring Interface Settings for LBD
Use the Administration > LBD (Configure Interface) page to enable loopback detection on an interface, to display the loopback operational state, and the VLANs which are looped back.
Figure 269: Configuring Interface Settings for LBD
Smart Pair Configuration
A Smart Pair consists of two ports which are paired to provide layer 2 link redundancy. The pair consists of a primary port and a backup port. All traffic is forwarded through the primary port and the backup port will be set to standby. If the primary port link goes down, the backup port is activated and all traffic is forwarded through it.
Configuring the Smart Pair Global Settings
Use the Administration > Smart Pair (Configure Global) page to create a Smart Pair ID. The Smart Pair ID will be used to specify two ports that are the primary and secondary members of the Smart Pair.
Parameters
These parameters are displayed:
◆ Smart Pair ID – Specifies a Smart Pair on the switch. (Default: None, Range: 11000 IDs can be specified.)
◆ WTR Delay – Sets the wait-to-restore delay for a Smart Pair in seconds. (Default: 30 seconds, Range: 0, 5-3600)
Web Interface
To configure the interface settings for a Smart Pair:
1. Click Administration, Smart Pair, Configure Smart Pair.
2. Select Configure from the Action menu.
3. Select the ID of the Smart Pair to be configured from the ID pull-down menu.
4.
Figure 272: Displaying the Smart Pair IDs
Display the Configured Smart Pair Port Members and Restore the Traffic
Use the Administration > Smart Pair (Configure Smart Pair Global) page to display the port members of a Smart Pair.
Web Interface
To configure the interface settings for a Smart Pair:
1. Click Administration, Smart Pair, Configure Smart Pair.
2. Select Configure from the Show menu.
3.
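As an added example (not code from this guide or the switch), the state machine below models the Smart Pair behaviour described above: traffic on the primary port, failover to the backup when the primary link drops, and return to the primary only after it has stayed up for the WTR delay. That the pair reverts to the primary at all, and immediately when the delay is 0, are assumptions of this example.

```python
"""Smart Pair failover with a wait-to-restore (WTR) delay.

Added example, not the switch's own code: a small state machine that forwards
on the primary port, moves traffic to the backup when the primary link goes
down, and moves it back only after the primary has stayed up for the WTR
delay. That the pair reverts to the primary at all, and immediately when the
delay is 0, are assumptions of this example; the page only describes the
failover and the delay's range.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SmartPair:
    pair_id: int
    primary: str
    backup: str
    wtr_delay: int = 30                  # seconds; page range is 0 or 5-3600
    active: str = ""
    primary_up: bool = True
    backup_up: bool = True
    restore_at: Optional[float] = None   # moment the WTR timer expires

    def __post_init__(self) -> None:
        if not (self.wtr_delay == 0 or 5 <= self.wtr_delay <= 3600):
            raise ValueError("WTR delay must be 0 or 5-3600 seconds")
        self.active = self.primary

    def link(self, port: str, up: bool, now: float) -> str:
        """Report a link state change for `port` at time `now`; return the active port."""
        if port == self.primary:
            self.primary_up = up
            if not up:
                self.restore_at = None           # a flapping primary restarts WTR later
                if self.backup_up:
                    self.active = self.backup
            elif self.active == self.backup:
                self.restore_at = now + self.wtr_delay
        elif port == self.backup:
            self.backup_up = up
            if not up and self.active == self.backup and self.primary_up:
                self.active = self.primary       # backup gone too: revert at once
                self.restore_at = None
        else:
            raise ValueError(f"{port} is not a member of Smart Pair {self.pair_id}")
        return self.tick(now)

    def tick(self, now: float) -> str:
        """Advance time; revert to the primary once the WTR delay has elapsed."""
        if self.restore_at is not None and self.primary_up and now >= self.restore_at:
            self.active = self.primary
            self.restore_at = None
        return self.active


if __name__ == "__main__":
    # Constructed timeline: primary drops at t=100 s, returns at t=110 s.
    pair = SmartPair(1, "eth1", "eth2", wtr_delay=30)
    print(pair.link("eth1", False, 100.0), pair.link("eth1", True, 110.0), pair.tick(140.0))
```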
14 Multicast Filtering
This chapter describes how to configure the following multicast services:
◆ IGMP Snooping – Configures snooping and query parameters.
◆ Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.
◆ MLD Snooping – Configures snooping and query parameters for IPv6.
◆ MLD Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.
Layer 2 IGMP (Snooping and Query for IPv4)
This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
forwarded from any source except for those specified. In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources.
Note: When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN.
Configuring IGMP Snooping and Query Parameters
Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
When proxy reporting is enabled, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
multicast router receives this solicitation, it immediately issues an IGMP general query. A query solicitation can be sent whenever the switch notices a topology change, even if it is not the root bridge in spanning tree.
◆ Router Alert Option – Discards any IGMPv2/v3 packets that do not include the Router Alert option. (Default: Disabled) As described in Section 9.
◆ Router Port Expire Time – The time the switch waits after the previous querier stops before it considers it to have expired. (Range: 1-65535, Recommended Range: 300-500 seconds, Default: 300)
◆ IGMP Snooping Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports.
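The following added example (not code from this guide or the switch) parses a raw IPv4 packet carrying IGMP the way the Router Alert Option check and the snooping-version downgrade described above would see it: it looks for the Router Alert option, classifies a membership query as v1, v2 or v3, and derives the accept/drop decision and the snooping version that results. The packet builder, the sample queries and the omission of checksum verification are assumptions of the example.

```python
"""Parsing an IGMP query for the Router Alert check and version downgrade.

Added example, not the switch's own code. It reads a raw IPv4 packet, reports
whether the Router Alert option (RFC 2113) is present and which IGMP version
a membership query belongs to (the length/Max Resp Code rules of RFC 3376
section 7.1), and derives the decision a snooping switch would take. IP and
IGMP checksums are not verified. Sample packets are constructed below.
"""
import struct
from dataclasses import dataclass

IPPROTO_IGMP = 2
IGMP_MEMBERSHIP_QUERY = 0x11
IPOPT_ROUTER_ALERT = 0x94       # option type 148: copied flag, class 0, number 20
# Non-query IGMP message types, mapped to the protocol version they imply.
IGMP_TYPE_VERSION = {0x12: 1, 0x16: 2, 0x17: 2, 0x22: 3}


@dataclass
class IgmpInfo:
    router_alert: bool
    version: int            # 1, 2 or 3; 0 for an unknown IGMP type
    is_query: bool


def parse_ipv4_igmp(packet: bytes) -> IgmpInfo:
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_IGMP:
        raise ValueError("not an IGMP packet")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or total_len < ihl:
        raise ValueError("inconsistent IPv4 lengths")

    # Walk the IP options list looking for a well-formed Router Alert option.
    options = packet[20:ihl]
    router_alert = False
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                   # End of Option List
            break
        if kind == 1:                   # No Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IP option")
        length = options[i + 1]
        if kind == IPOPT_ROUTER_ALERT and length == 4 and options[i + 2:i + 4] == b"\x00\x00":
            router_alert = True
        i += length

    igmp = packet[ihl:total_len]
    if len(igmp) < 8:
        raise ValueError("truncated IGMP message")
    igmp_type, max_resp_code = igmp[0], igmp[1]
    if igmp_type != IGMP_MEMBERSHIP_QUERY:
        return IgmpInfo(router_alert, IGMP_TYPE_VERSION.get(igmp_type, 0), False)
    if len(igmp) >= 12:                 # v3 query carries QRV/QQIC and a source list
        version = 3
    elif max_resp_code == 0:            # v1 query: 8 bytes, Max Resp Code zero
        version = 1
    else:                               # v2 query: 8 bytes, Max Resp Code set
        version = 2
    return IgmpInfo(router_alert, version, True)


def snooping_decision(packet: bytes, configured_version: int = 3,
                      router_alert_check: bool = False):
    """Return ("drop", reason) or ("accept", snooping version now in effect)."""
    info = parse_ipv4_igmp(packet)
    if router_alert_check and info.version >= 2 and not info.router_alert:
        return ("drop", "missing Router Alert option")
    effective = configured_version
    if info.is_query and 0 < info.version < configured_version:
        effective = info.version        # downgrade to the detected querier version
    return ("accept", effective)


def build_packet(igmp_payload: bytes, router_alert: bool) -> bytes:
    """Constructed IPv4 header, 192.0.2.1 -> 224.0.0.1, optionally with Router Alert."""
    options = b"\x94\x04\x00\x00" if router_alert else b""
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + len(igmp_payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0xC0, total, 0, 0,
                         1, IPPROTO_IGMP, 0, bytes([192, 0, 2, 1]), bytes([224, 0, 0, 1]))
    return header + options + igmp_payload


# Constructed general queries (type 0x11, checksum left zero, group 0.0.0.0).
V1_QUERY = bytes([0x11, 0x00, 0x00, 0x00]) + bytes(4)
V2_QUERY = bytes([0x11, 0x64, 0x00, 0x00]) + bytes(4)
V3_QUERY = bytes([0x11, 0x64, 0x00, 0x00]) + bytes(4) + bytes([0x02, 0x14, 0x00, 0x00])

if __name__ == "__main__":
    for name, payload, ra in (("v3", V3_QUERY, True), ("v2", V2_QUERY, False)):
        print(name, snooping_decision(build_packet(payload, ra), 3, router_alert_check=True))
```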
Specifying Static Interfaces for a Multicast Router
Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
Web Interface
To specify a static interface attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Add Static Multicast Router from the Action list.
3. Select the VLAN which will forward all the corresponding multicast traffic, and select the port or trunk attached to the multicast router.
4. Click Apply.
multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
To show all interfaces attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Current Multicast Router from the Action list.
3. Select the VLAN for which to display this information.
◆ Multicast IP – The IP address for a specific multicast service.
Web Interface
To statically assign an interface to a multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Add Static Member from the Action list.
3.
Figure 280: Showing Static Interfaces Assigned to a Multicast Service
Setting IGMP Snooping Status per Interface
Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to “Configuring IGMP Snooping and Query Parameters” on page 420.
unsolicited periodically on all router interfaces on which multicast forwarding is enabled. They are sent upon the occurrence of these events:
■ Upon the expiration of a periodic (randomized) timer.
■ As a part of a router's start up procedure.
■ During the restart of a multicast forwarding interface.
■ On receipt of a Solicitation message.
When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally.
◆ Version Exclusive – Discards any received IGMP messages (except for multicast protocol packets) which use a version different from that currently configured by the IGMP Version attribute.
If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
◆ Proxy Reporting – Enables IGMP Snooping with Proxy Reporting.
◆ Query Response Interval – The maximum time the system waits for a response to general queries. (Range: 10-31740 tenths of a second in multiples of 10; Default: 10 seconds) This attribute applies when the switch is serving as the querier (page 420), or as a proxy host when IGMP snooping proxy reporting is enabled (page 420).
3. Select the VLAN to configure and update the required parameters.
4. Click Apply.
Figure 281: Configuring IGMP Snooping on a VLAN
To show the interface settings for IGMP snooping:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Show VLAN Information from the Action list.
Filtering IGMP Query Packets and Multicast Data
Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets or multicast data packets.
Parameters
These parameters are displayed:
◆ Interface – Port or Trunk identifier.
◆ IGMP Query Drop – Configures an interface to drop any IGMP query packets received on the specified interface.
Displaying Multicast Groups Discovered by IGMP Snooping
Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.
Command Usage
To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see page 420).
Displaying IGMP Snooping Statistics
Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface.
Parameters
These parameters are displayed:
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Port – Port identifier. (Range: 1-26/52)
◆ Trunk – Trunk identifier. (Range: 1-8)
Query Statistics
◆ Other Querier – IP address of remote querier on this interface.
◆ V3 Warning Count – The number of times the query version received (Version 3) does not match the version configured for this interface.
VLAN, Port, and Trunk Statistics
Input Statistics
◆ Report – The number of IGMP membership reports received on this interface.
◆ Leave – The number of leave messages received on this interface.
◆ G Query – The number of general query messages received on this interface.
Figure 285: Displaying IGMP Snooping Statistics – Query
To display IGMP snooping protocol-related statistics for a VLAN:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show VLAN Statistics from the Action list.
3. Select a VLAN.
Figure 286: Displaying IGMP Snooping Statistics – VLAN
To display IGMP snooping protocol-related statistics for a port:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.
Filtering and Throttling IGMP Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan.
Figure 288: Enabling IGMP Filtering and Throttling
Configuring IGMP Filter Profiles
Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
Web Interface
To create an IGMP filter profile and set its access mode:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add from the Action list.
4. Enter the number for a profile, and set its access mode.
5. Click Apply.
Figure 289: Creating an IGMP Filtering Profile
To show the IGMP filter profiles:
1. Click Multicast, IGMP Snooping, Filter.
2.
4. Select the profile to configure, and add a multicast group address or range of addresses.
5. Click Apply.
Figure 291: Adding Multicast Groups to an IGMP Filtering Profile
To show the multicast groups configured for an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4.
set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
Parameters
These parameters are displayed:
◆ Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
Figure 293: Configuring IGMP Filtering and Throttling Interface Settings
MLD Snooping (Snooping and Query for IPv6)
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address. The querier will not start, or will disable itself after having started, if it detects an IPv6 multicast router on the network.
◆ Robustness – MLD Snooping robustness variable.
3. Click Apply.
Figure 294: Configuring General Settings for MLD Snooping
Setting Immediate Leave Status for MLD Snooping per Interface
Use the Multicast > MLD Snooping > Interface page to configure Immediate Leave status for a VLAN.
Parameters
These parameters are displayed:
◆ VLAN – A VLAN identification number.
Figure 295: Configuring Immediate Leave for MLD Snooping
Specifying Static Interfaces for an IPv6 Multicast Router
Use the Multicast > MLD Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to an IPv6 multicast router/switch. Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.
Figure 296: Configuring a Static Interface for an IPv6 Multicast Router
To show the static interfaces attached to a multicast router:
1. Click Multicast, MLD Snooping, Multicast Router.
2. Select Show Static Multicast Router from the Action list.
3. Select the VLAN for which to display this information.
Assigning Interfaces to IPv6 Multicast Services
Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface. Multicast filtering can be dynamically configured using MLD snooping and query messages (see “Configuring MLD Snooping and Query Parameters” on page 445).
Figure 299: Assigning an Interface to an IPv6 Multicast Service
To show the static interfaces assigned to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.
Figure 301: Showing Current Interfaces Assigned to an IPv6 Multicast Service
Showing MLD Snooping Groups and Source List
Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
Parameters
These parameters are displayed:
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Interface – Port or trunk identifier.
Web Interface
To display known MLD multicast groups:
1. Click Multicast, MLD Snooping, Group Information.
2. Select the port or trunk, and then select a multicast service assigned to that interface.
Figure 302: Showing IPv6 Multicast Services and Corresponding Sources
Displaying MLD Snooping Statistics
Use the Multicast > MLD Snooping > Statistics pages to display MLD snooping protocol-related statistics.
◆ Join Success – The number of times a multicast group was successfully joined.
◆ Group – The number of MLD groups active on this interface.
Output
Same as the input parameters listed above, except that the direction of transmission is outbound.
Query
◆ Other Querier Address – IP address of remote querier on this interface.
◆ Other Querier Expire – Time after which remote querier is assumed to have expired.
Physical Interface (Port/Trunk)
◆ Querier
◆ Transmit
■ General – The number of general queries sent from this interface.
■ Group Specific – The number of group specific queries sent from this interface.
◆ Received
■ General – The number of general queries received on this interface.
■ Group Specific – The number of group specific queries received on this interface.
■ Other Expire – Time after which remote querier is assumed to have expired.
■ Self Addr – IPv6 address of local querier on this interface.
■ Self Expire – Time after which local querier is assumed to have expired.
■ Self Uptime – Time local querier has been up.
◆ Transmit
■ General – The number of general queries sent from this interface.
Web Interface
To display MLD snooping input-related message statistics:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Input.
Figure 303: Displaying MLD Snooping Statistics – Input
To display MLD snooping output-related message statistics:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Output.
To display MLD query message statistics:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Query.
To display MLD summary statistics for a port or trunk:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Summary.
3. Select a port or trunk.
To display MLD summary statistics for a VLAN:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Summary.
3. Select a VLAN.
To clear MLD statistics:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Clear.
3. Select All or enter the required interface.
4. Click Clear.
Figure 308: Clearing MLD Snooping Statistics
Filtering and Throttling MLD Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan.
Enabling MLD Filtering and Throttling Use the Multicast > MLD Snooping > Filter (Configure General) page to enable IGMP filtering and throttling globally on the switch. Parameters These parameters are displayed: ◆ MLD Filter Status – Enables MLD filtering and throttling globally for the switch. (Default: Disabled) Web Interface To enable MLD filtering and throttling on the switch: 1. Click Multicast, MLD Snooping, Filter. 2.
When the access mode is set to permit, MLD join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, MLD join reports are only processed when the multicast group is not in the controlled range. Add Multicast Group Range ◆ Profile ID – Selects an IGMP profile to configure. ◆ Start Multicast IPv6 Address – Specifies the starting address of a range of multicast groups.
Figure 311: Showing the MLD Filtering Profiles Created To add a range of multicast groups to an MLD filter profile: 1. Click Multicast, MLD Snooping, Filter. 2. Select Configure Profile from the Step list. 3. Select Add Multicast Group Range from the Action list. 4. Select the profile to configure, and add a multicast group address or range of addresses. 5. Click Apply.
To show the multicast groups configured for an MLD filter profile: 1. Click Multicast, MLD Snooping, Filter. 2. Select Configure Profile from the Step list. 3. Select Show Multicast Group Range from the Action list. 4. Select the profile for which to display this information.
Chapter 14 | Multicast Filtering Filtering MLD Query Packets on an Interface ◆ Current Multicast Groups – Displays the current multicast groups the interface has joined. ◆ Throttling Action Mode – Sets the action to take when the maximum number of multicast groups for the interface has been exceeded. (Default: Deny) ■ Deny - The new multicast group join report is dropped. ■ Replace - The new multicast group replaces an existing group.
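The permit/deny profile check described above and the per-interface throttling action (Deny or Replace) can be modelled together. The following is an added example, not Edge-core's code; the profile IDs, the sample group ranges and the rule that Replace evicts the oldest joined group are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example (not Edge-core's code): models the permit/deny MLD filter
# profile and the per-port throttling action described on this page.
# Profile IDs, ranges and the "oldest group is replaced" rule are assumptions.


@dataclass
class MldFilterProfile:
    profile_id: int
    access_mode: str                              # "permit" or "deny"
    ranges: list = field(default_factory=list)    # (start, end) IPv6Address pairs

    def add_range(self, start, end=None):
        """Add a controlled multicast group range; a single address is a range of one."""
        lo = ipaddress.IPv6Address(start)
        hi = ipaddress.IPv6Address(end) if end is not None else lo
        if not (lo.is_multicast and hi.is_multicast):
            raise ValueError("MLD filter ranges must be IPv6 multicast groups (FF00::/8)")
        if hi < lo:
            raise ValueError("end address must not be lower than start address")
        self.ranges.append((lo, hi))

    def in_controlled_range(self, group):
        g = ipaddress.IPv6Address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def accepts_join(self, group):
        """Permit mode processes joins only inside the range; deny mode only outside it."""
        inside = self.in_controlled_range(group)
        return inside if self.access_mode == "permit" else not inside


class MldPortState:
    """Join-report processing for one port/trunk: filter profile first, then throttling."""

    def __init__(self, profile=None, max_groups=None, throttle_action="deny"):
        if throttle_action not in ("deny", "replace"):
            raise ValueError("throttle action must be 'deny' or 'replace'")
        self.profile = profile
        self.max_groups = max_groups          # None = no limit configured
        self.throttle_action = throttle_action
        self.groups = []                      # joined groups, oldest first

    def process_join(self, group):
        """Return what the switch does with a join report for `group`."""
        g = ipaddress.IPv6Address(group)
        if self.profile is not None and not self.profile.accepts_join(g):
            return "filtered"                 # dropped by the access-mode check
        if g in self.groups:
            return "already-joined"           # refresh only, no new table entry
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.throttle_action == "deny":
                return "throttled"            # new join report is dropped
            self.groups.pop(0)                # assumption: oldest entry is replaced
            self.groups.append(g)
            return "replaced"
        self.groups.append(g)
        return "joined"
```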
This feature can be used to drop any query packets received on the specified interface. If this switch is acting as a Querier, this prevents it from being affected by messages received from another Querier. Web Interface To drop IGMP query packets: 1. Click Multicast, MLD Snooping, Query Drop. 2. Select Port or Trunk interface. 3. Enable query drop for any interface. 4. Click Apply.
15 IP Tools This chapter provides information on network functions including: ◆ Ping – Sends a ping message to another node on the network. ◆ Trace Route – Sends ICMP echo request packets to another node on the network. ◆ Address Resolution Protocol – Describes how to configure proxy ARP or static addresses, and how to display entries in the ARP cache. Using the Ping Function Use the Tools > Ping page to send ICMP echo request packets to another node on the network.
◆ Network or host unreachable - The gateway found no corresponding entry in the route table. The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface. Web Interface To ping another device on the network: 1.
Using the Trace Route Function Use the Tools > Trace Route page to show the route packets take to the specified destination. Parameters These parameters are displayed: ◆ Destination IP Address – Alias or IPv4/IPv6 address of the host. ◆ IPv4 Max Failures – The maximum number of failures before which the trace route is terminated. (Fixed: 5) ◆ IPv6 Max Failures – The maximum number of failures before which the trace route is terminated.
Figure 317: Tracing the Route to a Network Device Address Resolution Protocol If IP routing is enabled (page 507), the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
cache, and forwards the IP traffic on to the next hop. As long as this entry has not timed out, the router will be able to forward traffic directly to the next hop for this destination without having to broadcast another ARP request. Also, if the switch receives a request for its own IP address, it will send back a response, and also cache the MAC of the source device's IP address.
Web Interface To configure the timeout for the ARP cache or to enable Proxy ARP for a VLAN (i.e., IP subnetwork): 1. Click Tools, ARP. 2. Select Configure General from the Step List. 3. Enable Proxy ARP for subnetworks that do not have routing or a default gateway. 4. Click Apply.
Parameters These parameters are displayed: ◆ IP Address – IP address statically mapped to a physical MAC address. (Valid IP addresses consist of four numbers, 0 to 255, separated by periods.) ◆ MAC Address – MAC address statically mapped to the corresponding IP address.
Figure 321: Displaying Static ARP Entries Displaying Dynamic or Local ARP Entries Use the Tools > ARP page to display dynamic or local entries in the ARP cache. The ARP cache contains static entries, and entries for local interfaces, including subnet, host, and broadcast addresses. However, most entries will be dynamically learned through replies to broadcast messages. Web Interface To display all dynamic and local entries in the ARP cache: 1.
Displaying ARP Statistics Use the Tools > ARP (Show Information) page to display statistics for ARP messages crossing all interfaces on this switch. Parameters These parameters are displayed: Table 29: ARP Statistics (Parameter / Description) Received Request – Number of ARP Request packets received by the router. Received Reply – Number of ARP Reply packets received by the router. Sent Request – Number of ARP Request packets sent by the router.
16 IP Configuration This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server. An IPv6 address can either be manually configured or dynamically generated.
Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 4) Command Usage ◆ This section describes how to configure a single local interface for initial access to the switch. To configure multiple IP interfaces, set up an IP interface for each VLAN. ◆ Once an IP address has been assigned to an interface, routing between different interfaces on the switch is enabled.
◆ Subnet Mask – This mask identifies the host address bits used for routing to specific subnets. (Default: None) ◆ Restart DHCP – Requests a new IP address from the DHCP server. Web Interface To set a static IPv4 address for the switch: 1. Click IP, General, Routing Interface. 2. Select Add Address from the Action list. 3. Select Add Address from the Action list. 4.
IP will be enabled but will not function until a BOOTP or DHCP reply is received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server. Figure 325: Configuring a Dynamic IPv4 Address Note: The switch will also broadcast a request for IP configuration settings on each power reset.
Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Figure 326: Showing the Configured IPv4 Address for an Interface Setting the Switch’s IP Address (IP Version 6) This section describes how to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
■ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch. ■ An IPv6 address must be configured according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers and to maintain reachability information about the paths to active neighbors.
■ If a non-default value is configured, an MTU option is included in the router advertisements sent from this device. This option is provided to ensure that all nodes on a link use the same MTU value in cases where the link MTU is not otherwise well known. ■ IPv6 routers do not fragment IPv6 packets forwarded from other routers.
neighbor. Therefore, avoid using very short intervals for normal IPv6 operations. When a non-default value is configured, the specified interval is used both for router advertisements and by the router itself. ◆ ND Reachable-Time – The amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred.
This combination is known as DHCPv6 stateless autoconfiguration, in which a DHCPv6 server does not assign stateful addresses to IPv6 hosts, but does assign stateless configuration settings. Web Interface To configure general IPv6 settings for the switch: 1. Click IP, IPv6 Configuration. 2. Select Configure Interface from the Action list. 3. Specify the VLAN to configure. 4.
Configuring an IPv6 Address Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets. Command Usage ◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Parameters These parameters are displayed: ◆ VLAN – ID of a configured VLAN which is to be used for management access, or for creating an interface to multiple subnets. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
◆ Link Local – Configures an IPv6 link-local address. ■ The address prefix must be in the range of FE80~FEBF. ■ You can configure only one link-local address per interface. ■ The specified address replaces a link-local address that was automatically generated for the interface. ◆ IPv6 Address – IPv6 address assigned to this interface. Web Interface To configure an IPv6 address: 1. Click IP, IPv6 Configuration. 2.
In addition to the unicast addresses assigned to an interface, a node is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope). FF01::1/16 is the transient interface-local multicast address for all attached IPv6 nodes, and FF02::1/16 is the link-local multicast address for all attached IPv6 nodes.
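The address rules spread over this chapter and the Ping page (RFC 2373 text form with at most one double colon, the FE80~FEBF link-local prefix, the %VLAN zone-id such as FE80::7272%1, and the FF01::1/FF02::1 scopes) can be checked in one validator. This is an added example, not Edge-core's code; the 1-4094 bound on the zone-id is an assumption based on the VLAN ID space.

```python
import ipaddress

# Added example (not Edge-core's code): validates the IPv6 address forms this
# guide describes (RFC 2373 text form, FE80~FEBF link-local prefix, VLAN zone-id
# after '%') and names the multicast scope of FF01::1 / FF02::1. The 1-4094
# VLAN range used for the zone-id is an assumption.

LINK_LOCAL_FIRST16 = (0xFE80, 0xFEBF)   # first 16 bits of FE80::/10
MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local",
                    0x4: "admin-local", 0x5: "site-local",
                    0x8: "organization-local", 0xE: "global"}


def classify(addr):
    """'multicast', 'link-local' or 'unicast' (global, unique-local or site-local)."""
    if addr.is_multicast:
        return "multicast"
    first16 = int(addr) >> 112
    if LINK_LOCAL_FIRST16[0] <= first16 <= LINK_LOCAL_FIRST16[1]:
        return "link-local"
    return "unicast"


def multicast_scope(group):
    """Scope name from the low nibble of the second byte (FF01::1 vs FF02::1)."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    return MULTICAST_SCOPES.get((int(g) >> 112) & 0xF, "reserved/unassigned")


def parse_switch_ipv6(text):
    """Parse an address as typed into the Ping page. Returns (address, vlan, kind).

    - The address part must be valid RFC 2373 text form: ipaddress rejects more
      than one '::', non-hex groups and groups wider than 16 bits.
    - A '%<vlan>' suffix is the zone-id; it is required for link-local addresses
      because the same link-local address may exist in several VLANs (RFC 4007).
    """
    addr_part, sep, zone = text.partition("%")
    vlan = None
    if sep:
        if not zone.isdigit() or not 1 <= int(zone) <= 4094:
            raise ValueError(f"zone-id must be a VLAN ID 1-4094, got {zone!r}")
        vlan = int(zone)
    addr = ipaddress.IPv6Address(addr_part)   # raises ValueError on bad syntax
    kind = classify(addr)
    if kind == "link-local" and vlan is None:
        raise ValueError(f"{text}: link-local address needs a zone-id, e.g. {addr}%1")
    return addr, vlan, kind
```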
Showing the IPv6 Neighbor Cache Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices. Parameters These parameters are displayed: Table 30: Show IPv6 Neighbors - display description (Field / Description) IPv6 Address – IPv6 address of neighbor. Age – The time since the address was verified as reachable (in seconds).
Web Interface To show neighboring IPv6 devices: 1. Click IP, IPv6 Configuration. 2. Select Show IPv6 Neighbors from the Action list. Figure 331: Showing IPv6 Neighbors Showing IPv6 Statistics Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
Parameters These parameters are displayed: Table 31: Show IPv6 Statistics - display description (Field / Description) IPv6 Statistics: IPv6 Received Total – The total number of input datagrams received by the interface, including those received in error.
Table 31: Show IPv6 Statistics - display description (Continued) (Field / Description) IPv6 Transmitted Forwards Datagrams – The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 31: Show IPv6 Statistics - display description (Continued) (Field / Description) Neighbor Advertisement Messages – The number of ICMP Neighbor Advertisement messages received by the interface. Redirect Messages – The number of Redirect messages received by the interface. Group Membership Query Messages – The number of ICMPv6 Group Membership Query messages received by the interface.
Table 31: Show IPv6 Statistics - display description (Continued) (Field / Description) Other Errors – The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port. Output – The total number of UDP datagrams sent from this entity. Web Interface To show the IPv6 statistics: 1. Click IP, IPv6 Configuration. 2. Select Show Statistics from the Action list. 3.
Figure 333: Showing IPv6 Statistics (ICMPv6) Figure 334: Showing IPv6 Statistics (UDP)
Showing the MTU for Responding Destinations Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
17 General IP Routing This chapter provides information on network functions including: ◆ Static Routes – Configures static routes to other network segments. ◆ Routing Table – Displays routing entries learned through statically configured entries. Overview This switch supports IP routing and routing path management via static routing definitions.
Chapter 17 | General IP Routing IP Routing and Switching Figure 336: Virtual Interfaces and Layer 3 Routing (diagram: inter-subnet traffic between the VLAN 1 and VLAN 2 interfaces is routed, i.e. Layer 3 switching; intra-subnet traffic within a VLAN is Layer 2 switching; member ports may be tagged or untagged) IP Routing and Switching IP Switching (or packet forwarding) encompasses tasks required to forward packets for both Layer 2 and Layer 3, as well as traditional routing.
If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node. However, if the packet belongs to a subnet not included on this switch, then the packet should be sent to the next hop router (with the MAC address of the router itself used as the destination MAC address, and the destination IP address of the destination node).
Configuring Static Routes You can enter static routes in the routing table using the IP > Routing > Static Routes (Add) page. Static routes may be required to force the use of a specific route to a subnet. Static routes do not automatically change in response to changes in network topology, so you should only configure a small number of stable routes to ensure network accessibility. Command Usage ◆ Up to 512 static routes can be configured.
Figure 337: Configuring Static Routes To display static routes: 1. Click IP, Routing, Static Routes. 2. Select Show from the Action List. Figure 338: Displaying Static Routes Displaying the Routing Table Use the IP > Routing > Routing Table (Show Information) page to display all routes that can be accessed via local network interfaces through static routes.
forwarding decision on a particular packet. The typical components within a FIB entry are a network prefix, a router (i.e., VLAN) interface, and next hop information. ◆ The Routing Table (and the “show ip route” command described in the CLI Reference Guide) only display routes which are currently accessible for forwarding. The router must be able to directly reach the next hop, so the VLAN interface associated with any route entry must be up.
18 Unicast Routing This chapter describes how to configure the following unicast routing protocols: RIP – Configures Routing Information Protocol. Overview This switch can route unicast traffic to different subnetworks using Routing Information Protocol (RIP). It supports RIP and RIP-2 dynamic routing. These protocols exchange routing information, calculate routing tables, and can respond to changes in the status or loading of the network.
Chapter 18 | Unicast Routing Configuring the Routing Information Protocol Configuring the Routing Information Protocol The RIP protocol is the most widely used routing protocol. The RIP protocol uses a distance-vector-based approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost. Each router broadcasts its advertisement every 30 seconds, together with any updates to its routing table.
Configuring General Protocol Settings Use the Routing Protocol > RIP > General (Configure) page to configure general settings and the basic timers. RIP is used to specify how routers exchange routing information. When RIP is enabled on this router, it sends RIP messages to all devices in the network every 30 seconds (by default), and updates its own routing table when RIP messages are received from other routers.
◆ RIP Default Metric – Sets the default metric assigned to external routes imported from other protocols. (Range: 1-15; Default: 1) The default metric must be used to resolve the problem of redistributing external routes with incompatible metrics. It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP.
Basic Timer Settings Note: The timers must be set to the same values for all routers in the network. ◆ Update – Sets the rate at which updates are sent. This is the fundamental timer used to control all basic RIP processes. (Range: 5-2147483647 seconds; Default: 30 seconds) Setting the update timer to a short interval can cause the router to spend an excessive amount of time processing updates.
Figure 341: Configuring General Settings for RIP Clearing Entries from the Routing Table Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the routing table based on route type or a specific network address. Command Usage ◆ RIP must be enabled to activate this menu option. ◆ Clearing “All” types deletes all routes in the RIP table.
◆ Clear Route By Network – Clears a specific route based on its IP address and prefix length. ■ Network IP Address – Deletes all related entries for the specified network address. ■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address. Web Interface To clear entries from the RIP routing table: 1. Click Routing Protocol, RIP, General. 2.
Parameters These parameters are displayed: ◆ By Address – Adds a network to the RIP routing process. ■ Subnet Address – IP address of a network directly connected to this router. (Default: No networks are specified) ■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
Figure 344: Showing Network Interfaces Using RIP Specifying Passive Interfaces Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface. Command Usage ◆ Network interfaces can be configured to stop RIP broadcast and multicast messages from being sent.
Figure 345: Specifying a Passive RIP Interface To show the passive RIP interfaces: 1. Click Routing Protocol, RIP, Passive Interface. 2. Select Show from the Action list.
Figure 347: Specifying a Static RIP Neighbor To show static RIP neighbors: 1. Click Routing Protocol, RIP, Neighbor Address. 2. Select Show from the Action list.
It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP. For example, if a metric of 10 is defined for redistributed routes, these routes can only be advertised to routers up to 5 hops away, at which point the metric exceeds the maximum hop count of 15.
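The 5-hop limit for a redistribution metric of 10 follows from RIP's distance-vector update rule (each receiver adds one to the advertised metric and treats 16 as unreachable). The following added example, which is not Edge-core's code, simulates that propagation over a constructed chain of routers and over any other small topology; the router names and topologies are constructed for illustration.

```python
# Added example (not Edge-core's code): a small RIP distance-vector propagation
# model showing how the redistribution metric limits how far an external route
# travels. Router names and topologies are constructed for illustration.

RIP_INFINITY = 16      # RFC 2453: metric 16 means unreachable
RIP_MAX_METRIC = 15    # the page's "maximum hop count of 15"


def rip_converge(topology, origin, redistribution_metric):
    """Flood one route, injected at `origin` with the configured metric, through
    `topology` (router -> list of neighbours). Each receiver adds 1 to the
    advertised metric (RFC 2453 section 3.9.2) and keeps the lowest value; a
    result of 16 or more is unreachable and is not installed. Returns the
    metric each router ends up with, or None if it never learns the route."""
    if not 1 <= redistribution_metric <= RIP_MAX_METRIC:
        raise ValueError("RIP default metric must be in the range 1-15")
    table = {router: None for router in topology}
    table[origin] = redistribution_metric
    changed = True
    while changed:                      # Bellman-Ford style relaxation to convergence
        changed = False
        for router, neighbours in topology.items():
            advertised = table[router]
            if advertised is None:
                continue                # nothing to advertise yet
            for nb in neighbours:
                candidate = min(advertised + 1, RIP_INFINITY)
                if candidate >= RIP_INFINITY:
                    continue            # would be "infinity": receiver does not install it
                if table[nb] is None or candidate < table[nb]:
                    table[nb] = candidate
                    changed = True
    return table


def chain(length):
    """Routers R0..R<length-1> connected in a line: R0 - R1 - ... - R<length-1>."""
    names = [f"R{i}" for i in range(length)]
    adj = {n: [] for n in names}
    for a, b in zip(names, names[1:]):
        adj[a].append(b)
        adj[b].append(a)
    return adj


def farthest_reachable_hop(redistribution_metric, length=20):
    """Hops from the redistributing router (R0) at which the route is still
    installable (metric <= 15); the page's example gives 5 for a metric of 10."""
    table = rip_converge(chain(length), "R0", redistribution_metric)
    return max(i for i in range(length) if table[f"R{i}"] is not None)


if __name__ == "__main__":
    for metric in (1, 5, 10, 15):
        print(f"metric {metric:2d}: route usable up to {farthest_reachable_hop(metric)} hops away")
```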
Specifying an Administrative Distance Use the Routing Protocol > RIP > Distance (Add) page to define an administrative distance for external routes learned from other routing protocols. Command Usage ◆ Administrative distance is used by the routers to select the preferred path when there are two or more different routes to the same destination from two different routing protocols.
To show the distance assigned to external routes learned from other routing protocols: 1. Click Routing Protocol, RIP, Distance. 2. Select Show from the Action list.
■ Use “RIPv1 and RIPv2” if some routers in the local network are using RIPv2, but there are still some older routers using RIPv1. (This is the default setting.) ■ Use “Do Not Receive” if dynamic entries are not required to be added to the routing table for an interface. (For example, when only static routes are to be allowed for a specific interface.) Protocol Message Authentication RIPv1 is not a secure protocol.
◆ Receive Version – The RIP version to receive on an interface. ■ RIPv1: Accepts only RIPv1 packets. ■ RIPv2: Accepts only RIPv2 packets. ■ RIPv1 and RIPv2: Accepts RIPv1 and RIPv2 packets. ■ Do Not Receive: Does not accept incoming RIP packets. This option does not add any dynamic entries to the routing table for an interface. The default depends on the setting for the Global RIP Version.
Web Interface To configure network interface settings for RIP: 1. Click Routing Protocol, RIP, Interface. 2. Select Add from the Action list. 3. Select a Layer 3 VLAN interface to participate in RIP. Select the RIP protocol message types that will be received and sent. Select the RIP authentication method and password. And then set the loopback prevention method. 4. Click Apply.
Displaying RIP Interface Settings Use the Routing Protocol > RIP > Statistics (Show Interface Information) page to display information about RIP interface configuration settings. Parameters These parameters are displayed: ◆ Interface – Source IP address of RIP router interface. ◆ Auth Type – The type of authentication used for exchanging RIPv2 protocol messages. ◆ Send Version – The RIP version to send on this interface.
◆ Version – Shows whether RIPv1 or RIPv2 packets were received from this peer. ◆ Rcv Bad Packets – Number of bad RIP packets received from this peer. ◆ Rcv Bad Routes – Number of bad routes received from this peer. Web Interface To display information on neighboring RIP routers: 1. Click Routing Protocol, RIP, Statistics. 2. Select Show Peer Information from the Action list.
19 IP Services This chapter describes the following IP services: ◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries. ◆ Multicast DNS – Configures multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server. ◆ DHCP – Configures client, relay, and dynamic provisioning.
Chapter 19 | IP Services Domain Name Service Parameters These parameters are displayed: ◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) ◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 alphanumeric characters) Web Interface To configure general settings for DNS: 1. Click IP Service, DNS. 2.
◆ If all name servers are deleted, DNS will automatically be disabled. Parameters These parameters are displayed: ◆ Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 characters) Web Interface To create a list of domain names: 1. Click IP Service, DNS. 2. Select Add Domain Name from the Action list. 3. Enter one domain name at a time. 4. Click Apply.
Configuring a List of Name Servers Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. Command Usage ◆ To enable DNS service on this switch, configure one or more name servers, and enable domain lookup status (see “Configuring General DNS Service Parameters” on page 527).
To show the list of name servers: 1. Click IP Service, DNS. 2. Select Show Name Servers from the Action list. Figure 362: Showing the List of Name Servers for DNS Configuring Static DNS Host Entries Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Figure 363: Configuring Static Entries in the DNS Table To show static entries in the DNS table: 1. Click IP Service, DNS, Static Host Table. 2. Select Show from the Action list. Figure 364: Showing Static Entries in the DNS Table Displaying the DNS Cache Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.
◆ TTL – The time to live reported by the name server. ◆ Host – The host name associated with this record. Web Interface To display entries in the DNS cache: 1. Click IP Service, DNS, Cache. Figure 365: Showing Entries in the DNS Cache Multicast Domain Name Service Use the IP Service > Multicast DNS page to enable multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server.
Chapter 19 | IP Services Dynamic Host Configuration Protocol ■ Announcing – The responder sends an unsolicited mDNS Response containing all of its newly registered resource records (both shared records, and unique records that have completed the probing step). ■ Updating – The responder repeats the Announcing step to update neighbor caches when the data for any local mDNS record changes.
Specifying a DHCP Client Identifier Use the IP Service > DHCP > Client page to specify the DHCP client identifier for a VLAN interface. Command Usage ◆ The class identifier is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return. ◆ The general framework for this DHCP option is set out in RFC 2132 (Option 60).
◆ Vendor Class ID – The following options are supported when the check box is marked to enable this feature: ■ Default – The default string is the model number. ■ Text – A text string. (Range: 1-32 characters) ■ Hex – A hexadecimal value. (Range: 1-64 characters) Web Interface To configure a DHCP client identifier: 1. Click IP Service, DHCP, Client. 2. Mark the check box to enable this feature.
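What the three Vendor Class ID forms produce on the wire, and how a DHCP server reads Option 60 back out of the options area, is shown by the following added example (not Edge-core's code). The model string used for the Default form, the requirement that Hex input has an even number of digits, and the DHCPDISCOVER options blob are assumptions constructed for illustration.

```python
# Added example (not Edge-core's code): builds and parses the DHCP Vendor
# Class Identifier (Option 60, RFC 2132) in the three forms this page lists
# (default = model number, text, hex). The model string and the even-digit
# rule for hex input are assumptions.

OPT_PAD, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_END = 0, 53, 60, 255
MAGIC_COOKIE = bytes([99, 130, 83, 99])   # RFC 2132 options-area magic cookie
DEFAULT_MODEL = "ECS2110-26T"             # page: "The default string is the model number"


def vendor_class_bytes(mode, value=None):
    """Option 60 payload for the chosen mode, enforcing the page's length limits."""
    if mode == "default":
        data = DEFAULT_MODEL.encode("ascii")
    elif mode == "text":
        if value is None or not 1 <= len(value) <= 32:
            raise ValueError("text vendor class must be 1-32 characters")
        data = value.encode("ascii")
    elif mode == "hex":
        digits = (value or "").replace(":", "").replace(" ", "")
        if not 1 <= len(digits) <= 64 or len(digits) % 2:   # even count is an assumption
            raise ValueError("hex vendor class must be 1-64 hex digits (even count)")
        data = bytes.fromhex(digits)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return data


def encode_option(code, data):
    """One DHCP option as a code / length / value triple."""
    if len(data) > 255:
        raise ValueError("option data too long for a single option")
    return bytes([code, len(data)]) + data


def decode_options(blob):
    """Walk the options area after the magic cookie; returns {code: data}."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("options area must begin with the DHCP magic cookie")
    i, opts = len(MAGIC_COOKIE), {}
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                    # single-byte pad, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:                # length claims more than is present
            raise ValueError(f"option {code} runs past end of packet")
        opts[code] = data
        i += 2 + length
    return opts


def vendor_class_from_options(blob):
    """Vendor class identifier as the DHCP server would see it, or None if absent."""
    data = decode_options(blob).get(OPT_VENDOR_CLASS)
    return None if data is None else data.decode("ascii", errors="replace")


def build_discover_options(mode, value=None):
    """Constructed DHCPDISCOVER options area carrying Option 53 and Option 60."""
    return (MAGIC_COOKIE
            + encode_option(OPT_MSG_TYPE, b"\x01")          # 1 = DHCPDISCOVER
            + encode_option(OPT_VENDOR_CLASS, vendor_class_bytes(mode, value))
            + bytes([OPT_END]))
```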
Command Usage ◆ You must specify the IP address for at least one active DHCP server. Otherwise, the switch’s DHCP relay agent will not be able to forward client requests to a DHCP server. Up to five DHCP servers can be specified in order of preference.
Enabling DHCP Dynamic Provision Use the IP Service > DHCP > Dynamic Provision page to enable dynamic provisioning via DHCP. Command Usage DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems. To support DHCP option 66/67, you have to add corresponding statements to the configuration file of DHCPD.
Section III Appendices This section provides additional information and includes these items: ◆ “Software Specifications” on page 541 ◆ “Troubleshooting” on page 545 ◆ “License Information” on page 547
A Software Specifications
Software Features
Management Authentication – Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter
General Security – Access Control Lists (512 rules), Port Authentication (802.
Management Features
VLAN Support – Up to 4094 groups; port-based, protocol-based, tagged (802.
Standards
IEEE 802.1AB Link Layer Discovery Protocol
IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities; Spanning Tree Protocol; Rapid Spanning Tree Protocol; Multiple Spanning Tree Protocol
IEEE 802.1p Priority tags
IEEE 802.1Q VLAN
IEEE 802.1v Protocol-based VLANs
IEEE 802.1X Port Authentication
IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet; Link Aggregation Control Protocol (LACP); Full-duplex flow control (ISO/IEC 8802-3)
IEEE 802.
Management Information Bases
Ether-like MIB (RFC 2665)
Extended Bridge MIB (RFC 2674)
Extensible SNMP Agents MIB (RFC 2742)
Forwarding Table MIB (RFC 2096)
IGMP MIB (RFC 2933)
Interface Group MIB (RFC 2233)
Interfaces Evolution MIB (RFC 2863)
IP MIB (RFC 2011)
IP Forwarding Table MIB (RFC 2096)
IP Multicasting related MIBs
IPV6-MIB (RFC 2065)
IPV6-ICMP-MIB (RFC 2066)
IPV6-TCP-MIB (RFC 2052)
IPV6-UDP-MIB (RFC 2054)
Link Aggregation MIB (IEEE 802.
B Troubleshooting
Problems Accessing the Management Interface
Table 35: Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
◆ Be sure the switch is powered on.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
The GNU General Public License
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary
ACL – Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
ARP – Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DiffServ – Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
ICMP – Internet Control Message Protocol is a network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices.
IEEE 802.1D – Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q – VLAN Tagging. Defines Ethernet frame tags which carry VLAN information.
IGMP Query – On each subnetwork, one IGMP-capable device will act as the querier, that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
IGMP Snooping – Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
MIB – Management Information Base. A set of database objects that contains information about a specific device.
MRD – Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.
RADIUS – Remote Authentication Dial-in User Service. RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network.
RMON – Remote Monitoring. RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.
RSTP – Rapid Spanning Tree Protocol.
TFTP – Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads.
UDP – User Datagram Protocol. UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets: connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.
Index Numerics 802.1Q tunnel 158 access 165 configuration, guidelines 161 configuration, limitations 161 CVID to SVID map 163 description 158 ethernet type 162 interface configuration 165 mode selection 165 status, configuring 162 TPID 162 uplink 165 802.1X authenticator, configuring 303 global settings 303 port authentication 301 port authentication accounting 245, 246 A AAA accounting 802.
clustering switches, management access 402 community string 377 configuration files, restoring defaults 68 configuration settings restoring 71, 72 saving 71 CoS 211 configuring 211 enabling 216 layer 3/4 priorities 215 queue mode 212 queue weights, assigning 213 CPU status 90 utilization, showing 90 CVLAN to SPVLAN map 163 D default IPv6 gateway, configuration 483 default priority, ingress port 211 default settings, system 37 DHCP 480, 534 class identifier 536 client 480 client identifier 535, 536 o
HTTPS, secure server 268 I IEEE 802.1D 183 IEEE 802.1s 183 IEEE 802.1w 183 IEEE 802.
local parameters 128 partner parameters 130 protocol message statistics 127 protocol parameters 123 timeout, for LACPDU 122 last member query interval, IGMP snooping 432 LBD 410, 413 recover action 411 recover time 410 transmit interval 410 license information 547 Link Layer Discovery Protocol - Media Endpoint Discovery See LLDP-MED Link Layer Discovery Protocol See LLDP link type, STA 195, 199 LLDP 341 device statistics details, displaying 363 device statistics, displaying 361 display device informa
displaying 427, 435, 451 static 426, 427, 450, 451 multicast router discovery 428 multicast router port, displaying 425, 449 multicast services configuring 426, 450 displaying 427, 451 multicast static router port 424 configuring 424 configuring for MLD snooping 448 multicast storm, threshold 209 multicast, filtering and throttling 440, 461 N network access authentication 259 dynamic QoS assignment 264 dynamic VLAN assignment 264 MAC address filter 264 port configuration 263 reauthentication 262 secu
default metric 510 description 507 global settings 509 interface protocol settings 520 interface, enabling 513 neighbor router 516, 524 passively monitoring updates 515 poison reverse 508, 522 protocol packets, receiving 522 protocol packets, sending 521 receive version 522 redistributing external routing information 517 routes, displaying 524 routing table, clearing 512 send version 521 specifying interfaces 513 split horizon 508, 522 timers 511 version 509 RMON 392 alarm, displaying settings 394 al
transmission limit 189 standards, IEEE 543 startup files creating 68 displaying 68 setting 68 static addresses, setting 178 static routes, configuring 504 statistics ARP 477 history for port 108 history for trunk 108 statistics, port 104 STP 187 summary, accounting 247 summer time, setting 85 switch clustering, for management 402 switch settings restoring 71 saving 71 system clock setting 77 setting manually 77 setting the time zone 84 setting with NTP 81 setting with SNTP 78 summer time 85 system so
configuring ports 258 port information, displaying 258, 259 ports, configuring 258 ports, re-authenticating 258 web interface access requirements 43 configuration buttons 46 menu list 47 panel display 46